Service Catalog Version 0.74.0
Amazon EKS Workers
Deploy EC2 instances as Kubernetes workers for Amazon Elastic Kubernetes Service (EKS)
Reference
- Inputs
- Outputs
- additional_security_groups_for_workers— A list of additional security group IDs to be attached on worker groups.
- alarms_sns_topic_arn— The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications.
- allow_inbound_ssh_from_cidr_blocks— The list of CIDR blocks to allow inbound SSH access to the worker groups.
- allow_inbound_ssh_from_security_groups— The list of security group IDs to allow inbound SSH access to the worker groups.
- asg_custom_iam_role_name— Custom name for the IAM role for the Self-managed workers. When null, a default name based on- worker_name_prefixwill be used. One of- asg_custom_iam_role_nameand- asg_iam_role_arnis required (must be non-null) if- asg_iam_role_already_existsis true.
- asg_default_instance_root_volume_encryption— Default value for the- asg_instance_root_volume_encryptionfield of- autoscaling_group_configurations. Any map entry that does not specify- asg_instance_root_volume_encryptionwill use this value.
- asg_default_instance_root_volume_size— Default value for the- asg_instance_root_volume_sizefield of- autoscaling_group_configurations. Any map entry that does not specify- asg_instance_root_volume_sizewill use this value.
- asg_default_instance_root_volume_type— Default value for the- asg_instance_root_volume_typefield of- autoscaling_group_configurations. Any map entry that does not specify- asg_instance_root_volume_typewill use this value.
- asg_default_instance_type— Default value for the- asg_instance_typefield of- autoscaling_group_configurations. Any map entry that does not specify- asg_instance_typewill use this value.
- asg_default_max_size— Default value for the- max_sizefield of- autoscaling_group_configurations. Any map entry that does not specify- max_sizewill use this value.
- asg_default_min_size— Default value for the- min_sizefield of- autoscaling_group_configurations. Any map entry that does not specify- min_sizewill use this value.
- asg_default_multi_instance_overrides— Default value for the- multi_instance_overridesfield of- autoscaling_group_configurations. Any map entry that does not specify- multi_instance_overrideswill use this value.
- asg_default_on_demand_allocation_strategy— Default value for the- on_demand_allocation_strategyfield of- autoscaling_group_configurations. Any map entry that does not specify- on_demand_allocation_strategywill use this value.
- asg_default_on_demand_base_capacity— Default value for the- on_demand_base_capacityfield of- autoscaling_group_configurations. Any map entry that does not specify- on_demand_base_capacitywill use this value.
- asg_default_on_demand_percentage_above_base_capacity— Default value for the- on_demand_percentage_above_base_capacityfield of- autoscaling_group_configurations. Any map entry that does not specify- on_demand_percentage_above_base_capacitywill use this value.
- asg_default_spot_allocation_strategy— Default value for the- spot_allocation_strategyfield of- autoscaling_group_configurations. Any map entry that does not specify- spot_allocation_strategywill use this value.
- asg_default_spot_instance_pools— Default value for the- spot_instance_poolsfield of- autoscaling_group_configurations. Any map entry that does not specify- spot_instance_poolswill use this value.
- asg_default_spot_max_price— Default value for the- spot_max_pricefield of- autoscaling_group_configurations. Any map entry that does not specify- spot_max_pricewill use this value. Set to empty string (default) to mean on-demand price.
- asg_default_tags— Default value for the tags field of- autoscaling_group_configurations. Any map entry that does not specify tags will use this value.
- asg_default_use_multi_instances_policy— Default value for the- use_multi_instances_policyfield of- autoscaling_group_configurations. Any map entry that does not specify- use_multi_instances_policywill use this value.
- asg_iam_instance_profile_name— Custom name for the IAM instance profile for the Self-managed workers. When null, the IAM role name will be used. If- asg_use_resource_name_prefixis true, this will be used as a name prefix.
- asg_iam_role_already_exists— Whether or not the IAM role used for the Self-managed workers already exists. When false, this module will create a new IAM role.
- asg_iam_role_arn— ARN of the IAM role to use if- iam_role_already_exists= true. When null, uses- asg_custom_iam_role_nameto lookup the ARN. One of- asg_custom_iam_role_nameand- asg_iam_role_arnis required (must be non-null) if- asg_iam_role_already_existsis true.
- asg_security_group_tags— A map of tags to apply to the Security Group of the ASG for the self managed worker pool. The key is the tag name and the value is the tag value.
- asg_use_resource_name_prefix— When true, all the relevant resources for self managed workers will be set to use the- name_prefixattribute so that unique names are generated for them. This allows those resources to support recreation through- create_before_destroylifecycle rules. Set to false if you were using any version before 0.65.0 and wish to avoid recreating the entire worker pool on your cluster.
