This module is responsible for the EKS Control Plane in the EKS cluster topology. You must
launch worker nodes in order to be able to schedule pods on your cluster. See the eks-cluster-workers
module for managing EKS worker nodes.
How do you use this module?
See the root README for instructions on using Terraform modules.
You will need to install kubectl to follow the
instructions.
If you wish to use the automatic configuration, you will need
kubergrunt. Refer to the kubergrunt documentation for installation
instructions.
What is the EKS Control Plane?
The EKS Control Plane is a managed service entrirely managed by AWS. This contains the resources and endpoint to run and
access the Kubernetes master components.
The resources are deployed into your VPC so that they inherit the network rules you configure for your VPC.
Specifically, the control plane consists of:
etcd: A distributed key value store used by Kubernetes to hold the metadata and cluster
state.
kube-apiserver: Web service that exposes the Kubernetes API. This is the main entrypoint for interacting with the
Kubernetes cluster.
kube-scheduler: This component is responsible for watching for newly created Pods on the cluster, and scheduling
them on to the available worker nodes.
kube-controller-manager: This component is responsible for executing the controller logic. Controllers are
responsible for managing the Pods on the cluster. For example, you can use a
Deployment controller to ensure that a
specified number of replicas of a Pod is running on the cluster.
cloud-controller-manager: This component is responsible for managing cloud components that Kubernetes will manage.
This includes resources like the
LoadBalancers.
You can read more about the different components of EKS in the project README.
What security group rules are created?
This module will create a security group for the EKS cluster master nodes to allow them to function as a Kubernetes
cluster. The rules are based on the recommendations provided by
AWS for configuring an EKS cluster.
<a name="how-to-extend-security-group"></a>How do you add additional security group rules?
To add additional security group rules to the EKS cluster master nodes, you can use the
aws_security_group_rule resource, and set its
security_group_id argument to the Terraform output of this module called eks_control_plane_security_group_id. For example, here is how you can allow the master nodes
in this cluster to allow incoming HTTPS requests on port 443 from an additional security group that is not the workers:
What IAM policies are attached to the EKS Cluster?
This module will create IAM roles for the EKS cluster master nodes with the minimum set of policies necessary
for the cluster to function as a Kubernetes cluster. The policies attached to the roles are the same as those documented
in the AWS getting started guide for EKS.
How do you add additional IAM policies?
To add additional IAM policies to the EKS cluster master nodes, you can use the
aws_iam_role_policy or
aws_iam_policy_attachment resources, and set
the IAM role id to the Terraform output of this module called eks_control_plane_iam_role_name for the master nodes. For
example, here is how you can allow the master nodes in this cluster to access an S3 bucket:
NOTE: This configuration depends on kubergrunt, minimum version 0.5.3
This module will set up the OpenID Connect Provider that can be used with the IAM Roles for Service
Accounts feature. When this
feature is enabled, you can exchange the Kubernetes Service Account Tokens for IAM role credentials using the
sts:AssumeRoleWithWebIdentity AWS API in the STS service.
To allow Kubernetes Service Accounts to assume the roles, you need to grant the proper assume role IAM policies to the
role that is being assumed. Specifically, you need to:
Allow the OpenID Connect Provider to assume the role.
Specify any conditions on assuming the role. You can restrict by:
Service Accounts that can assume the role
Which Namespaces have full access to assume the role (meaning, all Service Accounts in the Namespace can assume
that role).
Once you have an IAM Role that can be assumed by the Kubernetes Service Account, you can configure your Pods to exchange
them for IAM role credentials. EKS will automatically configure the correct environment variables that the SDK expects
on the Pods when you annotate the associated Service Account with the role it should assume.
The following shows an example Kubernetes manifest that configures the Service Account to assume the IAM role arn:aws:iam::123456789012:role/myrole:
Note that the AWS SDK will automatically assume the role if you are using a compatible version. The following is a list
of the minimum SDK version for various platforms that support the AWS_WEB_IDENTITY_TOKEN_FILE environment variable
used by IRSA:
By design, AWS does not allow you to SSH into the master nodes of an EKS cluster.
API Access and Networking
By default the Kubernetes API is accessible from the internet. This is to make operations easier when making requests to
the EKS cluster control plane. However, this module supports restricting access to only be allowed from within the VPC.
You can restrict public access by setting the endpoint_public_access input variable to false.
Control Plane Logging
EKS supports exporting various logs to CloudWatch. By default, none of the logging options are enabled by this module.
To enable logs, you can pass in the relevant type strings to the enabled_cluster_log_types input variable. For
example, to enable API server and audit logs, you can pass in the list ["api", "audit"]. See the official
documentation for a list of available log
types.
How do I configure encryption at rest for Secrets?
Kubernetes Secrets are resources in the cluster designed to
store and manage sensitive information. These behave like
ConfigMaps, but have a few extra
properties that enhance their security profile.
All EKS clusters encrypt Kubernetes Secrets at rest at the disk level using shared AWS managed KMS keys. Alternatively,
you can provide your own KMS Customer Master Key (CMK) to use for envelope encryption. In envelope encryption,
Kubernetes will use the provided CMK to encrypt the secret keys used to encrypt the Kubernetes Secrets. For each Secret,
Kubernetes will dynamically generate a new data encryption key (DEK) for the purposes of encrypting and decrypting the
secret. This key is then encrypted using the provided CMK before being stored in the cluster. In this way, you can
manage access to the Secret (indirectly by restricting access to the DEK) through the KMS permissions. For example, you
can disable all access to any Secrets in the EKS cluster by removing the permissions to encrypt/decrypt using the KMS
key in case of a breach.
To enable envelope encryption, provide the KMS key ARN you would like to use using the variable
secret_envelope_encryption_kms_key_arn. Note that if the KMS key belongs to another account, you will need to grant
access to manage permissions for the key to the account holding the EKS cluster. See Allowing users in other accounts
to use a CMK from
the official AWS docs for more information.
How do I deploy Pods on Fargate?
AWS Fargate is an AWS managed infrastructure for running ECS Tasks and EKS Pods
without any worker nodes. With Fargate, your EKS Pods will automatically be assigned a node from a shared pool of VMs
that are fully managed by AWS. This means that you can focus entirely on the application you are deploying and not have
to worry about servers, clusters, and the underlying infrastructure as a whole.
To use Fargate with your EKS Pods, you need to create a Fargate Profile to select the Pods that you want to run. You can
use Namespaces and Labels to restrict which Pods of the EKS cluster will run on Fargate. This means that Pods that match
the specifications of the Fargate Profile will automatically be deployed to Fargate without any further configuration.
Some additional notes on using Fargate:
Fargate Profiles require a Pod Execution Role, which is an IAM role that will be assigned to the underlying
kubelet of the Fargate instance. At a minimum, this role must be given enough permissions to pull the images
used by the Pod. Note that this role is NOT made available to the Pods! Use the IAM Role for Service Accounts
(IRSA) feature of EKS to assign IAM roles for use by the Pods themselves.
If you set the input variable schedule_control_plane_services_on_fargate on this module, the module will
automatically allocate a Fargate Profile that selects the core control plane services deployed in the kube-system
Namespace (e.g., core-dns). This profile is highly selective and will most likely not match any other Pods in the
cluster. To deploy additional Pods onto Fargate, you must manually create Fargate Profiles that select those Pods (use
the aws_eks_fargate_profile resource to
provision Fargate Profiles with Terraform). The Pod Execution Role created by the module may be reused for other
Fargate Profiles.
Fargate does not support DaemonSets. This means that you can't rely on the eks-container-logs
module to forward logs to CloudWatch. Instead, you need to manually configure a sidecar fluentd container that
forwards the log entries to CloudWatch Logs. Refer to this AWS blog
post
for documentation on how to setup fluentd with Fargate.
How do I upgrade the Kubernetes Version of the cluster?
To upgrade the minor version of Kubernetes deployed on the EKS cluster, you need to update the kubernetes_version
input variable. You must upgrade one minor version at a time, as EKS does not support upgrading by more than one
minor version.
When you bump minor versions, the module will automatically update the deployed Kubernetes components as described in
the official upgrade guide. This is handled by
kubergrunt (minimum version 0.6.2) using the eks
sync-core-components command, which will look up the
deployed Kubernetes version and make the required kubectl calls to deploy the updated components.
Note that you must update the nodes to use the corresponding kubelet version as well. This means that when you update
minor versions, you will also need to update the AMIs used by the worker nodes to match the version and rotate the
workers. For more information on rotating worker nodes, refer to How do I roll out an update to the
instances? in the eks-cluster-workers
module README.
Here are detailed steps on how to update your cluster:
Bump the kubernetes_version in the module variable to the next minor version in your module block for
eks-cluster-control-plane.
For self managed worker nodes (eks-cluster-workers module), build a new AMI for your worker nodes that depend on
an EKS optimized AMI for the Kubernetes minor version. Update the asg_default_instance_ami variable to the new AMI in
your module block for eks-cluster-workers.
Apply the changes. This will update the Kubernetes version on the EKS control plane, and stage the updates for your
workers. Note that your cluster will continue to function as Kubernetes supports worker nodes that are 1 minor
version behind.
