+
+
+
map(object({
# Access entry
kubernetes_groups = optional(list(string))
principal_arn = string
type = optional(string, "STANDARD")
user_name = optional(string)
tags = optional(map(string), {})
# Access policy association
policy_associations = optional(map(object({
policy_arn = string
access_scope = object({
namespaces = optional(list(string))
type = string
})
})), {})
})) | `{}` | no |
+| [additional\_security\_group\_ids](#input\_additional\_security\_group\_ids) | List of additional, externally created security group IDs to attach to the cluster control plane | `list(string)` | `[]` | no |
+| [addons](#input\_addons) | Map of cluster addon configurations to enable for the cluster. Addon name can be the map keys or set with `name` | map(object({
name = optional(string) # will fall back to map key
before_compute = optional(bool, false)
most_recent = optional(bool, true)
addon_version = optional(string)
configuration_values = optional(string)
pod_identity_association = optional(list(object({
role_arn = string
service_account = string
})))
preserve = optional(bool, true)
resolve_conflicts_on_create = optional(string, "NONE")
resolve_conflicts_on_update = optional(string, "OVERWRITE")
service_account_role_arn = optional(string)
timeouts = optional(object({
create = optional(string)
update = optional(string)
delete = optional(string)
}), {})
tags = optional(map(string), {})
})) | `null` | no |
+| [addons\_timeouts](#input\_addons\_timeouts) | Create, update, and delete timeout configurations for the cluster addons | object({
create = optional(string)
update = optional(string)
delete = optional(string)
}) | `{}` | no |
+| [attach\_encryption\_policy](#input\_attach\_encryption\_policy) | Indicates whether or not to attach an additional policy for the cluster IAM role to utilize the encryption key provided | `bool` | `true` | no |
+| [authentication\_mode](#input\_authentication\_mode) | The authentication mode for the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP` | `string` | `"API_AND_CONFIG_MAP"` | no |
+| [cloudwatch\_log\_group\_class](#input\_cloudwatch\_log\_group\_class) | Specified the log class of the log group. Possible values are: `STANDARD` or `INFREQUENT_ACCESS` | `string` | `null` | no |
+| [cloudwatch\_log\_group\_kms\_key\_id](#input\_cloudwatch\_log\_group\_kms\_key\_id) | If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) | `string` | `null` | no |
+| [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days) | Number of days to retain log events. Default retention - 90 days | `number` | `90` | no |
+| [cloudwatch\_log\_group\_tags](#input\_cloudwatch\_log\_group\_tags) | A map of additional tags to add to the cloudwatch log group created | `map(string)` | `{}` | no |
+| [cluster\_tags](#input\_cluster\_tags) | A map of additional tags to add to the cluster | `map(string)` | `{}` | no |
+| [compute\_config](#input\_compute\_config) | Configuration block for the cluster compute configuration | object({
enabled = optional(bool, false)
node_pools = optional(list(string))
node_role_arn = optional(string)
}) | `null` | no |
+| [control\_plane\_scaling\_config](#input\_control\_plane\_scaling\_config) | Configuration block for the EKS Provisioned Control Plane scaling tier. Valid values for tier are `standard`, `tier-xl`, `tier-2xl`, and `tier-4xl` | object({
tier = string
}) | `null` | no |
+| [control\_plane\_subnet\_ids](#input\_control\_plane\_subnet\_ids) | A list of subnet IDs where the EKS cluster control plane (ENIs) will be provisioned. Used for expanding the pool of subnets used by nodes/node groups without replacing the EKS control plane | `list(string)` | `[]` | no |
+| [create](#input\_create) | Controls if resources should be created (affects nearly all resources) | `bool` | `true` | no |
+| [create\_auto\_mode\_iam\_resources](#input\_create\_auto\_mode\_iam\_resources) | Determines whether to create/attach IAM resources for EKS Auto Mode. Useful for when using only custom node pools and not built-in EKS Auto Mode node pools | `bool` | `false` | no |
+| [create\_cloudwatch\_log\_group](#input\_create\_cloudwatch\_log\_group) | Determines whether a log group is created by this module for the cluster logs. If not, AWS will automatically create one if logging is enabled | `bool` | `true` | no |
+| [create\_cni\_ipv6\_iam\_policy](#input\_create\_cni\_ipv6\_iam\_policy) | Determines whether to create an [`AmazonEKS_CNI_IPv6_Policy`](https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html#cni-iam-role-create-ipv6-policy) | `bool` | `false` | no |
+| [create\_iam\_role](#input\_create\_iam\_role) | Determines whether an IAM role is created for the cluster | `bool` | `true` | no |
+| [create\_kms\_key](#input\_create\_kms\_key) | Controls if a KMS key for cluster encryption should be created | `bool` | `true` | no |
+| [create\_node\_iam\_role](#input\_create\_node\_iam\_role) | Determines whether an EKS Auto node IAM role is created | `bool` | `true` | no |
+| [create\_node\_security\_group](#input\_create\_node\_security\_group) | Determines whether to create a security group for the node groups or use the existing `node_security_group_id` | `bool` | `true` | no |
+| [create\_primary\_security\_group\_tags](#input\_create\_primary\_security\_group\_tags) | Indicates whether or not to tag the cluster's primary security group. This security group is created by the EKS service, not the module, and therefore tagging is handled after cluster creation | `bool` | `true` | no |
+| [create\_security\_group](#input\_create\_security\_group) | Determines if a security group is created for the cluster. Note: the EKS service creates a primary security group for the cluster by default | `bool` | `true` | no |
+| [custom\_oidc\_thumbprints](#input\_custom\_oidc\_thumbprints) | Additional list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificate(s) | `list(string)` | `[]` | no |
+| [dataplane\_wait\_duration](#input\_dataplane\_wait\_duration) | Duration to wait after the EKS cluster has become active before creating the dataplane components (EKS managed node group(s), self-managed node group(s), Fargate profile(s)) | `string` | `"30s"` | no |
+| [deletion\_protection](#input\_deletion\_protection) | Whether to enable deletion protection for the cluster. When enabled, the cluster cannot be deleted unless deletion protection is first disabled | `bool` | `null` | no |
+| [eks\_managed\_node\_groups](#input\_eks\_managed\_node\_groups) | Map of EKS managed node group definitions to create | map(object({
create = optional(bool)
kubernetes_version = optional(string)
# EKS Managed Node Group
name = optional(string) # Will fall back to map key
use_name_prefix = optional(bool)
subnet_ids = optional(list(string))
min_size = optional(number)
max_size = optional(number)
desired_size = optional(number)
ami_id = optional(string)
ami_type = optional(string)
ami_release_version = optional(string)
use_latest_ami_release_version = optional(bool)
capacity_type = optional(string)
disk_size = optional(number)
force_update_version = optional(bool)
instance_types = optional(list(string))
labels = optional(map(string))
node_repair_config = optional(object({
enabled = optional(bool)
max_parallel_nodes_repaired_count = optional(number)
max_parallel_nodes_repaired_percentage = optional(number)
max_unhealthy_node_threshold_count = optional(number)
max_unhealthy_node_threshold_percentage = optional(number)
node_repair_config_overrides = optional(list(object({
min_repair_wait_time_mins = number
node_monitoring_condition = string
node_unhealthy_reason = string
repair_action = string
})))
}))
remote_access = optional(object({
ec2_ssh_key = optional(string)
source_security_group_ids = optional(list(string))
}))
taints = optional(map(object({
key = string
value = optional(string)
effect = string
})))
update_config = optional(object({
max_unavailable = optional(number)
max_unavailable_percentage = optional(number)
update_strategy = optional(string)
}))
timeouts = optional(object({
create = optional(string)
update = optional(string)
delete = optional(string)
}))
# User data
enable_bootstrap_user_data = optional(bool)
pre_bootstrap_user_data = optional(string)
post_bootstrap_user_data = optional(string)
bootstrap_extra_args = optional(string)
user_data_template_path = optional(string)
cloudinit_pre_nodeadm = optional(list(object({
content = string
content_type = optional(string)
filename = optional(string)
merge_type = optional(string)
})))
cloudinit_post_nodeadm = optional(list(object({
content = string
content_type = optional(string)
filename = optional(string)
merge_type = optional(string)
})))
# Launch Template
create_launch_template = optional(bool)
use_custom_launch_template = optional(bool)
launch_template_id = optional(string)
launch_template_name = optional(string) # Will fall back to map key
launch_template_use_name_prefix = optional(bool)
launch_template_version = optional(string)
launch_template_default_version = optional(string)
update_launch_template_default_version = optional(bool)
launch_template_description = optional(string)
launch_template_tags = optional(map(string))
tag_specifications = optional(list(string))
ebs_optimized = optional(bool)
key_name = optional(string)
disable_api_termination = optional(bool)
kernel_id = optional(string)
ram_disk_id = optional(string)
block_device_mappings = optional(map(object({
device_name = optional(string)
ebs = optional(object({
delete_on_termination = optional(bool)
encrypted = optional(bool)
iops = optional(number)
kms_key_id = optional(string)
snapshot_id = optional(string)
throughput = optional(number)
volume_initialization_rate = optional(number)
volume_size = optional(number)
volume_type = optional(string)
}))
no_device = optional(string)
virtual_name = optional(string)
})))
capacity_reservation_specification = optional(object({
capacity_reservation_preference = optional(string)
capacity_reservation_target = optional(object({
capacity_reservation_id = optional(string)
capacity_reservation_resource_group_arn = optional(string)
}))
}))
cpu_options = optional(object({
amd_sev_snp = optional(string)
core_count = optional(number)
threads_per_core = optional(number)
}))
credit_specification = optional(object({
cpu_credits = optional(string)
}))
enclave_options = optional(object({
enabled = optional(bool)
}))
instance_market_options = optional(object({
market_type = optional(string)
spot_options = optional(object({
block_duration_minutes = optional(number)
instance_interruption_behavior = optional(string)
max_price = optional(string)
spot_instance_type = optional(string)
valid_until = optional(string)
}))
}))
license_specifications = optional(list(object({
license_configuration_arn = string
})))
metadata_options = optional(object({
http_endpoint = optional(string)
http_protocol_ipv6 = optional(string)
http_put_response_hop_limit = optional(number)
http_tokens = optional(string)
instance_metadata_tags = optional(string)
}))
enable_monitoring = optional(bool)
enable_efa_support = optional(bool)
enable_efa_only = optional(bool)
efa_indices = optional(list(string))
create_placement_group = optional(bool)
placement = optional(object({
affinity = optional(string)
availability_zone = optional(string)
group_name = optional(string)
host_id = optional(string)
host_resource_group_arn = optional(string)
partition_number = optional(number)
spread_domain = optional(string)
tenancy = optional(string)
}))
network_interfaces = optional(list(object({
associate_carrier_ip_address = optional(bool)
associate_public_ip_address = optional(bool)
connection_tracking_specification = optional(object({
tcp_established_timeout = optional(number)
udp_stream_timeout = optional(number)
udp_timeout = optional(number)
}))
delete_on_termination = optional(bool)
description = optional(string)
device_index = optional(number)
ena_srd_specification = optional(object({
ena_srd_enabled = optional(bool)
ena_srd_udp_specification = optional(object({
ena_srd_udp_enabled = optional(bool)
}))
}))
interface_type = optional(string)
ipv4_address_count = optional(number)
ipv4_addresses = optional(list(string))
ipv4_prefix_count = optional(number)
ipv4_prefixes = optional(list(string))
ipv6_address_count = optional(number)
ipv6_addresses = optional(list(string))
ipv6_prefix_count = optional(number)
ipv6_prefixes = optional(list(string))
network_card_index = optional(number)
network_interface_id = optional(string)
primary_ipv6 = optional(bool)
private_ip_address = optional(string)
security_groups = optional(list(string), [])
subnet_id = optional(string)
})))
maintenance_options = optional(object({
auto_recovery = optional(string)
}))
private_dns_name_options = optional(object({
enable_resource_name_dns_aaaa_record = optional(bool)
enable_resource_name_dns_a_record = optional(bool)
hostname_type = optional(string)
}))
# IAM role
create_iam_role = optional(bool)
iam_role_arn = optional(string)
iam_role_name = optional(string)
iam_role_use_name_prefix = optional(bool)
iam_role_path = optional(string)
iam_role_description = optional(string)
iam_role_permissions_boundary = optional(string)
iam_role_tags = optional(map(string))
iam_role_attach_cni_policy = optional(bool)
iam_role_additional_policies = optional(map(string))
create_iam_role_policy = optional(bool)
iam_role_policy_statements = optional(list(object({
sid = optional(string)
actions = optional(list(string))
not_actions = optional(list(string))
effect = optional(string)
resources = optional(list(string))
not_resources = optional(list(string))
principals = optional(list(object({
type = string
identifiers = list(string)
})))
not_principals = optional(list(object({
type = string
identifiers = list(string)
})))
condition = optional(list(object({
test = string
values = list(string)
variable = string
})))
})))
# Security group
vpc_security_group_ids = optional(list(string), [])
attach_cluster_primary_security_group = optional(bool, false)
cluster_primary_security_group_id = optional(string)
create_security_group = optional(bool)
security_group_name = optional(string)
security_group_use_name_prefix = optional(bool)
security_group_description = optional(string)
security_group_ingress_rules = optional(map(object({
name = optional(string)
cidr_ipv4 = optional(string)
cidr_ipv6 = optional(string)
description = optional(string)
from_port = optional(string)
ip_protocol = optional(string)
prefix_list_id = optional(string)
referenced_security_group_id = optional(string)
self = optional(bool)
tags = optional(map(string))
to_port = optional(string)
})))
security_group_egress_rules = optional(map(object({
name = optional(string)
cidr_ipv4 = optional(string)
cidr_ipv6 = optional(string)
description = optional(string)
from_port = optional(string)
ip_protocol = optional(string)
prefix_list_id = optional(string)
referenced_security_group_id = optional(string)
self = optional(bool)
tags = optional(map(string))
to_port = optional(string)
})), {})
security_group_tags = optional(map(string))
tags = optional(map(string))
})) | `null` | no |
+| [enable\_auto\_mode\_custom\_tags](#input\_enable\_auto\_mode\_custom\_tags) | Determines whether to enable permissions for custom tags resources created by EKS Auto Mode | `bool` | `true` | no |
+| [enable\_cluster\_creator\_admin\_permissions](#input\_enable\_cluster\_creator\_admin\_permissions) | Indicates whether or not to add the cluster creator (the identity used by Terraform) as an administrator via access entry | `bool` | `false` | no |
+| [enable\_irsa](#input\_enable\_irsa) | Determines whether to create an OpenID Connect Provider for EKS to enable IRSA | `bool` | `true` | no |
+| [enable\_kms\_key\_rotation](#input\_enable\_kms\_key\_rotation) | Specifies whether key rotation is enabled | `bool` | `true` | no |
+| [enabled\_log\_types](#input\_enabled\_log\_types) | A list of the desired control plane logs to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` | [| no | +| [encryption\_config](#input\_encryption\_config) | Configuration block with encryption configuration for the cluster |
"audit",
"api",
"authenticator"
]
object({
provider_key_arn = optional(string)
resources = optional(list(string), ["secrets"])
}) | `{}` | no |
+| [encryption\_policy\_description](#input\_encryption\_policy\_description) | Description of the cluster encryption policy created | `string` | `"Cluster encryption policy to allow cluster role to utilize CMK provided"` | no |
+| [encryption\_policy\_name](#input\_encryption\_policy\_name) | Name to use on cluster encryption policy created | `string` | `null` | no |
+| [encryption\_policy\_path](#input\_encryption\_policy\_path) | Cluster encryption policy path | `string` | `null` | no |
+| [encryption\_policy\_tags](#input\_encryption\_policy\_tags) | A map of additional tags to add to the cluster encryption policy created | `map(string)` | `{}` | no |
+| [encryption\_policy\_use\_name\_prefix](#input\_encryption\_policy\_use\_name\_prefix) | Determines whether cluster encryption policy name (`cluster_encryption_policy_name`) is used as a prefix | `bool` | `true` | no |
+| [endpoint\_private\_access](#input\_endpoint\_private\_access) | Indicates whether or not the Amazon EKS private API server endpoint is enabled | `bool` | `true` | no |
+| [endpoint\_public\_access](#input\_endpoint\_public\_access) | Indicates whether or not the Amazon EKS public API server endpoint is enabled | `bool` | `false` | no |
+| [endpoint\_public\_access\_cidrs](#input\_endpoint\_public\_access\_cidrs) | List of CIDR blocks which can access the Amazon EKS public API server endpoint | `list(string)` | [| no | +| [fargate\_profiles](#input\_fargate\_profiles) | Map of Fargate Profile definitions to create |
"0.0.0.0/0"
]
map(object({
create = optional(bool)
# Fargate profile
name = optional(string) # Will fall back to map key
subnet_ids = optional(list(string))
selectors = optional(list(object({
labels = optional(map(string))
namespace = string
})))
timeouts = optional(object({
create = optional(string)
delete = optional(string)
}))
# IAM role
create_iam_role = optional(bool)
iam_role_arn = optional(string)
iam_role_name = optional(string)
iam_role_use_name_prefix = optional(bool)
iam_role_path = optional(string)
iam_role_description = optional(string)
iam_role_permissions_boundary = optional(string)
iam_role_tags = optional(map(string))
iam_role_attach_cni_policy = optional(bool)
iam_role_additional_policies = optional(map(string))
create_iam_role_policy = optional(bool)
iam_role_policy_statements = optional(list(object({
sid = optional(string)
actions = optional(list(string))
not_actions = optional(list(string))
effect = optional(string)
resources = optional(list(string))
not_resources = optional(list(string))
principals = optional(list(object({
type = string
identifiers = list(string)
})))
not_principals = optional(list(object({
type = string
identifiers = list(string)
})))
condition = optional(list(object({
test = string
values = list(string)
variable = string
})))
})))
tags = optional(map(string))
})) | `null` | no |
+| [force\_update\_version](#input\_force\_update\_version) | Force version update by overriding upgrade-blocking readiness checks when updating a cluster | `bool` | `null` | no |
+| [iam\_role\_additional\_policies](#input\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `map(string)` | `{}` | no |
+| [iam\_role\_arn](#input\_iam\_role\_arn) | Existing IAM role ARN for the cluster. Required if `create_iam_role` is set to `false` | `string` | `null` | no |
+| [iam\_role\_description](#input\_iam\_role\_description) | Description of the role | `string` | `null` | no |
+| [iam\_role\_name](#input\_iam\_role\_name) | Name to use on IAM role created | `string` | `null` | no |
+| [iam\_role\_path](#input\_iam\_role\_path) | The IAM role path | `string` | `null` | no |
+| [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
+| [iam\_role\_tags](#input\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
+| [iam\_role\_use\_name\_prefix](#input\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`iam_role_name`) is used as a prefix | `bool` | `true` | no |
+| [identity\_providers](#input\_identity\_providers) | Map of cluster identity provider configurations to enable for the cluster. Note - this is different/separate from IRSA | map(object({
client_id = string
groups_claim = optional(string)
groups_prefix = optional(string)
identity_provider_config_name = optional(string) # will fall back to map key
issuer_url = string
required_claims = optional(map(string))
username_claim = optional(string)
username_prefix = optional(string)
tags = optional(map(string), {})
})) | `null` | no |
+| [include\_oidc\_root\_ca\_thumbprint](#input\_include\_oidc\_root\_ca\_thumbprint) | Determines whether to include the root CA thumbprint in the OpenID Connect (OIDC) identity provider's server certificate(s) | `bool` | `true` | no |
+| [ip\_family](#input\_ip\_family) | The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. You can only specify an IP family when you create a cluster, changing this value will force a new cluster to be created | `string` | `"ipv4"` | no |
+| [kms\_key\_administrators](#input\_kms\_key\_administrators) | A list of IAM ARNs for [key administrators](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-administrators). If no value is provided, the current caller identity is used to ensure at least one key admin is available | `list(string)` | `[]` | no |
+| [kms\_key\_aliases](#input\_kms\_key\_aliases) | A list of aliases to create. Note - due to the use of `toset()`, values must be static strings and not computed values | `list(string)` | `[]` | no |
+| [kms\_key\_deletion\_window\_in\_days](#input\_kms\_key\_deletion\_window\_in\_days) | The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between `7` and `30`, inclusive. If you do not specify a value, it defaults to `30` | `number` | `null` | no |
+| [kms\_key\_description](#input\_kms\_key\_description) | The description of the key as viewed in AWS console | `string` | `null` | no |
+| [kms\_key\_enable\_default\_policy](#input\_kms\_key\_enable\_default\_policy) | Specifies whether to enable the default key policy | `bool` | `true` | no |
+| [kms\_key\_override\_policy\_documents](#input\_kms\_key\_override\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid` | `list(string)` | `[]` | no |
+| [kms\_key\_owners](#input\_kms\_key\_owners) | A list of IAM ARNs for those who will have full key permissions (`kms:*`) | `list(string)` | `[]` | no |
+| [kms\_key\_rotation\_period\_in\_days](#input\_kms\_key\_rotation\_period\_in\_days) | Custom period of time between each key rotation date. If you specify a value, it must be between `90` and `2560`, inclusive. If you do not specify a value, it defaults to `365` | `number` | `null` | no |
+| [kms\_key\_service\_users](#input\_kms\_key\_service\_users) | A list of IAM ARNs for [key service users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-service-integration) | `list(string)` | `[]` | no |
+| [kms\_key\_source\_policy\_documents](#input\_kms\_key\_source\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s | `list(string)` | `[]` | no |
+| [kms\_key\_users](#input\_kms\_key\_users) | A list of IAM ARNs for [key users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-users) | `list(string)` | `[]` | no |
+| [kubernetes\_version](#input\_kubernetes\_version) | Kubernetes `map(object({
protocol = optional(string, "tcp")
from_port = number
to_port = number
type = optional(string, "ingress")
description = optional(string)
cidr_blocks = optional(list(string))
ipv6_cidr_blocks = optional(list(string))
prefix_list_ids = optional(list(string))
self = optional(bool)
source_cluster_security_group = optional(bool, false)
source_security_group_id = optional(string)
})) | `{}` | no |
+| [node\_security\_group\_description](#input\_node\_security\_group\_description) | Description of the node security group created | `string` | `"EKS node shared security group"` | no |
+| [node\_security\_group\_enable\_recommended\_rules](#input\_node\_security\_group\_enable\_recommended\_rules) | Determines whether to enable recommended security group rules for the node security group created. This includes node-to-node TCP ingress on ephemeral ports and allows all egress traffic | `bool` | `true` | no |
+| [node\_security\_group\_id](#input\_node\_security\_group\_id) | ID of an existing security group to attach to the node groups created | `string` | `""` | no |
+| [node\_security\_group\_name](#input\_node\_security\_group\_name) | Name to use on node security group created | `string` | `null` | no |
+| [node\_security\_group\_tags](#input\_node\_security\_group\_tags) | A map of additional tags to add to the node security group created | `map(string)` | `{}` | no |
+| [node\_security\_group\_use\_name\_prefix](#input\_node\_security\_group\_use\_name\_prefix) | Determines whether node security group name (`node_security_group_name`) is used as a prefix | `bool` | `true` | no |
+| [openid\_connect\_audiences](#input\_openid\_connect\_audiences) | List of OpenID Connect audience client IDs to add to the IRSA provider | `list(string)` | `[]` | no |
+| [outpost\_config](#input\_outpost\_config) | Configuration for the AWS Outpost to provision the cluster on | object({
control_plane_instance_type = optional(string)
control_plane_placement = optional(object({
group_name = string
}))
outpost_arns = list(string)
}) | `null` | no |
+| [prefix\_separator](#input\_prefix\_separator) | The separator to use between the prefix and the generated timestamp for resource names | `string` | `"-"` | no |
+| [putin\_khuylo](#input\_putin\_khuylo) | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! | `bool` | `true` | no |
+| [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no |
+| [remote\_network\_config](#input\_remote\_network\_config) | Configuration block for the cluster remote network configuration | object({
remote_node_networks = object({
cidrs = optional(list(string))
})
remote_pod_networks = optional(object({
cidrs = optional(list(string))
}))
}) | `null` | no |
+| [security\_group\_additional\_rules](#input\_security\_group\_additional\_rules) | List of additional security group rules to add to the cluster security group created. Set `source_node_security_group = true` inside rules to set the `node_security_group` as source | map(object({
protocol = optional(string, "tcp")
from_port = number
to_port = number
type = optional(string, "ingress")
description = optional(string)
cidr_blocks = optional(list(string))
ipv6_cidr_blocks = optional(list(string))
prefix_list_ids = optional(list(string))
self = optional(bool)
source_node_security_group = optional(bool, false)
source_security_group_id = optional(string)
})) | `{}` | no |
+| [security\_group\_description](#input\_security\_group\_description) | Description of the cluster security group created | `string` | `"EKS cluster security group"` | no |
+| [security\_group\_id](#input\_security\_group\_id) | Existing security group ID to be attached to the cluster | `string` | `""` | no |
+| [security\_group\_name](#input\_security\_group\_name) | Name to use on cluster security group created | `string` | `null` | no |
+| [security\_group\_tags](#input\_security\_group\_tags) | A map of additional tags to add to the cluster security group created | `map(string)` | `{}` | no |
+| [security\_group\_use\_name\_prefix](#input\_security\_group\_use\_name\_prefix) | Determines whether cluster security group name (`cluster_security_group_name`) is used as a prefix | `bool` | `true` | no |
+| [self\_managed\_node\_groups](#input\_self\_managed\_node\_groups) | Map of self-managed node group definitions to create | map(object({
create = optional(bool)
kubernetes_version = optional(string)
# Autoscaling Group
create_autoscaling_group = optional(bool)
name = optional(string) # Will fall back to map key
use_name_prefix = optional(bool)
availability_zones = optional(list(string))
subnet_ids = optional(list(string))
min_size = optional(number)
max_size = optional(number)
desired_size = optional(number)
desired_size_type = optional(string)
capacity_rebalance = optional(bool)
default_instance_warmup = optional(number)
protect_from_scale_in = optional(bool)
context = optional(string)
create_placement_group = optional(bool)
placement_group = optional(string)
health_check_type = optional(string)
health_check_grace_period = optional(number)
ignore_failed_scaling_activities = optional(bool)
force_delete = optional(bool)
termination_policies = optional(list(string))
suspended_processes = optional(list(string))
max_instance_lifetime = optional(number)
enabled_metrics = optional(list(string))
metrics_granularity = optional(string)
initial_lifecycle_hooks = optional(list(object({
default_result = optional(string)
heartbeat_timeout = optional(number)
lifecycle_transition = string
name = string
notification_metadata = optional(string)
notification_target_arn = optional(string)
role_arn = optional(string)
})))
instance_maintenance_policy = optional(object({
max_healthy_percentage = number
min_healthy_percentage = number
}))
instance_refresh = optional(object({
preferences = optional(object({
alarm_specification = optional(object({
alarms = optional(list(string))
}))
auto_rollback = optional(bool)
checkpoint_delay = optional(number)
checkpoint_percentages = optional(list(number))
instance_warmup = optional(number)
max_healthy_percentage = optional(number)
min_healthy_percentage = optional(number)
scale_in_protected_instances = optional(string)
skip_matching = optional(bool)
standby_instances = optional(string)
}))
strategy = optional(string)
triggers = optional(list(string))
})
)
use_mixed_instances_policy = optional(bool)
mixed_instances_policy = optional(object({
instances_distribution = optional(object({
on_demand_allocation_strategy = optional(string)
on_demand_base_capacity = optional(number)
on_demand_percentage_above_base_capacity = optional(number)
spot_allocation_strategy = optional(string)
spot_instance_pools = optional(number)
spot_max_price = optional(string)
}))
launch_template = object({
override = optional(list(object({
instance_requirements = optional(object({
accelerator_count = optional(object({
max = optional(number)
min = optional(number)
}))
accelerator_manufacturers = optional(list(string))
accelerator_names = optional(list(string))
accelerator_total_memory_mib = optional(object({
max = optional(number)
min = optional(number)
}))
accelerator_types = optional(list(string))
allowed_instance_types = optional(list(string))
bare_metal = optional(string)
baseline_ebs_bandwidth_mbps = optional(object({
max = optional(number)
min = optional(number)
}))
burstable_performance = optional(string)
cpu_manufacturers = optional(list(string))
excluded_instance_types = optional(list(string))
instance_generations = optional(list(string))
local_storage = optional(string)
local_storage_types = optional(list(string))
max_spot_price_as_percentage_of_optimal_on_demand_price = optional(number)
memory_gib_per_vcpu = optional(object({
max = optional(number)
min = optional(number)
}))
memory_mib = optional(object({
max = optional(number)
min = optional(number)
}))
network_bandwidth_gbps = optional(object({
max = optional(number)
min = optional(number)
}))
network_interface_count = optional(object({
max = optional(number)
min = optional(number)
}))
on_demand_max_price_percentage_over_lowest_price = optional(number)
require_hibernate_support = optional(bool)
spot_max_price_percentage_over_lowest_price = optional(number)
total_local_storage_gb = optional(object({
max = optional(number)
min = optional(number)
}))
vcpu_count = optional(object({
max = optional(number)
min = optional(number)
}))
}))
instance_type = optional(string)
launch_template_specification = optional(object({
launch_template_id = optional(string)
launch_template_name = optional(string)
version = optional(string)
}))
weighted_capacity = optional(string)
})))
})
}))
timeouts = optional(object({
delete = optional(string)
}))
autoscaling_group_tags = optional(map(string))
# User data
ami_type = optional(string)
additional_cluster_dns_ips = optional(list(string))
pre_bootstrap_user_data = optional(string)
post_bootstrap_user_data = optional(string)
bootstrap_extra_args = optional(string)
user_data_template_path = optional(string)
cloudinit_pre_nodeadm = optional(list(object({
content = string
content_type = optional(string)
filename = optional(string)
merge_type = optional(string)
})))
cloudinit_post_nodeadm = optional(list(object({
content = string
content_type = optional(string)
filename = optional(string)
merge_type = optional(string)
})))
# Launch Template
create_launch_template = optional(bool)
use_custom_launch_template = optional(bool)
launch_template_id = optional(string)
launch_template_name = optional(string) # Will fall back to map key
launch_template_use_name_prefix = optional(bool)
launch_template_version = optional(string)
launch_template_default_version = optional(string)
update_launch_template_default_version = optional(bool)
launch_template_description = optional(string)
launch_template_tags = optional(map(string))
tag_specifications = optional(list(string))
ebs_optimized = optional(bool)
ami_id = optional(string)
instance_type = optional(string)
key_name = optional(string)
disable_api_termination = optional(bool)
instance_initiated_shutdown_behavior = optional(string)
kernel_id = optional(string)
ram_disk_id = optional(string)
block_device_mappings = optional(map(object({
device_name = optional(string)
ebs = optional(object({
delete_on_termination = optional(bool)
encrypted = optional(bool)
iops = optional(number)
kms_key_id = optional(string)
snapshot_id = optional(string)
throughput = optional(number)
volume_initialization_rate = optional(number)
volume_size = optional(number)
volume_type = optional(string)
}))
no_device = optional(string)
virtual_name = optional(string)
})))
capacity_reservation_specification = optional(object({
capacity_reservation_preference = optional(string)
capacity_reservation_target = optional(object({
capacity_reservation_id = optional(string)
capacity_reservation_resource_group_arn = optional(string)
}))
}))
cpu_options = optional(object({
amd_sev_snp = optional(string)
core_count = optional(number)
threads_per_core = optional(number)
}))
credit_specification = optional(object({
cpu_credits = optional(string)
}))
enclave_options = optional(object({
enabled = optional(bool)
}))
instance_requirements = optional(object({
accelerator_count = optional(object({
max = optional(number)
min = optional(number)
}))
accelerator_manufacturers = optional(list(string))
accelerator_names = optional(list(string))
accelerator_total_memory_mib = optional(object({
max = optional(number)
min = optional(number)
}))
accelerator_types = optional(list(string))
allowed_instance_types = optional(list(string))
bare_metal = optional(string)
baseline_ebs_bandwidth_mbps = optional(object({
max = optional(number)
min = optional(number)
}))
burstable_performance = optional(string)
cpu_manufacturers = optional(list(string))
excluded_instance_types = optional(list(string))
instance_generations = optional(list(string))
local_storage = optional(string)
local_storage_types = optional(list(string))
max_spot_price_as_percentage_of_optimal_on_demand_price = optional(number)
memory_gib_per_vcpu = optional(object({
max = optional(number)
min = optional(number)
}))
memory_mib = optional(object({
max = optional(number)
min = optional(number)
}))
network_bandwidth_gbps = optional(object({
max = optional(number)
min = optional(number)
}))
network_interface_count = optional(object({
max = optional(number)
min = optional(number)
}))
on_demand_max_price_percentage_over_lowest_price = optional(number)
require_hibernate_support = optional(bool)
spot_max_price_percentage_over_lowest_price = optional(number)
total_local_storage_gb = optional(object({
max = optional(number)
min = optional(number)
}))
vcpu_count = optional(object({
max = optional(number)
min = string
}))
}))
instance_market_options = optional(object({
market_type = optional(string)
spot_options = optional(object({
block_duration_minutes = optional(number)
instance_interruption_behavior = optional(string)
max_price = optional(string)
spot_instance_type = optional(string)
valid_until = optional(string)
}))
}))
license_specifications = optional(list(object({
license_configuration_arn = string
})))
metadata_options = optional(object({
http_endpoint = optional(string)
http_protocol_ipv6 = optional(string)
http_put_response_hop_limit = optional(number)
http_tokens = optional(string)
instance_metadata_tags = optional(string)
}))
enable_monitoring = optional(bool)
enable_efa_support = optional(bool)
enable_efa_only = optional(bool)
efa_indices = optional(list(string))
network_interfaces = optional(list(object({
associate_carrier_ip_address = optional(bool)
associate_public_ip_address = optional(bool)
connection_tracking_specification = optional(object({
tcp_established_timeout = optional(number)
udp_stream_timeout = optional(number)
udp_timeout = optional(number)
}))
delete_on_termination = optional(bool)
description = optional(string)
device_index = optional(number)
ena_srd_specification = optional(object({
ena_srd_enabled = optional(bool)
ena_srd_udp_specification = optional(object({
ena_srd_udp_enabled = optional(bool)
}))
}))
interface_type = optional(string)
ipv4_address_count = optional(number)
ipv4_addresses = optional(list(string))
ipv4_prefix_count = optional(number)
ipv4_prefixes = optional(list(string))
ipv6_address_count = optional(number)
ipv6_addresses = optional(list(string))
ipv6_prefix_count = optional(number)
ipv6_prefixes = optional(list(string))
network_card_index = optional(number)
network_interface_id = optional(string)
primary_ipv6 = optional(bool)
private_ip_address = optional(string)
security_groups = optional(list(string))
subnet_id = optional(string)
})))
placement = optional(object({
affinity = optional(string)
availability_zone = optional(string)
group_name = optional(string)
host_id = optional(string)
host_resource_group_arn = optional(string)
partition_number = optional(number)
spread_domain = optional(string)
tenancy = optional(string)
}))
maintenance_options = optional(object({
auto_recovery = optional(string)
}))
private_dns_name_options = optional(object({
enable_resource_name_dns_aaaa_record = optional(bool)
enable_resource_name_dns_a_record = optional(bool)
hostname_type = optional(string)
}))
# IAM role
create_iam_instance_profile = optional(bool)
iam_instance_profile_arn = optional(string)
iam_role_name = optional(string)
iam_role_use_name_prefix = optional(bool)
iam_role_path = optional(string)
iam_role_description = optional(string)
iam_role_permissions_boundary = optional(string)
iam_role_tags = optional(map(string))
iam_role_attach_cni_policy = optional(bool)
iam_role_additional_policies = optional(map(string))
create_iam_role_policy = optional(bool)
iam_role_policy_statements = optional(list(object({
sid = optional(string)
actions = optional(list(string))
not_actions = optional(list(string))
effect = optional(string)
resources = optional(list(string))
not_resources = optional(list(string))
principals = optional(list(object({
type = string
identifiers = list(string)
})))
not_principals = optional(list(object({
type = string
identifiers = list(string)
})))
condition = optional(list(object({
test = string
values = list(string)
variable = string
})))
})))
# Access entry
create_access_entry = optional(bool)
iam_role_arn = optional(string)
# Security group
vpc_security_group_ids = optional(list(string), [])
attach_cluster_primary_security_group = optional(bool, false)
create_security_group = optional(bool)
security_group_name = optional(string)
security_group_use_name_prefix = optional(bool)
security_group_description = optional(string)
security_group_ingress_rules = optional(map(object({
name = optional(string)
cidr_ipv4 = optional(string)
cidr_ipv6 = optional(string)
description = optional(string)
from_port = optional(string)
ip_protocol = optional(string)
prefix_list_id = optional(string)
referenced_security_group_id = optional(string)
self = optional(bool)
tags = optional(map(string))
to_port = optional(string)
})))
security_group_egress_rules = optional(map(object({
name = optional(string)
cidr_ipv4 = optional(string)
cidr_ipv6 = optional(string)
description = optional(string)
from_port = optional(string)
ip_protocol = optional(string)
prefix_list_id = optional(string)
referenced_security_group_id = optional(string)
self = optional(bool)
tags = optional(map(string))
to_port = optional(string)
})))
security_group_tags = optional(map(string))
tags = optional(map(string))
})) | `null` | no |
+| [service\_ipv4\_cidr](#input\_service\_ipv4\_cidr) | The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks | `string` | `null` | no |
+| [service\_ipv6\_cidr](#input\_service\_ipv6\_cidr) | The CIDR block to assign Kubernetes pod and service IP addresses from if `ipv6` was specified when the cluster was created. Kubernetes assigns service addresses from the unique local address range (fc00::/7) because you can't specify a custom IPv6 CIDR block when you create the cluster | `string` | `null` | no |
+| [subnet\_ids](#input\_subnet\_ids) | A list of subnet IDs where the nodes/node groups will be provisioned. If `control_plane_subnet_ids` is not provided, the EKS cluster control plane (ENIs) will be provisioned in these subnets | `list(string)` | `[]` | no |
+| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
+| [timeouts](#input\_timeouts) | Create, update, and delete timeout configurations for the cluster | object({
create = optional(string)
update = optional(string)
delete = optional(string)
}) | `null` | no |
+| [upgrade\_policy](#input\_upgrade\_policy) | Configuration block for the cluster upgrade policy | object({
support_type = optional(string)
}) | `null` | no |
+| [vpc\_id](#input\_vpc\_id) | ID of the VPC where the cluster security group will be provisioned | `string` | `null` | no |
+| [zonal\_shift\_config](#input\_zonal\_shift\_config) | Configuration block for the cluster zonal shift | object({
enabled = optional(bool)
}) | `null` | no |
## Outputs
| Name | Description |
|------|-------------|
-| cluster\_certificate\_authority\_data | Nested attribute containing certificate-authority-data for your cluster. This is the base64 encoded certificate data required to communicate with your cluster. |
-| cluster\_endpoint | The endpoint for your EKS Kubernetes API. |
-| cluster\_iam\_role\_arn | IAM role ARN of the EKS cluster. |
-| cluster\_iam\_role\_name | IAM role name of the EKS cluster. |
-| cluster\_id | The name/id of the EKS cluster. |
-| cluster\_security\_group\_id | Security group ID attached to the EKS cluster. |
-| cluster\_version | The Kubernetes server version for the EKS cluster. |
-| config\_map\_aws\_auth | A kubernetes configuration to authenticate to this EKS cluster. |
-| kubeconfig | kubectl config file contents for this EKS cluster. |
-| kubeconfig\_filename | The filename of the generated kubectl config. |
-| worker\_iam\_instance\_profile\_arns | default IAM instance profile ARNs for EKS worker group |
-| worker\_iam\_instance\_profile\_names | default IAM instance profile names for EKS worker group |
-| worker\_iam\_role\_arn | default IAM role ARN for EKS worker groups |
-| worker\_iam\_role\_name | default IAM role name for EKS worker groups |
-| worker\_security\_group\_id | Security group ID attached to the EKS workers. |
-| workers\_asg\_arns | IDs of the autoscaling groups containing workers. |
-| workers\_asg\_names | Names of the autoscaling groups containing workers. |
-
-
+| [access\_entries](#output\_access\_entries) | Map of access entries created and their attributes |
+| [access\_policy\_associations](#output\_access\_policy\_associations) | Map of eks cluster access policy associations created and their attributes |
+| [cloudwatch\_log\_group\_arn](#output\_cloudwatch\_log\_group\_arn) | Arn of cloudwatch log group created |
+| [cloudwatch\_log\_group\_name](#output\_cloudwatch\_log\_group\_name) | Name of cloudwatch log group created |
+| [cluster\_addons](#output\_cluster\_addons) | Map of attribute maps for all EKS cluster addons enabled |
+| [cluster\_arn](#output\_cluster\_arn) | The Amazon Resource Name (ARN) of the cluster |
+| [cluster\_certificate\_authority\_data](#output\_cluster\_certificate\_authority\_data) | Base64 encoded certificate data required to communicate with the cluster |
+| [cluster\_control\_plane\_scaling\_tier](#output\_cluster\_control\_plane\_scaling\_tier) | The EKS Provisioned Control Plane scaling tier for the cluster |
+| [cluster\_dualstack\_oidc\_issuer\_url](#output\_cluster\_dualstack\_oidc\_issuer\_url) | Dual-stack compatible URL on the EKS cluster for the OpenID Connect identity provider |
+| [cluster\_endpoint](#output\_cluster\_endpoint) | Endpoint for your Kubernetes API server |
+| [cluster\_iam\_role\_arn](#output\_cluster\_iam\_role\_arn) | Cluster IAM role ARN |
+| [cluster\_iam\_role\_name](#output\_cluster\_iam\_role\_name) | Cluster IAM role name |
+| [cluster\_iam\_role\_unique\_id](#output\_cluster\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
+| [cluster\_id](#output\_cluster\_id) | The ID of the EKS cluster. Note: currently a value is returned only for local EKS clusters created on Outposts |
+| [cluster\_identity\_providers](#output\_cluster\_identity\_providers) | Map of attribute maps for all EKS identity providers enabled |
+| [cluster\_ip\_family](#output\_cluster\_ip\_family) | The IP family used by the cluster (e.g. `ipv4` or `ipv6`) |
+| [cluster\_name](#output\_cluster\_name) | The name of the EKS cluster |
+| [cluster\_oidc\_issuer\_url](#output\_cluster\_oidc\_issuer\_url) | The URL on the EKS cluster for the OpenID Connect identity provider |
+| [cluster\_platform\_version](#output\_cluster\_platform\_version) | Platform version for the cluster |
+| [cluster\_primary\_security\_group\_id](#output\_cluster\_primary\_security\_group\_id) | Cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication. Referred to as 'Cluster security group' in the EKS console |
+| [cluster\_security\_group\_arn](#output\_cluster\_security\_group\_arn) | Amazon Resource Name (ARN) of the cluster security group |
+| [cluster\_security\_group\_id](#output\_cluster\_security\_group\_id) | ID of the cluster security group |
+| [cluster\_service\_cidr](#output\_cluster\_service\_cidr) | The CIDR block where Kubernetes pod and service IP addresses are assigned from |
+| [cluster\_status](#output\_cluster\_status) | Status of the EKS cluster. One of `CREATING`, `ACTIVE`, `DELETING`, `FAILED` |
+| [cluster\_tls\_certificate\_sha1\_fingerprint](#output\_cluster\_tls\_certificate\_sha1\_fingerprint) | The SHA1 fingerprint of the public key of the cluster's certificate |
+| [cluster\_version](#output\_cluster\_version) | The Kubernetes version for the cluster |
+| [eks\_managed\_node\_groups](#output\_eks\_managed\_node\_groups) | Map of attribute maps for all EKS managed node groups created |
+| [eks\_managed\_node\_groups\_autoscaling\_group\_names](#output\_eks\_managed\_node\_groups\_autoscaling\_group\_names) | List of the autoscaling group names created by EKS managed node groups |
+| [fargate\_profiles](#output\_fargate\_profiles) | Map of attribute maps for all EKS Fargate Profiles created |
+| [kms\_key\_arn](#output\_kms\_key\_arn) | The Amazon Resource Name (ARN) of the key |
+| [kms\_key\_id](#output\_kms\_key\_id) | The globally unique identifier for the key |
+| [kms\_key\_policy](#output\_kms\_key\_policy) | The IAM resource policy set on the key |
+| [node\_iam\_role\_arn](#output\_node\_iam\_role\_arn) | EKS Auto node IAM role ARN |
+| [node\_iam\_role\_name](#output\_node\_iam\_role\_name) | EKS Auto node IAM role name |
+| [node\_iam\_role\_unique\_id](#output\_node\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
+| [node\_security\_group\_arn](#output\_node\_security\_group\_arn) | Amazon Resource Name (ARN) of the node shared security group |
+| [node\_security\_group\_id](#output\_node\_security\_group\_id) | ID of the node shared security group |
+| [oidc\_provider](#output\_oidc\_provider) | The OpenID Connect identity provider (issuer URL without leading `https://`) |
+| [oidc\_provider\_arn](#output\_oidc\_provider\_arn) | The ARN of the OIDC Provider if `enable_irsa = true` |
+| [self\_managed\_node\_groups](#output\_self\_managed\_node\_groups) | Map of attribute maps for all self managed node groups created |
+| [self\_managed\_node\_groups\_autoscaling\_group\_names](#output\_self\_managed\_node\_groups\_autoscaling\_group\_names) | List of the autoscaling group names created by self-managed node groups |
+
+
+## License
+
+Apache 2 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/LICENSE) for full details.
+
+## Additional information for users from Russia and Belarus
+
+* Russia has [illegally annexed Crimea in 2014](https://en.wikipedia.org/wiki/Annexation_of_Crimea_by_the_Russian_Federation) and [brought the war in Donbas](https://en.wikipedia.org/wiki/War_in_Donbas) followed by [full-scale invasion of Ukraine in 2022](https://en.wikipedia.org/wiki/2022_Russian_invasion_of_Ukraine).
+* Russia has brought sorrow and devastations to millions of Ukrainians, killed hundreds of innocent people, damaged thousands of buildings, and forced several million people to flee.
+* [Putin khuylo!](https://en.wikipedia.org/wiki/Putin_khuylo!)
diff --git a/aws_auth.tf b/aws_auth.tf
deleted file mode 100644
index abe8d0766f..0000000000
--- a/aws_auth.tf
+++ /dev/null
@@ -1,95 +0,0 @@
-resource "local_file" "config_map_aws_auth" {
- content = "${data.template_file.config_map_aws_auth.rendered}"
- filename = "${var.config_output_path}config-map-aws-auth_${var.cluster_name}.yaml"
- count = "${var.write_aws_auth_config ? 1 : 0}"
-}
-
-resource "null_resource" "update_config_map_aws_auth" {
- depends_on = ["aws_eks_cluster.this"]
-
- provisioner "local-exec" {
- working_dir = "${path.module}"
-
- command = <
+ 
+
+ 
+
list(object({
content = string
content_type = optional(string)
filename = optional(string)
merge_type = optional(string)
})) | `[]` | no |
+| [cloudinit\_pre\_nodeadm](#input\_cloudinit\_pre\_nodeadm) | Array of cloud-init document parts that are created before the nodeadm document part | list(object({
content = string
content_type = optional(string)
filename = optional(string)
merge_type = optional(string)
})) | `[]` | no |
+| [cluster\_auth\_base64](#input\_cluster\_auth\_base64) | Base64 encoded CA of associated EKS cluster | `string` | `""` | no |
+| [cluster\_endpoint](#input\_cluster\_endpoint) | Endpoint of associated EKS cluster | `string` | `""` | no |
+| [cluster\_ip\_family](#input\_cluster\_ip\_family) | The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6` | `string` | `"ipv4"` | no |
+| [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | `""` | no |
+| [cluster\_service\_cidr](#input\_cluster\_service\_cidr) | The CIDR block (IPv4 or IPv6) used by the cluster to assign Kubernetes service IP addresses. This is derived from the cluster itself | `string` | `""` | no |
+| [create](#input\_create) | Determines whether to create user-data or not | `bool` | `true` | no |
+| [enable\_bootstrap\_user\_data](#input\_enable\_bootstrap\_user\_data) | Determines whether the bootstrap configurations are populated within the user data template | `bool` | `false` | no |
+| [is\_eks\_managed\_node\_group](#input\_is\_eks\_managed\_node\_group) | Determines whether the user data is used on nodes in an EKS managed node group. Used to determine if user data will be appended or not | `bool` | `true` | no |
+| [post\_bootstrap\_user\_data](#input\_post\_bootstrap\_user\_data) | User data that is appended to the user data script after of the EKS bootstrap script. Not used when `ami_type` = `BOTTLEROCKET_*` | `string` | `""` | no |
+| [pre\_bootstrap\_user\_data](#input\_pre\_bootstrap\_user\_data) | User data that is injected into the user data script ahead of the EKS bootstrap script. Not used when `ami_type` = `BOTTLEROCKET_*` | `string` | `""` | no |
+| [user\_data\_template\_path](#input\_user\_data\_template\_path) | Path to a local, custom user data template file to use when rendering user data | `string` | `""` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [user\_data](#output\_user\_data) | Base64 encoded user data rendered for the provided inputs |
+
diff --git a/modules/_user_data/main.tf b/modules/_user_data/main.tf
new file mode 100644
index 0000000000..c394421c4c
--- /dev/null
+++ b/modules/_user_data/main.tf
@@ -0,0 +1,136 @@
+# The `cluster_service_cidr` is required when `create == true`
+# This is a hacky way to make that logic work, otherwise Terraform always wants a value
+# and supplying any old value like `""` or `null` is not valid and will silently
+# fail to join nodes to the cluster
+resource "null_resource" "validate_cluster_service_cidr" {
+ lifecycle {
+ precondition {
+ # The length 6 is currently arbitrary, but it's a safe bet that the CIDR will be longer than that
+ # The main point is that a value needs to be provided when `create = true`
+ condition = var.create ? length(var.cluster_service_cidr) > 6 : true
+ error_message = "`cluster_service_cidr` is required when `create = true`."
