enable eks auto mode

Author: sohanyadav

.gitignore

@@ -20,4 +20,5 @@ eks/kubeconfig.yaml
 *~
 
 .idea/
-.terraform.lock.hcl
+.terraform.lock.hcl
+*/kubeconfig

cluster.tf

@@ -38,6 +38,34 @@ resource "aws_eks_cluster" "cluster" {
       }
     }
   }
+  bootstrap_self_managed_addons = var.eks_auto_mode_enabled == true ? false : true
+  # Compute Config (conditional setup for Auto Mode)
+  dynamic "compute_config" {
+    for_each = var.eks_auto_mode_enabled ? [1] : []
+    content {
+      enabled       = true
+      node_pools    = ["general-purpose"]
+      node_role_arn = aws_iam_role.eks_auto[0].arn
+    }
+  }
+  # Kubernetes Network Config (Auto Mode specific)
+  dynamic "kubernetes_network_config" {
+    for_each = var.eks_auto_mode_enabled ? [1] : []
+    content {
+      elastic_load_balancing {
+        enabled = true
+      }
+    }
+  }
+  # Storage Config (Auto Mode specific)
+  dynamic "storage_config" {
+    for_each = var.eks_auto_mode_enabled ? [1] : []
+    content {
+      block_storage {
+        enabled = true
+      }
+    }
+  }
   enabled_cluster_log_types = var.cluster_logging
 
   depends_on = [
@@ -76,20 +104,31 @@ data "tls_certificate" "cluster" {
 resource "aws_iam_role" "cluster" {
   name = "${var.environment_name}-cluster"
 
-  assume_role_policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "Service": "eks.amazonaws.com"
-      },
-      "Action": "sts:AssumeRole"
-    }
-  ]
-}
-POLICY
+  assume_role_policy = var.eks_auto_mode_enabled == false ? jsonencode({
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        Service = "eks.amazonaws.com"
+      }
+    }]
+    Version = "2012-10-17"
+    }) : jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Sid" : "EKSClusterAssumeRole",
+        "Effect" : "Allow",
+        "Principal" : {
+          "Service" : "eks.amazonaws.com"
+        },
+        "Action" : [
+          "sts:TagSession",
+          "sts:AssumeRole"
+        ]
+      }
+    ]
+  })
 
