fix: Incorporate AWS provider v6.15 corrections for EKS Auto Mode t…

…o support enabling/disabling EKS Auto Mode without affecting non-Auto Mode users (#3526) * fix: Raise min supported version of AWS provider for EKS Auto Mode corrections * docs: Add note on encryption config settings * fix: Revert forcing a value for all EKS Auto Mode fields now that provider handles this
SCT-Engineering · Oct 6, 2025 · f5f6dae · f5f6dae
1 parent bf8c86f
commit f5f6dae
Show file tree

Hide file tree

Showing 33 changed files with 66 additions and 49 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.100.0
+    rev: v1.101.0
     hooks:
       - id: terraform_fmt
       - id: terraform_docs

diff --git a/README.md b/README.md
@@ -28,6 +28,17 @@ Please note that we strive to provide a comprehensive suite of documentation for
 
 ### EKS Auto Mode
 
+> [!CAUTION]
+> Due to the current EKS Auto Mode API, to disable EKS Auto Mode you will have to explicity set:
+>
+>```hcl
+>compute_config = {
+>  enabled = false
+> }
+>```
+>
+> If you try to disable by simply removing the `compute_config` block, this will fail to disble EKS Auto Mode. Only after applying with `enabled = false` can you then remove the `compute_config` block from your configurations.
+
 ```hcl
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
@@ -75,6 +86,9 @@ module "eks" {
 
   # Create just the IAM resources for EKS Auto Mode for use with custom node pools
   create_auto_mode_iam_resources = true
+  compute_config = {
+    enabled = true
+  }
 
   vpc_id     = "vpc-1234556abcdef"
   subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]
@@ -347,15 +361,15 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.13 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
 | <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.9 |
 | <a name="requirement_tls"></a> [tls](#requirement\_tls) | >= 4.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.13 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
 | <a name="provider_time"></a> [time](#provider\_time) | >= 0.9 |
 | <a name="provider_tls"></a> [tls](#provider\_tls) | >= 4.0 |
 
@@ -422,7 +436,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
 | <a name="input_cloudwatch_log_group_retention_in_days"></a> [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days) | Number of days to retain log events. Default retention - 90 days | `number` | `90` | no |
 | <a name="input_cloudwatch_log_group_tags"></a> [cloudwatch\_log\_group\_tags](#input\_cloudwatch\_log\_group\_tags) | A map of additional tags to add to the cloudwatch log group created | `map(string)` | `{}` | no |
 | <a name="input_cluster_tags"></a> [cluster\_tags](#input\_cluster\_tags) | A map of additional tags to add to the cluster | `map(string)` | `{}` | no |
-| <a name="input_compute_config"></a> [compute\_config](#input\_compute\_config) | Configuration block for the cluster compute configuration | <pre>object({<br/>    enabled       = optional(bool, false)<br/>    node_pools    = optional(list(string))<br/>    node_role_arn = optional(string)<br/>  })</pre> | `{}` | no |
+| <a name="input_compute_config"></a> [compute\_config](#input\_compute\_config) | Configuration block for the cluster compute configuration | <pre>object({<br/>    enabled       = optional(bool, false)<br/>    node_pools    = optional(list(string))<br/>    node_role_arn = optional(string)<br/>  })</pre> | `null` | no |
 | <a name="input_control_plane_subnet_ids"></a> [control\_plane\_subnet\_ids](#input\_control\_plane\_subnet\_ids) | A list of subnet IDs where the EKS cluster control plane (ENIs) will be provisioned. Used for expanding the pool of subnets used by nodes/node groups without replacing the EKS control plane | `list(string)` | `[]` | no |
 | <a name="input_create"></a> [create](#input\_create) | Controls if resources should be created (affects nearly all resources) | `bool` | `true` | no |
 | <a name="input_create_auto_mode_iam_resources"></a> [create\_auto\_mode\_iam\_resources](#input\_create\_auto\_mode\_iam\_resources) | Determines whether to create/attach IAM resources for EKS Auto Mode. Useful for when using only custom node pools and not built-in EKS Auto Mode node pools | `bool` | `false` | no |

diff --git a/docs/UPGRADE-21.0.md b/docs/UPGRADE-21.0.md
@@ -32,6 +32,7 @@ If you find a bug, please open an issue with supporting configuration to reprodu
 - `addons.most_recent` is now set to `true` by default (was `false`).
 - `cluster_identity_providers.issuer_url` is now required to be set by users; the prior incorrect default has been removed. See https://github.com/terraform-aws-modules/terraform-aws-eks/pull/3055 and https://github.com/kubernetes/kubernetes/pull/123561 for more details.
