Amazon EKS v3.8.1, Jan 29 25

Amazon EKS v3.8.1 published on Wednesday, Jan 29, 2025 by Pulumi

eks.ManagedNodeGroup

Explore with Pulumi AI

Amazon EKS v3.8.1 published on Wednesday, Jan 29, 2025 by Pulumi

pulumi/pulumi-eks

Example Usage

Basic Managed Node Group

using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;
using Awsx = Pulumi.Awsx;
using Eks = Pulumi.Eks;

return await Deployment.RunAsync(() => 
{
    var eksVpc = new Awsx.Ec2.Vpc("eks-vpc", new()
    {
        EnableDnsHostnames = true,
        CidrBlock = "10.0.0.0/16",
    });

    var eksCluster = new Eks.Cluster("eks-cluster", new()
    {
        VpcId = eksVpc.VpcId,
        AuthenticationMode = Eks.AuthenticationMode.Api,
        PublicSubnetIds = eksVpc.PublicSubnetIds,
        PrivateSubnetIds = eksVpc.PrivateSubnetIds,
        SkipDefaultNodeGroup = true,
    });

    var nodeRole = new Aws.Iam.Role("node-role", new()
    {
        AssumeRolePolicy = JsonSerializer.Serialize(new Dictionary<string, object?>
        {
            ["Version"] = "2012-10-17",
            ["Statement"] = new[]
            {
                new Dictionary<string, object?>
                {
                    ["Action"] = "sts:AssumeRole",
                    ["Effect"] = "Allow",
                    ["Sid"] = "",
                    ["Principal"] = new Dictionary<string, object?>
                    {
                        ["Service"] = "ec2.amazonaws.com",
                    },
                },
            },
        }),
    });

    var workerNodePolicy = new Aws.Iam.RolePolicyAttachment("worker-node-policy", new()
    {
        Role = nodeRole.Name,
        PolicyArn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
    });

    var cniPolicy = new Aws.Iam.RolePolicyAttachment("cni-policy", new()
    {
        Role = nodeRole.Name,
        PolicyArn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
    });

    var registryPolicy = new Aws.Iam.RolePolicyAttachment("registry-policy", new()
    {
        Role = nodeRole.Name,
        PolicyArn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
    });

    var nodeGroup = new Eks.ManagedNodeGroup("node-group", new()
    {
        Cluster = eksCluster,
        NodeRole = nodeRole,
    });

    return new Dictionary<string, object?>{};
});

package main

import (
	"encoding/json"

	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi-awsx/sdk/v2/go/awsx/ec2"
	"github.com/pulumi/pulumi-eks/sdk/v3/go/eks"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		eksVpc, err := ec2.NewVpc(ctx, "eks-vpc", &ec2.VpcArgs{
			EnableDnsHostnames: pulumi.Bool(true),
			CidrBlock:          "10.0.0.0/16",
		})
		if err != nil {
			return err
		}
		eksCluster, err := eks.NewCluster(ctx, "eks-cluster", &eks.ClusterArgs{
			VpcId:                eksVpc.VpcId,
			AuthenticationMode:   eks.AuthenticationModeApi,
			PublicSubnetIds:      eksVpc.PublicSubnetIds,
			PrivateSubnetIds:     eksVpc.PrivateSubnetIds,
			SkipDefaultNodeGroup: true,
		})
		if err != nil {
			return err
		}
		tmpJSON0, err := json.Marshal(map[string]interface{}{
			"Version": "2012-10-17",
			"Statement": []map[string]interface{}{
				map[string]interface{}{
					"Action": "sts:AssumeRole",
					"Effect": "Allow",
					"Sid":    "",
					"Principal": map[string]interface{}{
						"Service": "ec2.amazonaws.com",
					},
				},
			},
		})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		nodeRole, err := iam.NewRole(ctx, "node-role", &iam.RoleArgs{
			AssumeRolePolicy: pulumi.String(json0),
		})
		if err != nil {
			return err
		}
		_, err = iam.NewRolePolicyAttachment(ctx, "worker-node-policy", &iam.RolePolicyAttachmentArgs{
			Role:      nodeRole.Name,
			PolicyArn: pulumi.String("arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"),
		})
		if err != nil {
			return err
		}
		_, err = iam.NewRolePolicyAttachment(ctx, "cni-policy", &iam.RolePolicyAttachmentArgs{
			Role:      nodeRole.Name,
			PolicyArn: pulumi.String("arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"),
		})
		if err != nil {
			return err
		}
		_, err = iam.NewRolePolicyAttachment(ctx, "registry-policy", &iam.RolePolicyAttachmentArgs{
			Role:      nodeRole.Name,
			PolicyArn: pulumi.String("arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"),
		})
		if err != nil {
			return err
		}
		_, err = eks.NewManagedNodeGroup(ctx, "node-group", &eks.ManagedNodeGroupArgs{
			Cluster:  eksCluster,
			NodeRole: nodeRole,
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.awsx.ec2.Vpc;
import com.pulumi.awsx.ec2.VpcArgs;
import com.pulumi.eks.Cluster;
import com.pulumi.eks.ClusterArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.iam.RolePolicyAttachment;
import com.pulumi.aws.iam.RolePolicyAttachmentArgs;
import com.pulumi.eks.ManagedNodeGroup;
import com.pulumi.eks.ManagedNodeGroupArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var eksVpc = new Vpc("eksVpc", VpcArgs.builder()
            .enableDnsHostnames(true)
            .cidrBlock("10.0.0.0/16")
            .build());

