updates to params and readme

Author: marcincuber

terraform/README.md

@@ -21,8 +21,8 @@ $ terraform apply
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.98.0 |
-| <a name="provider_tls"></a> [tls](#provider\_tls) | 4.1.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.74 |
+| <a name="provider_tls"></a> [tls](#provider\_tls) | >= 4.0 |
 
 ## Modules
 
@@ -31,7 +31,7 @@ $ terraform apply
 | <a name="module_eks_cluster"></a> [eks\_cluster](#module\_eks\_cluster) | native-cube/kms/aws | ~> 1.0.0 |
 | <a name="module_eks_node_group_al2023"></a> [eks\_node\_group\_al2023](#module\_eks\_node\_group\_al2023) | native-cube/eks-node-group/aws | ~> 1.1.0 |
 | <a name="module_eks_vpc_flow_logs"></a> [eks\_vpc\_flow\_logs](#module\_eks\_vpc\_flow\_logs) | native-cube/vpc-flow-logs/aws | ~> 2.2.0 |
-| <a name="module_vpc_eks"></a> [vpc\_eks](#module\_vpc\_eks) | terraform-aws-modules/vpc/aws | 5.18.1 |
+| <a name="module_vpc_eks"></a> [vpc\_eks](#module\_vpc\_eks) | terraform-aws-modules/vpc/aws | 6.0.1 |
 
 ## Resources
 
@@ -65,7 +65,7 @@ $ terraform apply
 | [aws_iam_role.adot_collector](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role.ebs_csi_controller_sa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.ebs_csi_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.eks_node_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.eks_node_karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
@@ -79,7 +79,7 @@ $ terraform apply
 | [aws_iam_role_policy.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy_attachments_exclusive.adot_collector](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachments_exclusive) | resource |
 | [aws_iam_role_policy_attachments_exclusive.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachments_exclusive) | resource |
-| [aws_iam_role_policy_attachments_exclusive.ebs_csi_controller_sa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachments_exclusive) | resource |
+| [aws_iam_role_policy_attachments_exclusive.ebs_csi_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachments_exclusive) | resource |
 | [aws_iam_role_policy_attachments_exclusive.eks_node_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachments_exclusive) | resource |
 | [aws_iam_role_policy_attachments_exclusive.eks_node_karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachments_exclusive) | resource |
 | [aws_launch_template.cluster_al2023](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource |
@@ -142,6 +142,7 @@ $ terraform apply
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_azs"></a> [azs](#input\_azs) | A list of availability zones names or ids in the region | `list(string)` | `[]` | no |
+| <a name="input_capacity_type"></a> [capacity\_type](#input\_capacity\_type) | Type of capacity associated with the EKS Node Group. Defaults to ON\_DEMAND. Valid values: ON\_DEMAND, SPOT. | `string` | `"ON_DEMAND"` | no |
 | <a name="input_ebs_delete_on_termination"></a> [ebs\_delete\_on\_termination](#input\_ebs\_delete\_on\_termination) | Whether the volume should be destroyed on instance termination. | `bool` | `true` | no |
 | <a name="input_ebs_encrypted"></a> [ebs\_encrypted](#input\_ebs\_encrypted) | Enables EBS encryption on the volume. | `bool` | `true` | no |
 | <a name="input_ebs_volume_size"></a> [ebs\_volume\_size](#input\_ebs\_volume\_size) | The size of the volume in gigabytes. | `number` | `100` | no |

terraform/eks-addons.tf

@@ -51,7 +51,7 @@ resource "aws_eks_addon" "aws_ebs_csi_driver" {
   resolve_conflicts_on_create = "OVERWRITE"
   resolve_conflicts_on_update = "OVERWRITE"
 
-  service_account_role_arn = aws_iam_role.ebs_csi_controller_sa.arn
+  service_account_role_arn = aws_iam_role.ebs_csi_controller.arn
 
   preserve = true
 
@@ -60,22 +60,6 @@ resource "aws_eks_addon" "aws_ebs_csi_driver" {
   }
 }
 
-resource "aws_iam_role" "ebs_csi_controller_sa" {
-  name = "ebs-csi-controller-sa"
-
-  assume_role_policy = templatefile("policies/oidc_assume_role_policy.json", {
-    OIDC_ARN  = aws_iam_openid_connect_provider.cluster.arn,
-    OIDC_URL  = replace(aws_iam_openid_connect_provider.cluster.url, "https://", ""),
-    NAMESPACE = "kube-system",
-    SA_NAME   = "ebs-csi-controller-sa"
-  })
-}
-
-resource "aws_iam_role_policy_attachments_exclusive" "ebs_csi_controller_sa" {
-  role_name   = aws_iam_role.ebs_csi_controller_sa.name
-  policy_arns = ["arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"]
-}
-
 resource "aws_eks_addon" "kubecost" {
   count = var.eks_addon_version_kubecost != null ? 1 : 0
 

terraform/eks-managed-node-group-al2023.tf

@@ -77,7 +77,7 @@ module "eks_node_group_al2023" {
     version = aws_launch_template.cluster_al2023.latest_version
   }
 
-  capacity_type = "ON_DEMAND"
+  capacity_type = var.capacity_type
 
   tags = {
     "kubernetes.io/cluster/${var.name_prefix}" = "owned"

terraform/oidc-iam-roles.tf

@@ -136,3 +136,20 @@ resource "aws_iam_role_policy_attachments_exclusive" "adot_collector" {
     "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
   ]
 }
+
+# Used by EBS CSI addon
+resource "aws_iam_role" "ebs_csi_controller" {
+  name = "${var.name_prefix}-ebs-csi-controller"
+
+  assume_role_policy = templatefile("policies/oidc_assume_role_policy.json", {
+    OIDC_ARN  = aws_iam_openid_connect_provider.cluster.arn,
+    OIDC_URL  = replace(aws_iam_openid_connect_provider.cluster.url, "https://", ""),
+    NAMESPACE = "kube-system",
+    SA_NAME   = "ebs-csi-controller-sa"
+  })
+}
+
+resource "aws_iam_role_policy_attachments_exclusive" "ebs_csi_controller" {
+  role_name   = aws_iam_role.ebs_csi_controller.name
+  policy_arns = ["arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"]
+}

terraform/variables.tf

@@ -47,6 +47,12 @@ variable "instance_types" {
   default     = ["m6i.large"]
 }
 
+variable "capacity_type" {
+  type        = string
+  description = "Type of capacity associated with the EKS Node Group. Defaults to ON_DEMAND. Valid values: ON_DEMAND, SPOT."
+  default     = "ON_DEMAND"
+}
+
 variable "eks_service_ipv4_cidr" {
   type        = string
   description = "The CIDR block to assign Kubernetes service IP addresses from."

terraform/vpc.tf

@@ -1,6 +1,6 @@
 module "vpc_eks" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "5.18.1"
+  version = "6.0.1"
 
   name = var.name_prefix