

terraform-aws-eks-cluster

Module Documentation

The sections below are generated from the module source with terraform-docs. The usage example is a complete module invocation; the Inputs and Outputs tables are the module's full interface.

Usage

```hcl
module "cluster" {
  source = "github.com/nebari-dev/terraform-aws-eks-cluster"

  project_name = "eks-cluster"

  # VPC configuration
  create_vpc         = true
  availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
  vpc_cidr_block     = "10.10.0.0/16"

  # Cluster configuration
  kubernetes_version      = "1.34"
  endpoint_private_access = true
  # NOTE: with the public endpoint enabled, endpoint_public_access_cidrs
  # defaults to ["0.0.0.0/0"]. Restrict it to your operator networks, or
  # keep endpoint_public_access = false and reach the API over VPN/peering.
  endpoint_public_access    = true
  cluster_enabled_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
  node_groups = {
    general = {
      instance  = "m6i.large"
      min_nodes = 1
      max_nodes = 5
      disk_size = 100
      labels = {
        role = "general"
      }
    }
    worker = {
      instance  = "t3.medium"
      spot      = true
      min_nodes = 1
      max_nodes = 6
      # Taint the Spot group so only interruption-tolerant batch pods
      # that tolerate dedicated=batch-jobs land on it.
      taints = [{
        key    = "dedicated"
        value  = "batch-jobs"
        effect = "NO_SCHEDULE"
      }]
    }
  }

  # EFS configuration
  efs_enabled          = true
  efs_performance_mode = "generalPurpose"
  efs_throughput_mode  = "elastic"
  efs_encrypted        = true

  # Node security group rules
  # Open ports for Longhorn admission (9502) and conversion (9501) webhooks
  # so the EKS control plane can reach them on the nodes. Scoping the source
  # to the cluster security group keeps these ports closed to everything else.
  node_security_group_additional_rules = {
    longhorn_webhook_admission = {
      description                   = "Cluster API to Longhorn admission webhook"
      protocol                      = "tcp"
      from_port                     = 9502
      to_port                       = 9502
      type                          = "ingress"
      source_cluster_security_group = true
    }
    longhorn_webhook_conversion = {
      description                   = "Cluster API to Longhorn conversion webhook"
      protocol                      = "tcp"
      from_port                     = 9501
      to_port                       = 9501
      type                          = "ingress"
      source_cluster_security_group = true
    }
  }

  tags = {
    Example = "eks-cluster"
    Project = "terraform-aws-eks-cluster"
  }
}
```

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.9 |
| aws | >= 6.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 6.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| aws_lb_controller_pod_identity | terraform-aws-modules/eks-pod-identity/aws | 2.7.0 |
| ebs_csi_pod_identity | terraform-aws-modules/eks-pod-identity/aws | 2.7.0 |
| efs | terraform-aws-modules/efs/aws | 2.0.0 |
| efs_csi_pod_identity | terraform-aws-modules/eks-pod-identity/aws | 2.7.0 |
| eks | terraform-aws-modules/eks/aws | 21.11.0 |
| iam | ./modules/iam | n/a |
| vpc | terraform-aws-modules/vpc/aws | 6.5.1 |
| vpc_endpoints | ./modules/vpc-endpoints | n/a |

Resources

| Name | Type |
|------|------|
| aws_availability_zones.available | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| `availability_zones` | List of availability zones to use. If not specified, automatically selects up to 3 available AZs in the region. | `list(string)` | `[]` | no |
| `cluster_enabled_log_types` | List of control plane log types to send to CloudWatch. Valid values: `api`, `audit`, `authenticator`, `controllerManager`, `scheduler`. The default captures only authenticator events; enable `api` and `audit` if you need to reconstruct who did what to the cluster. | `list(string)` | `["authenticator"]` | no |
| `create_iam_roles` | Whether to create new IAM roles for the EKS cluster and node groups. If false, `existing_cluster_iam_role_arn` and `existing_node_iam_role_arn` must be provided. | `bool` | `true` | no |
| `create_security_group` | Whether to create a new security group for the EKS cluster. If false, `existing_security_group_id` must be provided. | `bool` | `true` | no |
| `create_vpc` | Whether to create a new VPC with subnets. If false, `existing_vpc_id` and `existing_private_subnet_ids` must be provided. | `bool` | `true` | no |
| `efs_enabled` | Whether to create an EFS file system for the cluster. | `bool` | `false` | no |
| `efs_encrypted` | Whether to enable encryption at rest for the EFS file system. | `bool` | `true` | no |
| `efs_kms_key_arn` | The ARN of the KMS key to use for EFS encryption at rest. If unset, the AWS-managed EFS key is used. | `string` | `null` | no |
| `efs_performance_mode` | The performance mode of the EFS file system. | `string` | `"generalPurpose"` | no |
| `efs_provisioned_throughput_in_mibps` | The provisioned throughput in MiB/s for the EFS file system. Required if `efs_throughput_mode` is `provisioned`. | `number` | `null` | no |
| `efs_throughput_mode` | The throughput mode of the EFS file system. | `string` | `"bursting"` | no |
| `eks_kms_arn` | The ARN of the KMS key to use for envelope encryption of Kubernetes secrets. If not provided, EKS secrets will not be encrypted with a customer-managed key. | `string` | `null` | no |
| `enable_aws_load_balancer_controller_pod_identity` | Whether to provision the IAM role and EKS Pod Identity association for the AWS Load Balancer Controller. The role is bound to the `aws-load-balancer-controller` service account in `kube-system`. The controller itself is not installed by this module; consumers (e.g. nebari-infrastructure-core) are expected to install the Helm chart after cluster creation. Recommended for all new clusters. If set to false, you must create your own IAM role and pod identity association. | `bool` | `true` | no |
| `enable_cluster_creator_admin_permissions` | Whether to grant cluster-admin permissions to the IAM user or role that creates the EKS cluster, so the creator can manage the cluster after creation. With the default of false, grant access explicitly (for example through EKS access entries) instead of relying on the applying principal's identity. | `bool` | `false` | no |
| `endpoint_private_access` | Whether the Amazon EKS private API server endpoint is enabled. | `bool` | `true` | no |
| `endpoint_public_access` | Whether the Amazon EKS public API server endpoint is enabled. | `bool` | `false` | no |
| `endpoint_public_access_cidrs` | List of CIDR blocks which can access the public API server endpoint. Only relevant when `endpoint_public_access` is true; the default exposes the endpoint to the whole internet, so restrict it to known operator networks. | `list(string)` | `["0.0.0.0/0"]` | no |
| `existing_cluster_iam_role_arn` | ARN of an existing IAM role to use for the EKS cluster. Required when `create_iam_roles` is false. | `string` | `null` | no |
| `existing_node_iam_role_arn` | ARN of an existing IAM role to use for the EKS node groups. Required when `create_iam_roles` is false. | `string` | `null` | no |
| `existing_private_subnet_ids` | List of existing private subnet IDs to use. Required when `create_vpc` is false. | `list(string)` | `[]` | no |
| `existing_security_group_id` | ID of an existing security group to use. Required when `create_security_group` is false. | `string` | `null` | no |
| `existing_vpc_id` | ID of an existing VPC to use. Required when `create_vpc` is false. | `string` | `null` | no |
| `iam_role_permissions_boundary` | The ARN of the policy used as the permissions boundary for IAM roles created by this module. | `string` | `null` | no |
| `kubernetes_version` | Kubernetes `<major>.<minor>` version to use for the EKS cluster (e.g. `1.33`). | `string` | `null` | no |
| `node_groups` | Map of node groups to create, keyed by node group name. See the object schema below. | `map(object({...}))` | n/a | yes |
| `node_security_group_additional_rules` | Additional security group rules to add to the node security group created by the EKS module. Set `source_cluster_security_group = true` to allow traffic only from the cluster security group instead of an arbitrary CIDR. | `any` | `{}` | no |
| `project_name` | The name of the project. | `string` | n/a | yes |
| `tags` | A map of tags to add to all resources. | `map(string)` | `{}` | no |
| `vpc_cidr_block` | The CIDR block for the VPC. | `string` | `"10.0.0.0/16"` | no |

Each `node_groups` entry supports the following attributes:

- `instance` (required): EC2 instance type (e.g. `"m5.xlarge"`)
- `min_nodes`: Minimum number of nodes (default: 0)
- `max_nodes`: Maximum number of nodes (default: 1)
- `ami_type`: AMI type (`AL2023_x86_64_STANDARD`, `AL2023_ARM_64_STANDARD`, `AL2023_x86_64_NVIDIA`, etc.; default: `AL2023_x86_64_STANDARD`)
- `spot`: Use Spot instances for cost savings (default: false). Spot capacity can be reclaimed at short notice, so pair it with a taint and schedule only interruption-tolerant workloads there
- `disk_size`: Root disk size in GB (default: null, which leaves the EKS managed node group default of 20 GB)
- `labels`: Map of Kubernetes labels to apply to nodes (default: `{}`)
- `taints`: List of Kubernetes taints with keys `key`, `value`, `effect` (default: `[]`)

The full type of `node_groups`:

```hcl
map(object({
  instance  = string
  min_nodes = optional(number, 0)
  max_nodes = optional(number, 1)
  ami_type  = optional(string, "AL2023_x86_64_STANDARD")
  spot      = optional(bool, false)
  disk_size = optional(number, null)
  labels    = optional(map(string), {})
  taints = optional(list(object({
    key    = string
    value  = string
    effect = string # NO_SCHEDULE, NO_EXECUTE, or PREFER_NO_SCHEDULE
  })), [])
}))
```
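The inputs above also cover the "bring your own" path, which is the one most regulated environments need: an existing VPC and security group, pre-created IAM roles under a permissions boundary, a private-only API endpoint, a customer-managed KMS key for Kubernetes secrets, and every control plane log type enabled. The following is an added example written for this page, not a configuration from the module's own repository; every ARN, VPC, subnet, security group and key ID in it is a placeholder.

```hcl
# Added example (not the module's own code): hardened, private-endpoint
# cluster in an existing VPC. All identifiers below are placeholders.
module "cluster" {
  source = "github.com/nebari-dev/terraform-aws-eks-cluster"

  project_name       = "eks-private"
  kubernetes_version = "1.33"

  # Reuse network built elsewhere. With create_vpc = false the module creates
  # no public subnets, so nodes are reachable only from inside the VPC.
  create_vpc                  = false
  existing_vpc_id             = "vpc-0123456789abcdef0"                       # placeholder
  existing_private_subnet_ids = ["subnet-0aaaaaaaaaaaaaaaa", "subnet-0bbbbbbbbbbbbbbbb"] # placeholders
  create_security_group       = false
  existing_security_group_id  = "sg-0123456789abcdef0"                        # placeholder

  # IAM roles created out of band (e.g. by a platform team). The permissions
  # boundary is passed as well so that any IAM role the module still creates
  # (the pod identity roles) is constrained by it.
  create_iam_roles              = false
  existing_cluster_iam_role_arn = "arn:aws:iam::123456789012:role/eks-cluster-role"       # placeholder
  existing_node_iam_role_arn    = "arn:aws:iam::123456789012:role/eks-node-role"          # placeholder
  iam_role_permissions_boundary = "arn:aws:iam::123456789012:policy/PlatformBoundary"     # placeholder

  # Private endpoint only. Because the public endpoint is off, the
  # endpoint_public_access_cidrs default of 0.0.0.0/0 is never applied.
  endpoint_private_access = true
  endpoint_public_access  = false

  # Envelope-encrypt Kubernetes secrets with a customer-managed key and send
  # every control plane log type to CloudWatch for audit and detection.
  eks_kms_arn               = "arn:aws:kms:us-west-2:123456789012:key/11111111-2222-3333-4444-555555555555" # placeholder
  cluster_enabled_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]

  # Do not implicitly make the applying principal cluster-admin; access is
  # granted explicitly after creation.
  enable_cluster_creator_admin_permissions = false

  # EFS at rest under the same customer-managed key.
  efs_enabled     = true
  efs_encrypted   = true
  efs_kms_key_arn = "arn:aws:kms:us-west-2:123456789012:key/11111111-2222-3333-4444-555555555555" # placeholder

  node_groups = {
    system = {
      instance  = "m6i.large"
      min_nodes = 2
      max_nodes = 4
      labels    = { role = "system" }
    }
  }

  tags = {
    Project = "eks-private"
  }
}
```

With `endpoint_public_access = false`, `terraform apply` and `kubectl` must run from a host with a route into the VPC (VPN, peering or a bastion); the `kubeconfig_command` output still works, the endpoint simply resolves to private addresses.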

Outputs

| Name | Description |
|------|-------------|
| `aws_load_balancer_controller_role_arn` | IAM role ARN for the AWS Load Balancer Controller pod identity association (null if `enable_aws_load_balancer_controller_pod_identity` is false) |
| `cluster_arn` | The Amazon Resource Name (ARN) of the cluster |
| `cluster_certificate_authority_data` | Base64-encoded certificate data required to communicate with the cluster |
| `cluster_endpoint` | Endpoint for your Kubernetes API server |
| `cluster_iam_role_arn` | IAM role ARN of the EKS cluster |
| `cluster_id` | The ID of the EKS cluster |
| `cluster_name` | The name of the EKS cluster |
| `cluster_oidc_issuer_url` | The URL on the EKS cluster for the OpenID Connect identity provider |
| `cluster_security_group_id` | Security group ID attached to the EKS cluster |
| `efs_arn` | The ARN of the EFS file system (null if EFS not enabled) |
| `efs_csi_driver_role_arn` | IAM role ARN for the EFS CSI driver (null if EFS not enabled) |
| `efs_dns_name` | The DNS name of the EFS file system (null if EFS not enabled) |
| `efs_id` | The ID of the EFS file system (null if EFS not enabled) |
| `kubeconfig_command` | Command to update the local kubeconfig for this cluster |
| `node_groups` | Outputs from EKS node groups |
| `node_iam_role_arn` | IAM role ARN used by EKS node groups |
| `node_security_group_id` | ID of the shared node security group |
| `oidc_provider_arn` | ARN of the OIDC provider for EKS (for IRSA) |
| `private_subnet_ids` | List of IDs of private subnets used by the EKS cluster |
| `public_subnet_ids` | List of IDs of created public subnets (empty list if using existing subnets) |
| `vpc_endpoints_security_group_id` | Security group ID used by VPC endpoints (null if VPC endpoints not created) |
| `vpc_id` | The ID of the VPC used by the EKS cluster |
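The outputs give you enough to verify, in the same Terraform run, that the cluster actually has the posture the inputs were meant to enforce (public endpoint scope, private endpoint, audit logging, secrets encryption). The block below is an added example written for this page, not part of the module. It assumes the module is instantiated as `module "cluster"` as in the usage section, and reads the live cluster back through the `aws_eks_cluster` data source of the AWS provider; `local.required_log_types` is a name chosen here.

```hcl
# Added example (not the module's own code): post-apply guardrails as
# Terraform `check` blocks. They compare the live cluster, looked up by the
# module's cluster_name output, against the intended security posture.
data "aws_eks_cluster" "this" {
  name = module.cluster.cluster_name
}

locals {
  vpc_config = data.aws_eks_cluster.this.vpc_config[0]

  # Log types needed to answer "who called the API and what did they do".
  required_log_types = toset(["api", "audit", "authenticator"])
}

check "api_endpoint_not_world_reachable" {
  assert {
    # Either the public endpoint is off, or it is not open to 0.0.0.0/0.
    condition = (
      !local.vpc_config.endpoint_public_access ||
      !contains(local.vpc_config.public_access_cidrs, "0.0.0.0/0")
    )
    error_message = "EKS public API endpoint is open to 0.0.0.0/0; set endpoint_public_access_cidrs or disable endpoint_public_access."
  }
}

check "private_endpoint_enabled" {
  assert {
    condition     = local.vpc_config.endpoint_private_access
    error_message = "EKS private API endpoint is disabled; in-VPC clients would traverse the public endpoint."
  }
}

check "audit_logging_enabled" {
  assert {
    # Every required log type must appear in the cluster's enabled set.
    condition = length(setsubtract(
      local.required_log_types,
      toset(data.aws_eks_cluster.this.enabled_cluster_log_types),
    )) == 0
    error_message = "Control plane logging is missing api, audit or authenticator; set cluster_enabled_log_types accordingly."
  }
}

check "secrets_envelope_encrypted" {
  assert {
    # encryption_config is empty when no KMS key was configured for secrets.
    condition     = length(data.aws_eks_cluster.this.encryption_config) > 0
    error_message = "Kubernetes secrets are not envelope-encrypted with a customer-managed key; set eks_kms_arn."
  }
}

check "module_outputs_match_live_cluster" {
  assert {
    # Detects drift between what the module reports and what AWS serves.
    condition = (
      module.cluster.cluster_endpoint == data.aws_eks_cluster.this.endpoint &&
      module.cluster.vpc_id == local.vpc_config.vpc_id
    )
    error_message = "Module outputs do not match the live cluster; investigate out-of-band changes."
  }
}
```

A failing `check` surfaces as a warning in `terraform plan` and `terraform apply` output rather than aborting the run, which keeps the guardrail from blocking an emergency change. If you want a hard stop, move the same conditions into a `lifecycle { postcondition { ... } }` on the data source, where a failed assertion is an error.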

About

Production-ready Terraform module for AWS EKS clusters with VPC and networking configuration
