This module is responsible for the EKS Worker Nodes in the EKS cluster
topology. You must launch a control plane in order
for the worker nodes to function. See the eks-cluster-control-plane module for
managing an EKS control plane.
How do you use this module?
See the root README for instructions on using Terraform modules.
See variables.tf for all the variables you can set on this module.
See outputs.tf for all the variables that are outputed by this module.
Differences with managed node groups
See the [Differences with self managed workers] section in the documentation for eks-cluster-managed-workers
module for a detailed overview of differences with EKS Managed Node Groups.
What should be included in the user-data script?
In order for the EKS worker nodes to function, it must register itself to the Kubernetes API run by the EKS control
plane. This is handled by the bootstrap script provided in the EKS optimized AMI. The user-data script should call the
bootstrap script at some point during its execution. You can get this information from the eks-cluster-control-plane
module.
EKS clusters using Kubernetes version 1.14 and above automatically create a managed security group known as the cluster
security group. The cluster security group is designed to allow all traffic from the control plane and worker nodes to
flow freely between each other. This security group has the following rules:
Allow Kubernetes API traffic between the security group and the control plane security group.
Allow all traffic between instances of the security group ("ingress all from self").
Allow all outbound traffic.
EKS will automatically use this security group for the underlying worker instances used with managed node groups or
Fargate. This allows traffic to flow freely between Fargate Pods and worker instances managed with managed node groups.
You can read more about the cluster security group in the AWS
docs.
By default this module will attach two security groups to the worker nodes managed by the module:
The cluster security group.
A custom security group that can be extended with additional rules.
You can attach additional security groups to the nodes using the var.additional_security_group_ids input variable.
If you would like to avoid the cluster security group (this is useful if
you wish to isolate at the network level the workers managed by this module from other workers in your cluster like
Fargate, Managed Node Groups, or other self managed ASGs), set the use_cluster_security_group input variable to
false. With this setting, the module will apply recommended security group rules to the custom group to allow the node
to function as a EKS worker. The rules used for the new security group are based on the recommendations provided by
AWS for configuring
an EKS cluster.
<a name="how-to-extend-security-group"></a>How do you add additional security group rules?
To add additional security group rules to the EKS cluster worker nodes, you can use the
aws_security_group_rule resource, and set its
security_group_id argument to the Terraform output of this module called eks_worker_security_group_id for the worker
nodes. For example, here is how you can allow the EC2 Instances in this cluster to allow incoming HTTP requests on port
8080:
Note: The security group rules you add will apply to ALL Pods running on these EC2 Instances. There is currently no
way in EKS to manage security group rules on a per-Pod basis. Instead, rely on Kubernetes Network
Policies to restrict network access within a
Kubernetes cluster.
What IAM policies are attached to the EKS Cluster?
This module will create IAM roles for the EKS cluster worker nodes with the minimum set of policies necessary
for the cluster to function as a Kubernetes cluster. The policies attached to the roles are the same as those documented
in the AWS getting started guide for EKS.
How do you add additional IAM policies?
To add additional IAM policies to the EKS cluster worker nodes, you can use the
aws_iam_role_policy or
aws_iam_policy_attachment resources, and set
the IAM role id to the Terraform output of this module called eks_worker_iam_role_name for the worker nodes. For
example, here is how you can allow the worker nodes in this cluster to access an S3 bucket:
Note: The IAM policies you add will apply to ALL Pods running on these EC2 Instances. See the How do I associate
IAM roles to the Pods? section of the
eks-cluster-control-plane module README for more fine-grained allocation of IAM credentials to Pods.
How do I SSH into the nodes?
This module provides options to allow you to SSH into the worker nodes of an EKS cluster that are managed by this
module. To do so, you must first use an AMI that is configured to allow SSH access. Then, you must setup the auto
scaling group to launch instances with a known keypair that you have access to by using the
cluster_instance_keypair_name option of the module. Finally, you need to configure the security group of the worker
node to allow access to the port for SSH by extending the security group of the worker nodes by following the guide
above. This will allow SSH access to the instance using the specified keypair, provided
the server AMI is configured to run the ssh daemon.
Note: Using a single key pair shared with your whole team for all of your SSH access is not secure. For a more
secure option that allows each developer to use their own SSH key, and to manage server access via IAM or your Identity
Provider (e.g. Google, ADFS, Okta, etc), see ssh-grunt.
How do I roll out an update to the instances?
Terraform and AWS do not provide a way to automatically roll out a change to the Instances in an EKS Cluster. Due to
Terraform limitations (see here for a discussion), there is
currently no way to implement this purely in Terraform code. Therefore, we've embedded this functionality into
kubergrunt that can do a zero-downtime roll out for you.
This module will not automatically scale in response to resource usage by default, the
autoscaling_group_configurations.*.max_size option is only used to give room for new instances during rolling updates.
To enable auto-scaling in response to resource utilization, you must set the include_autoscaler_discovery_tags input
variable to true and also deploy the Kubernetes Cluster Autoscaler module.
Note that the cluster autoscaler only supports ASGs that manage nodes in a single availability zone. This means that you
need to carefully provision the managed node groups such that you have one group per AZ if you wish to use the cluster
autoscaler. To accomplish this, ensure that the subnet_ids in each autoscaling_group_configurations input map entry
come from the same AZ.