Roll out the AMI update using kubergrunt eks deploy.
Python Helper Scripts
This module contains various python helper scripts that are used to achieve enhanced functionality not available in
Terraform. All these scripts are intended to be used as part of local-exec
provisioner. In order to support disabling the scripts, we
use a null_resource to wrap the provisioner. See this
module's main.tf file for example usage.
Since this is a python script, The operator machine must have a valid python interpreter available in the PATH under
the name python. The scripts support python versions 2.7, 3.5, 3.6, 3.7, and 3.8, on Mac OSX or Linux.
Below is an overview of the scripts:
cleanup_cluster_resources: Clean up any residual resources managed by the EKS cluster that may be remaining after
the cluster is destroyed. This is used to workaround terraform and kubernetes limitations that may leave managed
resources behind.
Troubleshooting
AccessDenied when provisioning Services of LoadBalancer type
On brand new accounts, AWS needs to provision a new Service Linked Role for ELBs when an ELB is first provisioned. EKS
automatically creates the Service Linked Role if it doesn't exist, but it needs more permissions than is provided by
default. Since the permission is only needed as a one time thing, binding the necessary permissions would be a violation
of least privileges.
As such, this module does not bind the requisite permissions, and instead we recommend taking one of the following
approaches:
Create a one time wrapper module that appends the following IAM permissions to the control plane IAM role (the output
eks_master_iam_role_arn), and deploy the EKS cluster with LoadBalancer service:
{"treedata":{"name":"root","toggled":true,"children":[{"name":".circleci","children":[{"name":"config.yml","path":".circleci/config.yml","sha":"8e34b1511c8139bbe82d515766af82a1b9fce933"}]},{"name":".gitignore","path":".gitignore","sha":"c95113b7b14c0533152b21a0491d6fd76aacb253"},{"name":".pre-commit-config.yaml","path":".pre-commit-config.yaml","sha":"2a146b2385ade859614e293dc083f39a9972b5fe"},{"name":"CODEOWNERS","path":"CODEOWNERS","sha":"ecbeaab263c59e955b621268f161059633041e3d"},{"name":"CONTRIBUTING.md","path":"CONTRIBUTING.md","sha":"a7cc7bd94443c252390564fa988755dbbe80d87d"},{"name":"GRUNTWORK_PHILOSOPHY.md","path":"GRUNTWORK_PHILOSOPHY.md","sha":"02d9873a74c99fe6d9b6b26bd9f8eb4a7a699c32"},{"name":"LICENSE.md","path":"LICENSE.md","sha":"a2cf01ecdd725fddd718ab91c80c115882c94f3c"},{"name":"README.adoc","path":"README.adoc","sha":"d7f2bd16fa80949980f7733f5a6f060a270430e8"},{"name":"_docs","children":[{"name":"eks-architecture.png","path":"_docs/eks-architecture.png","sha":"b4c9c46f88ed465c5575e915af54ad9920b56941"},{"name":"eks-icon.png","path":"_docs/eks-icon.png","sha":"83a29dc46e7bc6234ba5bb825e8ae283c56229a0"},{"name":"iam-role-icon.png","path":"_docs/iam-role-icon.png","sha":"c05bb05e6caae9b9db46505ce505a386f21fa2e4"}]},{"name":"core-concepts.md","path":"core-concepts.md","sha":"05a677fa120572a099fe546f16ec55c21207c10d"},{"name":"examples","children":[{"name":"README.md","path":"examples/README.md","sha":"668e34198ac21f150743f330ab1208f5f67e6b3c"},{"name":"eks-cluster-managed-workers","children":[{"name":"README.md","path":"examples/eks-cluster-managed-workers/README.md","sha":"b8f9642b8db4b69f3e35faee0801f0421f92a83d"},{"name":"dependencies.tf","path":"examples/eks-cluster-managed-workers/dependencies.tf","sha":"c51d22849120296cb44e2637625fbe0ef4405a53"},{"name":"main.tf","path":"examples/eks-cluster-managed-workers/main.tf","sha":"3b2b55d3406fe1744c5e6224dcd29384efd27361"},{"name":"outputs.tf","path":"examples/eks-cluster-managed-workers/outputs.tf","sha":"bbf83d99c547cf6ccff2b6f0782d083de971cd32"},{"name":"user-data","children":[{"name":"user_data.sh","path":"examples/eks-cluster-managed-workers/user-data/user_data.sh","sha":"c5fdd13d5bb04f765f1c90e9f12d23c48e94a252"}]},{"name":"variables.tf","path":"examples/eks-cluster-managed-workers/variables.tf","sha":"cebb93007096724b08453a8d6c2fe01cb45b29e5"}]},{"name":"eks-cluster-with-iam-role-mappings","children":[{"name":"README.md","path":"examples/eks-cluster-with-iam-role-mappings/README.md","sha":"67c3a556cedc312b67bd50f8f439dff7bbad0034"},{"name":"dependencies.tf","path":"examples/eks-cluster-with-iam-role-mappings/dependencies.tf","sha":"9652dab961175e0f2273b109b5f1724a38e3970f"},{"name":"main.tf","path":"examples/eks-cluster-with-iam-role-mappings/main.tf","sha":"6b1305f6b1b62529139d554a64ef99ae2a32b7e1"},{"name":"outputs.tf","path":"examples/eks-cluster-with-iam-role-mappings/outputs.tf","sha":"e641213ad585fffe0f165b9a543d54c9175a1a7d"},{"name":"user-data","children":[{"name":"user-data.sh","path":"examples/eks-cluster-with-iam-role-mappings/user-data/user-data.sh","sha":"b10c34bfe4c9d10101472b47edbc3b7dff42a88e"}]},{"name":"variables.tf","path":"examples/eks-cluster-with-iam-role-mappings/variables.tf","sha":"1cdeee06025ba70bc0af588d1143c80af0f68b26"}]},{"name":"eks-cluster-with-supporting-services","children":[{"name":"README.md","path":"examples/eks-cluster-with-supporting-services/README.md","sha":"cd0e673a332314bdf5dfd0bae662e5eaea48e613"},{"name":"core-services","children":[{"name":"README.md","path":"examples/eks-cluster-with-supporting-services/core-services/README.md","sha":"c1eb41e7cc60a67d29ef846daf3b2e974ca59e6e"},{"name":"dependencies.tf","path":"examples/eks-cluster-with-supporting-services/core-services/dependencies.tf","sha":"977c72682567c034c4effe391757cab2f342086f"},{"name":"main.tf","path":"examples/eks-cluster-with-supporting-services/core-services/main.tf","sha":"bb947f0a53e670452159abdae6b1572a440c6c2c"},{"name":"outputs.tf","path":"examples/eks-cluster-with-supporting-services/core-services/outputs.tf","sha":"e69de29bb2d1d6434b8b29ae775ad8c2e48c5391"},{"name":"variables.tf","path":"examples/eks-cluster-with-supporting-services/core-services/variables.tf","sha":"bc2d6c9fcad89fb5d1d8b27428c26a8409de3142"}]},{"name":"eks-cluster","children":[{"name":"README.md","path":"examples/eks-cluster-with-supporting-services/eks-cluster/README.md","sha":"8a60a01004a93bbbf2091b730f0207f6dd2cc07e"},{"name":"dependencies.tf","path":"examples/eks-cluster-with-supporting-services/eks-cluster/dependencies.tf","sha":"58c85fb4cb629a91afe41602e56072c19905e79b"},{"name":"main.tf","path":"examples/eks-cluster-with-supporting-services/eks-cluster/main.tf","sha":"f6a3b1158b00592809853a758d0e52467e3e8214"},{"name":"outputs.tf","path":"examples/eks-cluster-with-supporting-services/eks-cluster/outputs.tf","sha":"be23a13dd6f4063be394b8ca7358b631d50fab8a"},{"name":"user-data","children":[{"name":"app_worker_user_data.sh","path":"examples/eks-cluster-with-supporting-services/eks-cluster/user-data/app_worker_user_data.sh","sha":"c5fdd13d5bb04f765f1c90e9f12d23c48e94a252"},{"name":"core_worker_user_data.sh","path":"examples/eks-cluster-with-supporting-services/eks-cluster/user-data/core_worker_user_data.sh","sha":"0fa26153108b3d030ceeaae777aeb0a7e115404e"}]},{"name":"variables.tf","path":"examples/eks-cluster-with-supporting-services/eks-cluster/variables.tf","sha":"53a92d4ea68f4d9b74c54e534d36e4d1924de703"}]},{"name":"nginx-service","children":[{"name":"README.md","path":"examples/eks-cluster-with-supporting-services/nginx-service/README.md","sha":"0f6649ddb0cbb5aa80a5bc1f3318ea1fd5d0dc35"},{"name":"dependencies.tf","path":"examples/eks-cluster-with-supporting-services/nginx-service/dependencies.tf","sha":"0176248910eed450c12b54d10e3d74c8702c17ca"},{"name":"main.tf","path":"examples/eks-cluster-with-supporting-services/nginx-service/main.tf","sha":"fd8cb0c6dbc880a220467fc9e811f355a17f2864"},{"name":"templates","children":[{"name":"values.yaml","path":"examples/eks-cluster-with-supporting-services/nginx-service/templates/values.yaml","sha":"298435e01df9fa495b15d512073c62662d292cd3"}]},{"name":"variables.tf","path":"examples/eks-cluster-with-supporting-services/nginx-service/variables.tf","sha":"36ea6f8a36b19e34dbeeb25ae7e5fcf30c956b0f"}]},{"name":"packer","children":[{"name":"README.md","path":"examples/eks-cluster-with-supporting-services/packer/README.md","sha":"6a974a7fd5da7ac13309d9e0c4aaba7bd8cb46c7"},{"name":"build.json","path":"examples/eks-cluster-with-supporting-services/packer/build.json","sha":"ec09a52aea9b37aabe721f76e32e8eea02ece16f"}]}]},{"name":"eks-fargate-cluster-with-irsa","children":[{"name":"README.md","path":"examples/eks-fargate-cluster-with-irsa/README.md","sha":"27e8ad7773480a5431283c43609e3c7a47632f23"},{"name":"dependencies.tf","path":"examples/eks-fargate-cluster-with-irsa/dependencies.tf","sha":"88e84376868ae8dfc7b90483aa0fffe1c9d1a9ae"},{"name":"main.tf","path":"examples/eks-fargate-cluster-with-irsa/main.tf","sha":"e15e4aff2ef57f8436ddc9bd60fce4245a2b2ef8"},{"name":"outputs.tf","path":"examples/eks-fargate-cluster-with-irsa/outputs.tf","sha":"f059d7b74ffbfb06a0868d6d0a5d1831c8f45f10"},{"name":"variables.tf","path":"examples/eks-fargate-cluster-with-irsa/variables.tf","sha":"ba960ca7cca1e1abd0598cdd53df530b85895735"}]},{"name":"eks-fargate-cluster-with-supporting-services","children":[{"name":"README.md","path":"examples/eks-fargate-cluster-with-supporting-services/README.md","sha":"03531a9ce95edd0babef101bb2eeafde47a84505"},{"name":"core-services","children":[{"name":"README.md","path":"examples/eks-fargate-cluster-with-supporting-services/core-services/README.md","sha":"cde0ae405e4d73e9e39c67045fb82de8187a673d"},{"name":"dependencies.tf","path":"examples/eks-fargate-cluster-with-supporting-services/core-services/dependencies.tf","sha":"977c72682567c034c4effe391757cab2f342086f"},{"name":"main.tf","path":"examples/eks-fargate-cluster-with-supporting-services/core-services/main.tf","sha":"bae15ebef102b49230bdb466bb888469a7fb044f"},{"name":"variables.tf","path":"examples/eks-fargate-cluster-with-supporting-services/core-services/variables.tf","sha":"fbe18fbde325d89c51737f66fc86762fbee090c5"}]},{"name":"eks-cluster","children":[{"name":"dependencies.tf","path":"examples/eks-fargate-cluster-with-supporting-services/eks-cluster/dependencies.tf","sha":"c7d533db5e590f72eddbe987d0b5353c11b570e1"},{"name":"main.tf","path":"examples/eks-fargate-cluster-with-supporting-services/eks-cluster/main.tf","sha":"2424a9b951507551102d2ac33889947aa3859e4f"},{"name":"outputs.tf","path":"examples/eks-fargate-cluster-with-supporting-services/eks-cluster/outputs.tf","sha":"edddf9a6ab6f5927db366689db79e1b91db9d8c8"},{"name":"variables.tf","path":"examples/eks-fargate-cluster-with-supporting-services/eks-cluster/variables.tf","sha":"68140487d4bf2696cda5fb9781c46d60b9e309e5"}]},{"name":"nginx-service","children":[{"name":"dependencies.tf","path":"examples/eks-fargate-cluster-with-supporting-services/nginx-service/dependencies.tf","sha":"0176248910eed450c12b54d10e3d74c8702c17ca"},{"name":"main.tf","path":"examples/eks-fargate-cluster-with-supporting-services/nginx-service/main.tf","sha":"d87d3cd6ec547794ce86a16216e6fca7386804e9"},{"name":"templates","children":[{"name":"values.yaml","path":"examples/eks-fargate-cluster-with-supporting-services/nginx-service/templates/values.yaml","sha":"655914f91177135cb7c5f15b62166cfc82a62a91"}]},{"name":"variables.tf","path":"examples/eks-fargate-cluster-with-supporting-services/nginx-service/variables.tf","sha":"d3c166441cdc556b0839930fbc281b7e8a1bd57f"}]}]},{"name":"eks-fargate-cluster","children":[{"name":"README.md","path":"examples/eks-fargate-cluster/README.md","sha":"a1013138cb6f63a7109f287e76030b7cc71f447e"},{"name":"dependencies.tf","path":"examples/eks-fargate-cluster/dependencies.tf","sha":"88e84376868ae8dfc7b90483aa0fffe1c9d1a9ae"},{"name":"main.tf","path":"examples/eks-fargate-cluster/main.tf","sha":"565487a6c0ee5f81302234b60c828e6390f33fb9"},{"name":"outputs.tf","path":"examples/eks-fargate-cluster/outputs.tf","sha":"c2cfdb7ae48dc63df1b65d18e88179e9ddbaa735"},{"name":"user-data","children":[{"name":"user-data.sh","path":"examples/eks-fargate-cluster/user-data/user-data.sh","sha":"b10c34bfe4c9d10101472b47edbc3b7dff42a88e"}]},{"name":"variables.tf","path":"examples/eks-fargate-cluster/variables.tf","sha":"ea24bdd726a83dcd4c64976dc7322081304837cb"}]}]},{"name":"modules","children":[{"name":"eks-alb-ingress-controller-iam-policy","children":[{"name":"README.md","path":"modules/eks-alb-ingress-controller-iam-policy/README.md","sha":"c87be2ee00f8f59403f827303915b5a70c602002"},{"name":"iampolicy.json","path":"modules/eks-alb-ingress-controller-iam-policy/iampolicy.json","sha":"11b345cb86734392f4efca98ccbf76761bb5e313"},{"name":"main.tf","path":"modules/eks-alb-ingress-controller-iam-policy/main.tf","sha":"42b450dc6b17fba3ae8b66dd6cfca8f8e4e574be"},{"name":"outputs.tf","path":"modules/eks-alb-ingress-controller-iam-policy/outputs.tf","sha":"b551b0bcc6eb1b43bfff1606696566658564cfb4"},{"name":"variables.tf","path":"modules/eks-alb-ingress-controller-iam-policy/variables.tf","sha":"250152e6bfeb02a16bed4151ffc7156636db1bd9"}]},{"name":"eks-alb-ingress-controller","children":[{"name":"README.md","path":"modules/eks-alb-ingress-controller/README.md","sha":"39684ae899557d5b509bcf75cffab6a196fd389e"},{"name":"main.tf","path":"modules/eks-alb-ingress-controller/main.tf","sha":"2eac12e3dc5132538653e73cc39b47bc339938b0"},{"name":"variables.tf","path":"modules/eks-alb-ingress-controller/variables.tf","sha":"17208d1993109c8ee8ae41af02357974656ba1e2"}]},{"name":"eks-aws-auth-merger","children":[{"name":"Dockerfile","path":"modules/eks-aws-auth-merger/Dockerfile","sha":"5ac1f9c32ce10ae515a41a9e339fab08bce6faea"},{"name":"README.adoc","path":"modules/eks-aws-auth-merger/README.adoc","sha":"1a8e70b12c0304004b468fdda81dab2d0941c4fc"},{"name":"aws-auth-merger","children":[{"name":"aws_auth_merger.go","path":"modules/eks-aws-auth-merger/aws-auth-merger/aws_auth_merger.go","sha":"63cf5b70211f5e2dc60ddb25b08e111787a3939c"},{"name":"aws_auth_merger_test.go","path":"modules/eks-aws-auth-merger/aws-auth-merger/aws_auth_merger_test.go","sha":"218a7dbb20c3e5ba80e6540156a81241360c6930"},{"name":"cli.go","path":"modules/eks-aws-auth-merger/aws-auth-merger/cli.go","sha":"8c335463605f65db25d773271da67a19d4caea7b"},{"name":"configmap_watch_controller.go","path":"modules/eks-aws-auth-merger/aws-auth-merger/configmap_watch_controller.go","sha":"15852b7b2437ef1a46c4d66176ffaf48db294d20"},{"name":"debouncer.go","path":"modules/eks-aws-auth-merger/aws-auth-merger/debouncer.go","sha":"2376c66675e380b636421c17ea573fa12a141dd0"},{"name":"debouncer_test.go","path":"modules/eks-aws-auth-merger/aws-auth-merger/debouncer_test.go","sha":"e6cd8e44503b4dea3e81b26ff20db39c35c8c72e"},{"name":"go.mod","path":"modules/eks-aws-auth-merger/aws-auth-merger/go.mod","sha":"8740e625dd81f91954a8c6c8d7d7db38838ccaf4"},{"name":"go.sum","path":"modules/eks-aws-auth-merger/aws-auth-merger/go.sum","sha":"b7c89fd5be7b1ec4db3f2e56843c17976c781fbb"},{"name":"main.go","path":"modules/eks-aws-auth-merger/aws-auth-merger/main.go","sha":"9061cabd38668a323387cf8b7252ed2b45cbf2b9"},{"name":"mapping.go","path":"modules/eks-aws-auth-merger/aws-auth-merger/mapping.go","sha":"1d0a36862e4b4a24ddd6112b016acce54e643775"},{"name":"mapping_test.go","path":"modules/eks-aws-auth-merger/aws-auth-merger/mapping_test.go","sha":"02c91e45a128d6c306ec42a548ac9023df350e78"}]},{"name":"core-concepts.md","path":"modules/eks-aws-auth-merger/core-concepts.md","sha":"2da0061c35747e9f280f8a440adfc4534da40fa4"},{"name":"main.tf","path":"modules/eks-aws-auth-merger/main.tf","sha":"d2a5b5fd266a623cdf5f6669c256acf5fe70339d"},{"name":"outputs.tf","path":"modules/eks-aws-auth-merger/outputs.tf","sha":"d733fb246403f97ac011cbedf3f1d2761badef82"},{"name":"variables.tf","path":"modules/eks-aws-auth-merger/variables.tf","sha":"429e5990df785c4c01c4a07668d41ce648e4e68b"}