Add eks-fargate-profile module (#44)

.github/labeler.yaml

@@ -11,6 +11,9 @@
 ":floppy_disk: eks-cluster":
 - modules/eks-cluster/**/*
 
+":floppy_disk: eks-fargate-profile":
+- modules/eks-fargate-profile/**/*
+
 ":floppy_disk: eks-irsa":
 - modules/eks-irsa/**/*
 

.github/labels.yaml

@@ -52,6 +52,9 @@
 - color: "fbca04"
   description: "This issue or pull request is related to eks-cluster module."
   name: ":floppy_disk: eks-cluster"
+- color: "fbca04"
+  description: "This issue or pull request is related to eks-fargate-profile module."
+  name: ":floppy_disk: eks-fargate-profile"
 - color: "fbca04"
   description: "This issue or pull request is related to eks-irsa module."
   name: ":floppy_disk: eks-irsa"

README.md

@@ -6,6 +6,13 @@
 
 Terraform module which creates resources for container services on AWS.
 
+- [ecr-registry](./modules/ecr-registry)
+- [ecr-repository](./modules/ecr-repository)
+- [eks-aws-auth](./modules/eks-aws-auth)
+- [eks-cluster](./modules/eks-cluster)
+- [eks-fargate-profile](./modules/eks-fargate-profile)
+- [eks-max-pods](./modules/eks-max-pods)
+
 
 ## Target AWS Services
 

modules/eks-cluster/eks-control-plane.tf

@@ -19,17 +19,8 @@ locals {
 # EKS Control Plane
 ###################################################
 
-locals {
-  cluster_timeouts = merge(
-    {
-      create = "30m",
-      update = "60m",
-      delete = "15m",
-    },
-    var.timeouts
-  )
-}
-
+# TODO:
+# - `outpost_config`
 resource "aws_eks_cluster" "this" {
   name     = var.name
   version  = var.kubernetes_version
@@ -47,21 +38,27 @@ resource "aws_eks_cluster" "this" {
   }
 
   kubernetes_network_config {
-    service_ipv4_cidr = var.service_cidr
-    ip_family         = lower(var.ip_family)
+    service_ipv4_cidr = var.kubernetes_network_config.service_ipv4_cidr
+    ip_family         = lower(var.kubernetes_network_config.ip_family)
   }
 
   dynamic "encryption_config" {
-    for_each = var.encryption_enabled ? ["go"] : []
+    for_each = var.secrets_encryption.enabled ? [var.secrets_encryption] : []
 
     content {
       provider {
-        key_arn = var.encryption_kms_key
+        key_arn = encryption_config.value.kms_key
       }
-      resources = var.encryption_resources
+      resources = ["secrets"]
     }
   }
 
+  timeouts {
+    create = var.timeouts.create
+    update = var.timeouts.update
+    delete = var.timeouts.delete
+  }
+
   tags = merge(
     {
       "Name" = local.metadata.name
@@ -70,12 +67,6 @@ resource "aws_eks_cluster" "this" {
     var.tags,
   )
 
-  timeouts {
-    create = local.cluster_timeouts.create
-    update = local.cluster_timeouts.update
-    delete = local.cluster_timeouts.delete
-  }
-
   depends_on = [
     module.role__control_plane,
     aws_cloudwatch_log_group.this,

modules/eks-cluster/oidc-providers.tf

@@ -16,11 +16,11 @@ resource "aws_eks_identity_provider_config" "this" {
     issuer_url = each.value.issuer_url
     client_id  = each.value.client_id
 
-    required_claims = try(each.value.required_claims, null)
-    username_claim  = try(each.value.username_claim, null)
-    username_prefix = try(each.value.username_prefix, null)
-    groups_claim    = try(each.value.groups_claim, null)
-    groups_prefix   = try(each.value.groups_prefix, null)
+    required_claims = each.value.required_claims
+    username_claim  = each.value.username_claim
+    username_prefix = each.value.username_prefix
+    groups_claim    = each.value.groups_claim
+    groups_prefix   = each.value.groups_prefix
   }
 
   tags = merge(

modules/eks-cluster/outputs.tf

@@ -43,14 +43,26 @@ output "subnet_ids" {
   value       = aws_eks_cluster.this.vpc_config[0].subnet_ids
 }
 
