terraform-aws-modules · bryantbiggs · Aug 15, 2025 · Aug 9, 2025 · Aug 15, 2025 · Aug 15, 2025
diff --git a/README.md b/README.md
@@ -318,15 +318,15 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.9 |
 | <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.9 |
 | <a name="requirement_tls"></a> [tls](#requirement\_tls) | >= 4.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.9 |
 | <a name="provider_time"></a> [time](#provider\_time) | >= 0.9 |
 | <a name="provider_tls"></a> [tls](#provider\_tls) | >= 4.0 |
 
@@ -406,6 +406,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
 | <a name="input_create_security_group"></a> [create\_security\_group](#input\_create\_security\_group) | Determines if a security group is created for the cluster. Note: the EKS service creates a primary security group for the cluster by default | `bool` | `true` | no |
 | <a name="input_custom_oidc_thumbprints"></a> [custom\_oidc\_thumbprints](#input\_custom\_oidc\_thumbprints) | Additional list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificate(s) | `list(string)` | `[]` | no |
 | <a name="input_dataplane_wait_duration"></a> [dataplane\_wait\_duration](#input\_dataplane\_wait\_duration) | Duration to wait after the EKS cluster has become active before creating the dataplane components (EKS managed node group(s), self-managed node group(s), Fargate profile(s)) | `string` | `"30s"` | no |
+| <a name="input_deletion_protection"></a> [deletion\_protection](#input\_deletion\_protection) | Whether to enable deletion protection for the cluster. When enabled, the cluster cannot be deleted unless deletion protection is first disabled | `bool` | `null` | no |
 | <a name="input_eks_managed_node_groups"></a> [eks\_managed\_node\_groups](#input\_eks\_managed\_node\_groups) | Map of EKS managed node group definitions to create | <pre>map(object({<br/>    create             = optional(bool)<br/>    kubernetes_version = optional(string)<br/><br/>    # EKS Managed Node Group<br/>    name                           = optional(string) # Will fall back to map key<br/>    use_name_prefix                = optional(bool)<br/>    subnet_ids                     = optional(list(string))<br/>    min_size                       = optional(number)<br/>    max_size                       = optional(number)<br/>    desired_size                   = optional(number)<br/>    ami_id                         = optional(string)<br/>    ami_type                       = optional(string)<br/>    ami_release_version            = optional(string)<br/>    use_latest_ami_release_version = optional(bool)<br/>    capacity_type                  = optional(string)<br/>    disk_size                      = optional(number)<br/>    force_update_version           = optional(bool)<br/>    instance_types                 = optional(list(string))<br/>    labels                         = optional(map(string))<br/>    node_repair_config = optional(object({<br/>      enabled = optional(bool)<br/>    }))<br/>    remote_access = optional(object({<br/>      ec2_ssh_key               = optional(string)<br/>      source_security_group_ids = optional(list(string))<br/>    }))<br/>    taints = optional(map(object({<br/>      key    = string<br/>      value  = optional(string)<br/>      effect = string<br/>    })))<br/>    update_config = optional(object({<br/>      max_unavailable            = optional(number)<br/>      max_unavailable_percentage = optional(number)<br/>    }))<br/>    timeouts = optional(object({<br/>      create = optional(string)<br/>      update = optional(string)<br/>      delete = optional(string)<br/>    }))<br/>    # User data<br/>    enable_bootstrap_user_data = optional(bool)<br/>    pre_bootstrap_user_data    = optional(string)<br/>    post_bootstrap_user_data   = optional(string)<br/>    bootstrap_extra_args       = optional(string)<br/>    user_data_template_path    = optional(string)<br/>    cloudinit_pre_nodeadm = optional(list(object({<br/>      content      = string<br/>      content_type = optional(string)<br/>      filename     = optional(string)<br/>      merge_type   = optional(string)<br/>    })))<br/>    cloudinit_post_nodeadm = optional(list(object({<br/>      content      = string<br/>      content_type = optional(string)<br/>      filename     = optional(string)<br/>      merge_type   = optional(string)<br/>    })))<br/>    # Launch Template<br/>    create_launch_template                 = optional(bool)<br/>    use_custom_launch_template             = optional(bool)<br/>    launch_template_id                     = optional(string)<br/>    launch_template_name                   = optional(string) # Will fall back to map key<br/>    launch_template_use_name_prefix        = optional(bool)<br/>    launch_template_version                = optional(string)<br/>    launch_template_default_version        = optional(string)<br/>    