terraform-aws-eks

Terraform module to create Amazon Elastic Kubernetes (EKS) resources 🇺🇦

APACHE-2.0 License

Stars
4.4K
Committers
360

terraform-aws-eks - v13.2.1

Published by barryib almost 4 years ago

DOCS:

  • Clarify usage of both AWS-Managed Node Groups and Self-Managed Worker Groups (#1094)

ENHANCEMENTS:

  • Tags passed into worker groups should also be excluded from Launch Template tag specification (#1095)

BUG FIXES:

  • Don't add empty Roles ARN in aws-auth configmap, specifically when no Fargate profiles are specified (#1096)

terraform-aws-eks - v13.2.1

Published by barryib almost 4 years ago

FEATURES:

  • Add EKS Fargate support (#1067)
  • Tags passed into worker groups override tags from var.tags for Autoscaling Groups (#1092)

BUG FIXES:

  • Change the default launch_template_id to null for Managed Node Groups (#1088)

DOCS:

  • Fix IRSA example when deploying cluster-autoscaler from the latest kubernetes/autoscaler helm repo (#1090)
  • Explain node_groups and worker_groups difference in FAQ (#1081)
  • Update autoscaler installation in IRSA example (#1063)

NOTES:

  • Tags that are passed into var.worker_groups_launch_template or var.worker_groups now override tags passed in via var.tags for Autoscaling Groups only. This allows ASG tags to be overwritten, so that propagate_at_launch can be tweaked for a particular key.

terraform-aws-eks - v13.1.0

Published by barryib almost 4 years ago

FEATURES:

  • Add Launch Template support for Managed Node Groups (#997)
  • Add cloudwatch_log_group_arn to outputs (#1071)
  • Add kubernetes standard labels to avoid manual mistakes on the managed aws-auth configmap (#989)

CI:

  • Use ubuntu-latest instead of MacOS for docs checks (#1074)
  • Fix GitHub Actions CI macOS build errors (#1065)

BUG FIXES:

  • The type of the output cloudwatch_log_group_name should be a string instead of a list of strings (#1061)
  • Use splat syntax to avoid errors during destroy with an empty state (#1041)
  • Fix cycle error during the destroy phase when we change workers order (#1043)
  • Set IAM Path for cluster_elb_sl_role_creation IAM policy (#1045)
  • Use the amazon ImageOwnerAlias for worker ami owner instead of owner id (#1038)

NOTES:

  • Managed Node Groups now support Launch Templates. The Launch Template itself is not managed by this module, so you have to create it yourself and pass its ID to this module. See docs and examples/launch_templates_with_managed_node_groups/ for more details.
  • The output cloudwatch_log_group_name was incorrectly returning the log group name as a list of strings. As a workaround, people were using module.eks_cluster.cloudwatch_log_group_name[0], but that was totally inconsistent with the output name. Those users can now use module.eks_cluster.cloudwatch_log_group_name directly.
  • Keep in mind that changing the order of worker groups is a destructive operation. All worker groups are destroyed and recreated. If you want to do this safely, you should move them in state with terraform state mv until we manage worker groups as maps.

terraform-aws-eks - v13.0.0

Published by barryib about 4 years ago

BUG FIXES:

  • Use customer managed policy instead of inline policy for cluster_elb_sl_role_creation (#1039)
  • More compatibility fixes for Terraform v0.13 and aws v3 (#976)
  • Create cluster_private_access security group rules when it should (#981)
  • random_pet with LT workers under 0.13.0 (#940)

ENHANCEMENTS:

  • Make the cpu_credits optional for workers launch template (#1030)
  • update the wait_for_cluster_cmd logic to use curl if wget doesn't exist (#1002)

FEATURES:

  • Add load_balancers parameter to associate a CLB (Classic Load Balancer) to worker groups ASG (#992)
  • Dynamic Partition for IRSA to support AWS-CN Deployments (#1028)
  • Add AmazonEKSVPCResourceController to cluster policy to be able to set AWS Security Groups for pod (#1011)
  • Cluster version is now a required variable. (#972)