        var eksCluster = new Cluster("eksCluster", ClusterArgs.builder()
            .vpcId(eksVpc.vpcId())
            .authenticationMode("API")
            .publicSubnetIds(eksVpc.publicSubnetIds())
            .privateSubnetIds(eksVpc.privateSubnetIds())
            .skipDefaultNodeGroup(true)
            .build());

        var nodeRole = new Role("nodeRole", RoleArgs.builder()
            .assumeRolePolicy(serializeJson(
                jsonObject(
                    jsonProperty("Version", "2012-10-17"),
                    jsonProperty("Statement", jsonArray(jsonObject(
                        jsonProperty("Action", "sts:AssumeRole"),
                        jsonProperty("Effect", "Allow"),
                        jsonProperty("Sid", ""),
                        jsonProperty("Principal", jsonObject(
                            jsonProperty("Service", "ec2.amazonaws.com")
                        ))
                    )))
                )))
            .build());

        var workerNodePolicy = new RolePolicyAttachment("workerNodePolicy", RolePolicyAttachmentArgs.builder()
            .role(nodeRole.name())
            .policyArn("arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy")
            .build());

        var cniPolicy = new RolePolicyAttachment("cniPolicy", RolePolicyAttachmentArgs.builder()
            .role(nodeRole.name())
            .policyArn("arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy")
            .build());

        var registryPolicy = new RolePolicyAttachment("registryPolicy", RolePolicyAttachmentArgs.builder()
            .role(nodeRole.name())
            .policyArn("arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly")
            .build());

        var nodeGroup = new ManagedNodeGroup("nodeGroup", ManagedNodeGroupArgs.builder()
            .cluster(eksCluster)
            .nodeRole(nodeRole)
            .build());
    }
}

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";
import * as eks from "@pulumi/eks";

const eksVpc = new awsx.ec2.Vpc("eks-vpc", {
    enableDnsHostnames: true,
    cidrBlock: "10.0.0.0/16",
});
const eksCluster = new eks.Cluster("eks-cluster", {
    vpcId: eksVpc.vpcId,
    authenticationMode: eks.AuthenticationMode.Api,
    publicSubnetIds: eksVpc.publicSubnetIds,
    privateSubnetIds: eksVpc.privateSubnetIds,
    skipDefaultNodeGroup: true,
});
const nodeRole = new aws.iam.Role("node-role", {assumeRolePolicy: JSON.stringify({
    Version: "2012-10-17",
    Statement: [{
        Action: "sts:AssumeRole",
        Effect: "Allow",
        Sid: "",
        Principal: {
            Service: "ec2.amazonaws.com",
        },
    }],
})});
const workerNodePolicy = new aws.iam.RolePolicyAttachment("worker-node-policy", {
    role: nodeRole.name,
    policyArn: "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
});
const cniPolicy = new aws.iam.RolePolicyAttachment("cni-policy", {
    role: nodeRole.name,
    policyArn: "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
});
const registryPolicy = new aws.iam.RolePolicyAttachment("registry-policy", {
    role: nodeRole.name,
    policyArn: "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
});
const nodeGroup = new eks.ManagedNodeGroup("node-group", {
    cluster: eksCluster,
    nodeRole: nodeRole,
});

import pulumi
import json
import pulumi_aws as aws
import pulumi_awsx as awsx
import pulumi_eks as eks

eks_vpc = awsx.ec2.Vpc("eks-vpc",
    enable_dns_hostnames=True,
    cidr_block="10.0.0.0/16")
eks_cluster = eks.Cluster("eks-cluster",
    vpc_id=eks_vpc.vpc_id,
    authentication_mode=eks.AuthenticationMode.API,
    public_subnet_ids=eks_vpc.public_subnet_ids,
    private_subnet_ids=eks_vpc.private_subnet_ids,
    skip_default_node_group=True)
node_role = aws.iam.Role("node-role", assume_role_policy=json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Sid": "",
        "Principal": {
            "Service": "ec2.amazonaws.com",
        },
    }],
}))
worker_node_policy = aws.iam.RolePolicyAttachment("worker-node-policy",
    role=node_role.name,
    policy_arn="arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy")
cni_policy = aws.iam.RolePolicyAttachment("cni-policy",
    role=node_role.name,
    policy_arn="arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy")
registry_policy = aws.iam.RolePolicyAttachment("registry-policy",
    role=node_role.name,
    policy_arn="arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly")
node_group = eks.ManagedNodeGroup("node-group",
    cluster=eks_cluster,
    node_role=node_role)

resources:
  eks-vpc:
    type: awsx:ec2:Vpc
    properties:
      enableDnsHostnames: true
      cidrBlock: 10.0.0.0/16
  eks-cluster:
    type: eks:Cluster
    properties:
      vpcId: ${eks-vpc.vpcId}
      authenticationMode: API
      publicSubnetIds: ${eks-vpc.publicSubnetIds}
      privateSubnetIds: ${eks-vpc.privateSubnetIds}
      skipDefaultNodeGroup: true
  node-role:
    type: aws:iam:Role
    properties:
      assumeRolePolicy:
        fn::toJSON:
          Version: 2012-10-17
          Statement:
            - Action: sts:AssumeRole
              Effect: Allow
              Sid: ""
              Principal:
                Service: ec2.amazonaws.com
  worker-node-policy:
    type: aws:iam:RolePolicyAttachment
    properties:
      role: ${node-role.name}
      policyArn: "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
  cni-policy:
    type: aws:iam:RolePolicyAttachment
    properties:
      role: ${node-role.name}
      policyArn: "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
  registry-policy:
    type: aws:iam:RolePolicyAttachment
    properties:
      role: ${node-role.name}
      policyArn: "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
  node-group:
    type: eks:ManagedNodeGroup
    properties:
      cluster: ${eks-cluster}
      nodeRole: ${node-role}

