terraform-aws-modules · bryantbiggs · Dec 5, 2022 · Aug 20, 2022 · Aug 20, 2022 · Aug 20, 2022
diff --git a/README.md b/README.md
@@ -203,6 +203,7 @@ module "eks" {
 - [Complete](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/complete): EKS Cluster using all available node group types in various combinations demonstrating many of the supported features and configurations
 - [EKS Managed Node Group](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/eks_managed_node_group): EKS Cluster using EKS managed node groups
 - [Fargate Profile](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/fargate_profile): EKS cluster using [Fargate Profiles](https://docs.aws.amazon.com/eks/latest/userguide/fargate.html)
+- [Outposts](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/outposts): EKS local cluster provisioned on [AWS Outposts](https://docs.aws.amazon.com/eks/latest/userguide/eks-outposts.html)
 - [Self Managed Node Group](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/self_managed_node_group): EKS Cluster using self-managed node groups
 - [User Data](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/user_data): Various supported methods of providing necessary bootstrap scripts and configuration settings via user data
 
@@ -301,7 +302,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | `""` | no |
 | <a name="input_cluster_security_group_additional_rules"></a> [cluster\_security\_group\_additional\_rules](#input\_cluster\_security\_group\_additional\_rules) | List of additional security group rules to add to the cluster security group created. Set `source_node_security_group = true` inside rules to set the `node_security_group` as source | `any` | `{}` | no |
 | <a name="input_cluster_security_group_description"></a> [cluster\_security\_group\_description](#input\_cluster\_security\_group\_description) | Description of the cluster security group created | `string` | `"EKS cluster security group"` | no |
-| <a name="input_cluster_security_group_id"></a> [cluster\_security\_group\_id](#input\_cluster\_security\_group\_id) | Existing security group ID to be attached to the cluster. Required if `create_cluster_security_group` = `false` | `string` | `""` | no |
+| <a name="input_cluster_security_group_id"></a> [cluster\_security\_group\_id](#input\_cluster\_security\_group\_id) | Existing security group ID to be attached to the cluster | `string` | `""` | no |
 | <a name="input_cluster_security_group_name"></a> [cluster\_security\_group\_name](#input\_cluster\_security\_group\_name) | Name to use on cluster security group created | `string` | `null` | no |
 | <a name="input_cluster_security_group_tags"></a> [cluster\_security\_group\_tags](#input\_cluster\_security\_group\_tags) | A map of additional tags to add to the cluster security group created | `map(string)` | `{}` | no |
 | <a name="input_cluster_security_group_use_name_prefix"></a> [cluster\_security\_group\_use\_name\_prefix](#input\_cluster\_security\_group\_use\_name\_prefix) | Determines whether cluster security group name (`cluster_security_group_name`) is used as a prefix | `bool` | `true` | no |
@@ -315,7 +316,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
 | <a name="input_create_aws_auth_configmap"></a> [create\_aws\_auth\_configmap](#input\_create\_aws\_auth\_configmap) | Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). Most users should use `manage_aws_auth_configmap` | `bool` | `false` | no |
 | <a name="input_create_cloudwatch_log_group"></a> [create\_cloudwatch\_log\_group](#input\_create\_cloudwatch\_log\_group) | Determines whether a log group is created by this module for the cluster logs. If not, AWS will automatically create one if logging is enabled | `bool` | `true` | no |
 | <a name="input_create_cluster_primary_security_group_tags"></a> [create\_cluster\_primary\_security\_group\_tags](#input\_create\_cluster\_primary\_security\_group\_tags) | Indicates whether or not to tag the cluster's primary security group. This security group is created by the EKS service, not the module, and therefore tagging is handled after cluster creation | `bool` | `true` | no |
-| <a name="input_create_cluster_security_group"></a> [create\_cluster\_security\_group](#input\_create\_cluster\_security\_group) | Determines if a security group is created for the cluster or use the existing `cluster_security_group_id` | `bool` | `true` | no |
+| <a name="input_create_cluster_security_group"></a> [create\_cluster\_security\_group](#input\_create\_cluster\_security\_group) | Determines if a security group is created for the cluster. Note: the EKS service creates a primary security group for the cluster by default | `bool` | `true` | no |
 | <a name="input_create_cni_ipv6_iam_policy"></a> [create\_cni\_ipv6\_iam\_policy](#input\_create\_cni\_ipv6\_iam\_policy) | Determines whether to create an [`AmazonEKS_CNI_IPv6_Policy`](https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html#cni-iam-role-create-ipv6-policy) | `bool` | `false` | no |
 | <a name="input_create_iam_role"></a> [create\_iam\_role](#input\_create\_iam\_role) | Determines whether a an IAM role is created or to use an existing IAM role | `bool` | `true` | no |
 | <a name="input_create_kms_key"></a> [create\_kms\_key](#input\_create\_kms\_key) | Controls if a KMS key for cluster encryption should be created | `bool` | `true` | no |
@@ -357,7 +358,6 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
 | <a name="input_openid_connect_audiences"></a> [openid\_connect\_audiences](#input\_openid\_connect\_audiences) | List of OpenID Connect audience client IDs to add to the IRSA provider | `list(string)` | `[]` | no |
 | <a name="input_outpost_config"></a> [outpost\_config](#input\_outpost\_config) | Configuration for the AWS Outpost to provision the cluster on | `any` | `{}` | no |
 | <a name="input_prefix_separator"></a> [prefix\_separator](#input\_prefix\_separator) | The separator to use between the prefix and the generated timestamp for resource names | `string` | `"-"` | no |
-| <a name="input_provision_on_outpost"></a> [provision\_on\_outpost](#input\_provision\_on\_outpost) | Determines whether cluster should be provisioned on an AWS Outpost | `bool` | `false` | no |
 | <a name="input_putin_khuylo"></a> [putin\_khuylo](#input\_putin\_khuylo) | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! | `bool` | `true` | no |
 | <a name="input_self_managed_node_group_defaults"></a> [self\_managed\_node\_group\_defaults](#input\_self\_managed\_node\_group\_defaults) | Map of self-managed node group default configurations | `any` | `{}` | no |
 | <a name="input_self_managed_node_groups"></a> [self\_managed\_node\_groups](#input\_self\_managed\_node\_groups) | Map of self-managed node group definitions to create | `any` | `{}` | no |

