Skip to content

feat!: Upgrade min AWS provider and Terraform versions to 6.0 and 1.5.7 respectively #3412

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 25 commits into
base: master
Choose a base branch
from
Open

feat!: Upgrade min AWS provider and Terraform versions to 6.0 and 1.5.7 respectively #3412

wants to merge 25 commits into from
+4,018 −3,315

Conversation

bryantbiggs
Copy link
Member

@bryantbiggs bryantbiggs commented Jul 9, 2025
edited
Loading

Description

List of backwards incompatible changes

  • Terraform v1.5.7 is now minimum supported version
  • AWS provider v6.0.0 is now minimum supported version
  • TLS provider v4.0.0 is now minimum supported version
  • The aws-auth sub-module has been removed. Users who wish to utilize its functionality can continue to do so by specifying a v20.x version, or ~> v20.0 version constraint in their module source.
  • bootstrap_self_managed_addons is now hardcoded to false. This is a legacy setting and instead users should utilize the EKS addons API, which is what this module does by default. In conjunction with this change, the bootstrap_self_managed_addons is now ignored by the module to aid in upgrading without disruption (otherwise it would require cluster re-creation).
  • When enabling enable_efa_support or creating placement groups within a node group, users must now specify the correct subnet_ids; the module no longer tries to automatically select a suitable subnet.
  • EKS managed node group:
    • IMDS now default to a hop limit of 1 (previously was 2)
    • ami_type now defaults to AL2023_x86_64_STANDARD
    • enable_monitoring is now set to false by default
    • enable_efa_only is now set to true by default
    • use_latest_ami_release_version is now set to true by default
    • Support for autoscaling group schedules has been removed
  • Self-managed node group:
    • IMDS now default to a hop limit of 1 (previously was 2)
    • ami_type now defaults to AL2023_x86_64_STANDARD
    • enable_monitoring is now set to false by default
    • enable_efa_only is now set to true by default
    • Support for autoscaling group schedules has been removed
  • Karpenter:
    • Native support for IAM roles for service accounts (IRSA) has been removed; EKS Pod Identity is now enabled by default
    • Karpenter controller policy for prior to Karpenter v1 have been removed (i.e. v0.33); the v1 policy is now used by default
    • create_pod_identity_association is now set to true by default
  • addons.resolve_conflicts_on_create is now set to "NONE" by default (was "OVERWRITE").
  • addons.most_recent is now set to true by default (was false).
  • cluster_identity_providers.issuer_url is now required to be set by users; the prior incorrect default has been removed. See feat: Starting with 1.30, do not use the cluster OIDC issuer URL by default in the identity provider config #3055 and Prevent conflicts between service account and jwt issuers kubernetes/kubernetes#123561 for more details.
  • The OIDC issuer URL for IAM roles for service accounts (IRSA) has been changed to use the new dual stackoidc-eks endpoint instead of oidc.eks. This is to align with [EKS] [request]: Support for OIDC endpoint with PrivateLink EKS VPC Endpoint aws/containers-roadmap#2038 (comment)

Additional changes

Added

  • Support for region parameter to specify the AWS region for the resources created if different from the provider region.
  • Both the EKS managed and self-managed node groups now support creating their own security groups (again). This is primarily motivated by the changes for EFA support; previously users would need to specify enable_efa_support both at the cluster level (to add the appropriate security group rules to the shared node security group) as well as the node group level. However, its not always desirable to have these rules across ALL node groups when they are really only required on the node group where EFA is utilized. And similarly for other use cases, users can create custom rules for a specific node group instead of apply across ALL node groups.

Modified

  • Variable definitions now contain detailed object types in place of the previously used any type.
  • The embedded KMS key module definition has been updated to v4.0 to support the same version requirements as well as the new region argument.

Variable and output changes

  1. Removed variables:

    • enable_efa_support - users only need to set this within the node group configuration, as the module no longer manages EFA support at the cluster level.
    • enable_security_groups_for_pods - users can instead attach the arn:aws:iam::aws:policy/AmazonEKSVPCResourceController policy via iam_role_additional_policies if using security groups for pods.
    • eks-managed-node-group sub-module
      • cluster_service_ipv4_cidr - users should use cluster_service_cidr instead (for either IPv4 or IPv6).
      • elastic_gpu_specifications
      • elastic_inference_accelerator
      • platform - this is superseded by ami_type
      • placement_group_strategy - set to cluster by the module
      • placement_group_az - users will need to specify the correct subnet in subnet_ids
      • create_schedule
      • schedules
    • self-managed-node-group sub-module
      • elastic_gpu_specifications
      • elastic_inference_accelerator
      • platform - this is superseded by ami_type
      • create_schedule
      • schedules
      • placement_group_az - users will need to specify the correct subnet in subnet_ids
      • hibernation_options - not valid in EKS
      • min_elb_capacity - not valid in EKS
      • wait_for_elb_capacity - not valid in EKS
      • wait_for_capacity_timeout - not valid in EKS
      • default_cooldown - not valid in EKS
      • target_group_arns - not valid in EKS
      • service_linked_role_arn - not valid in EKS
      • warm_pool - not valid in EKS
    • fargate-profile sub-module
      • None
    • karpenter sub-module
      • enable_v1_permissions - v1 permissions are now the default
      • enable_irsa
      • irsa_oidc_provider_arn
      • irsa_namespace_service_accounts
      • irsa_assume_role_condition_test

