bug: aws-auth-config-fixed

aws_auth.tf

@@ -29,16 +29,17 @@
 
 
 locals {
-  certificate_authority_data_list          = coalescelist(aws_eks_cluster.default.*.certificate_authority, [[{ data : "" }]])
-  certificate_authority_data_list_internal = local.certificate_authority_data_list[0]
+  certificate_authority_data_list          = coalescelist(aws_eks_cluster.default[*].certificate_authority, [[{ data : "" }]])
   certificate_authority_data_map           = local.certificate_authority_data_list_internal[0]
   certificate_authority_data               = local.certificate_authority_data_map["data"]
+  certificate_authority_data_list_internal = local.certificate_authority_data_list[0]
+
 
   # Add worker nodes role ARNs (could be from many un-managed worker groups) to the ConfigMap
   # Note that we don't need to do this for managed Node Groups since EKS adds their roles to the ConfigMap automatically
   map_worker_roles = [
     {
-      rolearn : aws_iam_role.node_groups.0.arn
+      rolearn : aws_iam_role.node_groups[0].arn
       username : "system:node:{{EC2PrivateDNSName}}"
       groups : [
         "system:bootstrappers",
@@ -88,9 +89,9 @@ data "aws_eks_cluster_auth" "eks" {
 }
 
 provider "kubernetes" {
-  token                  = data.aws_eks_cluster_auth.eks[0].token
-  host                   = data.aws_eks_cluster.eks[0].endpoint
-  cluster_ca_certificate = base64decode(data.aws_eks_cluster.eks[0].certificate_authority.0.data)
+  token                  = var.apply_config_map_aws_auth ? data.aws_eks_cluster_auth.eks[0].token : ""
+  host                   = var.apply_config_map_aws_auth ? data.aws_eks_cluster.eks[0].endpoint : ""
+  cluster_ca_certificate = var.apply_config_map_aws_auth ? base64decode(data.aws_eks_cluster.eks[0].certificate_authority[0].data) : ""
 }
 
 resource "kubernetes_config_map" "aws_auth_ignore_changes" {

aws_node_groups.tf

@@ -9,8 +9,8 @@ module "eks_managed_node_group" {
   cluster_version = var.kubernetes_version
   vpc_security_group_ids = compact(
     concat(
-      aws_security_group.node_group.*.id,
-      aws_eks_cluster.default.*.vpc_config.0.cluster_security_group_id,
+      aws_security_group.node_group[*].id,
+      aws_eks_cluster.default[*].vpc_config[0].cluster_security_group_id,
       var.nodes_additional_security_group_ids
 
     )

examples/aws_managed/example.tf

@@ -271,6 +271,7 @@ module "eks" {
   name        = local.name
   environment = local.environment
   label_order = local.label_order
+  tags        = local.tags
 
   # EKS
   kubernetes_version     = "1.27"
@@ -279,7 +280,7 @@ module "eks" {
   vpc_id                            = module.vpc.vpc_id
   subnet_ids                        = module.subnets.private_subnet_id
   allowed_security_groups           = [module.ssh.security_group_id]
-  eks_additional_security_group_ids = ["${module.ssh.security_group_id}", "${module.http_https.security_group_id}"]
+  eks_additional_security_group_ids = [module.ssh.security_group_id, module.http_https.security_group_id]
   allowed_cidr_blocks               = [local.vpc_cidr_block]
 
   # AWS Managed Node Group
@@ -290,7 +291,22 @@ module "eks" {
     tags = {
       "kubernetes.io/cluster/${module.eks.cluster_name}" = "shared"
       "k8s.io/cluster/${module.eks.cluster_name}"        = "shared"
+      propagate_tags = [{
+        key                 = "aws-node-termination-handler/managed"
+        value               = true
+        propagate_at_launch = true
+        },
+        {
+          key                 = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/${module.eks.cluster_id}"
+          value               = "owned"
+          propagate_at_launch = true
+      }]
     }
+    propagate_tags = [{
+      key                 = "aws-node-termination-handler/managed"
+      value               = true
+      propagate_at_launch = true
+    }]
     block_device_mappings = {
       xvda = {
         device_name = "/dev/xvda"
@@ -309,9 +325,9 @@ module "eks" {
     critical = {
       name           = "${module.eks.cluster_name}-critical"
       capacity_type  = "ON_DEMAND"
-      min_size       = 1
-      max_size       = 2
-      desired_size   = 2
+      min_size       = 0
+      max_size       = 1
+      desired_size   = 0
       instance_types = ["t3.medium"]
     }
 
@@ -350,4 +366,4 @@ provider "kubernetes" {
   host                   = data.aws_eks_cluster.this.endpoint
   cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority[0].data)
   token                  = data.aws_eks_cluster_auth.this.token
-}
+}

examples/aws_managed/versions.tf

@@ -11,5 +11,17 @@ terraform {
       source  = "hashicorp/cloudinit"
       version = ">= 2.0"
     }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.33.0" # Specify the appropriate version
+    }
+    template = {
+      source  = "hashicorp/template"
+      version = ">= 2.2.0"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = ">= 3.0.0"
+    }
   }
 }

examples/aws_managed_with_fargate/example.tf

@@ -272,6 +272,7 @@ module "eks" {
   name        = local.name
   environment = local.environment
   label_order = local.label_order
+  tags        = local.tags
 