Enabling EFA Support

using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;
using Awsx = Pulumi.Awsx;
using Eks = Pulumi.Eks;
using Kubernetes = Pulumi.Kubernetes;

return await Deployment.RunAsync(() => 
{
    var eksVpc = new Awsx.Ec2.Vpc("eks-vpc", new()
    {
        EnableDnsHostnames = true,
        CidrBlock = "10.0.0.0/16",
    });

    var eksCluster = new Eks.Cluster("eks-cluster", new()
    {
        VpcId = eksVpc.VpcId,
        AuthenticationMode = Eks.AuthenticationMode.Api,
        PublicSubnetIds = eksVpc.PublicSubnetIds,
        PrivateSubnetIds = eksVpc.PrivateSubnetIds,
        SkipDefaultNodeGroup = true,
    });

    var k8SProvider = new Kubernetes.Provider.Provider("k8sProvider", new()
    {
        KubeConfig = eksCluster.Kubeconfig,
    });

    var nodeRole = new Aws.Iam.Role("node-role", new()
    {
        AssumeRolePolicy = JsonSerializer.Serialize(new Dictionary<string, object?>
        {
            ["Version"] = "2012-10-17",
            ["Statement"] = new[]
            {
                new Dictionary<string, object?>
                {
                    ["Action"] = "sts:AssumeRole",
                    ["Effect"] = "Allow",
                    ["Sid"] = "",
                    ["Principal"] = new Dictionary<string, object?>
                    {
                        ["Service"] = "ec2.amazonaws.com",
                    },
                },
            },
        }),
    });

    var workerNodePolicy = new Aws.Iam.RolePolicyAttachment("worker-node-policy", new()
    {
        Role = nodeRole.Name,
        PolicyArn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
    });

    var cniPolicy = new Aws.Iam.RolePolicyAttachment("cni-policy", new()
    {
        Role = nodeRole.Name,
        PolicyArn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
    });

    var registryPolicy = new Aws.Iam.RolePolicyAttachment("registry-policy", new()
    {
        Role = nodeRole.Name,
        PolicyArn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
    });

    // The node group for running system pods (e.g. coredns, etc.)
    var systemNodeGroup = new Eks.ManagedNodeGroup("system-node-group", new()
    {
        Cluster = eksCluster,
        NodeRole = nodeRole,
    });

    // The EFA device plugin for exposing EFA interfaces as extended resources
    var devicePlugin = new Kubernetes.Helm.V3.Release("device-plugin", new()
    {
        Version = "0.5.7",
        RepositoryOpts = new Kubernetes.Types.Inputs.Helm.V3.RepositoryOptsArgs
        {
            Repo = "https://aws.github.io/eks-charts",
        },
        Chart = "aws-efa-k8s-device-plugin",
        Namespace = "kube-system",
        Atomic = true,
        Values = 
        {
            { "tolerations", new[]
            {
                
                {
                    { "key", "efa-enabled" },
                    { "operator", "Exists" },
                    { "effect", "NoExecute" },
                },
            } },
        },
    }, new CustomResourceOptions
    {
        Provider = k8SProvider,
    });

    // The node group for running EFA enabled workloads
    var efaNodeGroup = new Eks.ManagedNodeGroup("efa-node-group", new()
    {
        Cluster = eksCluster,
        NodeRole = nodeRole,
        InstanceTypes = new[]
        {
            "g6.8xlarge",
        },
        Gpu = true,
        ScalingConfig = new Aws.Eks.Inputs.NodeGroupScalingConfigArgs
        {
            MinSize = 2,
            DesiredSize = 2,
            MaxSize = 4,
        },
        EnableEfaSupport = true,
        PlacementGroupAvailabilityZone = "us-west-2b",

        // Taint the nodes so that only pods with the efa-enabled label can be scheduled on them
        Taints = new[]
        {
            new Aws.Eks.Inputs.NodeGroupTaintArgs
            {
                Key = "efa-enabled",
                Value = "true",
                Effect = "NO_EXECUTE",
            },
        },

        // Instances with GPUs usually have nvme instance store volumes, so we can mount them in RAID-0 for kubelet and containerd
        NodeadmExtraOptions = new[]
        {
            new Eks.Inputs.NodeadmOptionsArgs
            {
                ContentType = "application/node.eks.aws",
                Content = @"apiVersion: node.eks.aws/v1alpha1
kind: NodeConfig
spec:
  instance:
    localStorage:
      strategy: RAID0
",
            },
        },
    });

