nuonco/aws-eks-karpenter-sandbox

Nuon AWS EKS Sandbox + Karpenter

Turnkey AWS EKS Karpenter sandbox for Nuon apps.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.7.5 |
| aws | = 5.94.1 |
| helm | = 2.17.0 |
| kubectl | = 1.19 |
| kubernetes | = 2.36.0 |

Providers

| Name | Version |
|------|---------|
| aws | = 5.94.1 |
| helm.main | = 2.17.0 |
| kubectl.main | = 1.19 |

Modules

| Name | Source | Version |
|------|--------|---------|
| additional_irsa | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.0 |
| additional_subnet_tags | ./subnet_tags | n/a |
| ebs_csi_irsa | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.0 |
| ecr | terraform-aws-modules/ecr/aws | >= 2.4.0 |
| eks | terraform-aws-modules/eks/aws | ~> 20.35.0 |
| karpenter | terraform-aws-modules/eks/aws//modules/karpenter | 20.33.1 |
| nuon_dns | ./nuon_dns | n/a |

Resources

| Name | Type |
|------|------|
| aws_ec2_tag.private_subnets_karpenter_tags | resource |
| aws_iam_instance_profile.karpenter | resource |
| aws_iam_policy.ecr_access | resource |
| aws_iam_role_policy_attachment.ecr_access_deprovision | resource |
| aws_iam_role_policy_attachment.ecr_access_maintenance | resource |
| aws_iam_role_policy_attachment.ecr_access_provision | resource |
| aws_kms_key.eks | resource |
| aws_security_group_rule.runner_cluster_access | resource |
| helm_release.ebs_csi | resource |
| helm_release.karpenter | resource |
| helm_release.karpenter_crd | resource |
| helm_release.kyverno | resource |
| helm_release.metrics_server | resource |
| kubectl_manifest.default_policies | resource |
| kubectl_manifest.karpenter_ec2nodeclass_default | resource |
| kubectl_manifest.karpenter_nodepool_default | resource |
| kubectl_manifest.maintenance | resource |
| kubectl_manifest.maintenance_role_binding | resource |
| kubectl_manifest.namespaces | resource |
| kubectl_manifest.vendor_policies | resource |
| aws_availability_zones.available | data source |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.ecr | data source |
| aws_security_group.default | data source |
| aws_security_groups.runner | data source |
| aws_subnet.private | data source |
| aws_subnet.public | data source |
| aws_subnet.runner | data source |
| aws_subnets.private | data source |
| aws_subnets.public | data source |
| aws_subnets.runner | data source |
| aws_vpc.vpc | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| additional_access_entry | A single access entry. Useful when providing access to an additional role. | map(any) | {} | no |
| additional_irsas | List of additional IRSA accounts to create. | list(object({ role_name = string, namespace = string, service_account = string })) | [] | no |
| additional_namespaces | A list of namespaces that should be created on the cluster. The {{.nuon.install.id}} namespace is created by default. | list(string) | [] | no |
| additional_tags | Extra tags to append to the default tags that will be added to install resources. | map(any) | {} | no |
| cluster_name | The name of the EKS cluster. If not provided, the install ID will be used by default. | string | "" | no |
| cluster_version | The Kubernetes version to use for the EKS cluster. | string | "1.32" | no |
| default_instance_type | The EC2 instance type to use for the EKS cluster's default node group. | string | "t3a.medium" | no |
| deprovision_iam_role_arn | The deprovision IAM Role ARN. | string | n/a | yes |
| deprovision_role_eks_access_entry_policy_associations | EKS Cluster Access Entry Policy Associations for the deprovision role. | map(any) | { "cluster_admin": { "access_scope": { "type": "cluster" }, "policy_arn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" }, "eks_admin": { "access_scope": { "type": "cluster" }, "policy_arn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy" } } | no |
| deprovision_role_eks_kubernetes_groups | List of Kubernetes groups to add this role to. The deprovision role is assigned to a deprovision group automatically; these are additional groups. | list(any) | [] | no |
| desired_size | The desired number of nodes in the managed node group. | number | 3 | no |
| enable_nuon_dns | Whether or not the cluster should use a Nuon-provided nuon.run domain. Controls the cert-manager-issuer and the route_53_zone. | string | "false" | no |
| helm_driver | One of 'configmap' or 'secret'. | string | "secret" | no |
| internal_root_domain | The internal root domain. | string | n/a | yes |
| karpenter_default_nodeclass_ami_selector_terms | If specified, overrides the included default nodeclass AMI selector terms. | any | null | no |
| karpenter_default_nodepool_spec | If specified, overrides the included default nodepool spec. | any | null | no |
| karpenter_replica_count | The number of replicas for the Karpenter controller. | number | 2 | no |
| kyverno_policy_dir | Path to a directory with Kyverno policy manifests. | string | "./kyverno-policies" | no |
| maintenance_cluster_role_rules_override | A list of rules for the ClusterRole definition for the maintenance group. If this value is provided, these rules are used instead of the default ones. | list(object({ apiGroups = list(string), resources = list(string), verbs = list(string), resourceNames = optional(list(string)) })) | [] | no |
| maintenance_iam_role_arn | The maintenance IAM Role ARN. | string | n/a | yes |
| maintenance_role_eks_access_entry_policy_associations | EKS Cluster Access Entry Policy Associations for the maintenance role. Defaults to none, meaning permissions are governed by the eponymous RBAC group. | map(any) | {} | no |
| maintenance_role_eks_kubernetes_groups | List of Kubernetes groups to add this role to. The maintenance role is assigned to a maintenance group automatically; these are additional groups. | list(any) | [] | no |
| max_size | The maximum number of nodes in the managed node group. | number | 5 | no |
| min_size | The minimum number of nodes in the managed node group. | number | 2 | no |
| nuon_id | The Nuon ID for this install. Used for naming purposes. | string | n/a | yes |
| provision_iam_role_arn | The provision IAM Role ARN. | string | n/a | yes |
| provision_role_eks_access_entry_policy_associations | EKS Cluster Access Entry Policy Associations for the provision role. | map(any) | { "cluster_admin": { "access_scope": { "type": "cluster" }, "policy_arn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" }, "eks_admin": { "access_scope": { "type": "cluster" }, "policy_arn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy" } } | no |
| provision_role_eks_kubernetes_groups | List of Kubernetes groups to add this role to. The provision role is assigned to a provision group automatically; these are additional groups. | list(any) | [] | no |
| public_root_domain | The public root domain. | string | n/a | yes |
| region | The region to launch the cluster in. | string | n/a | yes |
| tags | List of custom tags to add to the install resources. Used for taxonomic purposes. | map(any) | n/a | yes |
| vpc_id | The ID of the AWS VPC to provision the sandbox in. | string | n/a | yes |
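The inputs above are easier to reason about in a concrete root module. The following is an added example, not code from the repository: it calls the sandbox module and keeps the maintenance role on the least-privilege path the inputs allow. The module source address, account ID, VPC ID, role ARNs and namespace names are placeholders.

```hcl
# Added example, not code from the repository: a root module invoking the
# sandbox. Source address, account ID, VPC ID and role ARNs are placeholders.
module "eks_sandbox" {
  source = "github.com/nuonco/aws-eks-karpenter-sandbox" # assumed address

  nuon_id = "install-example"       # constructed sample install ID
  region  = "us-west-2"
  vpc_id  = "vpc-0123456789abcdef0" # placeholder
  tags    = { environment = "sandbox", owner = "platform" }

  internal_root_domain = "internal.example.com"
  public_root_domain   = "example.com"

  # Placeholder ARNs. Provision and deprovision keep the module's default
  # cluster-admin access entries, so control who may assume those roles.
  provision_iam_role_arn   = "arn:aws:iam::123456789012:role/nuon-provision"
  deprovision_iam_role_arn = "arn:aws:iam::123456789012:role/nuon-deprovision"
  maintenance_iam_role_arn = "arn:aws:iam::123456789012:role/nuon-maintenance"

  # Leave the maintenance role without an access entry policy (the default),
  # so its rights come only from the maintenance RBAC group's ClusterRole...
  maintenance_role_eks_access_entry_policy_associations = {}

  # ...and pin that ClusterRole to read-only inspection plus deployment
  # patching, instead of the rules the module ships by default.
  maintenance_cluster_role_rules_override = [
    {
      apiGroups = [""]
      resources = ["pods", "pods/log", "services", "events"]
      verbs     = ["get", "list", "watch"]
    },
    {
      apiGroups = ["apps"]
      resources = ["deployments", "statefulsets"]
      verbs     = ["get", "list", "watch", "patch"]
    },
  ]

  # Create the workload namespace and an IRSA role bound to one service
  # account in it, rather than sharing node credentials with the workload.
  additional_namespaces = ["reporting"]
  additional_irsas = [
    { role_name = "reporting-app", namespace = "reporting", service_account = "reporter" },
  ]
}

# The "cluster" output is a map (see Outputs), so its keys can be read directly.
output "cluster_endpoint" {
  value = module.eks_sandbox.cluster.endpoint
}
```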

Outputs

| Name | Description |
|------|-------------|
| account | A map of AWS account attributes: id, region. |
| additional_irsa | n/a |
| cluster | A map of EKS cluster attributes: arn, certificate_authority_data, endpoint, name, platform_version, status, oidc_issuer_url, oidc_provider_arn, cluster_security_group_id, node_security_group_id. |
| ecr | A map of ECR attributes: repository_url, repository_arn, repository_name, registry_id, registry_url. |
| karpenter | n/a |
| namespaces | A list of namespaces that were created by this module. |
| nuon_dns | A map of Nuon DNS attributes: whether nuon.run has been enabled; AWS Route 53 details for the public_domain and internal_domain; metadata about the Helm charts the module installs. |
| vpc | A map of VPC attributes: name, id, cidr, azs, private_subnet_cidr_blocks, private_subnet_ids, public_subnet_cidr_blocks, public_subnet_ids, default_security_group_id. |

Default Helm Charts

  1. EBS CSI
  2. Metrics Server
  3. Kyverno

[Optional] Nuon DNS

Nuon offers the option to provision complementary nuon.run domains for ease of use. To enable Nuon DNS, set enable_nuon_dns to true or 1.

Note: The domain names are provided by Nuon automatically and cannot be customized.

Resources

When Nuon DNS is enabled, the following Helm Charts are installed.

| Chart | Version |
|-------|---------|
| alb-ingress-controller | 1.12.0 |
| cert-manager | 1.11.0 |
| external-dns | 1.12.0 |
| ingress-nginx | 4.12.1 |

The following AWS resources are also created.

  • Route 53 Zone

Additionally, some default internal and public cert issuers (cert-manager) are created.
