feat: add eks auto mode

README.md

@@ -415,6 +415,7 @@ Available targets:
 | <a name="input_cloudwatch_log_group_class"></a> [cloudwatch\_log\_group\_class](#input\_cloudwatch\_log\_group\_class) | Specified the log class of the log group. Possible values are: `STANDARD` or `INFREQUENT_ACCESS` | `string` | `null` | no |
 | <a name="input_cloudwatch_log_group_kms_key_id"></a> [cloudwatch\_log\_group\_kms\_key\_id](#input\_cloudwatch\_log\_group\_kms\_key\_id) | If provided, the KMS Key ID to use to encrypt AWS CloudWatch logs | `string` | `null` | no |
 | <a name="input_cluster_attributes"></a> [cluster\_attributes](#input\_cluster\_attributes) | Override label module default cluster attributes | `list(string)` | <pre>[<br/>  "cluster"<br/>]</pre> | no |
+| <a name="input_cluster_compute_config"></a> [cluster\_compute\_config](#input\_cluster\_compute\_config) | Configuration block with compute configuration for EKS Auto Mode<br/><br/>enabled: Request to enable or disable the compute capability on your EKS Auto Mode cluster. If the compute capability is enabled, EKS Auto Mode will create and delete EC2 Managed Instances in your Amazon Web Services account.<br/>node\_pools: Optional configuration for node pools that defines the compute resources for your EKS Auto Mode cluster. Valid options are general-purpose and system.<br/>node\_role\_arn: Optional ARN of the IAM Role EKS will assign to EC2 Managed Instances in your EKS Auto Mode cluster. | `any` | `{}` | no |
 | <a name="input_cluster_depends_on"></a> [cluster\_depends\_on](#input\_cluster\_depends\_on) | If provided, the EKS will depend on this object, and therefore not be created until this object is finalized.<br/>This is useful if you want to ensure that the cluster is not created before some other condition is met, e.g. VPNs into the subnet are created. | `any` | `null` | no |
 | <a name="input_cluster_encryption_config_enabled"></a> [cluster\_encryption\_config\_enabled](#input\_cluster\_encryption\_config\_enabled) | Set to `true` to enable Cluster Encryption Configuration | `bool` | `true` | no |
 | <a name="input_cluster_encryption_config_kms_key_deletion_window_in_days"></a> [cluster\_encryption\_config\_kms\_key\_deletion\_window\_in\_days](#input\_cluster\_encryption\_config\_kms\_key\_deletion\_window\_in\_days) | Cluster Encryption Config KMS Key Resource argument - key deletion windows in days post destruction | `number` | `10` | no |

docs/terraform.md

@@ -70,6 +70,7 @@
 | <a name="input_cloudwatch_log_group_class"></a> [cloudwatch\_log\_group\_class](#input\_cloudwatch\_log\_group\_class) | Specified the log class of the log group. Possible values are: `STANDARD` or `INFREQUENT_ACCESS` | `string` | `null` | no |
 | <a name="input_cloudwatch_log_group_kms_key_id"></a> [cloudwatch\_log\_group\_kms\_key\_id](#input\_cloudwatch\_log\_group\_kms\_key\_id) | If provided, the KMS Key ID to use to encrypt AWS CloudWatch logs | `string` | `null` | no |
 | <a name="input_cluster_attributes"></a> [cluster\_attributes](#input\_cluster\_attributes) | Override label module default cluster attributes | `list(string)` | <pre>[<br/>  "cluster"<br/>]</pre> | no |
+| <a name="input_cluster_compute_config"></a> [cluster\_compute\_config](#input\_cluster\_compute\_config) | Configuration block with compute configuration for EKS Auto Mode<br/><br/>enabled: Request to enable or disable the compute capability on your EKS Auto Mode cluster. If the compute capability is enabled, EKS Auto Mode will create and delete EC2 Managed Instances in your Amazon Web Services account.<br/>node\_pools: Optional configuration for node pools that defines the compute resources for your EKS Auto Mode cluster. Valid options are general-purpose and system.<br/>node\_role\_arn: Optional ARN of the IAM Role EKS will assign to EC2 Managed Instances in your EKS Auto Mode cluster. | `any` | `{}` | no |
 | <a name="input_cluster_depends_on"></a> [cluster\_depends\_on](#input\_cluster\_depends\_on) | If provided, the EKS will depend on this object, and therefore not be created until this object is finalized.<br/>This is useful if you want to ensure that the cluster is not created before some other condition is met, e.g. VPNs into the subnet are created. | `any` | `null` | no |
 | <a name="input_cluster_encryption_config_enabled"></a> [cluster\_encryption\_config\_enabled](#input\_cluster\_encryption\_config\_enabled) | Set to `true` to enable Cluster Encryption Configuration | `bool` | `true` | no |
 | <a name="input_cluster_encryption_config_kms_key_deletion_window_in_days"></a> [cluster\_encryption\_config\_kms\_key\_deletion\_window\_in\_days](#input\_cluster\_encryption\_config\_kms\_key\_deletion\_window\_in\_days) | Cluster Encryption Config KMS Key Resource argument - key deletion windows in days post destruction | `number` | `10` | no |

