@red-hat-konflux red-hat-konflux bot commented Jul 25, 2025

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| github.com/terraform-aws-modules/terraform-aws-eks | module | major | v18.2.0 -> v21.10.1 |

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Release Notes

terraform-aws-modules/terraform-aws-eks (github.com/terraform-aws-modules/terraform-aws-eks)

v21.10.1

Compare Source

Bug Fixes
  • Update minimum required version of AWS provider for provisioned control plane (#​3603) (dc4de4f)

v21.10.0

Compare Source

Features

v21.9.0

Compare Source

Features

v21.8.0

Compare Source

Features
  • Allow using inline policy for Karpenter controller role to mitigate policy size LimitExceeded error (#​3563) (0659a8d), closes #​3512

v21.7.0

Compare Source

Features
  • Add recommended security group rule for port 10251 to match EKS addon for metrics-server (#​3562) (de8c550)

v21.6.1

Compare Source

Bug Fixes

v21.6.0

Compare Source

Features
  • Use aws_service_principal data source for deriving IAM service principals (#​3539) (0b0ca66)

v21.5.0

Compare Source

Features
  • Allow for additional policy statements on sqs queue policy (#​3543) (67557e8)

v21.4.0

Compare Source

Features

v21.3.2

Compare Source

Bug Fixes
  • Incorporate AWS provider v6.15 corrections for EKS Auto Mode to support enabling/disabling EKS Auto Mode without affecting non-Auto Mode users (#​3526) (f5f6dae)

v21.3.1

Compare Source

Bug Fixes

v21.3.0

Compare Source

Features
  • Support EKS Auto Mode custom node pools only creation (#​3514) (165d7c8)

v21.2.0

Compare Source

Features
  • Update Karpenter controller policy and permissions to match upstream project (#​3510) (131db39)

v21.1.5

Compare Source

Bug Fixes
  • Ensure module created security group is included on any network interfaces created (#​3495) (fa1d422)

v21.1.4

Compare Source

Bug Fixes
  • Ensure module created security group is included on any network interfaces created (#​3493) (e5cff84)

v21.1.3

Compare Source

Bug Fixes
  • Correct addon timeout lookup/override logic to support global and addon specific settings (#​3492) (b236208)

v21.1.2

Compare Source

Bug Fixes
  • Remediate type mismatch for EFA interfaces and ensure correct (local) definition is used (#​3491) (3959b65)

v21.1.1

Compare Source

Bug Fixes
  • Correct metadata options loop condition due to variable definition defaults (#​3490) (b40968a)

v21.1.0

Compare Source

Features
  • Add support for deletion protection functionality in the cluster (#​3475) (83c9cd1)

v21.0.9

Compare Source

Bug Fixes
  • Allow disabling instance refresh on self-managed node groups (part deux) (#​3478) (ca8f37e)

v21.0.8

Compare Source

Bug Fixes
  • Allow disabling instance refresh on self-managed node groups (#​3473) (6a887ad)

v21.0.7

Compare Source

Bug Fixes
  • Correct access policy logic to support not providing a policy to associate (#​3464) (39be61d)

v21.0.6

Compare Source

Bug Fixes
  • Allow instance_requirements to be set in self-managed node groups (#​3455) (5322bf7)

v21.0.5

Compare Source

Bug Fixes
  • Correct addon logic lookup to pull latest addon version (#​3449) (55d7fa2)

v21.0.4

Compare Source

Bug Fixes
  • Correct encryption configuration enable logic; avoid creating Auto Mode policy when Auto Mode is not enabled (#​3439) (6b8a3d9)

v21.0.3

Compare Source

Bug Fixes
  • Correct variable defaults for ami_id and kubernetes_version (#​3437) (8807e0b)

v21.0.2

Compare Source

Bug Fixes
  • Move encryption_config default for resources out of type definition and to default variable value to allow disabling encryption (#​3436) (b37368f)

v21.0.1

Compare Source

Bug Fixes
  • Correct logic to try to use module created IAM role before falli… (#​3433) (97d4ebb)

v21.0.0

Compare Source

⚠ BREAKING CHANGES
  • Upgrade min AWS provider and Terraform versions to 6.0 and 1.5.7 respectively (#​3412)

List of backwards incompatible changes

See the UPGRADE-21.0.md for further details.

