feat: add support for EKS Auto Mode #253
romulofranca wants to merge 13 commits into cloudposse:main from
CodeRabbit walkthrough: This change set introduces support for EKS Auto Mode, adding new variables and logic to manage compute resources and IAM roles conditionally. It updates the Kubernetes version to 1.32, modifies module and output configurations to handle optional node group creation, and adds validation and dependency management for the new features. Tests and dependencies are updated accordingly.
Actionable comments posted: 2
Files ignored due to path filters (1): test/src/go.sum is excluded by !**/*.sum
Files selected for processing (10):
- examples/complete/fixtures.us-east-2.tfvars (1 hunk)
- examples/complete/main.tf (2 hunks)
- examples/complete/outputs.tf (1 hunk)
- examples/complete/variables.tf (3 hunks)
- iam.tf (3 hunks)
- main.tf (4 hunks)
- outputs.tf (1 hunk)
- test/src/examples_complete_test.go (1 hunk)
- test/src/go.mod (4 hunks)
- variables.tf (1 hunk)
Path-based instructions (2):
- `test/src/*`: This is `go` code for orchestrating testing and standards are very relaxed, plus certain things need to be certain ways for testing. Exclude from review unless you find misspelling or similar error in comments or serious errors in code. Applies to: test/src/examples_complete_test.go, test/src/go.mod
- `examples/complete/*.tf`: This is framework for testing and standards are very relaxed, plus certain things need to be certain ways for testing. Exclude from review unless you find misspelling or similar error in comments or serious errors in code. Applies to: examples/complete/outputs.tf, examples/complete/variables.tf, examples/complete/main.tf
🔇 Additional comments (22)
test/src/go.mod (1)
3-5: ❌ Incorrect review comment
Go version and toolchain appear to be from the future.
The specified Go version (1.23.0) and toolchain (1.24.3) are versions that don't exist yet in the current Go release cycle (as of May 2025). The latest stable Go version is typically in the 1.22.x range.
🌐 Web query: What is the latest stable version of Go?
💡 Result: The latest stable version of Go as of May 2025 is Go 1.24.3. This version was released on May 6, 2025, and includes important security and bug fixes to multiple packages such as os, crypto/tls, and improvements to the runtime, compiler, linker, and the go command [1][2]. Go 1.24 is the most recent major release, with minor revisions like 1.24.3 providing continued stability and security updates [2][3].
For downloading or more details on recent changes, you can refer to the official Go release history [1][2].
Citations:
- 1: https://go.dev/dl/
- 2: https://go.dev/doc/devel/release
- 3: https://tip.golang.org/doc/go1.24
- 4: https://endoflife.date/go
- 5: https://github.com/golang/tools/releases
- 6: https://antonz.org/which-go/
- 7: https://tip.golang.org/doc/go1.23
- 8: https://discussion.fedoraproject.org/t/fedora-doesnt-provide-latest-version-of-go/146930
go.mod directives are valid and up-to-date
The `go 1.23.0` language version and the `toolchain go1.24.3` directive both correspond to officially released Go versions (Go 1.23.0 in August 2024 and Go 1.24.3 in May 2025). No changes are needed here.
Likely an incorrect or invalid review comment.
examples/complete/fixtures.us-east-2.tfvars (1)
31-31: LGTM: Kubernetes version updated to support EKS Auto Mode.
The version update from 1.29 to 1.32 aligns with the PR objectives for supporting EKS Auto Mode.
outputs.tf (1)
103-106: LGTM: New output added for node role ARN.
This output provides access to the node IAM role ARN, which is needed for the new Auto Mode feature. The description is clear and accurate.
examples/complete/outputs.tf (1)
54-57: LGTM: Graceful handling of optional node group outputs.
Excellent improvement using the `try()` function to handle scenarios where node groups may not be present, which is the case when Auto Mode is enabled. This prevents errors when accessing attributes of non-existent resources.
Also applies to: 59-62, 64-67, 69-72, 74-77, 79-82
test/src/examples_complete_test.go (1)
217-286: LGTM: Comprehensive test added for EKS Auto Mode.
The test properly validates the new Auto Mode functionality by:
- Enabling Auto Mode with `cluster_auto_mode_enabled: true`
- Configuring node pools appropriately
- Validating outputs reflect Auto Mode configuration
- Verifying the cluster reaches ACTIVE status
Good validation coverage for the new feature.
examples/complete/main.tf (1)
1-161: Skip example file review
This file is part of the examples framework where standards are intentionally relaxed. I did not find any spelling or serious errors.
🧰 Tools
🪛 Checkov (3.2.334)
[MEDIUM] 5-12: Ensure Terraform module sources use a commit hash
(CKV_TF_1)
[MEDIUM] 66-74: Ensure Terraform module sources use a commit hash
(CKV_TF_1)
[MEDIUM] 76-95: Ensure Terraform module sources use a commit hash
(CKV_TF_1)
[MEDIUM] 142-160: Ensure Terraform module sources use a commit hash
(CKV_TF_1)
examples/complete/variables.tf (1)
1-165: Skip example variables review
This file defines example inputs for testing; standards are relaxed here and no issues were detected.
variables.tf (4)
383-387: Approve `cluster_auto_mode_enabled` variable addition
The new boolean flag is well-defined with a clear default and description.