update_launch_template_default_version = optional(bool)<br/>    launch_template_description            = optional(string)<br/>    launch_template_tags                   = optional(map(string))<br/>    tag_specifications                     = optional(list(string))<br/>    ebs_optimized                          = optional(bool)<br/>    key_name                               = optional(string)<br/>    disable_api_termination                = optional(bool)<br/>    kernel_id                              = optional(string)<br/>    ram_disk_id                            = optional(string)<br/>    block_device_mappings = optional(map(object({<br/>      device_name = optional(string)<br/>      ebs = optional(object({<br/>        delete_on_termination      = optional(bool)<br/>        encrypted                  = optional(bool)<br/>        iops                       = optional(number)<br/>        kms_key_id                 = optional(string)<br/>        snapshot_id                = optional(string)<br/>        throughput                 = optional(number)<br/>        volume_initialization_rate = optional(number)<br/>        volume_size                = optional(number)<br/>        volume_type                = optional(string)<br/>      }))<br/>      no_device    = optional(string)<br/>      virtual_name = optional(string)<br/>    })))<br/>    capacity_reservation_specification = optional(object({<br/>      capacity_reservation_preference = optional(string)<br/>      capacity_reservation_target = optional(object({<br/>        capacity_reservation_id                 = optional(string)<br/>        capacity_reservation_resource_group_arn = optional(string)<br/>      }))<br/>    }))<br/>    cpu_options = optional(object({<br/>      amd_sev_snp      = optional(string)<br/>      core_count       = optional(number)<br/>      threads_per_core = optional(number)<br/>    }))<br/>    credit_specification = optional(object({<br/>      cpu_credits = optional(string)<br/>    }))<br/>    enclave_options = optional(object({<br/>      enabled = optional(bool)<br/>    }))<br/>    instance_market_options = optional(object({<br/>      market_type = optional(string)<br/>      spot_options = optional(object({<br/>        block_duration_minutes         = optional(number)<br/>        instance_interruption_behavior = optional(string)<br/>        max_price                      = optional(string)<br/>        spot_instance_type             = optional(string)<br/>        valid_until                    = optional(string)<br/>      }))<br/>    }))<br/>    license_specifications = optional(list(object({<br/>      license_configuration_arn = string<br/>    })))<br/>    metadata_options = optional(object({<br/>      http_endpoint               = optional(string)<br/>      http_protocol_ipv6          = optional(string)<br/>      http_put_response_hop_limit = optional(number)<br/>      http_tokens                 = optional(string)<br/>      instance_metadata_tags      = optional(string)<br/>    }))<br/>    enable_monitoring      = optional(bool)<br/>    enable_efa_support     = optional(bool)<br/>    enable_efa_only        = optional(bool)<br/>    efa_indices            = optional(list(string))<br/>    create_placement_group = optional(bool)<br/>    placement = optional(object({<br/>      affinity                = optional(string)<br/>      availability_zone       = optional(string)<br/>      group_name              = optional(string)<br/>      host_id                 = optional(string)<br/>      host_resource_group_arn = optional(string)<br/>      partition_number        = optional(number)<br/>      spread_domain           = optional(string)<br/>      tenancy                 = optional(string)<br/>    }))<br/>    network_interfaces = optional(list(object({<br/>      associate_carrier_ip_address = optional(bool)<br/>      associate_public_ip_address  = optional(bool)<br/>      connection_tracking_specification = optional(object({<br/>        tcp_established_timeout = optional(number)<br/>        udp_stream_timeout      = optional(number)<br/>        udp_timeout             = optional(number)<br/>      }))<br/>      delete_on_termination = optional(bool)<br/>      description           = optional(string)<br/>      device_index          = optional(number)<br/>      ena_srd_specification = optional(object({<br/>        ena_srd_enabled = optional(bool)<br/>        ena_srd_udp_specification = optional(object({<br/>          ena_srd_udp_enabled = optional(bool)<br/>        }))<br/>      }))<br/>      interface_type       = optional(string)<br/>      ipv4_address_count   = optional(number)<br/>      ipv4_addresses       = optional(list(string))<br/>      ipv4_prefix_count    = optional(number)<br/>      ipv4_prefixes        = optional(list(string))<br/>      ipv6_address_count   = optional(number)<br/>      