{"name":"eks","version":"4.2.0","description":"Pulumi Amazon Web Services (AWS) EKS Components.","keywords":["pulumi","aws","eks"],"homepage":"https://pulumi.com","license":"Apache-2.0","repository":"https://github.com/pulumi/pulumi-eks","language":{"csharp":{"liftSingleValueMethodReturns":true,"packageReferences":{"Pulumi":"3.*","Pulumi.Aws":"7.*","Pulumi.Kubernetes":"4.*"},"respectSchemaVersion":true},"go":{"generateResourceContainerTypes":true,"importBasePath":"github.com/pulumi/pulumi-eks/sdk/v4/go/eks","internalModuleName":"utilities","liftSingleValueMethodReturns":true,"respectSchemaVersion":true},"java":{"dependencies":{"com.pulumi:aws":"7.14.0","com.pulumi:kubernetes":"4.19.0"}},"nodejs":{"dependencies":{"@pulumi/aws":"^7.14.0","@pulumi/kubernetes":"^4.19.0","https-proxy-agent":"^5.0.1","js-yaml":"^4.1.0","netmask":"^2.0.2","semver":"^7.3.7","which":"^1.3.1"},"devDependencies":{"@types/js-yaml":"^4.0.5","@types/netmask":"^1.0.30","@types/node":"^18.11.13","@types/semver":"^7.3.10","@types/which":"^1.3.1","typescript":"^4.6.2"},"respectSchemaVersion":true},"python":{"liftSingleValueMethodReturns":true,"pyproject":{"enabled":true},"readme":"Pulumi Amazon Web Services (AWS) EKS Components.","requires":{"pulumi-aws":"\u003e=7.14.0,\u003c8.0.0","pulumi-kubernetes":"\u003e=4.19.0,\u003c5.0.0"},"respectSchemaVersion":true,"usesIOClasses":true}},"config":{},"types":{"eks:index:AccessEntry":{"description":"Access entries allow an IAM principal to access your cluster.\n\nYou have the following options for authorizing an IAM principal to access Kubernetes objects on your cluster: Kubernetes role-based access control (RBAC), Amazon EKS, or both.\nKubernetes RBAC authorization requires you to create and manage Kubernetes Role , ClusterRole , RoleBinding , and ClusterRoleBinding objects, in addition to managing access entries. 
If you use Amazon EKS authorization exclusively, you don't need to create and manage Kubernetes Role, ClusterRole, RoleBinding, and ClusterRoleBinding objects.","properties":{"accessPolicies":{"type":"object","additionalProperties":{"$ref":"#/types/eks:index:AccessPolicyAssociation"},"plain":true,"description":"The access policies to associate with the access entry."},"kubernetesGroups":{"type":"array","items":{"type":"string"},"description":"A list of groups within Kubernetes to which the IAM principal is mapped."},"principalArn":{"type":"string","description":"The IAM Principal ARN which requires Authentication access to the EKS cluster."},"tags":{"type":"object","additionalProperties":{"type":"string"},"description":"The tags to apply to the AccessEntry."},"type":{"$ref":"#/types/eks:index:AccessEntryType","description":"The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX, EC2_LINUX, and EC2_WINDOWS.\nDefaults to STANDARD which provides the standard workflow. EC2_LINUX, EC2_WINDOWS, FARGATE_LINUX types do not allow users to input a username or kubernetesGroup, and prevent associating access policies."},"username":{"type":"string","description":"Defaults to the principalArn if the principal is a user, else defaults to assume-role/session-name."}},"type":"object","required":["principalArn"]},"eks:index:AccessEntryType":{"description":"The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX, EC2_LINUX, and EC2_WINDOWS.\nDefaults to STANDARD which provides the standard workflow. EC2_LINUX and EC2_WINDOWS types do not allow users to input a kubernetesGroup, and prevent associating access policies.","type":"string","enum":[{"name":"Standard","description":"Standard Access Entry Workflow. 
Allows users to input a username and kubernetesGroup, and to associate access policies.","value":"STANDARD"},{"name":"FargateLinux","description":"For IAM roles used with AWS Fargate profiles.","value":"FARGATE_LINUX"},{"name":"EC2Linux","description":"For IAM roles associated with self-managed Linux node groups. Allows the nodes to join the cluster.","value":"EC2_LINUX"},{"name":"EC2Windows","description":"For IAM roles associated with self-managed Windows node groups. Allows the nodes to join the cluster.","value":"EC2_WINDOWS"},{"name":"EC2","description":"For IAM roles associated with EC2 instances that need access policies. Allows the nodes to join the cluster.","value":"EC2"}]},"eks:index:AccessPolicyAssociation":{"description":"Associates an access policy and its scope to an IAM principal.\n\nSee for more details:\nhttps://docs.aws.amazon.com/eks/latest/userguide/access-entries.html","properties":{"accessScope":{"$ref":"/aws/v7.14.0/schema.json#/types/aws:eks%2FAccessPolicyAssociationAccessScope:AccessPolicyAssociationAccessScope","description":"The scope of the access policy association. This controls whether the access policy is scoped to the cluster or to a particular namespace."},"policyArn":{"type":"string","description":"The ARN of the access policy to associate with the principal"}},"type":"object","required":["policyArn","accessScope"]},"eks:index:AmiType":{"description":"Predefined AMI types for EKS optimized AMIs. Can be used to select the latest EKS optimized AMI for a node group.","type":"string","enum":[{"name":"AL2X86_64","value":"AL2_x86_64","deprecationMessage":"Amazon Linux 2 is deprecated. Please use Amazon Linux 2023 instead.\nSee for more details: https://docs.aws.amazon.com/eks/latest/userguide/al2023.html"},{"name":"AL2X86_64GPU","value":"AL2_x86_64_GPU","deprecationMessage":"Amazon Linux 2 is deprecated. 
Please use Amazon Linux 2023 instead.\nSee for more details: https://docs.aws.amazon.com/eks/latest/userguide/al2023.html"},{"name":"AL2Arm64","value":"AL2_ARM_64","deprecationMessage":"Amazon Linux 2 is deprecated. Please use Amazon Linux 2023 instead.\nSee for more details: https://docs.aws.amazon.com/eks/latest/userguide/al2023.html"},{"name":"AL2023X86_64Standard","value":"AL2023_x86_64_STANDARD"},{"name":"AL2023Arm64Standard","value":"AL2023_ARM_64_STANDARD"},{"name":"AL2023X86_64Nvidia","value":"AL2023_x86_64_NVIDIA"},{"name":"BottlerocketArm64","value":"BOTTLEROCKET_ARM_64"},{"name":"BottlerocketX86_64","value":"BOTTLEROCKET_x86_64"},{"name":"BottlerocketArm64Nvidia","value":"BOTTLEROCKET_ARM_64_NVIDIA"},{"name":"BottlerocketX86_64Nvidia","value":"BOTTLEROCKET_x86_64_NVIDIA"}]},"eks:index:AuthenticationMode":{"description":"The authentication mode of the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`.\n\nSee for more details:\nhttps://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html#set-cam","type":"string","enum":[{"name":"ConfigMap","description":"Only aws-auth ConfigMap will be used for authenticating to the Kubernetes API.","value":"CONFIG_MAP","deprecationMessage":"The aws-auth ConfigMap is deprecated. The recommended method to manage access to Kubernetes APIs is Access Entries with the AuthenticationMode API.\nFor more information and instructions how to upgrade, see https://docs.aws.amazon.com/eks/latest/userguide/migrating-access-entries.html."},{"name":"Api","description":"Only Access Entries will be used for authenticating to the Kubernetes API.","value":"API"},{"name":"ApiAndConfigMap","description":"Both aws-auth ConfigMap and Access Entries can be used for authenticating to the Kubernetes API.","value":"API_AND_CONFIG_MAP","deprecationMessage":"The aws-auth ConfigMap is deprecated. 
The recommended method to manage access to Kubernetes APIs is Access Entries with the AuthenticationMode API.\nFor more information and instructions how to upgrade, see https://docs.aws.amazon.com/eks/latest/userguide/migrating-access-entries.html."}]},"eks:index:AutoModeOptions":{"description":"Configuration Options for EKS Auto Mode. If EKS Auto Mode is enabled, AWS will manage cluster infrastructure on your behalf.\n\nFor more information, see: https://docs.aws.amazon.com/eks/latest/userguide/automode.html","properties":{"computeConfig":{"$ref":"#/types/eks:index:ClusterComputeConfig","description":"Compute configuration for EKS Auto Mode."},"createNodeRole":{"type":"boolean","plain":true,"description":"Whether to create an IAM role for the EKS Auto Mode node group if none is provided in `computeConfig`.","default":true},"enabled":{"type":"boolean","plain":true,"description":"Whether to enable EKS Auto Mode. If enabled, EKS will manage node pools, EBS volumes and Load Balancers for you.\nWhen enabled, the vpc-cni and kube-proxy will not be enabled by default because EKS Auto Mode includes pod networking capabilities."}},"type":"object","required":["enabled"]},"eks:index:ClusterComputeConfig":{"description":"Configuration for the compute capability of your EKS Auto Mode cluster.","properties":{"nodePools":{"type":"array","items":{"type":"string"},"description":"Configuration for node pools that defines the compute resources for your EKS Auto Mode cluster. Valid options are `general-purpose` and `system`.\n\nBy default, the built-in `system` and `general-purpose` nodepools are enabled."},"nodeRoleArn":{"type":"string","description":"The ARN of the IAM Role EKS will assign to EC2 Managed Instances in your EKS Auto Mode cluster. 
This value cannot be changed after the compute capability of EKS Auto Mode is enabled."}},"type":"object"},"eks:index:ClusterNodeGroupOptions":{"description":"Describes the configuration options accepted by a cluster to create its own node groups.","properties":{"amiId":{"type":"string","description":"The AMI ID to use for the worker nodes.\n\nDefaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.\n\nNote: `amiId` and `gpu` are mutually exclusive.\n\nSee for more details:\n- https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html."},"amiType":{"type":"string","description":"The AMI Type to use for the worker nodes. \n\nOnly applicable when setting an AMI ID that is of type `arm64`. \n\nNote: `amiType` and `gpu` are mutually exclusive.\n\n"},"autoScalingGroupTags":{"type":"object","additionalProperties":{"type":"string"},"description":"The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.\n\nPer AWS, all stack-level tags, including automatically created tags, and the `cloudFormationTags` option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html\n\nNote: Given the inheritance of auto-generated CF tags and `cloudFormationTags`, you should either supply the tag in `autoScalingGroupTags` or `cloudFormationTags`, but not both."},"bootstrapExtraArgs":{"type":"string","description":"Additional args to pass directly to `/etc/eks/bootstrap.sh`. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. 
Note that the `--apiserver-endpoint`, `--b64-cluster-ca` and `--kubelet-extra-args` flags are included automatically based on other configuration parameters."},"bottlerocketSettings":{"type":"object","additionalProperties":{"$ref":"pulumi.json#/Any"},"description":"The configuration settings for Bottlerocket OS.\nThe settings will get merged with the base settings the provider uses to configure Bottlerocket.\n\nThis includes:\n  - settings.kubernetes.api-server\n  - settings.kubernetes.cluster-certificate\n  - settings.kubernetes.cluster-name\n  - settings.kubernetes.cluster-dns-ip\n\nFor an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/."},"cloudFormationTags":{"type":"object","additionalProperties":{"type":"string"},"description":"The tags to apply to the CloudFormation Stack of the Worker NodeGroup.\n\nNote: Given the inheritance of auto-generated CF tags and `cloudFormationTags`, you should either supply the tag in `autoScalingGroupTags` or `cloudFormationTags`, but not both."},"clusterIngressRule":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:ec2%2FsecurityGroupRule:SecurityGroupRule","description":"The ingress rule that gives node group access."},"clusterIngressRuleId":{"type":"string","description":"The ID of the ingress rule that gives node group access."},"desiredCapacity":{"type":"integer","description":"The number of worker nodes that should be running in the cluster. Defaults to 2."},"enableDetailedMonitoring":{"type":"boolean","description":"Enables/disables detailed monitoring of the EC2 instances.\n\nWith detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals.\nWhen enabled, you can also get aggregated data across groups of similar instances.\n\nNote: You are charged per metric that is sent to CloudWatch. 
You are not charged for data storage.\nFor more information, see \"Paid tier\" and \"Example 1 - EC2 Detailed Monitoring\" here https://aws.amazon.com/cloudwatch/pricing/."},"encryptRootBlockDevice":{"type":"boolean","description":"Encrypt the root block device of the nodes in the node group."},"extraNodeSecurityGroups":{"type":"array","items":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"},"description":"Extra security groups to attach on all nodes in this worker node group.\n\nThis additional set of security groups captures any user application rules that will be needed for the nodes."},"gpu":{"type":"boolean","description":"Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.\n\nDefaults to false.\n\nNote: `gpu` and `amiId` are mutually exclusive.\n\nSee for more details:\n- https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html\n- https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html"},"ignoreScalingChanges":{"type":"boolean","plain":true,"description":"Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.\n\nSee [EKS best practices](https://aws.github.io/aws-eks-best-practices/cluster-autoscaling/) for more details."},"instanceProfile":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:iam%2FinstanceProfile:InstanceProfile","plain":true,"description":"The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive."},"instanceProfileName":{"type":"string","description":"The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive."},"instanceType":{"type":"string","description":"The instance type to use for the cluster's nodes. 
Defaults to \"t3.medium\"."},"keyName":{"type":"string","description":"Name of the key pair to use for SSH access to worker nodes."},"kubeletExtraArgs":{"type":"string","description":"Extra args to pass to the Kubelet. Corresponds to the options passed in the `--kubelet-extra-args` flag to `/etc/eks/bootstrap.sh`. For example, '--port=10251 --address=0.0.0.0'. Note that the `labels` and `taints` properties will be applied to this list (using `--node-labels` and `--register-with-taints` respectively) after the explicit `kubeletExtraArgs`."},"labels":{"type":"object","additionalProperties":{"type":"string"},"description":"Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the `--node-labels` kubelet argument."},"launchTemplateTagSpecifications":{"type":"array","items":{"$ref":"/aws/v7.14.0/schema.json#/types/aws:ec2%2FLaunchTemplateTagSpecification:LaunchTemplateTagSpecification"},"description":"The tag specifications to apply to the launch template."},"maxSize":{"type":"integer","description":"The maximum number of worker nodes running in the cluster. Defaults to 2."},"minRefreshPercentage":{"type":"integer","description":"The minimum amount of instances that should remain available during an instance refresh, expressed as a percentage. Defaults to 50."},"minSize":{"type":"integer","description":"The minimum number of worker nodes running in the cluster. Defaults to 1."},"nodeAssociatePublicIpAddress":{"type":"boolean","description":"Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs."},"nodePublicKey":{"type":"string","description":"Public key material for SSH access to worker nodes. 
See allowed formats at:\nhttps://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html\nIf not provided, no SSH access is enabled on VMs."},"nodeRootVolumeDeleteOnTermination":{"type":"boolean","description":"Whether the root block device should be deleted on termination of the instance. Defaults to true."},"nodeRootVolumeEncrypted":{"type":"boolean","description":"Whether to encrypt a cluster node's root volume. Defaults to false."},"nodeRootVolumeIops":{"type":"integer","description":"The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'."},"nodeRootVolumeSize":{"type":"integer","description":"The size in GiB of a cluster node's root volume. Defaults to 20."},"nodeRootVolumeThroughput":{"type":"integer","description":"Provisioned throughput performance in integer MiB/s for a cluster node's root volume. This is only valid with a volumeType of 'gp3'."},"nodeRootVolumeType":{"type":"string","description":"Configured EBS type for a cluster node's root volume. Default is 'gp2'. 
Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'."},"nodeSecurityGroup":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup","description":"The security group for the worker node group to communicate with the cluster.\n\nThis security group requires specific inbound and outbound rules.\n\nSee for more details:\nhttps://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html\n\nNote: The `nodeSecurityGroup` option and the cluster option`nodeSecurityGroupTags` are mutually exclusive."},"nodeSecurityGroupId":{"type":"string","description":"The ID of the security group for the worker node group to communicate with the cluster.\n\nThis security group requires specific inbound and outbound rules.\n\nSee for more details:\nhttps://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html\n\nNote: The `nodeSecurityGroupId` option and the cluster option `nodeSecurityGroupTags` are mutually exclusive."},"nodeSubnetIds":{"type":"array","items":{"type":"string"},"description":"The set of subnets to override and use for the worker node group.\n\nSetting this option overrides which subnets to use for the worker node group, regardless if the cluster's `subnetIds` is set, or if `publicSubnetIds` and/or `privateSubnetIds` were set."},"nodeUserData":{"type":"string","description":"Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a `#!`)."},"nodeUserDataOverride":{"type":"string","description":"User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. 
