SquareOps Technologies Your DevOps Partner for Accelerating cloud journey.
This module simplifies the deployment of EKS clusters with dual stack mode for Cluster IP family like IPv6 and IPv4, allowing users to quickly create and manage a production-grade Kubernetes cluster on AWS. The module is highly configurable, allowing users to customize various aspects of the EKS cluster, such as the Kubernetes version, worker node instance type, number of worker nodes, and now with added support for EKS version 1.27.
we've introduced a new functionality that enhances the ease of cluster setup. Users can now choose to create a default nodegroup based on the value of default_addon_enabled.the module now seamlessly integrates default addons, including CoreDNS, Kube-proxy, VPC CNI, and EBS CSI Driver. This ensures that your EKS clusters are equipped with essential components for optimal performance and functionality right from the start.
With this module, users can take advantage of the latest features and improvements offered by EKS 1.27 while maintaining the ease and convenience of automated deployment. The module provides a streamlined solution for setting up EKS clusters, reducing the manual effort required for setup and configuration.
module "eks" {
source = "squareops/eks/aws"
name = "skaf"
vpc_id = "vpc-xyz425342176"
subnet_ids = [module.vpc.private_subnets[0]]
min_size = 2
max_size = 5
desired_size = 2
ebs_volume_size = 50
capacity_type = "ON_DEMAND"
instance_types = ["t3a.large", "t2.large", "t2.xlarge", "t3.large", "m5.large"]
environment = "prod"
kms_key_arn = "arn:aws:kms:us-east-2:222222222222:key/kms_key_arn"
cluster_version = "1.27"
cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
private_subnet_ids = ["subnet-abc123" , "subnet-xyz12324"]
cluster_log_retention_in_days = 30
cluster_endpoint_public_access = true
cluster_endpoint_public_access_cidrs = ["0.0.0.0/0"]
create_aws_auth_configmap = true
default_addon_enabled = true
eks_nodes_keypair_name = module.key_pair_eks.key_pair_name
aws_auth_roles = [
{
rolearn = "arn:aws:iam::222222222222:role/service-role"
username = "username"
groups = ["system:masters"]
}
]
aws_auth_users = [
{
userarn = "arn:aws:iam::222222222222:user/aws-user"
username = "aws-user"
groups = ["system:masters"]
},
]
additional_rules = {
ingress_port_mgmt_tcp = {
description = "mgmt vpc cidr"
protocol = "tcp"
from_port = 443
to_port = 443
type = "ingress"
cidr_blocks = ["10.10.0.0/16"]
}
}
}
module "managed_node_group_production" {
source = "squareops/eks/aws//modules/managed-nodegroup"
depends_on = [module.eks]
name = "Infra"
min_size = 1
max_size = 3
desired_size = 1
subnet_ids = ["subnet-abc123"]
environment = "prod"
kms_key_arn = "arn:aws:kms:us-east-2:222222222222:key/kms_key_arn"
capacity_type = "ON_DEMAND"
ebs_volume_size = 50
instance_types = ["t3a.large", "t2.large", "t2.xlarge", "t3.large", "m5.large"]
kms_policy_arn = module.eks.kms_policy_arn
eks_cluster_name = module.eks.cluster_name
worker_iam_role_name = module.eks.worker_iam_role_name
default_addon_enabled = true
eks_nodes_keypair_name = "key-pair-name"
k8s_labels = {
"Infra-Services" = "true"
}
tags = {
Name = "prod-cluster"
}
}
module "farget_profle" {
source = "squareops/eks/aws//modules/fargate-profile"
depends_on = [module.eks]
profile_name = "app"
subnet_ids = ["subnet-abc123"]
environment = "prod"
cluster_name = module.eks.cluster_name
namespace = "default"
labels = {
"App-Services" = "fargate"
}
}
Refer examples for more details.
The required IAM permissions to create resources from this module can be found here
The EKS module is designed to be used as a standalone Terraform module. We recommend using EKS-Addons module in conjunction to enhance functionality.
Security scanning is graciously provided by Prowler. Prowler is the leading fully hosted, cloud-native solution providing continuous cluster security and compliance.