  2. Renamed variables:

    • Variables prefixed with cluster_* have been stripped of the prefix to better match the underlying API:
      • cluster_name -> name
      • cluster_version -> kubernetes_version
      • cluster_enabled_log_types -> enabled_log_types
      • cluster_force_update_version -> force_update_version
      • cluster_compute_config -> compute_config
      • cluster_upgrade_policy -> upgrade_policy
      • cluster_remote_network_config -> remote_network_config
      • cluster_zonal_shift_config -> zonal_shift_config
      • cluster_additional_security_group_ids -> additional_security_group_ids
      • cluster_endpoint_private_access -> endpoint_private_access
      • cluster_endpoint_public_access -> endpoint_public_access
      • cluster_endpoint_public_access_cidrs -> endpoint_public_access_cidrs
      • cluster_ip_family -> ip_family
      • cluster_service_ipv4_cidr -> service_ipv4_cidr
      • cluster_service_ipv6_cidr -> service_ipv6_cidr
      • cluster_encryption_config -> encryption_config
      • create_cluster_primary_security_group_tags -> create_primary_security_group_tags
      • cluster_timeouts -> timeouts
      • create_cluster_security_group -> create_security_group
      • cluster_security_group_id -> security_group_id
      • cluster_security_group_name -> security_group_name
      • cluster_security_group_use_name_prefix -> security_group_use_name_prefix
      • cluster_security_group_description -> security_group_description
      • cluster_security_group_additional_rules -> security_group_additional_rules
      • cluster_security_group_tags -> security_group_tags
      • cluster_encryption_policy_use_name_prefix -> encryption_policy_use_name_prefix
      • cluster_encryption_policy_name -> encryption_policy_name
      • cluster_encryption_policy_description -> encryption_policy_description
      • cluster_encryption_policy_path -> encryption_policy_path
      • cluster_encryption_policy_tags -> encryption_policy_tags
      • cluster_addons -> addons
      • cluster_addons_timeouts -> addons_timeouts
      • cluster_identity_providers -> identity_providers
    • eks-managed-node-group sub-module
      • cluster_version -> kubernetes_version
    • self-managed-node-group sub-module
      • cluster_version -> kubernetes_version
      • delete_timeout -> timeouts
    • fargate-profile sub-module
      • None
    • karpenter sub-module
      • None

  3. Added variables:

    • region
    • eks-managed-node-group sub-module
      • region
      • partition - added to reduce number of GET requests from data sources when possible
      • account_id - added to reduce number of GET requests from data sources when possible
      • create_security_group
      • security_group_name
      • security_group_use_name_prefix
      • security_group_description
      • security_group_ingress_rules
      • security_group_egress_rules
      • security_group_tags
    • self-managed-node-group sub-module
      • region
      • partition - added to reduce number of GET requests from data sources when possible
      • account_id - added to reduce number of GET requests from data sources when possible
      • create_security_group
      • security_group_name
      • security_group_use_name_prefix
      • security_group_description
      • security_group_ingress_rules
      • security_group_egress_rules
      • security_group_tags
    • fargate-profile sub-module
      • region
      • partition - added to reduce number of GET requests from data sources when possible
      • account_id - added to reduce number of GET requests from data sources when possible
    • karpenter sub-module
      • region

  4. Removed outputs:

    • eks-managed-node-group sub-module
      • platform - this is superseded by ami_type
      • autoscaling_group_schedule_arns
    • self-managed-node-group sub-module
      • platform - this is superseded by ami_type
      • autoscaling_group_schedule_arns
    • fargate-profile sub-module
      • None
    • karpenter sub-module
      • None

  5. Renamed outputs:

    • eks-managed-node-group sub-module
      • None
    • self-managed-node-group sub-module
      • None
    • fargate-profile sub-module
      • None
    • karpenter sub-module
      • None

  6. Added outputs:

    • eks-managed-node-group sub-module
      • security_group_arn
      • security_group_id
    • self-managed-node-group sub-module
      • security_group_arn
      • security_group_id
    • fargate-profile sub-module
      • None
    • karpenter sub-module
      • None

Motivation and Context

Breaking Changes

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request

@bryantbiggs
Copy link
Member Author

finding the variable optional attributes to be a bit challenging:

which is why this hasn't proceeded. once those are stabilized a bit, we can apply those learnings here and proceed

gecko655
gecko655 reviewed Jul 14, 2025
View reviewed changes
@gecko655 gecko655 mentioned this pull request Jul 14, 2025
Open
@sanderjochems-capgemini sanderjochems-capgemini mentioned this pull request Jul 15, 2025
Open
3 tasks
@bryantbiggs bryantbiggs mentioned this pull request Jul 15, 2025
Closed
@roncohen4
Copy link

@bryantbiggs Looking forward for this release, it's blocking me from upgrading AWS provider to 6.x
Any estimation for this to be done any time soon?

