forked from cloudposse/terraform-aws-eks-cluster
-
Notifications
You must be signed in to change notification settings - Fork 0
/
variables.tf
290 lines (244 loc) · 9.63 KB
/
variables.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
variable "region" {
type = string
description = "AWS Region"
}
variable "vpc_id" {
type = string
description = "VPC ID for the EKS cluster"
}
variable "subnet_ids" {
description = "A list of subnet IDs to launch the cluster in"
type = list(string)
}
variable "allowed_security_groups" {
type = list(string)
default = []
description = "List of Security Group IDs to be allowed to connect to the EKS cluster"
}
variable "allowed_cidr_blocks" {
type = list(string)
default = []
description = "List of CIDR blocks to be allowed to connect to the EKS cluster"
}
variable "create_eks_service_role" {
type = bool
default = true
description = "Set `false` to use existing `eks_cluster_service_role_arn` instead of creating one"
}
variable "eks_cluster_service_role_arn" {
type = string
description = <<-EOT
The ARN of an IAM role for the EKS cluster to use that provides permissions
for the Kubernetes control plane to perform needed AWS API operations.
Required if `create_eks_service_role` is `false`, ignored otherwise.
EOT
default = null
}
variable "workers_role_arns" {
type = list(string)
description = "List of Role ARNs of the worker nodes"
default = []
}
variable "workers_security_group_ids" {
type = list(string)
description = "Security Group IDs of the worker nodes"
default = []
}
variable "kubernetes_version" {
type = string
default = "1.15"
description = "Desired Kubernetes master version. If you do not specify a value, the latest available version is used"
}
variable "oidc_provider_enabled" {
type = bool
default = false
description = "Create an IAM OIDC identity provider for the cluster, then you can create IAM roles to associate with a service account in the cluster, instead of using kiam or kube2iam. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html"
}
variable "endpoint_private_access" {
type = bool
default = false
description = "Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default to AWS EKS resource and it is false"
}
variable "endpoint_public_access" {
type = bool
default = true
description = "Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default to AWS EKS resource and it is true"
}
variable "public_access_cidrs" {
type = list(string)
default = ["0.0.0.0/0"]
description = "Indicates which CIDR blocks can access the Amazon EKS public API server endpoint when enabled. EKS defaults this to a list with 0.0.0.0/0."
}
variable "enabled_cluster_log_types" {
type = list(string)
default = []
description = "A list of the desired control plane logging to enable. For more information, see https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. Possible values [`api`, `audit`, `authenticator`, `controllerManager`, `scheduler`]"
}
variable "cluster_log_retention_period" {
type = number
default = 0
description = "Number of days to retain cluster logs. Requires `enabled_cluster_log_types` to be set. See https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html."
}
variable "apply_config_map_aws_auth" {
type = bool
default = true
description = "Whether to apply the ConfigMap to allow worker nodes to join the EKS cluster and allow additional users, accounts and roles to acces the cluster"
}
variable "map_additional_aws_accounts" {
description = "Additional AWS account numbers to add to `config-map-aws-auth` ConfigMap"
type = list(string)
default = []
}
variable "map_additional_iam_roles" {
description = "Additional IAM roles to add to `config-map-aws-auth` ConfigMap"
type = list(object({
rolearn = string
username = string
groups = list(string)
}))
default = []
}
variable "map_additional_iam_users" {
description = "Additional IAM users to add to `config-map-aws-auth` ConfigMap"
type = list(object({
userarn = string
username = string
groups = list(string)
}))
default = []
}
variable "local_exec_interpreter" {
type = list(string)
default = ["/bin/sh", "-c"]
description = "shell to use for local_exec"
}
variable "wait_for_cluster_command" {
type = string
default = "curl --silent --fail --retry 60 --retry-delay 5 --retry-connrefused --insecure --output /dev/null $ENDPOINT/healthz"
description = "`local-exec` command to execute to determine if the EKS cluster is healthy. Cluster endpoint are available as environment variable `ENDPOINT`"
}
variable "kubernetes_config_map_ignore_role_changes" {
type = bool
default = true
description = "Set to `true` to ignore IAM role changes in the Kubernetes Auth ConfigMap"
}
variable "cluster_encryption_config_enabled" {
type = bool
default = true
description = "Set to `true` to enable Cluster Encryption Configuration"
}
variable "cluster_encryption_config_kms_key_id" {
type = string
default = ""
description = "KMS Key ID to use for cluster encryption config"
}
variable "cluster_encryption_config_kms_key_enable_key_rotation" {
type = bool
default = true
description = "Cluster Encryption Config KMS Key Resource argument - enable kms key rotation"
}
variable "cluster_encryption_config_kms_key_deletion_window_in_days" {
type = number
default = 10
description = "Cluster Encryption Config KMS Key Resource argument - key deletion windows in days post destruction"
}
variable "cluster_encryption_config_kms_key_policy" {
type = string
default = null
description = "Cluster Encryption Config KMS Key Resource argument - key policy"
}
variable "cluster_encryption_config_resources" {
type = list(any)
default = ["secrets"]
description = "Cluster Encryption Config Resources to encrypt, e.g. ['secrets']"
}
variable "permissions_boundary" {
type = string
default = null
description = "If provided, all IAM roles will be created with this permissions boundary attached."
