Explore the diagrams »
Report a Bug · Request a Feature · Ask a Question
Terraform cluster module which deploys a Kubernetes (EKS) cluster control plane to AWS. Supports control-plane logs ingested to CloudWatch with KMS encryption. Deploys the EKS add-ons "aws-vpc-cni" and "kube-proxy" with a version matching the EKS control plane. Creates an IAM OIDC provider to be used with the EKS IRSA authentication mechanism. -- Part of stackx.
- AWS credentials
- Terraform
- VPC network and subnets
To get started, clone the project, check all configurable Inputs and deploy everything with `make`.
```bash
git clone https://github.com/ventx/stackx-terraform-aws-cluster.git
make all # init, validate, plan, apply
```
You can run this module in conjunction with other stackx components (recommended) or as single-use (build your own).
Deployment time (with dependency modules): around 15 minutes

```
--- PASS: TestAwsCluster (958.78s)
```
This is just a bare minimum example of how to use the module. See all available stackx modules here: https://github.com/ventx
```hcl
module "aws-network" {
  source  = "ventx/stackx-network/aws"
  version = "0.1.0"
}

module "aws-cluster" {
  source  = "ventx/stackx-cluster/aws"
  version = "0.3.1" // Pinned and tested version, generated by {x-release-please-version}

  cluster_version = "1.23"
  subnet_ids      = module.aws-network.private_subnet_ids // reference must match the module label above
}
```
```hcl
module "aws-cluster" {
  source  = "ventx/stackx-cluster/aws"
  version = "0.3.1" // Pinned and tested version, generated by {x-release-please-version}

  cluster_version = "1.22"
  subnet_ids      = ["subnet-1", "subnet-2", "subnet-3"]
}
```
- Simple and easy to use, just the bare minimum
- Control-plane logs ingested to CloudWatch via KMS encryption
- EKS Add-Ons "aws-vpc-cni" and "kube-proxy"
- IAM OIDC provider to be used with EKS IRSA
- EKS Fargate Profile support (disabled by default)
- EKS
- EKS Fargate Profile
- CloudWatch Log Group
- IAM OIDC provider
- IAM Policies
- IAM Roles
- SecurityGroup
- SecurityGroup rules
- KMS Key
- KMS Key Alias
Our Terraform modules are highly opinionated:
- Keep modules small, focused, simple and easy to understand
- Prefer simple code over complex code
- Prefer KISS > DRY
- Set some sane default values for variables, but do not set a default value if user input is strictly required
These opinions can be seen as "soft" rules that are not strictly required.
| Name | Version |
|---|---|
| terraform | >= 1.0.0 |
| aws | >= 3.45.0 |
| local | >= 2.1.0 |
| null | >= 3.1.0 |
| tls | >= 3.1.0 |
| Name | Version |
|---|---|
| aws | 5.22.0 |
| tls | 4.0.4 |
No modules.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cluster_cw_retention | Number of days to retain log events in the log group for EKS Cluster events (e.g. 90 => 90 days) | number | 1 | no |
| cluster_tags | Additional tags for the EKS-created main/primary cluster Security Group; merged with var.tags and the Karpenter discovery tag | map(string) | {} | no |
| cluster_version | Kubernetes master major version (e.g. 1.28) (https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html) | string | "1.27" | no |
| cw_kms_arn | KMS Key ARN for CloudWatch encryption; if not set, your EKS control-plane logs will be ingested unencrypted | string | "" | no |
| eks_api_access_cidrs | IP CIDRs which are allowed to access the EKS API public endpoint | list(string) | [ | no |
| eks_cluster_log_types | Log types to enable for the EKS Cluster (Master). Valid values: api, audit, authenticator, controllerManager, scheduler | list(string) | [ | no |
| eks_kms_admin_arns | Additional ARNs to be added to the EKS KMS Key Policy for administrative access (default: current context) | list(string) | [] | no |
| eks_kms_arn | KMS Key ARN for EKS secrets encryption-at-rest | string | null | no |
| eks_kms_key_deletion_window | The waiting period, in days (between 7 and 30), until the AWS KMS Key is finally deleted | number | 7 | no |
| enable_addon_kube_proxy | Enable / Disable EKS Addon kube-proxy | bool | true | no |
| enable_addon_vpc_cni | Enable / Disable EKS Addon vpc-cni | bool | true | no |
| endpoint_private_access | Enable / Disable private EKS API endpoint | bool | true | no |
| endpoint_public_access | Enable / Disable public EKS API endpoint | bool | true | no |
| fargate | Enable / Disable use of Fargate profile | bool | false | no |
| fargate_iam_role_arn | Existing IAM Role ARN to be used as the Fargate Execution Role | string | "" | no |
| fargate_selectors | List of selectors for Kubernetes Pods to execute with the Fargate Profile (defaults to the K8s namespace fargate) | any | [ | no |
| ip_family | IP family for the EKS cluster: ipv4 or ipv6 | string | "ipv4" | no |
| name | Base name for all resources (preferably generated by terraform-null-label) | string | "stackx-cluster" | no |
| subnet_ids | Subnet IDs to create the EKS Cluster in | list(string) | n/a | yes |
| tag_cluster_sg | Add tags to the EKS-created Cluster Security Group | bool | true | no |
| tags | User-specific tags / labels to attach to resources (merged with module tags) | map(string) | {} | no |
| tf_eks_cluster_timeouts | (Optional) Updated Terraform resource management timeouts; applies to aws_eks_cluster in particular to permit longer resource management times | map(string) | { | no |
| tf_eks_fargate_profile_timeouts | (Optional) Updated Terraform resource management timeouts; applies to aws_eks_fargate_profile in particular to permit longer resource management times | map(string) | { | no |
| worker_sg_id | SecurityGroup ID of the worker nodes | string | null | no |
| Name | Description |
|---|---|
| api_cidrs | EKS Public API endpoint allowed CIDRs |
| cluster_ca | EKS Cluster certificate authority |
| cluster_endpoint | EKS Cluster endpoint |
| cluster_name | EKS Cluster name |
| cluster_role_arn | ARN of the EKS cluster IAM role |
| cluster_security_group_id | EKS Cluster Security Group ID created by Amazon EKS |
| cluster_version | EKS Cluster K8s Version |
| eni_sg_ids | EKS Cluster cross-account ENIs Security Group IDs |
| k8s_version | EKS Cluster K8s Version |
| oidc_issuer | Issuer URL of EKS Cluster OIDC |
| oidc_issuer_arn | OIDC Identity issuer ARN for the EKS cluster (IRSA) |
| platform_version | EKS Cluster Platform Version |
| sg_id | EKS Cluster Security Group ID created by Amazon EKS (convenience output) |
| vpc_id | EKS Cluster VPC ID |
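As an added example (not code from the module's README), the following invocation sets the logging, encryption and endpoint inputs from the table above to their hardened values and uses the `oidc_issuer` / `oidc_issuer_arn` outputs to build an IRSA trust policy scoped to one ServiceAccount. It assumes a network module labelled `aws-network` and a customer-managed key `aws_kms_key.eks` exist in the root module; the namespace, ServiceAccount and role names are illustrative.

```hcl
# Added example (not from the module's README): a hardened invocation of
# ventx/stackx-cluster/aws plus an IRSA role built from the oidc_issuer and
# oidc_issuer_arn outputs. Assumed: module "aws-network" and aws_kms_key.eks exist.
module "aws-cluster" {
  source          = "ventx/stackx-cluster/aws"
  version         = "0.3.1"
  cluster_version = "1.27"
  subnet_ids      = module.aws-network.private_subnet_ids
  # Audit trail: every control-plane log type, 90-day retention, encrypted with
  # a CMK (the default cw_kms_arn = "" ingests the logs unencrypted).
  eks_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
  cluster_cw_retention  = 90
  cw_kms_arn            = aws_kms_key.eks.arn
  eks_kms_arn           = aws_kms_key.eks.arn # Secrets encryption-at-rest (default null)
  # Reach the API only from inside the VPC. If public access must stay on, set
  # eks_api_access_cidrs to operator ranges instead of leaving the default.
  endpoint_private_access = true
  endpoint_public_access  = false
}
# IRSA trust: only ServiceAccount "backup" in namespace "velero" (illustrative
# names) can assume the role through the cluster's OIDC provider.
locals {
  oidc_host = replace(module.aws-cluster.oidc_issuer, "https://", "")
}

data "aws_iam_policy_document" "irsa_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [module.aws-cluster.oidc_issuer_arn]
    }
    condition { # pin the subject so other ServiceAccounts cannot assume the role
      test     = "StringEquals"
      variable = "${local.oidc_host}:sub"
      values   = ["system:serviceaccount:velero:backup"]
    }
    condition { # and the audience the EKS pod identity webhook requests
      test     = "StringEquals"
      variable = "${local.oidc_host}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "backup" {
  name               = "stackx-velero-backup"
  assume_role_policy = data.aws_iam_policy_document.irsa_trust.json
}
```

Without the `:sub` condition any ServiceAccount in the cluster could assume the role, so keep both conditions even when the role's permissions look harmless.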
If you need professional support directly by the maintainers of the project, don't hesitate to contact us:
- GitHub issues
- Contact options listed on this GitHub profile
If you want to say thank you and/or support active development of terraform-aws-stackx-cluster:
- Add a GitHub Star to the project.
- Tweet about the terraform-aws-stackx-cluster.
- Write interesting articles about the project on Dev.to, Medium or your personal blog.
Together, we can make terraform-aws-stackx-cluster better!
First off, thanks for taking the time to contribute! Contributions are what make the open-source community such an amazing place to learn, inspire, and create. Any contributions you make will benefit everybody else and are greatly appreciated.
Please read our contribution guidelines, and thank you for being involved!
terraform-aws-stackx-cluster follows good practices of security, but 100% security cannot be assured. terraform-aws-stackx-cluster is provided "as is" without any warranty. Use at your own risk.
For more information and to report security issues, please refer to our security documentation.
This project is licensed under the Apache 2.0 license.
See LICENSE for more information.
- All open source contributors who made this possible
See the open issues for a list of proposed features (and known issues).
- Top Feature Requests (Add your votes using the 👍 reaction)
- Top Bugs (Add your votes using the 👍 reaction)
- Newest Bugs