feat: make EKS Auto Mode optional (#32)

* feat: optionally disable automode

* feat: added test case for auto mode disabled

Author: TheOutdoorProgrammer

.spacelift/config.yml

@@ -10,3 +10,7 @@ tests:
     project_root: examples/basic-example
     environment:
       TF_VAR_aws_region: "eu-west-2"
+  - name: Without auto mode
+    project_root: examples/without-auto-mode
+    environment:
+      TF_VAR_aws_region: "eu-west-2"

eks.tf

@@ -18,10 +18,31 @@ module "eks" {
 
   # Enable EKS Auto mode using a general purpose node pool
   compute_config = {
-    enabled    = true
-    node_pools = ["general-purpose"]
+    enabled    = var.eks_auto_mode_enabled
+    node_pools = var.eks_auto_mode_enabled ? ["general-purpose"] : []
   }
 
+  # When auto mode is disabled, the essential networking addons that auto mode
+  # normally manages must be installed BEFORE node groups via before_compute.
+  # Without this ordering, nodes deadlock: they need VPC CNI to pass health
+  # checks, but the default addon resource waits for node groups to complete.
+  addons = var.eks_auto_mode_enabled ? {} : {
+    vpc-cni = {
+      most_recent    = true
+      before_compute = true
+    }
+    kube-proxy = {
+      most_recent    = true
+      before_compute = true
+    }
+    coredns = {
+      most_recent    = true
+      before_compute = true
+    }
+  }
+
+  eks_managed_node_groups = var.eks_auto_mode_enabled ? null : var.eks_managed_node_groups
+
   tags = {
     Name = "Spacelift cluster ${module.spacelift.unique_suffix}"
   }

examples/without-auto-mode/main.tf

@@ -0,0 +1,37 @@
+data "aws_rds_engine_version" "postgres" {
+  engine = "aurora-postgresql"
+  latest = true
+}
+
+module "spacelift_eks_selfhosted" {
+  source = "../../"
+
+  aws_region         = var.aws_region
+  server_domain      = "test.spacelift.example.com"
+  rds_engine_version = data.aws_rds_engine_version.postgres.version_actual
+
+  eks_cluster_version = "1.32"
+
+  eks_upgrade_policy = {
+    support_type = "STANDARD"
+  }
+
+  # Disable EKS Auto Mode and use managed node groups instead
+  eks_auto_mode_enabled = false
+
+  eks_managed_node_groups = {
+    spacelift = {
+      ami_type       = "AL2023_x86_64_STANDARD"
+      instance_types = ["m5.large"]
+      min_size       = 2
+      max_size       = 4
+      desired_size   = 2
+    }
+  }
+
+  # For easier test cleanup:
+  rds_delete_protection_enabled = false
+  s3_retain_on_destroy          = false
+  ecr_force_delete              = true
+  rds_instance_configuration    = {}
+}

examples/without-auto-mode/provider.tf

@@ -0,0 +1,10 @@
+provider "aws" {
+  region = var.aws_region
+
+  default_tags {
+    tags = {
+      repo     = "github.com/spacelift-io/terraform-aws-eks-spacelift-selfhosted"
+      testcase = "without-auto-mode"
+    }
+  }
+}

examples/without-auto-mode/variables.tf

@@ -0,0 +1,3 @@
+variable "aws_region" {
+  type = string
+}

variables.tf

@@ -16,12 +16,6 @@ variable "server_domain" {
   description = "The domain that Spacelift is being hosted on, for example spacelift.example.com."
 }
 
-variable "server_port" {
-  type        = number
-  description = "The port that server pods listen on for HTTP. Used to setup security group rules between the load balancer and server pods."
-  default     = 1983
-}
-
 variable "license_token" {
   type        = string
   description = "The JWT token for using Spacelift. Only required for generating the kubernetes_secrets output. It can be ignored if you are not using that output."
@@ -330,6 +324,285 @@ variable "eks_cluster_name" {
   default     = null
 }
 