});

package main

import (
	"encoding/json"

	awseks "github.com/pulumi/pulumi-aws/sdk/v6/go/aws/eks"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi-awsx/sdk/v2/go/awsx/ec2"
	"github.com/pulumi/pulumi-eks/sdk/v3/go/eks"
	"github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes"
	helmv3 "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/helm/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		eksVpc, err := ec2.NewVpc(ctx, "eks-vpc", &ec2.VpcArgs{
			EnableDnsHostnames: pulumi.Bool(true),
			CidrBlock:          "10.0.0.0/16",
		})
		if err != nil {
			return err
		}
		eksCluster, err := eks.NewCluster(ctx, "eks-cluster", &eks.ClusterArgs{
			VpcId:                eksVpc.VpcId,
			AuthenticationMode:   eks.AuthenticationModeApi,
			PublicSubnetIds:      eksVpc.PublicSubnetIds,
			PrivateSubnetIds:     eksVpc.PrivateSubnetIds,
			SkipDefaultNodeGroup: true,
		})
		if err != nil {
			return err
		}
		k8SProvider, err := kubernetes.NewProvider(ctx, "k8sProvider", &kubernetes.ProviderArgs{
			Kubeconfig: eksCluster.Kubeconfig,
		})
		if err != nil {
			return err
		}
		tmpJSON0, err := json.Marshal(map[string]interface{}{
			"Version": "2012-10-17",
			"Statement": []map[string]interface{}{
				map[string]interface{}{
					"Action": "sts:AssumeRole",
					"Effect": "Allow",
					"Sid":    "",
					"Principal": map[string]interface{}{
						"Service": "ec2.amazonaws.com",
					},
				},
			},
		})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		nodeRole, err := iam.NewRole(ctx, "node-role", &iam.RoleArgs{
			AssumeRolePolicy: pulumi.String(json0),
		})
		if err != nil {
			return err
		}
		_, err = iam.NewRolePolicyAttachment(ctx, "worker-node-policy", &iam.RolePolicyAttachmentArgs{
			Role:      nodeRole.Name,
			PolicyArn: pulumi.String("arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"),
		})
		if err != nil {
			return err
		}
		_, err = iam.NewRolePolicyAttachment(ctx, "cni-policy", &iam.RolePolicyAttachmentArgs{
			Role:      nodeRole.Name,
			PolicyArn: pulumi.String("arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"),
		})
		if err != nil {
			return err
		}
		_, err = iam.NewRolePolicyAttachment(ctx, "registry-policy", &iam.RolePolicyAttachmentArgs{
			Role:      nodeRole.Name,
			PolicyArn: pulumi.String("arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"),
		})
		if err != nil {
			return err
		}

        // The node group for running system pods (e.g. coredns, etc.)
		_, err = eks.NewManagedNodeGroup(ctx, "system-node-group", &eks.ManagedNodeGroupArgs{
			Cluster:  eksCluster,
			NodeRole: nodeRole,
		})
		if err != nil {
			return err
		}

        // The EFA device plugin for exposing EFA interfaces as extended resources
		_, err = helmv3.NewRelease(ctx, "device-plugin", &helmv3.ReleaseArgs{
			Version: pulumi.String("0.5.7"),
			RepositoryOpts: &helmv3.RepositoryOptsArgs{
				Repo: pulumi.String("https://aws.github.io/eks-charts"),
			},
			Chart:     pulumi.String("aws-efa-k8s-device-plugin"),
			Namespace: pulumi.String("kube-system"),
			Atomic:    pulumi.Bool(true),
			Values: pulumi.Map{
				"tolerations": pulumi.Any{
					[]map[string]interface{}{
                        {
                            "key":      "efa-enabled",
                            "operator": "Exists",
                            "effect":   "NoExecute",
                        }
					},
				},
			},
		}, pulumi.Provider(k8SProvider))
		if err != nil {
			return err
		}

        // The node group for running EFA enabled workloads
		_, err = eks.NewManagedNodeGroup(ctx, "efa-node-group", &eks.ManagedNodeGroupArgs{
			Cluster:  eksCluster,
			NodeRole: nodeRole,
			InstanceTypes: pulumi.StringArray{
				pulumi.String("g6.8xlarge"),
			},
			Gpu: pulumi.Bool(true),
			ScalingConfig: &eks.NodeGroupScalingConfigArgs{
				MinSize:     pulumi.Int(2),
				DesiredSize: pulumi.Int(2),
				MaxSize:     pulumi.Int(4),
			},
			EnableEfaSupport:               true,
			PlacementGroupAvailabilityZone: pulumi.String("us-west-2b"),

            // Taint the nodes so that only pods with the efa-enabled label can be scheduled on them
			Taints: eks.NodeGroupTaintArray{
				&eks.NodeGroupTaintArgs{
					Key:    pulumi.String("efa-enabled"),
					Value:  pulumi.String("true"),
					Effect: pulumi.String("NO_EXECUTE"),
				},
			},

            // Instances with GPUs usually have nvme instance store volumes, so we can mount them in RAID-0 for kubelet and containerd
            // These are faster than the regular EBS volumes
			NodeadmExtraOptions: eks.NodeadmOptionsArray{
				&eks.NodeadmOptionsArgs{
					ContentType: pulumi.String("application/node.eks.aws"),
					Content: pulumi.String(`apiVersion: node.eks.aws/v1alpha1
kind: NodeConfig
spec:
  instance:
    localStorage:
      strategy: RAID0
`),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

Coming soon!

