terraform-aws-modules · agladboy · Jul 15, 2020 · Jul 20, 2020 · Mar 8, 2021 · Aug 18, 2021
diff --git a/aws_auth.tf b/aws_auth.tf
@@ -1,47 +1,6 @@
 data "aws_caller_identity" "current" {
 }
 
-data "template_file" "launch_template_worker_role_arns" {
-  count    = var.create_eks ? local.worker_group_launch_template_count : 0
-  template = file("${path.module}/templates/worker-role.tpl")
-
-  vars = {
-    worker_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${element(
-      coalescelist(
-        aws_iam_instance_profile.workers_launch_template.*.role,
-        data.aws_iam_instance_profile.custom_worker_group_launch_template_iam_instance_profile.*.role_name,
-      ),
-      count.index,
-    )}"
-    platform = lookup(
-      var.worker_groups_launch_template[count.index],
-      "platform",
-      local.workers_group_defaults["platform"]
-    )
-  }
-}
-
-data "template_file" "worker_role_arns" {
-  count    = var.create_eks ? local.worker_group_count : 0
-  template = file("${path.module}/templates/worker-role.tpl")
-
-  vars = {
-    worker_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${element(
-      coalescelist(
-        aws_iam_instance_profile.workers.*.role,
-        data.aws_iam_instance_profile.custom_worker_group_iam_instance_profile.*.role_name,
-        [""]
-      ),
-      count.index,
-    )}"
-    platform = lookup(
-      var.worker_groups[count.index],
-      "platform",
-      local.workers_group_defaults["platform"]
-    )
-  }
-}
-
 data "template_file" "node_group_arns" {
   count    = var.create_eks ? length(module.node_groups.aws_auth_roles) : 0
   template = file("${path.module}/templates/worker-role.tpl")
@@ -52,19 +11,34 @@ data "template_file" "node_group_arns" {
 resource "kubernetes_config_map" "aws_auth" {
   count      = var.create_eks && var.manage_aws_auth ? 1 : 0
   depends_on = [null_resource.wait_for_cluster[0]]
+  #depends_on = [null_resource.wait_for_cluster[0], aws_iam_instance_profile.karpenter_node_instance_profile]
 
   metadata {
     name      = "aws-auth"
     namespace = "kube-system"
   }
 
+#   data = {
+#     mapRoles = <<EOF
+# ${join("", distinct(concat(data.template_file.node_group_arns.*.rendered)))}
+# - rolearn: ${aws_iam_role.karpenter_role[0].arn}
+#   username: system:node:{{EC2PrivateDNSName}}
+#   groups:
+#     - system:bootstrappers
+#     - system:nodes
+# %{if length(var.map_roles) != 0}${yamlencode(var.map_roles)}%{endif}
+# EOF
+
+#     mapUsers    = yamlencode(var.map_users)
+#     mapAccounts = yamlencode(var.map_accounts)
+#   }
   data = {
     mapRoles = <<EOF
-${join("", distinct(concat(data.template_file.launch_template_worker_role_arns.*.rendered, data.template_file.worker_role_arns.*.rendered, data.template_file.node_group_arns.*.rendered
+${join("", distinct(concat(data.template_file.node_group_arns.*.rendered
 )))}
-%{if length(var.map_roles) != 0}${yamlencode(var.map_roles)}%{endif}
+%{if length(var.map_roles) != 0}${yamlencode(var.map_roles)} %{endif}
     EOF
-mapUsers    = yamlencode(var.map_users)
-mapAccounts = yamlencode(var.map_accounts)
-}
+      mapUsers    = yamlencode(var.map_users)
+      mapAccounts = yamlencode(var.map_accounts)
+      }
 }
diff --git a/cluster.tf b/cluster.tf
@@ -14,6 +14,10 @@ resource "aws_eks_cluster" "this" {
   version                   = var.cluster_version
   tags                      = var.tags
 
+  access_config {
+    authentication_mode = "API_AND_CONFIG_MAP"
+  }
+
   vpc_config {
     security_group_ids      = [local.cluster_security_group_id]
     subnet_ids              = var.subnets
@@ -22,8 +26,20 @@ resource "aws_eks_cluster" "this" {
     public_access_cidrs     = var.cluster_endpoint_public_access_cidrs
   }
 