+ }
+ }
+}
+
+locals {
+ is_al2 = startswith(var.ami_type, "AL2_")
+ is_al2023 = startswith(var.ami_type, "AL2023_")
+
+ # Converts AMI type into user data template path
+ ami_type_to_user_data_path = {
+ AL2_ARM_64 = "${path.module}/../../templates/al2_user_data.tpl"
+ AL2_x86_64 = "${path.module}/../../templates/al2_user_data.tpl"
+ AL2_x86_64_GPU = "${path.module}/../../templates/al2_user_data.tpl"
+
+ AL2023_x86_64_STANDARD = "${path.module}/../../templates/al2023_user_data.tpl"
+ AL2023_ARM_64_STANDARD = "${path.module}/../../templates/al2023_user_data.tpl"
+ AL2023_x86_64_NEURON = "${path.module}/../../templates/al2023_user_data.tpl"
+ AL2023_x86_64_NVIDIA = "${path.module}/../../templates/al2023_user_data.tpl"
+ AL2023_ARM_64_NVIDIA = "${path.module}/../../templates/al2023_user_data.tpl"
+
+ BOTTLEROCKET_ARM_64 = "${path.module}/../../templates/bottlerocket_user_data.tpl"
+ BOTTLEROCKET_x86_64 = "${path.module}/../../templates/bottlerocket_user_data.tpl"
+ BOTTLEROCKET_ARM_64_FIPS = "${path.module}/../../templates/bottlerocket_user_data.tpl"
+ BOTTLEROCKET_x86_64_FIPS = "${path.module}/../../templates/bottlerocket_user_data.tpl"
+ BOTTLEROCKET_ARM_64_NVIDIA = "${path.module}/../../templates/bottlerocket_user_data.tpl"
+ BOTTLEROCKET_x86_64_NVIDIA = "${path.module}/../../templates/bottlerocket_user_data.tpl"
+
+ WINDOWS_CORE_2019_x86_64 = "${path.module}/../../templates/windows_user_data.tpl"
+ WINDOWS_FULL_2019_x86_64 = "${path.module}/../../templates/windows_user_data.tpl"
+ WINDOWS_CORE_2022_x86_64 = "${path.module}/../../templates/windows_user_data.tpl"
+ WINDOWS_FULL_2022_x86_64 = "${path.module}/../../templates/windows_user_data.tpl"
+
+ CUSTOM = var.user_data_template_path
+ }
+ user_data_path = coalesce(var.user_data_template_path, local.ami_type_to_user_data_path[var.ami_type])
+
+ cluster_dns_ips = flatten(concat([try(cidrhost(var.cluster_service_cidr, 10), "")], var.additional_cluster_dns_ips))
+
+ user_data = var.create ? base64encode(templatefile(local.user_data_path,
+ {
+ # https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-custom-ami
+ enable_bootstrap_user_data = var.enable_bootstrap_user_data
+
+ # Required to bootstrap node
+ cluster_name = var.cluster_name
+ cluster_endpoint = var.cluster_endpoint
+ cluster_auth_base64 = var.cluster_auth_base64
+
+ cluster_service_cidr = var.cluster_service_cidr
+ cluster_ip_family = var.cluster_ip_family
+
+ # Bottlerocket
+ cluster_dns_ips = "[${join(", ", formatlist("\"%s\"", local.cluster_dns_ips))}]"
+
+ # Optional
+ bootstrap_extra_args = var.bootstrap_extra_args
+ pre_bootstrap_user_data = var.pre_bootstrap_user_data
+ post_bootstrap_user_data = var.post_bootstrap_user_data
+ }
+ )) : ""
+
+ user_data_type_to_rendered = try(coalesce(
+ local.is_al2 ? try(data.cloudinit_config.al2_eks_managed_node_group[0].rendered, local.user_data) : null,
+ local.is_al2023 ? try(data.cloudinit_config.al2023_eks_managed_node_group[0].rendered, local.user_data) : null,
+ local.user_data,
+ ), "")
+}
+
+# https://github.com/aws/containers-roadmap/issues/596#issuecomment-675097667
+# Managed node group data must in MIME multi-part archive format,
+# as by default, EKS will merge the bootstrapping command required for nodes to join the
+# cluster with your user data. If you use a custom AMI in your launch template,
+# this merging will NOT happen and you are responsible for nodes joining the cluster.
+# See docs for more details -> https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-user-data
+
+data "cloudinit_config" "al2_eks_managed_node_group" {
+ count = var.create && local.is_al2 && var.is_eks_managed_node_group && !var.enable_bootstrap_user_data && var.pre_bootstrap_user_data != "" && var.user_data_template_path == "" ? 1 : 0
+
+ base64_encode = true
+ gzip = false
+ boundary = "//"
+
+ # Prepend to existing user data supplied by AWS EKS
+ part {
+ content = var.pre_bootstrap_user_data
+ content_type = "text/x-shellscript"
+ }
+}
+
+# Scenarios:
+#
+# 1. Do nothing - provide nothing
+# 2. Prepend stuff on EKS MNG (before EKS MNG adds its bit at the end)
+# 3. Own all of the stuff on self-MNG or EKS MNG w/ custom AMI
+
+locals {
+ nodeadm_cloudinit = var.enable_bootstrap_user_data ? concat(
+ var.cloudinit_pre_nodeadm,
+ [{
+ content_type = "application/node.eks.aws"
+ content = base64decode(local.user_data)
+ }],
+ var.cloudinit_post_nodeadm
+ ) : var.cloudinit_pre_nodeadm
+}
+
+data "cloudinit_config" "al2023_eks_managed_node_group" {
+ count = var.create && local.is_al2023 && length(local.nodeadm_cloudinit) > 0 ? 1 : 0
+
+ base64_encode = true
+ gzip = false
+ boundary = "MIMEBOUNDARY"
+
+ dynamic "part" {
+ # Using the index is fine in this context since any change in user data will be a replacement
+ for_each = { for i, v in local.nodeadm_cloudinit : i => v }
+
+ content {
+ content = part.value.content
+ content_type = try(part.value.content_type, null)
+ filename = try(part.value.filename, null)
+ merge_type = try(part.value.merge_type, null)
+ }
+ }
+}
diff --git a/modules/_user_data/outputs.tf b/modules/_user_data/outputs.tf
new file mode 100644
index 0000000000..dda4b5195d
--- /dev/null
+++ b/modules/_user_data/outputs.tf
@@ -0,0 +1,4 @@
+output "user_data" {
+ description = "Base64 encoded user data rendered for the provided inputs"
+ value = local.user_data_type_to_rendered
+}
diff --git a/modules/_user_data/variables.tf b/modules/_user_data/variables.tf
new file mode 100644
index 0000000000..bfc32ab688
--- /dev/null
+++ b/modules/_user_data/variables.tf
@@ -0,0 +1,121 @@
+variable "create" {
+ description = "Determines whether to create user-data or not"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "ami_type" {
+ description = "Type of Amazon Machine Image (AMI) associated with the EKS Node Group. See the [AWS documentation](https://docs.aws.amazon.com/eks/latest/APIReference/API_Nodegroup.html#AmazonEKS-Type-Nodegroup-amiType) for valid values"
+ type = string
+ default = "AL2023_x86_64_STANDARD"
+ nullable = false
+}
+
+variable "enable_bootstrap_user_data" {
+ description = "Determines whether the bootstrap configurations are populated within the user data template"
+ type = bool
+ default = false
+ nullable = false
+}
+
+variable "is_eks_managed_node_group" {
+ description = "Determines whether the user data is used on nodes in an EKS managed node group. Used to determine if user data will be appended or not"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "cluster_name" {
+ description = "Name of the EKS cluster"
+ type = string
+ default = ""
+ nullable = false
+}
+
+variable "cluster_endpoint" {
+ description = "Endpoint of associated EKS cluster"
+ type = string
+ default = ""
+ nullable = false
+}
+
+variable "cluster_auth_base64" {
+ description = "Base64 encoded CA of associated EKS cluster"
+ type = string
+ default = ""
+ nullable = false
+}
+
+variable "cluster_service_cidr" {
+ description = "The CIDR block (IPv4 or IPv6) used by the cluster to assign Kubernetes service IP addresses. This is derived from the cluster itself"
+ type = string
+ default = ""
+ nullable = false
+}
+
+variable "cluster_ip_family" {
+ description = "The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`"
+ type = string
+ default = "ipv4"
+ nullable = false
+}
+
+variable "additional_cluster_dns_ips" {
+ description = "Additional DNS IP addresses to use for the cluster. Only used when `ami_type` = `BOTTLEROCKET_*`"
+ type = list(string)
+ default = []
+ nullable = false
+}
+
+variable "pre_bootstrap_user_data" {
+ description = "User data that is injected into the user data script ahead of the EKS bootstrap script. Not used when `ami_type` = `BOTTLEROCKET_*`"
+ type = string
+ default = ""
+ nullable = false
+}
+
+variable "post_bootstrap_user_data" {
+ description = "User data that is appended to the user data script after of the EKS bootstrap script. Not used when `ami_type` = `BOTTLEROCKET_*`"
+ type = string
+ default = ""
+ nullable = false
+}
+
+variable "bootstrap_extra_args" {
+ description = "Additional arguments passed to the bootstrap script. When `ami_type` = `BOTTLEROCKET_*`; these are additional [settings](https://github.com/bottlerocket-os/bottlerocket#settings) that are provided to the Bottlerocket user data"
+ type = string
+ default = ""
+ nullable = false
+}
+
+variable "user_data_template_path" {
+ description = "Path to a local, custom user data template file to use when rendering user data"
+ type = string
+ default = ""
+ nullable = false
+}
+
+variable "cloudinit_pre_nodeadm" {
+ description = "Array of cloud-init document parts that are created before the nodeadm document part"
+ type = list(object({
+ content = string
+ content_type = optional(string)
+ filename = optional(string)
+ merge_type = optional(string)
+ }))
+ default = []
+ nullable = false
+}
+
+variable "cloudinit_post_nodeadm" {
+ description = "Array of cloud-init document parts that are created after the nodeadm document part"
+ type = list(object({
+ content = string
+ content_type = optional(string)
+ filename = optional(string)
+ merge_type = optional(string)
+ }))
+ default = []
+ nullable = false
+}
diff --git a/modules/_user_data/versions.tf b/modules/_user_data/versions.tf
new file mode 100644
index 0000000000..a9802b0dea
--- /dev/null
+++ b/modules/_user_data/versions.tf
@@ -0,0 +1,14 @@
+terraform {
+ required_version = ">= 1.5.7"
+
+ required_providers {
+ cloudinit = {
+ source = "hashicorp/cloudinit"
+ version = ">= 2.0"
+ }
+ null = {
+ source = "hashicorp/null"
+ version = ">= 3.0"
+ }
+ }
+}
diff --git a/modules/capability/README.md b/modules/capability/README.md
new file mode 100644
index 0000000000..42232ebae5
--- /dev/null
+++ b/modules/capability/README.md
@@ -0,0 +1,172 @@
+# EKS Capability Module
+
+Configuration in this directory creates the AWS resources required by EKS capabilities
+
+## Usage
+
+### ACK
+
+```hcl
+module "ack_eks_capability" {
+ source = "terraform-aws-modules/eks/aws//modules/capability"
+
+ name = "example-ack"
+ cluster_name = "example"
+ type = "ACK"
+
+ # IAM Role/Policy
+ iam_role_policies = {
+ AdministratorAccess = "arn:aws:iam::aws:policy/AdministratorAccess"
+ }
+
+ tags = {
+ Environment = "dev"
+ Terraform = "true"
+ }
+}
+```
+
+### ArgoCD
+
+```hcl
+module "argocd_eks_capability" {
+ source = "terraform-aws-modules/eks/aws//modules/capability"
+
+ name = "example-argocd"
+ cluster_name = "example"
+ type = "ARGOCD"
+
+ configuration = {
+ argo_cd = {
+ aws_idc = {
+ idc_instance_arn = "arn:aws:sso:::instance/ssoins-1234567890abcdef0"
+ }
+ namespace = "argocd"
+ rbac_role_mapping = [{
+ role = "ADMIN"
+ identity = [{
+ id = "686103e0-f051-7068-b225-e6392b959d9e"
+ type = "SSO_GROUP"
+ }]
+ }]
+ }
+ }
+
+ # IAM Role/Policy
+ iam_policy_statements = {
+ ECRRead = {
+ actions = [
+ "ecr:GetAuthorizationToken",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:BatchGetImage",
+ ]
+ resources = ["*"]
+ }
+ }
+
+ tags = {
+ Environment = "dev"
+ Terraform = "true"
+ }
+}
+```
+
+### KRO
+
+```hcl
+module "kro_eks_capability" {
+ source = "terraform-aws-modules/eks/aws//modules/capability"
+
+ name = "example-kro"
+ cluster_name = "example"
+ type = "KRO"
+
+ tags = {
+ Environment = "dev"
+ Terraform = "true"
+ }
+}
+```
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.5.7 |
+| [aws](#requirement\_aws) | >= 6.28 |
+| [time](#requirement\_time) | >= 0.9 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 6.28 |
+| [time](#provider\_time) | >= 0.9 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_eks_capability.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_capability) | resource |
+| [aws_iam_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [time_sleep.this](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
+| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_service_principal.capabilities_eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/service_principal) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [cluster\_name](#input\_cluster\_name) | The name of the EKS cluster | `string` | `""` | no |
+| [configuration](#input\_configuration) | Configuration for the capability | object({
argo_cd = optional(object({
aws_idc = object({
idc_instance_arn = string
idc_region = optional(string)
})
namespace = optional(string)
network_access = optional(object({
vpce_ids = optional(list(string))
}))
rbac_role_mapping = optional(list(object({
identity = list(object({
id = string
type = string
}))
role = string
})))
}))
}) | `null` | no |
+| [create](#input\_create) | Controls if resources should be created (affects nearly all resources) | `bool` | `true` | no |
+| [create\_iam\_role](#input\_create\_iam\_role) | Determines whether an IAM role is created | `bool` | `true` | no |
+| [delete\_propagation\_policy](#input\_delete\_propagation\_policy) | The propagation policy to use when deleting the capability. Valid values: `RETAIN` | `string` | `"RETAIN"` | no |
+| [iam\_policy\_description](#input\_iam\_policy\_description) | IAM policy description | `string` | `null` | no |
+| [iam\_policy\_name](#input\_iam\_policy\_name) | Name of the IAM policy | `string` | `null` | no |
+| [iam\_policy\_path](#input\_iam\_policy\_path) | Path of the IAM policy | `string` | `null` | no |
+| [iam\_policy\_statements](#input\_iam\_policy\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) - used for adding specific IAM permissions as needed | map(object({
sid = optional(string)
actions = optional(list(string))
not_actions = optional(list(string))
effect = optional(string)
resources = optional(list(string))
not_resources = optional(list(string))
principals = optional(list(object({
type = string
identifiers = list(string)
})))
not_principals = optional(list(object({
type = string
identifiers = list(string)
})))
condition = optional(list(object({
test = string
values = list(string)
variable = string
})))
})) | `null` | no |
+| [iam\_policy\_use\_name\_prefix](#input\_iam\_policy\_use\_name\_prefix) | Determines whether the name of the IAM policy (`iam_policy_name`) is used as a prefix | `bool` | `true` | no |
+| [iam\_role\_arn](#input\_iam\_role\_arn) | The ARN of the IAM role that provides permissions for the capability | `string` | `null` | no |
+| [iam\_role\_description](#input\_iam\_role\_description) | IAM role description | `string` | `null` | no |
+| [iam\_role\_max\_session\_duration](#input\_iam\_role\_max\_session\_duration) | Maximum API session duration in seconds between 3600 and 43200 | `number` | `null` | no |
+| [iam\_role\_name](#input\_iam\_role\_name) | Name of the IAM role | `string` | `null` | no |
+| [iam\_role\_override\_assume\_policy\_documents](#input\_iam\_role\_override\_assume\_policy\_documents) | A list of IAM policy documents to override the default assume role policy document for the Karpenter controller IAM role | `list(string)` | `[]` | no |
+| [iam\_role\_path](#input\_iam\_role\_path) | Path of the IAM role | `string` | `null` | no |
+| [iam\_role\_permissions\_boundary\_arn](#input\_iam\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for the IAM role | `string` | `null` | no |
+| [iam\_role\_policies](#input\_iam\_role\_policies) | Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format | `map(string)` | `{}` | no |
+| [iam\_role\_source\_assume\_policy\_documents](#input\_iam\_role\_source\_assume\_policy\_documents) | A list of IAM policy documents to use as a source for the assume role policy document for the Karpenter controller IAM role | `list(string)` | `[]` | no |
+| [iam\_role\_tags](#input\_iam\_role\_tags) | A map of additional tags to add the the IAM role | `map(string)` | `{}` | no |
+| [iam\_role\_use\_name\_prefix](#input\_iam\_role\_use\_name\_prefix) | Determines whether the name of the IAM role (`iam_role_name`) is used as a prefix | `bool` | `true` | no |
+| [name](#input\_name) | The name of the capability to add to the cluster | `string` | `""` | no |
+| [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no |
+| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
+| [timeouts](#input\_timeouts) | Create, update, and delete timeout configurations for the capability | object({
create = optional(string)
update = optional(string)
delete = optional(string)
}) | `null` | no |
+| [type](#input\_type) | Type of the capability. Valid values: `ACK`, `KRO`, `ARGOCD` | `string` | `""` | no |
+| [wait\_duration](#input\_wait\_duration) | Duration to wait between creating the IAM role/policy and creating the capability | `string` | `"20s"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [argocd\_server\_url](#output\_argocd\_server\_url) | URL of the Argo CD server |
+| [arn](#output\_arn) | The ARN of the EKS Capability |
+| [iam\_role\_arn](#output\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
+| [iam\_role\_name](#output\_iam\_role\_name) | The name of the IAM role |
+| [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
+| [version](#output\_version) | The version of the EKS Capability |
+
+
+## License
+
+Apache 2 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/LICENSE) for full details.
diff --git a/modules/capability/main.tf b/modules/capability/main.tf
new file mode 100644
index 0000000000..51c7bd6bb4
--- /dev/null
+++ b/modules/capability/main.tf
@@ -0,0 +1,222 @@
+data "aws_service_principal" "capabilities_eks" {
+ count = var.create ? 1 : 0
+
+ service_name = "capabilities.eks"
+}
+
+# It appears that the EKS capability API checks for the IAM role trust policy *VERY* early in the process
+# Our standard approach to ordering IAM role/permission dependencies does not work here, so we add an explicit wait
+resource "time_sleep" "this" {
+ count = var.create ? 1 : 0
+
+ create_duration = var.wait_duration
+
+ triggers = {
+ iam_role_arn = local.create_iam_role ? aws_iam_role.this[0].arn : var.iam_role_arn
+ }
+}
+
+################################################################################
+# Capability
+################################################################################
+
+resource "aws_eks_capability" "this" {
+ count = var.create ? 1 : 0
+
+ region = var.region
+
+ capability_name = try(coalesce(var.name, lower(var.type)))
+ cluster_name = var.cluster_name
+
+ dynamic "configuration" {
+ for_each = var.configuration != null ? [var.configuration] : []
+
+ content {
+ dynamic "argo_cd" {
+ for_each = configuration.value.argo_cd != null ? [configuration.value.argo_cd] : []
+
+ content {
+ dynamic "aws_idc" {
+ for_each = [argo_cd.value.aws_idc]
+
+ content {
+ idc_instance_arn = aws_idc.value.idc_instance_arn
+ idc_region = aws_idc.value.idc_region
+ }
+ }
+
+ namespace = argo_cd.value.namespace
+
+ dynamic "network_access" {
+ for_each = argo_cd.value.network_access != null ? [argo_cd.value.network_access] : []
+
+ content {
+ vpce_ids = network_access.value.vpce_ids
+ }
+ }
+
+ dynamic "rbac_role_mapping" {
+ for_each = argo_cd.value.rbac_role_mapping != null ? argo_cd.value.rbac_role_mapping : []
+
+ content {
+ dynamic "identity" {
+ for_each = rbac_role_mapping.value.identity
+
+ content {
+ id = identity.value.id
+ type = identity.value.type
+ }
+ }
+
+ role = rbac_role_mapping.value.role
+ }
+ }
+ }
+ }
+ }
+ }
+
+ delete_propagation_policy = var.delete_propagation_policy
+ role_arn = time_sleep.this[0].triggers["iam_role_arn"]
+ type = var.type
+
+ dynamic "timeouts" {
+ for_each = var.timeouts != null ? [var.timeouts] : []
+
+ content {
+ create = timeouts.value.create
+ delete = timeouts.value.delete
+ update = timeouts.value.update
+ }
+ }
+
+ tags = var.tags
+
+ depends_on = [
+ aws_iam_role_policy_attachment.this,
+ aws_iam_role_policy_attachment.additional,
+ ]
+}
+
+################################################################################
+# IAM Role
+################################################################################
+
+locals {
+ create_iam_role = var.create && var.create_iam_role
+ iam_role_name = try(coalesce(var.iam_role_name, var.name), "")
+}
+
+data "aws_iam_policy_document" "assume_role" {
+ count = local.create_iam_role ? 1 : 0
+
+ override_policy_documents = var.iam_role_override_assume_policy_documents
+ source_policy_documents = var.iam_role_source_assume_policy_documents
+
+ statement {
+ sid = "EKSCapabilitiesAssumeRole"
+ actions = [
+ "sts:AssumeRole",
+ "sts:TagSession",
+ ]
+
+ principals {
+ type = "Service"
+ identifiers = [data.aws_service_principal.capabilities_eks[0].name]
+ }
+ }
+}
+
+resource "aws_iam_role" "this" {
+ count = local.create_iam_role ? 1 : 0
+
+ name = var.iam_role_use_name_prefix ? null : local.iam_role_name
+ name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null
+ path = var.iam_role_path
+ description = coalesce(var.iam_role_description, "EKS Capability IAM role for ${var.type} capability in cluster ${var.cluster_name}")
+
+ assume_role_policy = data.aws_iam_policy_document.assume_role[0].json
+ max_session_duration = var.iam_role_max_session_duration
+ permissions_boundary = var.iam_role_permissions_boundary_arn
+ force_detach_policies = true
+
+ tags = merge(var.tags, var.iam_role_tags)
+}
+
+################################################################################
+# IAM Role Policy
+################################################################################
+
+locals {
+ create_iam_role_policy = local.create_iam_role && var.iam_policy_statements != null
+ iam_policy_name = try(coalesce(var.iam_policy_name, local.iam_role_name), "")
+}
+
+data "aws_iam_policy_document" "this" {
+ count = local.create_iam_role_policy ? 1 : 0
+
+ dynamic "statement" {
+ for_each = var.iam_policy_statements != null ? var.iam_policy_statements : {}
+
+ content {
+ sid = try(coalesce(statement.value.sid, statement.key))
+ actions = statement.value.actions
+ not_actions = statement.value.not_actions
+ effect = statement.value.effect
+ resources = statement.value.resources
+ not_resources = statement.value.not_resources
+
+ dynamic "principals" {
+ for_each = statement.value.principals != null ? statement.value.principals : []
+
+ content {
+ type = principals.value.type
+ identifiers = principals.value.identifiers
+ }
+ }
+
+ dynamic "not_principals" {
+ for_each = statement.value.not_principals != null ? statement.value.not_principals : []
+
+ content {
+ type = not_principals.value.type
+ identifiers = not_principals.value.identifiers
+ }
+ }
+
+ dynamic "condition" {
+ for_each = statement.value.condition != null ? statement.value.condition : []
+
+ content {
+ test = condition.value.test
+ values = condition.value.values
+ variable = condition.value.variable
+ }
+ }
+ }
+ }
+}
+
+resource "aws_iam_policy" "this" {
+ count = local.create_iam_role_policy ? 1 : 0
+
+ name = var.iam_policy_use_name_prefix ? null : local.iam_policy_name
+ name_prefix = var.iam_policy_use_name_prefix ? "${local.iam_policy_name}-" : null
+ path = var.iam_policy_path
+ description = coalesce(var.iam_policy_description, "IAM policy for EKS Capability ${var.type} capability in cluster ${var.cluster_name}")
+ policy = data.aws_iam_policy_document.this[0].json
+}
+
+resource "aws_iam_role_policy_attachment" "this" {
+ count = local.create_iam_role_policy ? 1 : 0
+
+ role = aws_iam_role.this[0].name
+ policy_arn = aws_iam_policy.this[0].arn
+}
+
+resource "aws_iam_role_policy_attachment" "additional" {
+ for_each = { for k, v in var.iam_role_policies : k => v if local.create_iam_role }
+
+ role = aws_iam_role.this[0].name
+ policy_arn = each.value
+}
diff --git a/modules/capability/outputs.tf b/modules/capability/outputs.tf
new file mode 100644
index 0000000000..b812a91c40
--- /dev/null
+++ b/modules/capability/outputs.tf
@@ -0,0 +1,37 @@
+################################################################################
+# Capability
+################################################################################
+
+output "arn" {
+ description = "The ARN of the EKS Capability"
+ value = try(aws_eks_capability.this[0].arn, null)
+}
+
+output "version" {
+ description = "The version of the EKS Capability"
+ value = try(aws_eks_capability.this[0].version, null)
+}
+
+output "argocd_server_url" {
+ description = "URL of the Argo CD server"
+ value = try(aws_eks_capability.this[0].configuration[0].argo_cd[0].server_url, null)
+}
+
+################################################################################
+# IAM Role
+################################################################################
+
+output "iam_role_name" {
+ description = "The name of the IAM role"
+ value = try(aws_iam_role.this[0].name, null)
+}
+
+output "iam_role_arn" {
+ description = "The Amazon Resource Name (ARN) specifying the IAM role"
+ value = try(aws_iam_role.this[0].arn, null)
+}
+
+output "iam_role_unique_id" {
+ description = "Stable and unique string identifying the IAM role"
+ value = try(aws_iam_role.this[0].unique_id, null)
+}
diff --git a/modules/capability/variables.tf b/modules/capability/variables.tf
new file mode 100644
index 0000000000..4458453bfb
--- /dev/null
+++ b/modules/capability/variables.tf
@@ -0,0 +1,215 @@
+variable "create" {
+ description = "Controls if resources should be created (affects nearly all resources)"
+ type = bool
+ default = true
+}
+
+variable "tags" {
+ description = "A map of tags to add to all resources"
+ type = map(string)
+ default = {}
+}
+
+variable "region" {
+ description = "Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration"
+ type = string
+ default = null
+}
+
+################################################################################
+# Capabilities
+################################################################################
+
+variable "name" {
+ description = "The name of the capability to add to the cluster"
+ type = string
+ default = ""
+}
+
+variable "cluster_name" {
+ description = "The name of the EKS cluster"
+ type = string
+ default = ""
+}
+
+variable "configuration" {
+ description = "Configuration for the capability"
+ type = object({
+ argo_cd = optional(object({
+ aws_idc = object({
+ idc_instance_arn = string
+ idc_region = optional(string)
+ })
+ namespace = optional(string)
+ network_access = optional(object({
+ vpce_ids = optional(list(string))
+ }))
+ rbac_role_mapping = optional(list(object({
+ identity = list(object({
+ id = string
+ type = string
+ }))
+ role = string
+ })))
+ }))
+ })
+ default = null
+}
+
+variable "delete_propagation_policy" {
+ description = "The propagation policy to use when deleting the capability. Valid values: `RETAIN`"
+ type = string
+ default = "RETAIN"
+}
+
+variable "type" {
+ description = "Type of the capability. Valid values: `ACK`, `KRO`, `ARGOCD`"
+ type = string
+ default = ""
+}
+
+variable "timeouts" {
+ description = "Create, update, and delete timeout configurations for the capability"
+ type = object({
+ create = optional(string)
+ update = optional(string)
+ delete = optional(string)
+ })
+ default = null
+}
+
+variable "wait_duration" {
+ description = "Duration to wait between creating the IAM role/policy and creating the capability"
+ type = string
+ default = "20s"
+}
+
+################################################################################
+# IAM Role
+################################################################################
+
+variable "create_iam_role" {
+ description = "Determines whether an IAM role is created"
+ type = bool
+ default = true
+}
+
+variable "iam_role_arn" {
+ description = "The ARN of the IAM role that provides permissions for the capability"
+ type = string
+ default = null
+}
+
+variable "iam_role_name" {
+ description = "Name of the IAM role"
+ type = string
+ default = null
+}
+
+variable "iam_role_use_name_prefix" {
+ description = "Determines whether the name of the IAM role (`iam_role_name`) is used as a prefix"
+ type = bool
+ default = true
+}
+
+variable "iam_role_path" {
+ description = "Path of the IAM role"
+ type = string
+ default = null
+}
+
+variable "iam_role_description" {
+ description = "IAM role description"
+ type = string
+ default = null
+}
+
+variable "iam_role_max_session_duration" {
+ description = "Maximum API session duration in seconds between 3600 and 43200"
+ type = number
+ default = null
+}
+
+variable "iam_role_permissions_boundary_arn" {
+ description = "Permissions boundary ARN to use for the IAM role"
+ type = string
+ default = null
+}
+
+variable "iam_role_tags" {
+ description = "A map of additional tags to add the the IAM role"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# IAM Role Policy
+################################################################################
+
+variable "iam_policy_name" {
+ description = "Name of the IAM policy"
+ type = string
+ default = null
+}
+
+variable "iam_policy_use_name_prefix" {
+ description = "Determines whether the name of the IAM policy (`iam_policy_name`) is used as a prefix"
+ type = bool
+ default = true
+}
+
+variable "iam_policy_path" {
+ description = "Path of the IAM policy"
+ type = string
+ default = null
+}
+
+variable "iam_policy_description" {
+ description = "IAM policy description"
+ type = string
+ default = null
+}
+
+variable "iam_role_override_assume_policy_documents" {
+ description = "A list of IAM policy documents to override the default assume role policy document for the Karpenter controller IAM role"
+ type = list(string)
+ default = []
+}
+
+variable "iam_role_source_assume_policy_documents" {
+ description = "A list of IAM policy documents to use as a source for the assume role policy document for the Karpenter controller IAM role"
+ type = list(string)
+ default = []
+}
+
+variable "iam_policy_statements" {
+ description = "A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) - used for adding specific IAM permissions as needed"
+ type = map(object({
+ sid = optional(string)
+ actions = optional(list(string))
+ not_actions = optional(list(string))
+ effect = optional(string)
+ resources = optional(list(string))
+ not_resources = optional(list(string))
+ principals = optional(list(object({
+ type = string
+ identifiers = list(string)
+ })))
+ not_principals = optional(list(object({
+ type = string
+ identifiers = list(string)
+ })))
+ condition = optional(list(object({
+ test = string
+ values = list(string)
+ variable = string
+ })))
+ }))
+ default = null
+}
+
+variable "iam_role_policies" {
+ description = "Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format"
+ type = map(string)
+ default = {}
+}
diff --git a/modules/capability/versions.tf b/modules/capability/versions.tf
new file mode 100644
index 0000000000..25ff202c0f
--- /dev/null
+++ b/modules/capability/versions.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_version = ">= 1.5.7"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 6.28"
+ }
+ time = {
+ source = "hashicorp/time"
+ version = ">= 0.9"
+ }
+ }
+
+ provider_meta "aws" {
+ user_agent = [
+ "github.com/terraform-aws-modules/terraform-aws-eks"
+ ]
+ }
+}
diff --git a/modules/eks-managed-node-group/README.md b/modules/eks-managed-node-group/README.md
new file mode 100644
index 0000000000..453410cb40
--- /dev/null
+++ b/modules/eks-managed-node-group/README.md
@@ -0,0 +1,225 @@
+# EKS Managed Node Group Module
+
+Configuration in this directory creates an EKS Managed Node Group along with an IAM role, security group, and launch template
+
+## Usage
+
+```hcl
+module "eks_managed_node_group" {
+ source = "terraform-aws-modules/eks/aws//modules/eks-managed-node-group"
+
+ name = "separate-eks-mng"
+ cluster_name = "my-cluster"
+ cluster_version = "1.31"
+
+ subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]
+
+ // The following variables are necessary if you decide to use the module outside of the parent EKS module context.
+ // Without it, the security groups of the nodes are empty and thus won't join the cluster.
+ cluster_primary_security_group_id = module.eks.cluster_primary_security_group_id
+ vpc_security_group_ids = [module.eks.node_security_group_id]
+
+ // Note: `disk_size`, and `remote_access` can only be set when using the EKS managed node group default launch template
+ // This module defaults to providing a custom launch template to allow for custom security groups, tag propagation, etc.
+ // use_custom_launch_template = false
+ // disk_size = 50
+ //
+ // # Remote access cannot be specified with a launch template
+ // remote_access = {
+ // ec2_ssh_key = module.key_pair.key_pair_name
+ // source_security_group_ids = [aws_security_group.remote_access.id]
+ // }
+
+ min_size = 1
+ max_size = 10
+ desired_size = 1
+
+ instance_types = ["t3.large"]
+ capacity_type = "SPOT"
+
+ labels = {
+ Environment = "test"
+ GithubRepo = "terraform-aws-eks"
+ GithubOrg = "terraform-aws-modules"
+ }
+
+ taints = {
+ dedicated = {
+ key = "dedicated"
+ value = "gpuGroup"
+ effect = "NO_SCHEDULE"
+ }
+ }
+
+ tags = {
+ Environment = "dev"
+ Terraform = "true"
+ }
+}
+```
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.5.7 |
+| [aws](#requirement\_aws) | >= 6.28 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 6.28 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [user\_data](#module\_user\_data) | ../_user_data | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_eks_node_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group) | resource |
+| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy_attachment.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_launch_template.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource |
+| [aws_placement_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/placement_group) | resource |
+| [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_vpc_security_group_egress_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |
+| [aws_vpc_security_group_ingress_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_ec2_instance_type.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_instance_type) | data source |
+| [aws_eks_cluster_versions.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_versions) | data source |
+| [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+| [aws_ssm_parameter.ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+| [aws_subnet.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_id](#input\_account\_id) | The AWS account ID - pass through value to reduce number of GET requests from data sources | `string` | `""` | no |
+| [ami\_id](#input\_ami\_id) | The AMI from which to launch the instance. If not supplied, EKS will use its own default image | `string` | `""` | no |
+| [ami\_release\_version](#input\_ami\_release\_version) | The AMI version. Defaults to latest AMI release version for the given Kubernetes version and AMI type | `string` | `null` | no |
+| [ami\_type](#input\_ami\_type) | Type of Amazon Machine Image (AMI) associated with the EKS Node Group. See the [AWS documentation](https://docs.aws.amazon.com/eks/latest/APIReference/API_Nodegroup.html#AmazonEKS-Type-Nodegroup-amiType) for valid values | `string` | `"AL2023_x86_64_STANDARD"` | no |
+| [block\_device\_mappings](#input\_block\_device\_mappings) | Specify volumes to attach to the instance besides the volumes specified by the AMI | map(object({
device_name = optional(string)
ebs = optional(object({
delete_on_termination = optional(bool)
encrypted = optional(bool)
iops = optional(number)
kms_key_id = optional(string)
snapshot_id = optional(string)
throughput = optional(number)
volume_initialization_rate = optional(number)
volume_size = optional(number)
volume_type = optional(string)
}))
no_device = optional(string)
virtual_name = optional(string)
})) | `null` | no |
+| [bootstrap\_extra\_args](#input\_bootstrap\_extra\_args) | Additional arguments passed to the bootstrap script. When `ami_type` = `BOTTLEROCKET_*`; these are additional [settings](https://github.com/bottlerocket-os/bottlerocket#settings) that are provided to the Bottlerocket user data | `string` | `null` | no |
+| [capacity\_reservation\_specification](#input\_capacity\_reservation\_specification) | Targeting for EC2 capacity reservations | object({
capacity_reservation_preference = optional(string)
capacity_reservation_target = optional(object({
capacity_reservation_id = optional(string)
capacity_reservation_resource_group_arn = optional(string)
}))
}) | `null` | no |
+| [capacity\_type](#input\_capacity\_type) | Type of capacity associated with the EKS Node Group. Valid values: `ON_DEMAND`, `SPOT` | `string` | `"ON_DEMAND"` | no |
+| [cloudinit\_post\_nodeadm](#input\_cloudinit\_post\_nodeadm) | Array of cloud-init document parts that are created after the nodeadm document part | list(object({
content = string
content_type = optional(string)
filename = optional(string)
merge_type = optional(string)
})) | `null` | no |
+| [cloudinit\_pre\_nodeadm](#input\_cloudinit\_pre\_nodeadm) | Array of cloud-init document parts that are created before the nodeadm document part | list(object({
content = string
content_type = optional(string)
filename = optional(string)
merge_type = optional(string)
})) | `null` | no |
+| [cluster\_auth\_base64](#input\_cluster\_auth\_base64) | Base64 encoded CA of associated EKS cluster | `string` | `null` | no |
+| [cluster\_endpoint](#input\_cluster\_endpoint) | Endpoint of associated EKS cluster | `string` | `null` | no |
+| [cluster\_ip\_family](#input\_cluster\_ip\_family) | The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6` | `string` | `"ipv4"` | no |
+| [cluster\_name](#input\_cluster\_name) | Name of associated EKS cluster | `string` | `""` | no |
+| [cluster\_primary\_security\_group\_id](#input\_cluster\_primary\_security\_group\_id) | The ID of the EKS cluster primary security group to associate with the instance(s). This is the security group that is automatically created by the EKS service | `string` | `null` | no |
+| [cluster\_service\_cidr](#input\_cluster\_service\_cidr) | The CIDR block (IPv4 or IPv6) used by the cluster to assign Kubernetes service IP addresses. This is derived from the cluster itself | `string` | `null` | no |
+| [cpu\_options](#input\_cpu\_options) | The CPU options for the instance | object({
amd_sev_snp = optional(string)
core_count = optional(number)
threads_per_core = optional(number)
}) | `null` | no |
+| [create](#input\_create) | Determines whether to create EKS managed node group or not | `bool` | `true` | no |
+| [create\_iam\_role](#input\_create\_iam\_role) | Determines whether an IAM role is created or to use an existing IAM role | `bool` | `true` | no |
+| [create\_iam\_role\_policy](#input\_create\_iam\_role\_policy) | Determines whether an IAM role policy is created or not | `bool` | `true` | no |
+| [create\_launch\_template](#input\_create\_launch\_template) | Determines whether to create a launch template or not. If set to `false`, EKS will use its own default launch template | `bool` | `true` | no |
+| [create\_placement\_group](#input\_create\_placement\_group) | Determines whether a placement group is created & used by the node group | `bool` | `false` | no |
+| [create\_security\_group](#input\_create\_security\_group) | Determines if a security group is created | `bool` | `true` | no |
+| [credit\_specification](#input\_credit\_specification) | Customize the credit specification of the instance | object({
cpu_credits = optional(string)
}) | `null` | no |
+| [desired\_size](#input\_desired\_size) | Desired number of instances/nodes | `number` | `1` | no |
+| [disable\_api\_termination](#input\_disable\_api\_termination) | If true, enables EC2 instance termination protection | `bool` | `null` | no |
+| [disk\_size](#input\_disk\_size) | Disk size in GiB for nodes. Defaults to `20`. Only valid when `use_custom_launch_template` = `false` | `number` | `null` | no |
+| [ebs\_optimized](#input\_ebs\_optimized) | If true, the launched EC2 instance(s) will be EBS-optimized | `bool` | `null` | no |
+| [efa\_indices](#input\_efa\_indices) | The indices of the network interfaces that should be EFA-enabled. Only valid when `enable_efa_support` = `true` | `list(number)` | [| no | +| [enable\_bootstrap\_user\_data](#input\_enable\_bootstrap\_user\_data) | Determines whether the bootstrap configurations are populated within the user data template. Only valid when using a custom AMI via `ami_id` | `bool` | `false` | no | +| [enable\_efa\_only](#input\_enable\_efa\_only) | Determines whether to enable EFA (`false`, default) or EFA and EFA-only (`true`) network interfaces. Note: requires vpc-cni version `v1.18.4` or later | `bool` | `true` | no | +| [enable\_efa\_support](#input\_enable\_efa\_support) | Determines whether to enable Elastic Fabric Adapter (EFA) support | `bool` | `false` | no | +| [enable\_monitoring](#input\_enable\_monitoring) | Enables/disables detailed monitoring | `bool` | `false` | no | +| [enclave\_options](#input\_enclave\_options) | Enable Nitro Enclaves on launched instances |
0
]
object({
enabled = optional(bool)
}) | `null` | no |
+| [force\_update\_version](#input\_force\_update\_version) | Force version update if existing pods are unable to be drained due to a pod disruption budget issue | `bool` | `null` | no |
+| [iam\_role\_additional\_policies](#input\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `map(string)` | `{}` | no |
+| [iam\_role\_arn](#input\_iam\_role\_arn) | Existing IAM role ARN for the node group. Required if `create_iam_role` is set to `false` | `string` | `null` | no |
+| [iam\_role\_attach\_cni\_policy](#input\_iam\_role\_attach\_cni\_policy) | Whether to attach the `AmazonEKS_CNI_Policy`/`AmazonEKS_CNI_IPv6_Policy` IAM policy to the IAM IAM role. WARNING: If set `false` the permissions must be assigned to the `aws-node` DaemonSet pods via another method or nodes will not be able to join the cluster | `bool` | `true` | no |
+| [iam\_role\_description](#input\_iam\_role\_description) | Description of the role | `string` | `"EKS managed node group IAM role"` | no |
+| [iam\_role\_name](#input\_iam\_role\_name) | Name to use on IAM role created | `string` | `null` | no |
+| [iam\_role\_path](#input\_iam\_role\_path) | IAM role path | `string` | `null` | no |
+| [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
+| [iam\_role\_policy\_statements](#input\_iam\_role\_policy\_statements) | A list of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) - used for adding specific IAM permissions as needed | list(object({
sid = optional(string)
actions = optional(list(string))
not_actions = optional(list(string))
effect = optional(string)
resources = optional(list(string))
not_resources = optional(list(string))
principals = optional(list(object({
type = string
identifiers = list(string)
})))
not_principals = optional(list(object({
type = string
identifiers = list(string)
})))
condition = optional(list(object({
test = string
values = list(string)
variable = string
})))
})) | `null` | no |
+| [iam\_role\_tags](#input\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
+| [iam\_role\_use\_name\_prefix](#input\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`iam_role_name`) is used as a prefix | `bool` | `true` | no |
+| [instance\_market\_options](#input\_instance\_market\_options) | The market (purchasing) option for the instance | object({
market_type = optional(string)
spot_options = optional(object({
block_duration_minutes = optional(number)
instance_interruption_behavior = optional(string)
max_price = optional(string)
spot_instance_type = optional(string)
valid_until = optional(string)
}))
}) | `null` | no |
+| [instance\_types](#input\_instance\_types) | Set of instance types associated with the EKS Node Group. Defaults to `["t3.medium"]` | `list(string)` | `null` | no |
+| [kernel\_id](#input\_kernel\_id) | The kernel ID | `string` | `null` | no |
+| [key\_name](#input\_key\_name) | The key name that should be used for the instance(s) | `string` | `null` | no |
+| [kubernetes\_version](#input\_kubernetes\_version) | Kubernetes version. Defaults to EKS Cluster Kubernetes version | `string` | `null` | no |
+| [labels](#input\_labels) | Key-value map of Kubernetes labels. Only labels that are applied with the EKS API are managed by this argument. Other Kubernetes labels applied to the EKS Node Group will not be managed | `map(string)` | `null` | no |
+| [launch\_template\_default\_version](#input\_launch\_template\_default\_version) | Default version of the launch template | `string` | `null` | no |
+| [launch\_template\_description](#input\_launch\_template\_description) | Description of the launch template | `string` | `null` | no |
+| [launch\_template\_id](#input\_launch\_template\_id) | The ID of an existing launch template to use. Required when `create_launch_template` = `false` and `use_custom_launch_template` = `true` | `string` | `""` | no |
+| [launch\_template\_name](#input\_launch\_template\_name) | Name of launch template to be created | `string` | `null` | no |
+| [launch\_template\_tags](#input\_launch\_template\_tags) | A map of additional tags to add to the tag\_specifications of launch template created | `map(string)` | `{}` | no |
+| [launch\_template\_use\_name\_prefix](#input\_launch\_template\_use\_name\_prefix) | Determines whether to use `launch_template_name` as is or create a unique name beginning with the `launch_template_name` as the prefix | `bool` | `true` | no |
+| [launch\_template\_version](#input\_launch\_template\_version) | Launch template version number. The default is `$Default` | `string` | `null` | no |
+| [license\_specifications](#input\_license\_specifications) | A list of license specifications to associate with | list(object({
license_configuration_arn = string
})) | `null` | no |
+| [maintenance\_options](#input\_maintenance\_options) | The maintenance options for the instance | object({
auto_recovery = optional(string)
}) | `null` | no |
+| [max\_size](#input\_max\_size) | Maximum number of instances/nodes | `number` | `3` | no |
+| [metadata\_options](#input\_metadata\_options) | Customize the metadata options for the instance | object({
http_endpoint = optional(string, "enabled")
http_protocol_ipv6 = optional(string)
http_put_response_hop_limit = optional(number, 1)
http_tokens = optional(string, "required")
instance_metadata_tags = optional(string)
}) | {
"http_endpoint": "enabled",
"http_put_response_hop_limit": 1,
"http_tokens": "required"
} | no |
+| [min\_size](#input\_min\_size) | Minimum number of instances/nodes | `number` | `1` | no |
+| [name](#input\_name) | Name of the EKS managed node group | `string` | `""` | no |
+| [network\_interfaces](#input\_network\_interfaces) | Customize network interfaces to be attached at instance boot time | list(object({
associate_carrier_ip_address = optional(bool)
associate_public_ip_address = optional(bool)
connection_tracking_specification = optional(object({
tcp_established_timeout = optional(number)
udp_stream_timeout = optional(number)
udp_timeout = optional(number)
}))
delete_on_termination = optional(bool)
description = optional(string)
device_index = optional(number)
ena_srd_specification = optional(object({
ena_srd_enabled = optional(bool)
ena_srd_udp_specification = optional(object({
ena_srd_udp_enabled = optional(bool)
}))
}))
interface_type = optional(string)
ipv4_address_count = optional(number)
ipv4_addresses = optional(list(string))
ipv4_prefix_count = optional(number)
ipv4_prefixes = optional(list(string))
ipv6_address_count = optional(number)
ipv6_addresses = optional(list(string))
ipv6_prefix_count = optional(number)
ipv6_prefixes = optional(list(string))
network_card_index = optional(number)
network_interface_id = optional(string)
primary_ipv6 = optional(bool)
private_ip_address = optional(string)
security_groups = optional(list(string), [])
})) | `[]` | no |
+| [node\_repair\_config](#input\_node\_repair\_config) | The node auto repair configuration for the node group | object({
enabled = optional(bool, true)
max_parallel_nodes_repaired_count = optional(number)
max_parallel_nodes_repaired_percentage = optional(number)
max_unhealthy_node_threshold_count = optional(number)
max_unhealthy_node_threshold_percentage = optional(number)
node_repair_config_overrides = optional(list(object({
min_repair_wait_time_mins = number
node_monitoring_condition = string
node_unhealthy_reason = string
repair_action = string
})))
}) | `null` | no |
+| [partition](#input\_partition) | The AWS partition - pass through value to reduce number of GET requests from data sources | `string` | `""` | no |
+| [placement](#input\_placement) | The placement of the instance | object({
affinity = optional(string)
availability_zone = optional(string)
group_name = optional(string)
host_id = optional(string)
host_resource_group_arn = optional(string)
partition_number = optional(number)
spread_domain = optional(string)
tenancy = optional(string)
}) | `null` | no |
+| [post\_bootstrap\_user\_data](#input\_post\_bootstrap\_user\_data) | User data that is appended to the user data script after of the EKS bootstrap script. Not used when `ami_type` = `BOTTLEROCKET_*` | `string` | `null` | no |
+| [pre\_bootstrap\_user\_data](#input\_pre\_bootstrap\_user\_data) | User data that is injected into the user data script ahead of the EKS bootstrap script. Not used when `ami_type` = `BOTTLEROCKET_*` | `string` | `null` | no |
+| [private\_dns\_name\_options](#input\_private\_dns\_name\_options) | The options for the instance hostname. The default values are inherited from the subnet | object({
enable_resource_name_dns_aaaa_record = optional(bool)
enable_resource_name_dns_a_record = optional(bool)
hostname_type = optional(string)
}) | `null` | no |
+| [ram\_disk\_id](#input\_ram\_disk\_id) | The ID of the ram disk | `string` | `null` | no |
+| [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no |
+| [remote\_access](#input\_remote\_access) | Configuration block with remote access settings. Only valid when `use_custom_launch_template` = `false` | object({
ec2_ssh_key = optional(string)
source_security_group_ids = optional(list(string))
}) | `null` | no |
+| [security\_group\_description](#input\_security\_group\_description) | Description of the security group created | `string` | `null` | no |
+| [security\_group\_egress\_rules](#input\_security\_group\_egress\_rules) | Security group egress rules to add to the security group created | map(object({
name = optional(string)
cidr_ipv4 = optional(string)
cidr_ipv6 = optional(string)
description = optional(string)
from_port = optional(string)
ip_protocol = optional(string, "tcp")
prefix_list_id = optional(string)
referenced_security_group_id = optional(string)
self = optional(bool, false)
tags = optional(map(string), {})
to_port = optional(string)
})) | `{}` | no |
+| [security\_group\_ingress\_rules](#input\_security\_group\_ingress\_rules) | Security group ingress rules to add to the security group created | map(object({
name = optional(string)
cidr_ipv4 = optional(string)
cidr_ipv6 = optional(string)
description = optional(string)
from_port = optional(string)
ip_protocol = optional(string, "tcp")
prefix_list_id = optional(string)
referenced_security_group_id = optional(string)
self = optional(bool, false)
tags = optional(map(string), {})
to_port = optional(string)
})) | `{}` | no |
+| [security\_group\_name](#input\_security\_group\_name) | Name to use on security group created | `string` | `null` | no |
+| [security\_group\_tags](#input\_security\_group\_tags) | A map of additional tags to add to the security group created | `map(string)` | `{}` | no |
+| [security\_group\_use\_name\_prefix](#input\_security\_group\_use\_name\_prefix) | Determines whether the security group name (`security_group_name`) is used as a prefix | `bool` | `true` | no |
+| [subnet\_ids](#input\_subnet\_ids) | Identifiers of EC2 Subnets to associate with the EKS Node Group. These subnets must have the following resource tag: `kubernetes.io/cluster/CLUSTER_NAME` | `list(string)` | `null` | no |
+| [tag\_specifications](#input\_tag\_specifications) | The tags to apply to the resources during launch | `list(string)` | [| no | +| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no | +| [taints](#input\_taints) | The Kubernetes taints to be applied to the nodes in the node group. Maximum of 50 taints per node group |
"instance",
"volume",
"network-interface"
]
map(object({
key = string
value = optional(string)
effect = string
})) | `null` | no |
+| [timeouts](#input\_timeouts) | Create, update, and delete timeout configurations for the node group | object({
create = optional(string)
update = optional(string)
delete = optional(string)
}) | `null` | no |
+| [update\_config](#input\_update\_config) | Configuration block of settings for max unavailable resources during node group updates | object({
max_unavailable = optional(number)
max_unavailable_percentage = optional(number)
update_strategy = optional(string)
}) | {
"max_unavailable_percentage": 33
} | no |
+| [update\_launch\_template\_default\_version](#input\_update\_launch\_template\_default\_version) | Whether to update the launch templates default version on each update. Conflicts with `launch_template_default_version` | `bool` | `true` | no |
+| [use\_custom\_launch\_template](#input\_use\_custom\_launch\_template) | Determines whether to use a custom launch template or not. If set to `false`, EKS will use its own default launch template | `bool` | `true` | no |
+| [use\_latest\_ami\_release\_version](#input\_use\_latest\_ami\_release\_version) | Determines whether to use the latest AMI release version for the given `ami_type` (except for `CUSTOM`). Note: `ami_type` and `kubernetes_version` must be supplied in order to enable this feature | `bool` | `true` | no |
+| [use\_name\_prefix](#input\_use\_name\_prefix) | Determines whether to use `name` as is or create a unique name beginning with the `name` as the prefix | `bool` | `true` | no |
+| [user\_data\_template\_path](#input\_user\_data\_template\_path) | Path to a local, custom user data template file to use when rendering user data | `string` | `null` | no |
+| [vpc\_security\_group\_ids](#input\_vpc\_security\_group\_ids) | A list of security group IDs to associate | `list(string)` | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [iam\_role\_arn](#output\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
+| [iam\_role\_name](#output\_iam\_role\_name) | The name of the IAM role |
+| [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
+| [launch\_template\_arn](#output\_launch\_template\_arn) | The ARN of the launch template |
+| [launch\_template\_id](#output\_launch\_template\_id) | The ID of the launch template |
+| [launch\_template\_latest\_version](#output\_launch\_template\_latest\_version) | The latest version of the launch template |
+| [launch\_template\_name](#output\_launch\_template\_name) | The name of the launch template |
+| [node\_group\_arn](#output\_node\_group\_arn) | Amazon Resource Name (ARN) of the EKS Node Group |
+| [node\_group\_autoscaling\_group\_names](#output\_node\_group\_autoscaling\_group\_names) | List of the autoscaling group names |
+| [node\_group\_id](#output\_node\_group\_id) | EKS Cluster name and EKS Node Group name separated by a colon (`:`) |
+| [node\_group\_labels](#output\_node\_group\_labels) | Map of labels applied to the node group |
+| [node\_group\_resources](#output\_node\_group\_resources) | List of objects containing information about underlying resources |
+| [node\_group\_status](#output\_node\_group\_status) | Status of the EKS Node Group |
+| [node\_group\_taints](#output\_node\_group\_taints) | List of objects containing information about taints applied to the node group |
+| [security\_group\_arn](#output\_security\_group\_arn) | Amazon Resource Name (ARN) of the security group |
+| [security\_group\_id](#output\_security\_group\_id) | ID of the security group |
+
+
+## License
+
+Apache 2 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/LICENSE) for full details.
diff --git a/modules/eks-managed-node-group/main.tf b/modules/eks-managed-node-group/main.tf
new file mode 100644
index 0000000000..e153147953
--- /dev/null
+++ b/modules/eks-managed-node-group/main.tf
@@ -0,0 +1,832 @@
+data "aws_partition" "current" {
+ count = var.create && var.partition == "" ? 1 : 0
+}
+data "aws_caller_identity" "current" {
+ count = var.create && var.account_id == "" ? 1 : 0
+}
+
+locals {
+ partition = try(data.aws_partition.current[0].partition, var.partition)
+ account_id = try(data.aws_caller_identity.current[0].account_id, var.account_id)
+}
+
+################################################################################
+# User Data
+################################################################################
+
+module "user_data" {
+ source = "../_user_data"
+
+ create = var.create
+ ami_type = var.ami_type
+
+ cluster_name = var.cluster_name
+ cluster_endpoint = var.cluster_endpoint
+ cluster_auth_base64 = var.cluster_auth_base64
+ cluster_ip_family = var.cluster_ip_family
+ cluster_service_cidr = var.cluster_service_cidr
+
+ enable_bootstrap_user_data = var.enable_bootstrap_user_data
+ pre_bootstrap_user_data = var.pre_bootstrap_user_data
+ post_bootstrap_user_data = var.post_bootstrap_user_data
+ bootstrap_extra_args = var.bootstrap_extra_args
+ user_data_template_path = var.user_data_template_path
+
+ cloudinit_pre_nodeadm = var.cloudinit_pre_nodeadm
+ cloudinit_post_nodeadm = var.cloudinit_post_nodeadm
+}
+
+################################################################################
+# EFA Support
+################################################################################
+
+data "aws_ec2_instance_type" "this" {
+ count = local.enable_efa_support ? 1 : 0
+
+ region = var.region
+
+ instance_type = local.efa_instance_type
+}
+
+locals {
+ enable_efa_support = var.create && var.enable_efa_support
+
+ efa_instance_type = try(element(var.instance_types, 0), "")
+ num_network_cards = try(data.aws_ec2_instance_type.this[0].maximum_network_cards, 0)
+
+ # Primary network interface must be EFA, remaining can be EFA or EFA-only
+ efa_network_interfaces = [
+ for i in range(local.num_network_cards) : {
+ associate_public_ip_address = false
+ delete_on_termination = true
+ device_index = i == 0 ? 0 : 1
+ network_card_index = i
+ interface_type = var.enable_efa_only ? contains(concat([0], var.efa_indices), i) ? "efa" : "efa-only" : "efa"
+
+ # Null out due to error: The true and false result expressions must have consistent types. The 'true' value is tuple, but the 'false' value is list of objects.
