feat: Add support for region argument on relevant resources

Author: bryantbiggs

README.md

@@ -443,7 +443,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
 | <a name="input_kms_key_service_users"></a> [kms\_key\_service\_users](#input\_kms\_key\_service\_users) | A list of IAM ARNs for [key service users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-service-integration) | `list(string)` | `[]` | no |
 | <a name="input_kms_key_source_policy_documents"></a> [kms\_key\_source\_policy\_documents](#input\_kms\_key\_source\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s | `list(string)` | `[]` | no |
 | <a name="input_kms_key_users"></a> [kms\_key\_users](#input\_kms\_key\_users) | A list of IAM ARNs for [key users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-users) | `list(string)` | `[]` | no |
-| <a name="input_kubernetes_version"></a> [kubernetes\_version](#input\_kubernetes\_version) | Kubernetes `<major>.<minor>` version to use for the EKS cluster (i.e.: `1.27`) | `string` | `null` | no |
+| <a name="input_kubernetes_version"></a> [kubernetes\_version](#input\_kubernetes\_version) | Kubernetes `<major>.<minor>` version to use for the EKS cluster (i.e.: `1.33`) | `string` | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name of the EKS cluster | `string` | `""` | no |
 | <a name="input_node_iam_role_additional_policies"></a> [node\_iam\_role\_additional\_policies](#input\_node\_iam\_role\_additional\_policies) | Additional policies to be added to the EKS Auto node IAM role | `map(string)` | `{}` | no |
 | <a name="input_node_iam_role_description"></a> [node\_iam\_role\_description](#input\_node\_iam\_role\_description) | Description of the EKS Auto node IAM role | `string` | `null` | no |
@@ -463,6 +463,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
 | <a name="input_outpost_config"></a> [outpost\_config](#input\_outpost\_config) | Configuration for the AWS Outpost to provision the cluster on | <pre>object({<br/>    control_plane_instance_type = optional(string)<br/>    control_plane_placement = optional(object({<br/>      group_name = string<br/>    }))<br/>    outpost_arns = list(string)<br/>  })</pre> | `null` | no |
 | <a name="input_prefix_separator"></a> [prefix\_separator](#input\_prefix\_separator) | The separator to use between the prefix and the generated timestamp for resource names | `string` | `"-"` | no |
 | <a name="input_putin_khuylo"></a> [putin\_khuylo](#input\_putin\_khuylo) | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! | `bool` | `true` | no |
+| <a name="input_region"></a> [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no |
 | <a name="input_remote_network_config"></a> [remote\_network\_config](#input\_remote\_network\_config) | Configuration block for the cluster remote network configuration | <pre>object({<br/>    remote_node_networks = object({<br/>      cidrs = optional(list(string))<br/>    })<br/>    remote_pod_networks = optional(object({<br/>      cidrs = optional(list(string))<br/>    }))<br/>  })</pre> | `null` | no |
 | <a name="input_security_group_additional_rules"></a> [security\_group\_additional\_rules](#input\_security\_group\_additional\_rules) | List of additional security group rules to add to the cluster security group created. Set `source_node_security_group = true` inside rules to set the `node_security_group` as source | <pre>map(object({<br/>    protocol                   = optional(string, "tcp")<br/>    from_port                  = number<br/>    to_port                    = number<br/>    type                       = optional(string, "ingress")<br/>    description                = optional(string)<br/>    cidr_blocks                = optional(list(string))<br/>    ipv6_cidr_blocks           = optional(list(string))<br/>    prefix_list_ids            = optional(list(string))<br/>    self                       = optional(bool)<br/>    source_node_security_group = optional(bool, false)<br/>    source_security_group_id   = optional(string)<br/>  }))</pre> | `{}` | no |
 | <a name="input_security_group_description"></a> [security\_group\_description](#input\_security\_group\_description) | Description of the cluster security group created | `string` | `"EKS cluster security group"` | no |

docs/UPGRADE-21.0.md

@@ -0,0 +1,73 @@
+# Upgrade from v20.x to v21.x
+
+If you have any questions regarding this upgrade process, please consult the [`examples`](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples) directory:
+If you find a bug, please open an issue with supporting configuration to reproduce.
+
+## List of backwards incompatible changes
+
+- Terraform `v1.5.7` is now minimum supported version
+- AWS provider `v6.0.0` is now minimum supported version
+
+## Additional changes
+
+### Added
+
+- Support for `region` parameter to specify the AWS region for the resources created if different from the provider region.
+
+### Modified
+
+- Variable definitions now contain detailed `object` types in place of the previously used any type.
+
+### Variable and output changes
+
+1. Removed variables:
+
+    -
+
+2. Renamed variables:
+
+    -
+
+3. Added variables:
+
+    -
+
+4. Removed outputs:
+
+    -
+
+5. Renamed outputs:
+
+    -
+
+6. Added outputs:
+
+    -
+
+## Upgrade Migrations
+
+### Before 20.x Example
+
+```hcl
+module "eks" {
+  source  = "terraform-aws-modules/eks/aws"
+  version = "~> 20.0"
+
+  # Truncated for brevity ...
+
+}
+```
+
+### After 21.x Example
+
+```hcl
+module "eks" {
+  source  = "terraform-aws-modules/eks/aws"
+  version = "~> 21.0"
+
+  # Truncated for brevity ...
+
+}
+```
+
+### State Changes