+
+
+  dynamic "encryption_config" {
+    for_each = var.encryption ? [1] : []
+    content {
+      provider {
+        key_arn = aws_kms_key.eks_secrets[0].arn
+      }
+      resources = ["secrets"]
+    }
+  }
   timeouts {
     create = var.cluster_create_timeout
+    update = var.cluster_update_timeout
     delete = var.cluster_delete_timeout
   }
 

diff --git a/cluster_addons.tf b/cluster_addons.tf
@@ -0,0 +1,82 @@
+# Installs/configures add ons for the EKS cluster
+resource "aws_eks_addon" "vpc_cni" {
+  # while we're upgrading we don't want these to be created until we're on 1.20 cluster
+  count             = var.create_eks && var.enable_vpc_cni_addon ? 1 : 0
+  cluster_name      = aws_eks_cluster.this[0].name
+  addon_name        = "vpc-cni"
+  addon_version     = var.vpc_cni_version
+  resolve_conflicts = var.vpc_cni_resolve_conflicts
+}
+
+resource "aws_eks_addon" "coredns" {
+  count             = var.create_eks && var.enable_coredns_addon ? 1 : 0
+  cluster_name      = aws_eks_cluster.this[0].name
+  addon_name        = "coredns"
+  addon_version     = var.coredns_version
+  resolve_conflicts = var.coredns_resolve_conflicts
+  configuration_values = jsonencode({
+    autoScaling = {
+      enabled = var.coredns_scaling_enabled
+      minReplicas = var.coredns_minreplicas
+      maxReplicas = var.coredns_maxreplicas
+    }
+    corefile = <<-EOT
+    .:53 {
+      errors
+      health {
+        lameduck 30s
+      }
+      ready
+      kubernetes cluster.local in-addr.arpa ip6.arpa {
+        pods insecure
+        fallthrough in-addr.arpa ip6.arpa
+      }
+      prometheus :9153
+      forward . /etc/resolv.conf
+      cache 30 3600 10
+      loop
+      reload
+      loadbalance
+    }
+EOT
+  })
+}
+
+resource "aws_eks_addon" "kube_proxy" {
+  count             = var.create_eks && var.enable_kube_proxy_addon ? 1 : 0
+  cluster_name      = aws_eks_cluster.this[0].name
+  addon_name        = "kube-proxy"
+  addon_version     = var.kube_proxy_version
+  resolve_conflicts = var.kube_proxy_resolve_conflicts
+}
+
+resource "aws_eks_addon" "aws_ebs_csi_driver" {
+  count                    = var.create_eks && var.enable_aws_ebs_csi_driver_addon ? 1 : 0
+  cluster_name             = aws_eks_cluster.this[0].name
+  addon_name               = "aws-ebs-csi-driver"
+  addon_version            = var.aws_ebs_csi_driver_version
+  resolve_conflicts        = var.aws_ebs_csi_driver_resolve_conflicts
+  service_account_role_arn = var.ebs_csi_driver_role_arn
+}
+
+# EKS EFS CSI ADD-ON Module
+resource "aws_eks_addon" "aws_efs_csi_driver" {
+  count                    = var.create_eks && var.enable_aws_efs_csi_driver_addon ? 1 : 0
+  cluster_name             = aws_eks_cluster.this[0].name
+  addon_name               = "aws-efs-csi-driver"
+  addon_version            = var.aws_efs_csi_driver_version
+  resolve_conflicts        = var.aws_efs_csi_driver_resolve_conflicts
+  service_account_role_arn = var.efs_csi_driver_role_arn
+}
+
+# EKS FSx CSI ADD-ON Module
+resource "aws_eks_addon" "aws_fsx_csi_driver" {
+  count                       = var.create_eks && var.enable_aws_fsx_csi_driver_addon ? 1 : 0
+  cluster_name                = aws_eks_cluster.this[0].name
+  addon_name                  = "aws-fsx-csi-driver"
+  addon_version               = var.aws_fsx_csi_driver_version
+  resolve_conflicts_on_update = var.aws_fsx_csi_driver_resolve_conflicts
+  service_account_role_arn    = module.fsx_csi_irsa[0].iam_role_arn
+
+  tags = var.tags
+}
diff --git a/data.tf b/data.tf
@@ -1,10 +1,5 @@
 locals {
   worker_ami_name_filter = var.worker_ami_name_filter != "" ? var.worker_ami_name_filter : "amazon-eks-node-${var.cluster_version}-v*"
-
-  # Windows nodes are available from k8s 1.14. If cluster version is less than 1.14, fix ami filter to some constant to not fail on 'terraform plan'.
-  worker_ami_name_filter_windows = (var.worker_ami_name_filter_windows != "" ?
-    var.worker_ami_name_filter_windows : "Windows_Server-2019-English-Core-EKS_Optimized-${tonumber(var.cluster_version) >= 1.14 ? var.cluster_version : 1.14}-*"
-  )
 }
 
 data "aws_iam_policy_document" "workers_assume_role_policy" {
@@ -33,23 +28,6 @@ data "aws_ami" "eks_worker" {
   owners = [var.worker_ami_owner_id]
 }
 
-data "aws_ami" "eks_worker_windows" {
-  filter {
-    name   = "name"
-    values = [local.worker_ami_name_filter_windows]
-  }
-
-  filter {
-    name   = "platform"
-    values = ["windows"]
-  }
-
-  most_recent = true
-
-  owners = [var.worker_ami_owner_id_windows]
-}
-
-
 data "aws_iam_policy_document" "cluster_assume_role_policy" {
   statement {
     sid = "EKSClusterAssumeRole"
@@ -103,121 +81,11 @@ EOF
 
   vars = {
     value = values(var.kubeconfig_aws_authenticator_env_variables)[count.index]
-    key   = keys(var.kubeconfig_aws_authenticator_env_variables)[count.index]
+    key = keys(var.kubeconfig_aws_authenticator_env_variables)[count.index]
   }
 }
 