+ associate_carrier_ip_address = null
+ connection_tracking_specification = null
+ description = "EFA${var.enable_efa_only ? "-only" : ""} Network Interface ${i}"
+ ena_srd_specification = null
+ ipv4_address_count = null
+ ipv4_addresses = null
+ ipv4_prefix_count = null
+ ipv4_prefixes = null
+ ipv6_address_count = null
+ ipv6_addresses = null
+ ipv6_prefix_count = null
+ ipv6_prefixes = null
+ network_interface_id = null
+ primary_ipv6 = null
+ private_ip_address = null
+ security_groups = []
+ }
+ ]
+
+ network_interfaces = local.enable_efa_support ? local.efa_network_interfaces : var.network_interfaces
+}
+
+################################################################################
+# Launch template
+################################################################################
+
+locals {
+ launch_template_name = coalesce(var.launch_template_name, "${var.name}-eks-node-group")
+ security_group_ids = compact(concat([var.cluster_primary_security_group_id], var.vpc_security_group_ids, aws_security_group.this[*].id))
+}
+
+resource "aws_launch_template" "this" {
+ count = var.create && var.create_launch_template && var.use_custom_launch_template ? 1 : 0
+
+ region = var.region
+
+ dynamic "block_device_mappings" {
+ for_each = var.block_device_mappings != null ? var.block_device_mappings : {}
+
+ content {
+ device_name = block_device_mappings.value.device_name
+
+ dynamic "ebs" {
+ for_each = block_device_mappings.value.ebs != null ? [block_device_mappings.value.ebs] : []
+
+ content {
+ delete_on_termination = ebs.value.delete_on_termination
+ encrypted = ebs.value.encrypted
+ iops = ebs.value.iops
+ kms_key_id = ebs.value.kms_key_id
+ snapshot_id = ebs.value.snapshot_id
+ throughput = ebs.value.throughput
+ volume_initialization_rate = ebs.value.volume_initialization_rate
+ volume_size = ebs.value.volume_size
+ volume_type = ebs.value.volume_type
+ }
+ }
+
+ no_device = block_device_mappings.value.no_device
+ virtual_name = block_device_mappings.value.virtual_name
+ }
+ }
+
+ dynamic "capacity_reservation_specification" {
+ for_each = var.capacity_reservation_specification != null ? [var.capacity_reservation_specification] : []
+
+ content {
+ capacity_reservation_preference = capacity_reservation_specification.value.capacity_reservation_preference
+
+ dynamic "capacity_reservation_target" {
+ for_each = capacity_reservation_specification.value.capacity_reservation_target != null ? [capacity_reservation_specification.value.capacity_reservation_target] : []
+ content {
+ capacity_reservation_id = capacity_reservation_target.value.capacity_reservation_id
+ capacity_reservation_resource_group_arn = capacity_reservation_target.value.capacity_reservation_resource_group_arn
+ }
+ }
+ }
+ }
+
+ dynamic "cpu_options" {
+ for_each = var.cpu_options != null ? [var.cpu_options] : []
+
+ content {
+ amd_sev_snp = cpu_options.value.amd_sev_snp
+ core_count = cpu_options.value.core_count
+ threads_per_core = cpu_options.value.threads_per_core
+ }
+ }
+
+ dynamic "credit_specification" {
+ for_each = var.credit_specification != null ? [var.credit_specification] : []
+
+ content {
+ cpu_credits = credit_specification.value.cpu_credits
+ }
+ }
+
+ default_version = var.launch_template_default_version
+ description = var.launch_template_description
+ disable_api_termination = var.disable_api_termination
+ ebs_optimized = var.ebs_optimized
+
+ dynamic "enclave_options" {
+ for_each = var.enclave_options != null ? [var.enclave_options] : []
+
+ content {
+ enabled = enclave_options.value.enabled
+ }
+ }
+
+ # Set on EKS managed node group, will fail if set here
+ # https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-basics
+ # dynamic "hibernation_options" {
+ # for_each = length(var.hibernation_options) > 0 ? [var.hibernation_options] : []
+
+ # content {
+ # configured = hibernation_options.value.configured
+ # }
+ # }
+
+ # Set on EKS managed node group, will fail if set here
+ # https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-basics
+ # dynamic "iam_instance_profile" {
+ # for_each = [var.iam_instance_profile]
+ # content {
+ # name = lookup(var.iam_instance_profile, "name", null)
+ # arn = lookup(var.iam_instance_profile, "arn", null)
+ # }
+ # }
+
+ image_id = var.ami_id
+ # Set on EKS managed node group, will fail if set here
+ # https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-basics
+ # instance_initiated_shutdown_behavior = var.instance_initiated_shutdown_behavior
+
+ dynamic "instance_market_options" {
+ for_each = var.instance_market_options != null ? [var.instance_market_options] : []
+
+ content {
+ market_type = instance_market_options.value.market_type
+
+ dynamic "spot_options" {
+ for_each = instance_market_options.value.spot_options != null ? [instance_market_options.value.spot_options] : []
+
+ content {
+ block_duration_minutes = spot_options.value.block_duration_minutes
+ instance_interruption_behavior = spot_options.value.instance_interruption_behavior
+ max_price = spot_options.value.max_price
+ spot_instance_type = spot_options.value.spot_instance_type
+ valid_until = spot_options.value.valid_until
+ }
+ }
+ }
+ }
+
+ # Instance type(s) are generally set on the node group,
+ # except when a ML capacity block reseravtion is used
+ instance_type = var.capacity_type == "CAPACITY_BLOCK" ? element(var.instance_types, 0) : null
+ kernel_id = var.kernel_id
+ key_name = var.key_name
+
+ dynamic "license_specification" {
+ for_each = var.license_specifications != null ? var.license_specifications : []
+
+ content {
+ license_configuration_arn = license_specification.value.license_configuration_arn
+ }
+ }
+
+ dynamic "maintenance_options" {
+ for_each = var.maintenance_options != null ? [var.maintenance_options] : []
+
+ content {
+ auto_recovery = maintenance_options.value.auto_recovery
+ }
+ }
+
+ dynamic "metadata_options" {
+ for_each = [var.metadata_options]
+
+ content {
+ http_endpoint = metadata_options.value.http_endpoint
+ http_protocol_ipv6 = metadata_options.value.http_protocol_ipv6
+ http_put_response_hop_limit = metadata_options.value.http_put_response_hop_limit
+ http_tokens = metadata_options.value.http_tokens
+ instance_metadata_tags = metadata_options.value.instance_metadata_tags
+ }
+ }
+
+ dynamic "monitoring" {
+ for_each = var.enable_monitoring ? [1] : []
+
+ content {
+ enabled = var.enable_monitoring
+ }
+ }
+
+ name = var.launch_template_use_name_prefix ? null : local.launch_template_name
+ name_prefix = var.launch_template_use_name_prefix ? "${local.launch_template_name}-" : null
+
+ dynamic "network_interfaces" {
+ for_each = length(local.network_interfaces) > 0 ? local.network_interfaces : []
+
+ content {
+ associate_carrier_ip_address = network_interfaces.value.associate_carrier_ip_address
+ associate_public_ip_address = network_interfaces.value.associate_public_ip_address
+
+ dynamic "connection_tracking_specification" {
+ for_each = network_interfaces.value.connection_tracking_specification != null ? [network_interfaces.value.connection_tracking_specification] : []
+
+ content {
+ tcp_established_timeout = connection_tracking_specification.value.tcp_established_timeout
+ udp_stream_timeout = connection_tracking_specification.value.udp_stream_timeout
+ udp_timeout = connection_tracking_specification.value.udp_timeout
+ }
+ }
+
+ delete_on_termination = network_interfaces.value.delete_on_termination
+ description = network_interfaces.value.description
+ device_index = network_interfaces.value.device_index
+
+ dynamic "ena_srd_specification" {
+ for_each = network_interfaces.value.ena_srd_specification != null ? [network_interfaces.value.ena_srd_specification] : []
+
+ content {
+ ena_srd_enabled = ena_srd_specification.value.ena_srd_enabled
+
+ dynamic "ena_srd_udp_specification" {
+ for_each = ena_srd_specification.value.ena_srd_udp_specification != null ? [ena_srd_specification.value.ena_srd_udp_specification] : []
+
+ content {
+ ena_srd_udp_enabled = ena_srd_udp_specification.value.ena_srd_udp_enabled
+ }
+ }
+ }
+ }
+
+ interface_type = network_interfaces.value.interface_type
+ ipv4_address_count = network_interfaces.value.ipv4_address_count
+ ipv4_addresses = network_interfaces.value.ipv4_addresses
+ ipv4_prefix_count = network_interfaces.value.ipv4_prefix_count
+ ipv4_prefixes = network_interfaces.value.ipv4_prefixes
+ ipv6_address_count = network_interfaces.value.ipv6_address_count
+ ipv6_addresses = network_interfaces.value.ipv6_addresses
+ ipv6_prefix_count = network_interfaces.value.ipv6_prefix_count
+ ipv6_prefixes = network_interfaces.value.ipv6_prefixes
+ network_card_index = network_interfaces.value.network_card_index
+ network_interface_id = network_interfaces.value.network_interface_id
+ primary_ipv6 = network_interfaces.value.primary_ipv6
+ private_ip_address = network_interfaces.value.private_ip_address
+ # Ref: https://github.com/hashicorp/terraform-provider-aws/issues/4570
+ security_groups = compact(concat(network_interfaces.value.security_groups, local.security_group_ids))
+ # Set on EKS managed node group, will fail if set here
+ # https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-basics
+ # subnet_id = try(network_interfaces.value.subnet_id, null)
+ }
+ }
+
+ dynamic "placement" {
+ for_each = var.placement != null || local.create_placement_group ? [var.placement] : []
+
+ content {
+ affinity = try(placement.value.affinity, null)
+ availability_zone = try(placement.value.availability_zone, null)
+ group_name = try(aws_placement_group.this[0].name, placement.value.group_name)
+ host_id = try(placement.value.host_id, null)
+ host_resource_group_arn = try(placement.value.host_resource_group_arn, null)
+ partition_number = try(placement.value.partition_number, null)
+ spread_domain = try(placement.value.spread_domain, null)
+ tenancy = try(placement.value.tenancy, null)
+ }
+ }
+
+ dynamic "private_dns_name_options" {
+ for_each = var.private_dns_name_options != null ? [var.private_dns_name_options] : []
+
+ content {
+ enable_resource_name_dns_aaaa_record = private_dns_name_options.value.enable_resource_name_dns_aaaa_record
+ enable_resource_name_dns_a_record = private_dns_name_options.value.enable_resource_name_dns_a_record
+ hostname_type = private_dns_name_options.value.hostname_type
+ }
+ }
+
+ ram_disk_id = var.ram_disk_id
+
+ dynamic "tag_specifications" {
+ for_each = toset(var.tag_specifications)
+
+ content {
+ resource_type = tag_specifications.key
+ tags = merge(var.tags, { Name = var.name }, var.launch_template_tags)
+ }
+ }
+
+ update_default_version = var.update_launch_template_default_version
+ user_data = module.user_data.user_data
+ vpc_security_group_ids = length(local.network_interfaces) > 0 ? [] : local.security_group_ids
+
+ tags = merge(
+ var.tags,
+ var.launch_template_tags,
+ )
+
+ # Prevent premature access of policies by pods that
+ # require permissions on create/destroy that depend on nodes
+ depends_on = [
+ aws_iam_role_policy_attachment.this,
+ aws_iam_role_policy_attachment.additional,
+ ]
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+################################################################################
+# AMI SSM Parameter
+################################################################################
+
+data "aws_eks_cluster_versions" "this" {
+ count = var.create && var.kubernetes_version == null ? 1 : 0
+
+ region = var.region
+
+ cluster_type = "eks"
+ version_status = "STANDARD_SUPPORT"
+}
+
+locals {
+ # Just to ensure templating doesn't fail when values are not provided
+ ssm_kubernetes_version = var.kubernetes_version != null ? var.kubernetes_version : try(data.aws_eks_cluster_versions.this[0].cluster_versions[0].cluster_version, "UNSPECIFIED")
+ ssm_ami_type = var.ami_type != null ? var.ami_type : ""
+
+ # Map the AMI type to the respective SSM param path
+ ssm_ami_type_to_ssm_param = {
+ AL2_x86_64 = "/aws/service/eks/optimized-ami/${local.ssm_kubernetes_version}/amazon-linux-2/recommended/release_version"
+ AL2_x86_64_GPU = "/aws/service/eks/optimized-ami/${local.ssm_kubernetes_version}/amazon-linux-2-gpu/recommended/release_version"
+ AL2_ARM_64 = "/aws/service/eks/optimized-ami/${local.ssm_kubernetes_version}/amazon-linux-2-arm64/recommended/release_version"
+ CUSTOM = "NONE"
+ BOTTLEROCKET_ARM_64 = "/aws/service/bottlerocket/aws-k8s-${local.ssm_kubernetes_version}/arm64/latest/image_version"
+ BOTTLEROCKET_x86_64 = "/aws/service/bottlerocket/aws-k8s-${local.ssm_kubernetes_version}/x86_64/latest/image_version"
+ BOTTLEROCKET_ARM_64_FIPS = "/aws/service/bottlerocket/aws-k8s-${local.ssm_kubernetes_version}-fips/arm64/latest/image_version"
+ BOTTLEROCKET_x86_64_FIPS = "/aws/service/bottlerocket/aws-k8s-${local.ssm_kubernetes_version}-fips/x86_64/latest/image_version"
+ BOTTLEROCKET_ARM_64_NVIDIA = "/aws/service/bottlerocket/aws-k8s-${local.ssm_kubernetes_version}-nvidia/arm64/latest/image_version"
+ BOTTLEROCKET_x86_64_NVIDIA = "/aws/service/bottlerocket/aws-k8s-${local.ssm_kubernetes_version}-nvidia/x86_64/latest/image_version"
+ WINDOWS_CORE_2019_x86_64 = "/aws/service/ami-windows-latest/Windows_Server-2019-English-Full-EKS_Optimized-${local.ssm_kubernetes_version}"
+ WINDOWS_FULL_2019_x86_64 = "/aws/service/ami-windows-latest/Windows_Server-2019-English-Core-EKS_Optimized-${local.ssm_kubernetes_version}"
+ WINDOWS_CORE_2022_x86_64 = "/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-EKS_Optimized-${local.ssm_kubernetes_version}"
+ WINDOWS_FULL_2022_x86_64 = "/aws/service/ami-windows-latest/Windows_Server-2022-English-Core-EKS_Optimized-${local.ssm_kubernetes_version}"
+ AL2023_x86_64_STANDARD = "/aws/service/eks/optimized-ami/${local.ssm_kubernetes_version}/amazon-linux-2023/x86_64/standard/recommended/release_version"
+ AL2023_ARM_64_STANDARD = "/aws/service/eks/optimized-ami/${local.ssm_kubernetes_version}/amazon-linux-2023/arm64/standard/recommended/release_version"
+ AL2023_x86_64_NEURON = "/aws/service/eks/optimized-ami/${local.ssm_kubernetes_version}/amazon-linux-2023/x86_64/neuron/recommended/release_version"
+ AL2023_x86_64_NVIDIA = "/aws/service/eks/optimized-ami/${local.ssm_kubernetes_version}/amazon-linux-2023/x86_64/nvidia/recommended/release_version"
+ AL2023_ARM_64_NVIDIA = "/aws/service/eks/optimized-ami/${local.ssm_kubernetes_version}/amazon-linux-2023/arm64/nvidia/recommended/release_version"
+ }
+
+ # The Windows SSM params currently do not have a release version, so we have to get the full output JSON blob and parse out the release version
+ windows_latest_ami_release_version = var.create && var.use_latest_ami_release_version && startswith(local.ssm_ami_type, "WINDOWS") ? nonsensitive(jsondecode(data.aws_ssm_parameter.ami[0].value)["release_version"]) : null
+ # Based on the steps above, try to get an AMI release version - if not, `null` is returned
+ latest_ami_release_version = startswith(local.ssm_ami_type, "WINDOWS") ? local.windows_latest_ami_release_version : try(nonsensitive(data.aws_ssm_parameter.ami[0].value), null)
+}
+
+data "aws_ssm_parameter" "ami" {
+ count = var.create && var.use_latest_ami_release_version ? 1 : 0
+
+ region = var.region
+
+ name = local.ssm_ami_type_to_ssm_param[var.ami_type]
+}
+
+################################################################################
+# Node Group
+################################################################################
+
+locals {
+ launch_template_id = var.create && var.create_launch_template ? try(aws_launch_template.this[0].id, null) : var.launch_template_id
+ # Change order to allow users to set version priority before using defaults
+ launch_template_version = coalesce(var.launch_template_version, try(aws_launch_template.this[0].default_version, "$Default"))
+}
+
+resource "aws_eks_node_group" "this" {
+ count = var.create ? 1 : 0
+
+ region = var.region
+
+ # Required
+ cluster_name = var.cluster_name
+ node_role_arn = var.create_iam_role ? aws_iam_role.this[0].arn : var.iam_role_arn
+ subnet_ids = var.subnet_ids
+
+ scaling_config {
+ min_size = var.min_size
+ max_size = var.max_size
+ desired_size = var.desired_size
+ }
+
+ # Optional
+ node_group_name = var.use_name_prefix ? null : var.name
+ node_group_name_prefix = var.use_name_prefix ? "${var.name}-" : null
+
+ # https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-custom-ami
+ ami_type = var.ami_id != "" ? null : var.ami_type
+ release_version = var.ami_id != "" ? null : var.use_latest_ami_release_version ? local.latest_ami_release_version : var.ami_release_version
+ version = var.ami_id != "" ? null : var.kubernetes_version
+
+ capacity_type = var.capacity_type
+ disk_size = var.use_custom_launch_template ? null : var.disk_size # if using a custom LT, set disk size on custom LT or else it will error here
+ force_update_version = var.force_update_version
+ # ML capacity block reservation requires instance type to be set on the launch template
+ instance_types = var.capacity_type == "CAPACITY_BLOCK" ? null : var.instance_types
+ labels = var.labels
+
+ dynamic "launch_template" {
+ for_each = var.use_custom_launch_template ? [1] : []
+
+ content {
+ id = local.launch_template_id
+ version = local.launch_template_version
+ }
+ }
+
+ dynamic "remote_access" {
+ for_each = var.remote_access != null ? [var.remote_access] : []
+
+ content {
+ ec2_ssh_key = remote_access.value.ec2_ssh_key
+ source_security_group_ids = remote_access.value.source_security_group_ids
+ }
+ }
+
+ dynamic "taint" {
+ for_each = var.taints != null ? var.taints : {}
+
+ content {
+ key = taint.value.key
+ value = taint.value.value
+ effect = taint.value.effect
+ }
+ }
+
+ dynamic "update_config" {
+ for_each = var.update_config != null ? [var.update_config] : []
+
+ content {
+ max_unavailable_percentage = update_config.value.max_unavailable_percentage
+ max_unavailable = update_config.value.max_unavailable
+ update_strategy = update_config.value.update_strategy
+ }
+ }
+
+ dynamic "node_repair_config" {
+ for_each = var.node_repair_config != null ? [var.node_repair_config] : []
+
+ content {
+ enabled = node_repair_config.value.enabled
+ max_parallel_nodes_repaired_count = node_repair_config.value.max_parallel_nodes_repaired_count
+ max_parallel_nodes_repaired_percentage = node_repair_config.value.max_parallel_nodes_repaired_percentage
+ max_unhealthy_node_threshold_count = node_repair_config.value.max_unhealthy_node_threshold_count
+ max_unhealthy_node_threshold_percentage = node_repair_config.value.max_unhealthy_node_threshold_percentage
+
+ dynamic "node_repair_config_overrides" {
+ for_each = node_repair_config.value.node_repair_config_overrides != null ? node_repair_config.value.node_repair_config_overrides : []
+
+ content {
+ min_repair_wait_time_mins = node_repair_config_overrides.value.min_repair_wait_time_mins
+ node_monitoring_condition = node_repair_config_overrides.value.node_monitoring_condition
+ node_unhealthy_reason = node_repair_config_overrides.value.node_unhealthy_reason
+ repair_action = node_repair_config_overrides.value.repair_action
+ }
+ }
+ }
+ }
+
+ dynamic "timeouts" {
+ for_each = var.timeouts != null ? [var.timeouts] : []
+
+ content {
+ create = var.timeouts.create
+ update = var.timeouts.update
+ delete = var.timeouts.delete
+ }
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ ignore_changes = [
+ scaling_config[0].desired_size,
+ ]
+ }
+
+ tags = merge(
+ var.tags,
+ { Name = var.name }
+ )
+}
+
+################################################################################
+# IAM Role
+################################################################################
+
+locals {
+ create_iam_role = var.create && var.create_iam_role
+
+ iam_role_name = coalesce(var.iam_role_name, "${var.name}-eks-node-group")
+ iam_role_policy_prefix = "arn:${local.partition}:iam::aws:policy"
+
+ ipv4_cni_policy = { for k, v in {
+ AmazonEKS_CNI_Policy = "${local.iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
+ } : k => v if var.iam_role_attach_cni_policy && var.cluster_ip_family == "ipv4" }
+ ipv6_cni_policy = { for k, v in {
+ AmazonEKS_CNI_IPv6_Policy = "arn:${local.partition}:iam::${local.account_id}:policy/AmazonEKS_CNI_IPv6_Policy"
+ } : k => v if var.iam_role_attach_cni_policy && var.cluster_ip_family == "ipv6" }
+}
+
+data "aws_iam_policy_document" "assume_role_policy" {
+ count = local.create_iam_role ? 1 : 0
+
+ statement {
+ sid = "EKSNodeAssumeRole"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["ec2.amazonaws.com"]
+ }
+ }
+}
+
+resource "aws_iam_role" "this" {
+ count = local.create_iam_role ? 1 : 0
+
+ name = var.iam_role_use_name_prefix ? null : local.iam_role_name
+ name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null
+ path = var.iam_role_path
+ description = var.iam_role_description
+
+ assume_role_policy = data.aws_iam_policy_document.assume_role_policy[0].json
+ permissions_boundary = var.iam_role_permissions_boundary
+ force_detach_policies = true
+
+ tags = merge(var.tags, var.iam_role_tags)
+}
+
+# Policies attached ref https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group
+resource "aws_iam_role_policy_attachment" "this" {
+ for_each = { for k, v in merge(
+ {
+ AmazonEKSWorkerNodePolicy = "${local.iam_role_policy_prefix}/AmazonEKSWorkerNodePolicy"
+ AmazonEC2ContainerRegistryReadOnly = "${local.iam_role_policy_prefix}/AmazonEC2ContainerRegistryReadOnly"
+ },
+ local.ipv4_cni_policy,
+ local.ipv6_cni_policy
+ ) : k => v if local.create_iam_role }
+
+ policy_arn = each.value
+ role = aws_iam_role.this[0].name
+}
+
+resource "aws_iam_role_policy_attachment" "additional" {
+ for_each = { for k, v in var.iam_role_additional_policies : k => v if local.create_iam_role }
+
+ policy_arn = each.value
+ role = aws_iam_role.this[0].name
+}
+
+################################################################################
+# IAM Role Policy
+################################################################################
+
+locals {
+ create_iam_role_policy = local.create_iam_role && var.create_iam_role_policy && var.iam_role_policy_statements != null
+}
+
+data "aws_iam_policy_document" "role" {
+ count = local.create_iam_role_policy ? 1 : 0
+
+ dynamic "statement" {
+ for_each = var.iam_role_policy_statements != null ? var.iam_role_policy_statements : []
+
+ content {
+ sid = statement.value.sid
+ actions = statement.value.actions
+ not_actions = statement.value.not_actions
+ effect = statement.value.effect
+ resources = statement.value.resources
+ not_resources = statement.value.not_resources
+
+ dynamic "principals" {
+ for_each = statement.value.principals != null ? statement.value.principals : []
+
+ content {
+ type = principals.value.type
+ identifiers = principals.value.identifiers
+ }
+ }
+
+ dynamic "not_principals" {
+ for_each = statement.value.not_principals != null ? statement.value.not_principals : []
+
+ content {
+ type = not_principals.value.type
+ identifiers = not_principals.value.identifiers
+ }
+ }
+
+ dynamic "condition" {
+ for_each = statement.value.condition != null ? statement.value.condition : []
+
+ content {
+ test = condition.value.test
+ values = condition.value.values
+ variable = condition.value.variable
+ }
+ }
+ }
+ }
+}
+
+resource "aws_iam_role_policy" "this" {
+ count = local.create_iam_role_policy ? 1 : 0
+
+ name = var.iam_role_use_name_prefix ? null : local.iam_role_name
+ name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null
+ policy = data.aws_iam_policy_document.role[0].json
+ role = aws_iam_role.this[0].id
+}
+
+################################################################################
+# Placement Group
+################################################################################
+
+locals {
+ create_placement_group = var.create && (local.enable_efa_support || var.create_placement_group)
+}
+
+resource "aws_placement_group" "this" {
+ count = local.create_placement_group ? 1 : 0
+
+ region = var.region
+
+ name = "${var.cluster_name}-${var.name}"
+ strategy = "cluster"
+
+ tags = var.tags
+}
+
+################################################################################
+# Security Group
+################################################################################
+
+locals {
+ create_security_group = var.create && var.create_security_group && length(merge(local.security_group_ingress_rules, local.security_group_egress_rules)) > 0
+ security_group_name = coalesce(var.security_group_name, "${var.cluster_name}-${var.name}")
+
+ security_group_ingress_rules = merge({ for k, v in
+ {
+ all_self_efa = {
+ description = "Node to node EFA"
+ ip_protocol = "-1"
+ self = true
+
+ # Null out due to variable type and not using `try()` in resource
+ cidr_ipv4 = null
+ cidr_ipv6 = null
+ from_port = null
+ name = null
+ prefix_list_id = null
+ tags = {}
+ }
+ } : k => v if var.enable_efa_support
+ },
+ var.security_group_ingress_rules
+ )
+ security_group_egress_rules = merge({ for k, v in
+ {
+ all_self_efa = {
+ description = "Node to node EFA"
+ ip_protocol = "-1"
+ self = true
+
+ # Null out due to variable type and not using `try()` in resource
+ cidr_ipv4 = null
+ cidr_ipv6 = null
+ to_port = null
+ name = null
+ prefix_list_id = null
+ tags = {}
+ }
+ } : k => v if var.enable_efa_support
+ },
+ var.security_group_egress_rules
+ )
+}
+
+data "aws_subnet" "this" {
+ count = local.create_security_group ? 1 : 0
+
+ region = var.region
+
+ id = element(var.subnet_ids, 0)
+}
+
+resource "aws_security_group" "this" {
+ count = local.create_security_group ? 1 : 0
+
+ region = var.region
+
+ name = var.security_group_use_name_prefix ? null : local.security_group_name
+ name_prefix = var.security_group_use_name_prefix ? "${local.security_group_name}-" : null
+ description = var.security_group_description
+ vpc_id = data.aws_subnet.this[0].vpc_id
+
+ tags = merge(
+ var.tags,
+ { "Name" = local.security_group_name },
+ var.security_group_tags
+ )
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+resource "aws_vpc_security_group_ingress_rule" "this" {
+ for_each = { for k, v in local.security_group_ingress_rules : k => v if length(local.security_group_ingress_rules) > 0 && local.create_security_group }
+
+ region = var.region
+
+ cidr_ipv4 = each.value.cidr_ipv4
+ cidr_ipv6 = each.value.cidr_ipv6
+ description = each.value.description
+ from_port = each.value.from_port
+ ip_protocol = each.value.ip_protocol
+ prefix_list_id = each.value.prefix_list_id
+ referenced_security_group_id = each.value.self ? aws_security_group.this[0].id : each.value.referenced_security_group_id
+ security_group_id = aws_security_group.this[0].id
+ tags = merge(
+ var.tags,
+ var.security_group_tags,
+ { "Name" = coalesce(each.value.name, "${local.security_group_name}-${each.key}") },
+ each.value.tags
+ )
+ to_port = try(coalesce(each.value.to_port, each.value.from_port), null)
+}
+
+resource "aws_vpc_security_group_egress_rule" "this" {
+ for_each = { for k, v in local.security_group_egress_rules : k => v if length(local.security_group_egress_rules) > 0 && local.create_security_group }
+
+ region = var.region
+
+ cidr_ipv4 = each.value.cidr_ipv4
+ cidr_ipv6 = each.value.cidr_ipv6
+ description = each.value.description
+ from_port = try(coalesce(each.value.from_port, each.value.to_port), null)
+ ip_protocol = each.value.ip_protocol
+ prefix_list_id = each.value.prefix_list_id
+ referenced_security_group_id = each.value.self ? aws_security_group.this[0].id : each.value.referenced_security_group_id
+ security_group_id = aws_security_group.this[0].id
+ tags = merge(
+ var.tags,
+ var.security_group_tags,
+ { "Name" = coalesce(each.value.name, "${local.security_group_name}-${each.key}") },
+ each.value.tags
+ )
+ to_port = each.value.to_port
+}
diff --git a/modules/eks-managed-node-group/migrations.tf b/modules/eks-managed-node-group/migrations.tf
new file mode 100644
index 0000000000..5d51a7208a
--- /dev/null
+++ b/modules/eks-managed-node-group/migrations.tf
@@ -0,0 +1,20 @@
+################################################################################
+# Migrations: v20.7 -> v20.8
+################################################################################
+
+# Node IAM role policy attachment
+# Commercial partition only - `moved` does now allow multiple moves to same target
+moved {
+ from = aws_iam_role_policy_attachment.this["arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"]
+ to = aws_iam_role_policy_attachment.this["AmazonEKSWorkerNodePolicy"]
+}
+
+moved {
+ from = aws_iam_role_policy_attachment.this["arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"]
+ to = aws_iam_role_policy_attachment.this["AmazonEC2ContainerRegistryReadOnly"]
+}
+
+moved {
+ from = aws_iam_role_policy_attachment.this["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"]
+ to = aws_iam_role_policy_attachment.this["AmazonEKS_CNI_Policy"]
+}
diff --git a/modules/eks-managed-node-group/outputs.tf b/modules/eks-managed-node-group/outputs.tf
new file mode 100644
index 0000000000..a7d6fcf62b
--- /dev/null
+++ b/modules/eks-managed-node-group/outputs.tf
@@ -0,0 +1,95 @@
+################################################################################
+# Launch template
+################################################################################
+
+output "launch_template_id" {
+ description = "The ID of the launch template"
+ value = try(aws_launch_template.this[0].id, null)
+}
+
+output "launch_template_arn" {
+ description = "The ARN of the launch template"
+ value = try(aws_launch_template.this[0].arn, null)
+}
+
+output "launch_template_latest_version" {
+ description = "The latest version of the launch template"
+ value = try(aws_launch_template.this[0].latest_version, null)
+}
+
+output "launch_template_name" {
+ description = "The name of the launch template"
+ value = try(aws_launch_template.this[0].name, null)
+}
+
+################################################################################
+# Node Group
+################################################################################
+
+output "node_group_arn" {
+ description = "Amazon Resource Name (ARN) of the EKS Node Group"
+ value = try(aws_eks_node_group.this[0].arn, null)
+}
+
+output "node_group_id" {
+ description = "EKS Cluster name and EKS Node Group name separated by a colon (`:`)"
+ value = try(aws_eks_node_group.this[0].id, null)
+}
+
+output "node_group_resources" {
+ description = "List of objects containing information about underlying resources"
+ value = try(aws_eks_node_group.this[0].resources, null)
+}
+
+output "node_group_autoscaling_group_names" {
+ description = "List of the autoscaling group names"
+ value = try(flatten(aws_eks_node_group.this[0].resources[*].autoscaling_groups[*].name), [])
+}
+
+output "node_group_status" {
+ description = "Status of the EKS Node Group"
+ value = try(aws_eks_node_group.this[0].status, null)
+}
+
+output "node_group_labels" {
+ description = "Map of labels applied to the node group"
+ value = try(aws_eks_node_group.this[0].labels, {})
+}
+
+output "node_group_taints" {
+ description = "List of objects containing information about taints applied to the node group"
+ value = try(aws_eks_node_group.this[0].taint, [])
+}
+
+################################################################################
+# IAM Role
+################################################################################
+
+output "iam_role_name" {
+ description = "The name of the IAM role"
+ value = try(aws_iam_role.this[0].name, null)
+}
+
+output "iam_role_arn" {
+ description = "The Amazon Resource Name (ARN) specifying the IAM role"
+ value = try(aws_iam_role.this[0].arn, var.iam_role_arn)
+}
+
+output "iam_role_unique_id" {
+ description = "Stable and unique string identifying the IAM role"
+ value = try(aws_iam_role.this[0].unique_id, null)
+}
+
+################################################################################
+# Security Group
+################################################################################
+
+output "security_group_arn" {
+ description = "Amazon Resource Name (ARN) of the security group"
+ value = try(aws_security_group.this[0].arn, null)
+}
+
+output "security_group_id" {
+ description = "ID of the security group"
+ value = try(aws_security_group.this[0].id, null)
+}
diff --git a/modules/eks-managed-node-group/variables.tf b/modules/eks-managed-node-group/variables.tf
new file mode 100644
index 0000000000..430d1460a7
--- /dev/null
+++ b/modules/eks-managed-node-group/variables.tf
@@ -0,0 +1,790 @@
+variable "create" {
+ description = "Determines whether to create EKS managed node group or not"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "tags" {
+ description = "A map of tags to add to all resources"
+ type = map(string)
+ default = {}
+}
+
+variable "region" {
+ description = "Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration"
+ type = string
+ default = null
+}
+
+variable "partition" {
+ description = "The AWS partition - pass through value to reduce number of GET requests from data sources"
+ type = string
+ default = ""
+}
+
+variable "account_id" {
+ description = "The AWS account ID - pass through value to reduce number of GET requests from data sources"
+ type = string
+ default = ""
+}
+
+################################################################################
+# User Data
+################################################################################
+
+variable "enable_bootstrap_user_data" {
+ description = "Determines whether the bootstrap configurations are populated within the user data template. Only valid when using a custom AMI via `ami_id`"
+ type = bool
+ default = false
+ nullable = false
+}
+
+variable "cluster_name" {
+ description = "Name of associated EKS cluster"
+ type = string
+ default = ""
+}
+
+variable "cluster_endpoint" {
+ description = "Endpoint of associated EKS cluster"
+ type = string
+ default = null
+}
+
+variable "cluster_auth_base64" {
+ description = "Base64 encoded CA of associated EKS cluster"
+ type = string
+ default = null
+}
+
+variable "cluster_service_cidr" {
+ description = "The CIDR block (IPv4 or IPv6) used by the cluster to assign Kubernetes service IP addresses. This is derived from the cluster itself"
+ type = string
+ default = null
+}
+
+variable "pre_bootstrap_user_data" {
+ description = "User data that is injected into the user data script ahead of the EKS bootstrap script. Not used when `ami_type` = `BOTTLEROCKET_*`"
+ type = string
+ default = null
+}
+
+variable "post_bootstrap_user_data" {
+ description = "User data that is appended to the user data script after of the EKS bootstrap script. Not used when `ami_type` = `BOTTLEROCKET_*`"
+ type = string
+ default = null
+}
+
+variable "bootstrap_extra_args" {
+ description = "Additional arguments passed to the bootstrap script. When `ami_type` = `BOTTLEROCKET_*`; these are additional [settings](https://github.com/bottlerocket-os/bottlerocket#settings) that are provided to the Bottlerocket user data"
+ type = string
+ default = null
+}
+
+variable "user_data_template_path" {
+ description = "Path to a local, custom user data template file to use when rendering user data"
+ type = string
+ default = null
+}
+
+variable "cloudinit_pre_nodeadm" {
+ description = "Array of cloud-init document parts that are created before the nodeadm document part"
+ type = list(object({
+ content = string
+ content_type = optional(string)
+ filename = optional(string)
+ merge_type = optional(string)
+ }))
+ default = null
+}
+
+variable "cloudinit_post_nodeadm" {
+ description = "Array of cloud-init document parts that are created after the nodeadm document part"
+ type = list(object({
+ content = string
+ content_type = optional(string)
+ filename = optional(string)
+ merge_type = optional(string)
+ }))
+ default = null
+}
+
+################################################################################
+# Launch template
+################################################################################
+
+variable "create_launch_template" {
+ description = "Determines whether to create a launch template or not. If set to `false`, EKS will use its own default launch template"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "use_custom_launch_template" {
+ description = "Determines whether to use a custom launch template or not. If set to `false`, EKS will use its own default launch template"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "launch_template_id" {
+ description = "The ID of an existing launch template to use. Required when `create_launch_template` = `false` and `use_custom_launch_template` = `true`"
+ type = string
+ default = ""
+}
+
+variable "launch_template_name" {
+ description = "Name of launch template to be created"
+ type = string
+ default = null
+}
+
+variable "launch_template_use_name_prefix" {
+ description = "Determines whether to use `launch_template_name` as is or create a unique name beginning with the `launch_template_name` as the prefix"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "launch_template_description" {
+ description = "Description of the launch template"
+ type = string
+ default = null
+}
+
+variable "ebs_optimized" {
+ description = "If true, the launched EC2 instance(s) will be EBS-optimized"
+ type = bool
+ default = null
+}
+
+variable "ami_id" {
+ description = "The AMI from which to launch the instance. If not supplied, EKS will use its own default image"
+ type = string
+ default = ""
+ nullable = false
+}
+
+variable "key_name" {
+ description = "The key name that should be used for the instance(s)"
+ type = string
+ default = null
+}
+
+variable "vpc_security_group_ids" {
+ description = "A list of security group IDs to associate"
+ type = list(string)
+ default = []
+ nullable = false
+}
+
+variable "cluster_primary_security_group_id" {
+ description = "The ID of the EKS cluster primary security group to associate with the instance(s). This is the security group that is automatically created by the EKS service"
+ type = string
+ default = null
+}
+
+variable "launch_template_default_version" {
+ description = "Default version of the launch template"
+ type = string
+ default = null
+}
+
+variable "update_launch_template_default_version" {
+ description = "Whether to update the launch templates default version on each update. Conflicts with `launch_template_default_version`"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "disable_api_termination" {
+ description = "If true, enables EC2 instance termination protection"
+ type = bool
+ default = null
+}
+
+variable "kernel_id" {
+ description = "The kernel ID"
+ type = string
+ default = null
+}
+
+variable "ram_disk_id" {
+ description = "The ID of the ram disk"
+ type = string
+ default = null
+}
+
+variable "block_device_mappings" {
+ description = "Specify volumes to attach to the instance besides the volumes specified by the AMI"
+ type = map(object({
+ device_name = optional(string)
+ ebs = optional(object({
+ delete_on_termination = optional(bool)
+ encrypted = optional(bool)
+ iops = optional(number)
+ kms_key_id = optional(string)
+ snapshot_id = optional(string)
+ throughput = optional(number)
+ volume_initialization_rate = optional(number)
+ volume_size = optional(number)
+ volume_type = optional(string)
+ }))
+ no_device = optional(string)
+ virtual_name = optional(string)
+ }))
+ default = null
+}
+
+variable "capacity_reservation_specification" {
+ description = "Targeting for EC2 capacity reservations"
+ type = object({
+ capacity_reservation_preference = optional(string)
+ capacity_reservation_target = optional(object({
+ capacity_reservation_id = optional(string)
+ capacity_reservation_resource_group_arn = optional(string)
+ }))
+ })
+ default = null
+}
+
+variable "cpu_options" {
+ description = "The CPU options for the instance"
+ type = object({
+ amd_sev_snp = optional(string)
+ core_count = optional(number)
+ threads_per_core = optional(number)
+ })
+ default = null
+}
+
+variable "credit_specification" {
+ description = "Customize the credit specification of the instance"
+ type = object({
+ cpu_credits = optional(string)
+ })
+ default = null
+}
+
+variable "enclave_options" {
+ description = "Enable Nitro Enclaves on launched instances"
+ type = object({
+ enabled = optional(bool)
+ })
+ default = null
+}
+
+variable "instance_market_options" {
+ description = "The market (purchasing) option for the instance"
+ type = object({
+ market_type = optional(string)
+ spot_options = optional(object({
+ block_duration_minutes = optional(number)
+ instance_interruption_behavior = optional(string)
+ max_price = optional(string)
+ spot_instance_type = optional(string)
+ valid_until = optional(string)
+ }))
+ })
+ default = null
+}
+
+variable "maintenance_options" {
+ description = "The maintenance options for the instance"
+ type = object({
+ auto_recovery = optional(string)
+ })
+ default = null
+}
+
+variable "license_specifications" {
+ description = "A list of license specifications to associate with"
+ type = list(object({
+ license_configuration_arn = string
+ }))
+ default = null
+}
+
+variable "metadata_options" {
+ description = "Customize the metadata options for the instance"
+ type = object({
+ http_endpoint = optional(string, "enabled")
+ http_protocol_ipv6 = optional(string)
+ http_put_response_hop_limit = optional(number, 1)
+ http_tokens = optional(string, "required")
+ instance_metadata_tags = optional(string)
+ })
+ default = {
+ http_endpoint = "enabled"
+ http_put_response_hop_limit = 1
+ http_tokens = "required"
+ }
+ nullable = false
+}
+
+variable "enable_monitoring" {
+ description = "Enables/disables detailed monitoring"
+ type = bool
+ default = false
+ nullable = false
+}
+
+variable "enable_efa_support" {
+ description = "Determines whether to enable Elastic Fabric Adapter (EFA) support"
+ type = bool
+ default = false
+ nullable = false
+}
+
+variable "enable_efa_only" {
+ description = "Determines whether to enable EFA (`false`, default) or EFA and EFA-only (`true`) network interfaces. Note: requires vpc-cni version `v1.18.4` or later"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "efa_indices" {
+ description = "The indices of the network interfaces that should be EFA-enabled. Only valid when `enable_efa_support` = `true`"
+ type = list(number)
+ default = [0]
+ nullable = false
+}
+
+variable "network_interfaces" {
+ description = "Customize network interfaces to be attached at instance boot time"
+ type = list(object({
+ associate_carrier_ip_address = optional(bool)
+ associate_public_ip_address = optional(bool)
+ connection_tracking_specification = optional(object({
+ tcp_established_timeout = optional(number)
+ udp_stream_timeout = optional(number)
+ udp_timeout = optional(number)
+ }))
+ delete_on_termination = optional(bool)
+ description = optional(string)
+ device_index = optional(number)
+ ena_srd_specification = optional(object({
+ ena_srd_enabled = optional(bool)
+ ena_srd_udp_specification = optional(object({
+ ena_srd_udp_enabled = optional(bool)
+ }))
+ }))
+ interface_type = optional(string)
+ ipv4_address_count = optional(number)
+ ipv4_addresses = optional(list(string))
+ ipv4_prefix_count = optional(number)
+ ipv4_prefixes = optional(list(string))
+ ipv6_address_count = optional(number)
+ ipv6_addresses = optional(list(string))
+ ipv6_prefix_count = optional(number)
+ ipv6_prefixes = optional(list(string))
+ network_card_index = optional(number)
+ network_interface_id = optional(string)
+ primary_ipv6 = optional(bool)
+ private_ip_address = optional(string)
+ security_groups = optional(list(string), [])
+ }))
+ default = []
+ nullable = false
+}
+
+variable "placement" {
+ description = "The placement of the instance"
+ type = object({
+ affinity = optional(string)
+ availability_zone = optional(string)
+ group_name = optional(string)
+ host_id = optional(string)
+ host_resource_group_arn = optional(string)
+ partition_number = optional(number)
+ spread_domain = optional(string)
+ tenancy = optional(string)
+ })
+ default = null
+}
+
+variable "create_placement_group" {
+ description = "Determines whether a placement group is created & used by the node group"
+ type = bool
+ default = false
+ nullable = false
+}
+
+variable "private_dns_name_options" {
+ description = "The options for the instance hostname. The default values are inherited from the subnet"
+ type = object({
+ enable_resource_name_dns_aaaa_record = optional(bool)
+ enable_resource_name_dns_a_record = optional(bool)
+ hostname_type = optional(string)
+ })
+ default = null
+}
+
+variable "launch_template_tags" {
+ description = "A map of additional tags to add to the tag_specifications of launch template created"
+ type = map(string)
+ default = {}
+}
+
+variable "tag_specifications" {
+ description = "The tags to apply to the resources during launch"
+ type = list(string)
+ default = ["instance", "volume", "network-interface"]
+ nullable = false
+}
+
+################################################################################
+# EKS Managed Node Group
+################################################################################
+
+variable "subnet_ids" {
+ description = "Identifiers of EC2 Subnets to associate with the EKS Node Group. These subnets must have the following resource tag: `kubernetes.io/cluster/CLUSTER_NAME`"
+ type = list(string)
+ default = null
+}
+
+variable "min_size" {
+ description = "Minimum number of instances/nodes"
+ type = number
+ default = 1
+ nullable = false
+}
+
+variable "max_size" {
+ description = "Maximum number of instances/nodes"
+ type = number
+ default = 3
+ nullable = false
+}
+
+variable "desired_size" {
+ description = "Desired number of instances/nodes"
+ type = number
+ default = 1
+ nullable = false
+}
+
+variable "name" {
+ description = "Name of the EKS managed node group"
+ type = string
+ default = ""
+}
+
+variable "use_name_prefix" {
+ description = "Determines whether to use `name` as is or create a unique name beginning with the `name` as the prefix"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "ami_type" {
+ description = "Type of Amazon Machine Image (AMI) associated with the EKS Node Group. See the [AWS documentation](https://docs.aws.amazon.com/eks/latest/APIReference/API_Nodegroup.html#AmazonEKS-Type-Nodegroup-amiType) for valid values"
+ type = string
+ default = "AL2023_x86_64_STANDARD"
+ nullable = false
+}
+
+variable "ami_release_version" {
+ description = "The AMI version. Defaults to latest AMI release version for the given Kubernetes version and AMI type"
+ type = string
+ default = null
+}
+
+variable "use_latest_ami_release_version" {
+ description = "Determines whether to use the latest AMI release version for the given `ami_type` (except for `CUSTOM`). Note: `ami_type` and `kubernetes_version` must be supplied in order to enable this feature"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "capacity_type" {
+ description = "Type of capacity associated with the EKS Node Group. Valid values: `ON_DEMAND`, `SPOT`"
+ type = string
+ default = "ON_DEMAND"
+ nullable = false
+}
+
+variable "disk_size" {
+ description = "Disk size in GiB for nodes. Defaults to `20`. Only valid when `use_custom_launch_template` = `false`"
+ type = number
+ default = null
+}
+
+variable "force_update_version" {
+ description = "Force version update if existing pods are unable to be drained due to a pod disruption budget issue"
+ type = bool
+ default = null
+}
+
+variable "instance_types" {
+ description = "Set of instance types associated with the EKS Node Group. Defaults to `[\"t3.medium\"]`"
+ type = list(string)
+ default = null
+}
+
+variable "labels" {
+ description = "Key-value map of Kubernetes labels. Only labels that are applied with the EKS API are managed by this argument. Other Kubernetes labels applied to the EKS Node Group will not be managed"
+ type = map(string)
+ default = null
+}
+
+variable "kubernetes_version" {
+ description = "Kubernetes version. Defaults to EKS Cluster Kubernetes version"
+ type = string
+ default = null
+}
+
+variable "launch_template_version" {
+ description = "Launch template version number. The default is `$Default`"
+ type = string
+ default = null
+}
+
+variable "remote_access" {
+ description = "Configuration block with remote access settings. Only valid when `use_custom_launch_template` = `false`"
+ type = object({
+ ec2_ssh_key = optional(string)
+ source_security_group_ids = optional(list(string))
+ })
+ default = null
+}
+
+variable "taints" {
+ description = "The Kubernetes taints to be applied to the nodes in the node group. Maximum of 50 taints per node group"
+ type = map(object({
+ key = string
+ value = optional(string)
+ effect = string
+ }))
+ default = null
+}
+
+variable "update_config" {
+ description = "Configuration block of settings for max unavailable resources during node group updates"
+ type = object({
+ max_unavailable = optional(number)
+ max_unavailable_percentage = optional(number)
+ update_strategy = optional(string)
+ })
+ default = {
+ max_unavailable_percentage = 33
+ }
+ nullable = false
+}
+
+variable "node_repair_config" {
+ description = "The node auto repair configuration for the node group"
+ type = object({
+ enabled = optional(bool, true)
+ max_parallel_nodes_repaired_count = optional(number)
+ max_parallel_nodes_repaired_percentage = optional(number)
+ max_unhealthy_node_threshold_count = optional(number)
+ max_unhealthy_node_threshold_percentage = optional(number)
+ node_repair_config_overrides = optional(list(object({
+ min_repair_wait_time_mins = number
+ node_monitoring_condition = string
+ node_unhealthy_reason = string
+ repair_action = string
+ })))
+ })
+ default = null
+}
+
+variable "timeouts" {
+ description = "Create, update, and delete timeout configurations for the node group"
+ type = object({
+ create = optional(string)
+ update = optional(string)
+ delete = optional(string)
+ })
+ default = null
+}
+
+################################################################################
+# IAM Role
+################################################################################
+
+variable "create_iam_role" {
+ description = "Determines whether an IAM role is created or to use an existing IAM role"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "cluster_ip_family" {
+ description = "The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`"
+ type = string
+ default = "ipv4"
+ nullable = false
+}
+
+variable "iam_role_arn" {
+ description = "Existing IAM role ARN for the node group. Required if `create_iam_role` is set to `false`"
+ type = string
+ default = null
+}
+
+variable "iam_role_name" {
+ description = "Name to use on IAM role created"
+ type = string
+ default = null
+}
+
+variable "iam_role_use_name_prefix" {
+ description = "Determines whether the IAM role name (`iam_role_name`) is used as a prefix"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "iam_role_path" {
+ description = "IAM role path"
+ type = string
+ default = null
+}
+
+variable "iam_role_description" {
+ description = "Description of the role"
+ type = string
+ default = "EKS managed node group IAM role"
+ nullable = false
+}
+
+variable "iam_role_permissions_boundary" {
+ description = "ARN of the policy that is used to set the permissions boundary for the IAM role"
+ type = string
+ default = null
+}
+
+variable "iam_role_attach_cni_policy" {
+ description = "Whether to attach the `AmazonEKS_CNI_Policy`/`AmazonEKS_CNI_IPv6_Policy` IAM policy to the IAM IAM role. WARNING: If set `false` the permissions must be assigned to the `aws-node` DaemonSet pods via another method or nodes will not be able to join the cluster"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "iam_role_additional_policies" {
+ description = "Additional policies to be added to the IAM role"
+ type = map(string)
+ default = {}
+ nullable = false
+}
+
+variable "iam_role_tags" {
+ description = "A map of additional tags to add to the IAM role created"
+ type = map(string)
+ default = {}
+ nullable = false
+}
+
+################################################################################
+# IAM Role Policy
+################################################################################
+
+variable "create_iam_role_policy" {
+ description = "Determines whether an IAM role policy is created or not"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "iam_role_policy_statements" {
+ description = "A list of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) - used for adding specific IAM permissions as needed"
+ type = list(object({
+ sid = optional(string)
+ actions = optional(list(string))
+ not_actions = optional(list(string))
+ effect = optional(string)
+ resources = optional(list(string))
+ not_resources = optional(list(string))
+ principals = optional(list(object({
+ type = string
+ identifiers = list(string)
+ })))
+ not_principals = optional(list(object({
+ type = string
+ identifiers = list(string)
+ })))
+ condition = optional(list(object({
+ test = string
+ values = list(string)
+ variable = string
+ })))
+ }))
+ default = null
+}
+
+################################################################################
+# Security Group
+################################################################################
+
+variable "create_security_group" {
+ description = "Determines if a security group is created"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "security_group_name" {
+ description = "Name to use on security group created"
+ type = string
+ default = null
+}
+
+variable "security_group_use_name_prefix" {
+ description = "Determines whether the security group name (`security_group_name`) is used as a prefix"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "security_group_description" {
+ description = "Description of the security group created"
+ type = string
+ default = null
+}
+
+variable "security_group_ingress_rules" {
+ description = "Security group ingress rules to add to the security group created"
+ type = map(object({
+ name = optional(string)
+
+ cidr_ipv4 = optional(string)
+ cidr_ipv6 = optional(string)
+ description = optional(string)
+ from_port = optional(string)
+ ip_protocol = optional(string, "tcp")
+ prefix_list_id = optional(string)
+ referenced_security_group_id = optional(string)
+ self = optional(bool, false)
+ tags = optional(map(string), {})
+ to_port = optional(string)
+ }))
+ default = {}
+}
+
+variable "security_group_egress_rules" {
+ description = "Security group egress rules to add to the security group created"
+ type = map(object({
+ name = optional(string)
+
+ cidr_ipv4 = optional(string)
+ cidr_ipv6 = optional(string)
+ description = optional(string)
+ from_port = optional(string)
+ ip_protocol = optional(string, "tcp")
+ prefix_list_id = optional(string)
+ referenced_security_group_id = optional(string)
+ self = optional(bool, false)
+ tags = optional(map(string), {})
+ to_port = optional(string)
+ }))
+ default = {}
+}
+
+variable "security_group_tags" {
+ description = "A map of additional tags to add to the security group created"
+ type = map(string)
+ default = {}
+}
diff --git a/modules/eks-managed-node-group/versions.tf b/modules/eks-managed-node-group/versions.tf
new file mode 100644
index 0000000000..af99edcc27
--- /dev/null
+++ b/modules/eks-managed-node-group/versions.tf
@@ -0,0 +1,16 @@
+terraform {
+ required_version = ">= 1.5.7"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 6.28"
+ }
+ }
+
+ provider_meta "aws" {
+ user_agent = [
+ "github.com/terraform-aws-modules/terraform-aws-eks"
+ ]
+ }
+}
diff --git a/modules/fargate-profile/README.md b/modules/fargate-profile/README.md
new file mode 100644
index 0000000000..4af5fd327e
--- /dev/null
+++ b/modules/fargate-profile/README.md
@@ -0,0 +1,102 @@
+# EKS Fargate Profile Module
+
+Configuration in this directory creates a Fargate EKS Profile
+
+## Usage
+
+```hcl
+module "fargate_profile" {
+ source = "terraform-aws-modules/eks/aws//modules/fargate-profile"
+
+ name = "separate-fargate-profile"
+ cluster_name = "my-cluster"
+
+ subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]
+ selectors = [{
+ namespace = "kube-system"
+ }]
+
+ tags = {
+ Environment = "dev"
+ Terraform = "true"
+ }
+}
+```
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.5.7 |
+| [aws](#requirement\_aws) | >= 6.28 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 6.28 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_eks_fargate_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_fargate_profile) | resource |
+| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy_attachment.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_id](#input\_account\_id) | The AWS account ID - pass through value to reduce number of GET requests from data sources | `string` | `""` | no |
+| [cluster\_ip\_family](#input\_cluster\_ip\_family) | The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6` | `string` | `"ipv4"` | no |
+| [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | `""` | no |
+| [create](#input\_create) | Determines whether to create Fargate profile or not | `bool` | `true` | no |
+| [create\_iam\_role](#input\_create\_iam\_role) | Determines whether an IAM role is created or to use an existing IAM role | `bool` | `true` | no |
+| [create\_iam\_role\_policy](#input\_create\_iam\_role\_policy) | Determines whether an IAM role policy is created or not | `bool` | `true` | no |
+| [iam\_role\_additional\_policies](#input\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `map(string)` | `{}` | no |
+| [iam\_role\_arn](#input\_iam\_role\_arn) | Existing IAM role ARN for the Fargate profile. Required if `create_iam_role` is set to `false` | `string` | `null` | no |
+| [iam\_role\_attach\_cni\_policy](#input\_iam\_role\_attach\_cni\_policy) | Whether to attach the `AmazonEKS_CNI_Policy`/`AmazonEKS_CNI_IPv6_Policy` IAM policy to the IAM IAM role. WARNING: If set `false` the permissions must be assigned to the `aws-node` DaemonSet pods via another method or nodes will not be able to join the cluster | `bool` | `true` | no |
+| [iam\_role\_description](#input\_iam\_role\_description) | Description of the role | `string` | `"Fargate profile IAM role"` | no |
+| [iam\_role\_name](#input\_iam\_role\_name) | Name to use on IAM role created | `string` | `""` | no |
+| [iam\_role\_path](#input\_iam\_role\_path) | IAM role path | `string` | `null` | no |
+| [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
+| [iam\_role\_policy\_statements](#input\_iam\_role\_policy\_statements) | A list of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) - used for adding specific IAM permissions as needed | list(object({
sid = optional(string)
actions = optional(list(string))
not_actions = optional(list(string))
effect = optional(string)
resources = optional(list(string))
not_resources = optional(list(string))
principals = optional(list(object({
type = string
identifiers = list(string)
})))
not_principals = optional(list(object({
type = string
identifiers = list(string)
})))
condition = optional(list(object({
test = string
values = list(string)
variable = string
})))
})) | `null` | no |
+| [iam\_role\_tags](#input\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
+| [iam\_role\_use\_name\_prefix](#input\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`iam_role_name`) is used as a prefix | `bool` | `true` | no |
+| [name](#input\_name) | Name of the EKS Fargate Profile | `string` | `""` | no |
+| [partition](#input\_partition) | The AWS partition - pass through value to reduce number of GET requests from data sources | `string` | `""` | no |
+| [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no |
+| [selectors](#input\_selectors) | Configuration block(s) for selecting Kubernetes Pods to execute with this Fargate Profile | list(object({
labels = optional(map(string))
namespace = string
})) | `null` | no |
+| [subnet\_ids](#input\_subnet\_ids) | A list of subnet IDs for the EKS Fargate Profile | `list(string)` | `[]` | no |
+| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
+| [timeouts](#input\_timeouts) | Create and delete timeout configurations for the Fargate Profile | object({
create = optional(string)
delete = optional(string)
}) | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [fargate\_profile\_arn](#output\_fargate\_profile\_arn) | Amazon Resource Name (ARN) of the EKS Fargate Profile |
+| [fargate\_profile\_id](#output\_fargate\_profile\_id) | EKS Cluster name and EKS Fargate Profile name separated by a colon (`:`) |
+| [fargate\_profile\_pod\_execution\_role\_arn](#output\_fargate\_profile\_pod\_execution\_role\_arn) | Amazon Resource Name (ARN) of the EKS Fargate Profile Pod execution role ARN |
+| [fargate\_profile\_status](#output\_fargate\_profile\_status) | Status of the EKS Fargate Profile |
+| [iam\_role\_arn](#output\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
+| [iam\_role\_name](#output\_iam\_role\_name) | The name of the IAM role |
+| [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
+
+
+## License
+
+Apache 2 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/LICENSE) for full details.
