README.md

AWS EKS Terraform module

SquareOps Technologies Your DevOps Partner for Accelerating cloud journey.

This module simplifies the deployment of EKS clusters with dual stack mode for Cluster IP family like IPv6 and IPv4, allowing users to quickly create and manage a production-grade Kubernetes cluster on AWS. The module is highly configurable, allowing users to customize various aspects of the EKS cluster, such as the Kubernetes version, worker node instance type, number of worker nodes, and now with added support for EKS version 1.30.
With this module, users can take advantage of the latest features and improvements offered by EKS 1.30 while maintaining the ease and convenience of automated deployment. The module provides a streamlined solution for setting up EKS clusters, reducing the manual effort required for setup and configuration.

Usage Example

module "eks" {
  source                                   = "squareops/eks/aws"
  name                                     = "skaf"
  vpc_id                                   = "vpc-xyz425342176"
  vpc_subnet_ids                           = [module.vpc.private_subnets[0]]
  environment                              = "prod"
  eks_kms_key_arn                          = "arn:aws:kms:us-east-2:222222222222:key/kms_key_arn"
  eks_cluster_version                      = "1.30"
  eks_cluster_log_types                    = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
  eks_cluster_log_retention_in_days        = 30
  eks_cluster_endpoint_public_access       = true
  eks_cluster_endpoint_public_access_cidrs = ["0.0.0.0/0"]
  eks_nodes_keypair_name                   = module.key_pair_eks.key_pair_name
  access_entry_enabled                     = false
  access_entries = {
    "example" = {
      kubernetes_groups = ["cluster-admins"]
      principal_arn     = "arn:aws:iam::767398031518:role/role-name"
      policy_associations = {
        example = {
          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
          access_scope = {
            namespaces = ["default"]
            type       = "namespace"
          }
        }
      }
    }
  }
  enable_cluster_creator_admin_permissions = true
  authentication_mode                      = "API_AND_CONFIG_MAP"
  eks_cluster_security_group_additional_rules = {
    ingress_port_mgmt_tcp = {
      description = "mgmt vpc cidr"
      protocol    = "tcp"
      from_port   = 443
      to_port     = 443
      type        = "ingress"
      cidr_blocks = ["10.10.0.0/16"]
    }
  }
}

module "managed_node_group_addons" {
  source                        = "squareops/eks/aws//modules/managed-nodegroup"
  depends_on                    = [module.eks]
  managed_ng_name               = "addons"
  managed_ng_min_size           = 2
  managed_ng_max_size           = 2
  managed_ng_desired_size       = 2
  vpc_subnet_ids                = ["subnet-abc123"]
  environment                   = "prod"
  managed_ng_kms_key_arn        = "arn:aws:kms:us-east-2:222222222222:key/kms_key_arn"
  managed_ng_capacity_type      = "ON_DEMAND"
  managed_ng_ebs_volume_size    = 50
  managed_ng_instance_types     = ["t3a.large", "t2.large", "t2.xlarge", "t3.large", "m5.large"]
  managed_ng_kms_policy_arn     = module.eks.kms_policy_arn
  eks_cluster_name              = module.eks.eks_cluster_name
  worker_iam_role_name          = module.eks.worker_iam_role_name
  worker_iam_role_arn           = module.eks.worker_iam_role_arn
  managed_ng_pod_capacity       = 90
  managed_ng_monitoring_enabled = true
  eks_nodes_keypair_name        = "key-pair-name"
  launch_template_name          = local.launch_template_name
  enable_bottlerocket_ami       = local.enable_bottlerocket_ami
  bottlerocket_node_config = {
    bottlerocket_eks_node_admin_container_enabled = false
    bottlerocket_eks_enable_control_container     = true
  }
  k8s_labels = {
    "Addons-Services" = "true"
  }
  tags = {
    Name = "prod-cluster"
  }
}

module "fargate_profle" {
  source               = "squareops/eks/aws//modules/fargate-profile"
  depends_on           = [module.eks]
  fargate_profile_name = "app"
  fargate_subnet_ids   = ["subnet-abc123"]
  environment          = "prod"
  eks_cluster_name     = module.eks.cluster_name
  fargate_namespace    = "default"
  k8s_labels = {
    "App-Services" = "fargate"
  }
}

Refer examples for more details.