   # EKS
   kubernetes_version     = "1.27"
@@ -280,7 +281,7 @@ module "eks" {
   vpc_id                            = module.vpc.vpc_id
   subnet_ids                        = module.subnets.private_subnet_id
   allowed_security_groups           = [module.ssh.security_group_id]
-  eks_additional_security_group_ids = ["${module.ssh.security_group_id}", "${module.http_https.security_group_id}"]
+  eks_additional_security_group_ids = [module.ssh.security_group_id, module.http_https.security_group_id]
   allowed_cidr_blocks               = [local.vpc_cidr_block]
 
   # AWS Managed Node Group

examples/aws_managed_with_fargate/versions.tf

@@ -11,5 +11,17 @@ terraform {
       source  = "hashicorp/cloudinit"
       version = ">= 2.0"
     }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.33.0" # Specify the appropriate version
+    }
+    template = {
+      source  = "hashicorp/template"
+      version = ">= 2.2.0"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = ">= 3.0.0"
+    }
   }
 }

examples/complete/example.tf

@@ -268,6 +268,7 @@ module "eks" {
   name        = local.name
   environment = local.environment
   enabled     = true
+  tags        = local.tags
 
   kubernetes_version      = "1.27"
   endpoint_private_access = true
@@ -277,7 +278,7 @@ module "eks" {
   vpc_id                            = module.vpc.vpc_id
   subnet_ids                        = module.subnets.private_subnet_id
   allowed_security_groups           = [module.ssh.security_group_id]
-  eks_additional_security_group_ids = ["${module.ssh.security_group_id}", "${module.http_https.security_group_id}"]
+  eks_additional_security_group_ids = [module.ssh.security_group_id, module.http_https.security_group_id]
   allowed_cidr_blocks               = [local.vpc_cidr_block]
 
   # Self Managed Node Group

examples/complete/versions.tf

@@ -11,5 +11,17 @@ terraform {
       source  = "hashicorp/cloudinit"
       version = ">= 2.0"
     }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.33.0" # Specify the appropriate version
+    }
+    template = {
+      source  = "hashicorp/template"
+      version = ">= 2.2.0"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = ">= 3.0.0"
+    }
   }
 }

examples/self_managed/example.tf

@@ -1,3 +1,6 @@
+terraform {
+  required_version = ">= 1.5.4"
+}
 provider "aws" {
   region = local.region
 }
@@ -41,6 +44,7 @@ module "subnets" {
   ipv6_cidr_block     = module.vpc.ipv6_cidr_block
   type                = "public-private"
   igw_id              = module.vpc.igw_id
+  label_order         = local.label_order
 
   extra_public_tags = {
     "kubernetes.io/cluster/${module.eks.cluster_name}" = "shared"
@@ -228,6 +232,7 @@ module "eks" {
 
   name        = local.name
   environment = "test"
+  tags        = local.tags
 
   # EKS
   kubernetes_version      = "1.27"
@@ -237,7 +242,7 @@ module "eks" {
   vpc_id                            = module.vpc.vpc_id
   subnet_ids                        = module.subnets.private_subnet_id
   allowed_security_groups           = [module.ssh.security_group_id]
-  eks_additional_security_group_ids = ["${module.ssh.security_group_id}", "${module.http_https.security_group_id}"]
+  eks_additional_security_group_ids = [module.ssh.security_group_id, module.http_https.security_group_id]
   allowed_cidr_blocks               = [local.vpc_cidr_block]
 
   # Self Managed Node Grou
@@ -250,10 +255,8 @@ module "eks" {
       propagate_at_launch = true
       },
       {
-        key                 = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/${module.eks.cluster_id}"
-        value               = "owned"
-        propagate_at_launch = true
-
+        key   = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/${module.eks.cluster_id}"
+        value = "owned"
       }
     ]
 

examples/self_managed/versions.tf

@@ -10,5 +10,13 @@ terraform {
       source  = "hashicorp/cloudinit"
       version = ">= 2.0"
     }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.33.0" # Specify the appropriate version
+    }
+    template = {
+      source  = "hashicorp/template"
+      version = ">= 2.2.0"
+    }
   }
 }

main.tf

@@ -38,15 +38,15 @@ resource "aws_eks_cluster" "default" {
     endpoint_private_access = var.endpoint_private_access
     endpoint_public_access  = var.endpoint_public_access
     public_access_cidrs     = var.public_access_cidrs
-    security_group_ids      = var.eks_additional_security_group_ids
+    security_group_ids      = concat(var.eks_additional_security_group_ids, var.vpc_security_group_ids)
   }
 