diff --git a/modules/fargate-profile/main.tf b/modules/fargate-profile/main.tf
new file mode 100644
index 0000000000..78c94357f4
--- /dev/null
+++ b/modules/fargate-profile/main.tf
@@ -0,0 +1,190 @@
+data "aws_region" "current" {
+ count = var.create ? 1 : 0
+
+ region = var.region
+}
+data "aws_partition" "current" {
+ count = var.create && var.partition == "" ? 1 : 0
+}
+data "aws_caller_identity" "current" {
+ count = var.create && var.account_id == "" ? 1 : 0
+}
+
+locals {
+ account_id = try(data.aws_caller_identity.current[0].account_id, var.account_id)
+ partition = try(data.aws_partition.current[0].partition, var.partition)
+ region = try(data.aws_region.current[0].region, "")
+}
+
+locals {
+ create_iam_role = var.create && var.create_iam_role
+
+ iam_role_name = coalesce(var.iam_role_name, var.name, "fargate-profile")
+ iam_role_policy_prefix = "arn:${local.partition}:iam::aws:policy"
+
+ ipv4_cni_policy = { for k, v in {
+ AmazonEKS_CNI_Policy = "${local.iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
+ } : k => v if var.iam_role_attach_cni_policy && var.cluster_ip_family == "ipv4" }
+ ipv6_cni_policy = { for k, v in {
+ AmazonEKS_CNI_IPv6_Policy = "arn:${local.partition}:iam::${local.account_id}:policy/AmazonEKS_CNI_IPv6_Policy"
+ } : k => v if var.iam_role_attach_cni_policy && var.cluster_ip_family == "ipv6" }
+}
+
+################################################################################
+# IAM Role
+################################################################################
+
+data "aws_iam_policy_document" "assume_role_policy" {
+ count = local.create_iam_role ? 1 : 0
+
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["eks-fargate-pods.amazonaws.com"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:SourceArn"
+
+ values = [
+ "arn:${local.partition}:eks:${local.region}:${local.account_id}:fargateprofile/${var.cluster_name}/*",
+ ]
+ }
+ }
+}
+
+resource "aws_iam_role" "this" {
+ count = local.create_iam_role ? 1 : 0
+
+ name = var.iam_role_use_name_prefix ? null : local.iam_role_name
+ name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null
+ path = var.iam_role_path
+ description = var.iam_role_description
+
+ assume_role_policy = data.aws_iam_policy_document.assume_role_policy[0].json
+ permissions_boundary = var.iam_role_permissions_boundary
+ force_detach_policies = true
+
+ tags = merge(var.tags, var.iam_role_tags)
+}
+
+resource "aws_iam_role_policy_attachment" "this" {
+ for_each = { for k, v in merge(
+ {
+ AmazonEKSFargatePodExecutionRolePolicy = "${local.iam_role_policy_prefix}/AmazonEKSFargatePodExecutionRolePolicy"
+ },
+ local.ipv4_cni_policy,
+ local.ipv6_cni_policy
+ ) : k => v if local.create_iam_role }
+
+ policy_arn = each.value
+ role = aws_iam_role.this[0].name
+}
+
+resource "aws_iam_role_policy_attachment" "additional" {
+ for_each = { for k, v in var.iam_role_additional_policies : k => v if local.create_iam_role }
+
+ policy_arn = each.value
+ role = aws_iam_role.this[0].name
+}
+
+################################################################################
+# IAM Role Policy
+################################################################################
+
+locals {
+ create_iam_role_policy = local.create_iam_role && var.create_iam_role_policy && var.iam_role_policy_statements != null
+}
+
+data "aws_iam_policy_document" "role" {
+ count = local.create_iam_role_policy ? 1 : 0
+
+ dynamic "statement" {
+ for_each = var.iam_role_policy_statements != null ? var.iam_role_policy_statements : []
+
+ content {
+ sid = statement.value.sid
+ actions = statement.value.actions
+ not_actions = statement.value.not_actions
+ effect = statement.value.effect
+ resources = statement.value.resources
+ not_resources = statement.value.not_resources
+
+ dynamic "principals" {
+ for_each = statement.value.principals != null ? statement.value.principals : []
+
+ content {
+ type = principals.value.type
+ identifiers = principals.value.identifiers
+ }
+ }
+
+ dynamic "not_principals" {
+ for_each = statement.value.not_principals != null ? statement.value.not_principals : []
+
+ content {
+ type = not_principals.value.type
+ identifiers = not_principals.value.identifiers
+ }
+ }
+
+ dynamic "condition" {
+ for_each = statement.value.condition != null ? statement.value.condition : []
+
+ content {
+ test = condition.value.test
+ values = condition.value.values
+ variable = condition.value.variable
+ }
+ }
+ }
+ }
+}
+
+resource "aws_iam_role_policy" "this" {
+ count = local.create_iam_role_policy ? 1 : 0
+
+ name = var.iam_role_use_name_prefix ? null : local.iam_role_name
+ name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null
+ policy = data.aws_iam_policy_document.role[0].json
+ role = aws_iam_role.this[0].id
+}
+
+################################################################################
+# Fargate Profile
+################################################################################
+
+resource "aws_eks_fargate_profile" "this" {
+ count = var.create ? 1 : 0
+
+ region = var.region
+
+ cluster_name = var.cluster_name
+ fargate_profile_name = var.name
+ pod_execution_role_arn = var.create_iam_role ? aws_iam_role.this[0].arn : var.iam_role_arn
+ subnet_ids = var.subnet_ids
+
+ dynamic "selector" {
+ for_each = var.selectors != null ? var.selectors : []
+
+ content {
+ namespace = selector.value.namespace
+ labels = selector.value.labels
+ }
+ }
+
+ dynamic "timeouts" {
+ for_each = var.timeouts != null ? [var.timeouts] : []
+
+ content {
+ create = var.timeouts.create
+ delete = var.timeouts.delete
+ }
+ }
+
+ tags = var.tags
+}
diff --git a/modules/fargate-profile/migrations.tf b/modules/fargate-profile/migrations.tf
new file mode 100644
index 0000000000..02494f6893
--- /dev/null
+++ b/modules/fargate-profile/migrations.tf
@@ -0,0 +1,15 @@
+################################################################################
+# Migrations: v20.8 -> v20.9
+################################################################################
+
+# Node IAM role policy attachment
+# Commercial partition only - `moved` does now allow multiple moves to same target
+moved {
+ from = aws_iam_role_policy_attachment.this["arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"]
+ to = aws_iam_role_policy_attachment.this["AmazonEKSFargatePodExecutionRolePolicy"]
+}
+
+moved {
+ from = aws_iam_role_policy_attachment.this["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"]
+ to = aws_iam_role_policy_attachment.this["AmazonEKS_CNI_Policy"]
+}
diff --git a/modules/fargate-profile/outputs.tf b/modules/fargate-profile/outputs.tf
new file mode 100644
index 0000000000..96763bfb1f
--- /dev/null
+++ b/modules/fargate-profile/outputs.tf
@@ -0,0 +1,42 @@
+################################################################################
+# IAM Role
+################################################################################
+
+output "iam_role_name" {
+ description = "The name of the IAM role"
+ value = try(aws_iam_role.this[0].name, null)
+}
+
+output "iam_role_arn" {
+ description = "The Amazon Resource Name (ARN) specifying the IAM role"
+ value = try(aws_iam_role.this[0].arn, var.iam_role_arn)
+}
+
+output "iam_role_unique_id" {
+ description = "Stable and unique string identifying the IAM role"
+ value = try(aws_iam_role.this[0].unique_id, null)
+}
+
+################################################################################
+# Fargate Profile
+################################################################################
+
+output "fargate_profile_arn" {
+ description = "Amazon Resource Name (ARN) of the EKS Fargate Profile"
+ value = try(aws_eks_fargate_profile.this[0].arn, null)
+}
+
+output "fargate_profile_id" {
+ description = "EKS Cluster name and EKS Fargate Profile name separated by a colon (`:`)"
+ value = try(aws_eks_fargate_profile.this[0].id, null)
+}
+
+output "fargate_profile_status" {
+ description = "Status of the EKS Fargate Profile"
+ value = try(aws_eks_fargate_profile.this[0].status, null)
+}
+
+output "fargate_profile_pod_execution_role_arn" {
+ description = "Amazon Resource Name (ARN) of the EKS Fargate Profile Pod execution role ARN"
+ value = try(aws_eks_fargate_profile.this[0].pod_execution_role_arn, null)
+}
diff --git a/modules/fargate-profile/variables.tf b/modules/fargate-profile/variables.tf
new file mode 100644
index 0000000000..5d87e56447
--- /dev/null
+++ b/modules/fargate-profile/variables.tf
@@ -0,0 +1,186 @@
+variable "create" {
+ description = "Determines whether to create Fargate profile or not"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "tags" {
+ description = "A map of tags to add to all resources"
+ type = map(string)
+ default = {}
+ nullable = false
+}
+
+variable "region" {
+ description = "Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration"
+ type = string
+ default = null
+}
+
+variable "partition" {
+ description = "The AWS partition - pass through value to reduce number of GET requests from data sources"
+ type = string
+ default = ""
+}
+
+variable "account_id" {
+ description = "The AWS account ID - pass through value to reduce number of GET requests from data sources"
+ type = string
+ default = ""
+}
+
+################################################################################
+# IAM Role
+################################################################################
+
+variable "create_iam_role" {
+ description = "Determines whether an IAM role is created or to use an existing IAM role"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "cluster_ip_family" {
+ description = "The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`"
+ type = string
+ default = "ipv4"
+}
+
+variable "iam_role_arn" {
+ description = "Existing IAM role ARN for the Fargate profile. Required if `create_iam_role` is set to `false`"
+ type = string
+ default = null
+}
+
+variable "iam_role_name" {
+ description = "Name to use on IAM role created"
+ type = string
+ default = ""
+}
+
+variable "iam_role_use_name_prefix" {
+ description = "Determines whether the IAM role name (`iam_role_name`) is used as a prefix"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "iam_role_path" {
+ description = "IAM role path"
+ type = string
+ default = null
+}
+
+variable "iam_role_description" {
+ description = "Description of the role"
+ type = string
+ default = "Fargate profile IAM role"
+ nullable = false
+}
+
+variable "iam_role_permissions_boundary" {
+ description = "ARN of the policy that is used to set the permissions boundary for the IAM role"
+ type = string
+ default = null
+}
+
+variable "iam_role_attach_cni_policy" {
+ description = "Whether to attach the `AmazonEKS_CNI_Policy`/`AmazonEKS_CNI_IPv6_Policy` IAM policy to the IAM IAM role. WARNING: If set `false` the permissions must be assigned to the `aws-node` DaemonSet pods via another method or nodes will not be able to join the cluster"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "iam_role_additional_policies" {
+ description = "Additional policies to be added to the IAM role"
+ type = map(string)
+ default = {}
+ nullable = false
+}
+
+variable "iam_role_tags" {
+ description = "A map of additional tags to add to the IAM role created"
+ type = map(string)
+ default = {}
+ nullable = false
+}
+
+################################################################################
+# IAM Role Policy
+################################################################################
+
+variable "create_iam_role_policy" {
+ description = "Determines whether an IAM role policy is created or not"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "iam_role_policy_statements" {
+ description = "A list of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) - used for adding specific IAM permissions as needed"
+ type = list(object({
+ sid = optional(string)
+ actions = optional(list(string))
+ not_actions = optional(list(string))
+ effect = optional(string)
+ resources = optional(list(string))
+ not_resources = optional(list(string))
+ principals = optional(list(object({
+ type = string
+ identifiers = list(string)
+ })))
+ not_principals = optional(list(object({
+ type = string
+ identifiers = list(string)
+ })))
+ condition = optional(list(object({
+ test = string
+ values = list(string)
+ variable = string
+ })))
+ }))
+ default = null
+}
+
+################################################################################
+# Fargate Profile
+################################################################################
+
+variable "cluster_name" {
+ description = "Name of the EKS cluster"
+ type = string
+ default = ""
+}
+
+variable "name" {
+ description = "Name of the EKS Fargate Profile"
+ type = string
+ default = ""
+ nullable = false
+}
+
+variable "subnet_ids" {
+ description = "A list of subnet IDs for the EKS Fargate Profile"
+ type = list(string)
+ default = []
+ nullable = false
+}
+
+variable "selectors" {
+ description = "Configuration block(s) for selecting Kubernetes Pods to execute with this Fargate Profile"
+ type = list(object({
+ labels = optional(map(string))
+ namespace = string
+ }))
+ default = null
+}
+
+variable "timeouts" {
+ description = "Create and delete timeout configurations for the Fargate Profile"
+ type = object({
+ create = optional(string)
+ delete = optional(string)
+ })
+ default = null
+}
diff --git a/modules/fargate-profile/versions.tf b/modules/fargate-profile/versions.tf
new file mode 100644
index 0000000000..af99edcc27
--- /dev/null
+++ b/modules/fargate-profile/versions.tf
@@ -0,0 +1,16 @@
+terraform {
+ required_version = ">= 1.5.7"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 6.28"
+ }
+ }
+
+ provider_meta "aws" {
+ user_agent = [
+ "github.com/terraform-aws-modules/terraform-aws-eks"
+ ]
+ }
+}
diff --git a/modules/hybrid-node-role/README.md b/modules/hybrid-node-role/README.md
new file mode 100644
index 0000000000..874021b26f
--- /dev/null
+++ b/modules/hybrid-node-role/README.md
@@ -0,0 +1,163 @@
+# EKS Hybrid Node Role Module
+
+Terraform module which creates IAM role and policy resources for Amazon EKS Hybrid Node(s).
+
+## Usage
+
+EKS Hybrid nodes use the AWS IAM Authenticator and temporary IAM credentials provisioned by AWS SSM or AWS IAM Roles Anywhere to authenticate with the EKS cluster. This module supports both SSM and IAM Roles Anywhere based IAM permissions.
+
+### SSM
+
+```hcl
+module "eks" {
+ source = "terraform-aws-modules/eks/aws"
+
+ ...
+ access_entries = {
+ hybrid-node-role = {
+ principal_arn = module.eks_hybrid_node_role.arn
+ type = "HYBRID_LINUX"
+ }
+ }
+}
+
+module "eks_hybrid_node_role" {
+ source = "terraform-aws-modules/eks/aws//modules/hybrid-node-role"
+
+ name = "hybrid"
+
+ tags = {
+ Environment = "dev"
+ Terraform = "true"
+ }
+}
+```
+
+### IAM Roles Anywhere
+
+```hcl
+module "eks" {
+ source = "terraform-aws-modules/eks/aws"
+
+ ...
+ access_entries = {
+ hybrid-node-role = {
+ principal_arn = module.eks_hybrid_node_role.arn
+ type = "HYBRID_LINUX"
+ }
+ }
+}
+
+module "eks_hybrid_node_role" {
+ source = "terraform-aws-modules/eks/aws//modules/hybrid-node-role"
+
+ name = "hybrid-ira"
+
+ enable_ira = true
+
+ ira_trust_anchor_source_type = "CERTIFICATE_BUNDLE"
+ ira_trust_anchor_x509_certificate_data = <<-EOT
+ MIIFMzCCAxugAwIBAgIRAMnVXU7ncv/+Cl16eJbZ9hswDQYJKoZIhvcNAQELBQAw
+ ...
+ MGx/BMRkrNUVcg3xA0lhECo/olodCkmZo5/mjybbjFQwJzDSKFoW
+ EOT
+
+ tags = {
+ Environment = "dev"
+ Terraform = "true"
+ }
+}
+```
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.5.7 |
+| [aws](#requirement\_aws) | >= 6.28 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 6.28 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.intermediate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.intermediate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.intermediate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_rolesanywhere_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rolesanywhere_profile) | resource |
+| [aws_rolesanywhere_trust_anchor.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rolesanywhere_trust_anchor) | resource |
+| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.intermediate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.intermediate_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [cluster\_arns](#input\_cluster\_arns) | List of EKS cluster ARNs to allow the node to describe | `list(string)` | [| no | +| [create](#input\_create) | Controls if resources should be created (affects nearly all resources) | `bool` | `true` | no | +| [description](#input\_description) | IAM role description | `string` | `"EKS Hybrid Node IAM role"` | no | +| [enable\_ira](#input\_enable\_ira) | Enables IAM Roles Anywhere based IAM permissions on the node | `bool` | `false` | no | +| [enable\_pod\_identity](#input\_enable\_pod\_identity) | Enables EKS Pod Identity based IAM permissions on the node | `bool` | `true` | no | +| [intermediate\_policy\_name](#input\_intermediate\_policy\_name) | Name of the IAM policy | `string` | `null` | no | +| [intermediate\_policy\_statements](#input\_intermediate\_policy\_statements) | A list of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) - used for adding specific IAM permissions as needed |
"*"
]
list(object({
sid = optional(string)
actions = optional(list(string))
not_actions = optional(list(string))
effect = optional(string)
resources = optional(list(string))
not_resources = optional(list(string))
principals = optional(list(object({
type = string
identifiers = list(string)
})))
not_principals = optional(list(object({
type = string
identifiers = list(string)
})))
condition = optional(list(object({
test = string
values = list(string)
variable = string
})))
})) | `null` | no |
+| [intermediate\_policy\_use\_name\_prefix](#input\_intermediate\_policy\_use\_name\_prefix) | Determines whether the name of the IAM policy (`intermediate_policy_name`) is used as a prefix | `bool` | `true` | no |
+| [intermediate\_role\_description](#input\_intermediate\_role\_description) | IAM role description | `string` | `"EKS Hybrid Node IAM Roles Anywhere intermediate IAM role"` | no |
+| [intermediate\_role\_name](#input\_intermediate\_role\_name) | Name of the IAM role | `string` | `null` | no |
+| [intermediate\_role\_path](#input\_intermediate\_role\_path) | Path of the IAM role | `string` | `"/"` | no |
+| [intermediate\_role\_policies](#input\_intermediate\_role\_policies) | Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format | `map(string)` | `{}` | no |
+| [intermediate\_role\_use\_name\_prefix](#input\_intermediate\_role\_use\_name\_prefix) | Determines whether the name of the IAM role (`intermediate_role_name`) is used as a prefix | `bool` | `true` | no |
+| [ira\_profile\_duration\_seconds](#input\_ira\_profile\_duration\_seconds) | The number of seconds the vended session credentials are valid for. Defaults to `3600` | `number` | `null` | no |
+| [ira\_profile\_managed\_policy\_arns](#input\_ira\_profile\_managed\_policy\_arns) | A list of managed policy ARNs that apply to the vended session credentials | `list(string)` | `[]` | no |
+| [ira\_profile\_name](#input\_ira\_profile\_name) | Name of the Roles Anywhere profile | `string` | `null` | no |
+| [ira\_profile\_require\_instance\_properties](#input\_ira\_profile\_require\_instance\_properties) | Specifies whether instance properties are required in [CreateSession](https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateSession.html) requests with this profile | `bool` | `null` | no |
+| [ira\_profile\_session\_policy](#input\_ira\_profile\_session\_policy) | A session policy that applies to the trust boundary of the vended session credentials | `string` | `null` | no |
+| [ira\_trust\_anchor\_acm\_pca\_arn](#input\_ira\_trust\_anchor\_acm\_pca\_arn) | The ARN of the ACM PCA that issued the trust anchor certificate | `string` | `null` | no |
+| [ira\_trust\_anchor\_name](#input\_ira\_trust\_anchor\_name) | Name of the Roles Anywhere trust anchor | `string` | `null` | no |
+| [ira\_trust\_anchor\_notification\_settings](#input\_ira\_trust\_anchor\_notification\_settings) | Notification settings for the trust anchor | list(object({
channel = optional(string)
enabled = optional(bool)
event = optional(string)
threshold = optional(number)
})) | `null` | no |
+| [ira\_trust\_anchor\_source\_type](#input\_ira\_trust\_anchor\_source\_type) | The source type of the trust anchor | `string` | `null` | no |
+| [ira\_trust\_anchor\_x509\_certificate\_data](#input\_ira\_trust\_anchor\_x509\_certificate\_data) | The X.509 certificate data of the trust anchor | `string` | `null` | no |
+| [max\_session\_duration](#input\_max\_session\_duration) | Maximum API session duration in seconds between 3600 and 43200 | `number` | `null` | no |
+| [name](#input\_name) | Name of the IAM role | `string` | `"EKSHybridNode"` | no |
+| [path](#input\_path) | Path of the IAM role | `string` | `"/"` | no |
+| [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | Permissions boundary ARN to use for the IAM role | `string` | `null` | no |
+| [policies](#input\_policies) | Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format | `map(string)` | `{}` | no |
+| [policy\_description](#input\_policy\_description) | IAM policy description | `string` | `"EKS Hybrid Node IAM role policy"` | no |
+| [policy\_name](#input\_policy\_name) | Name of the IAM policy | `string` | `"EKSHybridNode"` | no |
+| [policy\_path](#input\_policy\_path) | Path of the IAM policy | `string` | `"/"` | no |
+| [policy\_statements](#input\_policy\_statements) | A list of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) - used for adding specific IAM permissions as needed | list(object({
sid = optional(string)
actions = optional(list(string))
not_actions = optional(list(string))
effect = optional(string)
resources = optional(list(string))
not_resources = optional(list(string))
principals = optional(list(object({
type = string
identifiers = list(string)
})))
not_principals = optional(list(object({
type = string
identifiers = list(string)
})))
condition = optional(list(object({
test = string
values = list(string)
variable = string
})))
})) | `null` | no |
+| [policy\_use\_name\_prefix](#input\_policy\_use\_name\_prefix) | Determines whether the name of the IAM policy (`policy_name`) is used as a prefix | `bool` | `true` | no |
+| [tags](#input\_tags) | A map of additional tags to add the the IAM role | `map(string)` | `{}` | no |
+| [trust\_anchor\_arns](#input\_trust\_anchor\_arns) | List of IAM Roles Anywhere trust anchor ARNs. Required if `enable_ira` is set to `true` | `list(string)` | `[]` | no |
+| [use\_name\_prefix](#input\_use\_name\_prefix) | Determines whether the name of the IAM role (`name`) is used as a prefix | `bool` | `true` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [arn](#output\_arn) | The Amazon Resource Name (ARN) specifying the node IAM role |
+| [intermediate\_role\_arn](#output\_intermediate\_role\_arn) | The Amazon Resource Name (ARN) specifying the node IAM role |
+| [intermediate\_role\_name](#output\_intermediate\_role\_name) | The name of the node IAM role |
+| [intermediate\_role\_unique\_id](#output\_intermediate\_role\_unique\_id) | Stable and unique string identifying the node IAM role |
+| [name](#output\_name) | The name of the node IAM role |
+| [unique\_id](#output\_unique\_id) | Stable and unique string identifying the node IAM role |
+
+
+## License
+
+Apache 2 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/LICENSE) for full details.
diff --git a/modules/hybrid-node-role/main.tf b/modules/hybrid-node-role/main.tf
new file mode 100644
index 0000000000..71e89aa58d
--- /dev/null
+++ b/modules/hybrid-node-role/main.tf
@@ -0,0 +1,396 @@
+data "aws_partition" "current" {
+ count = var.create ? 1 : 0
+}
+
+locals {
+ partition = try(data.aws_partition.current[0].partition, "")
+}
+
+################################################################################
+# Node IAM Role
+################################################################################
+
+data "aws_iam_policy_document" "assume_role" {
+ count = var.create ? 1 : 0
+
+ # SSM
+ dynamic "statement" {
+ for_each = var.enable_ira ? [] : [1]
+
+ content {
+ actions = [
+ "sts:AssumeRole",
+ "sts:TagSession",
+ ]
+
+ principals {
+ type = "Service"
+ identifiers = ["ssm.amazonaws.com"]
+ }
+ }
+ }
+
+ # IAM Roles Anywhere
+ dynamic "statement" {
+ for_each = var.enable_ira ? [1] : []
+
+ content {
+ actions = [
+ "sts:TagSession",
+ "sts:SetSourceIdentity",
+ ]
+
+ principals {
+ type = "AWS"
+ identifiers = [aws_iam_role.intermediate[0].arn]
+ }
+ }
+ }
+
+ dynamic "statement" {
+ for_each = var.enable_ira ? [1] : []
+
+ content {
+ actions = [
+ "sts:AssumeRole",
+ "sts:TagSession",
+ ]
+
+ principals {
+ type = "AWS"
+ identifiers = [aws_iam_role.intermediate[0].arn]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "sts:RoleSessionName"
+ values = ["$${aws:PrincipalTag/x509Subject/CN}"]
+ }
+ }
+ }
+}
+
+resource "aws_iam_role" "this" {
+ count = var.create ? 1 : 0
+
+ name = var.use_name_prefix ? null : var.name
+ name_prefix = var.use_name_prefix ? "${var.name}-" : null
+ path = var.path
+ description = var.description
+
+ assume_role_policy = data.aws_iam_policy_document.assume_role[0].json
+ max_session_duration = var.max_session_duration
+ permissions_boundary = var.permissions_boundary_arn
+ force_detach_policies = true
+
+ tags = var.tags
+}
+
+################################################################################
+# Node IAM Role Policy
+################################################################################
+
+data "aws_iam_policy_document" "this" {
+ count = var.create ? 1 : 0
+
+ dynamic "statement" {
+ for_each = var.enable_ira ? [] : [1]
+
+ content {
+ sid = "AllowDeregisterOwnInstance"
+ actions = ["ssm:DeregisterManagedInstance"]
+ resources = ["arn:${local.partition}:ssm:*:*:managed-instance/*"]
+
+ condition {
+ test = "ArnLike"
+ variable = "ssm:SourceInstanceARN"
+ values = ["arn:${local.partition}:ssm:*:*:managed-instance/*"]
+ }
+ }
+ }
+
+ dynamic "statement" {
+ for_each = var.enable_ira ? [] : [1]
+
+ content {
+ sid = "AllowDescribeInstances"
+ actions = ["ssm:DescribeInstanceInformation"]
+ resources = ["*"]
+
+ condition {
+ test = "ArnLike"
+ variable = "ssm:SourceInstanceARN"
+ values = ["arn:${local.partition}:ssm:*:*:managed-instance/*"]
+ }
+ }
+ }
+
+ statement {
+ sid = "DescribeEKSCluster"
+ actions = [
+ "eks:DescribeCluster",
+ "eks:ListAccessEntries",
+ ]
+ resources = var.cluster_arns
+ }
+
+ dynamic "statement" {
+ for_each = var.enable_pod_identity ? [1] : []
+
+ content {
+ actions = ["eks-auth:AssumeRoleForPodIdentity"]
+ resources = ["*"]
+ }
+ }
+
+ dynamic "statement" {
+ for_each = var.policy_statements != null ? var.policy_statements : []
+
+ content {
+ sid = statement.value.sid
+ actions = statement.value.actions
+ not_actions = statement.value.not_actions
+ effect = statement.value.effect
+ resources = statement.value.resources
+ not_resources = statement.value.not_resources
+
+ dynamic "principals" {
+ for_each = statement.value.principals != null ? statement.value.principals : []
+
+ content {
+ type = principals.value.type
+ identifiers = principals.value.identifiers
+ }
+ }
+
+ dynamic "not_principals" {
+ for_each = statement.value.not_principals != null ? statement.value.not_principals : []
+
+ content {
+ type = not_principals.value.type
+ identifiers = not_principals.value.identifiers
+ }
+ }
+
+ dynamic "condition" {
+ for_each = statement.value.condition != null ? statement.value.condition : []
+
+ content {
+ test = condition.value.test
+ values = condition.value.values
+ variable = condition.value.variable
+ }
+ }
+ }
+ }
+}
+
+resource "aws_iam_policy" "this" {
+ count = var.create ? 1 : 0
+
+ name = var.policy_use_name_prefix ? null : var.policy_name
+ name_prefix = var.policy_use_name_prefix ? "${var.policy_name}-" : null
+ path = var.policy_path
+ description = var.policy_description
+ policy = data.aws_iam_policy_document.this[0].json
+
+ tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "this" {
+ for_each = { for k, v in merge(
+ {
+ node = try(aws_iam_policy.this[0].arn, null)
+ AmazonSSMManagedInstanceCore = "arn:${local.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
+ AmazonEC2ContainerRegistryPullOnly = "arn:${local.partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
+ },
+ var.policies
+ ) : k => v if var.create }
+
+ policy_arn = each.value
+ role = aws_iam_role.this[0].name
+}
+
+################################################################################
+# Roles Anywhere Profile
+################################################################################
+
+locals {
+ enable_ira = var.create && var.enable_ira
+}
+
+resource "aws_rolesanywhere_profile" "this" {
+ count = local.enable_ira ? 1 : 0
+
+ duration_seconds = var.ira_profile_duration_seconds
+ managed_policy_arns = var.ira_profile_managed_policy_arns
+ name = try(coalesce(var.ira_profile_name, var.name), null)
+ require_instance_properties = var.ira_profile_require_instance_properties
+ role_arns = [aws_iam_role.intermediate[0].arn]
+ session_policy = var.ira_profile_session_policy
+
+ tags = var.tags
+}
+
+################################################################################
+# Roles Anywhere Trust Anchor
+################################################################################
+
+resource "aws_rolesanywhere_trust_anchor" "this" {
+ count = local.enable_ira ? 1 : 0
+
+ name = try(coalesce(var.ira_trust_anchor_name, var.name), null)
+
+ dynamic "notification_settings" {
+ for_each = var.ira_trust_anchor_notification_settings != null ? var.ira_trust_anchor_notification_settings : []
+
+ content {
+ channel = try(notification_settings.value.channel, null)
+ enabled = try(notification_settings.value.enabled, null)
+ event = try(notification_settings.value.event, null)
+ threshold = try(notification_settings.value.threshold, null)
+ }
+ }
+
+ source {
+ source_data {
+ acm_pca_arn = var.ira_trust_anchor_acm_pca_arn
+ x509_certificate_data = var.ira_trust_anchor_x509_certificate_data
+ }
+ source_type = var.ira_trust_anchor_source_type
+ }
+
+ tags = var.tags
+}
+
+################################################################################
+# Intermediate IAM Role
+################################################################################
+
+data "aws_iam_policy_document" "intermediate_assume_role" {
+ count = local.enable_ira ? 1 : 0
+
+ statement {
+ actions = [
+ "sts:AssumeRole",
+ "sts:TagSession",
+ "sts:SetSourceIdentity",
+ ]
+
+ principals {
+ type = "Service"
+ identifiers = ["rolesanywhere.amazonaws.com"]
+ }
+
+ condition {
+ test = "ArnEquals"
+ variable = "aws:SourceArn"
+ values = concat(var.trust_anchor_arns, aws_rolesanywhere_trust_anchor.this[*].arn)
+ }
+ }
+}
+
+locals {
+ intermediate_role_use_name_prefix = coalesce(var.intermediate_role_use_name_prefix, var.use_name_prefix)
+ intermediate_role_name = coalesce(var.intermediate_role_name, "${var.name}-inter")
+}
+
+resource "aws_iam_role" "intermediate" {
+ count = local.enable_ira ? 1 : 0
+
+ name = local.intermediate_role_use_name_prefix ? null : local.intermediate_role_name
+ name_prefix = local.intermediate_role_use_name_prefix ? "${local.intermediate_role_name}-" : null
+ path = coalesce(var.intermediate_role_path, var.path)
+ description = var.intermediate_role_description
+
+ assume_role_policy = data.aws_iam_policy_document.intermediate_assume_role[0].json
+ max_session_duration = var.max_session_duration
+ permissions_boundary = var.permissions_boundary_arn
+ force_detach_policies = true
+
+ tags = var.tags
+}
+
+################################################################################
+# Intermediate IAM Role Policy
+################################################################################
+
+data "aws_iam_policy_document" "intermediate" {
+ count = local.enable_ira ? 1 : 0
+
+ statement {
+ actions = ["eks:DescribeCluster"]
+ resources = var.cluster_arns
+ }
+
+ dynamic "statement" {
+ for_each = var.intermediate_policy_statements != null ? var.intermediate_policy_statements : []
+
+ content {
+ sid = statement.value.sid
+ actions = statement.value.actions
+ not_actions = statement.value.not_actions
+ effect = statement.value.effect
+ resources = statement.value.resources
+ not_resources = statement.value.not_resources
+
+ dynamic "principals" {
+ for_each = statement.value.principals != null ? statement.value.principals : []
+
+ content {
+ type = principals.value.type
+ identifiers = principals.value.identifiers
+ }
+ }
+
+ dynamic "not_principals" {
+ for_each = statement.value.not_principals != null ? statement.value.not_principals : []
+
+ content {
+ type = not_principals.value.type
+ identifiers = not_principals.value.identifiers
+ }
+ }
+
+ dynamic "condition" {
+ for_each = statement.value.condition != null ? statement.value.condition : []
+
+ content {
+ test = condition.value.test
+ values = condition.value.values
+ variable = condition.value.variable
+ }
+ }
+ }
+ }
+}
+
+locals {
+ intermediate_policy_use_name_prefix = coalesce(var.intermediate_policy_use_name_prefix, var.policy_use_name_prefix)
+ intermediate_policy_name = coalesce(var.intermediate_policy_name, var.policy_name)
+}
+
+resource "aws_iam_policy" "intermediate" {
+ count = local.enable_ira ? 1 : 0
+
+ name = local.intermediate_policy_use_name_prefix ? null : local.intermediate_policy_name
+ name_prefix = local.intermediate_policy_use_name_prefix ? "${local.intermediate_policy_name}-" : null
+ path = var.policy_path
+ description = var.policy_description
+ policy = data.aws_iam_policy_document.intermediate[0].json
+
+ tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "intermediate" {
+ for_each = { for k, v in merge(
+ {
+ intermediate = try(aws_iam_policy.intermediate[0].arn, null)
+ AmazonEC2ContainerRegistryPullOnly = "arn:${local.partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
+ },
+ var.intermediate_role_policies
+ ) : k => v if local.enable_ira }
+
+ policy_arn = each.value
+ role = aws_iam_role.this[0].name
+}
diff --git a/modules/hybrid-node-role/outputs.tf b/modules/hybrid-node-role/outputs.tf
new file mode 100644
index 0000000000..dc4e26e519
--- /dev/null
+++ b/modules/hybrid-node-role/outputs.tf
@@ -0,0 +1,37 @@
+################################################################################
+# Node IAM Role
+################################################################################
+
+output "name" {
+ description = "The name of the node IAM role"
+ value = try(aws_iam_role.this[0].name, null)
+}
+
+output "arn" {
+ description = "The Amazon Resource Name (ARN) specifying the node IAM role"
+ value = try(aws_iam_role.this[0].arn, null)
+}
+
+output "unique_id" {
+ description = "Stable and unique string identifying the node IAM role"
+ value = try(aws_iam_role.this[0].unique_id, null)
+}
+
+################################################################################
+# Intermedaite IAM Role
+################################################################################
+
+output "intermediate_role_name" {
+ description = "The name of the node IAM role"
+ value = try(aws_iam_role.intermediate[0].name, null)
+}
+
+output "intermediate_role_arn" {
+ description = "The Amazon Resource Name (ARN) specifying the node IAM role"
+ value = try(aws_iam_role.intermediate[0].arn, null)
+}
+
+output "intermediate_role_unique_id" {
+ description = "Stable and unique string identifying the node IAM role"
+ value = try(aws_iam_role.intermediate[0].unique_id, null)
+}
diff --git a/modules/hybrid-node-role/variables.tf b/modules/hybrid-node-role/variables.tf
new file mode 100644
index 0000000000..34e1247667
--- /dev/null
+++ b/modules/hybrid-node-role/variables.tf
@@ -0,0 +1,284 @@
+variable "create" {
+ description = "Controls if resources should be created (affects nearly all resources)"
+ type = bool
+ default = true
+}
+
+################################################################################
+# Node IAM Role
+################################################################################
+
+variable "name" {
+ description = "Name of the IAM role"
+ type = string
+ default = "EKSHybridNode"
+}
+
+variable "use_name_prefix" {
+ description = "Determines whether the name of the IAM role (`name`) is used as a prefix"
+ type = bool
+ default = true
+}
+
+variable "path" {
+ description = "Path of the IAM role"
+ type = string
+ default = "/"
+}
+
+variable "description" {
+ description = "IAM role description"
+ type = string
+ default = "EKS Hybrid Node IAM role"
+}
+
+variable "max_session_duration" {
+ description = "Maximum API session duration in seconds between 3600 and 43200"
+ type = number
+ default = null
+}
+
+variable "permissions_boundary_arn" {
+ description = "Permissions boundary ARN to use for the IAM role"
+ type = string
+ default = null
+}
+
+variable "tags" {
+ description = "A map of additional tags to add the the IAM role"
+ type = map(string)
+ default = {}
+}
+
+variable "enable_ira" {
+ description = "Enables IAM Roles Anywhere based IAM permissions on the node"
+ type = bool
+ default = false
+}
+
+variable "trust_anchor_arns" {
+ description = "List of IAM Roles Anywhere trust anchor ARNs. Required if `enable_ira` is set to `true`"
+ type = list(string)
+ default = []
+}
+
+################################################################################
+# Node IAM Role Policy
+################################################################################
+
+variable "policy_name" {
+ description = "Name of the IAM policy"
+ type = string
+ default = "EKSHybridNode"
+}
+
+variable "policy_use_name_prefix" {
+ description = "Determines whether the name of the IAM policy (`policy_name`) is used as a prefix"
+ type = bool
+ default = true
+}
+
+variable "policy_path" {
+ description = "Path of the IAM policy"
+ type = string
+ default = "/"
+}
+
+variable "policy_description" {
+ description = "IAM policy description"
+ type = string
+ default = "EKS Hybrid Node IAM role policy"
+}
+
+variable "policy_statements" {
+ description = "A list of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) - used for adding specific IAM permissions as needed"
+ type = list(object({
+ sid = optional(string)
+ actions = optional(list(string))
+ not_actions = optional(list(string))
+ effect = optional(string)
+ resources = optional(list(string))
+ not_resources = optional(list(string))
+ principals = optional(list(object({
+ type = string
+ identifiers = list(string)
+ })))
+ not_principals = optional(list(object({
+ type = string
+ identifiers = list(string)
+ })))
+ condition = optional(list(object({
+ test = string
+ values = list(string)
+ variable = string
+ })))
+ }))
+ default = null
+}
+
+variable "policies" {
+ description = "Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format"
+ type = map(string)
+ default = {}
+}
+
+variable "cluster_arns" {
+ description = "List of EKS cluster ARNs to allow the node to describe"
+ type = list(string)
+ default = ["*"]
+}
+
+variable "enable_pod_identity" {
+ description = "Enables EKS Pod Identity based IAM permissions on the node"
+ type = bool
+ default = true
+}
+
+################################################################################
+# IAM Roles Anywhere Profile
+################################################################################
+
+variable "ira_profile_name" {
+ description = "Name of the Roles Anywhere profile"
+ type = string
+ default = null
+}
+
+variable "ira_profile_duration_seconds" {
+ description = "The number of seconds the vended session credentials are valid for. Defaults to `3600`"
+ type = number
+ default = null
+}
+
+variable "ira_profile_managed_policy_arns" {
+ description = "A list of managed policy ARNs that apply to the vended session credentials"
+ type = list(string)
+ default = []
+}
+
+variable "ira_profile_require_instance_properties" {
+ description = "Specifies whether instance properties are required in [CreateSession](https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateSession.html) requests with this profile"
+ type = bool
+ default = null
+}
+
+variable "ira_profile_session_policy" {
+ description = "A session policy that applies to the trust boundary of the vended session credentials"
+ type = string
+ default = null
+}
+
+################################################################################
+# Roles Anywhere Trust Anchor
+################################################################################
+
+variable "ira_trust_anchor_name" {
+ description = "Name of the Roles Anywhere trust anchor"
+ type = string
+ default = null
+}
+
+variable "ira_trust_anchor_notification_settings" {
+ description = "Notification settings for the trust anchor"
+ type = list(object({
+ channel = optional(string)
+ enabled = optional(bool)
+ event = optional(string)
+ threshold = optional(number)
+ }))
+ default = null
+}
+
+variable "ira_trust_anchor_acm_pca_arn" {
+ description = "The ARN of the ACM PCA that issued the trust anchor certificate"
+ type = string
+ default = null
+}
+
+variable "ira_trust_anchor_x509_certificate_data" {
+ description = "The X.509 certificate data of the trust anchor"
+ type = string
+ default = null
+}
+
+variable "ira_trust_anchor_source_type" {
+ description = "The source type of the trust anchor"
+ type = string
+ default = null
+}
+
+################################################################################
+# Intermediate IAM Role
+################################################################################
+
+variable "intermediate_role_name" {
+ description = "Name of the IAM role"
+ type = string
+ default = null
+}
+
+variable "intermediate_role_use_name_prefix" {
+ description = "Determines whether the name of the IAM role (`intermediate_role_name`) is used as a prefix"
+ type = bool
+ default = true
+}
+
+variable "intermediate_role_path" {
+ description = "Path of the IAM role"
+ type = string
+ default = "/"
+}
+
+variable "intermediate_role_description" {
+ description = "IAM role description"
+ type = string
+ default = "EKS Hybrid Node IAM Roles Anywhere intermediate IAM role"
+}
+
+################################################################################
+# Intermediate IAM Role Policy
+################################################################################
+
+variable "intermediate_policy_name" {
+ description = "Name of the IAM policy"
+ type = string
+ default = null
+}
+
+variable "intermediate_policy_use_name_prefix" {
+ description = "Determines whether the name of the IAM policy (`intermediate_policy_name`) is used as a prefix"
+ type = bool
+ default = true
+}
+
+variable "intermediate_policy_statements" {
+ description = "A list of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) - used for adding specific IAM permissions as needed"
+ type = list(object({
+ sid = optional(string)
+ actions = optional(list(string))
+ not_actions = optional(list(string))
+ effect = optional(string)
+ resources = optional(list(string))
+ not_resources = optional(list(string))
+ principals = optional(list(object({
+ type = string
+ identifiers = list(string)
+ })))
+ not_principals = optional(list(object({
+ type = string
+ identifiers = list(string)
+ })))
+ condition = optional(list(object({
+ test = string
+ values = list(string)
+ variable = string
+ })))
+ }))
+ default = null
+}
+
+variable "intermediate_role_policies" {
+ description = "Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format"
+ type = map(string)
+ default = {}
+}
diff --git a/modules/hybrid-node-role/versions.tf b/modules/hybrid-node-role/versions.tf
new file mode 100644
index 0000000000..af99edcc27
--- /dev/null
+++ b/modules/hybrid-node-role/versions.tf
@@ -0,0 +1,16 @@
+terraform {
+ required_version = ">= 1.5.7"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 6.28"
+ }
+ }
+
+ provider_meta "aws" {
+ user_agent = [
+ "github.com/terraform-aws-modules/terraform-aws-eks"
+ ]
+ }
+}
diff --git a/modules/karpenter/README.md b/modules/karpenter/README.md
new file mode 100644
index 0000000000..69c03af907
--- /dev/null
+++ b/modules/karpenter/README.md
@@ -0,0 +1,208 @@
+# Karpenter Module
+
+Configuration in this directory creates the AWS resources required by Karpenter
+
+## Usage
+
+### All Resources (Default)
+
+In the following example, the Karpenter module will create:
+
+- An IAM role for use with Pod Identity and a scoped IAM policy for the Karpenter controller
+- A Pod Identity association to grant Karpenter controller access provided by the IAM Role
+- A Node IAM role that Karpenter will use to create an Instance Profile for the nodes to receive IAM permissions
+- An access entry for the Node IAM role to allow nodes to join the cluster
+- SQS queue and EventBridge event rules for Karpenter to utilize for spot termination handling, capacity re-balancing, etc.