 - The OIDC issuer URL for IAM roles for service accounts (IRSA) has been changed to use the new dual stack`oidc-eks` endpoint instead of `oidc.eks`. This is to align with https://github.com/aws/containers-roadmap/issues/2038#issuecomment-2278450601
+- With the changes to the variable type definition for `encryption_config` (formerly `cluster_encryption_config`), if you wish to disable secret encryption with a custom KMS key you should set `encryption_config = null` (In `v20.x`, you would previously have set `encryption_config = {}` to achieve the same outcome). Secret encryption can no longer be disabled - it is either enabled by default with the AWS managed key (`encryption_config = null`), or with a custom KMS key ( either leaving as is by not specifying or passing your own custom key ARN). EKS now encrypts secrets at rest by default  docs.aws.amazon.com/eks/latest/userguide/envelope-encryption.html and the default secret encryption w/ custom KMS key creation/usage by default was made years prior starting in version `v19.0` of this module. Removing this default behavior will be evaluated at the next breaking change given that secrets are now automatically encrypted at rest by AWS.
 
 ## Additional changes
 

diff --git a/examples/eks-auto-mode/README.md b/examples/eks-auto-mode/README.md
@@ -25,13 +25,13 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.13 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.13 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
 
 ## Modules
 

diff --git a/examples/eks-auto-mode/main.tf b/examples/eks-auto-mode/main.tf
@@ -60,6 +60,9 @@ module "eks_auto_custom_node_pools" {
 
   # Create just the IAM resources for EKS Auto Mode for use with custom node pools
   create_auto_mode_iam_resources = true
+  compute_config = {
+    enabled = true
+  }
 
   vpc_id     = module.vpc.vpc_id
   subnet_ids = module.vpc.private_subnets

diff --git a/examples/eks-auto-mode/versions.tf b/examples/eks-auto-mode/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.13"
+      version = ">= 6.15"
     }
   }
 }
diff --git a/examples/eks-hybrid-nodes/README.md b/examples/eks-hybrid-nodes/README.md
@@ -26,7 +26,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.13 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 3.0 |
 | <a name="requirement_http"></a> [http](#requirement\_http) | >= 3.4 |
 | <a name="requirement_local"></a> [local](#requirement\_local) | >= 2.5 |
@@ -36,8 +36,8 @@ Note that this example may create resources which cost money. Run `terraform des
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.13 |
-| <a name="provider_aws.remote"></a> [aws.remote](#provider\_aws.remote) | >= 6.13 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
+| <a name="provider_aws.remote"></a> [aws.remote](#provider\_aws.remote) | >= 6.15 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | >= 3.0 |
 | <a name="provider_http"></a> [http](#provider\_http) | >= 3.4 |
 | <a name="provider_local"></a> [local](#provider\_local) | >= 2.5 |

diff --git a/examples/eks-hybrid-nodes/versions.tf b/examples/eks-hybrid-nodes/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.13"
+      version = ">= 6.15"
     }
     helm = {
       source  = "hashicorp/helm"

diff --git a/examples/eks-managed-node-group/versions.tf b/examples/eks-managed-node-group/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.13"
+      version = ">= 6.15"
     }
   }
 }
diff --git a/examples/karpenter/README.md b/examples/karpenter/README.md
@@ -94,14 +94,14 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.13 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 3.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.13 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | >= 3.0 |
 
 ## Modules

diff --git a/examples/karpenter/versions.tf b/examples/karpenter/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.13"
+      version = ">= 6.15"
     }
     helm = {
       source  = "hashicorp/helm"

diff --git a/examples/self-managed-node-group/versions.tf b/examples/self-managed-node-group/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.13"
+      version = ">= 6.15"
     }
   }
 }
diff --git a/main.tf b/main.tf
@@ -26,7 +26,7 @@ locals {
   create_outposts_local_cluster = var.outpost_config != null
   enable_encryption_config      = var.encryption_config != null && !local.create_outposts_local_cluster
 
-  create_auto_mode_iam_resources = var.compute_config.enabled || var.create_auto_mode_iam_resources
+  create_auto_mode_iam_resources = try(var.compute_config.enabled, false) == true || var.create_auto_mode_iam_resources
