AWS EKS Terraform Module

Name	Source	Version
argocd
cluster	terraform-aws-modules/eks/aws	15.1.0
efs	camptocamp/efs/aws
iam_assumable_role_cert_manager	terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc	4.0.0
iam_assumable_role_cluster_autoscaler	terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc	4.0.0
iam_assumable_role_loki	terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc	4.0.0
nlb	terraform-aws-modules/alb/aws	6.0.0
nlb_private	terraform-aws-modules/alb/aws	5.10.0

Name

Source

Version

argocd

cluster

terraform-aws-modules/eks/aws

15.1.0

efs

camptocamp/efs/aws

iam_assumable_role_cert_manager

terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc

4.0.0

iam_assumable_role_cluster_autoscaler

terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc

4.0.0

iam_assumable_role_loki

terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc

4.0.0

nlb

terraform-aws-modules/alb/aws

6.0.0

nlb_private

terraform-aws-modules/alb/aws

5.10.0

Resources

Name	Type
aws_cognito_user_pool_client.client	resource
aws_iam_policy.cert_manager	resource
aws_iam_policy.cluster_autoscaler	resource
aws_iam_policy.loki	resource
aws_route53_record.wildcard	resource
aws_s3_bucket.loki	resource
aws_security_group_rule.workers_ingress_healthcheck_http	resource
aws_security_group_rule.workers_ingress_healthcheck_https	resource
random_password.grafana_admin_password	resource
aws_eks_cluster.cluster	data source
aws_eks_cluster_auth.cluster	data source
aws_iam_policy_document.cert_manager	data source
aws_iam_policy_document.cluster_autoscaler	data source
aws_iam_policy_document.loki	data source
aws_region.current	data source
aws_route53_zone.this	data source
aws_subnet_ids.private	data source
aws_subnet_ids.public	data source
aws_vpc.this	data source
dns_a_record_set.nlb	data source

