
An opinionated Terraform module that can be used to create and manage an EKS cluster in AWS in a simplified way.






| Name | Version |
|------|---------|
| terraform | >= 1.3.0 |
| aws | >= 5.34.0 |
| null | >= 3.1.1 |
| tls | < 4.0.0 |


| Name | Version |
|------|---------|
| aws | >= 5.34.0 |
| null | >= 3.1.1 |
| tls | < 4.0.0 |


| Name | Source | Version |
|------|--------|---------|
| iam_assumable_role_aws_ebs_csi_driver | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.4.0 |
| iam_assumable_role_aws_load_balancer_controller | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.4.0 |
| iam_assumable_role_cert_manager | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.4.0 |
| iam_assumable_role_cluster_autoscaler | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.4.0 |
| iam_assumable_role_external_dns | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.4.0 |
| iam_assumable_role_log_shipping | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.4.0 |
| iam_assumable_role_phlare | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.4.0 |
| iam_assumable_role_velero | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.9.2 |
| main | terraform-aws-modules/eks/aws | ~> 20.0 |


| Name | Type |
|------|------|
| aws_iam_policy.aws_ebs_csi_driver | resource |
| aws_iam_policy.aws_load_balancer_controller | resource |
| aws_iam_policy.cert_manager | resource |
| aws_iam_policy.cluster_autoscaler | resource |
| aws_iam_policy.external_dns | resource |
| aws_iam_policy.log_shipping | resource |
| aws_iam_policy.phlare | resource |
| aws_iam_policy.velero | resource |
| aws_instance.echo-server | resource |
| aws_key_pair.ssh_access | resource |
| aws_s3_bucket.log_shipping | resource |
| aws_s3_bucket.phlare | resource |
| aws_s3_bucket.velero | resource |
| aws_s3_bucket_acl.log_shipping | resource |
| aws_s3_bucket_acl.phlare | resource |
| aws_s3_bucket_acl.velero | resource |
| aws_s3_bucket_lifecycle_configuration.velero | resource |
| aws_s3_bucket_ownership_controls.log_shipping_ownership_controls | resource |
| aws_s3_bucket_ownership_controls.phlare_ownership_controls | resource |
| aws_s3_bucket_ownership_controls.velero_ownership_controls | resource |
| aws_s3_bucket_public_access_block.log_shipping_block_public_access | resource |
| aws_s3_bucket_public_access_block.phlare_block_public_access | resource |
| aws_s3_bucket_public_access_block.velero_block_public_access | resource |
| aws_security_group_rule.cluster_to_workers_ingress_all | resource |
| aws_security_group_rule.workers_egress_dns_tcp | resource |
| aws_security_group_rule.workers_egress_dns_udp | resource |
| aws_security_group_rule.workers_egress_http | resource |
| aws_security_group_rule.workers_egress_ssh | resource |
| aws_security_group_rule.workers_to_workers_egress_all | resource |
| aws_security_group_rule.workers_to_workers_ingress_all | resource |
| null_resource.disable_aws_vpc_cni_plugin | resource |
| null_resource.kubeconfig | resource |
| null_resource.wait_for_control_plane_subnets | resource |
| tls_private_key.ssh_key | resource |
| aws_ami.ubuntu | data source |
| aws_ami.workers | data source |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.log_shipping | data source |
| aws_iam_policy_document.phlare | data source |
| aws_iam_policy_document.velero | data source |
| aws_subnets.eks_control_plane | data source |
| aws_subnets.private | data source |
| aws_subnets.public | data source |
| aws_vpc.vpc | data source |


| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| allow_imdsv1 | Whether to allow IMDSv1 access (insecure). | `bool` | `false` | no |
| ami_owners | The list of acceptable owners of AMIs to be used for worker nodes. | `list(string)` | | |
| aws_ebs_csi_driver_oidc_fully_qualified_subjects | The list of trusted resources which can assume the 'aws-ebs-csi-driver' role using OpenID Connect. | `list(string)` | `[]` | no |
| aws_load_balancer_controller_oidc_fully_qualified_subjects | The list of trusted resources which can assume the 'aws-load-balancer-controller' role using OpenID Connect. | `list(string)` | `[]` | no |
| cert_manager_oidc_fully_qualified_subjects | The list of trusted resources which can assume the 'cert-manager' role using OpenID Connect. | `list(string)` | `[]` | no |
| cluster_addons | Map of cluster addon configurations. | `any` | `{}` | no |
| cluster_autoscaler_oidc_fully_qualified_subjects | The list of trusted resources which can assume the 'cluster-autoscaler' role using OpenID Connect. | `list(string)` | `[]` | no |
| cluster_service_ipv4_cidr | The CIDR block to assign Kubernetes service IP addresses from. | `string` | `null` | no |
| control_plane_subnet_ids | Can be used to override the list of subnet IDs to use for the EKS control-plane. If not defined, subnets tagged with 'eks-control-plane: true' will be used. | `list(string)` | `[]` | no |
| disable_aws_vpc_cni_plugin | Whether to disable the AWS VPC CNI plugin. Unless running in chaining mode, this should usually be 'true'. | `bool` | n/a | yes |
| echo_server_instance_enabled | Whether to create an EC2 instance outside the cluster that can act as 'echo-server'. | `bool` | `false` | no |
| echo_server_instance_user_data | The user data script to use for the 'echo-server' instance. | `string` | `""` | no |
| external_dns_oidc_fully_qualified_subjects | The list of trusted resources which can assume the 'external-dns' role using OpenID Connect. | `list(string)` | `[]` | no |
| include_public_subnets | Whether to include public subnets in the list of subnets usable by the EKS cluster. | `bool` | `true` | no |
| kubernetes_version | The version of Kubernetes/EKS to use. | `string` | n/a | yes |
| log_shipping_bucket_name | The name of the S3 bucket that will be used to store logs. | `string` | `""` | no |
| log_shipping_oidc_fully_qualified_subjects | The list of trusted resources which can assume the 'log-shipping' role using OpenID Connect. | `list(string)` | `[]` | no |
| name | The name of the EKS cluster. | `string` | n/a | yes |
| phlare_bucket_name | The name of the S3 bucket that will be used by Phlare | `string` | `""` | no |
| phlare_oidc_fully_qualified_subjects | The list of trusted resources which can assume the 'phlare' role using OpenID Connect. | `list(string)` | `[]` | no |
| region | The region in which to create the EKS cluster. | `string` | n/a | yes |
| self_managed_node_groups | A map describing the set of self-managed node groups to create. Other types of node groups besides self-managed are currently not supported. | `ami_type = string`<br>`ami_name_filter = string`<br>`extra_tags = map(string)`<br>`instance_type = string`<br>`kubelet_extra_args = string`<br>`max_nodes = number`<br>`min_nodes = number`<br>`name = string`<br>`pre_bootstrap_user_data = string`<br>`post_bootstrap_user_data = string`<br>`cloudinit_pre_nodeadm = optional(list(object({`<br>`content = string`<br>`content_type = optional(string)`<br>`filename = optional(string)`<br>`merge_type = optional(string)`<br>`cloudinit_post_nodeadm = optional(list(object({`<br>`content = string`<br>`content_type = optional(string)`<br>`filename = optional(string)`<br>`merge_type = optional(string)`<br>`root_volume_id = string`<br>`root_volume_size = number`<br>`root_volume_type = string`<br>`subnet_ids = list(string)`<br>`iam_role_additional_policies = map(string)`<br>`iam_role_use_name_prefix = optional(bool, true)`<br>`key_name = optional(string)` | n/a | yes |
| tags | The set of tags to place on the EKS cluster. | `map(string)` | n/a | yes |
| velero_bucket_name | The name of the S3 bucket that will be used to upload Velero backups. | `string` | `""` | no |
| velero_oidc_fully_qualified_subjects | The list of trusted resources which can assume the 'velero' role using OpenID Connect. | `list(string)` | `[]` | no |
| vpc_id | The ID of the VPC in which to create the EKS cluster. | `string` | n/a | yes |
| worker_node_additional_policies | A list of additional policies to add to worker nodes. | `list(string)` | `[]` | no |


| Name | Description |
|------|-------------|
| aws_ebs_csi_driver_policy_arn | n/a |
| aws_ebs_csi_driver_role_arn | n/a |
| aws_load_balancer_controller_role_arn | n/a |
| cert_manager_role_arn | n/a |
| cluster_arn | n/a |
| cluster_autoscaler_role_arn | n/a |
| cluster_certificate_authority_data | n/a |
| cluster_endpoint | n/a |
| cluster_version | n/a |
| external_dns_role_arn | n/a |
| id | n/a |
| log_shipping_bucket_name | n/a |
| log_shipping_role_arn | n/a |
| oidc_provider_arn | n/a |
| oidc_provider_url | n/a |
| path_to_kubeconfig_file | n/a |
| ssh_key_name | n/a |
| ssh_private_key_pem | n/a |
| workers_iam_role_arns | n/a |
| workers_security_group_id | n/a |