main.tf

@@ -36,6 +36,8 @@ locals {
 resource "aws_eks_cluster" "this" {
   count = local.create ? 1 : 0
 
+  region = var.region
+
   name                          = var.name
   role_arn                      = local.role_arn
   version                       = var.kubernetes_version
@@ -210,6 +212,8 @@ resource "aws_ec2_tag" "cluster_primary_security_group" {
     k => v if local.create && k != "Name" && var.create_primary_security_group_tags
   }
 
+  region = var.region
+
   resource_id = aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id
   key         = each.key
   value       = each.value
@@ -218,6 +222,8 @@ resource "aws_ec2_tag" "cluster_primary_security_group" {
 resource "aws_cloudwatch_log_group" "this" {
   count = local.create && var.create_cloudwatch_log_group ? 1 : 0
 
+  region = var.region
+
   name              = "/aws/eks/${var.name}/cluster"
   retention_in_days = var.cloudwatch_log_group_retention_in_days
   kms_key_id        = var.cloudwatch_log_group_kms_key_id
@@ -283,6 +289,8 @@ locals {
 resource "aws_eks_access_entry" "this" {
   for_each = { for k, v in local.merged_access_entries : k => v if local.create }
 
+  region = var.region
+
   cluster_name      = aws_eks_cluster.this[0].id
   kubernetes_groups = try(each.value.kubernetes_groups, null)
   principal_arn     = each.value.principal_arn
@@ -298,6 +306,8 @@ resource "aws_eks_access_entry" "this" {
 resource "aws_eks_access_policy_association" "this" {
   for_each = { for k, v in local.flattened_access_entries : "${v.entry_key}_${v.pol_key}" => v if local.create }
 
+  region = var.region
+
   access_scope {
     namespaces = each.value.association_access_scope_namespaces
     type       = each.value.association_access_scope_type
@@ -323,6 +333,8 @@ module "kms" {
 
   create = local.create && var.create_kms_key && local.enable_encryption_config # not valid on Outposts
 
+  region = var.region
+
   description             = coalesce(var.kms_key_description, "${var.name} cluster encryption key")
   key_usage               = "ENCRYPT_DECRYPT"
   deletion_window_in_days = var.kms_key_deletion_window_in_days
@@ -377,6 +389,8 @@ locals {
 resource "aws_security_group" "cluster" {
   count = local.create_security_group ? 1 : 0
 
+  region = var.region
+
   name        = var.security_group_use_name_prefix ? null : local.security_group_name
   name_prefix = var.security_group_use_name_prefix ? "${local.security_group_name}${var.prefix_separator}" : null
   description = var.security_group_description
@@ -399,6 +413,8 @@ resource "aws_security_group_rule" "cluster" {
     var.security_group_additional_rules
   ) : k => v if local.create_security_group }
 
+  region = var.region
+
   security_group_id        = aws_security_group.cluster[0].id
   protocol                 = each.value.protocol
   from_port                = each.value.from_port
@@ -734,6 +750,8 @@ resource "aws_iam_role_policy_attachment" "custom" {
 data "aws_eks_addon_version" "this" {
   for_each = var.addons != null && local.create && !local.create_outposts_local_cluster ? var.addons : {}
 
+  region = var.region
+
   addon_name         = coalesce(each.value.name, each.key)
   kubernetes_version = coalesce(var.kubernetes_version, aws_eks_cluster.this[0].version)
   most_recent        = each.value.most_recent
@@ -743,6 +761,8 @@ resource "aws_eks_addon" "this" {
   # Not supported on outposts
   for_each = var.addons != null && local.create && !local.create_outposts_local_cluster ? { for k, v in var.addons : k => v if !v.before_compute } : {}
 
+  region = var.region
+
   cluster_name = aws_eks_cluster.this[0].id
   addon_name   = coalesce(each.value.name, each.key)
 
@@ -786,6 +806,8 @@ resource "aws_eks_addon" "before_compute" {
   # Not supported on outposts
   for_each = var.addons != null && local.create && !local.create_outposts_local_cluster ? { for k, v in var.addons : k => v if v.before_compute } : {}
 