In this module, we have implemented the following CIS Compliance checks for EKS:
| Benchmark | Description | Status |
|---|---|---|
| Ensure EKS Control Plane Audit Logging is enabled for all log types | Control plane logging enabled and correctly configured for EKS cluster | ✔ |
| Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) | Encryption for Kubernetes secrets is configured for EKS cluster | ✔ |
| Ensure EKS Clusters are created with Private Endpoint Enabled and Public Access Disabled | Cluster endpoint access is private for EKS cluster | ✔ |
| Restrict Access to the EKS Control Plane Endpoint | Cluster control plane access is restricted for EKS cluster | ✔ |
| Name | Version |
|---|---|
| terraform | >= 1.0 |
| aws | >= 4.47 |
| helm | >= 2.6 |
| kubernetes | >= 2.10 |
| time | >= 0.9 |
| tls | >= 3.0 |
| Name | Version |
|---|---|
| aws | >= 4.47 |
| template | n/a |
| Name | Source | Version |
|---|---|---|
| eks_addon | terraform-aws-modules/eks/aws | 19.15.2 |
| eks | terraform-aws-modules/eks/aws | 19.15.2 |
| Name | Type |
|---|---|
| aws_eks_node_group.default_ng | resource |
| aws_iam_policy.eks_cni_ipv6_policy | resource |
| aws_iam_policy.kubernetes_pvc_kms_policy | resource |
| aws_iam_policy.node_autoscaler_policy | resource |
| aws_iam_role.node_role | resource |
| aws_iam_role_policy_attachment.SSMManagedInstanceCore_attachment | resource |
| aws_iam_role_policy_attachment.cni_policy | resource |
| aws_iam_role_policy_attachment.eks_kms_cluster_policy_attachment | resource |
| aws_iam_role_policy_attachment.eks_kms_worker_policy_attachment | resource |
| aws_iam_role_policy_attachment.eks_worker_ecr_policy | resource |
| aws_iam_role_policy_attachment.eks_worker_policy | resource |
| aws_iam_role_policy_attachment.node_autoscaler_policy | resource |
| aws_launch_template.eks_template | resource |
| aws_ami.launch_template_ami | data source |
| aws_iam_policy.SSMManagedInstanceCore | data source |
| template_file.launch_template_userdata | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| environment | Environment identifier for the EKS cluster, such as dev, qa, prod, etc. | string |
"" |
no |
| name | Specify the name of the EKS cluster. | string |
"" |
no |
| cluster_version | Specifies the Kubernetes version (major.minor) to use for the EKS cluster. | string |
"" |
no |
| cluster_endpoint_public_access | Whether the Amazon EKS public API server endpoint is enabled or not. | bool |
true |
no |
| cluster_endpoint_public_access_cidrs | CIDR blocks that can access the Amazon EKS public API server endpoint. | list(string) |
[ |
no |
| vpc_id | ID of the VPC where the EKS cluster will be deployed. | string |
"" |
no |
| kms_key_arn | ARN of the KMS key used to encrypt EKS resources. | string |
"" |
no |
| cluster_log_types | A list of desired control plane logs to enable for the EKS cluster. Valid values include: api, audit, authenticator, controllerManager, scheduler. | list(string) |
[ |
no |
| cluster_log_retention_in_days | Retention period for EKS cluster logs in days. Default is set to 90 days. | number |
90 |
no |
| private_subnet_ids | Private subnets of the VPC which can be used by EKS | list(string) |
[ |
no |
| create_kms_key | Controls if a KMS key for cluster encryption should be created | bool |
false |
no |
| additional_rules | List of additional security group rules to add to the cluster security group created. | any |
{} |
no |
| create_aws_auth_configmap | Determines whether to manage the aws-auth configmap | bool |
false |
no |
| aws_auth_users | List of user maps to add to the aws-auth configmap | any |
[] |
no |
| aws_auth_roles | List of role maps to add to the aws-auth configmap | list(any) |
[] |
no |
| ipv6_enabled | Enable cluster IP family as Ipv6 | bool |
false |
no |
| default_addon_enabled | Enable deafult addons(vpc-cni, ebs-csi) at the time of cluster creation | bool |
false |
no |
| eks_nodes_keypair_name | The public key to be used for EKS cluster worker nodes. | string |
"" |
no |
| eks_cluster_name | Name of EKS cluster | string |
"" |
no |
| instance_types | The instance types to be used for the EKS node group (e.g., t2.medium). | list(any) |
[ |
no |
| capacity_type | The capacity type for the EKS node group (ON_DEMAND or SPOT). | string |
"ON_DEMAND" |
no |
| image_high_threshold_percent | The percentage of disk usage at which garbage collection should be triggered. | number |
60 |
no |
| image_low_threshold_percent | The percentage of disk usage at which garbage collection took place. | number |
40 |
no |
| eventRecordQPS | The maximum number of events created per second. | number |
