cloudposse
diff --git a/‎README.md‎
Lines changed: 24 additions & 41 deletions b/‎README.md‎
Lines changed: 24 additions & 41 deletions
diff --git a/‎docs/targets.md‎
Lines changed: 3 additions & 1 deletion b/‎docs/targets.md‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎docs/terraform.md‎
Lines changed: 1 addition & 0 deletions b/‎docs/terraform.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎examples/complete/fixtures.us-east-2.tfvars‎
Lines changed: 8 additions & 2 deletions b/‎examples/complete/fixtures.us-east-2.tfvars‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎examples/complete/main.tf‎
Lines changed: 38 additions & 17 deletions b/‎examples/complete/main.tf‎
Lines changed: 38 additions & 17 deletions
diff --git a/‎examples/complete/outputs.tf‎
Lines changed: 20 additions & 0 deletions b/‎examples/complete/outputs.tf‎
Lines changed: 20 additions & 0 deletions
@@ -1,24 +1,20 @@
-<!-- 
-
-
-
-
-
-
-
+# terraform-aws-eks-node-group [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-eks-node-group.svg)](https://github.com/cloudposse/terraform-aws-eks-node-group/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com)
 
+[![README Header][readme_header_img]][readme_header_link]
 
+[![Cloud Posse][logo]](https://cpco.io/homepage)
 
+<!--
 
 
 
 
   ** DO NOT EDIT THIS FILE
-  ** 
-  ** This file was automatically generated by the `build-harness`. 
-  ** 1) Make all changes to `README.yaml` 
+  **
+  ** This file was automatically generated by the `build-harness`.
+  ** 1) Make all changes to `README.yaml`
   ** 2) Run `make init` (you only need to do this once)
-  ** 3) Run`make readme` to rebuild this file. 
+  ** 3) Run`make readme` to rebuild this file.
   **
   ** (We maintain HUNDREDS of open source projects. This is how we maintain our sanity.)
   **
@@ -27,23 +23,7 @@
 
 
 
-
-
-
-
-
-
-
-
-
-
-  -->
-[![README Header][readme_header_img]][readme_header_link]
-
-[![Cloud Posse][logo]](https://cpco.io/homepage)
-
-# terraform-aws-eks-node-group [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-eks-node-group.svg)](https://github.com/cloudposse/terraform-aws-eks-node-group/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com)
-
+-->
 
 Terraform module to provision an EKS Node Group for [Elastic Container Service for Kubernetes](https://aws.amazon.com/eks/).
 
@@ -52,7 +32,7 @@ Instantiate it multiple times to create many EKS node groups with specific setti
 
 ---
 
-This project is part of our comprehensive ["SweetOps"](https://cpco.io/sweetops) approach towards DevOps. 
+This project is part of our comprehensive ["SweetOps"](https://cpco.io/sweetops) approach towards DevOps.
 [<img align="right" title="Share via Email" src="https://docs.cloudposse.com/images/ionicons/ios-email-outline-2.0.1-16x16-999999.svg"/>][share_email]
 [<img align="right" title="Share on Google+" src="https://docs.cloudposse.com/images/ionicons/social-googleplus-outline-2.0.1-16x16-999999.svg" />][share_googleplus]
 [<img align="right" title="Share on Facebook" src="https://docs.cloudposse.com/images/ionicons/social-facebook-outline-2.0.1-16x16-999999.svg" />][share_facebook]
@@ -73,7 +53,7 @@ It's 100% Open Source and licensed under the [APACHE2](LICENSE).
 
 
 
-We literally have [*hundreds of terraform modules*][terraform_modules] that are Open Source and well-maintained. Check them out! 
+We literally have [*hundreds of terraform modules*][terraform_modules] that are Open Source and well-maintained. Check them out!
 