Name

Type

aws_cognito_user_pool_client.client

resource

aws_iam_policy.cert_manager

resource

aws_iam_policy.cluster_autoscaler

resource

aws_iam_policy.loki

resource

aws_route53_record.wildcard

resource

aws_s3_bucket.loki

resource

aws_security_group_rule.workers_ingress_healthcheck_http

resource

aws_security_group_rule.workers_ingress_healthcheck_https

resource

random_password.grafana_admin_password

resource

aws_eks_cluster.cluster

data source

aws_eks_cluster_auth.cluster

data source

aws_iam_policy_document.cert_manager

data source

aws_iam_policy_document.cluster_autoscaler

data source

aws_iam_policy_document.loki

data source

aws_region.current

data source

aws_route53_zone.this

data source

aws_subnet_ids.private

data source

aws_subnet_ids.public

data source

aws_vpc.this

data source

dns_a_record_set.nlb

data source

Inputs

Name Description Type Default Required

Name	Description	Type	Default	Required
app_of_apps_values_overrides	App of apps values overrides.	`string`	`""`	no
argocd_server_secretkey	ArgoCD Server Secert Key to avoid regenerate token on redeploy.	`string`	`null`	no
base_domain	The base domain used for Ingresses.	`string`	`null`	no
cluster_endpoint_public_access_cidrs	List of CIDR blocks which can access the Amazon EKS public API server endpoint.	`list(string)`	`[ "0.0.0.0/0" ]`	no
cluster_name	The name of the Kubernetes cluster to create.	`string`	n/a	yes
cluster_version	Kubernetes version to use for the EKS cluster.	`string`	`"1.21"`	no
cognito_user_pool_domain	Domain prefix of the Cognito user pool to use (custom domain currently not supported!).	`string`	n/a	yes
cognito_user_pool_id	ID of the Cognito user pool to use.	`string`	n/a	yes
create_private_nlb	Whether to create an internal NLB attached the private subnets	`bool`	`false`	no
create_public_nlb	Whether to create an internet-facing NLB attached to the public subnets	`bool`	`true`	no
enable_cluster_autoscaler	Whether to setup a cluster autoscaler	`bool`	`false`	no
enable_efs	Whether to provision an EFS filesystem, along with a provisioner	`bool`	`false`	no
extra_app_projects	Extra AppProjects objects to deploy.	`any`	`[]`	no
extra_application_sets	Extra ApplicationSets objects to deploy.	`any`	`[]`	no
extra_apps	Extra Applications objects to deploy.	`any`	`[]`	no
extra_lb_http_tcp_listeners	Additional load-balancer listeners	`list(any)`	`[]`	no
extra_lb_target_groups	Additional load-balancer target groups	`list(any)`	`[]`	no
grafana_admin_password	The admin password for Grafana.	`string`	`null`	no
kubeconfig_aws_authenticator_command	Override the kubeconfig authenticator command	`string`	`"aws-iam-authenticator"`	no
kubeconfig_aws_authenticator_command_args	Override the kubeconfig authenticator arguments	`list(string)`	`[]`	no
map_accounts	Additional AWS account numbers to add to the aws-auth configmap. See examples/basic/variables.tf in the terraform-aws-eks module’s code for example format.	`list(string)`	`[]`	no
map_roles	Additional IAM roles to add to the aws-auth configmap. See examples/basic/variables.tf in the terraform-aws-eks module’s code for example format.	`list(object({ rolearn = string username = string groups = list(string) }))`	`[]`	no
map_users	Additional IAM users to add to the aws-auth configmap. See examples/basic/variables.tf in the terraform-aws-eks module’s code for example format.	`list(object({ userarn = string username = string groups = list(string) }))`	`[]`	no
oidc	OIDC configuration for core applications.	`object({ issuer_url = string oauth_url = string token_url = string api_url = string client_id = string client_secret = string oauth2_proxy_extra_args = list(string) })`	`null`	no
other_domains	Other domains used for Ingresses requiring a DNS-01 challenge for Let’s Encrypt validation with cert-manager (e.g. wildcard certificates).	`list(string)`	`[]`	no
prometheus_oauth2_proxy_args	n/a	`object({ prometheus_oauth2_proxy_extra_args = list(string) prometheus_oauth2_proxy_image = string prometheus_oauth2_proxy_extra_volume_mounts = list(object({ name = string mount_path = string })) })`	`{ "prometheus_oauth2_proxy_extra_args": [], "prometheus_oauth2_proxy_extra_volume_mounts": [], "prometheus_oauth2_proxy_image": "quay.io/oauth2-proxy/oauth2-proxy:v7.1.3" }`	no
repo_url	The source repo URL of ArgoCD’s app of apps.	`string`	`"https://github.com/camptocamp/devops-stack.git"`	no
repositories	A list of repositories to add to ArgoCD.	`map(map(string))`	`{}`	no
target_revision	The source target revision of ArgoCD’s app of apps.	`string`	`"v0.56.0"`	no
vpc_id	VPC where the cluster and workers will be deployed.	`string`	n/a	yes
wait_for_app_of_apps	Allow to disable wait for app of apps	`bool`	`true`	no
worker_groups	A list of maps defining worker group configurations to be defined using AWS Launch Configurations. See workers_group_defaults for valid keys.	`any`	`[]`	no

app_of_apps_values_overrides

App of apps values overrides.

string

""

no

argocd_server_secretkey

ArgoCD Server Secert Key to avoid regenerate token on redeploy.

string

null

no

base_domain

The base domain used for Ingresses.

string

null

no

cluster_endpoint_public_access_cidrs

List of CIDR blocks which can access the Amazon EKS public API server endpoint.

list(string)

[
  "0.0.0.0/0"
]

no

cluster_name

The name of the Kubernetes cluster to create.

string

n/a

yes

cluster_version

Kubernetes version to use for the EKS cluster.

string

"1.21"

no

cognito_user_pool_domain

Domain prefix of the Cognito user pool to use (custom domain currently not supported!).

string

n/a

yes

cognito_user_pool_id

ID of the Cognito user pool to use.

string

n/a

yes

create_private_nlb

Whether to create an internal NLB attached the private subnets

bool

false

no

create_public_nlb

Whether to create an internet-facing NLB attached to the public subnets

bool

true

no

enable_cluster_autoscaler

Whether to setup a cluster autoscaler

bool

false

no

enable_efs

Whether to provision an EFS filesystem, along with a provisioner

bool

false

no

extra_app_projects

Extra AppProjects objects to deploy.