]},{"name":"eks-cluster-control-plane","children":[{"name":"README.md","path":"modules/eks-cluster-control-plane/README.md","sha":"ad90d83c6eea189d50c22069865c3f8cda1acd6a","toggled":true},{"name":"dependencies.tf","path":"modules/eks-cluster-control-plane/dependencies.tf","sha":"5c71c526fdc6e550e5cf51dcb9a89dae10e8fca8"},{"name":"main.tf","path":"modules/eks-cluster-control-plane/main.tf","sha":"7d6c865c7796a23994bdb2abc87bd1981ae5d230"},{"name":"outputs.tf","path":"modules/eks-cluster-control-plane/outputs.tf","sha":"4cb9b9f5445bef1b3d93e4e3a14950eae72a2acb"},{"name":"scripts","children":[{"name":"find_and_run_kubergrunt.py","path":"modules/eks-cluster-control-plane/scripts/find_and_run_kubergrunt.py","sha":"24b01390e361b6131de0cca421bedf27eac41609"}]},{"name":"templates","children":[{"name":"kubectl_config.tpl","path":"modules/eks-cluster-control-plane/templates/kubectl_config.tpl","sha":"083a5e914505363541190db3ee412d8d9e15b4ec"}]},{"name":"variables.tf","path":"modules/eks-cluster-control-plane/variables.tf","sha":"f2742ac30bc16e0e5d466a4129d48c7b739f1f73"}],"toggled":true},{"name":"eks-cluster-managed-workers","children":[{"name":"README.md","path":"modules/eks-cluster-managed-workers/README.md","sha":"54382d2f993b4b5e9cac30e9b44c36138d0e8ea2"},{"name":"main.tf","path":"modules/eks-cluster-managed-workers/main.tf","sha":"fa0957a10cee66c886e311426aabaa76b71308d1"},{"name":"outputs.tf","path":"modules/eks-cluster-managed-workers/outputs.tf","sha":"391b5aff36a080568d94aae450d00b78488fb2e4"},{"name":"variables.tf","path":"modules/eks-cluster-managed-workers/variables.tf","sha":"0c1141a879699f7e4c05b49c0ab42a45a1ff12c4"}]},{"name":"eks-cluster-workers-cross-access","children":[{"name":"README.md","path":"modules/eks-cluster-workers-cross-access/README.md","sha":"6c4e50bda62acc6c06d836488ef54f7119f27aee"},{"name":"main.tf","path":"modules/eks-cluster-workers-cross-access/main.tf","sha":"98dd7772c485c12cfa2371ebc7fbf3421ecb0d36"},{"name":"outputs.tf","path":"modules/eks-cluster-workers-cross-access/outputs.tf","sha":"c6c7f7a89007c55be5470ffd639c05c3fb052ad7"},{"name":"variables.tf","path":"modules/eks-cluster-workers-cross-access/variables.tf","sha":"d64aab893b6e909416189e985f072dd8809dfa2f"}]},{"name":"eks-cluster-workers","children":[{"name":"README.md","path":"modules/eks-cluster-workers/README.md","sha":"e2ff0e1c7054539c1802087972ce6f2954c57ab0"},{"name":"dependencies.tf","path":"modules/eks-cluster-workers/dependencies.tf","sha":"d177e89ddc5cb6b4ab5b36ec96fd1ec22a008a49"},{"name":"main.tf","path":"modules/eks-cluster-workers/main.tf","sha":"0d95f6933aed03c5a4f6f207b65961cb80913fa2"},{"name":"outputs.tf","path":"modules/eks-cluster-workers/outputs.tf","sha":"d2dddf7803dbd3712c8f953c811c926eb141ace3"},{"name":"variables.tf","path":"modules/eks-cluster-workers/variables.tf","sha":"75aa2467f848a84bfce9007c18cd8534c458b758"}]},{"name":"eks-container-logs","children":[{"name":"README.md","path":"modules/eks-container-logs/README.md","sha":"3af3ffd83b5c0205f122ecba654dec888c6efd72"},{"name":"main.tf","path":"modules/eks-container-logs/main.tf","sha":"e009253eb39a968e5fde74d189cd964f5b626441"},{"name":"outputs.tf","path":"modules/eks-container-logs/outputs.tf","sha":"7061ed458fec528c8b8b587291f0eccb4324fb72"},{"name":"variables.tf","path":"modules/eks-container-logs/variables.tf","sha":"5ea6675992d0555490a38d822f5e8e18353149ee"}]},{"name":"eks-iam-role-assume-role-policy-for-service-account","children":[{"name":"README.md","path":"modules/eks-iam-role-assume-role-policy-for-service-account/README.md","sha":"efbbbd70fea3661c662750768facb7950239ffa3"},{"name":"main.tf","path":"modules/eks-iam-role-assume-role-policy-for-service-account/main.tf","sha":"063478d0ad86bd49796e6ccfdce78df8690ed4e3"},{"name":"outputs.tf","path":"modules/eks-iam-role-assume-role-policy-for-service-account/outputs.tf","sha":"c2910cec89910bb06a157311ac8c4bf72835dfe5"},{"name":"variables.tf","path":"modules/eks-iam-role-assume-role-policy-for-service-account/variables.tf","sha":"dc660ddf84158851145289f6036a0fc19fbf7ce4"}]},{"name":"eks-k8s-cluster-autoscaler-iam-policy","children":[{"name":"README.md","path":"modules/eks-k8s-cluster-autoscaler-iam-policy/README.md","sha":"a22e2264a296fe1bf00f2c8b2f72ae728d0277c3"},{"name":"main.tf","path":"modules/eks-k8s-cluster-autoscaler-iam-policy/main.tf","sha":"e2c933e4bd22a6c56a3b2206e8580e5dd5e24630"},{"name":"outputs.tf","path":"modules/eks-k8s-cluster-autoscaler-iam-policy/outputs.tf","sha":"8b6c4e1747b3fa6a88c6233ec87aa2f450dfd334"},{"name":"variables.tf","path":"modules/eks-k8s-cluster-autoscaler-iam-policy/variables.tf","sha":"7534ac11f3cd71e1a1bf9521065a474f5f56ec3c"}]},{"name":"eks-k8s-cluster-autoscaler","children":[{"name":"README.md","path":"modules/eks-k8s-cluster-autoscaler/README.md","sha":"a74848607c42fcef696f121c2506ace0b83ced87"},{"name":"main.tf","path":"modules/eks-k8s-cluster-autoscaler/main.tf","sha":"a3d6870ee182b0983837c098b377e2be6885e85d"},{"name":"templates","children":[{"name":"node_affinity.yaml","path":"modules/eks-k8s-cluster-autoscaler/templates/node_affinity.yaml","sha":"c6eaf8e94fa7c893857cc009df954443239a8fe0"},{"name":"values.yaml","path":"modules/eks-k8s-cluster-autoscaler/templates/values.yaml","sha":"081ab7f76dc4e753975b427d7cee51589965715d"}]},{"name":"variables.tf","path":"modules/eks-k8s-cluster-autoscaler/variables.tf","sha":"d5b3e8d46303947a8a9a6a3fba1e18a720fc8b84"}]},{"name":"eks-k8s-external-dns-iam-policy","children":[{"name":"README.md","path":"modules/eks-k8s-external-dns-iam-policy/README.md","sha":"a33d41f9824e6270ef4573d6b7e22b394224689c"},{"name":"main.tf","path":"modules/eks-k8s-external-dns-iam-policy/main.tf","sha":"3bce6ac6a113c2d2d22647f37d779c2dcabacb35"},{"name":"outputs.tf","path":"modules/eks-k8s-external-dns-iam-policy/outputs.tf","sha":"21604a63b741b94ea9ebffd20b18772131020fcf"},{"name":"variables.tf","path":"modules/eks-k8s-external-dns-iam-policy/variables.tf","sha":"c9d71db85ad8f3085d9ae3c3073bf46da6241b75"}]},{"name":"eks-k8s-external-dns","children":[{"name":"README.md","path":"modules/eks-k8s-external-dns/README.md","sha":"0feaa9793a59843f8999449ffcb2a53e9d33a120"},{"name":"main.tf","path":"modules/eks-k8s-external-dns/main.tf","sha":"86acf0f74e13ae71ba54cc6372818eeef0cf5532"},{"name":"variables.tf","path":"modules/eks-k8s-external-dns/variables.tf","sha":"cc5fda3437c6a96e5bd58940f359c06a3aef69c7"}]},{"name":"eks-k8s-role-mapping","children":[{"name":"README.md","path":"modules/eks-k8s-role-mapping/README.md","sha":"2962e93307761b2356c62f0ac8068dc01f98d9f4"},{"name":"main.tf","path":"modules/eks-k8s-role-mapping/main.tf","sha":"cc53d89973699f2be1242bbb85664e231158c802"},{"name":"outputs.tf","path":"modules/eks-k8s-role-mapping/outputs.tf","sha":"95d4d4ec652bb541b91a2844e00f68064b423e60"},{"name":"variables.tf","path":"modules/eks-k8s-role-mapping/variables.tf","sha":"5c696a015d9e8b44e5687b758c61ac49f3a4b7ef"}]},{"name":"eks-scripts","children":[{"name":"README.md","path":"modules/eks-scripts/README.md","sha":"7be1bd16caabc8f864937895958b2c38bb7af7b9"},{"name":"bin","children":[{"name":"map-ec2-tags-to-node-labels","path":"modules/eks-scripts/bin/map-ec2-tags-to-node-labels","sha":"a0e9f3cc0caec66c2fd01c66042164f267e3b7a9"},{"name":"map_ec2_tags_to_node_labels.py","path":"modules/eks-scripts/bin/map_ec2_tags_to_node_labels.py","sha":"f75ad19587e95b2bd8924125ea2a1a697154909f"}]},{"name":"dev_requirements.txt","path":"modules/eks-scripts/dev_requirements.txt","sha":"f56f9d1629a85734fe16ed70f00f36b830cd97c9"},{"name":"install.sh","path":"modules/eks-scripts/install.sh","sha":"7f192fca97b098482a8a398019d4d53f45dba478"}]},{"name":"eks-vpc-tags","children":[{"name":"README.md","path":"modules/eks-vpc-tags/README.md","sha":"b53e923baaa79718b55a272158ff9b710871a6ce"},{"name":"main.tf","path":"modules/eks-vpc-tags/main.tf","sha":"816b047f0a944d10c17