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";
import * as eks from "@pulumi/eks";
import * as kubernetes from "@pulumi/kubernetes";

const eksVpc = new awsx.ec2.Vpc("eks-vpc", {
    enableDnsHostnames: true,
    cidrBlock: "10.0.0.0/16",
});
const eksCluster = new eks.Cluster("eks-cluster", {
    vpcId: eksVpc.vpcId,
    authenticationMode: eks.AuthenticationMode.Api,
    publicSubnetIds: eksVpc.publicSubnetIds,
    privateSubnetIds: eksVpc.privateSubnetIds,
    skipDefaultNodeGroup: true,
});
const k8SProvider = new kubernetes.Provider("k8sProvider", {kubeconfig: eksCluster.kubeconfig});
const nodeRole = new aws.iam.Role("node-role", {assumeRolePolicy: JSON.stringify({
    Version: "2012-10-17",
    Statement: [{
        Action: "sts:AssumeRole",
        Effect: "Allow",
        Sid: "",
        Principal: {
            Service: "ec2.amazonaws.com",
        },
    }],
})});
const workerNodePolicy = new aws.iam.RolePolicyAttachment("worker-node-policy", {
    role: nodeRole.name,
    policyArn: "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
});
const cniPolicy = new aws.iam.RolePolicyAttachment("cni-policy", {
    role: nodeRole.name,
    policyArn: "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
});
const registryPolicy = new aws.iam.RolePolicyAttachment("registry-policy", {
    role: nodeRole.name,
    policyArn: "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
});

// The node group for running system pods (e.g. coredns, etc.)
const systemNodeGroup = new eks.ManagedNodeGroup("system-node-group", {
    cluster: eksCluster,
    nodeRole: nodeRole,
});

// The EFA device plugin for exposing EFA interfaces as extended resources
const devicePlugin = new kubernetes.helm.v3.Release("device-plugin", {
    version: "0.5.7",
    repositoryOpts: {
        repo: "https://aws.github.io/eks-charts",
    },
    chart: "aws-efa-k8s-device-plugin",
    namespace: "kube-system",
    atomic: true,
    values: {
        tolerations: [{
            key: "efa-enabled",
            operator: "Exists",
            effect: "NoExecute",
        }],
    },
}, {
    provider: k8SProvider,
});

// The node group for running EFA enabled workloads
const efaNodeGroup = new eks.ManagedNodeGroup("efa-node-group", {
    cluster: eksCluster,
    nodeRole: nodeRole,
    instanceTypes: ["g6.8xlarge"],
    gpu: true,
    scalingConfig: {
        minSize: 2,
        desiredSize: 2,
        maxSize: 4,
    },
    enableEfaSupport: true,
    placementGroupAvailabilityZone: "us-west-2b",

    // Taint the nodes so that only pods with the efa-enabled label can be scheduled on them
    taints: [{
        key: "efa-enabled",
        value: "true",
        effect: "NO_EXECUTE",
    }],

    // Instances with GPUs usually have nvme instance store volumes, so we can mount them in RAID-0 for kubelet and containerd
    // These are faster than the regular EBS volumes
    nodeadmExtraOptions: [{
        contentType: "application/node.eks.aws",
        content: `apiVersion: node.eks.aws/v1alpha1
kind: NodeConfig
spec:
  instance:
    localStorage:
      strategy: RAID0
`,
    }],
});

import pulumi
import json
import pulumi_aws as aws
import pulumi_awsx as awsx
import pulumi_eks as eks
import pulumi_kubernetes as kubernetes

eks_vpc = awsx.ec2.Vpc("eks-vpc",
    enable_dns_hostnames=True,
    cidr_block="10.0.0.0/16")
eks_cluster = eks.Cluster("eks-cluster",
    vpc_id=eks_vpc.vpc_id,
    authentication_mode=eks.AuthenticationMode.API,
    public_subnet_ids=eks_vpc.public_subnet_ids,
    private_subnet_ids=eks_vpc.private_subnet_ids,
    skip_default_node_group=True)
k8_s_provider = kubernetes.Provider("k8sProvider", kubeconfig=eks_cluster.kubeconfig)
node_role = aws.iam.Role("node-role", assume_role_policy=json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Sid": "",
        "Principal": {
            "Service": "ec2.amazonaws.com",
        },
    }],
}))
worker_node_policy = aws.iam.RolePolicyAttachment("worker-node-policy",
    role=node_role.name,
    policy_arn="arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy")
cni_policy = aws.iam.RolePolicyAttachment("cni-policy",
    role=node_role.name,
    policy_arn="arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy")
registry_policy = aws.iam.RolePolicyAttachment("registry-policy",
    role=node_role.name,
    policy_arn="arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly")

# The node group for running system pods (e.g. coredns, etc.)
system_node_group = eks.ManagedNodeGroup("system-node-group",
    cluster=eks_cluster,
    node_role=node_role)

# The EFA device plugin for exposing EFA interfaces as extended resources
device_plugin = kubernetes.helm.v3.Release("device-plugin",
    version="0.5.7",
    repository_opts={
        "repo": "https://aws.github.io/eks-charts",
    },
    chart="aws-efa-k8s-device-plugin",
    namespace="kube-system",
    atomic=True,
    values={
        "tolerations": [{
            "key": "efa-enabled",
            "operator": "Exists",
            "effect": "NoExecute",
        }],
    },
    opts = pulumi.ResourceOptions(provider=k8_s_provider))

# The node group for running EFA enabled workloads
efa_node_group = eks.ManagedNodeGroup("efa-node-group",
    cluster=eks_cluster,
    node_role=node_role,
    instance_types=["g6.8xlarge"],
    gpu=True,
    scaling_config={
        "min_size": 2,
        "desired_size": 2,
        "max_size": 4,
    },
    enable_efa_support=True,
    placement_group_availability_zone="us-west-2b",

