Skip to content

feat!: Upgrade min AWS provider and Terraform versions to 6.0 and 1.5.7 respectively #3412

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 26 commits into from
Jul 23, 2025
Merged

feat!: Upgrade min AWS provider and Terraform versions to 6.0 and 1.5.7 respectively #3412

merged 26 commits into from
Jul 23, 2025

Conversation

bryantbiggs
Copy link
Member

@bryantbiggs bryantbiggs commented Jul 9, 2025
edited
Loading

Description

List of backwards incompatible changes

  • Terraform v1.5.7 is now minimum supported version
  • AWS provider v6.0.0 is now minimum supported version
  • TLS provider v4.0.0 is now minimum supported version
  • The aws-auth sub-module has been removed. Users who wish to utilize its functionality can continue to do so by specifying a v20.x version, or ~> v20.0 version constraint in their module source.
  • bootstrap_self_managed_addons is now hardcoded to false. This is a legacy setting and instead users should utilize the EKS addons API, which is what this module does by default. In conjunction with this change, the bootstrap_self_managed_addons is now ignored by the module to aid in upgrading without disruption (otherwise it would require cluster re-creation).
  • When enabling enable_efa_support or creating placement groups within a node group, users must now specify the correct subnet_ids; the module no longer tries to automatically select a suitable subnet.
  • EKS managed node group:
    • IMDS now default to a hop limit of 1 (previously was 2)
    • ami_type now defaults to AL2023_x86_64_STANDARD
    • enable_monitoring is now set to false by default
    • enable_efa_only is now set to true by default
    • use_latest_ami_release_version is now set to true by default
    • Support for autoscaling group schedules has been removed
  • Self-managed node group:
    • IMDS now default to a hop limit of 1 (previously was 2)
    • ami_type now defaults to AL2023_x86_64_STANDARD
    • enable_monitoring is now set to false by default
    • enable_efa_only is now set to true by default
    • Support for autoscaling group schedules has been removed
  • Karpenter:
    • Native support for IAM roles for service accounts (IRSA) has been removed; EKS Pod Identity is now enabled by default
    • Karpenter controller policy for prior to Karpenter v1 have been removed (i.e. v0.33); the v1 policy is now used by default
    • create_pod_identity_association is now set to true by default
  • addons.resolve_conflicts_on_create is now set to "NONE" by default (was "OVERWRITE").
  • addons.most_recent is now set to true by default (was false).
  • cluster_identity_providers.issuer_url is now required to be set by users; the prior incorrect default has been removed. See feat: Starting with 1.30, do not use the cluster OIDC issuer URL by default in the identity provider config #3055 and Prevent conflicts between service account and jwt issuers kubernetes/kubernetes#123561 for more details.
  • The OIDC issuer URL for IAM roles for service accounts (IRSA) has been changed to use the new dual stackoidc-eks endpoint instead of oidc.eks. This is to align with [EKS] [request]: Support for OIDC endpoint with PrivateLink EKS VPC Endpoint aws/containers-roadmap#2038 (comment)

Additional changes

Added

  • Support for region parameter to specify the AWS region for the resources created if different from the provider region.
  • Both the EKS managed and self-managed node groups now support creating their own security groups (again). This is primarily motivated by the changes for EFA support; previously users would need to specify enable_efa_support both at the cluster level (to add the appropriate security group rules to the shared node security group) as well as the node group level. However, its not always desirable to have these rules across ALL node groups when they are really only required on the node group where EFA is utilized. And similarly for other use cases, users can create custom rules for a specific node group instead of apply across ALL node groups.

Modified

  • Variable definitions now contain detailed object types in place of the previously used any type.
  • The embedded KMS key module definition has been updated to v4.0 to support the same version requirements as well as the new region argument.

Variable and output changes

  1. Removed variables:

    • enable_efa_support - users only need to set this within the node group configuration, as the module no longer manages EFA support at the cluster level.
    • enable_security_groups_for_pods - users can instead attach the arn:aws:iam::aws:policy/AmazonEKSVPCResourceController policy via iam_role_additional_policies if using security groups for pods.
    • eks-managed-node-group sub-module
      • cluster_service_ipv4_cidr - users should use cluster_service_cidr instead (for either IPv4 or IPv6).
      • elastic_gpu_specifications
      • elastic_inference_accelerator
      • platform - this is superseded by ami_type
      • placement_group_strategy - set to cluster by the module
      • placement_group_az - users will need to specify the correct subnet in subnet_ids
      • create_schedule
      • schedules
    • self-managed-node-group sub-module
      • elastic_gpu_specifications
      • elastic_inference_accelerator
      • platform - this is superseded by ami_type
      • create_schedule
      • schedules
      • placement_group_az - users will need to specify the correct subnet in subnet_ids
      • hibernation_options - not valid in EKS
      • min_elb_capacity - not valid in EKS
      • wait_for_elb_capacity - not valid in EKS
      • wait_for_capacity_timeout - not valid in EKS
      • default_cooldown - not valid in EKS
      • target_group_arns - not valid in EKS
      • service_linked_role_arn - not valid in EKS
      • warm_pool - not valid in EKS
    • fargate-profile sub-module
      • None
    • karpenter sub-module
      • enable_v1_permissions - v1 permissions are now the default
      • enable_irsa
      • irsa_oidc_provider_arn
      • irsa_namespace_service_accounts
      • irsa_assume_role_condition_test