bfafaaaa7f519c90aeff5"},{"name":"outputs.tf","path":"modules/eks-vpc-tags/outputs.tf","sha":"0ef2787cfd02ea8668c687302b1929618079a0b2"},{"name":"variables.tf","path":"modules/eks-vpc-tags/variables.tf","sha":"a6e332e9da4e473e1e42b1ca6c7b0ba139a77cfb"}]}],"toggled":true},{"name":"rfc","children":[{"name":"shipping-logs-to-cloudwatch.md","path":"rfc/shipping-logs-to-cloudwatch.md","sha":"606410240f3c5b5fe85175c05429c52c7e46ad42"}]},{"name":"setup.cfg","path":"setup.cfg","sha":"981bc2bfd0b35029438d56c6d862a7f1519b8fe6"},{"name":"terraform-cloud-enterprise-private-module-registry-placeholder.tf","path":"terraform-cloud-enterprise-private-module-registry-placeholder.tf","sha":"ae586c0fe830819580e1009d41a9074f16e65bed"},{"name":"test","children":[{"name":"README.md","path":"test/README.md","sha":"9bf8180d731bdc892279fcdbcbb03d245f31f83a"},{"name":"eks_cluster_drain_test.go","path":"test/eks_cluster_drain_test.go","sha":"def624eb66ff6eb746c651dea59c4415a85ffd76"},{"name":"eks_cluster_integration_test.go","path":"test/eks_cluster_integration_test.go","sha":"471a3100ec1db2b42e2f80f2184621b3553020f3"},{"name":"eks_cluster_managed_workers_test.go","path":"test/eks_cluster_managed_workers_test.go","sha":"0e67a65ab14f81d0872895e117b8ecb31acaca03"},{"name":"eks_cluster_test_helpers.go","path":"test/eks_cluster_test_helpers.go","sha":"e6b2979ffa4b9e933e18dcb4461ec319cf9a5932"},{"name":"eks_cluster_upgrade_test.go","path":"test/eks_cluster_upgrade_test.go","sha":"4fe634a2322165bdb8130628d5fc9fd93e7a0969"},{"name":"eks_cluster_with_auth_merger_test.go","path":"test/eks_cluster_with_auth_merger_test.go","sha":"fdbe2bc7eb1f4565e394f8ac6124c7bc795f3884"},{"name":"eks_cluster_with_iam_role_test.go","path":"test/eks_cluster_with_iam_role_test.go","sha":"962deb50187b8daed1df05102a30562248b8137e"},{"name":"eks_cluster_with_supporting_services_test.go","path":"test/eks_cluster_with_supporting_services_test.go","sha":"d1e60137ff053fa816c11fd4cb10e73c61b41126"},{"name":"eks_cluster_workers_optional_test.go","path":"test/eks_cluster_workers_optional_test.go","sha":"0f6179eb2f1d0d6809aebf7a16c7afa3f4e49fc3"},{"name":"eks_envelope_encryption_test.go","path":"test/eks_envelope_encryption_test.go","sha":"3d8b92c4d3d4244c6431ccae95f0faeb0328bdce"},{"name":"eks_fargate_cluster_disable_public_endpoint_test.go","path":"test/eks_fargate_cluster_disable_public_endpoint_test.go","sha":"25ba0984ef5979ca146d16b63654559939d822db"},{"name":"eks_fargate_cluster_irsa_test.go","path":"test/eks_fargate_cluster_irsa_test.go","sha":"8a1e4f4599f63b357af1ca36b135898e7663f1fe"},{"name":"eks_fargate_cluster_public_access_cidr_test.go","path":"test/eks_fargate_cluster_public_access_cidr_test.go","sha":"2a82ad5a0bbb9311bb9c91a2c0be3f3dbe1b4d5e"},{"name":"eks_fargate_cluster_test.go","path":"test/eks_fargate_cluster_test.go","sha":"a50d3691cbdec0ba41e2212015105254d7a516c7"},{"name":"eks_fargate_cluster_with_supporting_services_test.go","path":"test/eks_fargate_cluster_with_supporting_services_test.go","sha":"a236dc2c1647da144a3fa973492b18ad80d64103"},{"name":"eks_mixed_cluster_dns_test.go","path":"test/eks_mixed_cluster_dns_test.go","sha":"069332615ab046026f91262ebfb3715786132895"},{"name":"errors.go","path":"test/errors.go","sha":"be062fe0205ff82db8183d0fde639aa1883013ad"},{"name":"go.mod","path":"test/go.mod","sha":"2a66084362eee66b1df3c80716dc15fd4f845356"},{"name":"go.sum","path":"test/go.sum","sha":"6a50e9f9a87ea976f1e14cde47ae194d4b87be78"},{"name":"kubefixtures","children":[{"name":"autoscaler-test-pods-deployment.yml","path":"test/kubefixtures/autoscaler-test-pods-deployment.yml","sha":"b2d94c4bfa729b639290ee21629c19ca6ea694ee"},{"name":"eks-irsa-test.yml","path":"test/kubefixtures/eks-irsa-test.yml","sha":"db5439cf6d38873dbae71daa4197d6947990a94a"},{"name":"eks-k8s-role-mapping-test-role.yml","path":"test/kubefixtures/eks-k8s-role-mapping-test-role.yml","sha":"ede7587308d2a4ecf55042b05800099c43f3af7d"},{"name":"kube-system-sa-admin-binding.yml","path":"test/kubefixtures/kube-system-sa-admin-binding.yml","sha":"282d406512102cbe54e952575f26e7e0fbb2aa9a"},{"name":"nginx-deployment.yml","path":"test/kubefixtures/nginx-deployment.yml","sha":"a58866e59c113635af24982cfb0b530f0c416af0"},{"name":"robust-nginx-deployment.yml","path":"test/kubefixtures/robust-nginx-deployment.yml","sha":"87ead0f9733e422099bc430ed281e2054e698f10"}]},{"name":"script_tests","children":[{"name":"executor.sh","path":"test/script_tests/executor.sh","sha":"458c534996fbc045081d1cfae521c090f6787a7f"},{"name":"requirements.txt","path":"test/script_tests/requirements.txt","sha":"7372bb177f500724ac7b3d1730d5018d768e538b"},{"name":"test_map_ec2_tags_to_node_labels.py","path":"test/script_tests/test_map_ec2_tags_to_node_labels.py","sha":"6b88e92ac569e20ece5a35c74f053a08839e4638"},{"name":"tox.ini","path":"test/script_tests/tox.ini","sha":"3a18859a7fbe2f3897fd85f69b081e308f8e47a1"}]},{"name":"terratest_options.go","path":"test/terratest_options.go","sha":"9c0fc2cde3ebb6db359ea8cba88153c0eb66c7db"},{"name":"test_debug_helpers.go","path":"test/test_debug_helpers.go","sha":"c71a7a9d5b68f0f59d2518496d9f5893206b5e22"},{"name":"test_helpers.go","path":"test/test_helpers.go","sha":"4633eab64d3382614ac38d1f3840e45c522486e2"}]}]},"detailsContent":"<h1 class=\"preview__body--title\" id=\"eks-cluster-control-plane-module\">EKS Cluster Control Plane Module</h1><div class=\"preview__body--border\"></div><p>This Terraform Module launches an <a href=\"https://docs.aws.amazon.com/eks/latest/userguide/clusters.html\" class=\"preview__body--description--blue\" target=\"_blank\">Elastic Container Service for Kubernetes\nCluster</a>.</p>\n<p>This module is responsible for the EKS Control Plane in <a href=\"#what-is-an-eks-cluster\" class=\"preview__body--description--blue\">the EKS cluster topology</a>. You must\nlaunch worker nodes in order to be able to schedule pods on your cluster. See the <a href=\"/repos/v0.36.0/terraform-aws-eks/modules/eks-cluster-workers\" class=\"preview__body--description--blue\">eks-cluster-workers\nmodule</a> for managing EKS worker nodes.</p>\n<h2 class=\"preview__body--subtitle\" id=\"how-do-you-use-this-module\">How do you use this module?</h2>\n<ul>\n<li>See the <a href=\"/repos/v0.36.0/terraform-aws-eks/README.adoc\" class=\"preview__body--description--blue\">root README</a> for instructions on using Terraform modules.</li>\n<li>See the <a href=\"/repos/v0.36.0/terraform-aws-eks/examples\" class=\"preview__body--description--blue\">examples</a> folder for example usage.</li>\n<li>See <a href=\"/repos/v0.36.0/terraform-aws-eks/modules/eks-cluster-control-plane/variables.tf\" class=\"preview__body--description--blue\">variables.tf</a> for all the variables you can set on this module.</li>\n<li>See <a href=\"/repos/v0.36.0/terraform-aws-eks/modules/eks-cluster-control-plane/outputs.tf\" class=\"preview__body--description--blue\">outputs.tf</a> for all the variables that are outputed by this module.</li>\n<li>This module depends on a packaged python binary, which requires a working python install.</li>\n<li>This module depends on <a href=\"https://kubernetes.io/docs/tasks/tools/install-kubectl/\" class=\"preview__body--description--blue\" target=\"_blank\"><code>kubectl</code></a>.</li>\n<li>See <a href=\"/repos/v0.36.0/terraform-aws-eks/core-concepts.md#how-to-authenticate-kubectl\" class=\"preview__body--description--blue\">How do I authenticate kubectl to the EKS cluster?</a> for information on how\nto authenticate kubectl.\n<ul>\n<li>You will need to install <a href=\"https://kubernetes.io/docs/tasks/tools/install-kubectl/\" class=\"preview__body--description--blue\" target=\"_blank\"><code>kubectl</code></a> to follow the\ninstructions.</li>\n<li>If you wish to use the automatic configuration, you will need\n<a href=\"/repos/kubergrunt\" class=\"preview__body--description--blue\"><code>kubergrunt</code></a>. Refer to the <code>kubergrunt</code> documentation for installation\ninstructions.