aws.eks.Cluster
Manages an EKS Cluster.
Example Usage
Basic Usage
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Creates an EKS cluster and returns its API endpoint and certificate
// authority data as stack outputs.
export = async () => {
    const example = new aws.eks.Cluster("example", {
        name: "example",
        roleArn: exampleAwsIamRole.arn,
        // Only subnetIds is set; endpoint access options are not specified here.
        // NOTE(review): EKS exposes a public API endpoint by default - confirm, and
        // restrict it (endpointPublicAccess / publicAccessCidrs) if that is not intended.
        vpcConfig: {
            subnetIds: [
                example1.id,
                example2.id,
            ],
        },
    }, {
        // Create the cluster only after both IAM role policy attachments exist.
        dependsOn: [
            example_AmazonEKSClusterPolicy,
            example_AmazonEKSVPCResourceController,
        ],
    });
    return {
        endpoint: example.endpoint,
        // Presumably the value a kubeconfig's certificate-authority-data field expects.
        "kubeconfig-certificate-authority-data": example.certificateAuthority.apply(certificateAuthority => certificateAuthority.data),
    };
}
import pulumi
import pulumi_aws as aws
# Creates an EKS cluster and exports its API endpoint and certificate authority data.
example = aws.eks.Cluster("example",
    name="example",
    role_arn=example_aws_iam_role["arn"],
    # Only subnetIds is set; endpoint access options are not specified here.
    # NOTE(review): EKS exposes a public API endpoint by default - confirm, and
    # restrict it (endpointPublicAccess / publicAccessCidrs) if that is not intended.
    vpc_config={
        "subnetIds": [
            example1["id"],
            example2["id"],
        ],
    },
    # Create the cluster only after both IAM role policy attachments exist.
    opts = pulumi.ResourceOptions(depends_on=[
        example__amazon_eks_cluster_policy,
        example__amazon_eksvpc_resource_controller,
    ]))
pulumi.export("endpoint", example.endpoint)
# Presumably the value a kubeconfig's certificate-authority-data field expects.
pulumi.export("kubeconfig-certificate-authority-data", example.certificate_authority.data)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/eks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main creates an EKS cluster and exports its API endpoint and certificate
// authority data as stack outputs.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		example, err := eks.NewCluster(ctx, "example", &eks.ClusterArgs{
			Name:    pulumi.String("example"),
			RoleArn: pulumi.Any(exampleAwsIamRole.Arn),
			// Only SubnetIds is set; endpoint access options are not specified here.
			// NOTE(review): EKS exposes a public API endpoint by default - confirm, and
			// restrict it (EndpointPublicAccess / PublicAccessCidrs) if that is not intended.
			VpcConfig: &eks.ClusterVpcConfigArgs{
				SubnetIds: pulumi.StringArray{
					example1.Id,
					example2.Id,
				},
			},
			// Create the cluster only after both IAM role policy attachments exist.
		}, pulumi.DependsOn([]pulumi.Resource{
			example_AmazonEKSClusterPolicy,
			example_AmazonEKSVPCResourceController,
		}))
		if err != nil {
			return err
		}
		ctx.Export("endpoint", example.Endpoint)
		// Presumably the value a kubeconfig's certificate-authority-data field expects.
		ctx.Export("kubeconfig-certificate-authority-data", example.CertificateAuthority.ApplyT(func(certificateAuthority eks.ClusterCertificateAuthority) (*string, error) {
			return &certificateAuthority.Data, nil
		}).(pulumi.StringPtrOutput))
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
// Creates an EKS cluster and returns its API endpoint and certificate
// authority data as stack outputs.
return await Deployment.RunAsync(() =>
{
    var example = new Aws.Eks.Cluster("example", new()
    {
        Name = "example",
        RoleArn = exampleAwsIamRole.Arn,
        // Only SubnetIds is set; endpoint access options are not specified here.
        // NOTE(review): EKS exposes a public API endpoint by default - confirm, and
        // restrict it (EndpointPublicAccess / PublicAccessCidrs) if that is not intended.
        VpcConfig = new Aws.Eks.Inputs.ClusterVpcConfigArgs
        {
            SubnetIds = new[]
            {
                example1.Id,
                example2.Id,
            },
        },
    }, new CustomResourceOptions
    {
        // Create the cluster only after both IAM role policy attachments exist.
        DependsOn =
        {
            example_AmazonEKSClusterPolicy,
            example_AmazonEKSVPCResourceController,
        },
    });
    return new Dictionary<string, object?>
    {
        ["endpoint"] = example.Endpoint,
        // Presumably the value a kubeconfig's certificate-authority-data field expects.
        ["kubeconfig-certificate-authority-data"] = example.CertificateAuthority.Apply(certificateAuthority => certificateAuthority.Data),
    };
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.eks.Cluster;
import com.pulumi.aws.eks.ClusterArgs;
import com.pulumi.aws.eks.inputs.ClusterVpcConfigArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Creates an EKS cluster and exports its API endpoint and certificate
 * authority data as stack outputs.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        // Only subnetIds is set; endpoint access options are not specified here.
        // NOTE(review): EKS exposes a public API endpoint by default - confirm, and
        // restrict it (endpointPublicAccess / publicAccessCidrs) if that is not intended.
        var example = new Cluster("example", ClusterArgs.builder()
            .name("example")
            .roleArn(exampleAwsIamRole.arn())
            .vpcConfig(ClusterVpcConfigArgs.builder()
                .subnetIds(
                    example1.id(),
                    example2.id())
                .build())
            // dependsOn: create the cluster only after both IAM role policy attachments exist.
            .build(), CustomResourceOptions.builder()
                .dependsOn(
                    example_AmazonEKSClusterPolicy,
                    example_AmazonEKSVPCResourceController)
                .build());
        ctx.export("endpoint", example.endpoint());
        // Presumably the value a kubeconfig's certificate-authority-data field expects.
        ctx.export("kubeconfig-certificate-authority-data", example.certificateAuthority().applyValue(certificateAuthority -> certificateAuthority.data()));
    }
}
# Creates an EKS cluster and exports its API endpoint and certificate authority data.
resources:
  example:
    type: aws:eks:Cluster
    properties:
      name: example
      roleArn: ${exampleAwsIamRole.arn}
      # Only subnetIds is set; endpoint access options are not specified here.
      # NOTE(review): EKS exposes a public API endpoint by default - confirm, and
      # restrict it (endpointPublicAccess / publicAccessCidrs) if that is not intended.
      vpcConfig:
        subnetIds:
          - ${example1.id}
          - ${example2.id}
    options:
      # Create the cluster only after both IAM role policy attachments exist.
      dependson:
        - ${["example-AmazonEKSClusterPolicy"]}
        - ${["example-AmazonEKSVPCResourceController"]}
outputs:
  endpoint: ${example.endpoint}
  # Presumably the value a kubeconfig's certificate-authority-data field expects.
  kubeconfig-certificate-authority-data: ${example.certificateAuthority.data}
Example IAM Role for EKS Cluster
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Trust policy: only the EKS service principal (eks.amazonaws.com) may assume
// the role, and only through sts:AssumeRole.
const assumeRole = aws.iam.getPolicyDocument({
    statements: [{
        effect: "Allow",
        principals: [{
            type: "Service",
            identifiers: ["eks.amazonaws.com"],
        }],
        actions: ["sts:AssumeRole"],
    }],
});
// IAM role for the EKS cluster, using the trust policy above.
const example = new aws.iam.Role("example", {
    name: "eks-cluster-example",
    assumeRolePolicy: assumeRole.then(assumeRole => assumeRole.json),
});
// Attach the AWS managed AmazonEKSClusterPolicy to the role.
const example_AmazonEKSClusterPolicy = new aws.iam.RolePolicyAttachment("example-AmazonEKSClusterPolicy", {
    policyArn: "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
    role: example.name,
});
// Optionally, enable Security Groups for Pods.
// Leave this attachment out when the feature is not used, so the role holds
// no more permissions than the cluster needs.
// Reference: https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html
const example_AmazonEKSVPCResourceController = new aws.iam.RolePolicyAttachment("example-AmazonEKSVPCResourceController", {
    policyArn: "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController",
    role: example.name,
});
import pulumi
import pulumi_aws as aws
# Trust policy: only the EKS service principal (eks.amazonaws.com) may assume
# the role, and only through sts:AssumeRole.
assume_role = aws.iam.get_policy_document(statements=[{
    "effect": "Allow",
    "principals": [{
        "type": "Service",
        "identifiers": ["eks.amazonaws.com"],
    }],
    "actions": ["sts:AssumeRole"],
}])
# IAM role for the EKS cluster, using the trust policy above.
example = aws.iam.Role("example",
    name="eks-cluster-example",
    assume_role_policy=assume_role.json)
# Attach the AWS managed AmazonEKSClusterPolicy to the role.
example__amazon_eks_cluster_policy = aws.iam.RolePolicyAttachment("example-AmazonEKSClusterPolicy",
    policy_arn="arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
    role=example.name)
# Optionally, enable Security Groups for Pods.
# Leave this attachment out when the feature is not used, so the role holds
# no more permissions than the cluster needs.
# Reference: https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html
example__amazon_eksvpc_resource_controller = aws.iam.RolePolicyAttachment("example-AmazonEKSVPCResourceController",
    policy_arn="arn:aws:iam::aws:policy/AmazonEKSVPCResourceController",
    role=example.name)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main creates the IAM role for an EKS cluster and attaches the AWS managed
// policies to it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Trust policy: only the EKS service principal (eks.amazonaws.com) may
		// assume the role, and only through sts:AssumeRole.
		assumeRole, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Effect: pulumi.StringRef("Allow"),
					Principals: []iam.GetPolicyDocumentStatementPrincipal{
						{
							Type: "Service",
							Identifiers: []string{
								"eks.amazonaws.com",
							},
						},
					},
					Actions: []string{
						"sts:AssumeRole",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// IAM role for the EKS cluster, using the trust policy above.
		example, err := iam.NewRole(ctx, "example", &iam.RoleArgs{
			Name:             pulumi.String("eks-cluster-example"),
			AssumeRolePolicy: pulumi.String(assumeRole.Json),
		})
		if err != nil {
			return err
		}
		// Attach the AWS managed AmazonEKSClusterPolicy to the role.
		_, err = iam.NewRolePolicyAttachment(ctx, "example-AmazonEKSClusterPolicy", &iam.RolePolicyAttachmentArgs{
			PolicyArn: pulumi.String("arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"),
			Role:      example.Name,
		})
		if err != nil {
			return err
		}
		// Optionally, enable Security Groups for Pods.
		// Leave this attachment out when the feature is not used, so the role
		// holds no more permissions than the cluster needs.
		// Reference: https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html
		_, err = iam.NewRolePolicyAttachment(ctx, "example-AmazonEKSVPCResourceController", &iam.RolePolicyAttachmentArgs{
			PolicyArn: pulumi.String("arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"),
			Role:      example.Name,
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
// Creates the IAM role for an EKS cluster and attaches the AWS managed policies to it.
return await Deployment.RunAsync(() =>
{
    // Trust policy: only the EKS service principal (eks.amazonaws.com) may
    // assume the role, and only through sts:AssumeRole.
    var assumeRole = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Effect = "Allow",
                Principals = new[]
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                    {
                        Type = "Service",
                        Identifiers = new[]
                        {
                            "eks.amazonaws.com",
                        },
                    },
                },
                Actions = new[]
                {
                    "sts:AssumeRole",
                },
            },
        },
    });
    // IAM role for the EKS cluster, using the trust policy above.
    var example = new Aws.Iam.Role("example", new()
    {
        Name = "eks-cluster-example",
        AssumeRolePolicy = assumeRole.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
    });
    // Attach the AWS managed AmazonEKSClusterPolicy to the role.
    var example_AmazonEKSClusterPolicy = new Aws.Iam.RolePolicyAttachment("example-AmazonEKSClusterPolicy", new()
    {
        PolicyArn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
        Role = example.Name,
    });
    // Optionally, enable Security Groups for Pods.
    // Leave this attachment out when the feature is not used, so the role
    // holds no more permissions than the cluster needs.
    // Reference: https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html
    var example_AmazonEKSVPCResourceController = new Aws.Iam.RolePolicyAttachment("example-AmazonEKSVPCResourceController", new()
    {
        PolicyArn = "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController",
        Role = example.Name,
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.iam.RolePolicyAttachment;
import com.pulumi.aws.iam.RolePolicyAttachmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Creates the IAM role for an EKS cluster and attaches the AWS managed
 * policies to it.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        // Trust policy: only the EKS service principal (eks.amazonaws.com) may
        // assume the role, and only through sts:AssumeRole.
        final var assumeRole = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .effect("Allow")
                .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                    .type("Service")
                    .identifiers("eks.amazonaws.com")
                    .build())
                .actions("sts:AssumeRole")
                .build())
            .build());
        // IAM role for the EKS cluster, using the trust policy above.
        var example = new Role("example", RoleArgs.builder()
            .name("eks-cluster-example")
            .assumeRolePolicy(assumeRole.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());
        // Attach the AWS managed AmazonEKSClusterPolicy to the role.
        var example_AmazonEKSClusterPolicy = new RolePolicyAttachment("example-AmazonEKSClusterPolicy", RolePolicyAttachmentArgs.builder()
            .policyArn("arn:aws:iam::aws:policy/AmazonEKSClusterPolicy")
            .role(example.name())
            .build());
        // Optionally, enable Security Groups for Pods.
        // Leave this attachment out when the feature is not used, so the role
        // holds no more permissions than the cluster needs.
        // Reference: https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html
        var example_AmazonEKSVPCResourceController = new RolePolicyAttachment("example-AmazonEKSVPCResourceController", RolePolicyAttachmentArgs.builder()
            .policyArn("arn:aws:iam::aws:policy/AmazonEKSVPCResourceController")
            .role(example.name())
            .build());
    }
}
# Creates the IAM role for an EKS cluster and attaches the AWS managed policies to it.
resources:
  # IAM role for the EKS cluster, using the assumeRole trust policy defined under variables.
  example:
    type: aws:iam:Role
    properties:
      name: eks-cluster-example
      assumeRolePolicy: ${assumeRole.json}
  # Attach the AWS managed AmazonEKSClusterPolicy to the role.
  example-AmazonEKSClusterPolicy:
    type: aws:iam:RolePolicyAttachment
    properties:
      policyArn: arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
      role: ${example.name}
  # Optionally, enable Security Groups for Pods.
  # Leave this attachment out when the feature is not used, so the role
  # holds no more permissions than the cluster needs.
  # Reference: https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html
  example-AmazonEKSVPCResourceController:
    type: aws:iam:RolePolicyAttachment
    properties:
      policyArn: arn:aws:iam::aws:policy/AmazonEKSVPCResourceController
      role: ${example.name}
variables:
  # Trust policy: only the EKS service principal (eks.amazonaws.com) may
  # assume the role, and only through sts:AssumeRole.
  assumeRole:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - effect: Allow
            principals:
              - type: Service
                identifiers:
                  - eks.amazonaws.com
            actions:
              - sts:AssumeRole
Enabling Control Plane Logging
EKS Control Plane Logging can be enabled via the enabled_cluster_log_types argument. To manage the CloudWatch Log Group retention period, the aws.cloudwatch.LogGroup resource can be used.
The configuration below uses dependsOn to prevent ordering issues with EKS automatically creating the log group first, and a variable for naming consistency. Other ordering and naming methodologies may be more appropriate for your environment.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Enables EKS control plane logging and manages the receiving CloudWatch log group.
const config = new pulumi.Config();
// One name feeds both the log group path and the cluster, so the two cannot drift apart.
const clusterName = config.get("clusterName") || "example";
// Log group declared here so its retention period is managed by this program.
// NOTE(review): 7 days is a short window for audit logs - confirm it meets
// your investigation and compliance retention requirements.
const exampleLogGroup = new aws.cloudwatch.LogGroup("example", {
    name: `/aws/eks/${clusterName}/cluster`,
    retentionInDays: 7,
});
const example = new aws.eks.Cluster("example", {
    // Only the api and audit log types are enabled.
    // NOTE(review): authenticator, controllerManager and scheduler logs are not
    // enabled here; authenticator logs are often wanted when investigating access.
    enabledClusterLogTypes: [
        "api",
        "audit",
    ],
    name: clusterName,
}, {
    // Create the log group before the cluster.
    dependsOn: [exampleLogGroup],
});
import pulumi
import pulumi_aws as aws
# Enables EKS control plane logging and manages the receiving CloudWatch log group.
config = pulumi.Config()
# One name feeds both the log group path and the cluster, so the two cannot drift apart.
cluster_name = config.get("clusterName")
if cluster_name is None:
    cluster_name = "example"
# Log group declared here so its retention period is managed by this program.
# NOTE(review): 7 days is a short window for audit logs - confirm it meets
# your investigation and compliance retention requirements.
example_log_group = aws.cloudwatch.LogGroup("example",
    name=f"/aws/eks/{cluster_name}/cluster",
    retention_in_days=7)
example = aws.eks.Cluster("example",
    # Only the api and audit log types are enabled.
    # NOTE(review): authenticator, controllerManager and scheduler logs are not
    # enabled here; authenticator logs are often wanted when investigating access.
    enabled_cluster_log_types=[
        "api",
        "audit",
    ],
    name=cluster_name,
    # Create the log group before the cluster.
    opts = pulumi.ResourceOptions(depends_on=[example_log_group]))
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudwatch"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/eks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)
// main enables EKS control plane logging and manages the receiving
// CloudWatch log group.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		cfg := config.New(ctx, "")
		// One name feeds both the log group path and the cluster, so the two
		// cannot drift apart.
		clusterName := "example"
		if param := cfg.Get("clusterName"); param != "" {
			clusterName = param
		}
		// Log group declared here so its retention period is managed by this program.
		// NOTE(review): 7 days is a short window for audit logs - confirm it meets
		// your investigation and compliance retention requirements.
		exampleLogGroup, err := cloudwatch.NewLogGroup(ctx, "example", &cloudwatch.LogGroupArgs{
			Name:            pulumi.String(fmt.Sprintf("/aws/eks/%v/cluster", clusterName)),
			RetentionInDays: pulumi.Int(7),
		})
		if err != nil {
			return err
		}
		_, err = eks.NewCluster(ctx, "example", &eks.ClusterArgs{
			// Only the api and audit log types are enabled.
			// NOTE(review): authenticator, controllerManager and scheduler logs are not
			// enabled here; authenticator logs are often wanted when investigating access.
			EnabledClusterLogTypes: pulumi.StringArray{
				pulumi.String("api"),
				pulumi.String("audit"),
			},
			Name: pulumi.String(clusterName),
			// Create the log group before the cluster.
		}, pulumi.DependsOn([]pulumi.Resource{
			exampleLogGroup,
		}))
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
// Enables EKS control plane logging and manages the receiving CloudWatch log group.
return await Deployment.RunAsync(() =>
{
    var config = new Config();
    // One name feeds both the log group path and the cluster, so the two cannot drift apart.
    var clusterName = config.Get("clusterName") ?? "example";
    // Log group declared here so its retention period is managed by this program.
    // NOTE(review): 7 days is a short window for audit logs - confirm it meets
    // your investigation and compliance retention requirements.
    var exampleLogGroup = new Aws.CloudWatch.LogGroup("example", new()
    {
        Name = $"/aws/eks/{clusterName}/cluster",
        RetentionInDays = 7,
    });
    var example = new Aws.Eks.Cluster("example", new()
    {
        // Only the api and audit log types are enabled.
        // NOTE(review): authenticator, controllerManager and scheduler logs are not
        // enabled here; authenticator logs are often wanted when investigating access.
        EnabledClusterLogTypes = new[]
        {
            "api",
            "audit",
        },
        Name = clusterName,
    }, new CustomResourceOptions
    {
        // Create the log group before the cluster.
        DependsOn =
        {
            exampleLogGroup,
        },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudwatch.LogGroup;
import com.pulumi.aws.cloudwatch.LogGroupArgs;
import com.pulumi.aws.eks.Cluster;
import com.pulumi.aws.eks.ClusterArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Enables EKS control plane logging and manages the receiving CloudWatch
 * log group.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        final var config = ctx.config();
        // One name feeds both the log group path and the cluster, so the two cannot drift apart.
        final var clusterName = config.get("clusterName").orElse("example");
        // Log group declared here so its retention period is managed by this program.
        // NOTE(review): 7 days is a short window for audit logs - confirm it meets
        // your investigation and compliance retention requirements.
        var exampleLogGroup = new LogGroup("exampleLogGroup", LogGroupArgs.builder()
            .name(String.format("/aws/eks/%s/cluster", clusterName))
            .retentionInDays(7)
            .build());
        // Only the api and audit log types are enabled.
        // NOTE(review): authenticator, controllerManager and scheduler logs are not
        // enabled here; authenticator logs are often wanted when investigating access.
        var example = new Cluster("example", ClusterArgs.builder()
            .enabledClusterLogTypes(
                "api",
                "audit")
            .name(clusterName)
            // dependsOn: create the log group before the cluster.
            .build(), CustomResourceOptions.builder()
                .dependsOn(exampleLogGroup)
                .build());
    }
}
# Enables EKS control plane logging and manages the receiving CloudWatch log group.
configuration:
  # One name feeds both the log group path and the cluster, so the two cannot drift apart.
  clusterName:
    type: string
    default: example
resources:
  example:
    type: aws:eks:Cluster
    properties:
      # Only the api and audit log types are enabled.
      # NOTE(review): authenticator, controllerManager and scheduler logs are not
      # enabled here; authenticator logs are often wanted when investigating access.
      enabledClusterLogTypes:
        - api
        - audit
      name: ${clusterName}
    options:
      # Create the log group before the cluster.
      dependson:
        - ${exampleLogGroup}
  # Log group declared here so its retention period is managed by this program.
  # NOTE(review): 7 days is a short window for audit logs - confirm it meets
  # your investigation and compliance retention requirements.
  exampleLogGroup:
    type: aws:cloudwatch:LogGroup
    name: example
    properties:
      name: /aws/eks/${clusterName}/cluster
      retentionInDays: 7 # ... potentially other configuration ...
Enabling IAM Roles for Service Accounts
For more information about this feature, see the EKS User Guide.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as std from "@pulumi/std";
import * as tls from "@pulumi/tls";
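// IAM Roles for Service Accounts: registers the cluster's OIDC issuer as an IAM
// identity provider and creates a role that one Kubernetes service account can
// assume through sts:AssumeRoleWithWebIdentity.
const exampleCluster = new aws.eks.Cluster("example", {});
// Fetch certificate details from the cluster's OIDC issuer URL.
const example = exampleCluster.identities.apply(identities => tls.getCertificateOutput({
    url: identities[0].oidcs?.[0]?.issuer,
}));
const exampleOpenIdConnectProvider = new aws.iam.OpenIdConnectProvider("example", {
    // Audience the provider accepts in presented tokens.
    clientIdLists: ["sts.amazonaws.com"],
    // NOTE(review): the thumbprint is whatever certificate the issuer URL presents
    // when this program runs - run it from a network path you trust.
    thumbprintLists: [example.apply(example => example.certificates?.[0]?.sha1Fingerprint)],
    url: example.apply(example => example.url),
});
// Issuer URL without its scheme; the OIDC claim condition keys below are prefixed with it.
const issuerHost = std.replaceOutput({
    text: exampleOpenIdConnectProvider.url,
    search: "https://",
    replace: "",
}).apply(invoke => invoke.result);
const exampleAssumeRolePolicy = aws.iam.getPolicyDocumentOutput({
    statements: [{
        actions: ["sts:AssumeRoleWithWebIdentity"],
        effect: "Allow",
        conditions: [
            {
                // Only the aws-node service account in kube-system may assume the role.
                test: "StringEquals",
                variable: issuerHost.apply(host => `${host}:sub`),
                values: ["system:serviceaccount:kube-system:aws-node"],
            },
            {
                // Defence in depth: also pin the token audience in the trust policy, so
                // the role stays restricted even if more client IDs are later added to
                // the provider.
                test: "StringEquals",
                variable: issuerHost.apply(host => `${host}:aud`),
                values: ["sts.amazonaws.com"],
            },
        ],
        principals: [{
            identifiers: [exampleOpenIdConnectProvider.arn],
            type: "Federated",
        }],
    }],
});
const exampleRole = new aws.iam.Role("example", {
    assumeRolePolicy: exampleAssumeRolePolicy.apply(exampleAssumeRolePolicy => exampleAssumeRolePolicy.json),
    name: "example",
});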
import pulumi
import pulumi_aws as aws
import pulumi_std as std
import pulumi_tls as tls
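# IAM Roles for Service Accounts: registers the cluster's OIDC issuer as an IAM
# identity provider and creates a role that one Kubernetes service account can
# assume through sts:AssumeRoleWithWebIdentity.
example_cluster = aws.eks.Cluster("example")
# Fetch certificate details from the cluster's OIDC issuer URL.
example = example_cluster.identities.apply(lambda identities: tls.get_certificate_output(url=identities[0].oidcs[0].issuer))
example_open_id_connect_provider = aws.iam.OpenIdConnectProvider("example",
    # Audience the provider accepts in presented tokens.
    client_id_lists=["sts.amazonaws.com"],
    # NOTE(review): the thumbprint is whatever certificate the issuer URL presents
    # when this program runs - run it from a network path you trust.
    thumbprint_lists=[example.certificates[0].sha1_fingerprint],
    url=example.url)
# Issuer URL without its scheme; the OIDC claim condition keys below are prefixed with it.
issuer_host = std.replace_output(text=example_open_id_connect_provider.url,
    search="https://",
    replace="").apply(lambda invoke: invoke.result)
example_assume_role_policy = aws.iam.get_policy_document_output(statements=[{
    "actions": ["sts:AssumeRoleWithWebIdentity"],
    "effect": "Allow",
    "conditions": [
        {
            # Only the aws-node service account in kube-system may assume the role.
            "test": "StringEquals",
            "variable": issuer_host.apply(lambda host: f"{host}:sub"),
            "values": ["system:serviceaccount:kube-system:aws-node"],
        },
        {
            # Defence in depth: also pin the token audience in the trust policy, so
            # the role stays restricted even if more client IDs are later added to
            # the provider.
            "test": "StringEquals",
            "variable": issuer_host.apply(lambda host: f"{host}:aud"),
            "values": ["sts.amazonaws.com"],
        },
    ],
    "principals": [{
        "identifiers": [example_open_id_connect_provider.arn],
        "type": "Federated",
    }],
}])
example_role = aws.iam.Role("example",
    assume_role_policy=example_assume_role_policy.json,
    name="example")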
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/eks"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-tls/sdk/v4/go/tls"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
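// main sets up IAM Roles for Service Accounts: it registers the cluster's OIDC
// issuer as an IAM identity provider and creates a role that one Kubernetes
// service account can assume through sts:AssumeRoleWithWebIdentity.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		exampleCluster, err := eks.NewCluster(ctx, "example", nil)
		if err != nil {
			return err
		}
		// Fetch certificate details from the cluster's OIDC issuer URL.
		example := exampleCluster.Identities.ApplyT(func(identities []eks.ClusterIdentity) (tls.GetCertificateResult, error) {
			return tls.GetCertificateOutput(ctx, tls.GetCertificateOutputArgs{
				Url: identities[0].Oidcs[0].Issuer,
			}, nil), nil
		}).(tls.GetCertificateResultOutput)
		exampleOpenIdConnectProvider, err := iam.NewOpenIdConnectProvider(ctx, "example", &iam.OpenIdConnectProviderArgs{
			// Audience the provider accepts in presented tokens.
			ClientIdLists: pulumi.StringArray{
				pulumi.String("sts.amazonaws.com"),
			},
			// NOTE(review): the thumbprint is whatever certificate the issuer URL
			// presents when this program runs - run it from a network path you trust.
			ThumbprintLists: pulumi.StringArray{
				example.ApplyT(func(example tls.GetCertificateResult) (*string, error) {
					return &example.Certificates[0].Sha1Fingerprint, nil
				}).(pulumi.StringPtrOutput),
			},
			Url: example.ApplyT(func(example tls.GetCertificateResult) (*string, error) {
				return &example.Url, nil
			}).(pulumi.StringPtrOutput),
		})
		if err != nil {
			return err
		}
		// Issuer URL without its scheme; the OIDC claim condition keys below are
		// prefixed with it.
		issuerHost := std.ReplaceOutput(ctx, std.ReplaceOutputArgs{
			Text:    exampleOpenIdConnectProvider.Url,
			Search:  pulumi.String("https://"),
			Replace: pulumi.String(""),
		}, nil)
		exampleAssumeRolePolicy := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
			Statements: iam.GetPolicyDocumentStatementArray{
				&iam.GetPolicyDocumentStatementArgs{
					Actions: pulumi.StringArray{
						pulumi.String("sts:AssumeRoleWithWebIdentity"),
					},
					Effect: pulumi.String("Allow"),
					Conditions: iam.GetPolicyDocumentStatementConditionArray{
						// Only the aws-node service account in kube-system may
						// assume the role.
						&iam.GetPolicyDocumentStatementConditionArgs{
							Test: pulumi.String("StringEquals"),
							Variable: issuerHost.ApplyT(func(invoke std.ReplaceResult) (string, error) {
								return fmt.Sprintf("%v:sub", invoke.Result), nil
							}).(pulumi.StringOutput),
							Values: pulumi.StringArray{
								pulumi.String("system:serviceaccount:kube-system:aws-node"),
							},
						},
						// Defence in depth: also pin the token audience in the trust
						// policy, so the role stays restricted even if more client
						// IDs are later added to the provider.
						&iam.GetPolicyDocumentStatementConditionArgs{
							Test: pulumi.String("StringEquals"),
							Variable: issuerHost.ApplyT(func(invoke std.ReplaceResult) (string, error) {
								return fmt.Sprintf("%v:aud", invoke.Result), nil
							}).(pulumi.StringOutput),
							Values: pulumi.StringArray{
								pulumi.String("sts.amazonaws.com"),
							},
						},
					},
					Principals: iam.GetPolicyDocumentStatementPrincipalArray{
						&iam.GetPolicyDocumentStatementPrincipalArgs{
							Identifiers: pulumi.StringArray{
								exampleOpenIdConnectProvider.Arn,
							},
							Type: pulumi.String("Federated"),
						},
					},
				},
			},
		}, nil)
		_, err = iam.NewRole(ctx, "example", &iam.RoleArgs{
			AssumeRolePolicy: exampleAssumeRolePolicy.ApplyT(func(exampleAssumeRolePolicy iam.GetPolicyDocumentResult) (*string, error) {
				return &exampleAssumeRolePolicy.Json, nil
			}).(pulumi.StringPtrOutput),
			Name: pulumi.String("example"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}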
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
using Std = Pulumi.Std;
using Tls = Pulumi.Tls;
// IAM Roles for Service Accounts: registers the cluster's OIDC issuer as an IAM
// identity provider and creates a role that one Kubernetes service account can
// assume through sts:AssumeRoleWithWebIdentity.
return await Deployment.RunAsync(() =>
{
    var exampleCluster = new Aws.Eks.Cluster("example");
    // Fetch certificate details from the cluster's OIDC issuer URL.
    var example = Tls.GetCertificate.Invoke(new()
    {
        Url = exampleCluster.Identities[0].Oidcs[0]?.Issuer,
    });
    var exampleOpenIdConnectProvider = new Aws.Iam.OpenIdConnectProvider("example", new()
    {
        // Audience the provider accepts in presented tokens.
        ClientIdLists = new[]
        {
            "sts.amazonaws.com",
        },
        // NOTE(review): the thumbprint is whatever certificate the issuer URL
        // presents when this program runs - run it from a network path you trust.
        ThumbprintLists = new[]
        {
            example.Apply(getCertificateResult => getCertificateResult.Certificates[0]?.Sha1Fingerprint),
        },
        Url = example.Apply(getCertificateResult => getCertificateResult.Url),
    });
    var exampleAssumeRolePolicy = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Actions = new[]
                {
                    "sts:AssumeRoleWithWebIdentity",
                },
                Effect = "Allow",
                // Only the aws-node service account in kube-system may assume the role.
                // NOTE(review): only the :sub claim is pinned; consider a second
                // StringEquals condition on the issuer's :aud key with the value
                // sts.amazonaws.com as defence in depth.
                Conditions = new[]
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
                    {
                        Test = "StringEquals",
                        // Condition key: issuer URL without its scheme, followed by ":sub".
                        Variable = $"{Std.Replace.Invoke(new()
                        {
                            Text = exampleOpenIdConnectProvider.Url,
                            Search = "https://",
                            Replace = "",
                        }).Result}:sub",
                        Values = new[]
                        {
                            "system:serviceaccount:kube-system:aws-node",
                        },
                    },
                },
                Principals = new[]
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                    {
                        Identifiers = new[]
                        {
                            exampleOpenIdConnectProvider.Arn,
                        },
                        Type = "Federated",
                    },
                },
            },
        },
    });
    var exampleRole = new Aws.Iam.Role("example", new()
    {
        AssumeRolePolicy = exampleAssumeRolePolicy.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
        Name = "example",
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.eks.Cluster;
import com.pulumi.tls.TlsFunctions;
import com.pulumi.tls.inputs.GetCertificateArgs;
import com.pulumi.aws.iam.OpenIdConnectProvider;
import com.pulumi.aws.iam.OpenIdConnectProviderArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * IAM Roles for Service Accounts: registers the cluster's OIDC issuer as an
 * IAM identity provider and creates a role that one Kubernetes service
 * account can assume through sts:AssumeRoleWithWebIdentity.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var exampleCluster = new Cluster("exampleCluster");
        // Fetch certificate details from the cluster's OIDC issuer URL.
        final var example = TlsFunctions.getCertificate(GetCertificateArgs.builder()
            .url(exampleCluster.identities().applyValue(identities -> identities[0].oidcs()[0].issuer()))
            .build());
        // clientIdLists is the audience the provider accepts in presented tokens.
        // NOTE(review): the thumbprint is whatever certificate the issuer URL
        // presents when this program runs - run it from a network path you trust.
        var exampleOpenIdConnectProvider = new OpenIdConnectProvider("exampleOpenIdConnectProvider", OpenIdConnectProviderArgs.builder()
            .clientIdLists("sts.amazonaws.com")
            .thumbprintLists(example.applyValue(getCertificateResult -> getCertificateResult).applyValue(example -> example.applyValue(getCertificateResult -> getCertificateResult.certificates()[0].sha1Fingerprint())))
            .url(example.applyValue(getCertificateResult -> getCertificateResult).applyValue(example -> example.applyValue(getCertificateResult -> getCertificateResult.url())))
            .build());
        // Trust policy: only the aws-node service account in kube-system may assume the role.
        // NOTE(review): only the :sub claim is pinned; consider a second StringEquals
        // condition on the issuer's :aud key with the value sts.amazonaws.com as
        // defence in depth.
        // NOTE(review): as written, replace() receives no arguments, so the issuer
        // URL is never passed in and the condition key cannot carry the issuer
        // prefix - verify against the std provider's API before use.
        final var exampleAssumeRolePolicy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .actions("sts:AssumeRoleWithWebIdentity")
                .effect("Allow")
                .conditions(GetPolicyDocumentStatementConditionArgs.builder()
                    .test("StringEquals")
                    .variable(StdFunctions.replace().applyValue(invoke -> String.format("%s:sub", invoke.result())))
                    .values("system:serviceaccount:kube-system:aws-node")
                    .build())
                .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                    .identifiers(exampleOpenIdConnectProvider.arn())
                    .type("Federated")
                    .build())
                .build())
            .build());
        var exampleRole = new Role("exampleRole", RoleArgs.builder()
            .assumeRolePolicy(exampleAssumeRolePolicy.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult).applyValue(exampleAssumeRolePolicy -> exampleAssumeRolePolicy.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json())))
            .name("example")
            .build());
    }
}
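# IAM Roles for Service Accounts: registers the cluster's OIDC issuer as an IAM
# identity provider and creates a role that one Kubernetes service account can
# assume through sts:AssumeRoleWithWebIdentity.
resources:
  exampleCluster:
    type: aws:eks:Cluster
    name: example
  exampleOpenIdConnectProvider:
    type: aws:iam:OpenIdConnectProvider
    name: example
    properties:
      # Audience the provider accepts in presented tokens.
      clientIdLists:
        - sts.amazonaws.com
      # NOTE(review): the thumbprint is whatever certificate the issuer URL presents
      # when this program runs - run it from a network path you trust.
      thumbprintLists:
        - ${example.certificates[0].sha1Fingerprint}
      url: ${example.url}
  exampleRole:
    type: aws:iam:Role
    name: example
    properties:
      assumeRolePolicy: ${exampleAssumeRolePolicy.json}
      name: example
variables:
  # Certificate details fetched from the cluster's OIDC issuer URL.
  example:
    fn::invoke:
      Function: tls:getCertificate
      Arguments:
        url: ${exampleCluster.identities[0].oidcs[0].issuer}
  exampleAssumeRolePolicy:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - actions:
              - sts:AssumeRoleWithWebIdentity
            effect: Allow
            conditions:
              # Only the aws-node service account in kube-system may assume the role.
              # The condition key is the issuer URL without its scheme, followed by ":sub".
              # The join separator and the replacement are explicit empty strings;
              # a bare key would parse as null.
              - test: StringEquals
                variable:
                  fn::join:
                    - ""
                    - - fn::invoke:
                          Function: std:replace
                          Arguments:
                            text: ${exampleOpenIdConnectProvider.url}
                            search: https://
                            replace: ""
                          Return: result
                      - ":sub"
                values:
                  - system:serviceaccount:kube-system:aws-node
              # Defence in depth: also pin the token audience in the trust policy, so
              # the role stays restricted even if more client IDs are later added to
              # the provider.
              - test: StringEquals
                variable:
                  fn::join:
                    - ""
                    - - fn::invoke:
                          Function: std:replace
                          Arguments:
                            text: ${exampleOpenIdConnectProvider.url}
                            search: https://
                            replace: ""
                          Return: result
                      - ":aud"
                values:
                  - sts.amazonaws.com
            principals:
              - identifiers:
                  - ${exampleOpenIdConnectProvider.arn}
                type: Federated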
EKS Cluster on AWS Outpost
Creating a local Amazon EKS cluster on an AWS Outpost
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Cluster role; exampleAssumeRolePolicy (its trust policy) is defined outside this example.
const example = new aws.iam.Role("example", {
    assumeRolePolicy: exampleAssumeRolePolicy.json,
    name: "example",
});
// Local EKS cluster on an AWS Outpost.
const exampleCluster = new aws.eks.Cluster("example", {
    name: "example-cluster",
    roleArn: example.arn,
    vpcConfig: {
        // API server endpoint: private access enabled, public access disabled.
        endpointPrivateAccess: true,
        endpointPublicAccess: false,
    },
    outpostConfig: {
        // Instance type for the control plane and the Outpost(s) that host it.
        controlPlaneInstanceType: "m5d.large",
        outpostArns: [exampleAwsOutpostsOutpost.arn],
    },
});
import pulumi
import pulumi_aws as aws
# Cluster role; example_assume_role_policy (its trust policy) is defined outside this example.
example = aws.iam.Role("example",
    assume_role_policy=example_assume_role_policy["json"],
    name="example")
# Local EKS cluster on an AWS Outpost.
example_cluster = aws.eks.Cluster("example",
    name="example-cluster",
    role_arn=example.arn,
    vpc_config={
        # API server endpoint: private access enabled, public access disabled.
        "endpointPrivateAccess": True,
        "endpointPublicAccess": False,
    },
    outpost_config={
        # Instance type for the control plane and the Outpost(s) that host it.
        "controlPlaneInstanceType": "m5d.large",
        "outpostArns": [example_aws_outposts_outpost["arn"]],
    })
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/eks"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main creates a cluster role and a local EKS cluster on an AWS Outpost.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Cluster role; exampleAssumeRolePolicy (its trust policy) is defined
		// outside this example.
		example, err := iam.NewRole(ctx, "example", &iam.RoleArgs{
			AssumeRolePolicy: pulumi.Any(exampleAssumeRolePolicy.Json),
			Name:             pulumi.String("example"),
		})
		if err != nil {
			return err
		}
		_, err = eks.NewCluster(ctx, "example", &eks.ClusterArgs{
			Name:    pulumi.String("example-cluster"),
			RoleArn: example.Arn,
			VpcConfig: &eks.ClusterVpcConfigArgs{
				// API server endpoint: private access enabled, public access disabled.
				EndpointPrivateAccess: pulumi.Bool(true),
				EndpointPublicAccess:  pulumi.Bool(false),
			},
			OutpostConfig: &eks.ClusterOutpostConfigArgs{
				// Instance type for the control plane and the Outpost(s) that host it.
				ControlPlaneInstanceType: pulumi.String("m5d.large"),
				OutpostArns: pulumi.StringArray{
					exampleAwsOutpostsOutpost.Arn,
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
// Creates a cluster role and a local EKS cluster on an AWS Outpost.
return await Deployment.RunAsync(() =>
{
    // Cluster role; exampleAssumeRolePolicy (its trust policy) is defined outside this example.
    var example = new Aws.Iam.Role("example", new()
    {
        AssumeRolePolicy = exampleAssumeRolePolicy.Json,
        Name = "example",
    });
    var exampleCluster = new Aws.Eks.Cluster("example", new()
    {
        Name = "example-cluster",
        RoleArn = example.Arn,
        VpcConfig = new Aws.Eks.Inputs.ClusterVpcConfigArgs
        {
            // API server endpoint: private access enabled, public access disabled.
            EndpointPrivateAccess = true,
            EndpointPublicAccess = false,
        },
        OutpostConfig = new Aws.Eks.Inputs.ClusterOutpostConfigArgs
        {
            // Instance type for the control plane and the Outpost(s) that host it.
            ControlPlaneInstanceType = "m5d.large",
            OutpostArns = new[]
            {
                exampleAwsOutpostsOutpost.Arn,
            },
        },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.eks.Cluster;
import com.pulumi.aws.eks.ClusterArgs;
import com.pulumi.aws.eks.inputs.ClusterVpcConfigArgs;
import com.pulumi.aws.eks.inputs.ClusterOutpostConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Creates a cluster role and a local EKS cluster on an AWS Outpost.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        // Cluster role; exampleAssumeRolePolicy (its trust policy) is defined outside this example.
        var example = new Role("example", RoleArgs.builder()
            .assumeRolePolicy(exampleAssumeRolePolicy.json())
            .name("example")
            .build());
        // vpcConfig: private endpoint access enabled, public access disabled.
        // outpostConfig: control plane instance type and the Outpost(s) that host it.
        var exampleCluster = new Cluster("exampleCluster", ClusterArgs.builder()
            .name("example-cluster")
            .roleArn(example.arn())
            .vpcConfig(ClusterVpcConfigArgs.builder()
                .endpointPrivateAccess(true)
                .endpointPublicAccess(false)
                .build())
            .outpostConfig(ClusterOutpostConfigArgs.builder()
                .controlPlaneInstanceType("m5d.large")
                .outpostArns(exampleAwsOutpostsOutpost.arn())
                .build())
            .build());
    }
}
# Creates a cluster role and a local EKS cluster on an AWS Outpost.
resources:
  # Cluster role; exampleAssumeRolePolicy (its trust policy) is defined outside this example.
  example:
    type: aws:iam:Role
    properties:
      assumeRolePolicy: ${exampleAssumeRolePolicy.json}
      name: example
  exampleCluster:
    type: aws:eks:Cluster
    name: example
    properties:
      name: example-cluster
      roleArn: ${example.arn}
      vpcConfig:
        # API server endpoint: private access enabled, public access disabled.
        endpointPrivateAccess: true
        endpointPublicAccess: false
      outpostConfig:
        # Instance type for the control plane and the Outpost(s) that host it.
        controlPlaneInstanceType: m5d.large
        outpostArns:
          - ${exampleAwsOutpostsOutpost.arn}
EKS Cluster with Access Config
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Cluster role; exampleAssumeRolePolicy (its trust policy) is defined outside this example.
const example = new aws.iam.Role("example", {
    assumeRolePolicy: exampleAssumeRolePolicy.json,
    name: "example",
});
// EKS cluster with a private-only API endpoint and an explicit access configuration.
const exampleCluster = new aws.eks.Cluster("example", {
    name: "example-cluster",
    roleArn: example.arn,
    vpcConfig: {
        // API server endpoint: private access enabled, public access disabled.
        endpointPrivateAccess: true,
        endpointPublicAccess: false,
    },
    accessConfig: {
        // NOTE(review): CONFIG_MAP keeps cluster access in the aws-auth ConfigMap only;
        // API or API_AND_CONFIG_MAP enable EKS access entries - confirm the intended mode.
        authenticationMode: "CONFIG_MAP",
        // NOTE(review): true gives the IAM principal that creates the cluster
        // administrator access to it; if a CI or deployment role runs this program,
        // confirm that role should hold cluster-admin.
        bootstrapClusterCreatorAdminPermissions: true,
    },
});
import pulumi
import pulumi_aws as aws
# Cluster role; example_assume_role_policy (its trust policy) is defined outside this example.
example = aws.iam.Role("example",
    assume_role_policy=example_assume_role_policy["json"],
    name="example")
# EKS cluster with a private-only API endpoint and an explicit access configuration.
example_cluster = aws.eks.Cluster("example",
    name="example-cluster",
    role_arn=example.arn,
    vpc_config={
        # API server endpoint: private access enabled, public access disabled.
        "endpointPrivateAccess": True,
        "endpointPublicAccess": False,
    },
    access_config={
        # NOTE(review): CONFIG_MAP keeps cluster access in the aws-auth ConfigMap only;
        # API or API_AND_CONFIG_MAP enable EKS access entries - confirm the intended mode.
        "authenticationMode": "CONFIG_MAP",
        # NOTE(review): True gives the IAM principal that creates the cluster
        # administrator access to it; if a CI or deployment role runs this program,
        # confirm that role should hold cluster-admin.
        "bootstrapClusterCreatorAdminPermissions": True,
    })
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/eks"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main creates a cluster role and an EKS cluster with a private-only API
// endpoint and an explicit access configuration.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Cluster role; exampleAssumeRolePolicy (its trust policy) is defined
		// outside this example.
		example, err := iam.NewRole(ctx, "example", &iam.RoleArgs{
			AssumeRolePolicy: pulumi.Any(exampleAssumeRolePolicy.Json),
			Name:             pulumi.String("example"),
		})
		if err != nil {
			return err
		}
		_, err = eks.NewCluster(ctx, "example", &eks.ClusterArgs{
			Name:    pulumi.String("example-cluster"),
			RoleArn: example.Arn,
			VpcConfig: &eks.ClusterVpcConfigArgs{
				// API server endpoint: private access enabled, public access disabled.
				EndpointPrivateAccess: pulumi.Bool(true),
				EndpointPublicAccess:  pulumi.Bool(false),
			},
			AccessConfig: &eks.ClusterAccessConfigArgs{
				// NOTE(review): CONFIG_MAP keeps cluster access in the aws-auth
				// ConfigMap only; API or API_AND_CONFIG_MAP enable EKS access
				// entries - confirm the intended mode.
				AuthenticationMode: pulumi.String("CONFIG_MAP"),
				// NOTE(review): true gives the IAM principal that creates the
				// cluster administrator access to it; if a CI or deployment role
				// runs this program, confirm that role should hold cluster-admin.
				BootstrapClusterCreatorAdminPermissions: pulumi.Bool(true),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
// Creates a cluster role and an EKS cluster with a private-only API endpoint
// and an explicit access configuration.
return await Deployment.RunAsync(() =>
{
    // Cluster role; exampleAssumeRolePolicy (its trust policy) is defined outside this example.
    var example = new Aws.Iam.Role("example", new()
    {
        AssumeRolePolicy = exampleAssumeRolePolicy.Json,
        Name = "example",
    });
    var exampleCluster = new Aws.Eks.Cluster("example", new()
    {
        Name = "example-cluster",
        RoleArn = example.Arn,
        VpcConfig = new Aws.Eks.Inputs.ClusterVpcConfigArgs
        {
            // API server endpoint: private access enabled, public access disabled.
            EndpointPrivateAccess = true,
            EndpointPublicAccess = false,
        },
        AccessConfig = new Aws.Eks.Inputs.ClusterAccessConfigArgs
        {
            // NOTE(review): CONFIG_MAP keeps cluster access in the aws-auth ConfigMap only;
            // API or API_AND_CONFIG_MAP enable EKS access entries - confirm the intended mode.
            AuthenticationMode = "CONFIG_MAP",
            // NOTE(review): true gives the IAM principal that creates the cluster
            // administrator access to it; if a CI or deployment role runs this
            // program, confirm that role should hold cluster-admin.
            BootstrapClusterCreatorAdminPermissions = true,
        },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.eks.Cluster;
import com.pulumi.aws.eks.ClusterArgs;
import com.pulumi.aws.eks.inputs.ClusterVpcConfigArgs;
import com.pulumi.aws.eks.inputs.ClusterAccessConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Declares an IAM role and an EKS cluster whose API endpoint has private access
 * enabled and public access disabled, using CONFIG_MAP authentication.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Registers the role and the cluster with the Pulumi engine.
     *
     * @param ctx the deployment context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        // Role handed to the cluster as roleArn; exampleAssumeRolePolicy is
        // declared outside this snippet.
        final var roleArgs = RoleArgs.builder()
            .name("example")
            .assumeRolePolicy(exampleAssumeRolePolicy.json())
            .build();
        final var example = new Role("example", roleArgs);

        // NOTE(review): only the endpoint flags are set; the basic example on
        // this page also passes subnetIds, so confirm the subnet list before deploying.
        final var privateEndpointOnly = ClusterVpcConfigArgs.builder()
            .endpointPrivateAccess(true)
            .endpointPublicAccess(false)
            .build();

        // CONFIG_MAP: access is mapped through the aws-auth ConfigMap only; EKS
        // access entries are not used. With the bootstrap flag set to true the
        // IAM principal that creates the cluster gets admin permissions on it,
        // so treat that principal's credentials as cluster-admin credentials.
        final var configMapAccess = ClusterAccessConfigArgs.builder()
            .authenticationMode("CONFIG_MAP")
            .bootstrapClusterCreatorAdminPermissions(true)
            .build();

        final var clusterArgs = ClusterArgs.builder()
            .name("example-cluster")
            .roleArn(example.arn())
            .vpcConfig(privateEndpointOnly)
            .accessConfig(configMapAccess)
            .build();
        var exampleCluster = new Cluster("exampleCluster", clusterArgs);
    }
}
resources:
  # IAM role handed to the cluster as roleArn; exampleAssumeRolePolicy is
  # defined outside this snippet.
  example:
    type: aws:iam:Role
    properties:
      assumeRolePolicy: ${exampleAssumeRolePolicy.json}
      name: example
  exampleCluster:
    type: aws:eks:Cluster
    name: example
    properties:
      name: example-cluster
      roleArn: ${example.arn}
      # Kubernetes API endpoint: private access on, public access off.
      # NOTE(review): no subnetIds are listed here; the basic example on this
      # page passes them in vpcConfig, so confirm the subnet list before deploying.
      vpcConfig:
        endpointPrivateAccess: true
        endpointPublicAccess: false
      # CONFIG_MAP: access is mapped through the aws-auth ConfigMap only; EKS
      # access entries are not used. With the bootstrap flag set to true the IAM
      # principal that creates the cluster gets admin permissions on it, so
      # treat that principal's credentials as cluster-admin credentials.
      accessConfig:
        authenticationMode: CONFIG_MAP
        bootstrapClusterCreatorAdminPermissions: true
After adding inline IAM Policies (e.g., the `aws.iam.RolePolicy` resource) or attaching IAM Policies (e.g., the `aws.iam.Policy` resource and the `aws.iam.RolePolicyAttachment` resource) with the desired permissions to the IAM Role, annotate the Kubernetes service account (e.g., the `kubernetes_service_account` resource) and recreate any pods that use that service account, so that they start with the annotated service account.
Create Cluster Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Cluster(name: string, args: ClusterArgs, opts?: CustomResourceOptions);
@overload
def Cluster(resource_name: str,
args: ClusterArgs,
opts: Optional[ResourceOptions] = None)
@overload
def Cluster(resource_name: str,
opts: Optional[ResourceOptions] = None,
role_arn: Optional[str] = None,
vpc_config: Optional[ClusterVpcConfigArgs] = None,
access_config: Optional[ClusterAccessConfigArgs] = None,
default_addons_to_removes: Optional[Sequence[str]] = None,
enabled_cluster_log_types: Optional[Sequence[str]] = None,
encryption_config: Optional[ClusterEncryptionConfigArgs] = None,
kubernetes_network_config: Optional[ClusterKubernetesNetworkConfigArgs] = None,
name: Optional[str] = None,
outpost_config: Optional[ClusterOutpostConfigArgs] = None,
tags: Optional[Mapping[str, str]] = None,
version: Optional[str] = None)
func NewCluster(ctx *Context, name string, args ClusterArgs, opts ...ResourceOption) (*Cluster, error)
public Cluster(string name, ClusterArgs args, CustomResourceOptions? opts = null)
public Cluster(String name, ClusterArgs args)
public Cluster(String name, ClusterArgs args, CustomResourceOptions options)
type: aws:eks:Cluster
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args ClusterArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ClusterArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ClusterArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ClusterArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ClusterArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference listing of every input: each "string" / false below is a
// placeholder, not a recommended value.
var exampleclusterResourceResourceFromEkscluster = new Aws.Eks.Cluster("exampleclusterResourceResourceFromEkscluster", new()
{
    RoleArn = "string",
    VpcConfig = new Aws.Eks.Inputs.ClusterVpcConfigArgs
    {
        SubnetIds = new[]
        {
            "string",
        },
        ClusterSecurityGroupId = "string",
        EndpointPrivateAccess = false,
        EndpointPublicAccess = false,
        // Source CIDR blocks allowed to reach the public API endpoint; only
        // relevant when EndpointPublicAccess is true. Keep the list narrow.
        PublicAccessCidrs = new[]
        {
            "string",
        },
        SecurityGroupIds = new[]
        {
            "string",
        },
        VpcId = "string",
    },
    AccessConfig = new Aws.Eks.Inputs.ClusterAccessConfigArgs
    {
        // EKS accepts CONFIG_MAP, API or API_AND_CONFIG_MAP.
        AuthenticationMode = "string",
        // true gives the IAM principal creating the cluster admin permissions on it.
        BootstrapClusterCreatorAdminPermissions = false,
    },
    DefaultAddonsToRemoves = new[]
    {
        "string",
    },
    // Control plane log types, e.g. api, audit, authenticator,
    // controllerManager, scheduler.
    EnabledClusterLogTypes = new[]
    {
        "string",
    },
    EncryptionConfig = new Aws.Eks.Inputs.ClusterEncryptionConfigArgs
    {
        Provider = new Aws.Eks.Inputs.ClusterEncryptionConfigProviderArgs
        {
            // ARN of the KMS key used to encrypt the listed resources.
            KeyArn = "string",
        },
        // Resource kinds to encrypt; EKS supports "secrets".
        Resources = new[]
        {
            "string",
        },
    },
    KubernetesNetworkConfig = new Aws.Eks.Inputs.ClusterKubernetesNetworkConfigArgs
    {
        IpFamily = "string",
        ServiceIpv4Cidr = "string",
        ServiceIpv6Cidr = "string",
    },
    Name = "string",
    OutpostConfig = new Aws.Eks.Inputs.ClusterOutpostConfigArgs
    {
        ControlPlaneInstanceType = "string",
        OutpostArns = new[]
        {
            "string",
        },
        ControlPlanePlacement = new Aws.Eks.Inputs.ClusterOutpostConfigControlPlanePlacementArgs
        {
            GroupName = "string",
        },
    },
    Tags =
    {
        { "string", "string" },
    },
    Version = "string",
});
// Reference listing of every input: each "string" / false below is a
// placeholder, not a recommended value.
example, err := eks.NewCluster(ctx, "exampleclusterResourceResourceFromEkscluster", &eks.ClusterArgs{
	RoleArn: pulumi.String("string"),
	VpcConfig: &eks.ClusterVpcConfigArgs{
		SubnetIds: pulumi.StringArray{
			pulumi.String("string"),
		},
		ClusterSecurityGroupId: pulumi.String("string"),
		EndpointPrivateAccess: pulumi.Bool(false),
		EndpointPublicAccess: pulumi.Bool(false),
		// Source CIDR blocks allowed to reach the public API endpoint; only
		// relevant when EndpointPublicAccess is true. Keep the list narrow.
		PublicAccessCidrs: pulumi.StringArray{
			pulumi.String("string"),
		},
		SecurityGroupIds: pulumi.StringArray{
			pulumi.String("string"),
		},
		VpcId: pulumi.String("string"),
	},
	AccessConfig: &eks.ClusterAccessConfigArgs{
		// EKS accepts CONFIG_MAP, API or API_AND_CONFIG_MAP.
		AuthenticationMode: pulumi.String("string"),
		// true gives the IAM principal creating the cluster admin permissions on it.
		BootstrapClusterCreatorAdminPermissions: pulumi.Bool(false),
	},
	DefaultAddonsToRemoves: pulumi.StringArray{
		pulumi.String("string"),
	},
	// Control plane log types, e.g. api, audit, authenticator,
	// controllerManager, scheduler.
	EnabledClusterLogTypes: pulumi.StringArray{
		pulumi.String("string"),
	},
	EncryptionConfig: &eks.ClusterEncryptionConfigArgs{
		Provider: &eks.ClusterEncryptionConfigProviderArgs{
			// ARN of the KMS key used to encrypt the listed resources.
			KeyArn: pulumi.String("string"),
		},
		// Resource kinds to encrypt; EKS supports "secrets".
		Resources: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	KubernetesNetworkConfig: &eks.ClusterKubernetesNetworkConfigArgs{
		IpFamily: pulumi.String("string"),
		ServiceIpv4Cidr: pulumi.String("string"),
		ServiceIpv6Cidr: pulumi.String("string"),
	},
	Name: pulumi.String("string"),
	OutpostConfig: &eks.ClusterOutpostConfigArgs{
		ControlPlaneInstanceType: pulumi.String("string"),
		OutpostArns: pulumi.StringArray{
			pulumi.String("string"),
		},
		ControlPlanePlacement: &eks.ClusterOutpostConfigControlPlanePlacementArgs{
			GroupName: pulumi.String("string"),
		},
	},
	Tags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	Version: pulumi.String("string"),
})
// Reference listing of every input: each "string" / false below is a
// placeholder, not a recommended value.
var exampleclusterResourceResourceFromEkscluster = new Cluster("exampleclusterResourceResourceFromEkscluster", ClusterArgs.builder()
    .roleArn("string")
    .vpcConfig(ClusterVpcConfigArgs.builder()
        .subnetIds("string")
        .clusterSecurityGroupId("string")
        .endpointPrivateAccess(false)
        .endpointPublicAccess(false)
        // Source CIDR blocks allowed to reach the public API endpoint; only
        // relevant when endpointPublicAccess is true. Keep the list narrow.
        .publicAccessCidrs("string")
        .securityGroupIds("string")
        .vpcId("string")
        .build())
    .accessConfig(ClusterAccessConfigArgs.builder()
        // EKS accepts CONFIG_MAP, API or API_AND_CONFIG_MAP.
        .authenticationMode("string")
        // true gives the IAM principal creating the cluster admin permissions on it.
        .bootstrapClusterCreatorAdminPermissions(false)
        .build())
    .defaultAddonsToRemoves("string")
    // Control plane log types, e.g. api, audit, authenticator,
    // controllerManager, scheduler.
    .enabledClusterLogTypes("string")
    .encryptionConfig(ClusterEncryptionConfigArgs.builder()
        .provider(ClusterEncryptionConfigProviderArgs.builder()
            // ARN of the KMS key used to encrypt the listed resources.
            .keyArn("string")
            .build())
        // Resource kinds to encrypt; EKS supports "secrets".
        .resources("string")
        .build())
    .kubernetesNetworkConfig(ClusterKubernetesNetworkConfigArgs.builder()
        .ipFamily("string")
        .serviceIpv4Cidr("string")
        .serviceIpv6Cidr("string")
        .build())
    .name("string")
    .outpostConfig(ClusterOutpostConfigArgs.builder()
        .controlPlaneInstanceType("string")
        .outpostArns("string")
        .controlPlanePlacement(ClusterOutpostConfigControlPlanePlacementArgs.builder()
            .groupName("string")
            .build())
        .build())
    .tags(Map.of("string", "string"))
    .version("string")
    .build());
# Reference listing of every input: each "string" / False below is a
# placeholder, not a recommended value.
examplecluster_resource_resource_from_ekscluster = aws.eks.Cluster("exampleclusterResourceResourceFromEkscluster",
    role_arn="string",
    vpc_config={
        "subnetIds": ["string"],
        "clusterSecurityGroupId": "string",
        "endpointPrivateAccess": False,
        "endpointPublicAccess": False,
        # Source CIDR blocks allowed to reach the public API endpoint; only
        # relevant when endpointPublicAccess is True. Keep the list narrow.
        "publicAccessCidrs": ["string"],
        "securityGroupIds": ["string"],
        "vpcId": "string",
    },
    access_config={
        # EKS accepts CONFIG_MAP, API or API_AND_CONFIG_MAP.
        "authenticationMode": "string",
        # True gives the IAM principal creating the cluster admin permissions on it.
        "bootstrapClusterCreatorAdminPermissions": False,
    },
    default_addons_to_removes=["string"],
    # Control plane log types, e.g. api, audit, authenticator,
    # controllerManager, scheduler.
    enabled_cluster_log_types=["string"],
    encryption_config={
        "provider": {
            # ARN of the KMS key used to encrypt the listed resources.
            "keyArn": "string",
        },
        # Resource kinds to encrypt; EKS supports "secrets".
        "resources": ["string"],
    },
    kubernetes_network_config={
        "ipFamily": "string",
        "serviceIpv4Cidr": "string",
        "serviceIpv6Cidr": "string",
    },
    name="string",
    outpost_config={
        "controlPlaneInstanceType": "string",
        "outpostArns": ["string"],
        "controlPlanePlacement": {
            "groupName": "string",
        },
    },
    tags={
        "string": "string",
    },
    version="string")
// Reference listing of every input: each "string" / false below is a
// placeholder, not a recommended value.
const exampleclusterResourceResourceFromEkscluster = new aws.eks.Cluster("exampleclusterResourceResourceFromEkscluster", {
    roleArn: "string",
    vpcConfig: {
        subnetIds: ["string"],
        clusterSecurityGroupId: "string",
        endpointPrivateAccess: false,
        endpointPublicAccess: false,
        // Source CIDR blocks allowed to reach the public API endpoint; only
        // relevant when endpointPublicAccess is true. Keep the list narrow.
        publicAccessCidrs: ["string"],
        securityGroupIds: ["string"],
        vpcId: "string",
    },
    accessConfig: {
        // EKS accepts CONFIG_MAP, API or API_AND_CONFIG_MAP.
        authenticationMode: "string",
        // true gives the IAM principal creating the cluster admin permissions on it.
        bootstrapClusterCreatorAdminPermissions: false,
    },
    defaultAddonsToRemoves: ["string"],
    // Control plane log types, e.g. api, audit, authenticator,
    // controllerManager, scheduler.
    enabledClusterLogTypes: ["string"],
    encryptionConfig: {
        provider: {
            // ARN of the KMS key used to encrypt the listed resources.
            keyArn: "string",
        },
        // Resource kinds to encrypt; EKS supports "secrets".
        resources: ["string"],
    },
    kubernetesNetworkConfig: {
        ipFamily: "string",
        serviceIpv4Cidr: "string",
        serviceIpv6Cidr: "string",
    },
    name: "string",
    outpostConfig: {
        controlPlaneInstanceType: "string",
        outpostArns: ["string"],
        controlPlanePlacement: {
            groupName: "string",
        },
    },
    tags: {
        string: "string",
    },
    version: "string",
});
# Reference listing of every input: each "string" / false below is a
# placeholder, not a recommended value.
type: aws:eks:Cluster
properties:
    accessConfig:
        # EKS accepts CONFIG_MAP, API or API_AND_CONFIG_MAP.
        authenticationMode: string
        # true gives the IAM principal creating the cluster admin permissions on it.
        bootstrapClusterCreatorAdminPermissions: false
    defaultAddonsToRemoves:
        - string
    # Control plane log types, e.g. api, audit, authenticator,
    # controllerManager, scheduler.
    enabledClusterLogTypes:
        - string
    encryptionConfig:
        provider:
            # ARN of the KMS key used to encrypt the listed resources.
            keyArn: string
        # Resource kinds to encrypt; EKS supports "secrets".
        resources:
            - string
    kubernetesNetworkConfig:
        ipFamily: string
        serviceIpv4Cidr: string
        serviceIpv6Cidr: string
    name: string
    outpostConfig:
        controlPlaneInstanceType: string
        controlPlanePlacement:
            groupName: string
        outpostArns:
            - string
    roleArn: string
    tags:
        string: string
    version: string
    vpcConfig:
        clusterSecurityGroupId: string
        endpointPrivateAccess: false
        endpointPublicAccess: false
        # Source CIDR blocks allowed to reach the public API endpoint; only
        # relevant when endpointPublicAccess is true. Keep the list narrow.
        publicAccessCidrs:
            - string
        securityGroupIds:
            - string
        subnetIds:
            - string
        vpcId: string
Cluster Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The Cluster resource accepts the following input properties:
- RoleArn string - ARN of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. Ensure the resource configuration includes explicit dependencies on the IAM Role permissions by adding `depends_on` if using the `aws.iam.RolePolicy` resource or the `aws.iam.RolePolicyAttachment` resource; otherwise EKS cannot delete EKS managed EC2 infrastructure such as Security Groups on EKS Cluster deletion.
- VpcConfig ClusterVpcConfig - Configuration block for the VPC associated with your cluster. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide. Detailed below. Also contains attributes detailed in the Attributes section.
The following arguments are optional:
- AccessConfig ClusterAccessConfig - Configuration block for the access config associated with your cluster, see Amazon EKS Access Entries.
- DefaultAddonsToRemoves List<string>
- EnabledClusterLogTypes List<string> - List of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging.
- EncryptionConfig ClusterEncryptionConfig - Configuration block with encryption configuration for the cluster. Only available on Kubernetes 1.13 and above clusters created after March 6, 2020. Detailed below.
- KubernetesNetworkConfig ClusterKubernetesNetworkConfig - Configuration block with kubernetes network configuration for the cluster. Detailed below. If removed, this provider will only perform drift detection if a configuration value is provided.
- Name string - Name of the cluster. Must be between 1-100 characters in length. Must begin with an alphanumeric character, and must only contain alphanumeric characters, dashes and underscores (`^[0-9A-Za-z][A-Za-z0-9\-_]*$`).
- OutpostConfig ClusterOutpostConfig - Configuration block representing the configuration of your local Amazon EKS cluster on an AWS Outpost. This block isn't available for creating Amazon EKS clusters on the AWS cloud.
- Tags Dictionary<string, string> - Key-value map of resource tags. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- Version string - Desired Kubernetes master version. If you do not specify a value, the latest available version at resource creation is used and no upgrades will occur except those automatically triggered by EKS. The value must be configured and increased to upgrade the version when desired. Downgrades are not supported by EKS.
- Role
Arn string - ARN of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. Ensure the resource configuration includes explicit dependencies on the IAM Role permissions by adding
depends_on
if using theaws.iam.RolePolicy
resource oraws.iam.RolePolicyAttachment
resource, otherwise EKS cannot delete EKS managed EC2 infrastructure such as Security Groups on EKS Cluster deletion. - Vpc
Config ClusterVpc Config Args Configuration block for the VPC associated with your cluster. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide. Detailed below. Also contains attributes detailed in the Attributes section.
The following arguments are optional:
- Access
Config ClusterAccess Config Args - Configuration block for the access config associated with your cluster, see Amazon EKS Access Entries.
- Default
Addons []stringTo Removes - Enabled
Cluster []stringLog Types - List of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging.
- Encryption
Config ClusterEncryption Config Args - Configuration block with encryption configuration for the cluster. Only available on Kubernetes 1.13 and above clusters created after March 6, 2020. Detailed below.
- Kubernetes
Network ClusterConfig Kubernetes Network Config Args - Configuration block with kubernetes network configuration for the cluster. Detailed below. If removed, this provider will only perform drift detection if a configuration value is provided.
- Name string
- Name of the cluster. Must be between 1-100 characters in length. Must begin with an alphanumeric character, and must only contain alphanumeric characters, dashes and underscores (
^[0-9A-Za-z][A-Za-z0-9\-_]*$
). - Outpost
Config ClusterOutpost Config Args - Configuration block representing the configuration of your local Amazon EKS cluster on an AWS Outpost. This block isn't available for creating Amazon EKS clusters on the AWS cloud.
- map[string]string
- Key-value map of resource tags. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - Version string
- Desired Kubernetes master version. If you do not specify a value, the latest available version at resource creation is used and no upgrades will occur except those automatically triggered by EKS. The value must be configured and increased to upgrade the version when desired. Downgrades are not supported by EKS.
- role
Arn String - ARN of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. Ensure the resource configuration includes explicit dependencies on the IAM Role permissions by adding
depends_on
if using theaws.iam.RolePolicy
resource oraws.iam.RolePolicyAttachment
resource, otherwise EKS cannot delete EKS managed EC2 infrastructure such as Security Groups on EKS Cluster deletion. - vpc
Config ClusterVpc Config Configuration block for the VPC associated with your cluster. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide. Detailed below. Also contains attributes detailed in the Attributes section.
The following arguments are optional:
- access
Config ClusterAccess Config - Configuration block for the access config associated with your cluster, see Amazon EKS Access Entries.
- default
Addons List<String>To Removes - enabled
Cluster List<String>Log Types - List of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging.
- encryption
Config ClusterEncryption Config - Configuration block with encryption configuration for the cluster. Only available on Kubernetes 1.13 and above clusters created after March 6, 2020. Detailed below.
- kubernetes
Network ClusterConfig Kubernetes Network Config - Configuration block with kubernetes network configuration for the cluster. Detailed below. If removed, this provider will only perform drift detection if a configuration value is provided.
- name String
- Name of the cluster. Must be between 1-100 characters in length. Must begin with an alphanumeric character, and must only contain alphanumeric characters, dashes and underscores (
^[0-9A-Za-z][A-Za-z0-9\-_]*$
). - outpost
Config ClusterOutpost Config - Configuration block representing the configuration of your local Amazon EKS cluster on an AWS Outpost. This block isn't available for creating Amazon EKS clusters on the AWS cloud.
- Map<String,String>
- Key-value map of resource tags. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - version String
- Desired Kubernetes master version. If you do not specify a value, the latest available version at resource creation is used and no upgrades will occur except those automatically triggered by EKS. The value must be configured and increased to upgrade the version when desired. Downgrades are not supported by EKS.
- role
Arn string - ARN of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. Ensure the resource configuration includes explicit dependencies on the IAM Role permissions by adding
depends_on
if using theaws.iam.RolePolicy
resource oraws.iam.RolePolicyAttachment
resource, otherwise EKS cannot delete EKS managed EC2 infrastructure such as Security Groups on EKS Cluster deletion. - vpc
Config ClusterVpc Config Configuration block for the VPC associated with your cluster. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide. Detailed below. Also contains attributes detailed in the Attributes section.
The following arguments are optional:
- access
Config ClusterAccess Config - Configuration block for the access config associated with your cluster, see Amazon EKS Access Entries.
- default
Addons string[]To Removes - enabled
Cluster string[]Log Types - List of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging.
- encryption
Config ClusterEncryption Config - Configuration block with encryption configuration for the cluster. Only available on Kubernetes 1.13 and above clusters created after March 6, 2020. Detailed below.
- kubernetes
Network ClusterConfig Kubernetes Network Config - Configuration block with kubernetes network configuration for the cluster. Detailed below. If removed, this provider will only perform drift detection if a configuration value is provided.
- name string
- Name of the cluster. Must be between 1-100 characters in length. Must begin with an alphanumeric character, and must only contain alphanumeric characters, dashes and underscores (
^[0-9A-Za-z][A-Za-z0-9\-_]*$
). - outpost
Config ClusterOutpost Config - Configuration block representing the configuration of your local Amazon EKS cluster on an AWS Outpost. This block isn't available for creating Amazon EKS clusters on the AWS cloud.
- {[key: string]: string}
- Key-value map of resource tags. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - version string
- Desired Kubernetes master version. If you do not specify a value, the latest available version at resource creation is used and no upgrades will occur except those automatically triggered by EKS. The value must be configured and increased to upgrade the version when desired. Downgrades are not supported by EKS.
- role_
arn str - ARN of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. Ensure the resource configuration includes explicit dependencies on the IAM Role permissions by adding
depends_on
if using theaws.iam.RolePolicy
resource oraws.iam.RolePolicyAttachment
resource, otherwise EKS cannot delete EKS managed EC2 infrastructure such as Security Groups on EKS Cluster deletion. - vpc_
config ClusterVpc Config Args Configuration block for the VPC associated with your cluster. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide. Detailed below. Also contains attributes detailed in the Attributes section.
The following arguments are optional:
- access_
config ClusterAccess Config Args - Configuration block for the access config associated with your cluster, see Amazon EKS Access Entries.
- default_
addons_ Sequence[str]to_ removes - enabled_
cluster_ Sequence[str]log_ types - List of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging.
- encryption_
config ClusterEncryption Config Args - Configuration block with encryption configuration for the cluster. Only available on Kubernetes 1.13 and above clusters created after March 6, 2020. Detailed below.
- kubernetes_
network_ Clusterconfig Kubernetes Network Config Args - Configuration block with kubernetes network configuration for the cluster. Detailed below. If removed, this provider will only perform drift detection if a configuration value is provided.
- name str
- Name of the cluster. Must be between 1-100 characters in length. Must begin with an alphanumeric character, and must only contain alphanumeric characters, dashes and underscores (
^[0-9A-Za-z][A-Za-z0-9\-_]*$
). - outpost_
config ClusterOutpost Config Args - Configuration block representing the configuration of your local Amazon EKS cluster on an AWS Outpost. This block isn't available for creating Amazon EKS clusters on the AWS cloud.
- Mapping[str, str]
- Key-value map of resource tags. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - version str
- Desired Kubernetes master version. If you do not specify a value, the latest available version at resource creation is used and no upgrades will occur except those automatically triggered by EKS. The value must be configured and increased to upgrade the version when desired. Downgrades are not supported by EKS.
- role
Arn String - ARN of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. Ensure the resource configuration includes explicit dependencies on the IAM Role permissions by adding
depends_on
if using theaws.iam.RolePolicy
resource oraws.iam.RolePolicyAttachment
resource, otherwise EKS cannot delete EKS managed EC2 infrastructure such as Security Groups on EKS Cluster deletion. - vpc
Config Property Map Configuration block for the VPC associated with your cluster. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide. Detailed below. Also contains attributes detailed in the Attributes section.
The following arguments are optional:
- access
Config Property Map - Configuration block for the access config associated with your cluster, see Amazon EKS Access Entries.
- default
Addons List<String>To Removes - enabled
Cluster List<String>Log Types - List of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging.
- encryption
Config Property Map - Configuration block with encryption configuration for the cluster. Only available on Kubernetes 1.13 and above clusters created after March 6, 2020. Detailed below.
- kubernetes
Network Property MapConfig - Configuration block with kubernetes network configuration for the cluster. Detailed below. If removed, this provider will only perform drift detection if a configuration value is provided.
- name String
- Name of the cluster. Must be between 1-100 characters in length. Must begin with an alphanumeric character, and must only contain alphanumeric characters, dashes and underscores (
^[0-9A-Za-z][A-Za-z0-9\-_]*$
). - outpost
Config Property Map - Configuration block representing the configuration of your local Amazon EKS cluster on an AWS Outpost. This block isn't available for creating Amazon EKS clusters on the AWS cloud.
- Map<String>
- Key-value map of resource tags. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - version String
- Desired Kubernetes master version. If you do not specify a value, the latest available version at resource creation is used and no upgrades will occur except those automatically triggered by EKS. The value must be configured and increased to upgrade the version when desired. Downgrades are not supported by EKS.
Outputs
All input properties are implicitly available as output properties. Additionally, the Cluster resource produces the following output properties:
- Arn string - ARN of the cluster.
- CertificateAuthorities List<ClusterCertificateAuthority>
- CertificateAuthority ClusterCertificateAuthority - Attribute block containing `certificate-authority-data` for your cluster. Detailed below.
- ClusterId string - The ID of your local Amazon EKS cluster on the AWS Outpost. This attribute isn't available for an AWS EKS cluster on AWS cloud.
- CreatedAt string - Unix epoch timestamp in seconds for when the cluster was created.
- Endpoint string - Endpoint for your Kubernetes API server.
- Id string - The provider-assigned unique ID for this managed resource.
- Identities List<ClusterIdentity> - Attribute block containing identity provider information for your cluster. Only available on Kubernetes version 1.13 and 1.14 clusters created or upgraded on or after September 3, 2019. Detailed below.
- PlatformVersion string - Platform version for the cluster.
- Status string - Status of the EKS cluster. One of `CREATING`, `ACTIVE`, `DELETING`, `FAILED`.
- TagsAll Dictionary<string, string> - Map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.
- Arn string
- ARN of the cluster.
- []Cluster
Certificate Authority - Cluster
Certificate Authority - Attribute block containing
certificate-authority-data
for your cluster. Detailed below. - Cluster
Id string - The ID of your local Amazon EKS cluster on the AWS Outpost. This attribute isn't available for an AWS EKS cluster on AWS cloud.
- Created
At string - Unix epoch timestamp in seconds for when the cluster was created.
- Endpoint string
- Endpoint for your Kubernetes API server.
- Id string
- The provider-assigned unique ID for this managed resource.
- Identities
[]Cluster
Identity - Attribute block containing identity provider information for your cluster. Only available on Kubernetes version 1.13 and 1.14 clusters created or upgraded on or after September 3, 2019. Detailed below.
- Platform
Version string - Platform version for the cluster.
- Status string
- Status of the EKS cluster. One of
CREATING
,ACTIVE
,DELETING
,FAILED
. - map[string]string
- Map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
- arn String
- ARN of the cluster.
- List<Cluster
Certificate Authority> - Cluster
Certificate Authority - Attribute block containing
certificate-authority-data
for your cluster. Detailed below. - cluster
Id String - The ID of your local Amazon EKS cluster on the AWS Outpost. This attribute isn't available for an AWS EKS cluster on AWS cloud.
- created
At String - Unix epoch timestamp in seconds for when the cluster was created.
- endpoint String
- Endpoint for your Kubernetes API server.
- id String
- The provider-assigned unique ID for this managed resource.
- identities
List<Cluster
Identity> - Attribute block containing identity provider information for your cluster. Only available on Kubernetes version 1.13 and 1.14 clusters created or upgraded on or after September 3, 2019. Detailed below.
- platform
Version String - Platform version for the cluster.
- status String
- Status of the EKS cluster. One of
CREATING
,ACTIVE
,DELETING
,FAILED
. - Map<String,String>
- Map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
- arn string
- ARN of the cluster.
- Cluster
Certificate Authority[] - Cluster
Certificate Authority - Attribute block containing
certificate-authority-data
for your cluster. Detailed below. - cluster
Id string - The ID of your local Amazon EKS cluster on the AWS Outpost. This attribute isn't available for an AWS EKS cluster on AWS cloud.
- created
At string - Unix epoch timestamp in seconds for when the cluster was created.
- endpoint string
- Endpoint for your Kubernetes API server.
- id string
- The provider-assigned unique ID for this managed resource.
- identities
Cluster
Identity[] - Attribute block containing identity provider information for your cluster. Only available on Kubernetes version 1.13 and 1.14 clusters created or upgraded on or after September 3, 2019. Detailed below.
- platform
Version string - Platform version for the cluster.
- status string
- Status of the EKS cluster. One of
CREATING
,ACTIVE
,DELETING
,FAILED
. - {[key: string]: string}
- Map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
- arn str
- ARN of the cluster.
- Sequence[Cluster
Certificate Authority] - Cluster
Certificate Authority - Attribute block containing
certificate-authority-data
for your cluster. Detailed below. - cluster_
id str - The ID of your local Amazon EKS cluster on the AWS Outpost. This attribute isn't available for an AWS EKS cluster on AWS cloud.
- created_
at str - Unix epoch timestamp in seconds for when the cluster was created.
- endpoint str
- Endpoint for your Kubernetes API server.
- id str
- The provider-assigned unique ID for this managed resource.
- identities
Sequence[Cluster
Identity] - Attribute block containing identity provider information for your cluster. Only available on Kubernetes version 1.13 and 1.14 clusters created or upgraded on or after September 3, 2019. Detailed below.
- platform_
version str - Platform version for the cluster.
- status str
- Status of the EKS cluster. One of
CREATING
,ACTIVE
,DELETING
,FAILED
. - Mapping[str, str]
- Map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
- arn String
- ARN of the cluster.
- List<Property Map>
- Property Map
- Attribute block containing
certificate-authority-data
for your cluster. Detailed below. - cluster
Id String - The ID of your local Amazon EKS cluster on the AWS Outpost. This attribute isn't available for an AWS EKS cluster on AWS cloud.
- created
At String - Unix epoch timestamp in seconds for when the cluster was created.
- endpoint String
- Endpoint for your Kubernetes API server.
- id String
- The provider-assigned unique ID for this managed resource.
- identities List<Property Map>
- Attribute block containing identity provider information for your cluster. Only available on Kubernetes version 1.13 and 1.14 clusters created or upgraded on or after September 3, 2019. Detailed below.
- platform
Version String - Platform version for the cluster.
- status String
- Status of the EKS cluster. One of
CREATING
,ACTIVE
,DELETING
,FAILED
. - Map<String>
- Map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
Look up Existing Cluster Resource
Get an existing Cluster resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ClusterState, opts?: CustomResourceOptions): Cluster
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
access_config: Optional[ClusterAccessConfigArgs] = None,
arn: Optional[str] = None,
certificate_authorities: Optional[Sequence[ClusterCertificateAuthorityArgs]] = None,
certificate_authority: Optional[ClusterCertificateAuthorityArgs] = None,
cluster_id: Optional[str] = None,
created_at: Optional[str] = None,
default_addons_to_removes: Optional[Sequence[str]] = None,
enabled_cluster_log_types: Optional[Sequence[str]] = None,
encryption_config: Optional[ClusterEncryptionConfigArgs] = None,
endpoint: Optional[str] = None,
identities: Optional[Sequence[ClusterIdentityArgs]] = None,
kubernetes_network_config: Optional[ClusterKubernetesNetworkConfigArgs] = None,
name: Optional[str] = None,
outpost_config: Optional[ClusterOutpostConfigArgs] = None,
platform_version: Optional[str] = None,
role_arn: Optional[str] = None,
status: Optional[str] = None,
tags: Optional[Mapping[str, str]] = None,
tags_all: Optional[Mapping[str, str]] = None,
version: Optional[str] = None,
vpc_config: Optional[ClusterVpcConfigArgs] = None) -> Cluster
func GetCluster(ctx *Context, name string, id IDInput, state *ClusterState, opts ...ResourceOption) (*Cluster, error)
public static Cluster Get(string name, Input<string> id, ClusterState? state, CustomResourceOptions? opts = null)
public static Cluster get(String name, Output<String> id, ClusterState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Access
Config ClusterAccess Config - Configuration block for the access config associated with your cluster, see Amazon EKS Access Entries.
- Arn string
- ARN of the cluster.
- List<Cluster
Certificate Authority> - Cluster
Certificate Authority - Attribute block containing
certificate-authority-data
for your cluster. Detailed below. - Cluster
Id string - The ID of your local Amazon EKS cluster on the AWS Outpost. This attribute isn't available for an AWS EKS cluster on AWS cloud.
- Created
At string - Unix epoch timestamp in seconds for when the cluster was created.
- DefaultAddonsToRemoves List<string>
- EnabledClusterLogTypes List<string> - List of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging.
- Encryption
Config ClusterEncryption Config - Configuration block with encryption configuration for the cluster. Only available on Kubernetes 1.13 and above clusters created after March 6, 2020. Detailed below.
- Endpoint string
- Endpoint for your Kubernetes API server.
- Identities
List<Cluster
Identity> - Attribute block containing identity provider information for your cluster. Only available on Kubernetes version 1.13 and 1.14 clusters created or upgraded on or after September 3, 2019. Detailed below.
- Kubernetes
Network ClusterConfig Kubernetes Network Config - Configuration block with kubernetes network configuration for the cluster. Detailed below. If removed, this provider will only perform drift detection if a configuration value is provided.
- Name string
- Name of the cluster. Must be between 1-100 characters in length. Must begin with an alphanumeric character, and must only contain alphanumeric characters, dashes and underscores (
^[0-9A-Za-z][A-Za-z0-9\-_]*$
). - Outpost
Config ClusterOutpost Config - Configuration block representing the configuration of your local Amazon EKS cluster on an AWS Outpost. This block isn't available for creating Amazon EKS clusters on the AWS cloud.
- Platform
Version string - Platform version for the cluster.
- Role
Arn string - ARN of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. Ensure the resource configuration includes explicit dependencies on the IAM Role permissions by adding
depends_on
if using the aws.iam.RolePolicy
resource or aws.iam.RolePolicyAttachment
resource, otherwise EKS cannot delete EKS managed EC2 infrastructure such as Security Groups on EKS Cluster deletion. - Status string
- Status of the EKS cluster. One of
CREATING
,ACTIVE
,DELETING
,FAILED
. - Dictionary<string, string>
- Key-value map of resource tags. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - Dictionary<string, string>
- Map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block. - Version string
- Desired Kubernetes master version. If you do not specify a value, the latest available version at resource creation is used and no upgrades will occur except those automatically triggered by EKS. The value must be configured and increased to upgrade the version when desired. Downgrades are not supported by EKS.
- Vpc
Config ClusterVpc Config Configuration block for the VPC associated with your cluster. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide. Detailed below. Also contains attributes detailed in the Attributes section.
The following arguments are optional:
- Access
Config ClusterAccess Config Args - Configuration block for the access config associated with your cluster, see Amazon EKS Access Entries.
- Arn string
- ARN of the cluster.
- []Cluster
Certificate Authority Args - Cluster
Certificate Authority Args - Attribute block containing
certificate-authority-data
for your cluster. Detailed below. - Cluster
Id string - The ID of your local Amazon EKS cluster on the AWS Outpost. This attribute isn't available for an AWS EKS cluster on AWS cloud.
- Created
At string - Unix epoch timestamp in seconds for when the cluster was created.
- DefaultAddonsToRemoves []string
- EnabledClusterLogTypes []string - List of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging.
- Encryption
Config ClusterEncryption Config Args - Configuration block with encryption configuration for the cluster. Only available on Kubernetes 1.13 and above clusters created after March 6, 2020. Detailed below.
- Endpoint string
- Endpoint for your Kubernetes API server.
- Identities
[]Cluster
Identity Args - Attribute block containing identity provider information for your cluster. Only available on Kubernetes version 1.13 and 1.14 clusters created or upgraded on or after September 3, 2019. Detailed below.
- Kubernetes
Network ClusterConfig Kubernetes Network Config Args - Configuration block with kubernetes network configuration for the cluster. Detailed below. If removed, this provider will only perform drift detection if a configuration value is provided.
- Name string
- Name of the cluster. Must be between 1-100 characters in length. Must begin with an alphanumeric character, and must only contain alphanumeric characters, dashes and underscores (
^[0-9A-Za-z][A-Za-z0-9\-_]*$
). - Outpost
Config ClusterOutpost Config Args - Configuration block representing the configuration of your local Amazon EKS cluster on an AWS Outpost. This block isn't available for creating Amazon EKS clusters on the AWS cloud.
- Platform
Version string - Platform version for the cluster.
- Role
Arn string - ARN of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. Ensure the resource configuration includes explicit dependencies on the IAM Role permissions by adding
depends_on
if using the aws.iam.RolePolicy
resource or aws.iam.RolePolicyAttachment
resource, otherwise EKS cannot delete EKS managed EC2 infrastructure such as Security Groups on EKS Cluster deletion. - Status string
- Status of the EKS cluster. One of
CREATING
,ACTIVE
,DELETING
,FAILED
. - map[string]string
- Key-value map of resource tags. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - map[string]string
- Map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block. - Version string
- Desired Kubernetes master version. If you do not specify a value, the latest available version at resource creation is used and no upgrades will occur except those automatically triggered by EKS. The value must be configured and increased to upgrade the version when desired. Downgrades are not supported by EKS.
- Vpc
Config ClusterVpc Config Args Configuration block for the VPC associated with your cluster. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide. Detailed below. Also contains attributes detailed in the Attributes section.
The following arguments are optional:
- access
Config ClusterAccess Config - Configuration block for the access config associated with your cluster, see Amazon EKS Access Entries.
- arn String
- ARN of the cluster.
- List<Cluster
Certificate Authority> - Cluster
Certificate Authority - Attribute block containing
certificate-authority-data
for your cluster. Detailed below. - cluster
Id String - The ID of your local Amazon EKS cluster on the AWS Outpost. This attribute isn't available for an AWS EKS cluster on AWS cloud.
- created
At String - Unix epoch timestamp in seconds for when the cluster was created.
- defaultAddonsToRemoves List<String>
- enabledClusterLogTypes List<String> - List of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging.
- encryption
Config ClusterEncryption Config - Configuration block with encryption configuration for the cluster. Only available on Kubernetes 1.13 and above clusters created after March 6, 2020. Detailed below.
- endpoint String
- Endpoint for your Kubernetes API server.
- identities
List<Cluster
Identity> - Attribute block containing identity provider information for your cluster. Only available on Kubernetes version 1.13 and 1.14 clusters created or upgraded on or after September 3, 2019. Detailed below.
- kubernetes
Network ClusterConfig Kubernetes Network Config - Configuration block with kubernetes network configuration for the cluster. Detailed below. If removed, this provider will only perform drift detection if a configuration value is provided.
- name String
- Name of the cluster. Must be between 1-100 characters in length. Must begin with an alphanumeric character, and must only contain alphanumeric characters, dashes and underscores (
^[0-9A-Za-z][A-Za-z0-9\-_]*$
). - outpost
Config ClusterOutpost Config - Configuration block representing the configuration of your local Amazon EKS cluster on an AWS Outpost. This block isn't available for creating Amazon EKS clusters on the AWS cloud.
- platform
Version String - Platform version for the cluster.
- role
Arn String - ARN of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. Ensure the resource configuration includes explicit dependencies on the IAM Role permissions by adding
depends_on
if using the aws.iam.RolePolicy
resource or aws.iam.RolePolicyAttachment
resource, otherwise EKS cannot delete EKS managed EC2 infrastructure such as Security Groups on EKS Cluster deletion. - status String
- Status of the EKS cluster. One of
CREATING
,ACTIVE
,DELETING
,FAILED
. - Map<String,String>
- Key-value map of resource tags. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - Map<String,String>
- Map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block. - version String
- Desired Kubernetes master version. If you do not specify a value, the latest available version at resource creation is used and no upgrades will occur except those automatically triggered by EKS. The value must be configured and increased to upgrade the version when desired. Downgrades are not supported by EKS.
- vpc
Config ClusterVpc Config Configuration block for the VPC associated with your cluster. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide. Detailed below. Also contains attributes detailed in the Attributes section.
The following arguments are optional:
- access
Config ClusterAccess Config - Configuration block for the access config associated with your cluster, see Amazon EKS Access Entries.
- arn string
- ARN of the cluster.
- Cluster
Certificate Authority[] - Cluster
Certificate Authority - Attribute block containing
certificate-authority-data
for your cluster. Detailed below. - cluster
Id string - The ID of your local Amazon EKS cluster on the AWS Outpost. This attribute isn't available for an AWS EKS cluster on AWS cloud.
- created
At string - Unix epoch timestamp in seconds for when the cluster was created.
- defaultAddonsToRemoves string[]
- enabledClusterLogTypes string[] - List of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging.
- encryption
Config ClusterEncryption Config - Configuration block with encryption configuration for the cluster. Only available on Kubernetes 1.13 and above clusters created after March 6, 2020. Detailed below.
- endpoint string
- Endpoint for your Kubernetes API server.
- identities
Cluster
Identity[] - Attribute block containing identity provider information for your cluster. Only available on Kubernetes version 1.13 and 1.14 clusters created or upgraded on or after September 3, 2019. Detailed below.
- kubernetes
Network ClusterConfig Kubernetes Network Config - Configuration block with kubernetes network configuration for the cluster. Detailed below. If removed, this provider will only perform drift detection if a configuration value is provided.
- name string
- Name of the cluster. Must be between 1-100 characters in length. Must begin with an alphanumeric character, and must only contain alphanumeric characters, dashes and underscores (
^[0-9A-Za-z][A-Za-z0-9\-_]*$
). - outpost
Config ClusterOutpost Config - Configuration block representing the configuration of your local Amazon EKS cluster on an AWS Outpost. This block isn't available for creating Amazon EKS clusters on the AWS cloud.
- platform
Version string - Platform version for the cluster.
- role
Arn string - ARN of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. Ensure the resource configuration includes explicit dependencies on the IAM Role permissions by adding
depends_on
if using the aws.iam.RolePolicy
resource or aws.iam.RolePolicyAttachment
resource, otherwise EKS cannot delete EKS managed EC2 infrastructure such as Security Groups on EKS Cluster deletion. - status string
- Status of the EKS cluster. One of
CREATING
,ACTIVE
,DELETING
,FAILED
. - {[key: string]: string}
- Key-value map of resource tags. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - {[key: string]: string}
- Map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block. - version string
- Desired Kubernetes master version. If you do not specify a value, the latest available version at resource creation is used and no upgrades will occur except those automatically triggered by EKS. The value must be configured and increased to upgrade the version when desired. Downgrades are not supported by EKS.
- vpc
Config ClusterVpc Config Configuration block for the VPC associated with your cluster. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide. Detailed below. Also contains attributes detailed in the Attributes section.
The following arguments are optional:
- access_
config ClusterAccess Config Args - Configuration block for the access config associated with your cluster, see Amazon EKS Access Entries.
- arn str
- ARN of the cluster.
- Sequence[Cluster
Certificate Authority Args] - Cluster
Certificate Authority Args - Attribute block containing
certificate-authority-data
for your cluster. Detailed below. - cluster_
id str - The ID of your local Amazon EKS cluster on the AWS Outpost. This attribute isn't available for an AWS EKS cluster on AWS cloud.
- created_
at str - Unix epoch timestamp in seconds for when the cluster was created.
- default_addons_to_removes Sequence[str]
- enabled_cluster_log_types Sequence[str] - List of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging.
- encryption_
config ClusterEncryption Config Args - Configuration block with encryption configuration for the cluster. Only available on Kubernetes 1.13 and above clusters created after March 6, 2020. Detailed below.
- endpoint str
- Endpoint for your Kubernetes API server.
- identities
Sequence[Cluster
Identity Args] - Attribute block containing identity provider information for your cluster. Only available on Kubernetes version 1.13 and 1.14 clusters created or upgraded on or after September 3, 2019. Detailed below.
- kubernetes_
network_ Clusterconfig Kubernetes Network Config Args - Configuration block with kubernetes network configuration for the cluster. Detailed below. If removed, this provider will only perform drift detection if a configuration value is provided.
- name str
- Name of the cluster. Must be between 1-100 characters in length. Must begin with an alphanumeric character, and must only contain alphanumeric characters, dashes and underscores (
^[0-9A-Za-z][A-Za-z0-9\-_]*$
). - outpost_
config ClusterOutpost Config Args - Configuration block representing the configuration of your local Amazon EKS cluster on an AWS Outpost. This block isn't available for creating Amazon EKS clusters on the AWS cloud.
- platform_
version str - Platform version for the cluster.
- role_
arn str - ARN of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. Ensure the resource configuration includes explicit dependencies on the IAM Role permissions by adding
depends_on
if using the aws.iam.RolePolicy
resource or aws.iam.RolePolicyAttachment
resource, otherwise EKS cannot delete EKS managed EC2 infrastructure such as Security Groups on EKS Cluster deletion. - status str
- Status of the EKS cluster. One of
CREATING
,ACTIVE
,DELETING
,FAILED
. - Mapping[str, str]
- Key-value map of resource tags. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - Mapping[str, str]
- Map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block. - version str
- Desired Kubernetes master version. If you do not specify a value, the latest available version at resource creation is used and no upgrades will occur except those automatically triggered by EKS. The value must be configured and increased to upgrade the version when desired. Downgrades are not supported by EKS.
- vpc_
config ClusterVpc Config Args Configuration block for the VPC associated with your cluster. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide. Detailed below. Also contains attributes detailed in the Attributes section.
The following arguments are optional:
- access
Config Property Map - Configuration block for the access config associated with your cluster, see Amazon EKS Access Entries.
- arn String
- ARN of the cluster.
- List<Property Map>
- Property Map
- Attribute block containing
certificate-authority-data
for your cluster. Detailed below. - cluster
Id String - The ID of your local Amazon EKS cluster on the AWS Outpost. This attribute isn't available for an AWS EKS cluster on AWS cloud.
- created
At String - Unix epoch timestamp in seconds for when the cluster was created.
- defaultAddonsToRemoves List<String>
- enabledClusterLogTypes List<String> - List of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging.
- encryption
Config Property Map - Configuration block with encryption configuration for the cluster. Only available on Kubernetes 1.13 and above clusters created after March 6, 2020. Detailed below.
- endpoint String
- Endpoint for your Kubernetes API server.
- identities List<Property Map>
- Attribute block containing identity provider information for your cluster. Only available on Kubernetes version 1.13 and 1.14 clusters created or upgraded on or after September 3, 2019. Detailed below.
- kubernetes
Network Property MapConfig - Configuration block with kubernetes network configuration for the cluster. Detailed below. If removed, this provider will only perform drift detection if a configuration value is provided.
- name String
- Name of the cluster. Must be between 1-100 characters in length. Must begin with an alphanumeric character, and must only contain alphanumeric characters, dashes and underscores (
^[0-9A-Za-z][A-Za-z0-9\-_]*$
). - outpost
Config Property Map - Configuration block representing the configuration of your local Amazon EKS cluster on an AWS Outpost. This block isn't available for creating Amazon EKS clusters on the AWS cloud.
- platform
Version String - Platform version for the cluster.
- role
Arn String - ARN of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. Ensure the resource configuration includes explicit dependencies on the IAM Role permissions by adding
depends_on
if using the aws.iam.RolePolicy
resource or aws.iam.RolePolicyAttachment
resource, otherwise EKS cannot delete EKS managed EC2 infrastructure such as Security Groups on EKS Cluster deletion. - status String
- Status of the EKS cluster. One of
CREATING
,ACTIVE
,DELETING
,FAILED
. - Map<String>
- Key-value map of resource tags. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - Map<String>
- Map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block. - version String
- Desired Kubernetes master version. If you do not specify a value, the latest available version at resource creation is used and no upgrades will occur except those automatically triggered by EKS. The value must be configured and increased to upgrade the version when desired. Downgrades are not supported by EKS.
- vpc
Config Property Map Configuration block for the VPC associated with your cluster. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide. Detailed below. Also contains attributes detailed in the Attributes section.
The following arguments are optional:
Supporting Types
ClusterAccessConfig, ClusterAccessConfigArgs
- AuthenticationMode string - The authentication mode for the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`.
- BootstrapClusterCreatorAdminPermissions bool - Whether or not to bootstrap the access config values to the cluster, i.e. whether the IAM principal that creates the cluster is granted cluster administrator permissions. Default is `true`.
- AuthenticationMode string - The authentication mode for the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`.
- BootstrapClusterCreatorAdminPermissions bool - Whether or not to bootstrap the access config values to the cluster, i.e. whether the IAM principal that creates the cluster is granted cluster administrator permissions. Default is `true`.
- authenticationMode String - The authentication mode for the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`.
- bootstrapClusterCreatorAdminPermissions Boolean - Whether or not to bootstrap the access config values to the cluster, i.e. whether the IAM principal that creates the cluster is granted cluster administrator permissions. Default is `true`.
- authenticationMode string - The authentication mode for the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`.
- bootstrapClusterCreatorAdminPermissions boolean - Whether or not to bootstrap the access config values to the cluster, i.e. whether the IAM principal that creates the cluster is granted cluster administrator permissions. Default is `true`.
- authentication_mode str - The authentication mode for the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`.
- bootstrap_cluster_creator_admin_permissions bool - Whether or not to bootstrap the access config values to the cluster, i.e. whether the IAM principal that creates the cluster is granted cluster administrator permissions. Default is `true`.
- authenticationMode String - The authentication mode for the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`.
- bootstrapClusterCreatorAdminPermissions Boolean - Whether or not to bootstrap the access config values to the cluster, i.e. whether the IAM principal that creates the cluster is granted cluster administrator permissions. Default is `true`.
ClusterCertificateAuthority, ClusterCertificateAuthorityArgs
- Data string
- Base64 encoded certificate data required to communicate with your cluster. Add this to the
certificate-authority-data
section of the kubeconfig
file for your cluster.
- Data string
- Base64 encoded certificate data required to communicate with your cluster. Add this to the
certificate-authority-data
section of the kubeconfig
file for your cluster.
- data String
- Base64 encoded certificate data required to communicate with your cluster. Add this to the
certificate-authority-data
section of the kubeconfig
file for your cluster.
- data string
- Base64 encoded certificate data required to communicate with your cluster. Add this to the
certificate-authority-data
section of the kubeconfig
file for your cluster.
- data str
- Base64 encoded certificate data required to communicate with your cluster. Add this to the
certificate-authority-data
section of the kubeconfig
file for your cluster.
- data String
- Base64 encoded certificate data required to communicate with your cluster. Add this to the
certificate-authority-data
section of the kubeconfig
file for your cluster.
ClusterEncryptionConfig, ClusterEncryptionConfigArgs
- Provider
Cluster
Encryption Config Provider - Configuration block with provider for encryption. Detailed below.
- Resources List<string>
- List of strings with resources to be encrypted. Valid values:
secrets
.
- Provider
Cluster
Encryption Config Provider - Configuration block with provider for encryption. Detailed below.
- Resources []string
- List of strings with resources to be encrypted. Valid values:
secrets
.
- provider
Cluster
Encryption Config Provider - Configuration block with provider for encryption. Detailed below.
- resources List<String>
- List of strings with resources to be encrypted. Valid values:
secrets
.
- provider
Cluster
Encryption Config Provider - Configuration block with provider for encryption. Detailed below.
- resources string[]
- List of strings with resources to be encrypted. Valid values:
secrets
.
- provider
Cluster
Encryption Config Provider - Configuration block with provider for encryption. Detailed below.
- resources Sequence[str]
- List of strings with resources to be encrypted. Valid values:
secrets
.
- provider Property Map
- Configuration block with provider for encryption. Detailed below.
- resources List<String>
- List of strings with resources to be encrypted. Valid values:
secrets
.
ClusterEncryptionConfigProvider, ClusterEncryptionConfigProviderArgs
- Key
Arn string - ARN of the Key Management Service (KMS) customer master key (CMK). The CMK must be symmetric, created in the same region as the cluster, and if the CMK was created in a different account, the user must have access to the CMK. For more information, see Allowing Users in Other Accounts to Use a CMK in the AWS Key Management Service Developer Guide.
- Key
Arn string - ARN of the Key Management Service (KMS) customer master key (CMK). The CMK must be symmetric, created in the same region as the cluster, and if the CMK was created in a different account, the user must have access to the CMK. For more information, see Allowing Users in Other Accounts to Use a CMK in the AWS Key Management Service Developer Guide.
- key
Arn String - ARN of the Key Management Service (KMS) customer master key (CMK). The CMK must be symmetric, created in the same region as the cluster, and if the CMK was created in a different account, the user must have access to the CMK. For more information, see Allowing Users in Other Accounts to Use a CMK in the AWS Key Management Service Developer Guide.
- key
Arn string - ARN of the Key Management Service (KMS) customer master key (CMK). The CMK must be symmetric, created in the same region as the cluster, and if the CMK was created in a different account, the user must have access to the CMK. For more information, see Allowing Users in Other Accounts to Use a CMK in the AWS Key Management Service Developer Guide.
- key_
arn str - ARN of the Key Management Service (KMS) customer master key (CMK). The CMK must be symmetric, created in the same region as the cluster, and if the CMK was created in a different account, the user must have access to the CMK. For more information, see Allowing Users in Other Accounts to Use a CMK in the AWS Key Management Service Developer Guide.
- key
Arn String - ARN of the Key Management Service (KMS) customer master key (CMK). The CMK must be symmetric, created in the same region as the cluster, and if the CMK was created in a different account, the user must have access to the CMK. For more information, see Allowing Users in Other Accounts to Use a CMK in the AWS Key Management Service Developer Guide.
ClusterIdentity, ClusterIdentityArgs
- Oidcs
List<Cluster
Identity Oidc> - Nested block containing OpenID Connect identity provider information for the cluster. Detailed below.
- Oidcs
[]Cluster
Identity Oidc - Nested block containing OpenID Connect identity provider information for the cluster. Detailed below.
- oidcs
List<Cluster
Identity Oidc> - Nested block containing OpenID Connect identity provider information for the cluster. Detailed below.
- oidcs
Cluster
Identity Oidc[] - Nested block containing OpenID Connect identity provider information for the cluster. Detailed below.
- oidcs
Sequence[Cluster
Identity Oidc] - Nested block containing OpenID Connect identity provider information for the cluster. Detailed below.
- oidcs List<Property Map>
- Nested block containing OpenID Connect identity provider information for the cluster. Detailed below.
ClusterIdentityOidc, ClusterIdentityOidcArgs
- Issuer string - Issuer URL for the OpenID Connect identity provider.
- Issuer string - Issuer URL for the OpenID Connect identity provider.
- issuer String - Issuer URL for the OpenID Connect identity provider.
- issuer string - Issuer URL for the OpenID Connect identity provider.
- issuer str - Issuer URL for the OpenID Connect identity provider.
- issuer String - Issuer URL for the OpenID Connect identity provider.
ClusterKubernetesNetworkConfig, ClusterKubernetesNetworkConfigArgs
- IpFamily string - The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. You can only specify an IP family when you create a cluster; changing this value will force a new cluster to be created.
- ServiceIpv4Cidr string - The CIDR block to assign Kubernetes pod and service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster; changing this value will force a new cluster to be created. The block must meet the following requirements:
  - Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
  - Doesn't overlap with any CIDR block assigned to the VPC that you selected for the cluster.
  - Between /24 and /12.
- ServiceIpv6Cidr string - The CIDR block that Kubernetes pod and service IP addresses are assigned from if you specified `ipv6` for ipFamily when you created the cluster. Kubernetes assigns service addresses from the unique local address range (fc00::/7) because you can't specify a custom IPv6 CIDR block when you create the cluster.
- IpFamily string - The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. You can only specify an IP family when you create a cluster; changing this value will force a new cluster to be created.
- ServiceIpv4Cidr string - The CIDR block to assign Kubernetes pod and service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster; changing this value will force a new cluster to be created. The block must meet the following requirements:
  - Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
  - Doesn't overlap with any CIDR block assigned to the VPC that you selected for the cluster.
  - Between /24 and /12.
- ServiceIpv6Cidr string - The CIDR block that Kubernetes pod and service IP addresses are assigned from if you specified `ipv6` for ipFamily when you created the cluster. Kubernetes assigns service addresses from the unique local address range (fc00::/7) because you can't specify a custom IPv6 CIDR block when you create the cluster.
- ipFamily String - The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. You can only specify an IP family when you create a cluster; changing this value will force a new cluster to be created.
- serviceIpv4Cidr String - The CIDR block to assign Kubernetes pod and service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster; changing this value will force a new cluster to be created. The block must meet the following requirements:
  - Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
  - Doesn't overlap with any CIDR block assigned to the VPC that you selected for the cluster.
  - Between /24 and /12.
- serviceIpv6Cidr String - The CIDR block that Kubernetes pod and service IP addresses are assigned from if you specified `ipv6` for ipFamily when you created the cluster. Kubernetes assigns service addresses from the unique local address range (fc00::/7) because you can't specify a custom IPv6 CIDR block when you create the cluster.
- ipFamily string - The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. You can only specify an IP family when you create a cluster; changing this value will force a new cluster to be created.
- serviceIpv4Cidr string - The CIDR block to assign Kubernetes pod and service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster; changing this value will force a new cluster to be created. The block must meet the following requirements:
  - Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
  - Doesn't overlap with any CIDR block assigned to the VPC that you selected for the cluster.
  - Between /24 and /12.
- serviceIpv6Cidr string - The CIDR block that Kubernetes pod and service IP addresses are assigned from if you specified `ipv6` for ipFamily when you created the cluster. Kubernetes assigns service addresses from the unique local address range (fc00::/7) because you can't specify a custom IPv6 CIDR block when you create the cluster.
- ip_family str - The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. You can only specify an IP family when you create a cluster; changing this value will force a new cluster to be created.
- service_ipv4_cidr str - The CIDR block to assign Kubernetes pod and service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster; changing this value will force a new cluster to be created. The block must meet the following requirements:
  - Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
  - Doesn't overlap with any CIDR block assigned to the VPC that you selected for the cluster.
  - Between /24 and /12.
- service_ipv6_cidr str - The CIDR block that Kubernetes pod and service IP addresses are assigned from if you specified `ipv6` for ipFamily when you created the cluster. Kubernetes assigns service addresses from the unique local address range (fc00::/7) because you can't specify a custom IPv6 CIDR block when you create the cluster.
- ipFamily String - The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. You can only specify an IP family when you create a cluster; changing this value will force a new cluster to be created.
- serviceIpv4Cidr String - The CIDR block to assign Kubernetes pod and service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster; changing this value will force a new cluster to be created. The block must meet the following requirements:
  - Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
  - Doesn't overlap with any CIDR block assigned to the VPC that you selected for the cluster.
  - Between /24 and /12.
- serviceIpv6Cidr String - The CIDR block that Kubernetes pod and service IP addresses are assigned from if you specified `ipv6` for ipFamily when you created the cluster. Kubernetes assigns service addresses from the unique local address range (fc00::/7) because you can't specify a custom IPv6 CIDR block when you create the cluster.
ClusterOutpostConfig, ClusterOutpostConfigArgs
- ControlPlaneInstanceType string - The Amazon EC2 instance type that you want to use for your local Amazon EKS cluster on Outposts. The instance type that you specify is used for all Kubernetes control plane instances. The instance type can't be changed after cluster creation. Choose an instance type based on the number of nodes that your cluster will have. If your cluster will have:
  - 1–20 nodes, then we recommend specifying a large instance type.
  - 21–100 nodes, then we recommend specifying an xlarge instance type.
  - 101–250 nodes, then we recommend specifying a 2xlarge instance type.
  For a list of the available Amazon EC2 instance types, see Compute and storage in AWS Outposts rack features. The control plane is not automatically scaled by Amazon EKS.
- OutpostArns List<string> - The ARN of the Outpost that you want to use for your local Amazon EKS cluster on Outposts. This argument is a list of ARNs, but only a single Outpost ARN is supported currently.
- ControlPlanePlacement ClusterOutpostConfigControlPlanePlacement - An object representing the placement configuration for all the control plane instances of your local Amazon EKS cluster on AWS Outpost. The `control_plane_placement` configuration block supports the following arguments:
- ControlPlaneInstanceType string - The Amazon EC2 instance type that you want to use for your local Amazon EKS cluster on Outposts. The instance type that you specify is used for all Kubernetes control plane instances. The instance type can't be changed after cluster creation. Choose an instance type based on the number of nodes that your cluster will have. If your cluster will have:
  - 1–20 nodes, then we recommend specifying a large instance type.
  - 21–100 nodes, then we recommend specifying an xlarge instance type.
  - 101–250 nodes, then we recommend specifying a 2xlarge instance type.
  For a list of the available Amazon EC2 instance types, see Compute and storage in AWS Outposts rack features. The control plane is not automatically scaled by Amazon EKS.
- OutpostArns []string - The ARN of the Outpost that you want to use for your local Amazon EKS cluster on Outposts. This argument is a list of ARNs, but only a single Outpost ARN is supported currently.
- ControlPlanePlacement ClusterOutpostConfigControlPlanePlacement - An object representing the placement configuration for all the control plane instances of your local Amazon EKS cluster on AWS Outpost. The `control_plane_placement` configuration block supports the following arguments:
- controlPlaneInstanceType String - The Amazon EC2 instance type that you want to use for your local Amazon EKS cluster on Outposts. The instance type that you specify is used for all Kubernetes control plane instances. The instance type can't be changed after cluster creation. Choose an instance type based on the number of nodes that your cluster will have. If your cluster will have:
  - 1–20 nodes, then we recommend specifying a large instance type.
  - 21–100 nodes, then we recommend specifying an xlarge instance type.
  - 101–250 nodes, then we recommend specifying a 2xlarge instance type.
  For a list of the available Amazon EC2 instance types, see Compute and storage in AWS Outposts rack features. The control plane is not automatically scaled by Amazon EKS.
- outpostArns List<String> - The ARN of the Outpost that you want to use for your local Amazon EKS cluster on Outposts. This argument is a list of ARNs, but only a single Outpost ARN is supported currently.
- controlPlanePlacement ClusterOutpostConfigControlPlanePlacement - An object representing the placement configuration for all the control plane instances of your local Amazon EKS cluster on AWS Outpost. The `control_plane_placement` configuration block supports the following arguments:
- controlPlaneInstanceType string - The Amazon EC2 instance type that you want to use for your local Amazon EKS cluster on Outposts. The instance type that you specify is used for all Kubernetes control plane instances. The instance type can't be changed after cluster creation. Choose an instance type based on the number of nodes that your cluster will have. If your cluster will have:
  - 1–20 nodes, then we recommend specifying a large instance type.
  - 21–100 nodes, then we recommend specifying an xlarge instance type.
  - 101–250 nodes, then we recommend specifying a 2xlarge instance type.
  For a list of the available Amazon EC2 instance types, see Compute and storage in AWS Outposts rack features. The control plane is not automatically scaled by Amazon EKS.
- outpostArns string[] - The ARN of the Outpost that you want to use for your local Amazon EKS cluster on Outposts. This argument is a list of ARNs, but only a single Outpost ARN is supported currently.
- controlPlanePlacement ClusterOutpostConfigControlPlanePlacement - An object representing the placement configuration for all the control plane instances of your local Amazon EKS cluster on AWS Outpost. The `control_plane_placement` configuration block supports the following arguments:
- control_plane_instance_type str - The Amazon EC2 instance type that you want to use for your local Amazon EKS cluster on Outposts. The instance type that you specify is used for all Kubernetes control plane instances. The instance type can't be changed after cluster creation. Choose an instance type based on the number of nodes that your cluster will have. If your cluster will have:
  - 1–20 nodes, then we recommend specifying a large instance type.
  - 21–100 nodes, then we recommend specifying an xlarge instance type.
  - 101–250 nodes, then we recommend specifying a 2xlarge instance type.
  For a list of the available Amazon EC2 instance types, see Compute and storage in AWS Outposts rack features. The control plane is not automatically scaled by Amazon EKS.
- outpost_arns Sequence[str] - The ARN of the Outpost that you want to use for your local Amazon EKS cluster on Outposts. This argument is a list of ARNs, but only a single Outpost ARN is supported currently.
- control_plane_placement ClusterOutpostConfigControlPlanePlacement - An object representing the placement configuration for all the control plane instances of your local Amazon EKS cluster on AWS Outpost. The `control_plane_placement` configuration block supports the following arguments:
- controlPlaneInstanceType String - The Amazon EC2 instance type that you want to use for your local Amazon EKS cluster on Outposts. The instance type that you specify is used for all Kubernetes control plane instances. The instance type can't be changed after cluster creation. Choose an instance type based on the number of nodes that your cluster will have. If your cluster will have:
  - 1–20 nodes, then we recommend specifying a large instance type.
  - 21–100 nodes, then we recommend specifying an xlarge instance type.
  - 101–250 nodes, then we recommend specifying a 2xlarge instance type.
  For a list of the available Amazon EC2 instance types, see Compute and storage in AWS Outposts rack features. The control plane is not automatically scaled by Amazon EKS.
- outpostArns List<String> - The ARN of the Outpost that you want to use for your local Amazon EKS cluster on Outposts. This argument is a list of ARNs, but only a single Outpost ARN is supported currently.
- controlPlanePlacement Property Map - An object representing the placement configuration for all the control plane instances of your local Amazon EKS cluster on AWS Outpost. The `control_plane_placement` configuration block supports the following arguments:
ClusterOutpostConfigControlPlanePlacement, ClusterOutpostConfigControlPlanePlacementArgs
- GroupName string - The name of the placement group for the Kubernetes control plane instances. This setting can't be changed after cluster creation.
- GroupName string - The name of the placement group for the Kubernetes control plane instances. This setting can't be changed after cluster creation.
- groupName String - The name of the placement group for the Kubernetes control plane instances. This setting can't be changed after cluster creation.
- groupName string - The name of the placement group for the Kubernetes control plane instances. This setting can't be changed after cluster creation.
- group_name str - The name of the placement group for the Kubernetes control plane instances. This setting can't be changed after cluster creation.
- groupName String - The name of the placement group for the Kubernetes control plane instances. This setting can't be changed after cluster creation.
ClusterVpcConfig, ClusterVpcConfigArgs
- SubnetIds List<string> - List of subnet IDs. Must be in at least two different availability zones. Amazon EKS creates cross-account elastic network interfaces in these subnets to allow communication between your worker nodes and the Kubernetes control plane.
- ClusterSecurityGroupId string - Cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication.
- EndpointPrivateAccess bool - Whether the Amazon EKS private API server endpoint is enabled. Default is `false`.
- EndpointPublicAccess bool - Whether the Amazon EKS public API server endpoint is enabled. Default is `true`.
- PublicAccessCidrs List<string> - List of CIDR blocks. Indicates which CIDR blocks can access the Amazon EKS public API server endpoint when enabled. EKS defaults this to a list with `0.0.0.0/0`, which admits any IPv4 source address. The provider will only perform drift detection of its value when present in a configuration, so a list that is left unset is not checked for out-of-band changes.
- SecurityGroupIds List<string> - List of security group IDs for the cross-account elastic network interfaces that Amazon EKS creates to allow communication between your worker nodes and the Kubernetes control plane.
- VpcId string - ID of the VPC associated with your cluster.
- SubnetIds []string - List of subnet IDs. Must be in at least two different availability zones. Amazon EKS creates cross-account elastic network interfaces in these subnets to allow communication between your worker nodes and the Kubernetes control plane.
- ClusterSecurityGroupId string - Cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication.
- EndpointPrivateAccess bool - Whether the Amazon EKS private API server endpoint is enabled. Default is `false`.
- EndpointPublicAccess bool - Whether the Amazon EKS public API server endpoint is enabled. Default is `true`.
- PublicAccessCidrs []string - List of CIDR blocks. Indicates which CIDR blocks can access the Amazon EKS public API server endpoint when enabled. EKS defaults this to a list with `0.0.0.0/0`, which admits any IPv4 source address. The provider will only perform drift detection of its value when present in a configuration, so a list that is left unset is not checked for out-of-band changes.
- SecurityGroupIds []string - List of security group IDs for the cross-account elastic network interfaces that Amazon EKS creates to allow communication between your worker nodes and the Kubernetes control plane.
- VpcId string - ID of the VPC associated with your cluster.
- subnetIds List<String> - List of subnet IDs. Must be in at least two different availability zones. Amazon EKS creates cross-account elastic network interfaces in these subnets to allow communication between your worker nodes and the Kubernetes control plane.
- clusterSecurityGroupId String - Cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication.
- endpointPrivateAccess Boolean - Whether the Amazon EKS private API server endpoint is enabled. Default is `false`.
- endpointPublicAccess Boolean - Whether the Amazon EKS public API server endpoint is enabled. Default is `true`.
- publicAccessCidrs List<String> - List of CIDR blocks. Indicates which CIDR blocks can access the Amazon EKS public API server endpoint when enabled. EKS defaults this to a list with `0.0.0.0/0`, which admits any IPv4 source address. The provider will only perform drift detection of its value when present in a configuration, so a list that is left unset is not checked for out-of-band changes.
- securityGroupIds List<String> - List of security group IDs for the cross-account elastic network interfaces that Amazon EKS creates to allow communication between your worker nodes and the Kubernetes control plane.
- vpcId String - ID of the VPC associated with your cluster.
- subnetIds string[] - List of subnet IDs. Must be in at least two different availability zones. Amazon EKS creates cross-account elastic network interfaces in these subnets to allow communication between your worker nodes and the Kubernetes control plane.
- clusterSecurityGroupId string - Cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication.
- endpointPrivateAccess boolean - Whether the Amazon EKS private API server endpoint is enabled. Default is `false`.
- endpointPublicAccess boolean - Whether the Amazon EKS public API server endpoint is enabled. Default is `true`.
- publicAccessCidrs string[] - List of CIDR blocks. Indicates which CIDR blocks can access the Amazon EKS public API server endpoint when enabled. EKS defaults this to a list with `0.0.0.0/0`, which admits any IPv4 source address. The provider will only perform drift detection of its value when present in a configuration, so a list that is left unset is not checked for out-of-band changes.
- securityGroupIds string[] - List of security group IDs for the cross-account elastic network interfaces that Amazon EKS creates to allow communication between your worker nodes and the Kubernetes control plane.
- vpcId string - ID of the VPC associated with your cluster.
- subnet_ids Sequence[str] - List of subnet IDs. Must be in at least two different availability zones. Amazon EKS creates cross-account elastic network interfaces in these subnets to allow communication between your worker nodes and the Kubernetes control plane.
- cluster_security_group_id str - Cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication.
- endpoint_private_access bool - Whether the Amazon EKS private API server endpoint is enabled. Default is `false`.
- endpoint_public_access bool - Whether the Amazon EKS public API server endpoint is enabled. Default is `true`.
- public_access_cidrs Sequence[str] - List of CIDR blocks. Indicates which CIDR blocks can access the Amazon EKS public API server endpoint when enabled. EKS defaults this to a list with `0.0.0.0/0`, which admits any IPv4 source address. The provider will only perform drift detection of its value when present in a configuration, so a list that is left unset is not checked for out-of-band changes.
- security_group_ids Sequence[str] - List of security group IDs for the cross-account elastic network interfaces that Amazon EKS creates to allow communication between your worker nodes and the Kubernetes control plane.
- vpc_id str - ID of the VPC associated with your cluster.
- subnetIds List<String> - List of subnet IDs. Must be in at least two different availability zones. Amazon EKS creates cross-account elastic network interfaces in these subnets to allow communication between your worker nodes and the Kubernetes control plane.
- clusterSecurityGroupId String - Cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication.
- endpointPrivateAccess Boolean - Whether the Amazon EKS private API server endpoint is enabled. Default is `false`.
- endpointPublicAccess Boolean - Whether the Amazon EKS public API server endpoint is enabled. Default is `true`.
- publicAccessCidrs List<String> - List of CIDR blocks. Indicates which CIDR blocks can access the Amazon EKS public API server endpoint when enabled. EKS defaults this to a list with `0.0.0.0/0`, which admits any IPv4 source address. The provider will only perform drift detection of its value when present in a configuration, so a list that is left unset is not checked for out-of-band changes.
- securityGroupIds List<String> - List of security group IDs for the cross-account elastic network interfaces that Amazon EKS creates to allow communication between your worker nodes and the Kubernetes control plane.
- vpcId String - ID of the VPC associated with your cluster.
Import
Using `pulumi import`, import EKS Clusters using the `name`. For example:
$ pulumi import aws:eks/cluster:Cluster my_cluster my_cluster
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the `aws` Terraform Provider.