Terraform module to create Amazon Elastic Kubernetes (EKS) resources 🇺🇦
APACHE-2.0 License
Published by antonbabenko 9 months ago
aws-auth configmap with EKS cluster access entry (#2858)
See the UPGRADE-20.0.md guide for further details on the changes and guidance for upgrading
v5.34
v1.3 to support Terraform state moved blocks as well as other advanced features
resolve_conflicts argument within the cluster_addons configuration has been replaced with resolve_conflicts_on_create and resolve_conflicts_on_delete now that resolve_conflicts is deprecated
preserve argument of cluster_addons is now set to true. This has been shown to be useful for users deprovisioning clusters, because it avoids the situation where the CNI is deleted too early and resources are left orphaned, resulting in conflicts.
irsa naming convention has been removed, along with an update to the Karpenter controller IAM policy to align with Karpenter's v1beta1/v0.32 changes. Instead of referring to the role as irsa or pod_identity, it is simply an IAM role used by the Karpenter controller, and there is support for use with IRSA and/or Pod Identity (default) at this time
aws-auth ConfigMap resources have been moved to a standalone sub-module. This removes the Kubernetes provider requirement from the main module and allows the aws-auth ConfigMap to be managed independently of the main module. This sub-module will be removed entirely in the next major release.
API_AND_CONFIG_MAP. This is a one-way change if applied; if you wish to use CONFIG_MAP, you will need to set authentication_mode = "CONFIG_MAP" explicitly when upgrading.
spot_interrupt updated to correct mis-spelling (was spot_interupt). This will cause the rule to be replaced
bootstrap_cluster_creator_admin_permissions setting on the control plane has been hardcoded to false, since this is a one-time operation that happens only at cluster creation per the EKS API. Instead, users can enable/disable enable_cluster_creator_admin_permissions at any time to achieve the same functionality. This takes the identity that Terraform is using to make API calls and maps it into a cluster admin via an access entry. Users on existing clusters will need to remove the default cluster administrator that was created by EKS prior to the cluster access entry APIs - see the section Removing the default cluster administrator for more details.
instance_maintenance_policy and have added max_healthy_percentage, scale_in_protected_instances, and standby_instances arguments to the instance_refresh.preferences block
sts:AssumeRole permissions by services, the use of dynamically looking up the DNS suffix has been replaced with the static value of amazonaws.com. This does not appear to change by partition and instead requires users to set this manually for non-commercial regions.
kms_key_enable_default_policy has changed from false to true to align with the default behavior of the aws_kms_key resource
create_instance_profile has changed from true to false to align with the changes in Karpenter v0.32
create_instance_profile default value has changed from true to false. Starting with Karpenter v0.32.0, Karpenter accepts an IAM role and creates the EC2 instance profile used by the nodes
complete example has been removed due to its redundancy with the other examples
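
An added example, not taken from the module's documentation: a v20 module call that sets the authentication mode explicitly and grants cluster access through named access entries, as the authentication and access entry changes above describe. The account ID, role names, VPC and subnet IDs, and cluster name and version are placeholders; the two policy ARNs are AWS-managed EKS access policies.

```hcl
# Added example. All identifiers below (account ID, role names, VPC and
# subnet IDs, cluster name and version) are constructed placeholders.
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 20.0"

  cluster_name    = "example"
  cluster_version = "1.29"

  vpc_id     = "vpc-0123456789abcdef0"
  subnet_ids = ["subnet-0123456789abcdef0", "subnet-0123456789abcdef1"]

  # State the mode explicitly so the upgrade is a reviewed decision. The
  # release notes describe the move to API_AND_CONFIG_MAP as one way; a
  # cluster that must stay on the ConfigMap alone sets "CONFIG_MAP" here.
  authentication_mode = "API_AND_CONFIG_MAP"

  # Leave the Terraform caller unmapped and grant access through named
  # entries, so cluster admin is tied to reviewed roles rather than to
  # whichever identity ran the apply.
  enable_cluster_creator_admin_permissions = false

  access_entries = {
    # Cluster-wide administration for one named role.
    platform_admin = {
      principal_arn = "arn:aws:iam::111122223333:role/platform-admin"
      policy_associations = {
        admin = {
          policy_arn   = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
          access_scope = { type = "cluster" }
        }
      }
    }

    # Read-only access limited to a single namespace.
    auditor = {
      principal_arn = "arn:aws:iam::111122223333:role/auditor"
      policy_associations = {
        view = {
          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
          access_scope = {
            type       = "namespace"
            namespaces = ["default"]
          }
        }
      }
    }
  }
}
```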