Update module for EKS 1.29 #53

Merged
merged 32 commits into from
Mar 26, 2024
Conversation

micbegin (Collaborator) commented Mar 26, 2024

What does this PR do?

Consult the CONTRIBUTING guide for submitting pull-requests.

  • Update module for EKS 1.29 and latest addons
  • Update pre-commit hooks versions
  • Replace deployment workflows with Terraform Reusable Workflow

Checklist

  • Yes, I have updated the documentation for this change.
  • Yes, pre-commit hooks have been executed successfully.

Additional Notes

github-actions bot (Contributor) commented Mar 26, 2024

Deploy - dev

Terraform Format and Style 🖌: success

Terraform Initialization ⚙️: success

Terraform Validation 🤖: success

Validation Output

Success! The configuration is valid.

Terraform Plan 📖: success

module.eks.module.kms.data.aws_partition.current[0]: Reading...
module.eks.module.kms.data.aws_caller_identity.current[0]: Reading...
module.external_dns_irsa_role.data.aws_region.current: Reading...
module.external_dns_irsa_role.data.aws_caller_identity.current: Reading...
module.external_dns_irsa_role.data.aws_partition.current: Reading...
data.aws_caller_identity.current: Reading...
module.eks.data.aws_caller_identity.current: Reading...
data.aws_vpc.eks: Reading...
data.aws_subnets.eks_selected_private_subnets: Reading...
module.eks.data.aws_iam_policy_document.assume_role_policy[0]: Reading...
module.external_dns_irsa_role.data.aws_partition.current: Read complete after 0s [id=aws]
module.external_dns_irsa_role.data.aws_region.current: Read complete after 0s [id=us-west-2]
module.eks.data.aws_iam_policy_document.assume_role_policy[0]: Read complete after 0s [id=2764486067]
module.eks.module.kms.data.aws_partition.current[0]: Read complete after 0s [id=aws]
module.eks.module.fargate_profile["kube-system"].data.aws_iam_policy_document.assume_role_policy[0]: Reading...
module.external_dns_irsa_role.data.aws_iam_policy_document.external_dns[0]: Reading...
module.karpenter.data.aws_caller_identity.current: Reading...
module.eks.module.fargate_profile["argocd"].data.aws_iam_policy_document.assume_role_policy[0]: Reading...
module.eks.module.fargate_profile["argocd"].data.aws_iam_policy_document.assume_role_policy[0]: Read complete after 0s [id=3016102342]
module.external_dns_irsa_role.data.aws_iam_policy_document.external_dns[0]: Read complete after 0s [id=2545455088]
module.eks.module.fargate_profile["kube-system"].data.aws_iam_policy_document.assume_role_policy[0]: Read complete after 0s [id=3016102342]
module.eks.module.fargate_profile["karpenter"].data.aws_iam_policy_document.assume_role_policy[0]: Reading...
module.karpenter.data.aws_region.current: Reading...
module.karpenter.data.aws_iam_policy_document.node_assume_role[0]: Reading...
module.karpenter.data.aws_region.current: Read complete after 0s [id=us-west-2]
module.eks.module.fargate_profile["karpenter"].data.aws_iam_policy_document.assume_role_policy[0]: Read complete after 0s [id=3016102342]
module.load_balancer_controller_irsa_role.data.aws_partition.current: Reading...
module.karpenter.data.aws_iam_policy_document.node_assume_role[0]: Read complete after 0s [id=2560088296]
module.eks.module.fargate_profile["argocd"].data.aws_caller_identity.current: Reading...
module.load_balancer_controller_irsa_role.data.aws_partition.current: Read complete after 0s [id=aws]
module.eks.module.fargate_profile["kube-system"].data.aws_caller_identity.current: Reading...
module.eks.module.fargate_profile["karpenter"].data.aws_caller_identity.current: Reading...
module.eks.module.kms.data.aws_caller_identity.current[0]: Read complete after 0s [id=362500403135]
module.eks.data.aws_partition.current: Reading...
module.eks.data.aws_partition.current: Read complete after 0s [id=aws]
module.load_balancer_controller_irsa_role.data.aws_caller_identity.current: Reading...
module.external_dns_irsa_role.data.aws_caller_identity.current: Read complete after 0s [id=362500403135]
module.load_balancer_controller_irsa_role.data.aws_region.current: Reading...
module.load_balancer_controller_irsa_role.data.aws_region.current: Read complete after 0s [id=us-west-2]
module.karpenter.data.aws_partition.current: Reading...
module.karpenter.data.aws_partition.current: Read complete after 0s [id=aws]
data.aws_subnets.eks_selected_public_subnets: Reading...
data.aws_caller_identity.current: Read complete after 0s [id=362500403135]
module.eks.module.fargate_profile["kube-system"].data.aws_partition.current: Reading...
module.eks.module.fargate_profile["kube-system"].data.aws_partition.current: Read complete after 0s [id=aws]
module.eks.module.fargate_profile["argocd"].data.aws_partition.current: Reading...
module.eks.module.fargate_profile["argocd"].data.aws_partition.current: Read complete after 0s [id=aws]
module.eks.module.fargate_profile["karpenter"].data.aws_partition.current: Reading...
module.eks.module.fargate_profile["karpenter"].data.aws_partition.current: Read complete after 0s [id=aws]
module.load_balancer_controller_irsa_role.data.aws_iam_policy_document.load_balancer_controller[0]: Reading...
module.load_balancer_controller_irsa_role.data.aws_iam_policy_document.load_balancer_controller[0]: Read complete after 0s [id=2997734474]
module.eks.data.aws_caller_identity.current: Read complete after 0s [id=362500403135]
module.eks.data.aws_iam_session_context.current: Reading...
module.eks.module.fargate_profile["argocd"].data.aws_caller_identity.current: Read complete after 0s [id=362500403135]
module.karpenter.data.aws_caller_identity.current: Read complete after 0s [id=362500403135]
module.eks.module.fargate_profile["kube-system"].data.aws_caller_identity.current: Read complete after 0s [id=362500403135]
module.eks.module.fargate_profile["karpenter"].data.aws_caller_identity.current: Read complete after 0s [id=362500403135]
module.load_balancer_controller_irsa_role.data.aws_caller_identity.current: Read complete after 0s [id=362500403135]
module.eks.data.aws_iam_session_context.current: Read complete after 0s [id=arn:aws:sts::362500403135:assumed-role/github-actions-eks-demo/terraform-execution-role]
data.aws_subnets.eks_selected_private_subnets: Read complete after 0s [id=us-west-2]
data.aws_subnets.eks_selected_public_subnets: Read complete after 0s [id=us-west-2]
data.aws_vpc.eks: Read complete after 1s [id=vpc-0096c8b8cbc54dd73]
data.aws_subnet.eks_private_subnets["subnet-051cf8d7ea7f4a513"]: Reading...
data.aws_subnet.eks_private_subnets["subnet-08f2223dc60683710"]: Reading...
data.aws_subnet.eks_private_subnets["subnet-0e0fb088632a7f001"]: Reading...
data.aws_subnet.eks_public_subnets["subnet-0c7fa226216f34c9c"]: Reading...
data.aws_subnet.eks_public_subnets["subnet-029ef29a271261efa"]: Reading...
data.aws_subnet.eks_public_subnets["subnet-09937c47a25c532d8"]: Reading...
data.aws_subnet.eks_private_subnets["subnet-08f2223dc60683710"]: Read complete after 0s [id=subnet-08f2223dc60683710]
data.aws_subnet.eks_private_subnets["subnet-051cf8d7ea7f4a513"]: Read complete after 0s [id=subnet-051cf8d7ea7f4a513]
data.aws_subnet.eks_public_subnets["subnet-0c7fa226216f34c9c"]: Read complete after 0s [id=subnet-0c7fa226216f34c9c]
data.aws_subnet.eks_public_subnets["subnet-029ef29a271261efa"]: Read complete after 0s [id=subnet-029ef29a271261efa]
data.aws_subnet.eks_private_subnets["subnet-0e0fb088632a7f001"]: Read complete after 0s [id=subnet-0e0fb088632a7f001]
data.aws_subnet.eks_public_subnets["subnet-09937c47a25c532d8"]: Read complete after 0s [id=subnet-09937c47a25c532d8]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)

Terraform will perform the following actions:

  # aws_ec2_tag.private_subnet_cluster_alb_tag["subnet-051cf8d7ea7f4a513"] will be created
  + resource "aws_ec2_tag" "private_subnet_cluster_alb_tag" {
      + id          = (known after apply)
      + key         = "kubernetes.io/cluster/eks-demo-dev-01"
      + resource_id = "subnet-051cf8d7ea7f4a513"
      + value       = "shared"
    }

  # aws_ec2_tag.private_subnet_cluster_alb_tag["subnet-08f2223dc60683710"] will be created
  + resource "aws_ec2_tag" "private_subnet_cluster_alb_tag" {
      + id          = (known after apply)
      + key         = "kubernetes.io/cluster/eks-demo-dev-01"
      + resource_id = "subnet-08f2223dc60683710"
      + value       = "shared"
    }

  # aws_ec2_tag.private_subnet_cluster_alb_tag["subnet-0e0fb088632a7f001"] will be created
  + resource "aws_ec2_tag" "private_subnet_cluster_alb_tag" {
      + id          = (known after apply)
      + key         = "kubernetes.io/cluster/eks-demo-dev-01"
      + resource_id = "subnet-0e0fb088632a7f001"
      + value       = "shared"
    }

  # aws_ec2_tag.private_subnet_cluster_karpenter_tag["subnet-051cf8d7ea7f4a513"] will be created
  + resource "aws_ec2_tag" "private_subnet_cluster_karpenter_tag" {
      + id          = (known after apply)
      + key         = "karpenter.sh/discovery/eks-demo-dev-01"
      + resource_id = "subnet-051cf8d7ea7f4a513"
      + value       = "eks-demo-dev-01"
    }

  # aws_ec2_tag.private_subnet_cluster_karpenter_tag["subnet-08f2223dc60683710"] will be created
  + resource "aws_ec2_tag" "private_subnet_cluster_karpenter_tag" {
      + id          = (known after apply)
      + key         = "karpenter.sh/discovery/eks-demo-dev-01"
      + resource_id = "subnet-08f2223dc60683710"
      + value       = "eks-demo-dev-01"
    }

  # aws_ec2_tag.private_subnet_cluster_karpenter_tag["subnet-0e0fb088632a7f001"] will be created
  + resource "aws_ec2_tag" "private_subnet_cluster_karpenter_tag" {
      + id          = (known after apply)
      + key         = "karpenter.sh/discovery/eks-demo-dev-01"
      + resource_id = "subnet-0e0fb088632a7f001"
      + value       = "eks-demo-dev-01"
    }

  # aws_ec2_tag.public_subnet_cluster_alb_tag["subnet-029ef29a271261efa"] will be created
  + resource "aws_ec2_tag" "public_subnet_cluster_alb_tag" {
      + id          = (known after apply)
      + key         = "kubernetes.io/cluster/eks-demo-dev-01"
      + resource_id = "subnet-029ef29a271261efa"
      + value       = "shared"
    }

  # aws_ec2_tag.public_subnet_cluster_alb_tag["subnet-09937c47a25c532d8"] will be created
  + resource "aws_ec2_tag" "public_subnet_cluster_alb_tag" {
      + id          = (known after apply)
      + key         = "kubernetes.io/cluster/eks-demo-dev-01"
      + resource_id = "subnet-09937c47a25c532d8"
      + value       = "shared"
    }

  # aws_ec2_tag.public_subnet_cluster_alb_tag["subnet-0c7fa226216f34c9c"] will be created
  + resource "aws_ec2_tag" "public_subnet_cluster_alb_tag" {
      + id          = (known after apply)
      + key         = "kubernetes.io/cluster/eks-demo-dev-01"
      + resource_id = "subnet-0c7fa226216f34c9c"
      + value       = "shared"
    }

  # aws_ec2_tag.vpc_tag will be created
  + resource "aws_ec2_tag" "vpc_tag" {
      + id          = (known after apply)
      + key         = "kubernetes.io/cluster/eks-demo-dev-01"
      + resource_id = "vpc-0096c8b8cbc54dd73"
      + value       = "shared"
    }

  # helm_release.argocd_applications will be created
  + resource "helm_release" "argocd_applications" {
      + atomic                     = false
      + chart                      = "argocd"
      + cleanup_on_fail            = false
      + create_namespace           = false
      + dependency_update          = false
      + disable_crd_hooks          = false
      + disable_openapi_validation = false
      + disable_webhooks           = false
      + force_update               = false
      + id                         = (known after apply)
      + lint                       = false
      + manifest                   = (known after apply)
      + max_history                = 0
      + metadata                   = (known after apply)
      + name                       = "argocd-apps"
      + namespace                  = "argocd"
      + pass_credentials           = false
      + recreate_pods              = false
      + render_subchart_notes      = true
      + replace                    = false
      + reset_values               = false
      + reuse_values               = false
      + skip_crds                  = false
      + status                     = "deployed"
      + timeout                    = 300
      + values                     = (known after apply)
      + verify                     = false
      + version                    = "0.1.0"
      + wait                       = true
      + wait_for_jobs              = false
    }

  # module.eks.data.aws_eks_addon_version.this["coredns"] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_eks_addon_version" "this" {
      + addon_name         = "coredns"
      + id                 = (known after apply)
      + kubernetes_version = "1.29"
      + version            = (known after apply)
    }