any

[]

no

extra_application_sets

Extra ApplicationSets objects to deploy.

any

[]

no

extra_apps

Extra Applications objects to deploy.

any

[]

no

extra_lb_http_tcp_listeners

Additional load-balancer listeners

list(any)

[]

no

extra_lb_target_groups

Additional load-balancer target groups

list(any)

[]

no

grafana_admin_password

The admin password for Grafana.

string

null

no

kubeconfig_aws_authenticator_command

Override the kubeconfig authenticator command

string

"aws-iam-authenticator"

no

kubeconfig_aws_authenticator_command_args

Override the kubeconfig authenticator arguments

list(string)

[]

no

map_accounts

Additional AWS account numbers to add to the aws-auth configmap. See examples/basic/variables.tf in the terraform-aws-eks module’s code for example format.

list(string)

[]

no

map_roles

Additional IAM roles to add to the aws-auth configmap. See examples/basic/variables.tf in the terraform-aws-eks module’s code for example format.

list(object({
    rolearn  = string
    username = string
    groups   = list(string)
  }))

[]

no

map_users

Additional IAM users to add to the aws-auth configmap. See examples/basic/variables.tf in the terraform-aws-eks module’s code for example format.

list(object({
    userarn  = string
    username = string
    groups   = list(string)
  }))

[]

no

oidc

OIDC configuration for core applications.

object({
    issuer_url              = string
    oauth_url               = string
    token_url               = string
    api_url                 = string
    client_id               = string
    client_secret           = string
    oauth2_proxy_extra_args = list(string)
  })

null

no

other_domains

Other domains used for Ingresses requiring a DNS-01 challenge for Let’s Encrypt validation with cert-manager (e.g. wildcard certificates).

list(string)

[]

no

prometheus_oauth2_proxy_args

n/a

object({
    prometheus_oauth2_proxy_extra_args = list(string)
    prometheus_oauth2_proxy_image      = string
    prometheus_oauth2_proxy_extra_volume_mounts = list(object({
      name       = string
      mount_path = string
    }))
  })

{
  "prometheus_oauth2_proxy_extra_args": [],
  "prometheus_oauth2_proxy_extra_volume_mounts": [],
  "prometheus_oauth2_proxy_image": "quay.io/oauth2-proxy/oauth2-proxy:v7.1.3"
}

no

repo_url

The source repo URL of ArgoCD’s app of apps.

string

"https://github.com/camptocamp/devops-stack.git"

no

repositories

A list of repositories to add to ArgoCD.

map(map(string))

{}

no

target_revision

The source target revision of ArgoCD’s app of apps.

string

"v0.56.0"

no

vpc_id

VPC where the cluster and workers will be deployed.

string

n/a

yes

wait_for_app_of_apps

Allow to disable wait for app of apps

bool

true

no

worker_groups

A list of maps defining worker group configurations to be defined using AWS Launch Configurations. See workers_group_defaults for valid keys.

any

[]

no

Outputs

Name	Description
app_of_apps_values	App of Apps values
argocd_auth_token	The token to set in ARGOCD_AUTH_TOKEN environment variable.
argocd_server	The URL of the ArgoCD server.
argocd_server_admin_password	The ArgoCD admin password.
base_domain	n/a
cluster_id	The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready
cluster_oidc_issuer_url	The URL on the EKS cluster OIDC Issuer
grafana_admin_password	The admin password for Grafana.
kubeconfig	The content of the KUBECONFIG file.
kubernetes_cluster_ca_certificate	n/a
kubernetes_host	n/a
kubernetes_token	n/a
repo_url	n/a
target_revision	n/a
worker_iam_role_name	default IAM role name for EKS worker groups
worker_security_group_id	Security group ID attached to the EKS workers.

Name

Description

app_of_apps_values

App of Apps values

argocd_auth_token

The token to set in ARGOCD_AUTH_TOKEN environment variable.

argocd_server

The URL of the ArgoCD server.

argocd_server_admin_password

The ArgoCD admin password.

base_domain

n/a