{"treedata":{"name":"root","toggled":true,"children":[{"name":".circleci","children":[{"name":"config.yml","path":".circleci/config.yml","sha":"cd0f759ae90af4380a46377f990df626a9b4384f"}]},{"name":".gitignore","path":".gitignore","sha":"7f6cf4bc746bbfd6da4c7a21dbcf1a2296aa0c10"},{"name":".pre-commit-config.yaml","path":".pre-commit-config.yaml","sha":"b008949ef10a7bad93ab93e8821da77577a30c5c"},{"name":"CODEOWNERS","path":"CODEOWNERS","sha":"ecbeaab263c59e955b621268f161059633041e3d"},{"name":"CONTRIBUTING.md","path":"CONTRIBUTING.md","sha":"a7cc7bd94443c252390564fa988755dbbe80d87d"},{"name":"GRUNTWORK_PHILOSOPHY.md","path":"GRUNTWORK_PHILOSOPHY.md","sha":"02d9873a74c99fe6d9b6b26bd9f8eb4a7a699c32"},{"name":"LICENSE.md","path":"LICENSE.md","sha":"a2cf01ecdd725fddd718ab91c80c115882c94f3c"},{"name":"README.adoc","path":"README.adoc","sha":"d910b297cb8da321866768941c9e1bb5f38b12d5"},{"name":"_docs","children":[{"name":"eks-architecture.png","path":"_docs/eks-architecture.png","sha":"b4c9c46f88ed465c5575e915af54ad9920b56941"},{"name":"eks-icon.png","path":"_docs/eks-icon.png","sha":"83a29dc46e7bc6234ba5bb825e8ae283c56229a0"}]},{"name":"core-concepts.md","path":"core-concepts.md","sha":"3c504a547fc55ecff5536141534a32ed8a4a4ae7"},{"name":"examples","children":[{"name":"README.md","path":"examples/README.md","sha":"a70f3adc0c888e07b0b03cb32fbd156547c354da"},{"name":"eks-cluster-managed-workers","children":[{"name":"README.md","path":"examples/eks-cluster-managed-workers/README.md","sha":"21acaeb73c1d8a1819480bc7a8d1c35b8fa69081"},{"name":"dependencies.tf","path":"examples/eks-cluster-managed-workers/dependencies.tf","sha":"c51d22849120296cb44e2637625fbe0ef4405a53"},{"name":"main.tf","path":"examples/eks-cluster-managed-workers/main.tf","sha":"d2646b8c0d8e202d4b6ff2d394f0d6f59ab6a18f"},{"name":"outputs.tf","path":"examples/eks-cluster-managed-workers/outputs.tf","sha":"431bebd71e3f9d5c299c1740ba16b2eef717cbf0"},{"name":"variables.tf","path":"examples/eks-cluster-managed-workers/variables.tf","sha":"a574f2c8b45970431a4d8c0fb4eb372ee1676ea6"}]},{"name":"eks-cluster-with-iam-role-mappings","children":[{"name":"README.md","path":"examples/eks-cluster-with-iam-role-mappings/README.md","sha":"6479e81678f2e08df477d467f2124f5dc53e9e53"},{"name":"dependencies.tf","path":"examples/eks-cluster-with-iam-role-mappings/dependencies.tf","sha":"9652dab961175e0f2273b109b5f1724a38e3970f"},{"name":"main.tf","path":"examples/eks-cluster-with-iam-role-mappings/main.tf","sha":"85472aed315ae52f6793d3d911fc04e3c74f8d4f"},{"name":"outputs.tf","path":"examples/eks-cluster-with-iam-role-mappings/outputs.tf","sha":"3876c30890ffef1726d533a869c23e66fa244e6c"},{"name":"user-data","children":[{"name":"user-data.sh","path":"examples/eks-cluster-with-iam-role-mappings/user-data/user-data.sh","sha":"b10c34bfe4c9d10101472b47edbc3b7dff42a88e"}]},{"name":"variables.tf","path":"examples/eks-cluster-with-iam-role-mappings/variables.tf","sha":"d312645223f2c0f65c38416b50145cc58762052b"}]},{"name":"eks-cluster-with-supporting-services","children":[{"name":"README.md","path":"examples/eks-cluster-with-supporting-services/README.md","sha":"381a926738c4630930441ad070c95d3e52a25754"},{"name":"core-services","children":[{"name":"README.md","path":"examples/eks-cluster-with-supporting-services/core-services/README.md","sha":"c1eb41e7cc60a67d29ef846daf3b2e974ca59e6e"},{"name":"dependencies.tf","path":"examples/eks-cluster-with-supporting-services/core-services/dependencies.tf","sha":"0176248910eed450c12b54d10e3d74c8702c17ca"},{"name":"main.tf","path":"examples/eks-cluster-with-supporting-services/core-services/main.tf","sha":"b4739bf4fffbdbcd4584c173df875e38b75f7152"},{"name":"outputs.tf","path":"examples/eks-cluster-with-supporting-services/core-services/outputs.tf","sha":"e69de29bb2d1d6434b8b29ae775ad8c2e48c5391"},{"name":"variables.tf","path":"examples/eks-cluster-with-supporting-services/core-services/variables.tf","sha":"1b244b6aa868a7e2265b55db57f1a4574891b934"}]},{"name":"eks-cluster","children":[{"name":"README.md","path":"examples/eks-cluster-with-supporting-services/eks-cluster/README.md","sha":"8a60a01004a93bbbf2091b730f0207f6dd2cc07e"},{"name":"dependencies.tf","path":"examples/eks-cluster-with-supporting-services/eks-cluster/dependencies.tf","sha":"58c85fb4cb629a91afe41602e56072c19905e79b"},{"name":"main.tf","path":"examples/eks-cluster-with-supporting-services/eks-cluster/main.tf","sha":"ed7f46af2ac6c55f16956f2612ae46edc2941d84"},{"name":"outputs.tf","path":"examples/eks-cluster-with-supporting-services/eks-cluster/outputs.tf","sha":"be23a13dd6f4063be394b8ca7358b631d50fab8a"},{"name":"user-data","children":[{"name":"app_worker_user_data.sh","path":"examples/eks-cluster-with-supporting-services/eks-cluster/user-data/app_worker_user_data.sh","sha":"c5fdd13d5bb04f765f1c90e9f12d23c48e94a252"},{"name":"core_worker_user_data.sh","path":"examples/eks-cluster-with-supporting-services/eks-cluster/user-data/core_worker_user_data.sh","sha":"0fa26153108b3d030ceeaae777aeb0a7e115404e"}]},{"name":"variables.tf","path":"examples/eks-cluster-with-supporting-services/eks-cluster/variables.tf","sha":"21c6ee87a2d2c628af70513000a8b071b1938578"}]},{"name":"nginx-service","children":[{"name":"README.md","path":"examples/eks-cluster-with-supporting-services/nginx-service/README.md","sha":"0f6649ddb0cbb5aa80a5bc1f3318ea1fd5d0dc35"},{"name":"dependencies.tf","path":"examples/eks-cluster-with-supporting-services/nginx-service/dependencies.tf","sha":"0176248910eed450c12b54d10e3d74c8702c17ca"},{"name":"main.tf","path":"examples/eks-cluster-with-supporting-services/nginx-service/main.tf","sha":"db605685e89d5d8ea0b04ae09d52b4acd815270c"},{"name":"templates","children":[{"name":"values.yaml","path":"examples/eks-cluster-with-supporting-services/nginx-service/templates/values.yaml","sha":"298435e01df9fa495b15d512073c62662d292cd3"}]},{"name":"variables.tf","path":"examples/eks-cluster-with-supporting-services/nginx-service/variables.tf","sha":"36ea6f8a36b19e34dbeeb25ae7e5fcf30c956b0f"}]},{"name":"packer","children":[{"name":"README.md","path":"examples/eks-cluster-with-supporting-services/packer/README.md","sha":"6a974a7fd5da7ac13309d9e0c4aaba7bd8cb46c7"},{"name":"build.json","path