 }
 
 ################################################################################
@@ -58,7 +58,7 @@ resource "aws_eks_cluster" "this" {
   }
 
   dynamic "compute_config" {
-    for_each = [var.compute_config]
+    for_each = var.compute_config != null ? [var.compute_config] : []
 
     content {
       enabled       = compute_config.value.enabled
@@ -81,7 +81,7 @@ resource "aws_eks_cluster" "this" {
 
     content {
       dynamic "elastic_load_balancing" {
-        for_each = [var.compute_config]
+        for_each = var.compute_config != null ? [var.compute_config] : []
 
         content {
           enabled = elastic_load_balancing.value.enabled
@@ -148,7 +148,7 @@ resource "aws_eks_cluster" "this" {
   }
 
   dynamic "storage_config" {
-    for_each = [var.compute_config]
+    for_each = var.compute_config != null ? [var.compute_config] : []
 
     content {
       block_storage {

diff --git a/modules/eks-managed-node-group/README.md b/modules/eks-managed-node-group/README.md
@@ -64,13 +64,13 @@ module "eks_managed_node_group" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.13 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.13 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
 
 ## Modules
 

diff --git a/modules/eks-managed-node-group/versions.tf b/modules/eks-managed-node-group/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.13"
+      version = ">= 6.15"
     }
   }
 }
diff --git a/modules/fargate-profile/README.md b/modules/fargate-profile/README.md
@@ -29,13 +29,13 @@ module "fargate_profile" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.13 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.13 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
 
 ## Modules
 

diff --git a/modules/fargate-profile/versions.tf b/modules/fargate-profile/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.13"
+      version = ">= 6.15"
     }
   }
 }
diff --git a/modules/hybrid-node-role/README.md b/modules/hybrid-node-role/README.md
@@ -75,13 +75,13 @@ module "eks_hybrid_node_role" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.13 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.13 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
 
 ## Modules
 

diff --git a/modules/hybrid-node-role/versions.tf b/modules/hybrid-node-role/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.13"
+      version = ">= 6.15"
     }
   }
 }
diff --git a/modules/karpenter/README.md b/modules/karpenter/README.md
@@ -86,13 +86,13 @@ module "karpenter" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.13 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.13 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
 
 ## Modules
 

diff --git a/modules/karpenter/versions.tf b/modules/karpenter/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.13"
+      version = ">= 6.15"
     }
   }
 }
diff --git a/modules/self-managed-node-group/README.md b/modules/self-managed-node-group/README.md
@@ -43,13 +43,13 @@ module "self_managed_node_group" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.13 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.13 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
 
 ## Modules
 

diff --git a/modules/self-managed-node-group/versions.tf b/modules/self-managed-node-group/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.13"
+      version = ">= 6.15"
     }
   }
 }
diff --git a/tests/eks-fargate-profile/README.md b/tests/eks-fargate-profile/README.md
@@ -18,13 +18,13 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.13 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.13 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
 
 ## Modules
 

diff --git a/tests/eks-fargate-profile/versions.tf b/tests/eks-fargate-profile/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.13"
+      version = ">= 6.15"
     }
   }
 }
diff --git a/tests/eks-hybrid-nodes/README.md b/tests/eks-hybrid-nodes/README.md
@@ -18,7 +18,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.13 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
 | <a name="requirement_tls"></a> [tls](#requirement\_tls) | >= 4.0 |
 
 ## Providers

diff --git a/tests/eks-hybrid-nodes/versions.tf b/tests/eks-hybrid-nodes/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.13"
+      version = ">= 6.15"
     }
     tls = {
       source  = "hashicorp/tls"

diff --git a/tests/eks-managed-node-group/README.md b/tests/eks-managed-node-group/README.md
@@ -18,13 +18,13 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.13 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.13 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
 
 ## Modules