launchbynttdata/tf-aws-module_primitive-eks_cluster

tf-aws-module_primitive-eks_cluster

License: CC BY-NC-ND 4.0

Overview

This Terraform module creates and manages an AWS EKS (Elastic Kubernetes Service) cluster. It provides a primitive-level interface to the aws_eks_cluster resource with comprehensive configuration options for VPC integration, encryption, access control, logging, and network configuration.

Pre-Commit hooks

The .pre-commit-config.yaml file defines pre-commit hooks for Terraform, Go and common linting tasks. No custom hooks are added.

The commitlint hook enforces a commit message format. A commit message contains the following structural elements, to communicate intent to the consumers of your commit messages:

  • fix: a commit of the type fix patches a bug in your codebase (this correlates with PATCH in Semantic Versioning).
  • feat: a commit of the type feat introduces a new feature to the codebase (this correlates with MINOR in Semantic Versioning).
  • BREAKING CHANGE: a commit that has a footer BREAKING CHANGE:, or appends a ! after the type/scope, introduces a breaking API change (correlating with MAJOR in Semantic Versioning). A BREAKING CHANGE can be part of commits of any type. Footers other than BREAKING CHANGE: may be provided and follow a convention similar to the git trailer format.
  • build: a commit of the type build adds changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
  • chore: a commit of the type chore adds changes that don't modify src or test files
  • ci: a commit of the type ci adds changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
  • docs: a commit of the type docs adds documentation only changes
  • perf: a commit of the type perf adds code change that improves performance
  • refactor: a commit of the type refactor adds code change that neither fixes a bug nor adds a feature
  • revert: a commit of the type revert reverts a previous commit
  • style: a commit of the type style adds code changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
  • test: a commit of the type test adds missing tests or corrects existing tests

Base configuration used for this project is commitlint-config-conventional (based on the Angular convention)

If you are a developer using vscode, this plugin may be helpful.

detect-secrets-hook prevents new secrets from being introduced into the baseline. TODO: INSERT DOC LINK ABOUT HOOKS

In order for pre-commit hooks to work properly

  • You need to have the pre-commit package manager installed. Here are the installation instructions.
  • By default, pre-commit installs all the hooks when a commit message is added, except for the commitlint hook. The commitlint hook needs to be installed manually using the command below:
pre-commit install --hook-type commit-msg

To test the resource group module locally

  1. For development/enhancements to this module locally, you'll need to install all of its components. This is controlled by the configure target in the project's Makefile. Before you can run configure, familiarize yourself with the variables in the Makefile and ensure they're pointing to the right places.
make configure

This adds in several files and directories that are ignored by git. They expose many new Make targets.

  2. THIS STEP APPLIES ONLY TO MICROSOFT AZURE. IF YOU ARE USING A DIFFERENT PLATFORM, PLEASE SKIP THIS STEP. The first target you care about is env. This is the common interface for setting up environment variables. The values of the environment variables are used to authenticate with the cloud provider from the local development workstation.

The make configure command downloads the azure_env.sh file to the local workstation. The developer needs to modify this file, replacing the environment variable values with relevant values.

These environment variables are used by the terratest integration suite.

The service principal used for authentication (the value of ARM_CLIENT_ID) should have the privileges below on the resource group within the subscription.

"Microsoft.Resources/subscriptions/resourceGroups/write"
"Microsoft.Resources/subscriptions/resourceGroups/read"
"Microsoft.Resources/subscriptions/resourceGroups/delete"

Then run this make target to set the environment variables on developer workstation.

make env
  3. The first target you care about is check.

Prerequisites: Before running this target, ensure that the files mentioned below exist on the local workstation, in the root directory of the git repository that contains the code for the primitive/segment. Note that these files are Azure-specific. If the primitive/segment under development uses a cloud provider other than Azure, this section may not be relevant.

  • A file named provider.tf with contents below
provider "azurerm" {
  features {}
}
  • A file named terraform.tfvars which contains key value pair of variables used.

Note that since these files are listed in gitignore, they are not checked in to the primitive/segment's git repo.

After creating these files, for running tests associated with the primitive/segment, run

make check

If the make check target succeeds, the developer can commit the code to the primitive/segment's git repo.

The make check target

  • runs terraform commands to lint, validate and plan the terraform code.
  • runs conftests. The conftests make sure policy checks are successful.
  • runs terratest. This is the integration test suite.
  • runs opa tests
  • runs go lint tests

Features

  • Comprehensive EKS Configuration: Support for all major EKS cluster configuration options
  • VPC Integration: Configurable VPC, subnet, and security group associations
  • Encryption: Optional KMS encryption for cluster secrets
  • Access Control: Configurable API endpoint access (public, private, or both)
  • Logging: Support for all EKS control plane logging types
  • Network Configuration: Configurable Kubernetes network settings (service and pod CIDR)
  • Outpost Support: Configuration options for AWS Outposts
  • Canonical Tagging: Automatic tagging with provisioner=Terraform

Usage

Minimal Example

module "eks_cluster" {
  source = "git::https://github.com/launchbynttdata/tf-aws-module_primitive-eks_cluster.git?ref=1.0.0"

  name               = "my-eks-cluster"
  role_arn           = "arn:aws:iam::123456789012:role/eks-cluster-role"
  kubernetes_version = "1.31"

  vpc_config = {
    subnet_ids = ["subnet-abc123", "subnet-def456"]
  }

  tags = {
    Environment = "development"
    Team        = "platform"
  }
}

Complete Example

module "eks_cluster" {
  source = "git::https://github.com/launchbynttdata/tf-aws-module_primitive-eks_cluster.git?ref=1.0.0"

  name               = "my-production-cluster"
  role_arn           = "arn:aws:iam::123456789012:role/eks-cluster-role"
  kubernetes_version = "1.31"

  vpc_config = {
    subnet_ids              = ["subnet-abc123", "subnet-def456"]
    security_group_ids      = ["sg-12345678"]
    endpoint_private_access = true
    endpoint_public_access  = true
    public_access_cidrs     = ["0.0.0.0/0"]
  }

  # List of rules, matching the encryption_config type in the Inputs table.
  encryption_config = [
    {
      provider_key_arn = "arn:aws:kms:us-west-2:123456789012:key/12345678-1234-1234-1234-123456789012"
      resources        = ["secrets"]
    }
  ]

  enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]

  kubernetes_network_config = {
    service_ipv4_cidr = "172.20.0.0/16"
    ip_family         = "ipv4"
  }

  access_config = {
    authentication_mode                         = "API_AND_CONFIG_MAP"
    bootstrap_cluster_creator_admin_permissions = true
  }

  tags = {
    Environment = "production"
    Team        = "platform"
    CostCenter  = "engineering"
  }
}

For additional examples, see the examples directory:

  • Minimal - Basic cluster configuration
  • Complete - Comprehensive configuration with all features
  • Simple - Balanced configuration for integration testing
  • Private Endpoint - Private-only API endpoint access
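
The Complete Example above leaves the public API endpoint reachable from 0.0.0.0/0 and gives the cluster creator bootstrap admin rights. The following is an added example, not taken from this repository, showing the same module call with those settings tightened. It uses only inputs from the Inputs table; the `admin_cidrs` local and its CIDR are assumptions, and all ARNs and IDs are the placeholders used elsewhere in this README.

```hcl
# Added example: hardened variant of the Complete Example.
locals {
  # Assumption: the only networks allowed to reach the public endpoint.
  # 203.0.113.0/24 is a documentation range (RFC 5737); replace it.
  admin_cidrs = ["203.0.113.0/24"]
}

module "eks_cluster" {
  source = "git::https://github.com/launchbynttdata/tf-aws-module_primitive-eks_cluster.git?ref=1.0.0"

  name               = "my-production-cluster"
  role_arn           = "arn:aws:iam::123456789012:role/eks-cluster-role"
  kubernetes_version = "1.31"

  vpc_config = {
    subnet_ids              = ["subnet-abc123", "subnet-def456"]
    security_group_ids      = ["sg-12345678"]
    endpoint_private_access = true
    # The public endpoint stays on only for the listed networks. Set
    # endpoint_public_access = false for a private-only API server.
    endpoint_public_access = true
    public_access_cidrs    = local.admin_cidrs
  }

  # Envelope-encrypt Kubernetes secrets with a customer-managed KMS key.
  encryption_config = [
    {
      provider_key_arn = "arn:aws:kms:us-west-2:123456789012:key/12345678-1234-1234-1234-123456789012"
      resources        = ["secrets"]
    }
  ]

  # All five control-plane log types; audit and authenticator are the
  # ones needed to reconstruct who did what against the API server.
  enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]

  access_config = {
    # Access entries only; the aws-auth ConfigMap is not consulted.
    authentication_mode = "API"
    # The creating principal gets no implicit cluster-admin grant.
    bootstrap_cluster_creator_admin_permissions = false
  }

  tags = { Environment = "production", Team = "platform" }
}
```

With bootstrap_cluster_creator_admin_permissions set to false, no principal can administer the cluster until access is granted explicitly, for example with aws_eks_access_entry resources managed outside this module.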

Validation

This module includes validation rules to ensure secure and compliant cluster configurations:

  • Kubernetes version must be 1.31 or higher
  • At least 2 subnets must be specified in vpc_config
  • If encryption is enabled, at least one resource type must be specified
  • If Outpost configuration is used, all required fields must be provided

Requirements

| Name | Version |
|------|---------|
| terraform | ~> 1.5 |
| aws | ~> 5.100 |

Providers

| Name | Version |
|------|---------|
| aws | 5.100.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_eks_cluster.this | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| name | Cluster name. | string | n/a | yes |
| role_arn | IAM role ARN that EKS uses to manage other AWS services. | string | n/a | yes |
| kubernetes_version | Desired Kubernetes control-plane version (e.g., 1.30). Null lets EKS choose latest default. | string | null | no |
| enabled_cluster_log_types | EKS control-plane log types to enable. Valid: api, audit, authenticator, controllerManager, scheduler. | list(string) | [] | no |
| vpc_config | VPC configuration for the cluster endpoint and networking. Required: subnet_ids. Optional: security_group_ids, endpoint_private_access, endpoint_public_access, public_access_cidrs. | object({ subnet_ids = list(string), security_group_ids = optional(list(string)), endpoint_private_access = optional(bool), endpoint_public_access = optional(bool), public_access_cidrs = optional(list(string)) }) | n/a | yes |
| kubernetes_network_config | Kubernetes network settings. ip_family: IPV4 or IPV6. service_ipv4_cidr is optional (only for IPV4 clusters). | object({ ip_family = optional(string), service_ipv4_cidr = optional(string) }) | null | no |
| encryption_config | EKS secret encryption config. List of rules. Each item: { provider_key_arn = KMS key ARN, resources = list of resource types, typically ["secrets"] }. | list(object({ provider_key_arn = string, resources = list(string) })) | [] | no |
| access_config | Cluster access configuration. authentication_mode: CONFIG_MAP, API_AND_CONFIG_MAP, or API. bootstrap_cluster_creator_admin_permissions: bool. | object({ authentication_mode = optional(string), bootstrap_cluster_creator_admin_permissions = optional(bool) }) | null | no |
| outpost_config | For EKS on Outposts. Typical fields: control_plane_instance_type (e.g., m5.large), outpost_arns (list of Outpost ARNs). | object({ control_plane_instance_type = string, outpost_arns = list(string) }) | null | no |
| bootstrap_self_managed_addons | Whether to let EKS create and manage default self-managed add-ons (vpc-cni, coredns, kube-proxy) on cluster creation. | bool | null | no |
| tags | Tags to apply to the cluster. | map(string) | {} | no |
| timeouts | Optional timeouts for create/update/delete. | object({ create = optional(string), update = optional(string), delete = optional(string) }) | null | no |

Outputs

| Name | Description |
|------|-------------|
| id | Cluster name (resource ID). |
| arn | Cluster ARN. |
| endpoint | Cluster API server endpoint. |
| certificate_authority_data | Base64-encoded certificate data required to communicate with the cluster. |
| status | Cluster status. |
| version | Actual Kubernetes version running on the control plane. |
| platform_version | EKS platform version. |
| cluster_security_group_id | Cluster security group ID created by EKS. |
| cluster_primary_security_group_id | Primary security group ID for the cluster. |
| identity_oidc_issuer | OIDC issuer URL if OIDC is enabled. |
| tags_all | All tags, including provider defaults. |

Contributing

Contributions are welcome! Please see our contributing guidelines for details.

License

Apache 2.0 Licensed. See LICENSE for full details.
