hashicorp · alanszlosek · Jul 20, 2022 · Jun 9, 2022 · Jun 10, 2022 · Jul 6, 2022
diff --git a/.gitignore b/.gitignore
@@ -4,15 +4,16 @@
 # .tfstate files
 *.tfstate
 *.tfstate.*
+*.tfplan
 
 # Crash log files
 crash.log
 
-# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
-# .tfvars files are managed as part of configuration and so should be included in
-# version control.
-#
-# example.tfvars
+# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
 
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
@@ -21,9 +22,6 @@ override.tf.json
 *_override.tf
 *_override.tf.json
 
-# Include override files you do wish to add to version control using negated pattern
-#
-# !example_override.tf
-
-# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
-# example: *tfplan*
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
 # Learn Terraform - Provision an EKS Cluster
 
 This repo is a companion repo to the [Provision an EKS Cluster learn guide](https://learn.hashicorp.com/terraform/kubernetes/provision-eks-cluster), containing
-Terraform configuration files to provision an EKS cluster on AWS.
+Terraform configuration files to provision an EKS cluster on AWS.
diff --git a/eks-cluster.tf b/eks-cluster.tf
@@ -1,38 +1,59 @@
 module "eks" {
-  source          = "terraform-aws-modules/eks/aws"
-  version         = "17.24.0"
+  source  = "terraform-aws-modules/eks/aws"
+  version = "18.26.3"
+
   cluster_name    = local.cluster_name
-  cluster_version = "1.20"
-  subnets         = module.vpc.private_subnets
+  cluster_version = "1.22"
+
+  vpc_id     = module.vpc.vpc_id
+  subnet_ids = module.vpc.private_subnets
+
+  manage_aws_auth_configmap = true
+
+  eks_managed_node_group_defaults = {
+    ami_type = "AL2_x86_64"
 
-  vpc_id = module.vpc.vpc_id
+    attach_cluster_primary_security_group = true
 
-  workers_group_defaults = {
-    root_volume_type = "gp2"
+    # Disabling and using externally provided security groups
+    create_security_group = false
   }
 
-  worker_groups = [
-    {
-      name                          = "worker-group-1"
-      instance_type                 = "t2.small"
-      additional_userdata           = "echo foo bar"
-      additional_security_group_ids = [aws_security_group.worker_group_mgmt_one.id]
-      asg_desired_capacity          = 2
-    },
-    {
-      name                          = "worker-group-2"
-      instance_type                 = "t2.medium"
-      additional_userdata           = "echo foo bar"
-      additional_security_group_ids = [aws_security_group.worker_group_mgmt_two.id]
-      asg_desired_capacity          = 1
-    },
-  ]
-}
+  eks_managed_node_groups = {
+    one = {
+      name = "node-group-1"
 
-data "aws_eks_cluster" "cluster" {
-  name = module.eks.cluster_id
-}
+      instance_types = ["t3.small"]
+
+      min_size     = 1
+      max_size     = 3
+      desired_size = 2
 
-data "aws_eks_cluster_auth" "cluster" {
-  name = module.eks.cluster_id
+      pre_bootstrap_user_data = <<-EOT
+      echo 'foo bar'
+      EOT
+
+      vpc_security_group_ids = [
+        aws_security_group.node_group_one.id
+      ]
+    }
+
+    two = {
+      name = "node-group-2"
+
+      instance_types = ["t3.medium"]
+
+      min_size     = 1
+      max_size     = 2
+      desired_size = 1
+
+      pre_bootstrap_user_data = <<-EOT
+      echo 'foo bar'
+      EOT
+
+      vpc_security_group_ids = [
+        aws_security_group.node_group_two.id
+      ]
+    }
+  }
 }
diff --git a/kubernetes-dashboard-admin.rbac.yaml b/kubernetes-dashboard-admin.rbac.yaml
diff --git a/kubernetes.tf → main.tf b/kubernetes.tf → main.tf
@@ -1,12 +1,31 @@
 # Kubernetes provider
 # https://learn.hashicorp.com/terraform/kubernetes/provision-eks-cluster#optional-configure-terraform-kubernetes-provider
 # To learn how to schedule deployments and services using the provider, go here: https://learn.hashicorp.com/terraform/kubernetes/deploy-nginx-kubernetes
-
 # The Kubernetes provider is included in this file so the EKS module can complete successfully. Otherwise, it throws an error when creating `kubernetes_config_map.aws_auth`.
 # You should **not** schedule deployments and services in this workspace. This keeps workspaces modular (one for provision EKS, another for scheduling Kubernetes resources) as per best practices.
-
 provider "kubernetes" {
-  host                   = data.aws_eks_cluster.cluster.endpoint
-  token                  = data.aws_eks_cluster_auth.cluster.token
-  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
+  host                   = module.eks.cluster_endpoint
+  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
+
+  exec {
+    api_version = "client.authentication.k8s.io/v1beta1"
+    command     = "aws"
+    # This requires the awscli to be available locally where Terraform is executed
+    args = ["eks", "get-token", "--cluster-name", module.eks.cluster_id]
+  }
+}
+
+provider "aws" {
+  region = var.region
+}
+
+data "aws_availability_zones" "available" {}
+
+locals {
+  cluster_name = "education-eks-${random_string.suffix.result}"
+}
+
+resource "random_string" "suffix" {
+  length  = 8
+  special = false
 }
diff --git a/outputs.tf b/outputs.tf
@@ -1,26 +1,21 @@
 output "cluster_id" {
-  description = "EKS cluster ID."
+  description = "EKS cluster ID"
   value       = module.eks.cluster_id
 }
 
 output "cluster_endpoint" {
-  description = "Endpoint for EKS control plane."
+  description = "Endpoint for EKS control plane"
   value       = module.eks.cluster_endpoint
 }
 
 output "cluster_security_group_id" {
-  description = "Security group ids attached to the cluster control plane."
+  description = "Security group ids attached to the cluster control plane"
   value       = module.eks.cluster_security_group_id
 }
 
-output "kubectl_config" {
-  description = "kubectl config as generated by the module."
-  value       = module.eks.kubeconfig
-}
-
-output "config_map_aws_auth" {
-  description = "A kubernetes configuration to authenticate to this EKS cluster."
-  value       = module.eks.config_map_aws_auth
+output "aws_auth_configmap_yaml" {
+  description = "Formatted yaml output for base aws-auth configmap containing roles used in cluster node groups/fargate profiles"
+  value       = module.eks.aws_auth_configmap_yaml
 }
 
 output "region" {