All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
v17.0.3 - 2021-05-28
BUG FIXES:
- Fix AMI filtering when the default platform is provided in
var.workers_group_defaults
(#1413) - Remove duplicated security group rule for EKS private access endpoint (#1412)
NOTES:
- In this bug fix, we remove a duplicated security rule introduced during a merge conflict resolution in [#1274](terraform-aws-modules#1274)
v17.0.2 - 2021-05-28
BUG FIXES:
- Don't add tags on network interfaces because it's not supported yet in
terraform-provider-aws
(#1407)
v17.0.1 - 2021-05-28
BUG FIXES:
- Default
root_volume_type
must begp2
(#1404)
v17.0.0 - 2021-05-28
FEATURES:
- Add ability to use Security Groups as source for private endpoint access (#1274)
- Define Root device name for Windows self-managed worker groups (#1401)
- Drop random pets from Managed Node Groups (#1372)
- Add multiple selectors on the creation of Fargate profile (#1378)
- Rename
config_output_path
intokubeconfig_output_path
for naming consistency (#1399) - Kubeconfig file should not be world or group readable by default (#1114)
- Add tags on network interfaces (#1362)
- Add instance store volume option for instances with local disk (#1213)
BUG FIXES:
- Add back
depends_on
fordata.wait_for_cluster
(#1389)
DOCS:
- Clarify about the
cluster_endpoint_private_access_cidrs
usage (#1400) - Add KMS aliases handling to IAM permissions (#1288)
BREAKING CHANGES:
- The private endpoint security group rule has been renamed to allow the use of CIDR blocks and Security Groups as source. This will delete the
cluster_private_access
Security Group Rule for existing cluster. Please rename byaws_security_group_rule.cluster_private_access[0]
intoaws_security_group_rule.cluster_private_access_cidrs_source[0]
. - We now decided to remove
random_pet
resources in Managed Node Groups (MNG). Those were used to recreate MNG if something change and also simulate the newly added argumentnode_group_name_prefix
. But they were causing a lot of troubles. To upgrade the module without recreating your MNG, you will need to explicitly reuse their previous name and set them in your MNGname
argument. Please see upgrade docs for more details. - To support multiple selectors for Fargate profiles, we introduced the
selectors
argument which is a list of map. This will break previous configuration with a single selectornamespace
andlabels
. You'll need to rewrite your configuration to use theselectors
argument. See examples dans docs for details. - The variable
config_output_path
is renamed intokubeconfig_output_path
for naming consistency. Please upgrade your configuration accordingly.
NOTES:
- Since we now search only for Linux or Windows AMI if there is a worker groups for the corresponding plateform, we can now define different default root block device name for each plateform. Use locals
root_block_device_name
androot_block_device_name_windows
to define your owns. - The kubeconfig file permission is not world and group readable anymore. The default permission is now
600
. This value can be changed with the variablevar.kubeconfig_file_permission
.
v16.2.0 - 2021-05-24
FEATURES:
- Add ability to forcefully update nodes in managed node groups (#1380)
BUG FIXES:
- Bump
terraform-provider-http
required version to 2.4.1 to avoid TLS Cert Pool issue on Windows (#1387)
DOCS:
- Update license to Apache 2 License (#1375)
v16.1.0 - 2021-05-19
FEATURES:
- Search for Windows or Linux AMIs only if they are needed (#1371)
BUG FIXES:
- Set an ASG's launch template version to an explicit version to automatically trigger instance refresh (#1370)
- Add description for private API ingress Security Group Rule (#1299)
DOCS:
NOTES:
- Set an ASG's launch template version to an explicit version automatically. This will ensure that an instance refresh will be triggered whenever the launch template changes. The default
launch_template_version
is now used to determine the latest or default version of the created launch template for self-managed worker groups.