</li>\n</ul>\n</li>\n</ul>\n<h2 class=\"preview__body--subtitle\" id=\"what-is-the-eks-control-plane\">What is the EKS Control Plane?</h2>\n<p>The EKS Control Plane is a managed service entrirely managed by AWS. This contains the resources and endpoint to run and\naccess the <a href=\"https://kubernetes.io/docs/concepts/overview/components/#master-components\" class=\"preview__body--description--blue\" target=\"_blank\">Kubernetes master components</a>.\nThe resources are deployed into your VPC so that they inherit the network rules you configure for your VPC.</p>\n<p>Specifically, the control plane consists of:</p>\n<ul>\n<li><a href=\"https://coreos.com/etcd/\" class=\"preview__body--description--blue\" target=\"_blank\"><code>etcd</code></a>: A distributed key value store used by Kubernetes to hold the metadata and cluster\nstate.</li>\n<li><code>kube-apiserver</code>: Web service that exposes the Kubernetes API. This is the main entrypoint for interacting with the\nKubernetes cluster.</li>\n<li><code>kube-scheduler</code>: This component is responsible for watching for newly created Pods on the cluster, and scheduling\nthem on to the available worker nodes.</li>\n<li><code>kube-controller-manager</code>: This component is responsible for executing the controller logic. Controllers are\nresponsible for managing the Pods on the cluster. For example, you can use a\n<a href=\"https://kubernetes.io/docs/concepts/workloads/controllers/deployment/\" class=\"preview__body--description--blue\" target=\"_blank\"><code>Deployment</code></a> controller to ensure that a\nspecified number of replicas of a Pod is running on the cluster.</li>\n<li><code>cloud-controller-manager</code>: This component is responsible for managing cloud components that Kubernetes will manage.\nThis includes resources like the\n<a href=\"https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/\" class=\"preview__body--description--blue\" target=\"_blank\"><code>LoadBalancers</code></a>.</li>\n</ul>\n<p>You can read more about the different components of EKS in <a href=\"/repos/v0.36.0/terraform-aws-eks/core-concepts.md#what-is-an-eks-cluster\" class=\"preview__body--description--blue\">the project README</a>.</p>\n<h2 class=\"preview__body--subtitle\" id=\"what-security-group-rules-are-created\">What security group rules are created?</h2>\n<p>This module will create a security group for the EKS cluster master nodes to allow them to function as a Kubernetes\ncluster. The rules are based on <a href=\"https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html\" class=\"preview__body--description--blue\" target=\"_blank\">the recommendations provided by\nAWS</a> for configuring an EKS cluster.</p>\n<h3 class=\"preview__body--subtitle\" id=\"a-name-how-to-extend-security-group-a-how-do-you-add-additional-security-group-rules\"><a name="how-to-extend-security-group"></a>How do you add additional security group rules?</h3>\n<p>To add additional security group rules to the EKS cluster master nodes, you can use the\n<a href=\"https://www.terraform.io/docs/providers/aws/r/security_group_rule.html\" class=\"preview__body--description--blue\" target=\"_blank\">aws_security_group_rule</a> resource, and set its\n<code>security_group_id</code> argument to the Terraform output of this module called <code>eks_control_plane_security_group_id</code>. For example, here is how you can allow the master nodes\nin this cluster to allow incoming HTTPS requests on port 443 from an additional security group that is not the workers:</p>\n<pre>module <span class=\"hljs-string\">\"eks_cluster\"</span> {\n # (arguments omitted)\n}\n<span class=\"hljs-built_in\">\nresource </span><span class=\"hljs-string\">\"aws_security_group_rule\"</span> <span class=\"hljs-string\">\"allow_inbound_http_from_anywhere\"</span> {\n <span class=\"hljs-built_in\"> type </span> = <span class=\"hljs-string\">\"ingress\"</span>\n from_port = 443\n to_port = 443\n protocol = <span class=\"hljs-string\">\"tcp\"</span>\n\n security_group_id = module.eks_cluster.eks_control_plane_security_group_id\n source_security_group_id = var.source_aws_security_group_id\n}\n</pre>\n<h2 class=\"preview__body--subtitle\" id=\"what-iam-policies-are-attached-to-the-eks-cluster\">What IAM policies are attached to the EKS Cluster?</h2>\n<p>This module will create IAM roles for the EKS cluster master nodes with the minimum set of policies necessary\nfor the cluster to function as a Kubernetes cluster. The policies attached to the roles are the same as those documented\nin <a href=\"https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html\" class=\"preview__body--description--blue\" target=\"_blank\">the AWS getting started guide for EKS</a>.</p>\n<h3 class=\"preview__body--subtitle\" id=\"how-do-you-add-additional-iam-policies\">How do you add additional IAM policies?</h3>\n<p>To add additional IAM policies to the EKS cluster master nodes, you can use the\n<a href=\"https://www.terraform.io/docs/providers/aws/r/iam_role_policy.html\" class=\"preview__body--description--blue\" target=\"_blank\">aws_iam_role_policy</a> or\n<a href=\"https://www.terraform.io/docs/providers/aws/r/iam_policy_attachment.html\" class=\"preview__body--description--blue\" target=\"_blank\">aws_iam_policy_attachment</a> resources, and set\nthe IAM role id to the Terraform output of this module called <code>eks_control_plane_iam_role_name</code> for the master nodes. For\nexample, here is how you can allow the master nodes in this cluster to access an S3 bucket:</p>\n<pre>module <span class=\"hljs-string\">\"eks_cluster\"</span> {\n # (arguments omitted)\n}\n<span class=\"hljs-built_in\">\nresource </span><span class=\"hljs-string\">\"aws_iam_role_policy\"</span> <span class=\"hljs-string\">\"access_s3_bucket\"</span> {\n name = <span class=\"hljs-string\">\"access_s3_bucket\"</span>\n role = module.eks_cluster.eks_control_plane_iam_role_name\n <span class=\"hljs-built_in\"> policy </span>= <<EOF\n{\n <span class=\"hljs-string\">\"Version\"</span>: <span class=\"hljs-string\">\"2012-10-17\"</span>,\n <span class=\"hljs-string\">\"Statement\"</span>: [\n {\n <span class=\"hljs-string\">\"Sid\"</span>: <span class=\"hljs-string\">\"\"</span>,\n <span class=\"hljs-string\">\"Effect\"</span>:<span class=\"hljs-string\">\"Allow\"</span>,\n <span class=\"hljs-string\">\"Action\"</span>: <span class=\"hljs-string\">\"s3:GetObject\"</span>,\n <span class=\"hljs-string\">\"Resource\"</span>: <span class=\"hljs-string\">\"arn:aws:s3:::examplebucket/*\"</span>\n }\n ]\n}\nEOF\n}\n</pre>\n<h2 class=\"preview__body--subtitle\" id=\"how-do-i-associate-iam-roles-to-the-pods\">How do I associate IAM roles to the Pods?</h2>\n<p><strong>NOTE: This configuration depends on <a href=\"/repos/kubergrunt\" class=\"preview__body--description--blue\">kubergrunt</a>, minimum version 0.5.3</strong></p>\n<p>This module will set up the OpenID Connect Provider that can be used with the <a href=\"https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html\" class=\"preview__body--description--blue\" target=\"_blank\">IAM Roles for Service\nAccounts</a> feature. When this\nfeature is enabled, you can exchange the Kubernetes Service Account Tokens for IAM role credentials using the\n<code>sts:AssumeRoleWithWebIdentity</code> AWS API in the STS service.</p>\n<p>To allow Kubernetes Service Accounts to assume the roles, you need to grant the proper assume role IAM policies to the\nrole that is being assumed. Specifically, you need to:</p>\n<ul>\n<li>Allow the OpenID Connect Provider to assume the role.</li>\n<li>Specify any conditions on assuming the role. You can restrict by:\n<ul>\n<li>Service Accounts that can assume the role</li>\n<li>Which Namespaces have full access to assume the role (meaning, all Service Accounts in the Namespace can assume\nthat role).