    # Taint the nodes so that only pods with the efa-enabled label can be scheduled on them
    taints=[{
        "key": "efa-enabled",
        "value": "true",
        "effect": "NO_EXECUTE",
    }],

    # Instances with GPUs usually have nvme instance store volumes, so we can mount them in RAID-0 for kubelet and containerd
    # These are faster than the regular EBS volumes
    nodeadm_extra_options=[{
        "content_type": "application/node.eks.aws",
        "content": """apiVersion: node.eks.aws/v1alpha1
kind: NodeConfig
spec:
  instance:
    localStorage:
      strategy: RAID0
""",
    }])

name: eks-mng-docs
description: A Pulumi YAML program to deploy a Kubernetes cluster on AWS
runtime: yaml
resources:
  eks-vpc:
    type: awsx:ec2:Vpc
    properties:
      enableDnsHostnames: true
      cidrBlock: 10.0.0.0/16
  eks-cluster:
    type: eks:Cluster
    properties:
      vpcId: ${eks-vpc.vpcId}
      authenticationMode: API
      publicSubnetIds: ${eks-vpc.publicSubnetIds}
      privateSubnetIds: ${eks-vpc.privateSubnetIds}
      skipDefaultNodeGroup: true
  k8sProvider:
    type: pulumi:providers:kubernetes
    properties:
      kubeconfig: ${eks-cluster.kubeconfig}
  node-role:
    type: aws:iam:Role
    properties:
      assumeRolePolicy:
        fn::toJSON:
          Version: 2012-10-17
          Statement:
            - Action: sts:AssumeRole
              Effect: Allow
              Sid: ""
              Principal:
                Service: ec2.amazonaws.com
  worker-node-policy:
    type: aws:iam:RolePolicyAttachment
    properties:
      role: ${node-role.name}
      policyArn: "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
  cni-policy:
    type: aws:iam:RolePolicyAttachment
    properties:
      role: ${node-role.name}
      policyArn: "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
  registry-policy:
    type: aws:iam:RolePolicyAttachment
    properties:
      role: ${node-role.name}
      policyArn: "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
  
  # The node group for running system pods (e.g. coredns, etc.)
  system-node-group:
    type: eks:ManagedNodeGroup
    properties:
      cluster: ${eks-cluster}
      nodeRole: ${node-role}

  # EFA device plugin for exposing EFA interfaces as extended resources
  device-plugin:
    type: kubernetes:helm.sh/v3:Release
    properties:
      version: "0.5.7"
      repositoryOpts:
        repo: "https://aws.github.io/eks-charts"
      chart: "aws-efa-k8s-device-plugin"
      namespace: "kube-system"
      atomic: true
      values:
        tolerations:
          - key: "efa-enabled"
            operator: "Exists"
            effect: "NoExecute"
    options:
      provider: ${k8sProvider}

  # The node group for running EFA enabled workloads
  efa-node-group:
    type: eks:ManagedNodeGroup
    properties:
      cluster: ${eks-cluster}
      nodeRole: ${node-role}
      instanceTypes: ["g6.8xlarge"]
      gpu: true
      scalingConfig:
        minSize: 2
        desiredSize: 2
        maxSize: 4
      enableEfaSupport: true
      placementGroupAvailabilityZone: "us-west-2b"
      # Taint the nodes so that only pods with the efa-enabled label can be scheduled on them
      taints:
        - key: "efa-enabled"
          value: "true"
          effect: "NO_EXECUTE"
      # Instances with GPUs usually have nvme instance store volumes, so we can mount them in RAID-0 for kubelet and containerd
      # These are faster than the regular EBS volumes
      nodeadmExtraOptions:
        - contentType: "application/node.eks.aws"
          content: |
            apiVersion: node.eks.aws/v1alpha1
            kind: NodeConfig
            spec:
              instance:
                localStorage:
                  strategy: RAID0

Create ManagedNodeGroup Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new ManagedNodeGroup(name: string, args: ManagedNodeGroupArgs, opts?: ComponentResourceOptions);

@overload
def ManagedNodeGroup(resource_name: str,
                     args: ManagedNodeGroupArgs,
                     opts: Optional[ResourceOptions] = None)

@overload
def ManagedNodeGroup(resource_name: str,
                     opts: Optional[ResourceOptions] = None,
                     cluster: Optional[Union[Cluster, CoreDataArgs]] = None,
                     launch_template: Optional[pulumi_aws.eks.NodeGroupLaunchTemplateArgs] = None,
                     node_group_name: Optional[str] = None,
                     bottlerocket_settings: Optional[Mapping[str, Any]] = None,
                     capacity_type: Optional[str] = None,
                     ami_type: Optional[str] = None,
                     cluster_name: Optional[str] = None,
                     disk_size: Optional[int] = None,
                     enable_efa_support: Optional[bool] = None,
                     enable_imd_sv2: Optional[bool] = None,
                     force_update_version: Optional[bool] = None,
                     gpu: Optional[bool] = None,
                     ignore_scaling_changes: Optional[bool] = None,
                     instance_types: Optional[Sequence[str]] = None,
                     kubelet_extra_args: Optional[str] = None,
                     bootstrap_extra_args: Optional[str] = None,
                     labels: Optional[Mapping[str, str]] = None,
                     node_role: Optional[pulumi_aws.iam.Role] = None,
                     node_group_name_prefix: Optional[str] = None,
                     ami_id: Optional[str] = None,
                     node_role_arn: Optional[str] = None,
                     nodeadm_extra_options: Optional[Sequence[NodeadmOptionsArgs]] = None,
                     operating_system: Optional[OperatingSystem] = None,
                     placement_group_availability_zone: Optional[str] = None,
                     release_version: Optional[str] = None,
                     remote_access: Optional[pulumi_aws.eks.NodeGroupRemoteAccessArgs] = None,
                     scaling_config: Optional[pulumi_aws.eks.NodeGroupScalingConfigArgs] = None,
                     subnet_ids: Optional[Sequence[str]] = None,
                     tags: Optional[Mapping[str, str]] = None,
                     taints: Optional[Sequence[pulumi_aws.eks.NodeGroupTaintArgs]] = None,
                     user_data: Optional[str] = None,
                     version: Optional[str] = None)