  • Terraform v1.5.7 is now minimum supported version
  • AWS provider v6.0.0 is now minimum supported version
  • TLS provider v4.0.0 is now minimum supported version
  • The aws-auth sub-module has been removed. Users who wish to utilize its functionality can continue to do so by specifying a v20.x version, or ~> v20.0 version constraint in their module source.
  • bootstrap_self_managed_addons is now hardcoded to false. This is a legacy setting and instead users should utilize the EKS addons API, which is what this module does by default. In conjunction with this change, the bootstrap_self_managed_addons is now ignored by the module to aid in upgrading without disruption (otherwise it would require cluster re-creation).
  • When enabling enable_efa_support or creating placement groups within a node group, users must now specify the correct subnet_ids; the module no longer tries to automatically select a suitable subnet.
  • EKS managed node group:
    • IMDS now defaults to a hop limit of 1 (previously was 2)
    • ami_type now defaults to AL2023_x86_64_STANDARD
    • enable_monitoring is now set to false by default
    • enable_efa_only is now set to true by default
    • use_latest_ami_release_version is now set to true by default
    • Support for autoscaling group schedules has been removed
  • Self-managed node group:
    • IMDS now defaults to a hop limit of 1 (previously was 2)
    • ami_type now defaults to AL2023_x86_64_STANDARD
    • enable_monitoring is now set to false by default
    • enable_efa_only is now set to true by default
    • Support for autoscaling group schedules has been removed
  • Karpenter:
    • Native support for IAM roles for service accounts (IRSA) has been removed; EKS Pod Identity is now enabled by default
    • The Karpenter controller policy for versions prior to Karpenter v1 (i.e. v0.33) has been removed; the v1 policy is now used by default
    • create_pod_identity_association is now set to true by default
  • addons.resolve_conflicts_on_create is now set to "NONE" by default (was "OVERWRITE").
  • addons.most_recent is now set to true by default (was false).
  • cluster_identity_providers.issuer_url is now required to be set by users; the prior incorrect default has been removed. See #​3055 and kubernetes/kubernetes#123561 for more details.
  • The OIDC issuer URL for IAM roles for service accounts (IRSA) has been changed to use the new dual stack oidc-eks endpoint instead of oidc.eks. This is to align with aws/containers-roadmap#2038 (comment)

Additional changes

Added
  • Support for region parameter to specify the AWS region for the resources created if different from the provider region.
  • Both the EKS managed and self-managed node groups now support creating their own security groups (again). This is primarily motivated by the changes for EFA support; previously users would need to specify enable_efa_support both at the cluster level (to add the appropriate security group rules to the shared node security group) as well as the node group level. However, it's not always desirable to have these rules across ALL node groups when they are really only required on the node group where EFA is utilized. And similarly for other use cases, users can create custom rules for a specific node group instead of applying them across ALL node groups.
Modified
  • Variable definitions now contain detailed object types in place of the previously used any type.
  • The embedded KMS key module definition has been updated to v4.0 to support the same version requirements as well as the new region argument.
Variable and output changes
  1. Removed variables:

    • enable_efa_support - users only need to set this within the node group configuration, as the module no longer manages EFA support at the cluster level.
    • enable_security_groups_for_pods - users can instead attach the arn:aws:iam::aws:policy/AmazonEKSVPCResourceController policy via iam_role_additional_policies if using security groups for pods.
    • eks-managed-node-group sub-module
      • cluster_service_ipv4_cidr - users should use cluster_service_cidr instead (for either IPv4 or IPv6).
      • elastic_gpu_specifications
      • elastic_inference_accelerator
      • platform - this is superseded by ami_type
      • placement_group_strategy - set to cluster by the module
      • placement_group_az - users will need to specify the correct subnet in subnet_ids
      • create_schedule
      • schedules
    • self-managed-node-group sub-module
      • elastic_gpu_specifications
      • elastic_inference_accelerator
      • platform - this is superseded by ami_type
      • create_schedule
      • schedules
      • placement_group_az - users will need to specify the correct subnet in subnet_ids
      • hibernation_options - not valid in EKS
      • min_elb_capacity - not valid in EKS
      • wait_for_elb_capacity - not valid in EKS
      • wait_for_capacity_timeout - not valid in EKS
      • default_cooldown - not valid in EKS
      • target_group_arns - not valid in EKS
      • service_linked_role_arn - not valid in EKS
      • warm_pool - not valid in EKS
    • fargate-profile sub-module
      • None
    • karpenter sub-module
      • enable_v1_permissions - v1 permissions are now the default
      • enable_irsa
      • irsa_oidc_provider_arn
      • irsa_namespace_service_accounts
      • irsa_assume_role_condition_test
  2. Renamed variables:

