v21.0.0

21.0.0 (2025-07-23)

⚠ BREAKING CHANGES

• Upgrade min AWS provider and Terraform versions to 6.0 and 1.5.7 respectively (#3412)

List of backwards incompatible changes

See the UPGRADE-21.0.md for further details.

• Terraform v1.5.7 is now minimum supported version
• AWS provider v6.0.0 is now minimum supported version
• TLS provider v4.0.0 is now minimum supported version
• The aws-auth sub-module has been removed. Users who wish to utilize its functionality can continue to do so by specifying a v20.x version, or ~> v20.0 version constraint in their module source.
• bootstrap_self_managed_addons is now hardcoded to false. This is a legacy setting and instead users should utilize the EKS addons API, which is what this module does by default. In conjunction with this change, the bootstrap_self_managed_addons is now ignored by the module to aid in upgrading without disruption (otherwise it would require cluster re-creation).
• When enabling enable_efa_support or creating placement groups within a node group, users must now specify the correct subnet_ids; the module no longer tries to automatically select a suitable subnet.
• EKS managed node group:
  • IMDS now default to a hop limit of 1 (previously was 2)
  • ami_type now defaults to AL2023_x86_64_STANDARD
  • enable_monitoring is now set to false by default
  • enable_efa_only is now set to true by default
  • use_latest_ami_release_version is now set to true by default
  • Support for autoscaling group schedules has been removed
• Self-managed node group:
  • IMDS now default to a hop limit of 1 (previously was 2)
  • ami_type now defaults to AL2023_x86_64_STANDARD
  • enable_monitoring is now set to false by default
  • enable_efa_only is now set to true by default
  • Support for autoscaling group schedules has been removed
• Karpenter:
  • Native support for IAM roles for service accounts (IRSA) has been removed; EKS Pod Identity is now enabled by default
  • Karpenter controller policy for prior to Karpenter v1 have been removed (i.e. v0.33); the v1 policy is now used by default
  • create_pod_identity_association is now set to true by default
• addons.resolve_conflicts_on_create is now set to "NONE" by default (was "OVERWRITE").
• addons.most_recent is now set to true by default (was false).
• cluster_identity_providers.issuer_url is now required to be set by users; the prior incorrect default has been removed. See #3055 and kubernetes/kubernetes#123561 for more details.
• The OIDC issuer URL for IAM roles for service accounts (IRSA) has been changed to use the new dual stackoidc-eks endpoint instead of oidc.eks. This is to align with aws/containers-roadmap#2038 (comment)

Additional changes

Added

• Support for region parameter to specify the AWS region for the resources created if different from the provider region.
• Both the EKS managed and self-managed node groups now support creating their own security groups (again). This is primarily motivated by the changes for EFA support; previously users would need to specify enable_efa_support both at the cluster level (to add the appropriate security group rules to the shared node security group) as well as the node group level. However, its not always desirable to have these rules across ALL node groups when they are really only required on the node group where EFA is utilized. And similarly for other use cases, users can create custom rules for a specific node group instead of apply across ALL node groups.

Modified

• Variable definitions now contain detailed object types in place of the previously used any type.
• The embedded KMS key module definition has been updated to v4.0 to support the same version requirements as well as the new region argument.

Variable and output changes

1. Removed variables:

   • enable_efa_support - users only need to set this within the node group configuration, as the module no longer manages EFA support at the cluster level.
   • enable_security_groups_for_pods - users can instead attach the arn:aws:iam::aws:policy/AmazonEKSVPCResourceController policy via iam_role_additional_policies if using security groups for pods.
   • eks-managed-node-group sub-module
     • cluster_service_ipv4_cidr - users should use cluster_service_cidr instead (for either IPv4 or IPv6).
     • elastic_gpu_specifications
     • elastic_inference_accelerator
     • platform - this is superseded by ami_type
     • placement_group_strategy - set to cluster by the module
     • placement_group_az - users will need to specify the correct subnet in subnet_ids
     • create_schedule
     • schedules
   • self-managed-node-group sub-module
     • elastic_gpu_specifications
     • elastic_inference_accelerator
     • platform - this is superseded by ami_type
     • create_schedule
     • schedules
     • placement_group_az - users will need to specify the correct subnet in subnet_ids
     • hibernation_options - not valid in EKS
     • min_elb_capacity - not valid in EKS
     • wait_for_elb_capacity - not valid in EKS
     • wait_for_capacity_timeout - not valid in EKS
     • default_cooldown - not valid in EKS
     • target_group_arns - not valid in EKS
     • service_linked_role_arn - not valid in EKS
     • warm_pool - not valid in EKS
   • fargate-profile sub-module
     • None
   • karpenter sub-module
     • enable_v1_permissions - v1 permissions are now the default
     • enable_irsa
     • irsa_oidc_provider_arn
     • irsa_namespace_service_accounts
     • irsa_assume_role_condition_test