  # module.eks.data.aws_eks_addon_version.this["kube-proxy"] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_eks_addon_version" "this" {
      + addon_name         = "kube-proxy"
      + id                 = (known after apply)
      + kubernetes_version = "1.29"
      + version            = (known after apply)
    }

  # module.eks.data.aws_eks_addon_version.this["vpc-cni"] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_eks_addon_version" "this" {
      + addon_name         = "vpc-cni"
      + id                 = (known after apply)
      + kubernetes_version = "1.29"
      + version            = (known after apply)
    }

  # module.eks.data.tls_certificate.this[0] will be read during apply
  # (config refers to values not yet known)
 <= data "tls_certificate" "this" {
      + certificates = (known after apply)
      + id           = (known after apply)
      + url          = (known after apply)
    }

  # module.eks.aws_cloudwatch_log_group.this[0] will be created
  + resource "aws_cloudwatch_log_group" "this" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + log_group_class   = (known after apply)
      + name              = "/aws/eks/eks-demo-dev-01/cluster"
      + name_prefix       = (known after apply)
      + retention_in_days = 90
      + skip_destroy      = false
      + tags              = {
          + "Name"                                   = "/aws/eks/eks-demo-dev-01/cluster"
          + "karpenter.sh/discovery/eks-demo-dev-01" = "eks-demo-dev-01"
        }
      + tags_all          = {
          + "Blueprint"                              = "eks-blueprints-actions-workflow"
          + "GithubRepo"                             = "github.com/aws-samples/eks-blueprints-actions-workflow"
          + "Name"                                   = "/aws/eks/eks-demo-dev-01/cluster"
          + "karpenter.sh/discovery/eks-demo-dev-01" = "eks-demo-dev-01"
        }
    }

  # module.eks.aws_ec2_tag.cluster_primary_security_group["karpenter.sh/discovery/eks-demo-dev-01"] will be created
  + resource "aws_ec2_tag" "cluster_primary_security_group" {
      + id          = (known after apply)
      + key         = "karpenter.sh/discovery/eks-demo-dev-01"
      + resource_id = (known after apply)
      + value       = "eks-demo-dev-01"
    }

  # module.eks.aws_eks_access_entry.this["admins"] will be created
  + resource "aws_eks_access_entry" "this" {
      + access_entry_arn  = (known after apply)
      + cluster_name      = "eks-demo-dev-01"
      + created_at        = (known after apply)
      + id                = (known after apply)
      + kubernetes_groups = (known after apply)
      + modified_at       = (known after apply)
      + principal_arn     = "arn:aws:iam::362500403135:role/eks-admins"
      + tags              = {
          + "karpenter.sh/discovery/eks-demo-dev-01" = "eks-demo-dev-01"
        }
      + tags_all          = {
          + "Blueprint"                              = "eks-blueprints-actions-workflow"
          + "GithubRepo"                             = "github.com/aws-samples/eks-blueprints-actions-workflow"
          + "karpenter.sh/discovery/eks-demo-dev-01" = "eks-demo-dev-01"
        }
      + type              = "STANDARD"
      + user_name         = (known after apply)
    }

  # module.eks.aws_eks_access_entry.this["cluster_creator"] will be created
  + resource "aws_eks_access_entry" "this" {
      + access_entry_arn  = (known after apply)
      + cluster_name      = "eks-demo-dev-01"
      + created_at        = (known after apply)
      + id                = (known after apply)
      + kubernetes_groups = (known after apply)
      + modified_at       = (known after apply)
      + principal_arn     = "arn:aws:iam::362500403135:role/github-actions-eks-demo"
      + tags              = {
          + "karpenter.sh/discovery/eks-demo-dev-01" = "eks-demo-dev-01"
        }
      + tags_all          = {
          + "Blueprint"                              = "eks-blueprints-actions-workflow"
          + "GithubRepo"                             = "github.com/aws-samples/eks-blueprints-actions-workflow"
          + "karpenter.sh/discovery/eks-demo-dev-01" = "eks-demo-dev-01"
        }
      + type              = "STANDARD"
      + user_name         = (known after apply)
    }

  # module.eks.aws_eks_access_policy_association.this["admins_cluster_admin"] will be created
  + resource "aws_eks_access_policy_association" "this" {
      + associated_at = (known after apply)
      + cluster_name  = "eks-demo-dev-01"
      + id            = (known after apply)
      + modified_at   = (known after apply)
      + policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
      + principal_arn = "arn:aws:iam::362500403135:role/eks-admins"

      + access_scope {
          + type = "cluster"
        }
    }

  # module.eks.aws_eks_access_policy_association.this["cluster_creator_admin"] will be created
  + resource "aws_eks_access_policy_association" "this" {
      + associated_at = (known after apply)
      + cluster_name  = "eks-demo-dev-01"
      + id            = (known after apply)
      + modified_at   = (known after apply)
      + policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
      + principal_arn = "arn:aws:iam::362500403135:role/github-actions-eks-demo"

      + access_scope {
          + type = "cluster"
        }
    }

  # module.eks.aws_eks_addon.this["coredns"] will be created
  + resource "aws_eks_addon" "this" {
      + addon_name                  = "coredns"
      + addon_version               = "v1.11.1-eksbuild.6"
      + arn                         = (known after apply)
      + cluster_name                = "eks-demo-dev-01"
      + configuration_values        = jsonencode(
            {
              + computeType = "fargate"
              + resources   = {
                  + limits   = {
                      + cpu    = "0.25"
                      + memory = "256M"
                    }
                  + requests = {
                      + cpu    = "0.25"
                      + memory = "256M"
                    }
                }
            }
        )
      + created_at                  = (known after apply)
      + id                          = (known after apply)
      + modified_at                 = (known after apply)
      + preserve                    = true
      + resolve_conflicts_on_create = "OVERWRITE"
      + resolve_conflicts_on_update = "OVERWRITE"
      + tags                        = {
          + "karpenter.sh/discovery/eks-demo-dev-01" = "eks-demo-dev-01"
        }
      + tags_all                    = {
          + "Blueprint"                              = "eks-blueprints-actions-workflow"
          + "GithubRepo"                             = "github.com/aws-samples/eks-blueprints-actions-workflow"
          + "karpenter.sh/discovery/eks-demo-dev-01" = "eks-demo-dev-01"
        }

      + timeouts {}
    }

  # module.eks.aws_eks_addon.this["kube-proxy"] will be created
  + resource "aws_eks_addon" "this" {
      + addon_name                  = "kube-proxy"
      + addon_version               = "v1.29.1-eksbuild.2"
      + arn                         = (known after apply)
      + cluster_name                = "eks-demo-dev-01"
      + configuration_values        = (known after apply)
      + created_at                  = (known after apply)
      + id                          = (known after apply)
      + modified_at                 = (known after apply)
      + preserve                    = true
      + resolve_conflicts_on_create = "OVERWRITE"
      + resolve_conflicts_on_update = "OVERWRITE"
      + tags                        = {
          + "karpenter.sh/discovery/eks-demo-dev-01" = "eks-demo-dev-01"
        }
      + tags_all                    = {
          + "Blueprint"                              = "eks-blueprints-actions-workflow"
          + "GithubRepo"                             = "github.com/aws-samples/eks-blueprints-actions-workflow"
          + "karpenter.sh/discovery/eks-demo-dev-01" = "eks-demo-dev-01"
        }

      + timeouts {}
    }

  # module.eks.aws_eks_addon.this["vpc-cni"] will be created
  + resource "aws_eks_addon" "this" {
      + addon_name                  = "vpc-cni"
      + addon_version               = "v1.17.1-eksbuild.1"
      + arn                         = (known after apply)
      + cluster_name                = "eks-demo-dev-01"
      + configuration_values        = (known after apply)
      + created_at                  = (known after apply)
      + id                          = (known after apply)
      + modified_at                 = (known after apply)
      + preserve                    = true
      + resolve_conflicts_on_create = "OVERWRITE"
      + resolve_conflicts_on_update = "OVERWRITE"
      + tags                        = {
          + "karpenter.sh/discovery/eks-demo-dev-01" = "eks-demo-dev-01"
        }
      + tags_all                    = {
          + "Blueprint"                              = "eks-blueprints-actions-workflow"
          + "GithubRepo"                             = "github.com/aws-samples/eks-blueprints-actions-workflow"
          + "karpenter.sh/discovery/eks-demo-dev-01" = "eks-demo-dev-01"
        }

      + timeouts {}
    }

  # module.eks.aws_eks_cluster.this[0] will be created
  + resource "aws_eks_cluster" "this" {
      + arn                       = (known after apply)
      + certificate_authority     = (known after apply)
      + cluster_id                = (known after apply)
      + created_at                = (known after apply)
      + enabled_cluster_log_types = [
          + "api",
          + "audit",
          + "authenticator",
        ]
      + endpoint                  = (known after apply)
      + id                        = (known after apply)
      + identity                  = (known after apply)
      + name                      = "eks-demo-dev-01"
      + platform_version          = (known after apply)
      + role_arn                  = (known after apply)
      + status                    = (known after apply)
      + tags                      = {
          + "karpenter.sh/discovery/eks-demo-dev-01" = "eks-demo-dev-01"
          + "terraform-aws-modules"                  = "eks"
        }
      + tags_all                  = {
          + "Blueprint"                              = "eks-blueprints-actions-workflow"
          + "GithubRepo"                             = "github.com/aws-samples/eks-blueprints-actions-workflow"
          + "karpenter.sh/discovery/eks-demo-dev-01" = "eks-demo-dev-01"
          + "terraform-aws-modules"                  = "eks"
        }
      + version                   = "1.29"

      + access_config {
          + authentication_mode                         = "API_AND_CONFIG_MAP"
          + bootstrap_cluster_creator_admin_permissions = false
        }

      + encryption_config {
          + resources = [
              + "secrets",
            ]

          + provider {
              + key_arn = (known after apply)
            }
        }

      + kubernetes_network_config {
          + ip_family         = "ipv4"
          + service_ipv4_cidr = (known after apply)
          + service_ipv6_cidr = (known after apply)
        }

      + timeouts {}

      + vpc_config {
          + cluster_security_group_id = (known after apply)
          + endpoint_private_access   = true
          + endpoint_public_access    = true
          + public_access_cidrs       = [
              + "0.0.0.0/0",
            ]
          + subnet_ids                = [
              + "subnet-051cf8d7ea7f4a513",
              + "subnet-08f2223dc60683710",
              + "subnet-0e0fb088632a7f001",
            ]
          + vpc_id                    = (known after apply)
        }
    }

  # module.eks.aws_iam_openid_connect_provider.oidc_provider[0] will be created
  + resource "aws_iam_openid_connect_provider" "oidc_provider" {
      + arn             = (known after apply)
      + client_id_list  = [
          + "sts.amazonaws.com",
        ]
      + id              = (known after apply)
      + tags            = {
          + "Name"                                   = "eks-demo-dev-01-eks-irsa"
          + "karpenter.sh/discovery/eks-demo-dev-01" = "eks-demo-dev-01"
        }
      + tags_all        = {
          + "Blueprint"                              = "eks-blueprints-actions-workflow"
          + "GithubRepo"                             = "github.com/aws-samples/eks-blueprints-actions-workflow"
          + "Name"                                   = "eks-demo-dev-01-eks-irsa"
          + "karpenter.sh/discovery/eks-demo-dev-01" = "eks-demo-dev-01"
        }
      + thumbprint_list = (known after apply)
      + url             = (known after apply)
    }

  # module.eks.aws_iam_policy.cluster_encryption[0] will be created
  + resource "aws_iam_policy" "cluster_encryption" {
      + arn         = (known after apply)
      + description = "Cluster encryption policy to allow cluster role to utilize CMK provided"
      + id          = (known after apply)
      + name        = (known after apply)
      + name_prefix = "eks-demo-dev-01-cluster-ClusterEncryption"
      + path        = "/"
      + policy      = (known after apply)
      + policy_id   = (known after apply)
      + tags        = {
          + "karpenter.sh/discovery/eks-demo-dev-01" = "eks-demo-dev-01"
        }
      + tags_all    = {
          + "Blueprint"                              = "eks-blueprints-actions-workflow"
          + "GithubRepo"                             = "github.com/aws-samples/eks-blueprints-actions-workflow"
          + "karpenter.sh/discovery/eks-demo-dev-01" = "eks-demo-dev-01"
        }
    }

  # module.eks.aws_iam_role.this[0] will be created
  + resource "aws_iam_role" "this" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "eks.amazonaws.com"
                        }
                      + Sid       = "EKSClusterAssumeRole"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = true
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = (known after apply)
      + name_prefix           = "eks-demo-dev-01-cluster-"
      + path                  = "/"
      + tags                  = {
          + "karpenter.sh/discovery/eks-demo-dev-01" = "eks-demo-dev-01"
        }
      + tags_all              = {
          + "Blueprint"                              = "eks-blueprints-actions-workflow"
          + "GithubRepo"                             = "github.com/aws-samples/eks-blueprints-actions-workflow"
          + "karpenter.sh/discovery/eks-demo-dev-01" = "eks-demo-dev-01"
        }
      + unique_id             = (known after apply)

      + inline_policy {
          + name   = "eks-demo-dev-01-cluster"
          + policy = jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "logs:CreateLogGroup",
                            ]
                          + Effect   = "Deny"
                          + Resource = "*"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            )
        }
    }

  # module.eks.aws_iam_role_policy_attachment.cluster_encryption[0] will be created
  + resource "aws_iam_role_policy_attachment" "cluster_encryption" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = (known after apply)
    }