diff --git a/docs/UPGRADE-19.0.md b/docs/UPGRADE-19.0.md
@@ -32,6 +32,16 @@ Please consult the `examples` directory for reference example configurations. If
   - `cluster_endpoint_private_access` previously defaulted to `false` and now defaults to `true`
 - The addon configuration now sets `"OVERWRITE"` as the default value for `resolve_conflicts` to ease addon upgrade management. Users can opt out of this by instead setting `"NONE"` as the value for `resolve_conflicts`
 - The `kms` module used has been updated from `v1.0.2` to `v1.1.0` - no material changes other than updated to latest
+- The default value for EKS managed node group `update_config` has been updated to the recommended `{ max_unavailable_percentage = 33 }`
+- The default value for the self-managed node group `instance_refresh` has been updated to the recommended:
+    ```hcl
+    {
+      strategy = "Rolling"
+      preferences = {
+        min_healthy_percentage = 66
+      }
+    }
+    ```
 
 ### Removed
 
@@ -74,10 +84,19 @@ Please consult the `examples` directory for reference example configurations. If
    - `service_ipv6_cidr` for setting the IPv6 CIDR block for the Kubernetes service addresses
 
    - Self managed node groups:
-     - N/A
+     - `launch_template_id` for use when using an existing/externally created launch template (Ref: https://github.com/terraform-aws-modules/terraform-aws-autoscaling/pull/204)
+     - `maintenance_options`
+     - `private_dns_name_options`
+     - `instance_requirements`
+     - `context`
+     - `default_instance_warmup`
+     - `force_delete_warm_pool`
    - EKS managed node groups:
      - `use_custom_launch_template` was added to better clarify how users can switch betweeen a custom launch template or the default launch template provided by the EKS managed node group. Previously, to achieve this same functionality of using the default launch template, users needed to set `create_launch_template = false` and `launch_template_name = ""` which is not very intuitive.
-
+     - `launch_template_id` for use when using an existing/externally created launch template (Ref: https://github.com/terraform-aws-modules/terraform-aws-autoscaling/pull/204)
+     - `maintenance_options`
+     - `private_dns_name_options`
+     -
 4. Removed outputs:
 
    - Self managed node groups:
@@ -134,9 +153,10 @@ EKS managed node groups on `v18.x` by default create a security group that does
   3. New instances will launch without the EKS managed node group security group, and prior instances will be terminated
   4. Once the EKS managed node group has cycled, the security group will be deleted
 