+  region = var.region
+
   cluster_name = aws_eks_cluster.this[0].id
   addon_name   = coalesce(each.value.name, each.key)
 
@@ -826,6 +848,8 @@ resource "aws_eks_addon" "before_compute" {
 resource "aws_eks_identity_provider_config" "this" {
   for_each = var.identity_providers != null && local.create && !local.create_outposts_local_cluster ? var.identity_providers : {}
 
+  region = var.region
+
   cluster_name = aws_eks_cluster.this[0].id
 
   oidc {

modules/eks-managed-node-group/README.md

@@ -177,6 +177,7 @@ module "eks_managed_node_group" {
 | <a name="input_pre_bootstrap_user_data"></a> [pre\_bootstrap\_user\_data](#input\_pre\_bootstrap\_user\_data) | User data that is injected into the user data script ahead of the EKS bootstrap script. Not used when `ami_type` = `BOTTLEROCKET_*` | `string` | `""` | no |
 | <a name="input_private_dns_name_options"></a> [private\_dns\_name\_options](#input\_private\_dns\_name\_options) | The options for the instance hostname. The default values are inherited from the subnet | <pre>object({<br/>    enable_resource_name_dns_aaaa_record = optional(bool)<br/>    enable_resource_name_dns_a_record    = optional(bool)<br/>    hostname_type                        = optional(string)<br/>  })</pre> | `null` | no |
 | <a name="input_ram_disk_id"></a> [ram\_disk\_id](#input\_ram\_disk\_id) | The ID of the ram disk | `string` | `null` | no |
+| <a name="input_region"></a> [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no |
 | <a name="input_remote_access"></a> [remote\_access](#input\_remote\_access) | Configuration block with remote access settings. Only valid when `use_custom_launch_template` = `false` | <pre>object({<br/>    ec2_ssh_key               = optional(string)<br/>    source_security_group_ids = optional(list(string))<br/>  })</pre> | `null` | no |
 | <a name="input_security_group_description"></a> [security\_group\_description](#input\_security\_group\_description) | Description of the security group created | `string` | `null` | no |
 | <a name="input_security_group_egress_rules"></a> [security\_group\_egress\_rules](#input\_security\_group\_egress\_rules) | Security group egress rules to add to the security group created | <pre>map(object({<br/>    name = optional(string)<br/><br/>    cidr_ipv4                    = optional(string)<br/>    cidr_ipv6                    = optional(string)<br/>    description                  = optional(string)<br/>    from_port                    = optional(string)<br/>    ip_protocol                  = optional(string, "tcp")<br/>    prefix_list_id               = optional(string)<br/>    referenced_security_group_id = optional(string)<br/>    self                         = optional(bool, false)<br/>    tags                         = optional(map(string), {})<br/>    to_port                      = optional(string)<br/>  }))</pre> | `{}` | no |

modules/eks-managed-node-group/main.tf

@@ -43,6 +43,8 @@ module "user_data" {
 data "aws_ec2_instance_type" "this" {
   count = var.create && var.enable_efa_support ? 1 : 0
 
+  region = var.region
+
   instance_type = local.efa_instance_type
 }
 
@@ -78,6 +80,8 @@ locals {
 resource "aws_launch_template" "this" {
   count = var.create && var.create_launch_template && var.use_custom_launch_template ? 1 : 0
 
+  region = var.region
+
   dynamic "block_device_mappings" {
     for_each = var.block_device_mappings != null ? var.block_device_mappings : {}
 
@@ -364,6 +368,8 @@ resource "aws_launch_template" "this" {
 data "aws_eks_cluster_versions" "this" {
   count = var.create && var.kubernetes_version == null ? 1 : 0
 
+  region = var.region
+
   cluster_type   = "eks"
   version_status = "STANDARD_SUPPORT"
 }
@@ -405,6 +411,8 @@ locals {
 data "aws_ssm_parameter" "ami" {
   count = var.create && var.use_latest_ami_release_version ? 1 : 0
 
+  region = var.region
+
   name = local.ssm_ami_type_to_ssm_param[var.ami_type]
 }
 
@@ -421,6 +429,8 @@ locals {
 resource "aws_eks_node_group" "this" {
   count = var.create ? 1 : 0
 
+  region = var.region
+
   # Required
   cluster_name  = var.cluster_name
   node_role_arn = var.create_iam_role ? aws_iam_role.this[0].arn : var.iam_role_arn
@@ -658,6 +668,8 @@ locals {
 resource "aws_placement_group" "this" {
   count = local.create_placement_group ? 1 : 0
 
+  region = var.region
+
   name     = "${var.cluster_name}-${var.name}"
   strategy = "cluster"
 
@@ -701,12 +713,16 @@ locals {
 data "aws_subnet" "this" {
   count = local.create_security_group ? 1 : 0
 