  # module.eks.aws_iam_role_policy_attachment.this["AmazonEKSClusterPolicy"] will be created
  + resource "aws_iam_role_policy_attachment" "this" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
      + role       = (known after apply)
    }

  # module.eks.aws_iam_role_policy_attachment.this["AmazonEKSVPCResourceController"] will be created
  + resource "aws_iam_role_policy_attachment" "this" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
      + role       = (known after apply)
    }

  # module.eks.time_sleep.this[0] will be created
  + resource "time_sleep" "this" {
      + create_duration = "30s"
      + id              = (known after apply)
      + triggers        = {
          + "cluster_certificate_authority_data" = (known after apply)
          + "cluster_endpoint"                   = (known after apply)
          + "cluster_name"                       = "eks-demo-dev-01"
          + "cluster_service_cidr"               = (known after apply)
          + "cluster_version"                    = "1.29"
        }
    }

  # module.eks_blueprints_addons.data.aws_caller_identity.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_caller_identity" "current" {
      + account_id = (known after apply)
      + arn        = (known after apply)
      + id         = (known after apply)
      + user_id    = (known after apply)
    }

  # module.eks_blueprints_addons.data.aws_partition.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_partition" "current" {
      + dns_suffix         = (known after apply)
      + id                 = (known after apply)
      + partition          = (known after apply)
      + reverse_dns_prefix = (known after apply)
    }

  # module.eks_blueprints_addons.data.aws_region.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_region" "current" {
      + description = (known after apply)
      + endpoint    = (known after apply)
      + id          = (known after apply)
      + name        = (known after apply)
    }

  # module.eks_blueprints_addons.time_sleep.this will be created
  + resource "time_sleep" "this" {
      + create_duration = "30s"
      + id              = (known after apply)
      + triggers        = {
          + "cluster_endpoint"  = (known after apply)
          + "cluster_name"      = "eks-demo-dev-01"
          + "custom"            = ""
          + "oidc_provider_arn" = (known after apply)
        }
    }

  # module.external_dns_irsa_role.data.aws_iam_policy_document.this[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "this" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions = [
              + "sts:AssumeRoleWithWebIdentity",
            ]
          + effect  = "Allow"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "sts.amazonaws.com",
                ]
              + variable = (known after apply)
            }
          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "system:serviceaccount:kube-system:external-dns",
                ]
              + variable = (known after apply)
            }

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "Federated"
            }
        }
    }

  # module.external_dns_irsa_role.aws_iam_policy.external_dns[0] will be created
  + resource "aws_iam_policy" "external_dns" {
      + arn         = (known after apply)
      + description = "External DNS policy to allow management of Route53 hosted zone records"
      + id          = (known after apply)
      + name        = (known after apply)
      + name_prefix = "AmazonEKS_External_DNS_Policy-"
      + path        = "/"
      + policy      = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = "route53:ChangeResourceRecordSets"
                      + Effect   = "Allow"
                      + Resource = "arn:aws:route53:::hostedzone/Z0053446TEDTI1D9V3U9"
                    },
                  + {
                      + Action   = [
                          + "route53:ListTagsForResource",
                          + "route53:ListResourceRecordSets",
                          + "route53:ListHostedZones",
                        ]
                      + Effect   = "Allow"
                      + Resource = "*"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + policy_id   = (known after apply)
      + tags        = {
          + "Blueprint"  = "eks-blueprints-actions-workflow"
          + "GithubRepo" = "github.com/aws-samples/eks-blueprints-actions-workflow"
        }
      + tags_all    = {
          + "Blueprint"  = "eks-blueprints-actions-workflow"
          + "GithubRepo" = "github.com/aws-samples/eks-blueprints-actions-workflow"
        }
    }

  # module.external_dns_irsa_role.aws_iam_role.this[0] will be created
  + resource "aws_iam_role" "this" {
      + arn                   = (known after apply)
      + assume_role_policy    = (known after apply)
      + create_date           = (known after apply)
      + force_detach_policies = true
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "eks-demo-dev-01-external-dns-irsa"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags                  = {
          + "Blueprint"  = "eks-blueprints-actions-workflow"
          + "GithubRepo" = "github.com/aws-samples/eks-blueprints-actions-workflow"
        }
      + tags_all              = {
          + "Blueprint"  = "eks-blueprints-actions-workflow"
          + "GithubRepo" = "github.com/aws-samples/eks-blueprints-actions-workflow"
        }
      + unique_id             = (known after apply)
    }

  # module.external_dns_irsa_role.aws_iam_role_policy_attachment.external_dns[0] will be created
  + resource "aws_iam_role_policy_attachment" "external_dns" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "eks-demo-dev-01-external-dns-irsa"
    }

  # module.karpenter.data.aws_iam_policy_document.controller[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "controller" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "ec2:CreateFleet",
              + "ec2:RunInstances",
            ]
          + resources = [
              + "arn:aws:ec2:*:*:launch-template/*",
              + "arn:aws:ec2:*:*:security-group/*",
              + "arn:aws:ec2:*:*:spot-instances-request/*",
              + "arn:aws:ec2:*:*:subnet/*",
              + "arn:aws:ec2:*::image/*",
              + "arn:aws:ec2:*::snapshot/*",
            ]
          + sid       = "AllowScopedEC2InstanceActions"
        }
      + statement {
          + actions   = [
              + "ec2:CreateFleet",
              + "ec2:CreateLaunchTemplate",
              + "ec2:RunInstances",
            ]
          + resources = [
              + "arn:aws:ec2:*:*:fleet/*",
              + "arn:aws:ec2:*:*:instance/*",
              + "arn:aws:ec2:*:*:launch-template/*",
              + "arn:aws:ec2:*:*:network-interface/*",
              + "arn:aws:ec2:*:*:spot-instances-request/*",
              + "arn:aws:ec2:*:*:volume/*",
            ]
          + sid       = "AllowScopedEC2InstanceActionsWithTags"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "owned",
                ]
              + variable = "aws:RequestTag/kubernetes.io/cluster/eks-demo-dev-01"
            }
          + condition {
              + test     = "StringLike"
              + values   = [
                  + "*",
                ]
              + variable = "aws:RequestTag/karpenter.sh/nodepool"
            }
        }
      + statement {
          + actions   = [
              + "ec2:CreateTags",
            ]
          + resources = [
              + "arn:aws:ec2:*:*:fleet/*",
              + "arn:aws:ec2:*:*:instance/*",
              + "arn:aws:ec2:*:*:launch-template/*",
              + "arn:aws:ec2:*:*:network-interface/*",
              + "arn:aws:ec2:*:*:spot-instances-request/*",
              + "arn:aws:ec2:*:*:volume/*",
            ]
          + sid       = "AllowScopedResourceCreationTagging"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "RunInstances",
                  + "CreateFleet",
                  + "CreateLaunchTemplate",
                ]
              + variable = "ec2:CreateAction"
            }
          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "owned",
                ]
              + variable = "aws:RequestTag/kubernetes.io/cluster/eks-demo-dev-01"
            }
          + condition {
              + test     = "StringLike"
              + values   = [
                  + "*",
                ]
              + variable = "aws:RequestTag/karpenter.sh/nodepool"
            }
        }
      + statement {
          + actions   = [
              + "ec2:CreateTags",
            ]
          + resources = [
              + "arn:aws:ec2:*:*:instance/*",
            ]
          + sid       = "AllowScopedResourceTagging"

          + condition {
              + test     = "ForAllValues:StringEquals"
              + values   = [
                  + "karpenter.sh/nodeclaim",
                  + "Name",
                ]
              + variable = "aws:TagKeys"
            }
          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "owned",
                ]
              + variable = "aws:ResourceTag/kubernetes.io/cluster/eks-demo-dev-01"
            }
          + condition {
              + test     = "StringLike"
              + values   = [
                  + "*",
                ]
              + variable = "aws:ResourceTag/karpenter.sh/nodepool"
            }
        }
      + statement {
          + actions   = [
              + "ec2:DeleteLaunchTemplate",
              + "ec2:TerminateInstances",
            ]
          + resources = [
              + "arn:aws:ec2:*:*:instance/*",
              + "arn:aws:ec2:*:*:launch-template/*",
            ]
          + sid       = "AllowScopedDeletion"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "owned",
                ]
              + variable = "aws:ResourceTag/kubernetes.io/cluster/eks-demo-dev-01"
            }
          + condition {
              + test     = "StringLike"
              + values   = [
                  + "*",
                ]
              + variable = "aws:ResourceTag/karpenter.sh/nodepool"
            }
        }
      + statement {
          + actions   = [
              + "ec2:DescribeAvailabilityZones",
              + "ec2:DescribeImages",
              + "ec2:DescribeInstanceTypeOfferings",
              + "ec2:DescribeInstanceTypes",
              + "ec2:DescribeInstances",
              + "ec2:DescribeLaunchTemplates",
              + "ec2:DescribeSecurityGroups",
              + "ec2:DescribeSpotPriceHistory",
              + "ec2:DescribeSubnets",
            ]
          + resources = [
              + "*",
            ]
          + sid       = "AllowRegionalReadActions"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "us-west-2",
                ]
              + variable = "aws:RequestedRegion"
            }
        }
      + statement {
          + actions   = [
              + "ssm:GetParameter",
            ]
          + resources = [
              + "arn:aws:ssm:us-west-2::parameter/aws/service/*",
            ]
          + sid       = "AllowSSMReadActions"
        }
      + statement {
          + actions   = [
              + "pricing:GetProducts",
            ]
          + resources = [
              + "*",
            ]
          + sid       = "AllowPricingReadActions"
        }
      + statement {
          + actions   = [
              + "sqs:DeleteMessage",
              + "sqs:GetQueueAttributes",
              + "sqs:GetQueueUrl",
              + "sqs:ReceiveMessage",
            ]
          + resources = [
              + (known after apply),
            ]
          + sid       = "AllowInterruptionQueueActions"
        }
      + statement {
          + actions   = [
              + "iam:PassRole",
            ]
          + resources = [
              + (known after apply),
            ]
          + sid       = "AllowPassingInstanceRole"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "ec2.amazonaws.com",
                ]
              + variable = "iam:PassedToService"
            }
        }
      + statement {
          + actions   = [
              + "iam:CreateInstanceProfile",
            ]
          + resources = [
              + "*",
            ]
          + sid       = "AllowScopedInstanceProfileCreationActions"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "owned",
                ]
              + variable = "aws:RequestTag/kubernetes.io/cluster/eks-demo-dev-01"
            }
          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "us-west-2",
                ]
              + variable = "aws:RequestTag/topology.kubernetes.io/region"
            }
          + condition {
              + test     = "StringLike"
              + values   = [
                  + "*",
                ]
              + variable = "aws:RequestTag/karpenter.k8s.aws/ec2nodeclass"
            }
        }
      + statement {
          + actions   = [
              + "iam:TagInstanceProfile",
            ]
          + resources = [
              + "*",
            ]
          + sid       = "AllowScopedInstanceProfileTagActions"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "owned",
                ]
              + variable = "aws:RequestTag/kubernetes.io/cluster/eks-demo-dev-01"
            }
          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "owned",
                ]
              + variable = "aws:ResourceTag/kubernetes.io/cluster/eks-demo-dev-01"
            }
          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "us-west-2",
                ]
              + variable = "aws:ResourceTag/topology.kubernetes.io/region"
            }
          + condition {
              + test     = "StringLike"
              + values   = [
                  + "*",
                ]
              + variable = "aws:RequestTag/karpenter.k8s.aws/ec2nodeclass"
            }
          + condition {
              + test     = "StringLike"
              + values   = [
                  + "*",
                ]
              + variable = "aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass"
            }
        }
      + statement {
          + actions   = [
              + "iam:AddRoleToInstanceProfile",
              + "iam:DeleteInstanceProfile",
              + "iam:RemoveRoleFromInstanceProfile",
            ]
          + resources = [
              + "*",
            ]
          + sid       = "AllowScopedInstanceProfileActions"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "owned",
                ]
              + variable = "aws:ResourceTag/kubernetes.io/cluster/eks-demo-dev-01"
            }
          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "us-west-2",
                ]
              + variable = "aws:ResourceTag/topology.kubernetes.io/region"
            }
          + condition {
              + test     = "StringLike"
              + values   = [
                  + "*",
                ]
              + variable = "aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass"
            }
        }
      + statement {
          + actions   = [
              + "iam:GetInstanceProfile",
            ]
          + resources = [
              + "*",
            ]
          + sid       = "AllowInstanceProfileReadActions"
        }
      + statement {
          + actions   = [
              + "eks:DescribeCluster",
            ]
          + resources = [
              + "arn:aws:eks:us-west-2:362500403135:cluster/eks-demo-dev-01",
            ]
          + sid       = "AllowAPIServerEndpointDiscovery"
        }
    }

  # module.karpenter.data.aws_iam_policy_document.controller_assume_role[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "controller_assume_role" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions = [
              + "sts:AssumeRole",
              + "sts:TagSession",
            ]

          + principals {
              + identifiers = [
                  + "pods.eks.amazonaws.com",
                ]
              + type        = "Service"
            }
        }
      + statement {
          + actions = [
              + "sts:AssumeRoleWithWebIdentity",
            ]

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "sts.amazonaws.com",
                ]
              + variable = (known after apply)
            }
          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "system:serviceaccount:karpenter:karpenter",
                ]
              + variable = (known after apply)
            }

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "Federated"
            }
        }
    }