+
+```hcl
+module "eks" {
+ source = "terraform-aws-modules/eks/aws"
+
+ ...
+}
+
+module "karpenter" {
+ source = "terraform-aws-modules/eks/aws//modules/karpenter"
+
+ cluster_name = module.eks.cluster_name
+
+ # Attach additional IAM policies to the Karpenter node IAM role
+ node_iam_role_additional_policies = {
+ AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+ }
+
+ tags = {
+ Environment = "dev"
+ Terraform = "true"
+ }
+}
+```
+
+### Re-Use Existing Node IAM Role
+
+In the following example, the Karpenter module will create:
+
+- An IAM role for use with Pod Identity and a scoped IAM policy for the Karpenter controller
+- SQS queue and EventBridge event rules for Karpenter to utilize for spot termination handling, capacity re-balancing, etc.
+
+In this scenario, Karpenter will re-use an existing Node IAM role from the EKS managed node group which already has the necessary access entry permissions:
+
+```hcl
+module "eks" {
+ source = "terraform-aws-modules/eks"
+
+ # Shown just for connection between cluster and Karpenter sub-module below
+ eks_managed_node_groups = {
+ initial = {
+ instance_types = ["t3.medium"]
+
+ min_size = 1
+ max_size = 3
+ desired_size = 1
+ }
+ }
+ ...
+}
+
+module "karpenter" {
+ source = "terraform-aws-modules/eks/aws//modules/karpenter"
+
+ cluster_name = module.eks.cluster_name
+
+ create_node_iam_role = false
+ node_iam_role_arn = module.eks.eks_managed_node_groups["initial"].iam_role_arn
+
+ # Since the node group role will already have an access entry
+ create_access_entry = false
+
+ tags = {
+ Environment = "dev"
+ Terraform = "true"
+ }
+}
+```
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.5.7 |
+| [aws](#requirement\_aws) | >= 6.28 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 6.28 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_event_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
+| [aws_cloudwatch_event_target.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
+| [aws_eks_access_entry.node](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_access_entry) | resource |
+| [aws_eks_pod_identity_association.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_pod_identity_association) | resource |
+| [aws_iam_instance_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
+| [aws_iam_policy.controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.node](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy_attachment.controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.controller_additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.node](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.node_additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_sqs_queue.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
+| [aws_sqs_queue_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.controller_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.node_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_service_principal.ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/service_principal) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [access\_entry\_type](#input\_access\_entry\_type) | Type of the access entry. `EC2_LINUX`, `FARGATE_LINUX`, or `EC2_WINDOWS`; defaults to `EC2_LINUX` | `string` | `"EC2_LINUX"` | no |
+| [ami\_id\_ssm\_parameter\_arns](#input\_ami\_id\_ssm\_parameter\_arns) | List of SSM Parameter ARNs that Karpenter controller is allowed read access (for retrieving AMI IDs) | `list(string)` | `[]` | no |
+| [cluster\_ip\_family](#input\_cluster\_ip\_family) | The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. Note: If `ipv6` is specified, the `AmazonEKS_CNI_IPv6_Policy` must exist in the account. This policy is created by the EKS module with `create_cni_ipv6_iam_policy = true` | `string` | `"ipv4"` | no |
+| [cluster\_name](#input\_cluster\_name) | The name of the EKS cluster | `string` | `""` | no |
+| [create](#input\_create) | Controls if resources should be created (affects nearly all resources) | `bool` | `true` | no |
+| [create\_access\_entry](#input\_create\_access\_entry) | Determines whether an access entry is created for the IAM role used by the node IAM role | `bool` | `true` | no |
+| [create\_iam\_role](#input\_create\_iam\_role) | Determines whether an IAM role is created | `bool` | `true` | no |
+| [create\_instance\_profile](#input\_create\_instance\_profile) | Whether to create an IAM instance profile | `bool` | `false` | no |
+| [create\_node\_iam\_role](#input\_create\_node\_iam\_role) | Determines whether an IAM role is created or to use an existing IAM role | `bool` | `true` | no |
+| [create\_pod\_identity\_association](#input\_create\_pod\_identity\_association) | Determines whether to create pod identity association | `bool` | `true` | no |
+| [enable\_inline\_policy](#input\_enable\_inline\_policy) | Determines whether the controller policy is created as a standard IAM policy or inline IAM policy. This can be enabled when the error `LimitExceeded: Cannot exceed quota for PolicySize: 6144` is received since standard IAM policies have a limit of 6,144 characters versus an inline role policy's limit of 10,240 ([Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html)) | `bool` | `false` | no |
+| [enable\_spot\_termination](#input\_enable\_spot\_termination) | Determines whether to enable native spot termination handling | `bool` | `true` | no |
+| [iam\_policy\_description](#input\_iam\_policy\_description) | IAM policy description | `string` | `"Karpenter controller IAM policy"` | no |
+| [iam\_policy\_name](#input\_iam\_policy\_name) | Name of the IAM policy | `string` | `"KarpenterController"` | no |
+| [iam\_policy\_path](#input\_iam\_policy\_path) | Path of the IAM policy | `string` | `"/"` | no |
+| [iam\_policy\_statements](#input\_iam\_policy\_statements) | A list of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) - used for adding specific IAM permissions as needed | list(object({ # TODO - change to `map(object({...}))` in next major version
sid = optional(string)
actions = optional(list(string))
not_actions = optional(list(string))
effect = optional(string)
resources = optional(list(string))
not_resources = optional(list(string))
principals = optional(list(object({
type = string
identifiers = list(string)
})))
not_principals = optional(list(object({
type = string
identifiers = list(string)
})))
condition = optional(list(object({
test = string
values = list(string)
variable = string
})))
})) | `null` | no |
+| [iam\_policy\_use\_name\_prefix](#input\_iam\_policy\_use\_name\_prefix) | Determines whether the name of the IAM policy (`iam_policy_name`) is used as a prefix | `bool` | `true` | no |
+| [iam\_role\_description](#input\_iam\_role\_description) | IAM role description | `string` | `"Karpenter controller IAM role"` | no |
+| [iam\_role\_max\_session\_duration](#input\_iam\_role\_max\_session\_duration) | Maximum API session duration in seconds between 3600 and 43200 | `number` | `null` | no |
+| [iam\_role\_name](#input\_iam\_role\_name) | Name of the IAM role | `string` | `"KarpenterController"` | no |
+| [iam\_role\_override\_assume\_policy\_documents](#input\_iam\_role\_override\_assume\_policy\_documents) | A list of IAM policy documents to override the default assume role policy document for the Karpenter controller IAM role | `list(string)` | `[]` | no |
+| [iam\_role\_path](#input\_iam\_role\_path) | Path of the IAM role | `string` | `"/"` | no |
+| [iam\_role\_permissions\_boundary\_arn](#input\_iam\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for the IAM role | `string` | `null` | no |
+| [iam\_role\_policies](#input\_iam\_role\_policies) | Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format | `map(string)` | `{}` | no |
+| [iam\_role\_source\_assume\_policy\_documents](#input\_iam\_role\_source\_assume\_policy\_documents) | A list of IAM policy documents to use as a source for the assume role policy document for the Karpenter controller IAM role | `list(string)` | `[]` | no |
+| [iam\_role\_tags](#input\_iam\_role\_tags) | A map of additional tags to add the the IAM role | `map(string)` | `{}` | no |
+| [iam\_role\_use\_name\_prefix](#input\_iam\_role\_use\_name\_prefix) | Determines whether the name of the IAM role (`iam_role_name`) is used as a prefix | `bool` | `true` | no |
+| [namespace](#input\_namespace) | Namespace to associate with the Karpenter Pod Identity | `string` | `"kube-system"` | no |
+| [node\_iam\_role\_additional\_policies](#input\_node\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `map(string)` | `{}` | no |
+| [node\_iam\_role\_arn](#input\_node\_iam\_role\_arn) | Existing IAM role ARN for the IAM instance profile. Required if `create_node_iam_role` is set to `false` | `string` | `null` | no |
+| [node\_iam\_role\_attach\_cni\_policy](#input\_node\_iam\_role\_attach\_cni\_policy) | Whether to attach the `AmazonEKS_CNI_Policy`/`AmazonEKS_CNI_IPv6_Policy` IAM policy to the IAM IAM role. WARNING: If set `false` the permissions must be assigned to the `aws-node` DaemonSet pods via another method or nodes will not be able to join the cluster | `bool` | `true` | no |
+| [node\_iam\_role\_description](#input\_node\_iam\_role\_description) | Description of the role | `string` | `null` | no |
+| [node\_iam\_role\_max\_session\_duration](#input\_node\_iam\_role\_max\_session\_duration) | Maximum API session duration in seconds between 3600 and 43200 | `number` | `null` | no |
+| [node\_iam\_role\_name](#input\_node\_iam\_role\_name) | Name to use on IAM role created | `string` | `null` | no |
+| [node\_iam\_role\_path](#input\_node\_iam\_role\_path) | IAM role path | `string` | `"/"` | no |
+| [node\_iam\_role\_permissions\_boundary](#input\_node\_iam\_role\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
+| [node\_iam\_role\_tags](#input\_node\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
+| [node\_iam\_role\_use\_name\_prefix](#input\_node\_iam\_role\_use\_name\_prefix) | Determines whether the Node IAM role name (`node_iam_role_name`) is used as a prefix | `bool` | `true` | no |
+| [queue\_kms\_data\_key\_reuse\_period\_seconds](#input\_queue\_kms\_data\_key\_reuse\_period\_seconds) | The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again | `number` | `null` | no |
+| [queue\_kms\_master\_key\_id](#input\_queue\_kms\_master\_key\_id) | The ID of an AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK | `string` | `null` | no |
+| [queue\_managed\_sse\_enabled](#input\_queue\_managed\_sse\_enabled) | Boolean to enable server-side encryption (SSE) of message content with SQS-owned encryption keys | `bool` | `true` | no |
+| [queue\_name](#input\_queue\_name) | Name of the SQS queue | `string` | `null` | no |
+| [queue\_policy\_statements](#input\_queue\_policy\_statements) | A list of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) - used for adding specific SQS queue policy permissions as needed | map(object({
sid = optional(string)
actions = optional(list(string))
not_actions = optional(list(string))
effect = optional(string)
resources = optional(list(string))
not_resources = optional(list(string))
principals = optional(list(object({
type = string
identifiers = list(string)
})))
not_principals = optional(list(object({
type = string
identifiers = list(string)
})))
condition = optional(list(object({
test = string
values = list(string)
variable = string
})))
})) | `null` | no |
+| [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no |
+| [rule\_name\_prefix](#input\_rule\_name\_prefix) | Prefix used for all event bridge rules | `string` | `"Karpenter"` | no |
+| [service\_account](#input\_service\_account) | Service account to associate with the Karpenter Pod Identity | `string` | `"karpenter"` | no |
+| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [event\_rules](#output\_event\_rules) | Map of the event rules created and their attributes |
+| [iam\_role\_arn](#output\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the controller IAM role |
+| [iam\_role\_name](#output\_iam\_role\_name) | The name of the controller IAM role |
+| [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Stable and unique string identifying the controller IAM role |
+| [instance\_profile\_arn](#output\_instance\_profile\_arn) | ARN assigned by AWS to the instance profile |
+| [instance\_profile\_id](#output\_instance\_profile\_id) | Instance profile's ID |
+| [instance\_profile\_name](#output\_instance\_profile\_name) | Name of the instance profile |
+| [instance\_profile\_unique](#output\_instance\_profile\_unique) | Stable and unique string identifying the IAM instance profile |
+| [namespace](#output\_namespace) | Namespace associated with the Karpenter Pod Identity |
+| [node\_access\_entry\_arn](#output\_node\_access\_entry\_arn) | Amazon Resource Name (ARN) of the node Access Entry |
+| [node\_iam\_role\_arn](#output\_node\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the node IAM role |
+| [node\_iam\_role\_name](#output\_node\_iam\_role\_name) | The name of the node IAM role |
+| [node\_iam\_role\_unique\_id](#output\_node\_iam\_role\_unique\_id) | Stable and unique string identifying the node IAM role |
+| [queue\_arn](#output\_queue\_arn) | The ARN of the SQS queue |
+| [queue\_name](#output\_queue\_name) | The name of the created Amazon SQS queue |
+| [queue\_url](#output\_queue\_url) | The URL for the created Amazon SQS queue |
+| [service\_account](#output\_service\_account) | Service Account associated with the Karpenter Pod Identity |
+
+
+## License
+
+Apache 2 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/LICENSE) for full details.
diff --git a/modules/karpenter/main.tf b/modules/karpenter/main.tf
new file mode 100644
index 0000000000..af0e947e76
--- /dev/null
+++ b/modules/karpenter/main.tf
@@ -0,0 +1,417 @@
+data "aws_region" "current" {
+ count = var.create ? 1 : 0
+
+ region = var.region
+}
+
+data "aws_partition" "current" {
+ count = var.create ? 1 : 0
+}
+
+data "aws_caller_identity" "current" {
+ count = var.create ? 1 : 0
+}
+
+data "aws_service_principal" "ec2" {
+ count = var.create ? 1 : 0
+
+ service_name = "ec2"
+}
+
+locals {
+ account_id = try(data.aws_caller_identity.current[0].account_id, "")
+ ec2_sp_name = try(data.aws_service_principal.ec2[0].name, "")
+ partition = try(data.aws_partition.current[0].partition, "")
+ region = try(data.aws_region.current[0].region, "")
+}
+
+################################################################################
+# Karpenter controller IAM Role
+################################################################################
+
+locals {
+ create_iam_role = var.create && var.create_iam_role
+}
+
+data "aws_iam_policy_document" "controller_assume_role" {
+ count = local.create_iam_role ? 1 : 0
+
+ override_policy_documents = var.iam_role_override_assume_policy_documents
+ source_policy_documents = var.iam_role_source_assume_policy_documents
+
+ # Pod Identity
+ statement {
+ sid = "PodIdentity"
+ actions = [
+ "sts:AssumeRole",
+ "sts:TagSession",
+ ]
+
+ principals {
+ type = "Service"
+ identifiers = ["pods.eks.amazonaws.com"]
+ }
+ }
+}
+
+resource "aws_iam_role" "controller" {
+ count = local.create_iam_role ? 1 : 0
+
+ name = var.iam_role_use_name_prefix ? null : var.iam_role_name
+ name_prefix = var.iam_role_use_name_prefix ? "${var.iam_role_name}-" : null
+ path = var.iam_role_path
+ description = var.iam_role_description
+
+ assume_role_policy = data.aws_iam_policy_document.controller_assume_role[0].json
+ max_session_duration = var.iam_role_max_session_duration
+ permissions_boundary = var.iam_role_permissions_boundary_arn
+ force_detach_policies = true
+
+ tags = merge(var.tags, var.iam_role_tags)
+}
+
+resource "aws_iam_role_policy" "controller" {
+ count = local.create_iam_role && var.enable_inline_policy ? 1 : 0
+
+ name = var.iam_policy_use_name_prefix ? null : var.iam_policy_name
+ name_prefix = var.iam_policy_use_name_prefix ? "${var.iam_policy_name}-" : null
+ role = aws_iam_role.controller[0].name
+ policy = data.aws_iam_policy_document.controller[0].json
+}
+
+resource "aws_iam_policy" "controller" {
+ count = local.create_iam_role && !var.enable_inline_policy ? 1 : 0
+
+ name = var.iam_policy_use_name_prefix ? null : var.iam_policy_name
+ name_prefix = var.iam_policy_use_name_prefix ? "${var.iam_policy_name}-" : null
+ path = var.iam_policy_path
+ description = var.iam_policy_description
+ policy = data.aws_iam_policy_document.controller[0].json
+
+ tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "controller" {
+ count = local.create_iam_role && !var.enable_inline_policy ? 1 : 0
+
+ role = aws_iam_role.controller[0].name
+ policy_arn = aws_iam_policy.controller[0].arn
+}
+
+resource "aws_iam_role_policy_attachment" "controller_additional" {
+ for_each = { for k, v in var.iam_role_policies : k => v if local.create_iam_role }
+
+ role = aws_iam_role.controller[0].name
+ policy_arn = each.value
+}
+
+################################################################################
+# Pod Identity Association
+################################################################################
+
+resource "aws_eks_pod_identity_association" "karpenter" {
+ count = local.create_iam_role && var.create_pod_identity_association ? 1 : 0
+
+ region = var.region
+
+ cluster_name = var.cluster_name
+ namespace = var.namespace
+ service_account = var.service_account
+ role_arn = aws_iam_role.controller[0].arn
+
+ tags = var.tags
+}
+
+################################################################################
+# Node Termination Queue
+################################################################################
+
+locals {
+ enable_spot_termination = var.create && var.enable_spot_termination
+
+ queue_name = coalesce(var.queue_name, "Karpenter-${var.cluster_name}")
+}
+
+resource "aws_sqs_queue" "this" {
+ count = local.enable_spot_termination ? 1 : 0
+
+ region = var.region
+
+ name = local.queue_name
+ message_retention_seconds = 300
+ sqs_managed_sse_enabled = var.queue_managed_sse_enabled ? var.queue_managed_sse_enabled : null
+ kms_master_key_id = var.queue_kms_master_key_id
+ kms_data_key_reuse_period_seconds = var.queue_kms_data_key_reuse_period_seconds
+
+ tags = var.tags
+}
+
+data "aws_iam_policy_document" "queue" {
+ count = local.enable_spot_termination ? 1 : 0
+
+ statement {
+ sid = "SqsWrite"
+ actions = ["sqs:SendMessage"]
+ resources = [aws_sqs_queue.this[0].arn]
+
+ principals {
+ type = "Service"
+ identifiers = [
+ "events.amazonaws.com",
+ "sqs.amazonaws.com",
+ ]
+ }
+ }
+
+ statement {
+ sid = "DenyHTTP"
+ effect = "Deny"
+ actions = [
+ "sqs:*"
+ ]
+ resources = [aws_sqs_queue.this[0].arn]
+ condition {
+ test = "Bool"
+ variable = "aws:SecureTransport"
+ values = [
+ "false"
+ ]
+ }
+ principals {
+ type = "*"
+ identifiers = [
+ "*"
+ ]
+ }
+ }
+
+ dynamic "statement" {
+ for_each = var.queue_policy_statements != null ? var.queue_policy_statements : {}
+
+ content {
+ sid = try(coalesce(statement.value.sid, statement.key))
+ actions = statement.value.actions
+ not_actions = statement.value.not_actions
+ effect = statement.value.effect
+ resources = statement.value.resources
+ not_resources = statement.value.not_resources
+
+ dynamic "principals" {
+ for_each = statement.value.principals != null ? statement.value.principals : []
+
+ content {
+ type = principals.value.type
+ identifiers = principals.value.identifiers
+ }
+ }
+
+ dynamic "not_principals" {
+ for_each = statement.value.not_principals != null ? statement.value.not_principals : []
+
+ content {
+ type = not_principals.value.type
+ identifiers = not_principals.value.identifiers
+ }
+ }
+
+ dynamic "condition" {
+ for_each = statement.value.condition != null ? statement.value.condition : []
+
+ content {
+ test = condition.value.test
+ values = condition.value.values
+ variable = condition.value.variable
+ }
+ }
+ }
+ }
+}
+
+resource "aws_sqs_queue_policy" "this" {
+ count = local.enable_spot_termination ? 1 : 0
+
+ region = var.region
+
+ queue_url = aws_sqs_queue.this[0].url
+ policy = data.aws_iam_policy_document.queue[0].json
+}
+
+################################################################################
+# Node Termination Event Rules
+################################################################################
+
+locals {
+ events = {
+ health_event = {
+ name = "HealthEvent"
+ description = "Karpenter interrupt - AWS health event"
+ event_pattern = {
+ source = ["aws.health"]
+ detail-type = ["AWS Health Event"]
+ }
+ }
+ spot_interrupt = {
+ name = "SpotInterrupt"
+ description = "Karpenter interrupt - EC2 spot instance interruption warning"
+ event_pattern = {
+ source = ["aws.ec2"]
+ detail-type = ["EC2 Spot Instance Interruption Warning"]
+ }
+ }
+ instance_rebalance = {
+ name = "InstanceRebalance"
+ description = "Karpenter interrupt - EC2 instance rebalance recommendation"
+ event_pattern = {
+ source = ["aws.ec2"]
+ detail-type = ["EC2 Instance Rebalance Recommendation"]
+ }
+ }
+ instance_state_change = {
+ name = "InstanceStateChange"
+ description = "Karpenter interrupt - EC2 instance state-change notification"
+ event_pattern = {
+ source = ["aws.ec2"]
+ detail-type = ["EC2 Instance State-change Notification"]
+ }
+ }
+ }
+}
+
+resource "aws_cloudwatch_event_rule" "this" {
+ for_each = { for k, v in local.events : k => v if local.enable_spot_termination }
+
+ region = var.region
+
+ name_prefix = "${var.rule_name_prefix}${each.value.name}-"
+ description = each.value.description
+ event_pattern = jsonencode(each.value.event_pattern)
+
+ tags = merge(
+ { "ClusterName" : var.cluster_name },
+ var.tags,
+ )
+}
+
+resource "aws_cloudwatch_event_target" "this" {
+ for_each = { for k, v in local.events : k => v if local.enable_spot_termination }
+
+ region = var.region
+
+ rule = aws_cloudwatch_event_rule.this[each.key].name
+ target_id = "KarpenterInterruptionQueueTarget"
+ arn = aws_sqs_queue.this[0].arn
+}
+
+################################################################################
+# Node IAM Role
+# This is used by the nodes launched by Karpenter
+################################################################################
+
+locals {
+ create_node_iam_role = var.create && var.create_node_iam_role
+
+ node_iam_role_name = coalesce(var.node_iam_role_name, "Karpenter-${var.cluster_name}")
+ node_iam_role_policy_prefix = "arn:${local.partition}:iam::aws:policy"
+
+ ipv4_cni_policy = { for k, v in {
+ AmazonEKS_CNI_Policy = "${local.node_iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
+ } : k => v if var.node_iam_role_attach_cni_policy && var.cluster_ip_family == "ipv4" }
+ ipv6_cni_policy = { for k, v in {
+ AmazonEKS_CNI_IPv6_Policy = "arn:${local.partition}:iam::${local.account_id}:policy/AmazonEKS_CNI_IPv6_Policy"
+ } : k => v if var.node_iam_role_attach_cni_policy && var.cluster_ip_family == "ipv6" }
+}
+
+data "aws_iam_policy_document" "node_assume_role" {
+ count = local.create_node_iam_role ? 1 : 0
+
+ statement {
+ sid = "EKSNodeAssumeRole"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = [local.ec2_sp_name]
+ }
+ }
+}
+
+resource "aws_iam_role" "node" {
+ count = local.create_node_iam_role ? 1 : 0
+
+ name = var.node_iam_role_use_name_prefix ? null : local.node_iam_role_name
+ name_prefix = var.node_iam_role_use_name_prefix ? "${local.node_iam_role_name}-" : null
+ path = var.node_iam_role_path
+ description = var.node_iam_role_description
+
+ assume_role_policy = data.aws_iam_policy_document.node_assume_role[0].json
+ max_session_duration = var.node_iam_role_max_session_duration
+ permissions_boundary = var.node_iam_role_permissions_boundary
+ force_detach_policies = true
+
+ tags = merge(var.tags, var.node_iam_role_tags)
+}
+
+# Policies attached ref https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group
+resource "aws_iam_role_policy_attachment" "node" {
+ for_each = { for k, v in merge(
+ {
+ AmazonEKSWorkerNodePolicy = "${local.node_iam_role_policy_prefix}/AmazonEKSWorkerNodePolicy"
+ AmazonEC2ContainerRegistryPullOnly = "${local.node_iam_role_policy_prefix}/AmazonEC2ContainerRegistryPullOnly"
+ },
+ local.ipv4_cni_policy,
+ local.ipv6_cni_policy
+ ) : k => v if local.create_node_iam_role }
+
+ policy_arn = each.value
+ role = aws_iam_role.node[0].name
+}
+
+resource "aws_iam_role_policy_attachment" "node_additional" {
+ for_each = { for k, v in var.node_iam_role_additional_policies : k => v if local.create_node_iam_role }
+
+ policy_arn = each.value
+ role = aws_iam_role.node[0].name
+}
+
+################################################################################
+# Access Entry
+################################################################################
+
+resource "aws_eks_access_entry" "node" {
+ count = var.create && var.create_access_entry ? 1 : 0
+
+ region = var.region
+
+ cluster_name = var.cluster_name
+ principal_arn = var.create_node_iam_role ? aws_iam_role.node[0].arn : var.node_iam_role_arn
+ type = var.access_entry_type
+
+ tags = var.tags
+
+ depends_on = [
+ # If we try to add this too quickly, it fails. So .... we wait
+ aws_sqs_queue_policy.this,
+ ]
+}
+
+################################################################################
+# Node IAM Instance Profile
+# This is used by the nodes launched by Karpenter
+# Starting with Karpenter 0.32 this is no longer required as Karpenter will
+# create the Instance Profile
+################################################################################
+
+locals {
+ external_role_name = try(replace(var.node_iam_role_arn, "/^(.*role/)/", ""), null)
+}
+
+resource "aws_iam_instance_profile" "this" {
+ count = var.create && var.create_instance_profile ? 1 : 0
+
+ name = var.node_iam_role_use_name_prefix ? null : local.node_iam_role_name
+ name_prefix = var.node_iam_role_use_name_prefix ? "${local.node_iam_role_name}-" : null
+ path = var.node_iam_role_path
+ role = var.create_node_iam_role ? aws_iam_role.node[0].name : local.external_role_name
+
+ tags = merge(var.tags, var.node_iam_role_tags)
+}
diff --git a/modules/karpenter/migrations.tf b/modules/karpenter/migrations.tf
new file mode 100644
index 0000000000..b40040f330
--- /dev/null
+++ b/modules/karpenter/migrations.tf
@@ -0,0 +1,77 @@
+################################################################################
+# Migrations: v19.21 -> v20.0
+################################################################################
+
+# Node IAM role
+moved {
+ from = aws_iam_role.this
+ to = aws_iam_role.node
+}
+
+moved {
+ from = aws_iam_policy.this
+ to = aws_iam_policy.node
+}
+
+moved {
+ from = aws_iam_role_policy_attachment.this
+ to = aws_iam_role_policy_attachment.node
+}
+
+moved {
+ from = aws_iam_role_policy_attachment.additional
+ to = aws_iam_role_policy_attachment.node_additional
+}
+
+# Controller IAM role
+moved {
+ from = aws_iam_role.irsa
+ to = aws_iam_role.controller
+}
+
+moved {
+ from = aws_iam_policy.irsa
+ to = aws_iam_policy.controller
+}
+
+moved {
+ from = aws_iam_role_policy_attachment.irsa
+ to = aws_iam_role_policy_attachment.controller
+}
+
+moved {
+ from = aws_iam_role_policy_attachment.irsa_additional
+ to = aws_iam_role_policy_attachment.controller_additional
+}
+
+# Spelling correction
+moved {
+ from = aws_cloudwatch_event_target.this["spot_interupt"]
+ to = aws_cloudwatch_event_target.this["spot_interrupt"]
+}
+
+moved {
+ from = aws_cloudwatch_event_rule.this["spot_interupt"]
+ to = aws_cloudwatch_event_rule.this["spot_interrupt"]
+}
+
+################################################################################
+# Migrations: v20.7 -> v20.8
+################################################################################
+
+# Node IAM role policy attachment
+# Commercial partition only - `moved` does now allow multiple moves to same target
+moved {
+ from = aws_iam_role_policy_attachment.node["arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"]
+ to = aws_iam_role_policy_attachment.node["AmazonEKSWorkerNodePolicy"]
+}
+
+moved {
+ from = aws_iam_role_policy_attachment.node["arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"]
+ to = aws_iam_role_policy_attachment.node["AmazonEC2ContainerRegistryReadOnly"]
+}
+
+moved {
+ from = aws_iam_role_policy_attachment.node["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"]
+ to = aws_iam_role_policy_attachment.node["AmazonEKS_CNI_Policy"]
+}
diff --git a/modules/karpenter/outputs.tf b/modules/karpenter/outputs.tf
new file mode 100644
index 0000000000..a71d47242d
--- /dev/null
+++ b/modules/karpenter/outputs.tf
@@ -0,0 +1,112 @@
+################################################################################
+# Karpenter controller IAM Role
+################################################################################
+
+output "iam_role_name" {
+ description = "The name of the controller IAM role"
+ value = try(aws_iam_role.controller[0].name, null)
+}
+
+output "iam_role_arn" {
+ description = "The Amazon Resource Name (ARN) specifying the controller IAM role"
+ value = try(aws_iam_role.controller[0].arn, null)
+}
+
+output "iam_role_unique_id" {
+ description = "Stable and unique string identifying the controller IAM role"
+ value = try(aws_iam_role.controller[0].unique_id, null)
+}
+
+################################################################################
+# Node Termination Queue
+################################################################################
+
+output "queue_arn" {
+ description = "The ARN of the SQS queue"
+ value = try(aws_sqs_queue.this[0].arn, null)
+}
+
+output "queue_name" {
+ description = "The name of the created Amazon SQS queue"
+ value = try(aws_sqs_queue.this[0].name, null)
+}
+
+output "queue_url" {
+ description = "The URL for the created Amazon SQS queue"
+ value = try(aws_sqs_queue.this[0].url, null)
+}
+
+################################################################################
+# Node Termination Event Rules
+################################################################################
+
+output "event_rules" {
+ description = "Map of the event rules created and their attributes"
+ value = aws_cloudwatch_event_rule.this
+}
+
+################################################################################
+# Node IAM Role
+################################################################################
+
+output "node_iam_role_name" {
+ description = "The name of the node IAM role"
+ value = try(aws_iam_role.node[0].name, null)
+}
+
+output "node_iam_role_arn" {
+ description = "The Amazon Resource Name (ARN) specifying the node IAM role"
+ value = try(aws_iam_role.node[0].arn, var.node_iam_role_arn)
+}
+
+output "node_iam_role_unique_id" {
+ description = "Stable and unique string identifying the node IAM role"
+ value = try(aws_iam_role.node[0].unique_id, null)
+}
+
+################################################################################
+# Access Entry
+################################################################################
+
+output "node_access_entry_arn" {
+ description = "Amazon Resource Name (ARN) of the node Access Entry"
+ value = try(aws_eks_access_entry.node[0].access_entry_arn, null)
+}
+
+################################################################################
+# Node IAM Instance Profile
+################################################################################
+
+output "instance_profile_arn" {
+ description = "ARN assigned by AWS to the instance profile"
+ value = try(aws_iam_instance_profile.this[0].arn, null)
+}
+
+output "instance_profile_id" {
+ description = "Instance profile's ID"
+ value = try(aws_iam_instance_profile.this[0].id, null)
+}
+
+output "instance_profile_name" {
+ description = "Name of the instance profile"
+ value = try(aws_iam_instance_profile.this[0].name, null)
+}
+
+output "instance_profile_unique" {
+ description = "Stable and unique string identifying the IAM instance profile"
+ value = try(aws_iam_instance_profile.this[0].unique_id, null)
+}
+
+################################################################################
+# Pod Identity
+################################################################################
+
+output "namespace" {
+ description = "Namespace associated with the Karpenter Pod Identity"
+ value = var.namespace
+}
+
+output "service_account" {
+ description = "Service Account associated with the Karpenter Pod Identity"
+ value = var.service_account
+}
diff --git a/modules/karpenter/policy.tf b/modules/karpenter/policy.tf
new file mode 100644
index 0000000000..34937f36eb
--- /dev/null
+++ b/modules/karpenter/policy.tf
@@ -0,0 +1,405 @@
+data "aws_iam_policy_document" "controller" {
+ count = local.create_iam_role ? 1 : 0
+
+ statement {
+ sid = "AllowScopedEC2InstanceAccessActions"
+ resources = [
+ "arn:${local.partition}:ec2:${local.region}::image/*",
+ "arn:${local.partition}:ec2:${local.region}::snapshot/*",
+ "arn:${local.partition}:ec2:${local.region}:*:security-group/*",
+ "arn:${local.partition}:ec2:${local.region}:*:subnet/*",
+ "arn:${local.partition}:ec2:${local.region}:*:capacity-reservation/*",
+ ]
+
+ actions = [
+ "ec2:RunInstances",
+ "ec2:CreateFleet"
+ ]
+ }
+
+ statement {
+ sid = "AllowScopedEC2LaunchTemplateAccessActions"
+ resources = [
+ "arn:${local.partition}:ec2:${local.region}:*:launch-template/*"
+ ]
+
+ actions = [
+ "ec2:RunInstances",
+ "ec2:CreateFleet"
+ ]
+
+ condition {
+ test = "StringEquals"
+ variable = "aws:ResourceTag/kubernetes.io/cluster/${var.cluster_name}"
+ values = ["owned"]
+ }
+
+ condition {
+ test = "StringLike"
+ variable = "aws:ResourceTag/karpenter.sh/nodepool"
+ values = ["*"]
+ }
+ }
+
+ statement {
+ sid = "AllowScopedEC2InstanceActionsWithTags"
+ resources = [
+ "arn:${local.partition}:ec2:${local.region}:*:fleet/*",
+ "arn:${local.partition}:ec2:${local.region}:*:instance/*",
+ "arn:${local.partition}:ec2:${local.region}:*:volume/*",
+ "arn:${local.partition}:ec2:${local.region}:*:network-interface/*",
+ "arn:${local.partition}:ec2:${local.region}:*:launch-template/*",
+ "arn:${local.partition}:ec2:${local.region}:*:spot-instances-request/*",
+ "arn:${local.partition}:ec2:${local.region}:*:capacity-reservation/*"
+ ]
+ actions = [
+ "ec2:RunInstances",
+ "ec2:CreateFleet",
+ "ec2:CreateLaunchTemplate"
+ ]
+
+ condition {
+ test = "StringEquals"
+ variable = "aws:RequestTag/kubernetes.io/cluster/${var.cluster_name}"
+ values = ["owned"]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "aws:RequestTag/eks:eks-cluster-name"
+ values = [var.cluster_name]
+ }
+
+ condition {
+ test = "StringLike"
+ variable = "aws:RequestTag/karpenter.sh/nodepool"
+ values = ["*"]
+ }
+ }
+
+ statement {
+ sid = "AllowScopedResourceCreationTagging"
+ resources = [
+ "arn:${local.partition}:ec2:${local.region}:*:fleet/*",
+ "arn:${local.partition}:ec2:${local.region}:*:instance/*",
+ "arn:${local.partition}:ec2:${local.region}:*:volume/*",
+ "arn:${local.partition}:ec2:${local.region}:*:network-interface/*",
+ "arn:${local.partition}:ec2:${local.region}:*:launch-template/*",
+ "arn:${local.partition}:ec2:${local.region}:*:spot-instances-request/*",
+ ]
+ actions = ["ec2:CreateTags"]
+
+ condition {
+ test = "StringEquals"
+ variable = "aws:RequestTag/kubernetes.io/cluster/${var.cluster_name}"
+ values = ["owned"]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "aws:RequestTag/eks:eks-cluster-name"
+ values = [var.cluster_name]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "ec2:CreateAction"
+ values = [
+ "RunInstances",
+ "CreateFleet",
+ "CreateLaunchTemplate",
+ ]
+ }
+
+ condition {
+ test = "StringLike"
+ variable = "aws:RequestTag/karpenter.sh/nodepool"
+ values = ["*"]
+ }
+ }
+
+ statement {
+ sid = "AllowScopedResourceTagging"
+ resources = ["arn:${local.partition}:ec2:${local.region}:*:instance/*"]
+ actions = ["ec2:CreateTags"]
+
+ condition {
+ test = "StringEquals"
+ variable = "aws:ResourceTag/kubernetes.io/cluster/${var.cluster_name}"
+ values = ["owned"]
+ }
+
+ condition {
+ test = "StringLike"
+ variable = "aws:ResourceTag/karpenter.sh/nodepool"
+ values = ["*"]
+ }
+
+ condition {
+ test = "StringEqualsIfExists"
+ variable = "aws:RequestTag/eks:eks-cluster-name"
+ values = [var.cluster_name]
+ }
+
+ condition {
+ test = "ForAllValues:StringEquals"
+ variable = "aws:TagKeys"
+ values = [
+ "eks:eks-cluster-name",
+ "karpenter.sh/nodeclaim",
+ "Name",
+ ]
+ }
+ }
+
+ statement {
+ sid = "AllowScopedDeletion"
+ resources = [
+ "arn:${local.partition}:ec2:${local.region}:*:instance/*",
+ "arn:${local.partition}:ec2:${local.region}:*:launch-template/*"
+ ]
+
+ actions = [
+ "ec2:TerminateInstances",
+ "ec2:DeleteLaunchTemplate"
+ ]
+
+ condition {
+ test = "StringEquals"
+ variable = "aws:ResourceTag/kubernetes.io/cluster/${var.cluster_name}"
+ values = ["owned"]
+ }
+
+ condition {
+ test = "StringLike"
+ variable = "aws:ResourceTag/karpenter.sh/nodepool"
+ values = ["*"]
+ }
+ }
+
+ statement {
+ sid = "AllowRegionalReadActions"
+ resources = ["*"]
+ actions = [
+ "ec2:DescribeCapacityReservations",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeImages",
+ "ec2:DescribeInstances",
+ "ec2:DescribeInstanceTypeOfferings",
+ "ec2:DescribeInstanceTypes",
+ "ec2:DescribeLaunchTemplates",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSpotPriceHistory",
+ "ec2:DescribeSubnets"
+ ]
+
+ condition {
+ test = "StringEquals"
+ variable = "aws:RequestedRegion"
+ values = [local.region]
+ }
+ }
+
+ statement {
+ sid = "AllowSSMReadActions"
+ resources = coalescelist(var.ami_id_ssm_parameter_arns, ["arn:${local.partition}:ssm:${local.region}::parameter/aws/service/*"])
+ actions = ["ssm:GetParameter"]
+ }
+
+ statement {
+ sid = "AllowPricingReadActions"
+ resources = ["*"]
+ actions = ["pricing:GetProducts"]
+ }
+
+ dynamic "statement" {
+ for_each = local.enable_spot_termination ? [1] : []
+
+ content {
+ sid = "AllowInterruptionQueueActions"
+ resources = [try(aws_sqs_queue.this[0].arn, null)]
+ actions = [
+ "sqs:DeleteMessage",
+ "sqs:GetQueueUrl",
+ "sqs:ReceiveMessage"
+ ]
+ }
+ }
+
+ statement {
+ sid = "AllowPassingInstanceRole"
+ resources = var.create_node_iam_role ? [aws_iam_role.node[0].arn] : [var.node_iam_role_arn]
+ actions = ["iam:PassRole"]
+
+ condition {
+ test = "StringEquals"
+ variable = "iam:PassedToService"
+ values = distinct([local.ec2_sp_name, "ec2.amazonaws.com"])
+ }
+ }
+
+ statement {
+ sid = "AllowScopedInstanceProfileCreationActions"
+ resources = ["arn:${local.partition}:iam::${local.account_id}:instance-profile/*"]
+ actions = ["iam:CreateInstanceProfile"]
+
+ condition {
+ test = "StringEquals"
+ variable = "aws:RequestTag/kubernetes.io/cluster/${var.cluster_name}"
+ values = ["owned"]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "aws:RequestTag/eks:eks-cluster-name"
+ values = [var.cluster_name]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "aws:RequestTag/topology.kubernetes.io/region"
+ values = [local.region]
+ }
+
+ condition {
+ test = "StringLike"
+ variable = "aws:RequestTag/karpenter.k8s.aws/ec2nodeclass"
+ values = ["*"]
+ }
+ }
+
+ statement {
+ sid = "AllowScopedInstanceProfileTagActions"
+ resources = ["arn:${local.partition}:iam::${local.account_id}:instance-profile/*"]
+ actions = ["iam:TagInstanceProfile"]
+
+ condition {
+ test = "StringEquals"
+ variable = "aws:ResourceTag/kubernetes.io/cluster/${var.cluster_name}"
+ values = ["owned"]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "aws:ResourceTag/topology.kubernetes.io/region"
+ values = [local.region]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "aws:RequestTag/kubernetes.io/cluster/${var.cluster_name}"
+ values = ["owned"]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "aws:RequestTag/eks:eks-cluster-name"
+ values = [var.cluster_name]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "aws:RequestTag/topology.kubernetes.io/region"
+ values = [local.region]
+ }
+
+ condition {
+ test = "StringLike"
+ variable = "aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass"
+ values = ["*"]
+ }
+
+ condition {
+ test = "StringLike"
+ variable = "aws:RequestTag/karpenter.k8s.aws/ec2nodeclass"
+ values = ["*"]
+ }
+ }
+
+ statement {
+ sid = "AllowScopedInstanceProfileActions"
+ resources = ["arn:${local.partition}:iam::${local.account_id}:instance-profile/*"]
+ actions = [
+ "iam:AddRoleToInstanceProfile",
+ "iam:RemoveRoleFromInstanceProfile",
+ "iam:DeleteInstanceProfile"
+ ]
+
+ condition {
+ test = "StringEquals"
+ variable = "aws:ResourceTag/kubernetes.io/cluster/${var.cluster_name}"
+ values = ["owned"]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "aws:ResourceTag/topology.kubernetes.io/region"
+ values = [local.region]
+ }
+
+ condition {
+ test = "StringLike"
+ variable = "aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass"
+ values = ["*"]
+ }
+ }
+
+ statement {
+ sid = "AllowInstanceProfileReadActions"
+ resources = ["arn:${local.partition}:iam::${local.account_id}:instance-profile/*"]
+ actions = ["iam:GetInstanceProfile"]
+ }
+
+ statement {
+ sid = "AllowUnscopedInstanceProfileListAction"
+ resources = ["*"]
+ actions = ["iam:ListInstanceProfiles"]
+ }
+
+ statement {
+ sid = "AllowAPIServerEndpointDiscovery"
+ resources = ["arn:${local.partition}:eks:${local.region}:${local.account_id}:cluster/${var.cluster_name}"]
+ actions = ["eks:DescribeCluster"]
+ }
+
+ dynamic "statement" {
+ for_each = var.iam_policy_statements != null ? var.iam_policy_statements : []
+
+ content {
+ sid = statement.value.sid
+ actions = statement.value.actions
+ not_actions = statement.value.not_actions
+ effect = statement.value.effect
+ resources = statement.value.resources
+ not_resources = statement.value.not_resources
+
+ dynamic "principals" {
+ for_each = statement.value.principals != null ? statement.value.principals : []
+
+ content {
+ type = principals.value.type
+ identifiers = principals.value.identifiers
+ }
+ }
+
+ dynamic "not_principals" {
+ for_each = statement.value.not_principals != null ? statement.value.not_principals : []
+
+ content {
+ type = not_principals.value.type
+ identifiers = not_principals.value.identifiers
+ }
+ }
+
+ dynamic "condition" {
+ for_each = statement.value.condition != null ? statement.value.condition : []
+
+ content {
+ test = condition.value.test
+ values = condition.value.values
+ variable = condition.value.variable
+ }
+ }
+ }
+ }
+}
diff --git a/modules/karpenter/variables.tf b/modules/karpenter/variables.tf
new file mode 100644
index 0000000000..7e73a3883f
--- /dev/null
+++ b/modules/karpenter/variables.tf
@@ -0,0 +1,349 @@
+variable "create" {
+ description = "Controls if resources should be created (affects nearly all resources)"
+ type = bool
+ default = true
+}
+
+variable "tags" {
+ description = "A map of tags to add to all resources"
+ type = map(string)
+ default = {}
+}
+
+variable "cluster_name" {
+ description = "The name of the EKS cluster"
+ type = string
+ default = ""
+}
+
+variable "region" {
+ description = "Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration"
+ type = string
+ default = null
+}
+
+################################################################################
+# Karpenter controller IAM Role
+################################################################################
+
+variable "create_iam_role" {
+ description = "Determines whether an IAM role is created"
+ type = bool
+ default = true
+}
+
+variable "enable_inline_policy" {
+ description = "Determines whether the controller policy is created as a standard IAM policy or inline IAM policy. This can be enabled when the error `LimitExceeded: Cannot exceed quota for PolicySize: 6144` is received since standard IAM policies have a limit of 6,144 characters versus an inline role policy's limit of 10,240 ([Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html))"
+ type = bool
+ default = false
+}
+
+variable "iam_role_name" {
+ description = "Name of the IAM role"
+ type = string
+ default = "KarpenterController"
+}
+
+variable "iam_role_use_name_prefix" {
+ description = "Determines whether the name of the IAM role (`iam_role_name`) is used as a prefix"
+ type = bool
+ default = true
+}
+
+variable "iam_role_path" {
+ description = "Path of the IAM role"
+ type = string
+ default = "/"
+}
+
+variable "iam_role_description" {
+ description = "IAM role description"
+ type = string
+ default = "Karpenter controller IAM role"
+}
+
+variable "iam_role_max_session_duration" {
+ description = "Maximum API session duration in seconds between 3600 and 43200"
+ type = number
+ default = null
+}
+
+variable "iam_role_permissions_boundary_arn" {
+ description = "Permissions boundary ARN to use for the IAM role"
+ type = string
+ default = null
+}
+
+variable "iam_role_tags" {
+ description = "A map of additional tags to add the the IAM role"
+ type = map(string)
+ default = {}
+}
+
+variable "iam_policy_name" {
+ description = "Name of the IAM policy"
+ type = string
+ default = "KarpenterController"
+}
+
+variable "iam_policy_use_name_prefix" {
+ description = "Determines whether the name of the IAM policy (`iam_policy_name`) is used as a prefix"
+ type = bool
+ default = true
+}
+
+variable "iam_policy_path" {
+ description = "Path of the IAM policy"
+ type = string
+ default = "/"
+}
+
+variable "iam_policy_description" {
+ description = "IAM policy description"
+ type = string
+ default = "Karpenter controller IAM policy"
+}
+
+variable "iam_role_override_assume_policy_documents" {
+ description = "A list of IAM policy documents to override the default assume role policy document for the Karpenter controller IAM role"
+ type = list(string)
+ default = []
+}
+
+variable "iam_role_source_assume_policy_documents" {
+ description = "A list of IAM policy documents to use as a source for the assume role policy document for the Karpenter controller IAM role"
+ type = list(string)
+ default = []
+}
+
+variable "iam_policy_statements" {
+ description = "A list of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) - used for adding specific IAM permissions as needed"
+ type = list(object({ # TODO - change to `map(object({...}))` in next major version
+ sid = optional(string)
+ actions = optional(list(string))
+ not_actions = optional(list(string))
+ effect = optional(string)
+ resources = optional(list(string))
+ not_resources = optional(list(string))
+ principals = optional(list(object({
+ type = string
+ identifiers = list(string)
+ })))
+ not_principals = optional(list(object({
+ type = string
+ identifiers = list(string)
+ })))
+ condition = optional(list(object({
+ test = string
+ values = list(string)
+ variable = string
+ })))
+ }))
+ default = null
+}
+
+variable "iam_role_policies" {
+ description = "Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format"
+ type = map(string)
+ default = {}
+}
+
+variable "ami_id_ssm_parameter_arns" {
+ description = "List of SSM Parameter ARNs that Karpenter controller is allowed read access (for retrieving AMI IDs)"
+ type = list(string)
+ default = []
+}
+
+################################################################################
+# Pod Identity Association
+################################################################################
+
+variable "create_pod_identity_association" {
+ description = "Determines whether to create pod identity association"
+ type = bool
+ default = true
+}
+
+variable "namespace" {
+ description = "Namespace to associate with the Karpenter Pod Identity"
+ type = string
+ default = "kube-system"
+}
+
+variable "service_account" {
+ description = "Service account to associate with the Karpenter Pod Identity"
+ type = string
+ default = "karpenter"
+}
+
+################################################################################
+# Node Termination Queue
+################################################################################
+
+variable "enable_spot_termination" {
+ description = "Determines whether to enable native spot termination handling"
+ type = bool
+ default = true
+}
+
+variable "queue_name" {
+ description = "Name of the SQS queue"
+ type = string
+ default = null
+}
+
+variable "queue_managed_sse_enabled" {
+ description = "Boolean to enable server-side encryption (SSE) of message content with SQS-owned encryption keys"
+ type = bool
+ default = true
+}
+
+variable "queue_kms_master_key_id" {
+ description = "The ID of an AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK"
+ type = string
+ default = null
+}
+
+variable "queue_kms_data_key_reuse_period_seconds" {
+ description = "The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again"
+ type = number
+ default = null
+}
+
+variable "queue_policy_statements" {
+ description = "A list of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) - used for adding specific SQS queue policy permissions as needed"
+ type = map(object({
+ sid = optional(string)
+ actions = optional(list(string))
+ not_actions = optional(list(string))
+ effect = optional(string)
+ resources = optional(list(string))
+ not_resources = optional(list(string))
+ principals = optional(list(object({
+ type = string
+ identifiers = list(string)
+ })))
+ not_principals = optional(list(object({
+ type = string
+ identifiers = list(string)
+ })))
+ condition = optional(list(object({
+ test = string
+ values = list(string)
+ variable = string
+ })))
+ }))
+ default = null
+}
+
+################################################################################
+# Node IAM Role
+################################################################################
+
+variable "create_node_iam_role" {
+ description = "Determines whether an IAM role is created or to use an existing IAM role"
+ type = bool
+ default = true
+}
+
+variable "cluster_ip_family" {
+ description = "The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. Note: If `ipv6` is specified, the `AmazonEKS_CNI_IPv6_Policy` must exist in the account. This policy is created by the EKS module with `create_cni_ipv6_iam_policy = true`"
+ type = string
+ default = "ipv4"
+}
+
+variable "node_iam_role_arn" {
+ description = "Existing IAM role ARN for the IAM instance profile. Required if `create_node_iam_role` is set to `false`"
+ type = string
+ default = null
+}
+
+variable "node_iam_role_name" {
+ description = "Name to use on IAM role created"
+ type = string
+ default = null
+}
+
+variable "node_iam_role_use_name_prefix" {
+ description = "Determines whether the Node IAM role name (`node_iam_role_name`) is used as a prefix"
+ type = bool
+ default = true
+}
+
+variable "node_iam_role_path" {
+ description = "IAM role path"
+ type = string
+ default = "/"
+}
+
+variable "node_iam_role_description" {
+ description = "Description of the role"
+ type = string
+ default = null
+}
+
+variable "node_iam_role_max_session_duration" {
+ description = "Maximum API session duration in seconds between 3600 and 43200"
+ type = number
+ default = null
+}
+
+variable "node_iam_role_permissions_boundary" {
+ description = "ARN of the policy that is used to set the permissions boundary for the IAM role"
+ type = string
+ default = null
+}
+
+variable "node_iam_role_attach_cni_policy" {
+ description = "Whether to attach the `AmazonEKS_CNI_Policy`/`AmazonEKS_CNI_IPv6_Policy` IAM policy to the IAM IAM role. WARNING: If set `false` the permissions must be assigned to the `aws-node` DaemonSet pods via another method or nodes will not be able to join the cluster"
+ type = bool
+ default = true
+}
+
+variable "node_iam_role_additional_policies" {
+ description = "Additional policies to be added to the IAM role"
+ type = map(string)
+ default = {}
+}
+
+variable "node_iam_role_tags" {
+ description = "A map of additional tags to add to the IAM role created"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# Access Entry
+################################################################################
+
+variable "create_access_entry" {
+ description = "Determines whether an access entry is created for the IAM role used by the node IAM role"
+ type = bool
+ default = true
+}
+
+variable "access_entry_type" {
+ description = "Type of the access entry. `EC2_LINUX`, `FARGATE_LINUX`, or `EC2_WINDOWS`; defaults to `EC2_LINUX`"
+ type = string
+ default = "EC2_LINUX"
+}
+
+################################################################################
+# Node IAM Instance Profile
+################################################################################
+
+variable "create_instance_profile" {
+ description = "Whether to create an IAM instance profile"
+ type = bool
+ default = false
+}
+
+################################################################################
+# Event Bridge Rules
+################################################################################
+
+variable "rule_name_prefix" {
+ description = "Prefix used for all event bridge rules"
+ type = string
+ default = "Karpenter"
+}
diff --git a/modules/karpenter/versions.tf b/modules/karpenter/versions.tf
new file mode 100644
index 0000000000..af99edcc27
--- /dev/null
+++ b/modules/karpenter/versions.tf
@@ -0,0 +1,16 @@
+terraform {
+ required_version = ">= 1.5.7"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 6.28"
+ }
+ }
+
+ provider_meta "aws" {
+ user_agent = [
+ "github.com/terraform-aws-modules/terraform-aws-eks"
+ ]
+ }
+}
diff --git a/modules/self-managed-node-group/README.md b/modules/self-managed-node-group/README.md
new file mode 100644
index 0000000000..fb267b246a
--- /dev/null
+++ b/modules/self-managed-node-group/README.md
@@ -0,0 +1,231 @@
+# Self Managed Node Group Module
+
+Configuration in this directory creates a Self Managed Node Group (AutoScaling Group) along with an IAM role, security group, and launch template
+
+## Usage
+
+```hcl
+module "self_managed_node_group" {
+ source = "terraform-aws-modules/eks/aws//modules/self-managed-node-group"
+
+ name = "separate-self-mng"
+ cluster_name = "my-cluster"
+ kubernetes_version = "1.31"
+ cluster_endpoint = "https://012345678903AB2BAE5D1E0BFE0E2B50.gr7.us-east-1.eks.amazonaws.com"
+ cluster_auth_base64 = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKbXFqQ1VqNGdGR2w3ZW5PeWthWnZ2RjROOTVOUEZCM2o0cGhVZUsrWGFtN2ZSQnZya0d6OGxKZmZEZWF2b2plTwpQK2xOZFlqdHZncmxCUEpYdHZIZmFzTzYxVzdIZmdWQ2EvamdRM2w3RmkvL1dpQmxFOG9oWUZkdWpjc0s1SXM2CnNkbk5KTTNYUWN2TysrSitkV09NT2ZlNzlsSWdncmdQLzgvRU9CYkw3eUY1aU1hS3lsb1RHL1V3TlhPUWt3ZUcKblBNcjdiUmdkQ1NCZTlXYXowOGdGRmlxV2FOditsTDhsODBTdFZLcWVNVlUxbjQyejVwOVpQRTd4T2l6L0xTNQpYV2lXWkVkT3pMN0xBWGVCS2gzdkhnczFxMkI2d1BKZnZnS1NzWllQRGFpZTloT1NNOUJkNFNPY3JrZTRYSVBOCkVvcXVhMlYrUDRlTWJEQzhMUkVWRDdCdVZDdWdMTldWOTBoL3VJUy9WU2VOcEdUOGVScE5DakszSjc2aFlsWm8KWjNGRG5QWUY0MWpWTHhiOXF0U1ROdEp6amYwWXBEYnFWci9xZzNmQWlxbVorMzd3YWM1eHlqMDZ4cmlaRUgzZgpUM002d2lCUEVHYVlGeWN5TmNYTk5aYW9DWDJVL0N1d2JsUHAKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ=="
+
+ subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]
+
+ // The following variables are necessary if you decide to use the module outside of the parent EKS module context.