examples/complete/fixtures.us-east-2.tfvars

@@ -57,3 +57,8 @@ upgrade_policy = {
 zonal_shift_config = {
   enabled = true
 }
+
+cluster_compute_config = {
+  enabled    = true
+  node_pools = ["general-purpose"]
+}

examples/complete/main.tf

@@ -115,6 +115,7 @@ module "eks_cluster" {
   bootstrap_self_managed_addons_enabled = var.bootstrap_self_managed_addons_enabled
   upgrade_policy                        = var.upgrade_policy
   zonal_shift_config                    = var.zonal_shift_config
+  cluster_compute_config                = var.cluster_compute_config
 
   access_entry_map = local.access_entry_map
   access_config = {

examples/complete/variables.tf

@@ -131,6 +131,18 @@ variable "zonal_shift_config" {
   default     = null
 }
 
+variable "cluster_compute_config" {
+  description = <<-EOT
+  Configuration block with compute configuration for EKS Auto Mode
+
+  enabled: Request to enable or disable the compute capability on your EKS Auto Mode cluster. If the compute capability is enabled, EKS Auto Mode will create and delete EC2 Managed Instances in your Amazon Web Services account.
+  node_pools: Optional configuration for node pools that defines the compute resources for your EKS Auto Mode cluster. Valid options are general-purpose and system.
+  node_role_arn: Optional ARN of the IAM Role EKS will assign to EC2 Managed Instances in your EKS Auto Mode cluster.
+  EOT
+  type        = any
+  default     = {}
+}
+
 variable "private_ipv6_enabled" {
   type        = bool
   default     = false

main.tf

@@ -14,6 +14,8 @@ locals {
   }
 
   cloudwatch_log_group_name = "/aws/eks/${module.label.id}/cluster"
+
+  auto_mode_enabled = try(var.cluster_compute_config.enabled, false)
 }
 
 module "label" {
@@ -56,19 +58,31 @@ resource "aws_kms_alias" "cluster" {
 resource "aws_eks_cluster" "default" {
   #bridgecrew:skip=BC_AWS_KUBERNETES_1:Allow permissive security group for public access, difficult to restrict without a VPN
   #bridgecrew:skip=BC_AWS_KUBERNETES_4:Let user decide on control plane logging, not necessary in non-production environments
-  count                         = local.enabled ? 1 : 0
-  name                          = module.label.id
-  tags                          = module.label.tags
-  role_arn                      = local.eks_service_role_arn
-  version                       = var.kubernetes_version
-  enabled_cluster_log_types     = var.enabled_cluster_log_types
-  bootstrap_self_managed_addons = var.bootstrap_self_managed_addons_enabled
+  count                     = local.enabled ? 1 : 0
+  name                      = module.label.id
+  tags                      = module.label.tags
+  role_arn                  = local.eks_service_role_arn
+  version                   = var.kubernetes_version
+  enabled_cluster_log_types = var.enabled_cluster_log_types
+  # Enabling EKS Auto Mode also requires that bootstrap_self_managed_addons is set to false
+  bootstrap_self_managed_addons = local.auto_mode_enabled ? coalesce(var.bootstrap_self_managed_addons, false) : var.bootstrap_self_managed_addons
 
   access_config {
     authentication_mode                         = var.access_config.authentication_mode
     bootstrap_cluster_creator_admin_permissions = var.access_config.bootstrap_cluster_creator_admin_permissions
   }
 
+  # EKS Auto Mode
+  dynamic "compute_config" {
+    for_each = length(var.cluster_compute_config) > 0 ? [var.cluster_compute_config] : []
+
+    content {
+      enabled       = local.auto_mode_enabled
+      node_pools    = local.auto_mode_enabled ? try(compute_config.value.node_pools, []) : null
+      node_role_arn = local.auto_mode_enabled && length(try(compute_config.value.node_pools, [])) > 0 ? try(compute_config.value.node_role_arn, aws_iam_role.eks_auto[0].arn, null) : null
+    }
+  }
+
   lifecycle {
     # bootstrap_cluster_creator_admin_permissions is documented as only applying
     # to the initial creation of the cluster, and being unreliable afterward,

variables.tf

@@ -29,6 +29,23 @@ variable "cluster_depends_on" {
   default     = null
 }
 
+variable "cluster_compute_config" {
+  description = <<-EOT
+    Configuration block with compute configuration for EKS Auto Mode.
+    {
+      enabled       = bool,
+      node_pools    = list(string),
+      node_role_arn = string
+    }
+  EOT
+  type = object({
+    enabled       = optional(bool, false)
+    node_pools    = optional(list(string), [])
+    node_role_arn = optional(string, null)
+  })
+  default     = {}
+}
+
 variable "create_eks_service_role" {
   type        = bool
   description = "Set `false` to use existing `eks_cluster_service_role_arn` instead of creating one"
@@ -45,7 +62,6 @@ variable "eks_cluster_service_role_arn" {
   default     = null
 }
 
-
 variable "kubernetes_version" {
   type        = string
   description = "Desired Kubernetes master version. If you do not specify a value, the latest available version is used"