@bryantbiggs
Copy link
Member Author

it should land this week - we're just in the final testing/validation phase

bryantbiggs added 20 commits July 21, 2025 14:24
@bryantbiggs
feat!: Upgrade min AWS provider and Terraform versions to 6.0 and `…
7312108 
…1.5.7` respectively
@bryantbiggs
fix: Remove deprecated arguments in AWS v6.0 provider, upgrade Helm p…
43f810d 
…rovider to v3.0, bump VPC module to v6.0
@bryantbiggs
fix: Remove aws-auth sub-module
14a3561
@bryantbiggs
fix: Remove platform and cluster_service_ipv4_cidr variables from…
200d7fb 
… `user-data` sub-module
@bryantbiggs
fix: Resolve all marked todos that have been accumulated
7bee6c5
@bryantbiggs
fix: Set default http_put_response_hop_limit to 1
80d2273
@bryantbiggs
fix: Remove IRSA support from Karpenter sub-module
c3c6772
@bryantbiggs
fix: Avoid making GET requests from data sources unless absolutely ne…
2d79dc2 
…cessary
@bryantbiggs
feat: Add variable optional attribute definitions
200a712
@bryantbiggs
feat: Bump KMS key module version to latest, add remaining variable a…
eb26ecb 
…ttribute definitions
@bryantbiggs
fix: Remove cluster_ prefix from variable names to better match the…
20d9722 
… underlying API
@bryantbiggs
fix: Move all EFA logic to the nodegroup itself
96d79e5
@bryantbiggs
fix: Remove arguments that do not make sense in EKS
8bf26fa
@bryantbiggs
fix: Updates from plan validation
a28e9ae
@bryantbiggs
fix: Remove more self-managed node group attributes that are commonly…
f3df353 
… not used in EKS clusters
@bryantbiggs
fix: Remove data plane compute *_defaults variables that do not wor…
f34758e 
…k with variable optional attributes
@bryantbiggs
fix: Ignore changes to bootstrap_self_managed_addons to aid in upgrade
73762df
@bryantbiggs
feat: Add support for region argument on relevant resources
2fd94b7
@bryantbiggs
feat: Initial pass on upgrade guide
576c2cf
@bryantbiggs
fix: Updates from testing and validating EKS managed node group
e4c63d2
@bryantbiggs bryantbiggs changed the title feat!: Upgrade min AWS provider and Terraform versions to 6.0 and 1.5.7 respectively feat!: Upgrade min AWS provider and Terraform versions to 6.0 and 1.5.7 respectively Jul 21, 2025
@bryantbiggs bryantbiggs marked this pull request as ready for review July 21, 2025 22:10
@bryantbiggs bryantbiggs requested a review from antonbabenko July 21, 2025 22:10
zz-openai
zz-openai reviewed Jul 23, 2025
View reviewed changes
main.tf
node_role_arn = local.auto_mode_enabled && length(try(compute_config.value.node_pools, [])) > 0 ? try(compute_config.value.node_role_arn, aws_iam_role.eks_auto[0].arn, null) : null
enabled = compute_config.value.enabled
node_pools = compute_config.value.node_pools
node_role_arn = compute_config.value.node_pools != null ? try(compute_config.value.node_role_arn, aws_iam_role.eks_auto[0].arn, null) : null
Copy link

@zz-openai zz-openai Jul 23, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

getting some errors

"compute_config" = {
      "enabled" = true
      "node_pools" = tolist([
        "general-purpose",
      ])
      "node_role_arn" = tostring(null)
    }

and the try block get fake passed and then resolves to null. maybe its caused by the new type definition?

antonbabenko
antonbabenko approved these changes Jul 23, 2025
View reviewed changes
Copy link
Member

@antonbabenko antonbabenko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor question, and looks great! 👍

modules/fargate-profile/variables.tf
@@ -88,12 +108,33 @@ variable "create_iam_role_policy" {
description = "Determines whether an IAM role policy is created or not"
type = bool
default = true
nullable = false
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we really need nullable here? We don't have it in many variables.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gecko655 gecko655 gecko655 left review comments

@zz-openai zz-openai zz-openai left review comments

@antonbabenko antonbabenko antonbabenko approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
5 participants
@bryantbiggs @roncohen4 @antonbabenko @gecko655 @zz-openai