func NewManagedNodeGroup(ctx *Context, name string, args ManagedNodeGroupArgs, opts ...ResourceOption) (*ManagedNodeGroup, error)

public ManagedNodeGroup(string name, ManagedNodeGroupArgs args, ComponentResourceOptions? opts = null)

public ManagedNodeGroup(String name, ManagedNodeGroupArgs args)
public ManagedNodeGroup(String name, ManagedNodeGroupArgs args, ComponentResourceOptions options)

type: eks:ManagedNodeGroup
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args ManagedNodeGroupArgs: The arguments to resource properties.
opts ComponentResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args ManagedNodeGroupArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args ManagedNodeGroupArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args ManagedNodeGroupArgs: The arguments to resource properties.
opts ComponentResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args ManagedNodeGroupArgs: The arguments to resource properties.
options ComponentResourceOptions: Bag of options to control resource's behavior.

ManagedNodeGroup Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The ManagedNodeGroup resource accepts the following input properties:

Cluster Pulumi.Eks.Cluster | CoreData

The target EKS cluster.

AmiId string

The AMI ID to use for the worker nodes. Defaults to the latest recommended EKS Optimized AMI from the AWS Systems Manager Parameter Store.

Note: amiId is mutually exclusive with gpu and amiType.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

AmiType string

Type of Amazon Machine Image (AMI) associated with the EKS Node Group. Defaults to AL2_x86_64. Note: amiType and amiId are mutually exclusive.

See the AWS documentation (https://docs.aws.amazon.com/eks/latest/APIReference/API_Nodegroup.html#AmazonEKS-Type-Nodegroup-amiType) for valid AMI Types. This provider will only perform drift detection if a configuration value is provided.

BootstrapExtraArgs string

Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.

Note that this field conflicts with launchTemplate.

BottlerocketSettings Dictionary<string, object>

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

settings.kubernetes.api-server
settings.kubernetes.cluster-certificate
settings.kubernetes.cluster-name
settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

CapacityType string

Type of capacity associated with the EKS Node Group. Valid values: ON_DEMAND, SPOT. This provider will only perform drift detection if a configuration value is provided.

ClusterName string

Name of the EKS Cluster.

DiskSize int

Disk size in GiB for worker nodes. Defaults to 20. This provider will only perform drift detection if a configuration value is provided.

EnableEfaSupport bool

Determines whether to enable Elastic Fabric Adapter (EFA) support for the node group. If multiple different instance types are configured for the node group, the first one will be used to determine the network interfaces to use. Requires placementGroupAvailabilityZone to be set.

EnableIMDSv2 bool

Enables the ability to use EC2 Instance Metadata Service v2, which provides a more secure way to access instance metadata. For more information, see: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html. Defaults to false.

Note that this field conflicts with launchTemplate. If you are providing a custom launchTemplate, you should enable this feature within the launchTemplateMetadataOptions of the supplied launchTemplate.

ForceUpdateVersion bool

Force version update if existing pods are unable to be drained due to a pod disruption budget issue.

Gpu bool

Use the latest recommended EKS Optimized AMI with GPU support for the worker nodes. Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-amis.html.

IgnoreScalingChanges bool

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

InstanceTypes List<string>

Set of instance types associated with the EKS Node Group. Defaults to ["t3.medium"]. This provider will only perform drift detection if a configuration value is provided. Currently, the EKS API only accepts a single value in the set.

KubeletExtraArgs string

Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubeletExtraArgs flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. To escape characters in the extra argsvalue, wrap the value in quotes. For example, kubeletExtraArgs = '--allowed-unsafe-sysctls "net.core.somaxconn"'. Note that this field conflicts with launchTemplate.

Labels Dictionary<string, string>

Key-value map of Kubernetes labels. Only labels that are applied with the EKS API are managed by this argument. Other Kubernetes labels applied to the EKS Node Group will not be managed.

LaunchTemplate Pulumi.Aws.Eks.Inputs.NodeGroupLaunchTemplate

Launch Template settings.

Note: This field is mutually exclusive with kubeletExtraArgs and bootstrapExtraArgs. This type is defined in the AWS Classic package.

NodeGroupName string

Name of the EKS Node Group. If omitted, this provider will assign a random, unique name. Conflicts with nodeGroupNamePrefix.

NodeGroupNamePrefix string

Creates a unique name beginning with the specified prefix. Conflicts with nodeGroupName.

NodeRole Pulumi.Aws.Iam.Role

The IAM Role that provides permissions for the EKS Node Group.

