@pulumi/eks
Version:
[](https://github.com/pulumi/pulumi-eks/actions/workflows/master.yml) [](https://slack.pulumi.com) [![n
442 lines (441 loc) • 18.1 kB
TypeScript
import * as outputs from "../types/output";
import * as enums from "../types/enums";
import * as pulumiAws from "@pulumi/aws";
import * as pulumiKubernetes from "@pulumi/kubernetes";
import { VpcCniAddon } from "..";
/**
* Access entries allow an IAM principal to access your cluster.
*
* You have the following options for authorizing an IAM principal to access Kubernetes objects on your cluster: Kubernetes role-based access control (RBAC), Amazon EKS, or both.
* Kubernetes RBAC authorization requires you to create and manage Kubernetes Role , ClusterRole , RoleBinding , and ClusterRoleBinding objects, in addition to managing access entries. If you use Amazon EKS authorization exclusively, you don't need to create and manage Kubernetes Role , ClusterRole , RoleBinding , and ClusterRoleBinding objects.
*/
export interface AccessEntry {
/**
* The access policies to associate to the access entry.
*/
accessPolicies?: {
[key: string]: outputs.AccessPolicyAssociation;
};
/**
* A list of groups within Kubernetes to which the IAM principal is mapped to.
*/
kubernetesGroups?: string[];
/**
* The IAM Principal ARN which requires Authentication access to the EKS cluster.
*/
principalArn: string;
/**
* The tags to apply to the AccessEntry.
*/
tags?: {
[key: string]: string;
};
/**
* The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX, EC2_LINUX, and EC2_WINDOWS.
* Defaults to STANDARD which provides the standard workflow. EC2_LINUX, EC2_WINDOWS, FARGATE_LINUX types disallow users to input a username or kubernetesGroup, and prevent associating access policies.
*/
type?: enums.AccessEntryType;
/**
* Defaults to the principalArn if the principal is a user, else defaults to assume-role/session-name.
*/
username?: string;
}
/**
* Associates an access policy and its scope to an IAM principal.
*
* See for more details:
* https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html
*/
export interface AccessPolicyAssociation {
/**
* The scope of the access policy association. This controls whether the access policy is scoped to the cluster or to a particular namespace.
*/
accessScope: pulumiAws.types.output.eks.AccessPolicyAssociationAccessScope;
/**
* The ARN of the access policy to associate with the principal
*/
policyArn: string;
}
/**
* Describes the configuration options accepted by a cluster to create its own node groups.
*/
export interface ClusterNodeGroupOptions {
/**
* The AMI ID to use for the worker nodes.
*
* Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.
*
* Note: `amiId` and `gpu` are mutually exclusive.
*
* See for more details:
* - https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.
*/
amiId?: string;
/**
* The AMI Type to use for the worker nodes.
*
* Only applicable when setting an AMI ID that is of type `arm64`.
*
* Note: `amiType` and `gpu` are mutually exclusive.
*/
amiType?: string;
/**
* The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.
*
* Per AWS, all stack-level tags, including automatically created tags, and the `cloudFormationTags` option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html
*
* Note: Given the inheritance of auto-generated CF tags and `cloudFormationTags`, you should either supply the tag in `autoScalingGroupTags` or `cloudFormationTags`, but not both.
*/
autoScalingGroupTags?: {
[key: string]: string;
};
/**
* Additional args to pass directly to `/etc/eks/bootstrap.sh`. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the `--apiserver-endpoint`, `--b64-cluster-ca` and `--kubelet-extra-args` flags are included automatically based on other configuration parameters.
*/
bootstrapExtraArgs?: string;
/**
* The configuration settings for Bottlerocket OS.
* The settings will get merged with the base settings the provider uses to configure Bottlerocket.
*
* This includes:
* - settings.kubernetes.api-server
* - settings.kubernetes.cluster-certificate
* - settings.kubernetes.cluster-name
* - settings.kubernetes.cluster-dns-ip
*
* For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.
*/
bottlerocketSettings?: {
[key: string]: any;
};
/**
* The tags to apply to the CloudFormation Stack of the Worker NodeGroup.
*
* Note: Given the inheritance of auto-generated CF tags and `cloudFormationTags`, you should either supply the tag in `autoScalingGroupTags` or `cloudFormationTags`, but not both.
*/
cloudFormationTags?: {
[key: string]: string;
};
/**
* The ingress rule that gives node group access.
*/
clusterIngressRule?: pulumiAws.ec2.SecurityGroupRule;
/**
* The ID of the ingress rule that gives node group access.
*/
clusterIngressRuleId?: string;
/**
* The number of worker nodes that should be running in the cluster. Defaults to 2.
*/
desiredCapacity?: number;
/**
* Enables/disables detailed monitoring of the EC2 instances.
*
* With detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals.