CI:

  • Bump terraform pre-commit hook version and re-run terraform-docs with the latest version to fix the CI (#1033)
  • fix CI lint job (#973)

DOCS:

  • Add important notes about the retry logic and the wget requirement (#999)
  • Update README about cluster_version variable requirement (#988)
  • Mixed spot + on-demand instance documentation (#967)
  • Describe key_name is about AWS EC2 key pairs (#970)
  • Better documentation of cluster_id output blocking (#955)

BREAKING CHANGES:

  • Default for cluster_endpoint_private_access_cidrs is now null instead of ["0.0.0.0/0"]. This makes the variable required when cluster_create_endpoint_private_access_sg_rule is set to true. Everyone who wants private access must now explicitly set their allowed subnets, following the principle of least access by default.
  • cluster_version variable is now required.

NOTES:

  • The cluster_elb_sl_role_creation policy is now a customer managed policy rather than an inline policy. It is common for "enterprise" AWS users to disallow inline policies with an SCP rule for auditing-related reasons, and this accomplishes the same thing.
  • credit_specification for worker groups launch template can now be set to null so that we can use non-burstable EC2 families.
  • Starting in v12.1.0 the cluster_id output depends on the
    wait_for_cluster null resource. This means that initialisation of the
    kubernetes provider will be blocked until the cluster is really ready,
    if the module is set to manage the aws_auth ConfigMap and the user followed
    the typical Usage Example. kubernetes resources in the same plan do not
    need to depend on anything explicitly.

terraform-aws-eks -

Published by dpiddockcmp over 4 years ago

DOCS:

  • Update required IAM permissions list (#936)
  • Improve FAQ on how to deploy from Windows (#927)
  • autoscaler X.Y version must match (#928)

FEATURES:

  • IMDSv2 metadata configuration in Launch Templates (#938)
  • worker launch templates and configurations depend on security group rules and IAM policies (#933)
  • Add IAM permissions for ELB svc-linked role creation by EKS cluster (#902)
  • Add a homemade depends_on for MNG submodule to ensure ordering of resource creation (#867)

BUG FIXES:

  • Strip user supplied Name tag from asg_tags (#946)
  • Get on_demand_allocation_strategy from local.workers_group_defaults when deciding to use mixed_instances_policy (#908)
  • remove unnecessary conditional in private access security group (#915)

NOTES:

  • Addition of the IMDSv2 metadata configuration block to Launch Templates will cause a diff to be generated for existing Launch Templates on first Terraform apply. The defaults match existing behaviour.

terraform-aws-eks -

Published by dpiddockcmp over 4 years ago

FEATURES:

  • Add aws_security_group_rule.cluster_https_worker_ingress to output values (#901)
  • Allow communication between pods on workers and pods using the primary cluster security group (optional) (#892)

BUG FIXES:

  • Revert removal of templates provider (#883)
  • Ensure kubeconfig ends with \n (#880)
  • Work around path bug in aws-iam-authenticator (#894)

DOCS:

NOTES:

  • New variable worker_create_cluster_primary_security_group_rules to allow communication between pods on workers and pods using the primary cluster security group (Managed Node Groups or Fargate). It defaults to false to avoid potential conflicts with existing security group rules users may have implemented.

terraform-aws-eks - v12.0.0

Published by barryib over 4 years ago

BUG FIXES:

  • Fix Launch Templates error with aws 2.61.0 (#875)
  • Use splat syntax for cluster name to avoid (known after apply) in managed node groups (#868)

DOCS:

  • Add notes for Kubernetes 1.16 (#873)
  • Remove useless template provider in examples (#863)

FEATURES:

  • Create kubeconfig with non-executable permissions (#864)
  • Change EKS default version to 1.16 (#857)

ENHANCEMENTS:

  • Remove dependency on external template provider (#854)

BREAKING CHANGES:

