Merge branch 'main' into migration/20240523

.github/settings.yml

@@ -5,3 +5,7 @@ repository:
   description: Terraform module for provisioning an EKS cluster
   homepage: https://cloudposse.com/accelerate
   topics: terraform, terraform-module, eks, aws, masters, kubernetes, k8s, hcl2, eks-cluster, eks-workers, fargate
+
+
+
+

.github/workflows/chatops.yml

@@ -8,9 +8,10 @@ permissions:
   pull-requests: write
   id-token: write
   contents: write
+  statuses: write
 
 jobs:
-  terraform-module:
+  test:
     uses: cloudposse/.github/.github/workflows/shared-terraform-chatops.yml@main
-    secrets:
-      github_access_token: ${{ secrets.REPO_ACCESS_TOKEN }}
+    if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/terratest') }}
+    secrets: inherit

README.md

@@ -411,6 +411,8 @@ Available targets:
 | <a name="input_allowed_security_group_ids"></a> [allowed\_security\_group\_ids](#input\_allowed\_security\_group\_ids) | A list of IDs of Security Groups to allow access to the cluster. | `list(string)` | `[]` | no |
 | <a name="input_associated_security_group_ids"></a> [associated\_security\_group\_ids](#input\_associated\_security\_group\_ids) | A list of IDs of Security Groups to associate the cluster with.<br>These security groups will not be modified. | `list(string)` | `[]` | no |
 | <a name="input_attributes"></a> [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,<br>in the order they appear in the list. New attributes are appended to the<br>end of the list. The elements of the list are joined by the `delimiter`<br>and treated as a single ID element. | `list(string)` | `[]` | no |
+| <a name="input_bootstrap_self_managed_addons_enabled"></a> [bootstrap\_self\_managed\_addons\_enabled](#input\_bootstrap\_self\_managed\_addons\_enabled) | Manages bootstrap of default networking addons after cluster has been created | `bool` | `null` | no |
+| <a name="input_cloudwatch_log_group_class"></a> [cloudwatch\_log\_group\_class](#input\_cloudwatch\_log\_group\_class) | Specified the log class of the log group. Possible values are: `STANDARD` or `INFREQUENT_ACCESS` | `string` | `null` | no |
 | <a name="input_cloudwatch_log_group_kms_key_id"></a> [cloudwatch\_log\_group\_kms\_key\_id](#input\_cloudwatch\_log\_group\_kms\_key\_id) | If provided, the KMS Key ID to use to encrypt AWS CloudWatch logs | `string` | `null` | no |
 | <a name="input_cluster_attributes"></a> [cluster\_attributes](#input\_cluster\_attributes) | Override label module default cluster attributes | `list(string)` | <pre>[<br>  "cluster"<br>]</pre> | no |
 | <a name="input_cluster_depends_on"></a> [cluster\_depends\_on](#input\_cluster\_depends\_on) | If provided, the EKS will depend on this object, and therefore not be created until this object is finalized.<br>This is useful if you want to ensure that the cluster is not created before some other condition is met, e.g. VPNs into the subnet are created. | `any` | `null` | no |

docs/terraform.md

@@ -66,6 +66,8 @@
 | <a name="input_allowed_security_group_ids"></a> [allowed\_security\_group\_ids](#input\_allowed\_security\_group\_ids) | A list of IDs of Security Groups to allow access to the cluster. | `list(string)` | `[]` | no |
 | <a name="input_associated_security_group_ids"></a> [associated\_security\_group\_ids](#input\_associated\_security\_group\_ids) | A list of IDs of Security Groups to associate the cluster with.<br>These security groups will not be modified. | `list(string)` | `[]` | no |
 | <a name="input_attributes"></a> [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,<br>in the order they appear in the list. New attributes are appended to the<br>end of the list. The elements of the list are joined by the `delimiter`<br>and treated as a single ID element. | `list(string)` | `[]` | no |
+| <a name="input_bootstrap_self_managed_addons_enabled"></a> [bootstrap\_self\_managed\_addons\_enabled](#input\_bootstrap\_self\_managed\_addons\_enabled) | Manages bootstrap of default networking addons after cluster has been created | `bool` | `null` | no |
+| <a name="input_cloudwatch_log_group_class"></a> [cloudwatch\_log\_group\_class](#input\_cloudwatch\_log\_group\_class) | Specified the log class of the log group. Possible values are: `STANDARD` or `INFREQUENT_ACCESS` | `string` | `null` | no |
 | <a name="input_cloudwatch_log_group_kms_key_id"></a> [cloudwatch\_log\_group\_kms\_key\_id](#input\_cloudwatch\_log\_group\_kms\_key\_id) | If provided, the KMS Key ID to use to encrypt AWS CloudWatch logs | `string` | `null` | no |
 | <a name="input_cluster_attributes"></a> [cluster\_attributes](#input\_cluster\_attributes) | Override label module default cluster attributes | `list(string)` | <pre>[<br>  "cluster"<br>]</pre> | no |
 | <a name="input_cluster_depends_on"></a> [cluster\_depends\_on](#input\_cluster\_depends\_on) | If provided, the EKS will depend on this object, and therefore not be created until this object is finalized.<br>This is useful if you want to ensure that the cluster is not created before some other condition is met, e.g. VPNs into the subnet are created. | `any` | `null` | no |