   tags = local.tags
 }

examples/eks/kubeconfig

@@ -0,0 +1,32 @@
+apiVersion: v1
+clusters:
+- cluster:
+    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURCVENDQWUyZ0F3SUJBZ0lJVFBjWnMrZUlGRTh3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TlRBeE1UWXdPRE01TURaYUZ3MHpOVEF4TVRRd09EUTBNRFphTUJVeApFekFSQmdOVkJBTVRDbXQxWW1WeWJtVjBaWE13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLCkFvSUJBUUNuR0ZSNmg3eFBkMUYycWRRNGhST1BwV3g3TUlyN1p4T1N4ZWU5b0lUelEvTHFmNWMxUmJnb21PZUIKZUFidlR3ajc3bk1pY1Y5QkNTMFE3SU9QQ05jRFNwZ3l0U05DY1g0SUdvUFBWcmgzSHBOS0E3VjVlbTFJVEIvOAo4YTd5L0NGaitoekt5MldpN2JCWkZmSDBaUkRZdGxCTklsdE5KREI4d1UwS09TYWV0WjhPTFI2R0pjQ3plbUhtCmk4cUVzVXJoN2pscHNnTThxL2ZuSzhyajJUY0JRazVmVkZFdXRLeGZUZXlaR0t2Tm8wOHZUS0xkMkQ0MHZZdk0KMmsrZU1uR0hmYnEzVjFESUJTOHdiTEMvdTM2NGdZT3B4RW5zL2lxZi9uQzBzUWJpL0psYTlNd0t1ZXQ1YzhRagpGbmNsZWU4UDNBS0I3Yk1tQ1lxeDc1ZHQ4bnVkQWdNQkFBR2pXVEJYTUE0R0ExVWREd0VCL3dRRUF3SUNwREFQCkJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJUMVpOWlNDL3hLSnhZZG1oU0VYNWFlZ0tzNjJUQVYKQmdOVkhSRUVEakFNZ2dwcmRXSmxjbTVsZEdWek1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQ1hKcW4zNjNFWgppSzhiVm1vam5MQVNYWG9adGNrRFB6L0ozTUMxZlNUdW1mTWNpeGtSd3hUQ2QyaDhaUngvMEsvVG5KcVAxVlVPCjYrTjAvbVJLb0NGVnFCZlJ0bkJXdzB3SU5FMzdqRmNJYjRub202NzdVVzIwOHFNNGhYM2FpZnp0RTZBd1ducEYKSVUyblNXUElyVEdJb0lYdGltRi9wMFF4TXhiMGdHbFZGYVFjWmhsMzErNzJZdWpDOStKVDJzdWFLd1ZWSDRLSwozWEgySGlEbzQzckY3eGtJeUllaXZmMUNFWTBET1hRd1YwS0hwKzNVeTZuS0hBcjVCUlpMdDlyNkJUY3hSa25iCnpVU0xyUENQMW5LU0dqV0h6NStVTFZqSVUyYUVVNVJ1K1BhUnpTZ1VHVHdIa0lDSU8wVjJMRko3c3JYM1lTK3AKTWU5aWJWcFk1VjEyCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+    server: https://C6D3754A9A424C41D2F00D4CBEF31519.gr7.us-east-1.eks.amazonaws.com
+  name: arn:aws:eks:us-east-1:908027411800:cluster/auguria-pj5za11
+contexts:
+- context:
+    cluster: arn:aws:eks:us-east-1:908027411800:cluster/auguria-pj5za11
+    user: arn:aws:eks:us-east-1:908027411800:cluster/auguria-pj5za11
+  name: arn:aws:eks:us-east-1:908027411800:cluster/auguria-pj5za11
+current-context: arn:aws:eks:us-east-1:908027411800:cluster/auguria-pj5za11
+kind: Config
+preferences: {}
+users:
+- name: arn:aws:eks:us-east-1:908027411800:cluster/auguria-pj5za11
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      args:
+      - --region
+      - us-east-1
+      - eks
+      - get-token
+      - --cluster-name
+      - auguria-pj5za11
+      - --output
+      - json
+      command: aws
+      env:
+      - name: AWS_PROFILE
+        value: auguria-pj5za

examples/eks/main.tf

@@ -35,7 +35,7 @@ module "opszero-eks" {
     "us-east-1b"
   ]
 
-  cluster_version  = "1.27"
+  cluster_version  = "1.31"
   environment_name = local.environment_name
   iam_users = {
     "abhi@opszero.com" = {
@@ -105,5 +105,4 @@ module "helm-common" {
 
   nginx_min_replicas = 1
   nginx_max_replicas = 3
-}
-
+}

karpenter.tf

@@ -87,13 +87,13 @@ spec:
     httpPutResponseHopLimit: ${var.karpenter_metadata_options.httpPutResponseHopLimit}
     httpTokens: ${var.karpenter_metadata_options.httpTokens}
   blockDeviceMappings:
-  %{ for mapping in var.karpenter_block_device_mappings }
+  %{for mapping in var.karpenter_block_device_mappings}
     - deviceName: ${mapping.deviceName}
       ebs:
         volumeSize: ${mapping.ebs.volumeSize}
         volumeType: ${mapping.ebs.volumeType}
         encrypted: ${mapping.ebs.encrypted}
-  %{ endfor }
+  %{endfor}
   amiFamily: ${var.karpenter_ami_family}
   role: ${aws_iam_role.node.name}
   securityGroupSelectorTerms:
@@ -102,9 +102,9 @@ spec:
   - id: ${aws_subnet.public[0].id}
   - id: ${aws_subnet.public[1].id}
   amiSelectorTerms:
-  %{ for term in var.karpenter_ami_selector_terms }
+  %{for term in var.karpenter_ami_selector_terms}
     - alias: ${term.alias}
-  %{ endfor }
+  %{endfor}
 EOT
 
   depends_on = [

node_role.tf

@@ -30,6 +30,11 @@ resource "aws_iam_role_policy_attachment" "node-AmazonEC2ContainerRegistryReadOn
   role       = aws_iam_role.node.name
 }
 