+ // Without it, the security groups of the nodes are empty and thus won't join the cluster.
+ vpc_security_group_ids = [
+ module.eks.cluster_primary_security_group_id,
+ module.eks.cluster_security_group_id,
+ ]
+
+ min_size = 1
+ max_size = 10
+ desired_size = 1
+
+ launch_template_name = "separate-self-mng"
+ instance_type = "m5.large"
+
+ tags = {
+ Environment = "dev"
+ Terraform = "true"
+ }
+}
+```
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.5.7 |
+| [aws](#requirement\_aws) | >= 6.28 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 6.28 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [user\_data](#module\_user\_data) | ../_user_data | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_autoscaling_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) | resource |
+| [aws_eks_access_entry.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_access_entry) | resource |
+| [aws_iam_instance_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
+| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy_attachment.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_launch_template.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource |
+| [aws_placement_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/placement_group) | resource |
+| [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_vpc_security_group_egress_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |
+| [aws_vpc_security_group_ingress_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_ec2_instance_type.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_instance_type) | data source |
+| [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+| [aws_ssm_parameter.ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+| [aws_subnet.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_id](#input\_account\_id) | The AWS account ID - pass through value to reduce number of GET requests from data sources | `string` | `""` | no |
+| [additional\_cluster\_dns\_ips](#input\_additional\_cluster\_dns\_ips) | Additional DNS IP addresses to use for the cluster. Only used when `ami_type` = `BOTTLEROCKET_*` | `list(string)` | `null` | no |
+| [ami\_id](#input\_ami\_id) | The AMI from which to launch the instance | `string` | `""` | no |
+| [ami\_type](#input\_ami\_type) | Type of Amazon Machine Image (AMI) associated with the node group. See the [AWS documentation](https://docs.aws.amazon.com/eks/latest/APIReference/API_Nodegroup.html#AmazonEKS-Type-Nodegroup-amiType) for valid values | `string` | `"AL2023_x86_64_STANDARD"` | no |
+| [autoscaling\_group\_tags](#input\_autoscaling\_group\_tags) | A map of additional tags to add to the autoscaling group created. Tags are applied to the autoscaling group only and are NOT propagated to instances | `map(string)` | `{}` | no |
+| [availability\_zones](#input\_availability\_zones) | A list of one or more availability zones for the group. Used for EC2-Classic and default subnets when not specified with `subnet_ids` argument. Conflicts with `subnet_ids` | `list(string)` | `null` | no |
+| [block\_device\_mappings](#input\_block\_device\_mappings) | Specify volumes to attach to the instance besides the volumes specified by the AMI | map(object({
device_name = optional(string)
ebs = optional(object({
delete_on_termination = optional(bool)
encrypted = optional(bool)
iops = optional(number)
kms_key_id = optional(string)
snapshot_id = optional(string)
throughput = optional(number)
volume_initialization_rate = optional(number)
volume_size = optional(number)
volume_type = optional(string)
}))
no_device = optional(string)
virtual_name = optional(string)
})) | `null` | no |
+| [bootstrap\_extra\_args](#input\_bootstrap\_extra\_args) | Additional arguments passed to the bootstrap script. When `ami_type` = `BOTTLEROCKET_*`; these are additional [settings](https://github.com/bottlerocket-os/bottlerocket#settings) that are provided to the Bottlerocket user data | `string` | `null` | no |
+| [capacity\_rebalance](#input\_capacity\_rebalance) | Indicates whether capacity rebalance is enabled | `bool` | `null` | no |
+| [capacity\_reservation\_specification](#input\_capacity\_reservation\_specification) | Targeting for EC2 capacity reservations | object({
capacity_reservation_preference = optional(string)
capacity_reservation_target = optional(object({
capacity_reservation_id = optional(string)
capacity_reservation_resource_group_arn = optional(string)
}))
}) | `null` | no |
+| [cloudinit\_post\_nodeadm](#input\_cloudinit\_post\_nodeadm) | Array of cloud-init document parts that are created after the nodeadm document part | list(object({
content = string
content_type = optional(string)
filename = optional(string)
merge_type = optional(string)
})) | `null` | no |
+| [cloudinit\_pre\_nodeadm](#input\_cloudinit\_pre\_nodeadm) | Array of cloud-init document parts that are created before the nodeadm document part | list(object({
content = string
content_type = optional(string)
filename = optional(string)
merge_type = optional(string)
})) | `null` | no |
+| [cluster\_auth\_base64](#input\_cluster\_auth\_base64) | Base64 encoded CA of associated EKS cluster | `string` | `null` | no |
+| [cluster\_endpoint](#input\_cluster\_endpoint) | Endpoint of associated EKS cluster | `string` | `null` | no |
+| [cluster\_ip\_family](#input\_cluster\_ip\_family) | The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6` | `string` | `null` | no |
+| [cluster\_name](#input\_cluster\_name) | Name of associated EKS cluster | `string` | `""` | no |
+| [cluster\_primary\_security\_group\_id](#input\_cluster\_primary\_security\_group\_id) | The ID of the EKS cluster primary security group to associate with the instance(s). This is the security group that is automatically created by the EKS service | `string` | `null` | no |
+| [cluster\_service\_cidr](#input\_cluster\_service\_cidr) | The CIDR block (IPv4 or IPv6) used by the cluster to assign Kubernetes service IP addresses. This is derived from the cluster itself | `string` | `null` | no |
+| [context](#input\_context) | Reserved | `string` | `null` | no |
+| [cpu\_options](#input\_cpu\_options) | The CPU options for the instance | object({
amd_sev_snp = optional(string)
core_count = optional(number)
threads_per_core = optional(number)
}) | `null` | no |
+| [create](#input\_create) | Determines whether to create self managed node group or not | `bool` | `true` | no |
+| [create\_access\_entry](#input\_create\_access\_entry) | Determines whether an access entry is created for the IAM role used by the node group | `bool` | `true` | no |
+| [create\_autoscaling\_group](#input\_create\_autoscaling\_group) | Determines whether to create autoscaling group or not | `bool` | `true` | no |
+| [create\_iam\_instance\_profile](#input\_create\_iam\_instance\_profile) | Determines whether an IAM instance profile is created or to use an existing IAM instance profile | `bool` | `true` | no |
+| [create\_iam\_role\_policy](#input\_create\_iam\_role\_policy) | Determines whether an IAM role policy is created or not | `bool` | `true` | no |
+| [create\_launch\_template](#input\_create\_launch\_template) | Determines whether to create launch template or not | `bool` | `true` | no |
+| [create\_placement\_group](#input\_create\_placement\_group) | Determines whether a placement group is created & used by the node group | `bool` | `false` | no |
+| [create\_security\_group](#input\_create\_security\_group) | Determines if a security group is created | `bool` | `true` | no |
+| [credit\_specification](#input\_credit\_specification) | Customize the credit specification of the instance | object({
cpu_credits = optional(string)
}) | `null` | no |
+| [default\_instance\_warmup](#input\_default\_instance\_warmup) | Amount of time, in seconds, until a newly launched instance can contribute to the Amazon CloudWatch metrics. This delay lets an instance finish initializing before Amazon EC2 Auto Scaling aggregates instance metrics, resulting in more reliable usage data | `number` | `null` | no |
+| [desired\_size](#input\_desired\_size) | The number of Amazon EC2 instances that should be running in the autoscaling group | `number` | `1` | no |
+| [desired\_size\_type](#input\_desired\_size\_type) | The unit of measurement for the value specified for `desired_size`. Supported for attribute-based instance type selection only. Valid values: `units`, `vcpu`, `memory-mib` | `string` | `null` | no |
+| [disable\_api\_termination](#input\_disable\_api\_termination) | If true, enables EC2 instance termination protection | `bool` | `null` | no |
+| [ebs\_optimized](#input\_ebs\_optimized) | If true, the launched EC2 instance will be EBS-optimized | `bool` | `null` | no |
+| [efa\_indices](#input\_efa\_indices) | The indices of the network interfaces that should be EFA-enabled. Only valid when `enable_efa_support` = `true` | `list(number)` | [| no | +| [enable\_efa\_only](#input\_enable\_efa\_only) | Determines whether to enable EFA (`false`, default) or EFA and EFA-only (`true`) network interfaces. Note: requires vpc-cni version `v1.18.4` or later | `bool` | `true` | no | +| [enable\_efa\_support](#input\_enable\_efa\_support) | Determines whether to enable Elastic Fabric Adapter (EFA) support | `bool` | `false` | no | +| [enable\_monitoring](#input\_enable\_monitoring) | Enables/disables detailed monitoring | `bool` | `false` | no | +| [enabled\_metrics](#input\_enabled\_metrics) | A list of metrics to collect. The allowed values are `GroupDesiredCapacity`, `GroupInServiceCapacity`, `GroupPendingCapacity`, `GroupMinSize`, `GroupMaxSize`, `GroupInServiceInstances`, `GroupPendingInstances`, `GroupStandbyInstances`, `GroupStandbyCapacity`, `GroupTerminatingCapacity`, `GroupTerminatingInstances`, `GroupTotalCapacity`, `GroupTotalInstances` | `list(string)` | `[]` | no | +| [enclave\_options](#input\_enclave\_options) | Enable Nitro Enclaves on launched instances |
0
]
object({
enabled = optional(bool)
}) | `null` | no |
+| [force\_delete](#input\_force\_delete) | Allows deleting the Auto Scaling Group without waiting for all instances in the pool to terminate. You can force an Auto Scaling Group to delete even if it's in the process of scaling a resource. Normally, Terraform drains all the instances before deleting the group. This bypasses that behavior and potentially leaves resources dangling | `bool` | `null` | no |
+| [health\_check\_grace\_period](#input\_health\_check\_grace\_period) | Time (in seconds) after instance comes into service before checking health | `number` | `null` | no |
+| [health\_check\_type](#input\_health\_check\_type) | `EC2` or `ELB`. Controls how health checking is done | `string` | `null` | no |
+| [iam\_instance\_profile\_arn](#input\_iam\_instance\_profile\_arn) | Amazon Resource Name (ARN) of an existing IAM instance profile that provides permissions for the node group. Required if `create_iam_instance_profile` = `false` | `string` | `null` | no |
+| [iam\_role\_additional\_policies](#input\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `map(string)` | `{}` | no |
+| [iam\_role\_arn](#input\_iam\_role\_arn) | ARN of the IAM role used by the instance profile. Required when `create_access_entry = true` and `create_iam_instance_profile = false` | `string` | `null` | no |
+| [iam\_role\_attach\_cni\_policy](#input\_iam\_role\_attach\_cni\_policy) | Whether to attach the `AmazonEKS_CNI_Policy`/`AmazonEKS_CNI_IPv6_Policy` IAM policy to the IAM IAM role. WARNING: If set `false` the permissions must be assigned to the `aws-node` DaemonSet pods via another method or nodes will not be able to join the cluster | `bool` | `true` | no |
+| [iam\_role\_description](#input\_iam\_role\_description) | Description of the role | `string` | `"Self managed node group IAM role"` | no |
+| [iam\_role\_name](#input\_iam\_role\_name) | Name to use on IAM role created | `string` | `null` | no |
+| [iam\_role\_path](#input\_iam\_role\_path) | IAM role path | `string` | `null` | no |
+| [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
+| [iam\_role\_policy\_statements](#input\_iam\_role\_policy\_statements) | A list of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) - used for adding specific IAM permissions as needed | list(object({
sid = optional(string)
actions = optional(list(string))
not_actions = optional(list(string))
effect = optional(string)
resources = optional(list(string))
not_resources = optional(list(string))
principals = optional(list(object({
type = string
identifiers = list(string)
})))
not_principals = optional(list(object({
type = string
identifiers = list(string)
})))
condition = optional(list(object({
test = string
values = list(string)
variable = string
})))
})) | `null` | no |
+| [iam\_role\_tags](#input\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
+| [iam\_role\_use\_name\_prefix](#input\_iam\_role\_use\_name\_prefix) | Determines whether cluster IAM role name (`iam_role_name`) is used as a prefix | `bool` | `true` | no |
+| [ignore\_failed\_scaling\_activities](#input\_ignore\_failed\_scaling\_activities) | Whether to ignore failed Auto Scaling scaling activities while waiting for capacity | `bool` | `null` | no |
+| [initial\_lifecycle\_hooks](#input\_initial\_lifecycle\_hooks) | One or more Lifecycle Hooks to attach to the Auto Scaling Group before instances are launched. The syntax is exactly the same as the separate `aws_autoscaling_lifecycle_hook` resource, without the `autoscaling_group_name` attribute. Please note that this will only work when creating a new Auto Scaling Group. For all other use-cases, please use `aws_autoscaling_lifecycle_hook` resource | list(object({
default_result = optional(string)
heartbeat_timeout = optional(number)
lifecycle_transition = string
name = string
notification_metadata = optional(string)
notification_target_arn = optional(string)
role_arn = optional(string)
})) | `null` | no |
+| [instance\_initiated\_shutdown\_behavior](#input\_instance\_initiated\_shutdown\_behavior) | Shutdown behavior for the instance. Can be `stop` or `terminate`. (Default: `stop`) | `string` | `null` | no |
+| [instance\_maintenance\_policy](#input\_instance\_maintenance\_policy) | If this block is configured, add a instance maintenance policy to the specified Auto Scaling group | object({
max_healthy_percentage = number
min_healthy_percentage = number
}) | `null` | no |
+| [instance\_market\_options](#input\_instance\_market\_options) | The market (purchasing) option for the instance | object({
market_type = optional(string)
spot_options = optional(object({
block_duration_minutes = optional(number)
instance_interruption_behavior = optional(string)
max_price = optional(string)
spot_instance_type = optional(string)
valid_until = optional(string)
}))
}) | `null` | no |
+| [instance\_refresh](#input\_instance\_refresh) | If this block is configured, start an Instance Refresh when this Auto Scaling Group is updated | object({
preferences = optional(object({
alarm_specification = optional(object({
alarms = optional(list(string))
}))
auto_rollback = optional(bool)
checkpoint_delay = optional(number)
checkpoint_percentages = optional(list(number))
instance_warmup = optional(number)
max_healthy_percentage = optional(number)
min_healthy_percentage = optional(number)
scale_in_protected_instances = optional(string)
skip_matching = optional(bool)
standby_instances = optional(string)
}))
strategy = optional(string)
triggers = optional(list(string))
}) | {
"preferences": {
"min_healthy_percentage": 66
},
"strategy": "Rolling"
} | no |
+| [instance\_requirements](#input\_instance\_requirements) | The attribute requirements for the type of instance. If present then `instance_type` cannot be present | object({
accelerator_count = optional(object({
max = optional(number)
min = optional(number)
}))
accelerator_manufacturers = optional(list(string))
accelerator_names = optional(list(string))
accelerator_total_memory_mib = optional(object({
max = optional(number)
min = optional(number)
}))
accelerator_types = optional(list(string))
allowed_instance_types = optional(list(string))
bare_metal = optional(string)
baseline_ebs_bandwidth_mbps = optional(object({
max = optional(number)
min = optional(number)
}))
burstable_performance = optional(string)
cpu_manufacturers = optional(list(string))
excluded_instance_types = optional(list(string))
instance_generations = optional(list(string))
local_storage = optional(string)
local_storage_types = optional(list(string))
max_spot_price_as_percentage_of_optimal_on_demand_price = optional(number)
memory_gib_per_vcpu = optional(object({
max = optional(number)
min = optional(number)
}))
memory_mib = optional(object({
max = optional(number)
min = optional(number)
}))
network_bandwidth_gbps = optional(object({
max = optional(number)
min = optional(number)
}))
network_interface_count = optional(object({
max = optional(number)
min = optional(number)
}))
on_demand_max_price_percentage_over_lowest_price = optional(number)
require_hibernate_support = optional(bool)
spot_max_price_percentage_over_lowest_price = optional(number)
total_local_storage_gb = optional(object({
max = optional(number)
min = optional(number)
}))
vcpu_count = optional(object({
max = optional(number)
min = string
}))
}) | `null` | no |
+| [instance\_type](#input\_instance\_type) | The type of the instance to launch | `string` | `"m6i.large"` | no |
+| [kernel\_id](#input\_kernel\_id) | The kernel ID | `string` | `null` | no |
+| [key\_name](#input\_key\_name) | The key name that should be used for the instance | `string` | `null` | no |
+| [kubernetes\_version](#input\_kubernetes\_version) | Kubernetes cluster version - used to lookup default AMI ID if one is not provided | `string` | `null` | no |
+| [launch\_template\_default\_version](#input\_launch\_template\_default\_version) | Default Version of the launch template | `string` | `null` | no |
+| [launch\_template\_description](#input\_launch\_template\_description) | Description of the launch template | `string` | `null` | no |
+| [launch\_template\_id](#input\_launch\_template\_id) | The ID of an existing launch template to use. Required when `create_launch_template` = `false` | `string` | `""` | no |
+| [launch\_template\_name](#input\_launch\_template\_name) | Name of launch template to be created | `string` | `null` | no |
+| [launch\_template\_tags](#input\_launch\_template\_tags) | A map of additional tags to add to the tag\_specifications of launch template created | `map(string)` | `{}` | no |
+| [launch\_template\_use\_name\_prefix](#input\_launch\_template\_use\_name\_prefix) | Determines whether to use `launch_template_name` as is or create a unique name beginning with the `launch_template_name` as the prefix | `bool` | `true` | no |
+| [launch\_template\_version](#input\_launch\_template\_version) | Launch template version. Can be version number, `$Latest`, or `$Default` | `string` | `null` | no |
+| [license\_specifications](#input\_license\_specifications) | A list of license specifications to associate with | list(object({
license_configuration_arn = string
})) | `null` | no |
+| [maintenance\_options](#input\_maintenance\_options) | The maintenance options for the instance | object({
auto_recovery = optional(string)
}) | `null` | no |
+| [max\_instance\_lifetime](#input\_max\_instance\_lifetime) | The maximum amount of time, in seconds, that an instance can be in service, values must be either equal to 0 or between 604800 and 31536000 seconds | `number` | `null` | no |
+| [max\_size](#input\_max\_size) | The maximum size of the autoscaling group | `number` | `3` | no |
+| [metadata\_options](#input\_metadata\_options) | Customize the metadata options for the instance | object({
http_endpoint = optional(string, "enabled")
http_protocol_ipv6 = optional(string)
http_put_response_hop_limit = optional(number, 1)
http_tokens = optional(string, "required")
instance_metadata_tags = optional(string)
}) | {
"http_endpoint": "enabled",
"http_put_response_hop_limit": 1,
"http_tokens": "required"
} | no |
+| [metrics\_granularity](#input\_metrics\_granularity) | The granularity to associate with the metrics to collect. The only valid value is `1Minute` | `string` | `null` | no |
+| [min\_size](#input\_min\_size) | The minimum size of the autoscaling group | `number` | `1` | no |
+| [mixed\_instances\_policy](#input\_mixed\_instances\_policy) | Configuration block containing settings to define launch targets for Auto Scaling groups | object({
instances_distribution = optional(object({
on_demand_allocation_strategy = optional(string)
on_demand_base_capacity = optional(number)
on_demand_percentage_above_base_capacity = optional(number)
spot_allocation_strategy = optional(string)
spot_instance_pools = optional(number)
spot_max_price = optional(string)
}))
launch_template = object({
override = optional(list(object({
instance_requirements = optional(object({
accelerator_count = optional(object({
max = optional(number)
min = optional(number)
}))
accelerator_manufacturers = optional(list(string))
accelerator_names = optional(list(string))
accelerator_total_memory_mib = optional(object({
max = optional(number)
min = optional(number)
}))
accelerator_types = optional(list(string))
allowed_instance_types = optional(list(string))
bare_metal = optional(string)
baseline_ebs_bandwidth_mbps = optional(object({
max = optional(number)
min = optional(number)
}))
burstable_performance = optional(string)
cpu_manufacturers = optional(list(string))
excluded_instance_types = optional(list(string))
instance_generations = optional(list(string))
local_storage = optional(string)
local_storage_types = optional(list(string))
max_spot_price_as_percentage_of_optimal_on_demand_price = optional(number)
memory_gib_per_vcpu = optional(object({
max = optional(number)
min = optional(number)
}))
memory_mib = optional(object({
max = optional(number)
min = optional(number)
}))
network_bandwidth_gbps = optional(object({
max = optional(number)
min = optional(number)
}))
network_interface_count = optional(object({
max = optional(number)
min = optional(number)
}))
on_demand_max_price_percentage_over_lowest_price = optional(number)
require_hibernate_support = optional(bool)
spot_max_price_percentage_over_lowest_price = optional(number)
total_local_storage_gb = optional(object({
max = optional(number)
min = optional(number)
}))
vcpu_count = optional(object({
max = optional(number)
min = optional(number)
}))
}))
instance_type = optional(string)
launch_template_specification = optional(object({
launch_template_id = optional(string)
launch_template_name = optional(string)
version = optional(string)
}))
weighted_capacity = optional(string)
})))
})
}) | `null` | no |
+| [name](#input\_name) | Name of the Self managed Node Group | `string` | `""` | no |
+| [network\_interfaces](#input\_network\_interfaces) | Customize network interfaces to be attached at instance boot time | list(object({
associate_carrier_ip_address = optional(bool)
associate_public_ip_address = optional(bool)
connection_tracking_specification = optional(object({
tcp_established_timeout = optional(number)
udp_stream_timeout = optional(number)
udp_timeout = optional(number)
}))
delete_on_termination = optional(bool)
description = optional(string)
device_index = optional(number)
ena_srd_specification = optional(object({
ena_srd_enabled = optional(bool)
ena_srd_udp_specification = optional(object({
ena_srd_udp_enabled = optional(bool)
}))
}))
interface_type = optional(string)
ipv4_address_count = optional(number)
ipv4_addresses = optional(list(string))
ipv4_prefix_count = optional(number)
ipv4_prefixes = optional(list(string))
ipv6_address_count = optional(number)
ipv6_addresses = optional(list(string))
ipv6_prefix_count = optional(number)
ipv6_prefixes = optional(list(string))
network_card_index = optional(number)
network_interface_id = optional(string)
primary_ipv6 = optional(bool)
private_ip_address = optional(string)
security_groups = optional(list(string), [])
})) | `[]` | no |
+| [partition](#input\_partition) | The AWS partition - pass through value to reduce number of GET requests from data sources | `string` | `""` | no |
+| [placement](#input\_placement) | The placement of the instance | object({
affinity = optional(string)
availability_zone = optional(string)
group_name = optional(string)
host_id = optional(string)
host_resource_group_arn = optional(string)
partition_number = optional(number)
spread_domain = optional(string)
tenancy = optional(string)
}) | `null` | no |
+| [placement\_group](#input\_placement\_group) | The name of the placement group into which you'll launch your instances | `string` | `null` | no |
+| [post\_bootstrap\_user\_data](#input\_post\_bootstrap\_user\_data) | User data that is appended to the user data script after of the EKS bootstrap script. Not used when `ami_type` = `BOTTLEROCKET_*` | `string` | `null` | no |
+| [pre\_bootstrap\_user\_data](#input\_pre\_bootstrap\_user\_data) | User data that is injected into the user data script ahead of the EKS bootstrap script. Not used when `ami_type` = `BOTTLEROCKET_*` | `string` | `null` | no |
+| [private\_dns\_name\_options](#input\_private\_dns\_name\_options) | The options for the instance hostname. The default values are inherited from the subnet | object({
enable_resource_name_dns_aaaa_record = optional(bool)
enable_resource_name_dns_a_record = optional(bool)
hostname_type = optional(string)
}) | `null` | no |
+| [protect\_from\_scale\_in](#input\_protect\_from\_scale\_in) | Allows setting instance protection. The autoscaling group will not select instances with this setting for termination during scale in events | `bool` | `false` | no |
+| [ram\_disk\_id](#input\_ram\_disk\_id) | The ID of the ram disk | `string` | `null` | no |
+| [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no |
+| [security\_group\_description](#input\_security\_group\_description) | Description of the security group created | `string` | `null` | no |
+| [security\_group\_egress\_rules](#input\_security\_group\_egress\_rules) | Security group egress rules to add to the security group created | map(object({
name = optional(string)
cidr_ipv4 = optional(string)
cidr_ipv6 = optional(string)
description = optional(string)
from_port = optional(string)
ip_protocol = optional(string, "tcp")
prefix_list_id = optional(string)
referenced_security_group_id = optional(string)
self = optional(bool, false)
tags = optional(map(string), {})
to_port = optional(string)
})) | `{}` | no |
+| [security\_group\_ingress\_rules](#input\_security\_group\_ingress\_rules) | Security group ingress rules to add to the security group created | map(object({
name = optional(string)
cidr_ipv4 = optional(string)
cidr_ipv6 = optional(string)
description = optional(string)
from_port = optional(string)
ip_protocol = optional(string, "tcp")
prefix_list_id = optional(string)
referenced_security_group_id = optional(string)
self = optional(bool, false)
tags = optional(map(string), {})
to_port = optional(string)
})) | `{}` | no |
+| [security\_group\_name](#input\_security\_group\_name) | Name to use on security group created | `string` | `null` | no |
+| [security\_group\_tags](#input\_security\_group\_tags) | A map of additional tags to add to the security group created | `map(string)` | `{}` | no |
+| [security\_group\_use\_name\_prefix](#input\_security\_group\_use\_name\_prefix) | Determines whether the security group name (`security_group_name`) is used as a prefix | `bool` | `true` | no |
+| [subnet\_ids](#input\_subnet\_ids) | A list of subnet IDs to launch resources in. Subnets automatically determine which availability zones the group will reside. Conflicts with `availability_zones` | `list(string)` | `null` | no |
+| [suspended\_processes](#input\_suspended\_processes) | A list of processes to suspend for the Auto Scaling Group. The allowed values are `Launch`, `Terminate`, `HealthCheck`, `ReplaceUnhealthy`, `AZRebalance`, `AlarmNotification`, `ScheduledActions`, `AddToLoadBalancer`. Note that if you suspend either the `Launch` or `Terminate` process types, it can prevent your Auto Scaling Group from functioning properly | `list(string)` | `[]` | no |
+| [tag\_specifications](#input\_tag\_specifications) | The tags to apply to the resources during launch | `list(string)` | [| no | +| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no | +| [termination\_policies](#input\_termination\_policies) | A list of policies to decide how the instances in the Auto Scaling Group should be terminated. The allowed values are `OldestInstance`, `NewestInstance`, `OldestLaunchConfiguration`, `ClosestToNextInstanceHour`, `OldestLaunchTemplate`, `AllocationStrategy`, `Default` | `list(string)` | `[]` | no | +| [timeouts](#input\_timeouts) | Timeout configurations for the autoscaling group |
"instance",
"volume",
"network-interface"
]
object({
delete = optional(string)
}) | `null` | no |
+| [update\_launch\_template\_default\_version](#input\_update\_launch\_template\_default\_version) | Whether to update Default Version each update. Conflicts with `launch_template_default_version` | `bool` | `true` | no |
+| [use\_mixed\_instances\_policy](#input\_use\_mixed\_instances\_policy) | Determines whether to use a mixed instances policy in the autoscaling group or not | `bool` | `false` | no |
+| [use\_name\_prefix](#input\_use\_name\_prefix) | Determines whether to use `name` as is or create a unique name beginning with the `name` as the prefix | `bool` | `true` | no |
+| [user\_data\_template\_path](#input\_user\_data\_template\_path) | Path to a local, custom user data template file to use when rendering user data | `string` | `null` | no |
+| [vpc\_security\_group\_ids](#input\_vpc\_security\_group\_ids) | A list of security group IDs to associate | `list(string)` | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [access\_entry\_arn](#output\_access\_entry\_arn) | Amazon Resource Name (ARN) of the Access Entry |
+| [autoscaling\_group\_arn](#output\_autoscaling\_group\_arn) | The ARN for this autoscaling group |
+| [autoscaling\_group\_availability\_zones](#output\_autoscaling\_group\_availability\_zones) | The availability zones of the autoscaling group |
+| [autoscaling\_group\_default\_cooldown](#output\_autoscaling\_group\_default\_cooldown) | Time between a scaling activity and the succeeding scaling activity |
+| [autoscaling\_group\_desired\_capacity](#output\_autoscaling\_group\_desired\_capacity) | The number of Amazon EC2 instances that should be running in the group |
+| [autoscaling\_group\_health\_check\_grace\_period](#output\_autoscaling\_group\_health\_check\_grace\_period) | Time after instance comes into service before checking health |
+| [autoscaling\_group\_health\_check\_type](#output\_autoscaling\_group\_health\_check\_type) | EC2 or ELB. Controls how health checking is done |
+| [autoscaling\_group\_id](#output\_autoscaling\_group\_id) | The autoscaling group id |
+| [autoscaling\_group\_max\_size](#output\_autoscaling\_group\_max\_size) | The maximum size of the autoscaling group |
+| [autoscaling\_group\_min\_size](#output\_autoscaling\_group\_min\_size) | The minimum size of the autoscaling group |
+| [autoscaling\_group\_name](#output\_autoscaling\_group\_name) | The autoscaling group name |
+| [autoscaling\_group\_vpc\_zone\_identifier](#output\_autoscaling\_group\_vpc\_zone\_identifier) | The VPC zone identifier |
+| [iam\_instance\_profile\_arn](#output\_iam\_instance\_profile\_arn) | ARN assigned by AWS to the instance profile |
+| [iam\_instance\_profile\_id](#output\_iam\_instance\_profile\_id) | Instance profile's ID |
+| [iam\_instance\_profile\_unique](#output\_iam\_instance\_profile\_unique) | Stable and unique string identifying the IAM instance profile |
+| [iam\_role\_arn](#output\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
+| [iam\_role\_name](#output\_iam\_role\_name) | The name of the IAM role |
+| [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
+| [image\_id](#output\_image\_id) | ID of the image |
+| [launch\_template\_arn](#output\_launch\_template\_arn) | The ARN of the launch template |
+| [launch\_template\_id](#output\_launch\_template\_id) | The ID of the launch template |
+| [launch\_template\_latest\_version](#output\_launch\_template\_latest\_version) | The latest version of the launch template |
+| [launch\_template\_name](#output\_launch\_template\_name) | The name of the launch template |
+| [security\_group\_arn](#output\_security\_group\_arn) | Amazon Resource Name (ARN) of the security group |
+| [security\_group\_id](#output\_security\_group\_id) | ID of the security group |
+| [user\_data](#output\_user\_data) | Base64 encoded user data |
+
+
+## License
+
+Apache 2 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/LICENSE) for full details.
diff --git a/modules/self-managed-node-group/main.tf b/modules/self-managed-node-group/main.tf
new file mode 100644
index 0000000000..8a65dc6a66
--- /dev/null
+++ b/modules/self-managed-node-group/main.tf
@@ -0,0 +1,1104 @@
+data "aws_partition" "current" {
+ count = var.create && var.partition == "" ? 1 : 0
+}
+data "aws_caller_identity" "current" {
+ count = var.create && var.account_id == "" ? 1 : 0
+}
+
+locals {
+ partition = try(data.aws_partition.current[0].partition, var.partition)
+ account_id = try(data.aws_caller_identity.current[0].account_id, var.account_id)
+}
+
+################################################################################
+# AMI SSM Parameter
+################################################################################
+
+locals {
+ # Just to ensure templating doesn't fail when values are not provided
+ ssm_kubernetes_version = var.kubernetes_version != null ? var.kubernetes_version : ""
+
+ # Map the AMI type to the respective SSM param path
+ ami_type_to_ssm_param = {
+ AL2_x86_64 = "/aws/service/eks/optimized-ami/${local.ssm_kubernetes_version}/amazon-linux-2/recommended/image_id"
+ AL2_x86_64_GPU = "/aws/service/eks/optimized-ami/${local.ssm_kubernetes_version}/amazon-linux-2-gpu/recommended/image_id"
+ AL2_ARM_64 = "/aws/service/eks/optimized-ami/${local.ssm_kubernetes_version}/amazon-linux-2-arm64/recommended/image_id"
+ BOTTLEROCKET_ARM_64 = "/aws/service/bottlerocket/aws-k8s-${local.ssm_kubernetes_version}/arm64/latest/image_id"
+ BOTTLEROCKET_x86_64 = "/aws/service/bottlerocket/aws-k8s-${local.ssm_kubernetes_version}/x86_64/latest/image_id"
+ BOTTLEROCKET_ARM_64_FIPS = "/aws/service/bottlerocket/aws-k8s-${local.ssm_kubernetes_version}-fips/arm64/latest/image_id"
+ BOTTLEROCKET_x86_64_FIPS = "/aws/service/bottlerocket/aws-k8s-${local.ssm_kubernetes_version}-fips/x86_64/latest/image_id"
+ BOTTLEROCKET_ARM_64_NVIDIA = "/aws/service/bottlerocket/aws-k8s-${local.ssm_kubernetes_version}-nvidia/arm64/latest/image_id"
+ BOTTLEROCKET_x86_64_NVIDIA = "/aws/service/bottlerocket/aws-k8s-${local.ssm_kubernetes_version}-nvidia/x86_64/latest/image_id"
+ WINDOWS_CORE_2019_x86_64 = "/aws/service/ami-windows-latest/Windows_Server-2019-English-Full-EKS_Optimized-${local.ssm_kubernetes_version}/image_id"
+ WINDOWS_FULL_2019_x86_64 = "/aws/service/ami-windows-latest/Windows_Server-2019-English-Core-EKS_Optimized-${local.ssm_kubernetes_version}/image_id"
+ WINDOWS_CORE_2022_x86_64 = "/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-EKS_Optimized-${local.ssm_kubernetes_version}/image_id"
+ WINDOWS_FULL_2022_x86_64 = "/aws/service/ami-windows-latest/Windows_Server-2022-English-Core-EKS_Optimized-${local.ssm_kubernetes_version}/image_id"
+ AL2023_x86_64_STANDARD = "/aws/service/eks/optimized-ami/${local.ssm_kubernetes_version}/amazon-linux-2023/x86_64/standard/recommended/image_id"
+ AL2023_ARM_64_STANDARD = "/aws/service/eks/optimized-ami/${local.ssm_kubernetes_version}/amazon-linux-2023/arm64/standard/recommended/image_id"
+ AL2023_x86_64_NEURON = "/aws/service/eks/optimized-ami/${local.ssm_kubernetes_version}/amazon-linux-2023/x86_64/neuron/recommended/image_id"
+ AL2023_x86_64_NVIDIA = "/aws/service/eks/optimized-ami/${local.ssm_kubernetes_version}/amazon-linux-2023/x86_64/nvidia/recommended/image_id"
+ AL2023_ARM_64_NVIDIA = "/aws/service/eks/optimized-ami/${local.ssm_kubernetes_version}/amazon-linux-2023/arm64/nvidia/recommended/image_id"
+ }
+}
+
+data "aws_ssm_parameter" "ami" {
+ count = var.create ? 1 : 0
+
+ region = var.region
+
+ name = local.ami_type_to_ssm_param[var.ami_type]
+}
+
+################################################################################
+# User Data
+################################################################################
+
+module "user_data" {
+ source = "../_user_data"
+
+ create = var.create
+ ami_type = var.ami_type
+ is_eks_managed_node_group = false
+
+ cluster_name = var.cluster_name
+ cluster_endpoint = var.cluster_endpoint
+ cluster_auth_base64 = var.cluster_auth_base64
+ cluster_ip_family = var.cluster_ip_family
+ cluster_service_cidr = var.cluster_service_cidr
+ additional_cluster_dns_ips = var.additional_cluster_dns_ips
+
+ enable_bootstrap_user_data = true
+ pre_bootstrap_user_data = var.pre_bootstrap_user_data
+ post_bootstrap_user_data = var.post_bootstrap_user_data
+ bootstrap_extra_args = var.bootstrap_extra_args
+ user_data_template_path = var.user_data_template_path
+
+ cloudinit_pre_nodeadm = var.cloudinit_pre_nodeadm
+ cloudinit_post_nodeadm = var.cloudinit_post_nodeadm
+}
+
+################################################################################
+# EFA Support
+################################################################################
+
+data "aws_ec2_instance_type" "this" {
+ count = local.enable_efa_support ? 1 : 0
+
+ region = var.region
+
+ instance_type = var.instance_type
+}
+
+locals {
+ enable_efa_support = var.create && var.enable_efa_support && local.instance_type_provided
+
+ instance_type_provided = var.instance_type != ""
+ num_network_cards = try(data.aws_ec2_instance_type.this[0].maximum_network_cards, 0)
+
+ # Primary network interface must be EFA, remaining can be EFA or EFA-only
+ efa_network_interfaces = [
+ for i in range(local.num_network_cards) : {
+ associate_public_ip_address = false
+ delete_on_termination = true
+ device_index = i == 0 ? 0 : 1
+ network_card_index = i
+ interface_type = var.enable_efa_only ? contains(concat([0], var.efa_indices), i) ? "efa" : "efa-only" : "efa"
+
+ # Null out due to error: The true and false result expressions must have consistent types. The 'true' value is tuple, but the 'false' value is list of objects.