-output "service_cidr" {
-  description = "The CIDR block which is assigned to Kubernetes service IP addresses."
-  value       = aws_eks_cluster.this.kubernetes_network_config[0].service_ipv4_cidr
+output "kubernetes_network_config" {
+  description = <<EOF
+  The configurations of Kubernetes network.
+    `service_ipv4_cidr` - The CIDR block which is assigned to Kubernetes service IP addresses.
+    `ip_family` - The IP family used to assign Kubernetes pod and service addresses.
+  EOF
+  value = {
+    service_ipv4_cidr = aws_eks_cluster.this.kubernetes_network_config[0].service_ipv4_cidr
+    ip_family         = upper(aws_eks_cluster.this.kubernetes_network_config[0].ip_family)
+  }
 }
 
-output "ip_family" {
-  description = "The IP family used to assign Kubernetes pod and service addresses."
-  value       = upper(aws_eks_cluster.this.kubernetes_network_config[0].ip_family)
+output "secrets_encryption" {
+  description = <<EOF
+  The configurations of the encryption of Kubernetes secrets.
+  EOF
+  value = {
+    enabled = var.secrets_encryption.enabled
+    kms_key = one(aws_eks_cluster.this.encryption_config[*].provider[0].key_arn)
+  }
 }
 
 output "security_group_ids" {
@@ -98,21 +110,6 @@ output "logging" {
   }
 }
 
-output "fargate_profiles" {
-  description = "A map of all Fargate Profiles created."
-  value = {
-    for name, profile in aws_eks_fargate_profile.this :
-    name => {
-      id         = profile.id
-      arn        = profile.arn
-      status     = profile.status
-      name       = profile.fargate_profile_name
-      subnet_ids = profile.subnet_ids
-      selectors  = profile.selector
-    }
-  }
-}
-
 output "oidc_identity_providers" {
   description = "A map of all associated OIDC Identity Providers to the cluster."
   value = {

modules/eks-cluster/variables.tf

@@ -1,6 +1,7 @@
 variable "name" {
   description = "(Required) Name of the EKS cluster. Must be between 1-100 characters in length. Must begin with an alphanumeric character, and must only contain alphanumeric characters, dashes and underscores."
   type        = string
+  nullable    = false
 
   validation {
     condition     = length(var.name) <= 100
@@ -9,35 +10,35 @@ variable "name" {
 }
 
 variable "kubernetes_version" {
-  description = "(Optional) Kubernetes version to use for the EKS cluster."
+  description = "(Optional) Desired Kubernetes version to use for the EKS cluster. Defaults to `1.26`."
   type        = string
-  default     = "1.21"
+  default     = "1.26"
   nullable    = false
 }
 
-variable "subnet_ids" {
-  description = "(Required) A list of subnets to creates cross-account elastic network interfaces to allow communication between your worker nodes and the Kubernetes control plane. Must be in at least two different availability zones."
-  type        = list(string)
-  nullable    = false
-}
+variable "kubernetes_network_config" {
+  description = <<EOF
+  (Optional) A configuration of Kubernetes network. `kubernetes_network_config` as defined below.
+    (Optional) `service_ipv4_cidr` - The CIDR block to assign Kubernetes pod and service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the `10.100.0.0/16` or `172.20.0.0/16` CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster, changing this value will force a new cluster to be created.
+    (Optional) `ip_family` - The IP family used to assign Kubernetes pod and service addresses. Valid values are `IPV4` and `IPV6`. Defaults to `IPV4`. You can only specify an IP family when you create a cluster, changing this value will force a new cluster to be created.
+  EOF
+  type = object({
+    service_ipv4_cidr = optional(string)
+    ip_family         = optional(string, "IPV4")
+  })
+  default  = {}
+  nullable = false
 
-variable "service_cidr" {
-  description = "(Optional) The CIDR block to assign Kubernetes service IP addresses from. Recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster, changing this value will force a new cluster to be created. Only valid if `ip_family` is `IPV4`."
-  type        = string
-  default     = "172.20.0.0/16"
-  nullable    = false
+  validation {
+    condition     = contains(["IPV4", "IPV6"], var.kubernetes_network_config.ip_family)
+    error_message = "Valid values for `kubernetes_network_config.ip_family` are `IPV4` and `IPV6`."
+  }
 }
 
