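#######################
# EKS Cluster Settings
#######################

variable "cluster_name" {
  description = "EKS Cluster Name. Must start with an alphanumeric character and may contain only letters, digits, '-' and '_' (1-100 characters)"
  type        = string

  # EKS rejects names outside this pattern at CreateCluster time; failing at
  # plan time gives a clearer error than a failed API call mid-apply.
  validation {
    condition     = can(regex("^[0-9A-Za-z][A-Za-z0-9_-]{0,99}$", var.cluster_name))
    error_message = "cluster_name must be 1-100 characters, start with a letter or digit, and contain only letters, digits, '-' or '_'"
  }
}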
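variable "cluster_version" {
  description = "EKS Cluster Version in the form `1.<minor>` (for example `1.31`)"
  type        = string
  default     = "1.31"

  # Compare the minor version as an integer rather than the whole string as a
  # float: tonumber("1.4") > 1.32 would wrongly reject a hypothetical low minor,
  # and tonumber("1.100") would wrongly accept a high one. The regex rejects
  # anything that is not exactly "1.<digits>"; try() guards the split/index so
  # a malformed value yields false instead of an evaluation error.
  validation {
    condition = (
      can(regex("^1\\.[0-9]+$", var.cluster_version)) &&
      try(tonumber(split(".", var.cluster_version)[1]) < 32, false)
    )
    error_message = "EKS Cluster Version 1.32 is not supported by this module. Please use a version of the form 1.<minor> with minor less than 32"
  }
}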
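variable "cluster_enabled_log_types" {
  description = "A list of the desired control plane logs to enable. Valid values are `api`, `audit`, `authenticator`, `controllerManager` and `scheduler`. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html)"
  type        = list(string)
  # audit + authenticator are the log types most useful for security monitoring
  # (who called the API, and how the caller was authenticated); controllerManager
  # and scheduler are left off by default to limit CloudWatch volume.
  default = ["audit", "api", "authenticator"]

  # A misspelled log type is silently ignored by some provider versions rather
  # than rejected, so catch typos at plan time.
  validation {
    condition = alltrue([
      for t in var.cluster_enabled_log_types :
      contains(["api", "audit", "authenticator", "controllerManager", "scheduler"], t)
    ])
    error_message = "cluster_enabled_log_types may only contain `api`, `audit`, `authenticator`, `controllerManager` or `scheduler`"
  }
}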
variable "authentication_mode" {
  type        = string
  default     = "API"
  description = "The authentication mode for the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`"

  # Reject anything outside the three modes EKS understands.
  validation {
    condition = (
      var.authentication_mode == "CONFIG_MAP" ||
      var.authentication_mode == "API" ||
      var.authentication_mode == "API_AND_CONFIG_MAP"
    )
    error_message = "Invalid authentication mode. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`"
  }
}
#######################
# Cluster IAM Role
#######################

# Empty string (not null) means "derive the name from cluster_name".
variable "cluster_iam_role" {
  type        = string
  default     = ""
  description = "Cluster IAM Role name. If undefined, is the same as the cluster name"
}

# A permissions boundary caps the maximum permissions the cluster role can
# ever be granted; null attaches no boundary.
variable "cluster_iam_boundary" {
  type        = string
  default     = null
  description = "IAM boundary for the cluster IAM role, if any"
}
#######################
# Workers IAM Role
#######################

# Empty string (not null) means "derive the name from cluster_name".
variable "workers_iam_role" {
  type        = string
  default     = ""
  description = "Workers IAM Role name. If undefined, is the same as the cluster name suffixed with 'workers'"
}

# Permissions boundary for the node role; null attaches no boundary.
variable "workers_iam_boundary" {
  type        = string
  default     = null
  description = "IAM boundary for the workers IAM role, if any"
}

# Extra managed policy ARNs attached to the IAM role. Every policy here is
# inherited by all workloads that can reach the node's instance credentials,
# so keep this list minimal and prefer IRSA / Pod Identity for pod permissions.
variable "iam_role_additional_policies" {
  type        = set(string)
  default     = []
  description = "Additional policies to be added to the IAM role"
}
#######################
# Cluster RBAC (AWS Auth)
#######################

# For self-managed node groups set create_aws_auth_configmap to true
variable "create_aws_auth_configmap" {
  type        = bool
  default     = false
  description = "Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). Most users should use `manage_aws_auth_configmap`"
}

# Only meaningful while the cluster still honours the aws-auth configmap
# (authentication_mode = CONFIG_MAP or API_AND_CONFIG_MAP).
variable "manage_aws_auth_configmap" {
  type        = bool
  default     = false
  description = "Determines whether to manage the contents of the aws-auth configmap. NOTE - make it `true` when `authentication_mode = CONFIG_MAP`"
}

variable "enable_cluster_windows_support" {
  type        = bool
  default     = false
  description = "Determines whether to create the amazon-vpc-cni configmap and windows worker roles into aws-auth."
}
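variable "role_mapping" {
  description = "List of IAM roles to give access to the EKS cluster. `rolearn` must be a plain IAM role ARN without a path; `groups` are Kubernetes groups (e.g. `system:masters` grants cluster-admin)"
  type = list(object({
    rolearn  = string
    username = string
    groups   = list(string)
  }))
  default = []

  # aws-auth does not match role ARNs that contain a path, so an entry such as
  # role/team/name would silently grant nothing. Validate the shape up front;
  # the partition segment accepts aws, aws-cn and aws-us-gov.
  validation {
    condition = alltrue([
      for m in var.role_mapping :
      can(regex("^arn:aws[a-zA-Z-]*:iam::[0-9]{12}:role/[^/]+$", m.rolearn))
    ])
    error_message = "Each role_mapping.rolearn must be an IAM role ARN without a path, e.g. arn:aws:iam::<account-id>:role/<role-name>"
  }
}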
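variable "user_mapping" {
  description = "List of IAM Users to give access to the EKS Cluster. `userarn` must be an IAM user ARN; `groups` are Kubernetes groups (e.g. `system:masters` grants cluster-admin)"
  type = list(object({
    userarn  = string
    username = string
    groups   = list(string)
  }))
  default = []

  # Catch a role ARN or a bare user name pasted into userarn at plan time
  # instead of discovering it as a denied kubectl call later.
  validation {
    condition = alltrue([
      for m in var.user_mapping :
      can(regex("^arn:aws[a-zA-Z-]*:iam::[0-9]{12}:user/.+$", m.userarn))
    ])
    error_message = "Each user_mapping.userarn must be an IAM user ARN, e.g. arn:aws:iam::<account-id>:user/<user-name>"
  }
}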
# Pod execution roles must be present in aws-auth for Fargate nodes to join
# the cluster when the configmap is managed here.
variable "aws_auth_fargate_profile_pod_execution_role_arns" {
  type        = list(string)
  default     = []
  description = "List of Fargate profile pod execution role ARNs to add to the aws-auth configmap"
}
#############
# EKS Addons
#############

# Keyed by addon name unless an entry overrides it with `name`.
variable "cluster_addons" {
  type        = any
  default     = {}
  description = "Map of cluster addon configurations to enable for the cluster. Addon name can be the map keys or set with `name`"
}

# Keys: create, update, delete.
variable "cluster_addons_timeouts" {
  type        = map(string)
  default     = {}
  description = "Create, update, and delete timeout configurations for the cluster addons"
}
#######################
# Cluster Networking
#######################

variable "cluster_endpoint_private_access" {
  type        = bool
  default     = true
  description = "Indicates whether or not the Amazon EKS private API server endpoint is enabled"
}

# Public access is on by default; pair it with a restrictive
# cluster_endpoint_public_access_cidrs or set this to false when the cluster
# is only reached from inside the VPC.
variable "cluster_endpoint_public_access" {
  type        = bool
  default     = true
  description = "Indicates whether or not the Amazon EKS public API server endpoint is enabled"
}
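variable "cluster_endpoint_public_access_cidrs" {
  description = "List of CIDR blocks which can access the Amazon EKS public API server endpoint. The default allows any source address; restrict it to known egress ranges for production clusters"
  type        = list(string)
  # Kept as the historical default for compatibility. Note that with
  # cluster_endpoint_public_access = true this exposes the API server to the
  # whole internet (authentication still applies, but not network filtering).
  default = ["0.0.0.0/0"]

  # EKS rejects malformed CIDRs at apply time; fail earlier with a clear message.
  validation {
    condition = alltrue([
      for c in var.cluster_endpoint_public_access_cidrs : can(cidrhost(c, 0))
    ])
    error_message = "Every entry of cluster_endpoint_public_access_cidrs must be a valid CIDR block such as 203.0.113.0/24"
  }
}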
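variable "cluster_additional_security_group_ids" {
  description = "List of additional, externally created security group IDs (`sg-...`) to attach to the cluster control plane"
  type        = list(string)
  default     = []

  # A security group *name* or ARN here fails only at apply time; check the
  # ID prefix at plan time.
  validation {
    condition = alltrue([
      for id in var.cluster_additional_security_group_ids : can(regex("^sg-", id))
    ])
    error_message = "Every entry of cluster_additional_security_group_ids must be a security group ID starting with `sg-`"
  }
}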
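variable "vpc_id" {
  description = "VPC ID (`vpc-...`) to deploy the cluster into"
  type        = string

  # Catch a VPC name/CIDR pasted in place of the ID before any API call.
  validation {
    condition     = can(regex("^vpc-", var.vpc_id))
    error_message = "vpc_id must be a VPC ID starting with `vpc-`"
  }
}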
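variable "subnet_ids" {
  description = "A list of at least two subnet IDs (`subnet-...`) where the EKS cluster (ENIs) will be provisioned along with the nodes/node groups. Node groups can be deployed within a different set of subnet IDs from within the node group configuration"
  type        = list(string)

  # EKS requires at least two subnets for the control plane ENIs; a single
  # subnet is rejected by CreateCluster, so fail at plan time instead.
  validation {
    condition = (
      length(var.subnet_ids) >= 2 &&
      alltrue([for id in var.subnet_ids : can(regex("^subnet-", id))])
    )
    error_message = "subnet_ids must contain at least two subnet IDs, each starting with `subnet-`"
  }
}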
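variable "cluster_service_ipv4_cidr" {
  description = "The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks"
  type        = string
  default     = null

  # null keeps the EKS-chosen range; anything else must parse as a CIDR.
  # can() swallows the cidrhost error for null, so the disjunction is safe.
  validation {
    condition     = var.cluster_service_ipv4_cidr == null || can(cidrhost(var.cluster_service_ipv4_cidr, 0))
    error_message = "cluster_service_ipv4_cidr must be null or a valid CIDR block such as 10.100.0.0/16"
  }
}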
# EKS always creates a primary cluster security group; this toggles the
# additional, module-managed one.
variable "create_cluster_security_group" {
  type        = bool
  default     = true
  description = "Determines if a security group is created for the cluster. Note: the EKS service creates a primary security group for the cluster by default"
}

variable "cluster_security_group_name" {
  type        = string
  default     = null
  description = "Cluster security group name"
}

variable "create_node_security_group" {
  type        = bool
  default     = true
  description = "Determines whether to create a security group for the node groups or use the existing `node_security_group_id`"
}

variable "node_security_group_tags" {
  type        = map(string)
  default     = {}
  description = "A map of additional tags to add to the node security group created"
}

variable "worker_security_group_name" {
  type        = string
  default     = null
  description = "Worker security group name"
}

# Both *_additional_rules variables are maps of rule definitions keyed by a
# rule name (the default is `{}`), even though the wording says "list".
variable "cluster_security_group_additional_rules" {
  type        = any
  default     = {}
  description = "List of additional security group rules to add to the cluster security group created. Set `source_node_security_group = true` inside rules to set the `node_security_group` as source"
}

variable "node_security_group_additional_rules" {
  type        = any
  default     = {}
  description = "List of additional security group rules to add to the node security group created. Set `source_cluster_security_group = true` inside rules to set the `cluster_security_group` as source"
}

# The recommended rule set includes unrestricted egress from nodes; disable
# it and supply explicit rules where egress filtering is required.
variable "node_security_group_enable_recommended_rules" {
  type        = bool
  default     = true
  description = "Determines whether to enable recommended security group rules for the node security group created. This includes node-to-node TCP ingress on ephemeral ports and allows all egress traffic"
}
#######################
# Other IAM
#######################

# The AutoScaling service-linked role is account-wide; set this when another
# stack already owns it to avoid a duplicate-resource error.
variable "skip_asg_role" {
  type        = bool
  default     = false
  description = "Skip creating ASG Service Linked Role if it's already created"
}
#######################
# Nodes Configuration
# It is recommended that users create their own node pools using the relevant submodules
# at https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest
# after the EKS cluster is created.
#
# The configuration here is deliberately kept simpler to avoid overcomplicating things. We use
# some "sane" defaults so that the basic services that an EKS cluster need can run to create a
# "default" node group
#######################

variable "default_group_name" {
  type        = string
  default     = "default"
  description = "Name of the default node group"
}

variable "default_group_launch_template_name" {
  type        = string
  default     = "default"
  description = "Name of the default node group launch template"
}
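variable "default_group_ami_id" {
  description = "The AMI from which to launch the default group instance. If not supplied, EKS will use its own default image"
  type        = string
  default     = ""

  # Empty string means "use the EKS-optimised default AMI"; anything else has
  # to look like an AMI ID (ami- followed by 8 or 17 hex characters).
  validation {
    condition     = var.default_group_ami_id == "" || can(regex("^ami-[0-9a-f]{8,17}$", var.default_group_ami_id))
    error_message = "default_group_ami_id must be empty or an AMI ID of the form ami-xxxxxxxx"
  }
}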
# Several equivalent types are listed so the ASG can fall back when one
# type is unavailable in an AZ.
variable "default_group_instance_types" {
  type        = list(string)
  default     = ["m5a.xlarge", "m5.xlarge", "m5n.xlarge", "m5zn.xlarge"]
  description = "Instance type for the default node group"
}
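variable "default_group_min_size" {
  description = "Configuration for min default node group size (must be >= 0)"
  type        = number
  default     = 1

  validation {
    condition     = var.default_group_min_size >= 0
    error_message = "default_group_min_size must be zero or a positive number"
  }
}

variable "default_group_max_size" {
  description = "Configuration for max default node group size (must be >= 1 and not less than `default_group_min_size`)"
  type        = number
  default     = 5

  # Cross-variable checks (max >= min) are not available in validation blocks
  # on older Terraform versions, so only the lower bound is enforced here.
  validation {
    condition     = var.default_group_max_size >= 1
    error_message = "default_group_max_size must be at least 1"
  }
}

variable "default_group_volume_size" {
  description = "Size in GiB of the root volume for the default group"
  type        = number
  default     = 50

  validation {
    condition     = var.default_group_volume_size >= 1
    error_message = "default_group_volume_size must be a positive number of GiB"
  }
}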
# Empty list falls back to the cluster subnet_ids.
variable "default_group_subnet_ids" {
  type        = list(string)
  default     = []
  description = "Subnet IDs to create the default group ASGs in"
}

variable "default_group_node_labels" {
  type        = map(string)
  default     = {}
  description = "Additional node label for default group"
}

# Tainting the default group keeps ordinary workloads off it so only
# cluster-critical addons land there.
variable "only_critical_addons_enabled" {
  type        = bool
  default     = false
  description = "Enabling this option will taint default node group with CriticalAddonsOnly=true:NoSchedule taint. Changing this forces a new resource to be created."
}
variable "eks_managed_node_groups" {
  type        = any
  default     = {}
  description = "Map of EKS managed node group definitions to create"
}

# Defaults merged into every managed node group. The metadata_options block
# is the IMDS hardening baseline: IMDSv2 tokens are mandatory and the hop
# limit of 1 keeps metadata responses from being forwarded past the instance
# itself, so pods should obtain AWS credentials via IRSA / Pod Identity rather
# than the node role.
variable "eks_managed_node_group_defaults" {
  type        = any
  description = "Map of EKS managed node group default configurations"
  default = {
    disk_size = 50
    metadata_options = {
      http_endpoint               = "enabled"
      http_tokens                 = "required"
      http_put_response_hop_limit = 1
      instance_metadata_tags      = "disabled"
      http_protocol_ipv6          = "disabled"
    }
    update_launch_template_default_version = true
    protect_from_scale_in                  = false
    ebs_optimized                          = true
    enable_monitoring                      = true
    # The node role is created once by this module, not per node group.
    create_iam_role = false
  }
}
# Requiring IMDSv2 defeats the classic SSRF-to-credential-theft path against
# the node metadata service.
variable "force_imdsv2" {
  type        = bool
  default     = true
  description = "Force IMDSv2 metadata server."
}

variable "force_irsa" {
  type        = bool
  default     = true
  description = "Force usage of IAM Roles for Service Account"
}

variable "tags" {
  type        = map(string)
  default     = {}
  description = "A map of tags to add to all resources"
}

variable "cloudwatch_log_group_tags" {
  type        = map(string)
  default     = {}
  description = "A map of additional tags to add to the cloudwatch log group created"
}
# When true, the default node group becomes a Fargate profile instead of a
# managed node group.
variable "fargate_cluster" {
  type        = bool
  default     = false
  description = "Whether to create eks cluster with fargate mode. If true, default node group also will be fargate, otherwise managed"
}

variable "fargate_profiles" {
  type        = any
  default     = {}
  description = "Map of maps of `fargate_profiles` to create"
}

variable "fargate_profile_defaults" {
  type        = any
  default     = {}
  description = "Map of Fargate Profile default configurations"
}

variable "create_aws_observability_ns" {
  type        = bool
  default     = true
  description = "Whether to create AWS Observability Namespace."
}

variable "create_fargate_logger_configmap" {
  type        = bool
  default     = true
  description = "Whether to create AWS Fargate logger configmap."
}
#######################
# Ipv6
#######################

variable "create_cni_ipv6_iam_policy" {
  type        = bool
  default     = false
  description = "Whether to create CNI IPv6 IAM policy."
}

variable "cluster_service_ipv6_cidr" {
  type        = string
  default     = null
  description = "The CIDR block to assign Kubernetes pod and service IP addresses from if `ipv6` was specified when the cluster was created. Kubernetes assigns service addresses from the unique local address range (fc00::/7) because you can't specify a custom IPv6 CIDR block when you create the cluster"
}

# Immutable after creation: changing it replaces the cluster.
variable "cluster_ip_family" {
  type        = string
  default     = "ipv4"
  description = "The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. You can only specify an IP family when you create a cluster, changing this value will force a new cluster to be created"

  validation {
    condition     = var.cluster_ip_family == "ipv4" || var.cluster_ip_family == "ipv6"
    error_message = "Invalid IP family. Valid values are `ipv4` and `ipv6`"
  }
}
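##########
## MODE ##
##########

variable "autoscaling_mode" {
  description = "Autoscaling mode: `cluster_autoscaler` or `karpenter`"
  type        = string
  default     = "karpenter"

  # The description already limits the value to two modes; without this
  # check a typo such as "karpentr" would silently select neither.
  validation {
    condition     = contains(["cluster_autoscaler", "karpenter"], var.autoscaling_mode)
    error_message = "autoscaling_mode must be either `cluster_autoscaler` or `karpenter`"
  }
}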
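##############################
## KARPENTER DEFAULT CONFIG ##
##############################

variable "karpenter_nodepools" {
  description = "List of Karpenter NodePool definitions. Each `nodepool_name` must be unique and `karpenter_nodepool_disruption.consolidation_policy` must be `WhenEmptyOrUnderutilized` or `WhenEmpty`"
  type = list(object({
    nodepool_name                     = string
    nodeclass_name                    = string
    karpenter_nodepool_node_labels    = map(string)
    karpenter_nodepool_annotations    = map(string)
    karpenter_nodepool_node_taints    = list(map(string))
    karpenter_nodepool_startup_taints = list(map(string))
    karpenter_requirements = list(object({
      key      = string
      operator = string
      values   = list(string)
    }))
    karpenter_nodepool_disruption = object({
      consolidation_policy = string
      consolidate_after    = string
      expire_after         = string
    })
    karpenter_nodepool_disruption_budgets = list(map(any))
    karpenter_nodepool_weight             = number
  }))
  # The default pool pins on-demand, amd64 Linux, 2-4 vCPU t/m-family
  # instances and consolidates aggressively.
  default = [{
    nodepool_name  = "default"
    nodeclass_name = "default"
    karpenter_nodepool_node_labels = {
      "bottlerocket.aws/updater-interface-version" = "2.0.0"
    }
    karpenter_nodepool_annotations    = {}
    karpenter_nodepool_node_taints    = []
    karpenter_nodepool_startup_taints = []
    karpenter_requirements = [{
      key      = "karpenter.k8s.aws/instance-category"
      operator = "In"
      values   = ["t", "m"]
      }, {
      key      = "karpenter.k8s.aws/instance-cpu"
      operator = "In"
      values   = ["2", "4"]
      }, {
      key      = "karpenter.k8s.aws/instance-memory"
      operator = "Gt"
      values   = ["2048"]
      }, {
      key      = "karpenter.k8s.aws/instance-generation"
      operator = "Gt"
      values   = ["2"]
      }, {
      key      = "karpenter.sh/capacity-type"
      operator = "In"
      values   = ["on-demand"]
      }, {
      key      = "kubernetes.io/arch"
      operator = "In"
      values   = ["amd64"]
      }, {
      key      = "kubernetes.io/os"
      operator = "In"
      values   = ["linux"]
    }]
    karpenter_nodepool_disruption = {
      consolidation_policy = "WhenEmptyOrUnderutilized" # WhenEmptyOrUnderutilized or WhenEmpty
      consolidate_after    = "10m"
      expire_after         = "168h" # 7d | 168h | 1w
    }
    karpenter_nodepool_disruption_budgets = [{
      nodes = "10%"
    }]
    karpenter_nodepool_weight = 10
  }]

  # Duplicate NodePool names would collide on the same Kubernetes object and
  # the second definition would silently overwrite the first.
  validation {
    condition     = length(distinct([for p in var.karpenter_nodepools : p.nodepool_name])) == length(var.karpenter_nodepools)
    error_message = "nodepool_name must be unique across karpenter_nodepools"
  }

  # Only the two consolidation policies noted on the default are valid.
  validation {
    condition = alltrue([
      for p in var.karpenter_nodepools :
      contains(["WhenEmptyOrUnderutilized", "WhenEmpty"], p.karpenter_nodepool_disruption.consolidation_policy)
    ])
    error_message = "karpenter_nodepool_disruption.consolidation_policy must be `WhenEmptyOrUnderutilized` or `WhenEmpty`"
  }
}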
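variable "karpenter_nodeclasses" {
  description = "List of Karpenter EC2NodeClass definitions. Each `nodeclass_name` must be unique. Set `ebs.encrypted = true` (optionally with `kmsKeyID`) on block device mappings so node volumes are encrypted at rest"
  type = list(object({
    nodeclass_name                         = string
    karpenter_subnet_selector_maps         = list(map(any))
    karpenter_security_group_selector_maps = list(map(any))
    karpenter_ami_selector_maps            = list(map(any))
    karpenter_node_role                    = string
    karpenter_node_tags_map                = map(string)
    karpenter_ami_family                   = string
    karpenter_node_user_data               = string
    # Karpenter's metadataOptions; keep httpTokens required / hop limit 1 to
    # match the managed node group defaults in this file.
    karpenter_node_metadata_options = map(any)
    karpenter_block_device_mapping = list(object({
      deviceName = string
      ebs = object({
        encrypted           = bool
        volumeSize          = string
        volumeType          = string
        kmsKeyID            = optional(string)
        deleteOnTermination = bool
      })
    }))
  }))
  default = []

  # Duplicate names would map to the same EC2NodeClass object; the later
  # definition would silently win.
  validation {
    condition     = length(distinct([for c in var.karpenter_nodeclasses : c.nodeclass_name])) == length(var.karpenter_nodeclasses)
    error_message = "nodeclass_name must be unique across karpenter_nodeclasses"
  }
}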
# The *_for_karpenter flags mirror the general Fargate toggles above but
# apply only to the Fargate profile that hosts the Karpenter controller.
variable "create_fargate_profile_for_karpenter" {
  type        = bool
  default     = false
  description = "Whether to create a Fargate profile for running the Karpenter controller"
}

variable "create_aws_observability_ns_for_karpenter" {
  type        = bool
  default     = false
  description = "Whether to create the aws-observability namespace for the Karpenter Fargate profile"
}

variable "create_fargate_logger_configmap_for_karpenter" {
  type        = bool
  default     = false
  description = "Whether to create the Fargate logger configmap for the Karpenter Fargate profile"
}

variable "create_fargate_log_group_for_karpenter" {
  type        = bool
  default     = false
  description = "Whether to create the CloudWatch log group used by Fargate logging for the Karpenter profile"
}

variable "create_fargate_logging_policy_for_karpenter" {
  type        = bool
  default     = false
  description = "Whether to create the IAM policy that lets the Karpenter Fargate profile ship logs"
}
# Keep both chart versions in lock-step; CRDs from a different release than
# the controller are not guaranteed to be compatible.
variable "karpenter_chart_version" {
  type        = string
  default     = "1.0.8"
  description = "Chart version for Karpenter"
}

variable "karpenter_crd_chart_version" {
  type        = string
  default     = "1.0.8"
  description = "Chart version for Karpenter CRDs same version as `karpenter_chart_version`"
}
# Selects private subnets by default (internal-elb role tag).
variable "karpenter_default_subnet_selector_tags" {
  type = map(string)
  default = {
    "kubernetes.io/role/internal-elb" = "1"
  }
  description = "Subnet selector tags for Karpenter default node class"
}

# Any security group matching these tags is attached to Karpenter-launched
# nodes, so tag selectors should be specific.
variable "additional_karpenter_security_group_selector_tags" {
  type        = map(string)
  default     = {}
  description = "Additional security group tags to add to the Karpenter node groups"
}
# Requests equal limits by default, which gives the controller pod the
# Guaranteed QoS class.
variable "karpenter_pod_resources" {
  description = "Karpenter Pod Resource"
  type = object({
    requests = object({
      cpu    = string
      memory = string
    })
    limits = object({
      cpu    = string
      memory = string
    })
  })
  default = {
    requests = {
      cpu    = "1"
      memory = "2Gi"
    }
    limits = {
      cpu    = "1"
      memory = "2Gi"
    }
  }
}
# TODO - make v1 permissions the default policy at next breaking change
variable "enable_v1_permissions_for_karpenter" {
  type        = bool
  default     = true
  description = "Determines whether to enable permissions suitable for v1+ (`true`) or for v0.33.x-v0.37.x (`false`)"
}

variable "karpenter_upgrade" {
  type        = bool
  default     = false
  description = "Karpenter Upgrade"
}
# Pod Identity is the IRSA successor; when false the controller is expected
# to authenticate via IRSA.
variable "enable_pod_identity_for_karpenter" {
  type        = bool
  default     = false
  description = "Enable pod identity for karpenter"
}
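# NOTE(review): the previous description stated the default is `false`
# because the AWS provider lacked Pod Identity support for addons, but the
# declared default is `true`. The description below matches the code; confirm
# which of the two was intended before the next release.
variable "enable_pod_identity_for_eks_addons" {
  description = "Enable pod identity for eks addons. Note - requires an AWS Terraform Provider version that supports Pod Identity Association for EKS Addons; set to `false` on older providers"
  type        = bool
  default     = true
}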
################################################################################
# Access Entry
################################################################################

# Access entries replace aws-auth when authentication_mode is API or
# API_AND_CONFIG_MAP; each entry binds an IAM principal to access policies.
variable "access_entries" {
  type        = any
  default     = {}
  description = "Map of access entries to add to the cluster"
}
# Grants the identity running Terraform cluster-admin. Convenient for
# bootstrap, but a shared CI role then holds standing admin on the cluster;
# consider disabling it and granting admin via explicit access_entries.
variable "enable_cluster_creator_admin_permissions" {
  type        = bool
  default     = true
  description = "Indicates whether or not to add the cluster creator (the identity used by Terraform) as an administrator via access entry"
}