#87 Add EKS auto mode options

choisungwook · Dec 14, 2024 · 583f195 · 583f195
1 parent 5a99dc8
commit 583f195
Show file tree

Hide file tree

Showing 7 changed files with 221 additions and 62 deletions.
diff --git a/eks/main.tf b/eks/main.tf
@@ -26,32 +26,36 @@ module "eks" {
     # https://docs.aws.amazon.com/ko_kr/eks/latest/userguide/managing-kube-proxy.html
     {
       name                 = "kube-proxy"
-      version              = "v1.29.0-eksbuild.3"
+      version              = "v1.30.6-eksbuild.3"
       configuration_values = jsonencode({})
     },
     # https://docs.aws.amazon.com/ko_kr/eks/latest/userguide/managing-vpc-cni.html
     {
       name                 = "vpc-cni"
-      version              = "v1.16.2-eksbuild.1"
+      version              = "v1.19.0-eksbuild.1"
       configuration_values = jsonencode({})
     },
     # https://docs.aws.amazon.com/ko_kr/eks/latest/userguide/managing-coredns.html
     {
       name                 = "coredns"
-      version              = "v1.11.1-eksbuild.6"
+      version              = "v1.11.3-eksbuild.2"
       configuration_values = jsonencode({})
     }
   ]
 
   managed_node_groups = var.managed_node_groups
 
-  // IRSA role 생성 여부
+  # EKS auto mode
+  auto_mode_enabled      = var.auto_mode_enabled
+  cluster_compute_config = var.cluster_compute_config
+
+  # IRSA role 생성 여부
   karpenter_enabled      = true
   alb_controller_enabled = true
   external_dns_enabled   = true
   enable_amp             = var.enable_amp
 
-  // EKS access entry 설정
+  # EKS access entry 설정
   aws_auth_admin_roles = [
     var.assume_role_arn
   ]

diff --git a/eks/module/eks/eks_cluster.tf b/eks/module/eks/eks_cluster.tf
@@ -18,7 +18,40 @@ resource "aws_eks_cluster" "main" {
 
   # https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/eks_cluster.html#access_config
   access_config {
-    authentication_mode                         = "API_AND_CONFIG_MAP" # or API
+    authentication_mode                         = "API_AND_CONFIG_MAP"
     bootstrap_cluster_creator_admin_permissions = false
   }
+
+  dynamic "compute_config" {
+    for_each = length(var.cluster_compute_config) > 0 ? [var.cluster_compute_config] : []
+
+    content {
+      enabled       = try(compute_config.value.enabled, null)
+      node_pools    = var.auto_mode_enabled ? try(compute_config.value.node_pools, []) : null
+      node_role_arn = var.auto_mode_enabled && length(try(compute_config.value.node_pools, [])) > 0 ? try(compute_config.value.node_role_arn, aws_iam_role.eks_auto[0].arn, null) : null
+    }
+  }
+
+  kubernetes_network_config {
+    dynamic "elastic_load_balancing" {
+      for_each = var.auto_mode_enabled ? [1] : []
+      content {
+        enabled = var.auto_mode_enabled
+      }
+    }
+
+    ip_family         = var.cluster_ip_family
+    service_ipv4_cidr = var.cluster_service_ipv4_cidr
+    service_ipv6_cidr = var.cluster_service_ipv6_cidr
+  }
+
+  dynamic "storage_config" {
+    for_each = var.auto_mode_enabled ? [1] : []
+
+    content {
+      block_storage {
+        enabled = var.auto_mode_enabled
+      }
+    }
+  }
 }
diff --git a/eks/module/eks/iam.tf b/eks/module/eks/iam.tf
@@ -1,35 +1,24 @@
+######################################################################
+# EKS cluster role
+######################################################################
 resource "aws_iam_role" "eks_role" {
-  name = "${var.eks_cluster_name}-eks-cluster-role"
-
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [
-      {
-        Effect = "Allow",
-        Principal = {
-          Service = "eks.amazonaws.com"
-        },
-        Action = "sts:AssumeRole"
-      }
-    ]
-  })
+  name               = "${var.eks_cluster_name}-eks-cluster-role"
+  assume_role_policy = data.aws_iam_policy_document.eks_cluster.json
 }
 