  • The default cluster_version is now 1.16. Kubernetes 1.16 includes a number of deprecated API removals, and you need to ensure your applications and add-ons are updated, or workloads could fail after the upgrade is complete. For more information on the API removals, see the Kubernetes blog post. For action you may need to take before upgrading, see the steps in the EKS documentation. Please explicitly set your cluster_version to an older EKS version until your workloads are ready for Kubernetes 1.16.

terraform-aws-eks - v11.1.0

Published by barryib over 4 years ago

BUG FIXES:

  • Add vpc_config.cluster_security_group output as primary cluster security group id (#828)
  • Wrap local.configmap_roles.groups with tolist() to avoid panic (#846)
  • Prevent coalescelist null argument error when destroying worker_group_launch_templates (#842)

FEATURES:

  • Add support for EC2 principal in assume worker role policy for China (#827)

terraform-aws-eks - v11.0.0

Published by barryib over 4 years ago

FEATURES:

  • Add instance tag specifications to Launch Template (#822)
  • Add support for additional volumes in launch templates and launch configurations (#800)
  • Add interpreter option to wait_for_cluster_cmd (#795)

ENHANCEMENTS:

  • Use aws_partition to build IAM policy ARNs (#820)
  • Generate aws-auth configmap's roles from Object. No more string concat. (#790)
  • Add timeout to default wait_for_cluster_cmd (#791)
  • automate changelog management (#786)

BUG FIXES:

  • Fix destroy failure when talking to EKS endpoint on private network (#815)
  • add ip address when manage_aws_auth is true and public_access is false (#745)
  • Add node_group direct dependency on eks_cluster (#796)
  • Do not recreate cluster when no SG given (#798)
  • Create false and avoid waiting forever for a non-existent cluster to respond (#789)
  • fix git-chglog template to format changelog Type nicely (#803)
  • fix git-chglog configuration (#802)

CI:

  • Restrict semantic PR to validate PR title only (#804)

TESTS:

  • remove unused kitchen test related stuff (#787)

terraform-aws-eks - v10.0.0

Published by barryib over 4 years ago

BREAKING CHANGES:

  • Added support for EKS 1.15 (by @sc250024)

ENHANCEMENTS:

  • Ensuring that ami lookup hierarchy is worker_group_launch_templates and worker_groups -> worker_group_defaults -> and finally aws ami lookup (by @ck3mp3r)
  • Adding encrypted option to worker's root_block_device as read from the worker configurations (by @craig-rueda)
  • Add support for ASG max instance lifetime (by @sidprak)
  • Add default_cooldown and health_check_grace_period options to workers ASG (by @ArieLevs)
  • Add support for envelope encryption of Secrets (by @babilen5)

BUG FIXES:

  • Fix issue with terraform plan phase when IRSA was enabled and create_eks switches to false (by @daroga0002)
  • Remove obsolete assumption from README (kubectl & aws-iam-authenticator) (by @pierresteiner)
  • Fix doc about spot instances, cluster-autoscaler should be scheduled on normal instances instead of spot (by @simowaer)
  • Use correct policy arns for CN regions (cn-north-1, cn-northwest-1) (by @cofyc)
  • Fix support for ASG max instance lifetime for workers (by @barryib)

NOTES:

From EKS 1.15, the VPC tag kubernetes.io/cluster/<cluster-name>: shared is no longer required, so we dropped those tags from the examples.

terraform-aws-eks - v9.0.0

Published by max-rocket-internet over 4 years ago

  • Breaking: Removal of autoscaling IAM policy and tags (by @max-rocket-internet)
  • Revert #631. Add back manage security group flags. (by @ryanooi)
  • Changed timeout for creating EKS (by @confiq)
  • Added instructions for how to add Windows nodes (by @ivanguravel)
  • [CI] Switch Validate github action to use env vars (by @max-rocket-internet)
  • [CI] Bump pre-commit-terraform version (by @barryib)
  • Added example examples/irsa for IAM Roles for Service Accounts (by @max-rocket-internet)
  • Add iam:{Create,Delete,Get}OpenIDConnectProvider grants to the list of required IAM permissions in docs/iam-permissions.md (by @danielelisi)
  • Add a name parameter to be able to manually name EKS Managed Node Groups (by @splieth)
  • Pinned kubernetes provider version to exactly 1.10.0 across all examples and README.md's (by @andres-de-castro)
  • Change variable default wait_for_cluster_cmd from curl to wget (by @daroga0002)