  # module.karpenter.data.aws_iam_policy_document.queue[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "queue" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "sqs:SendMessage",
            ]
          + resources = [
              + (known after apply),
            ]
          + sid       = "SqsWrite"

          + principals {
              + identifiers = [
                  + "events.amazonaws.com",
                  + "sqs.amazonaws.com",
                ]
              + type        = "Service"
            }
        }
    }

  # module.karpenter.aws_cloudwatch_event_rule.this["health_event"] will be created
  + resource "aws_cloudwatch_event_rule" "this" {
      + arn            = (known after apply)
      + description    = "Karpenter interrupt - AWS health event"
      + event_bus_name = "default"
      + event_pattern  = jsonencode(
            {
              + detail-type = [
                  + "AWS Health Event",
                ]
              + source      = [
                  + "aws.health",
                ]
            }
        )
      + id             = (known after apply)
      + name           = (known after apply)
      + name_prefix    = "KarpenterHealthEvent-"
      + tags           = {
          + "ClusterName" = "eks-demo-dev-01"
        }
      + tags_all       = {
          + "Blueprint"   = "eks-blueprints-actions-workflow"
          + "ClusterName" = "eks-demo-dev-01"
          + "GithubRepo"  = "github.com/aws-samples/eks-blueprints-actions-workflow"
        }
    }

  # module.karpenter.aws_cloudwatch_event_rule.this["instance_rebalance"] will be created
  + resource "aws_cloudwatch_event_rule" "this" {
      + arn            = (known after apply)
      + description    = "Karpenter interrupt - EC2 instance rebalance recommendation"
      + event_bus_name = "default"
      + event_pattern  = jsonencode(
            {
              + detail-type = [
                  + "EC2 Instance Rebalance Recommendation",
                ]
              + source      = [
                  + "aws.ec2",
                ]
            }
        )
      + id             = (known after apply)
      + name           = (known after apply)
      + name_prefix    = "KarpenterInstanceRebalance-"
      + tags           = {
          + "ClusterName" = "eks-demo-dev-01"
        }
      + tags_all       = {
          + "Blueprint"   = "eks-blueprints-actions-workflow"
          + "ClusterName" = "eks-demo-dev-01"
          + "GithubRepo"  = "github.com/aws-samples/eks-blueprints-actions-workflow"
        }
    }

  # module.karpenter.aws_cloudwatch_event_rule.this["instance_state_change"] will be created
  + resource "aws_cloudwatch_event_rule" "this" {
      + arn            = (known after apply)
      + description    = "Karpenter interrupt - EC2 instance state-change notification"
      + event_bus_name = "default"
      + event_pattern  = jsonencode(
            {
              + detail-type = [
                  + "EC2 Instance State-change Notification",
                ]
              + source      = [
                  + "aws.ec2",
                ]
            }
        )
      + id             = (known after apply)
      + name           = (known after apply)
      + name_prefix    = "KarpenterInstanceStateChange-"
      + tags           = {
          + "ClusterName" = "eks-demo-dev-01"
        }
      + tags_all       = {
          + "Blueprint"   = "eks-blueprints-actions-workflow"
          + "ClusterName" = "eks-demo-dev-01"
          + "GithubRepo"  = "github.com/aws-samples/eks-blueprints-actions-workflow"
        }
    }

  # module.karpenter.aws_cloudwatch_event_rule.this["spot_interrupt"] will be created
  + resource "aws_cloudwatch_event_rule" "this" {
      + arn            = (known after apply)
      + description    = "Karpenter interrupt - EC2 spot instance interruption warning"
      + event_bus_name = "default"
      + event_pattern  = jsonencode(
            {
              + detail-type = [
                  + "EC2 Spot Instance Interruption Warning",
                ]
              + source      = [
                  + "aws.ec2",
                ]
            }
        )
      + id             = (known after apply)
      + name           = (known after apply)
      + name_prefix    = "KarpenterSpotInterrupt-"
      + tags           = {
          + "ClusterName" = "eks-demo-dev-01"
        }
      + tags_all       = {
          + "Blueprint"   = "eks-blueprints-actions-workflow"
          + "ClusterName" = "eks-demo-dev-01"
          + "GithubRepo"  = "github.com/aws-samples/eks-blueprints-actions-workflow"
        }
    }

  # module.karpenter.aws_cloudwatch_event_target.this["health_event"] will be created
  + resource "aws_cloudwatch_event_target" "this" {
      + arn            = (known after apply)
      + event_bus_name = "default"
      + id             = (known after apply)
      + rule           = (known after apply)
      + target_id      = "KarpenterInterruptionQueueTarget"
    }

  # module.karpenter.aws_cloudwatch_event_target.this["instance_rebalance"] will be created
  + resource "aws_cloudwatch_event_target" "this" {
      + arn            = (known after apply)
      + event_bus_name = "default"
      + id             = (known after apply)
      + rule           = (known after apply)
      + target_id      = "KarpenterInterruptionQueueTarget"
    }

  # module.karpenter.aws_cloudwatch_event_target.this["instance_state_change"] will be created
  + resource "aws_cloudwatch_event_target" "this" {
      + arn            = (known after apply)
      + event_bus_name = "default"
      + id             = (known after apply)
      + rule           = (known after apply)
      + target_id      = "KarpenterInterruptionQueueTarget"
    }

  # module.karpenter.aws_cloudwatch_event_target.this["spot_interrupt"] will be created
  + resource "aws_cloudwatch_event_target" "this" {
      + arn            = (known after apply)
      + event_bus_name = "default"
      + id             = (known after apply)
      + rule           = (known after apply)
      + target_id      = "KarpenterInterruptionQueueTarget"
    }

  # module.karpenter.aws_eks_access_entry.node[0] will be created
  + resource "aws_eks_access_entry" "node" {
      + access_entry_arn  = (known after apply)
      + cluster_name      = "eks-demo-dev-01"
      + created_at        = (known after apply)
      + id                = (known after apply)
      + kubernetes_groups = (known after apply)
      + modified_at       = (known after apply)
      + principal_arn     = (known after apply)
      + tags_all          = {
          + "Blueprint"  = "eks-blueprints-actions-workflow"
          + "GithubRepo" = "github.com/aws-samples/eks-blueprints-actions-workflow"
        }
      + type              = "EC2_LINUX"
      + user_name         = (known after apply)
    }

  # module.karpenter.aws_iam_policy.controller[0] will be created
  + resource "aws_iam_policy" "controller" {
      + arn         = (known after apply)
      + description = "Karpenter controller IAM policy"
      + id          = (known after apply)
      + name        = (known after apply)
      + name_prefix = "KarpenterController-"
      + path        = "/"
      + policy      = (known after apply)
      + policy_id   = (known after apply)
      + tags_all    = {
          + "Blueprint"  = "eks-blueprints-actions-workflow"
          + "GithubRepo" = "github.com/aws-samples/eks-blueprints-actions-workflow"
        }
    }

  # module.karpenter.aws_iam_role.controller[0] will be created
  + resource "aws_iam_role" "controller" {
      + arn                   = (known after apply)
      + assume_role_policy    = (known after apply)
      + create_date           = (known after apply)
      + description           = "Karpenter controller IAM role"
      + force_detach_policies = true
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = (known after apply)
      + name_prefix           = "KarpenterController-"
      + path                  = "/"
      + tags_all              = {
          + "Blueprint"  = "eks-blueprints-actions-workflow"
          + "GithubRepo" = "github.com/aws-samples/eks-blueprints-actions-workflow"
        }
      + unique_id             = (known after apply)
    }

  # module.karpenter.aws_iam_role.node[0] will be created
  + resource "aws_iam_role" "node" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "ec2.amazonaws.com"
                        }
                      + Sid       = "EKSNodeAssumeRole"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = true
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = (known after apply)
      + name_prefix           = "Karpenter-eks-demo-dev-01-"
      + path                  = "/"
      + tags_all              = {
          + "Blueprint"  = "eks-blueprints-actions-workflow"
          + "GithubRepo" = "github.com/aws-samples/eks-blueprints-actions-workflow"
        }
      + unique_id             = (known after apply)
    }

  # module.karpenter.aws_iam_role_policy_attachment.controller[0] will be created
  + resource "aws_iam_role_policy_attachment" "controller" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = (known after apply)
    }

  # module.karpenter.aws_iam_role_policy_attachment.node["AmazonEC2ContainerRegistryReadOnly"] will be created
  + resource "aws_iam_role_policy_attachment" "node" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
      + role       = (known after apply)
    }

  # module.karpenter.aws_iam_role_policy_attachment.node["AmazonEKSWorkerNodePolicy"] will be created
  + resource "aws_iam_role_policy_attachment" "node" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
      + role       = (known after apply)
    }

  # module.karpenter.aws_iam_role_policy_attachment.node["AmazonEKS_CNI_Policy"] will be created
  + resource "aws_iam_role_policy_attachment" "node" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
      + role       = (known after apply)
    }

  # module.karpenter.aws_iam_role_policy_attachment.node_additional["AmazonSSMManagedInstanceCore"] will be created
  + resource "aws_iam_role_policy_attachment" "node_additional" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
      + role       = (known after apply)
    }

  # module.karpenter.aws_sqs_queue.this[0] will be created
  + resource "aws_sqs_queue" "this" {
      + arn                               = (known after apply)
      + content_based_deduplication       = false
      + deduplication_scope               = (known after apply)
      + delay_seconds                     = 0
      + fifo_queue                        = false
      + fifo_throughput_limit             = (known after apply)
      + id                                = (known after apply)
      + kms_data_key_reuse_period_seconds = (known after apply)
      + max_message_size                  = 262144
      + message_retention_seconds         = 300
      + name                              = "Karpenter-eks-demo-dev-01"
      + name_prefix                       = (known after apply)
      + policy                            = (known after apply)
      + receive_wait_time_seconds         = 0
      + redrive_allow_policy              = (known after apply)
      + redrive_policy                    = (known after apply)
      + sqs_managed_sse_enabled           = true
      + tags_all                          = {
          + "Blueprint"  = "eks-blueprints-actions-workflow"
          + "GithubRepo" = "github.com/aws-samples/eks-blueprints-actions-workflow"
        }
      + url                               = (known after apply)
      + visibility_timeout_seconds        = 30
    }

  # module.karpenter.aws_sqs_queue_policy.this[0] will be created
  + resource "aws_sqs_queue_policy" "this" {
      + id        = (known after apply)
      + policy    = (known after apply)
      + queue_url = (known after apply)
    }

  # module.load_balancer_controller_irsa_role.data.aws_iam_policy_document.this[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "this" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions = [
              + "sts:AssumeRoleWithWebIdentity",
            ]
          + effect  = "Allow"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "sts.amazonaws.com",
                ]
              + variable = (known after apply)
            }
          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "system:serviceaccount:kube-system:aws-load-balancer-controller",
                ]
              + variable = (known after apply)
            }

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "Federated"
            }
        }
    }

  # module.load_balancer_controller_irsa_role.aws_iam_policy.load_balancer_controller[0] will be created
  + resource "aws_iam_policy" "load_balancer_controller" {
      + arn         = (known after apply)
      + description = "Provides permissions for AWS Load Balancer Controller addon"
      + id          = (known after apply)
      + name        = (known after apply)
      + name_prefix = "AmazonEKS_AWS_Load_Balancer_Controller-"
      + path        = "/"
      + policy      = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "iam:CreateServiceLinkedRole"
                      + Condition = {
                          + StringEquals = {
                              + "iam:AWSServiceName" = "elasticloadbalancing.amazonaws.com"
                            }
                        }
                      + Effect    = "Allow"
                      + Resource  = "*"
                    },
                  + {
                      + Action   = [
                          + "elasticloadbalancing:DescribeTrustStores",
                          + "elasticloadbalancing:DescribeTargetHealth",
                          + "elasticloadbalancing:DescribeTargetGroups",
                          + "elasticloadbalancing:DescribeTargetGroupAttributes",
                          + "elasticloadbalancing:DescribeTags",
                          + "elasticloadbalancing:DescribeSSLPolicies",
                          + "elasticloadbalancing:DescribeRules",
                          + "elasticloadbalancing:DescribeLoadBalancers",
                          + "elasticloadbalancing:DescribeLoadBalancerAttributes",
                          + "elasticloadbalancing:DescribeListeners",
                          + "elasticloadbalancing:DescribeListenerCertificates",
                          + "ec2:GetCoipPoolUsage",
                          + "ec2:DescribeVpcs",
                          + "ec2:DescribeVpcPeeringConnections",
                          + "ec2:DescribeTags",
                          + "ec2:DescribeSubnets",
                          + "ec2:DescribeSecurityGroups",
                          + "ec2:DescribeNetworkInterfaces",
                          + "ec2:DescribeInternetGateways",
                          + "ec2:DescribeInstances",
                          + "ec2:DescribeCoipPools",
                          + "ec2:DescribeAvailabilityZones",
                          + "ec2:DescribeAddresses",
                          + "ec2:DescribeAccountAttributes",
                        ]
                      + Effect   = "Allow"
                      + Resource = "*"
                    },
                  + {
                      + Action   = [
                          + "wafv2:GetWebACLForResource",
                          + "wafv2:GetWebACL",
                          + "wafv2:DisassociateWebACL",
                          + "wafv2:AssociateWebACL",
                          + "waf-regional:GetWebACLForResource",
                          + "waf-regional:GetWebACL",
                          + "waf-regional:DisassociateWebACL",
                          + "waf-regional:AssociateWebACL",
                          + "shield:GetSubscriptionState",
                          + "shield:DescribeProtection",
                          + "shield:DeleteProtection",
                          + "shield:CreateProtection",
                          + "iam:ListServerCertificates",
                          + "iam:GetSe ...
Output is too long and was truncated. You can read full Plan in Actions.