+resource "aws_iam_role_policy_attachment" "node_AmazonEKSWorkerNodeMinimalPolicy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodeMinimalPolicy"
+  role       = aws_iam_role.node.name
+}
+
 resource "aws_iam_role_policy_attachment" "node_role_policies" {
   count      = length(var.node_role_policies)
   policy_arn = var.node_role_policies[count.index]
@@ -74,3 +79,207 @@ resource "aws_iam_instance_profile" "node" {
   role = aws_iam_role.node.name
   tags = local.tags
 }
+
+resource "aws_iam_role" "eks_auto" {
+  count = var.eks_auto_mode_enabled ? 1 : 0
+  name  = "${var.environment_name}-eks-auto-mode-node"
+
+  assume_role_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Sid" : "EKSAutoNodeAssumeRole",
+        "Effect" : "Allow",
+        "Principal" : {
+          "Service" : "ec2.amazonaws.com"
+        },
+        "Action" : [
+          "sts:TagSession",
+          "sts:AssumeRole"
+        ]
+      }
+    ]
+  })
+
+  tags = local.tags
+}
+
+locals {
+  iam_role_policy_prefix = "arn:${local.partition}:iam::aws:policy"
+  # EKS cluster with EKS auto mode enabled
+  eks_auto_mode_iam_role_policies = { for k, v in {
+    AmazonEKSClusterPolicy       = "${local.iam_role_policy_prefix}/AmazonEKSClusterPolicy"
+    AmazonEKSComputePolicy       = "${local.iam_role_policy_prefix}/AmazonEKSComputePolicy"
+    AmazonEKSBlockStoragePolicy  = "${local.iam_role_policy_prefix}/AmazonEKSBlockStoragePolicy"
+    AmazonEKSLoadBalancingPolicy = "${local.iam_role_policy_prefix}/AmazonEKSLoadBalancingPolicy"
+    AmazonEKSNetworkingPolicy    = "${local.iam_role_policy_prefix}/AmazonEKSNetworkingPolicy"
+  } : k => v if var.eks_auto_mode_enabled }
+}
+
+resource "aws_iam_role_policy_attachment" "this" {
+  for_each = { for k, v in {
+    AmazonEKSWorkerNodeMinimalPolicy   = "${local.iam_role_policy_prefix}/AmazonEKSWorkerNodeMinimalPolicy",
+    AmazonEC2ContainerRegistryPullOnly = "${local.iam_role_policy_prefix}/AmazonEC2ContainerRegistryPullOnly",
+  } : k => v if var.eks_auto_mode_enabled }
+
+  policy_arn = each.value
+  role       = aws_iam_role.eks_auto[0].name
+}
+
+resource "aws_iam_role_policy_attachment" "cluster" {
+  for_each = { for k, v in merge(
+    local.eks_auto_mode_iam_role_policies,
+  ) : k => v if var.eks_auto_mode_enabled }
+
+  policy_arn = each.value
+  role       = aws_iam_role.cluster.name
+}
+
+data "aws_iam_policy_document" "custom" {
+  count = var.eks_auto_mode_enabled ? 1 : 0
+
+  dynamic "statement" {
+    for_each = var.eks_auto_mode_enabled ? [1] : []
+
+    content {
+      sid = "Compute"
+      actions = [
+        "ec2:CreateFleet",
+        "ec2:RunInstances",
+        "ec2:CreateLaunchTemplate",
+      ]
+      resources = ["*"]
+
+      condition {
+        test     = "StringEquals"
+        variable = "aws:RequestTag/eks:eks-cluster-name"
+        values   = ["$${aws:PrincipalTag/eks:eks-cluster-name}"]
+      }
+
+      condition {
+        test     = "StringLike"
+        variable = "aws:RequestTag/eks:kubernetes-node-class-name"
+        values   = ["*"]
+      }
+
+      condition {