+  region = var.region
+
   id = element(var.subnet_ids, 0)
 }
 
 resource "aws_security_group" "this" {
   count = local.create_security_group ? 1 : 0
 
+  region = var.region
+
   name        = var.security_group_use_name_prefix ? null : local.security_group_name
   name_prefix = var.security_group_use_name_prefix ? "${local.security_group_name}-" : null
   description = var.security_group_description
@@ -726,6 +742,8 @@ resource "aws_security_group" "this" {
 resource "aws_vpc_security_group_ingress_rule" "this" {
   for_each = { for k, v in local.security_group_ingress_rules : k => v if length(local.security_group_ingress_rules) > 0 && local.create_security_group }
 
+  region = var.region
+
   cidr_ipv4                    = each.value.cidr_ipv4
   cidr_ipv6                    = each.value.cidr_ipv6
   description                  = each.value.description
@@ -746,6 +764,8 @@ resource "aws_vpc_security_group_ingress_rule" "this" {
 resource "aws_vpc_security_group_egress_rule" "this" {
   for_each = { for k, v in local.security_group_egress_rules : k => v if length(local.security_group_egress_rules) > 0 && local.create_security_group }
 
+  region = var.region
+
   cidr_ipv4                    = each.value.cidr_ipv4
   cidr_ipv6                    = each.value.cidr_ipv6
   description                  = each.value.description

modules/eks-managed-node-group/variables.tf

@@ -11,6 +11,12 @@ variable "tags" {
   default     = {}
 }
 
+variable "region" {
+  description = "Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration"
+  type        = string
+  default     = null
+}
+
 variable "partition" {
   description = "The AWS partition - pass through value to reduce number of GET requests from data sources"
   type        = string

modules/fargate-profile/README.md

@@ -78,6 +78,7 @@ No modules.
 | <a name="input_iam_role_use_name_prefix"></a> [iam\_role\_use\_name\_prefix](#input\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`iam_role_name`) is used as a prefix | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name of the EKS Fargate Profile | `string` | `""` | no |
 | <a name="input_partition"></a> [partition](#input\_partition) | The AWS partition - pass through value to reduce number of GET requests from data sources | `string` | `""` | no |
+| <a name="input_region"></a> [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no |
 | <a name="input_selectors"></a> [selectors](#input\_selectors) | Configuration block(s) for selecting Kubernetes Pods to execute with this Fargate Profile | <pre>list(object({<br/>    labels    = optional(map(string))<br/>    namespace = string<br/>  }))</pre> | `null` | no |
 | <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | A list of subnet IDs for the EKS Fargate Profile | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |

modules/fargate-profile/main.tf

@@ -1,5 +1,7 @@
 data "aws_region" "current" {
   count = var.create ? 1 : 0
+
+  region = var.region
 }
 data "aws_partition" "current" {
   count = var.create && var.partition == "" ? 1 : 0
@@ -159,6 +161,8 @@ resource "aws_iam_role_policy" "this" {
 resource "aws_eks_fargate_profile" "this" {
   count = var.create ? 1 : 0
 
+  region = var.region
+
   cluster_name           = var.cluster_name
   fargate_profile_name   = var.name
   pod_execution_role_arn = var.create_iam_role ? aws_iam_role.this[0].arn : var.iam_role_arn

modules/fargate-profile/variables.tf

@@ -11,6 +11,12 @@ variable "tags" {
   default     = {}
 }
 
+variable "region" {
+  description = "Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration"
+  type        = string
+  default     = null
+}
+
 variable "partition" {
   description = "The AWS partition - pass through value to reduce number of GET requests from data sources"
   type        = string

modules/karpenter/README.md

@@ -168,6 +168,7 @@ No modules.
 | <a name="input_queue_kms_master_key_id"></a> [queue\_kms\_master\_key\_id](#input\_queue\_kms\_master\_key\_id) | The ID of an AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK | `string` | `null` | no |
 | <a name="input_queue_managed_sse_enabled"></a> [queue\_managed\_sse\_enabled](#input\_queue\_managed\_sse\_enabled) | Boolean to enable server-side encryption (SSE) of message content with SQS-owned encryption keys | `bool` | `true` | no |
 | <a name="input_queue_name"></a> [queue\_name](#input\_queue\_name) | Name of the SQS queue | `string` | `null` | no |
+| <a name="input_region"></a> [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no |
 | <a name="input_rule_name_prefix"></a> [rule\_name\_prefix](#input\_rule\_name\_prefix) | Prefix used for all event bridge rules | `string` | `"Karpenter"` | no |
 | <a name="input_service_account"></a> [service\_account](#input\_service\_account) | Service account to associate with the Karpenter Pod Identity | `string` | `"karpenter"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |