awscc_eks_cluster (Resource)

An object representing an Amazon EKS cluster.

Example Usage

Basic usage with IAM Role and Tags

To use awscc_eks_cluster to create an Amazon EKS cluster with an IAM role and tags:

resource "awscc_iam_role" "main" {
  description = "IAM Role of EKS Cluster"
  role_name   = "example-role"
  assume_role_policy_document = jsonencode({
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
        Service = "eks.amazonaws.com"
      }
    }]
    Version = "2012-10-17"
  })
  managed_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
    # Optionally, enable Security Groups for Pods
    # Reference: https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html
    "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
  ]
  max_session_duration = 7200
  path                 = "/"
  tags = [{
    key   = "Modified By"
    value = "AWSCC"
  }]
}

resource "awscc_eks_cluster" "main" {
  name     = "example-cluster"
  role_arn = awscc_iam_role.main.arn
  resources_vpc_config = {
    subnet_ids = ["subnet-xxxx", "subnet-yyyy"] # EKS cluster subnet IDs
  }
  tags = [{
    key   = "Modified By"
    value = "AWSCC"
  }]
}

Enable Control Plane Logging in Amazon EKS

To use awscc_eks_cluster to create an Amazon EKS cluster with control plane logging enabled:

resource "awscc_iam_role" "main" {
  description = "IAM Role of EKS Cluster"
  role_name   = "example-role"
  assume_role_policy_document = jsonencode({
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
        Service = "eks.amazonaws.com"
      }
    }]
    Version = "2012-10-17"
  })
  managed_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
    # Optionally, enable Security Groups for Pods
    # Reference: https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html
    "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
  ]
  max_session_duration = 7200
  path                 = "/"
  tags = [{
    key   = "Modified By"
    value = "AWSCC"
  }]
}

resource "awscc_eks_cluster" "main" {
  name     = "example-cluster"
  role_arn = awscc_iam_role.main.arn
  resources_vpc_config = {
    subnet_ids = ["subnet-xxxx", "subnet-yyyy"] # EKS cluster subnet IDs
  }
  logging = {
    cluster_logging = {
      enabled_types = [
        {
          type = "api"
        },
        {
          type = "audit"
        },
        {
          type = "authenticator"
        }
      ]
    }
  }
  tags = [{
    key   = "Modified By"
    value = "AWSCC"
  }]
  depends_on = [awscc_logs_log_group.main]
}

resource "awscc_logs_log_group" "main" {
  # The log group name format is /aws/eks/<cluster-name>/cluster
  # Reference: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
  log_group_name    = "/aws/eks/example-cluster/cluster"
  retention_in_days = 7
  tags = [{
    key   = "Modified By"
    value = "AWSCC"
  }]
}

Enable Secrets Encryption with KMS in Amazon EKS

To use awscc_eks_cluster to create an Amazon EKS cluster with secrets encryption enabled using AWS KMS:

data "aws_caller_identity" "current" {}

resource "awscc_iam_role" "main" {
  description = "IAM Role of EKS Cluster"
  role_name   = "example-role"
  assume_role_policy_document = jsonencode({
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
        Service = "eks.amazonaws.com"
      }
    }]
    Version = "2012-10-17"
  })
  managed_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
    # Optionally, enable Security Groups for Pods
    # Reference: https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html
    "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
  ]
  max_session_duration = 7200
  path                 = "/"
  tags = [{
    key   = "Modified By"
    value = "AWSCC"
  }]
}

resource "awscc_eks_cluster" "main" {
  name     = "example-cluster"
  role_arn = awscc_iam_role.main.arn
  resources_vpc_config = {
    subnet_ids = ["subnet-xxxx", "subnet-yyyy"] # EKS cluster subnet IDs
  }
  encryption_config = [{
    provider = {
      key_arn = awscc_kms_key.main.arn
    }
    resources = ["secrets"]
  }]
  tags = [{
    key   = "Modified By"
    value = "AWSCC"
  }]
  depends_on = [awscc_kms_key.main]
}

resource "awscc_kms_key" "main" {
  description            = "KMS Key for EKS Secrets Encryption"
  enabled                = true
  enable_key_rotation    = false
  pending_window_in_days = 30
  # Key policy that delegates key administration to the account root;
  # access for other principals is then granted through IAM policies.
  key_policy = jsonencode({
    Version = "2012-10-17"
    Id      = "KMS-Key-Policy-For-Root"
    Statement = [{
      Sid    = "Enable IAM User Permissions"
      Effect = "Allow"
      Principal = {
        AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
      }
      Action   = "kms:*"
      Resource = "*"
    }]
  })
  tags = [{
    key   = "Modified By"
    value = "AWSCC"
  }]
}
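As an added example, not part of the provider's documentation: a small Python policy check over `terraform show -json tfplan` output that verifies the three controls the examples above configure (control plane logging types, KMS encryption of Kubernetes secrets, and key rotation on the awscc_kms_key). It assumes the standard plan JSON layout (`planned_values.root_module.resources[]`) and runs against a constructed plan excerpt embedded inline.

```python
import json

# Control plane log types the logging example above enables.
REQUIRED_LOG_TYPES = {"api", "audit", "authenticator"}


def _resources(plan: dict, rtype: str):
    """Return root-module resources of one type from `terraform show -json` output."""
    root = plan.get("planned_values", {}).get("root_module", {})
    return [r for r in root.get("resources", []) if r.get("type") == rtype]


def audit_plan(plan: dict) -> list[str]:
    """Return findings for the three controls; an empty list means all passed."""
    findings = []
    for cluster in _resources(plan, "awscc_eks_cluster"):
        addr, v = cluster.get("address"), cluster.get("values") or {}
        # logging.cluster_logging.enabled_types[].type, as in the example above
        cl = (v.get("logging") or {}).get("cluster_logging") or {}
        enabled = {t.get("type") for t in cl.get("enabled_types") or []}
        missing = REQUIRED_LOG_TYPES - enabled
        if missing:
            findings.append(f"{addr}: control plane logging missing {sorted(missing)}")
        # encryption_config[].resources must cover "secrets" (key_arn is computed,
        # so it is absent from planned_values and not checked here)
        enc = v.get("encryption_config") or []
        if not any("secrets" in (e.get("resources") or []) for e in enc):
            findings.append(f"{addr}: Kubernetes secrets are not KMS-encrypted")
    for key in _resources(plan, "awscc_kms_key"):
        if (key.get("values") or {}).get("enable_key_rotation") is not True:
            findings.append(f"{key.get('address')}: KMS key rotation is disabled")
    return findings


# Constructed plan excerpt: the KMS example above, which has no logging block
# and leaves enable_key_rotation false.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {"resources": [
  {"address": "awscc_eks_cluster.main", "type": "awscc_eks_cluster",
   "values": {"name": "example-cluster", "logging": null,
              "encryption_config": [{"resources": ["secrets"]}]}},
  {"address": "awscc_kms_key.main", "type": "awscc_kms_key",
   "values": {"enabled": true, "enable_key_rotation": false}}
]}}}
""")

if __name__ == "__main__":
    for finding in audit_plan(SAMPLE_PLAN):
        print("FINDING:", finding)
```

Run it as `terraform show -json tfplan | python3 -c 'import json,sys; ...'` style glue or import `audit_plan` from a CI step; the two findings on the sample are the ones a reviewer would raise against the KMS example as written.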

Schema

Required

Optional

Read-Only

Nested Schema for resources_vpc_config

Required:

Optional:

Nested Schema for access_config

Optional:

Nested Schema for encryption_config

Optional:

Nested Schema for encryption_config.provider

Optional:

Nested Schema for kubernetes_network_config

Optional:

Read-Only:

Nested Schema for logging

Optional:

Nested Schema for logging.cluster_logging

Optional:

Nested Schema for logging.cluster_logging.enabled_types

Optional:

Nested Schema for outpost_config

Required:

Optional:

Nested Schema for outpost_config.control_plane_placement

Optional:

Nested Schema for tags

Required:

Import

Import is supported using the following syntax:

$ terraform import awscc_eks_cluster.example <resource ID>