# EKS cluster built on the community terraform-aws-modules/eks module (pinned to
# 20.31.6). Everything security-relevant about the control plane, the managed
# node group and its instances is declared here; the IRSA modules it references
# (vpc_cni_irsa, irsa-efs-csi) and local.merged_access_entries live elsewhere.
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "20.31.6"

  # When long names are allowed the IAM role gets the exact name instead of a
  # generated prefix (the node-group setting below mirrors this).
  iam_role_use_name_prefix = !var.allow_long_names

  cluster_name    = var.eks_cluster_name
  cluster_version = var.eks_cluster_version

  # Both endpoints are on. With the public endpoint enabled, reachability of the
  # API server from the internet is bounded only by the CIDR list below.
  # NOTE(review): the module's own default for this list is 0.0.0.0/0 — confirm
  # that var.cluster_endpoint_public_access_cidrs is narrowed in every root that
  # instantiates this module.
  cluster_endpoint_private_access      = true
  cluster_endpoint_public_access       = true
  cluster_endpoint_public_access_cidrs = var.cluster_endpoint_public_access_cidrs

  cluster_security_group_name = "${var.eks_cluster_name}-sg"

  # IAM roles for service accounts (OIDC provider); the addons below rely on it
  # for per-workload AWS permissions instead of the node instance role.
  enable_irsa = true

  # Cluster access entries (who can authenticate to the API) come from a local
  # merged elsewhere in this configuration.
  access_entries = local.merged_access_entries

  ## Control plane logging
  # Log types and retention are caller-controlled; audit/authenticator logs
  # only exist if var.cluster_enabled_log_types includes them.
  create_cloudwatch_log_group            = true
  cluster_enabled_log_types              = var.cluster_enabled_log_types
  cloudwatch_log_group_retention_in_days = var.cluster_log_retention_in_days

  # Managed addons. coredns and kube-proxy are version-pinned; vpc-cni is not
  # pinned here and therefore resolves to whatever the module/provider picks —
  # consider pinning it like the others for reproducible upgrades.
  cluster_addons = merge(
    {
      coredns = {
        addon_version = var.addons_versions.coredns
      }
      kube-proxy = {
        addon_version = var.addons_versions.kube_proxy
      }
      vpc-cni = {
        service_account_role_arn = module.vpc_cni_irsa.iam_role_arn
      }
    },
    # EFS CSI driver is optional and, like vpc-cni, runs under its own IRSA role.
    var.enable_efs_csi ? {
      aws-efs-csi-driver = {
        addon_version            = var.addons_versions.efs_csi
        service_account_role_arn = module.irsa-efs-csi.iam_role_arn
        tags                     = tomap({ eks_addon = "efs_csi" })
      }
    } : {}
  )

  # Control plane -> nodes on the ephemeral port range (e.g. for webhooks and
  # metrics servers listening on non-standard ports).
  cluster_security_group_additional_rules = {
    egress_nodes_ephemeral_ports_tcp = {
      description                = "To node 1025-65535"
      protocol                   = "tcp"
      from_port                  = 1025
      to_port                    = 65535
      type                       = "egress"
      source_node_security_group = true
    }
  }

  # Node <-> node on all ports and protocols; `self = true` scopes this to
  # members of the node security group only, nothing outside it.
  node_security_group_additional_rules = {
    ingress_self_all = {
      description = "Node to node all ports/protocols"
      protocol    = "-1"
      from_port   = 0
      to_port     = 0
      type        = "ingress"
      self        = true
    }
  }

  cluster_ip_family          = "ipv4"
  create_cni_ipv6_iam_policy = false

  vpc_id                   = var.vpc_id
  subnet_ids               = var.subnet_ids
  control_plane_subnet_ids = var.control_plane_subnet_ids

  # EKS Managed Node Group(s)
  eks_managed_node_group_defaults = {
    ami_type       = var.eks_ami_type
    # NOTE(review): disk_size and the xvda volume_size below are both fed from
    # var.eks_disk_size; when the module builds a launch template with
    # block_device_mappings, the mapping is what takes effect — confirm and
    # consider dropping the duplicate.
    disk_size      = var.eks_disk_size
    instance_types = var.eks_instance_types

    iam_role_attach_cni_policy   = true
    # Extra managed policies for the node role; every pod on the node can
    # reach these through IMDS unless the hop limit below blocks it.
    iam_role_additional_policies = var.eks_node_additional_policies

    block_device_mappings = {
      xvda = {
        device_name = "/dev/xvda"
        ebs = {
          volume_size = var.eks_disk_size
          volume_type = var.eks_volume_type
          iops        = var.eks_volume_iops
          # Hard-coded while iops/type are variables; parameterize if callers
          # need to tune it alongside iops.
          throughput  = 150
          # Encrypted at rest; no kms_key_id is given, so the account's default
          # EBS key applies.
          encrypted             = true
          delete_on_termination = true
        }
      }
    }
  }

  eks_managed_node_groups = {
    eks_workers = {
      iam_role_use_name_prefix = !var.allow_long_names
      name                     = "${var.eks_cluster_name}-ng"

      min_size     = var.eks_ng_min_size
      max_size     = var.eks_ng_max_size
      desired_size = var.eks_ng_desired_size

      ebs_optimized = true

      # IMDSv2 is mandatory (http_tokens = "required") and instance tags are not
      # exposed via IMDS. A hop limit of 2 lets a request that crosses one extra
      # network hop — e.g. a pod behind the node's veth — still reach IMDS.
      # NOTE(review): with IRSA enabled above, hop limit 1 is the stricter
      # setting; confirm no workload depends on the node role via IMDS before
      # lowering it.
      metadata_options = {
        http_endpoint               = "enabled"
        http_tokens                 = "required"
        http_put_response_hop_limit = 2
        instance_metadata_tags      = "disabled"
      }

      subnet_ids    = var.subnet_ids
      capacity_type = var.eks_ng_capacity_type

      # A dedicated security group for this node group, in addition to the
      # module's shared node security group configured above.
      create_security_group = true
      security_group_name   = "${var.eks_cluster_name}-ng-sg"
    }
  }

  tags = var.eks_tags

  # KMS key the module manages for the cluster; whether the key's default
  # policy is kept and which principals get key usage are caller-controlled.
  kms_key_enable_default_policy = var.kms_key_enable_default_policy
  kms_key_users                 = var.kms_key_users
}
# The EBS CSI driver is managed as a standalone addon resource rather than
# through module.eks's cluster_addons map. Referencing module.eks.cluster_name
# is what orders it after the cluster; unlike addons declared inside the
# module, nothing here waits for the node group, so the addon may sit in a
# non-ACTIVE state until nodes exist — NOTE(review): confirm whether an explicit
# depends_on on the node group is wanted.
resource "aws_eks_addon" "ebs-csi" {
  addon_name    = "aws-ebs-csi-driver"
  addon_version = var.addons_versions.ebs_csi
  cluster_name  = module.eks.cluster_name

  # IRSA role built by the irsa-ebs-csi module (defined elsewhere); binding it
  # to the driver's service account scopes EBS API permissions to the driver.
  service_account_role_arn = module.irsa-ebs-csi.iam_role_arn

  # Cluster-wide tags plus the same eks_addon marker the in-module EFS addon
  # uses, so both addons can be found by the same tag filter.
  tags = merge(var.eks_tags, { eks_addon = "ebs_csi" })
}