+variable "eks_auto_mode_enabled" {
+  type        = bool
+  description = "Whether to enable EKS Auto Mode."
+  default     = true
+}
+
+variable "eks_managed_node_groups" {
+  description = "Map of EKS managed node group definitions to create"
+  type = map(object({
+    create             = optional(bool)
+    kubernetes_version = optional(string)
+
+    # EKS Managed Node Group
+    name                           = optional(string) # Will fall back to map key
+    use_name_prefix                = optional(bool)
+    subnet_ids                     = optional(list(string))
+    min_size                       = optional(number)
+    max_size                       = optional(number)
+    desired_size                   = optional(number)
+    ami_id                         = optional(string)
+    ami_type                       = optional(string)
+    ami_release_version            = optional(string)
+    use_latest_ami_release_version = optional(bool)
+    capacity_type                  = optional(string)
+    disk_size                      = optional(number)
+    force_update_version           = optional(bool)
+    instance_types                 = optional(list(string))
+    labels                         = optional(map(string))
+    node_repair_config = optional(object({
+      enabled                                 = optional(bool)
+      max_parallel_nodes_repaired_count       = optional(number)
+      max_parallel_nodes_repaired_percentage  = optional(number)
+      max_unhealthy_node_threshold_count      = optional(number)
+      max_unhealthy_node_threshold_percentage = optional(number)
+      node_repair_config_overrides = optional(list(object({
+        min_repair_wait_time_mins = number
+        node_monitoring_condition = string
+        node_unhealthy_reason     = string
+        repair_action             = string
+      })))
+    }))
+    remote_access = optional(object({
+      ec2_ssh_key               = optional(string)
+      source_security_group_ids = optional(list(string))
+    }))
+    taints = optional(map(object({
+      key    = string
+      value  = optional(string)
+      effect = string
+    })))
+    update_config = optional(object({
+      max_unavailable            = optional(number)
+      max_unavailable_percentage = optional(number)
+      update_strategy            = optional(string)
+    }))
+    timeouts = optional(object({
+      create = optional(string)
+      update = optional(string)
+      delete = optional(string)
+    }))
+    # User data
+    enable_bootstrap_user_data = optional(bool)
+    pre_bootstrap_user_data    = optional(string)
+    post_bootstrap_user_data   = optional(string)
+    bootstrap_extra_args       = optional(string)
+    user_data_template_path    = optional(string)
+    cloudinit_pre_nodeadm = optional(list(object({
+      content      = string
+      content_type = optional(string)
+      filename     = optional(string)
+      merge_type   = optional(string)
+    })))
+    cloudinit_post_nodeadm = optional(list(object({
+      content      = string
+      content_type = optional(string)
+      filename     = optional(string)
+      merge_type   = optional(string)
+    })))
+    # Launch Template
+    create_launch_template                 = optional(bool)
+    use_custom_launch_template             = optional(bool)
+    launch_template_id                     = optional(string)
+    launch_template_name                   = optional(string) # Will fall back to map key
+    launch_template_use_name_prefix        = optional(bool)
+    launch_template_version                = optional(string)
+    launch_template_default_version        = optional(string)
+    update_launch_template_default_version = optional(bool)
+    launch_template_description            = optional(string)
+    launch_template_tags                   = optional(map(string))
+    tag_specifications                     = optional(list(string))
+    ebs_optimized                          = optional(bool)
+    key_name                               = optional(string)
+    disable_api_termination                = optional(bool)
+    kernel_id                              = optional(string)
+    ram_disk_id                            = optional(string)
+    block_device_mappings = optional(map(object({
+      device_name = optional(string)
+      ebs = optional(object({
+        delete_on_termination      = optional(bool)
+        encrypted                  = optional(bool)
+        iops                       = optional(number)
+        kms_key_id                 = optional(string)
+        snapshot_id                = optional(string)
+        throughput                 = optional(number)
+        volume_initialization_rate = optional(number)
+        volume_size                = optional(number)
+        volume_type                = optional(string)
+      }))
+      no_device    = optional(string)
+      virtual_name = optional(string)
+    })))
+    capacity_reservation_specification = optional(object({
+      capacity_reservation_preference = optional(string)
+      capacity_reservation_target = optional(object({
+        capacity_reservation_id                 = optional(string)
+        capacity_reservation_resource_group_arn = optional(string)
+      }))
+    }))
+    cpu_options = optional(object({
+      amd_sev_snp      = optional(string)
+      core_count       = optional(number)
+      threads_per_core = optional(number)
+    }))
+    credit_specification = optional(object({
+      cpu_credits = optional(string)
+    }))
+    enclave_options = optional(object({
+      enabled = optional(bool)
+    }))
+    instance_market_options = optional(object({
+      market_type = optional(string)
+      spot_options = optional(object({
+        block_duration_minutes         = optional(number)
+        instance_interruption_behavior = optional(string)
+        max_price                      = optional(string)
+        spot_instance_type             = optional(string)
+        valid_until                    = optional(string)
+      }))
+    }))
+    license_specifications = optional(list(object({
+      license_configuration_arn = string
+    })))
+    metadata_options = optional(object({
+      http_endpoint               = optional(string)
