platformbuilders · pb-kaio-santos · Feb 12, 2026
diff --git a/aws/modules/eks/examples/terragrunt.hcl b/aws/modules/eks/examples/terragrunt.hcl
@@ -0,0 +1,79 @@
+terraform {
+  source = "git::git@github.com:platformbuilders/terraform-modules.git//aws/modules/eks?ref=vx.x.x"
+}
+
+include "root" {
+  path = find_in_parent_folders()
+}
+
+dependencies "vpc" {
+  config_path = "../vpc"
+}
+
+inputs = {
+  name               = "bu-x-use1-0x"
+  kubernetes_version = "1.35"
+
+  vpc_id             = dependency.vpc.outputs.vpc_id
+  private_subnet_ids = dependency.vpc.outputs.private_subnet_ids
+  public_subnet_ids  = dependency.vpc.outputs.public_subnet_ids
+
+  addons = {
+    coredns = {
+      resolve_conflicts_on_create = "OVERWRITE"
+      resolve_conflicts_on_update = "OVERWRITE"
+    }
+    vpc-cni = {
+      resolve_conflicts_on_create = "OVERWRITE"
+      resolve_conflicts_on_update = "OVERWRITE"
+    }
+    aws-ebs-csi-driver = {
+      resolve_conflicts_on_create = "OVERWRITE"
+      resolve_conflicts_on_update = "OVERWRITE"
+      service_account_role_arn    = "arn:aws:iam::123456789012:role/ebs-csi-controller"
+    }
+  }
+
+  security_group_additional_rules = {
+    ingress_vpn = {
+      description = "Description xxxx"
+      type        = "ingress"
+      from_port   = 443
+      to_port     = 443
+      protocol    = "tcp"
+      cidr_blocks = ["10.x.x.x/24"]
+    }
+  }
+
+  node_security_group_additional_rules = {
+    ingress_cluster_api = {
+      description = "Description xxxx"
+      type                          = "ingress"
+      from_port                     = 0
+      to_port                       = 65535
+      protocol                      = "tcp"
+      source_cluster_security_group = true
+    }
+  }
+
+  eks_node_groups = {
+    general = {
+      min_size                   = 1
+      max_size                   = 5
+      desired_size               = 2
+      instance_types             = ["m5a.xlarge"]
+      disk_size                  = 50
+      use_custom_launch_template = false
+      iam_role_additional_policies = {
+        AmazonEBSCSIDriverPolicy = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
+        AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+      }
+    }
+  }
+
+  additional_tags = {
+    Environment = "production"
+    Team        = "platform"
+    ManagedBy   = "terragrunt"
+  }
+}
diff --git a/aws/modules/eks/main.tf b/aws/modules/eks/main.tf
@@ -1,92 +1,37 @@
-data "aws_caller_identity" "current" {}
-
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "19.20.0"
-
-  cluster_name    = "eks-${var.name}"
-  cluster_version = var.eks_version
+  version = "21.15.1"
 
-  cluster_endpoint_private_access = var.endpoint_private_access
-  cluster_endpoint_public_access  = var.endpoint_public_access
-  kms_key_administrators          = var.kms_key_administrators
-  enable_irsa                     = var.enable_irsa
+  name               = "${var.name}"
+  kubernetes_version = var.kubernetes_version
 
-  cluster_addons = {
-    coredns = {
-      resolve_conflicts = "OVERWRITE"
-    }
-    kube-proxy = {}
-    vpc-cni = {
-      resolve_conflicts = "OVERWRITE"
-    }
-    vpc-cni = {
-      resolve_conflicts = "OVERWRITE"
-    }
-    aws-ebs-csi-driver = {
-      resolve_conflicts        = "OVERWRITE"
-      service_account_role_arn = var.ebs_service_account_role
-    }
-  }
+  endpoint_private_access = var.endpoint_private_access
+  endpoint_public_access  = var.endpoint_public_access
+  kms_key_administrators  = var.kms_key_administrators
+  enable_irsa             = var.enable_irsa
 
-  cluster_security_group_additional_rules = {
-    ingress_vpn = {
-      description                   = "Access EKS from Builders VPN"
-      type                          = "ingress"
-      from_port                     = 0
-      to_port                       = 65535
-      protocol                      = "tcp"
-      cidr_blocks                   = ["10.30.0.0/16"]
-      source_cluster_security_group = true
-    }
-  }
+  addons = var.addons
 
-  node_security_group_additional_rules = {
-    ingress_all_trafic_eks_api = {
-      description                   = "Access EKS from EKS API"
-      type                          = "ingress"
-      from_port                     = 0
-      to_port                       = 65535
-      protocol                      = "tcp"
-      security_group_id             = module.eks.cluster_security_group_id
-      source_cluster_security_group = true
-    }
-  }
+  security_group_additional_rules      = var.security_group_additional_rules
+  node_security_group_additional_rules = var.node_security_group_additional_rules
 
   cloudwatch_log_group_retention_in_days = var.cloudwatch_log_group_retention_in_days
 
-  # cluster_encryption_config = [{
-  #   provider_key_arn = aws_kms_key.secret_encrypt.arn
-  #   resources        = ["secrets"]
-  # }]
-
   vpc_id     = var.vpc_id
   subnet_ids = concat(var.private_subnet_ids, var.public_subnet_ids)
 