v16.0.1 - 2021-05-19
BUG FIXES:
- Bump
terraform-aws-modules/http
provider version to support darwin arm64 release (#1369)
DOCS:
- Use IRSA for Node Termination Handler IAM policy attachement in Instance Refresh example (#1373)
v16.0.0 - 2021-05-17
FEATURES:
- Add support for Auto Scaling Group Instance Refresh for self-managed worker groups (#1224)
- Drop
asg_recreate_on_change
feature to encourage the usage of Instance Refresh for EC2 Auto Scaling (#1360) - Add timeout of 5mn when waiting for cluster (#1359)
- Remove dependency on deprecated
hashicorp/template
provider (#1297) - Replace the local-exec script with a http datasource for waiting cluster (#1339)
BUG FIXES:
- Remove provider from required providers (#1357)
- Bump AWS provider version to add Warm Pool support (#1340)
CI:
- Bump terraform-docs to 0.13 (#1335)
BREAKING CHANGES:
- This module used
random_pet
resources to create a random name for the autoscaling group to force the autoscaling group to be re-created when the launch configuration or launch template was changed (ifrecreate_asg_when_lc_changes = true
was set), causing the instances to be removed and re-provisioned each time there was an update. Those random_pet resources has been removed and in its place there is now a set of functionality provided by AWS and the Terraform AWS provider - Instance Refresh. We encourage those users to move on Instance Refresh for EC2 Auto Scaling. - We remove the dependency on the deprecated
hashicorp/template
provider and use the Terraform built intemplatefile
function. This will broke some workflows due to previously being able to pass in the raw contents of a template file for processing. Thetemplatefile
function requires a template file that exists before running a plan.
NOTES:
- Using the terraform-aws-modules/http provider is a more platform agnostic way to wait for the cluster availability than using a local-exec. With this change we're able to provision EKS clusters and manage the
aws_auth
configmap while still using thehashicorp/tfc-agent
docker image.
v15.2.0 - 2021-05-04
FEATURES:
- Add tags on additional IAM resources like IAM policies, instance profile, OIDC provider (#1321)
- Allow to override cluster and workers egress CIDRs (#1237)
- Allow to specify the managed cluster IAM role name (#1199)
- Add support for ASG Warm Pools (#1310)
- Add support for specifying elastic inference accelerator (#1176)
- Create launch template for Managed Node Groups (#1138)
BUG FIXES:
- Replace
list
withtolist
function for working with terraform v0.15.0 (#1317) - Limit cluster_name when creating fargate IAM Role (#1270)
- Add mission metadata block for launch configuration (#1301)
- Add missing IAM permission for NLB with EIPs (#1226)
- Change back the default disk type to
gp2
(#1208)
DOCS:
- Update helm instructions for irsa example (#1251)
v15.1.0 - 2021-04-16
BUG FIXES:
- Fixed list and map usage (#1307)
v15.0.0 - 2021-04-16
BUG FIXES:
- Updated code and version requirements to work with Terraform 0.15 (#1165)
v14.0.0 - 2021-01-29
FEATURES:
- Add nitro enclave support for EKS (#1185)
- Add support for
service_ipv4_cidr
for the EKS cluster (#1139) - Add the SPOT support for Managed Node Groups (#1129)
- Use
gp3
as default as it saves 20% and is more performant (#1134) - Allow the overwrite of subnets for Fargate profiles (#1117)
- Add support for throughput parameter for
gp3
volumes (#1146) - Add customizable Auto Scaling Group health check type (#1118)
- Add permissions boundary to fargate execution IAM role (#1108)
ENHANCEMENTS:
- Dont set -x in userdata to avoid printing sensitive informations in logs (#1187)
BUG FIXES:
- Merge tags from Fargate profiles with common tags from cluster (#1159)
DOCS:
- Update changelog generation to use custom sort with git-chglog v0.10.0 (#1202)
- Bump IRSA example dependencies to versions which work with TF 0.14 (#1184)
- Change instance type from
t2
tot3
in examples (#1169) - Fix typos in README and CONTRIBUTING (#1167)
- Make it more obvious that
var.cluster_iam_role_name
will allow reusing an existing IAM Role for the cluster. (#1133) - Fixes typo in variables description (#1154)
- Fix a typo in the
aws-auth
section of the README (#1099)
BREAKING CHANGES:
- To add add SPOT support for MNG, the
instance_type
is now a list and renamed asinstance_types
. This will probably rebuild existing Managed Node Groups. - The default root volume type is now
gp3
as it saves 20% and is more performant
NOTES:
- The EKS cluster can be provisioned with both private and public subnets. But Fargate only accepts private ones. This new variable allows to override the subnets to explicitly pass the private subnets to Fargate and work around that issue.