389-399: Approve `node_pools` variable and validation
The list of allowed values with inline validation is correct and prevents invalid input.
402-406: Approve `create_node_role` variable addition
This flag cleanly controls whether a new IAM role should be created or an existing ARN used.
408-424: Approve `node_role_arn` variable and conditional validation
The validation logic correctly enforces that an ARN must be provided when `create_node_role` is false and `node_pools` is non-empty.
main.tf (5)
17-19: Approve addition of `auto_mode_enabled` local
Introducing `local.auto_mode_enabled` simplifies downstream conditional logic.
61-66: Approve core EKS cluster attribute updates
The updated `count`, `name`, `tags`, `role_arn`, `version`, and `enabled_cluster_log_types` lines correctly reflect the new module inputs.
93-97: Approve lifecycle precondition for mutual exclusivity
The precondition cleanly enforces that auto mode and bootstrap self-managed addons cannot both be enabled.
135-146: Approve dynamic `kubernetes_network_config` for ELB
This adds the elastic load balancing block under IPv4/IPv6 network config when auto mode is enabled, matching AWS requirements.
148-156: Approve dynamic `storage_config` for block storage
Enabling EKS block storage in auto mode is correctly scoped.
iam.tf (6)
3-14: Approve `create_node_role`, `node_role_arn`, and `auto_mode_policies` locals
The locals correctly capture creation flags, conditional ARNs, and the set of policies needed for Auto Mode.
19-22: Approve conditional inclusion of `sts:TagSession`
Appending `sts:TagSession` when Auto Mode is enabled enhances session tagging without impacting other paths.
102-106: Approve `auto_mode_policies` attachment
Conditionally attaching the Auto Mode managed policies only when both cluster Auto Mode and service role creation are enabled is correct.
108-120: Approve `node_assume_role` policy document
The assume role policy for EC2 is properly scoped to the node role and guarded by `count`.
122-129: Approve creation of `aws_iam_role.node`
The node IAM role is defined with the correct naming pattern, tags, and permissions boundary.
131-150: Approve node IAM policy attachments
The `AmazonEKSWorkerNodePolicy`, `AmazonEC2ContainerRegistryReadOnly`, and `AmazonEKS_CNI_Policy` attachments are correctly conditioned on `create_node_role`.
force-pushed 2a3a194 to a108e41
gberenice left a comment:
@romulofranca thanks for you contribution! I added several suggestions/questions.
@Nuru I'd ask you to review this as well, as I'm currently not working close with EKS Auto Mode.
Review comment on the `dynamic "elastic_load_balancing"` block:

```hcl
  for_each = local.auto_mode_enabled ? [1] : []
  content {
    dynamic "elastic_load_balancing" {
```
I believe this dynamic block is excessive. If auto_mode is not enabled, this network config won't be added to the resource.
Thanks for the comment! I believe it should still work fine — even if auto_mode_enabled is false, the other kubernetes_network_config blocks (like IPv4 or IPv6) might still be added if their conditions are met. Each block runs independently, so they don’t block each other. Let me know if you see anything I might’ve missed!
💥 This pull request now has conflicts. Could you fix it @romulofranca? 🙏
force-pushed de25821 to 1003136
/terratest
Important: Cloud Posse Engineering Team Review Required. This pull request modifies files that require Cloud Posse's review. Please be patient, and a core maintainer will review your changes. To expedite this process, reach out to us on Slack in the
Review comment on the new `node_role_arn` variable:

```hcl
variable "node_role_arn" {
```
Note this variable is declared but unused
@romulofranca Thank you very much for this substantial effort! Unfortunately, a PR this major requires a lot of thoughtful review, not only for its impact on this module, but also for how it coordinates with our other modules such as eks-node-group, and components such as eks-alb-controller and eks-karpenter-node-pool. Given our current workload and resources, it may be quite a while before we get to this.
Any plans on wrapping the work in this PR up before EoY 2025?