This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).\n\nSee for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html"},"nodeadmExtraOptions":{"type":"array","items":{"$ref":"#/types/eks:index:NodeadmOptions"},"description":"Extra nodeadm configuration sections to be added to the nodeadm user data. This can be shell scripts, nodeadm NodeConfig or any other user data compatible script. When configuring additional nodeadm NodeConfig sections, they'll be merged with the base settings the provider sets. You can overwrite base settings or provide additional settings this way.\nThe base settings the provider sets are:\n  - cluster.name\n  - cluster.apiServerEndpoint\n  - cluster.certificateAuthority\n  - cluster.cidr\n\nNote: This is only applicable when using AL2023.\nSee for more details:\n  - https://awslabs.github.io/amazon-eks-ami/nodeadm/\n  - https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/"},"operatingSystem":{"$ref":"#/types/eks:index:OperatingSystem","description":"The type of OS to use for the node group. Will be used to determine the right EKS optimized AMI to use based on the instance types and gpu configuration.\nValid values are `RECOMMENDED`, `AL2`, `AL2023` and `Bottlerocket`.\n\nDefaults to the current recommended OS."},"spotPrice":{"type":"string","description":"Bidding price for spot instance. If set, only spot instances will be added as worker node."},"taints":{"type":"object","additionalProperties":{"$ref":"#/types/eks:index:Taint"},"description":"Custom k8s node taints to be attached to each worker node. Adds the given taints to the `--register-with-taints` kubelet argument"},"version":{"type":"string","description":"Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used."}},"type":"object"},"eks:index:ClusterNodePools":{"description":"Built-in node pools of EKS Auto Mode. 
For more details see: https://docs.aws.amazon.com/eks/latest/userguide/set-builtin-node-pools.html","type":"string","enum":[{"name":"System","description":"This NodePool has a `CriticalAddonsOnly` taint. Many EKS addons, such as CoreDNS, tolerate this taint. Use this system node pool to segregate cluster-critical applications. Supports both `amd64` and `arm64` architectures.","value":"system"},{"name":"GeneralPurpose","description":"This NodePool provides support for launching nodes for general purpose workloads in your cluster. Only supports `amd64` architecture.","value":"general-purpose"}]},"eks:index:CoreData":{"description":"Defines the core set of data associated with an EKS cluster, including the network in which it runs.","properties":{"accessEntries":{"type":"array","items":{"$ref":"#/types/eks:index:AccessEntry"},"description":"The access entries added to the cluster."},"awsProvider":{"$ref":"/aws/v7.14.0/schema.json#/provider"},"cluster":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:eks%2Fcluster:Cluster"},"clusterIamRole":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:iam%2Frole:Role","description":"The IAM Role attached to the EKS Cluster"},"clusterSecurityGroup":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"},"eksNodeAccess":{"$ref":"/kubernetes/v4.19.0/schema.json#/resources/kubernetes:core%2Fv1:ConfigMap"},"encryptionConfig":{"$ref":"/aws/v7.14.0/schema.json#/types/aws:eks%2FClusterEncryptionConfig:ClusterEncryptionConfig"},"endpoint":{"type":"string","description":"The EKS cluster's Kubernetes API server endpoint."},"fargateProfile":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:eks%2FfargateProfile:FargateProfile","description":"The Fargate profile used to manage which pods run on Fargate."},"instanceRoles":{"type":"array","items":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:iam%2Frole:Role"},"description":"The IAM instance roles for the cluster's 
nodes."},"kubeconfig":{"$ref":"pulumi.json#/Any","description":"The kubeconfig file for the cluster."},"nodeGroupOptions":{"$ref":"#/types/eks:index:ClusterNodeGroupOptions","description":"The cluster's node group options."},"nodeSecurityGroupTags":{"type":"object","additionalProperties":{"type":"string"},"description":"Tags attached to the security groups associated with the cluster's worker nodes."},"oidcProvider":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:iam%2FopenIdConnectProvider:OpenIdConnectProvider"},"privateSubnetIds":{"type":"array","items":{"type":"string"},"description":"List of subnet IDs for the private subnets."},"provider":{"$ref":"/kubernetes/v4.19.0/schema.json#/provider"},"publicSubnetIds":{"type":"array","items":{"type":"string"},"description":"List of subnet IDs for the public subnets."},"storageClasses":{"type":"object","additionalProperties":{"$ref":"/kubernetes/v4.19.0/schema.json#/resources/kubernetes:storage.k8s.io%2Fv1:StorageClass"},"description":"The storage class used for persistent storage by the cluster."},"subnetIds":{"type":"array","items":{"type":"string"},"description":"List of subnet IDs for the EKS cluster."},"tags":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of tags assigned to the EKS cluster."},"vpcCni":{"$ref":"#/resources/eks:index:VpcCniAddon","description":"The VPC CNI for the cluster."},"vpcId":{"type":"string","description":"ID of the cluster's VPC."}},"type":"object","required":["cluster","vpcId","subnetIds","endpoint","provider","instanceRoles","nodeGroupOptions","clusterIamRole"]},"eks:index:CoreDnsAddonOptions":{"properties":{"configurationValues":{"type":"object","additionalProperties":{"$ref":"pulumi.json#/Any"},"description":"Custom configuration values for the coredns addon. 
This object must match the schema derived from [describe-addon-configuration](https://docs.aws.amazon.com/cli/latest/reference/eks/describe-addon-configuration.html)."},"enabled":{"type":"boolean","plain":true,"description":"Whether or not to create the `coredns` Addon in the cluster\n\nThe managed addon can only be enabled if the cluster is a Fargate cluster or if the cluster\nuses the default node group, otherwise the self-managed addon is used.","default":true},"resolveConflictsOnCreate":{"type":"string","$ref":"#/types/eks:index:ResolveConflictsOnCreate","plain":true,"description":"How to resolve field value conflicts when migrating a self-managed add-on to an Amazon EKS add-on. Valid values are `NONE` and `OVERWRITE`. For more details see the [CreateAddon](https://docs.aws.amazon.com/eks/latest/APIReference/API_CreateAddon.html) API Docs.","default":"OVERWRITE"},"resolveConflictsOnUpdate":{"type":"string","$ref":"#/types/eks:index:ResolveConflictsOnUpdate","plain":true,"description":"How to resolve field value conflicts for an Amazon EKS add-on if you've changed a value from the Amazon EKS default value. Valid values are `NONE`, `OVERWRITE`, and `PRESERVE`. For more details see the [UpdateAddon](https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html) API Docs.","default":"OVERWRITE"},"version":{"type":"string","description":"The version of the EKS add-on. The version must match one of the versions returned by [describe-addon-versions](https://docs.aws.amazon.com/cli/latest/reference/eks/describe-addon-versions.html)."}},"type":"object"},"eks:index:CreationRoleProvider":{"description":"Contains the AWS Role and Provider necessary to override the `[system:master]` entity ARN. This is an optional argument used when creating `Cluster`. Read more: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html\n\nNote: This option is only supported with Pulumi nodejs programs. 
Please use `ProviderCredentialOpts` as an alternative instead.","properties":{"provider":{"$ref":"/aws/v7.14.0/schema.json#/provider","plain":true},"role":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:iam%2Frole:Role","plain":true}},"type":"object","required":["role","provider"]},"eks:index:FargateProfile":{"description":"Defines how Kubernetes pods are executed in Fargate. See aws.eks.FargateProfileArgs for reference.","properties":{"podExecutionRoleArn":{"type":"string","description":"Specify a custom role to use for executing pods in Fargate. Defaults to creating a new role with the `arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy` policy attached."},"selectors":{"type":"array","items":{"$ref":"/aws/v7.14.0/schema.json#/types/aws:eks%2FFargateProfileSelector:FargateProfileSelector"},"description":"Specify the namespace and label selectors to use for launching pods into Fargate."},"subnetIds":{"type":"array","items":{"type":"string"},"description":"Specify the subnets in which to execute Fargate tasks for pods. Defaults to the private subnets associated with the cluster."}},"type":"object"},"eks:index:KubeProxyAddonOptions":{"properties":{"configurationValues":{"type":"object","additionalProperties":{"$ref":"pulumi.json#/Any"},"description":"Custom configuration values for the kube-proxy addon. This object must match the schema derived from [describe-addon-configuration](https://docs.aws.amazon.com/cli/latest/reference/eks/describe-addon-configuration.html)."},"enabled":{"type":"boolean","plain":true,"description":"Whether or not to create the `kube-proxy` Addon in the cluster. Defaults to true, unless `autoMode` is enabled."},"resolveConflictsOnCreate":{"type":"string","$ref":"#/types/eks:index:ResolveConflictsOnCreate","plain":true,"description":"How to resolve field value conflicts when migrating a self-managed add-on to an Amazon EKS add-on. Valid values are `NONE` and `OVERWRITE`. 
For more details see the [CreateAddon](https://docs.aws.amazon.com/eks/latest/APIReference/API_CreateAddon.html) API Docs.","default":"OVERWRITE"},"resolveConflictsOnUpdate":{"type":"string","$ref":"#/types/eks:index:ResolveConflictsOnUpdate","plain":true,"description":"How to resolve field value conflicts for an Amazon EKS add-on if you've changed a value from the Amazon EKS default value. Valid values are `NONE`, `OVERWRITE`, and `PRESERVE`. For more details see the [UpdateAddon](https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html) API Docs.","default":"OVERWRITE"},"version":{"type":"string","description":"The version of the EKS add-on. The version must match one of the versions returned by [describe-addon-versions](https://docs.aws.amazon.com/cli/latest/reference/eks/describe-addon-versions.html)."}},"type":"object"},"eks:index:KubeconfigOptions":{"description":"Represents the AWS credentials to scope a given kubeconfig when using a non-default credential chain.\n\nThe options can be used independently, or additively.\n\nA scoped kubeconfig is necessary for certain auth scenarios. For example:\n  1. Assume a role on the default account caller,\n  2. Use an AWS creds profile instead of the default account caller,\n  3. Use an AWS creds profile instead of the default account caller,\n     and then assume a given role on the profile. 
This scenario is also\n     possible by only using a profile, iff the profile includes a role to\n     assume in its settings.\n\nSee for more details:\n- https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html\n- https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html\n- https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html","properties":{"profileName":{"type":"string","description":"AWS credential profile name to always use instead of the default AWS credential provider chain.\n\nThe profile is passed to kubeconfig as an authentication environment setting."},"roleArn":{"type":"string","description":"Role ARN to assume instead of the default AWS credential provider chain.\n\nThe role is passed to kubeconfig as an authentication exec argument."}},"type":"object"},"eks:index:NodeGroupData":{"description":"NodeGroupData describes the resources created for the given NodeGroup.","properties":{"autoScalingGroup":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:autoscaling%2Fgroup:Group","description":"The AutoScalingGroup for the node group."},"extraNodeSecurityGroups":{"type":"array","items":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"},"description":"The additional security groups for the node group that captures user-specific rules."},"nodeSecurityGroup":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup","description":"The security group for the node group to communicate with the cluster."}},"type":"object","required":["nodeSecurityGroup","extraNodeSecurityGroups","autoScalingGroup"]},"eks:index:NodeadmOptions":{"description":"MIME document parts for nodeadm configuration. 
This can be shell scripts, nodeadm configuration or any other user data compatible script.\n\nSee for more details: https://awslabs.github.io/amazon-eks-ami/nodeadm/.","properties":{"content":{"type":"string","description":"The actual content of the MIME document part, such as shell script code or nodeadm configuration. Must be compatible with the specified contentType."},"contentType":{"type":"string","description":"The MIME type of the content. Examples are `text/x-shellscript; charset=\"us-ascii\"` for shell scripts, and `application/node.eks.aws` nodeadm configuration."}},"type":"object","required":["content","contentType"]},"eks:index:OperatingSystem":{"description":"The type of EKS optimized Operating System to use for node groups.\n\nSee for more details:\nhttps://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-amis.html","type":"string","enum":[{"name":"AL2","description":"EKS optimized OS based on Amazon Linux 2 (AL2).","value":"AL2","deprecationMessage":"Amazon Linux 2 is deprecated. Please use Amazon Linux 2023 instead.\nSee for more details: https://docs.aws.amazon.com/eks/latest/userguide/al2023.html"},{"name":"AL2023","description":"EKS optimized OS based on Amazon Linux 2023 (AL2023).\nSee for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html","value":"AL2023"},{"name":"Bottlerocket","description":"EKS optimized Container OS based on Bottlerocket.\nSee for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami-bottlerocket.html","value":"Bottlerocket"},{"name":"RECOMMENDED","description":"The recommended EKS optimized OS. 
Currently Amazon Linux 2023 (AL2023).\nThis will be kept up to date with AWS' recommendations for EKS optimized operating systems.\n\nSee for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html","value":"AL2023"}]},"eks:index:ResolveConflictsOnCreate":{"description":"How to resolve field value conflicts when migrating a self-managed add-on to an Amazon EKS add-on. Valid values are `NONE` and `OVERWRITE`. For more details see the [CreateAddon](https://docs.aws.amazon.com/eks/latest/APIReference/API_CreateAddon.html) API Docs.","type":"string","enum":[{"name":"None","description":"If the self-managed version of the add-on is installed on your cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail.","value":"NONE"},{"name":"Overwrite","description":"If the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value.","value":"OVERWRITE"}]},"eks:index:ResolveConflictsOnUpdate":{"description":"How to resolve field value conflicts for an Amazon EKS add-on if you've changed a value from the Amazon EKS default value. Valid values are `NONE`, `OVERWRITE`, and `PRESERVE`. For more details see the [UpdateAddon](https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html) API Docs.","type":"string","enum":[{"name":"None","description":"Amazon EKS doesn't change the value. The update might fail.","value":"NONE"},{"name":"Overwrite","description":"Amazon EKS overwrites the changed value back to the Amazon EKS default value.","value":"OVERWRITE"},{"name":"Preserve","description":"Amazon EKS preserves the value. 
If you choose this option, we recommend that you test any field and value changes on a non-production cluster before updating the add-on on your production cluster.","value":"PRESERVE"}]},"eks:index:RoleMapping":{"description":"Describes a mapping from an AWS IAM role to a Kubernetes user and groups.","properties":{"groups":{"type":"array","items":{"type":"string"},"description":"A list of groups within Kubernetes to which the role is mapped."},"roleArn":{"type":"string","description":"The ARN of the IAM role to add."},"username":{"type":"string","description":"The user name within Kubernetes to map to the IAM role. By default, the user name is the ARN of the IAM role."}},"type":"object","required":["roleArn","username","groups"]},"eks:index:StorageClass":{"description":"StorageClass describes the inputs to a single Kubernetes StorageClass provisioned by AWS. Any number of storage classes can be added to a cluster at creation time. One of these storage classes may be configured the default storage class for the cluster.","properties":{"allowVolumeExpansion":{"type":"boolean","description":"AllowVolumeExpansion shows whether the storage class allow volume expand."},"default":{"type":"boolean","description":"True if this storage class should be a default storage class for the cluster.\n\nNote: As of Kubernetes v1.11+ on EKS, a default `gp2` storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html\n\nPlease note that at most one storage class can be marked as default. If two or more of them are marked as default, a PersistentVolumeClaim without `storageClassName` explicitly specified cannot be created. 
See: https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/#changing-the-default-storageclass"},"encrypted":{"type":"boolean","description":"Denotes whether the EBS volume should be encrypted."},"iopsPerGb":{"type":"integer","description":"I/O operations per second per GiB for \"io1\" volumes. The AWS volume plugin multiplies this with the size of a requested volume to compute IOPS of the volume and caps the result at 20,000 IOPS."},"kmsKeyId":{"type":"string","description":"The full Amazon Resource Name of the key to use when encrypting the volume. If none is supplied but encrypted is true, a key is generated by AWS."},"metadata":{"$ref":"/kubernetes/v4.19.0/schema.json#/types/kubernetes:meta%2Fv1:ObjectMeta","description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"},"mountOptions":{"type":"array","items":{"type":"string"},"description":"Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. [\"ro\", \"soft\"]. Not validated - mount of the PVs will simply fail if one is invalid."},"reclaimPolicy":{"type":"string","description":"Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete."},"type":{"type":"string","description":"The EBS volume type."},"volumeBindingMode":{"type":"string","description":"VolumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound. When unset, VolumeBindingImmediate is used. This field is alpha-level and is only honored by servers that enable the VolumeScheduling feature."},"zones":{"type":"array","items":{"type":"string"},"description":"The AWS zone or zones for the EBS volume. If zones is not specified, volumes are generally round-robin-ed across all active zones where Kubernetes cluster has a node. 
zone and zones parameters must not be used at the same time."}},"type":"object","required":["type"]},"eks:index:Taint":{"description":"Represents a Kubernetes `taint` to apply to all Nodes in a NodeGroup. See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/.","properties":{"effect":{"type":"string","description":"The effect of the taint."},"value":{"type":"string","description":"The value of the taint."}},"type":"object","required":["value","effect"]},"eks:index:UserMapping":{"description":"Describes a mapping from an AWS IAM user to a Kubernetes user and groups.","properties":{"groups":{"type":"array","items":{"type":"string"},"description":"A list of groups within Kubernetes to which the user is mapped to."},"userArn":{"type":"string","description":"The ARN of the IAM user to add."},"username":{"type":"string","description":"The user name within Kubernetes to map to the IAM user. By default, the user name is the ARN of the IAM user."}},"type":"object","required":["userArn","username","groups"]},"eks:index:VpcCniOptions":{"description":"Describes the configuration options available for the Amazon VPC CNI plugin for Kubernetes.","properties":{"addonVersion":{"type":"string","description":"The version of the addon to use. If not specified, the latest version of the addon for the cluster's Kubernetes version will be used."},"cniConfigureRpfilter":{"type":"boolean","description":"Specifies whether ipamd should configure rp filter for primary interface. Default is `false`."},"cniCustomNetworkCfg":{"type":"boolean","description":"Specifies that your pods may use subnets and security groups that are independent of your worker node's VPC configuration. By default, pods share the same subnet and security groups as the worker node's primary interface. Setting this variable to true causes ipamd to use the security groups and VPC subnet in a worker node's ENIConfig for elastic network interface allocation. 