- autoscaling_group_configurations— Configure one or more self-managed Auto Scaling Groups (ASGs) to manage the EC2 instances in this cluster. Set to empty object ({}) if you do not wish to configure self-managed ASGs.
- autoscaling_group_include_autoscaler_discovery_tags— Adds additional tags to each ASG that allow a cluster autoscaler to auto-discover them. Only used for self-managed workers.
- aws_auth_merger_namespace— Namespace where the AWS Auth Merger is deployed. If configured, the worker IAM role will be mapped to the Kubernetes RBAC group for Nodes using a ConfigMap in the auth merger namespace.
- cloud_init_parts— Cloud init scripts to run on the EKS worker nodes when it is booting. See the part blocks in- https://www.terraform.io/docs/providers/template/d/cloudinit_config.html for syntax. To override the default boot script installed as part of the module, use the key- default.
- cluster_instance_ami— The AMI to run on each instance in the EKS cluster. You can build the AMI using the Packer template eks-node-al2.json. One of- cluster_instance_amior- cluster_instance_ami_filtersis required. Only used if- cluster_instance_ami_filtersis null. Set to null if- cluster_instance_ami_filtersis set.
- cluster_instance_ami_filters— Properties on the AMI that can be used to lookup a prebuilt AMI for use with self managed workers. You can build the AMI using the Packer template eks-node-al2.json. One of- cluster_instance_amior- cluster_instance_ami_filtersis required. If both are defined,- cluster_instance_ami_filterswill be used. Set to null if- cluster_instance_amiis set.
- cluster_instance_associate_public_ip_address— Whether or not to associate a public IP address to the instances of the self managed ASGs. Will only work if the instances are launched in a public subnet.
- cluster_instance_keypair_name— The name of the Key Pair that can be used to SSH to each instance in the EKS cluster.
- custom_egress_security_group_rules— A map of unique identifiers to egress security group rules to attach to the worker groups.
- custom_ingress_security_group_rules— A map of unique identifiers to ingress security group rules to attach to the worker groups.
- dashboard_cpu_usage_widget_parameters— Parameters for the worker cpu usage widget to output for use in a CloudWatch dashboard.
- dashboard_disk_usage_widget_parameters— Parameters for the worker disk usage widget to output for use in a CloudWatch dashboard.
- dashboard_memory_usage_widget_parameters— Parameters for the worker memory usage widget to output for use in a CloudWatch dashboard.
- eks_cluster_name— The name of the EKS cluster. The cluster must exist/already be deployed.
- enable_cloudwatch_alarms— Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using- alarms_sns_topic_arn.
- enable_cloudwatch_metrics— Set to true to add IAM permissions to send custom metrics to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/agents/cloudwatch-agent to get memory and disk metrics in CloudWatch for your Bastion host.
- enable_fail2ban— Enable fail2ban to block brute force log in attempts. Defaults to true.
- external_account_ssh_grunt_role_arn— If you are using ssh-grunt and your IAM users / groups are defined in a separate AWS account, you can use this variable to specify the ARN of an IAM role that ssh-grunt can assume to retrieve IAM group and public SSH key info from that account. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain).
- managed_node_group_configurations— Configure one or more Node Groups to manage the EC2 instances in this cluster. Set to empty object ({}) if you do not wish to configure managed node groups.
- managed_node_group_custom_iam_role_name— Custom name for the IAM role for the Managed Node Groups. When null, a default name based on- worker_name_prefixwill be used. One of- managed_node_group_custom_iam_role_nameand- managed_node_group_iam_role_arnis required (must be non-null) if- managed_node_group_iam_role_already_existsis true.
- managed_node_group_iam_role_already_exists— Whether or not the IAM role used for the Managed Node Group workers already exists. When false, this module will create a new IAM role.
- managed_node_group_iam_role_arn— ARN of the IAM role to use if- iam_role_already_exists= true. When null, uses- managed_node_group_custom_iam_role_nameto lookup the ARN. One of- managed_node_group_custom_iam_role_nameand- managed_node_group_iam_role_arnis required (must be non-null) if- managed_node_group_iam_role_already_existsis true.
- node_group_default_capacity_type— Default value for- capacity_typefield of- managed_node_group_configurations.
- node_group_default_desired_size— Default value for- desired_sizefield of- managed_node_group_configurations.
- node_group_default_instance_root_volume_encryption— Default value for the- instance_root_volume_encryptionfield of- managed_node_group_configurations.
- node_group_default_instance_root_volume_size— Default value for the- instance_root_volume_sizefield of- managed_node_group_configurations.
- node_group_default_instance_root_volume_type— Default value for the- instance_root_volume_typefield of- managed_node_group_configurations.
- node_group_default_instance_types— Default value for- instance_typesfield of- managed_node_group_configurations.