+ associate_carrier_ip_address = null
+ connection_tracking_specification = null
+ description = "EFA${var.enable_efa_only ? "-only" : ""} Network Interface ${i}"
+ ena_srd_specification = null
+ ipv4_address_count = null
+ ipv4_addresses = null
+ ipv4_prefix_count = null
+ ipv4_prefixes = null
+ ipv6_address_count = null
+ ipv6_addresses = null
+ ipv6_prefix_count = null
+ ipv6_prefixes = null
+ network_interface_id = null
+ primary_ipv6 = null
+ private_ip_address = null
+ security_groups = []
+ }
+ ]
+
+ network_interfaces = local.enable_efa_support ? local.efa_network_interfaces : var.network_interfaces
+}
+
+################################################################################
+# Launch template
+################################################################################
+
+locals {
+ launch_template_name = coalesce(var.launch_template_name, "${var.name}-node-group")
+ security_group_ids = compact(concat([var.cluster_primary_security_group_id], var.vpc_security_group_ids))
+}
+
+resource "aws_launch_template" "this" {
+ count = var.create && var.create_launch_template ? 1 : 0
+
+ region = var.region
+
+ dynamic "block_device_mappings" {
+ for_each = var.block_device_mappings != null ? var.block_device_mappings : {}
+
+ content {
+ device_name = block_device_mappings.value.device_name
+
+ dynamic "ebs" {
+ for_each = block_device_mappings.value.ebs != null ? [block_device_mappings.value.ebs] : []
+
+ content {
+ delete_on_termination = ebs.value.delete_on_termination
+ encrypted = ebs.value.encrypted
+ iops = ebs.value.iops
+ kms_key_id = ebs.value.kms_key_id
+ snapshot_id = ebs.value.snapshot_id
+ throughput = ebs.value.throughput
+ volume_initialization_rate = ebs.value.volume_initialization_rate
+ volume_size = ebs.value.volume_size
+ volume_type = ebs.value.volume_type
+ }
+ }
+
+ no_device = block_device_mappings.value.no_device
+ virtual_name = block_device_mappings.value.virtual_name
+ }
+ }
+
+ dynamic "capacity_reservation_specification" {
+ for_each = var.capacity_reservation_specification != null ? [var.capacity_reservation_specification] : []
+
+ content {
+ capacity_reservation_preference = capacity_reservation_specification.value.capacity_reservation_preference
+
+ dynamic "capacity_reservation_target" {
+ for_each = capacity_reservation_specification.value.capacity_reservation_target != null ? [capacity_reservation_specification.value.capacity_reservation_target] : []
+ content {
+ capacity_reservation_id = capacity_reservation_target.value.capacity_reservation_id
+ capacity_reservation_resource_group_arn = capacity_reservation_target.value.capacity_reservation_resource_group_arn
+ }
+ }
+ }
+ }
+
+ dynamic "cpu_options" {
+ for_each = var.cpu_options != null ? [var.cpu_options] : []
+
+ content {
+ amd_sev_snp = cpu_options.value.amd_sev_snp
+ core_count = cpu_options.value.core_count
+ threads_per_core = cpu_options.value.threads_per_core
+ }
+ }
+
+ dynamic "credit_specification" {
+ for_each = var.credit_specification != null ? [var.credit_specification] : []
+
+ content {
+ cpu_credits = credit_specification.value.cpu_credits
+ }
+ }
+
+ default_version = var.launch_template_default_version
+ description = var.launch_template_description
+ disable_api_termination = var.disable_api_termination
+ ebs_optimized = var.ebs_optimized
+
+ dynamic "enclave_options" {
+ for_each = var.enclave_options != null ? [var.enclave_options] : []
+
+ content {
+ enabled = enclave_options.value.enabled
+ }
+ }
+
+ iam_instance_profile {
+ arn = var.create_iam_instance_profile ? aws_iam_instance_profile.this[0].arn : var.iam_instance_profile_arn
+ }
+
+ image_id = coalesce(var.ami_id, nonsensitive(data.aws_ssm_parameter.ami[0].value))
+ instance_initiated_shutdown_behavior = var.instance_initiated_shutdown_behavior
+
+ dynamic "instance_market_options" {
+ for_each = var.instance_market_options != null ? [var.instance_market_options] : []
+
+ content {
+ market_type = instance_market_options.value.market_type
+
+ dynamic "spot_options" {
+ for_each = instance_market_options.value.spot_options != null ? [instance_market_options.value.spot_options] : []
+
+ content {
+ block_duration_minutes = spot_options.value.block_duration_minutes
+ instance_interruption_behavior = spot_options.value.instance_interruption_behavior
+ max_price = spot_options.value.max_price
+ spot_instance_type = spot_options.value.spot_instance_type
+ valid_until = spot_options.value.valid_until
+ }
+ }
+ }
+ }
+
+ dynamic "instance_requirements" {
+ for_each = var.instance_requirements != null ? [var.instance_requirements] : []
+
+ content {
+ dynamic "accelerator_count" {
+ for_each = instance_requirements.value.accelerator_count != null ? [instance_requirements.value.accelerator_count] : []
+
+ content {
+ max = accelerator_count.value.max
+ min = accelerator_count.value.min
+ }
+ }
+
+ accelerator_manufacturers = instance_requirements.value.accelerator_manufacturers
+ accelerator_names = instance_requirements.value.accelerator_names
+
+ dynamic "accelerator_total_memory_mib" {
+ for_each = instance_requirements.value.accelerator_total_memory_mib != null ? [instance_requirements.value.accelerator_total_memory_mib] : []
+
+ content {
+ max = accelerator_total_memory_mib.value.max
+ min = accelerator_total_memory_mib.value.min
+ }
+ }
+
+ accelerator_types = instance_requirements.value.accelerator_types
+ allowed_instance_types = instance_requirements.value.allowed_instance_types
+ bare_metal = instance_requirements.value.bare_metal
+
+ dynamic "baseline_ebs_bandwidth_mbps" {
+ for_each = instance_requirements.value.baseline_ebs_bandwidth_mbps != null ? [instance_requirements.value.baseline_ebs_bandwidth_mbps] : []
+
+ content {
+ max = baseline_ebs_bandwidth_mbps.value.max
+ min = baseline_ebs_bandwidth_mbps.value.min
+ }
+ }
+
+ burstable_performance = instance_requirements.value.burstable_performance
+ cpu_manufacturers = instance_requirements.value.cpu_manufacturers
+ excluded_instance_types = instance_requirements.value.excluded_instance_types
+ instance_generations = instance_requirements.value.instance_generations
+ local_storage = instance_requirements.value.local_storage
+ local_storage_types = instance_requirements.value.local_storage_types
+ max_spot_price_as_percentage_of_optimal_on_demand_price = instance_requirements.value.max_spot_price_as_percentage_of_optimal_on_demand_price
+
+ dynamic "memory_gib_per_vcpu" {
+ for_each = instance_requirements.value.memory_gib_per_vcpu != null ? [instance_requirements.value.memory_gib_per_vcpu] : []
+
+ content {
+ max = memory_gib_per_vcpu.value.max
+ min = memory_gib_per_vcpu.value.min
+ }
+ }
+
+ dynamic "memory_mib" {
+ for_each = instance_requirements.value.memory_mib != null ? [instance_requirements.value.memory_mib] : []
+
+ content {
+ max = memory_mib.value.max
+ min = memory_mib.value.min
+ }
+ }
+
+ dynamic "network_interface_count" {
+ for_each = instance_requirements.value.network_interface_count != null ? [instance_requirements.value.network_interface_count] : []
+
+ content {
+ max = network_interface_count.value.max
+ min = network_interface_count.value.min
+ }
+ }
+
+ on_demand_max_price_percentage_over_lowest_price = instance_requirements.value.on_demand_max_price_percentage_over_lowest_price
+ require_hibernate_support = instance_requirements.value.require_hibernate_support
+ spot_max_price_percentage_over_lowest_price = instance_requirements.value.spot_max_price_percentage_over_lowest_price
+
+ dynamic "total_local_storage_gb" {
+ for_each = instance_requirements.value.total_local_storage_gb != null ? [instance_requirements.value.total_local_storage_gb] : []
+
+ content {
+ max = total_local_storage_gb.value.max
+ min = total_local_storage_gb.value.min
+ }
+ }
+
+ dynamic "vcpu_count" {
+ for_each = instance_requirements.value.vcpu_count != null ? [instance_requirements.value.vcpu_count] : []
+
+ content {
+ max = vcpu_count.value.max
+ min = vcpu_count.value.min
+ }
+ }
+ }
+ }
+
+ instance_type = var.instance_requirements != null ? null : var.instance_type
+ kernel_id = var.kernel_id
+ key_name = var.key_name
+
+ dynamic "license_specification" {
+ for_each = var.license_specifications != null ? var.license_specifications : []
+
+ content {
+ license_configuration_arn = license_specification.value.license_configuration_arn
+ }
+ }
+
+ dynamic "maintenance_options" {
+ for_each = var.maintenance_options != null ? [var.maintenance_options] : []
+
+ content {
+ auto_recovery = maintenance_options.value.auto_recovery
+ }
+ }
+
+ dynamic "metadata_options" {
+ for_each = [var.metadata_options]
+
+ content {
+ http_endpoint = metadata_options.value.http_endpoint
+ http_protocol_ipv6 = metadata_options.value.http_protocol_ipv6
+ http_put_response_hop_limit = metadata_options.value.http_put_response_hop_limit
+ http_tokens = metadata_options.value.http_tokens
+ instance_metadata_tags = metadata_options.value.instance_metadata_tags
+ }
+ }
+
+ dynamic "monitoring" {
+ for_each = var.enable_monitoring ? [1] : []
+
+ content {
+ enabled = var.enable_monitoring
+ }
+ }
+
+ name = var.launch_template_use_name_prefix ? null : local.launch_template_name
+ name_prefix = var.launch_template_use_name_prefix ? "${local.launch_template_name}-" : null
+
+ dynamic "network_interfaces" {
+ for_each = length(local.network_interfaces) > 0 ? local.network_interfaces : []
+
+ content {
+ associate_carrier_ip_address = network_interfaces.value.associate_carrier_ip_address
+ associate_public_ip_address = network_interfaces.value.associate_public_ip_address
+
+ dynamic "connection_tracking_specification" {
+ for_each = network_interfaces.value.connection_tracking_specification != null ? [network_interfaces.value.connection_tracking_specification] : []
+
+ content {
+ tcp_established_timeout = connection_tracking_specification.value.tcp_established_timeout
+ udp_stream_timeout = connection_tracking_specification.value.udp_stream_timeout
+ udp_timeout = connection_tracking_specification.value.udp_timeout
+ }
+ }
+
+ delete_on_termination = network_interfaces.value.delete_on_termination
+ description = network_interfaces.value.description
+ device_index = network_interfaces.value.device_index
+
+ dynamic "ena_srd_specification" {
+ for_each = network_interfaces.value.ena_srd_specification != null ? [network_interfaces.value.ena_srd_specification] : []
+
+ content {
+ ena_srd_enabled = ena_srd_specification.value.ena_srd_enabled
+
+ dynamic "ena_srd_udp_specification" {
+ for_each = ena_srd_specification.value.ena_srd_udp_specification != null ? [ena_srd_specification.value.ena_srd_udp_specification] : []
+
+ content {
+ ena_srd_udp_enabled = ena_srd_udp_specification.value.ena_srd_udp_enabled
+ }
+ }
+ }
+ }
+
+ interface_type = network_interfaces.value.interface_type
+ ipv4_address_count = network_interfaces.value.ipv4_address_count
+ ipv4_addresses = network_interfaces.value.ipv4_addresses
+ ipv4_prefix_count = network_interfaces.value.ipv4_prefix_count
+ ipv4_prefixes = network_interfaces.value.ipv4_prefixes
+ ipv6_address_count = network_interfaces.value.ipv6_address_count
+ ipv6_addresses = network_interfaces.value.ipv6_addresses
+ ipv6_prefix_count = network_interfaces.value.ipv6_prefix_count
+ ipv6_prefixes = network_interfaces.value.ipv6_prefixes
+ network_card_index = network_interfaces.value.network_card_index
+ network_interface_id = network_interfaces.value.network_interface_id
+ primary_ipv6 = network_interfaces.value.primary_ipv6
+ private_ip_address = network_interfaces.value.private_ip_address
+ # Ref: https://github.com/hashicorp/terraform-provider-aws/issues/4570
+ security_groups = compact(concat(network_interfaces.value.security_groups, local.security_group_ids))
+ # Set on EKS managed node group, will fail if set here
+ # https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-basics
+ # subnet_id = try(network_interfaces.value.subnet_id, null)
+ }
+ }
+
+ dynamic "placement" {
+ for_each = var.placement != null || local.create_placement_group ? [var.placement] : []
+
+ content {
+ affinity = try(placement.value.affinity, null)
+ availability_zone = try(placement.value.availability_zone, null)
+ group_name = try(aws_placement_group.this[0].name, placement.value.group_name)
+ host_id = try(placement.value.host_id, null)
+ host_resource_group_arn = try(placement.value.host_resource_group_arn, null)
+ partition_number = try(placement.value.partition_number, null)
+ spread_domain = try(placement.value.spread_domain, null)
+ tenancy = try(placement.value.tenancy, null)
+ }
+ }
+
+ dynamic "private_dns_name_options" {
+ for_each = var.private_dns_name_options != null ? [var.private_dns_name_options] : []
+
+ content {
+ enable_resource_name_dns_aaaa_record = private_dns_name_options.value.enable_resource_name_dns_aaaa_record
+ enable_resource_name_dns_a_record = private_dns_name_options.value.enable_resource_name_dns_a_record
+ hostname_type = private_dns_name_options.value.hostname_type
+ }
+ }
+
+ ram_disk_id = var.ram_disk_id
+
+ dynamic "tag_specifications" {
+ for_each = toset(var.tag_specifications)
+
+ content {
+ resource_type = tag_specifications.key
+ tags = merge(var.tags, { Name = var.name }, var.launch_template_tags)
+ }
+ }
+
+ update_default_version = var.update_launch_template_default_version
+ user_data = module.user_data.user_data
+ vpc_security_group_ids = length(local.network_interfaces) > 0 ? [] : local.security_group_ids
+
+ tags = var.tags
+
+ # Prevent premature access of policies by pods that
+ # require permissions on create/destroy that depend on nodes
+ depends_on = [
+ aws_iam_role_policy_attachment.this,
+ aws_iam_role_policy_attachment.additional,
+ ]
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+################################################################################
+# Node Group
+################################################################################
+
+locals {
+ launch_template_id = var.create && var.create_launch_template ? aws_launch_template.this[0].id : var.launch_template_id
+ # Change order to allow users to set version priority before using defaults
+ launch_template_version = coalesce(var.launch_template_version, try(aws_launch_template.this[0].default_version, "$Default"))
+}
+
+resource "aws_autoscaling_group" "this" {
+ count = var.create && var.create_autoscaling_group ? 1 : 0
+
+ region = var.region
+
+ availability_zones = var.availability_zones
+ capacity_rebalance = var.capacity_rebalance
+ context = var.context
+ default_instance_warmup = var.default_instance_warmup
+ desired_capacity = var.desired_size
+ desired_capacity_type = var.desired_size_type
+ enabled_metrics = var.enabled_metrics
+ force_delete = var.force_delete
+ health_check_grace_period = var.health_check_grace_period
+ health_check_type = var.health_check_type
+
+ dynamic "initial_lifecycle_hook" {
+ for_each = var.initial_lifecycle_hooks != null ? var.initial_lifecycle_hooks : []
+
+ content {
+ default_result = initial_lifecycle_hook.value.default_result
+ heartbeat_timeout = initial_lifecycle_hook.value.heartbeat_timeout
+ lifecycle_transition = initial_lifecycle_hook.value.lifecycle_transition
+ name = initial_lifecycle_hook.value.name
+ notification_metadata = initial_lifecycle_hook.value.notification_metadata
+ notification_target_arn = initial_lifecycle_hook.value.notification_target_arn
+ role_arn = initial_lifecycle_hook.value.role_arn
+ }
+ }
+
+ dynamic "instance_maintenance_policy" {
+ for_each = var.instance_maintenance_policy != null ? [var.instance_maintenance_policy] : []
+
+ content {
+ min_healthy_percentage = instance_maintenance_policy.value.min_healthy_percentage
+ max_healthy_percentage = instance_maintenance_policy.value.max_healthy_percentage
+ }
+ }
+
+ dynamic "instance_refresh" {
+ for_each = length({ for k, v in var.instance_refresh : k => v if v != null }) > 0 ? [var.instance_refresh] : []
+
+ content {
+ dynamic "preferences" {
+ for_each = instance_refresh.value.preferences != null ? [instance_refresh.value.preferences] : []
+
+ content {
+ dynamic "alarm_specification" {
+ for_each = preferences.value.alarm_specification != null ? [preferences.value.alarm_specification] : []
+
+ content {
+ alarms = alarm_specification.value.alarms
+ }
+ }
+
+ auto_rollback = preferences.value.auto_rollback
+ checkpoint_delay = preferences.value.checkpoint_delay
+ checkpoint_percentages = preferences.value.checkpoint_percentages
+ instance_warmup = preferences.value.instance_warmup
+ max_healthy_percentage = preferences.value.max_healthy_percentage
+ min_healthy_percentage = preferences.value.min_healthy_percentage
+ scale_in_protected_instances = preferences.value.scale_in_protected_instances
+ skip_matching = preferences.value.skip_matching
+ standby_instances = preferences.value.standby_instances
+ }
+ }
+
+ strategy = instance_refresh.value.strategy
+ triggers = instance_refresh.value.triggers
+ }
+ }
+
+ dynamic "launch_template" {
+ for_each = var.use_mixed_instances_policy ? [] : [1]
+
+ content {
+ id = local.launch_template_id
+ version = local.launch_template_version
+ }
+ }
+
+ max_instance_lifetime = var.max_instance_lifetime
+ max_size = var.max_size
+ metrics_granularity = var.metrics_granularity
+ min_size = var.min_size
+
+ ignore_failed_scaling_activities = var.ignore_failed_scaling_activities
+
+ dynamic "mixed_instances_policy" {
+ for_each = var.use_mixed_instances_policy ? [var.mixed_instances_policy] : []
+
+ content {
+ dynamic "instances_distribution" {
+ for_each = mixed_instances_policy.value.instances_distribution != null ? [mixed_instances_policy.value.instances_distribution] : []
+
+ content {
+ on_demand_allocation_strategy = instances_distribution.value.on_demand_allocation_strategy
+ on_demand_base_capacity = instances_distribution.value.on_demand_base_capacity
+ on_demand_percentage_above_base_capacity = instances_distribution.value.on_demand_percentage_above_base_capacity
+ spot_allocation_strategy = instances_distribution.value.spot_allocation_strategy
+ spot_instance_pools = instances_distribution.value.spot_instance_pools
+ spot_max_price = instances_distribution.value.spot_max_price
+ }
+ }
+
+ dynamic "launch_template" {
+ for_each = [mixed_instances_policy.value.launch_template]
+
+ content {
+ launch_template_specification {
+ launch_template_id = local.launch_template_id
+ version = local.launch_template_version
+ }
+
+ dynamic "override" {
+ for_each = launch_template.value.override != null ? launch_template.value.override : []
+
+ content {
+ dynamic "instance_requirements" {
+ for_each = override.value.instance_requirements != null ? [override.value.instance_requirements] : []
+
+ content {
+ dynamic "accelerator_count" {
+ for_each = instance_requirements.value.accelerator_count != null ? [instance_requirements.value.accelerator_count] : []
+
+ content {
+ max = accelerator_count.value.max
+ min = accelerator_count.value.min
+ }
+ }
+
+ accelerator_manufacturers = instance_requirements.value.accelerator_manufacturers
+ accelerator_names = instance_requirements.value.accelerator_names
+
+ dynamic "accelerator_total_memory_mib" {
+ for_each = instance_requirements.value.accelerator_total_memory_mib != null ? [instance_requirements.value.accelerator_total_memory_mib] : []
+
+ content {
+ max = accelerator_total_memory_mib.value.max
+ min = accelerator_total_memory_mib.value.min
+ }
+ }
+
+ accelerator_types = instance_requirements.value.accelerator_types
+ allowed_instance_types = instance_requirements.value.allowed_instance_types
+ bare_metal = instance_requirements.value.bare_metal
+
+ dynamic "baseline_ebs_bandwidth_mbps" {
+ for_each = instance_requirements.value.baseline_ebs_bandwidth_mbps != null ? [instance_requirements.value.baseline_ebs_bandwidth_mbps] : []
+
+ content {
+ max = baseline_ebs_bandwidth_mbps.value.max
+ min = baseline_ebs_bandwidth_mbps.value.min
+ }
+ }
+
+ burstable_performance = instance_requirements.value.burstable_performance
+ cpu_manufacturers = instance_requirements.value.cpu_manufacturers
+ excluded_instance_types = instance_requirements.value.excluded_instance_types
+ instance_generations = instance_requirements.value.instance_generations
+ local_storage = instance_requirements.value.local_storage
+ local_storage_types = instance_requirements.value.local_storage_types
+ max_spot_price_as_percentage_of_optimal_on_demand_price = instance_requirements.value.max_spot_price_as_percentage_of_optimal_on_demand_price
+
+ dynamic "memory_gib_per_vcpu" {
+ for_each = instance_requirements.value.memory_gib_per_vcpu != null ? [instance_requirements.value.memory_gib_per_vcpu] : []
+
+ content {
+ max = memory_gib_per_vcpu.value.max
+ min = memory_gib_per_vcpu.value.min
+ }
+ }
+
+ dynamic "memory_mib" {
+ for_each = instance_requirements.value.memory_mib != null ? [instance_requirements.value.memory_mib] : []
+
+ content {
+ max = memory_mib.value.max
+ min = memory_mib.value.min
+ }
+ }
+
+ dynamic "network_bandwidth_gbps" {
+ for_each = instance_requirements.value.network_bandwidth_gbps != null ? [instance_requirements.value.network_bandwidth_gbps] : []
+
+ content {
+ max = network_bandwidth_gbps.value.max
+ min = network_bandwidth_gbps.value.min
+ }
+ }
+
+ dynamic "network_interface_count" {
+ for_each = instance_requirements.value.network_interface_count != null ? [instance_requirements.value.network_interface_count] : []
+
+ content {
+ max = network_interface_count.value.max
+ min = network_interface_count.value.min
+ }
+ }
+
+ on_demand_max_price_percentage_over_lowest_price = instance_requirements.value.on_demand_max_price_percentage_over_lowest_price
+ require_hibernate_support = instance_requirements.value.require_hibernate_support
+ spot_max_price_percentage_over_lowest_price = instance_requirements.value.spot_max_price_percentage_over_lowest_price
+
+ dynamic "total_local_storage_gb" {
+ for_each = instance_requirements.value.total_local_storage_gb != null ? [instance_requirements.value.total_local_storage_gb] : []
+
+ content {
+ max = total_local_storage_gb.value.max
+ min = total_local_storage_gb.value.min
+ }
+ }
+
+ dynamic "vcpu_count" {
+ for_each = instance_requirements.value.vcpu_count != null ? [instance_requirements.value.vcpu_count] : []
+
+ content {
+ max = vcpu_count.value.max
+ min = vcpu_count.value.min
+ }
+ }
+ }
+ }
+
+ instance_type = override.value.instance_type
+
+ dynamic "launch_template_specification" {
+ for_each = override.value.launch_template_specification != null ? [override.value.launch_template_specification] : []
+
+ content {
+ launch_template_id = launch_template_specification.value.launch_template_id
+ launch_template_name = launch_template_specification.value.launch_template_name
+ version = launch_template_specification.value.version
+ }
+ }
+
+ weighted_capacity = override.value.weighted_capacity
+ }
+ }
+ }
+ }
+ }
+ }
+
+ name = var.use_name_prefix ? null : var.name
+ name_prefix = var.use_name_prefix ? "${var.name}-" : null
+ placement_group = var.placement_group
+ protect_from_scale_in = var.protect_from_scale_in
+ suspended_processes = var.suspended_processes
+
+ dynamic "tag" {
+ for_each = merge(
+ {
+ "Name" = var.name
+ "kubernetes.io/cluster/${var.cluster_name}" = "owned"
+ "k8s.io/cluster/${var.cluster_name}" = "owned"
+ },
+ var.tags
+ )
+
+ content {
+ key = tag.key
+ value = tag.value
+ propagate_at_launch = true
+ }
+ }
+
+ dynamic "tag" {
+ for_each = var.autoscaling_group_tags
+
+ content {
+ key = tag.key
+ value = tag.value
+ propagate_at_launch = false
+ }
+ }
+
+ termination_policies = var.termination_policies
+ vpc_zone_identifier = var.subnet_ids
+
+ dynamic "timeouts" {
+ for_each = var.timeouts != null ? [var.timeouts] : []
+
+ content {
+ delete = var.timeouts.delete
+ }
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ ignore_changes = [
+ desired_capacity
+ ]
+ }
+}
+
+################################################################################
+# IAM Role
+################################################################################
+
+locals {
+ create_iam_instance_profile = var.create && var.create_iam_instance_profile
+
+ iam_role_name = coalesce(var.iam_role_name, "${var.name}-node-group")
+ iam_role_policy_prefix = "arn:${local.partition}:iam::aws:policy"
+
+ ipv4_cni_policy = { for k, v in {
+ AmazonEKS_CNI_Policy = "${local.iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
+ } : k => v if var.iam_role_attach_cni_policy && var.cluster_ip_family == "ipv4" }
+ ipv6_cni_policy = { for k, v in {
+ AmazonEKS_CNI_IPv6_Policy = "arn:${local.partition}:iam::${local.account_id}:policy/AmazonEKS_CNI_IPv6_Policy"
+ } : k => v if var.iam_role_attach_cni_policy && var.cluster_ip_family == "ipv6" }
+}
+
+data "aws_iam_policy_document" "assume_role_policy" {
+ count = local.create_iam_instance_profile ? 1 : 0
+
+ statement {
+ sid = "EKSNodeAssumeRole"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["ec2.amazonaws.com"]
+ }
+ }
+}
+
+resource "aws_iam_role" "this" {
+ count = local.create_iam_instance_profile ? 1 : 0
+
+ name = var.iam_role_use_name_prefix ? null : local.iam_role_name
+ name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null
+ path = var.iam_role_path
+ description = var.iam_role_description
+
+ assume_role_policy = data.aws_iam_policy_document.assume_role_policy[0].json
+ permissions_boundary = var.iam_role_permissions_boundary
+ force_detach_policies = true
+
+ tags = merge(var.tags, var.iam_role_tags)
+}
+
+# Policies attached ref https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group
+resource "aws_iam_role_policy_attachment" "this" {
+ for_each = { for k, v in merge(
+ {
+ AmazonEKSWorkerNodePolicy = "${local.iam_role_policy_prefix}/AmazonEKSWorkerNodePolicy"
+ AmazonEC2ContainerRegistryReadOnly = "${local.iam_role_policy_prefix}/AmazonEC2ContainerRegistryReadOnly"
+ },
+ local.ipv4_cni_policy,
+ local.ipv6_cni_policy
+ ) : k => v if local.create_iam_instance_profile }
+
+ policy_arn = each.value
+ role = aws_iam_role.this[0].name
+}
+
+resource "aws_iam_role_policy_attachment" "additional" {
+ for_each = { for k, v in var.iam_role_additional_policies : k => v if local.create_iam_instance_profile }
+
+ policy_arn = each.value
+ role = aws_iam_role.this[0].name
+}
+
+resource "aws_iam_instance_profile" "this" {
+ count = local.create_iam_instance_profile ? 1 : 0
+
+ role = aws_iam_role.this[0].name
+
+ name = var.iam_role_use_name_prefix ? null : local.iam_role_name
+ name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null
+ path = var.iam_role_path
+
+ tags = merge(var.tags, var.iam_role_tags)
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+################################################################################
+# IAM Role Policy
+################################################################################
+
+locals {
+ create_iam_role_policy = local.create_iam_instance_profile && var.create_iam_role_policy && var.iam_role_policy_statements != null
+}
+
+data "aws_iam_policy_document" "role" {
+ count = local.create_iam_role_policy ? 1 : 0
+
+ dynamic "statement" {
+ for_each = var.iam_role_policy_statements != null ? var.iam_role_policy_statements : []
+
+ content {
+ sid = statement.value.sid
+ actions = statement.value.actions
+ not_actions = statement.value.not_actions
+ effect = statement.value.effect
+ resources = statement.value.resources
+ not_resources = statement.value.not_resources
+
+ dynamic "principals" {
+ for_each = statement.value.principals != null ? statement.value.principals : []
+
+ content {
+ type = principals.value.type
+ identifiers = principals.value.identifiers
+ }
+ }
+
+ dynamic "not_principals" {
+ for_each = statement.value.not_principals != null ? statement.value.not_principals : []
+
+ content {
+ type = not_principals.value.type
+ identifiers = not_principals.value.identifiers
+ }
+ }
+
+ dynamic "condition" {
+ for_each = statement.value.condition != null ? statement.value.condition : []
+
+ content {
+ test = condition.value.test
+ values = condition.value.values
+ variable = condition.value.variable
+ }
+ }
+ }
+ }
+}
+
+resource "aws_iam_role_policy" "this" {
+ count = local.create_iam_role_policy ? 1 : 0
+
+ name = var.iam_role_use_name_prefix ? null : local.iam_role_name
+ name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null
+ policy = data.aws_iam_policy_document.role[0].json
+ role = aws_iam_role.this[0].id
+}
+
+################################################################################
+# Placement Group
+################################################################################
+
+locals {
+ create_placement_group = var.create && (local.enable_efa_support || var.create_placement_group)
+}
+
+resource "aws_placement_group" "this" {
+ count = local.create_placement_group ? 1 : 0
+
+ region = var.region
+
+ name = "${var.cluster_name}-${var.name}"
+ strategy = "cluster"
+
+ tags = var.tags
+}
+
+################################################################################
+# Access Entry
+################################################################################
+
+resource "aws_eks_access_entry" "this" {
+ count = var.create && var.create_access_entry ? 1 : 0
+
+ region = var.region
+
+ cluster_name = var.cluster_name
+ principal_arn = var.create_iam_instance_profile ? aws_iam_role.this[0].arn : var.iam_role_arn
+ type = startswith(var.ami_type, "WINDOWS_") ? "EC2_WINDOWS" : "EC2_LINUX"
+
+ tags = var.tags
+}
+
+################################################################################
+# Security Group
+################################################################################
+
+locals {
+ create_security_group = var.create && var.create_security_group && length(merge(local.security_group_ingress_rules, local.security_group_egress_rules)) > 0
+ security_group_name = coalesce(var.security_group_name, "${var.cluster_name}-${var.name}")
+
+ security_group_ingress_rules = merge({ for k, v in
+ {
+ all_self_efa = {
+ description = "Node to node EFA"
+ ip_protocol = "-1"
+ self = true
+
+ # Null out due to variable type and not using `try()` in resource
+ cidr_ipv4 = null
+ cidr_ipv6 = null
+ from_port = null
+ name = null
+ prefix_list_id = null
+ tags = {}
+ }
+ } : k => v if var.enable_efa_support
+ },
+ var.security_group_ingress_rules
+ )
+ security_group_egress_rules = merge({ for k, v in
+ {
+ all_self_efa = {
+ description = "Node to node EFA"
+ ip_protocol = "-1"
+ self = true
+
+ # Null out due to variable type and not using `try()` in resource
+ cidr_ipv4 = null
+ cidr_ipv6 = null
+ to_port = null
+ name = null
+ prefix_list_id = null
+ tags = {}
+ }
+ } : k => v if var.enable_efa_support
+ },
+ var.security_group_egress_rules
+ )
+}
+
+data "aws_subnet" "this" {
+ count = local.create_security_group ? 1 : 0
+
+ region = var.region
+
+ id = element(var.subnet_ids, 0)
+}
+
+resource "aws_security_group" "this" {
+ count = local.create_security_group ? 1 : 0
+
+ region = var.region
+
+ name = var.security_group_use_name_prefix ? null : local.security_group_name
+ name_prefix = var.security_group_use_name_prefix ? "${local.security_group_name}-" : null
+ description = var.security_group_description
+ vpc_id = data.aws_subnet.this[0].vpc_id
+
+ tags = merge(
+ var.tags,
+ { "Name" = local.security_group_name },
+ var.security_group_tags
+ )
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+resource "aws_vpc_security_group_ingress_rule" "this" {
+ for_each = { for k, v in local.security_group_ingress_rules : k => v if length(local.security_group_ingress_rules) > 0 && local.create_security_group }
+
+ region = var.region
+
+ cidr_ipv4 = each.value.cidr_ipv4
+ cidr_ipv6 = each.value.cidr_ipv6
+ description = each.value.description
+ from_port = each.value.from_port
+ ip_protocol = each.value.ip_protocol
+ prefix_list_id = each.value.prefix_list_id
+ referenced_security_group_id = each.value.self ? aws_security_group.this[0].id : each.value.referenced_security_group_id
+ security_group_id = aws_security_group.this[0].id
+ tags = merge(
+ var.tags,
+ var.security_group_tags,
+ { "Name" = coalesce(each.value.name, "${local.security_group_name}-${each.key}") },
+ each.value.tags
+ )
+ to_port = try(coalesce(each.value.to_port, each.value.from_port), null)
+}
+
+resource "aws_vpc_security_group_egress_rule" "this" {
+ for_each = { for k, v in local.security_group_egress_rules : k => v if length(local.security_group_egress_rules) > 0 && local.create_security_group }
+
+ region = var.region
+
+ cidr_ipv4 = each.value.cidr_ipv4
+ cidr_ipv6 = each.value.cidr_ipv6
+ description = each.value.description
+ from_port = try(coalesce(each.value.from_port, each.value.to_port), null)
+ ip_protocol = each.value.ip_protocol
+ prefix_list_id = each.value.prefix_list_id
+ referenced_security_group_id = each.value.self ? aws_security_group.this[0].id : each.value.referenced_security_group_id
+ security_group_id = aws_security_group.this[0].id
+ tags = merge(
+ var.tags,
+ var.security_group_tags,
+ { "Name" = coalesce(each.value.name, "${local.security_group_name}-${each.key}") },
+ each.value.tags
+ )
+ to_port = each.value.to_port
+}
diff --git a/modules/self-managed-node-group/migrations.tf b/modules/self-managed-node-group/migrations.tf
new file mode 100644
index 0000000000..5d51a7208a
--- /dev/null
+++ b/modules/self-managed-node-group/migrations.tf
@@ -0,0 +1,20 @@
+################################################################################
+# Migrations: v20.7 -> v20.8
+################################################################################
+
+# Node IAM role policy attachment
+# Commercial partition only - `moved` does now allow multiple moves to same target
+moved {
+ from = aws_iam_role_policy_attachment.this["arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"]
+ to = aws_iam_role_policy_attachment.this["AmazonEKSWorkerNodePolicy"]
+}
+
+moved {
+ from = aws_iam_role_policy_attachment.this["arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"]
+ to = aws_iam_role_policy_attachment.this["AmazonEC2ContainerRegistryReadOnly"]
+}
+
+moved {
+ from = aws_iam_role_policy_attachment.this["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"]
+ to = aws_iam_role_policy_attachment.this["AmazonEKS_CNI_Policy"]
+}
diff --git a/modules/self-managed-node-group/outputs.tf b/modules/self-managed-node-group/outputs.tf
new file mode 100644
index 0000000000..ad8710b890
--- /dev/null
+++ b/modules/self-managed-node-group/outputs.tf
@@ -0,0 +1,157 @@
+################################################################################
+# Launch template
+################################################################################
+
+output "launch_template_id" {
+ description = "The ID of the launch template"
+ value = try(aws_launch_template.this[0].id, null)
+}
+
+output "launch_template_arn" {
+ description = "The ARN of the launch template"
+ value = try(aws_launch_template.this[0].arn, null)
+}
+
+output "launch_template_latest_version" {
+ description = "The latest version of the launch template"
+ value = try(aws_launch_template.this[0].latest_version, null)
+}
+
+output "launch_template_name" {
+ description = "The name of the launch template"
+ value = try(aws_launch_template.this[0].name, null)
+}
+
+################################################################################
+# autoscaling group
+################################################################################
+
+output "autoscaling_group_arn" {
+ description = "The ARN for this autoscaling group"
+ value = try(aws_autoscaling_group.this[0].arn, null)
+}
+
+output "autoscaling_group_id" {
+ description = "The autoscaling group id"
+ value = try(aws_autoscaling_group.this[0].id, null)
+}
+
+output "autoscaling_group_name" {
+ description = "The autoscaling group name"
+ value = try(aws_autoscaling_group.this[0].name, null)
+}
+
+output "autoscaling_group_min_size" {
+ description = "The minimum size of the autoscaling group"
+ value = try(aws_autoscaling_group.this[0].min_size, null)
+}
+
+output "autoscaling_group_max_size" {
+ description = "The maximum size of the autoscaling group"
+ value = try(aws_autoscaling_group.this[0].max_size, null)
+}
+
+output "autoscaling_group_desired_capacity" {
+ description = "The number of Amazon EC2 instances that should be running in the group"
+ value = try(aws_autoscaling_group.this[0].desired_capacity, null)
+}
+
+output "autoscaling_group_default_cooldown" {
+ description = "Time between a scaling activity and the succeeding scaling activity"
+ value = try(aws_autoscaling_group.this[0].default_cooldown, null)
+}
+
+output "autoscaling_group_health_check_grace_period" {
+ description = "Time after instance comes into service before checking health"
+ value = try(aws_autoscaling_group.this[0].health_check_grace_period, null)
+}
+
+output "autoscaling_group_health_check_type" {
+ description = "EC2 or ELB. Controls how health checking is done"
+ value = try(aws_autoscaling_group.this[0].health_check_type, null)
+}
+
+output "autoscaling_group_availability_zones" {
+ description = "The availability zones of the autoscaling group"
+ value = try(aws_autoscaling_group.this[0].availability_zones, null)
+}
+
+output "autoscaling_group_vpc_zone_identifier" {
+ description = "The VPC zone identifier"
+ value = try(aws_autoscaling_group.this[0].vpc_zone_identifier, null)
+}
+
+################################################################################
+# IAM Role
+################################################################################
+
+output "iam_role_name" {
+ description = "The name of the IAM role"
+ value = try(aws_iam_role.this[0].name, null)
+}
+
+output "iam_role_arn" {
+ description = "The Amazon Resource Name (ARN) specifying the IAM role"
+ value = try(aws_iam_role.this[0].arn, null)
+}
+
+output "iam_role_unique_id" {
+ description = "Stable and unique string identifying the IAM role"
+ value = try(aws_iam_role.this[0].unique_id, null)
+}
+
+################################################################################
+# IAM Instance Profile
+################################################################################
+
+output "iam_instance_profile_arn" {
+ description = "ARN assigned by AWS to the instance profile"
+ value = try(aws_iam_instance_profile.this[0].arn, var.iam_instance_profile_arn)
+}
+
+output "iam_instance_profile_id" {
+ description = "Instance profile's ID"
+ value = try(aws_iam_instance_profile.this[0].id, null)
+}
+
+output "iam_instance_profile_unique" {
+ description = "Stable and unique string identifying the IAM instance profile"
+ value = try(aws_iam_instance_profile.this[0].unique_id, null)
+}
+
+################################################################################
+# Access Entry
+################################################################################
+
+output "access_entry_arn" {
+ description = "Amazon Resource Name (ARN) of the Access Entry"
+ value = try(aws_eks_access_entry.this[0].access_entry_arn, null)
+}
+
+################################################################################
+# Additional
+################################################################################
+
+output "image_id" {
+ description = "ID of the image"
+ value = try(aws_launch_template.this[0].image_id, null)
+}
+
+output "user_data" {
+ description = "Base64 encoded user data"
+ value = try(module.user_data.user_data, null)
+}
+
+################################################################################
+# Security Group
+################################################################################
+
+output "security_group_arn" {
+ description = "Amazon Resource Name (ARN) of the security group"
+ value = try(aws_security_group.this[0].arn, null)
+}
+
+output "security_group_id" {
+ description = "ID of the security group"
+ value = try(aws_security_group.this[0].id, null)
+}
diff --git a/modules/self-managed-node-group/variables.tf b/modules/self-managed-node-group/variables.tf
new file mode 100644
index 0000000000..6e42508c68
--- /dev/null
+++ b/modules/self-managed-node-group/variables.tf
@@ -0,0 +1,1029 @@
+variable "create" {
+ description = "Determines whether to create self managed node group or not"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "tags" {
+ description = "A map of tags to add to all resources"
+ type = map(string)
+ default = {}
+}
+
+variable "region" {
+ description = "Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration"
+ type = string
+ default = null
+}
+
+variable "partition" {
+ description = "The AWS partition - pass through value to reduce number of GET requests from data sources"
+ type = string
+ default = ""
+}
+
+variable "account_id" {
+ description = "The AWS account ID - pass through value to reduce number of GET requests from data sources"
+ type = string
+ default = ""
+}
+
+################################################################################
+# User Data
+################################################################################
+
+variable "cluster_name" {
+ description = "Name of associated EKS cluster"
+ type = string
+ default = ""
+}
+
+variable "cluster_endpoint" {
+ description = "Endpoint of associated EKS cluster"
+ type = string
+ default = null
+}
+
+variable "cluster_auth_base64" {
+ description = "Base64 encoded CA of associated EKS cluster"
+ type = string
+ default = null
+}
+
+variable "cluster_service_cidr" {
+ description = "The CIDR block (IPv4 or IPv6) used by the cluster to assign Kubernetes service IP addresses. This is derived from the cluster itself"
+ type = string
+ default = null
+}
+
+variable "cluster_ip_family" {
+ description = "The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`"
+ type = string
+ default = null
+}
+
+variable "additional_cluster_dns_ips" {
+ description = "Additional DNS IP addresses to use for the cluster. Only used when `ami_type` = `BOTTLEROCKET_*`"
+ type = list(string)
+ default = null
+}
+
+variable "pre_bootstrap_user_data" {
+ description = "User data that is injected into the user data script ahead of the EKS bootstrap script. Not used when `ami_type` = `BOTTLEROCKET_*`"
+ type = string
+ default = null
+}
+
+variable "post_bootstrap_user_data" {
+ description = "User data that is appended to the user data script after of the EKS bootstrap script. Not used when `ami_type` = `BOTTLEROCKET_*`"
+ type = string
+ default = null
+}
+
+variable "bootstrap_extra_args" {
+ description = "Additional arguments passed to the bootstrap script. When `ami_type` = `BOTTLEROCKET_*`; these are additional [settings](https://github.com/bottlerocket-os/bottlerocket#settings) that are provided to the Bottlerocket user data"
+ type = string
+ default = null
+}
+
+variable "user_data_template_path" {
+ description = "Path to a local, custom user data template file to use when rendering user data"
+ type = string
+ default = null
+}
+
+variable "cloudinit_pre_nodeadm" {
+ description = "Array of cloud-init document parts that are created before the nodeadm document part"
+ type = list(object({
+ content = string
+ content_type = optional(string)
+ filename = optional(string)
+ merge_type = optional(string)
+ }))
+ default = null
+}
+
+variable "cloudinit_post_nodeadm" {
+ description = "Array of cloud-init document parts that are created after the nodeadm document part"
+ type = list(object({
+ content = string
+ content_type = optional(string)
+ filename = optional(string)
+ merge_type = optional(string)
+ }))
+ default = null
+}
+
+################################################################################
+# Launch template
+################################################################################
+
+variable "create_launch_template" {
+ description = "Determines whether to create launch template or not"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "launch_template_id" {
+ description = "The ID of an existing launch template to use. Required when `create_launch_template` = `false`"
+ type = string
+ default = ""
+}
+
+variable "launch_template_name" {
+ description = "Name of launch template to be created"
+ type = string
+ default = null
+}
+
+variable "launch_template_use_name_prefix" {
+ description = "Determines whether to use `launch_template_name` as is or create a unique name beginning with the `launch_template_name` as the prefix"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "launch_template_description" {
+ description = "Description of the launch template"
+ type = string
+ default = null
+}
+
+variable "launch_template_default_version" {
+ description = "Default Version of the launch template"
+ type = string
+ default = null
+}
+
+variable "update_launch_template_default_version" {
+ description = "Whether to update Default Version each update. Conflicts with `launch_template_default_version`"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "disable_api_termination" {
+ description = "If true, enables EC2 instance termination protection"
+ type = bool
+ default = null
+}
+
+variable "instance_initiated_shutdown_behavior" {
+ description = "Shutdown behavior for the instance. Can be `stop` or `terminate`. (Default: `stop`)"
+ type = string
+ default = null
+}
+
+variable "kernel_id" {
+ description = "The kernel ID"
+ type = string
+ default = null
+}
+
+variable "ram_disk_id" {
+ description = "The ID of the ram disk"
+ type = string
+ default = null
+}
+
+variable "block_device_mappings" {
+ description = "Specify volumes to attach to the instance besides the volumes specified by the AMI"
+ type = map(object({
+ device_name = optional(string)
+ ebs = optional(object({
+ delete_on_termination = optional(bool)
+ encrypted = optional(bool)
+ iops = optional(number)
+ kms_key_id = optional(string)
+ snapshot_id = optional(string)
+ throughput = optional(number)
+ volume_initialization_rate = optional(number)
+ volume_size = optional(number)
+ volume_type = optional(string)
+ }))
+ no_device = optional(string)
+ virtual_name = optional(string)
+ }))
+ default = null
+}
+
+variable "capacity_reservation_specification" {
+ description = "Targeting for EC2 capacity reservations"
+ type = object({
+ capacity_reservation_preference = optional(string)
+ capacity_reservation_target = optional(object({
+ capacity_reservation_id = optional(string)
+ capacity_reservation_resource_group_arn = optional(string)
+ }))
+ })
+ default = null
+}
+
+variable "cpu_options" {
+ description = "The CPU options for the instance"
+ type = object({
+ amd_sev_snp = optional(string)
+ core_count = optional(number)
+ threads_per_core = optional(number)
+ })
+ default = null
+}
+
+variable "credit_specification" {
+ description = "Customize the credit specification of the instance"
+ type = object({
+ cpu_credits = optional(string)
+ })
+ default = null
+}
+
+variable "enclave_options" {
+ description = "Enable Nitro Enclaves on launched instances"
+ type = object({
+ enabled = optional(bool)
+ })
+ default = null
+}
+
+variable "instance_market_options" {
+ description = "The market (purchasing) option for the instance"
+ type = object({
+ market_type = optional(string)
+ spot_options = optional(object({
+ block_duration_minutes = optional(number)
+ instance_interruption_behavior = optional(string)
+ max_price = optional(string)
+ spot_instance_type = optional(string)
+ valid_until = optional(string)
+ }))
+ })
+ default = null
+}
+
+variable "maintenance_options" {
+ description = "The maintenance options for the instance"
+ type = object({
+ auto_recovery = optional(string)
+ })
+ default = null
+}
+
+variable "license_specifications" {
+ description = "A list of license specifications to associate with"
+ type = list(object({
+ license_configuration_arn = string
+ }))
+ default = null
+}
+
+variable "network_interfaces" {
+ description = "Customize network interfaces to be attached at instance boot time"
+ type = list(object({
+ associate_carrier_ip_address = optional(bool)
+ associate_public_ip_address = optional(bool)
+ connection_tracking_specification = optional(object({
+ tcp_established_timeout = optional(number)
+ udp_stream_timeout = optional(number)
+ udp_timeout = optional(number)
+ }))
+ delete_on_termination = optional(bool)
+ description = optional(string)
+ device_index = optional(number)
+ ena_srd_specification = optional(object({
+ ena_srd_enabled = optional(bool)
+ ena_srd_udp_specification = optional(object({
+ ena_srd_udp_enabled = optional(bool)
+ }))
+ }))
+ interface_type = optional(string)
+ ipv4_address_count = optional(number)
+ ipv4_addresses = optional(list(string))
+ ipv4_prefix_count = optional(number)
+ ipv4_prefixes = optional(list(string))
+ ipv6_address_count = optional(number)
+ ipv6_addresses = optional(list(string))
+ ipv6_prefix_count = optional(number)
+ ipv6_prefixes = optional(list(string))
+ network_card_index = optional(number)
+ network_interface_id = optional(string)
+ primary_ipv6 = optional(bool)
+ private_ip_address = optional(string)
+ security_groups = optional(list(string), [])
+ }))
+ default = []
+ nullable = false
+}
+
+variable "placement" {
+ description = "The placement of the instance"
+ type = object({
+ affinity = optional(string)
+ availability_zone = optional(string)
+ group_name = optional(string)
+ host_id = optional(string)
+ host_resource_group_arn = optional(string)
+ partition_number = optional(number)
+ spread_domain = optional(string)
+ tenancy = optional(string)
+ })
+ default = null
+}
+
+variable "create_placement_group" {
+ description = "Determines whether a placement group is created & used by the node group"
+ type = bool
+ default = false
+ nullable = false
+}
+
+variable "private_dns_name_options" {
+ description = "The options for the instance hostname. The default values are inherited from the subnet"
+ type = object({
+ enable_resource_name_dns_aaaa_record = optional(bool)
+ enable_resource_name_dns_a_record = optional(bool)
+ hostname_type = optional(string)
+ })
+ default = null
+}
+
+variable "ebs_optimized" {
+ description = "If true, the launched EC2 instance will be EBS-optimized"
+ type = bool
+ default = null
+}
+
+variable "ami_id" {
+ description = "The AMI from which to launch the instance"
+ type = string
+ default = ""
+ nullable = false
+}
+
+variable "ami_type" {
+ description = "Type of Amazon Machine Image (AMI) associated with the node group. See the [AWS documentation](https://docs.aws.amazon.com/eks/latest/APIReference/API_Nodegroup.html#AmazonEKS-Type-Nodegroup-amiType) for valid values"
+ type = string
+ default = "AL2023_x86_64_STANDARD"
+ nullable = false
+}
+
+variable "kubernetes_version" {
+ description = "Kubernetes cluster version - used to lookup default AMI ID if one is not provided"
+ type = string
+ default = null
+}
+
+variable "instance_requirements" {
+ description = "The attribute requirements for the type of instance. If present then `instance_type` cannot be present"
+ type = object({
+ accelerator_count = optional(object({
+ max = optional(number)
+ min = optional(number)
+ }))
+ accelerator_manufacturers = optional(list(string))
+ accelerator_names = optional(list(string))
+ accelerator_total_memory_mib = optional(object({
+ max = optional(number)
+ min = optional(number)
+ }))
+ accelerator_types = optional(list(string))
+ allowed_instance_types = optional(list(string))
+ bare_metal = optional(string)
+ baseline_ebs_bandwidth_mbps = optional(object({
+ max = optional(number)
+ min = optional(number)
+ }))
+ burstable_performance = optional(string)
+ cpu_manufacturers = optional(list(string))
+ excluded_instance_types = optional(list(string))
+ instance_generations = optional(list(string))
+ local_storage = optional(string)
+ local_storage_types = optional(list(string))
+ max_spot_price_as_percentage_of_optimal_on_demand_price = optional(number)
+ memory_gib_per_vcpu = optional(object({
+ max = optional(number)
+ min = optional(number)
+ }))
+ memory_mib = optional(object({
+ max = optional(number)
+ min = optional(number)
+ }))
+ network_bandwidth_gbps = optional(object({
+ max = optional(number)
+ min = optional(number)
+ }))
+ network_interface_count = optional(object({
+ max = optional(number)
+ min = optional(number)
+ }))
+ on_demand_max_price_percentage_over_lowest_price = optional(number)
+ require_hibernate_support = optional(bool)
+ spot_max_price_percentage_over_lowest_price = optional(number)
+ total_local_storage_gb = optional(object({
+ max = optional(number)
+ min = optional(number)
+ }))
+ vcpu_count = optional(object({
+ max = optional(number)
+ min = string
+ }))
+ })
+ default = null
+}
+
+variable "instance_type" {
+ description = "The type of the instance to launch"
+ type = string
+ default = "m6i.large"
+ nullable = false
+}
+
+variable "key_name" {
+ description = "The key name that should be used for the instance"
+ type = string
+ default = null
+}
+
+variable "vpc_security_group_ids" {
+ description = "A list of security group IDs to associate"
+ type = list(string)
+ default = []
+ nullable = false
+}
+
+variable "cluster_primary_security_group_id" {
+ description = "The ID of the EKS cluster primary security group to associate with the instance(s). This is the security group that is automatically created by the EKS service"
+ type = string
+ default = null
+}
+
+variable "enable_monitoring" {
+ description = "Enables/disables detailed monitoring"
+ type = bool
+ default = false
+ nullable = false
+}
+
+variable "enable_efa_support" {
+ description = "Determines whether to enable Elastic Fabric Adapter (EFA) support"
+ type = bool
+ default = false
+ nullable = false
+}
+
+variable "enable_efa_only" {
+ description = "Determines whether to enable EFA (`false`, default) or EFA and EFA-only (`true`) network interfaces. Note: requires vpc-cni version `v1.18.4` or later"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "efa_indices" {
+ description = "The indices of the network interfaces that should be EFA-enabled. Only valid when `enable_efa_support` = `true`"
+ type = list(number)
+ default = [0]
+ nullable = false
+}
+
+variable "metadata_options" {
+ description = "Customize the metadata options for the instance"
+ type = object({
+ http_endpoint = optional(string, "enabled")
+ http_protocol_ipv6 = optional(string)
+ http_put_response_hop_limit = optional(number, 1)
+ http_tokens = optional(string, "required")
+ instance_metadata_tags = optional(string)
+ })
+ default = {
+ http_endpoint = "enabled"
+ http_put_response_hop_limit = 1
+ http_tokens = "required"
+ }
+ nullable = false
+}
+
+variable "launch_template_tags" {
+ description = "A map of additional tags to add to the tag_specifications of launch template created"
+ type = map(string)
+ default = {}
+ nullable = false
+}
+
+variable "tag_specifications" {
+ description = "The tags to apply to the resources during launch"
+ type = list(string)
+ default = ["instance", "volume", "network-interface"]
+ nullable = false
+}
+
+################################################################################
+# Autoscaling group
+################################################################################
+
+variable "create_autoscaling_group" {
+ description = "Determines whether to create autoscaling group or not"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "name" {
+ description = "Name of the Self managed Node Group"
+ type = string
+ default = ""
+}
+
+variable "use_name_prefix" {
+ description = "Determines whether to use `name` as is or create a unique name beginning with the `name` as the prefix"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "launch_template_version" {
+ description = "Launch template version. Can be version number, `$Latest`, or `$Default`"
+ type = string
+ default = null
+}
+
+variable "availability_zones" {
+ description = "A list of one or more availability zones for the group. Used for EC2-Classic and default subnets when not specified with `subnet_ids` argument. Conflicts with `subnet_ids`"
+ type = list(string)
+ default = null
+}
+
+variable "subnet_ids" {
+ description = "A list of subnet IDs to launch resources in. Subnets automatically determine which availability zones the group will reside. Conflicts with `availability_zones`"
+ type = list(string)
+ default = null
+}
+
+variable "min_size" {
+ description = "The minimum size of the autoscaling group"
+ type = number
+ default = 1
+ nullable = false
+}
+
+variable "max_size" {
+ description = "The maximum size of the autoscaling group"
+ type = number
+ default = 3
+ nullable = false
+}
+
+variable "desired_size" {
+ description = "The number of Amazon EC2 instances that should be running in the autoscaling group"
+ type = number
+ default = 1
+ nullable = false
+}
+
+variable "desired_size_type" {
+ description = "The unit of measurement for the value specified for `desired_size`. Supported for attribute-based instance type selection only. Valid values: `units`, `vcpu`, `memory-mib`"
+ type = string
+ default = null
+}
+
+variable "ignore_failed_scaling_activities" {
+ description = "Whether to ignore failed Auto Scaling scaling activities while waiting for capacity"
+ type = bool
+ default = null
+}
+
+variable "context" {
+ description = "Reserved"
+ type = string
+ default = null
+}
+
+variable "capacity_rebalance" {
+ description = "Indicates whether capacity rebalance is enabled"
+ type = bool
+ default = null
+}
+
+variable "default_instance_warmup" {
+ description = "Amount of time, in seconds, until a newly launched instance can contribute to the Amazon CloudWatch metrics. This delay lets an instance finish initializing before Amazon EC2 Auto Scaling aggregates instance metrics, resulting in more reliable usage data"
+ type = number
+ default = null
+}
+
+variable "protect_from_scale_in" {
+ description = "Allows setting instance protection. The autoscaling group will not select instances with this setting for termination during scale in events"
+ type = bool
+ default = false
+ nullable = false
+}
+
+variable "placement_group" {
+ description = "The name of the placement group into which you'll launch your instances"
+ type = string
+ default = null
+}
+
+variable "health_check_type" {
+ description = "`EC2` or `ELB`. Controls how health checking is done"
+ type = string
+ default = null
+}
+
+variable "health_check_grace_period" {
+ description = "Time (in seconds) after instance comes into service before checking health"
+ type = number
+ default = null
+}
+
+variable "force_delete" {
+ description = "Allows deleting the Auto Scaling Group without waiting for all instances in the pool to terminate. You can force an Auto Scaling Group to delete even if it's in the process of scaling a resource. Normally, Terraform drains all the instances before deleting the group. This bypasses that behavior and potentially leaves resources dangling"
+ type = bool
+ default = null
+}
+
+variable "termination_policies" {
+ description = "A list of policies to decide how the instances in the Auto Scaling Group should be terminated. The allowed values are `OldestInstance`, `NewestInstance`, `OldestLaunchConfiguration`, `ClosestToNextInstanceHour`, `OldestLaunchTemplate`, `AllocationStrategy`, `Default`"
+ type = list(string)
+ default = []
+ nullable = false
+}
+
+variable "suspended_processes" {
+ description = "A list of processes to suspend for the Auto Scaling Group. The allowed values are `Launch`, `Terminate`, `HealthCheck`, `ReplaceUnhealthy`, `AZRebalance`, `AlarmNotification`, `ScheduledActions`, `AddToLoadBalancer`. Note that if you suspend either the `Launch` or `Terminate` process types, it can prevent your Auto Scaling Group from functioning properly"
+ type = list(string)
+ default = []
+ nullable = false
+}
+
+variable "max_instance_lifetime" {
+ description = "The maximum amount of time, in seconds, that an instance can be in service, values must be either equal to 0 or between 604800 and 31536000 seconds"
+ type = number
+ default = null
+}
+
+variable "enabled_metrics" {
+ description = "A list of metrics to collect. The allowed values are `GroupDesiredCapacity`, `GroupInServiceCapacity`, `GroupPendingCapacity`, `GroupMinSize`, `GroupMaxSize`, `GroupInServiceInstances`, `GroupPendingInstances`, `GroupStandbyInstances`, `GroupStandbyCapacity`, `GroupTerminatingCapacity`, `GroupTerminatingInstances`, `GroupTotalCapacity`, `GroupTotalInstances`"
+ type = list(string)
+ default = []
+ nullable = false
+}
+
+variable "metrics_granularity" {
+ description = "The granularity to associate with the metrics to collect. The only valid value is `1Minute`"
+ type = string
+ default = null
+}
+
+variable "initial_lifecycle_hooks" {
+ description = "One or more Lifecycle Hooks to attach to the Auto Scaling Group before instances are launched. The syntax is exactly the same as the separate `aws_autoscaling_lifecycle_hook` resource, without the `autoscaling_group_name` attribute. Please note that this will only work when creating a new Auto Scaling Group. For all other use-cases, please use `aws_autoscaling_lifecycle_hook` resource"
+ type = list(object({
+ default_result = optional(string)
+ heartbeat_timeout = optional(number)
+ lifecycle_transition = string
+ name = string
+ notification_metadata = optional(string)
+ notification_target_arn = optional(string)
+ role_arn = optional(string)
+ }))
+ default = null
+}
+
+variable "instance_maintenance_policy" {
+ description = "If this block is configured, add a instance maintenance policy to the specified Auto Scaling group"
+ type = object({
+ max_healthy_percentage = number
+ min_healthy_percentage = number
+ })
+ default = null
+}
+
+variable "instance_refresh" {
+ description = "If this block is configured, start an Instance Refresh when this Auto Scaling Group is updated"
+ type = object({
+ preferences = optional(object({
+ alarm_specification = optional(object({
+ alarms = optional(list(string))
+ }))
+ auto_rollback = optional(bool)
+ checkpoint_delay = optional(number)
+ checkpoint_percentages = optional(list(number))
+ instance_warmup = optional(number)
+ max_healthy_percentage = optional(number)
+ min_healthy_percentage = optional(number)
+ scale_in_protected_instances = optional(string)
+ skip_matching = optional(bool)
+ standby_instances = optional(string)
+ }))
+ strategy = optional(string)
+ triggers = optional(list(string))
+ })
+ default = {
+ strategy = "Rolling"
+ preferences = {
+ min_healthy_percentage = 66
+ }
+ }
+ nullable = false
+}
+
+variable "use_mixed_instances_policy" {
+ description = "Determines whether to use a mixed instances policy in the autoscaling group or not"
+ type = bool
+ default = false
+ nullable = false
+}
+
+variable "mixed_instances_policy" {
+ description = "Configuration block containing settings to define launch targets for Auto Scaling groups"
+ type = object({
+ instances_distribution = optional(object({
+ on_demand_allocation_strategy = optional(string)
+ on_demand_base_capacity = optional(number)
+ on_demand_percentage_above_base_capacity = optional(number)
+ spot_allocation_strategy = optional(string)
+ spot_instance_pools = optional(number)
+ spot_max_price = optional(string)
+ }))
+ launch_template = object({
+ override = optional(list(object({
+ instance_requirements = optional(object({
+ accelerator_count = optional(object({
+ max = optional(number)
+ min = optional(number)
+ }))
+ accelerator_manufacturers = optional(list(string))
+ accelerator_names = optional(list(string))
+ accelerator_total_memory_mib = optional(object({
+ max = optional(number)
+ min = optional(number)
+ }))
+ accelerator_types = optional(list(string))
+ allowed_instance_types = optional(list(string))
+ bare_metal = optional(string)
+ baseline_ebs_bandwidth_mbps = optional(object({
+ max = optional(number)
+ min = optional(number)
+ }))
+ burstable_performance = optional(string)
+ cpu_manufacturers = optional(list(string))
+ excluded_instance_types = optional(list(string))
+ instance_generations = optional(list(string))
+ local_storage = optional(string)
+ local_storage_types = optional(list(string))
+ max_spot_price_as_percentage_of_optimal_on_demand_price = optional(number)
+ memory_gib_per_vcpu = optional(object({
+ max = optional(number)
+ min = optional(number)
+ }))
+ memory_mib = optional(object({
+ max = optional(number)
+ min = optional(number)
+ }))
+ network_bandwidth_gbps = optional(object({
+ max = optional(number)
+ min = optional(number)
+ }))
+ network_interface_count = optional(object({
+ max = optional(number)
+ min = optional(number)
+ }))
+ on_demand_max_price_percentage_over_lowest_price = optional(number)
+ require_hibernate_support = optional(bool)
+ spot_max_price_percentage_over_lowest_price = optional(number)
+ total_local_storage_gb = optional(object({
+ max = optional(number)
+ min = optional(number)
+ }))
+ vcpu_count = optional(object({
+ max = optional(number)
+ min = optional(number)
+ }))
+ }))
+ instance_type = optional(string)
+ launch_template_specification = optional(object({
+ launch_template_id = optional(string)
+ launch_template_name = optional(string)
+ version = optional(string)
+ }))
+ weighted_capacity = optional(string)
+ })))
+ })
+ })
+ default = null
+}
+
+variable "timeouts" {
+ description = "Timeout configurations for the autoscaling group"
+ type = object({
+ delete = optional(string)
+ })
+ default = null
+}
+
+variable "autoscaling_group_tags" {
+ description = "A map of additional tags to add to the autoscaling group created. Tags are applied to the autoscaling group only and are NOT propagated to instances"
+ type = map(string)
+ default = {}
+ nullable = false
+}
+
+################################################################################
+# IAM Role
+################################################################################
+
+variable "create_iam_instance_profile" {
+ description = "Determines whether an IAM instance profile is created or to use an existing IAM instance profile"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "iam_instance_profile_arn" {
+ description = "Amazon Resource Name (ARN) of an existing IAM instance profile that provides permissions for the node group. Required if `create_iam_instance_profile` = `false`"
+ type = string
+ default = null
+}
+
+variable "iam_role_name" {
+ description = "Name to use on IAM role created"
+ type = string
+ default = null
+}
+
+variable "iam_role_use_name_prefix" {
+ description = "Determines whether cluster IAM role name (`iam_role_name`) is used as a prefix"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "iam_role_path" {
+ description = "IAM role path"
+ type = string
+ default = null
+}
+
+variable "iam_role_description" {
+ description = "Description of the role"
+ type = string
+ default = "Self managed node group IAM role"
+ nullable = false
+}
+
+variable "iam_role_permissions_boundary" {
+ description = "ARN of the policy that is used to set the permissions boundary for the IAM role"
+ type = string
+ default = null
+}
+
+variable "iam_role_attach_cni_policy" {
+ description = "Whether to attach the `AmazonEKS_CNI_Policy`/`AmazonEKS_CNI_IPv6_Policy` IAM policy to the IAM IAM role. WARNING: If set `false` the permissions must be assigned to the `aws-node` DaemonSet pods via another method or nodes will not be able to join the cluster"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "iam_role_additional_policies" {
+ description = "Additional policies to be added to the IAM role"
+ type = map(string)
+ default = {}
+ nullable = false
+}
+
+variable "iam_role_tags" {
+ description = "A map of additional tags to add to the IAM role created"
+ type = map(string)
+ default = {}
+ nullable = false
+}
+
+################################################################################
+# IAM Role Policy
+################################################################################
+
+variable "create_iam_role_policy" {
+ description = "Determines whether an IAM role policy is created or not"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "iam_role_policy_statements" {
+ description = "A list of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) - used for adding specific IAM permissions as needed"
+ type = list(object({
+ sid = optional(string)
+ actions = optional(list(string))
+ not_actions = optional(list(string))
+ effect = optional(string)
+ resources = optional(list(string))
+ not_resources = optional(list(string))
+ principals = optional(list(object({
+ type = string
+ identifiers = list(string)
+ })))
+ not_principals = optional(list(object({
+ type = string
+ identifiers = list(string)
+ })))
+ condition = optional(list(object({
+ test = string
+ values = list(string)
+ variable = string
+ })))
+ }))
+ default = null
+}
+
+################################################################################
+# Access Entry
+################################################################################
+
+variable "create_access_entry" {
+ description = "Determines whether an access entry is created for the IAM role used by the node group"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "iam_role_arn" {
+ description = "ARN of the IAM role used by the instance profile. Required when `create_access_entry = true` and `create_iam_instance_profile = false`"
+ type = string
+ default = null
+}
+
+################################################################################
+# Security Group
+################################################################################
+
+variable "create_security_group" {
+ description = "Determines if a security group is created"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "security_group_name" {
+ description = "Name to use on security group created"
+ type = string
+ default = null
+}
+
+variable "security_group_use_name_prefix" {
+ description = "Determines whether the security group name (`security_group_name`) is used as a prefix"
+ type = bool
+ default = true
+ nullable = false
+}
+
+variable "security_group_description" {
+ description = "Description of the security group created"
+ type = string
+ default = null
+}
+
+variable "security_group_ingress_rules" {
+ description = "Security group ingress rules to add to the security group created"
+ type = map(object({
+ name = optional(string)
+
+ cidr_ipv4 = optional(string)
+ cidr_ipv6 = optional(string)
+ description = optional(string)
+ from_port = optional(string)
+ ip_protocol = optional(string, "tcp")
+ prefix_list_id = optional(string)
+ referenced_security_group_id = optional(string)
+ self = optional(bool, false)
+ tags = optional(map(string), {})
+ to_port = optional(string)
+ }))
+ default = {}
+ nullable = false
+}
+
+variable "security_group_egress_rules" {
+ description = "Security group egress rules to add to the security group created"
+ type = map(object({
+ name = optional(string)
+
+ cidr_ipv4 = optional(string)
+ cidr_ipv6 = optional(string)
+ description = optional(string)
+ from_port = optional(string)
+ ip_protocol = optional(string, "tcp")
+ prefix_list_id = optional(string)
+ referenced_security_group_id = optional(string)
+ self = optional(bool, false)
+ tags = optional(map(string), {})
+ to_port = optional(string)
+ }))
+ default = {}
+ nullable = false
+}
+
+variable "security_group_tags" {
+ description = "A map of additional tags to add to the security group created"
+ type = map(string)
+ default = {}
+ nullable = false
+}
diff --git a/modules/self-managed-node-group/versions.tf b/modules/self-managed-node-group/versions.tf
new file mode 100644
index 0000000000..af99edcc27
--- /dev/null
+++ b/modules/self-managed-node-group/versions.tf
@@ -0,0 +1,16 @@
+terraform {
+ required_version = ">= 1.5.7"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 6.28"
+ }
+ }
+
+ provider_meta "aws" {
+ user_agent = [
+ "github.com/terraform-aws-modules/terraform-aws-eks"
+ ]
+ }
+}
diff --git a/node_groups.tf b/node_groups.tf
new file mode 100644
index 0000000000..f43a3e325d
--- /dev/null
+++ b/node_groups.tf
@@ -0,0 +1,545 @@
+locals {
+ kubernetes_network_config = try(aws_eks_cluster.this[0].kubernetes_network_config[0], {})
+}
+
+# This sleep resource is used to provide a timed gap between the cluster creation and the downstream dependencies
+# that consume the outputs from here. Any of the values that are used as triggers can be used in dependencies
+# to ensure that the downstream resources are created after both the cluster is ready and the sleep time has passed.
