@renovate renovate bot commented Jul 23, 2025

This PR contains the following updates:

Package: github.com/terraform-aws-modules/terraform-aws-eks
Type: github
Update: major
Change: v20.28.0 -> v21.14.0

Release Notes

terraform-aws-modules/terraform-aws-eks (github.com/terraform-aws-modules/terraform-aws-eks)

v21.14.0

Compare Source

Features
  • Add support for EKS managed node group update_config.update_strategy (#​3626) (617dba6)

v21.13.0

Compare Source

Features

v21.12.0

Compare Source

Features

v21.11.0

Compare Source

Features

v21.10.1

Compare Source

Bug Fixes
  • Update minimum required version of AWS provider for provisioned control plane (#​3603) (dc4de4f)

v21.10.0

Compare Source

Features

v21.9.0

Compare Source

Features

v21.8.0

Compare Source

Features
  • Allow using inline policy for Karpenter controller role to mitigate policy size LimitExceeded error (#​3563) (0659a8d), closes #​3512

v21.7.0

Compare Source

Features
  • Add recommended security group rule for port 10251 to match EKS addon for metrics-server (#​3562) (de8c550)

v21.6.1

Compare Source

Bug Fixes

v21.6.0

Compare Source

Features
  • Use aws_service_principal data source for deriving IAM service principals (#​3539) (0b0ca66)

v21.5.0

Compare Source

Features
  • Allow for additional policy statements on sqs queue policy (#​3543) (67557e8)

v21.4.0

Compare Source

Features

v21.3.2

Compare Source

Bug Fixes
  • Incorporate AWS provider v6.15 corrections for EKS Auto Mode to support enabling/disabling EKS Auto Mode without affecting non-Auto Mode users (#​3526) (f5f6dae)

v21.3.1

Compare Source

Bug Fixes

v21.3.0

Compare Source

Features
  • Support EKS Auto Mode custom node pools only creation (#​3514) (165d7c8)

v21.2.0

Compare Source

Features
  • Update Karpenter controller policy and permissions to match upstream project (#​3510) (131db39)

v21.1.5

Compare Source

Bug Fixes
  • Ensure module created security group is included on any network interfaces created (#​3495) (fa1d422)

v21.1.4

Compare Source

Bug Fixes
  • Ensure module created security group is included on any network interfaces created (#​3493) (e5cff84)

v21.1.3

Compare Source

Bug Fixes
  • Correct addon timeout lookup/override logic to support global and addon specific settings (#​3492) (b236208)

v21.1.2

Compare Source

Bug Fixes
  • Remediate type mismatch for EFA interfaces and ensure correct (local) definition is used (#​3491) (3959b65)

v21.1.1

Compare Source

Bug Fixes
  • Correct metadata options loop condition due to variable definition defaults (#​3490) (b40968a)

v21.1.0

Compare Source

Features
  • Add support for deletion protection functionality in the cluster (#​3475) (83c9cd1)

v21.0.9

Compare Source

Bug Fixes
  • Allow disabling instance refresh on self-managed node groups (part deux) (#​3478) (ca8f37e)

v21.0.8

Compare Source

Bug Fixes
  • Allow disabling instance refresh on self-managed node groups (#​3473) (6a887ad)

v21.0.7

Compare Source

Bug Fixes
  • Correct access policy logic to support not providing a policy to associate (#​3464) (39be61d)

v21.0.6

Compare Source

Bug Fixes
  • Allow instance_requirements to be set in self-managed node groups (#​3455) (5322bf7)

v21.0.5

Compare Source

Bug Fixes
  • Correct addon logic lookup to pull latest addon version (#​3449) (55d7fa2)

v21.0.4

Compare Source

Bug Fixes
  • Correct encryption configuration enable logic; avoid creating Auto Mode policy when Auto Mode is not enabled (#​3439) (6b8a3d9)

v21.0.3

Compare Source

Bug Fixes
  • Correct variable defaults for ami_id and kubernetes_version (#​3437) (8807e0b)

v21.0.2

Compare Source

Bug Fixes
  • Move encryption_config default for resources out of type definition and to default variable value to allow disabling encryption (#​3436) (b37368f)

v21.0.1

Compare Source

Bug Fixes
  • Correct logic to try to use module created IAM role before falli… (#​3433) (97d4ebb)

v21.0.0

Compare Source

⚠ BREAKING CHANGES
  • Upgrade min AWS provider and Terraform versions to 6.0 and 1.5.7 respectively (#​3412)
List of backwards incompatible changes

See the UPGRADE-21.0.md for further details.

  • Terraform v1.5.7 is now minimum supported version
  • AWS provider v6.0.0 is now minimum supported version
  • TLS provider v4.0.0 is now minimum supported version
  • The aws-auth sub-module has been removed. Users who wish to utilize its functionality can continue to do so by specifying a v20.x version, or ~> v20.0 version constraint in their module source.
  • bootstrap_self_managed_addons is now hardcoded to false. This is a legacy setting and instead users should utilize the EKS addons API, which is what this module does by default. In conjunction with this change, the bootstrap_self_managed_addons is now ignored by the module to aid in upgrading without disruption (otherwise it would require cluster re-creation).
  • When enabling enable_efa_support or creating placement groups within a node group, users must now specify the correct subnet_ids; the module no longer tries to automatically select a suitable subnet.
  • EKS managed node group:
    • IMDS now defaults to a hop limit of 1 (previously was 2)
    • ami_type now defaults to AL2023_x86_64_STANDARD
    • enable_monitoring is now set to false by default
    • enable_efa_only is now set to true by default
    • use_latest_ami_release_version is now set to true by default
    • Support for autoscaling group schedules has been removed
  • Self-managed node group:
    • IMDS now defaults to a hop limit of 1 (previously was 2)
    • ami_type now defaults to AL2023_x86_64_STANDARD
    • enable_monitoring is now set to false by default
    • enable_efa_only is now set to true by default
    • Support for autoscaling group schedules has been removed
  • Karpenter:
    • Native support for IAM roles for service accounts (IRSA) has been removed; EKS Pod Identity is now enabled by default
    • Karpenter controller policies for versions prior to Karpenter v1 have been removed (i.e. v0.33); the v1 policy is now used by default
    • create_pod_identity_association is now set to true by default
  • addons.resolve_conflicts_on_create is now set to "NONE" by default (was "OVERWRITE").
  • addons.most_recent is now set to true by default (was false).
  • cluster_identity_providers.issuer_url is now required to be set by users; the prior incorrect default has been removed. See #​3055 and kubernetes/kubernetes#123561 for more details.
  • The OIDC issuer URL for IAM roles for service accounts (IRSA) has been changed to use the new dual stack oidc-eks endpoint instead of oidc.eks. This is to align with aws/containers-roadmap#2038 (comment)
Additional changes
Added
  • Support for region parameter to specify the AWS region for the resources created if different from the provider region.
  • Both the EKS managed and self-managed node groups now support creating their own security groups (again). This is primarily motivated by the changes for EFA support; previously users would need to specify enable_efa_support both at the cluster level (to add the appropriate security group rules to the shared node security group) as well as the node group level. However, it's not always desirable to have these rules across ALL node groups when they are really only required on the node group where EFA is utilized. And similarly for other use cases, users can create custom rules for a specific node group instead of applying them across ALL node groups.
Modified
  • Variable definitions now contain detailed object types in place of the previously used any type.
  • The embedded KMS key module definition has been updated to v4.0 to support the same version requirements as well as the new region argument.
Variable and output changes
  1. Removed variables:

    • enable_efa_support - users only need to set this within the node group configuration, as the module no longer manages EFA support at the cluster level.
    • enable_security_groups_for_pods - users can instead attach the arn:aws:iam::aws:policy/AmazonEKSVPCResourceController policy via iam_role_additional_policies if using security groups for pods.
    • eks-managed-node-group sub-module
      • cluster_service_ipv4_cidr - users should use cluster_service_cidr instead (for either IPv4 or IPv6).
      • elastic_gpu_specifications
      • elastic_inference_accelerator
      • platform - this is superseded by ami_type
      • placement_group_strategy - set to cluster by the module
      • placement_group_az - users will need to specify the correct subnet in subnet_ids
      • create_schedule
      • schedules
    • self-managed-node-group sub-module
      • elastic_gpu_specifications
      • elastic_inference_accelerator
      • platform - this is superseded by ami_type
      • create_schedule
      • schedules
      • placement_group_az - users will need to specify the correct subnet in subnet_ids
      • hibernation_options - not valid in EKS
      • min_elb_capacity - not valid in EKS
      • wait_for_elb_capacity - not valid in EKS
      • wait_for_capacity_timeout - not valid in EKS
      • default_cooldown - not valid in EKS
      • target_group_arns - not valid in EKS
      • service_linked_role_arn - not valid in EKS
      • warm_pool - not valid in EKS
    • fargate-profile sub-module
      • None
    • karpenter sub-module
      • enable_v1_permissions - v1 permissions are now the default
      • enable_irsa
      • irsa_oidc_provider_arn
      • irsa_namespace_service_accounts
      • irsa_assume_role_condition_test
  2. Renamed variables:

    • Variables prefixed with cluster_* have been stripped of the prefix to better match the underlying API:
      • cluster_name -> name
      • cluster_version -> kubernetes_version
      • cluster_enabled_log_types -> enabled_log_types
      • cluster_force_update_version -> force_update_version
      • cluster_compute_config -> compute_config
      • cluster_upgrade_policy -> upgrade_policy
      • cluster_remote_network_config -> remote_network_config
      • cluster_zonal_shift_config -> zonal_shift_config
      • cluster_additional_security_group_ids -> additional_security_group_ids
      • cluster_endpoint_private_access -> endpoint_private_access
      • cluster_endpoint_public_access -> endpoint_public_access
      • cluster_endpoint_public_access_cidrs -> endpoint_public_access_cidrs
      • cluster_ip_family -> ip_family
      • cluster_service_ipv4_cidr -> service_ipv4_cidr
      • cluster_service_ipv6_cidr -> service_ipv6_cidr
      • cluster_encryption_config -> encryption_config
      • create_cluster_primary_security_group_tags -> create_primary_security_group_tags
      • cluster_timeouts -> timeouts
      • create_cluster_security_group -> create_security_group
      • cluster_security_group_id -> security_group_id
      • cluster_security_group_name -> security_group_name
      • cluster_security_group_use_name_prefix -> security_group_use_name_prefix
      • cluster_security_group_description -> security_group_description
      • cluster_security_group_additional_rules -> security_group_additional_rules
      • cluster_security_group_tags -> security_group_tags
      • cluster_encryption_policy_use_name_prefix -> encryption_policy_use_name_prefix
      • cluster_encryption_policy_name -> encryption_policy_name
      • cluster_encryption_policy_description -> encryption_policy_description
      • cluster_encryption_policy_path -> encryption_policy_path
      • cluster_encryption_policy_tags -> encryption_policy_tags
      • cluster_addons -> addons
      • cluster_addons_timeouts -> addons_timeouts
      • cluster_identity_providers -> identity_providers
    • eks-managed-node-group sub-module
      • cluster_version -> kubernetes_version
    • self-managed-node-group sub-module
      • cluster_version -> kubernetes_version
      • delete_timeout -> timeouts
    • fargate-profile sub-module
      • None
    • karpenter sub-module
      • None
  3. Added variables:

    • region
    • eks-managed-node-group sub-module
      • region
      • partition - added to reduce number of GET requests from data sources when possible
      • account_id - added to reduce number of GET requests from data sources when possible
      • create_security_group
      • security_group_name
      • security_group_use_name_prefix
      • security_group_description
      • security_group_ingress_rules
      • security_group_egress_rules
      • security_group_tags
    • self-managed-node-group sub-module
      • region
      • partition - added to reduce number of GET requests from data sources when possible
      • account_id - added to reduce number of GET requests from data sources when possible
      • create_security_group
      • security_group_name
      • security_group_use_name_prefix
      • security_group_description
      • security_group_ingress_rules
      • security_group_egress_rules
      • security_group_tags
    • fargate-profile sub-module
      • region
      • partition - added to reduce number of GET requests from data sources when possible
      • account_id - added to reduce number of GET requests from data sources when possible
    • karpenter sub-module
      • region
  4. Removed outputs:

    • eks-managed-node-group sub-module
      • platform - this is superseded by ami_type
      • autoscaling_group_schedule_arns
    • self-managed-node-group sub-module
      • platform - this is superseded by ami_type
      • autoscaling_group_schedule_arns
    • fargate-profile sub-module
      • None
    • karpenter sub-module
      • None
  5. Renamed outputs:

    • eks-managed-node-group sub-module
      • None
    • self-managed-node-group sub-module
      • None
    • fargate-profile sub-module
      • None
    • karpenter sub-module
      • None
  6. Added outputs:

    • eks-managed-node-group sub-module
      • security_group_arn
      • security_group_id
    • self-managed-node-group sub-module
      • security_group_arn
      • security_group_id
    • fargate-profile sub-module
      • None
    • karpenter sub-module
      • None

v20.37.2

Compare Source

Bug Fixes
  • Allow for both amazonaws.com.cn and amazonaws.com conditions in PassRole as required for AWS CN (#​3422) (83b68fd)

v20.37.1

Compare Source

Bug Fixes
  • Restrict AWS provider max version due to v6 provider breaking changes (#​3384) (681a868)

v20.37.0

Compare Source

Features

v20.36.1

Compare Source

Bug Fixes
  • Ensure additional_cluster_dns_ips is passed through from root module (#​3376) (7a83b1b)

v20.36.0

Compare Source

Features

v20.35.0

Compare Source

Features
  • Default to not changing autoscaling schedule values at the scheduled time (#​3322) (abf76f6)

v20.34.0

Compare Source

Features
  • Add capacity reservation permissions to Karpenter IAM policy (#​3318) (770ee99)

v20.33.1

Compare Source

Bug Fixes
  • Allow "EC2" access entry type for EKS Auto Mode custom node pools (#​3281) (3e2ea83)

v20.33.0

Compare Source

Features

v20.32.0

Compare Source

Features

v20.31.6

Compare Source

Bug Fixes

v20.31.5

Compare Source

Bug Fixes

v20.31.4

Compare Source

Bug Fixes
  • Auto Mode custom tag policy should apply to cluster role, not node role (#​3242) (a07013a)

v20.31.3

Compare Source

Bug Fixes
  • Update min provider version to remediate cluster replacement when enabling EKS Auto Mode (#​3240) (012e51c)

v20.31.2

Compare Source

Bug Fixes
  • Avoid trying to attach the node role when Auto Mode nodepools are not specified (#​3239) (ce34f1d)

v20.31.1

Compare Source

Bug Fixes
  • Create EKS Auto Mode role when Auto Mode is enabled, regardless of built-in node pool use (#​3234) (e2846be)

v20.31.0

Compare Source

Features

v20.30.1

Compare Source

Bug Fixes
  • Coalesce local resolve_conflicts_on_create_default value to a boolean since default is null (#​3221) (35388bb)

v20.30.0

Compare Source

Features
  • Improve addon dependency chain and decrease time to provision addons (due to retries) (#​3218) (ab2207d)

v20.29.0

Compare Source

Features
  • Add support for pod identity association on EKS addons (#​3203) (a224334)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
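
A pre-upgrade check for the v21 root-module variable changes listed in the release notes above, as an added example that is not part of this PR or of the module's own code. It flags top-level arguments of an EKS module block that v21 renames or removes; the `scan` helper, the constructed `SAMPLE` input and the registry source string `terraform-aws-modules/eks/aws` are assumptions, and the parse is line-based rather than a full HCL parser.

```python
import re
# Root-module variables whose cluster_ prefix was stripped in v21 (list from this page).
_STRIPPED = """name enabled_log_types force_update_version compute_config upgrade_policy
remote_network_config zonal_shift_config additional_security_group_ids
endpoint_private_access endpoint_public_access endpoint_public_access_cidrs
ip_family service_ipv4_cidr service_ipv6_cidr encryption_config timeouts
security_group_id security_group_name security_group_use_name_prefix
security_group_description security_group_additional_rules security_group_tags
encryption_policy_use_name_prefix encryption_policy_name encryption_policy_description
encryption_policy_path encryption_policy_tags addons addons_timeouts identity_providers""".split()
RENAMED = {f"cluster_{n}": n for n in _STRIPPED}
RENAMED.update({  # renames on the page that are not a plain prefix strip
    "cluster_version": "kubernetes_version",
    "create_cluster_security_group": "create_security_group",
    "create_cluster_primary_security_group_tags": "create_primary_security_group_tags",
})
# Root-module variables the page lists as removed in v21.
REMOVED = {"enable_efa_support", "enable_security_groups_for_pods"}
_MODULE = re.compile(r'^\s*module\s+"([^"]+)"\s*\{')
_ARG = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=')

def scan(hcl):
    """Return (module, line, v20_argument, v21_name or None if removed) tuples."""
    findings, pending, module, source, depth = [], [], None, "", 0
    for no, raw in enumerate(hcl.splitlines(), 1):
        if module is None:
            m = _MODULE.match(raw)
            if m:
                module, source, depth, pending = m.group(1), "", 1, []
            continue
        # Blank out string literals and comments so their braces are not counted.
        line = re.split(r"#|//", re.sub(r'"[^"]*"', '""', raw))[0]
        arg = _ARG.match(line)
        if arg and depth == 1:  # only top-level arguments of the module block
            name = arg.group(1)
            if name == "source":
                source = raw.split('"')[1] if '"' in raw else ""
            elif name in RENAMED or name in REMOVED:
                pending.append((module, no, name, RENAMED.get(name)))
        depth += line.count("{") - line.count("}")
        if depth <= 0:  # block closed: keep findings only for the EKS module
            if "terraform-aws-eks" in source or "terraform-aws-modules/eks" in source:
                findings.extend(pending)
            module = None
    return findings

# Constructed v20-style module call (not taken from the repository in this PR).
SAMPLE = '''module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "20.28.0"
  cluster_name                   = "demo"
  cluster_version                = "1.30"
  cluster_endpoint_public_access = true
  enable_efa_support             = true
  eks_managed_node_groups = {
    default = { instance_types = ["m5.large"] }
  }
}
'''
```

The check covers only the root module's renamed and removed variables; the sub-module changes and the changed defaults (IMDS hop limit, addons.resolve_conflicts_on_create, Karpenter Pod Identity) still need a manual review of the plan output.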

@renovate renovate bot requested a review from a team as a code owner July 23, 2025 21:32
@renovate renovate bot requested review from ArchiFleKs and rguichard and removed request for a team July 23, 2025 21:32
@renovate renovate bot force-pushed the renovate/github.com-terraform-aws-modules-terraform-aws-eks-21.x branch 5 times, most recently from 7c4fab5 to 1720e0e Compare July 30, 2025 20:03
@renovate renovate bot force-pushed the renovate/github.com-terraform-aws-modules-terraform-aws-eks-21.x branch 2 times, most recently from 488e6a4 to 949f879 Compare August 7, 2025 22:01
@renovate renovate bot force-pushed the renovate/github.com-terraform-aws-modules-terraform-aws-eks-21.x branch 2 times, most recently from 19716e3 to 6416499 Compare August 15, 2025 17:28
@renovate renovate bot force-pushed the renovate/github.com-terraform-aws-modules-terraform-aws-eks-21.x branch 4 times, most recently from 9d99c56 to 412f910 Compare August 26, 2025 02:53
@renovate renovate bot force-pushed the renovate/github.com-terraform-aws-modules-terraform-aws-eks-21.x branch 3 times, most recently from 08e9608 to df01331 Compare September 16, 2025 22:28
@renovate renovate bot force-pushed the renovate/github.com-terraform-aws-modules-terraform-aws-eks-21.x branch from df01331 to f40d74e Compare October 6, 2025 18:36
@renovate renovate bot force-pushed the renovate/github.com-terraform-aws-modules-terraform-aws-eks-21.x branch 3 times, most recently from 40bc236 to 18fe2f2 Compare October 21, 2025 11:09
@renovate renovate bot force-pushed the renovate/github.com-terraform-aws-modules-terraform-aws-eks-21.x branch 2 times, most recently from e73f036 to 0a3dcbb Compare October 27, 2025 21:56
@renovate renovate bot force-pushed the renovate/github.com-terraform-aws-modules-terraform-aws-eks-21.x branch from 0a3dcbb to 3a8342b Compare November 16, 2025 17:27
@renovate renovate bot force-pushed the renovate/github.com-terraform-aws-modules-terraform-aws-eks-21.x branch 2 times, most recently from 0196c97 to 7c80300 Compare November 29, 2025 02:37
@renovate renovate bot force-pushed the renovate/github.com-terraform-aws-modules-terraform-aws-eks-21.x branch from 7c80300 to e4b73cb Compare January 5, 2026 22:09
@renovate renovate bot force-pushed the renovate/github.com-terraform-aws-modules-terraform-aws-eks-21.x branch 2 times, most recently from f0cdc9f to 8081987 Compare January 13, 2026 15:15
…es/terraform-aws-eks to v21

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/github.com-terraform-aws-modules-terraform-aws-eks-21.x branch from 8081987 to 8ada662 Compare January 13, 2026 17:13