💥 This pull request now has conflicts. Could you fix it @romulofranca? 🙏
I'd love this to be merged, I'm considering swapping to a different EKS TF module but cloudposse ones are by far the best
Add auto_mode_enabled variable, Auto Mode node IAM role, and pass auto_mode_compute_config/storage_config/elastic_load_balancing to the module. Disable node group when Auto Mode is enabled. Incorporates example patterns from PR #253 using our variable naming. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: add EKS Auto Mode support
  Add compute_config, storage_config, and elastic_load_balancing object variables with enabled flags. Adds dynamic blocks to aws_eks_cluster, Auto Mode IAM policies (Compute, BlockStorage, LoadBalancing, Networking), sts:TagSession trust policy, and auto_mode_enabled output. Bumps AWS provider to >= 5.79.0. All defaults preserve current behavior. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: replace coalesce with ternary for bootstrap_self_managed_addons
  coalesce treats false as empty, causing an error when both Auto Mode is disabled and the user hasn't set bootstrap_self_managed_addons_enabled. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: filter auto mode node role from linux access entries
  When EKS Auto Mode is enabled, AWS automatically creates an access entry for the node role specified in compute_config. Attempting to create it again via aws_eks_access_entry.linux causes a 409 ResourceInUseException. Filter out the compute_config.node_role_arn from the linux access entries when auto mode is enabled. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* revert: remove submodule-level access entry filtering
  The ARN-based filtering caused "count depends on resource attributes" errors because the node_role_arn isn't known at plan time when the IAM role is being created in the same apply. The fix is handled at the component level instead — the component simply does not pass the auto mode node role to access_entries_for_nodes. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor: rename Auto Mode variables with auto_mode_ prefix
  Rename compute_config -> auto_mode_compute_config, storage_config -> auto_mode_storage_config, elastic_load_balancing -> auto_mode_elastic_load_balancing for clarity. Also add EKS Auto Mode section to README. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add EKS Capabilities support (Argo CD, ACK, KRO)
  - Add `capabilities` map variable for independently-enableable managed platform features
  - Create capabilities.tf with aws_eks_capability resources and auto-created IAM roles per capability
  - Add capabilities and capability_role_arns outputs
  - Bump AWS provider to >= 6.25.0 for aws_eks_capability resource
  - Support ARGOCD configuration (IDC, RBAC, network access)
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: remove .terraform.lock.hcl from repo
* feat: update examples/complete with Auto Mode support
  Add auto_mode_enabled variable, Auto Mode node IAM role, and pass auto_mode_compute_config/storage_config/elastic_load_balancing to the module. Disable node group when Auto Mode is enabled. Incorporates example patterns from PR #253 using our variable naming. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: use static key sets for capabilities for_each to fix plan-time error
  OpenTofu/Terraform requires for_each keys to be known at plan time. Changed from map-based for_each to toset of keys derived from var.capabilities, ensuring keys are always static. Resource attributes now reference var.capabilities[each.value] instead of each.value.X. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add create_iam_role field to capabilities for plan-time stability
  The for_each on capability IAM resources was failing because role_arn == null is unknown at plan time when the calling module passes a resource ARN. Added create_iam_role boolean (default true) that callers set to false when they provide their own roles, ensuring for_each keys are always deterministic at plan time. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: make aws_idc required for Argo CD capability configuration
  The AWS provider requires the aws_idc block to always be present when configuring an Argo CD capability. Changed from dynamic block (optional) to static block (required) and updated the variable type accordingly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: make aws_idc optional for Argo CD -- skip argo_cd block when absent
  The AWS provider requires aws_idc when argo_cd configuration is rendered, but users may not have an IDC instance set up initially. Changed aws_idc back to optional and only render the argo_cd configuration block when aws_idc is provided. The capability is still created, just without the argo_cd configuration block (can be configured later). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: remove unused enabled_capabilities local
  TFLint flagged enabled_capabilities as unused after switching to key-based sets for for_each. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: require aws_idc for ARGOCD capabilities, skip empty config block
  The AWS API requires configuration.argo_cd.aws_idc for ARGOCD capabilities. Previously, when aws_idc was null, the argo_cd block was skipped but the configuration block still rendered empty, causing an API error. Now:
  - Skip entire configuration block when aws_idc is not provided
  - Add validation to give a clear error if aws_idc is missing
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: remove .terraform.lock.hcl from version control
  Lock files should not be committed in reusable modules as they constrain consumers' provider versions unnecessarily. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: add EKS Auto Mode section to README.yaml
  Port the EKS Auto Mode documentation from README.md back to README.yaml so it persists through readme generation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: use aws_partition for policy ARNs in examples, rename capabilities to auto mode managed add-ons
  - Add data.aws_partition.current to examples/complete for GovCloud/China partition support instead of hardcoded "arn:aws:" prefixes
  - Rename "Capabilities" section to "Auto Mode Managed Add-ons" in docs to avoid confusion with EKS Capabilities (Argo CD, ACK, KRO)
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* update test
* -> local.enabled

---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
what
- Added the `cluster_auto_mode_enabled`, `node_pools`, `create_node_role`, and `node_role_arn` variables.
- Updated the `aws_eks_cluster` resource to handle `compute_config`, `elastic_load_balancing`, and `storage_config` for Auto Mode.
- Added the Auto Mode IAM resources (`auto_mode_policies`, `node_assume_role`, and related attachments).
- Wrapped node group outputs in `try()` to support scenarios without node groups.
- Added `TestExamplesAutoMode` to validate Auto Mode functionality.
why
references
Related to EKS Auto Mode announcement: https://docs.aws.amazon.com/eks/latest/userguide/eks-auto-mode.html
Related PRs and discussions: