fix: Incorporate AWS provider v6.15 corrections for EKS Auto Mode to support enabling/disabling EKS Auto Mode without affecting non-Auto Mode users (#3526)
* fix: Raise min supported version of AWS provider for EKS Auto Mode corrections
* docs: Add note on encryption config settings
* fix: Revert forcing a value for all EKS Auto Mode fields now that provider handles this
README.md
+17 -3 (17 additions & 3 deletions)
@@ -28,6 +28,17 @@ Please note that we strive to provide a comprehensive suite of documentation for
28
28
29
29
### EKS Auto Mode
30
30
31
+
> [!CAUTION]
32
+
> Due to the current EKS Auto Mode API, to disable EKS Auto Mode you will have to explicity set:
33
+
>
34
+
>```hcl
35
+
>compute_config = {
36
+
> enabled = false
37
+
> }
38
+
>```
39
+
>
40
+
> If you try to disable by simply removing the `compute_config` block, this will fail to disble EKS Auto Mode. Only after applying with `enabled = false` can you then remove the `compute_config` block from your configurations.
41
+
31
42
```hcl
32
43
module "eks" {
33
44
source = "terraform-aws-modules/eks/aws"
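Review bot: Two typos in the added caution text: "explicity" should be "explicitly" and "disble" should be "disable". The quoted HCL inside the callout is also inconsistently prefixed: the fence and `compute_config = {` follow the `>` with no space, while `enabled = false` and `}` follow `> `, so the closing brace ends up indented deeper than the opening line and the fence may not render inside the callout. Use `> ` on every quoted line and indent only `enabled = false`.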
@@ -75,6 +86,9 @@ module "eks" {
75
86
76
87
# Create just the IAM resources for EKS Auto Mode for use with custom node pools
@@ -422,7 +436,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
422
436
| <aname="input_cloudwatch_log_group_retention_in_days"></a> [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days)| Number of days to retain log events. Default retention - 90 days |`number`|`90`| no |
423
437
| <aname="input_cloudwatch_log_group_tags"></a> [cloudwatch\_log\_group\_tags](#input\_cloudwatch\_log\_group\_tags)| A map of additional tags to add to the cloudwatch log group created |`map(string)`|`{}`| no |
424
438
| <aname="input_cluster_tags"></a> [cluster\_tags](#input\_cluster\_tags)| A map of additional tags to add to the cluster |`map(string)`|`{}`| no |
425
-
| <aname="input_compute_config"></a> [compute\_config](#input\_compute\_config)| Configuration block for the cluster compute configuration | <pre>object({<br/> enabled = optional(bool, false)<br/> node_pools = optional(list(string))<br/> node_role_arn = optional(string)<br/> })</pre> |`{}`| no |
439
+
| <aname="input_compute_config"></a> [compute\_config](#input\_compute\_config)| Configuration block for the cluster compute configuration | <pre>object({<br/> enabled = optional(bool, false)<br/> node_pools = optional(list(string))<br/> node_role_arn = optional(string)<br/> })</pre> |`null`| no |
426
440
| <aname="input_control_plane_subnet_ids"></a> [control\_plane\_subnet\_ids](#input\_control\_plane\_subnet\_ids)| A list of subnet IDs where the EKS cluster control plane (ENIs) will be provisioned. Used for expanding the pool of subnets used by nodes/node groups without replacing the EKS control plane |`list(string)`|`[]`| no |
427
441
| <aname="input_create"></a> [create](#input\_create)| Controls if resources should be created (affects nearly all resources) |`bool`|`true`| no |
428
442
| <aname="input_create_auto_mode_iam_resources"></a> [create\_auto\_mode\_iam\_resources](#input\_create\_auto\_mode\_iam\_resources)| Determines whether to create/attach IAM resources for EKS Auto Mode. Useful for when using only custom node pools and not built-in EKS Auto Mode node pools |`bool`|`false`| no |
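Review bot: The `compute_config` default moves from `{}` to `null` in the added table row, but the description is still "Configuration block for the cluster compute configuration" and says nothing about what `null` means. With a `null` default, the `optional(bool, false)` default on `enabled` is not applied when the input is unset, so any expression that dereferences the variable directly needs a null guard such as `try(var.compute_config.enabled, false)`. Please extend the description to state that `null` leaves the compute configuration unset, and that turning EKS Auto Mode off requires an explicit `enabled = false`, matching the caution added at the top of the README.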
docs/UPGRADE-21.0.md
+1 (1 addition & 0 deletions)
@@ -32,6 +32,7 @@ If you find a bug, please open an issue with supporting configuration to reprodu
32
32
-`addons.most_recent` is now set to `true` by default (was `false`).
33
33
-`cluster_identity_providers.issuer_url` is now required to be set by users; the prior incorrect default has been removed. See https://github.com/terraform-aws-modules/terraform-aws-eks/pull/3055 and https://github.com/kubernetes/kubernetes/pull/123561 for more details.
34
34
- The OIDC issuer URL for IAM roles for service accounts (IRSA) has been changed to use the new dual stack`oidc-eks` endpoint instead of `oidc.eks`. This is to align with https://github.com/aws/containers-roadmap/issues/2038#issuecomment-2278450601
35
+
- With the changes to the variable type definition for `encryption_config` (formerly `cluster_encryption_config`), if you wish to disable secret encryption with a custom KMS key you should set `encryption_config = null` (In `v20.x`, you would previously have set `encryption_config = {}` to achieve the same outcome). Secret encryption can no longer be disabled - it is either enabled by default with the AWS managed key (`encryption_config = null`), or with a custom KMS key ( either leaving as is by not specifying or passing your own custom key ARN). EKS now encrypts secrets at rest by default docs.aws.amazon.com/eks/latest/userguide/envelope-encryption.html and the default secret encryption w/ custom KMS key creation/usage by default was made years prior starting in version `v19.0` of this module. Removing this default behavior will be evaluated at the next breaking change given that secrets are now automatically encrypted at rest by AWS.
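Review bot: The added bullet contradicts itself on what `encryption_config = null` does. It opens by saying to set `null` "if you wish to disable secret encryption with a custom KMS key", then says "Secret encryption can no longer be disabled", and only the parenthetical makes clear that `null` means encryption with the AWS managed key. Suggest leading with the invariant (secrets are always encrypted at rest), then listing the two choices: `encryption_config = null` for the AWS managed key, or leaving the input unset or passing a key ARN for a custom KMS key. The AWS docs link is missing its `https://` scheme, unlike the links in the neighbouring bullets, and there is a stray space in "( either". Splitting this into two or three sentences would also make the `v20.x` to `v21` migration step (`{}` becomes `null`) easier to find.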