Releases: terraform-aws-modules/terraform-aws-eks

v20.1.1

06 Feb 14:04

20.1.1 (2024-02-06)

Bug Fixes

  • Update access entries kubernetes_groups default value to null (#2897) (1e32e6a)

v20.1.0

06 Feb 12:48

20.1.0 (2024-02-06)

Features

  • Add output for access_policy_associations (#2904) (0d2a4c2)

v20.0.1

03 Feb 11:47

20.0.1 (2024-02-03)

Bug Fixes

  • Correct cluster access entry to create multiple policy associations per access entry (#2892) (4177913)

v20.0.0

02 Feb 14:36

20.0.0 (2024-02-02)

⚠ BREAKING CHANGES

  • Replace the use of aws-auth configmap with EKS cluster access entry (#2858)

See the UPGRADE-20.0.md guide for further details on the changes and guidance for upgrading

List of backwards incompatible changes

  • Minimum supported AWS provider version increased to v5.34
  • Minimum supported Terraform version increased to v1.3 to support Terraform state moved blocks as well as other advanced features
  • The resolve_conflicts argument within the cluster_addons configuration has been replaced with resolve_conflicts_on_create and resolve_conflicts_on_delete now that resolve_conflicts is deprecated
  • The default/fallback value for the preserve argument of cluster_addons is now set to true. This has proven useful for users deprovisioning clusters, since it avoids the situation where the CNI is deleted too early and resources are left orphaned, resulting in conflicts.
  • The Karpenter sub-module's use of the irsa naming convention has been removed, along with an update to the Karpenter controller IAM policy to align with Karpenter's v1beta1/v0.32 changes. Instead of referring to the role as irsa or pod_identity, it is simply an IAM role used by the Karpenter controller, and there is support for use with IRSA and/or Pod Identity (default) at this time
  • The aws-auth ConfigMap resources have been moved to a standalone sub-module. This removes the Kubernetes provider requirement from the main module and allows for the aws-auth ConfigMap to be managed independently of the main module. This sub-module will be removed entirely in the next major release.
  • Support for cluster access management has been added with the default authentication mode set as API_AND_CONFIG_MAP. This is a one-way change if applied; if you wish to use CONFIG_MAP, you will need to set authentication_mode = "CONFIG_MAP" explicitly when upgrading.
  • Karpenter EventBridge rule key spot_interrupt updated to correct a misspelling (was spot_interupt). This will cause the rule to be replaced

Additional changes

Added

  • A module tag has been added to the cluster control plane
  • Support for cluster access entries. The bootstrap_cluster_creator_admin_permissions setting on the control plane has been hardcoded to false since this operation is a one time operation only at cluster creation per the EKS API. Instead, users can enable/disable enable_cluster_creator_admin_permissions at any time to achieve the same functionality. This takes the identity that Terraform is using to make API calls and maps it into a cluster admin via an access entry. For users on existing clusters, you will need to remove the default cluster administrator that was created by EKS prior to the cluster access entry APIs - see the section Removing the default cluster administrator for more details.
  • Support for specifying the CloudWatch log group class (standard or infrequent access)
  • Native support for Windows based managed nodegroups similar to AL2 and Bottlerocket
  • Self-managed nodegroups now support instance_maintenance_policy and have added max_healthy_percentage, scale_in_protected_instances, and standby_instances arguments to the instance_refresh.preferences block
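
A sketch of a v20 module call that uses the access entry settings described above (authentication_mode, enable_cluster_creator_admin_permissions, and an access entry with a namespace-scoped policy association). This is an added example, not taken from these release notes or the project's own examples; the cluster name, version, VPC/subnet IDs, account ID and role name are placeholders.

```hcl
# Added illustration; names, IDs and ARNs below are placeholders.
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 20.0"

  cluster_name    = "example" # placeholder
  cluster_version = "1.29"    # placeholder

  vpc_id     = "vpc-EXAMPLE"                           # placeholder
  subnet_ids = ["subnet-EXAMPLE1", "subnet-EXAMPLE2"] # placeholders

  # Default per the v20.0.0 notes. Enabling the access entry API is a
  # one-way change; set "CONFIG_MAP" explicitly to stay on aws-auth only.
  authentication_mode = "API_AND_CONFIG_MAP"

  # Maps the identity Terraform is using into a cluster admin through an
  # access entry. Stated explicitly so the grant is visible in review.
  enable_cluster_creator_admin_permissions = true

  access_entries = {
    # Read-only access limited to one namespace rather than cluster-wide.
    readonly = {
      principal_arn = "arn:aws:iam::111122223333:role/example-readonly" # placeholder

      # kubernetes_groups is omitted; its default is null as of v20.1.1.
      policy_associations = {
        view_default = {
          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
          access_scope = {
            type       = "namespace"
            namespaces = ["default"]
          }
        }
      }
    }
  }
}
```

Each key under policy_associations becomes its own association on the entry, which is the behaviour corrected in v20.0.1.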

Modified

  • For sts:AssumeRole permissions by services, the use of dynamically looking up the DNS suffix has been replaced with the static value of amazonaws.com. This does not appear to change by partition and instead requires users to set this manually for non-commercial regions.
  • The default value for kms_key_enable_default_policy has changed from false to true to align with the default behavior of the aws_kms_key resource
  • The Karpenter default value for create_instance_profile has changed from true to false to align with the changes in Karpenter v0.32. Starting with Karpenter v0.32.0, Karpenter accepts an IAM role and creates the EC2 instance profile used by the nodes

Removed

  • The complete example has been removed due to its redundancy with the other examples
  • References to the IRSA sub-module in the IAM repository have been removed. Once https://github.com/clowdhaus/terraform-aws-eks-pod-identity has been updated and moved into the organization, the documentation here will be updated to mention the new module.

v19.21.0

11 Dec 14:54

19.21.0 (2023-12-11)

Features

v19.20.0

14 Nov 15:08

19.20.0 (2023-11-14)

Features

  • Allow OIDC root CA thumbprint to be included/excluded (#2778) (091c680)

v19.19.1

10 Nov 13:59

19.19.1 (2023-11-10)

Bug Fixes

  • Remove additional conditional on Karpenter instance profile creation to support upgrading (#2812) (c36c8dc)

v19.19.0

04 Nov 12:42

19.19.0 (2023-11-04)

Features

  • Update KMS module to avoid calling data sources when create_kms_key = false (#2804) (0732bea)

v19.18.0

01 Nov 15:33

19.18.0 (2023-11-01)

Features

v19.17.4

30 Oct 18:40

19.17.4 (2023-10-30)

Bug Fixes

  • Updating license_specification result type (#2798) (ba0ebeb)