+        test     = "StringLike"
+        variable = "aws:RequestTag/eks:kubernetes-node-pool-name"
+        values   = ["*"]
+      }
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.eks_auto_mode_enabled ? [1] : []
+
+    content {
+      sid = "Storage"
+      actions = [
+        "ec2:CreateVolume",
+        "ec2:CreateSnapshot",
+      ]
+      resources = [
+        "arn:${local.partition}:ec2:*:*:volume/*",
+        "arn:${local.partition}:ec2:*:*:snapshot/*",
+      ]
+
+      condition {
+        test     = "StringEquals"
+        variable = "aws:RequestTag/eks:eks-cluster-name"
+        values   = ["$${aws:PrincipalTag/eks:eks-cluster-name}"]
+      }
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.eks_auto_mode_enabled ? [1] : []
+
+    content {
+      sid       = "Networking"
+      actions   = ["ec2:CreateNetworkInterface"]
+      resources = ["*"]
+
+      condition {
+        test     = "StringEquals"
+        variable = "aws:RequestTag/eks:eks-cluster-name"
+        values   = ["$${aws:PrincipalTag/eks:eks-cluster-name}"]
+      }
+
+      condition {
+        test     = "StringEquals"
+        variable = "aws:RequestTag/eks:kubernetes-cni-node-name"
+        values   = ["*"]
+      }
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.eks_auto_mode_enabled ? [1] : []
+
+    content {
+      sid = "LoadBalancer"
+      actions = [
+        "elasticloadbalancing:CreateLoadBalancer",
+        "elasticloadbalancing:CreateTargetGroup",
+        "elasticloadbalancing:CreateListener",
+        "elasticloadbalancing:CreateRule",
+        "ec2:CreateSecurityGroup",
+      ]
+      resources = ["*"]
+
+      condition {
+        test     = "StringEquals"
+        variable = "aws:RequestTag/eks:eks-cluster-name"
+        values   = ["$${aws:PrincipalTag/eks:eks-cluster-name}"]
+      }
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.eks_auto_mode_enabled ? [1] : []
+
+    content {
+      sid       = "ShieldProtection"
+      actions   = ["shield:CreateProtection"]
+      resources = ["*"]
+
+      condition {
+        test     = "StringEquals"
+        variable = "aws:RequestTag/eks:eks-cluster-name"
+        values   = ["$${aws:PrincipalTag/eks:eks-cluster-name}"]
+      }
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.eks_auto_mode_enabled ? [1] : []
+
+    content {
+      sid       = "ShieldTagResource"
+      actions   = ["shield:TagResource"]
+      resources = ["arn:${local.partition}:shield::*:protection/*"]
+
+      condition {
+        test     = "StringEquals"
+        variable = "aws:RequestTag/eks:eks-cluster-name"
+        values   = ["$${aws:PrincipalTag/eks:eks-cluster-name}"]
+      }
+    }
+  }
+}
+
+resource "aws_iam_policy" "custom" {
+  count = var.eks_auto_mode_enabled ? 1 : 0
+
+  name   = "${var.environment_name}-eks-auto-mode-cluster"
+  policy = data.aws_iam_policy_document.custom[0].json
+
+}
+
+resource "aws_iam_role_policy_attachment" "custom" {
+  count = var.eks_auto_mode_enabled ? 1 : 0
+
+  policy_arn = aws_iam_policy.custom[0].arn
+  role       = aws_iam_role.cluster.name
+}