You must create an ENIConfig custom resource for each subnet that your pods will reside in, and then annotate or label each worker node to use a specific ENIConfig (multiple worker nodes can be annotated or labelled with the same ENIConfig). Worker nodes can only be annotated with a single ENIConfig at a time, and the subnet in the ENIConfig must belong to the same Availability Zone that the worker node resides in. For more information, see CNI Custom Networking in the Amazon EKS User Guide. Default is `false`"},"cniExternalSnat":{"type":"boolean","description":"Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied. Disable SNAT if you need to allow inbound communication to your pods from external VPNs, direct connections, and external VPCs, and your pods do not need to access the Internet directly via an Internet Gateway. However, your nodes must be running in a private subnet and connected to the internet through an AWS NAT Gateway or another external NAT device. Default is `false`"},"configurationValues":{"type":"object","additionalProperties":{"$ref":"pulumi.json#/Any"},"description":"Custom configuration values for the vpc-cni addon. This object must match the schema derived from [describe-addon-configuration](https://docs.aws.amazon.com/cli/latest/reference/eks/describe-addon-configuration.html)."},"customNetworkConfig":{"type":"boolean","description":"Specifies that your pods may use subnets and security groups (within the same VPC as your control plane resources) that are independent of your cluster's `resourcesVpcConfig`.\n\nDefaults to false."},"disableTcpEarlyDemux":{"type":"boolean","description":"Allows the kubelet's liveness and readiness probes to connect via TCP when pod ENI is enabled. 
This will slightly increase local TCP connection latency."},"enableNetworkPolicy":{"type":"boolean","description":"Enables using Kubernetes network policies. In Kubernetes, by default, all pod-to-pod communication is allowed. Communication can be restricted with Kubernetes NetworkPolicy objects.\n\nSee for more information: [Kubernetes Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/)."},"enablePodEni":{"type":"boolean","description":"Specifies whether to allow IPAMD to add the `vpc.amazonaws.com/has-trunk-attached` label to the node if the instance has capacity to attach an additional ENI. Default is `false`. If using liveness and readiness probes, you will also need to disable TCP early demux."},"enablePrefixDelegation":{"type":"boolean","description":"IPAMD will start allocating (/28) prefixes to the ENIs with ENABLE_PREFIX_DELEGATION set to true."},"eniConfigLabelDef":{"type":"string","description":"Specifies the ENI_CONFIG_LABEL_DEF environment variable value for worker nodes. This is used to tell Kubernetes to automatically apply the ENIConfig for each Availability Zone\nRef: https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html (step 5(c))\n\nDefaults to the official AWS CNI image in ECR."},"eniMtu":{"type":"integer","description":"Used to configure the MTU size for attached ENIs. The valid range is from 576 to 9001.\n\nDefaults to 9001."},"externalSnat":{"type":"boolean","description":"Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. 
If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied.\n\nDefaults to false."},"logFile":{"type":"string","description":"Specifies the file path used for logs.\n\nDefaults to \"stdout\" to emit Pod logs for `kubectl logs`."},"logLevel":{"type":"string","description":"Specifies the log level used for logs.\n\nDefaults to \"DEBUG\"\nValid values: \"DEBUG\", \"INFO\", \"WARN\", \"ERROR\", or \"FATAL\"."},"nodePortSupport":{"type":"boolean","description":"Specifies whether NodePort services are enabled on a worker node's primary network interface. This requires additional iptables rules and that the kernel's reverse path filter on the primary interface is set to loose.\n\nDefaults to true."},"resolveConflictsOnCreate":{"type":"string","$ref":"#/types/eks:index:ResolveConflictsOnCreate","plain":true,"description":"How to resolve field value conflicts when migrating a self-managed add-on to an Amazon EKS add-on. Valid values are `NONE` and `OVERWRITE`. For more details see the [CreateAddon](https://docs.aws.amazon.com/eks/latest/APIReference/API_CreateAddon.html) API Docs.","default":"OVERWRITE"},"resolveConflictsOnUpdate":{"type":"string","$ref":"#/types/eks:index:ResolveConflictsOnUpdate","plain":true,"description":"How to resolve field value conflicts for an Amazon EKS add-on if you've changed a value from the Amazon EKS default value.  Valid values are `NONE`, `OVERWRITE`, and `PRESERVE`. For more details see the [UpdateAddon](https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html) API Docs.","default":"OVERWRITE"},"securityContextPrivileged":{"type":"boolean","description":"Pass privilege to containers securityContext. This is required when SELinux is enabled. 
This value will not be passed to the CNI config by default"},"serviceAccountRoleArn":{"type":"string","description":"The Amazon Resource Name (ARN) of an existing IAM role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role.\n\nFor more information, see [Amazon EKS node IAM role](https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html) in the Amazon EKS User Guide.\n\nNote: To specify an existing IAM role, you must have an IAM OpenID Connect (OIDC) provider created for your cluster. For more information, see [Enabling IAM roles for service accounts on your cluster](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html) in the Amazon EKS User Guide."},"vethPrefix":{"type":"string","description":"Specifies the veth prefix used to generate the host-side veth device name for the CNI.\n\nThe prefix can be at most 4 characters long.\n\nDefaults to \"eni\"."},"warmEniTarget":{"type":"integer","description":"Specifies the number of free elastic network interfaces (and all of their available IP addresses) that the ipamD daemon should attempt to keep available for pod assignment on the node.\n\nDefaults to 1."},"warmIpTarget":{"type":"integer","description":"Specifies the number of free IP addresses that the ipamD daemon should attempt to keep available for pod assignment on the node."},"warmPrefixTarget":{"type":"integer","description":"WARM_PREFIX_TARGET will allocate one full (/28) prefix even if a single IP  is consumed with the existing prefix. 
Ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/prefix-and-ip-target.md"}},"type":"object"}},"provider":{},"resources":{"eks:index:Addon":{"description":"Addon manages an EKS add-on.\nFor more information about supported add-ons, see: https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html","inputProperties":{"addonName":{"type":"string","description":"Name of the EKS add-on. The name must match one of the names returned by describe-addon-versions."},"addonVersion":{"type":"string","description":"The version of the EKS add-on. The version must match one of the versions returned by describe-addon-versions."},"cluster":{"$ref":"#/resources/eks:index:Cluster","description":"The target EKS cluster."},"configurationValues":{"type":"object","additionalProperties":{"$ref":"pulumi.json#/Any"},"description":"Custom configuration values for addons specified as an object. This object value must match the JSON schema derived from describe-addon-configuration."},"preserve":{"type":"boolean","description":"Indicates if you want to preserve the created resources when deleting the EKS add-on."},"resolveConflictsOnCreate":{"type":"string","description":"How to resolve field value conflicts when migrating a self-managed add-on to an Amazon EKS add-on. Valid values are NONE and OVERWRITE. For more details see the CreateAddon API Docs."},"resolveConflictsOnUpdate":{"type":"string","description":"How to resolve field value conflicts for an Amazon EKS add-on if you've changed a value from the Amazon EKS default value. Valid values are NONE, OVERWRITE, and PRESERVE. For more details see the UpdateAddon API Docs."},"serviceAccountRoleArn":{"type":"string","description":"The Amazon Resource Name (ARN) of an existing IAM role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role. 
For more information, see Amazon EKS node IAM role in the Amazon EKS User Guide.\n\n\t\t\t\t\t\tNote: To specify an existing IAM role, you must have an IAM OpenID Connect (OIDC) provider created for your cluster. For more information, see Enabling IAM roles for service accounts on your cluster in the Amazon EKS User Guide."},"tags":{"type":"array","items":{"type":"object","additionalProperties":{"type":"string"}},"description":"Key-value map of resource tags. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level."}},"requiredInputs":["addonName","cluster"],"isComponent":true},"eks:index:Cluster":{"description":"Cluster is a component that wraps the AWS and Kubernetes resources necessary to run an EKS cluster, its worker nodes, its optional StorageClasses, and an optional deployment of the Kubernetes Dashboard.\n\n## Example Usage\n\n### Provisioning a New EKS Cluster\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as eks from \"@pulumi/eks\";\n\n// Create an EKS cluster with the default configuration.\nconst cluster = new eks.Cluster(\"cluster\", {});\n\n// Export the cluster's kubeconfig.\nexport const kubeconfig = cluster.kubeconfig;\n ```\n\n```python\n import pulumi\n import pulumi_eks as eks\n \n # Create an EKS cluster with the default configuration.\n cluster = eks.Cluster(\"cluster\")\n\n # Export the cluster's kubeconfig.\n pulumi.export(\"kubeconfig\", cluster.kubeconfig)\n ```\n\n```go\n package main\n \n import (\n \t\"github.com/pulumi/pulumi-eks/sdk/go/eks\"\n \t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n )\n\nfunc main() {\n \tpulumi.Run(func(ctx *pulumi.Context) error {\n \t\t// Create an EKS cluster with the default configuration.\n\t\tcluster, err := eks.NewCluster(ctx, \"cluster\", nil)\n \t\tif err != nil {\n \t\t\treturn err\n \t\t}\n \t\t// Export the cluster's kubeconfig.\n 
\t\tctx.Export(\"kubeconfig\", cluster.Kubeconfig)\n\t\treturn nil\n \t})\n }\n ```\n\n```csharp\n using System.Collections.Generic;\n using Pulumi;\n using Eks = Pulumi.Eks;\n \n return await Deployment.RunAsync(() =\u003e\n {\n \t// Create an EKS cluster with the default configuration.\n\tvar cluster = new Eks.Cluster(\"cluster\");\n \n \treturn new Dictionary\u003cstring, object?\u003e\n \t{\n \t\t// Export the cluster's kubeconfig.\n \t\t[\"kubeconfig\"] = cluster.Kubeconfig,\n \t};\n });\n\n```\n\n```java\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.eks.Cluster;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n\tpublic static void main(String[] args) {\n\t\tPulumi.run(App::stack);\n\t}\n\n\t public static void stack(Context ctx) {\n \t\t// Create an EKS cluster with the default configuration.\n \t\tvar cluster = new Cluster(\"cluster\");\n \n \t\t// Export the cluster's kubeconfig.\n\t\tctx.export(\"kubeconfig\", cluster.kubeconfig());\n\t}\n }\n```\n\n```yaml\nresources:\n# Create an EKS cluster with the default configuration.\ncluster:\ntype: eks:Cluster\noutputs:\n# Export the cluster's kubeconfig.\nkubeconfig: ${cluster.kubeconfig}\n\n```\n\u003c!--End PulumiCodeChooser --\u003e","properties":{"autoModeNodeRoleName":{"type":"string","description":"The name of the IAM role created for nodes managed by EKS Auto Mode. Defaults to an empty string."},"awsProvider":{"$ref":"/aws/v7.14.0/schema.json#/provider","description":"The AWS resource provider."},"clusterIngressRuleId":{"type":"string","description":"The ID of the security group rule that gives node group access to the cluster API server. 
Defaults to an empty string if `skipDefaultSecurityGroups` is set to true."},"clusterSecurityGroup":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup","description":"The security group for the EKS cluster."},"clusterSecurityGroupId":{"type":"string","description":"The cluster security group ID of the EKS cluster. Returns the EKS created security group if `skipDefaultSecurityGroups` is set to true."},"core":{"$ref":"#/types/eks:index:CoreData","description":"The EKS cluster and its dependencies."},"defaultNodeGroup":{"$ref":"#/types/eks:index:NodeGroupData","description":"The default Node Group configuration, or undefined if `skipDefaultNodeGroup` was specified."},"defaultNodeGroupAsgName":{"type":"string","description":"The name of the default node group's AutoScaling Group. Defaults to an empty string if `skipDefaultNodeGroup` is set to true."},"eksCluster":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:eks%2Fcluster:Cluster","description":"The EKS cluster."},"eksClusterIngressRule":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:ec2%2FsecurityGroupRule:SecurityGroupRule","description":"The ingress rule that gives node group access to cluster API server."},"fargateProfileId":{"type":"string","description":"The ID of the Fargate Profile. Defaults to an empty string if no Fargate profile is configured."},"fargateProfileStatus":{"type":"string","description":"The status of the Fargate Profile. Defaults to an empty string if no Fargate profile is configured."},"instanceRoles":{"type":"array","items":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:iam%2Frole:Role"},"description":"The service roles used by the EKS cluster. 
Only supported with authentication mode `CONFIG_MAP` or `API_AND_CONFIG_MAP`."},"kubeconfig":{"$ref":"pulumi.json#/Any","description":"A kubeconfig that can be used to connect to the EKS cluster."},"kubeconfigJson":{"type":"string","description":"A kubeconfig that can be used to connect to the EKS cluster as a JSON string."},"nodeSecurityGroup":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup","description":"The security group for the cluster's nodes."},"nodeSecurityGroupId":{"type":"string","description":"The node security group ID of the EKS cluster. Returns the EKS created security group if `skipDefaultSecurityGroups` is set to true."},"oidcIssuer":{"type":"string","description":"The OIDC Issuer of the EKS cluster (OIDC Provider URL without leading `https://`).\n\nThis value can be used to associate kubernetes service accounts with IAM roles. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html."},"oidcProviderArn":{"type":"string","description":"The ARN of the IAM OpenID Connect Provider for the EKS cluster. Defaults to an empty string if no OIDC provider is configured."},"oidcProviderUrl":{"type":"string","description":"Issuer URL for the OpenID Connect identity provider of the EKS cluster."}},"required":["kubeconfig","kubeconfigJson","awsProvider","instanceRoles","eksCluster","core","clusterSecurityGroupId","nodeSecurityGroupId","clusterIngressRuleId","defaultNodeGroupAsgName","fargateProfileId","fargateProfileStatus","oidcProviderArn","oidcProviderUrl","oidcIssuer","autoModeNodeRoleName"],"inputProperties":{"accessEntries":{"type":"object","additionalProperties":{"$ref":"#/types/eks:index:AccessEntry","plain":true},"plain":true,"description":"Access entries to add to the EKS cluster. They can be used to allow IAM principals to access the cluster. 
Access entries are only supported with authentication mode `API` or `API_AND_CONFIG_MAP`.\n\nSee for more details:\nhttps://docs.aws.amazon.com/eks/latest/userguide/access-entries.html"},"authenticationMode":{"$ref":"#/types/eks:index:AuthenticationMode","plain":true,"description":"The authentication mode of the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`.\n\nSee for more details:\nhttps://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html#set-cam"},"autoMode":{"$ref":"#/types/eks:index:AutoModeOptions","plain":true,"description":"Configuration Options for EKS Auto Mode. If EKS Auto Mode is enabled, AWS will manage cluster infrastructure on your behalf.\n\nFor more information, see: https://docs.aws.amazon.com/eks/latest/userguide/automode.html"},"bootstrapSelfManagedAddons":{"type":"boolean","description":"Install default unmanaged add-ons, such as `aws-cni`, `kube-proxy`, and CoreDNS during cluster creation. If `false`, you must manually install desired add-ons. Changing this value will force a new cluster to be created. Defaults to `true`"},"clusterSecurityGroup":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup","description":"The security group to use for the cluster API endpoint. 
If not provided, a new security group will be created with full internet egress and ingress from node groups.\n\nNote: The security group resource should not contain any inline ingress or egress rules."},"clusterSecurityGroupTags":{"type":"object","additionalProperties":{"type":"string"},"description":"The tags to apply to the cluster security group."},"clusterTags":{"type":"object","additionalProperties":{"type":"string"},"description":"The tags to apply to the EKS cluster."},"corednsAddonOptions":{"$ref":"#/types/eks:index:CoreDnsAddonOptions","plain":true,"description":"Options for managing the `coredns` addon."},"createInstanceRole":{"type":"boolean","plain":true,"description":"Whether to create the instance role for the EKS cluster. Defaults to true when using the default node group, false otherwise.\nIf set to false when using the default node group, an instance role or instance profile must be provided.\n\nNote: this option has no effect if a custom instance role is provided with `instanceRole` or `instanceRoles`."},"createOidcProvider":{"type":"boolean","description":"Indicates whether an IAM OIDC Provider is created for the EKS cluster.\n\nThe OIDC provider is used in the cluster in combination with k8s Service Account annotations to provide IAM roles at the k8s Pod level.\n\nSee for more details:\n - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html\n - https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html\n - https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/\n - https://www.pulumi.com/registry/packages/aws/api-docs/eks/cluster/#enabling-iam-roles-for-service-accounts"},"creationRoleProvider":{"$ref":"#/types/eks:index:CreationRoleProvider","plain":true,"description":"The IAM Role Provider used to create \u0026 authenticate against the EKS cluster. 