  2. Renamed variables:

    • Variables prefixed with cluster_* have been stripped of the prefix to better match the underlying API:
      • cluster_name -> name
      • cluster_version -> kubernetes_version
      • cluster_enabled_log_types -> enabled_log_types
      • cluster_force_update_version -> force_update_version
      • cluster_compute_config -> compute_config
      • cluster_upgrade_policy -> upgrade_policy
      • cluster_remote_network_config -> remote_network_config
      • cluster_zonal_shift_config -> zonal_shift_config
      • cluster_additional_security_group_ids -> additional_security_group_ids
      • cluster_endpoint_private_access -> endpoint_private_access
      • cluster_endpoint_public_access -> endpoint_public_access
      • cluster_endpoint_public_access_cidrs -> endpoint_public_access_cidrs
      • cluster_ip_family -> ip_family
      • cluster_service_ipv4_cidr -> service_ipv4_cidr
      • cluster_service_ipv6_cidr -> service_ipv6_cidr
      • cluster_encryption_config -> encryption_config
      • create_cluster_primary_security_group_tags -> create_primary_security_group_tags
      • cluster_timeouts -> timeouts
      • create_cluster_security_group -> create_security_group
      • cluster_security_group_id -> security_group_id
      • cluster_security_group_name -> security_group_name
      • cluster_security_group_use_name_prefix -> security_group_use_name_prefix
      • cluster_security_group_description -> security_group_description
      • cluster_security_group_additional_rules -> security_group_additional_rules
      • cluster_security_group_tags -> security_group_tags
      • cluster_encryption_policy_use_name_prefix -> encryption_policy_use_name_prefix
      • cluster_encryption_policy_name -> encryption_policy_name
      • cluster_encryption_policy_description -> encryption_policy_description
      • cluster_encryption_policy_path -> encryption_policy_path
      • cluster_encryption_policy_tags -> encryption_policy_tags
      • cluster_addons -> addons
      • cluster_addons_timeouts -> addons_timeouts
      • cluster_identity_providers -> identity_providers
    • eks-managed-node-group sub-module
      • cluster_version -> kubernetes_version
    • self-managed-node-group sub-module
      • cluster_version -> kubernetes_version
      • delete_timeout -> timeouts
    • fargate-profile sub-module
      • None
    • karpenter sub-module
      • None

  3. Added variables:

    • region
    • eks-managed-node-group sub-module
      • region
      • partition - added to reduce number of GET requests from data sources when possible
      • account_id - added to reduce number of GET requests from data sources when possible
      • create_security_group
      • security_group_name
      • security_group_use_name_prefix
      • security_group_description
      • security_group_ingress_rules
      • security_group_egress_rules
      • security_group_tags
    • self-managed-node-group sub-module
      • region
      • partition - added to reduce number of GET requests from data sources when possible
      • account_id - added to reduce number of GET requests from data sources when possible
      • create_security_group
      • security_group_name
      • security_group_use_name_prefix
      • security_group_description
      • security_group_ingress_rules
      • security_group_egress_rules
      • security_group_tags
    • fargate-profile sub-module
      • region
      • partition - added to reduce number of GET requests from data sources when possible
      • account_id - added to reduce number of GET requests from data sources when possible
    • karpenter sub-module
      • region

  4. Removed outputs:

    • eks-managed-node-group sub-module
      • platform - this is superseded by ami_type
      • autoscaling_group_schedule_arns
    • self-managed-node-group sub-module
      • platform - this is superseded by ami_type
      • autoscaling_group_schedule_arns
    • fargate-profile sub-module
      • None
    • karpenter sub-module
      • None

  5. Renamed outputs:

    • eks-managed-node-group sub-module
      • None
    • self-managed-node-group sub-module
      • None
    • fargate-profile sub-module
      • None
    • karpenter sub-module
      • None

  6. Added outputs:

    • eks-managed-node-group sub-module
      • security_group_arn
      • security_group_id
    • self-managed-node-group sub-module
      • security_group_arn
      • security_group_id
    • fargate-profile sub-module
      • None
    • karpenter sub-module
      • None

Motivation and Context

Breaking Changes

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request

@bryantbiggs
Copy link
Member Author

finding the variable optional attributes to be a bit challenging:

which is why this hasn't proceeded. once those are stabilized a bit, we can apply those learnings here and proceed

gecko655
gecko655 reviewed Jul 14, 2025
View reviewed changes
@gecko655 gecko655 mentioned this pull request Jul 14, 2025
Closed
@sanderjochems-capgemini sanderjochems-capgemini mentioned this pull request Jul 15, 2025
Closed
3 tasks
@bryantbiggs bryantbiggs mentioned this pull request Jul 15, 2025
Closed
@roncohen4
Copy link

@bryantbiggs Looking forward for this release, it's blocking me from upgrading AWS provider to 6.x
Any estimation for this to be done any time soon?