- node_group_default_labels— Default value for labels field of- managed_node_group_configurations. Unlike- common_labelswhich will always be merged in, these labels are only used if the labels field is omitted from the configuration.
- node_group_default_max_size— Default value for- max_sizefield of- managed_node_group_configurations.
- node_group_default_min_size— Default value for- min_sizefield of- managed_node_group_configurations.
- node_group_default_subnet_ids— Default value for- subnet_idsfield of- managed_node_group_configurations.
- node_group_default_tags— Default value for tags field of- managed_node_group_configurations. Unlike- common_tagswhich will always be merged in, these tags are only used if the tags field is omitted from the configuration.
- node_group_launch_template_instance_type— The instance type to configure in the launch template. This value will be used when the- instance_typesfield is set to null (NOT omitted, in which case- node_group_default_instance_typeswill be used).
- node_group_names— The names of the node groups. When null, this value is automatically calculated from the- managed_node_group_configurationsmap. This variable must be set if any of the values of the- managed_node_group_configurationsmap depends on a resource that is not available at plan time to work around terraform limitations with- for_each.
- node_group_security_group_tags— A map of tags to apply to the Security Group of the ASG for the managed node group pool. The key is the tag name and the value is the tag value.
- ssh_grunt_iam_group— If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to the EKS workers. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain).
- ssh_grunt_iam_group_sudo— If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to the EKS workers with sudo permissions. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain).
- tenancy— The tenancy of the servers in the self-managed worker ASG. Must be one of: default, dedicated, or host.
- use_exec_plugin_for_auth— If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. Use the- use_kubergrunt_to_fetch_tokeninput variable to control whether kubergrunt or aws is used to fetch tokens.
- use_kubergrunt_to_fetch_token— EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based plugin to fetch an up-to-date token. If this variable is set to true, we'll use kubergrunt to fetch the token (in which case, kubergrunt must be installed and on PATH); if this variable is set to false, we'll use the aws CLI to fetch the token (in which case, aws must be installed and on PATH). Note this functionality is only enabled if- use_exec_plugin_for_authis set to true.
- use_prefix_mode_to_calculate_max_pods— When true, assumes prefix delegation mode is in use for the AWS VPC CNI component of the EKS cluster when computing max pods allowed on the node. In prefix delegation mode, each ENI will be allocated 16 IP addresses (/28) instead of 1, allowing you to pack more Pods per node.
- worker_k8s_role_mapping_name— Name of the IAM role to Kubernetes RBAC group mapping ConfigMap. Only used if- aws_auth_merger_namespaceis not null.
- worker_name_prefix— Prefix EKS worker resource names with this string. When you have multiple worker groups for the cluster, you can use this to namespace the resources. Defaults to empty string so that resource names are not excessively long by default.
- managed_node_group_arns— Map of Node Group names to ARNs of the created EKS Node Groups.
- managed_node_group_worker_iam_role_arn— The ARN of the IAM role associated with the Managed Node Group EKS workers.
- managed_node_group_worker_iam_role_name— The name of the IAM role associated with the Managed Node Group EKS workers.
- managed_node_group_worker_security_group_ids— Map of Node Group names to Auto Scaling Group security group IDs. Empty if- cluster_instance_keypair_nameis not set.
- managed_node_group_worker_shared_security_group_id— The ID of the common AWS Security Group associated with all the managed EKS workers.
- metric_widget_managed_node_group_worker_cpu_usage— A CloudWatch Dashboard widget that graphs CPU usage (percentage) of the Managed Node Group EKS workers.
- metric_widget_managed_node_group_worker_disk_usage— A CloudWatch Dashboard widget that graphs disk usage (percentage) of the Managed Node Group EKS workers.
- metric_widget_managed_node_group_worker_memory_usage— A CloudWatch Dashboard widget that graphs memory usage (percentage) of the Managed Node Group EKS workers.
- metric_widget_self_managed_worker_cpu_usage— A CloudWatch Dashboard widget that graphs CPU usage (percentage) of the self-managed EKS workers.
- metric_widget_self_managed_worker_disk_usage— A CloudWatch Dashboard widget that graphs disk usage (percentage) of the self-managed EKS workers.
- metric_widget_self_managed_worker_memory_usage— A CloudWatch Dashboard widget that graphs memory usage (percentage) of the self-managed EKS workers.
- self_managed_worker_iam_role_arn— The ARN of the IAM role associated with the self-managed EKS workers.
- self_managed_worker_iam_role_name— The name of the IAM role associated with the self-managed EKS workers.
- self_managed_worker_security_group_id— The ID of the AWS Security Group associated with the self-managed EKS workers.
- worker_asg_names— The list of names of the ASGs that were deployed to act as EKS workers.