Pushed by: @micbegin, Action: pull_request, Working Directory: /home/runner/work/eks-blueprints-actions-workflow/eks-blueprints-actions-workflow, Workflow: Deploy dev

Contributor

github-actions bot commented Mar 26, 2024

Deploy - test

Terraform Format and Style 🖌success

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan

data.aws_subnets.eks_selected_public_subnets: Reading...
module.eks.module.kms.data.aws_partition.current[0]: Reading...
module.load_balancer_controller_irsa_role.data.aws_region.current: Reading...
module.eks.data.aws_caller_identity.current: Reading...
module.karpenter.data.aws_iam_policy_document.node_assume_role[0]: Reading...
module.eks.module.fargate_profile["kube-system"].data.aws_iam_policy_document.assume_role_policy[0]: Reading...
module.load_balancer_controller_irsa_role.data.aws_caller_identity.current: Reading...
data.aws_vpc.eks: Reading...
module.eks.module.fargate_profile["argocd"].data.aws_iam_policy_document.assume_role_policy[0]: Reading...
module.eks.module.fargate_profile["karpenter"].data.aws_iam_policy_document.assume_role_policy[0]: Reading...
module.eks.module.kms.data.aws_partition.current[0]: Read complete after 0s [id=aws]
module.eks.module.fargate_profile["kube-system"].data.aws_iam_policy_document.assume_role_policy[0]: Read complete after 0s [id=3016102342]
module.eks.module.fargate_profile["karpenter"].data.aws_iam_policy_document.assume_role_policy[0]: Read complete after 0s [id=3016102342]
module.load_balancer_controller_irsa_role.data.aws_region.current: Read complete after 0s [id=us-west-2]
module.karpenter.data.aws_iam_policy_document.node_assume_role[0]: Read complete after 0s [id=2560088296]
module.eks.module.fargate_profile["argocd"].data.aws_iam_policy_document.assume_role_policy[0]: Read complete after 0s [id=3016102342]
module.karpenter.data.aws_region.current: Reading...
module.external_dns_irsa_role.data.aws_iam_policy_document.external_dns[0]: Reading...
module.external_dns_irsa_role.data.aws_partition.current: Reading...
module.eks.module.kms.data.aws_caller_identity.current[0]: Reading...
module.karpenter.data.aws_partition.current: Reading...
module.external_dns_irsa_role.data.aws_partition.current: Read complete after 0s [id=aws]
module.karpenter.data.aws_region.current: Read complete after 0s [id=us-west-2]
module.eks.data.aws_partition.current: Reading...
module.external_dns_irsa_role.data.aws_iam_policy_document.external_dns[0]: Read complete after 0s [id=2545455088]
module.karpenter.data.aws_partition.current: Read complete after 0s [id=aws]
module.eks.data.aws_partition.current: Read complete after 0s [id=aws]
data.aws_caller_identity.current: Reading...
module.load_balancer_controller_irsa_role.data.aws_partition.current: Reading...
module.external_dns_irsa_role.data.aws_caller_identity.current: Reading...
module.load_balancer_controller_irsa_role.data.aws_partition.current: Read complete after 0s [id=aws]
module.eks.module.fargate_profile["kube-system"].data.aws_partition.current: Reading...
module.eks.module.fargate_profile["argocd"].data.aws_partition.current: Reading...
module.eks.module.fargate_profile["kube-system"].data.aws_partition.current: Read complete after 0s [id=aws]
module.eks.module.fargate_profile["karpenter"].data.aws_partition.current: Reading...
module.eks.module.fargate_profile["argocd"].data.aws_partition.current: Read complete after 0s [id=aws]
module.karpenter.data.aws_caller_identity.current: Reading...
module.eks.module.fargate_profile["karpenter"].data.aws_partition.current: Read complete after 0s [id=aws]
module.eks.data.aws_iam_policy_document.assume_role_policy[0]: Reading...
data.aws_subnets.eks_selected_private_subnets: Reading...
module.eks.data.aws_iam_policy_document.assume_role_policy[0]: Read complete after 0s [id=2764486067]
module.eks.data.aws_caller_identity.current: Read complete after 0s [id=362500403135]
module.eks.module.fargate_profile["argocd"].data.aws_caller_identity.current: Reading...
module.eks.module.fargate_profile["karpenter"].data.aws_caller_identity.current: Reading...
module.load_balancer_controller_irsa_role.data.aws_caller_identity.current: Read complete after 0s [id=362500403135]
module.eks.module.fargate_profile["kube-system"].data.aws_caller_identity.current: Reading...
module.eks.module.kms.data.aws_caller_identity.current[0]: Read complete after 0s [id=362500403135]
module.external_dns_irsa_role.data.aws_region.current: Reading...
module.external_dns_irsa_role.data.aws_region.current: Read complete after 0s [id=us-west-2]
module.eks.data.aws_iam_session_context.current: Reading...
data.aws_caller_identity.current: Read complete after 0s [id=362500403135]
module.external_dns_irsa_role.data.aws_caller_identity.current: Read complete after 0s [id=362500403135]
module.load_balancer_controller_irsa_role.data.aws_iam_policy_document.load_balancer_controller[0]: Reading...
module.karpenter.data.aws_caller_identity.current: Read complete after 0s [id=362500403135]
module.load_balancer_controller_irsa_role.data.aws_iam_policy_document.load_balancer_controller[0]: Read complete after 0s [id=2997734474]
module.eks.module.fargate_profile["argocd"].data.aws_caller_identity.current: Read complete after 0s [id=362500403135]
module.eks.module.fargate_profile["kube-system"].data.aws_caller_identity.current: Read complete after 0s [id=362500403135]
module.eks.module.fargate_profile["karpenter"].data.aws_caller_identity.current: Read complete after 0s [id=362500403135]
data.aws_subnets.eks_selected_public_subnets: Read complete after 0s [id=us-west-2]
data.aws_subnets.eks_selected_private_subnets: Read complete after 0s [id=us-west-2]
data.aws_vpc.eks: Read complete after 0s [id=vpc-0096c8b8cbc54dd73]
data.aws_subnet.eks_private_subnets["subnet-0e0fb088632a7f001"]: Reading...
data.aws_subnet.eks_private_subnets["subnet-051cf8d7ea7f4a513"]: Reading...
data.aws_subnet.eks_private_subnets["subnet-08f2223dc60683710"]: Reading...
data.aws_subnet.eks_public_subnets["subnet-029ef29a271261efa"]: Reading...
data.aws_subnet.eks_public_subnets["subnet-0c7fa226216f34c9c"]: Reading...
data.aws_subnet.eks_public_subnets["subnet-09937c47a25c532d8"]: Reading...
module.eks.data.aws_iam_session_context.current: Read complete after 0s [id=arn:aws:sts::362500403135:assumed-role/github-actions-eks-demo/terraform-execution-role]
data.aws_subnet.eks_private_subnets["subnet-08f2223dc60683710"]: Read complete after 0s [id=subnet-08f2223dc60683710]
data.aws_subnet.eks_public_subnets["subnet-0c7fa226216f34c9c"]: Read complete after 1s [id=subnet-0c7fa226216f34c9c]
data.aws_subnet.eks_private_subnets["subnet-051cf8d7ea7f4a513"]: Read complete after 1s [id=subnet-051cf8d7ea7f4a513]
data.aws_subnet.eks_private_subnets["subnet-0e0fb088632a7f001"]: Read complete after 1s [id=subnet-0e0fb088632a7f001]
data.aws_subnet.eks_public_subnets["subnet-09937c47a25c532d8"]: Read complete after 1s [id=subnet-09937c47a25c532d8]
data.aws_subnet.eks_public_subnets["subnet-029ef29a271261efa"]: Read complete after 1s [id=subnet-029ef29a271261efa]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)

Terraform will perform the following actions:

  # aws_ec2_tag.private_subnet_cluster_alb_tag["subnet-051cf8d7ea7f4a513"] will be created
  + resource "aws_ec2_tag" "private_subnet_cluster_alb_tag" {
      + id          = (known after apply)
      + key         = "kubernetes.io/cluster/eks-demo-test-01"
      + resource_id = "subnet-051cf8d7ea7f4a513"
      + value       = "shared"
    }

  # aws_ec2_tag.private_subnet_cluster_alb_tag["subnet-08f2223dc60683710"] will be created
  + resource "aws_ec2_tag" "private_subnet_cluster_alb_tag" {
      + id          = (known after apply)
      + key         = "kubernetes.io/cluster/eks-demo-test-01"
      + resource_id = "subnet-08f2223dc60683710"
      + value       = "shared"
    }

  # aws_ec2_tag.private_subnet_cluster_alb_tag["subnet-0e0fb088632a7f001"] will be created
  + resource "aws_ec2_tag" "private_subnet_cluster_alb_tag" {
      + id          = (known after apply)
      + key         = "kubernetes.io/cluster/eks-demo-test-01"
      + resource_id = "subnet-0e0fb088632a7f001"
      + value       = "shared"
    }

  # aws_ec2_tag.private_subnet_cluster_karpenter_tag["subnet-051cf8d7ea7f4a513"] will be created
  + resource "aws_ec2_tag" "private_subnet_cluster_karpenter_tag" {
      + id          = (known after apply)
      + key         = "karpenter.sh/discovery/eks-demo-test-01"
      + resource_id = "subnet-051cf8d7ea7f4a513"
      + value       = "eks-demo-test-01"
    }

  # aws_ec2_tag.private_subnet_cluster_karpenter_tag["subnet-08f2223dc60683710"] will be created
  + resource "aws_ec2_tag" "private_subnet_cluster_karpenter_tag" {
      + id          = (known after apply)
      + key         = "karpenter.sh/discovery/eks-demo-test-01"
      + resource_id = "subnet-08f2223dc60683710"
      + value       = "eks-demo-test-01"
    }

  # aws_ec2_tag.private_subnet_cluster_karpenter_tag["subnet-0e0fb088632a7f001"] will be created
  + resource "aws_ec2_tag" "private_subnet_cluster_karpenter_tag" {
      + id          = (known after apply)
      + key         = "karpenter.sh/discovery/eks-demo-test-01"
      + resource_id = "subnet-0e0fb088632a7f001"
      + value       = "eks-demo-test-01"
    }

  # aws_ec2_tag.public_subnet_cluster_alb_tag["subnet-029ef29a271261efa"] will be created
  + resource "aws_ec2_tag" "public_subnet_cluster_alb_tag" {
      + id          = (known after apply)
      + key         = "kubernetes.io/cluster/eks-demo-test-01"
      + resource_id = "subnet-029ef29a271261efa"
      + value       = "shared"
    }

  # aws_ec2_tag.public_subnet_cluster_alb_tag["subnet-09937c47a25c532d8"] will be created
  + resource "aws_ec2_tag" "public_subnet_cluster_alb_tag" {
      + id          = (known after apply)
      + key         = "kubernetes.io/cluster/eks-demo-test-01"
      + resource_id = "subnet-09937c47a25c532d8"
      + value       = "shared"
    }

  # aws_ec2_tag.public_subnet_cluster_alb_tag["subnet-0c7fa226216f34c9c"] will be created
  + resource "aws_ec2_tag" "public_subnet_cluster_alb_tag" {
      + id          = (known after apply)
      + key         = "kubernetes.io/cluster/eks-demo-test-01"
      + resource_id = "subnet-0c7fa226216f34c9c"
      + value       = "shared"
    }

  # aws_ec2_tag.vpc_tag will be created
  + resource "aws_ec2_tag" "vpc_tag" {
      + id          = (known after apply)
      + key         = "kubernetes.io/cluster/eks-demo-test-01"
      + resource_id = "vpc-0096c8b8cbc54dd73"
      + value       = "shared"
    }

  # helm_release.argocd_applications will be created
  + resource "helm_release" "argocd_applications" {
      + atomic                     = false
      + chart                      = "argocd"
      + cleanup_on_fail            = false
      + create_namespace           = false
      + dependency_update          = false
      + disable_crd_hooks          = false
      + disable_openapi_validation = false
      + disable_webhooks           = false
      + force_update               = false
      + id                         = (known after apply)
      + lint                       = false
      + manifest                   = (known after apply)
      + max_history                = 0
      + metadata                   = (known after apply)
      + name                       = "argocd-apps"
      + namespace                  = "argocd"
      + pass_credentials           = false
      + recreate_pods              = false
      + render_subchart_notes      = true
      + replace                    = false
      + reset_values               = false
      + reuse_values               = false
      + skip_crds                  = false
      + status                     = "deployed"
      + timeout                    = 300
      + values                     = (known after apply)
      + verify                     = false
      + version                    = "0.1.0"
      + wait                       = true
      + wait_for_jobs              = false
    }

  # module.eks.data.aws_eks_addon_version.this["coredns"] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_eks_addon_version" "this" {
      + addon_name         = "coredns"
      + id                 = (known after apply)
      + kubernetes_version = "1.29"
      + version            = (known after apply)
    }

  # module.eks.data.aws_eks_addon_version.this["kube-proxy"] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_eks_addon_version" "this" {
      + addon_name         = "kube-proxy"
      + id                 = (known after apply)
      + kubernetes_version = "1.29"
      + version            = (known after apply)
    }

  # module.eks.data.aws_eks_addon_version.this["vpc-cni"] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_eks_addon_version" "this" {
      + addon_name         = "vpc-cni"
      + id                 = (known after apply)
      + kubernetes_version = "1.29"
      + version            = (known after apply)
    }