    • Variables prefixed with cluster_* have been stripped of the prefix to better match the underlying API:
      • cluster_name -> name
      • cluster_version -> kubernetes_version
      • cluster_enabled_log_types -> enabled_log_types
      • cluster_force_update_version -> force_update_version
      • cluster_compute_config -> compute_config
      • cluster_upgrade_policy -> upgrade_policy
      • cluster_remote_network_config -> remote_network_config
      • cluster_zonal_shift_config -> zonal_shift_config
      • cluster_additional_security_group_ids -> additional_security_group_ids
      • cluster_endpoint_private_access -> endpoint_private_access
      • cluster_endpoint_public_access -> endpoint_public_access
      • cluster_endpoint_public_access_cidrs -> endpoint_public_access_cidrs
      • cluster_ip_family -> ip_family
      • cluster_service_ipv4_cidr -> service_ipv4_cidr
      • cluster_service_ipv6_cidr -> service_ipv6_cidr
      • cluster_encryption_config -> encryption_config
      • create_cluster_primary_security_group_tags -> create_primary_security_group_tags
      • cluster_timeouts -> timeouts
      • create_cluster_security_group -> create_security_group
      • cluster_security_group_id -> security_group_id
      • cluster_security_group_name -> security_group_name
      • cluster_security_group_use_name_prefix -> security_group_use_name_prefix
      • cluster_security_group_description -> security_group_description
      • cluster_security_group_additional_rules -> security_group_additional_rules
      • cluster_security_group_tags -> security_group_tags
      • cluster_encryption_policy_use_name_prefix -> encryption_policy_use_name_prefix
      • cluster_encryption_policy_name -> encryption_policy_name
      • cluster_encryption_policy_description -> encryption_policy_description
      • cluster_encryption_policy_path -> encryption_policy_path
      • cluster_encryption_policy_tags -> encryption_policy_tags
      • cluster_addons -> addons
      • cluster_addons_timeouts -> addons_timeouts
      • cluster_identity_providers -> identity_providers
    • eks-managed-node-group sub-module
      • cluster_version -> kubernetes_version
    • self-managed-node-group sub-module
      • cluster_version -> kubernetes_version
      • delete_timeout -> timeouts
    • fargate-profile sub-module
      • None
    • karpenter sub-module
      • None
  3. Added variables:

    • region
    • eks-managed-node-group sub-module
      • region
      • partition - added to reduce number of GET requests from data sources when possible
      • account_id - added to reduce number of GET requests from data sources when possible
      • create_security_group
      • security_group_name
      • security_group_use_name_prefix
      • security_group_description
      • security_group_ingress_rules
      • security_group_egress_rules
      • security_group_tags
    • self-managed-node-group sub-module
      • region
      • partition - added to reduce number of GET requests from data sources when possible
      • account_id - added to reduce number of GET requests from data sources when possible
      • create_security_group
      • security_group_name
      • security_group_use_name_prefix
      • security_group_description
      • security_group_ingress_rules
      • security_group_egress_rules
      • security_group_tags
    • fargate-profile sub-module
      • region
      • partition - added to reduce number of GET requests from data sources when possible
      • account_id - added to reduce number of GET requests from data sources when possible
    • karpenter sub-module
      • region
  4. Removed outputs:

    • eks-managed-node-group sub-module
      • platform - this is superseded by ami_type
      • autoscaling_group_schedule_arns
    • self-managed-node-group sub-module
      • platform - this is superseded by ami_type
      • autoscaling_group_schedule_arns
    • fargate-profile sub-module
      • None
    • karpenter sub-module
      • None
  5. Renamed outputs:

    • eks-managed-node-group sub-module
      • None
    • self-managed-node-group sub-module
      • None
    • fargate-profile sub-module
      • None
    • karpenter sub-module
      • None
  6. Added outputs:

