Segregate addons to new file (#47)

default node size increased to t3a.large due to new addons enabled metrics-server, cert-manager, prometheus-node-exporter are now eks addons updated to use latest module for eks from upstream
SCT-Engineering · Mar 6, 2026 · f42f222 · f42f222
1 parent 54692ae
commit f42f222
Show file tree

Hide file tree

Showing 6 changed files with 66 additions and 51 deletions.
diff --git a/README.md b/README.md
@@ -104,7 +104,7 @@ efs-csi-controller    0         5m
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 6.27.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 6.28.0 |
 | <a name="provider_null"></a> [null](#provider\_null) | 3.2.4 |
 | <a name="provider_terraform"></a> [terraform](#provider\_terraform) | n/a |
 
@@ -113,7 +113,7 @@ efs-csi-controller    0         5m
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_cloudwatch_observability_irsa_role"></a> [cloudwatch\_observability\_irsa\_role](#module\_cloudwatch\_observability\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a |
-| <a name="module_cluster"></a> [cluster](#module\_cluster) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/ | v21.11.0 |
+| <a name="module_cluster"></a> [cluster](#module\_cluster) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/ | v21.15.1 |
 | <a name="module_ebs_csi_irsa_role"></a> [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_efs_csi_irsa_role"></a> [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_vpc_cni_irsa_role"></a> [vpc\_cni\_irsa\_role](#module\_vpc\_cni\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a |
@@ -138,6 +138,7 @@ efs-csi-controller    0         5m
 | [aws_iam_roles.sso_admins](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
 | [aws_iam_roles.sso_devs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
 | [aws_iam_roles.sso_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
+| [aws_iam_roles.sso_sc_eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
 | [aws_iam_session_context.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_session_context) | data source |
 | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
 | [aws_subnet.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
@@ -154,7 +155,7 @@ efs-csi-controller    0         5m
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes |
 | <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | Kubernetes version to use for the EKS cluster | `string` | n/a | yes |
 | <a name="input_eks_instance_disk_size"></a> [eks\_instance\_disk\_size](#input\_eks\_instance\_disk\_size) | Size of the EKS node disk in GB | `number` | `80` | no |
-| <a name="input_eks_instance_types"></a> [eks\_instance\_types](#input\_eks\_instance\_types) | List of EC2 instance types for the EKS node group | `list(string)` | <pre>[<br/>  "t3a.medium"<br/>]</pre> | no |
+| <a name="input_eks_instance_types"></a> [eks\_instance\_types](#input\_eks\_instance\_types) | List of EC2 instance types for the EKS node group | `list(string)` | <pre>[<br/>  "t3a.large"<br/>]</pre> | no |
 | <a name="input_eks_ng_desired_size"></a> [eks\_ng\_desired\_size](#input\_eks\_ng\_desired\_size) | Desired size of the EKS node group | `number` | `2` | no |
 | <a name="input_eks_ng_max_size"></a> [eks\_ng\_max\_size](#input\_eks\_ng\_max\_size) | Maximum size of the EKS node group | `number` | `2` | no |
 | <a name="input_eks_ng_min_size"></a> [eks\_ng\_min\_size](#input\_eks\_ng\_min\_size) | Minimum size of the EKS node group | `number` | `2` | no |

diff --git a/access-entries.tf b/access-entries.tf
@@ -15,6 +15,11 @@ data "aws_iam_roles" "sso_devs" {
   path_prefix = "/aws-reserved/sso.amazonaws.com/"
 }
 
+data "aws_iam_roles" "sso_sc_eks" {
+  name_regex  = "AWSReservedSSO_sc-eks"
+  path_prefix = "/aws-reserved/sso.amazonaws.com/"
+}
+
 data "aws_iam_roles" "roles" {
   name_regex = "r-inf-terraform(-eks)"
 }
@@ -26,7 +31,7 @@ data "aws_iam_roles" "sso_read" {
 
 locals {
   access_entries = merge(local.admins, local.viewers)
-  admin_arns     = [for arn in concat(tolist(data.aws_iam_roles.roles.arns), tolist(data.aws_iam_roles.sso_admins.arns)) : arn if arn != data.aws_iam_session_context.current.issuer_arn]
+  admin_arns     = [for arn in concat(tolist(data.aws_iam_roles.roles.arns), tolist(data.aws_iam_roles.sso_admins.arns), tolist(data.aws_iam_roles.sso_sc_eks.arns)) : arn if arn != data.aws_iam_session_context.current.issuer_arn]
   admins = {
     for arn in local.admin_arns :
     arn => {