  # module.eks.data.tls_certificate.this[0] will be read during apply
  # (config refers to values not yet known)
 <= data "tls_certificate" "this" {
      + certificates = (known after apply)
      + id           = (known after apply)
      + url          = (known after apply)
    }

  # module.eks.aws_cloudwatch_log_group.this[0] will be created
  + resource "aws_cloudwatch_log_group" "this" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + log_group_class   = (known after apply)
      + name              = "/aws/eks/eks-demo-test-01/cluster"
      + name_prefix       = (known after apply)
      + retention_in_days = 90
      + skip_destroy      = false
      + tags              = {
          + "Name"                                    = "/aws/eks/eks-demo-test-01/cluster"
          + "karpenter.sh/discovery/eks-demo-test-01" = "eks-demo-test-01"
        }
      + tags_all          = {
          + "Blueprint"                               = "eks-blueprints-actions-workflow"
          + "GithubRepo"                              = "github.com/aws-samples/eks-blueprints-actions-workflow"
          + "Name"                                    = "/aws/eks/eks-demo-test-01/cluster"
          + "karpenter.sh/discovery/eks-demo-test-01" = "eks-demo-test-01"
        }
    }

  # module.eks.aws_ec2_tag.cluster_primary_security_group["karpenter.sh/discovery/eks-demo-test-01"] will be created
  + resource "aws_ec2_tag" "cluster_primary_security_group" {
      + id          = (known after apply)
      + key         = "karpenter.sh/discovery/eks-demo-test-01"
      + resource_id = (known after apply)
      + value       = "eks-demo-test-01"
    }

  # module.eks.aws_eks_access_entry.this["admins"] will be created
  + resource "aws_eks_access_entry" "this" {
      + access_entry_arn  = (known after apply)
      + cluster_name      = "eks-demo-test-01"
      + created_at        = (known after apply)
      + id                = (known after apply)
      + kubernetes_groups = (known after apply)
      + modified_at       = (known after apply)
      + principal_arn     = "arn:aws:iam::362500403135:role/eks-admins"
      + tags              = {
          + "karpenter.sh/discovery/eks-demo-test-01" = "eks-demo-test-01"
        }
      + tags_all          = {
          + "Blueprint"                               = "eks-blueprints-actions-workflow"
          + "GithubRepo"                              = "github.com/aws-samples/eks-blueprints-actions-workflow"
          + "karpenter.sh/discovery/eks-demo-test-01" = "eks-demo-test-01"
        }
      + type              = "STANDARD"
      + user_name         = (known after apply)
    }

  # module.eks.aws_eks_access_entry.this["cluster_creator"] will be created
  + resource "aws_eks_access_entry" "this" {
      + access_entry_arn  = (known after apply)
      + cluster_name      = "eks-demo-test-01"
      + created_at        = (known after apply)
      + id                = (known after apply)
      + kubernetes_groups = (known after apply)
      + modified_at       = (known after apply)
      + principal_arn     = "arn:aws:iam::362500403135:role/github-actions-eks-demo"
      + tags              = {
          + "karpenter.sh/discovery/eks-demo-test-01" = "eks-demo-test-01"
        }
      + tags_all          = {
          + "Blueprint"                               = "eks-blueprints-actions-workflow"
          + "GithubRepo"                              = "github.com/aws-samples/eks-blueprints-actions-workflow"
          + "karpenter.sh/discovery/eks-demo-test-01" = "eks-demo-test-01"
        }
      + type              = "STANDARD"
      + user_name         = (known after apply)
    }

  # module.eks.aws_eks_access_policy_association.this["admins_cluster_admin"] will be created
  + resource "aws_eks_access_policy_association" "this" {
      + associated_at = (known after apply)
      + cluster_name  = "eks-demo-test-01"
      + id            = (known after apply)
      + modified_at   = (known after apply)
      + policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
      + principal_arn = "arn:aws:iam::362500403135:role/eks-admins"

      + access_scope {
          + type = "cluster"
        }
    }

  # module.eks.aws_eks_access_policy_association.this["cluster_creator_admin"] will be created
  + resource "aws_eks_access_policy_association" "this" {
      + associated_at = (known after apply)
      + cluster_name  = "eks-demo-test-01"
      + id            = (known after apply)
      + modified_at   = (known after apply)
      + policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
      + principal_arn = "arn:aws:iam::362500403135:role/github-actions-eks-demo"

      + access_scope {
          + type = "cluster"
        }
    }

  # module.eks.aws_eks_addon.this["coredns"] will be created
  + resource "aws_eks_addon" "this" {
      + addon_name                  = "coredns"
      + addon_version               = "v1.11.1-eksbuild.6"
      + arn                         = (known after apply)
      + cluster_name                = "eks-demo-test-01"
      + configuration_values        = jsonencode(
            {
              + computeType = "fargate"
              + resources   = {
                  + limits   = {
                      + cpu    = "0.25"
                      + memory = "256M"
                    }
                  + requests = {
                      + cpu    = "0.25"
                      + memory = "256M"
                    }
                }
            }
        )
      + created_at                  = (known after apply)
      + id                          = (known after apply)
      + modified_at                 = (known after apply)
      + preserve                    = true
      + resolve_conflicts_on_create = "OVERWRITE"
      + resolve_conflicts_on_update = "OVERWRITE"
      + tags                        = {
          + "karpenter.sh/discovery/eks-demo-test-01" = "eks-demo-test-01"
        }
      + tags_all                    = {
          + "Blueprint"                               = "eks-blueprints-actions-workflow"
          + "GithubRepo"                              = "github.com/aws-samples/eks-blueprints-actions-workflow"
          + "karpenter.sh/discovery/eks-demo-test-01" = "eks-demo-test-01"
        }

      + timeouts {}
    }

  # module.eks.aws_eks_addon.this["kube-proxy"] will be created
  + resource "aws_eks_addon" "this" {
      + addon_name                  = "kube-proxy"
      + addon_version               = "v1.29.1-eksbuild.2"
      + arn                         = (known after apply)
      + cluster_name                = "eks-demo-test-01"
      + configuration_values        = (known after apply)
      + created_at                  = (known after apply)
      + id                          = (known after apply)
      + modified_at                 = (known after apply)
      + preserve                    = true
      + resolve_conflicts_on_create = "OVERWRITE"
      + resolve_conflicts_on_update = "OVERWRITE"
      + tags                        = {
          + "karpenter.sh/discovery/eks-demo-test-01" = "eks-demo-test-01"
        }
      + tags_all                    = {
          + "Blueprint"                               = "eks-blueprints-actions-workflow"
          + "GithubRepo"                              = "github.com/aws-samples/eks-blueprints-actions-workflow"
          + "karpenter.sh/discovery/eks-demo-test-01" = "eks-demo-test-01"
        }

      + timeouts {}
    }

  # module.eks.aws_eks_addon.this["vpc-cni"] will be created
  + resource "aws_eks_addon" "this" {
      + addon_name                  = "vpc-cni"
      + addon_version               = "v1.17.1-eksbuild.1"
      + arn                         = (known after apply)
      + cluster_name                = "eks-demo-test-01"
      + configuration_values        = (known after apply)
      + created_at                  = (known after apply)
      + id                          = (known after apply)
      + modified_at                 = (known after apply)
      + preserve                    = true
      + resolve_conflicts_on_create = "OVERWRITE"
      + resolve_conflicts_on_update = "OVERWRITE"
      + tags                        = {
          + "karpenter.sh/discovery/eks-demo-test-01" = "eks-demo-test-01"
        }
      + tags_all                    = {
          + "Blueprint"                               = "eks-blueprints-actions-workflow"
          + "GithubRepo"                              = "github.com/aws-samples/eks-blueprints-actions-workflow"
          + "karpenter.sh/discovery/eks-demo-test-01" = "eks-demo-test-01"
        }

      + timeouts {}
    }

  # module.eks.aws_eks_cluster.this[0] will be created
  + resource "aws_eks_cluster" "this" {
      + arn                       = (known after apply)
      + certificate_authority     = (known after apply)
      + cluster_id                = (known after apply)
      + created_at                = (known after apply)
      + enabled_cluster_log_types = [
          + "api",
          + "audit",
          + "authenticator",
        ]
      + endpoint                  = (known after apply)
      + id                        = (known after apply)
      + identity                  = (known after apply)
      + name                      = "eks-demo-test-01"
      + platform_version          = (known after apply)
      + role_arn                  = (known after apply)
      + status                    = (known after apply)
      + tags                      = {
          + "karpenter.sh/discovery/eks-demo-test-01" = "eks-demo-test-01"
          + "terraform-aws-modules"                   = "eks"
        }
      + tags_all                  = {
          + "Blueprint"                               = "eks-blueprints-actions-workflow"
          + "GithubRepo"                              = "github.com/aws-samples/eks-blueprints-actions-workflow"
          + "karpenter.sh/discovery/eks-demo-test-01" = "eks-demo-test-01"
          + "terraform-aws-modules"                   = "eks"
        }
      + version                   = "1.29"

      + access_config {
          + authentication_mode                         = "API_AND_CONFIG_MAP"
          + bootstrap_cluster_creator_admin_permissions = false
        }

      + encryption_config {
          + resources = [
              + "secrets",
            ]

          + provider {
              + key_arn = (known after apply)
            }
        }

      + kubernetes_network_config {
          + ip_family         = "ipv4"
          + service_ipv4_cidr = (known after apply)
          + service_ipv6_cidr = (known after apply)
        }

      + timeouts {}

      + vpc_config {
          + cluster_security_group_id = (known after apply)
          + endpoint_private_access   = true
          + endpoint_public_access    = true
          + public_access_cidrs       = [
              + "0.0.0.0/0",
            ]
          + subnet_ids                = [
              + "subnet-051cf8d7ea7f4a513",
              + "subnet-08f2223dc60683710",
              + "subnet-0e0fb088632a7f001",
            ]
          + vpc_id                    = (known after apply)
        }
    }

  # module.eks.aws_iam_openid_connect_provider.oidc_provider[0] will be created
  + resource "aws_iam_openid_connect_provider" "oidc_provider" {
      + arn             = (known after apply)
      + client_id_list  = [
          + "sts.amazonaws.com",
        ]
      + id              = (known after apply)
      + tags            = {
          + "Name"                                    = "eks-demo-test-01-eks-irsa"
          + "karpenter.sh/discovery/eks-demo-test-01" = "eks-demo-test-01"
        }
      + tags_all        = {
          + "Blueprint"                               = "eks-blueprints-actions-workflow"
          + "GithubRepo"                              = "github.com/aws-samples/eks-blueprints-actions-workflow"
          + "Name"                                    = "eks-demo-test-01-eks-irsa"
          + "karpenter.sh/discovery/eks-demo-test-01" = "eks-demo-test-01"
        }
      + thumbprint_list = (known after apply)
      + url             = (known after apply)
    }

  # module.eks.aws_iam_policy.cluster_encryption[0] will be created
  + resource "aws_iam_policy" "cluster_encryption" {
      + arn         = (known after apply)
      + description = "Cluster encryption policy to allow cluster role to utilize CMK provided"
      + id          = (known after apply)
      + name        = (known after apply)
      + name_prefix = "eks-demo-test-01-cluster-ClusterEncryption"
      + path        = "/"
      + policy      = (known after apply)
      + policy_id   = (known after apply)
      + tags        = {
          + "karpenter.sh/discovery/eks-demo-test-01" = "eks-demo-test-01"
        }
      + tags_all    = {
          + "Blueprint"                               = "eks-blueprints-actions-workflow"
          + "GithubRepo"                              = "github.com/aws-samples/eks-blueprints-actions-workflow"
          + "karpenter.sh/discovery/eks-demo-test-01" = "eks-demo-test-01"
        }
    }

  # module.eks.aws_iam_role.this[0] will be created
  + resource "aws_iam_role" "this" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "eks.amazonaws.com"
                        }
                      + Sid       = "EKSClusterAssumeRole"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = true
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = (known after apply)
      + name_prefix           = "eks-demo-test-01-cluster-"
      + path                  = "/"
      + tags                  = {
          + "karpenter.sh/discovery/eks-demo-test-01" = "eks-demo-test-01"
        }
      + tags_all              = {
          + "Blueprint"                               = "eks-blueprints-actions-workflow"
          + "GithubRepo"                              = "github.com/aws-samples/eks-blueprints-actions-workflow"
          + "karpenter.sh/discovery/eks-demo-test-01" = "eks-demo-test-01"
        }
      + unique_id             = (known after apply)

      + inline_policy {
          + name   = "eks-demo-test-01-cluster"
          + policy = jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "logs:CreateLogGroup",
                            ]
                          + Effect   = "Deny"
                          + Resource = "*"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            )
        }
    }

  # module.eks.aws_iam_role_policy_attachment.cluster_encryption[0] will be created
  + resource "aws_iam_role_policy_attachment" "cluster_encryption" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = (known after apply)
    }

  # module.eks.aws_iam_role_policy_attachment.this["AmazonEKSClusterPolicy"] will be created
  + resource "aws_iam_role_policy_attachment" "this" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
      + role       = (known after apply)
    }

  # module.eks.aws_iam_role_policy_attachment.this["AmazonEKSVPCResourceController"] will be created
  + resource "aws_iam_role_policy_attachment" "this" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
      + role       = (known after apply)
    }