This role is given `[system:masters]` permission in K8S, which is unrestricted cluster-admin access, so limit who can assume it. See: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html\n\nNote: This option is only supported with Pulumi nodejs programs. Please use `ProviderCredentialOpts` as an alternative instead."},"deletionProtection":{"type":"boolean","description":"Whether to enable deletion protection for the cluster. When enabled, the cluster cannot be deleted unless deletion protection is first disabled. Default: `false`."},"desiredCapacity":{"type":"integer","description":"The number of worker nodes that should be running in the cluster. Defaults to 2."},"enableConfigMapMutable":{"type":"boolean","description":"Sets the 'enableConfigMapMutable' option on the cluster kubernetes provider.\n\nApplies updates to the aws-auth ConfigMap in place over a replace operation if set to true.\nhttps://www.pulumi.com/registry/packages/kubernetes/api-docs/provider/#enableconfigmapmutable_nodejs"},"enabledClusterLogTypes":{"type":"array","items":{"type":"string"},"description":"Enable EKS control plane logging. This sends logs to cloudwatch. Possible list of values are: [\"api\", \"audit\", \"authenticator\", \"controllerManager\", \"scheduler\"]. By default it is off."},"encryptionConfigKeyArn":{"type":"string","description":"KMS Key ARN to use with the encryption configuration for the cluster.\n\nOnly available on Kubernetes 1.13+ clusters created after March 6, 2020.\nSee for more details:\n- https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/"},"endpointPrivateAccess":{"type":"boolean","description":"Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is `false`."},"endpointPublicAccess":{"type":"boolean","description":"Indicates whether or not the Amazon EKS public API server endpoint is enabled. 
Default is `true`."},"fargate":{"oneOf":[{"type":"boolean"},{"$ref":"#/types/eks:index:FargateProfile"}],"description":"Add support for launching pods in Fargate. Defaults to launching pods in the `default` namespace.  If specified, the default node group is skipped as though `skipDefaultNodeGroup: true` had been passed."},"gpu":{"type":"boolean","description":"Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.\n\nDefaults to false.\n\nNote: `gpu` and `nodeAmiId` are mutually exclusive.\n\nSee for more details:\n- https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html\n- https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html"},"instanceProfileName":{"type":"string","description":"The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup."},"instanceRole":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:iam%2Frole:Role","description":"This enables the simple case of only registering a *single* IAM instance role with the cluster, that is required to be shared by *all* node groups in their instance profiles.\n\nNote: options `instanceRole` and `instanceRoles` are mutually exclusive."},"instanceRoles":{"type":"array","items":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:iam%2Frole:Role"},"description":"This enables the advanced case of registering *many* IAM instance roles with the cluster for per node group IAM, instead of the simpler, shared case of `instanceRole`.\n\nNote: options `instanceRole` and `instanceRoles` are mutually exclusive."},"instanceType":{"type":"string","description":"The instance type to use for the cluster's nodes. Defaults to \"t3.medium\"."},"ipFamily":{"type":"string","description":"The IP family used to assign Kubernetes pod and service addresses. 
Valid values are `ipv4` (default) and `ipv6`.\nYou can only specify an IP family when you create a cluster, changing this value will force a new cluster to be created.","replaceOnChanges":true},"kubeProxyAddonOptions":{"$ref":"#/types/eks:index:KubeProxyAddonOptions","plain":true,"description":"Options for managing the `kube-proxy` addon."},"kubernetesServiceIpAddressRange":{"type":"string","description":"The CIDR block to assign Kubernetes service IP addresses from. If you don't\nspecify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or\n172.20.0.0/16 CIDR blocks. This setting only applies to IPv4 clusters. We recommend that you specify a block\nthat does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify\na custom CIDR block when you create a cluster, changing this value will force a new cluster to be created.\n\nThe block must meet the following requirements:\n- Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.\n- Doesn't overlap with any CIDR block assigned to the VPC that you selected for VPC.\n- Between /24 and /12."},"maxSize":{"type":"integer","description":"The maximum number of worker nodes running in the cluster. Defaults to 2."},"minSize":{"type":"integer","description":"The minimum number of worker nodes running in the cluster. 
Defaults to 1."},"name":{"type":"string","description":"The cluster's physical resource name.\n\nIf not specified, the default is to use auto-naming for the cluster's name, resulting in a physical name with the format `${name}-eksCluster-0123abcd`.\n\nSee for more details: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming"},"nodeAmiId":{"type":"string","description":"The AMI ID to use for the worker nodes.\n\nDefaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.\n\nNote: `nodeAmiId` and `gpu` are mutually exclusive.\n\nSee for more details:\n- https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html."},"nodeAssociatePublicIpAddress":{"type":"boolean","plain":true,"description":"Whether or not to auto-assign the EKS worker nodes public IP addresses. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs."},"nodeGroupOptions":{"$ref":"#/types/eks:index:ClusterNodeGroupOptions","plain":true,"description":"The common configuration settings for NodeGroups."},"nodePublicKey":{"type":"string","description":"Public key material for SSH access to worker nodes. See allowed formats at:\nhttps://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html\nIf not provided, no SSH access is enabled on VMs."},"nodeRootVolumeEncrypted":{"type":"boolean","description":"Encrypt the root block device of the nodes in the node group."},"nodeRootVolumeSize":{"type":"integer","description":"The size in GiB of a cluster node's root volume. 
Defaults to 20."},"nodeSecurityGroupTags":{"type":"object","additionalProperties":{"type":"string"},"description":"The tags to apply to the default `nodeSecurityGroup` created by the cluster.\n\nNote: The `nodeSecurityGroupTags` option and the node group option `nodeSecurityGroup` are mutually exclusive."},"nodeSubnetIds":{"type":"array","items":{"type":"string"},"description":"The subnets to use for worker nodes. Defaults to the value of subnetIds."},"nodeUserData":{"type":"string","description":"Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a `#!`)."},"privateSubnetIds":{"type":"array","items":{"type":"string"},"description":"The set of private subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.\n\nIf `vpcId` is not set, the cluster will use the AWS account's default VPC subnets.\n\nWorker network architecture options:\n - Private-only: Only set `privateSubnetIds`.\n   - Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.\n - Public-only: Only set `publicSubnetIds`.\n   - Default workers to run in a public subnet.\n - Mixed (recommended): Set both `privateSubnetIds` and `publicSubnetIds`.\n   - Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.\n\nSee for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.\n\nNote: The use of `subnetIds`, along with `publicSubnetIds` and/or `privateSubnetIds` is mutually exclusive. 
The use of `publicSubnetIds` and `privateSubnetIds` is encouraged.\n\nAlso consider setting `nodeAssociatePublicIpAddress: false` for fully private workers."},"providerCredentialOpts":{"$ref":"#/types/eks:index:KubeconfigOptions","description":"The AWS provider credential options to scope the cluster's kubeconfig authentication when using a non-default credential chain.\n\nThis is required for certain auth scenarios. For example:\n- Creating and using a new AWS provider instance, or\n- Setting the AWS_PROFILE environment variable, or\n- Using a named profile configured on the AWS provider via:\n`pulumi config set aws:profile \u003cprofileName\u003e`\n\nSee for more details:\n- https://www.pulumi.com/registry/packages/aws/api-docs/provider/\n- https://www.pulumi.com/docs/intro/cloud-providers/aws/setup/\n- https://www.pulumi.com/docs/intro/cloud-providers/aws/#configuration\n- https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html"},"proxy":{"type":"string","plain":true,"description":"The HTTP(S) proxy to use within a proxied environment.\n\n The proxy is used during cluster creation, and OIDC configuration.\n\nThis is an alternative option to setting the proxy environment variables: HTTP(S)_PROXY and/or http(s)_proxy.\n\nThis option is required iff the proxy environment variables are not set.\n\nFormat:      \u003cprotocol\u003e://\u003chost\u003e:\u003cport\u003e\nAuth Format: \u003cprotocol\u003e://\u003cusername\u003e:\u003cpassword\u003e@\u003chost\u003e:\u003cport\u003e\n\nEx:\n  - \"http://proxy.example.com:3128\"\n  - \"https://proxy.example.com\"\n  - \"http://username:password@proxy.example.com:3128\""},"publicAccessCidrs":{"type":"array","items":{"type":"string"},"description":"Indicates which CIDR blocks can access the Amazon EKS public API server endpoint."},"publicSubnetIds":{"type":"array","items":{"type":"string"},"description":"The set of public subnets to use for the worker node groups on the EKS cluster. 
These subnets are automatically tagged by EKS for Kubernetes purposes.\n\nIf `vpcId` is not set, the cluster will use the AWS account's default VPC subnets.\n\nWorker network architecture options:\n - Private-only: Only set `privateSubnetIds`.\n   - Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.\n - Public-only: Only set `publicSubnetIds`.\n   - Default workers to run in a public subnet.\n - Mixed (recommended): Set both `privateSubnetIds` and `publicSubnetIds`.\n   - Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.\n\nSee for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.\n\nNote: The use of `subnetIds`, along with `publicSubnetIds` and/or `privateSubnetIds` is mutually exclusive. The use of `publicSubnetIds` and `privateSubnetIds` is encouraged."},"roleMappings":{"type":"array","items":{"$ref":"#/types/eks:index:RoleMapping"},"description":"Optional mappings from AWS IAM roles to Kubernetes users and groups. Only supported with authentication mode `CONFIG_MAP` or `API_AND_CONFIG_MAP`."},"serviceRole":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:iam%2Frole:Role","description":"IAM Service Role for EKS to use to manage the cluster."},"skipDefaultNodeGroup":{"type":"boolean","plain":true,"description":"If this toggle is set to true, the EKS cluster will be created without node group attached. Defaults to false, unless `fargate` or `autoMode` is enabled."},"skipDefaultSecurityGroups":{"type":"boolean","plain":true,"description":"If this toggle is set to true, the EKS cluster will be created without the default node and cluster security groups. 
Defaults to false, unless `autoMode` is enabled.\n\nSee for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html"},"storageClasses":{"oneOf":[{"type":"string","plain":true},{"type":"object","additionalProperties":{"$ref":"#/types/eks:index:StorageClass","plain":true},"plain":true}],"plain":true,"description":"An optional set of StorageClasses to enable for the cluster. If this is a single volume type rather than a map, a single StorageClass will be created for that volume type.\n\nNote: As of Kubernetes v1.11+ on EKS, a default `gp2` storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html"},"subnetIds":{"type":"array","items":{"type":"string"},"description":"The set of all subnets, public and private, to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.\n\nIf `vpcId` is not set, the cluster will use the AWS account's default VPC subnets.\n\nIf the list of subnets includes both public and private subnets, the worker nodes will only be attached to the private subnets, and the public subnets will be used for internet-facing load balancers.\n\nSee for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.\n\nNote: The use of `subnetIds`, along with `publicSubnetIds` and/or `privateSubnetIds` is mutually exclusive. The use of `publicSubnetIds` and `privateSubnetIds` is encouraged."},"tags":{"type":"object","additionalProperties":{"type":"string"},"description":"Key-value mapping of tags that are automatically applied to all AWS resources directly under management with this cluster, which support tagging."},"upgradePolicy":{"$ref":"/aws/v7.14.0/schema.json#/types/aws:eks%2FClusterUpgradePolicy:ClusterUpgradePolicy","description":"The cluster's upgrade policy. Valid support types are \"STANDARD\" and \"EXTENDED\". 
Defaults to \"EXTENDED\"."},"useDefaultVpcCni":{"type":"boolean","plain":true,"description":"Use the default VPC CNI instead of creating a custom one. Should not be used in conjunction with `vpcCniOptions`.\nDefaults to true, unless `autoMode` is enabled."},"userMappings":{"type":"array","items":{"$ref":"#/types/eks:index:UserMapping"},"description":"Optional mappings from AWS IAM users to Kubernetes users and groups. Only supported with authentication mode `CONFIG_MAP` or `API_AND_CONFIG_MAP`."},"version":{"type":"string","description":"Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used."},"vpcCniOptions":{"$ref":"#/types/eks:index:VpcCniOptions","plain":true,"description":"The configuration of the Amazon VPC CNI plugin for this instance. Defaults are described in the documentation for the VpcCniOptions type."},"vpcId":{"type":"string","description":"The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the default VPC."}},"isComponent":true,"methods":{"getKubeconfig":"eks:index:Cluster/getKubeconfig"}},"eks:index:ClusterCreationRoleProvider":{"description":"ClusterCreationRoleProvider is a component that wraps creating a role provider that can be passed to the `Cluster`'s `creationRoleProvider`. This can be used to provide a specific role to use for the creation of the EKS cluster different from the role being used to run the Pulumi deployment.","properties":{"role":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:iam%2Frole:Role"}},"required":["role"],"inputProperties":{"profile":{"type":"string"},"region":{"type":"string"}},"isComponent":true},"eks:index:ManagedNodeGroup":{"description":"Manages an EKS Node Group, which can provision and optionally update an Auto Scaling Group of Kubernetes worker nodes compatible with EKS. 
