tfstack/terraform-aws-eks

terraform-aws-eks

Terraform module for AWS EKS clusters

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3 |
| aws | >= 6.0.0 |
| helm | >= 2.13.0 |
| kubernetes | >= 2.29.0 |

Providers

| Name | Version |
|------|---------|
| aws | 6.8.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| access | ./modules/access | n/a |
| addons | ./modules/addons | n/a |
| cloudwatch_logs | ./modules/cloudwatch_logs | n/a |
| cluster | ./modules/cluster | n/a |
| encryption | ./modules/encryption | n/a |
| irsa | ./modules/irsa | n/a |
| namespaces | ./modules/namespaces | n/a |
| node_groups | ./modules/node_groups | n/a |

Resources

| Name | Type |
|------|------|
| aws_eks_cluster_versions.available | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| access_entries | Access entries to grant. Provide a list of objects with principal and policy. | <pre>list(object({<br>  principal_arn     = string<br>  policy_arn        = string<br>  kubernetes_groups = optional(list(string), [])<br>  type              = optional(string)<br>  access_scope = optional(object({<br>    type       = string<br>    namespaces = optional(list(string), [])<br>  }), null)<br>}))</pre> | `[]` | no |
| cloudwatch_prevent_destroy | Whether to set lifecycle prevent_destroy on log groups | `bool` | `false` | no |
| cloudwatch_retention_in_days | Retention in days for CloudWatch log groups | `number` | `90` | no |
| cluster_authentication_mode | EKS cluster authentication mode | `string` | `"API_AND_CONFIG_MAP"` | no |
| cluster_enabled_log_types | List of enabled cluster control plane log types | `list(string)` | `[]` | no |
| cluster_endpoint_public_access_cidrs | CIDR blocks from which the EKS public endpoint is accessible | `list(string)` | `["0.0.0.0/0"]` | no |
| cluster_executor_role_arn | Optional IAM role ARN to grant cluster admin via an EKS access entry | `string` | `null` | no |
| cluster_name | EKS cluster name | `string` | n/a | yes |
| cluster_upgrade_policy | Upgrade policy for the EKS cluster | <pre>object({<br>  support_type = optional(string, null)<br>})</pre> | `{}` | no |
| cluster_version | EKS Kubernetes version, e.g. 1.32 | `string` | n/a | yes |
| cluster_vpc_config | Optional object for full cluster VPC config | <pre>object({<br>  subnet_ids              = optional(list(string), null)<br>  private_subnet_ids      = optional(list(string), null)<br>  private_access_cidrs    = optional(list(string), null)<br>  public_access_cidrs     = optional(list(string), null)<br>  service_cidr            = optional(string, null)<br>  security_group_ids      = optional(list(string), null)<br>  endpoint_private_access = optional(bool, null)<br>  endpoint_public_access  = optional(bool, null)<br>})</pre> | `null` | no |
| cluster_zonal_shift_config | Zonal shift configuration | <pre>object({<br>  enabled = optional(bool, false)<br>})</pre> | `{}` | no |
| coredns_version | Optional version for the CoreDNS addon | `string` | `null` | no |
| create | Whether to create resources. Useful for tests. | `bool` | `true` | no |
| create_security_group | Whether to create the cluster security group | `bool` | `true` | no |
| ebs_csi_version | Optional version for the EBS CSI driver addon | `string` | `null` | no |
| efs_csi_version | Optional version for the EFS CSI driver addon | `string` | `null` | no |
| eks_log_prevent_destroy | Alias of cloudwatch_prevent_destroy | `bool` | `true` | no |
| eks_log_retention_days | Alias of cloudwatch_retention_in_days | `number` | `90` | no |
| enable_cloudwatch_observability | Enable CloudWatch observability features | `bool` | `false` | no |
| enable_cluster_encryption | Enable KMS envelope encryption for Kubernetes secrets | `bool` | `false` | no |
| enable_coredns | Enable the CoreDNS addon | `bool` | `true` | no |
| enable_ebs_csi | Enable the EBS CSI driver addon | `bool` | `false` | no |
| enable_efs_csi | Enable the EFS CSI driver addon | `bool` | `false` | no |
| enable_irsa | Enable IRSA (OIDC provider and optional roles) | `bool` | `false` | no |
| enable_kube_proxy | Enable the kube-proxy addon | `bool` | `true` | no |
| enable_oidc | Enable the IAM OIDC provider (alias of enable_irsa) | `bool` | `false` | no |
| enable_vpc_cni | Enable the VPC CNI addon | `bool` | `true` | no |
| encryption_kms_key_arn | Optional pre-existing KMS key ARN for EKS secret encryption | `string` | `null` | no |
| existing_oidc_provider_arn | If set, use this OIDC provider ARN instead of creating a new one | `string` | `null` | no |
| kube_proxy_version | Optional version for the kube-proxy addon | `string` | `null` | no |
| managed_node_groups | Map of managed node group configurations | <pre>map(object({<br>  subnet_ids     = list(string)<br>  desired_size   = number<br>  max_size       = number<br>  min_size       = number<br>  instance_types = list(string)<br>  remote_access = optional(object({<br>    ec2_ssh_key               = string<br>    source_security_group_ids = list(string)<br>  }))<br>  update_config = optional(object({<br>    max_unavailable            = optional(number)<br>    max_unavailable_percentage = optional(number)<br>  }))<br>  taints = optional(list(object({<br>    key    = string<br>    value  = string<br>    effect = string<br>  })))<br>  labels = optional(map(string))<br>  tags   = optional(map(string))<br>}))</pre> | `{}` | no |
| namespaces | Namespaces to create. Accepts either a list of objects `[{ name, labels }]` or a map (`name => { labels }`). | `any` | `[]` | no |
| node_group_additional_policies | Map of additional IAM policies for node groups | <pre>map(object({<br>  policy = string<br>}))</pre> | `{}` | no |
| private_subnet_ids | List of private subnet IDs for the EKS cluster | `list(string)` | `null` | no |
| public_subnet_ids | Optional list of public subnet IDs (unused by default) | `list(string)` | `null` | no |
| self_managed_node_groups | Map of self-managed node group configurations | <pre>map(object({<br>  subnet_ids    = list(string)<br>  desired_size  = number<br>  max_size      = number<br>  min_size      = number<br>  ami_id        = string<br>  instance_type = string<br>  block_device_mappings = optional(list(object({<br>    device_name = string<br>    ebs = object({<br>      volume_size           = number<br>      volume_type           = string<br>      iops                  = optional(number)<br>      throughput            = optional(number)<br>      encrypted             = optional(bool)<br>      kms_key_id            = optional(string)<br>      delete_on_termination = optional(bool)<br>    })<br>  })))<br>  network_interfaces = optional(list(object({<br>    associate_public_ip_address = optional(bool)<br>    delete_on_termination       = optional(bool)<br>    device_index                = number<br>    interface_type              = optional(string)<br>    ipv4_address_count          = optional(number)<br>    ipv4_addresses              = optional(list(string))<br>    ipv4_prefix_count           = optional(number)<br>    ipv4_prefixes               = optional(list(string))<br>    ipv6_address_count          = optional(number)<br>    ipv6_addresses              = optional(list(string))<br>    ipv6_prefix_count           = optional(number)<br>    ipv6_prefixes               = optional(list(string))<br>    network_card_index          = optional(number)<br>    network_interface_id        = optional(string)<br>    private_ip_address          = optional(string)<br>    subnet_id                   = string<br>  })))<br>  bootstrap_script  = optional(string)<br>  target_group_arns = optional(list(string))<br>  labels            = optional(map(string))<br>  taints = optional(list(object({<br>    key    = string<br>    value  = string<br>    effect = string<br>  })))<br>  tags = optional(map(string))<br>}))</pre> | `{}` | no |
| tags | Common tags to apply to resources | `map(string)` | `{}` | no |
| timeouts | Timeouts for EKS cluster operations | <pre>object({<br>  create = optional(string, null)<br>  update = optional(string, null)<br>  delete = optional(string, null)<br>})</pre> | `{}` | no |
| vpc_cni_version | Optional version for the VPC CNI addon | `string` | `null` | no |
| vpc_id | VPC ID for the EKS cluster | `string` | n/a | yes |
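The following module call is an added example, not code from the tfstack/terraform-aws-eks repository: it overrides the inputs whose defaults are the least restrictive (public endpoint open to `0.0.0.0/0`, no control-plane logs, no secret encryption, ConfigMap-based auth) with hardened values. The module source path, the account ID, and every VPC, subnet, KMS and IAM identifier are assumed placeholders, and the way `cluster_vpc_config` merges with the top-level inputs is an assumption to confirm against the module code.

```hcl
# Added example, not from the tfstack/terraform-aws-eks repository. The source
# path, and every ID, ARN and CIDR below, are assumed placeholders.
module "eks" {
  source = "github.com/tfstack/terraform-aws-eks" # assumed source path

  cluster_name       = "payments-prod" # constructed
  cluster_version    = "1.32"
  vpc_id             = "vpc-0123456789abcdef0" # placeholder
  private_subnet_ids = ["subnet-0123456789abcdef0", "subnet-0fedcba9876543210"] # placeholders

  # Default is ["0.0.0.0/0"]: the Kubernetes API reachable from any IP. Limit it
  # to a known egress range (TEST-NET-3 as placeholder); keep the private endpoint on.
  cluster_endpoint_public_access_cidrs = ["203.0.113.0/24"]
  cluster_vpc_config = { endpoint_private_access = true } # merge semantics assumed

  # Default [] ships no control-plane logs; keep an audit trail in CloudWatch.
  cluster_enabled_log_types    = ["api", "audit", "authenticator"]
  cloudwatch_retention_in_days = 365
  cloudwatch_prevent_destroy   = true

  # Envelope-encrypt Kubernetes secrets with a customer-managed key (default off).
  enable_cluster_encryption = true
  encryption_kms_key_arn    = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"

  # Access entries only (no aws-auth ConfigMap to drift), scoped to one namespace.
  cluster_authentication_mode = "API"
  access_entries = [{
    principal_arn = "arn:aws:iam::111122223333:role/ci-deployer" # placeholder
    policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSEditPolicy"
    access_scope = {
      type       = "namespace"
      namespaces = ["payments"]
    }
  }]

  enable_irsa = true # IAM OIDC provider so pods assume scoped roles, not node-wide creds

  managed_node_groups = {
    default = {
      subnet_ids     = ["subnet-0123456789abcdef0", "subnet-0fedcba9876543210"]
      desired_size   = 2
      max_size       = 4
      min_size       = 2
      instance_types = ["m6i.large"]
    }
  }

  tags = { environment = "prod" }
}
```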

Outputs

| Name | Description |
|------|-------------|
| addons_status | Status of managed addons |
| addons_versions | Versions of managed addons |
| cluster_arn | ARN of the EKS cluster |
| cluster_auth_token | Token to use for authentication with the cluster |
| cluster_ca_certificate | Base64-encoded certificate data required to communicate with the cluster |
| cluster_endpoint | Endpoint for the EKS cluster |
| cluster_name | Name of the EKS cluster |
| cluster_oidc_issuer_url | OIDC issuer URL for the cluster |
| managed_node_group_arns | ARNs of managed node groups |
| managed_node_group_ids | IDs of managed node groups |
| managed_node_group_resources | Resource information for managed node groups |
| managed_node_group_role_arns | ARNs of managed node group IAM roles |
| managed_node_group_role_names | Names of managed node group IAM roles |
| self_managed_node_group_asg_names | Auto Scaling group names for self-managed node groups |
| self_managed_node_group_launch_template_ids | Launch template IDs for self-managed node groups |
| self_managed_node_group_role_arns | ARNs of self-managed node group IAM roles |
| self_managed_node_group_role_names | Names of self-managed node group IAM roles |