-  eks_managed_node_group_defaults = {
-    disk_size                    = var.disk_size_gb
-    instance_types               = var.instance_type
-    iam_role_additional_policies = {}
-  }
-
   eks_managed_node_groups = {
     for name, config in var.eks_node_groups : name => {
-      min_size                   = config.min_size
-      max_size                   = config.max_size
-      desired_size               = config.desired_size
-      instance_types             = config.instance_types
-      subnet_ids                 = concat(var.private_subnet_ids, var.public_subnet_ids)
-      use_custom_launch_template = config.use_custom_launch_template
-      disk_size                  = config.disk_size
-      iam_role_additional_policies = {
-        managed_policy_arns = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
-      }
+      min_size                     = config.min_size
+      max_size                     = config.max_size
+      desired_size                 = config.desired_size
+      instance_types               = config.instance_types
+      subnet_ids                   = concat(var.private_subnet_ids, var.public_subnet_ids)
+      use_custom_launch_template   = config.use_custom_launch_template
+      disk_size                    = config.disk_size
+      iam_role_additional_policies = config.iam_role_additional_policies
     }
   }
 
-  manage_aws_auth_configmap = var.manage_aws_auth_configmap
-
-  aws_auth_roles = var.additional_roles
-
-  aws_auth_users = var.aws_auth_users
+  tags = var.additional_tags
 }
diff --git a/aws/modules/eks/variables.tf b/aws/modules/eks/variables.tf
@@ -1,31 +1,38 @@
 variable "name" {
   description = "EKS Regional unique cluster name"
+  type        = string
 }
 
-variable "eks_version" {
-  description = "Kubernetes EKS version"
+variable "kubernetes_version" {
+  description = "Kubernetes `<major>.<minor>` version to use for the EKS cluster (i.e.: `1.33`)"
+  type        = string
 }
 
 variable "endpoint_private_access" {
-  description = "Enable private endpoint access"
+  description = "Indicates whether or not the Amazon EKS private API server endpoint is enabled"
+  type        = bool
   default     = true
 }
 
 variable "endpoint_public_access" {
-  description = "Enable public endpoint access"
+  description = "Indicates whether or not the Amazon EKS public API server endpoint is enabled"
+  type        = bool
   default     = false
 }
 
 variable "vpc_id" {
-  description = "EKS vpc id"
+  description = "ID of the VPC where the cluster security group will be provisioned"
+  type        = string
 }
 
 variable "private_subnet_ids" {
   description = "Private subnets ids"
+  type        = list(string)
 }
 
 variable "public_subnet_ids" {
   description = "Public subnets ids"
+  type        = list(string)
 }
 
 variable "additional_tags" {
@@ -34,68 +41,61 @@ variable "additional_tags" {
   default     = {}
 }
 
-variable "disk_size_gb" {
-  description = "Node disk size in Gigabites"
-  default     = 50
-  type        = string
-}
-
-variable "instance_type" {
-  description = "Lista de tipos de instância permitidos para os grupos de nodes gerenciados."
-  type        = list(string)
-  default     = ["t3a.xlarge"]
-}
-
-variable "additional_roles" {
-  type = list(object({
-    rolearn  = string
-    username = string
-    groups   = list(string)
-  }))
-  default = []
-}
-
 variable "kms_key_administrators" {
-  description = "A list of IAM ARNs for [key administrators](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-administrators). If no value is provided, the current caller identity is used to ensure at least one key admin is available"
+  description = "A list of IAM ARNs for key administrators. If no value is provided, the current caller identity is used to ensure at least one key admin is available"
   type        = list(string)
   default     = []
 }
 
-variable "ebs_service_account_role" {
-  description = "The role ARN used in service account to ebs addon"
-  type        = string
-  default     = null
-}
-
-variable "eks_node_groups" {
-  type = map(object({
-    min_size                   = number
-    max_size                   = number
-    desired_size               = number
-    instance_types             = list(string)
-    disk_size                  = number
-    use_custom_launch_template = bool
-  }))
-}
-
-variable "manage_aws_auth_configmap" {
-  description = "If true, the aws-auth configMap will be created and managed by this module. If false, the aws-auth configMap will not be created or managed."
-  default     = false
-}
-
 variable "enable_irsa" {
   description = "Determines whether to create an OpenID Connect Provider for EKS to enable IRSA"
   type        = bool
-  default     = false
+  default     = true
 }
 
-variable "aws_auth_users" {
-  description = "Additional IAM users to add to the aws-auth configmap."
-  type        = list(any)
-  default     = []
+variable "addons" {
+  description = "Map of cluster addon configurations to enable for the cluster"
+  type        = any
+  default = {
+    coredns = {
+      resolve_conflicts_on_create = "OVERWRITE"
+      resolve_conflicts_on_update = "OVERWRITE"
+    }
+    kube-proxy = {}
+    vpc-cni = {
+      resolve_conflicts_on_create = "OVERWRITE"
+      resolve_conflicts_on_update = "OVERWRITE"
+    }
+  }
+}
+
+variable "security_group_additional_rules" {
+  description = "List of additional security group rules to add to the cluster security group"
+  type        = any
+  default     = {}
+}
+
+variable "node_security_group_additional_rules" {
+  description = "List of additional security group rules to add to the node security group"
+  type        = any
+  default     = {}
 }
 
 variable "cloudwatch_log_group_retention_in_days" {
   description = "Number of days to retain CloudWatch logs for EKS control plane"
+  type        = number
   default     = 7
 }
+
+variable "eks_node_groups" {
+  description = "Map of EKS managed node group definitions to create"
+  type = map(object({
+    min_size                     = number
+    max_size                     = number
+    desired_size                 = number
+    instance_types               = list(string)
+    disk_size                    = number
+    use_custom_launch_template   = bool
+    iam_role_additional_policies = optional(map(string), {})
+  }))
+}