   dynamic "encryption_config" {
     for_each = var.cluster_encryption_config_enabled ? [local.cluster_encryption_config] : []
     content {
-      resources = lookup(encryption_config.value, "resources")
+      resources = lookup(encryption_config.value, "resources", null)
       provider {
-        key_arn = lookup(encryption_config.value, "provider_key_arn")
+        key_arn = lookup(encryption_config.value, "provider_key_arn", null)
       }
     }
   }
@@ -91,15 +91,15 @@ resource "aws_eks_cluster" "default" {
 
 data "tls_certificate" "cluster" {
   count = var.enabled && var.oidc_provider_enabled ? 1 : 0
-  url   = aws_eks_cluster.default[0].identity.0.oidc.0.issuer
+  url   = aws_eks_cluster.default[0].identity[0].oidc[0].issuer
 }
 
 resource "aws_iam_openid_connect_provider" "default" {
   count = var.enabled && var.oidc_provider_enabled ? 1 : 0
-  url   = aws_eks_cluster.default[0].identity.0.oidc.0.issuer
+  url   = aws_eks_cluster.default[0].identity[0].oidc[0].issuer
 
   client_id_list  = distinct(compact(concat(["sts.${data.aws_partition.current.dns_suffix}"], var.openid_connect_audiences)))
-  thumbprint_list = [data.tls_certificate.cluster[0].certificates.0.sha1_fingerprint]
+  thumbprint_list = [data.tls_certificate.cluster[0].certificates[0].sha1_fingerprint]
   tags            = module.labels.tags
 }
 

node_group/aws_managed/main.tf

@@ -1,6 +1,3 @@
-data "aws_partition" "current" {}
-
-data "aws_caller_identity" "current" {}
 
 #Module      : label
 #Description : Terraform module to create consistent naming for multiple names.
@@ -25,22 +22,40 @@ module "labels" {
 
 
 resource "aws_launch_template" "this" {
-  count       = var.enabled ? 1 : 0
-  name        = module.labels.id
-  description = var.launch_template_description
-
-  ebs_optimized = var.ebs_optimized
-  image_id      = var.ami_id
-  # # Set on node group instead
-  # instance_type = var.launch_template_instance_type
-  key_name               = var.key_name
-  user_data              = var.before_cluster_joining_userdata
-  vpc_security_group_ids = var.vpc_security_group_ids
-
+  count                   = var.enabled ? 1 : 0
+  name                    = module.labels.id
+  description             = var.launch_template_description
+  ebs_optimized           = var.ebs_optimized
+  image_id                = var.ami_id
+  key_name                = var.key_name
+  user_data               = var.before_cluster_joining_userdata
+  vpc_security_group_ids  = var.vpc_security_group_ids
   disable_api_termination = var.disable_api_termination
   kernel_id               = var.kernel_id
   ram_disk_id             = var.ram_disk_id
+  default_version         = var.update_launch_template_default_version ? var.launch_template_default_version : null
+
+  dynamic "tag_specifications" {
+    for_each = var.launch_template_tags != null ? [var.launch_template_tags] : []
+    content {
+      resource_type = "instance"
+      tags          = tag_specifications.value
+    }
+  }
 
+  dynamic "instance_market_options" {
+    for_each = var.instance_market_options == true ? [{ market_type = "spot", spot_options = { max_price = "0.05" } }] : []
+    content {
+      market_type = instance_market_options.value.market_type
+
+      dynamic "spot_options" {
+        for_each = (instance_market_options.value.spot_options != null) ? [instance_market_options.value.spot_options] : []
+        content {
+          max_price = spot_options.value.max_price
+        }
+      }
+    }
+  }
   dynamic "block_device_mappings" {
     for_each = var.block_device_mappings
     content {
@@ -244,7 +259,7 @@ resource "aws_eks_node_group" "this" {
     for_each = var.taints
     content {
       key    = taint.value.key
-      value  = lookup(taint.value, "value")
+      value  = lookup(taint.value, "value", null)
       effect = taint.value.effect
     }
   }

node_group/aws_managed/variables.tf

@@ -96,7 +96,7 @@ variable "launch_template_default_version" {
 variable "update_launch_template_default_version" {
   description = "Whether to update the launch templates default version on each update. Conflicts with `launch_template_default_version`"
   type        = bool
-  default     = true
+  default     = false
 }
 
 variable "disable_api_termination" {
@@ -162,7 +162,7 @@ variable "enclave_options" {
 variable "instance_market_options" {
   description = "The market (purchasing) option for the instance"
   type        = any
-  default     = null
+  default     = true
 }
 
 variable "license_specifications" {

node_group/fargate_profile/fargate.tf

@@ -1,4 +1,5 @@
 terraform {
+  required_version = ">= 1.5.4"
   required_providers {
     aws = {
       source  = "hashicorp/aws"
@@ -48,7 +49,7 @@ resource "aws_eks_fargate_profile" "default" {
   fargate_profile_name   = format("%s-%s", module.labels.id, each.value.addon_name)
   pod_execution_role_arn = aws_iam_role.fargate_role[0].arn
   subnet_ids             = var.subnet_ids
-  tags                   = module.labels.tags
+  tags                   = var.tags
 
   selector {
     namespace = lookup(each.value, "namespace", "default")