    • eks-managed-node-group sub-module
      • security_group_arn
      • security_group_id
    • self-managed-node-group sub-module
      • security_group_arn
      • security_group_id
    • fargate-profile sub-module
      • None
    • karpenter sub-module
      • None

v20.37.2

Compare Source

Bug Fixes
  • Allow for both amazonaws.com.cn and amazonaws.com conditions in PassRole as required for AWS CN (#​3422) (83b68fd)

v20.37.1

Compare Source

Bug Fixes
  • Restrict AWS provider max version due to v6 provider breaking changes (#​3384) (681a868)

v20.37.0

Compare Source

Features

v20.36.1

Compare Source

Bug Fixes
  • Ensure additional_cluster_dns_ips is passed through from root module (#​3376) (7a83b1b)

v20.36.0

Compare Source

Features

v20.35.0

Compare Source

Features
  • Default to not changing autoscaling schedule values at the scheduled time (#​3322) (abf76f6)

v20.34.0

Compare Source

Features
  • Add capacity reservation permissions to Karpenter IAM policy (#​3318) (770ee99)

v20.33.1

Compare Source

Bug Fixes
  • Allow "EC2" access entry type for EKS Auto Mode custom node pools (#​3281) (3e2ea83)

v20.33.0

Compare Source

Features

v20.32.0

Compare Source

Features

v20.31.6

Compare Source

Bug Fixes

v20.31.5

Compare Source

Bug Fixes

v20.31.4

Compare Source

Bug Fixes
  • Auto Mode custom tag policy should apply to cluster role, not node role (#​3242) (a07013a)

v20.31.3

Compare Source

Bug Fixes
  • Update min provider version to remediate cluster replacement when enabling EKS Auto Mode (#​3240) (012e51c)

v20.31.2

Compare Source

Bug Fixes
  • Avoid trying to attach the node role when Auto Mode nodepools are not specified (#​3239) (ce34f1d)

v20.31.1

Compare Source

Bug Fixes
  • Create EKS Auto Mode role when Auto Mode is enabled, regardless of built-in node pool use (#​3234) (e2846be)

v20.31.0

Compare Source

Features

v20.30.1

Compare Source

Bug Fixes
  • Coalesce local resolve_conflicts_on_create_default value to a boolean since default is null (#​3221) (35388bb)

v20.30.0

Compare Source

Features
  • Improve addon dependency chain and decrease time to provision addons (due to retries) (#​3218) (ab2207d)

v20.29.0

Compare Source

Features
  • Add support for pod identity association on EKS addons (#​3203) (a224334)

v20.28.0

Compare Source

Features
  • Add support for creating efa-only network interfaces (#​3196) (c6da22c)

v20.27.0

Compare Source

Features

v20.26.1

Compare Source

Bug Fixes
  • Use dynamic partition data source to determine DNS suffix for Karpenter EC2 pass role permission (#​3193) (dea6c44)

v20.26.0

Compare Source

Features
  • Add support for desired_capacity_type (named desired_size_type) on self-managed node group (#​3166) (6974a5e)

v20.25.0

Compare Source

Features
  • Add support for newly released AL2023 accelerated AMI types (#​3177) (b2a8617)
Bug Fixes

v20.24.3

Compare Source

Bug Fixes
  • Add primary_ipv6 parameter to self-managed-node-group (#​3169) (fef6555)

v20.24.2

Compare Source

Bug Fixes

v20.24.1

Compare Source

Bug Fixes
  • Correct Karpenter EC2 service principal DNS suffix in non-commercial regions (#​3157) (47ab3eb)

v20.24.0

Compare Source

Features
  • Add support for Karpenter v1 controller IAM role permissions (#​3126) (e317651)

v20.23.0

Compare Source

Features
  • Add new output values for OIDC issuer URL and provider that are dual-stack compatible (#​3120) (72668ac)

v20.22.1

Compare Source

Bug Fixes

v20.22.0

Compare Source

Features
  • Enable update in place for node groups with cluster placement group strategy (#​3045) (75db486)

v20.21.0

Compare Source

Features

v20.20.0

Compare Source

Features

v20.19.0

Compare Source

Features

v20.18.0

Compare Source

Features

v20.17.2

Compare Source

Bug Fixes

v20.17.1

Compare Source

Bug Fixes
  • Invoke aws_iam_session_context data source only when required (#​3058) (f02df92)