* When enabled, you can also get aggregated data across groups of similar instances.
*
* Note: You are charged per metric that is sent to CloudWatch. You are not charged for data storage.
* For more information, see "Paid tier" and "Example 1 - EC2 Detailed Monitoring" here https://aws.amazon.com/cloudwatch/pricing/.
*/
enableDetailedMonitoring?: boolean;
/**
* Encrypt the root block device of the nodes in the node group.
*/
encryptRootBlockDevice?: boolean;
/**
* Extra security groups to attach on all nodes in this worker node group.
*
* This additional set of security groups captures any user application rules that will be needed for the nodes.
*/
extraNodeSecurityGroups?: pulumiAws.ec2.SecurityGroup[];
/**
* Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.
*
* Defaults to false.
*
* Note: `gpu` and `amiId` are mutually exclusive.
*
* See for more details:
* - https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
* - https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
*/
gpu?: boolean;
/**
* Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.
*
* See [EKS best practices](https://aws.github.io/aws-eks-best-practices/cluster-autoscaling/) for more details.
*/
ignoreScalingChanges?: boolean;
/**
* The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive.
*/
instanceProfile?: pulumiAws.iam.InstanceProfile;
/**
* The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive.
*/
instanceProfileName?: string;
/**
* The instance type to use for the cluster's nodes. Defaults to "t3.medium".
*/
instanceType?: string;
/**
* Name of the key pair to use for SSH access to worker nodes.
*/
keyName?: string;
/**
* Extra args to pass to the Kubelet. Corresponds to the options passed in the `--kubeletExtraArgs` flag to `/etc/eks/bootstrap.sh`. For example, '--port=10251 --address=0.0.0.0'. Note that the `labels` and `taints` properties will be applied to this list (using `--node-labels` and `--register-with-taints` respectively) after to the explicit `kubeletExtraArgs`.
*/
kubeletExtraArgs?: string;
/**
* Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the `--node-labels` kubelet argument.
*/
labels?: {
[key: string]: string;
};
/**
* The tag specifications to apply to the launch template.
*/
launchTemplateTagSpecifications?: pulumiAws.types.output.ec2.LaunchTemplateTagSpecification[];
/**
* The maximum number of worker nodes running in the cluster. Defaults to 2.
*/
maxSize?: number;
/**
* The minimum amount of instances that should remain available during an instance refresh, expressed as a percentage. Defaults to 50.
*/
minRefreshPercentage?: number;
/**
* The minimum number of worker nodes running in the cluster. Defaults to 1.
*/
minSize?: number;
/**
* Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.
*/
nodeAssociatePublicIpAddress?: boolean;
/**
* Public key material for SSH access to worker nodes. See allowed formats at:
* https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
* If not provided, no SSH access is enabled on VMs.
*/
nodePublicKey?: string;
/**
* Whether the root block device should be deleted on termination of the instance. Defaults to true.
*/
nodeRootVolumeDeleteOnTermination?: boolean;
/**
* Whether to encrypt a cluster node's root volume. Defaults to false.
*/
nodeRootVolumeEncrypted?: boolean;
/**
* The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'.
*/
nodeRootVolumeIops?: number;
/**
* The size in GiB of a cluster node's root volume. Defaults to 20.
*/
nodeRootVolumeSize?: number;
/**
* Provisioned throughput performance in integer MiB/s for a cluster node's root volume. This is only valid with a volumeType of 'gp3'.
*/
nodeRootVolumeThroughput?: number;
/**
* Configured EBS type for a cluster node's root volume. Default is 'gp2'. Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'.
*/
nodeRootVolumeType?: string;
/**
* The security group for the worker node group to communicate with the cluster.
*
* This security group requires specific inbound and outbound rules.
*
* See for more details:
* https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html
*
* Note: The `nodeSecurityGroup` option and the cluster option`nodeSecurityGroupTags` are mutually exclusive.
*/
nodeSecurityGroup?: pulumiAws.ec2.SecurityGroup;
/**
* The ID of the security group for the worker node group to communicate with the cluster.
*
* This security group requires specific inbound and outbound rules.
*
* See for more details:
* https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html
*
* Note: The `nodeSecurityGroupId` option and the cluster option `nodeSecurityGroupTags` are mutually exclusive.
*/
nodeSecurityGroupId?: string;
/**
* The set of subnets to override and use for the worker node group.
*
* Setting this option overrides which subnets to use for the worker node group, regardless if the cluster's `subnetIds` is set, or if `publicSubnetIds` and/or `privateSubnetIds` were set.
*/
nodeSubnetIds?: string[];
/**
* Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a `#!`).
*/
nodeUserData?: string;
/**
* User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).
*
* See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html
*/
nodeUserDataOverride?: string;
/**
* Extra nodeadm configuration sections to be added to the nodeadm user data. This can be shell scripts, nodeadm NodeConfig or any other user data compatible script. When configuring additional nodeadm NodeConfig sections, they'll be merged with the base settings the provider sets. You can overwrite base settings or provide additional settings this way.