Additional documentation about this functionality can be found in the [EKS User Guide](https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html).\n\n\n{{% examples %}}\n## Example Usage\n{{% example %}}\n### Basic Managed Node Group\nThis example demonstrates creating a managed node group with typical defaults. The node group uses the latest EKS-optimized Amazon Linux AMI, creates 2 nodes, and runs on t3.medium instances. Instance security groups are automatically configured.\n\n\n```yaml\nresources:\n  eks-vpc:\n    type: awsx:ec2:Vpc\n    properties:\n      enableDnsHostnames: true\n      cidrBlock: 10.0.0.0/16\n  eks-cluster:\n    type: eks:Cluster\n    properties:\n      vpcId: ${eks-vpc.vpcId}\n      authenticationMode: API\n      publicSubnetIds: ${eks-vpc.publicSubnetIds}\n      privateSubnetIds: ${eks-vpc.privateSubnetIds}\n      skipDefaultNodeGroup: true\n  node-role:\n    type: aws:iam:Role\n    properties:\n      assumeRolePolicy:\n        fn::toJSON:\n          Version: 2012-10-17\n          Statement:\n            - Action: sts:AssumeRole\n              Effect: Allow\n              Sid: \"\"\n              Principal:\n                Service: ec2.amazonaws.com\n  worker-node-policy:\n    type: aws:iam:RolePolicyAttachment\n    properties:\n      role: ${node-role.name}\n      policyArn: \"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy\"\n  cni-policy:\n    type: aws:iam:RolePolicyAttachment\n    properties:\n      role: ${node-role.name}\n      policyArn: \"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy\"\n  registry-policy:\n    type: aws:iam:RolePolicyAttachment\n    properties:\n      role: ${node-role.name}\n      policyArn: \"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly\"\n  node-group:\n    type: eks:ManagedNodeGroup\n    properties:\n      cluster: ${eks-cluster}\n      nodeRole: ${node-role}\n\n```\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\nimport * as 
awsx from \"@pulumi/awsx\";\nimport * as eks from \"@pulumi/eks\";\n\nconst eksVpc = new awsx.ec2.Vpc(\"eks-vpc\", {\n    enableDnsHostnames: true,\n    cidrBlock: \"10.0.0.0/16\",\n});\nconst eksCluster = new eks.Cluster(\"eks-cluster\", {\n    vpcId: eksVpc.vpcId,\n    authenticationMode: eks.AuthenticationMode.Api,\n    publicSubnetIds: eksVpc.publicSubnetIds,\n    privateSubnetIds: eksVpc.privateSubnetIds,\n    skipDefaultNodeGroup: true,\n});\nconst nodeRole = new aws.iam.Role(\"node-role\", {assumeRolePolicy: JSON.stringify({\n    Version: \"2012-10-17\",\n    Statement: [{\n        Action: \"sts:AssumeRole\",\n        Effect: \"Allow\",\n        Sid: \"\",\n        Principal: {\n            Service: \"ec2.amazonaws.com\",\n        },\n    }],\n})});\nconst workerNodePolicy = new aws.iam.RolePolicyAttachment(\"worker-node-policy\", {\n    role: nodeRole.name,\n    policyArn: \"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy\",\n});\nconst cniPolicy = new aws.iam.RolePolicyAttachment(\"cni-policy\", {\n    role: nodeRole.name,\n    policyArn: \"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy\",\n});\nconst registryPolicy = new aws.iam.RolePolicyAttachment(\"registry-policy\", {\n    role: nodeRole.name,\n    policyArn: \"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly\",\n});\nconst nodeGroup = new eks.ManagedNodeGroup(\"node-group\", {\n    cluster: eksCluster,\n    nodeRole: nodeRole,\n});\n\n```\n\n```python\nimport pulumi\nimport json\nimport pulumi_aws as aws\nimport pulumi_awsx as awsx\nimport pulumi_eks as eks\n\neks_vpc = awsx.ec2.Vpc(\"eks-vpc\",\n    enable_dns_hostnames=True,\n    cidr_block=\"10.0.0.0/16\")\neks_cluster = eks.Cluster(\"eks-cluster\",\n    vpc_id=eks_vpc.vpc_id,\n    authentication_mode=eks.AuthenticationMode.API,\n    public_subnet_ids=eks_vpc.public_subnet_ids,\n    private_subnet_ids=eks_vpc.private_subnet_ids,\n    skip_default_node_group=True)\nnode_role = aws.iam.Role(\"node-role\", assume_role_policy=json.dumps({\n  
  \"Version\": \"2012-10-17\",\n    \"Statement\": [{\n        \"Action\": \"sts:AssumeRole\",\n        \"Effect\": \"Allow\",\n        \"Sid\": \"\",\n        \"Principal\": {\n            \"Service\": \"ec2.amazonaws.com\",\n        },\n    }],\n}))\nworker_node_policy = aws.iam.RolePolicyAttachment(\"worker-node-policy\",\n    role=node_role.name,\n    policy_arn=\"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy\")\ncni_policy = aws.iam.RolePolicyAttachment(\"cni-policy\",\n    role=node_role.name,\n    policy_arn=\"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy\")\nregistry_policy = aws.iam.RolePolicyAttachment(\"registry-policy\",\n    role=node_role.name,\n    policy_arn=\"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly\")\nnode_group = eks.ManagedNodeGroup(\"node-group\",\n    cluster=eks_cluster,\n    node_role=node_role)\n\n```\n\n```go\npackage main\n\nimport (\n\t\"encoding/json\"\n\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi-awsx/sdk/v2/go/awsx/ec2\"\n\t\"github.com/pulumi/pulumi-eks/sdk/v4/go/eks\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\teksVpc, err := ec2.NewVpc(ctx, \"eks-vpc\", \u0026ec2.VpcArgs{\n\t\t\tEnableDnsHostnames: pulumi.Bool(true),\n\t\t\tCidrBlock:          \"10.0.0.0/16\",\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\teksCluster, err := eks.NewCluster(ctx, \"eks-cluster\", \u0026eks.ClusterArgs{\n\t\t\tVpcId:                eksVpc.VpcId,\n\t\t\tAuthenticationMode:   eks.AuthenticationModeApi,\n\t\t\tPublicSubnetIds:      eksVpc.PublicSubnetIds,\n\t\t\tPrivateSubnetIds:     eksVpc.PrivateSubnetIds,\n\t\t\tSkipDefaultNodeGroup: true,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttmpJSON0, err := json.Marshal(map[string]interface{}{\n\t\t\t\"Version\": \"2012-10-17\",\n\t\t\t\"Statement\": []map[string]interface{}{\n\t\t\t\tmap[string]interface{}{\n\t\t\t\t\t\"Action\": 
\"sts:AssumeRole\",\n\t\t\t\t\t\"Effect\": \"Allow\",\n\t\t\t\t\t\"Sid\":    \"\",\n\t\t\t\t\t\"Principal\": map[string]interface{}{\n\t\t\t\t\t\t\"Service\": \"ec2.amazonaws.com\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tjson0 := string(tmpJSON0)\n\t\tnodeRole, err := iam.NewRole(ctx, \"node-role\", \u0026iam.RoleArgs{\n\t\t\tAssumeRolePolicy: pulumi.String(json0),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = iam.NewRolePolicyAttachment(ctx, \"worker-node-policy\", \u0026iam.RolePolicyAttachmentArgs{\n\t\t\tRole:      nodeRole.Name,\n\t\t\tPolicyArn: pulumi.String(\"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = iam.NewRolePolicyAttachment(ctx, \"cni-policy\", \u0026iam.RolePolicyAttachmentArgs{\n\t\t\tRole:      nodeRole.Name,\n\t\t\tPolicyArn: pulumi.String(\"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = iam.NewRolePolicyAttachment(ctx, \"registry-policy\", \u0026iam.RolePolicyAttachmentArgs{\n\t\t\tRole:      nodeRole.Name,\n\t\t\tPolicyArn: pulumi.String(\"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = eks.NewManagedNodeGroup(ctx, \"node-group\", \u0026eks.ManagedNodeGroupArgs{\n\t\t\tCluster:  eksCluster,\n\t\t\tNodeRole: nodeRole,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n\n```\n\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Text.Json;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\nusing Awsx = Pulumi.Awsx;\nusing Eks = Pulumi.Eks;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var eksVpc = new Awsx.Ec2.Vpc(\"eks-vpc\", new()\n    {\n        EnableDnsHostnames = true,\n        CidrBlock = \"10.0.0.0/16\",\n    });\n\n    var eksCluster = new Eks.Cluster(\"eks-cluster\", new()\n    
{\n        VpcId = eksVpc.VpcId,\n        AuthenticationMode = Eks.AuthenticationMode.Api,\n        PublicSubnetIds = eksVpc.PublicSubnetIds,\n        PrivateSubnetIds = eksVpc.PrivateSubnetIds,\n        SkipDefaultNodeGroup = true,\n    });\n\n    var nodeRole = new Aws.Iam.Role(\"node-role\", new()\n    {\n        AssumeRolePolicy = JsonSerializer.Serialize(new Dictionary\u003cstring, object?\u003e\n        {\n            [\"Version\"] = \"2012-10-17\",\n            [\"Statement\"] = new[]\n            {\n                new Dictionary\u003cstring, object?\u003e\n                {\n                    [\"Action\"] = \"sts:AssumeRole\",\n                    [\"Effect\"] = \"Allow\",\n                    [\"Sid\"] = \"\",\n                    [\"Principal\"] = new Dictionary\u003cstring, object?\u003e\n                    {\n                        [\"Service\"] = \"ec2.amazonaws.com\",\n                    },\n                },\n            },\n        }),\n    });\n\n    var workerNodePolicy = new Aws.Iam.RolePolicyAttachment(\"worker-node-policy\", new()\n    {\n        Role = nodeRole.Name,\n        PolicyArn = \"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy\",\n    });\n\n    var cniPolicy = new Aws.Iam.RolePolicyAttachment(\"cni-policy\", new()\n    {\n        Role = nodeRole.Name,\n        PolicyArn = \"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy\",\n    });\n\n    var registryPolicy = new Aws.Iam.RolePolicyAttachment(\"registry-policy\", new()\n    {\n        Role = nodeRole.Name,\n        PolicyArn = \"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly\",\n    });\n\n    var nodeGroup = new Eks.ManagedNodeGroup(\"node-group\", new()\n    {\n        Cluster = eksCluster,\n        NodeRole = nodeRole,\n    });\n\n    return new Dictionary\u003cstring, object?\u003e{};\n});\n\n```\n\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport 
com.pulumi.awsx.ec2.Vpc;\nimport com.pulumi.awsx.ec2.VpcArgs;\nimport com.pulumi.eks.Cluster;\nimport com.pulumi.eks.ClusterArgs;\nimport com.pulumi.aws.iam.Role;\nimport com.pulumi.aws.iam.RoleArgs;\nimport com.pulumi.aws.iam.RolePolicyAttachment;\nimport com.pulumi.aws.iam.RolePolicyAttachmentArgs;\nimport com.pulumi.eks.ManagedNodeGroup;\nimport com.pulumi.eks.ManagedNodeGroupArgs;\nimport static com.pulumi.codegen.internal.Serialization.*;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var eksVpc = new Vpc(\"eksVpc\", VpcArgs.builder()\n            .enableDnsHostnames(true)\n            .cidrBlock(\"10.0.0.0/16\")\n            .build());\n\n        var eksCluster = new Cluster(\"eksCluster\", ClusterArgs.builder()\n            .vpcId(eksVpc.vpcId())\n            .authenticationMode(\"API\")\n            .publicSubnetIds(eksVpc.publicSubnetIds())\n            .privateSubnetIds(eksVpc.privateSubnetIds())\n            .skipDefaultNodeGroup(true)\n            .build());\n\n        var nodeRole = new Role(\"nodeRole\", RoleArgs.builder()\n            .assumeRolePolicy(serializeJson(\n                jsonObject(\n                    jsonProperty(\"Version\", \"2012-10-17\"),\n                    jsonProperty(\"Statement\", jsonArray(jsonObject(\n                        jsonProperty(\"Action\", \"sts:AssumeRole\"),\n                        jsonProperty(\"Effect\", \"Allow\"),\n                        jsonProperty(\"Sid\", \"\"),\n                        jsonProperty(\"Principal\", jsonObject(\n                            jsonProperty(\"Service\", \"ec2.amazonaws.com\")\n                        ))\n                    )))\n                )))\n            .build());\n\n        var workerNodePolicy = 
new RolePolicyAttachment(\"workerNodePolicy\", RolePolicyAttachmentArgs.builder()\n            .role(nodeRole.name())\n            .policyArn(\"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy\")\n            .build());\n\n        var cniPolicy = new RolePolicyAttachment(\"cniPolicy\", RolePolicyAttachmentArgs.builder()\n            .role(nodeRole.name())\n            .policyArn(\"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy\")\n            .build());\n\n        var registryPolicy = new RolePolicyAttachment(\"registryPolicy\", RolePolicyAttachmentArgs.builder()\n            .role(nodeRole.name())\n            .policyArn(\"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly\")\n            .build());\n\n        var nodeGroup = new ManagedNodeGroup(\"nodeGroup\", ManagedNodeGroupArgs.builder()\n            .cluster(eksCluster)\n            .nodeRole(nodeRole)\n            .build());\n    }\n}\n```\n{{% /example %}}\n\n{{% example %}}\n### Enabling EFA Support\n\nEnabling EFA support for a node group will do the following:\n- All EFA interfaces supported by the instance will be exposed on the launch template used by the node group\n- A `clustered` placement group will be created and passed to the launch template\n- Checks will be performed to ensure that the instance type supports EFA and that the specified AZ is supported by the chosen instance type\n\nThe GPU optimized AMIs include all necessary drivers and libraries to support EFA. 
If you're choosing an instance type without GPU acceleration you will need to install the drivers and libraries manually and bake a custom AMI.\n\nYou can use the [aws-efa-k8s-device-plugin](https://github.com/aws/eks-charts/tree/master/stable/aws-efa-k8s-device-plugin) Helm chart to expose the EFA interfaces on the nodes as an extended resource, and allow pods to request these interfaces to be mounted to their containers.\nYour application container will need to have the necessary libraries and runtimes in order to leverage the EFA interfaces (e.g. libfabric).\n\n```yaml\nname: eks-mng-docs\ndescription: A Pulumi YAML program to deploy a Kubernetes cluster on AWS\nruntime: yaml\nresources:\n  eks-vpc:\n    type: awsx:ec2:Vpc\n    properties:\n      enableDnsHostnames: true\n      cidrBlock: 10.0.0.0/16\n  eks-cluster:\n    type: eks:Cluster\n    properties:\n      vpcId: ${eks-vpc.vpcId}\n      authenticationMode: API\n      publicSubnetIds: ${eks-vpc.publicSubnetIds}\n      privateSubnetIds: ${eks-vpc.privateSubnetIds}\n      skipDefaultNodeGroup: true\n  k8sProvider:\n    type: pulumi:providers:kubernetes\n    properties:\n      kubeconfig: ${eks-cluster.kubeconfig}\n  node-role:\n    type: aws:iam:Role\n    properties:\n      assumeRolePolicy:\n        fn::toJSON:\n          Version: 2012-10-17\n          Statement:\n            - Action: sts:AssumeRole\n              Effect: Allow\n              Sid: \"\"\n              Principal:\n                Service: ec2.amazonaws.com\n  worker-node-policy:\n    type: aws:iam:RolePolicyAttachment\n    properties:\n      role: ${node-role.name}\n      policyArn: \"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy\"\n  cni-policy:\n    type: aws:iam:RolePolicyAttachment\n    properties:\n      role: ${node-role.name}\n      policyArn: \"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy\"\n  registry-policy:\n    type: aws:iam:RolePolicyAttachment\n    properties:\n      role: ${node-role.name}\n      policyArn: 
\"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly\"\n  \n  # The node group for running system pods (e.g. coredns, etc.)\n  system-node-group:\n    type: eks:ManagedNodeGroup\n    properties:\n      cluster: ${eks-cluster}\n      nodeRole: ${node-role}\n\n  # EFA device plugin for exposing EFA interfaces as extended resources\n  device-plugin:\n    type: kubernetes:helm.sh/v3:Release\n    properties:\n      version: \"0.5.7\"\n      repositoryOpts:\n        repo: \"https://aws.github.io/eks-charts\"\n      chart: \"aws-efa-k8s-device-plugin\"\n      namespace: \"kube-system\"\n      atomic: true\n      values:\n        tolerations:\n          - key: \"efa-enabled\"\n            operator: \"Exists\"\n            effect: \"NoExecute\"\n    options:\n      provider: ${k8sProvider}\n\n  # The node group for running EFA enabled workloads\n  efa-node-group:\n    type: eks:ManagedNodeGroup\n    properties:\n      cluster: ${eks-cluster}\n      nodeRole: ${node-role}\n      instanceTypes: [\"g6.8xlarge\"]\n      gpu: true\n      scalingConfig:\n        minSize: 2\n        desiredSize: 2\n        maxSize: 4\n      enableEfaSupport: true\n      placementGroupAvailabilityZone: \"us-west-2b\"\n      # Taint the nodes so that only pods with the efa-enabled label can be scheduled on them\n      taints:\n        - key: \"efa-enabled\"\n          value: \"true\"\n          effect: \"NO_EXECUTE\"\n      # Instances with GPUs usually have nvme instance store volumes, so we can mount them in RAID-0 for kubelet and containerd\n      # These are faster than the regular EBS volumes\n      nodeadmExtraOptions:\n        - contentType: \"application/node.eks.aws\"\n          content: |\n            apiVersion: node.eks.aws/v1alpha1\n            kind: NodeConfig\n            spec:\n              instance:\n                localStorage:\n                  strategy: RAID0\n\n```\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from 
\"@pulumi/aws\";\nimport * as awsx from \"@pulumi/awsx\";\nimport * as eks from \"@pulumi/eks\";\nimport * as kubernetes from \"@pulumi/kubernetes\";\n\nconst eksVpc = new awsx.ec2.Vpc(\"eks-vpc\", {\n    enableDnsHostnames: true,\n    cidrBlock: \"10.0.0.0/16\",\n});\nconst eksCluster = new eks.Cluster(\"eks-cluster\", {\n    vpcId: eksVpc.vpcId,\n    authenticationMode: eks.AuthenticationMode.Api,\n    publicSubnetIds: eksVpc.publicSubnetIds,\n    privateSubnetIds: eksVpc.privateSubnetIds,\n    skipDefaultNodeGroup: true,\n});\nconst k8SProvider = new kubernetes.Provider(\"k8sProvider\", {kubeconfig: eksCluster.kubeconfig});\nconst nodeRole = new aws.iam.Role(\"node-role\", {assumeRolePolicy: JSON.stringify({\n    Version: \"2012-10-17\",\n    Statement: [{\n        Action: \"sts:AssumeRole\",\n        Effect: \"Allow\",\n        Sid: \"\",\n        Principal: {\n            Service: \"ec2.amazonaws.com\",\n        },\n    }],\n})});\nconst workerNodePolicy = new aws.iam.RolePolicyAttachment(\"worker-node-policy\", {\n    role: nodeRole.name,\n    policyArn: \"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy\",\n});\nconst cniPolicy = new aws.iam.RolePolicyAttachment(\"cni-policy\", {\n    role: nodeRole.name,\n    policyArn: \"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy\",\n});\nconst registryPolicy = new aws.iam.RolePolicyAttachment(\"registry-policy\", {\n    role: nodeRole.name,\n    policyArn: \"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly\",\n});\n\n// The node group for running system pods (e.g. 
coredns, etc.)\nconst systemNodeGroup = new eks.ManagedNodeGroup(\"system-node-group\", {\n    cluster: eksCluster,\n    nodeRole: nodeRole,\n});\n\n// The EFA device plugin for exposing EFA interfaces as extended resources\nconst devicePlugin = new kubernetes.helm.v3.Release(\"device-plugin\", {\n    version: \"0.5.7\",\n    repositoryOpts: {\n        repo: \"https://aws.github.io/eks-charts\",\n    },\n    chart: \"aws-efa-k8s-device-plugin\",\n    namespace: \"kube-system\",\n    atomic: true,\n    values: {\n        tolerations: [{\n            key: \"efa-enabled\",\n            operator: \"Exists\",\n            effect: \"NoExecute\",\n        }],\n    },\n}, {\n    provider: k8SProvider,\n});\n\n// The node group for running EFA enabled workloads\nconst efaNodeGroup = new eks.ManagedNodeGroup(\"efa-node-group\", {\n    cluster: eksCluster,\n    nodeRole: nodeRole,\n    instanceTypes: [\"g6.8xlarge\"],\n    gpu: true,\n    scalingConfig: {\n        minSize: 2,\n        desiredSize: 2,\n        maxSize: 4,\n    },\n    enableEfaSupport: true,\n    placementGroupAvailabilityZone: \"us-west-2b\",\n\n    // Taint the nodes so that only pods with the efa-enabled label can be scheduled on them\n    taints: [{\n        key: \"efa-enabled\",\n        value: \"true\",\n        effect: \"NO_EXECUTE\",\n    }],\n\n    // Instances with GPUs usually have nvme instance store volumes, so we can mount them in RAID-0 for kubelet and containerd\n    // These are faster than the regular EBS volumes\n    nodeadmExtraOptions: [{\n        contentType: \"application/node.eks.aws\",\n        content: `apiVersion: node.eks.aws/v1alpha1\nkind: NodeConfig\nspec:\n  instance:\n    localStorage:\n      strategy: RAID0\n`,\n    }],\n});\n\n```\n\n```python\nimport pulumi\nimport json\nimport pulumi_aws as aws\nimport pulumi_awsx as awsx\nimport pulumi_eks as eks\nimport pulumi_kubernetes as kubernetes\n\neks_vpc = awsx.ec2.Vpc(\"eks-vpc\",\n    enable_dns_hostnames=True,\n    
cidr_block=\"10.0.0.0/16\")\neks_cluster = eks.Cluster(\"eks-cluster\",\n    vpc_id=eks_vpc.vpc_id,\n    authentication_mode=eks.AuthenticationMode.API,\n    public_subnet_ids=eks_vpc.public_subnet_ids,\n    private_subnet_ids=eks_vpc.private_subnet_ids,\n    skip_default_node_group=True)\nk8_s_provider = kubernetes.Provider(\"k8sProvider\", kubeconfig=eks_cluster.kubeconfig)\nnode_role = aws.iam.Role(\"node-role\", assume_role_policy=json.dumps({\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [{\n        \"Action\": \"sts:AssumeRole\",\n        \"Effect\": \"Allow\",\n        \"Sid\": \"\",\n        \"Principal\": {\n            \"Service\": \"ec2.amazonaws.com\",\n        },\n    }],\n}))\nworker_node_policy = aws.iam.RolePolicyAttachment(\"worker-node-policy\",\n    role=node_role.name,\n    policy_arn=\"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy\")\ncni_policy = aws.iam.RolePolicyAttachment(\"cni-policy\",\n    role=node_role.name,\n    policy_arn=\"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy\")\nregistry_policy = aws.iam.RolePolicyAttachment(\"registry-policy\",\n    role=node_role.name,\n    policy_arn=\"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly\")\n\n# The node group for running system pods (e.g. 