</li>\n</ul>\n</li>\n</ul>\n<p>You can use the\n<a href=\"/repos/v0.36.0/terraform-aws-eks/modules/eks-iam-role-assume-role-policy-for-service-account\" class=\"preview__body--description--blue\">eks-iam-role-assume-role-policy-for-service-account module</a> to\nconstruct the policy using a more convenient interface. Refer to the module documentation for more info.</p>\n<p>Once you have an IAM Role that can be assumed by the Kubernetes Service Account, you can configure your Pods to exchange\nthem for IAM role credentials. EKS will automatically configure the correct environment variables that the SDK expects\non the Pods when you annotate the associated Service Account with the role it should assume.</p>\n<p>The following shows an example Kubernetes manifest that configures the Service Account to assume the IAM role <code>arn:aws:iam::123456789012:role/myrole</code>:</p>\n<pre><span class=\"hljs-attribute\">apiVersion</span>: v1\n<span class=\"hljs-attribute\">kind</span>: ServiceAccount\n<span class=\"hljs-attribute\">metadata</span>:\n <span class=\"hljs-attribute\">annotations</span>:\n eks.amazonaws.com/<span class=\"hljs-attribute\">role-arn</span>: <span class=\"hljs-attribute\">arn</span>:<span class=\"hljs-attribute\">aws</span>:<span class=\"hljs-attribute\">iam</span>::<span class=\"hljs-number\">123456789012</span>:role/myrole\n</pre>\n<p>Note that the AWS SDK will automatically assume the role if you are using a compatible version. The following is a list\nof the minimum SDK version for various platforms that support the <code>AWS_WEB_IDENTITY_TOKEN_FILE</code> environment variable\nused by IRSA:</p>\n<pre><span class=\"hljs-selector-tag\">Java</span> 1<span class=\"hljs-selector-class\">.11</span><span class=\"hljs-selector-class\">.623</span>\n<span class=\"hljs-selector-tag\">Java2</span> 2<span class=\"hljs-selector-class\">.7</span><span class=\"hljs-selector-class\">.36</span>\n<span class=\"hljs-selector-tag\">Go</span> 1<span class=\"hljs-selector-class\">.23</span><span class=\"hljs-selector-class\">.13</span>\n<span class=\"hljs-selector-tag\">Python</span> 1<span class=\"hljs-selector-class\">.9</span><span class=\"hljs-selector-class\">.220</span>\n<span class=\"hljs-selector-tag\">Node</span> 2<span class=\"hljs-selector-class\">.521</span><span class=\"hljs-selector-class\">.0</span>\n<span class=\"hljs-selector-tag\">Ruby</span> 2<span class=\"hljs-selector-class\">.11</span><span class=\"hljs-selector-class\">.345</span>\n<span class=\"hljs-selector-tag\">PHP</span> 3<span class=\"hljs-selector-class\">.110</span><span class=\"hljs-selector-class\">.7</span>\n<span class=\"hljs-selector-class\">.NET</span> 3<span class=\"hljs-selector-class\">.3</span><span class=\"hljs-selector-class\">.580</span><span class=\"hljs-selector-class\">.0</span>\n</pre>\n<h2 class=\"preview__body--subtitle\" id=\"how-do-i-ssh-into-the-nodes\">How do I SSH into the nodes?</h2>\n<p>By design, AWS does not allow you to SSH into the master nodes of an EKS cluster.</p>\n<h2 class=\"preview__body--subtitle\" id=\"api-access-and-networking\">API Access and Networking</h2>\n<p>By default the Kubernetes API is accessible from the internet. This is to make operations easier when making requests to\nthe EKS cluster control plane. However, this module supports restricting access to only be allowed from within the VPC.\nYou can restrict public access by setting the <code>endpoint_public_access</code> input variable to <code>false</code>.</p>\n<h2 class=\"preview__body--subtitle\" id=\"control-plane-logging\">Control Plane Logging</h2>\n<p>EKS supports exporting various logs to CloudWatch. By default, none of the logging options are enabled by this module.\nTo enable logs, you can pass in the relevant type strings to the <code>enabled_cluster_log_types</code> input variable. For\nexample, to enable API server and audit logs, you can pass in the list <code>["api", "audit"]</code>. See <a href=\"https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html\" class=\"preview__body--description--blue\" target=\"_blank\">the official\ndocumentation</a> for a list of available log\ntypes.</p>\n<h2 class=\"preview__body--subtitle\" id=\"how-do-i-configure-encryption-at-rest-for-secrets\">How do I configure encryption at rest for Secrets?</h2>\n<p>Kubernetes <a href=\"https://kubernetes.io/docs/concepts/configuration/secret/\" class=\"preview__body--description--blue\" target=\"_blank\">Secrets</a> are resources in the cluster designed to\nstore and manage sensitive information. These behave like\n<a href=\"https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/\" class=\"preview__body--description--blue\" target=\"_blank\">ConfigMaps</a>, but have a few extra\nproperties that enhance their security profile.</p>\n<p>All EKS clusters encrypt Kubernetes Secrets at rest at the disk level using shared AWS managed KMS keys. Alternatively,\nyou can provide your own KMS Customer Master Key (CMK) to use for envelope encryption. In envelope encryption,\nKubernetes will use the provided CMK to encrypt the secret keys used to encrypt the Kubernetes Secrets. For each Secret,\nKubernetes will dynamically generate a new data encryption key (DEK) for the purposes of encrypting and decrypting the\nsecret. This key is then encrypted using the provided CMK before being stored in the cluster. In this way, you can\nmanage access to the Secret (indirectly by restricting access to the DEK) through the KMS permissions. For example, you\ncan disable all access to any Secrets in the EKS cluster by removing the permissions to encrypt/decrypt using the KMS\nkey in case of a breach.</p>\n<p>To enable envelope encryption, provide the KMS key ARN you would like to use using the variable\n<code>secret_envelope_encryption_kms_key_arn</code>. Note that if the KMS key belongs to another account, you will need to grant\naccess to manage permissions for the key to the account holding the EKS cluster. See <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html\" class=\"preview__body--description--blue\" target=\"_blank\">Allowing users in other accounts\nto use a CMK</a> from\nthe official AWS docs for more information.</p>\n<h2 class=\"preview__body--subtitle\" id=\"how-do-i-deploy-pods-on-fargate\">How do I deploy Pods on Fargate?</h2>\n<p><a href=\"https://aws.amazon.com/fargate/\" class=\"preview__body--description--blue\" target=\"_blank\">AWS Fargate</a> is an AWS managed infrastructure for running ECS Tasks and EKS Pods\nwithout any worker nodes. With Fargate, your EKS Pods will automatically be assigned a node from a shared pool of VMs\nthat are fully managed by AWS. This means that you can focus entirely on the application you are deploying and not have\nto worry about servers, clusters, and the underlying infrastructure as a whole.</p>\n<p>To use Fargate with your EKS Pods, you need to create a Fargate Profile to select the Pods that you want to run. You can\nuse Namespaces and Labels to restrict which Pods of the EKS cluster will run on Fargate. This means that Pods that match\nthe specifications of the Fargate Profile will automatically be deployed to Fargate without any further configuration.</p>\n<p>Some additional notes on using Fargate:</p>\n<ul>\n<li>Fargate Profiles require a Pod Execution Role, which is an IAM role that will be assigned to the underlying\n<code>kubelet</code> of the Fargate instance. At a minimum, this role must be given enough permissions to pull the images\nused by the Pod. Note that <strong>this role is NOT made available to the Pods!</strong> Use <a href=\"#how-do-i-associate-iam-roles-to-pods\" class=\"preview__body--description--blue\">the IAM Role for Service Accounts\n(IRSA) feature of EKS</a> to assign IAM roles for use by the Pods themselves.