-resource "aws_iam_role" "node_group_role" {
-  name = "${var.eks_cluster_name}-eks-worker-node-role"
-
-  assume_role_policy = jsonencode({
-    Statement = [
-      {
-        Action = "sts:AssumeRole"
-        Effect = "Allow"
-        Principal = {
-          Service = "ec2.amazonaws.com"
-        }
-      },
+data "aws_iam_policy_document" "eks_cluster" {
+  statement {
+    sid = "EKSClusterAssumeRole"
+    actions = [
+      "sts:AssumeRole",
+      "sts:TagSession",
     ]
-    Version = "2012-10-17"
-  })
+
+    principals {
+      type        = "Service"
+      identifiers = ["eks.amazonaws.com"]
+    }
+  }
 }
 
 resource "aws_iam_policy_attachment" "eks_cluster_policy" {
@@ -44,6 +33,54 @@ resource "aws_iam_policy_attachment" "eks_cluster_vpc_controller" {
   roles      = [aws_iam_role.eks_role.name]
 }
 
+resource "aws_iam_policy_attachment" "eks_cluster_automode_storage" {
+  name       = "${var.eks_cluster_name}-AmazonEKSBlockStoragePolicy"
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSBlockStoragePolicy"
+  roles      = [aws_iam_role.eks_role.name]
+}
+
+resource "aws_iam_policy_attachment" "eks_cluster_automode_compute" {
+  name       = "${var.eks_cluster_name}-AmazonEKSComputePolicy"
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSComputePolicy"
+  roles      = [aws_iam_role.eks_role.name]
+}
+
+resource "aws_iam_policy_attachment" "eks_cluster_automode_loadbalancing" {
+  name       = "${var.eks_cluster_name}-AmazonEKSLoadBalancingPolicy"
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSLoadBalancingPolicy"
+  roles      = [aws_iam_role.eks_role.name]
+}
+
+resource "aws_iam_policy_attachment" "eks_cluster_automode_networking" {
+  name       = "${var.eks_cluster_name}-AmazonEKSNetworkingPolicy"
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSNetworkingPolicy"
+  roles      = [aws_iam_role.eks_role.name]
+}
+
+######################################################################
+# managed node group role
+######################################################################
+
+resource "aws_iam_role" "node_group_role" {
+  name               = "${var.eks_cluster_name}-eks-worker-node-role"
+  assume_role_policy = data.aws_iam_policy_document.node_group.json
+}
+
+data "aws_iam_policy_document" "node_group" {
+  statement {
+    sid = "EKSClusterAssumeRole"
+    actions = [
+      "sts:AssumeRole",
+      "sts:TagSession",
+    ]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+  }
+}
+
 resource "aws_iam_role_policy_attachment" "node_group_AmazonEC2ContainerRegistryReadOnly" {
   policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
   role       = aws_iam_role.node_group_role.id
@@ -69,9 +106,9 @@ resource "aws_iam_role_policy_attachment" "node_group_CloudWatchAgentServerPolic
   role       = aws_iam_role.node_group_role.id
 }
 
-////
-// OIDC provider
-///
+######################################################################
+# OIDC provider
+######################################################################
 