coredns, etc.)\nsystem_node_group = eks.ManagedNodeGroup(\"system-node-group\",\n    cluster=eks_cluster,\n    node_role=node_role)\n\n# The EFA device plugin for exposing EFA interfaces as extended resources\ndevice_plugin = kubernetes.helm.v3.Release(\"device-plugin\",\n    version=\"0.5.7\",\n    repository_opts={\n        \"repo\": \"https://aws.github.io/eks-charts\",\n    },\n    chart=\"aws-efa-k8s-device-plugin\",\n    namespace=\"kube-system\",\n    atomic=True,\n    values={\n        \"tolerations\": [{\n            \"key\": \"efa-enabled\",\n            \"operator\": \"Exists\",\n            \"effect\": \"NoExecute\",\n        }],\n    },\n    opts = pulumi.ResourceOptions(provider=k8_s_provider))\n\n# The node group for running EFA enabled workloads\nefa_node_group = eks.ManagedNodeGroup(\"efa-node-group\",\n    cluster=eks_cluster,\n    node_role=node_role,\n    instance_types=[\"g6.8xlarge\"],\n    gpu=True,\n    scaling_config={\n        \"min_size\": 2,\n        \"desired_size\": 2,\n        \"max_size\": 4,\n    },\n    enable_efa_support=True,\n    placement_group_availability_zone=\"us-west-2b\",\n\n    # Taint the nodes so that only pods with the efa-enabled label can be scheduled on them\n    taints=[{\n        \"key\": \"efa-enabled\",\n        \"value\": \"true\",\n        \"effect\": \"NO_EXECUTE\",\n    }],\n\n    # Instances with GPUs usually have nvme instance store volumes, so we can mount them in RAID-0 for kubelet and containerd\n    # These are faster than the regular EBS volumes\n    nodeadm_extra_options=[{\n        \"content_type\": \"application/node.eks.aws\",\n        \"content\": \"\"\"apiVersion: node.eks.aws/v1alpha1\nkind: NodeConfig\nspec:\n  instance:\n    localStorage:\n      strategy: RAID0\n\"\"\",\n    }])\n\n```\n\n```go\npackage main\n\nimport (\n\t\"encoding/json\"\n\n\tawseks 
\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/eks\"\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi-awsx/sdk/v2/go/awsx/ec2\"\n\t\"github.com/pulumi/pulumi-eks/sdk/v4/go/eks\"\n\t\"github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes\"\n\thelmv3 \"github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/helm/v3\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\teksVpc, err := ec2.NewVpc(ctx, \"eks-vpc\", \u0026ec2.VpcArgs{\n\t\t\tEnableDnsHostnames: pulumi.Bool(true),\n\t\t\tCidrBlock:          \"10.0.0.0/16\",\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\teksCluster, err := eks.NewCluster(ctx, \"eks-cluster\", \u0026eks.ClusterArgs{\n\t\t\tVpcId:                eksVpc.VpcId,\n\t\t\tAuthenticationMode:   eks.AuthenticationModeApi,\n\t\t\tPublicSubnetIds:      eksVpc.PublicSubnetIds,\n\t\t\tPrivateSubnetIds:     eksVpc.PrivateSubnetIds,\n\t\t\tSkipDefaultNodeGroup: true,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tk8SProvider, err := kubernetes.NewProvider(ctx, \"k8sProvider\", \u0026kubernetes.ProviderArgs{\n\t\t\tKubeconfig: eksCluster.Kubeconfig,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttmpJSON0, err := json.Marshal(map[string]interface{}{\n\t\t\t\"Version\": \"2012-10-17\",\n\t\t\t\"Statement\": []map[string]interface{}{\n\t\t\t\tmap[string]interface{}{\n\t\t\t\t\t\"Action\": \"sts:AssumeRole\",\n\t\t\t\t\t\"Effect\": \"Allow\",\n\t\t\t\t\t\"Sid\":    \"\",\n\t\t\t\t\t\"Principal\": map[string]interface{}{\n\t\t\t\t\t\t\"Service\": \"ec2.amazonaws.com\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tjson0 := string(tmpJSON0)\n\t\tnodeRole, err := iam.NewRole(ctx, \"node-role\", \u0026iam.RoleArgs{\n\t\t\tAssumeRolePolicy: pulumi.String(json0),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = iam.NewRolePolicyAttachment(ctx, 
\"worker-node-policy\", \u0026iam.RolePolicyAttachmentArgs{\n\t\t\tRole:      nodeRole.Name,\n\t\t\tPolicyArn: pulumi.String(\"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = iam.NewRolePolicyAttachment(ctx, \"cni-policy\", \u0026iam.RolePolicyAttachmentArgs{\n\t\t\tRole:      nodeRole.Name,\n\t\t\tPolicyArn: pulumi.String(\"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = iam.NewRolePolicyAttachment(ctx, \"registry-policy\", \u0026iam.RolePolicyAttachmentArgs{\n\t\t\tRole:      nodeRole.Name,\n\t\t\tPolicyArn: pulumi.String(\"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n        // The node group for running system pods (e.g. coredns, etc.)\n\t\t_, err = eks.NewManagedNodeGroup(ctx, \"system-node-group\", \u0026eks.ManagedNodeGroupArgs{\n\t\t\tCluster:  eksCluster,\n\t\t\tNodeRole: nodeRole,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n        // The EFA device plugin for exposing EFA interfaces as extended resources\n\t\t_, err = helmv3.NewRelease(ctx, \"device-plugin\", \u0026helmv3.ReleaseArgs{\n\t\t\tVersion: pulumi.String(\"0.5.7\"),\n\t\t\tRepositoryOpts: \u0026helmv3.RepositoryOptsArgs{\n\t\t\t\tRepo: pulumi.String(\"https://aws.github.io/eks-charts\"),\n\t\t\t},\n\t\t\tChart:     pulumi.String(\"aws-efa-k8s-device-plugin\"),\n\t\t\tNamespace: pulumi.String(\"kube-system\"),\n\t\t\tAtomic:    pulumi.Bool(true),\n\t\t\tValues: pulumi.Map{\n\t\t\t\t\"tolerations\": pulumi.Any{\n\t\t\t\t\t[]map[string]interface{}{\n                        {\n                            \"key\":      \"efa-enabled\",\n                            \"operator\": \"Exists\",\n                            \"effect\":   \"NoExecute\",\n                        }\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t}, pulumi.Provider(k8SProvider))\n\t\tif err != nil 
{\n\t\t\treturn err\n\t\t}\n\n        // The node group for running EFA enabled workloads\n\t\t_, err = eks.NewManagedNodeGroup(ctx, \"efa-node-group\", \u0026eks.ManagedNodeGroupArgs{\n\t\t\tCluster:  eksCluster,\n\t\t\tNodeRole: nodeRole,\n\t\t\tInstanceTypes: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"g6.8xlarge\"),\n\t\t\t},\n\t\t\tGpu: pulumi.Bool(true),\n\t\t\tScalingConfig: \u0026eks.NodeGroupScalingConfigArgs{\n\t\t\t\tMinSize:     pulumi.Int(2),\n\t\t\t\tDesiredSize: pulumi.Int(2),\n\t\t\t\tMaxSize:     pulumi.Int(4),\n\t\t\t},\n\t\t\tEnableEfaSupport:               true,\n\t\t\tPlacementGroupAvailabilityZone: pulumi.String(\"us-west-2b\"),\n\n            // Taint the nodes so that only pods that tolerate the efa-enabled taint can be scheduled on them\n\t\t\tTaints: eks.NodeGroupTaintArray{\n\t\t\t\t\u0026eks.NodeGroupTaintArgs{\n\t\t\t\t\tKey:    pulumi.String(\"efa-enabled\"),\n\t\t\t\t\tValue:  pulumi.String(\"true\"),\n\t\t\t\t\tEffect: pulumi.String(\"NO_EXECUTE\"),\n\t\t\t\t},\n\t\t\t},\n\n            // Instances with GPUs usually have nvme instance store volumes, so we can mount them in RAID-0 for kubelet and containerd\n            // These are faster than the regular EBS volumes\n\t\t\tNodeadmExtraOptions: eks.NodeadmOptionsArray{\n\t\t\t\t\u0026eks.NodeadmOptionsArgs{\n\t\t\t\t\tContentType: pulumi.String(\"application/node.eks.aws\"),\n\t\t\t\t\tContent: pulumi.String(`apiVersion: node.eks.aws/v1alpha1\nkind: NodeConfig\nspec:\n  instance:\n    localStorage:\n      strategy: RAID0\n`),\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n\n```\n\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Text.Json;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\nusing Awsx = Pulumi.Awsx;\nusing Eks = Pulumi.Eks;\nusing Kubernetes = Pulumi.Kubernetes;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var eksVpc = new Awsx.Ec2.Vpc(\"eks-vpc\", new()\n    {\n        EnableDnsHostnames = 
true,\n        CidrBlock = \"10.0.0.0/16\",\n    });\n\n    var eksCluster = new Eks.Cluster(\"eks-cluster\", new()\n    {\n        VpcId = eksVpc.VpcId,\n        AuthenticationMode = Eks.AuthenticationMode.Api,\n        PublicSubnetIds = eksVpc.PublicSubnetIds,\n        PrivateSubnetIds = eksVpc.PrivateSubnetIds,\n        SkipDefaultNodeGroup = true,\n    });\n\n    var k8SProvider = new Kubernetes.Provider.Provider(\"k8sProvider\", new()\n    {\n        KubeConfig = eksCluster.Kubeconfig,\n    });\n\n    var nodeRole = new Aws.Iam.Role(\"node-role\", new()\n    {\n        AssumeRolePolicy = JsonSerializer.Serialize(new Dictionary\u003cstring, object?\u003e\n        {\n            [\"Version\"] = \"2012-10-17\",\n            [\"Statement\"] = new[]\n            {\n                new Dictionary\u003cstring, object?\u003e\n                {\n                    [\"Action\"] = \"sts:AssumeRole\",\n                    [\"Effect\"] = \"Allow\",\n                    [\"Sid\"] = \"\",\n                    [\"Principal\"] = new Dictionary\u003cstring, object?\u003e\n                    {\n                        [\"Service\"] = \"ec2.amazonaws.com\",\n                    },\n                },\n            },\n        }),\n    });\n\n    var workerNodePolicy = new Aws.Iam.RolePolicyAttachment(\"worker-node-policy\", new()\n    {\n        Role = nodeRole.Name,\n        PolicyArn = \"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy\",\n    });\n\n    var cniPolicy = new Aws.Iam.RolePolicyAttachment(\"cni-policy\", new()\n    {\n        Role = nodeRole.Name,\n        PolicyArn = \"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy\",\n    });\n\n    var registryPolicy = new Aws.Iam.RolePolicyAttachment(\"registry-policy\", new()\n    {\n        Role = nodeRole.Name,\n        PolicyArn = \"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly\",\n    });\n\n    // The node group for running system pods (e.g. 
coredns, etc.)\n    var systemNodeGroup = new Eks.ManagedNodeGroup(\"system-node-group\", new()\n    {\n        Cluster = eksCluster,\n        NodeRole = nodeRole,\n    });\n\n    // The EFA device plugin for exposing EFA interfaces as extended resources\n    var devicePlugin = new Kubernetes.Helm.V3.Release(\"device-plugin\", new()\n    {\n        Version = \"0.5.7\",\n        RepositoryOpts = new Kubernetes.Types.Inputs.Helm.V3.RepositoryOptsArgs\n        {\n            Repo = \"https://aws.github.io/eks-charts\",\n        },\n        Chart = \"aws-efa-k8s-device-plugin\",\n        Namespace = \"kube-system\",\n        Atomic = true,\n        Values = \n        {\n            { \"tolerations\", new[]\n            {\n                \n                {\n                    { \"key\", \"efa-enabled\" },\n                    { \"operator\", \"Exists\" },\n                    { \"effect\", \"NoExecute\" },\n                },\n            } },\n        },\n    }, new CustomResourceOptions\n    {\n        Provider = k8SProvider,\n    });\n\n    // The node group for running EFA enabled workloads\n    var efaNodeGroup = new Eks.ManagedNodeGroup(\"efa-node-group\", new()\n    {\n        Cluster = eksCluster,\n        NodeRole = nodeRole,\n        InstanceTypes = new[]\n        {\n            \"g6.8xlarge\",\n        },\n        Gpu = true,\n        ScalingConfig = new Aws.Eks.Inputs.NodeGroupScalingConfigArgs\n        {\n            MinSize = 2,\n            DesiredSize = 2,\n            MaxSize = 4,\n        },\n        EnableEfaSupport = true,\n        PlacementGroupAvailabilityZone = \"us-west-2b\",\n\n        // Taint the nodes so that only pods that tolerate the efa-enabled taint can be scheduled on them\n        Taints = new[]\n        {\n            new Aws.Eks.Inputs.NodeGroupTaintArgs\n            {\n                Key = \"efa-enabled\",\n                Value = \"true\",\n                Effect = \"NO_EXECUTE\",\n            },\n        },\n\n        // Instances with 
GPUs usually have nvme instance store volumes, so we can mount them in RAID-0 for kubelet and containerd\n        NodeadmExtraOptions = new[]\n        {\n            new Eks.Inputs.NodeadmOptionsArgs\n            {\n                ContentType = \"application/node.eks.aws\",\n                Content = @\"apiVersion: node.eks.aws/v1alpha1\nkind: NodeConfig\nspec:\n  instance:\n    localStorage:\n      strategy: RAID0\n\",\n            },\n        },\n    });\n\n});\n\n```\n\n{{% /example %}}\n{{% /examples %}}\n","properties":{"nodeGroup":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:eks%2FnodeGroup:NodeGroup","description":"The AWS managed node group."},"placementGroupName":{"type":"string","description":"The name of the placement group created for the managed node group."}},"required":["nodeGroup","placementGroupName"],"inputProperties":{"amiId":{"type":"string","description":"The AMI ID to use for the worker nodes.\nDefaults to the latest recommended EKS Optimized AMI from the AWS Systems Manager Parameter Store.\n\nNote: `amiId` is mutually exclusive with `gpu` and `amiType`.\n\nSee for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html."},"amiType":{"type":"string","description":"Type of Amazon Machine Image (AMI) associated with the EKS Node Group. Defaults to `AL2_x86_64`.\nNote: `amiType` and `amiId` are mutually exclusive.\n\nSee the AWS documentation (https://docs.aws.amazon.com/eks/latest/APIReference/API_Nodegroup.html#AmazonEKS-Type-Nodegroup-amiType) for valid AMI Types. This provider will only perform drift detection if a configuration value is provided."},"bootstrapExtraArgs":{"type":"string","plain":true,"description":"Additional args to pass directly to `/etc/eks/bootstrap.sh`. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. 
Note that the `--apiserver-endpoint`, `--b64-cluster-ca` and `--kubelet-extra-args` flags are included automatically based on other configuration parameters.\n\nNote that this field conflicts with `launchTemplate`."},"bottlerocketSettings":{"type":"object","additionalProperties":{"$ref":"pulumi.json#/Any"},"description":"The configuration settings for Bottlerocket OS.\nThe settings will get merged with the base settings the provider uses to configure Bottlerocket.\n\nThis includes:\n  - settings.kubernetes.api-server\n  - settings.kubernetes.cluster-certificate\n  - settings.kubernetes.cluster-name\n  - settings.kubernetes.cluster-dns-ip\n\nFor an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/."},"capacityType":{"type":"string","description":"Type of capacity associated with the EKS Node Group. Valid values: `ON_DEMAND`, `SPOT`. This provider will only perform drift detection if a configuration value is provided."},"cluster":{"oneOf":[{"$ref":"#/resources/eks:index:Cluster"},{"$ref":"#/types/eks:index:CoreData"}],"description":"The target EKS cluster."},"clusterName":{"type":"string","description":"Name of the EKS Cluster."},"diskSize":{"type":"integer","description":"Disk size in GiB for worker nodes. Defaults to `20`. This provider will only perform drift detection if a configuration value is provided."},"enableEfaSupport":{"type":"boolean","plain":true,"description":"Determines whether to enable Elastic Fabric Adapter (EFA) support for the node group. If multiple different instance types are configured for the node group, the first one will be used to determine the network interfaces to use. Requires `placementGroupAvailabilityZone` to be set."},"enableIMDSv2":{"type":"boolean","plain":true,"description":"Enables the ability to use EC2 Instance Metadata Service v2, which provides a more secure way to access instance metadata. 