-2. Once the node group security group(s) have been removed, you can update your module definition to specify the `v19.x` version of the module.
-3. Using the documentation provided above, update your module definition to reflect the changes in the module from `v18.x` to `v19.x`. You can utilize `terraform plan` as you go to help highlight any changes that you wish to make. See below for `terraform state mv ...` commands related to the use of `iam_role_additional_policies`. If you are not providing any values to these variables, you can skip this section.
-4. Once you are satisifed with the changes and the `terraform plan` output, you can apply the changes to sync your infrastructure with the updated module definition (or vice versa).
+2. Once the node group security group(s) have been removed, you can update your module definition to specify the `v19.x` version of the module
+3. Run `terraform init -upgrade=true` to update your configuration and pull in the v19 changes
+4. Using the documentation provided above, update your module definition to reflect the changes in the module from `v18.x` to `v19.x`. You can utilize `terraform plan` as you go to help highlight any changes that you wish to make. See below for `terraform state mv ...` commands related to the use of `iam_role_additional_policies`. If you are not providing any values to these variables, you can skip this section.
+5. Once you are satisifed with the changes and the `terraform plan` output, you can apply the changes to sync your infrastructure with the updated module definition (or vice versa).
 
 ### Diff of Before (v18.x) vs After (v19.x)
 
@@ -176,7 +196,7 @@ EKS managed node groups on `v18.x` by default create a security group that does
   kms_key_deletion_window_in_days = 7
   enable_kms_key_rotation         = true
 
-- iam_role_additional_policies = [additional = aws_iam_policy.additional.arn]
+- iam_role_additional_policies = [aws_iam_policy.additional.arn]
 + iam_role_additional_policies = {
 +   additional = aws_iam_policy.additional.arn
 + }
@@ -222,7 +242,7 @@ EKS managed node groups on `v18.x` by default create a security group that does
   # Self Managed Node Group(s)
   self_managed_node_group_defaults = {
     vpc_security_group_ids = [aws_security_group.additional.id]
--   iam_role_additional_policies = [additional = aws_iam_policy.additional.arn]
+-   iam_role_additional_policies = [aws_iam_policy.additional.arn]
 +   iam_role_additional_policies = {
 +     additional = aws_iam_policy.additional.arn
 +   }
@@ -265,7 +285,7 @@ EKS managed node groups on `v18.x` by default create a security group that does
 
     attach_cluster_primary_security_group = true
     vpc_security_group_ids                = [aws_security_group.additional.id]
--   iam_role_additional_policies = [additional = aws_iam_policy.additional.arn]
+-   iam_role_additional_policies = [aws_iam_policy.additional.arn]
 +   iam_role_additional_policies = {
 +     additional = aws_iam_policy.additional.arn
 +   }
@@ -313,7 +333,7 @@ EKS managed node groups on `v18.x` by default create a security group that does
 
   # Fargate Profile(s)
   fargate_profile_defaults = {
--   iam_role_additional_policies = [additional = aws_iam_policy.additional.arn]
+-   iam_role_additional_policies = [aws_iam_policy.additional.arn]
 +   iam_role_additional_policies = {
 +     additional = aws_iam_policy.additional.arn
 +   }

diff --git a/examples/complete/README.md b/examples/complete/README.md
@@ -34,14 +34,14 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.32 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.34 |
 | <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.10 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.32 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.34 |
 
 ## Modules
 

diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.32"
+      version = ">= 4.34"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

diff --git a/examples/eks_managed_node_group/README.md b/examples/eks_managed_node_group/README.md
@@ -58,14 +58,14 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.32 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.34 |
 | <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.10 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.32 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.34 |
 
 ## Modules
 

diff --git a/examples/eks_managed_node_group/main.tf b/examples/eks_managed_node_group/main.tf
@@ -212,7 +212,7 @@ module "eks" {
     # Use existing/external launch template
     external_lt = {
       create_launch_template  = false
-      launch_template_name    = aws_launch_template.external.name
+      launch_template_id      = aws_launch_template.external.id
       launch_template_version = aws_launch_template.external.default_version
     }
 

diff --git a/examples/eks_managed_node_group/versions.tf b/examples/eks_managed_node_group/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.32"
+      version = ">= 4.34"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

diff --git a/examples/fargate_profile/README.md b/examples/fargate_profile/README.md
@@ -20,15 +20,15 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.32 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.34 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.7 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.32 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.34 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | >= 2.7 |
 | <a name="provider_null"></a> [null](#provider\_null) | >= 3.0 |
 

diff --git a/examples/fargate_profile/versions.tf b/examples/fargate_profile/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.32"
+      version = ">= 4.34"
     }
     helm = {
       source  = "hashicorp/helm"