v20.17.0

Compare Source

Features
  • Add support for ML capacity block reservations with EKS managed node group(s) (#​3091) (ae3379e)

v20.16.0

Compare Source

Features

v20.15.0

Compare Source

Features

v20.14.0

Compare Source

Features
  • Require users to supply OS via ami_type and not via platform which is unable to distinguish between the number of variants supported today (#​3068) (ef657bf)

v20.13.1

Compare Source

Bug Fixes
  • Correct syntax for correctly ignoring bootstrap_cluster_creator_admin_permissions and not all of access_config (#​3056) (1e31929)

v20.13.0

Compare Source

Features
  • Starting with 1.30, do not use the cluster OIDC issuer URL by default in the identity provider config (#​3055) (00f076a)

v20.12.0

Compare Source

Features
  • Support additional cluster DNS IPs with Bottlerocket based AMIs (#​3051) (541dbb2)

v20.11.1

Compare Source

Bug Fixes
  • Ignore changes to bootstrap_cluster_creator_admin_permissions which is disabled by default (#​3042) (c65d308)

v20.11.0

Compare Source

Features
  • Add SourceArn condition to Fargate profile trust policy (#​3039) (a070d7b)

v20.10.0

Compare Source

Features
  • Add support for Pod Identity association on Karpenter sub-module (#​3031) (cfcaf27)

v20.9.0

Compare Source

Features
  • Propagate ami_type to self-managed node group; allow using ami_type only (#​3030) (74d3918)

v20.8.5

Compare Source

Bug Fixes
  • Forces cluster outputs to wait until access entries are complete (#​3000) (e2a39c0)

v20.8.4

Compare Source

Bug Fixes
  • Pass nodeadm user data variables from root module down to nodegroup sub-modules (#​2981) (84effa0)

v20.8.3

Compare Source

Bug Fixes
  • Ensure the correct service CIDR and IP family is used in the rendered user data (#​2963) (aeb9f0c)

v20.8.2

Compare Source

Bug Fixes
  • Ensure a default ip_family value is provided to guarantee a CNI policy is attached to nodes (#​2967) (29dcca3)

v20.8.1

Compare Source

Bug Fixes
  • Do not attach policy if Karpenter node role is not created by module (#​2964) (3ad19d7)

[v20.8.0](https://redirect.github.com/terraform-aws-


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/release-0.9/github.com-terraform-aws-modules-terraform-aws-eks-21.x branch 2 times, most recently from a8f0a27 to 68b7ac2 Compare August 1, 2025 08:20
@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/release-0.9/github.com-terraform-aws-modules-terraform-aws-eks-21.x branch 2 times, most recently from d019ad3 to 1a985c7 Compare August 15, 2025 08:30
@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/release-0.9/github.com-terraform-aws-modules-terraform-aws-eks-21.x branch from 1a985c7 to e696528 Compare August 15, 2025 16:31
@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/release-0.9/github.com-terraform-aws-modules-terraform-aws-eks-21.x branch from e696528 to ad6ec4b Compare August 29, 2025 08:33
@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/release-0.9/github.com-terraform-aws-modules-terraform-aws-eks-21.x branch 2 times, most recently from 7f3d254 to 08a763d Compare September 19, 2025 08:28
@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/release-0.9/github.com-terraform-aws-modules-terraform-aws-eks-21.x branch from 08a763d to fa52b06 Compare October 15, 2025 09:02
@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/release-0.9/github.com-terraform-aws-modules-terraform-aws-eks-21.x branch from fa52b06 to c8ea33c Compare October 23, 2025 01:09
@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/release-0.9/github.com-terraform-aws-modules-terraform-aws-eks-21.x branch from c8ea33c to b529bd0 Compare October 31, 2025 09:07
@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/release-0.9/github.com-terraform-aws-modules-terraform-aws-eks-21.x branch from b529bd0 to 6be2331 Compare November 17, 2025 02:12
@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/release-0.9/github.com-terraform-aws-modules-terraform-aws-eks-21.x branch from 6be2331 to 86edab6 Compare November 28, 2025 02:18
…orm-aws-eks to v21

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/release-0.9/github.com-terraform-aws-modules-terraform-aws-eks-21.x branch from 86edab6 to 363d689 Compare November 29, 2025 13:49