Bootstrap module for an AWS EKS cluster.

Due to an issue in the amazon-cloudwatch-observability EKS add-on, fluent-bit and the CloudWatch Agent are not deployed on tainted nodes. Toleration support in the add-on is in "Proposed" state in aws/containers-roadmap#2195.

Until that feature is released, you must manually add tolerations to the AmazonCloudWatchAgent custom resource and to the fluent-bit DaemonSet. The patch files are in the eks-add-ons-patches directory; apply them with kubectl as follows:

```bash
# Patch the FluentBit DaemonSet
kubectl -n amazon-cloudwatch patch daemonset fluent-bit --type merge --patch-file eks-add-ons-patches/fluent-bit.yaml

# Patch the AmazonCloudWatchAgent resource (which produces the cloudwatch-agent DaemonSet)
kubectl -n amazon-cloudwatch patch AmazonCloudWatchAgent cloudwatch-agent --type merge --patch-file eks-add-ons-patches/cloudwatch-agent.yaml
```

The patches add the blanket toleration (empty key, operator `Exists`) to both resources, so the agent pods are scheduled on every node regardless of its taints. As the Kubernetes documentation on taints and tolerations puts it:

> An empty key with operator Exists matches all keys, values and effects which means this will tolerate everything.

Two things to keep in mind. `--type merge` is a JSON merge patch, so the `tolerations` list in the patch file replaces any tolerations already present on the resource instead of being appended to them; this is harmless here because the blanket toleration covers everything the previous list did. And because the patch is applied outside both Terraform and the add-on, check after every add-on update that one fluent-bit and one cloudwatch-agent pod is still running on each node (`kubectl -n amazon-cloudwatch get pods -o wide`) and re-apply the patches if not.
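The following is an added example, not code from this module or from the add-on: it models what the `kubectl patch --type merge` command above does to the DaemonSet object (RFC 7386 JSON merge patch, in which a list in the patch replaces the list on the object wholesale) and then applies the Kubernetes toleration-matching rule to show which tainted nodes the patched pods may land on, compared with a narrower toleration. The patch body is reconstructed from the description on this page (an empty-key toleration with operator `Exists`), not copied from `eks-add-ons-patches/fluent-bit.yaml`; the DaemonSet, node names and taints are constructed sample data, and the AmazonCloudWatchAgent custom resource, which has its own schema, is not modelled.

```python
"""Added example: effect of the blanket-toleration merge patch on a DaemonSet,
and which tainted nodes its pods can then be scheduled on.
Assumptions: the patch body is reconstructed from the page's description, and
the DaemonSet and node taints below are constructed sample data."""
from typing import Any, Dict, List

Taint = Dict[str, str]       # keys: key, value, effect
Toleration = Dict[str, str]  # keys: key, operator, value, effect (all optional)

# Taint effects that block scheduling when untolerated; PreferNoSchedule is soft.
HARD_EFFECTS = {"NoSchedule", "NoExecute"}

# Reconstructed (assumption): the blanket toleration as a JSON merge patch
# against a DaemonSet, as the page describes the fix.
BLANKET_PATCH: Dict[str, Any] = {
    "spec": {"template": {"spec": {"tolerations": [{"operator": "Exists"}]}}}
}

# Narrower alternative (assumption): tolerate only one dedicated-node taint.
NARROW_TOLERATIONS: List[Toleration] = [
    {"key": "dedicated", "operator": "Equal", "value": "ingress", "effect": "NoSchedule"}
]

# Constructed sample: a DaemonSet that already carries one toleration before patching.
SAMPLE_DAEMONSET: Dict[str, Any] = {
    "metadata": {"name": "fluent-bit", "namespace": "amazon-cloudwatch"},
    "spec": {"template": {"spec": {
        "tolerations": [{"key": "CriticalAddonsOnly", "operator": "Exists"}],
    }}},
}

# Constructed sample nodes: one untainted group and three tainted ones.
SAMPLE_NODES: Dict[str, List[Taint]] = {
    "ip-10-0-1-10": [],
    "ip-10-0-2-10": [{"key": "dedicated", "value": "ingress", "effect": "NoSchedule"}],
    "ip-10-0-3-10": [{"key": "nvidia.com/gpu", "value": "true", "effect": "NoSchedule"}],
    "ip-10-0-4-10": [
        {"key": "node.kubernetes.io/unreachable", "effect": "NoExecute"},
        {"key": "workload", "value": "batch", "effect": "PreferNoSchedule"},
    ],
}


def json_merge_patch(target: Any, patch: Any) -> Any:
    """RFC 7386: objects merge key by key, null deletes a key, and any other
    value (lists included) replaces the target value. Does not mutate target."""
    if not isinstance(patch, dict):
        return patch
    result = dict(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = json_merge_patch(result.get(key), value)
    return result


def pod_tolerations(daemonset: Dict[str, Any]) -> List[Toleration]:
    return daemonset["spec"]["template"]["spec"].get("tolerations", [])


def tolerates(tol: Toleration, taint: Taint) -> bool:
    """Kubernetes matching rule: an effect or key given in the toleration must
    match the taint's; Exists ignores the value; Equal (the default) compares it."""
    if tol.get("effect") and tol["effect"] != taint.get("effect"):
        return False
    if tol.get("key") and tol["key"] != taint.get("key"):
        return False
    operator = tol.get("operator") or "Equal"
    if operator == "Exists":
        return True
    if operator == "Equal":
        return tol.get("value", "") == taint.get("value", "")
    raise ValueError(f"unknown toleration operator {operator!r}")


def untolerated_taints(tolerations: List[Toleration], taints: List[Taint]) -> List[Taint]:
    """Hard taints on a node that no toleration covers; empty means schedulable.
    Only explicit tolerations are modelled, not the node-condition tolerations
    the DaemonSet controller injects on its own."""
    return [
        taint for taint in taints
        if taint.get("effect") in HARD_EFFECTS
        and not any(tolerates(tol, taint) for tol in tolerations)
    ]


def schedulable_nodes(tolerations: List[Toleration], nodes: Dict[str, List[Taint]]) -> List[str]:
    return sorted(name for name, taints in nodes.items()
                  if not untolerated_taints(tolerations, taints))


if __name__ == "__main__":
    patched = json_merge_patch(SAMPLE_DAEMONSET, BLANKET_PATCH)
    print("tolerations after merge patch:", pod_tolerations(patched))
    print("blanket toleration schedules on:", schedulable_nodes(pod_tolerations(patched), SAMPLE_NODES))
    print("narrow toleration schedules on: ", schedulable_nodes(NARROW_TOLERATIONS, SAMPLE_NODES))
    for name, taints in SAMPLE_NODES.items():
        missing = untolerated_taints(NARROW_TOLERATIONS, taints)
        if missing:
            print(f"  {name} skipped by narrow toleration: {[t['key'] for t in missing]}")
```

Running it shows the pre-existing `CriticalAddonsOnly` toleration gone after the merge patch, the blanket toleration landing pods on all four nodes (including the one with a `NoExecute` taint), and the narrow toleration reaching only the untainted node and the `dedicated=ingress` node. That is the trade-off the patch makes: node-level log and metrics agents are expected everywhere, so the blanket toleration is the right fit for them, but the same toleration on any other workload would defeat taints that exist to isolate node groups.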
| Name | Version |
|---|---|
| aws | >= 4.63 |
| helm | >= 2.9 |
| kubectl | >= 1.14 |
| kubernetes | >= 2.26 |
| random | >= 3.5 |
| Name | Version |
|---|---|
| terraform | >= 1.0 |
| aws | >= 4.63 |
| helm | >= 2.9 |
| kubectl | >= 1.14 |
| kubernetes | >= 2.26 |
| random | >= 3.5 |
| template | >= 2.2 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| admin_users | n/a | `list(any)` | n/a | yes |
| aws_alb_controller_helm_config | AWS Load Balancer Controller Helm Chart Configuration | `any` | `{}` | no |
| aws_ebs_csi_driver_helm_config | AWS EBS CSI Driver Helm Chart Configuration | `any` | `{}` | no |
| aws_node_termination_handler_helm_config | AWS Node Termination Handler Helm Chart Configuration | `any` | `{}` | no |
| calico_helm_config | Calico Helm Chart Configuration | `any` | `{}` | no |
| cert_manager_helm_config | Cert Manager Helm Chart Configuration | `any` | `{}` | no |
| cloudwatch_log_group_retention_in_days | Number of days to retain log events. | `number` | `7` | no |
| cluster_access_admin_groups | The list of groups that will be mapped to the admin role in the application namespaces. | `list(string)` | n/a | yes |
| cluster_access_developer_groups | The list of groups that will be mapped to the developer role in the application namespaces. | `list(string)` | n/a | yes |
| cluster_access_map_users | Cluster access | `list(` | `[]` | no |
| cluster_additional_addons | Additional add-ons to install for the EKS cluster. | `map(any)` | `{}` | no |
| cluster_autoscaler_chart_version | Cluster Autoscaler Helm Chart Version | `string` | `"9.35.0"` | no |
| cluster_autoscaler_helm_config | Cluster Autoscaler Helm Chart Configuration | `any` | `{}` | no |
| cluster_enable_amazon_cloudwatch_observability_addon | Indicates whether to enable Amazon CloudWatch Container Insights for Kubernetes. | `bool` | `true` | no |
| cluster_enabled_log_types | A list of the desired control plane log types to enable. For more information, see Amazon EKS Cluster Logging in the Amazon EKS User Guide. | `list(string)` | `[]` | no |
| cluster_endpoint_private_access | Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is true. | `bool` | `true` | no |
| cluster_endpoint_public_access | Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is true. | `bool` | `true` | no |
| cluster_endpoint_public_access_cidrs | List of CIDR blocks. Indicates which CIDR blocks can access the Amazon EKS public API server endpoint when enabled. | `list(string)` | `[` | no |
| cluster_iam_role_additional_policies | Additional policies to be added to the cluster IAM role. | `map(string)` | `{}` | no |
| cluster_name | The name of the EKS cluster | `string` | n/a | yes |
| cluster_version | The Kubernetes version to use for the EKS cluster. | `string` | `"1.24"` | no |
| customer_application | Customer application | `map(object({` | n/a | yes |
| developer_users | n/a | `list(any)` | n/a | yes |
| ecr_enable_lifecycle_policy | Enable lifecycle policy for ECR repositories. | `bool` | `true` | no |
| ecr_lifecycle_expiration_days | Number of days after which untagged images expire. Only applies if ecr_enable_lifecycle_policy is true. | `number` | `30` | no |
| ecr_lifecycle_policy_excluded_repositories | A list of ECR repository names to exclude from the default lifecycle policy. | `list(string)` | `[]` | no |
| ecr_protected_tag_patterns | List of tag patterns to keep in the ECR lifecycle policy. | `list(string)` | `[` | no |
| eks_managed_node_groups | Cluster node groups | `any` | `{` | no |
| enable_aws_alb_controller | Enable AWS Load Balancer Controller | `bool` | `false` | no |
| enable_aws_ebs_csi_driver | Enable AWS EBS CSI Driver | `bool` | `true` | no |
| enable_aws_node_termination_handler | Enable AWS Node Termination Handler | `bool` | `true` | no |
| enable_calico | Enable Calico | `bool` | `false` | no |
| enable_cert_manager | Enable Cert Manager | `bool` | `true` | no |
| enable_cluster_autoscaler | Enable Cluster Autoscaler | `bool` | `true` | no |
| enable_default_eks_addons | Enable the default EKS add-ons (vpc-cni). | `bool` | `true` | no |
| enable_firestarter_operations | Enable Firestarter Operations | `bool` | `false` | no |
| enable_fluentbit | Enable Fluentbit | `bool` | `true` | no |
| enable_gitlab_runner | Enable Gitlab Runner | `bool` | `true` | no |
| enable_ingress_nginx | Enable Ingress Nginx | `bool` | `true` | no |
| enable_kube_prometheus_stack | Enable Kube Prometheus Stack | `bool` | `false` | no |
| enable_metric_server | Enable Metric Server | `bool` | `true` | no |
| enable_velero | Enable Velero | `bool` | `false` | no |
| enable_velero_bucket_lifecycle | Enable Velero Bucket Lifecycle | `bool` | `true` | no |
| enhanced_container_insights_enabled | Indicates whether to enable enhanced CloudWatch Container Insights for Kubernetes. | `bool` | `true` | no |
| fluentbit_additional_exclude_from_application_log_group | List of application logs to exclude from the application log group | `list(string)` | `[]` | no |
| fluentbit_additional_include_in_platform_log_group | List of platform logs to include in the platform log group | `list(string)` | `[]` | no |
| gitlab_runner_additional_policy_arns | Gitlab Runner Additional Policy ARNs | `list(string)` | `[]` | no |
| gitlab_runner_registration_token | Gitlab Runner Registration Token (a secret: supply it from a variable or secret store rather than hard-coding it in configuration) | `string` | `""` | no |
| gitlab_runner_tags | Gitlab Runner tags | `list(string)` | `[` | no |
| ingress_nginx_helm_config | Ingress Nginx Helm Chart Configuration | `any` | `{}` | no |
| install_letsencrypt_issuers | Install Let's Encrypt Issuers | `bool` | `true` | no |
| kube_prometheus_grafana_hostname | n/a | `string` | `""` | no |
| kube_prometheus_storage_zone | n/a | `list(string)` | `[]` | no |
| letsencrypt_email | Email address for expiration emails from Let's Encrypt. | `string` | `"example@example.com"` | no |
| metric_server_chart_version | Metric Server Helm Chart Version | `string` | `"3.12.0"` | no |
| metric_server_helm_config | Metric Server Helm Chart Configuration | `any` | `{}` | no |
| private_subnet_ids | n/a | `list(string)` | n/a | yes |
| project | Project name | `string` | n/a | yes |
| prometheus_stack_additional_values | Additional values for Kube Prometheus Stack | `list(string)` | `[]` | no |
| velero_bucket_expiration_days | n/a | `number` | `90` | no |
| velero_bucket_glacier_days | n/a | `number` | `60` | no |
| velero_bucket_infrequently_access_days | n/a | `number` | `30` | no |
| velero_chart_version | Velero Helm Chart Version | `string` | `"6.0.0"` | no |
| velero_helm_config | Velero Helm Chart Configuration | `any` | `{}` | no |
| velero_helm_values | Velero helm chart values | `string` | `""` | no |
| velero_schedule_cron | Velero Schedule Cron | `string` | `"0 4 * * *"` | no |
| vpc_cidr_block | n/a | `string` | n/a | yes |
| vpc_id | VPC | `string` | n/a | yes |
| Name | Description |
|---|---|
| aws_eks_cluster_auth_token | n/a |
| cluster_arn | n/a |
| cluster_certificate_authority_data | n/a |
| cluster_endpoint | n/a |
| customer_application_ecr_repository | n/a |
| customer_application_namespaces | n/a |
| grafana_admin_password | Grafana admin password |
| ingress_nginx_dns_name | n/a |
| ingress_nginx_zone_id | n/a |
| managed_node_group_iam_roles | IAM role names of the EKS managed node groups |
| Name | Source | Version |
|---|---|---|
| aws_ebs_csi_driver_identity | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> 5.0 |
| cluster_access | github.com/sparkfabrik/terraform-kubernetes-cluster-access | 0.3.0 |
| cluster_autoscaler_irsa_role | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.17 |
| eks | terraform-aws-modules/eks/aws | ~> 19.13 |
| firestarter_operations | ./modules/firestarter-operations | n/a |
| fluentbit | github.com/sparkfabrik/terraform-helm-fluentbit | 0.4.0 |
| gitlab_runner | github.com/sparkfabrik/terraform-aws-eks-gitlab-runner | 4e020f8 |
| iam_assumable_role_with_oidc_for_eks_addons | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> 5.0 |
| ingress_nginx | github.com/sparkfabrik/terraform-helm-ingress-nginx | 0.8.0 |
| kube_prometheus_stack | github.com/sparkfabrik/terraform-sparkfabrik-prometheus-stack | 4.0.0 |
| load_balancer_controller_irsa_role | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.17 |
| node_termination_handler_irsa_role | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.17 |
| velero_irsa_role | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.20 |