":"examples/eks-cluster-with-supporting-services/packer/build.json","sha":"25a003de2b3e9ad27915fb5227ffb7bd86d32a23"}]}]},{"name":"eks-fargate-cluster-with-irsa","children":[{"name":"README.md","path":"examples/eks-fargate-cluster-with-irsa/README.md","sha":"7dfcee13140ca3df3baf9f61e666a45dde71a98a"},{"name":"dependencies.tf","path":"examples/eks-fargate-cluster-with-irsa/dependencies.tf","sha":"88e84376868ae8dfc7b90483aa0fffe1c9d1a9ae"},{"name":"main.tf","path":"examples/eks-fargate-cluster-with-irsa/main.tf","sha":"69b807d8db501b38b30987a37743b860a5b3f844"},{"name":"outputs.tf","path":"examples/eks-fargate-cluster-with-irsa/outputs.tf","sha":"f059d7b74ffbfb06a0868d6d0a5d1831c8f45f10"},{"name":"variables.tf","path":"examples/eks-fargate-cluster-with-irsa/variables.tf","sha":"60a02795c83eddf91a610e4baf4a5ce001bc1eec"}]},{"name":"eks-fargate-cluster-with-supporting-services","children":[{"name":"README.md","path":"examples/eks-fargate-cluster-with-supporting-services/README.md","sha":"1612cec3482105c720bcb66db051ce17a69da57c"},{"name":"core-services","children":[{"name":"README.md","path":"examples/eks-fargate-cluster-with-supporting-services/core-services/README.md","sha":"cde0ae405e4d73e9e39c67045fb82de8187a673d"},{"name":"dependencies.tf","path":"examples/eks-fargate-cluster-with-supporting-services/core-services/dependencies.tf","sha":"0176248910eed450c12b54d10e3d74c8702c17ca"},{"name":"main.tf","path":"examples/eks-fargate-cluster-with-supporting-services/core-services/main.tf","sha":"b0903866b183a7447ee42c4474c11bbeacaf1320"},{"name":"variables.tf","path":"examples/eks-fargate-cluster-with-supporting-services/core-services/variables.tf","sha":"c63e2fdb8d5aa91830db61224ce75ee814d6fa56"}]},{"name":"eks-cluster","children":[{"name":"dependencies.tf","path":"examples/eks-fargate-cluster-with-supporting-services/eks-cluster/dependencies.tf","sha":"c7d533db5e590f72eddbe987d0b5353c11b570e1"},{"name":"main.tf","path":"examples/eks-fargate-cluster-with-supporting-services/eks-cluster/main.tf","sha":"a9475e79018631451acb838c3a9382df55d04d5e"},{"name":"outputs.tf","path":"examples/eks-fargate-cluster-with-supporting-services/eks-cluster/outputs.tf","sha":"edddf9a6ab6f5927db366689db79e1b91db9d8c8"},{"name":"variables.tf","path":"examples/eks-fargate-cluster-with-supporting-services/eks-cluster/variables.tf","sha":"72736ac2a85df7150da342545c059b1e9f6e4542"}]},{"name":"nginx-service","children":[{"name":"dependencies.tf","path":"examples/eks-fargate-cluster-with-supporting-services/nginx-service/dependencies.tf","sha":"0176248910eed450c12b54d10e3d74c8702c17ca"},{"name":"main.tf","path":"examples/eks-fargate-cluster-with-supporting-services/nginx-service/main.tf","sha":"1ae7751069711726f7c38fafe60d63d0c5f59494"},{"name":"templates","children":[{"name":"values.yaml","path":"examples/eks-fargate-cluster-with-supporting-services/nginx-service/templates/values.yaml","sha":"655914f91177135cb7c5f15b62166cfc82a62a91"}]},{"name":"variables.tf","path":"examples/eks-fargate-cluster-with-supporting-services/nginx-service/variables.tf","sha":"d3c166441cdc556b0839930fbc281b7e8a1bd57f"}]}]},{"name":"eks-fargate-cluster","children":[{"name":"README.md","path":"examples/eks-fargate-cluster/README.md","sha":"df681cdbe945d0592ca57bd3a8eb9ae5d88c2f4a"},{"name":"dependencies.tf","path":"examples/eks-fargate-cluster/dependencies.tf","sha":"88e84376868ae8dfc7b90483aa0fffe1c9d1a9ae"},{"name":"main.tf","path":"examples/eks-fargate-cluster/main.tf","sha":"eafb099d793a3c73ff60f416df4830a053a1746d"},{"name":"outputs.tf","path":"examples/eks-fargate-cluster/outputs.tf","sha":"9fb0eacd494d51072898a36f4d110a6c6ad77f6b"},{"name":"terraform.tfvars.back","path":"examples/eks-fargate-cluster/terraform.tfvars.back","sha":"6cb73f75cc7828c6b3efdc2a9b1787f75ed276d1"},{"name":"user-data","children":[{"name":"user-data.sh","path":"examples/eks-fargate-cluster/user-data/user-data.sh","sha":"b10c34bfe4c9d10101472b47edbc3b7dff42a88e"}]},{"name":"variables.tf","path":"examples/eks-fargate-cluster/variables.tf","sha":"cd56d66d0980f4d88b0347ff59a96402962d6aa1"}]}]},{"name":"modules","children":[{"name":"eks-alb-ingress-controller-iam-policy","children":[{"name":"README.md","path":"modules/eks-alb-ingress-controller-iam-policy/README.md","sha":"c87be2ee00f8f59403f827303915b5a70c602002"},{"name":"iampolicy.json","path":"modules/eks-alb-ingress-controller-iam-policy/iampolicy.json","sha":"5cba0c1500ee2520d72e8d47b86e318958e4dbc7"},{"name":"main.tf","path":"modules/eks-alb-ingress-controller-iam-policy/main.tf","sha":"a79f5a2e6a0ba72562c5a87182db516d8824ed21"},{"name":"outputs.tf","path":"modules/eks-alb-ingress-controller-iam-policy/outputs.tf","sha":"b551b0bcc6eb1b43bfff1606696566658564cfb4"},{"name":"variables.tf","path":"modules/eks-alb-ingress-controller-iam-policy/variables.tf","sha":"250152e6bfeb02a16bed4151ffc7156636db1bd9"}]},{"name":"eks-alb-ingress-controller","children":[{"name":"README.md","path":"modules/eks-alb-ingress-controller/README.md","sha":"3bfcd0485ea2239eb786564e74c1de0715f23b57"},{"name":"main.tf","path":"modules/eks-alb-ingress-controller/main.tf","sha":"904eefe37cc316b36adbfed59f3c0ebdb218f343"},{"name":"templates","children":[{"name":"node_affinity.yaml","path":"modules/eks-alb-ingress-controller/templates/node_affinity.yaml","sha":"c6eaf8e94fa7c893857cc009df954443239a8fe0"},{"name":"values.yaml","path":"modules/eks-alb-ingress-controller/templates/values.yaml","sha":"9937ba0cbea50640aabca372efedb0e1bdc2ce6d"}]},{"name":"variables.tf","path":"modules/eks-alb-ingress-controller/variables.tf","sha":"0e7c5bdd84bf1835d3cda57a313a2046f310ba23"}]},{"name":"eks-cloudwatch-container-logs","children":[{"name":"README.md","path":"modules/eks-cloudwatch-container-logs/README.md","sha":"83b6cfce471a5b3d0dca1c17b8528d4a3397eae6"},{"name":"main.tf","path":"modules/eks-cloudwatch-container-logs/main.tf","sha":"6827dfece6304e7f439c7bcfb1ccd37c24284c55"},{"name":"outputs.tf","path":"modules/eks-cloudwatch-container-logs/outputs.tf","sha":"7061ed458fec528c8b8b587291f0eccb4324fb72"},{"name":"templates","children":[{"name":"node_affinity.yaml","path":"modules/eks-cloudwatch-container-logs/templates/node_affinity.yaml","sha":"cf47b63d7c2b9699e0ab1e36