For more information, see: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html.\nDefaults to `false`.\n\nNote that this field conflicts with `launchTemplate`. If you are providing a custom `launchTemplate`, you should enable this feature within the `launchTemplateMetadataOptions` of the supplied `launchTemplate`."},"forceUpdateVersion":{"type":"boolean","description":"Force version update if existing pods are unable to be drained due to a pod disruption budget issue."},"gpu":{"type":"boolean","description":"Use the latest recommended EKS Optimized AMI with GPU support for the worker nodes.\nDefaults to false.\n\nNote: `gpu` and `amiId` are mutually exclusive.\n\nSee for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-amis.html."},"ignoreScalingChanges":{"type":"boolean","plain":true,"description":"Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.\n\nSee [EKS best practices](https://aws.github.io/aws-eks-best-practices/cluster-autoscaling/) for more details."},"instanceTypes":{"type":"array","items":{"type":"string"},"description":"Set of instance types associated with the EKS Node Group. Defaults to `[\"t3.medium\"]`. This provider will only perform drift detection if a configuration value is provided. Currently, the EKS API only accepts a single value in the set."},"kubeletExtraArgs":{"type":"string","plain":true,"description":"Extra args to pass to the Kubelet. Corresponds to the options passed in the `--kubeletExtraArgs` flag to `/etc/eks/bootstrap.sh`. For example, '--port=10251 --address=0.0.0.0'. To escape characters in the extra args value, wrap the value in quotes. For example, `kubeletExtraArgs = '--allowed-unsafe-sysctls \"net.core.somaxconn\"'`.\nNote that this field conflicts with `launchTemplate`."},"labels":{"type":"object","additionalProperties":{"type":"string"},"description":"Key-value map of Kubernetes labels. 
Only labels that are applied with the EKS API are managed by this argument. Other Kubernetes labels applied to the EKS Node Group will not be managed."},"launchTemplate":{"$ref":"/aws/v7.14.0/schema.json#/types/aws:eks%2FNodeGroupLaunchTemplate:NodeGroupLaunchTemplate","description":"Launch Template settings.\n\nNote: This field is mutually exclusive with `kubeletExtraArgs` and `bootstrapExtraArgs`."},"nodeGroupName":{"type":"string","description":"Name of the EKS Node Group. If omitted, this provider will assign a random, unique name. Conflicts with `nodeGroupNamePrefix`."},"nodeGroupNamePrefix":{"type":"string","description":"Creates a unique name beginning with the specified prefix. Conflicts with `nodeGroupName`."},"nodeRole":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:iam%2Frole:Role","description":"The IAM Role that provides permissions for the EKS Node Group.\n\nNote, `nodeRole` and `nodeRoleArn` are mutually exclusive, and a single option must be used."},"nodeRoleArn":{"type":"string","description":"Amazon Resource Name (ARN) of the IAM Role that provides permissions for the EKS Node Group.\n\nNote, `nodeRoleArn` and `nodeRole` are mutually exclusive, and a single option must be used."},"nodeadmExtraOptions":{"type":"array","items":{"$ref":"#/types/eks:index:NodeadmOptions"},"description":"Extra nodeadm configuration sections to be added to the nodeadm user data. This can be shell scripts, nodeadm NodeConfig or any other user data compatible script. When configuring additional nodeadm NodeConfig sections, they'll be merged with the base settings the provider sets. 
You can overwrite base settings or provide additional settings this way.\nThe base settings the provider sets are:\n  - cluster.name\n  - cluster.apiServerEndpoint\n  - cluster.certificateAuthority\n  - cluster.cidr\n\nNote: This is only applicable when using AL2023.\nSee for more details:\n  - https://awslabs.github.io/amazon-eks-ami/nodeadm/\n  - https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/"},"operatingSystem":{"$ref":"#/types/eks:index:OperatingSystem","description":"The type of OS to use for the node group. Will be used to determine the right EKS optimized AMI to use based on the instance types and gpu configuration.\nValid values are `RECOMMENDED`, `AL2`, `AL2023` and `Bottlerocket`.\n\nDefaults to the current recommended OS."},"placementGroupAvailabilityZone":{"type":"string","description":"The availability zone of the placement group for EFA support. Required if `enableEfaSupport` is true."},"releaseVersion":{"type":"string","description":"AMI version of the EKS Node Group. Defaults to latest version for Kubernetes version."},"remoteAccess":{"$ref":"/aws/v7.14.0/schema.json#/types/aws:eks%2FNodeGroupRemoteAccess:NodeGroupRemoteAccess","description":"Remote access settings."},"scalingConfig":{"$ref":"/aws/v7.14.0/schema.json#/types/aws:eks%2FNodeGroupScalingConfig:NodeGroupScalingConfig","description":"Scaling settings.\n\nDefault scaling amounts of the node group autoscaling group are:\n  - desiredSize: 2\n  - minSize: 1\n  - maxSize: 2"},"subnetIds":{"type":"array","items":{"type":"string"},"description":"Identifiers of EC2 Subnets to associate with the EKS Node Group. 
These subnets must have the following resource tag: `kubernetes.io/cluster/CLUSTER_NAME` (where `CLUSTER_NAME` is replaced with the name of the EKS Cluster).\n\nDefault subnetIds is chosen from the following list, in order, if subnetIds arg is not set:\n  - core.subnetIds\n  - core.privateIds\n  - core.publicSubnetIds\n\nThis default logic is based on the existing subnet IDs logic of this package: https://git.io/JeM11"},"tags":{"type":"object","additionalProperties":{"type":"string"},"description":"Key-value mapping of resource tags."},"taints":{"type":"array","items":{"$ref":"/aws/v7.14.0/schema.json#/types/aws:eks%2FNodeGroupTaint:NodeGroupTaint"},"description":"The Kubernetes taints to be applied to the nodes in the node group. Maximum of 50 taints per node group."},"userData":{"type":"string","description":"User specified code to run on node startup. This is expected to handle the full AWS EKS node bootstrapping. If omitted, the provider will configure the user data.\n\nSee for more details: https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-user-data."},"version":{"type":"string"}},"requiredInputs":["cluster"],"isComponent":true},"eks:index:NodeGroup":{"description":"NodeGroup is a component that wraps the AWS EC2 instances that provide compute capacity for an EKS cluster.","properties":{"autoScalingGroupName":{"type":"string","description":"The AutoScalingGroup name for the Node group."},"cfnStack":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:cloudformation%2Fstack:Stack","description":"The CloudFormation Stack which defines the Node AutoScalingGroup."},"extraNodeSecurityGroups":{"type":"array","items":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"},"description":"The additional security groups for the node group that captures user-specific rules."},"nodeSecurityGroup":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup","description":"The security 
group for the node group to communicate with the cluster, or undefined if using `nodeSecurityGroupId`."},"nodeSecurityGroupId":{"type":"string","description":"The ID of the security group for the node group to communicate with the cluster."}},"required":["nodeSecurityGroupId","extraNodeSecurityGroups","cfnStack","autoScalingGroupName"],"inputProperties":{"amiId":{"type":"string","description":"The AMI ID to use for the worker nodes.\n\nDefaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.\n\nNote: `amiId` and `gpu` are mutually exclusive.\n\nSee for more details:\n- https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html."},"amiType":{"type":"string","description":"The AMI Type to use for the worker nodes. \n\nOnly applicable when setting an AMI ID that is of type `arm64`. \n\nNote: `amiType` and `gpu` are mutually exclusive.\n\n"},"autoScalingGroupTags":{"type":"object","additionalProperties":{"type":"string"},"description":"The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.\n\nPer AWS, all stack-level tags, including automatically created tags, and the `cloudFormationTags` option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html\n\nNote: Given the inheritance of auto-generated CF tags and `cloudFormationTags`, you should either supply the tag in `autoScalingGroupTags` or `cloudFormationTags`, but not both."},"bootstrapExtraArgs":{"type":"string","description":"Additional args to pass directly to `/etc/eks/bootstrap.sh`. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. 
Note that the `--apiserver-endpoint`, `--b64-cluster-ca` and `--kubelet-extra-args` flags are included automatically based on other configuration parameters."},"bottlerocketSettings":{"type":"object","additionalProperties":{"$ref":"pulumi.json#/Any"},"description":"The configuration settings for Bottlerocket OS.\nThe settings will get merged with the base settings the provider uses to configure Bottlerocket.\n\nThis includes:\n  - settings.kubernetes.api-server\n  - settings.kubernetes.cluster-certificate\n  - settings.kubernetes.cluster-name\n  - settings.kubernetes.cluster-dns-ip\n\nFor an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/."},"cloudFormationTags":{"type":"object","additionalProperties":{"type":"string"},"description":"The tags to apply to the CloudFormation Stack of the Worker NodeGroup.\n\nNote: Given the inheritance of auto-generated CF tags and `cloudFormationTags`, you should either supply the tag in `autoScalingGroupTags` or `cloudFormationTags`, but not both."},"cluster":{"oneOf":[{"$ref":"#/resources/eks:index:Cluster"},{"$ref":"#/types/eks:index:CoreData"}],"description":"The target EKS cluster."},"clusterIngressRule":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:ec2%2FsecurityGroupRule:SecurityGroupRule","description":"The ingress rule that gives node group access."},"clusterIngressRuleId":{"type":"string","description":"The ID of the ingress rule that gives node group access."},"desiredCapacity":{"type":"integer","description":"The number of worker nodes that should be running in the cluster. Defaults to 2."},"enableDetailedMonitoring":{"type":"boolean","description":"Enables/disables detailed monitoring of the EC2 instances.\n\nWith detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals.\nWhen enabled, you can also get aggregated data across groups of similar instances.\n\nNote: You are charged per metric that is sent to CloudWatch. 
You are not charged for data storage.\nFor more information, see \"Paid tier\" and \"Example 1 - EC2 Detailed Monitoring\" here https://aws.amazon.com/cloudwatch/pricing/."},"encryptRootBlockDevice":{"type":"boolean","description":"Encrypt the root block device of the nodes in the node group."},"extraNodeSecurityGroups":{"type":"array","items":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"},"description":"Extra security groups to attach on all nodes in this worker node group.\n\nThis additional set of security groups captures any user application rules that will be needed for the nodes."},"gpu":{"type":"boolean","description":"Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.\n\nDefaults to false.\n\nNote: `gpu` and `amiId` are mutually exclusive.\n\nSee for more details:\n- https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html\n- https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html"},"instanceProfile":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:iam%2FinstanceProfile:InstanceProfile","plain":true,"description":"The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive."},"instanceProfileName":{"type":"string","description":"The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive."},"instanceType":{"type":"string","description":"The instance type to use for the cluster's nodes. Defaults to \"t3.medium\"."},"keyName":{"type":"string","description":"Name of the key pair to use for SSH access to worker nodes."},"kubeletExtraArgs":{"type":"string","description":"Extra args to pass to the Kubelet. Corresponds to the options passed in the `--kubeletExtraArgs` flag to `/etc/eks/bootstrap.sh`. For example, '--port=10251 --address=0.0.0.0'. 
Note that the `labels` and `taints` properties will be applied to this list (using `--node-labels` and `--register-with-taints` respectively) after the explicit `kubeletExtraArgs`."},"labels":{"type":"object","additionalProperties":{"type":"string"},"description":"Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the `--node-labels` kubelet argument."},"maxSize":{"type":"integer","description":"The maximum number of worker nodes running in the cluster. Defaults to 2."},"minSize":{"type":"integer","description":"The minimum number of worker nodes running in the cluster. Defaults to 1."},"nodeAssociatePublicIpAddress":{"type":"boolean","description":"Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs."},"nodePublicKey":{"type":"string","description":"Public key material for SSH access to worker nodes. See allowed formats at:\nhttps://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html\nIf not provided, no SSH access is enabled on VMs."},"nodeRootVolumeDeleteOnTermination":{"type":"boolean","description":"Whether the root block device should be deleted on termination of the instance. Defaults to true."},"nodeRootVolumeEncrypted":{"type":"boolean","description":"Whether to encrypt a cluster node's root volume. Defaults to false."},"nodeRootVolumeIops":{"type":"integer","description":"The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'."},"nodeRootVolumeSize":{"type":"integer","description":"The size in GiB of a cluster node's root volume. Defaults to 20."},"nodeRootVolumeThroughput":{"type":"integer","description":"Provisioned throughput performance in integer MiB/s for a cluster node's root volume. 
This is only valid with a volumeType of 'gp3'."},"nodeRootVolumeType":{"type":"string","description":"Configured EBS type for a cluster node's root volume. Default is 'gp2'. Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'."},"nodeSecurityGroup":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup","description":"The security group for the worker node group to communicate with the cluster.\n\nThis security group requires specific inbound and outbound rules.\n\nSee for more details:\nhttps://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html\n\nNote: The `nodeSecurityGroup` option and the cluster option `nodeSecurityGroupTags` are mutually exclusive."},"nodeSecurityGroupId":{"type":"string","description":"The ID of the security group for the worker node group to communicate with the cluster.\n\nThis security group requires specific inbound and outbound rules.\n\nSee for more details:\nhttps://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html\n\nNote: The `nodeSecurityGroupId` option and the cluster option `nodeSecurityGroupTags` are mutually exclusive."},"nodeSubnetIds":{"type":"array","items":{"type":"string"},"description":"The set of subnets to override and use for the worker node group.\n\nSetting this option overrides which subnets to use for the worker node group, regardless if the cluster's `subnetIds` is set, or if `publicSubnetIds` and/or `privateSubnetIds` were set."},"nodeUserData":{"type":"string","description":"Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a `#!`)."},"nodeUserDataOverride":{"type":"string","description":"User specified code to run on node startup. 
This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).\n\nSee for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html"},"nodeadmExtraOptions":{"type":"array","items":{"$ref":"#/types/eks:index:NodeadmOptions"},"description":"Extra nodeadm configuration sections to be added to the nodeadm user data. This can be shell scripts, nodeadm NodeConfig or any other user data compatible script. When configuring additional nodeadm NodeConfig sections, they'll be merged with the base settings the provider sets. You can overwrite base settings or provide additional settings this way.\nThe base settings the provider sets are:\n  - cluster.name\n  - cluster.apiServerEndpoint\n  - cluster.certificateAuthority\n  - cluster.cidr\n\nNote: This is only applicable when using AL2023.\nSee for more details:\n  - https://awslabs.github.io/amazon-eks-ami/nodeadm/\n  - https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/"},"operatingSystem":{"$ref":"#/types/eks:index:OperatingSystem","description":"The type of OS to use for the node group. Will be used to determine the right EKS optimized AMI to use based on the instance types and gpu configuration.\nValid values are `RECOMMENDED`, `AL2`, `AL2023` and `Bottlerocket`.\n\nDefaults to the current recommended OS."},"spotPrice":{"type":"string","description":"Bidding price for spot instance. If set, only spot instances will be added as worker node."},"taints":{"type":"object","additionalProperties":{"$ref":"#/types/eks:index:Taint"},"description":"Custom k8s node taints to be attached to each worker node. Adds the given taints to the `--register-with-taints` kubelet argument"},"version":{"type":"string","description":"Desired Kubernetes master / control plane version. 
If you do not specify a value, the latest available version is used."}},"requiredInputs":["cluster"],"deprecationMessage":"NodeGroup uses AWS EC2 LaunchConfiguration which has been deprecated by AWS and doesn't support the newest instance types. Please use NodeGroupV2 instead.","isComponent":true},"eks:index:NodeGroupSecurityGroup":{"description":"NodeGroupSecurityGroup is a component that wraps creating a security group for node groups with the default ingress \u0026 egress rules required to connect and work with the EKS cluster security group.","properties":{"securityGroup":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup","description":"The security group for node groups with the default ingress \u0026 egress rules required to connect and work with the EKS cluster security group."},"securityGroupRule":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:ec2%2FsecurityGroupRule:SecurityGroupRule","description":"The EKS cluster ingress rule."}},"required":["securityGroup","securityGroupRule"],"inputProperties":{"clusterSecurityGroup":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup","description":"The security group associated with the EKS cluster."},"eksCluster":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:eks%2Fcluster:Cluster","description":"The EKS cluster associated with the worker node group"},"tags":{"type":"object","additionalProperties":{"type":"string"},"description":"Key-value mapping of tags to apply to this security group."},"vpcId":{"type":"string","description":"The VPC in which to create the worker node group."}},"requiredInputs":["vpcId","clusterSecurityGroup","eksCluster"],"isComponent":true},"eks:index:NodeGroupV2":{"description":"NodeGroup is a component that wraps the AWS EC2 instances that provide compute capacity for an EKS cluster.","properties":{"autoScalingGroup":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:autoscaling%2Fgroup:Group","description":"The 
AutoScalingGroup for the Node group."},"extraNodeSecurityGroups":{"type":"array","items":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"},"description":"The additional security groups for the node group that captures user-specific rules."},"nodeSecurityGroup":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup","description":"The security group for the node group to communicate with the cluster, or undefined if using `nodeSecurityGroupId`."},"nodeSecurityGroupId":{"type":"string","description":"The ID of the security group for the node group to communicate with the cluster."}},"required":["nodeSecurityGroupId","extraNodeSecurityGroups","autoScalingGroup"],"inputProperties":{"amiId":{"type":"string","description":"The AMI ID to use for the worker nodes.\n\nDefaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.\n\nNote: `amiId` and `gpu` are mutually exclusive.\n\nSee for more details:\n- https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html."},"amiType":{"type":"string","description":"The AMI Type to use for the worker nodes. \n\nOnly applicable when setting an AMI ID that is of type `arm64`. \n\nNote: `amiType` and `gpu` are mutually exclusive.\n\n"},"autoScalingGroupTags":{"type":"object","additionalProperties":{"type":"string"},"description":"The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.\n\nPer AWS, all stack-level tags, including automatically created tags, and the `cloudFormationTags` option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. 