ipv6_addresses       = optional(list(string))<br/>      ipv6_prefix_count    = optional(number)<br/>      ipv6_prefixes        = optional(list(string))<br/>      network_card_index   = optional(number)<br/>      network_interface_id = optional(string)<br/>      primary_ipv6         = optional(bool)<br/>      private_ip_address   = optional(string)<br/>      security_groups      = optional(list(string), [])<br/>      subnet_id            = optional(string)<br/>    })))<br/>    maintenance_options = optional(object({<br/>      auto_recovery = optional(string)<br/>    }))<br/>    private_dns_name_options = optional(object({<br/>      enable_resource_name_dns_aaaa_record = optional(bool)<br/>      enable_resource_name_dns_a_record    = optional(bool)<br/>      hostname_type                        = optional(string)<br/>    }))<br/>    # IAM role<br/>    create_iam_role               = optional(bool)<br/>    iam_role_arn                  = optional(string)<br/>    iam_role_name                 = optional(string)<br/>    iam_role_use_name_prefix      = optional(bool)<br/>    iam_role_path                 = optional(string)<br/>    iam_role_description          = optional(string)<br/>    iam_role_permissions_boundary = optional(string)<br/>    iam_role_tags                 = optional(map(string))<br/>    iam_role_attach_cni_policy    = optional(bool)<br/>    iam_role_additional_policies  = optional(map(string))<br/>    create_iam_role_policy        = optional(bool)<br/>    iam_role_policy_statements = optional(list(object({<br/>      sid           = optional(string)<br/>      actions       = optional(list(string))<br/>      not_actions   = optional(list(string))<br/>      effect        = optional(string)<br/>      resources     = optional(list(string))<br/>      not_resources = optional(list(string))<br/>      principals = optional(list(object({<br/>        type        = string<br/>        identifiers = list(string)<br/>      })))<br/>      not_principals = optional(list(object({<br/>        type        = string<br/>        identifiers = list(string)<br/>      })))<br/>      condition = optional(list(object({<br/>        test     = string<br/>        values   = list(string)<br/>        variable = string<br/>      })))<br/>    })))<br/>    # Security group<br/>    vpc_security_group_ids                = optional(list(string), [])<br/>    attach_cluster_primary_security_group = optional(bool, false)<br/>    cluster_primary_security_group_id     = optional(string)<br/>    create_security_group                 = optional(bool)<br/>    security_group_name                   = optional(string)<br/>    security_group_use_name_prefix        = optional(bool)<br/>    security_group_description            = optional(string)<br/>    security_group_ingress_rules = optional(map(object({<br/>      name                         = optional(string)<br/>      cidr_ipv4                    = optional(string)<br/>      cidr_ipv6                    = optional(string)<br/>      description                  = optional(string)<br/>      from_port                    = optional(string)<br/>      ip_protocol                  = optional(string)<br/>      prefix_list_id               = optional(string)<br/>      referenced_security_group_id = optional(string)<br/>      self                         = optional(bool)<br/>      tags                         = optional(map(string))<br/>      to_port                      = optional(string)<br/>    })))<br/>    security_group_egress_rules = optional(map(object({<br/>      name                         = optional(string)<br/>      cidr_ipv4                    = optional(string)<br/>      cidr_ipv6                    = optional(string)<br/>      description                  = optional(string)<br/>      from_port                    = optional(string)<br/>      ip_protocol                  = optional(string)<br/>      prefix_list_id               = optional(string)<br/>      referenced_security_group_id = optional(string)<br/>      self                         = optional(bool)<br/>      tags                         = optional(map(string))<br/>      to_port                      = optional(string)<br/>    })), {})<br/>    security_group_tags = optional(map(string))<br/><br/>    tags = optional(map(string))<br/>  }))</pre> | `null` | no |
 | <a name="input_enable_auto_mode_custom_tags"></a> [enable\_auto\_mode\_custom\_tags](#input\_enable\_auto\_mode\_custom\_tags) | Determines whether to enable permissions for custom tags resources created by EKS Auto Mode | `bool` | `true` | no |
 | <a name="input_enable_cluster_creator_admin_permissions"></a> [enable\_cluster\_creator\_admin\_permissions](#input\_enable\_cluster\_creator\_admin\_permissions) | Indicates whether or not to add the cluster creator (the identity used by Terraform) as an administrator via access entry | `bool` | `false` | no |