v13.2.1 - 2020-11-12
ENHANCEMENTS:
- Tags passed into worker groups should also be excluded from Launch Template tag specification (#1095)
BUG FIXES:
- Don’t add empty Roles ARN in aws-auth configmap, specifically when no Fargate profiles are specified (#1096)
DOCS:
- Clarify usage of both AWS-Managed Node Groups and Self-Managed Worker Groups (#1094)
v13.2.0 - 2020-11-07
FEATURES:
- Add EKS Fargate support (#1067)
- Tags passed into worker groups override tags from
var.tags
for Autoscaling Groups (#1092)
BUG FIXES:
- Change the default
launch_template_id
tonull
for Managed Node Groups (#1088)
DOCS:
- Fix IRSA example when deploying cluster-autoscaler from the latest kubernetes/autoscaler helm repo (#1090)
- Explain node_groups and worker_groups difference in FAQ (#1081)
- Update autoscaler installation in IRSA example (#1063)
NOTES:
- Tags that are passed into
var.worker_groups_launch_template
orvar.worker_groups
now override tags passed in viavar.tags
for Autoscaling Groups only. This allow ASG Tags to be overwritten, so thatpropagate_at_launch
can be tweaked for a particular key.
v13.1.0 - 2020-11-02
FEATURES:
- Add Launch Template support for Managed Node Groups (#997)
- Add
cloudwatch_log_group_arn
to outputs (#1071) - Add kubernetes standard labels to avoid manual mistakes on the managed
aws-auth
configmap (#989)
BUG FIXES:
- The type of the output
cloudwatch_log_group_name
should be a string instead of a list of strings (#1061) - Use splat syntax to avoid errors during destroy with an empty state (#1041)
- Fix cycle error during the destroy phase when we change workers order (#1043)
- Set IAM Path for
cluster_elb_sl_role_creation
IAM policy (#1045) - Use the amazon
ImageOwnerAlias
for worker ami owner instead of owner id (#1038)
CI:
- Use ubuntu-latest instead of MacOS for docs checks (#1074)
- Fix GitHub Actions CI macOS build errors (#1065)
NOTES:
- Managed Node Groups now support Launch Templates. The Launch Template it self is not managed by this module, so you have to create it by your self and pass it's id to this module. See docs and
examples/launch_templates_with_managed_node_groups/
for more details. - The output
cloudwatch_log_group_name
was incorrectly returning the log group name as a list of strings. As a workaround, people were usingmodule.eks_cluster.cloudwatch_log_group_name[0]
but that was totally inconsistent with output name. Those users can now usemodule.eks_cluster.cloudwatch_log_group_name
directly. - Keep in mind that changing the order of workers group is a destructive operation. All workers group are destroyed and recreated. If you want to do this safely, you should move then in state with
terraform state mv
until we manage workers groups as maps.
v13.0.0 - 2020-10-06
FEATURES:
- Add
load_balancers
parameter to associate a CLB (Classic Load Balancer) to worker groups ASG (#992) - Dynamic Partition for IRSA to support AWS-CN Deployments (#1028)
- Add AmazonEKSVPCResourceController to cluster policy to be able to set AWS Security Groups for pod (#1011)
- Cluster version is now a required variable. (#972)
ENHANCEMENTS:
- Make the
cpu_credits
optional for workers launch template (#1030) - Update the
wait_for_cluster_cmd
logic to usecurl
ifwget
doesn't exist (#1002)
BUG FIXES:
- Use customer managed policy instead of inline policy for
cluster_elb_sl_role_creation
(#1039) - More compatibility fixes for Terraform v0.13 and aws v3 (#976)
- Create
cluster_private_access
security group rules when it should (#981) - Random_pet with LT workers under 0.13.0 (#940)
DOCS:
- Add important notes about the retry logic and the
wget
requirement (#999) - Update README about
cluster_version
variable requirement (#988) - Mixed spot + on-demand instance documentation (#967)
- Describe key_name is about AWS EC2 key pairs (#970)
- Better documentation of
cluster_id
output blocking (#955)
CI:
- Bump terraform pre-commit hook version and re-run terraform-docs with the latest version to fix the CI (#1033)
- Fix CI lint job (#973)
BREAKING CHANGES:
- Default for
cluster_endpoint_private_access_cidrs
is nownull
instead of["0.0.0.0/0"]
. It makes the variable required whencluster_create_endpoint_private_access_sg_rule
is set totrue
. This will force everyone who want to have a private access to set explicitly their allowed subnets for the sake of the principle of least access by default. cluster_version
variable is now required.