-variable "ip_family" {
-  description = "(Optional) The IP family used to assign Kubernetes pod and service addresses. Valid values are `IPV4` and `IPV6`. Defaults to `IPV4`. You can only specify an IP family when you create a cluster, changing this value will force a new cluster to be created."
-  type        = string
-  default     = "IPV4"
+variable "subnet_ids" {
+  description = "(Required) A list of subnets to creates cross-account elastic network interfaces to allow communication between your worker nodes and the Kubernetes control plane. Must be in at least two different availability zones."
+  type        = list(string)
   nullable    = false
-
-  validation {
-    condition     = contains(["IPV4", "IPV6"], var.ip_family)
-    error_message = "The possible values are `IPV4` and `IPV6`."
-  }
 }
 
 variable "endpoint_public_access" {
@@ -76,8 +77,8 @@ variable "endpoint_private_access_source_security_group_ids" {
 }
 
 variable "log_types" {
-  description = "(Optional) A list of the desired control plane logging to enable."
-  type        = list(string)
+  description = "(Optional) A set of the desired control plane logging to enable."
+  type        = set(string)
   default     = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
   nullable    = false
 }
@@ -95,56 +96,18 @@ variable "log_encryption_kms_key" {
   default     = null
 }
 
-variable "encryption_enabled" {
-  description = "(Optional) Whether to encrypt kubernetes resources."
-  type        = string
-  default     = false
-  nullable    = false
-}
-
-variable "encryption_kms_key" {
-  description = "(Optional) The ARN of the KMS customer master key (CMK) to encrypt resources. The CMK must be symmetric, created in the same region as the cluster, and if the CMK was created in a different account, the user must have access to the CMK."
-  type        = string
-  default     = null
-}
-
-variable "encryption_resources" {
-  description = "(Optional) List of strings with resources to be encrypted. Valid values: `secrets`."
-  type        = list(string)
-  default     = ["secrets"]
-  nullable    = false
-}
-
-variable "timeouts" {
-  description = "(Optional) How long to wait for the EKS Cluster to be created/updated/deleted."
-  type        = map(string)
-  default = {
-    create = "30m"
-    update = "60m"
-    delete = "15m"
-  }
-  nullable = false
-}
-
-variable "fargate_default_subnet_ids" {
-  description = "(Optional) A list of defualt subnet IDs for the EKS Fargate Profile. Only used if you do not specified `subnet_ids` in Fargate Profile."
-  type        = list(string)
-  default     = []
-  nullable    = false
-}
-
-variable "fargate_profiles" {
+variable "secrets_encryption" {
   description = <<EOF
-  (Optional) A list of Fargate Profile definitions to create. `fargate_profiles` block as defined below.
-    (Required) `name` - The name of Fargate Profile.
-    (Required) `selectors` - Configuration block(s) for selecting Kubernetes Pods to execute with this EKS Fargate Profile. Each block of `selectors` block as defined below.
-      (Required) `namespace` - Kubernetes namespace for selection.
-      (Optional) `labels` - Key-value map of Kubernetes labels for selection.
-    (Optional) `subnet_ids` - A list of subnet IDs for the EKS Fargate Profile. Use cluster subnet IDs if not provided.
+  (Optional) A configuration to encrypt Kubernetes secrets. Envelope encryption provides an additional layer of encryption for your Kubernetes secrets. Once turned on, secrets encryption cannot be modified or removed. `secrets_encryption` as defined below.
+    (Optional) `enabled` - Whether to enable envelope encryption of Kubernetes secrets. Defaults to `false`.
+    (Optional) `kms_key` - The ID of AWS KMS key to use for envelope encryption of Kubernetes secrets.
   EOF
-  type        = any
-  default     = []
-  nullable    = false
+  type = object({
+    enabled = optional(bool, false)
+    kms_key = optional(string)
+  })
+  default  = {}
+  nullable = false
 }
 
 variable "oidc_identity_providers" {
@@ -159,9 +122,30 @@ variable "oidc_identity_providers" {
     (Optional) `groups_claim` - The JWT claim that the provider will use to return groups.
     (Optional) `groups_prefix` - A prefix that is prepended to group claims e.g., `oidc:`.
   EOF
-  type        = any
-  default     = []
-  nullable    = false
+  type = list(object({
+    name       = string
+    issuer_url = string
+    client_id  = string
+
+    required_claims = optional(map(string), {})
+    username_claim  = optional(string)
+    username_prefix = optional(string)
+    groups_claim    = optional(string)
+    groups_prefix   = optional(string)
+  }))
+  default  = []
+  nullable = false
+}
+
+variable "timeouts" {
+  description = "(Optional) How long to wait for the EKS Cluster to be created/updated/deleted."
+  type = object({
+    create = optional(string, "30m")
+    update = optional(string, "60m")
+    delete = optional(string, "15m")
+  })
+  default  = {}
+  nullable = false
 }
 
 variable "tags" {