Skip to content

nuonco/aws-eks-sandbox

BranchesTags

Repository files navigation

Nuon AWS EKS Sandbox

Turnkey AWS EKS sandbox for Nuon apps.

Requirements

Name Version
terraform >= 1.7.5
aws = 5.94.1
helm = 2.17.0
kubectl = 1.19
kubernetes = 2.36.0

Providers

Name Version
aws 5.94.1
helm.main 2.17.0
kubectl.main 1.19.0

Modules

Name Source Version
additional_irsa terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks ~> 5.0
additional_subnet_tags ./subnet_tags n/a
ebs_csi_irsa terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks ~> 5.0
ecr terraform-aws-modules/ecr/aws >= 2.4.0
eks terraform-aws-modules/eks/aws ~> 20.35.0
nuon_dns ./nuon_dns n/a

Resources

Name Type
aws_iam_policy.ecr_access resource
aws_iam_role_policy_attachment.ecr_access_deprovision resource
aws_iam_role_policy_attachment.ecr_access_maintenance resource
aws_iam_role_policy_attachment.ecr_access_provision resource
aws_kms_key.eks resource
aws_security_group_rule.runner_cluster_access resource
helm_release.ebs_csi resource
helm_release.kyverno resource
helm_release.metrics_server resource
kubectl_manifest.default_policies resource
kubectl_manifest.maintenance resource
kubectl_manifest.maintenance_role_binding resource
kubectl_manifest.namespaces resource
kubectl_manifest.vendor_policies resource
aws_availability_zones.available data source
aws_caller_identity.current data source
aws_iam_policy_document.ecr data source
aws_security_group.default data source
aws_security_groups.runner data source
aws_subnet.private data source
aws_subnet.public data source
aws_subnet.runner data source
aws_subnets.private data source
aws_subnets.public data source
aws_subnets.runner data source
aws_vpc.vpc data source

Inputs

Name Description Type Default Required
additional_access_entry A single access entry. Useful when providing access to an additional role. map(any) {} no
additional_irsas List of additional IRSA accounts to create. 
list(object({
 role_name = string,
 namespace = string,
 service_account = string,
 }))
 [] no
additional_namespaces A list of namespaces that should be created on the cluster. The {{.nuon.install.id}} namespace is created by default. list(string) [] no
additional_tags Extra tags to append to the default tags that will be added to install resources. map(any) {} no
cluster_name The name of the EKS cluster. If not provided, the install ID will be used by default. string "" no
cluster_version The Kubernetes version to use for the EKS cluster. string "1.32" no
default_instance_type The EC2 instance type to use for the EKS cluster's default node group. string "t3a.medium" no
deprovision_iam_role_arn The deprovision IAM Role ARN string n/a yes
deprovision_role_eks_access_entry_policy_associations EKS Cluster Access Entry Policy Associations for deprovision role. map(any) 
{
 "cluster_admin": {
 "access_scope": {
 "type": "cluster"
 },
 "policy_arn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
 },
 "eks_admin": {
 "access_scope": {
 "type": "cluster"
 },
 "policy_arn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy"
 }
}
 no
deprovision_role_eks_kubernetes_groups List of Kubernetes Groups to add this role to. The deprovision role is assigned to a deprovision group automatically. These are additional groups. list(any) [] no
desired_size The desired number of nodes in the managed node group. number 3 no
enable_nuon_dns Whether or not the cluster should use a nuon-provided nuon.run domain. Controls the cert-manager-issuer and the route_53_zone. string "false" no
helm_driver One of 'configmap' or 'secret' string "secret" no
internal_root_domain The internal root domain. string n/a yes
kyverno_policy_dir Path to a directory with kyverno policy manifests. string "./kyverno-policies" no
maintenance_cluster_role_rules_override A list of rules for the ClusterRole definition for the maintenance group. If this value is provided, these rules will be used instead. 
list(object({
 apiGroups = list(string),
 resources = list(string),
 verbs = list(string),
 resourceNames = optional(list(string)),
 }))
 [] no
maintenance_iam_role_arn The provision IAM Role ARN string n/a yes
maintenance_role_eks_access_entry_policy_associations EKS Cluster Access Entry Policy Associations for maintenance role. Defaults to none meaning permissions are governed by eponymous RBAC group. map(any) {} no
maintenance_role_eks_kubernetes_groups List of Kubernetes Groups to add this role to. The maintenance role is assigned to a maintenance group automatically. These are additional groups. list(any) [] no
max_size The maximum number of nodes in the managed node group. number 5 no
min_size The minimum number of nodes in the managed node group. number 2 no
nuon_id The nuon id for this install. Used for naming purposes. string n/a yes
provision_iam_role_arn The maintenance IAM Role ARN string n/a yes
provision_role_eks_access_entry_policy_associations EKS Cluster Access Entry Policy Associations for provision role. map(any) 
{
 "cluster_admin": {
 "access_scope": {
 "type": "cluster"
 },
 "policy_arn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
 },
 "eks_admin": {
 "access_scope": {
 "type": "cluster"
 },
 "policy_arn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy"
 }
}
 no
provision_role_eks_kubernetes_groups List of Kubernetes Groups to add this role to. The provision role is assigned to a provision group automatically. These are additional groups. list(any) [] no
public_root_domain The public root domain. string n/a yes
region The region to launch the cluster in. string n/a yes
tags List of custom tags to add to the install resources. Used for taxonomic purposes. map(any) n/a yes
vpc_id The ID of the AWS VPC to provision the sandbox in. string n/a yes

Outputs

Name Description
account A map of AWS account attributes: id, region.
additional_irsa n/a
cluster A map of EKS cluster attributes: arn, certificate_authority_data, endpoint, name, platform_version, status, oidc_issuer_url, oidc_provider_arn, cluster_security_group_id, node_security_group_id.
ecr A map of ECR attributes: repository_url, repository_arn, repository_name, registry_id, registry_url.
namespaces A list of namespaces that were created by this module.
nuon_dns A map of Nuon DNS attributes: whether nuon.run has been enabled; AWS Route 53 details for the public_domain and internal_domain; metadata bout the helm charts the module installs on.
vpc A map of vpc attributes: name, id, cidr, azs, private_subnet_cidr_blocks, private_subnet_ids, public_subnet_cidr_blocks, public_subnet_ids, default_security_group_id.

Default Helm Charts

  1. EBS CSI
  2. Metrics Server
  3. Kyverno

[Optional] Nuon DNS

Nuon offers the option to provision complementary nuon.run domains for ease of use. To enable the nuon dns, set enable_nuon_dns to true or 1.

Note: The domain names are provided by Nuon automatically and cannot be customized.

Resources

When Nuon DNS is enabled, the following Helm Charts are installed.

Chart Version
alb-ingress-controller 1.12.0
cert-manager 1.11.0
external-dns 1.12.0
ingress-nginx 4.12.1

And the following AWS Resources will be created.

  • Route 53 Zone

Additionally, some default internal and public cert issuers (cert-manager) are created.

About

AWS EKS sandbox for Nuon apps.

Topics

managed-by-terraform

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

1 star

Watchers

3 watching

Forks

1 fork
Report repository

Releases 1

initial release Latest
Apr 16, 2025

Packages

No packages published

Contributors 5

Languages