e9a8dadad3a7f4c0"},{"name":"values.yaml","path":"modules/eks-cloudwatch-container-logs/templates/values.yaml","sha":"bff95a2bcea59db932239c8d197aea76d595bcec"}]},{"name":"variables.tf","path":"modules/eks-cloudwatch-container-logs/variables.tf","sha":"748747e26e3fef8f8a44849c752ba548d8531439"}]},{"name":"eks-cluster-control-plane","children":[{"name":"README.md","path":"modules/eks-cluster-control-plane/README.md","sha":"65d135a9506906c44ae7d592ec374afd3cb21c22"},{"name":"control_plane_scripts","children":[{"name":"bin","children":[{"name":"control_plane_scripts_py27_env.pex","path":"modules/eks-cluster-control-plane/control_plane_scripts/bin/control_plane_scripts_py27_env.pex","sha":"a02c9440827aac48475673ed80106b8cc1376bb4"},{"name":"control_plane_scripts_py3_env.pex","path":"modules/eks-cluster-control-plane/control_plane_scripts/bin/control_plane_scripts_py3_env.pex","sha":"3b4950866dbf6ad90a029585521aa90ed3e8887c"}]},{"name":"build.sh","path":"modules/eks-cluster-control-plane/control_plane_scripts/build.sh","sha":"33b5e9231babdb0c2c0997b04a964c27b98a4e13"},{"name":"cleanup_cluster_resources","children":[{"name":"__init__.py","path":"modules/eks-cluster-control-plane/control_plane_scripts/cleanup_cluster_resources/__init__.py","sha":"e69de29bb2d1d6434b8b29ae775ad8c2e48c5391"},{"name":"global_vars.py","path":"modules/eks-cluster-control-plane/control_plane_scripts/cleanup_cluster_resources/global_vars.py","sha":"47920d25645a8c168f196beb76eb37da60055dd3"},{"name":"main.py","path":"modules/eks-cluster-control-plane/control_plane_scripts/cleanup_cluster_resources/main.py","sha":"21dfb38d1bf8f4d15a03da5e09ae3ba575eb4501"},{"name":"vpc.py","path":"modules/eks-cluster-control-plane/control_plane_scripts/cleanup_cluster_resources/vpc.py","sha":"adaf19fe8e191badfad40513984778d36a059ba5"}]},{"name":"control_plane_scripts_utils","children":[{"name":"__init__.py","path":"modules/eks-cluster-control-plane/control_plane_scripts/control_plane_scripts_utils/__init__.py","sha":"37d050d1afd8ebb0c9d6916cff61fa674e6ac8a3"},{"name":"project_logging.py","path":"modules/eks-cluster-control-plane/control_plane_scripts/control_plane_scripts_utils/project_logging.py","sha":"c29bfb0dfe0a3d4e04aeaabff0b2e58387ccf12b"}]},{"name":"dev_requirements.txt","path":"modules/eks-cluster-control-plane/control_plane_scripts/dev_requirements.txt","sha":"430b91474dc8220624012e70d8c2e43582f17161"},{"name":"requirements.txt","path":"modules/eks-cluster-control-plane/control_plane_scripts/requirements.txt","sha":"0ae8cdb74f4c793658c5dfdd13ce1ec723f7b2a1"},{"name":"upgrade_cluster","children":[{"name":"__init__.py","path":"modules/eks-cluster-control-plane/control_plane_scripts/upgrade_cluster/__init__.py","sha":"e69de29bb2d1d6434b8b29ae775ad8c2e48c5391"},{"name":"eks.py","path":"modules/eks-cluster-control-plane/control_plane_scripts/upgrade_cluster/eks.py","sha":"d0aca412ffa983300df0d8926bee8829e148f85e"},{"name":"exceptions.py","path":"modules/eks-cluster-control-plane/control_plane_scripts/upgrade_cluster/exceptions.py","sha":"c35893a0f70e2c0d86dd64b7bce8d092e84355b3"},{"name":"global_vars.py","path":"modules/eks-cluster-control-plane/control_plane_scripts/upgrade_cluster/global_vars.py","sha":"e223eefafed2576c8988a708395d92f6908b3f49"},{"name":"k8s.py","path":"modules/eks-cluster-control-plane/control_plane_scripts/upgrade_cluster/k8s.py","sha":"c61fe768344f868303b7dac3b201b28b6ab10a1d"},{"name":"k8s_version_map.py","path":"modules/eks-cluster-control-plane/control_plane_scripts/upgrade_cluster/k8s_version_map.py","sha":"b25ddc93cfc13423cc8792ffa74b2f4127851173"},{"name":"main.py","path":"modules/eks-cluster-control-plane/control_plane_scripts/upgrade_cluster/main.py","sha":"30cf982ecf0a2304dcdb3467b28aad455d01e4e9"}]}]},{"name":"dependencies.tf","path":"modules/eks-cluster-control-plane/dependencies.tf","sha":"6389b5cb477cef74e9bae294c41bbdd05b8d8aa5"},{"name":"main.tf","path":"modules/eks-cluster-control-plane/main.tf","sha":"d2babf9edb4d77b71ca2d2f02cf3c78b1cb1092c"},{"name":"outputs.tf","path":"modules/eks-cluster-control-plane/outputs.tf","sha":"1d9c33ed79e9a4bdfec1dd228aa440a2932d74ef"},{"name":"templates","children":[{"name":"kubectl_config.tpl","path":"modules/eks-cluster-control-plane/templates/kubectl_config.tpl","sha":"083a5e914505363541190db3ee412d8d9e15b4ec"}]},{"name":"variables.tf","path":"modules/eks-cluster-control-plane/variables.tf","sha":"15d5a712ce52db18f0449d6fbea7e5b07e1df2d5"}]},{"name":"eks-cluster-managed-workers","children":[{"name":"README.md","path":"modules/eks-cluster-managed-workers/README.md","sha":"a44255e58e4c5949e3216339358124593ae2bbae"},{"name":"main.tf","path":"modules/eks-cluster-managed-workers/main.tf","sha":"56bad0a77dcc6eda3cf529007d2f354ba89bc82b"},{"name":"outputs.tf","path":"modules/eks-cluster-managed-workers/outputs.tf","sha":"391b5aff36a080568d94aae450d00b78488fb2e4"},{"name":"variables.tf","path":"modules/eks-cluster-managed-workers/variables.tf","sha":"fbb0d0efade0cb20f388b3c0f9cfeebf4cd87ff3"}]},{"name":"eks-cluster-workers-cross-access","children":[{"name":"README.md","path":"modules/eks-cluster-workers-cross-access/README.md","sha":"6c4e50bda62acc6c06d836488ef54f7119f27aee"},{"name":"main.tf","path":"modules/eks-cluster-workers-cross-access/main.tf","sha":"30885a053867992d0c3ee3804ba6833ae463c116"},{"name":"outputs.tf","path":"modules/eks-cluster-workers-cross-access/outputs.tf","sha":"c6c7f7a89007c55be5470ffd639c05c3fb052ad7"},{"name":"variables.tf","path":"modules/eks-cluster-workers-cross-access/variables.tf","sha":"d64aab893b6e909416189e985f072dd8809dfa2f"}]},{"name":"eks-cluster-workers","children":[{"name":"README.md","path":"modules/eks-cluster-workers/README.md","sha":"b846d1233c8a490fcb1bb0e7581c274f92d1c978","toggled":true},{"name":"dependencies.tf","path":"modules/eks-cluster-workers/dependencies.tf","sha":"57ce2b550d2bd4a4a969fbb37cc058cd9825ea86"},{"name":"main.tf","path":"modules/eks-cluster-workers/main.tf","sha":"1b4ee8765da90838dea560a53e860e13216d94c5"},{"name":"outputs.tf","path":"modules/eks-cluster-workers/outputs.tf","sha":"15a01dabd1c0a11011e2488c4df1f43468312454"},{"name":"variables.tf","path":"modules/eks-cluster-workers/variables.tf","sha":"d646d70fb828c1