


Terraform module to create an Elastic Kubernetes (EKS) cluster and associated worker instances on AWS



| Name | Description | Type | Required |
| --- | --- | --- | --- |
| attach_cluster_encryption_policy | Indicates whether or not to attach an additional policy for the cluster IAM role to utilize the encryption key provided | bool | false |
| cloudwatch_log_group_kms_key_id | If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy ( | | |
| cloudwatch_log_group_retention_in_days | Number of days to retain log events. Default retention - 90 days | number | false |
| cluster_additional_security_group_ids | List of additional, externally created security group IDs to attach to the cluster control plane | list(string) | false |
| cluster_addons | Map of cluster addon configurations to enable for the cluster. Addon name can be the map keys or set with name | any | false |
| cluster_enabled_log_types | A list of the desired control plane logs to enable. For more information, see Amazon EKS Control Plane Logging documentation ( | | |
| cluster_encryption_config | Configuration block with encryption configuration for the cluster | list(object({ provider_key_arn = string, resources = list(string) })) | false |
| cluster_encryption_policy_description | Description of the cluster encryption policy created | string | false |
| cluster_encryption_policy_name | Name to use on cluster encryption policy created | string | false |
| cluster_encryption_policy_path | Cluster encryption policy path | string | false |
| cluster_encryption_policy_tags | A map of additional tags to add to the cluster encryption policy created | map(string) | false |
| cluster_encryption_policy_use_name_prefix | Determines whether cluster encryption policy name (cluster_encryption_policy_name) is used as a prefix | string | false |
| cluster_endpoint_private_access | Indicates whether or not the Amazon EKS private API server endpoint is enabled | bool | false |
| cluster_endpoint_public_access | Indicates whether or not the Amazon EKS public API server endpoint is enabled | bool | false |
| cluster_endpoint_public_access_cidrs | List of CIDR blocks which can access the Amazon EKS public API server endpoint | list(string) | false |
| cluster_iam_role_dns_suffix | Base DNS domain name for the current partition (e.g., in AWS Commercial, in AWS China) | string | false |
| cluster_identity_providers | Map of cluster identity provider configurations to enable for the cluster. Note - this is different/separate from IRSA | any | false |
| cluster_ip_family | The IP family used to assign Kubernetes pod and service addresses. Valid values are ipv4 (default) and ipv6. You can only specify an IP family when you create a cluster; changing this value will force a new cluster to be created | string | false |
| cluster_name | Name of the EKS cluster | string | false |
| cluster_security_group_additional_rules | List of additional security group rules to add to the cluster security group created. Set source_node_security_group = true inside rules to set the node_security_group as source | any | false |
| cluster_security_group_description | Description of the cluster security group created | string | false |
| cluster_security_group_id | Existing security group ID to be attached to the cluster. Required if create_cluster_security_group = false | string | false |
| cluster_security_group_name | Name to use on cluster security group created | string | false |
| cluster_security_group_tags | A map of additional tags to add to the cluster security group created | map(string) | false |
| cluster_security_group_use_name_prefix | Determines whether cluster security group name (cluster_security_group_name) is used as a prefix | string | false |
| cluster_service_ipv4_cidr | The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the or CIDR blocks | string | false |
| cluster_tags | A map of additional tags to add to the cluster | map(string) | false |
| cluster_timeouts | Create, update, and delete timeout configurations for the cluster | map(string) | false |
| cluster_version | Kubernetes <major>.<minor> version to use for the EKS cluster (e.g., 1.21) | string | false |
| create | Controls if EKS resources should be created (affects nearly all resources) | bool | false |
| create_cloudwatch_log_group | Determines whether a log group is created by this module for the cluster logs. If not, AWS will automatically create one if logging is enabled | bool | false |
| create_cluster_security_group | Determines whether a security group is created for the cluster or the existing cluster_security_group_id is used | bool | false |
| create_cni_ipv6_iam_policy | Determines whether to create an AmazonEKS_CNI_IPv6_Policy | bool | false |
| create_iam_role | Determines whether an IAM role is created or an existing IAM role is used | bool | false |
| create_node_security_group | Determines whether to create a security group for the node groups or use the existing node_security_group_id | bool | false |
| custom_oidc_thumbprints | Additional list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificate(s) | list(string) | false |
| eks_managed_node_group_defaults | Map of EKS managed node group default configurations | any | false |
| eks_managed_node_groups | Map of EKS managed node group definitions to create | any | false |
| enable_irsa | Determines whether to create an OpenID Connect Provider for EKS to enable IRSA | bool | false |
| fargate_profile_defaults | Map of Fargate Profile default configurations | any | false |
| fargate_profiles | Map of Fargate Profile definitions to create | any | false |
| iam_role_additional_policies | Additional policies to be added to the IAM role | list(string) | false |
| iam_role_arn | Existing IAM role ARN for the cluster. Required if create_iam_role is set to false | string | false |
| iam_role_description | Description of the role | string | false |
| iam_role_name | Name to use on IAM role created | string | false |
| iam_role_path | Cluster IAM role path | string | false |
| iam_role_permissions_boundary | ARN of the policy that is used to set the permissions boundary for the IAM role | string | false |
| iam_role_tags | A map of additional tags to add to the IAM role created | map(string) | false |
| iam_role_use_name_prefix | Determines whether the IAM role name (iam_role_name) is used as a prefix | string | false |
| node_security_group_additional_rules | List of additional security group rules to add to the node security group created. Set source_cluster_security_group = true inside rules to set the cluster_security_group as source | any | false |
| node_security_group_description | Description of the node security group created | string | false |
| node_security_group_id | ID of an existing security group to attach to the node groups created | string | false |
| node_security_group_name | Name to use on node security group created | string | false |
| node_security_group_tags | A map of additional tags to add to the node security group created | map(string) | false |
| node_security_group_use_name_prefix | Determines whether node security group name (node_security_group_name) is used as a prefix | string | false |
| openid_connect_audiences | List of OpenID Connect audience client IDs to add to the IRSA provider | list(string) | false |
| prefix_separator | The separator to use between the prefix and the generated timestamp for resource names | string | false |
| putin_khuylo | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info:! | bool | false |
| self_managed_node_group_defaults | Map of self-managed node group default configurations | any | false |
| self_managed_node_groups | Map of self-managed node group definitions to create | any | false |
| subnet_ids | A list of subnet IDs where the EKS cluster (ENIs) will be provisioned along with the nodes/node groups. Node groups can be deployed within a different set of subnet IDs from within the node group configuration | list(string) | false |
| tags | A map of tags to add to all resources | map(string) | false |
| vpc_id | ID of the VPC where the cluster and its nodes will be provisioned | string | false |
| writeConnectionSecretToRef | The secret which the cloud resource connection will be written to | writeConnectionSecretToRef | false |


| Name | Description | Type | Required |
| --- | --- | --- | --- |
| name | The secret name which the cloud resource connection will be written to | string | true |
| namespace | The secret namespace which the cloud resource connection will be written to | string | false |