  # module.eks.time_sleep.this[0] will be created
  + resource "time_sleep" "this" {
      + create_duration = "30s"
      + id              = (known after apply)
      + triggers        = {
          + "cluster_certificate_authority_data" = (known after apply)
          + "cluster_endpoint"                   = (known after apply)
          + "cluster_name"                       = "eks-demo-test-01"
          + "cluster_service_cidr"               = (known after apply)
          + "cluster_version"                    = "1.29"
        }
    }

  # module.eks_blueprints_addons.data.aws_caller_identity.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_caller_identity" "current" {
      + account_id = (known after apply)
      + arn        = (known after apply)
      + id         = (known after apply)
      + user_id    = (known after apply)
    }

  # module.eks_blueprints_addons.data.aws_partition.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_partition" "current" {
      + dns_suffix         = (known after apply)
      + id                 = (known after apply)
      + partition          = (known after apply)
      + reverse_dns_prefix = (known after apply)
    }

  # module.eks_blueprints_addons.data.aws_region.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_region" "current" {
      + description = (known after apply)
      + endpoint    = (known after apply)
      + id          = (known after apply)
      + name        = (known after apply)
    }

  # module.eks_blueprints_addons.time_sleep.this will be created
  + resource "time_sleep" "this" {
      + create_duration = "30s"
      + id              = (known after apply)
      + triggers        = {
          + "cluster_endpoint"  = (known after apply)
          + "cluster_name"      = "eks-demo-test-01"
          + "custom"            = ""
          + "oidc_provider_arn" = (known after apply)
        }
    }

  # module.external_dns_irsa_role.data.aws_iam_policy_document.this[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "this" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions = [
              + "sts:AssumeRoleWithWebIdentity",
            ]
          + effect  = "Allow"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "sts.amazonaws.com",
                ]
              + variable = (known after apply)
            }
          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "system:serviceaccount:kube-system:external-dns",
                ]
              + variable = (known after apply)
            }

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "Federated"
            }
        }
    }

  # module.external_dns_irsa_role.aws_iam_policy.external_dns[0] will be created
  + resource "aws_iam_policy" "external_dns" {
      + arn         = (known after apply)
      + description = "External DNS policy to allow management of Route53 hosted zone records"
      + id          = (known after apply)
      + name        = (known after apply)
      + name_prefix = "AmazonEKS_External_DNS_Policy-"
      + path        = "/"
      + policy      = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = "route53:ChangeResourceRecordSets"
                      + Effect   = "Allow"
                      + Resource = "arn:aws:route53:::hostedzone/Z0053446TEDTI1D9V3U9"
                    },
                  + {
                      + Action   = [
                          + "route53:ListTagsForResource",
                          + "route53:ListResourceRecordSets",
                          + "route53:ListHostedZones",
                        ]
                      + Effect   = "Allow"
                      + Resource = "*"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + policy_id   = (known after apply)
      + tags        = {
          + "Blueprint"  = "eks-blueprints-actions-workflow"
          + "GithubRepo" = "github.com/aws-samples/eks-blueprints-actions-workflow"
        }
      + tags_all    = {
          + "Blueprint"  = "eks-blueprints-actions-workflow"
          + "GithubRepo" = "github.com/aws-samples/eks-blueprints-actions-workflow"
        }
    }

  # module.external_dns_irsa_role.aws_iam_role.this[0] will be created
  + resource "aws_iam_role" "this" {
      + arn                   = (known after apply)
      + assume_role_policy    = (known after apply)
      + create_date           = (known after apply)
      + force_detach_policies = true
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "eks-demo-test-01-external-dns-irsa"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags                  = {
          + "Blueprint"  = "eks-blueprints-actions-workflow"
          + "GithubRepo" = "github.com/aws-samples/eks-blueprints-actions-workflow"
        }
      + tags_all              = {
          + "Blueprint"  = "eks-blueprints-actions-workflow"
          + "GithubRepo" = "github.com/aws-samples/eks-blueprints-actions-workflow"
        }
      + unique_id             = (known after apply)
    }

  # module.external_dns_irsa_role.aws_iam_role_policy_attachment.external_dns[0] will be created
  + resource "aws_iam_role_policy_attachment" "external_dns" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "eks-demo-test-01-external-dns-irsa"
    }

  # module.karpenter.data.aws_iam_policy_document.controller[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "controller" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "ec2:CreateFleet",
              + "ec2:RunInstances",
            ]
          + resources = [
              + "arn:aws:ec2:*:*:launch-template/*",
              + "arn:aws:ec2:*:*:security-group/*",
              + "arn:aws:ec2:*:*:spot-instances-request/*",
              + "arn:aws:ec2:*:*:subnet/*",
              + "arn:aws:ec2:*::image/*",
              + "arn:aws:ec2:*::snapshot/*",
            ]
          + sid       = "AllowScopedEC2InstanceActions"
        }
      + statement {
          + actions   = [
              + "ec2:CreateFleet",
              + "ec2:CreateLaunchTemplate",
              + "ec2:RunInstances",
            ]
          + resources = [
              + "arn:aws:ec2:*:*:fleet/*",
              + "arn:aws:ec2:*:*:instance/*",
              + "arn:aws:ec2:*:*:launch-template/*",
              + "arn:aws:ec2:*:*:network-interface/*",
              + "arn:aws:ec2:*:*:spot-instances-request/*",
              + "arn:aws:ec2:*:*:volume/*",
            ]
          + sid       = "AllowScopedEC2InstanceActionsWithTags"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "owned",
                ]
              + variable = "aws:RequestTag/kubernetes.io/cluster/eks-demo-test-01"
            }
          + condition {
              + test     = "StringLike"
              + values   = [
                  + "*",
                ]
              + variable = "aws:RequestTag/karpenter.sh/nodepool"
            }
        }
      + statement {
          + actions   = [
              + "ec2:CreateTags",
            ]
          + resources = [
              + "arn:aws:ec2:*:*:fleet/*",
              + "arn:aws:ec2:*:*:instance/*",
              + "arn:aws:ec2:*:*:launch-template/*",
              + "arn:aws:ec2:*:*:network-interface/*",
              + "arn:aws:ec2:*:*:spot-instances-request/*",
              + "arn:aws:ec2:*:*:volume/*",
            ]
          + sid       = "AllowScopedResourceCreationTagging"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "RunInstances",
                  + "CreateFleet",
                  + "CreateLaunchTemplate",
                ]
              + variable = "ec2:CreateAction"
            }
          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "owned",
                ]
              + variable = "aws:RequestTag/kubernetes.io/cluster/eks-demo-test-01"
            }
          + condition {
              + test     = "StringLike"
              + values   = [
                  + "*",
                ]
              + variable = "aws:RequestTag/karpenter.sh/nodepool"
            }
        }
      + statement {
          + actions   = [
              + "ec2:CreateTags",
            ]
          + resources = [
              + "arn:aws:ec2:*:*:instance/*",
            ]
          + sid       = "AllowScopedResourceTagging"

          + condition {
              + test     = "ForAllValues:StringEquals"
              + values   = [
                  + "karpenter.sh/nodeclaim",
                  + "Name",
                ]
              + variable = "aws:TagKeys"
            }
          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "owned",
                ]
              + variable = "aws:ResourceTag/kubernetes.io/cluster/eks-demo-test-01"
            }
          + condition {
              + test     = "StringLike"
              + values   = [
                  + "*",
                ]
              + variable = "aws:ResourceTag/karpenter.sh/nodepool"
            }
        }
      + statement {
          + actions   = [
              + "ec2:DeleteLaunchTemplate",
              + "ec2:TerminateInstances",
            ]
          + resources = [
              + "arn:aws:ec2:*:*:instance/*",
              + "arn:aws:ec2:*:*:launch-template/*",
            ]
          + sid       = "AllowScopedDeletion"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "owned",
                ]
              + variable = "aws:ResourceTag/kubernetes.io/cluster/eks-demo-test-01"
            }
          + condition {
              + test     = "StringLike"
              + values   = [
                  + "*",
                ]
              + variable = "aws:ResourceTag/karpenter.sh/nodepool"
            }
        }
      + statement {
          + actions   = [
              + "ec2:DescribeAvailabilityZones",
              + "ec2:DescribeImages",
              + "ec2:DescribeInstanceTypeOfferings",
              + "ec2:DescribeInstanceTypes",
              + "ec2:DescribeInstances",
              + "ec2:DescribeLaunchTemplates",
              + "ec2:DescribeSecurityGroups",
              + "ec2:DescribeSpotPriceHistory",
              + "ec2:DescribeSubnets",
            ]
          + resources = [
              + "*",
            ]
          + sid       = "AllowRegionalReadActions"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "us-west-2",
                ]
              + variable = "aws:RequestedRegion"
            }
        }
      + statement {
          + actions   = [
              + "ssm:GetParameter",
            ]
          + resources = [
              + "arn:aws:ssm:us-west-2::parameter/aws/service/*",
            ]
          + sid       = "AllowSSMReadActions"
        }
      + statement {
          + actions   = [
              + "pricing:GetProducts",
            ]
          + resources = [
              + "*",
            ]
          + sid       = "AllowPricingReadActions"
        }
      + statement {
          + actions   = [
              + "sqs:DeleteMessage",
              + "sqs:GetQueueAttributes",
              + "sqs:GetQueueUrl",
              + "sqs:ReceiveMessage",
            ]
          + resources = [
              + (known after apply),
            ]
          + sid       = "AllowInterruptionQueueActions"
        }
      + statement {
          + actions   = [
              + "iam:PassRole",
            ]
          + resources = [
              + (known after apply),
            ]
          + sid       = "AllowPassingInstanceRole"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "ec2.amazonaws.com",
                ]
              + variable = "iam:PassedToService"
            }
        }
      + statement {
          + actions   = [
              + "iam:CreateInstanceProfile",
            ]
          + resources = [
              + "*",
            ]
          + sid       = "AllowScopedInstanceProfileCreationActions"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "owned",
                ]
              + variable = "aws:RequestTag/kubernetes.io/cluster/eks-demo-test-01"
            }
          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "us-west-2",
                ]
              + variable = "aws:RequestTag/topology.kubernetes.io/region"
            }
          + condition {
              + test     = "StringLike"
              + values   = [
                  + "*",
                ]
              + variable = "aws:RequestTag/karpenter.k8s.aws/ec2nodeclass"
            }
        }
      + statement {
          + actions   = [
              + "iam:TagInstanceProfile",
            ]
          + resources = [
              + "*",
            ]
          + sid       = "AllowScopedInstanceProfileTagActions"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "owned",
                ]
              + variable = "aws:RequestTag/kubernetes.io/cluster/eks-demo-test-01"
            }
          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "owned",
                ]
              + variable = "aws:ResourceTag/kubernetes.io/cluster/eks-demo-test-01"
            }
          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "us-west-2",
                ]
              + variable = "aws:ResourceTag/topology.kubernetes.io/region"
            }
          + condition {
              + test     = "StringLike"
              + values   = [
                  + "*",
                ]
              + variable = "aws:RequestTag/karpenter.k8s.aws/ec2nodeclass"
            }
          + condition {
              + test     = "StringLike"
              + values   = [
                  + "*",
                ]
              + variable = "aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass"
            }
        }
      + statement {
          + actions   = [
              + "iam:AddRoleToInstanceProfile",
              + "iam:DeleteInstanceProfile",
              + "iam:RemoveRoleFromInstanceProfile",
            ]
          + resources = [
              + "*",
            ]
          + sid       = "AllowScopedInstanceProfileActions"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "owned",
                ]
              + variable = "aws:ResourceTag/kubernetes.io/cluster/eks-demo-test-01"
            }
          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "us-west-2",
                ]
              + variable = "aws:ResourceTag/topology.kubernetes.io/region"
            }
          + condition {
              + test     = "StringLike"
              + values   = [
                  + "*",
                ]
              + variable = "aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass"
            }
        }
      + statement {
          + actions   = [
              + "iam:GetInstanceProfile",
            ]
          + resources = [
              + "*",
            ]
          + sid       = "AllowInstanceProfileReadActions"
        }
      + statement {
          + actions   = [
              + "eks:DescribeCluster",
            ]
          + resources = [
              + "arn:aws:eks:us-west-2:362500403135:cluster/eks-demo-test-01",
            ]
          + sid       = "AllowAPIServerEndpointDiscovery"
        }
    }

  # module.karpenter.data.aws_iam_policy_document.controller_assume_role[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "controller_assume_role" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions = [
              + "sts:AssumeRole",
              + "sts:TagSession",
            ]

          + principals {
              + identifiers = [
                  + "pods.eks.amazonaws.com",
                ]
              + type        = "Service"
            }
        }
      + statement {
          + actions = [
              + "sts:AssumeRoleWithWebIdentity",
            ]

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "sts.amazonaws.com",
                ]
              + variable = (known after apply)
            }
          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "system:serviceaccount:karpenter:karpenter",
                ]
              + variable = (known after apply)
            }

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "Federated"
            }
        }
    }

  # module.karpenter.data.aws_iam_policy_document.queue[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "queue" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "sqs:SendMessage",
            ]
          + resources = [
              + (known after apply),
            ]
          + sid       = "SqsWrite"

          + principals {
              + identifiers = [
                  + "events.amazonaws.com",
                  + "sqs.amazonaws.com",
                ]
              + type        = "Service"
            }
        }
    }