}
##################
# All the following variables are just about configuring the Kubernetes provider
# to be able to modify the aws-auth ConfigMap. Once EKS provides a normal
# AWS API for modifying it, we can do away with all of this.
#
# The reason there are so many options is because at various times, each
# one of them has had problems, so we give you a choice.
#
# The reason there are so many "enabled" inputs rather than automatically
# detecting whether or not they are enabled based on the value of the input
# is that any logic based on input values requires the values to be known during
# the "plan" phase of Terraform, and often they are not, which causes problems.
#
variable "kubeconfig_path_enabled" {
type = bool
default = false
description = "If `true`, configure the Kubernetes provider with `kubeconfig_path` and use it for authenticating to the EKS cluster"
}
variable "kubeconfig_path" {
type = string
default = ""
description = "The Kubernetes provider `config_path` setting to use when `kubeconfig_path_enabled` is `true`"
}
variable "kube_data_auth_enabled" {
type = bool
default = true
description = <<-EOT
If `true`, use an `aws_eks_cluster_auth` data source to authenticate to the EKS cluster.
Disabled by `kubeconfig_path_enabled` or `kube_exec_auth_enabled`.
EOT
}
variable "kube_exec_auth_enabled" {
type = bool
default = false
description = <<-EOT
If `true`, use the Kubernetes provider `exec` feature to execute `aws eks get-token` to authenticate to the EKS cluster.
Disabled by `kubeconfig_path_enabled`, overrides `kube_data_auth_enabled`.
EOT
}
variable "kube_exec_auth_role_arn" {
type = string
default = ""
description = "The role ARN for `aws eks get-token` to use"
}
variable "kube_exec_auth_role_arn_enabled" {
type = bool
default = false
description = "If `true`, pass `kube_exec_auth_role_arn` as the role ARN to `aws eks get-token`"
}
variable "kube_exec_auth_aws_profile" {
type = string
default = ""
description = "The AWS config profile for `aws eks get-token` to use"
}
variable "kube_exec_auth_aws_profile_enabled" {
type = bool
default = false
description = "If `true`, pass `kube_exec_auth_aws_profile` as the `profile` to `aws eks get-token`"
}
variable "aws_auth_yaml_strip_quotes" {
type = bool
default = true
description = "If true, remove double quotes from the generated aws-auth ConfigMap YAML to reduce spurious diffs in plans"
}
variable "dummy_kubeapi_server" {
type = string
default = "https://jsonplaceholder.typicode.com"
description = <<-EOT
URL of a dummy API server for the Kubernetes server to use when the real one is unknown.
This is a workaround to ignore connection failures that break Terraform even though the results do not matter.
You can disable it by setting it to `null`; however, as of Kubernetes provider v2.3.2, doing so _will_
cause Terraform to fail in several situations unless you provide a valid `kubeconfig` file
via `kubeconfig_path` and set `kubeconfig_path_enabled` to `true`.
EOT
}
variable "addons" {
type = list(object({
addon_name = string
addon_version = string
resolve_conflicts = string
service_account_role_arn = string
}))
default = []
description = "Manages [`aws_eks_addon`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) resources."
}