 
 
@@ -180,8 +160,9 @@ For automated tests of the complete example using [bats](https://github.com/bats
 
 
 
+<!-- markdownlint-disable -->
 ## Makefile Targets
-```
+```text
 Available targets:
 
   help                                Help screen
@@ -190,6 +171,7 @@ Available targets:
   lint                                Lint terraform code
 
 ```
+<!-- markdownlint-restore -->
 ## Requirements
 
 | Name | Version |
@@ -219,6 +201,7 @@ Available targets:
 | ec2\_ssh\_key | SSH key name that should be used to access the worker nodes | `string` | `null` | no |
 | enable\_cluster\_autoscaler | Whether to enable node group to scale the Auto Scaling Group | `bool` | `false` | no |
 | enabled | Whether to create the resources. Set to `false` to prevent the module from creating any resources | `bool` | `true` | no |
+| environment | Environment, e.g. 'prod', 'staging', 'dev', 'pre-prod', 'UAT' | `string` | `""` | no |
 | existing\_workers\_role\_policy\_arns | List of existing policy ARNs that will be attached to the workers default role on creation | `list(string)` | `[]` | no |
 | existing\_workers\_role\_policy\_arns\_count | Count of existing policy ARNs that will be attached to the workers default role on creation. Needed to prevent Terraform error `count can't be computed` | `number` | `0` | no |
 | instance\_types | Set of instance types associated with the EKS Node Group. Defaults to ["t3.medium"]. Terraform will only perform drift detection if a configuration value is provided | `list(string)` | n/a | yes |
@@ -248,9 +231,9 @@ Available targets:
 
 
 
-## Share the Love 
+## Share the Love
 
-Like this project? Please give it a ★ on [our GitHub](https://github.com/cloudposse/terraform-aws-eks-node-group)! (it helps us **a lot**) 
+Like this project? Please give it a ★ on [our GitHub](https://github.com/cloudposse/terraform-aws-eks-node-group)! (it helps us **a lot**)
 
 Are you using this project or any of our other projects? Consider [leaving a testimonial][testimonial]. =)
 
@@ -275,7 +258,7 @@ Check out these related projects.
 
 ## Help
 
-**Got a question?** We got answers. 
+**Got a question?** We got answers.
 
 File a GitHub [issue](https://github.com/cloudposse/terraform-aws-eks-node-group/issues), send us an [email][email] or join our [Slack Community][slack].
 
@@ -284,7 +267,7 @@ File a GitHub [issue](https://github.com/cloudposse/terraform-aws-eks-node-group
 ## DevOps Accelerator for Startups
 
 
-We are a [**DevOps Accelerator**][commercial_support]. We'll help you build your cloud infrastructure from the ground up so you can own it. Then we'll show you how to operate it and stick around for as long as you need us. 
+We are a [**DevOps Accelerator**][commercial_support]. We'll help you build your cloud infrastructure from the ground up so you can own it. Then we'll show you how to operate it and stick around for as long as you need us.
 
 [![Learn More](https://img.shields.io/badge/learn%20more-success.svg?style=for-the-badge)][commercial_support]
 
@@ -313,11 +296,11 @@ Participate in our [Discourse Forums][discourse]. Here you'll find answers to co
 
 ## Newsletter
 
-Sign up for [our newsletter][newsletter] that covers everything on our technology radar.  Receive updates on what we're up to on GitHub as well as awesome new projects we discover. 
+Sign up for [our newsletter][newsletter] that covers everything on our technology radar.  Receive updates on what we're up to on GitHub as well as awesome new projects we discover.
 
 ## Office Hours
 
-[Join us every Wednesday via Zoom][office_hours] for our weekly "Lunch & Learn" sessions. It's **FREE** for everyone! 
+[Join us every Wednesday via Zoom][office_hours] for our weekly "Lunch & Learn" sessions. It's **FREE** for everyone!
 
 [![zoom](https://img.cloudposse.com/fit-in/200x200/https://cloudposse.com/wp-content/uploads/2019/08/Powered-by-Zoom.png")][office_hours]
 
@@ -348,9 +331,9 @@ Copyright © 2017-2020 [Cloud Posse, LLC](https://cpco.io/copyright)
 
 
 
-## License 
+## License
 
-[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) 
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 
 See [LICENSE](LICENSE) for full details.
 
@@ -391,7 +374,7 @@ This project is maintained and funded by [Cloud Posse, LLC][website]. Like it? P
 
 We're a [DevOps Professional Services][hire] company based in Los Angeles, CA. We ❤️  [Open Source Software][we_love_open_source].
 
-We offer [paid support][commercial_support] on all of our projects.  
+We offer [paid support][commercial_support] on all of our projects.
 
 Check out [our other projects][github], [follow us on twitter][twitter], [apply for a job][jobs], or [hire us][hire] to help with your cloud strategy and implementation.
 
 
@@ -1,5 +1,6 @@
+<!-- markdownlint-disable -->
 ## Makefile Targets
-```
+```text
 Available targets:
 
   help                                Help screen
@@ -8,3 +9,4 @@ Available targets:
   lint                                Lint terraform code
 