5 |
no |
| associate_public_ip_address | Set to true to enable network interface for launch template. | bool |
false |
no |
| enable_monitoring | Specify whether to enable monitoring for nodes. | bool |
true |
no |
| min_size | The minimum number of nodes for the node group. | string |
"1" |
no |
| max_size | The maximum number of nodes that can be added to the node group. | string |
"3" |
no |
| desired_size | The desired number of nodes for the node group. | string |
"1" |
no |
| ebs_volume_size | The type of EBS volume for nodes. | string |
"50" |
no |
| ebs_volume_type | Specify the type of EBS volume for nodes. | string |
"gp3" |
no |
| ebs_encrypted | Specify whether to encrypt the EBS volume for nodes. | bool |
true |
no |
| subnet_ids | The IDs of the subnets in the VPC that can be used by EKS. | list(string) |
[ |
no |
| tags | Tags to be applied to the node group. | any |
{} |
no |
| k8s_labels | Labels to be applied to the Kubernetes node groups. | map(any) |
{} |
no |
| worker_iam_role_arn | The ARN of the worker role for EKS. | string |
"" |
no |
| worker_iam_role_name | The name of the EKS Worker IAM role. | string |
"" |
no |
| Name | Description |
|---|---|
| cluster_name | Name of the Kubernetes cluster. |
| cluster_endpoint | Endpoint URL for the EKS control plane. |
| cluster_security_group_id | Security group IDs that are attached to the control plane of the EKS cluster. |
| cluster_arn | ARN of the EKS Cluster. |
| cluster_oidc_issuer_url | URL of the OpenID Connect identity provider on the EKS cluster. |
| worker_iam_role_arn | ARN of the IAM role assigned to the EKS worker nodes. |
| worker_iam_role_name | Name of the IAM role assigned to the EKS worker nodes. |
| kms_policy_arn | ARN of the KMS policy that is used by the EKS cluster. |
| cluster_certificate_authority_data | Base64 encoded certificate data required to communicate with the cluster |
| default_ng_node_group_arn | ARN for the nodegroup |
| default_ng_min_node | n/a |
| default_ng_max_node | n/a |
| default_ng_desired_node | n/a |
| default_ng_capacity_type | n/a |
| default_ng_instance_types | n/a |
| default_ng_ebs_volume_size | n/a |
To report an issue with a project:
- Check the repository's issue tracker on GitHub
- Search to see if the issue has already been reported
- If you can't find an answer to your question in the documentation or issue tracker, you can ask a question by creating a new issue. Be sure to provide enough context and details so others can understand your problem.
Apache License, Version 2.0, January 2004 (http://www.apache.org/licenses/).
To support a GitHub project by liking it, you can follow these steps:
-
Visit the repository: Navigate to the GitHub repository.
-
Click the "Star" button: On the repository page, you'll see a "Star" button in the upper right corner. Clicking on it will star the repository, indicating your support for the project.
-
Optionally, you can also leave a comment on the repository or open an issue to give feedback or suggest changes.
Starring a repository on GitHub is a simple way to show your support and appreciation for the project. It also helps to increase the visibility of the project and make it more discoverable to others.
We believe that the key to success in the digital age is the ability to deliver value quickly and reliably. That’s why we offer a comprehensive range of DevOps & Cloud services designed to help your organization optimize its systems & Processes for speed and agility.
- We are an AWS Advanced consulting partner which reflects our deep expertise in AWS Cloud and helping 100+ clients over the last 4 years.
- Expertise in Kubernetes and overall container solution helps companies expedite their journey by 10X.
- Infrastructure Automation is a key component to the success of our Clients and our Expertise helps deliver the same in the shortest time.
- DevSecOps as a service to implement security within the overall DevOps process and helping companies deploy securely and at speed.
- Platform engineering which supports scalable,Cost efficient infrastructure that supports rapid development, testing, and deployment.
- 24*7 SRE service to help you Monitor the state of your infrastructure and eradicate any issue within the SLA.
We provide support on all of our projects, no matter how small or large they may be.
To find more information about our company, visit squareops.com, follow us on Linkedin, or fill out a job application. If you have any questions or would like assistance with your cloud strategy and implementation, please don't hesitate to contact us.