c6385f6ff3c5935c27011ae4d0"}],"toggled":true},{"name":"eks-iam-role-assume-role-policy-for-service-account","children":[{"name":"README.md","path":"modules/eks-iam-role-assume-role-policy-for-service-account/README.md","sha":"efbbbd70fea3661c662750768facb7950239ffa3"},{"name":"main.tf","path":"modules/eks-iam-role-assume-role-policy-for-service-account/main.tf","sha":"be2fefe5e1a29a2582d1dcdc0b700b74f198cfc9"},{"name":"outputs.tf","path":"modules/eks-iam-role-assume-role-policy-for-service-account/outputs.tf","sha":"c2910cec89910bb06a157311ac8c4bf72835dfe5"},{"name":"variables.tf","path":"modules/eks-iam-role-assume-role-policy-for-service-account/variables.tf","sha":"dc660ddf84158851145289f6036a0fc19fbf7ce4"}]},{"name":"eks-k8s-cluster-autoscaler-iam-policy","children":[{"name":"README.md","path":"modules/eks-k8s-cluster-autoscaler-iam-policy/README.md","sha":"a22e2264a296fe1bf00f2c8b2f72ae728d0277c3"},{"name":"main.tf","path":"modules/eks-k8s-cluster-autoscaler-iam-policy/main.tf","sha":"c743f0e3523119155e2f2a6434e6f634d659aaee"},{"name":"outputs.tf","path":"modules/eks-k8s-cluster-autoscaler-iam-policy/outputs.tf","sha":"8b6c4e1747b3fa6a88c6233ec87aa2f450dfd334"},{"name":"variables.tf","path":"modules/eks-k8s-cluster-autoscaler-iam-policy/variables.tf","sha":"be3db9023160b3754187f2f21ce77772b43ced53"}]},{"name":"eks-k8s-cluster-autoscaler","children":[{"name":"README.md","path":"modules/eks-k8s-cluster-autoscaler/README.md","sha":"a74848607c42fcef696f121c2506ace0b83ced87"},{"name":"main.tf","path":"modules/eks-k8s-cluster-autoscaler/main.tf","sha":"f39dcbe11cfff6a81e23f3517c53d67420eccc37"},{"name":"templates","children":[{"name":"node_affinity.yaml","path":"modules/eks-k8s-cluster-autoscaler/templates/node_affinity.yaml","sha":"c6eaf8e94fa7c893857cc009df954443239a8fe0"},{"name":"values.yaml","path":"modules/eks-k8s-cluster-autoscaler/templates/values.yaml","sha":"4fad2031b54ad610fcd65abb03020d7d2db924de"}]},{"name":"variables.tf","path":"modules/eks-k8s-cluster-autoscaler/variables.tf","sha":"e900fccd3c1cb0cccbf5cc7e76667f54ea509a5b"}]},{"name":"eks-k8s-external-dns-iam-policy","children":[{"name":"README.md","path":"modules/eks-k8s-external-dns-iam-policy/README.md","sha":"a33d41f9824e6270ef4573d6b7e22b394224689c"},{"name":"main.tf","path":"modules/eks-k8s-external-dns-iam-policy/main.tf","sha":"b346bd0324c30907dd62ac89f93fe9cc7799fd4d"},{"name":"outputs.tf","path":"modules/eks-k8s-external-dns-iam-policy/outputs.tf","sha":"21604a63b741b94ea9ebffd20b18772131020fcf"},{"name":"variables.tf","path":"modules/eks-k8s-external-dns-iam-policy/variables.tf","sha":"250152e6bfeb02a16bed4151ffc7156636db1bd9"}]},{"name":"eks-k8s-external-dns","children":[{"name":"README.md","path":"modules/eks-k8s-external-dns/README.md","sha":"59199651539725e656c97f18fefee22e39e311a5"},{"name":"main.tf","path":"modules/eks-k8s-external-dns/main.tf","sha":"7696052822928880e4da50296c7dd2ccdf32e267"},{"name":"templates","children":[{"name":"node_affinity.yaml","path":"modules/eks-k8s-external-dns/templates/node_affinity.yaml","sha":"c6eaf8e94fa7c893857cc009df954443239a8fe0"},{"name":"values.yaml","path":"modules/eks-k8s-external-dns/templates/values.yaml","sha":"ed22e91abbdc486ba7b0e79f28f63853b3860969"}]},{"name":"variables.tf","path":"modules/eks-k8s-external-dns/variables.tf","sha":"5f385a2e0aeef50a2f99b9e94f8648ecb7561b7d"}]},{"name":"eks-k8s-role-mapping","children":[{"name":"README.md","path":"modules/eks-k8s-role-mapping/README.md","sha":"eda8f8d176a772c66fb9ba39e0db186cb51a3c9c"},{"name":"main.tf","path":"modules/eks-k8s-role-mapping/main.tf","sha":"6fcd7d1fefe10d1ed9b22cf16a1c272c347d1cfa"},{"name":"outputs.tf","path":"modules/eks-k8s-role-mapping/outputs.tf","sha":"95d4d4ec652bb541b91a2844e00f68064b423e60"},{"name":"variables.tf","path":"modules/eks-k8s-role-mapping/variables.tf","sha":"87e3ec8e2456d90175fa4c5cf0110bae86998170"}]},{"name":"eks-scripts","children":[{"name":"README.md","path":"modules/eks-scripts/README.md","sha":"96baaf535647b9f4c364d6a19057bcccb42df2be"},{"name":"bin","children":[{"name":"map-ec2-tags-to-node-labels","path":"modules/eks-scripts/bin/map-ec2-tags-to-node-labels","sha":"8087c82d4d47f25439f118c2a51e59d22689ada7"},{"name":"map_ec2_tags_to_node_labels.py","path":"modules/eks-scripts/bin/map_ec2_tags_to_node_labels.py","sha":"f75ad19587e95b2bd8924125ea2a1a697154909f"}]},{"name":"dev_requirements.txt","path":"modules/eks-scripts/dev_requirements.txt","sha":"f56f9d1629a85734fe16ed70f00f36b830cd97c9"},{"name":"install.sh","path":"modules/eks-scripts/install.sh","sha":"7f192fca97b098482a8a398019d4d53f45dba478"}]},{"name":"eks-vpc-tags","children":[{"name":"README.md","path":"modules/eks-vpc-tags/README.md","sha":"b53e923baaa79718b55a272158ff9b710871a6ce"},{"name":"outputs.tf","path":"modules/eks-vpc-tags/outputs.tf","sha":"0ef2787cfd02ea8668c687302b1929618079a0b2"},{"name":"variables.tf","path":"modules/eks-vpc-tags/variables.tf","sha":"a6e332e9da4e473e1e42b1ca6c7b0ba139a77cfb"},{"name":"versions.tf","path":"modules/eks-vpc-tags/versions.tf","sha":"e5d003c3e7a7296ca0f610fc77f94f2139fc59d2"}]}],"toggled":true},{"name":"rfc","children":[{"name":"shipping-logs-to-cloudwatch.md","path":"rfc/shipping-logs-to-cloudwatch.md","sha":"3ac6a0fd509477c36e1b4079e82ed3def7fe03d8"}]},{"name":"setup.cfg","path":"setup.cfg","sha":"981bc2bfd0b35029438d56c6d862a7f1519b8fe6"},{"name":"test","children":[{"name":"README.md","path":"test/README.md","sha":"9bf8180d731bdc892279fcdbcbb03d245f31f83a"},{"name":"eks_cluster_integration_test.go","path":"test/eks_cluster_integration_test.go","sha":"706f2eda374a9a831febfe04d72f2df01cf87533"},{"name":"eks_cluster_managed_workers_test.go","path":"test/eks_cluster_managed_workers_test.go","sha":"1eacfe2ec7d3a375c975ede65b028459bd9a0695"},{"name":"eks_cluster_test_helpers.go","path":"test/eks_cluster_test_helpers.go","sha":"ea30d40f827611931ca5bfa719e1d2de8f46d59a"},{"name":"eks_cluster_upgrade_test.go","path":"test/eks_cluster_upgrade_test.go","sha":"1b042cf51b93efaf8c14ee7fc0f7695266048627"},{"name":"eks_cluster_with_iam_role_test.go","path":"test/eks_cluster_with_iam_role_test.go","sha":"ca0b2f65ebffee9c417c59c49884b4034c6ca895"},{"name":"eks_cluster_with_supporting_services