 ```
+<!-- markdownlint-restore -->
@@ -27,6 +27,7 @@
 | ec2\_ssh\_key | SSH key name that should be used to access the worker nodes | `string` | `null` | no |
 | enable\_cluster\_autoscaler | Whether to enable node group to scale the Auto Scaling Group | `bool` | `false` | no |
 | enabled | Whether to create the resources. Set to `false` to prevent the module from creating any resources | `bool` | `true` | no |
+| environment | Environment, e.g. 'prod', 'staging', 'dev', 'pre-prod', 'UAT' | `string` | `""` | no |
 | existing\_workers\_role\_policy\_arns | List of existing policy ARNs that will be attached to the workers default role on creation | `list(string)` | `[]` | no |
 | existing\_workers\_role\_policy\_arns\_count | Count of existing policy ARNs that will be attached to the workers default role on creation. Needed to prevent Terraform error `count can't be computed` | `number` | `0` | no |
 | instance\_types | Set of instance types associated with the EKS Node Group. Defaults to ["t3.medium"]. Terraform will only perform drift detection if a configuration value is provided | `list(string)` | n/a | yes |
 
@@ -10,6 +10,14 @@ stage = "test"
 
 name = "eks-node-group"
 
+kubernetes_version = "1.15"
+
+oidc_provider_enabled = true
+
+enabled_cluster_log_types = ["audit"]
+
+cluster_log_retention_period = 7
+
 instance_types = ["t3.small"]
 
 desired_size = 2
@@ -20,6 +28,4 @@ min_size = 2
 
 disk_size = 20
 
-kubeconfig_path = "/.kube/config"
-
 kubernetes_labels = {}
@@ -13,7 +13,17 @@ module "label" {
 }
 
 locals {
+  # The usage of the specific kubernetes.io/cluster/* resource tags below are required
+  # for EKS and Kubernetes to discover and manage networking resources
+  # https://www.terraform.io/docs/providers/aws/guides/eks-getting-started.html#base-vpc-networking
   tags = merge(module.label.tags, map("kubernetes.io/cluster/${module.label.id}", "shared"))
+
+  # Unfortunately, most_recent (https://github.com/cloudposse/terraform-aws-eks-workers/blob/34a43c25624a6efb3ba5d2770a601d7cb3c0d391/main.tf#L141)
+  # variable does not work as expected, if you are not going to use custom ami you should
+  # enforce usage of eks_worker_ami_name_filter variable to set the right kubernetes version for EKS workers,
+  # otherwise will be used the first version of Kubernetes supported by AWS (v1.11) for EKS workers but
+  # EKS control plane will use the version specified by kubernetes_version variable.
+  eks_worker_ami_name_filter = "amazon-eks-node-${var.kubernetes_version}*"
 }
 
 module "vpc" {
@@ -22,12 +32,12 @@ module "vpc" {
   stage      = var.stage
   name       = var.name
   attributes = var.attributes
-  cidr_block = var.vpc_cidr_block
+  cidr_block = "172.16.0.0/16"
   tags       = local.tags
 }
 
 module "subnets" {
-  source               = "git::https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=tags/0.18.1"
+  source               = "git::https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=tags/0.19.0"
   availability_zones   = var.availability_zones
   namespace            = var.namespace
   stage                = var.stage
@@ -42,21 +52,32 @@ module "subnets" {
 }
 