examples/complete/main.tf

@@ -110,8 +110,9 @@ module "eks_cluster" {
   cluster_encryption_config_kms_key_policy                  = var.cluster_encryption_config_kms_key_policy
   cluster_encryption_config_resources                       = var.cluster_encryption_config_resources
 
-  addons            = local.addons
-  addons_depends_on = [module.eks_node_group]
+  addons                                = local.addons
+  addons_depends_on                     = [module.eks_node_group]
+  bootstrap_self_managed_addons_enabled = var.bootstrap_self_managed_addons_enabled
 
   access_entry_map = local.access_entry_map
   access_config = {

examples/complete/variables.tf

@@ -109,6 +109,12 @@ variable "addons" {
   description = "Manages [`aws_eks_addon`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) resources."
 }
 
+variable "bootstrap_self_managed_addons_enabled" {
+  description = "Manages bootstrap of default networking addons after cluster has been created"
+  type        = bool
+  default     = null
+}
+
 variable "private_ipv6_enabled" {
   type        = bool
   default     = false

iam.tf

@@ -78,6 +78,8 @@ resource "aws_iam_policy" "cluster_elb_service_role" {
 
   name   = "${module.label.id}-ServiceRole"
   policy = one(data.aws_iam_policy_document.cluster_elb_service_role[*].json)
+
+  tags = module.this.tags
 }
 
 resource "aws_iam_role_policy_attachment" "cluster_elb_service_role" {

main.tf

@@ -35,6 +35,7 @@ resource "aws_cloudwatch_log_group" "default" {
   retention_in_days = var.cluster_log_retention_period
   kms_key_id        = var.cloudwatch_log_group_kms_key_id
   tags              = module.label.tags
+  log_group_class   = var.cloudwatch_log_group_class
 }
 
 resource "aws_kms_key" "cluster" {
@@ -55,12 +56,13 @@ resource "aws_kms_alias" "cluster" {
 resource "aws_eks_cluster" "default" {
   #bridgecrew:skip=BC_AWS_KUBERNETES_1:Allow permissive security group for public access, difficult to restrict without a VPN
   #bridgecrew:skip=BC_AWS_KUBERNETES_4:Let user decide on control plane logging, not necessary in non-production environments
-  count                     = local.enabled ? 1 : 0
-  name                      = module.label.id
-  tags                      = module.label.tags
-  role_arn                  = local.eks_service_role_arn
-  version                   = var.kubernetes_version
-  enabled_cluster_log_types = var.enabled_cluster_log_types
+  count                         = local.enabled ? 1 : 0
+  name                          = module.label.id
+  tags                          = module.label.tags
+  role_arn                      = local.eks_service_role_arn
+  version                       = var.kubernetes_version
+  enabled_cluster_log_types     = var.enabled_cluster_log_types
+  bootstrap_self_managed_addons = var.bootstrap_self_managed_addons_enabled
 
   access_config {
     authentication_mode                         = var.access_config.authentication_mode

variables.tf

@@ -155,6 +155,12 @@ variable "cloudwatch_log_group_kms_key_id" {
   default     = null
 }
 
+variable "cloudwatch_log_group_class" {
+  type        = string
+  description = "Specified the log class of the log group. Possible values are: `STANDARD` or `INFREQUENT_ACCESS`"
+  default     = null
+}
+
 variable "addons" {
   type = list(object({
     addon_name           = string
@@ -191,6 +197,12 @@ variable "addons_depends_on" {
   default     = null
 }
 
+variable "bootstrap_self_managed_addons_enabled" {
+  description = "Manages bootstrap of default networking addons after cluster has been created"
+  type        = bool
+  default     = null
+}
+
 variable "cluster_attributes" {
   type        = list(string)
   description = "Override label module default cluster attributes"