terraform-aws-eks - v8.2.0

Published by barryib over 4 years ago

  • Include ability to configure custom os-specific command for waiting until kube cluster is healthy (@sanjeevgiri)
  • Disable creation of ingress rules if worker nodes security groups exist (@andjelx)
  • [CI] Update pre-commit and re-generate docs to work with terraform-docs >= 0.8.1 (@barryib)

terraform-aws-eks - Node groups, IRSA, k8s provider, wow🔥

Published by max-rocket-internet almost 5 years ago

🔥 There are many changes in this release, including 2 breaking changes 🔥

Now we use the Kubernetes Terraform provider for managing the aws-auth configmap.

Managed Node Groups are now released. Please bear in mind this feature is new not only to this module but also to EKS. There are still quite a few basic features not supported.

If you have problems and see unexpected plan output then be sure to consult the changelog for this release to see how or why this might be.

This release took way too long to create and we know we must release at a faster pace 🏎

There's some good discussion about the future of this module in https://github.com/terraform-aws-modules/terraform-aws-eks/issues/635

terraform-aws-eks - A few bug fixes 💅

Published by max-rocket-internet almost 5 years ago

  • Test against minimum versions specified in versions.tf (by @dpiddockcmp)
  • Updated instance_profile_names and instance_profile_arns outputs to also consider launch template as well as asg (by @ankitwal)
  • Fix broken terraform plan/apply on a cluster < 1.14 (by @hodduc)
  • Updated application of aws-auth configmap to create kube_config.yaml and aws_auth_configmap.yaml in sequence (and not parallel) to kubectl apply (by @knittingdev)

terraform-aws-eks - Windows support 🚀

Published by max-rocket-internet almost 5 years ago

Added

  • Breaking: Allow for specifying a custom AMI for the worker nodes. (by @bmcstdio)
  • Added support for Windows workers AMIs (by @hodduc)
  • Allow for replacing the full userdata text with a userdata_template_file template and userdata_template_extra_args in worker_groups (by @snstanton)

Changed

  • Breaking: The kubectl configuration file can now be fully-specified using config_output_path. Previously it was assumed that config_output_path referred to a directory and always ended with a forward slash. This is a breaking change if config_output_path does not end with a forward slash (which was advised against by the documentation).
  • Changed logic for setting default ebs_optimized to only require maintaining a list of instance types that don't support it (by @jeffmhastings)
  • Bumped minimum terraform version to 0.12.2 to prevent an error on yamlencode function (by @toadjaune)
  • Access conditional resource using join function in combination with splat syntax (by @miguelaferreira)

terraform-aws-eks - v6.0.2

Published by barryib about 5 years ago

Added

  • Added tags to aws_eks_cluster introduced by terraform-provider-aws 2.31.0 (by @morganchristiansson)

Changed

  • Add option to enable lifecycle hooks creation (by @barryib)
  • Remove helm chart value sslCertPath described in docs/autoscaling.md (by @wi1dcard)
  • Attaching of IAM policies for autoscaler and CNI to the worker nodes now optional (by @dpiddockcmp)

terraform-aws-eks - Bug fixes and add support for GPU worker node

Published by barryib about 5 years ago

Added

  • Added support for different workers AMI's, i.e. with GPU support (by @rvoitenko)

Changed

  • Use null as default value for target_group_arns attribute of worker autoscaling group (by @tatusl)
  • Output empty string when cluster identity is empty (by @tbarry)

terraform-aws-eks - Many wonderful fixes from many great people

Published by max-rocket-internet about 5 years ago
