forked from aws-ia/terraform-aws-eks-blueprints
-
Notifications
You must be signed in to change notification settings - Fork 0
/
main.tf
128 lines (106 loc) · 5.44 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
locals {
cluster_encryption_config = length(var.cluster_encryption_config) > 0 ? var.cluster_encryption_config : [
{
provider_key_arn = try(module.kms[0].key_arn, var.cluster_kms_key_arn)
resources = ["secrets"]
}
]
}
module "kms" {
count = var.create_eks && var.cluster_kms_key_arn == null && var.enable_cluster_encryption ? 1 : 0
source = "./modules/aws-kms"
alias = "alias/${var.cluster_name}"
description = "${var.cluster_name} EKS cluster secret encryption key"
policy = data.aws_iam_policy_document.eks_key.json
deletion_window_in_days = var.cluster_kms_key_deletion_window_in_days
tags = var.tags
}
module "aws_eks" {
source = "terraform-aws-modules/eks/aws"
version = "v18.29.1"
create = var.create_eks
cluster_name = var.cluster_name
cluster_version = var.cluster_version
cluster_timeouts = var.cluster_timeouts
create_iam_role = var.create_iam_role
iam_role_arn = var.iam_role_arn
iam_role_use_name_prefix = false
iam_role_name = local.cluster_iam_role_name
iam_role_path = var.iam_role_path
iam_role_description = var.iam_role_description
iam_role_permissions_boundary = var.iam_role_permissions_boundary
iam_role_additional_policies = var.iam_role_additional_policies
subnet_ids = var.private_subnet_ids
control_plane_subnet_ids = var.control_plane_subnet_ids
cluster_endpoint_private_access = var.cluster_endpoint_private_access
cluster_endpoint_public_access = var.cluster_endpoint_public_access
cluster_endpoint_public_access_cidrs = var.cluster_endpoint_public_access_cidrs
cluster_ip_family = var.cluster_ip_family
cluster_service_ipv4_cidr = var.cluster_service_ipv4_cidr
vpc_id = var.vpc_id
create_cluster_security_group = var.create_cluster_security_group
cluster_security_group_id = var.cluster_security_group_id
cluster_security_group_name = var.cluster_security_group_name
cluster_security_group_use_name_prefix = var.cluster_security_group_use_name_prefix
cluster_security_group_description = var.cluster_security_group_description
cluster_additional_security_group_ids = var.cluster_additional_security_group_ids
cluster_security_group_additional_rules = var.cluster_security_group_additional_rules
cluster_security_group_tags = var.cluster_security_group_tags
create_node_security_group = var.create_node_security_group
node_security_group_name = var.node_security_group_name
node_security_group_use_name_prefix = var.node_security_group_use_name_prefix
node_security_group_description = var.node_security_group_description
node_security_group_additional_rules = var.node_security_group_additional_rules
node_security_group_tags = var.node_security_group_tags
enable_irsa = var.enable_irsa
openid_connect_audiences = var.openid_connect_audiences
custom_oidc_thumbprints = var.custom_oidc_thumbprints
create_cloudwatch_log_group = var.create_cloudwatch_log_group
cluster_enabled_log_types = var.cluster_enabled_log_types
cloudwatch_log_group_retention_in_days = var.cloudwatch_log_group_retention_in_days
cloudwatch_log_group_kms_key_id = var.cloudwatch_log_group_kms_key_id
attach_cluster_encryption_policy = false
cluster_encryption_config = var.enable_cluster_encryption ? local.cluster_encryption_config : []
cluster_identity_providers = var.cluster_identity_providers
tags = var.tags
}
# ---------------------------------------------------------------------------------------------------------------------
# Amazon EMR on EKS Virtual Clusters
# ---------------------------------------------------------------------------------------------------------------------
module "emr_on_eks" {
source = "./modules/emr-on-eks"
for_each = { for key, value in var.emr_on_eks_teams : key => value
if var.enable_emr_on_eks && length(var.emr_on_eks_teams) > 0
}
emr_on_eks_teams = each.value
eks_cluster_id = module.aws_eks.cluster_id
iam_role_permissions_boundary = var.iam_role_permissions_boundary
tags = var.tags
depends_on = [kubernetes_config_map.aws_auth]
}
resource "kubernetes_config_map" "amazon_vpc_cni" {
count = var.enable_windows_support ? 1 : 0
metadata {
name = "amazon-vpc-cni"
namespace = "kube-system"
}
data = {
"enable-windows-ipam" = var.enable_windows_support ? "true" : "false"
}
depends_on = [
module.aws_eks.cluster_id,
data.http.eks_cluster_readiness[0]
]
}
# ---------------------------------------------------------------------------------------------------------------------
# Teams
# ---------------------------------------------------------------------------------------------------------------------
module "aws_eks_teams" {
count = length(var.application_teams) > 0 || length(var.platform_teams) > 0 ? 1 : 0
source = "./modules/aws-eks-teams"
application_teams = var.application_teams
platform_teams = var.platform_teams
iam_role_permissions_boundary = var.iam_role_permissions_boundary
eks_cluster_id = module.aws_eks.cluster_id
tags = var.tags
}