@bryantbiggs
Copy link
Member Author

it should land this week - we're just in the final testing/validation phase

bryantbiggs added 20 commits July 21, 2025 14:24
@bryantbiggs
feat!: Upgrade min AWS provider and Terraform versions to 6.0 and `…
7312108 
…1.5.7` respectively
@bryantbiggs
fix: Remove deprecated arguments in AWS v6.0 provider, upgrade Helm p…
43f810d 
…rovider to v3.0, bump VPC module to v6.0
@bryantbiggs
fix: Remove aws-auth sub-module
14a3561
@bryantbiggs
fix: Remove platform and cluster_service_ipv4_cidr variables from…
200d7fb 
… `user-data` sub-module
@bryantbiggs
fix: Resolve all marked todos that have been accumulated
7bee6c5
@bryantbiggs
fix: Set default http_put_response_hop_limit to 1
80d2273
@bryantbiggs
fix: Remove IRSA support from Karpenter sub-module
c3c6772
@bryantbiggs
fix: Avoid making GET requests from data sources unless absolutely ne…
2d79dc2 
…cessary
@bryantbiggs
feat: Add variable optional attribute definitions
200a712
@bryantbiggs
feat: Bump KMS key module version to latest, add remaining variable a…
eb26ecb 
…ttribute definitions
@bryantbiggs
fix: Remove cluster_ prefix from variable names to better match the…
20d9722 
… underlying API
@bryantbiggs
fix: Move all EFA logic to the nodegroup itself
96d79e5
@bryantbiggs
fix: Remove arguments that do not make sense in EKS
8bf26fa
@bryantbiggs
fix: Updates from plan validation
a28e9ae
@bryantbiggs
fix: Remove more self-managed node group attributes that are commonly…
f3df353 
… not used in EKS clusters
@bryantbiggs
fix: Remove data plane compute *_defaults variables that do not wor…
f34758e 
…k with variable optional attributes
@bryantbiggs
fix: Ignore changes to bootstrap_self_managed_addons to aid in upgrade
73762df
@bryantbiggs
feat: Add support for region argument on relevant resources
2fd94b7
@bryantbiggs
feat: Initial pass on upgrade guide
576c2cf
@bryantbiggs
fix: Updates from testing and validating EKS managed node group
e4c63d2
@bryantbiggs bryantbiggs changed the title feat!: Upgrade min AWS provider and Terraform versions to 6.0 and 1.5.7 respectively feat!: Upgrade min AWS provider and Terraform versions to 6.0 and 1.5.7 respectively Jul 21, 2025
@bryantbiggs bryantbiggs marked this pull request as ready for review July 21, 2025 22:10
@bryantbiggs bryantbiggs requested a review from antonbabenko July 21, 2025 22:10
zz-openai
zz-openai reviewed Jul 23, 2025
View reviewed changes
main.tf
node_role_arn = local.auto_mode_enabled && length(try(compute_config.value.node_pools, [])) > 0 ? try(compute_config.value.node_role_arn, aws_iam_role.eks_auto[0].arn, null) : null
enabled = compute_config.value.enabled
node_pools = compute_config.value.node_pools
node_role_arn = compute_config.value.node_pools != null ? try(compute_config.value.node_role_arn, aws_iam_role.eks_auto[0].arn, null) : null
Copy link

@zz-openai zz-openai Jul 23, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

getting some errors

"compute_config" = {
      "enabled" = true
      "node_pools" = tolist([
        "general-purpose",
      ])
      "node_role_arn" = tostring(null)
    }

and the try block get fake passed and then resolves to null. maybe its caused by the new type definition?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't follow - what is the config shown?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for the 6.0 upgrade, the issue is fixed here #3433 the config shown is the computed value of compute_config.value, the node_role_arn key exist with a null value that causes the try() chain to not work properly. in previous version the key did not exist and try error will fall back to aws_iam_role.eks_auto[0].arn

antonbabenko
antonbabenko approved these changes Jul 23, 2025
View reviewed changes
Copy link
Member

@antonbabenko antonbabenko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor question, and looks great! 👍

modules/fargate-profile/variables.tf
description = "Determines whether an IAM role policy is created or not"
type = bool
default = true
nullable = false
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we really need nullable here? We don't have it in many variables.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

still trying to wrap my head around these new variable types and nullable - but during testing it was throwing errors like below when I didn't have them set ¯\_(ツ)_/¯

image

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let me play around a bit more in my "sandbox" to see if I can better understand the behavior https://github.com/bryantbiggs/terraform-awful-variable-optional-attributes 😅

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bryantbiggs That error would make it seem like somehow the calling module was explicitly setting create_iam_role = null? Which would be invalid, given that expression... If not explicitly testing for null, then personally I think that is exactly what nullable = false is for... That way, a user doesn't have to duplicate the default value in all the places, they can just let their logic evaluate to null.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok I feel a bit better about my understanding of these new variable settings. I made a number of corrections in 3c5d4a0

What I learned -

We use a number of internal modules in this module. With those, we have variables defined in two places (individually in the sub-module, in a larger, singular variable in the root module). Previously I had variable definitions with defaults in both places but this is not how I think its meant to be handled (fun fact, there are numerous ways to set defaults now ¯\_(ツ)_/¯). With the latest change, the variable definition structure needs to be the same in both places (booo!), but we should only need to set the defaults in ONE place - and that place is the very root of where it is used (i.e. - the sub-module). This default value then gets propagated up by setting nullable = false on the sub-module variable (when the default value is not null of course - extremely confusing). This did catch a few issues where try() in the root module was masking it so that was a win, and it also simplified the codebase a little bit.

tl;dr - At least for sub-modules used internally in the root module, I believe we should be setting nullable = false when a default value is provided in order to bubble that up and not need to re-state the default value

@bryantbiggs bryantbiggs merged commit 416515a into terraform-aws-modules:master Jul 23, 2025
20 checks passed
@bryantbiggs bryantbiggs deleted the feat/v21 branch July 23, 2025 20:11
antonbabenko pushed a commit that referenced this pull request Jul 23, 2025
@semantic-release-bot
chore(release): version 21.0.0 [skip ci]
b7eabbd 
## [21.0.0](v20.37.2...v21.0.0) (2025-07-23)

### ⚠ BREAKING CHANGES

* Upgrade min AWS provider and Terraform versions to `6.0` and `1.5.7` respectively (#3412)

### Features

* Upgrade min AWS provider and Terraform versions to `6.0` and `1.5.7` respectively ([#3412](#3412)) ([416515a](416515a))
@antonbabenko
Copy link
Member

This PR is included in version 21.0.0 🎉

@bryantbiggs bryantbiggs mentioned this pull request Jul 23, 2025
Closed
1 task
@ggillies ggillies mentioned this pull request Jul 23, 2025
Closed
@Israphel
Copy link

Israphel commented Jul 24, 2025
edited
Loading

why was IRSA (for karpenter) abandoned in this release?

@bryantbiggs
Copy link
Member Author

why was IRSA (for karpenter) abandoned in this release?

read the PR notes and upgrade guide

Native support for IAM roles for service accounts (IRSA) has been removed; EKS Pod Identity is now enabled by default

@Israphel
Copy link

why was IRSA (for karpenter) abandoned in this release?

read the PR notes and upgrade guide

Native support for IAM roles for service accounts (IRSA) has been removed; EKS Pod Identity is now enabled by default

I read it, that's why I'm asking.

@bryantbiggs
Copy link
Member Author

I don't understand the question - EKS Pod Identity is the success to IRSA, and since this is a quite large module we are always looking for ways to simplify. Just like aws-auth ConfigMap used to be a thing and now we have cluster access entries - aws-auth is still supported but it doesn't mean we have to support it here. Pod Identity and cluster access entries are the long term solutions (at the moment) and thats what we are proceeding to support

@Israphel
Copy link

you do understand the question then, because that's a valid answer to "why". That should be in the MD instead of "irsa removed".

@bryantbiggs
Copy link
Member Author

and I should be paid for having to deal with folks like yourself - instead here I am doing this for free, creating clusters and validating changes on my own dime

@Michael-Hammond-wz
Copy link

It looks like eks_managed_node_group_defaults was removed. Is there a rename/replacement for this functionality?

@bryantbiggs
Copy link
Member Author

No

@terraform-aws-modules terraform-aws-modules locked as resolved and limited conversation to collaborators Jul 29, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@antonbabenko antonbabenko antonbabenko approved these changes

+3 more reviewers

@gecko655 gecko655 gecko655 left review comments

@lorengordon lorengordon lorengordon left review comments

@zz-openai zz-openai zz-openai left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
8 participants
@bryantbiggs @roncohen4 @antonbabenko @Israphel @Michael-Hammond-wz @gecko655 @lorengordon @zz-openai