  # module.karpenter.aws_cloudwatch_event_rule.this["health_event"] will be created
  + resource "aws_cloudwatch_event_rule" "this" {
      + arn            = (known after apply)
      + description    = "Karpenter interrupt - AWS health event"
      + event_bus_name = "default"
      + event_pattern  = jsonencode(
            {
              + detail-type = [
                  + "AWS Health Event",
                ]
              + source      = [
                  + "aws.health",
                ]
            }
        )
      + id             = (known after apply)
      + name           = (known after apply)
      + name_prefix    = "KarpenterHealthEvent-"
      + tags           = {
          + "ClusterName" = "eks-demo-test-01"
        }
      + tags_all       = {
          + "Blueprint"   = "eks-blueprints-actions-workflow"
          + "ClusterName" = "eks-demo-test-01"
          + "GithubRepo"  = "github.com/aws-samples/eks-blueprints-actions-workflow"
        }
    }

  # module.karpenter.aws_cloudwatch_event_rule.this["instance_rebalance"] will be created
  + resource "aws_cloudwatch_event_rule" "this" {
      + arn            = (known after apply)
      + description    = "Karpenter interrupt - EC2 instance rebalance recommendation"
      + event_bus_name = "default"
      + event_pattern  = jsonencode(
            {
              + detail-type = [
                  + "EC2 Instance Rebalance Recommendation",
                ]
              + source      = [
                  + "aws.ec2",
                ]
            }
        )
      + id             = (known after apply)
      + name           = (known after apply)
      + name_prefix    = "KarpenterInstanceRebalance-"
      + tags           = {
          + "ClusterName" = "eks-demo-test-01"
        }
      + tags_all       = {
          + "Blueprint"   = "eks-blueprints-actions-workflow"
          + "ClusterName" = "eks-demo-test-01"
          + "GithubRepo"  = "github.com/aws-samples/eks-blueprints-actions-workflow"
        }
    }

  # module.karpenter.aws_cloudwatch_event_rule.this["instance_state_change"] will be created
  + resource "aws_cloudwatch_event_rule" "this" {
      + arn            = (known after apply)
      + description    = "Karpenter interrupt - EC2 instance state-change notification"
      + event_bus_name = "default"
      + event_pattern  = jsonencode(
            {
              + detail-type = [
                  + "EC2 Instance State-change Notification",
                ]
              + source      = [
                  + "aws.ec2",
                ]
            }
        )
      + id             = (known after apply)
      + name           = (known after apply)
      + name_prefix    = "KarpenterInstanceStateChange-"
      + tags           = {
          + "ClusterName" = "eks-demo-test-01"
        }
      + tags_all       = {
          + "Blueprint"   = "eks-blueprints-actions-workflow"
          + "ClusterName" = "eks-demo-test-01"
          + "GithubRepo"  = "github.com/aws-samples/eks-blueprints-actions-workflow"
        }
    }

  # module.karpenter.aws_cloudwatch_event_rule.this["spot_interrupt"] will be created
  + resource "aws_cloudwatch_event_rule" "this" {
      + arn            = (known after apply)
      + description    = "Karpenter interrupt - EC2 spot instance interruption warning"
      + event_bus_name = "default"
      + event_pattern  = jsonencode(
            {
              + detail-type = [
                  + "EC2 Spot Instance Interruption Warning",
                ]
              + source      = [
                  + "aws.ec2",
                ]
            }
        )
      + id             = (known after apply)
      + name           = (known after apply)
      + name_prefix    = "KarpenterSpotInterrupt-"
      + tags           = {
          + "ClusterName" = "eks-demo-test-01"
        }
      + tags_all       = {
          + "Blueprint"   = "eks-blueprints-actions-workflow"
          + "ClusterName" = "eks-demo-test-01"
          + "GithubRepo"  = "github.com/aws-samples/eks-blueprints-actions-workflow"
        }
    }

  # module.karpenter.aws_cloudwatch_event_target.this["health_event"] will be created
  + resource "aws_cloudwatch_event_target" "this" {
      + arn            = (known after apply)
      + event_bus_name = "default"
      + id             = (known after apply)
      + rule           = (known after apply)
      + target_id      = "KarpenterInterruptionQueueTarget"
    }

  # module.karpenter.aws_cloudwatch_event_target.this["instance_rebalance"] will be created
  + resource "aws_cloudwatch_event_target" "this" {
      + arn            = (known after apply)
      + event_bus_name = "default"
      + id             = (known after apply)
      + rule           = (known after apply)
      + target_id      = "KarpenterInterruptionQueueTarget"
    }

  # module.karpenter.aws_cloudwatch_event_target.this["instance_state_change"] will be created
  + resource "aws_cloudwatch_event_target" "this" {
      + arn            = (known after apply)
      + event_bus_name = "default"
      + id             = (known after apply)
      + rule           = (known after apply)
      + target_id      = "KarpenterInterruptionQueueTarget"
    }

  # module.karpenter.aws_cloudwatch_event_target.this["spot_interrupt"] will be created
  + resource "aws_cloudwatch_event_target" "this" {
      + arn            = (known after apply)
      + event_bus_name = "default"
      + id             = (known after apply)
      + rule           = (known after apply)
      + target_id      = "KarpenterInterruptionQueueTarget"
    }

  # module.karpenter.aws_eks_access_entry.node[0] will be created
  + resource "aws_eks_access_entry" "node" {
      + access_entry_arn  = (known after apply)
      + cluster_name      = "eks-demo-test-01"
      + created_at        = (known after apply)
      + id                = (known after apply)
      + kubernetes_groups = (known after apply)
      + modified_at       = (known after apply)
      + principal_arn     = (known after apply)
      + tags_all          = {
          + "Blueprint"  = "eks-blueprints-actions-workflow"
          + "GithubRepo" = "github.com/aws-samples/eks-blueprints-actions-workflow"
        }
      + type              = "EC2_LINUX"
      + user_name         = (known after apply)
    }

  # module.karpenter.aws_iam_policy.controller[0] will be created
  + resource "aws_iam_policy" "controller" {
      + arn         = (known after apply)
      + description = "Karpenter controller IAM policy"
      + id          = (known after apply)
      + name        = (known after apply)
      + name_prefix = "KarpenterController-"
      + path        = "/"
      + policy      = (known after apply)
      + policy_id   = (known after apply)
      + tags_all    = {
          + "Blueprint"  = "eks-blueprints-actions-workflow"
          + "GithubRepo" = "github.com/aws-samples/eks-blueprints-actions-workflow"
        }
    }

  # module.karpenter.aws_iam_role.controller[0] will be created
  + resource "aws_iam_role" "controller" {
      + arn                   = (known after apply)
      + assume_role_policy    = (known after apply)
      + create_date           = (known after apply)
      + description           = "Karpenter controller IAM role"
      + force_detach_policies = true
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = (known after apply)
      + name_prefix           = "KarpenterController-"
      + path                  = "/"
      + tags_all              = {
          + "Blueprint"  = "eks-blueprints-actions-workflow"
          + "GithubRepo" = "github.com/aws-samples/eks-blueprints-actions-workflow"
        }
      + unique_id             = (known after apply)
    }

  # module.karpenter.aws_iam_role.node[0] will be created
  + resource "aws_iam_role" "node" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "ec2.amazonaws.com"
                        }
                      + Sid       = "EKSNodeAssumeRole"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = true
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = (known after apply)
      + name_prefix           = "Karpenter-eks-demo-test-01-"
      + path                  = "/"
      + tags_all              = {
          + "Blueprint"  = "eks-blueprints-actions-workflow"
          + "GithubRepo" = "github.com/aws-samples/eks-blueprints-actions-workflow"
        }
      + unique_id             = (known after apply)
    }

  # module.karpenter.aws_iam_role_policy_attachment.controller[0] will be created
  + resource "aws_iam_role_policy_attachment" "controller" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = (known after apply)
    }

  # module.karpenter.aws_iam_role_policy_attachment.node["AmazonEC2ContainerRegistryReadOnly"] will be created
  + resource "aws_iam_role_policy_attachment" "node" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
      + role       = (known after apply)
    }

  # module.karpenter.aws_iam_role_policy_attachment.node["AmazonEKSWorkerNodePolicy"] will be created
  + resource "aws_iam_role_policy_attachment" "node" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
      + role       = (known after apply)
    }

  # module.karpenter.aws_iam_role_policy_attachment.node["AmazonEKS_CNI_Policy"] will be created
  + resource "aws_iam_role_policy_attachment" "node" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
      + role       = (known after apply)
    }

  # module.karpenter.aws_iam_role_policy_attachment.node_additional["AmazonSSMManagedInstanceCore"] will be created
  + resource "aws_iam_role_policy_attachment" "node_additional" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
      + role       = (known after apply)
    }

  # module.karpenter.aws_sqs_queue.this[0] will be created
  + resource "aws_sqs_queue" "this" {
      + arn                               = (known after apply)
      + content_based_deduplication       = false
      + deduplication_scope               = (known after apply)
      + delay_seconds                     = 0
      + fifo_queue                        = false
      + fifo_throughput_limit             = (known after apply)
      + id                                = (known after apply)
      + kms_data_key_reuse_period_seconds = (known after apply)
      + max_message_size                  = 262144
      + message_retention_seconds         = 300
      + name                              = "Karpenter-eks-demo-test-01"
      + name_prefix                       = (known after apply)
      + policy                            = (known after apply)
      + receive_wait_time_seconds         = 0
      + redrive_allow_policy              = (known after apply)
      + redrive_policy                    = (known after apply)
      + sqs_managed_sse_enabled           = true
      + tags_all                          = {
          + "Blueprint"  = "eks-blueprints-actions-workflow"
          + "GithubRepo" = "github.com/aws-samples/eks-blueprints-actions-workflow"
        }
      + url                               = (known after apply)
      + visibility_timeout_seconds        = 30
    }

  # module.karpenter.aws_sqs_queue_policy.this[0] will be created
  + resource "aws_sqs_queue_policy" "this" {
      + id        = (known after apply)
      + policy    = (known after apply)
      + queue_url = (known after apply)
    }

  # module.load_balancer_controller_irsa_role.data.aws_iam_policy_document.this[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "this" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions = [
              + "sts:AssumeRoleWithWebIdentity",
            ]
          + effect  = "Allow"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "sts.amazonaws.com",
                ]
              + variable = (known after apply)
            }
          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "system:serviceaccount:kube-system:aws-load-balancer-controller",
                ]
              + variable = (known after apply)
            }

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "Federated"
            }
        }
    }

  # module.load_balancer_controller_irsa_role.aws_iam_policy.load_balancer_controller[0] will be created
  + resource "aws_iam_policy" "load_balancer_controller" {
      + arn         = (known after apply)
      + description = "Provides permissions for AWS Load Balancer Controller addon"
      + id          = (known after apply)
      + name        = (known after apply)
      + name_prefix = "AmazonEKS_AWS_Load_Balancer_Controller-"
      + path        = "/"
      + policy      = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "iam:CreateServiceLinkedRole"
                      + Condition = {
                          + StringEquals = {
                              + "iam:AWSServiceName" = "elasticloadbalancing.amazonaws.com"
                            }
                        }
                      + Effect    = "Allow"
                      + Resource  = "*"
                    },
                  + {
                      + Action   = [
                          + "elasticloadbalancing:DescribeTrustStores",
                          + "elasticloadbalancing:DescribeTargetHealth",
                          + "elasticloadbalancing:DescribeTargetGroups",
                          + "elasticloadbalancing:DescribeTargetGroupAttributes",
                          + "elasticloadbalancing:DescribeTags",
                          + "elasticloadbalancing:DescribeSSLPolicies",
                          + "elasticloadbalancing:DescribeRules",
                          + "elasticloadbalancing:DescribeLoadBalancers",
                          + "elasticloadbalancing:DescribeLoadBalancerAttributes",
                          + "elasticloadbalancing:DescribeListeners",
                          + "elasticloadbalancing:DescribeListenerCertificates",
                          + "ec2:GetCoipPoolUsage",
                          + "ec2:DescribeVpcs",
                          + "ec2:DescribeVpcPeeringConnections",
                          + "ec2:DescribeTags",
                          + "ec2:DescribeSubnets",
                          + "ec2:DescribeSecurityGroups",
                          + "ec2:DescribeNetworkInterfaces",
                          + "ec2:DescribeInternetGateways",
                          + "ec2:DescribeInstances",
                          + "ec2:DescribeCoipPools",
                          + "ec2:DescribeAvailabilityZones",
                          + "ec2:DescribeAddresses",
                          + "ec2:DescribeAccountAttributes",
                        ]
                      + Effect   = "Allow"
                      + Resource = "*"
                    },
                  + {
                      + Action   = [
                          + "wafv2:GetWebACLForResource",
                          + "wafv2:GetWebACL",
                          + "wafv2:DisassociateWebACL",
                          + "wafv2:AssociateWebACL",
                          + "waf-regional:GetWebACLForResource",
                          + "waf-regional:GetWebACL",
                          + "waf-regional:DisassociateWebACL",
                          + "waf-regional:AssociateWebACL",
                          + "shield:GetSubscriptionState",
                          + "shield:DescribeProtection",
                          + "shield:DeleteProtection",
                          + " ...
Output is too long and was truncated. You can read full Plan in Actions.

Pushed by: @micbegin, Action: pull_request, Working Directory: /home/runner/work/eks-blueprints-actions-workflow/eks-blueprints-actions-workflow, Workflow: Deploy test

@micbegin micbegin marked this pull request as ready for review March 26, 2024 19:47
@micbegin micbegin merged commit dd22f2d into main Mar 26, 2024
10 checks passed
@micbegin micbegin deleted the feature/eks-1.29 branch March 26, 2024 20:24