* The base settings the provider sets are:
* - cluster.name
* - cluster.apiServerEndpoint
* - cluster.certificateAuthority
* - cluster.cidr
*
* Note: This is only applicable when using AL2023.
* See for more details:
* - https://awslabs.github.io/amazon-eks-ami/nodeadm/
* - https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/
*/
nodeadmExtraOptions?: outputs.NodeadmOptions[];
/**
* The type of OS to use for the node group. Will be used to determine the right EKS optimized AMI to use based on the instance types and gpu configuration.
* Valid values are `RECOMMENDED`, `AL2`, `AL2023` and `Bottlerocket`.
*
* Defaults to the current recommended OS.
*/
operatingSystem?: enums.OperatingSystem;
/**
* Bidding price for spot instance. If set, only spot instances will be added as worker node.
*/
spotPrice?: string;
/**
* Custom k8s node taints to be attached to each worker node. Adds the given taints to the `--register-with-taints` kubelet argument
*/
taints?: {
[key: string]: outputs.Taint;
};
/**
* Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
*/
version?: string;
}
/**
* Defines the core set of data associated with an EKS cluster, including the network in which it runs.
*/
export interface CoreData {
/**
* The access entries added to the cluster.
*/
accessEntries?: outputs.AccessEntry[];
awsProvider?: pulumiAws.Provider;
cluster: pulumiAws.eks.Cluster;
/**
* The IAM Role attached to the EKS Cluster
*/
clusterIamRole: pulumiAws.iam.Role;
clusterSecurityGroup?: pulumiAws.ec2.SecurityGroup;
eksNodeAccess?: pulumiKubernetes.core.v1.ConfigMap;
encryptionConfig?: pulumiAws.types.output.eks.ClusterEncryptionConfig;
/**
* The EKS cluster's Kubernetes API server endpoint.
*/
endpoint: string;
/**
* The Fargate profile used to manage which pods run on Fargate.
*/
fargateProfile?: pulumiAws.eks.FargateProfile;
/**
* The IAM instance roles for the cluster's nodes.
*/
instanceRoles: pulumiAws.iam.Role[];
/**
* The kubeconfig file for the cluster.
*/
kubeconfig?: any;
/**
* The cluster's node group options.
*/
nodeGroupOptions: outputs.ClusterNodeGroupOptions;
/**
* Tags attached to the security groups associated with the cluster's worker nodes.
*/
nodeSecurityGroupTags?: {
[key: string]: string;
};
oidcProvider?: pulumiAws.iam.OpenIdConnectProvider;
/**
* List of subnet IDs for the private subnets.
*/
privateSubnetIds?: string[];
provider: pulumiKubernetes.Provider;
/**
* List of subnet IDs for the public subnets.
*/
publicSubnetIds?: string[];
/**
* The storage class used for persistent storage by the cluster.
*/
storageClasses?: {
[key: string]: pulumiKubernetes.storage.v1.StorageClass;
};
/**
* List of subnet IDs for the EKS cluster.
*/
subnetIds: string[];
/**
* A map of tags assigned to the EKS cluster.
*/
tags?: {
[key: string]: string;
};
/**
* The VPC CNI for the cluster.
*/
vpcCni?: VpcCniAddon;
/**
* ID of the cluster's VPC.
*/
vpcId: string;
}
/**
* NodeGroupData describes the resources created for the given NodeGroup.
*/
export interface NodeGroupData {
/**
* The AutoScalingGroup for the node group.
*/
autoScalingGroup: pulumiAws.autoscaling.Group;
/**
* The additional security groups for the node group that captures user-specific rules.
*/
extraNodeSecurityGroups: pulumiAws.ec2.SecurityGroup[];
/**
* The security group for the node group to communicate with the cluster.
*/
nodeSecurityGroup: pulumiAws.ec2.SecurityGroup;
}
/**
* MIME document parts for nodeadm configuration. This can be shell scripts, nodeadm configuration or any other user data compatible script.
*
* See for more details: https://awslabs.github.io/amazon-eks-ami/nodeadm/.
*/
export interface NodeadmOptions {
/**
* The actual content of the MIME document part, such as shell script code or nodeadm configuration. Must be compatible with the specified contentType.
*/
content: string;
/**
* The MIME type of the content. Examples are `text/x-shellscript; charset="us-ascii"` for shell scripts, and `application/node.eks.aws` nodeadm configuration.
*/
contentType: string;
}
/**
* Represents a Kubernetes `taint` to apply to all Nodes in a NodeGroup. See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/.
*/
export interface Taint {
/**
* The effect of the taint.
*/
effect: string;
/**
* The value of the taint.
*/
value: string;
}