See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html\n\nNote: Given the inheritance of auto-generated CF tags and `cloudFormationTags`, you should either supply the tag in `autoScalingGroupTags` or `cloudFormationTags`, but not both."},"bootstrapExtraArgs":{"type":"string","description":"Additional args to pass directly to `/etc/eks/bootstrap.sh`. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the `--apiserver-endpoint`, `--b64-cluster-ca` and `--kubelet-extra-args` flags are included automatically based on other configuration parameters."},"bottlerocketSettings":{"type":"object","additionalProperties":{"$ref":"pulumi.json#/Any"},"description":"The configuration settings for Bottlerocket OS.\nThe settings will get merged with the base settings the provider uses to configure Bottlerocket.\n\nThis includes:\n  - settings.kubernetes.api-server\n  - settings.kubernetes.cluster-certificate\n  - settings.kubernetes.cluster-name\n  - settings.kubernetes.cluster-dns-ip\n\nFor an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/."},"cloudFormationTags":{"type":"object","additionalProperties":{"type":"string"},"description":"The tags to apply to the CloudFormation Stack of the Worker NodeGroup.\n\nNote: Given the inheritance of auto-generated CF tags and `cloudFormationTags`, you should either supply the tag in `autoScalingGroupTags` or `cloudFormationTags`, but not both."},"cluster":{"oneOf":[{"$ref":"#/resources/eks:index:Cluster"},{"$ref":"#/types/eks:index:CoreData"}],"description":"The target EKS cluster."},"clusterIngressRule":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:ec2%2FsecurityGroupRule:SecurityGroupRule","description":"The ingress rule that gives node group access."},"clusterIngressRuleId":{"type":"string","description":"The ID of the ingress rule that gives node group 
access."},"desiredCapacity":{"type":"integer","description":"The number of worker nodes that should be running in the cluster. Defaults to 2."},"enableDetailedMonitoring":{"type":"boolean","description":"Enables/disables detailed monitoring of the EC2 instances.\n\nWith detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals.\nWhen enabled, you can also get aggregated data across groups of similar instances.\n\nNote: You are charged per metric that is sent to CloudWatch. You are not charged for data storage.\nFor more information, see \"Paid tier\" and \"Example 1 - EC2 Detailed Monitoring\" here https://aws.amazon.com/cloudwatch/pricing/."},"encryptRootBlockDevice":{"type":"boolean","description":"Encrypt the root block device of the nodes in the node group."},"extraNodeSecurityGroups":{"type":"array","items":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"},"description":"Extra security groups to attach on all nodes in this worker node group.\n\nThis additional set of security groups captures any user application rules that will be needed for the nodes."},"gpu":{"type":"boolean","description":"Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.\n\nDefaults to false.\n\nNote: `gpu` and `amiId` are mutually exclusive.\n\nSee for more details:\n- https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html\n- https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html"},"ignoreScalingChanges":{"type":"boolean","plain":true,"description":"Whether to ignore changes to the desired size of the Auto Scaling Group. 
This is useful when using Cluster Autoscaler.\n\nSee [EKS best practices](https://aws.github.io/aws-eks-best-practices/cluster-autoscaling/) for more details."},"instanceProfile":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:iam%2FinstanceProfile:InstanceProfile","plain":true,"description":"The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive."},"instanceProfileName":{"type":"string","description":"The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive."},"instanceType":{"type":"string","description":"The instance type to use for the cluster's nodes. Defaults to \"t3.medium\"."},"keyName":{"type":"string","description":"Name of the key pair to use for SSH access to worker nodes."},"kubeletExtraArgs":{"type":"string","description":"Extra args to pass to the Kubelet. Corresponds to the options passed in the `--kubelet-extra-args` flag to `/etc/eks/bootstrap.sh`. For example, '--port=10251 --address=0.0.0.0'. Note that the `labels` and `taints` properties will be applied to this list (using `--node-labels` and `--register-with-taints` respectively) after the explicit `kubeletExtraArgs`."},"labels":{"type":"object","additionalProperties":{"type":"string"},"description":"Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the `--node-labels` kubelet argument."},"launchTemplateTagSpecifications":{"type":"array","items":{"$ref":"/aws/v7.14.0/schema.json#/types/aws:ec2%2FLaunchTemplateTagSpecification:LaunchTemplateTagSpecification"},"description":"The tag specifications to apply to the launch template."},"maxSize":{"type":"integer","description":"The maximum number of worker nodes running in the cluster. 
Defaults to 2."},"minRefreshPercentage":{"type":"integer","description":"The minimum amount of instances that should remain available during an instance refresh, expressed as a percentage. Defaults to 50."},"minSize":{"type":"integer","description":"The minimum number of worker nodes running in the cluster. Defaults to 1."},"nodeAssociatePublicIpAddress":{"type":"boolean","description":"Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs."},"nodePublicKey":{"type":"string","description":"Public key material for SSH access to worker nodes. See allowed formats at:\nhttps://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html\nIf not provided, no SSH access is enabled on VMs."},"nodeRootVolumeDeleteOnTermination":{"type":"boolean","description":"Whether the root block device should be deleted on termination of the instance. Defaults to true."},"nodeRootVolumeEncrypted":{"type":"boolean","description":"Whether to encrypt a cluster node's root volume. Defaults to false."},"nodeRootVolumeIops":{"type":"integer","description":"The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'."},"nodeRootVolumeSize":{"type":"integer","description":"The size in GiB of a cluster node's root volume. Defaults to 20."},"nodeRootVolumeThroughput":{"type":"integer","description":"Provisioned throughput performance in integer MiB/s for a cluster node's root volume. This is only valid with a volumeType of 'gp3'."},"nodeRootVolumeType":{"type":"string","description":"Configured EBS type for a cluster node's root volume. Default is 'gp2'. 
Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'."},"nodeSecurityGroup":{"$ref":"/aws/v7.14.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup","description":"The security group for the worker node group to communicate with the cluster.\n\nThis security group requires specific inbound and outbound rules.\n\nSee for more details:\nhttps://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html\n\nNote: The `nodeSecurityGroup` option and the cluster option `nodeSecurityGroupTags` are mutually exclusive."},"nodeSecurityGroupId":{"type":"string","description":"The ID of the security group for the worker node group to communicate with the cluster.\n\nThis security group requires specific inbound and outbound rules.\n\nSee for more details:\nhttps://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html\n\nNote: The `nodeSecurityGroupId` option and the cluster option `nodeSecurityGroupTags` are mutually exclusive."},"nodeSubnetIds":{"type":"array","items":{"type":"string"},"description":"The set of subnets to override and use for the worker node group.\n\nSetting this option overrides which subnets to use for the worker node group, regardless of whether the cluster's `subnetIds` is set, or if `publicSubnetIds` and/or `privateSubnetIds` were set."},"nodeUserData":{"type":"string","description":"Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a `#!`)."},"nodeUserDataOverride":{"type":"string","description":"User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. 
This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).\n\nSee for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html"},"nodeadmExtraOptions":{"type":"array","items":{"$ref":"#/types/eks:index:NodeadmOptions"},"description":"Extra nodeadm configuration sections to be added to the nodeadm user data. This can be shell scripts, nodeadm NodeConfig or any other user data compatible script. When configuring additional nodeadm NodeConfig sections, they'll be merged with the base settings the provider sets. You can overwrite base settings or provide additional settings this way.\nThe base settings the provider sets are:\n  - cluster.name\n  - cluster.apiServerEndpoint\n  - cluster.certificateAuthority\n  - cluster.cidr\n\nNote: This is only applicable when using AL2023.\nSee for more details:\n  - https://awslabs.github.io/amazon-eks-ami/nodeadm/\n  - https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/"},"operatingSystem":{"$ref":"#/types/eks:index:OperatingSystem","description":"The type of OS to use for the node group. Will be used to determine the right EKS optimized AMI to use based on the instance types and gpu configuration.\nValid values are `RECOMMENDED`, `AL2`, `AL2023` and `Bottlerocket`.\n\nDefaults to the current recommended OS."},"spotPrice":{"type":"string","description":"Bidding price for spot instance. If set, only spot instances will be added as worker node."},"taints":{"type":"object","additionalProperties":{"$ref":"#/types/eks:index:Taint"},"description":"Custom k8s node taints to be attached to each worker node. Adds the given taints to the `--register-with-taints` kubelet argument"},"version":{"type":"string","description":"Desired Kubernetes master / control plane version. 
If you do not specify a value, the latest available version is used."}},"requiredInputs":["cluster"],"isComponent":true},"eks:index:VpcCniAddon":{"description":"VpcCniAddon manages the configuration of the Amazon VPC CNI plugin for Kubernetes by leveraging the EKS managed add-on.\nFor more information see: https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html","inputProperties":{"addonVersion":{"type":"string","description":"The version of the addon to use. If not specified, the latest version of the addon for the cluster's Kubernetes version will be used."},"clusterName":{"type":"string","description":"The name of the EKS cluster."},"clusterVersion":{"type":"string","description":"The Kubernetes version of the cluster. This is used to determine the addon version to use if `addonVersion` is not specified."},"cniConfigureRpfilter":{"type":"boolean","description":"Specifies whether ipamd should configure rp filter for primary interface. Default is `false`."},"cniCustomNetworkCfg":{"type":"boolean","description":"Specifies that your pods may use subnets and security groups that are independent of your worker node's VPC configuration. By default, pods share the same subnet and security groups as the worker node's primary interface. Setting this variable to true causes ipamd to use the security groups and VPC subnet in a worker node's ENIConfig for elastic network interface allocation. You must create an ENIConfig custom resource for each subnet that your pods will reside in, and then annotate or label each worker node to use a specific ENIConfig (multiple worker nodes can be annotated or labelled with the same ENIConfig). Worker nodes can only be annotated with a single ENIConfig at a time, and the subnet in the ENIConfig must belong to the same Availability Zone that the worker node resides in. For more information, see CNI Custom Networking in the Amazon EKS User Guide. 
Default is `false`"},"cniExternalSnat":{"type":"boolean","description":"Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied. Disable SNAT if you need to allow inbound communication to your pods from external VPNs, direct connections, and external VPCs, and your pods do not need to access the Internet directly via an Internet Gateway. However, your nodes must be running in a private subnet and connected to the internet through an AWS NAT Gateway or another external NAT device. Default is `false`"},"configurationValues":{"type":"object","additionalProperties":{"$ref":"pulumi.json#/Any"},"description":"Custom configuration values for the vpc-cni addon. This object must match the schema derived from [describe-addon-configuration](https://docs.aws.amazon.com/cli/latest/reference/eks/describe-addon-configuration.html)."},"customNetworkConfig":{"type":"boolean","description":"Specifies that your pods may use subnets and security groups (within the same VPC as your control plane resources) that are independent of your cluster's `resourcesVpcConfig`.\n\nDefaults to false."},"disableTcpEarlyDemux":{"type":"boolean","description":"Allows the kubelet's liveness and readiness probes to connect via TCP when pod ENI is enabled. This will slightly increase local TCP connection latency."},"enableNetworkPolicy":{"type":"boolean","description":"Enables using Kubernetes network policies. In Kubernetes, by default, all pod-to-pod communication is allowed. 
Communication can be restricted with Kubernetes NetworkPolicy objects.\n\nSee for more information: [Kubernetes Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/)."},"enablePodEni":{"type":"boolean","description":"Specifies whether to allow IPAMD to add the `vpc.amazonaws.com/has-trunk-attached` label to the node if the instance has capacity to attach an additional ENI. Default is `false`. If using liveness and readiness probes, you will also need to disable TCP early demux."},"enablePrefixDelegation":{"type":"boolean","description":"IPAMD will start allocating (/28) prefixes to the ENIs with ENABLE_PREFIX_DELEGATION set to true."},"eniConfigLabelDef":{"type":"string","description":"Specifies the ENI_CONFIG_LABEL_DEF environment variable value for worker nodes. This is used to tell Kubernetes to automatically apply the ENIConfig for each Availability Zone\nRef: https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html (step 5(c))\n\nDefaults to the official AWS CNI image in ECR."},"eniMtu":{"type":"integer","description":"Used to configure the MTU size for attached ENIs. The valid range is from 576 to 9001.\n\nDefaults to 9001."},"externalSnat":{"type":"boolean","description":"Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied.\n\nDefaults to false."},"logFile":{"type":"string","description":"Specifies the file path used for logs.\n\nDefaults to \"stdout\" to emit Pod logs for `kubectl logs`."},"logLevel":{"type":"string","description":"Specifies the log level used for logs.\n\nDefaults to \"DEBUG\"\nValid values: \"DEBUG\", \"INFO\", \"WARN\", \"ERROR\", or \"FATAL\"."},"nodePortSupport":{"type":"boolean","description":"Specifies whether NodePort services are enabled on a worker node's primary network interface. 
This requires additional iptables rules and that the kernel's reverse path filter on the primary interface is set to loose.\n\nDefaults to true."},"resolveConflictsOnCreate":{"type":"string","$ref":"#/types/eks:index:ResolveConflictsOnCreate","plain":true,"description":"How to resolve field value conflicts when migrating a self-managed add-on to an Amazon EKS add-on. Valid values are `NONE` and `OVERWRITE`. For more details see the [CreateAddon](https://docs.aws.amazon.com/eks/latest/APIReference/API_CreateAddon.html) API Docs.","default":"OVERWRITE"},"resolveConflictsOnUpdate":{"type":"string","$ref":"#/types/eks:index:ResolveConflictsOnUpdate","plain":true,"description":"How to resolve field value conflicts for an Amazon EKS add-on if you've changed a value from the Amazon EKS default value.  Valid values are `NONE`, `OVERWRITE`, and `PRESERVE`. For more details see the [UpdateAddon](https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateAddon.html) API Docs.","default":"OVERWRITE"},"securityContextPrivileged":{"type":"boolean","description":"Pass privilege to containers securityContext. This is required when SELinux is enabled. This value will not be passed to the CNI config by default"},"serviceAccountRoleArn":{"type":"string","description":"The Amazon Resource Name (ARN) of an existing IAM role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role.\n\nFor more information, see [Amazon EKS node IAM role](https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html) in the Amazon EKS User Guide.\n\nNote: To specify an existing IAM role, you must have an IAM OpenID Connect (OIDC) provider created for your cluster. 
For more information, see [Enabling IAM roles for service accounts on your cluster](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html) in the Amazon EKS User Guide."},"tags":{"type":"array","items":{"type":"object","additionalProperties":{"type":"string"}},"description":"Key-value map of resource tags. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level."},"vethPrefix":{"type":"string","description":"Specifies the veth prefix used to generate the host-side veth device name for the CNI.\n\nThe prefix can be at most 4 characters long.\n\nDefaults to \"eni\"."},"warmEniTarget":{"type":"integer","description":"Specifies the number of free elastic network interfaces (and all of their available IP addresses) that the ipamD daemon should attempt to keep available for pod assignment on the node.\n\nDefaults to 1."},"warmIpTarget":{"type":"integer","description":"Specifies the number of free IP addresses that the ipamD daemon should attempt to keep available for pod assignment on the node."},"warmPrefixTarget":{"type":"integer","description":"WARM_PREFIX_TARGET will allocate one full (/28) prefix even if a single IP  is consumed with the existing prefix. 
Ref: https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/prefix-and-ip-target.md"}},"requiredInputs":["clusterName"],"aliases":[{"type":"eks:index:VpcCni"}],"isComponent":true}},"functions":{"eks:index:Cluster/getKubeconfig":{"description":"Generate a kubeconfig for cluster authentication that does not use the default AWS credential provider chain, and instead is scoped to the supported options in `KubeconfigOptions`.\n\nThe kubeconfig generated is automatically stringified for ease of use with the pulumi/kubernetes provider.\n\nSee for more details:\n- https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html\n- https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html\n- https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html","inputs":{"properties":{"__self__":{"$ref":"#/resources/eks:index:Cluster"},"profileName":{"type":"string","description":"AWS credential profile name to always use instead of the default AWS credential provider chain.\n\nThe profile is passed to kubeconfig as an authentication environment setting."},"roleArn":{"type":"string","description":"Role ARN to assume instead of the default AWS credential provider chain.\n\nThe role is passed to kubeconfig as an authentication exec argument."}},"required":["__self__"]},"outputs":{"properties":{"result":{"description":"The kubeconfig for the cluster.","type":"string"}},"required":["result"]}}}}