_test.go","path":"test/eks_cluster_with_supporting_services_test.go","sha":"0c99e8e8f747904133536fb3ca940f905e0e697e"},{"name":"eks_cluster_workers_optional_test.go","path":"test/eks_cluster_workers_optional_test.go","sha":"bc42df3ce9cf3ceb2aa9ae1484b4a25a389e7c8b"},{"name":"eks_envelope_encryption_test.go","path":"test/eks_envelope_encryption_test.go","sha":"3d8b92c4d3d4244c6431ccae95f0faeb0328bdce"},{"name":"eks_fargate_cluster_disable_public_endpoint_test.go","path":"test/eks_fargate_cluster_disable_public_endpoint_test.go","sha":"25ba0984ef5979ca146d16b63654559939d822db"},{"name":"eks_fargate_cluster_irsa_test.go","path":"test/eks_fargate_cluster_irsa_test.go","sha":"a066ec0cf9a8b7b949054de53f063d3ebe1c80e7"},{"name":"eks_fargate_cluster_public_access_cidr_test.go","path":"test/eks_fargate_cluster_public_access_cidr_test.go","sha":"2a82ad5a0bbb9311bb9c91a2c0be3f3dbe1b4d5e"},{"name":"eks_fargate_cluster_test.go","path":"test/eks_fargate_cluster_test.go","sha":"a50d3691cbdec0ba41e2212015105254d7a516c7"},{"name":"eks_fargate_cluster_with_supporting_services_test.go","path":"test/eks_fargate_cluster_with_supporting_services_test.go","sha":"a236dc2c1647da144a3fa973492b18ad80d64103"},{"name":"eks_mixed_cluster_dns_test.go","path":"test/eks_mixed_cluster_dns_test.go","sha":"dae0c9dd16808d92d6ba08977513798340767459"},{"name":"errors.go","path":"test/errors.go","sha":"be062fe0205ff82db8183d0fde639aa1883013ad"},{"name":"go.mod","path":"test/go.mod","sha":"ad9f275481179887ebada26ac28186866b827563"},{"name":"go.sum","path":"test/go.sum","sha":"7844bf26994c49320e11604a6ebb2b32afeecc6b"},{"name":"kubefixtures","children":[{"name":"autoscaler-test-pods-deployment.yml","path":"test/kubefixtures/autoscaler-test-pods-deployment.yml","sha":"b2d94c4bfa729b639290ee21629c19ca6ea694ee"},{"name":"eks-irsa-test.yml","path":"test/kubefixtures/eks-irsa-test.yml","sha":"db5439cf6d38873dbae71daa4197d6947990a94a"},{"name":"eks-k8s-role-mapping-test-role.yml","path":"test/kubefixtures/eks-k8s-role-mapping-test-role.yml","sha":"ede7587308d2a4ecf55042b05800099c43f3af7d"},{"name":"kube-system-sa-admin-binding.yml","path":"test/kubefixtures/kube-system-sa-admin-binding.yml","sha":"282d406512102cbe54e952575f26e7e0fbb2aa9a"},{"name":"nginx-deployment.yml","path":"test/kubefixtures/nginx-deployment.yml","sha":"a58866e59c113635af24982cfb0b530f0c416af0"},{"name":"robust-nginx-deployment.yml","path":"test/kubefixtures/robust-nginx-deployment.yml","sha":"87ead0f9733e422099bc430ed281e2054e698f10"}]},{"name":"script_tests","children":[{"name":"executor.sh","path":"test/script_tests/executor.sh","sha":"458c534996fbc045081d1cfae521c090f6787a7f"},{"name":"requirements.txt","path":"test/script_tests/requirements.txt","sha":"e855b2d366822bbc91b9d29140df9f060ceb6864"},{"name":"test_map_ec2_tags_to_node_labels.py","path":"test/script_tests/test_map_ec2_tags_to_node_labels.py","sha":"1bb3a5eae3727c0e6caf29c2cf4b7d596bb9a161"},{"name":"tox.ini","path":"test/script_tests/tox.ini","sha":"a7b8c79ca45e700e9cb7b8b493b37c68bc4408c2"}]},{"name":"terratest_options.go","path":"test/terratest_options.go","sha":"327f1900a48e4a1eb85c49e4dbbd2610f81685e7"},{"name":"test_debug_helpers.go","path":"test/test_debug_helpers.go","sha":"c71a7a9d5b68f0f59d2518496d9f5893206b5e22"},{"name":"test_helpers.go","path":"test/test_helpers.go","sha":"9c7eb9d7c3f2d1acc6d305bfc95371fca8ee0221"}]}]},"detailsContent":"<h1 class=\"preview__body--title\" id=\"eks-cluster-workers-module\">EKS Cluster Workers Module</h1><div class=\"preview__body--border\"></div><p><strong>This module provisions self managed ASGs, in contrast to <a href=\"https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html\" class=\"preview__body--description--blue\" target=\"_blank\">EKS Managed Node Groups</a>. See the <a href=\"/repos/v0.22.1/terraform-aws-eks/modules/eks-cluster-managed-workers\" class=\"preview__body--description--blue\">eks-cluster-managed-workers</a> module for a module to deploy Managed Node Groups.</strong></p>\n<p>This Terraform Module launches worker nodes for an <a href=\"https://docs.aws.amazon.com/eks/latest/userguide/clusters.html\" class=\"preview__body--description--blue\" target=\"_blank\">Elastic Container Service for Kubernetes\nCluster</a> that you can use to run Kubernetes Pods and\nDeployments.</p>\n<p>This module is responsible for the EKS Worker Nodes in <a href=\"/repos/v0.22.1/terraform-aws-eks/modules/eks-cluster-control-plane/README.md#what-is-an-eks-cluster\" class=\"preview__body--description--blue\">the EKS cluster\ntopology</a>. You must launch a control plane in order\nfor the worker nodes to function. See the <a href=\"/repos/v0.22.1/terraform-aws-eks/modules/eks-cluster-control-plane\" class=\"preview__body--description--blue\">eks-cluster-control-plane module</a> for\nmanaging an EKS control plane.</p>\n<h2 class=\"preview__body--subtitle\" id=\"how-do-you-use-this-module\">How do you use this module?</h2>\n<ul>\n<li>See the <a href=\"/repos/v0.22.1/terraform-aws-eks/README.adoc\" class=\"preview__body--description--blue\">root README</a> for instructions on using Terraform modules.</li>\n<li>See the <a href=\"/repos/v0.22.1/terraform-aws-eks/examples\" class=\"preview__body--description--blue\">examples</a> folder for example usage.</li>\n<li>See <a href=\"/repos/v0.22.1/terraform-aws-eks/modules/eks-cluster-workers/variables.tf\" class=\"preview__body--description--blue\">variables.tf</a> for all the variables you can set on this module.</li>\n<li>See <a href=\"/repos/v0.22.1/terraform-aws-eks/modules/eks-cluster-workers/outputs.tf\" class=\"preview__body--description--blue\">outputs.tf</a> for all the variables that are outputed by this module.</li>\n</ul>\n<h2 class=\"preview__body--subtitle\" id=\"differences-with-managed-node-groups\">Differences with managed node groups</h2>\n<p>See the [Differences with self managed workers] section in the documentation for <a href=\"/repos/v0.22.1/terraform-aws-eks/modules/eks-cluster-managed-workers\" class=\"preview__body--description--blue\">eks-cluster-managed-workers\nmodule</a> for a detailed overview of differences with EKS Managed Node Groups.