IAM Permissions

The required IAM permissions to create resources from this module can be found here

EKS-Addons

The EKS module is designed to be used as a standalone Terraform module. We recommend using EKS-Addons module in conjunction to enhance functionality.

CIS COMPLIANCE

Security scanning is graciously provided by Prowler. Prowler is the leading fully hosted, cloud-native solution providing continuous cluster security and compliance.

In this module, we have implemented the following CIS Compliance checks for EKS:

Benchmark	Description	Status
Ensure EKS Control Plane Audit Logging is enabled for all log types	Control plane logging enabled and correctly configured for EKS cluster	✔
Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs)	Encryption for Kubernetes secrets is configured for EKS cluster	✔
Ensure EKS Clusters are created with Private Endpoint Enabled and Public Access Disabled	Cluster endpoint access is private for EKS cluster	✔
Restrict Access to the EKS Control Plane Endpoint	Cluster control plane access is restricted for EKS cluster	✔

Requirements

Name	Version
terraform	>= 1.0
aws	>= 5.0.0
helm	>= 2.10.0
kubernetes	>= 2.20.0
time	>= 0.9.2
tls	>= 4.0.0

Providers

Name	Version
aws	>= 5.0.0

Modules

Name	Source	Version
eks	terraform-aws-modules/eks/aws	20.16.0

Resources

Name	Type
aws_iam_policy.cni_ipv6_policy	resource
aws_iam_policy.kubernetes_pvc_kms_policy	resource
aws_iam_policy.node_autoscaler_policy	resource
aws_iam_role.node_role	resource
aws_iam_role_policy_attachment.S3Access_attachment	resource
aws_iam_role_policy_attachment.SSMManagedInstanceCore_attachment	resource
aws_iam_role_policy_attachment.cni_policy	resource
aws_iam_role_policy_attachment.kms_cluster_policy_attachment	resource
aws_iam_role_policy_attachment.kms_worker_policy_attachment	resource
aws_iam_role_policy_attachment.node_autoscaler_policy	resource
aws_iam_role_policy_attachment.worker_ecr_policy	resource
aws_iam_role_policy_attachment.worker_policy	resource
aws_iam_policy.S3Access	data source
aws_iam_policy.SSMManagedInstanceCore	data source

Inputs

Name	Description	Type	Default	Required
additional_aws_tags	Additional tags to be applied to AWS resources	map(string)	{}	no
environment	Environment identifier for the EKS cluster, such as dev, qa, prod, etc.	string	""	no
name	Specify the name of the EKS cluster.	string	""	no
cluster_version	Specifies the Kubernetes version (major.minor) to use for the EKS cluster.	string	""	no
irsa_enabled	Set to true to associate an AWS IAM role with a Kubernetes service account.	bool	true	no
cluster_endpoint_public_access	Whether the Amazon EKS public API server endpoint is enabled or not.	bool	true	no
cluster_endpoint_private_access	Whether the Amazon EKS private API server endpoint is enabled or not.	bool	true	no
cluster_endpoint_public_access_cidrs	CIDR blocks that can access the Amazon EKS public API server endpoint.	list(string)	[ "" ]	no
vpc_id	ID of the VPC where the EKS cluster will be deployed.	string	""	no
kms_key_arn	ARN of the KMS key used to encrypt EKS resources.	string	""	no
cluster_log_types	A list of desired control plane logs to enable for the EKS cluster. Valid values include: api, audit, authenticator, controllerManager, scheduler.	list(string)	[]	no
cluster_log_retention_in_days	Retention period for EKS cluster logs in days. Default is set to 90 days.	number	90	no
vpc_private_subnet_ids	Private subnets of the VPC which can be used by EKS	list(string)	[ "" ]	no
kms_key_enabled	Controls if a KMS key for cluster encryption should be created	bool	false	no
cluster_security_group_additional_rules	List of additional security group rules to add to the cluster security group created.	any	{}	no
ipv6_enabled	Enable cluster IP family as Ipv6	bool	false	no
default_addon_enabled	Enable deafult addons(vpc-cni, ebs-csi) at the time of cluster creation	bool	false	no
nodes_keypair_name	The public key to be used for EKS cluster worker nodes.	string	""	no
cluster_name	Name of EKS cluster	string	""	no
vpc_subnet_ids	The IDs of the subnets in the VPC that can be used by EKS.	list(string)	[ "" ]	no
tags	Tags to be applied to the node group.	any	{}	no
k8s_labels	Labels to be applied to the Kubernetes node groups.	map(any)	{}	no
authentication_mode	The authentication mode for the cluster. Valid values are CONFIG_MAP, API or API_AND_CONFIG_MAP	string	"API_AND_CONFIG_MAP"	no
access_entry_enabled	Whether to enable access entry or not for eks cluster.	bool	true	no
access_entries	Map of access entries to add to the cluster	any	{}	no
enable_cluster_creator_admin_permissions	Indicates whether or not to add the cluster creator (the identity used by Terraform) as an administrator via access entry	bool	false	no