NOTES:
credit_specification
for worker groups launch template can now be set tonull
so that we can use non burstable EC2 families- Starting in v12.1.0 the
cluster_id
output depends on thewait_for_cluster
null resource. This means that initialisation of the kubernetes provider will be blocked until the cluster is really ready, if the module is set to manage the aws_auth ConfigMap and user followed the typical Usage Example. kubernetes resources in the same plan do not need to depend on anything explicitly.
v12.2.0 - 2020-07-13
FEATURES:
- IMDSv2 metadata configuration in Launch Templates (#938)
- Worker launch templates and configurations depend on security group rules and IAM policies (#933)
- Add IAM permissions for ELB svc-linked role creation by EKS cluster (#902)
- Add a homemade
depends_on
for MNG submodule to ensure ordering of resource creation (#867)
BUG FIXES:
- Strip user Name tag from asg_tags #946)
- Get
on_demand_allocation_strategy
fromlocal.workers_group_defaults
when deciding to usemixed_instances_policy
(#908) - Remove unnecessary conditional in private access security group (#915)
DOCS:
- Update required IAM permissions list (#936)
- Improve FAQ on how to deploy from Windows (#927)
- Autoscaler X.Y version must match (#928)
NOTES:
- Addition of the IMDSv2 metadata configuration block to Launch Templates will cause a diff to be generated for existing Launch Templates on first Terraform apply. The defaults match existing behaviour.
v12.1.0 - 2020-06-06
FEATURES:
- Add aws_security_group_rule.cluster_https_worker_ingress to output values (#901)
- Allow communication between pods on workers and pods using the primary cluster security group (optional) (#892)
BUG FIXES:
- Revert removal of templates provider (#883)
- Ensure kubeconfig ends with \n (#880)
- Work around path bug in aws-iam-authenticator (#894)
DOCS:
- Update FAQ (#891)
NOTES:
- New variable
worker_create_cluster_primary_security_group_rules
to allow communication between pods on workers and pods using the primary cluster security group (Managed Node Groups or Fargate). It defaults tofalse
to avoid potential conflicts with existing security group rules users may have implemented.
v12.0.0 - 2020-05-09
FEATURES:
ENHANCEMENTS:
- Remove dependency on external template provider (#854)
BUG FIXES:
- Fix Launch Templates error with aws 2.61.0 (#875)
- Use splat syntax for cluster name to avoid
(known after apply)
in managed node groups (#868)
DOCS:
BREAKING CHANGES:
- The default
cluster_version
is now 1.16. Kubernetes 1.16 includes a number of deprecated API removals, and you need to ensure your applications and add ons are updated, or workloads could fail after the upgrade is complete. For more information on the API removals, see the Kubernetes blog post. For action you may need to take before upgrading, see the steps in the EKS documentation. Please set explicitly yourcluster_version
to an older EKS version until your workloads are ready for Kubernetes 1.16.
v11.1.0 - 2020-04-23
FEATURES:
- Add support for EC2 principal in assume worker role policy for China (#827)
BUG FIXES:
- Add
vpc_config.cluster_security_group
output as primary cluster security group id (#828) - Wrap
local.configmap_roles.groups
with tolist() to avoid panic (#846) - Prevent
coalescelist
null argument error when destroying worker_group_launch_templates (#842)
v11.0.0 - 2020-03-31
FEATURES:
- Add instance tag specifications to Launch Template (#822)
- Add support for additional volumes in launch templates and launch configurations (#800)
- Add interpreter option to
wait_for_cluster_cmd
(#795)
ENHANCEMENTS:
- Require kubernetes provider >=1.11.1 (#784)
- Use
aws_partition
to build IAM policy ARNs (#820) - Generate
aws-auth
configmap's roles from Object. No more string concat. (#790) - Add timeout to default wait_for_cluster_cmd (#791)
- Automate changelog management (#786)
BUG FIXES:
- Fix destroy failure when talking to EKS endpoint on private network (#815)
- Add ip address when manage_aws_auth is true and public_access is false (#745)
- Add node_group direct dependency on eks_cluster (#796)
- Do not recreate cluster when no SG given (#798)
- Create
false
and avoid waiting forever for a non-existent cluster to respond (#789) - Fix git-chglog template to format changelog
Type
nicely (#803) - Fix git-chglog configuration (#802)
TESTS:
- Remove unused kitchen test related stuff (#787)
CI:
- Restrict sementic PR to validate PR title only (#804)