Working eks_cluster role with VPC in module

modules/aws/eks_cluster/main.tf

@@ -6,6 +6,22 @@ locals {
   name = "${var.org_name_underscore}-${var.team_name_underscore}-${var.env}"
 }
 
+data "aws_caller_identity" "current" {}
+
+data "aws_eks_cluster" "default" {
+  name = module.eks.cluster_id
+}
+
+data "aws_eks_cluster_auth" "default" {
+  name = module.eks.cluster_id
+}
+
+provider "kubernetes" {
+  host                   = data.aws_eks_cluster.default.endpoint
+  cluster_ca_certificate = base64decode(data.aws_eks_cluster.default.certificate_authority[0].data)
+  token                  = data.aws_eks_cluster_auth.default.token
+}
+
 resource "aws_kms_key" "eks_secrets" {
   description             = "Encryption key for EKS secrets for cluster: ${var.cluster_name}"
   deletion_window_in_days = 7
@@ -26,9 +42,13 @@ module "eks" {
   cluster_version                 = var.kubernetes_version
   cluster_endpoint_private_access = true
   cluster_endpoint_public_access  = true
+  cluster_ip_family               = "ipv6"
+  create_cni_ipv6_iam_policy      = true
 
-  vpc_id     = var.vpc_id
-  subnet_ids = var.subnet_ids
+  # vpc_id     = var.vpc_id
+  # subnet_ids = var.subnet_ids
+  vpc_id     = module.vpc.vpc_id
+  subnet_ids = module.vpc.private_subnets
 
   eks_managed_node_group_defaults = var.managed_node_group_defaults
   eks_managed_node_groups         = var.managed_node_groups
@@ -38,6 +58,130 @@ module "eks" {
     resources        = ["secrets"]
   }]
 
+  cluster_addons = {
+    coredns = {
+      resolve_conflicts = "OVERWRITE"
+    }
+    kube-proxy = {}
+    vpc-cni = {
+      resolve_conflicts        = "OVERWRITE"
+      service_account_role_arn = module.vpc_cni_irsa.iam_role_arn
+    }
+  }
+
+  manage_aws_auth_configmap = true
+  aws_auth_users = [
+    {
+      userarn  = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+      username = "root"
+      groups   = ["system:masters"]
+    }
+  ]
+
+  cluster_security_group_additional_rules = {
+    egress_nodes_ephemeral_ports_tcp = {
+      description                = "To node 1025-65535"
+      protocol                   = "tcp"
+      from_port                  = 1025
+      to_port                    = 65535
+      type                       = "egress"
+      source_node_security_group = true
+    }
+  }
+
+  node_security_group_additional_rules = {
+    ingress_self_all = {
+      description = "Node to node all ports/protocols"
+      protocol    = "-1"
+      from_port   = 0
+      to_port     = 0
+      type        = "ingress"
+      self        = true
+    }
+    ingress_ephemeral_ports_tcp_from_cp = {
+      description              = "Controlplane to Nodes Ephemeral ports"
+      protocol                 = "tcp"
+      from_port                = 1025
+      to_port                  = 65535
+      type                     = "ingress"
+      source_security_group_id = module.eks.cluster_security_group_id
+    }
+    egress_all = {
+      description      = "Node all egress"
+      protocol         = "-1"
+      from_port        = 0
+      to_port          = 0
+      type             = "egress"
+      cidr_blocks      = ["0.0.0.0/0"]
+      ipv6_cidr_blocks = ["::/0"]
+    }
+  }
+
+  tags = merge(var.custom_tags, {
+    Org         = var.org_name_underscore
+    Team        = var.team_name_underscore
+    Environment = var.env
+  })
+}
+
+module "vpc_cni_irsa" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version = "~> 4.12"
+
+  role_name_prefix      = "VPC-CNI-IRSA"
+  attach_vpc_cni_policy = true
+  vpc_cni_enable_ipv6   = true
+
+  oidc_providers = {
+    main = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["kube-system:aws-node"]
+    }
+  }
+
+  tags = merge(var.custom_tags, {
+    Org         = var.org_name_underscore
+    Team        = var.team_name_underscore
+    Environment = var.env
+  })
+}
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 3.0"
+
+  name = var.cluster_name
+  cidr = "10.0.0.0/16"
+
+  azs             = ["${var.aws_region}a", "${var.aws_region}b", "${var.aws_region}c"]
+  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+  public_subnets  = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
+
+  enable_ipv6                     = true
+  assign_ipv6_address_on_creation = true
+  create_egress_only_igw          = true
+
+  public_subnet_ipv6_prefixes  = [0, 1, 2]
+  private_subnet_ipv6_prefixes = [3, 4, 5]
+
+  enable_nat_gateway   = true
+  single_nat_gateway   = true
+  enable_dns_hostnames = true
+
+  enable_flow_log                      = true
+  create_flow_log_cloudwatch_iam_role  = true
+  create_flow_log_cloudwatch_log_group = true
+
+  public_subnet_tags = {
+    "kubernetes.io/cluster/${var.cluster_name}" = "shared"
+    "kubernetes.io/role/elb"                    = 1
+  }
+
+  private_subnet_tags = {
+    "kubernetes.io/cluster/${var.cluster_name}" = "shared"
+    "kubernetes.io/role/internal-elb"           = 1
+  }
+
   tags = merge(var.custom_tags, {
     Org         = var.org_name_underscore
     Team        = var.team_name_underscore

modules/aws/eks_cluster/variables.tf

@@ -53,19 +53,20 @@ variable "managed_node_group_defaults" {
   description = "The (AWS) managed node group defaults"
   type        = any
   default = {
-    disk_size      = 8
-    instance_types = ["t3.nano"]
+    disk_size                  = 8
+    instance_types             = ["t3a.micro"]
+    iam_role_attach_cni_policy = true
   }
 }
 
 variable "managed_node_groups" {
   description = "The managed node groups to provision"
   type        = any
   default = {
-    example = {
-      min_size     = 1
+    example_node_group = {
+      min_size     = 2
       max_size     = 10
-      desired_size = 1
+      desired_size = 2
     }
   }
 }