 module "eks_cluster" {
-  source                = "git::https://github.com/cloudposse/terraform-aws-eks-cluster.git?ref=tags/0.16.0"
-  namespace             = var.namespace
-  stage                 = var.stage
-  name                  = var.name
-  attributes            = var.attributes
-  tags                  = var.tags
-  region                = var.region
-  vpc_id                = module.vpc.vpc_id
-  subnet_ids            = module.subnets.public_subnet_ids
-  kubernetes_version    = var.kubernetes_version
-  kubeconfig_path       = var.kubeconfig_path
-  oidc_provider_enabled = var.oidc_provider_enabled
+  source                       = "git::https://github.com/cloudposse/terraform-aws-eks-cluster.git?ref=tags/0.24.0"
+  namespace                    = var.namespace
+  stage                        = var.stage
+  name                         = var.name
+  attributes                   = var.attributes
+  tags                         = var.tags
+  region                       = var.region
+  vpc_id                       = module.vpc.vpc_id
+  subnet_ids                   = module.subnets.public_subnet_ids
+  kubernetes_version           = var.kubernetes_version
+  local_exec_interpreter       = var.local_exec_interpreter
+  oidc_provider_enabled        = var.oidc_provider_enabled
+  enabled_cluster_log_types    = var.enabled_cluster_log_types
+  cluster_log_retention_period = var.cluster_log_retention_period
+}
 
-  workers_role_arns          = [module.eks_node_group.eks_node_group_role_arn]
-  workers_security_group_ids = []
+# Ensure ordering of resource creation to eliminate the race conditions when applying the Kubernetes Auth ConfigMap.
+# Do not create Node Group before the EKS cluster is created and the `aws-auth` Kubernetes ConfigMap is applied.
+# Otherwise, EKS will create the ConfigMap first and add the managed node role ARNs to it,
+# and the kubernetes provider will throw an error that the ConfigMap already exists (because it can't update the map, only create it).
+# If we create the ConfigMap first (to add additional roles/users/accounts), EKS will just update it by adding the managed node role ARNs.
+data "null_data_source" "wait_for_cluster_and_kubernetes_configmap" {
+  inputs = {
+    cluster_name             = module.eks_cluster.eks_cluster_id
+    kubernetes_config_map_id = module.eks_cluster.kubernetes_config_map_id
+  }
 }
 
 module "eks_node_group" {
@@ -67,11 +88,11 @@ module "eks_node_group" {
   attributes         = var.attributes
   tags               = var.tags
   subnet_ids         = module.subnets.public_subnet_ids
+  cluster_name       = data.null_data_source.wait_for_cluster_and_kubernetes_configmap.outputs["cluster_name"]
   instance_types     = var.instance_types
   desired_size       = var.desired_size
   min_size           = var.min_size
   max_size           = var.max_size
-  cluster_name       = module.eks_cluster.eks_cluster_id
   kubernetes_version = var.kubernetes_version
   kubernetes_labels  = var.kubernetes_labels
   disk_size          = var.disk_size
 
@@ -13,6 +13,21 @@ output "vpc_cidr" {
   description = "VPC ID"
 }
 
+output "eks_cluster_security_group_id" {
+  description = "ID of the EKS cluster Security Group"
+  value       = module.eks_cluster.security_group_id
+}
+
+output "eks_cluster_security_group_arn" {
+  description = "ARN of the EKS cluster Security Group"
+  value       = module.eks_cluster.security_group_arn
+}
+
+output "eks_cluster_security_group_name" {
+  description = "Name of the EKS cluster Security Group"
+  value       = module.eks_cluster.security_group_name
+}
+
 output "eks_cluster_id" {
   description = "The name of the cluster"
   value       = module.eks_cluster.eks_cluster_id
@@ -38,6 +53,11 @@ output "eks_cluster_identity_oidc_issuer" {
   value       = module.eks_cluster.eks_cluster_identity_oidc_issuer
 }
 
+output "eks_cluster_managed_security_group_id" {
+  description = "Security Group ID that was created by EKS for the cluster. EKS creates a Security Group and applies it to ENI that is attached to EKS Control Plane master nodes and to any managed workloads"
+  value       = module.eks_cluster.eks_cluster_managed_security_group_id
+}
+
 output "eks_node_group_role_arn" {
   description = "ARN of the worker nodes IAM role"
   value       = module.eks_node_group.eks_node_group_role_arn