fix: upgrade EKS module to v21 and remove AWS provider upper bound

Author: renovate[bot]

modules/aws-bootstrap/main.tf

@@ -5,7 +5,7 @@ locals {
 module "terraform_state" {
   #checkov:skip=CKV_TF_1:Using registry versioned modules
   source  = "terraform-aws-modules/s3-bucket/aws"
-  version = "4.11.0"
+  version = "5.10.0"
 
   bucket = local.state_bucket
 

modules/eks/eks.tf

@@ -8,11 +8,26 @@ locals {
 module "eks" {
   #checkov:skip=CKV_TF_1:Using registry versioned modules
   source  = "terraform-aws-modules/eks/aws"
-  version = "19.21.0"
+  version = "21.15.1"
 
-  cluster_endpoint_public_access = true
+  name               = var.name
+  kubernetes_version = var.k8s_version
+  vpc_id             = var.vpc_id
+  subnet_ids         = var.control_plane_subnets
 
-  cluster_addons = {
+  endpoint_public_access = true
+
+  authentication_mode = "API_AND_CONFIG_MAP"
+
+  kms_key_enable_default_policy = true
+  kms_key_administrators        = var.kms_key_administrators
+
+  encryption_config = {
+    resources        = ["secrets"]
+    provider_key_arn = var.secrets_encryption_kms_key_arn
+  }
+
+  addons = {
     coredns = {
       addon_version = data.aws_eks_addon_version.coredns.version
       timeouts = {
@@ -25,67 +40,55 @@ module "eks" {
     }
     vpc-cni = {
       addon_version = data.aws_eks_addon_version.vpc_cni.version
-      #service_account_role_arn = module.vpc_cni_irsa.iam_role_arn
     }
     aws-ebs-csi-driver = {
       addon_version     = data.aws_eks_addon_version.ebs_csi_driver.version
       resolve_conflicts = "OVERWRITE"
     }
   }
 
-  # Self managed node groups will not automatically create the aws-auth configmap so we need to
-  create_aws_auth_configmap = true
-  manage_aws_auth_configmap = true
-
-  kms_key_enable_default_policy = true
-  kms_key_administrators        = var.kms_key_administrators
-
-
-  cluster_encryption_config = {
-    resources        = ["secrets"]
-    provider_key_arn = var.secrets_encryption_kms_key_arn
-  }
-
-  cluster_name    = var.name
-  cluster_version = var.k8s_version
-  subnet_ids      = var.control_plane_subnets
-  vpc_id          = var.vpc_id
-
-  self_managed_node_group_defaults = {
-    iam_role_additional_policies = {
-      ssm = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
-      // AmazonEBSCSIDriverPolicy is definitely not needed by all nodes, only by csi-driver, it's here just for simplicity (EKS module doesn't support it)
-      csi = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
+  access_entries = merge(
+    { for role in var.map_roles :
+      role.rolearn => {
+        kubernetes_groups = role.groups
+        principal_arn     = role.rolearn
+      }
+    },
+    { for user in var.map_users :
+      user.userarn => {
+        kubernetes_groups = user.groups
+        principal_arn     = user.userarn
+      }
     }
-  }
-
-  aws_auth_roles = var.map_roles
-  aws_auth_users = var.map_users
+  )
 
   self_managed_node_groups = {
     for i, v in var.worker_groups : "nodegroup${i}" => {
       name          = v.name
       instance_type = v.instance_type
 
-      iam_role_attach_cni_policy = true
-
-      platform = "bottlerocket"
-      ami_id   = data.aws_ami.bottlerocket_ami.id
+      ami_type = "BOTTLEROCKET_x86_64"
 
       min_size     = v.asg_min_size
       max_size     = v.asg_max_size
       desired_size = v.asg_min_size
 
       subnets = v.subnets
 
+      iam_role_additional_policies = {
+        ssm = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+        csi = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
+      }
+
+      iam_role_attach_cni_policy = true
+
       bootstrap_extra_args = <<-EOT
         [settings.host-containers.admin]
         enabled = false
 
         [settings.host-containers.control]
         enabled = true
 
-        # extra args added
         [settings.kernel]
         lockdown = "integrity"
 
@@ -99,16 +102,14 @@ module "eks" {
 
       target_group_arns = v.target_group_arns
 
-      // see https://eu-central-1.console.aws.amazon.com/ec2/v2/home?region=eu-central-1#ImageDetails:imageId=ami-00b9b96f830a6c28b
-      root_volume_size = 2
+      root_volume_size = 20
 
-      // ephemeral storage
       additional_ebs_volumes = [
         {
-          block_device_name     = "/dev/xvdb",
-          volume_size           = 20,
-          volume_type           = "gp3",
-          delete_on_termination = true,
+          block_device_name     = "/dev/xvdb"
+          volume_size           = 20
+          volume_type           = "gp3"
+          delete_on_termination = true
         }
       ]
 
@@ -126,23 +127,6 @@ module "eks" {
   }
 }
 
-# TODO:
-# module "vpc_cni_irsa" {
-#   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-#   version = "~> 5.0"
-
-#   role_name_prefix      = "VPC-CNI-IRSA"
-#   attach_vpc_cni_policy = true
-#   #vpc_cni_enable_ipv6   = true
-
-#   oidc_providers = {
-#     main = {
-#       provider_arn               = module.eks.oidc_provider_arn
-#       namespace_service_accounts = ["kube-system:aws-node"]
-#     }
-#   }
-# }
-
 resource "aws_security_group_rule" "ingress" {
   for_each = var.allow_ingress
 
@@ -156,7 +140,6 @@ resource "aws_security_group_rule" "ingress" {
   security_group_id        = module.eks.node_security_group_id
 }
 
-# this needs to be configured for properly working NodePorts
 resource "aws_security_group_rule" "eks_workers_to_eks_workers_all" {
   type        = "ingress"
   description = "EKS between workers all traffic"

modules/eks/main.tf

@@ -1,13 +1,3 @@
-data "aws_ami" "bottlerocket_ami" {
-  most_recent = true
-  owners      = ["amazon"]
-  filter {
-    name   = "name"
-    values = ["bottlerocket-aws-k8s-${var.k8s_version}-${var.k8s_architecture}-*"]
-  }
-}
-
-# determine EKS addon versions
 data "aws_eks_addon_version" "coredns" {
   addon_name         = "coredns"
   kubernetes_version = var.k8s_addon_version

modules/eks/variables.tf

@@ -25,12 +25,6 @@ variable "k8s_addon_version" {
   description = "EKS addons version"
 }
 
-variable "k8s_architecture" {
-  type        = string
-  default     = "x86_64"
-  description = "cpu architecture to use with k8s nodes"
-}
-
 variable "kms_key_administrators" {
   type        = list(string)
   default     = []

modules/eks/versions.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.57.0, < 6.0.0"
+      version = ">= 4.57.0"
     }
   }
 }

modules/wireguard-ec2/main.tf

@@ -27,7 +27,7 @@ module "sg" {
 module "ec2_instance" {
   #checkov:skip=CKV_TF_1:Using registry versioned modules
   source  = "terraform-aws-modules/ec2-instance/aws"
-  version = "~> 5.0"
+  version = "~> 6.0"
 
   create = var.create_instance
 

modules/wireguard-ec2/versions.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.66.0, < 6.0.0"
+      version = ">= 4.66.0"
     }
   }
 }