diff --git a/examples/eks-auto-mode/README.md b/examples/eks-auto-mode/README.md
@@ -25,13 +25,13 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.9 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.9 |
 
 ## Modules
 

diff --git a/examples/eks-auto-mode/main.tf b/examples/eks-auto-mode/main.tf
@@ -35,6 +35,7 @@ module "eks" {
   name                   = local.name
   kubernetes_version     = local.kubernetes_version
   endpoint_public_access = true
+  deletion_protection    = true
 
   enable_cluster_creator_admin_permissions = true
 

diff --git a/examples/eks-auto-mode/versions.tf b/examples/eks-auto-mode/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.0"
+      version = ">= 6.9"
     }
   }
 }
diff --git a/examples/eks-hybrid-nodes/README.md b/examples/eks-hybrid-nodes/README.md
@@ -26,7 +26,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.9 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 3.0 |
 | <a name="requirement_http"></a> [http](#requirement\_http) | >= 3.4 |
 | <a name="requirement_local"></a> [local](#requirement\_local) | >= 2.5 |
@@ -36,8 +36,8 @@ Note that this example may create resources which cost money. Run `terraform des
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
-| <a name="provider_aws.remote"></a> [aws.remote](#provider\_aws.remote) | >= 6.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.9 |
+| <a name="provider_aws.remote"></a> [aws.remote](#provider\_aws.remote) | >= 6.9 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | >= 3.0 |
 | <a name="provider_http"></a> [http](#provider\_http) | >= 3.4 |
 | <a name="provider_local"></a> [local](#provider\_local) | >= 2.5 |

diff --git a/examples/eks-hybrid-nodes/versions.tf b/examples/eks-hybrid-nodes/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.0"
+      version = ">= 6.9"
     }
     helm = {
       source  = "hashicorp/helm"

diff --git a/examples/eks-managed-node-group/versions.tf b/examples/eks-managed-node-group/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.0"
+      version = ">= 6.9"
     }
   }
 }
diff --git a/examples/karpenter/README.md b/examples/karpenter/README.md
@@ -94,16 +94,16 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
-| <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 3.0.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.9 |
+| <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 3.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
-| <a name="provider_aws.virginia"></a> [aws.virginia](#provider\_aws.virginia) | >= 6.0 |
-| <a name="provider_helm"></a> [helm](#provider\_helm) | >= 3.0.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.9 |
+| <a name="provider_aws.virginia"></a> [aws.virginia](#provider\_aws.virginia) | >= 6.9 |
+| <a name="provider_helm"></a> [helm](#provider\_helm) | >= 3.0 |
 
 ## Modules
 

diff --git a/examples/karpenter/versions.tf b/examples/karpenter/versions.tf
@@ -4,11 +4,11 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.0"
+      version = ">= 6.9"
     }
     helm = {
       source  = "hashicorp/helm"
-      version = ">= 3.0.0"
+      version = ">= 3.0"
     }
   }
 }
diff --git a/examples/self-managed-node-group/versions.tf b/examples/self-managed-node-group/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.0"
+      version = ">= 6.9"
     }
   }
 }
diff --git a/main.tf b/main.tf
@@ -42,6 +42,7 @@ resource "aws_eks_cluster" "this" {
   role_arn                      = local.role_arn
   version                       = var.kubernetes_version
   enabled_cluster_log_types     = var.enabled_log_types
+  deletion_protection           = var.deletion_protection
   bootstrap_self_managed_addons = false
   force_update_version          = var.force_update_version
 

diff --git a/modules/eks-managed-node-group/README.md b/modules/eks-managed-node-group/README.md
@@ -64,13 +64,13 @@ module "eks_managed_node_group" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.9 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.9 |
 
 ## Modules
 

diff --git a/modules/eks-managed-node-group/versions.tf b/modules/eks-managed-node-group/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.0"
+      version = ">= 6.9"
     }
   }
 }