+# This was primarily added to give addons that need to be configured BEFORE data plane compute resources
+# enough time to create and configure themselves before the data plane compute resources are created.
+resource "time_sleep" "this" {
+ count = var.create ? 1 : 0
+
+ create_duration = var.dataplane_wait_duration
+
+ triggers = {
+ name = aws_eks_cluster.this[0].id
+ endpoint = aws_eks_cluster.this[0].endpoint
+ kubernetes_version = aws_eks_cluster.this[0].version
+ service_cidr = var.ip_family == "ipv6" ? try(local.kubernetes_network_config.service_ipv6_cidr, "") : try(local.kubernetes_network_config.service_ipv4_cidr, "")
+
+ certificate_authority_data = aws_eks_cluster.this[0].certificate_authority[0].data
+ }
+}
+
+################################################################################
+# EKS IPV6 CNI Policy
+# https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html#cni-iam-role-create-ipv6-policy
+################################################################################
+
+data "aws_iam_policy_document" "cni_ipv6_policy" {
+ count = var.create && var.create_cni_ipv6_iam_policy ? 1 : 0
+
+ statement {
+ sid = "AssignDescribe"
+ actions = [
+ "ec2:AssignIpv6Addresses",
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeInstanceTypes"
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "CreateTags"
+ actions = ["ec2:CreateTags"]
+ resources = ["arn:${local.partition}:ec2:*:*:network-interface/*"]
+ }
+}
+
+# Note - we are keeping this to a minimum in hopes that its soon replaced with an AWS managed policy like `AmazonEKS_CNI_Policy`
+resource "aws_iam_policy" "cni_ipv6_policy" {
+ count = var.create && var.create_cni_ipv6_iam_policy ? 1 : 0
+
+ # Will cause conflicts if trying to create on multiple clusters but necessary to reference by exact name in sub-modules
+ name = "AmazonEKS_CNI_IPv6_Policy"
+ description = "IAM policy for EKS CNI to assign IPV6 addresses"
+ policy = data.aws_iam_policy_document.cni_ipv6_policy[0].json
+
+ tags = var.tags
+}
+
+################################################################################
+# Node Security Group
+# Defaults follow https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html
+# Plus NTP/HTTPS (otherwise nodes fail to launch)
+################################################################################
+
+locals {
+ node_sg_name = coalesce(var.node_security_group_name, "${var.name}-node")
+ create_node_sg = var.create && var.create_node_security_group
+
+ node_security_group_id = local.create_node_sg ? aws_security_group.node[0].id : var.node_security_group_id
+
+ node_security_group_rules = {
+ ingress_cluster_443 = {
+ description = "Cluster API to node groups"
+ protocol = "tcp"
+ from_port = 443
+ to_port = 443
+ type = "ingress"
+ source_cluster_security_group = true
+ }
+ ingress_cluster_kubelet = {
+ description = "Cluster API to node kubelets"
+ protocol = "tcp"
+ from_port = 10250
+ to_port = 10250
+ type = "ingress"
+ source_cluster_security_group = true
+ }
+ ingress_self_coredns_tcp = {
+ description = "Node to node CoreDNS"
+ protocol = "tcp"
+ from_port = 53
+ to_port = 53
+ type = "ingress"
+ self = true
+ }
+ ingress_self_coredns_udp = {
+ description = "Node to node CoreDNS UDP"
+ protocol = "udp"
+ from_port = 53
+ to_port = 53
+ type = "ingress"
+ self = true
+ }
+ }
+
+ node_security_group_recommended_rules = { for k, v in {
+ ingress_nodes_ephemeral = {
+ description = "Node to node ingress on ephemeral ports"
+ protocol = "tcp"
+ from_port = 1025
+ to_port = 65535
+ type = "ingress"
+ self = true
+ }
+ # metrics-server, legacy port - TODO: remove this on the next breaking change at v22
+ ingress_cluster_4443_webhook = {
+ description = "Cluster API to node 4443/tcp webhook"
+ protocol = "tcp"
+ from_port = 4443
+ to_port = 4443
+ type = "ingress"
+ source_cluster_security_group = true
+ }
+ # metrics-server, current EKS default port
+ ingress_cluster_10251_webhook = {
+ description = "Cluster API to node 10251/tcp webhook"
+ protocol = "tcp"
+ from_port = 10251
+ to_port = 10251
+ type = "ingress"
+ source_cluster_security_group = true
+ }
+ # prometheus-adapter
+ ingress_cluster_6443_webhook = {
+ description = "Cluster API to node 6443/tcp webhook"
+ protocol = "tcp"
+ from_port = 6443
+ to_port = 6443
+ type = "ingress"
+ source_cluster_security_group = true
+ }
+ # Karpenter
+ ingress_cluster_8443_webhook = {
+ description = "Cluster API to node 8443/tcp webhook"
+ protocol = "tcp"
+ from_port = 8443
+ to_port = 8443
+ type = "ingress"
+ source_cluster_security_group = true
+ }
+ # ALB controller, NGINX
+ ingress_cluster_9443_webhook = {
+ description = "Cluster API to node 9443/tcp webhook"
+ protocol = "tcp"
+ from_port = 9443
+ to_port = 9443
+ type = "ingress"
+ source_cluster_security_group = true
+ }
+ egress_all = {
+ description = "Allow all egress"
+ protocol = "-1"
+ from_port = 0
+ to_port = 0
+ type = "egress"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = var.ip_family == "ipv6" ? ["::/0"] : null
+ }
+ } : k => v if var.node_security_group_enable_recommended_rules }
+}
+
+resource "aws_security_group" "node" {
+ count = local.create_node_sg ? 1 : 0
+
+ region = var.region
+
+ name = var.node_security_group_use_name_prefix ? null : local.node_sg_name
+ name_prefix = var.node_security_group_use_name_prefix ? "${local.node_sg_name}${var.prefix_separator}" : null
+ description = var.node_security_group_description
+ vpc_id = var.vpc_id
+
+ tags = merge(
+ var.tags,
+ {
+ "Name" = local.node_sg_name
+ "kubernetes.io/cluster/${var.name}" = "owned"
+ },
+ var.node_security_group_tags
+ )
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+resource "aws_security_group_rule" "node" {
+ for_each = { for k, v in merge(
+ local.node_security_group_rules,
+ local.node_security_group_recommended_rules,
+ var.node_security_group_additional_rules,
+ ) : k => v if local.create_node_sg }
+
+ region = var.region
+
+ security_group_id = aws_security_group.node[0].id
+ protocol = each.value.protocol
+ from_port = each.value.from_port
+ to_port = each.value.to_port
+ type = each.value.type
+ description = try(each.value.description, null)
+ cidr_blocks = try(each.value.cidr_blocks, null)
+ ipv6_cidr_blocks = try(each.value.ipv6_cidr_blocks, null)
+ prefix_list_ids = try(each.value.prefix_list_ids, null)
+ self = try(each.value.self, null)
+ source_security_group_id = try(each.value.source_cluster_security_group, false) ? local.security_group_id : try(each.value.source_security_group_id, null)
+}
+
+################################################################################
+# Fargate Profile
+################################################################################
+
+module "fargate_profile" {
+ source = "./modules/fargate-profile"
+
+ for_each = var.create && !local.create_outposts_local_cluster && var.fargate_profiles != null ? var.fargate_profiles : {}
+
+ create = each.value.create
+
+ region = var.region
+
+ # Pass through values to reduce GET requests from data sources
+ partition = local.partition
+ account_id = local.account_id
+
+ # Fargate Profile
+ cluster_name = time_sleep.this[0].triggers["name"]
+ cluster_ip_family = var.ip_family
+ name = coalesce(each.value.name, each.key)
+ subnet_ids = coalesce(each.value.subnet_ids, var.subnet_ids)
+ selectors = each.value.selectors
+ timeouts = each.value.timeouts
+
+ # IAM role
+ create_iam_role = each.value.create_iam_role
+ iam_role_arn = each.value.iam_role_arn
+ iam_role_name = each.value.iam_role_name
+ iam_role_use_name_prefix = each.value.iam_role_use_name_prefix
+ iam_role_path = each.value.iam_role_path
+ iam_role_description = each.value.iam_role_description
+ iam_role_permissions_boundary = each.value.iam_role_permissions_boundary
+ iam_role_tags = each.value.iam_role_tags
+ iam_role_attach_cni_policy = each.value.iam_role_attach_cni_policy
+ iam_role_additional_policies = lookup(each.value, "iam_role_additional_policies", null)
+ create_iam_role_policy = each.value.create_iam_role_policy
+ iam_role_policy_statements = each.value.iam_role_policy_statements
+
+ tags = merge(
+ var.tags,
+ each.value.tags,
+ )
+}
+
+################################################################################
+# EKS Managed Node Group
+################################################################################
+
+module "eks_managed_node_group" {
+ source = "./modules/eks-managed-node-group"
+
+ for_each = var.create && !local.create_outposts_local_cluster && var.eks_managed_node_groups != null ? var.eks_managed_node_groups : {}
+
+ create = each.value.create
+
+ region = var.region
+
+ # Pass through values to reduce GET requests from data sources
+ partition = local.partition
+ account_id = local.account_id
+
+ cluster_name = time_sleep.this[0].triggers["name"]
+ kubernetes_version = each.value.kubernetes_version != null ? each.value.kubernetes_version : time_sleep.this[0].triggers["kubernetes_version"]
+
+
+ # EKS Managed Node Group
+ name = coalesce(each.value.name, each.key)
+ use_name_prefix = each.value.use_name_prefix
+
+ subnet_ids = coalesce(each.value.subnet_ids, var.subnet_ids)
+
+ min_size = each.value.min_size
+ max_size = each.value.max_size
+ desired_size = each.value.desired_size
+
+ ami_id = each.value.ami_id
+ ami_type = each.value.ami_type
+ ami_release_version = each.value.ami_release_version
+ use_latest_ami_release_version = each.value.use_latest_ami_release_version
+
+ capacity_type = each.value.capacity_type
+ disk_size = each.value.disk_size
+ force_update_version = each.value.force_update_version
+ instance_types = each.value.instance_types
+ labels = each.value.labels
+ node_repair_config = each.value.node_repair_config
+ remote_access = each.value.remote_access
+ taints = each.value.taints
+ update_config = each.value.update_config
+ timeouts = each.value.timeouts
+
+ # User data
+ cluster_endpoint = try(time_sleep.this[0].triggers["endpoint"], "")
+ cluster_auth_base64 = try(time_sleep.this[0].triggers["certificate_authority_data"], "")
+ cluster_ip_family = var.ip_family
+ cluster_service_cidr = try(time_sleep.this[0].triggers["service_cidr"], "")
+ enable_bootstrap_user_data = each.value.enable_bootstrap_user_data
+ pre_bootstrap_user_data = each.value.pre_bootstrap_user_data
+ post_bootstrap_user_data = each.value.post_bootstrap_user_data
+ bootstrap_extra_args = each.value.bootstrap_extra_args
+ user_data_template_path = each.value.user_data_template_path
+ cloudinit_pre_nodeadm = each.value.cloudinit_pre_nodeadm
+ cloudinit_post_nodeadm = each.value.cloudinit_post_nodeadm
+
+ # Launch Template
+ create_launch_template = each.value.create_launch_template
+ use_custom_launch_template = each.value.use_custom_launch_template
+ launch_template_id = each.value.launch_template_id
+ launch_template_name = coalesce(each.value.launch_template_name, each.key)
+ launch_template_use_name_prefix = each.value.launch_template_use_name_prefix
+ launch_template_version = each.value.launch_template_version
+ launch_template_default_version = each.value.launch_template_default_version
+ update_launch_template_default_version = each.value.update_launch_template_default_version
+ launch_template_description = coalesce(each.value.launch_template_description, "Custom launch template for ${coalesce(each.value.name, each.key)} EKS managed node group")
+ launch_template_tags = each.value.launch_template_tags
+ tag_specifications = each.value.tag_specifications
+
+ ebs_optimized = each.value.ebs_optimized
+ key_name = each.value.key_name
+ disable_api_termination = each.value.disable_api_termination
+ kernel_id = each.value.kernel_id
+ ram_disk_id = each.value.ram_disk_id
+
+ block_device_mappings = each.value.block_device_mappings
+ capacity_reservation_specification = each.value.capacity_reservation_specification
+ cpu_options = each.value.cpu_options
+ credit_specification = each.value.credit_specification
+ enclave_options = each.value.enclave_options
+ instance_market_options = each.value.instance_market_options
+ license_specifications = each.value.license_specifications
+ metadata_options = each.value.metadata_options
+ enable_monitoring = each.value.enable_monitoring
+ enable_efa_support = each.value.enable_efa_support
+ enable_efa_only = each.value.enable_efa_only
+ efa_indices = each.value.efa_indices
+ create_placement_group = each.value.create_placement_group
+ placement = each.value.placement
+ network_interfaces = each.value.network_interfaces
+ maintenance_options = each.value.maintenance_options
+ private_dns_name_options = each.value.private_dns_name_options
+
+ # IAM role
+ create_iam_role = each.value.create_iam_role
+ iam_role_arn = each.value.iam_role_arn
+ iam_role_name = each.value.iam_role_name
+ iam_role_use_name_prefix = each.value.iam_role_use_name_prefix
+ iam_role_path = each.value.iam_role_path
+ iam_role_description = each.value.iam_role_description
+ iam_role_permissions_boundary = each.value.iam_role_permissions_boundary
+ iam_role_tags = each.value.iam_role_tags
+ iam_role_attach_cni_policy = each.value.iam_role_attach_cni_policy
+ iam_role_additional_policies = lookup(each.value, "iam_role_additional_policies", null)
+ create_iam_role_policy = each.value.create_iam_role_policy
+ iam_role_policy_statements = each.value.iam_role_policy_statements
+
+ # Security group
+ vpc_security_group_ids = compact(concat([local.node_security_group_id], each.value.vpc_security_group_ids))
+ cluster_primary_security_group_id = each.value.attach_cluster_primary_security_group ? aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id : null
+ create_security_group = each.value.create_security_group
+ security_group_name = each.value.security_group_name
+ security_group_use_name_prefix = each.value.security_group_use_name_prefix
+ security_group_description = each.value.security_group_description
+ security_group_ingress_rules = each.value.security_group_ingress_rules
+ security_group_egress_rules = each.value.security_group_egress_rules
+ security_group_tags = each.value.security_group_tags
+
+ tags = merge(
+ var.tags,
+ each.value.tags,
+ )
+}
+
+################################################################################
+# Self Managed Node Group
+################################################################################
+
+module "self_managed_node_group" {
+ source = "./modules/self-managed-node-group"
+
+ for_each = var.create && var.self_managed_node_groups != null ? var.self_managed_node_groups : {}
+
+ create = each.value.create
+
+ region = var.region
+
+ # Pass through values to reduce GET requests from data sources
+ partition = local.partition
+ account_id = local.account_id
+
+ cluster_name = time_sleep.this[0].triggers["name"]
+
+ # Autoscaling Group
+ create_autoscaling_group = each.value.create_autoscaling_group
+
+ name = coalesce(each.value.name, each.key)
+ use_name_prefix = each.value.use_name_prefix
+
+ availability_zones = each.value.availability_zones
+ subnet_ids = coalesce(each.value.subnet_ids, var.subnet_ids)
+
+ min_size = each.value.min_size
+ max_size = each.value.max_size
+ desired_size = each.value.desired_size
+ desired_size_type = each.value.desired_size_type
+ capacity_rebalance = each.value.capacity_rebalance
+ default_instance_warmup = each.value.default_instance_warmup
+ protect_from_scale_in = each.value.protect_from_scale_in
+ context = each.value.context
+
+ create_placement_group = each.value.create_placement_group
+ placement_group = each.value.placement_group
+ health_check_type = each.value.health_check_type
+ health_check_grace_period = each.value.health_check_grace_period
+
+ ignore_failed_scaling_activities = each.value.ignore_failed_scaling_activities
+
+ force_delete = each.value.force_delete
+ termination_policies = each.value.termination_policies
+ suspended_processes = each.value.suspended_processes
+ max_instance_lifetime = each.value.max_instance_lifetime
+
+ enabled_metrics = each.value.enabled_metrics
+ metrics_granularity = each.value.metrics_granularity
+
+ initial_lifecycle_hooks = each.value.initial_lifecycle_hooks
+ instance_maintenance_policy = each.value.instance_maintenance_policy
+ instance_refresh = each.value.instance_refresh
+ use_mixed_instances_policy = each.value.use_mixed_instances_policy
+ mixed_instances_policy = each.value.mixed_instances_policy
+
+ timeouts = each.value.timeouts
+ autoscaling_group_tags = each.value.autoscaling_group_tags
+
+ # User data
+ ami_type = each.value.ami_type
+ cluster_endpoint = try(time_sleep.this[0].triggers["endpoint"], "")
+ cluster_auth_base64 = try(time_sleep.this[0].triggers["certificate_authority_data"], "")
+ cluster_service_cidr = try(time_sleep.this[0].triggers["service_cidr"], "")
+ additional_cluster_dns_ips = each.value.additional_cluster_dns_ips
+ cluster_ip_family = var.ip_family
+ pre_bootstrap_user_data = each.value.pre_bootstrap_user_data
+ post_bootstrap_user_data = each.value.post_bootstrap_user_data
+ bootstrap_extra_args = each.value.bootstrap_extra_args
+ user_data_template_path = each.value.user_data_template_path
+ cloudinit_pre_nodeadm = each.value.cloudinit_pre_nodeadm
+ cloudinit_post_nodeadm = each.value.cloudinit_post_nodeadm
+
+ # Launch Template
+ create_launch_template = each.value.create_launch_template
+ launch_template_id = each.value.launch_template_id
+ launch_template_name = coalesce(each.value.launch_template_name, each.key)
+ launch_template_use_name_prefix = each.value.launch_template_use_name_prefix
+ launch_template_version = each.value.launch_template_version
+ launch_template_default_version = each.value.launch_template_default_version
+ update_launch_template_default_version = each.value.update_launch_template_default_version
+ launch_template_description = coalesce(each.value.launch_template_description, "Custom launch template for ${coalesce(each.value.name, each.key)} self managed node group")
+ launch_template_tags = each.value.launch_template_tags
+ tag_specifications = each.value.tag_specifications
+
+ ebs_optimized = each.value.ebs_optimized
+ ami_id = each.value.ami_id
+ kubernetes_version = each.value.kubernetes_version != null ? each.value.kubernetes_version : time_sleep.this[0].triggers["kubernetes_version"]
+ instance_type = each.value.instance_type
+ key_name = each.value.key_name
+
+ disable_api_termination = each.value.disable_api_termination
+ instance_initiated_shutdown_behavior = each.value.instance_initiated_shutdown_behavior
+ kernel_id = each.value.kernel_id
+ ram_disk_id = each.value.ram_disk_id
+
+ block_device_mappings = each.value.block_device_mappings
+ capacity_reservation_specification = each.value.capacity_reservation_specification
+ cpu_options = each.value.cpu_options
+ credit_specification = each.value.credit_specification
+ enclave_options = each.value.enclave_options
+ instance_requirements = each.value.instance_requirements
+ instance_market_options = each.value.instance_market_options
+ license_specifications = each.value.license_specifications
+ metadata_options = each.value.metadata_options
+ enable_monitoring = each.value.enable_monitoring
+ enable_efa_support = each.value.enable_efa_support
+ enable_efa_only = each.value.enable_efa_only
+ efa_indices = each.value.efa_indices
+ network_interfaces = each.value.network_interfaces
+ placement = each.value.placement
+ maintenance_options = each.value.maintenance_options
+ private_dns_name_options = each.value.private_dns_name_options
+
+ # IAM role
+ create_iam_instance_profile = each.value.create_iam_instance_profile
+ iam_instance_profile_arn = each.value.iam_instance_profile_arn
+ iam_role_name = each.value.iam_role_name
+ iam_role_use_name_prefix = each.value.iam_role_use_name_prefix
+ iam_role_path = each.value.iam_role_path
+ iam_role_description = each.value.iam_role_description
+ iam_role_permissions_boundary = each.value.iam_role_permissions_boundary
+ iam_role_tags = each.value.iam_role_tags
+ iam_role_attach_cni_policy = each.value.iam_role_attach_cni_policy
+ iam_role_additional_policies = lookup(each.value, "iam_role_additional_policies", null)
+ create_iam_role_policy = each.value.create_iam_role_policy
+ iam_role_policy_statements = each.value.iam_role_policy_statements
+
+ # Access entry
+ create_access_entry = each.value.create_access_entry
+ iam_role_arn = each.value.iam_role_arn
+
+ # Security group
+ vpc_security_group_ids = compact(concat([local.node_security_group_id], each.value.vpc_security_group_ids))
+ cluster_primary_security_group_id = each.value.attach_cluster_primary_security_group ? aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id : null
+ create_security_group = each.value.create_security_group
+ security_group_name = each.value.security_group_name
+ security_group_use_name_prefix = each.value.security_group_use_name_prefix
+ security_group_description = each.value.security_group_description
+ security_group_ingress_rules = each.value.security_group_ingress_rules
+ security_group_egress_rules = each.value.security_group_egress_rules
+ security_group_tags = each.value.security_group_tags
+
+ tags = merge(
+ var.tags,
+ each.value.tags,
+ )
+}
diff --git a/outputs.tf b/outputs.tf
index 1521d5c379..027e35d051 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,90 +1,281 @@
-output "cluster_id" {
- description = "The name/id of the EKS cluster."
- value = "${aws_eks_cluster.this.id}"
-}
+################################################################################
+# Cluster
+################################################################################
-# Though documented, not yet supported
-# output "cluster_arn" {
-# description = "The Amazon Resource Name (ARN) of the cluster."
-# value = "${aws_eks_cluster.this.arn}"
-# }
+output "cluster_arn" {
+ description = "The Amazon Resource Name (ARN) of the cluster"
+ value = try(aws_eks_cluster.this[0].arn, null)
+
+ depends_on = [
+ aws_eks_access_entry.this,
+ aws_eks_access_policy_association.this,
+ ]
+}
output "cluster_certificate_authority_data" {
- description = "Nested attribute containing certificate-authority-data for your cluster. This is the base64 encoded certificate data required to communicate with your cluster."
- value = "${aws_eks_cluster.this.certificate_authority.0.data}"
+ description = "Base64 encoded certificate data required to communicate with the cluster"
+ value = try(aws_eks_cluster.this[0].certificate_authority[0].data, null)
+
+ depends_on = [
+ aws_eks_access_entry.this,
+ aws_eks_access_policy_association.this,
+ ]
}
output "cluster_endpoint" {
- description = "The endpoint for your EKS Kubernetes API."
- value = "${aws_eks_cluster.this.endpoint}"
+ description = "Endpoint for your Kubernetes API server"
+ value = try(aws_eks_cluster.this[0].endpoint, null)
+
+ depends_on = [
+ aws_eks_access_entry.this,
+ aws_eks_access_policy_association.this,
+ ]
+}
+
+output "cluster_id" {
+ description = "The ID of the EKS cluster. Note: currently a value is returned only for local EKS clusters created on Outposts"
+ value = try(aws_eks_cluster.this[0].cluster_id, "")
+}
+
+output "cluster_name" {
+ description = "The name of the EKS cluster"
+ value = try(aws_eks_cluster.this[0].name, "")
+
+ depends_on = [
+ aws_eks_access_entry.this,
+ aws_eks_access_policy_association.this,
+ ]
+}
+
+output "cluster_oidc_issuer_url" {
+ description = "The URL on the EKS cluster for the OpenID Connect identity provider"
+ value = try(aws_eks_cluster.this[0].identity[0].oidc[0].issuer, null)
+}
+
+output "cluster_dualstack_oidc_issuer_url" {
+ description = "Dual-stack compatible URL on the EKS cluster for the OpenID Connect identity provider"
+ # https://github.com/aws/containers-roadmap/issues/2038#issuecomment-2278450601
+ value = try(replace(replace(aws_eks_cluster.this[0].identity[0].oidc[0].issuer, "https://oidc.eks.", "https://oidc-eks."), ".amazonaws.com/", ".api.aws/"), null)
}
output "cluster_version" {
- description = "The Kubernetes server version for the EKS cluster."
- value = "${aws_eks_cluster.this.version}"
+ description = "The Kubernetes version for the cluster"
+ value = try(aws_eks_cluster.this[0].version, null)
+}
+
+output "cluster_platform_version" {
+ description = "Platform version for the cluster"
+ value = try(aws_eks_cluster.this[0].platform_version, null)
+}
+
+output "cluster_status" {
+ description = "Status of the EKS cluster. One of `CREATING`, `ACTIVE`, `DELETING`, `FAILED`"
+ value = try(aws_eks_cluster.this[0].status, null)
+}
+
+output "cluster_primary_security_group_id" {
+ description = "Cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication. Referred to as 'Cluster security group' in the EKS console"
+ value = try(aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id, null)
+}
+
+output "cluster_service_cidr" {
+ description = "The CIDR block where Kubernetes pod and service IP addresses are assigned from"
+ value = var.ip_family == "ipv6" ? try(aws_eks_cluster.this[0].kubernetes_network_config[0].service_ipv6_cidr, null) : try(aws_eks_cluster.this[0].kubernetes_network_config[0].service_ipv4_cidr, null)
+}
+
+output "cluster_ip_family" {
+ description = "The IP family used by the cluster (e.g. `ipv4` or `ipv6`)"
+ value = try(aws_eks_cluster.this[0].kubernetes_network_config[0].ip_family, null)
+}
+
+output "cluster_control_plane_scaling_tier" {
+ description = "The EKS Provisioned Control Plane scaling tier for the cluster"
+ value = try(aws_eks_cluster.this[0].control_plane_scaling_config[0].tier, null)
+}
+
+################################################################################
+# Access Entry
+################################################################################
+
+output "access_entries" {
+ description = "Map of access entries created and their attributes"
+ value = aws_eks_access_entry.this
+}
+
+output "access_policy_associations" {
+ description = "Map of eks cluster access policy associations created and their attributes"
+ value = aws_eks_access_policy_association.this
+}
+
+################################################################################
+# KMS Key
+################################################################################
+
+output "kms_key_arn" {
+ description = "The Amazon Resource Name (ARN) of the key"
+ value = module.kms.key_arn
+}
+
+output "kms_key_id" {
+ description = "The globally unique identifier for the key"
+ value = module.kms.key_id
+}
+
+output "kms_key_policy" {
+ description = "The IAM resource policy set on the key"
+ value = module.kms.key_policy
+}
+
+################################################################################
+# Cluster Security Group
+################################################################################
+
+output "cluster_security_group_arn" {
+ description = "Amazon Resource Name (ARN) of the cluster security group"
+ value = try(aws_security_group.cluster[0].arn, null)
}
output "cluster_security_group_id" {
- description = "Security group ID attached to the EKS cluster."
- value = "${local.cluster_security_group_id}"
+ description = "ID of the cluster security group"
+ value = try(aws_security_group.cluster[0].id, null)
+}
+
+################################################################################
+# Node Security Group
+################################################################################
+
+output "node_security_group_arn" {
+ description = "Amazon Resource Name (ARN) of the node shared security group"
+ value = try(aws_security_group.node[0].arn, null)
+}
+
+output "node_security_group_id" {
+ description = "ID of the node shared security group"
+ value = try(aws_security_group.node[0].id, null)
+}
+
+################################################################################
+# IRSA
+################################################################################
+
+output "oidc_provider" {
+ description = "The OpenID Connect identity provider (issuer URL without leading `https://`)"
+ value = try(replace(aws_eks_cluster.this[0].identity[0].oidc[0].issuer, "https://", ""), null)
+}
+
+output "oidc_provider_arn" {
+ description = "The ARN of the OIDC Provider if `enable_irsa = true`"
+ value = try(aws_iam_openid_connect_provider.oidc_provider[0].arn, null)
}
-output "config_map_aws_auth" {
- description = "A kubernetes configuration to authenticate to this EKS cluster."
- value = "${data.template_file.config_map_aws_auth.rendered}"
+output "cluster_tls_certificate_sha1_fingerprint" {
+ description = "The SHA1 fingerprint of the public key of the cluster's certificate"
+ value = try(data.tls_certificate.this[0].certificates[0].sha1_fingerprint, null)
}
+################################################################################
+# IAM Role
+################################################################################
+
output "cluster_iam_role_name" {
- description = "IAM role name of the EKS cluster."
- value = "${aws_iam_role.cluster.name}"
+ description = "Cluster IAM role name"
+ value = try(aws_iam_role.this[0].name, null)
}
output "cluster_iam_role_arn" {
- description = "IAM role ARN of the EKS cluster."
- value = "${aws_iam_role.cluster.arn}"
+ description = "Cluster IAM role ARN"
+ value = try(aws_iam_role.this[0].arn, null)
}
-output "kubeconfig" {
- description = "kubectl config file contents for this EKS cluster."
- value = "${data.template_file.kubeconfig.rendered}"
+output "cluster_iam_role_unique_id" {
+ description = "Stable and unique string identifying the IAM role"
+ value = try(aws_iam_role.this[0].unique_id, null)
}
-output "kubeconfig_filename" {
- description = "The filename of the generated kubectl config."
- value = "${element(concat(local_file.kubeconfig.*.filename, list("")), 0)}"
+################################################################################
+# EKS Auto Node IAM Role
+################################################################################
+
+output "node_iam_role_name" {
+ description = "EKS Auto node IAM role name"
+ value = try(aws_iam_role.eks_auto[0].name, null)
}
-output "workers_asg_arns" {
- description = "IDs of the autoscaling groups containing workers."
- value = "${concat(aws_autoscaling_group.workers.*.arn, aws_autoscaling_group.workers_launch_template.*.arn)}"
+output "node_iam_role_arn" {
+ description = "EKS Auto node IAM role ARN"
+ value = try(aws_iam_role.eks_auto[0].arn, null)
}
-output "workers_asg_names" {
- description = "Names of the autoscaling groups containing workers."
- value = "${concat(aws_autoscaling_group.workers.*.id, aws_autoscaling_group.workers_launch_template.*.id)}"
+output "node_iam_role_unique_id" {
+ description = "Stable and unique string identifying the IAM role"
+ value = try(aws_iam_role.eks_auto[0].unique_id, null)
}
-output "worker_security_group_id" {
- description = "Security group ID attached to the EKS workers."
- value = "${local.worker_security_group_id}"
+################################################################################
+# EKS Addons
+################################################################################
+
+output "cluster_addons" {
+ description = "Map of attribute maps for all EKS cluster addons enabled"
+ value = merge(aws_eks_addon.this, aws_eks_addon.before_compute)
}
-output "worker_iam_instance_profile_arns" {
- description = "default IAM instance profile ARN for EKS worker groups"
- value = "${aws_iam_instance_profile.workers.*.arn}"
+################################################################################
+# EKS Identity Provider
+################################################################################
+
+output "cluster_identity_providers" {
+ description = "Map of attribute maps for all EKS identity providers enabled"
+ value = aws_eks_identity_provider_config.this
}
-output "worker_iam_instance_profile_names" {
- description = "default IAM instance profile name for EKS worker groups"
- value = "${aws_iam_instance_profile.workers.*.name}"
+################################################################################
+# CloudWatch Log Group
+################################################################################
+
+output "cloudwatch_log_group_name" {
+ description = "Name of cloudwatch log group created"
+ value = try(aws_cloudwatch_log_group.this[0].name, null)
+}
+
+output "cloudwatch_log_group_arn" {
+ description = "Arn of cloudwatch log group created"
+ value = try(aws_cloudwatch_log_group.this[0].arn, null)
}
-output "worker_iam_role_name" {
- description = "default IAM role name for EKS worker groups"
- value = "${aws_iam_role.workers.name}"
+################################################################################
+# Fargate Profile
+################################################################################
+
+output "fargate_profiles" {
+ description = "Map of attribute maps for all EKS Fargate Profiles created"
+ value = module.fargate_profile
+}
+
+################################################################################
+# EKS Managed Node Group
+################################################################################
+
+output "eks_managed_node_groups" {
+ description = "Map of attribute maps for all EKS managed node groups created"
+ value = module.eks_managed_node_group
+}
+
+output "eks_managed_node_groups_autoscaling_group_names" {
+ description = "List of the autoscaling group names created by EKS managed node groups"
+ value = compact(flatten([for group in module.eks_managed_node_group : group.node_group_autoscaling_group_names]))
+}
+
+################################################################################
+# Self Managed Node Group
+################################################################################
+
+output "self_managed_node_groups" {
+ description = "Map of attribute maps for all self managed node groups created"
+ value = module.self_managed_node_group
}
-output "worker_iam_role_arn" {
- description = "default IAM role ARN for EKS worker groups"
- value = "${aws_iam_role.workers.arn}"
+output "self_managed_node_groups_autoscaling_group_names" {
+ description = "List of the autoscaling group names created by self-managed node groups"
+ value = compact([for group in module.self_managed_node_group : group.autoscaling_group_name])
}
diff --git a/templates/al2023_user_data.tpl b/templates/al2023_user_data.tpl
new file mode 100644
index 0000000000..cc360e6d65
--- /dev/null
+++ b/templates/al2023_user_data.tpl
@@ -0,0 +1,11 @@
+%{ if enable_bootstrap_user_data ~}
+---
+apiVersion: node.eks.aws/v1alpha1
+kind: NodeConfig
+spec:
+ cluster:
+ name: ${cluster_name}
+ apiServerEndpoint: ${cluster_endpoint}
+ certificateAuthority: ${cluster_auth_base64}
+ cidr: ${cluster_service_cidr}
+%{ endif ~}
diff --git a/templates/al2_user_data.tpl b/templates/al2_user_data.tpl
new file mode 100644
index 0000000000..d75d549ccc
--- /dev/null
+++ b/templates/al2_user_data.tpl
@@ -0,0 +1,12 @@
+%{ if enable_bootstrap_user_data ~}
+#!/bin/bash
+set -e
+%{ endif ~}
+${pre_bootstrap_user_data ~}
+%{ if enable_bootstrap_user_data ~}
+B64_CLUSTER_CA=${cluster_auth_base64}
+API_SERVER_URL=${cluster_endpoint}
+/etc/eks/bootstrap.sh ${cluster_name} ${bootstrap_extra_args} --b64-cluster-ca $B64_CLUSTER_CA --apiserver-endpoint $API_SERVER_URL \
+ --ip-family ${cluster_ip_family} --service-${cluster_ip_family}-cidr ${cluster_service_cidr}
+${post_bootstrap_user_data ~}
+%{ endif ~}
diff --git a/templates/bottlerocket_user_data.tpl b/templates/bottlerocket_user_data.tpl
new file mode 100644
index 0000000000..666d666069
--- /dev/null
+++ b/templates/bottlerocket_user_data.tpl
@@ -0,0 +1,8 @@
+%{ if enable_bootstrap_user_data ~}
+[settings.kubernetes]
+"cluster-name" = "${cluster_name}"
+"api-server" = "${cluster_endpoint}"
+"cluster-certificate" = "${cluster_auth_base64}"
+"cluster-dns-ip" = ${cluster_dns_ips}
+%{ endif ~}
+${bootstrap_extra_args ~}
diff --git a/templates/config-map-aws-auth-map_accounts.yaml.tpl b/templates/config-map-aws-auth-map_accounts.yaml.tpl
deleted file mode 100644
index 26dc5078f4..0000000000
--- a/templates/config-map-aws-auth-map_accounts.yaml.tpl
+++ /dev/null
@@ -1 +0,0 @@
- - "${account_number}"
diff --git a/templates/config-map-aws-auth-map_roles.yaml.tpl b/templates/config-map-aws-auth-map_roles.yaml.tpl
deleted file mode 100644
index 9f321b7be6..0000000000
--- a/templates/config-map-aws-auth-map_roles.yaml.tpl
+++ /dev/null
@@ -1,4 +0,0 @@
- - rolearn: ${role_arn}
- username: ${username}
- groups:
- - ${group}
diff --git a/templates/config-map-aws-auth-map_users.yaml.tpl b/templates/config-map-aws-auth-map_users.yaml.tpl
deleted file mode 100644
index 92499de41c..0000000000
--- a/templates/config-map-aws-auth-map_users.yaml.tpl
+++ /dev/null
@@ -1,4 +0,0 @@
- - userarn: ${user_arn}
- username: ${username}
- groups:
- - ${group}
diff --git a/templates/config-map-aws-auth.yaml.tpl b/templates/config-map-aws-auth.yaml.tpl
deleted file mode 100644
index 86f4f5f998..0000000000
--- a/templates/config-map-aws-auth.yaml.tpl
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: aws-auth
- namespace: kube-system
-data:
- mapRoles: |
-${worker_role_arn}
-${map_roles}
- mapUsers: |
-${map_users}
- mapAccounts: |
-${map_accounts}
diff --git a/templates/kubeconfig.tpl b/templates/kubeconfig.tpl
deleted file mode 100644
index 1696391e89..0000000000
--- a/templates/kubeconfig.tpl
+++ /dev/null
@@ -1,28 +0,0 @@
-apiVersion: v1
-preferences: {}
-kind: Config
-
-clusters:
-- cluster:
- server: ${endpoint}
- certificate-authority-data: ${cluster_auth_base64}
- name: ${kubeconfig_name}
-
-contexts:
-- context:
- cluster: ${kubeconfig_name}
- user: ${kubeconfig_name}
- name: ${kubeconfig_name}
-
-current-context: ${kubeconfig_name}
-
-users:
-- name: ${kubeconfig_name}
- user:
- exec:
- apiVersion: client.authentication.k8s.io/v1alpha1
- command: ${aws_authenticator_command}
- args:
-${aws_authenticator_command_args}
-${aws_authenticator_additional_args}
-${aws_authenticator_env_variables}
diff --git a/templates/userdata.sh.tpl b/templates/userdata.sh.tpl
deleted file mode 100644
index ba8ea2800b..0000000000
--- a/templates/userdata.sh.tpl
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash -xe
-
-# Allow user supplied pre userdata code
-${pre_userdata}
-
-# Bootstrap and join the cluster
-/etc/eks/bootstrap.sh --b64-cluster-ca '${cluster_auth_base64}' --apiserver-endpoint '${endpoint}' ${bootstrap_extra_args} --kubelet-extra-args '${kubelet_extra_args}' '${cluster_name}'
-
-# Allow user supplied userdata code
-${additional_userdata}
diff --git a/templates/windows_user_data.tpl b/templates/windows_user_data.tpl
new file mode 100644
index 0000000000..9721d3cc33
--- /dev/null
+++ b/templates/windows_user_data.tpl
@@ -0,0 +1,13 @@
+%{ if enable_bootstrap_user_data ~}
+