+      http_protocol_ipv6          = optional(string)
+      http_put_response_hop_limit = optional(number)
+      http_tokens                 = optional(string)
+      instance_metadata_tags      = optional(string)
+    }))
+    enable_monitoring      = optional(bool)
+    enable_efa_support     = optional(bool)
+    enable_efa_only        = optional(bool)
+    efa_indices            = optional(list(string))
+    create_placement_group = optional(bool)
+    placement = optional(object({
+      affinity                = optional(string)
+      availability_zone       = optional(string)
+      group_name              = optional(string)
+      host_id                 = optional(string)
+      host_resource_group_arn = optional(string)
+      partition_number        = optional(number)
+      spread_domain           = optional(string)
+      tenancy                 = optional(string)
+    }))
+    network_interfaces = optional(list(object({
+      associate_carrier_ip_address = optional(bool)
+      associate_public_ip_address  = optional(bool)
+      connection_tracking_specification = optional(object({
+        tcp_established_timeout = optional(number)
+        udp_stream_timeout      = optional(number)
+        udp_timeout             = optional(number)
+      }))
+      delete_on_termination = optional(bool)
+      description           = optional(string)
+      device_index          = optional(number)
+      ena_srd_specification = optional(object({
+        ena_srd_enabled = optional(bool)
+        ena_srd_udp_specification = optional(object({
+          ena_srd_udp_enabled = optional(bool)
+        }))
+      }))
+      interface_type       = optional(string)
+      ipv4_address_count   = optional(number)
+      ipv4_addresses       = optional(list(string))
+      ipv4_prefix_count    = optional(number)
+      ipv4_prefixes        = optional(list(string))
+      ipv6_address_count   = optional(number)
+      ipv6_addresses       = optional(list(string))
+      ipv6_prefix_count    = optional(number)
+      ipv6_prefixes        = optional(list(string))
+      network_card_index   = optional(number)
+      network_interface_id = optional(string)
+      primary_ipv6         = optional(bool)
+      private_ip_address   = optional(string)
+      security_groups      = optional(list(string), [])
+      subnet_id            = optional(string)
+    })))
+    maintenance_options = optional(object({
+      auto_recovery = optional(string)
+    }))
+    private_dns_name_options = optional(object({
+      enable_resource_name_dns_aaaa_record = optional(bool)
+      enable_resource_name_dns_a_record    = optional(bool)
+      hostname_type                        = optional(string)
+    }))
+    # IAM role
+    create_iam_role               = optional(bool)
+    iam_role_arn                  = optional(string)
+    iam_role_name                 = optional(string)
+    iam_role_use_name_prefix      = optional(bool)
+    iam_role_path                 = optional(string)
+    iam_role_description          = optional(string)
+    iam_role_permissions_boundary = optional(string)
+    iam_role_tags                 = optional(map(string))
+    iam_role_attach_cni_policy    = optional(bool)
+    iam_role_additional_policies  = optional(map(string))
+    create_iam_role_policy        = optional(bool)
+    iam_role_policy_statements = optional(list(object({
+      sid           = optional(string)
+      actions       = optional(list(string))
+      not_actions   = optional(list(string))
+      effect        = optional(string)
+      resources     = optional(list(string))
+      not_resources = optional(list(string))
+      principals = optional(list(object({
+        type        = string
+        identifiers = list(string)
+      })))
+      not_principals = optional(list(object({
+        type        = string
+        identifiers = list(string)
+      })))
+      condition = optional(list(object({
+        test     = string
+        values   = list(string)
+        variable = string
+      })))
+    })))
+    # Security group
+    vpc_security_group_ids                = optional(list(string), [])
+    attach_cluster_primary_security_group = optional(bool, false)
+    cluster_primary_security_group_id     = optional(string)
+    create_security_group                 = optional(bool)
+    security_group_name                   = optional(string)
+    security_group_use_name_prefix        = optional(bool)
+    security_group_description            = optional(string)
+    security_group_ingress_rules = optional(map(object({
+      name                         = optional(string)
+      cidr_ipv4                    = optional(string)
+      cidr_ipv6                    = optional(string)
+      description                  = optional(string)
+      from_port                    = optional(string)
+      ip_protocol                  = optional(string)
+      prefix_list_id               = optional(string)
+      referenced_security_group_id = optional(string)
+      self                         = optional(bool)
+      tags                         = optional(map(string))
+      to_port                      = optional(string)
+    })))
+    security_group_egress_rules = optional(map(object({
+      name                         = optional(string)
+      cidr_ipv4                    = optional(string)
+      cidr_ipv6                    = optional(string)
+      description                  = optional(string)
+      from_port                    = optional(string)
+      ip_protocol                  = optional(string)
+      prefix_list_id               = optional(string)
+      referenced_security_group_id = optional(string)
+      self                         = optional(bool)
+      tags                         = optional(map(string))
+      to_port                      = optional(string)
+    })), {})
+    security_group_tags = optional(map(string))
+
+    tags = optional(map(string))
+  }))
+  default = null
+}
+
 variable "eks_cluster_version" {
   type        = string
   description = "The Kubernetes version to run on the cluster. If not specified, the latest available version at resource creation is used and no upgrades will occur except those automatically triggered by EKS."