</p>\n<h2 class=\"preview__body--subtitle\" id=\"what-should-be-included-in-the-user-data-script\">What should be included in the user-data script?</h2>\n<p>In order for the EKS worker nodes to function, it must register itself to the Kubernetes API run by the EKS control\nplane. This is handled by the bootstrap script provided in the EKS optimized AMI. The user-data script should call the\nbootstrap script at some point during its execution. You can get this information from the <a href=\"/repos/v0.22.1/terraform-aws-eks/modules/eks-cluster-control-plane\" class=\"preview__body--description--blue\">eks-cluster-control-plane\nmodule</a>.</p>\n<p>For an example of a user data script, see the <a href=\"/repos/v0.22.1/terraform-aws-eks/examples/eks-cluster-with-iam-role-mappings/user-data/user-data.sh\" class=\"preview__body--description--blue\">eks-cluster example's user-data.sh\nscript</a>.</p>\n<p>You can read more about the bootstrap script in <a href=\"https://docs.aws.amazon.com/eks/latest/userguide/launch-workers.html\" class=\"preview__body--description--blue\" target=\"_blank\">the official documentation for EKS</a>.</p>\n<h2 class=\"preview__body--subtitle\" id=\"which-security-group-should-i-use\">Which security group should I use?</h2>\n<p>EKS clusters using Kubernetes version 1.14 and above automatically create a managed security group known as the cluster\nsecurity group. The cluster security group is designed to allow all traffic from the control plane and worker nodes to\nflow freely between each other. This security group has the following rules:</p>\n<ul>\n<li>Allow Kubernetes API traffic between the security group and the control plane security group.</li>\n<li>Allow all traffic between instances of the security group ("ingress all from self").</li>\n<li>Allow all outbound traffic.</li>\n</ul>\n<p>EKS will automatically use this security group for the underlying worker instances used with managed node groups or\nFargate. This allows traffic to flow freely between Fargate Pods and worker instances managed with managed node groups.</p>\n<p>You can read more about the cluster security group in <a href=\"https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html#cluster-sg\" class=\"preview__body--description--blue\" target=\"_blank\">the AWS\ndocs</a>.</p>\n<p>By default this module will attach two security groups to the worker nodes managed by the module:</p>\n<ul>\n<li>The cluster security group.</li>\n<li>A custom security group that can be extended with additional rules.</li>\n</ul>\n<p>You can attach additional security groups to the nodes using the <code>var.additional_security_group_ids</code> input variable.</p>\n<p>If you would like to avoid the cluster security group (this is useful if\nyou wish to isolate at the network level the workers managed by this module from other workers in your cluster like\nFargate, Managed Node Groups, or other self managed ASGs), set the <code>use_cluster_security_group</code> input variable to\n<code>false</code>. With this setting, the module will apply recommended security group rules to the custom group to allow the node\nto function as a EKS worker. The rules used for the new security group are based on <a href=\"https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html#control-plane-worker-node-sgs\" class=\"preview__body--description--blue\" target=\"_blank\">the recommendations provided by\nAWS</a> for configuring\nan EKS cluster.</p>\n<h3 class=\"preview__body--subtitle\" id=\"a-name-how-to-extend-security-group-a-how-do-you-add-additional-security-group-rules\"><a name="how-to-extend-security-group"></a>How do you add additional security group rules?</h3>\n<p>To add additional security group rules to the EKS cluster worker nodes, you can use the\n<a href=\"https://www.terraform.io/docs/providers/aws/r/security_group_rule.html\" class=\"preview__body--description--blue\" target=\"_blank\">aws_security_group_rule</a> resource, and set its\n<code>security_group_id</code> argument to the Terraform output of this module called <code>eks_worker_security_group_id</code> for the worker\nnodes. For example, here is how you can allow the EC2 Instances in this cluster to allow incoming HTTP requests on port\n8080:</p>\n<pre>module <span class=\"hljs-string\">\"eks_workers\"</span> {\n # (arguments omitted)\n}\n<span class=\"hljs-built_in\">\nresource </span><span class=\"hljs-string\">\"aws_security_group_rule\"</span> <span class=\"hljs-string\">\"allow_inbound_http_from_anywhere\"</span> {\n <span class=\"hljs-built_in\"> type </span>= <span class=\"hljs-string\">\"ingress\"</span>\n from_port = 8080\n to_port = 8080\n protocol = <span class=\"hljs-string\">\"tcp\"</span>\n cidr_blocks = [<span class=\"hljs-string\">\"0.0.0.0/0\"</span>]\n\n security_group_id = <span class=\"hljs-string\">\"<span class=\"hljs-variable\">${module.eks_workers.eks_worker_security_group_id}</span>\"</span>\n}\n</pre>\n<p><strong>Note</strong>: The security group rules you add will apply to ALL Pods running on these EC2 Instances. There is currently no\nway in EKS to manage security group rules on a per-Pod basis. Instead, rely on <a href=\"https://kubernetes.io/docs/concepts/services-networking/network-policies/\" class=\"preview__body--description--blue\" target=\"_blank\">Kubernetes Network\nPolicies</a> to restrict network access within a\nKubernetes cluster.</p>\n<h2 class=\"preview__body--subtitle\" id=\"what-iam-policies-are-attached-to-the-eks-cluster\">What IAM policies are attached to the EKS Cluster?</h2>\n<p>This module will create IAM roles for the EKS cluster worker nodes with the minimum set of policies necessary\nfor the cluster to function as a Kubernetes cluster. The policies attached to the roles are the same as those documented\nin <a href=\"https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html\" class=\"preview__body--description--blue\" target=\"_blank\">the AWS getting started guide for EKS</a>.</p>\n<h3 class=\"preview__body--subtitle\" id=\"how-do-you-add-additional-iam-policies\">How do you add additional IAM policies?