 data "tls_certificate" "eks_oidc_cert" {
   count = var.oidc_provider_enabled ? 1 : 0
@@ -83,3 +120,31 @@ resource "aws_iam_openid_connect_provider" "main" {
   thumbprint_list = [data.tls_certificate.eks_oidc_cert[0].certificates[0].sha1_fingerprint]
   url             = data.tls_certificate.eks_oidc_cert[0].url
 }
+
+# ######################################################################
+# # EKS auto Mode
+# ######################################################################
+
+resource "aws_iam_role" "eks_auto" {
+  count = var.auto_mode_enabled ? 1 : 0
+
+  name               = "${var.eks_cluster_name}-eks-automode-node-role"
+  assume_role_policy = data.aws_iam_policy_document.eks_auto[0].json
+}
+
+data "aws_iam_policy_document" "eks_auto" {
+  count = var.auto_mode_enabled ? 1 : 0
+
+  statement {
+    sid = "EKSAutoNodeAssumeRole"
+    actions = [
+      "sts:AssumeRole",
+      "sts:TagSession",
+    ]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+  }
+}
diff --git a/eks/module/eks/variables.tf b/eks/module/eks/variables.tf
@@ -86,3 +86,40 @@ variable "enable_amp" {
   type    = bool
   default = false
 }
+
+variable "cluster_ip_family" {
+  description = "The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. You can only specify an IP family when you create a cluster, changing this value will force a new cluster to be created"
+  type        = string
+  default     = "ipv4"
+}
+
+variable "cluster_service_ipv4_cidr" {
+  description = "The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks"
+  type        = string
+  default     = null
+}
+
+variable "cluster_service_ipv6_cidr" {
+  description = "The CIDR block to assign Kubernetes pod and service IP addresses from if `ipv6` was specified when the cluster was created. Kubernetes assigns service addresses from the unique local address range (fc00::/7) because you can't specify a custom IPv6 CIDR block when you create the cluster"
+  type        = string
+  default     = null
+}
+
+######################################################################
+# EKS auto mode
+# When using EKS Auto Mode compute_config.enabled, kubernetes_network_config.elastic_load_balancing.enabled, and storage_config.block_storage.enabled
+# must *ALL be set to true.
+# Likewise for disabling EKS Auto Mode, all three arguments must be set to false.
+######################################################################
+
+variable "auto_mode_enabled" {
+  description = "Enable EKS Auto Mode"
+  type        = bool
+  default     = false
+}
+
+variable "cluster_compute_config" {
+  description = "Configuration block for the cluster compute configuration"
+  type        = any
+  default     = {}
+}
diff --git a/eks/provider.tf b/eks/provider.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "5.50.0"
+      version = "5.81.0"
     }
   }
 

diff --git a/eks/terraform.tfvars b/eks/terraform.tfvars
@@ -1,5 +1,5 @@
 eks_cluster_name = "eks-from-terraform"
-eks_version      = "1.29"
+eks_version      = "1.30"
 
 # EKS 접근 유형
 endpoint_private_access = true
@@ -9,7 +9,10 @@ endpoint_public_access = true
 # Amazon Managed Prometheus 설치 여부
 enable_amp = false
 
+######################################################################
 # VPC
+######################################################################
+
 vpc_cidr = "10.0.0.0/16"
 
 public_subnets = {
@@ -46,16 +49,19 @@ private_subnets = {
   }
 }
 
+######################################################################
 # Managed Node Groups
-managed_node_groups = {
-  "ondemand-group-a" = {
-    node_group_name = "ondemand-group-a",
-    instance_types  = ["t3.medium"],
-    capacity_type   = "SPOT",
-    release_version = "" #latest
-    disk_size       = 20
-    desired_size    = 3,
-    max_size        = 3,
-    min_size        = 3
-  }
+######################################################################
+
+managed_node_groups = {}
+
+######################################################################
+# EKS auto Mode
+######################################################################
+
+auto_mode_enabled = true
+
+cluster_compute_config = {
+  enabled    = true
+  node_pools = ["general-purpose", "system"]
 }
diff --git a/eks/variables.tf b/eks/variables.tf
@@ -35,18 +35,8 @@ variable "managed_node_groups" {
     max_size        = number
     min_size        = number
   }))
-  default = {
-    "ondemand-group-a" = {
-      node_group_name = "ondemand-group-a",
-      instance_types  = ["t3.medium"],
-      capacity_type   = "SPOT",
-      release_version = "" #latest
-      disk_size       = 20
-      desired_size    = 3,
-      max_size        = 3,
-      min_size        = 3
-    }
-  }
+  # if you use EKS auto mode, you can set managed_node_groups = {}
+  default = {}
 }
 
 variable "assume_role_arn" {
@@ -58,6 +48,10 @@ variable "enable_amp" {
   default = false
 }
 
+######################################################################
+# VPC
+######################################################################
+
 variable "vpc_cidr" {
   description = "VPC CIDR"
   type        = string
@@ -113,3 +107,23 @@ variable "private_subnets" {
     }
   }
 }
+
+######################################################################
+# EKS auto mode
+
+# When using EKS Auto Mode compute_config.enabled, kubernetes_network_config.elastic_load_balancing.enabled, and storage_config.block_storage.enabled
+# must *ALL be set to true.
+# Likewise for disabling EKS Auto Mode, all three arguments must be set to false.
+######################################################################
+
+variable "auto_mode_enabled" {
+  description = "Enable EKS Auto Mode"
+  type        = bool
+  default     = false
+}
+
+variable "cluster_compute_config" {
+  description = "Configuration block for the cluster compute configuration"
+  type        = any
+  default     = {}
+}