diff --git a/addons.tf b/addons.tf
@@ -0,0 +1,49 @@
+locals {
+  addons = {
+    amazon-cloudwatch-observability = {
+      most_recent              = true
+      service_account_role_arn = module.cloudwatch_observability_irsa_role.iam_role_arn
+    }
+    aws-ebs-csi-driver = {
+      most_recent              = true
+      service_account_role_arn = module.ebs_csi_irsa_role.iam_role_arn
+    }
+    aws-efs-csi-driver = {
+      most_recent              = true
+      service_account_role_arn = module.efs_csi_irsa_role.iam_role_arn
+    }
+    cert-manager = {
+      most_recent = true
+    }
+    coredns = {
+      most_recent = true
+    }
+    eks-node-monitoring-agent = {
+      most_recent = true
+    }
+    eks-pod-identity-agent = {
+      most_recent    = true
+      before_compute = true
+    }
+    kube-proxy = {
+      most_recent = true
+    }
+    kube-state-metrics = {
+      most_recent = true
+    }
+    metrics-server = {
+      most_recent = true
+    }
+    prometheus-node-exporter = {
+      most_recent = true
+    }
+    snapshot-controller = {
+      most_recent = true
+    }
+    vpc-cni = {
+      most_recent              = true
+      service_account_role_arn = module.vpc_cni_irsa_role.iam_role_arn
+      before_compute           = true
+    }
+  }
+}
diff --git a/main.tf b/main.tf
@@ -19,7 +19,7 @@ resource "terraform_data" "subnet_validation" {
 }
 
 module "cluster" {
-  source = "git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/?ref=v21.11.0"
+  source = "git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/?ref=v21.15.1"
 
   access_entries                           = local.access_entries
   cloudwatch_log_group_retention_in_days   = var.cloudwatch_retention_days
@@ -41,50 +41,7 @@ module "cluster" {
   vpc_id     = local.vpc_id
   subnet_ids = local.subnets
 
-  addons = {
-    amazon-cloudwatch-observability = {
-      most_recent              = true
-      service_account_role_arn = module.cloudwatch_observability_irsa_role.iam_role_arn
-    }
-    aws-ebs-csi-driver = {
-      most_recent              = true
-      service_account_role_arn = module.ebs_csi_irsa_role.iam_role_arn
-    }
-    aws-efs-csi-driver = {
-      most_recent              = true
-      service_account_role_arn = module.efs_csi_irsa_role.iam_role_arn
-    }
-    cert-manager = {
-      most_recent = true
-    }
-    coredns = {
-      most_recent = true
-    }
-    eks-node-monitoring-agent = {
-      most_recent = true
-    }
-    eks-pod-identity-agent = {
-      most_recent    = true
-      before_compute = true
-    }
-    kube-proxy = {
-      most_recent = true
-    }
-    # kube-state-metrics = {
-    #   most_recent = true
-    # }
-    metrics-server = {
-      most_recent = true
-    }
-    snapshot-controller = {
-      most_recent = true
-    }
-    vpc-cni = {
-      most_recent              = true
-      service_account_role_arn = module.vpc_cni_irsa_role.iam_role_arn
-      before_compute           = true
-    }
-  }
+  addons = local.addons
 
   node_security_group_enable_recommended_rules = true
 
@@ -93,7 +50,7 @@ module "cluster" {
   security_group_additional_rules = local.cluster_security_group_additional_rules
 
   eks_managed_node_groups = {
-    karpenter_controllers = {
+    karpenter = {
       name          = local.ng_name
       ami_type      = "BOTTLEROCKET_x86_64"
       capacity_type = "ON_DEMAND"
@@ -103,6 +60,9 @@ module "cluster" {
       min_size     = var.eks_ng_min_size
       max_size     = var.eks_ng_max_size
       desired_size = var.eks_ng_desired_size
+      node_repair_config = {
+        enabled = true
+      }
 
       iam_role_name                = format("%v%v-nodegroup", local.prefixes["eks-role"], var.cluster_name)
       iam_role_additional_policies = local.additional_policies

diff --git a/additional-sg-rules.tf → securitygroups.rules.tf b/additional-sg-rules.tf → securitygroups.rules.tf
diff --git a/variables.tf b/variables.tf
@@ -55,7 +55,7 @@ variable "eks_instance_types" {
   description = "List of EC2 instance types for the EKS node group"
   type        = list(string)
   default = [
-    "t3a.medium"
+    "t3a.large"
   ]
   validation {
     condition     = length(var.eks_instance_types) > 0