</h3>\n<p>To add additional IAM policies to the EKS cluster worker nodes, you can use the\n<a href=\"https://www.terraform.io/docs/providers/aws/r/iam_role_policy.html\" class=\"preview__body--description--blue\" target=\"_blank\">aws_iam_role_policy</a> or\n<a href=\"https://www.terraform.io/docs/providers/aws/r/iam_policy_attachment.html\" class=\"preview__body--description--blue\" target=\"_blank\">aws_iam_policy_attachment</a> resources, and set\nthe IAM role id to the Terraform output of this module called <code>eks_worker_iam_role_name</code> for the worker nodes. For\nexample, here is how you can allow the worker nodes in this cluster to access an S3 bucket:</p>\n<pre>module <span class=\"hljs-string\">\"eks_workers\"</span> {\n # (arguments omitted)\n}\n<span class=\"hljs-built_in\">\nresource </span><span class=\"hljs-string\">\"aws_iam_role_policy\"</span> <span class=\"hljs-string\">\"access_s3_bucket\"</span> {\n name = <span class=\"hljs-string\">\"access_s3_bucket\"</span>\n role = <span class=\"hljs-string\">\"<span class=\"hljs-variable\">${module.eks_workers.eks_worker_iam_role_name}</span>\"</span>\n <span class=\"hljs-built_in\"> policy </span>= <<EOF\n{\n <span class=\"hljs-string\">\"Version\"</span>: <span class=\"hljs-string\">\"2012-10-17\"</span>,\n <span class=\"hljs-string\">\"Statement\"</span>: [\n {\n <span class=\"hljs-string\">\"Sid\"</span>: <span class=\"hljs-string\">\"\"</span>,\n <span class=\"hljs-string\">\"Effect\"</span>:<span class=\"hljs-string\">\"Allow\"</span>,\n <span class=\"hljs-string\">\"Action\"</span>: <span class=\"hljs-string\">\"s3:GetObject\"</span>,\n <span class=\"hljs-string\">\"Resource\"</span>: <span class=\"hljs-string\">\"arn:aws:s3:::examplebucket/*\"</span>\n }\n ]\n}\nEOF\n}\n</pre>\n<p><strong>Note</strong>: The IAM policies you add will apply to ALL Pods running on these EC2 Instances. See the <a href=\"/repos/v0.22.1/terraform-aws-eks/modules/eks-cluster-control-plane/README.md#how-do-i-associate-iam-roles-to-the-pods\" class=\"preview__body--description--blue\">How do I associate\nIAM roles to the Pods?</a> section of the\n<code>eks-cluster-control-plane</code> module README for more fine-grained allocation of IAM credentials to Pods.</p>\n<h2 class=\"preview__body--subtitle\" id=\"how-do-i-ssh-into-the-nodes\">How do I SSH into the nodes?</h2>\n<p>This module provides options to allow you to SSH into the worker nodes of an EKS cluster that are managed by this\nmodule. To do so, you must first use an AMI that is configured to allow SSH access. Then, you must setup the auto\nscaling group to launch instances with a known keypair that you have access to by using the\n<code>cluster_instance_keypair_name</code> option of the module. Finally, you need to configure the security group of the worker\nnode to allow access to the port for SSH by extending the security group of the worker nodes by following <a href=\"#how-to-extend-security-group\" class=\"preview__body--description--blue\">the guide\nabove</a>. This will allow SSH access to the instance using the specified keypair, provided\nthe server AMI is configured to run the ssh daemon.</p>\n<p><strong>Note</strong>: Using a single key pair shared with your whole team for all of your SSH access is not secure. For a more\nsecure option that allows each developer to use their own SSH key, and to manage server access via IAM or your Identity\nProvider (e.g. Google, ADFS, Okta, etc), see <a href=\"/repos/module-security/modules/ssh-grunt\" class=\"preview__body--description--blue\">ssh-grunt</a>.</p>\n<h2 class=\"preview__body--subtitle\" id=\"how-do-i-roll-out-an-update-to-the-instances\">How do I roll out an update to the instances?</h2>\n<p>Terraform and AWS do not provide a way to automatically roll out a change to the Instances in an EKS Cluster. Due to\nTerraform limitations (see <a href=\"/repos/module-ecs\" class=\"preview__body--description--blue\">here for a discussion</a>), there is\ncurrently no way to implement this purely in Terraform code. Therefore, we've embedded this functionality into\n<code>kubergrunt</code> that can do a zero-downtime roll out for you.</p>\n<p>Refer to the <a href=\"/repos/kubergrunt#deploy\" class=\"preview__body--description--blue\"><code>deploy</code> subcommand documentation</a> for more details on how this works.</p>\n<h2 class=\"preview__body--subtitle\" id=\"how-do-i-enable-cluster-auto-scaling\">How do I enable cluster auto-scaling?</h2>\n<p>This module will not automatically scale in response to resource usage by default, the\n<code>autoscaling_group_configurations.*.max_size</code> option is only used to give room for new instances during rolling updates.\nTo enable auto-scaling in response to resource utilization, you must set the <code>include_autoscaler_discovery_tags</code> input\nvariable to <code>true</code> and also deploy the <a href=\"/repos/v0.22.1/terraform-aws-eks/modules/eks-k8s-cluster-autoscaler\" class=\"preview__body--description--blue\">Kubernetes Cluster Autoscaler module</a>.</p>\n<p>Note that the cluster autoscaler only supports ASGs that manage nodes in a single availability zone. This means that you\nneed to carefully provision the managed node groups such that you have one group per AZ if you wish to use the cluster\nautoscaler. To accomplish this, ensure that the <code>subnet_ids</code> in each <code>autoscaling_group_configurations</code> input map entry\ncome from the same AZ.</p>\n<p>Refer to the <a href=\"https://github.com/kubernetes/autoscaler\" class=\"preview__body--description--blue\" target=\"_blank\">Kubernetes Autoscaler</a> documentation for more details.</p>\n","repoName":"terraform-aws-eks","repoRef":"v0.22.0","serviceDescriptor":{"serviceName":"EC2 Kubernetes Service (EKS) Cluster","serviceRepoName":"terraform-aws-eks","serviceRepoOrg":"gruntwork-io","cloudProviders":["aws"],"description":"Deploy a Kubernetes cluster on top of Amazon EC2 Kubernetes Service (EKS).","imageUrl":"eks.png","licenseType":"subscriber","technologies":["Terraform","Python","Bash"],"compliance":[],"tags":[""]},"serviceCategoryName":"Docker orchestration","fileName":"README.md","filePath":"/modules/eks-cluster-workers/README.md","title":"Repo Browser: EC2 Kubernetes Service (EKS) Cluster","description":"Browse the repos in the Gruntwork Infrastructure as Code Library."}
.circleci
dependencies.tf