</li>\n<li>If you set the input variable <code>schedule_control_plane_services_on_fargate</code> on this module, the module will\nautomatically allocate a Fargate Profile that selects the core control plane services deployed in the <code>kube-system</code>\nNamespace (e.g., <code>core-dns</code>). This profile is highly selective and will most likely not match any other Pods in the\ncluster. To deploy additional Pods onto Fargate, you must manually create Fargate Profiles that select those Pods (use\n<a href=\"https://www.terraform.io/docs/providers/aws/r/eks_fargate_profile.html\" class=\"preview__body--description--blue\" target=\"_blank\">the <code>aws_eks_fargate_profile</code> resource</a> to\nprovision Fargate Profiles with Terraform). The Pod Execution Role created by the module may be reused for other\nFargate Profiles.</li>\n<li>Fargate does not support DaemonSets. This means that you can't rely on the <a href=\"/repos/v0.36.0/terraform-aws-eks/modules/eks-container-logs\" class=\"preview__body--description--blue\">eks-container-logs</a>\nmodule to forward logs to CloudWatch. Instead, you need to manually configure a sidecar <code>fluentd</code> container that\nforwards the log entries to CloudWatch Logs. Refer to <a href=\"https://aws.amazon.com/blogs/containers/how-to-capture-application-logs-when-using-amazon-eks-on-aws-fargate/\" class=\"preview__body--description--blue\" target=\"_blank\">this AWS blog\npost</a>\nfor documentation on how to setup <code>fluentd</code> with Fargate.</li>\n</ul>\n<h2 class=\"preview__body--subtitle\" id=\"how-do-i-upgrade-the-kubernetes-version-of-the-cluster\">How do I upgrade the Kubernetes Version of the cluster?</h2>\n<p>To upgrade the minor version of Kubernetes deployed on the EKS cluster, you need to update the <code>kubernetes_version</code>\ninput variable. <strong>You must upgrade one minor version at a time</strong>, as EKS does not support upgrading by more than one\nminor version.</p>\n<p>When you bump minor versions, the module will automatically update the deployed Kubernetes components as described in\nthe <a href=\"https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html\" class=\"preview__body--description--blue\" target=\"_blank\">official upgrade guide</a>. This is handled by\n<code>kubergrunt</code> (<strong>minimum version 0.6.2</strong>) using the <a href=\"/repos/kubergrunt#sync-core-components\" class=\"preview__body--description--blue\">eks\nsync-core-components</a> command, which will look up the\ndeployed Kubernetes version and make the required <code>kubectl</code> calls to deploy the updated components.</p>\n<p>Note that you must update the nodes to use the corresponding <code>kubelet</code> version as well. This means that when you update\nminor versions, you will also need to update the AMIs used by the worker nodes to match the version and rotate the\nworkers. For more information on rotating worker nodes, refer to <a href=\"/repos/v0.36.0/terraform-aws-eks/modules/eks-cluster-workers/README.md#how-do-i-roll-out-an-update-to-the-instances\" class=\"preview__body--description--blue\">How do I roll out an update to the\ninstances?</a> in the <code>eks-cluster-workers</code>\nmodule README.</p>\n<p>Here are detailed steps on how to update your cluster:</p>\n<ol>\n<li>Bump the <code>kubernetes_version</code> in the module variable to the next minor version in your module block for\n<code>eks-cluster-control-plane</code>.</li>\n<li>For self managed worker nodes (<code>eks-cluster-workers</code> module), build a new AMI for your worker nodes that depend on\nan EKS optimized AMI for the Kubernetes minor version. Update the <code>asg_default_instance_ami</code> variable to the new AMI in\nyour module block for <code>eks-cluster-workers</code>.</li>\n<li>Apply the changes. This will update the Kubernetes version on the EKS control plane, and stage the updates for your\nworkers. Note that your cluster will continue to function as Kubernetes supports worker nodes that are 1 minor\nversion behind.</li>\n<li>Roll out the AMI update using <code>kubergrunt eks deploy</code>.</li>\n</ol>\n<h2 class=\"preview__body--subtitle\" id=\"python-helper-scripts\">Python Helper Scripts</h2>\n<p>This module contains various python helper scripts that are used to achieve enhanced functionality not available in\nTerraform. All these scripts are intended to be used as part of <a href=\"https://www.terraform.io/docs/provisioners/local-exec.html\" class=\"preview__body--description--blue\" target=\"_blank\">local-exec\nprovisioner</a>. In order to support disabling the scripts, we\nuse a <a href=\"https://www.terraform.io/docs/provisioners/null_resource.html\" class=\"preview__body--description--blue\" target=\"_blank\">null_resource</a> to wrap the provisioner. See this\nmodule's <a href=\"/repos/v0.36.0/terraform-aws-eks/modules/eks-cluster-control-plane/main.tf\" class=\"preview__body--description--blue\">main.tf file</a> for example usage.</p>\n<p>Since this is a python script, The operator machine must have a valid python interpreter available in the <code>PATH</code> under\nthe name <code>python</code>. The scripts support python versions 2.7, 3.5, 3.6, 3.7, and 3.8, on Mac OSX or Linux.</p>\n<p>Below is an overview of the scripts:</p>\n<ul>\n<li><code>cleanup_cluster_resources</code>: Clean up any residual resources managed by the EKS cluster that may be remaining after\nthe cluster is destroyed. This is used to workaround terraform and kubernetes limitations that may leave managed\nresources behind.</li>\n</ul>\n<h2 class=\"preview__body--subtitle\" id=\"troubleshooting\">Troubleshooting</h2>\n<h3 class=\"preview__body--subtitle\" id=\"access-denied-when-provisioning-services-of-load-balancer-type\">AccessDenied when provisioning Services of LoadBalancer type</h3>\n<p>On brand new accounts, AWS needs to provision a new Service Linked Role for ELBs when an ELB is first provisioned. EKS\nautomatically creates the Service Linked Role if it doesn't exist, but it needs more permissions than is provided by\ndefault. Since the permission is only needed as a one time thing, binding the necessary permissions would be a violation\nof least privileges.</p>\n<p>As such, this module does not bind the requisite permissions, and instead we recommend taking one of the following\napproaches:</p>\n<ul>\n<li>\n<p>Create a one time wrapper module that appends the following IAM permissions to the control plane IAM role (the output\n<code>eks_master_iam_role_arn</code>), and deploy the EKS cluster with <code>LoadBalancer</code> service:</p>\n<pre><code> ec2:DescribeAccountAttributes\n ec2:DescribeInternetGateways\n</code></pre>\n</li>\n<li>\n<p>Create an ELB using the AWS console, or the modules in <a href=\"/repos/terraform-aws-load-balancer\" class=\"preview__body--description--blue\">terraform-aws-load-balancer</a>.</p>\n</li>\n<li>\n<p>Create the service linked role using <a href=\"/repos/terraform-aws-service-catalog/modules/landingzone\" class=\"preview__body--description--blue\">the Landing Zone\nmodules</a>.</p>\n</li>\n</ul>\n","repoName":"terraform-aws-eks","repoRef":"v0.40.0","serviceDescriptor":{"serviceName":"EC2 Kubernetes Service (EKS) Cluster","serviceRepoName":"terraform-aws-eks","serviceRepoOrg":"gruntwork-io","cloudProviders":["aws"],"description":"Deploy a Kubernetes cluster on top of Amazon EC2 Kubernetes Service (EKS).","imageUrl":"eks.png","licenseType":"subscriber","technologies":["Terraform","Python","Bash"],"compliance":[],"tags":[""]},"serviceCategoryName":"Docker orchestration","fileName":"README.md","filePath":"/modules/eks-cluster-control-plane/README.md","title":"Repo Browser: EC2 Kubernetes Service (EKS) Cluster","description":"Browse the repos in the Gruntwork Infrastructure as Code Library."}
.circleci
dependencies.tf