2. Renamed variables:

   • Variables prefixed with cluster_* have been stripped of the prefix to better match the underlying API:
     • cluster_name -> name
     • cluster_version -> kubernetes_version
     • cluster_enabled_log_types -> enabled_log_types
     • cluster_force_update_version -> force_update_version
     • cluster_compute_config -> compute_config
     • cluster_upgrade_policy -> upgrade_policy
     • cluster_remote_network_config -> remote_network_config
     • cluster_zonal_shift_config -> zonal_shift_config
     • cluster_additional_security_group_ids -> additional_security_group_ids
     • cluster_endpoint_private_access -> endpoint_private_access
     • cluster_endpoint_public_access -> endpoint_public_access
     • cluster_endpoint_public_access_cidrs -> endpoint_public_access_cidrs
     • cluster_ip_family -> ip_family
     • cluster_service_ipv4_cidr -> service_ipv4_cidr
     • cluster_service_ipv6_cidr -> service_ipv6_cidr
     • cluster_encryption_config -> encryption_config
     • create_cluster_primary_security_group_tags -> create_primary_security_group_tags
     • cluster_timeouts -> timeouts
     • create_cluster_security_group -> create_security_group
     • cluster_security_group_id -> security_group_id
     • cluster_security_group_name -> security_group_name
     • cluster_security_group_use_name_prefix -> security_group_use_name_prefix
     • cluster_security_group_description -> security_group_description
     • cluster_security_group_additional_rules -> security_group_additional_rules
     • cluster_security_group_tags -> security_group_tags
     • cluster_encryption_policy_use_name_prefix -> encryption_policy_use_name_prefix
     • cluster_encryption_policy_name -> encryption_policy_name
     • cluster_encryption_policy_description -> encryption_policy_description
     • cluster_encryption_policy_path -> encryption_policy_path
     • cluster_encryption_policy_tags -> encryption_policy_tags
     • cluster_addons -> addons
     • cluster_addons_timeouts -> addons_timeouts
     • cluster_identity_providers -> identity_providers
   • eks-managed-node-group sub-module
     • cluster_version -> kubernetes_version
   • self-managed-node-group sub-module
     • cluster_version -> kubernetes_version
     • delete_timeout -> timeouts
   • fargate-profile sub-module
     • None
   • karpenter sub-module
     • None

3. Added variables:

   • region
   • eks-managed-node-group sub-module
     • region
     • partition - added to reduce number of GET requests from data sources when possible
     • account_id - added to reduce number of GET requests from data sources when possible
     • create_security_group
     • security_group_name
     • security_group_use_name_prefix
     • security_group_description
     • security_group_ingress_rules
     • security_group_egress_rules
     • security_group_tags
   • self-managed-node-group sub-module
     • region
     • partition - added to reduce number of GET requests from data sources when possible
     • account_id - added to reduce number of GET requests from data sources when possible
     • create_security_group
     • security_group_name
     • security_group_use_name_prefix
     • security_group_description
     • security_group_ingress_rules
     • security_group_egress_rules...

v20.37.2

20.37.2 (2025-07-17)

Bug Fixes

• Allow for both amazonaws.com.cn and amazonaws.com conditions in PassRole as required for AWS CN (#3422) (83b68fd)

v20.37.1

20.37.1 (2025-06-18)

Bug Fixes

• Restrict AWS provider max version due to v6 provider breaking changes (#3384) (681a868)

v20.37.0

20.37.0 (2025-06-09)

Features

• Add AL2023 ARM64 NVIDIA variants (#3369) (715d42b)

v20.36.1

20.36.1 (2025-06-09)

Bug Fixes

• Ensure additional_cluster_dns_ips is passed through from root module (#3376) (7a83b1b)

v20.36.0

20.36.0 (2025-04-18)

Features

• Add support for cluster force_update_version (#3345) (207d73f)

v20.35.0

20.35.0 (2025-03-29)

Features

• Default to not changing autoscaling schedule values at the scheduled time (#3322) (abf76f6)

v20.34.0

20.34.0 (2025-03-07)

Features

• Add capacity reservation permissions to Karpenter IAM policy (#3318) (770ee99)

v20.33.1

20.33.1 (2025-01-22)

Bug Fixes

• Allow "EC2" access entry type for EKS Auto Mode custom node pools (#3281) (3e2ea83)

v20.33.0

20.33.0 (2025-01-17)

Features

• Add node repair config to managed node group (#3271) (edd7ef3), closes terraform-aws-modules/terraform-aws-eks#3249