Outputs

Name	Description
cluster_name	Name of the Kubernetes cluster.
cluster_endpoint	Endpoint URL for the EKS control plane.
cluster_security_group_id	Security group IDs that are attached to the control plane of the EKS cluster.
cluster_arn	ARN of the EKS Cluster.
cluster_oidc_issuer_url	URL of the OpenID Connect identity provider on the EKS cluster.
worker_iam_role_arn	ARN of the IAM role assigned to the EKS worker nodes.
worker_iam_role_name	Name of the IAM role assigned to the EKS worker nodes.
kms_policy_arn	ARN of the KMS policy that is used by the EKS cluster.
cluster_certificate_authority_data	Base64 encoded certificate data required to communicate with the cluster

Contribution & Issue Reporting

To report an issue with a project:

1. Check the repository's issue tracker on GitHub
2. Search to see if the issue has already been reported
3. If you can't find an answer to your question in the documentation or issue tracker, you can ask a question by creating a new issue. Be sure to provide enough context and details so others can understand your problem.

License

Apache License, Version 2.0, January 2004 (http://www.apache.org/licenses/).

Support Us

To support a GitHub project by liking it, you can follow these steps:

1. Visit the repository: Navigate to the GitHub repository.

2. Click the "Star" button: On the repository page, you'll see a "Star" button in the upper right corner. Clicking on it will star the repository, indicating your support for the project.

3. Optionally, you can also leave a comment on the repository or open an issue to give feedback or suggest changes.

Starring a repository on GitHub is a simple way to show your support and appreciation for the project. It also helps to increase the visibility of the project and make it more discoverable to others.

Who we are

We believe that the key to success in the digital age is the ability to deliver value quickly and reliably. That’s why we offer a comprehensive range of DevOps & Cloud services designed to help your organization optimize its systems & Processes for speed and agility.

1. We are an AWS Advanced consulting partner which reflects our deep expertise in AWS Cloud and helping 100+ clients over the last 4 years.
2. Expertise in Kubernetes and overall container solution helps companies expedite their journey by 10X.
3. Infrastructure Automation is a key component to the success of our Clients and our Expertise helps deliver the same in the shortest time.
4. DevSecOps as a service to implement security within the overall DevOps process and helping companies deploy securely and at speed.
5. Platform engineering which supports scalable,Cost efficient infrastructure that supports rapid development, testing, and deployment.
6. 24*7 SRE service to help you Monitor the state of your infrastructure and eradicate any issue within the SLA.

We provide support on all of our projects, no matter how small or large they may be.

To find more information about our company, visit squareops.com, follow us on Linkedin, or fill out a job application. If you have any questions or would like assistance with your cloud strategy and implementation, please don't hesitate to contact us.