-data "template_file" "userdata" {
-  count = var.create_eks ? local.worker_group_count : 0
-  template = lookup(
-    var.worker_groups[count.index],
-    "userdata_template_file",
-    file(
-      lookup(var.worker_groups[count.index], "platform", local.workers_group_defaults["platform"]) == "windows"
-      ? "${path.module}/templates/userdata_windows.tpl"
-      : "${path.module}/templates/userdata.sh.tpl"
-    )
-  )
-
-  vars = merge({
-    platform            = lookup(var.worker_groups[count.index], "platform", local.workers_group_defaults["platform"])
-    cluster_name        = aws_eks_cluster.this[0].name
-    endpoint            = aws_eks_cluster.this[0].endpoint
-    cluster_auth_base64 = aws_eks_cluster.this[0].certificate_authority[0].data
-    pre_userdata = lookup(
-      var.worker_groups[count.index],
-      "pre_userdata",
-      local.workers_group_defaults["pre_userdata"],
-    )
-    additional_userdata = lookup(
-      var.worker_groups[count.index],
-      "additional_userdata",
-      local.workers_group_defaults["additional_userdata"],
-    )
-    bootstrap_extra_args = lookup(
-      var.worker_groups[count.index],
-      "bootstrap_extra_args",
-      local.workers_group_defaults["bootstrap_extra_args"],
-    )
-    kubelet_extra_args = lookup(
-      var.worker_groups[count.index],
-      "kubelet_extra_args",
-      local.workers_group_defaults["kubelet_extra_args"],
-    )
-    },
-    lookup(
-      var.worker_groups[count.index],
-      "userdata_template_extra_args",
-      local.workers_group_defaults["userdata_template_extra_args"]
-    )
-  )
-}
-
-data "template_file" "launch_template_userdata" {
-  count = var.create_eks ? local.worker_group_launch_template_count : 0
-  template = lookup(
-    var.worker_groups_launch_template[count.index],
-    "userdata_template_file",
-    file(
-      lookup(var.worker_groups_launch_template[count.index], "platform", local.workers_group_defaults["platform"]) == "windows"
-      ? "${path.module}/templates/userdata_windows.tpl"
-      : "${path.module}/templates/userdata.sh.tpl"
-    )
-  )
-
-  vars = merge({
-    platform            = lookup(var.worker_groups_launch_template[count.index], "platform", local.workers_group_defaults["platform"])
-    cluster_name        = aws_eks_cluster.this[0].name
-    endpoint            = aws_eks_cluster.this[0].endpoint
-    cluster_auth_base64 = aws_eks_cluster.this[0].certificate_authority[0].data
-    pre_userdata = lookup(
-      var.worker_groups_launch_template[count.index],
-      "pre_userdata",
-      local.workers_group_defaults["pre_userdata"],
-    )
-    additional_userdata = lookup(
-      var.worker_groups_launch_template[count.index],
-      "additional_userdata",
-      local.workers_group_defaults["additional_userdata"],
-    )
-    bootstrap_extra_args = lookup(
-      var.worker_groups_launch_template[count.index],
-      "bootstrap_extra_args",
-      local.workers_group_defaults["bootstrap_extra_args"],
-    )
-    kubelet_extra_args = lookup(
-      var.worker_groups_launch_template[count.index],
-      "kubelet_extra_args",
-      local.workers_group_defaults["kubelet_extra_args"],
-    )
-    },
-    lookup(
-      var.worker_groups_launch_template[count.index],
-      "userdata_template_extra_args",
-      local.workers_group_defaults["userdata_template_extra_args"]
-    )
-  )
-}
-
 data "aws_iam_role" "custom_cluster_iam_role" {
   count = var.manage_cluster_iam_resources ? 0 : 1
-  name  = var.cluster_iam_role_name
-}
-
-data "aws_iam_instance_profile" "custom_worker_group_iam_instance_profile" {
-  count = var.manage_worker_iam_resources ? 0 : local.worker_group_count
-  name = lookup(
-    var.worker_groups[count.index],
-    "iam_instance_profile_name",
-    local.workers_group_defaults["iam_instance_profile_name"],
-  )
-}
-
-data "aws_iam_instance_profile" "custom_worker_group_launch_template_iam_instance_profile" {
-  count = var.manage_worker_iam_resources ? 0 : local.worker_group_launch_template_count
-  name = lookup(
-    var.worker_groups_launch_template[count.index],
-    "iam_instance_profile_name",
-    local.workers_group_defaults["iam_instance_profile_name"],
-  )
+  name = var.cluster_iam_role_name
 }