Introduction:
Click here: https://dev.to/aws-builders/enable-eks-auto-mode-on-an-existing-cluster-1j5m
Terraform Implementation of Amazon EKS Auto Mode
# Single source of truth for the cluster name; the VPC module tags and the
# EKS cluster resource below both reference local.cluster_name.
locals {
  cluster_name = "my-vpc-eks-test"
}
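# VPC for the EKS Auto Mode cluster: three private subnets (worker nodes /
# cluster ENIs) and three public subnets (internet-facing load balancers).
module "vpc_eks" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.18.1"

  # Reuse the local so the VPC name cannot drift from the cluster name.
  name = local.cluster_name
  cidr = "10.20.0.0/19"

  azs             = ["eu-west-2a", "eu-west-2b", "eu-west-2c"]
  private_subnets = ["10.20.0.0/21", "10.20.8.0/21", "10.20.16.0/21"]
  public_subnets  = ["10.20.24.0/23", "10.20.26.0/23", "10.20.28.0/23"]

  # One shared NAT gateway for all AZs: cheaper, but a single point of
  # failure for egress from the private subnets.
  enable_nat_gateway     = true
  single_nat_gateway     = true
  one_nat_gateway_per_az = false

  # A virtual private gateway is created and its routes are propagated into
  # every route table. NOTE(review): this only makes sense if a VPN or
  # Direct Connect attachment exists; otherwise drop these three settings.
  enable_vpn_gateway                 = true
  propagate_private_route_tables_vgw = true
  propagate_public_route_tables_vgw  = true

  # Required for private endpoint access and in-cluster DNS resolution.
  enable_dns_hostnames = true
  enable_dns_support   = true

  # Subnet discovery tags. "kubernetes.io/role/*" is read by the EKS load
  # balancing controller; "karpenter.sh/discovery" by Auto Mode NodeClass
  # subnet selectors.
  # NOTE(review): the "mapPublicIpOnLaunch" entries are plain tags and do not
  # change subnet behaviour; the module's map_public_ip_on_launch argument
  # does. Confirm they are only used as labels.
  private_subnet_tags = {
    "kubernetes.io/role/internal-elb" = "1",
    "mapPublicIpOnLaunch"             = "FALSE"
    "karpenter.sh/discovery"          = local.cluster_name
    "kubernetes.io/role/cni"          = "1"
  }
  public_subnet_tags = {
    "kubernetes.io/role/elb" = "1",
    "mapPublicIpOnLaunch"    = "TRUE"
  }

  tags = {
    "kubernetes.io/cluster/${local.cluster_name}" = "shared"
  }
}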
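# EKS cluster with Auto Mode (compute, block storage and load balancing
# managed by EKS). Control-plane identity is aws_iam_role.cluster; nodes
# launched by Auto Mode use aws_iam_role.node.
resource "aws_eks_cluster" "cluster" {
  name     = local.cluster_name
  role_arn = aws_iam_role.cluster.arn
  version  = "1.32"

  # NOTE(review): no control-plane logging is configured. For an auditable
  # cluster set enabled_cluster_log_types (at least "audit" and
  # "authenticator") and ship the CloudWatch log group to your SIEM.

  vpc_config {
    subnet_ids = module.vpc_eks.private_subnets
    # Empty: Auto Mode provisions the cluster security group itself.
    security_group_ids = []

    # Booleans, not strings (the provider coerced "true" but the literal is
    # the documented type). Private access keeps node/API traffic in-VPC.
    endpoint_private_access = true
    endpoint_public_access  = true
    # NOTE(review): with endpoint_public_access = true and no
    # public_access_cidrs, the API server is reachable from 0.0.0.0/0 and
    # only IAM/access-entry auth stands between it and the internet. Add
    # public_access_cidrs = ["<your-admin-cidr>/32", ...] or disable public
    # access and reach the endpoint over the VPN gateway.
  }

  access_config {
    # API-only authentication: aws-auth ConfigMap is not consulted.
    authentication_mode = "API"
    # The creating principal gets NO admin access. NOTE(review): nothing in
    # this file creates an aws_eks_access_entry, so the cluster is
    # unreachable by any IAM principal until one is added.
    bootstrap_cluster_creator_admin_permissions = false
  }

  # Auto Mode ships its own networking/storage/LB capabilities, so the
  # default self-managed add-ons are not installed.
  bootstrap_self_managed_addons = false

  zonal_shift_config {
    enabled = true
  }

  compute_config {
    enabled       = true
    node_pools    = ["general-purpose", "system"]
    node_role_arn = aws_iam_role.node.arn
  }

  kubernetes_network_config {
    elastic_load_balancing {
      enabled = true
    }
  }

  storage_config {
    block_storage {
      enabled = true
    }
  }
}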
# Control-plane role assumed by the EKS service; its managed policies are
# attached exclusively below so any out-of-band attachment is removed.
resource "aws_iam_role" "cluster" {
  assume_role_policy = data.aws_iam_policy_document.cluster_role_assume_role_policy.json
  name               = "eks-test-cluster-role"
}
# Exclusive attachment: exactly this set of AWS-managed policies is kept on
# the cluster role; anything else attached outside Terraform is detached.
resource "aws_iam_role_policy_attachments_exclusive" "cluster" {
  role_name = aws_iam_role.cluster.name

  # NOTE(review): the EKS Auto Mode cluster-role documentation (as I recall
  # it — confirm against the current docs) lists ClusterPolicy, ComputePolicy,
  # BlockStoragePolicy, LoadBalancingPolicy and NetworkingPolicy.
  # AmazonEKSServicePolicy (superseded by the EKS service-linked role) and
  # AmazonEKSVPCResourceController (security groups for pods) go beyond that
  # set; drop them unless a feature here needs them.
  policy_arns = [
    for policy in [
      "AmazonEKSClusterPolicy",
      "AmazonEKSComputePolicy",
      "AmazonEKSBlockStoragePolicy",
      "AmazonEKSLoadBalancingPolicy",
      "AmazonEKSNetworkingPolicy",
      "AmazonEKSServicePolicy",
      "AmazonEKSVPCResourceController",
    ] : "arn:aws:iam::aws:policy/${policy}"
  ]
}
# Trust policy for the cluster role. sts:TagSession is needed alongside
# sts:AssumeRole because EKS Auto Mode tags the control-plane session.
data "aws_iam_policy_document" "cluster_role_assume_role_policy" {
  statement {
    sid    = "EKSClusterAssumeRole"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["eks.amazonaws.com"]
    }

    actions = [
      "sts:AssumeRole",
      "sts:TagSession",
    ]
  }
}
# Trust policy for the Auto Mode node role: only EC2 instances may assume it.
# Expressed as a policy document data source to match the cluster role above.
data "aws_iam_policy_document" "node_role_assume_role_policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

# Instance role for nodes launched by EKS Auto Mode (referenced from
# compute_config.node_role_arn on the cluster).
resource "aws_iam_role" "node" {
  name               = "eks-auto-node-example"
  assume_role_policy = data.aws_iam_policy_document.node_role_assume_role_policy.json
}
# Minimal node permissions (the Auto Mode variant, narrower than the classic
# AmazonEKSWorkerNodePolicy). Non-exclusive attachment, so other policies may
# coexist on the role.
resource "aws_iam_role_policy_attachment" "node_AmazonEKSWorkerNodeMinimalPolicy" {
  role       = aws_iam_role.node.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodeMinimalPolicy"
}
# Pull-only ECR access for image fetches; nodes get no push or repository
# management rights.
resource "aws_iam_role_policy_attachment" "node_AmazonEC2ContainerRegistryPullOnly" {
  role       = aws_iam_role.node.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
}