feat: version bumps and improvements #7

Author: dmi-clopez

.terraform.lock.hcl

@@ -19,7 +19,7 @@ resource "helm_release" "cluster_autoscaler" {
   namespace        = "cluster-autoscaler"
   repository       = "https://kubernetes.github.io/autoscaler"
   chart            = "cluster-autoscaler"
-  version          = "9.12.0"
+  version          = "9.21.0"
   create_namespace = true
 
   set {
@@ -41,28 +41,6 @@ resource "helm_release" "cluster_autoscaler" {
   }
 }
 
-
-// Here, we're gonna create the cluster-autoscaler tags so that the cluster-autoscaler can discover the autoscaling groups
-resource "aws_autoscaling_group_tag" "cluster_autoscaler_discovery_name" {
-  for_each               = { for k in toset(module.eks_cluster.self_managed_node_groups_autoscaling_group_names) : k => k if var.enable_cluster_autoscaler == true }
-  autoscaling_group_name = each.key
-  tag {
-    key                 = "k8s.io/cluster-autoscaler/${local.cluster_name}"
-    value               = "owned"
-    propagate_at_launch = false
-  }
-}
-
-resource "aws_autoscaling_group_tag" "cluster_autoscaler_discovery_enabled" {
-  for_each               = { for k in toset(module.eks_cluster.self_managed_node_groups_autoscaling_group_names) : k => k if var.enable_cluster_autoscaler == true }
-  autoscaling_group_name = each.key
-  tag {
-    key                 = "k8s.io/cluster-autoscaler/enabled"
-    value               = "true"
-    propagate_at_launch = false
-  }
-}
-
 resource "helm_release" "metrics_server" {
   depends_on = [
     module.eks_cluster
@@ -72,7 +50,7 @@ resource "helm_release" "metrics_server" {
 
   name             = "metrics-server"
   namespace        = "metrics-server"
-  version          = "3.7.0"
+  version          = "3.8.2"
   repository       = "https://kubernetes-sigs.github.io/metrics-server/"
   chart            = "metrics-server"
   create_namespace = true

addons.tf

@@ -10,31 +10,28 @@ data "aws_eks_cluster_auth" "this" {
 
 module "eks_cluster" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 18.17.0"
+  version = "~> 18.29.0"
 
   cluster_name    = local.cluster_name
   cluster_version = var.kubernetes_version
 
   cluster_enabled_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
 
+  manage_aws_auth_configmap = var.manage_aws_auth_configmap
+  create_aws_auth_configmap = var.create_aws_auth_configmap
+
+  aws_auth_roles = var.map_roles
+  aws_auth_users = var.map_users
+
   # # Enabling encryption on AWS EKS secrets using a customer-created key
-  # cluster_encryption_config = [{
-  #   provider_key_arn = aws_kms_key.eks_crypto_key.arn
-  #   resources        = ["secrets"]
-  # }]
+  cluster_encryption_config = [{
+    provider_key_arn = aws_kms_key.eks_kms_key.arn
+    resources        = ["secrets"]
+  }]
 
 
   # Enabling this, we allow EKS to manage this components for us (upgrading and maintaining)
   cluster_addons = {
-
-    # CoreDNS addon was removed from the module because it causes an execution loop
-    #   This module requires the workers to be created, but the dependency is not set-up correctly
-    #    For the time being, it would be advised to manage it outside of the module
-
-    # coredns = {
-    #   resolve_conflicts = "OVERWRITE"
-    # }
-
     kube-proxy = {}
     vpc-cni = {
       resolve_conflicts = "OVERWRITE"
@@ -50,13 +47,6 @@ module "eks_cluster" {
   self_managed_node_group_defaults = {
     update_launch_template_default_version = true
     iam_role_additional_policies           = ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"]
-
-    // This is a workaround that we need to apply in order to prevent the module from tagging all SG
-    //  if more than 1 SG is tagged by the module, then, the Kubernetes Load Balancers won't work
-    security_group_tags = {
-      "kubernetes.io/cluster/${local.cluster_name}" = null
-    }
-
   }
 
 
@@ -99,18 +89,3 @@ module "eks_cluster" {
   }
 
 }
-
-resource "kubernetes_config_map" "aws_auth" {
-
-  metadata {
-    name      = "aws-auth"
-    namespace = "kube-system"
-  }
-
-  data = {
-    mapAccounts = "[]"
-    mapRoles    = local.updated_auth_configmap_data.data.mapRoles
-    mapUsers    = local.updated_auth_configmap_data.data.mapUsers
-  }
-}
-

eks.tf

@@ -1,7 +1,7 @@
 module "eks-cluster" {
   source             = "../."
   environment        = "eks-spot-demo"
-  kubernetes_version = "1.21"
+  kubernetes_version = "1.23"
 
   enable_cluster_autoscaler = true
 
@@ -11,6 +11,8 @@ module "eks-cluster" {
   vpc_public_subnets  = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
 
 
+  create_aws_auth_configmap = true
+
   map_users = [
     {
       userarn  = "arn:aws:iam::xxxxxxxx:user/youremail@yourdomain.com"
@@ -38,7 +40,7 @@ module "eks-cluster" {
     spot_pool = {
       name = "spool-node-pool"
 
-      instance_type = "t2.medium"
+      instance_type = "t3.medium"
 
       max_size     = 6
       desired_size = 2
@@ -60,7 +62,10 @@ module "eks-cluster" {
       sudo systemctl start amazon-ssm-agent
       EOT
 
+      autoscaling_group_tags = {
+        "k8s.io/cluster-autoscaler/eks-spot-demo-eks-cluster" = "owned"
+        "k8s.io/cluster-autoscaler/enabled"                   = "true"
+      }
     }
   }
-
 }

examples/spot_eks_cluster.tf

@@ -11,7 +11,10 @@ resource "aws_iam_policy" "autoscaler_modify_asg" {
           "autoscaling:DescribeAutoScalingInstances",
           "autoscaling:DescribeLaunchConfigurations",
           "autoscaling:DescribeTags",
+          "ec2:DescribeInstanceTypes",
           "ec2:DescribeLaunchTemplateVersions",
+          "ec2:GetInstanceTypesFromInstanceRequirements",
+          "eks:DescribeNodegroup"
         ]
         Effect   = "Allow"
         Resource = "*"

iam_policies.tf

@@ -0,0 +1,5 @@
+resource "aws_kms_key" "eks_kms_key" {
+  description             = "KMS Key generated to encrypt ${local.cluster_name} secrets"
+  deletion_window_in_days = 10
+  enable_key_rotation     = true
+}

kms.tf

@@ -1,6 +1,6 @@
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 3.13.0"
+  version = "~> 3.14.0"
 
   name            = "${var.environment}-eks-vpc"
   cidr            = var.vpc_cidr