Note, nodeRole and nodeRoleArn are mutually exclusive, and a single option must be used. This type is defined in the AWS Classic package.

NodeRoleArn string

Amazon Resource Name (ARN) of the IAM Role that provides permissions for the EKS Node Group.

Note, nodeRoleArn and nodeRole are mutually exclusive, and a single option must be used.

NodeadmExtraOptions List<NodeadmOptions>

Extra nodeadm configuration sections to be added to the nodeadm user data. This can be shell scripts, nodeadm NodeConfig or any other user data compatible script. When configuring additional nodeadm NodeConfig sections, they'll be merged with the base settings the provider sets. You can overwrite base settings or provide additional settings this way. The base settings the provider sets are:

cluster.name
cluster.apiServerEndpoint
cluster.certificateAuthority
cluster.cidr

Note: This is only applicable when using AL2023. See for more details:

https://awslabs.github.io/amazon-eks-ami/nodeadm/
https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/

OperatingSystem Pulumi.Eks.OperatingSystem

The type of OS to use for the node group. Will be used to determine the right EKS optimized AMI to use based on the instance types and gpu configuration. Valid values are RECOMMENDED, AL2, AL2023 and Bottlerocket.

Defaults to the current recommended OS.

PlacementGroupAvailabilityZone string

The availability zone of the placement group for EFA support. Required if enableEfaSupport is true.

ReleaseVersion string

AMI version of the EKS Node Group. Defaults to latest version for Kubernetes version.

RemoteAccess Pulumi.Aws.Eks.Inputs.NodeGroupRemoteAccess

Remote access settings. This type is defined in the AWS Classic package.

ScalingConfig Pulumi.Aws.Eks.Inputs.NodeGroupScalingConfig

Scaling settings.

Default scaling amounts of the node group autoscaling group are:

desiredSize: 2
minSize: 1
maxSize: 2 This type is defined in the AWS Classic package.

SubnetIds List<string>

Identifiers of EC2 Subnets to associate with the EKS Node Group. These subnets must have the following resource tag: kubernetes.io/cluster/CLUSTER_NAME (where CLUSTER_NAME is replaced with the name of the EKS Cluster).

Default subnetIds is chosen from the following list, in order, if subnetIds arg is not set:

core.subnetIds
core.privateIds
core.publicSubnetIds

This default logic is based on the existing subnet IDs logic of this package: https://git.io/JeM11

Tags Dictionary<string, string>

Key-value mapping of resource tags.

Taints List<Pulumi.Aws.Eks.Inputs.NodeGroupTaint>

The Kubernetes taints to be applied to the nodes in the node group. Maximum of 50 taints per node group.

UserData string

User specified code to run on node startup. This is expected to handle the full AWS EKS node bootstrapping. If omitted, the provider will configure the user data.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-user-data.

Version string

Cluster Cluster | CoreDataArgs

The target EKS cluster.

AmiId string

The AMI ID to use for the worker nodes. Defaults to the latest recommended EKS Optimized AMI from the AWS Systems Manager Parameter Store.

Note: amiId is mutually exclusive with gpu and amiType.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

AmiType string

Type of Amazon Machine Image (AMI) associated with the EKS Node Group. Defaults to AL2_x86_64. Note: amiType and amiId are mutually exclusive.

BootstrapExtraArgs string

Note that this field conflicts with launchTemplate.

BottlerocketSettings map[string]interface{}

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

settings.kubernetes.api-server
settings.kubernetes.cluster-certificate
settings.kubernetes.cluster-name
settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

CapacityType string

Type of capacity associated with the EKS Node Group. Valid values: ON_DEMAND, SPOT. This provider will only perform drift detection if a configuration value is provided.

ClusterName string

Name of the EKS Cluster.

DiskSize int

Disk size in GiB for worker nodes. Defaults to 20. This provider will only perform drift detection if a configuration value is provided.

EnableEfaSupport bool

EnableIMDSv2 bool

ForceUpdateVersion bool

Force version update if existing pods are unable to be drained due to a pod disruption budget issue.

Gpu bool

Use the latest recommended EKS Optimized AMI with GPU support for the worker nodes. Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-amis.html.

IgnoreScalingChanges bool

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

InstanceTypes []string

KubeletExtraArgs string

Labels map[string]string

Key-value map of Kubernetes labels. Only labels that are applied with the EKS API are managed by this argument. Other Kubernetes labels applied to the EKS Node Group will not be managed.

LaunchTemplate NodeGroupLaunchTemplateArgs

Launch Template settings.

Note: This field is mutually exclusive with kubeletExtraArgs and bootstrapExtraArgs. This type is defined in the AWS Classic package.

NodeGroupName string

Name of the EKS Node Group. If omitted, this provider will assign a random, unique name. Conflicts with nodeGroupNamePrefix.

NodeGroupNamePrefix string

Creates a unique name beginning with the specified prefix. Conflicts with nodeGroupName.

NodeRole Role

The IAM Role that provides permissions for the EKS Node Group.

Note, nodeRole and nodeRoleArn are mutually exclusive, and a single option must be used. This type is defined in the AWS Classic package.

NodeRoleArn string

Amazon Resource Name (ARN) of the IAM Role that provides permissions for the EKS Node Group.

Note, nodeRoleArn and nodeRole are mutually exclusive, and a single option must be used.

NodeadmExtraOptions []NodeadmOptionsArgs

cluster.name
cluster.apiServerEndpoint
cluster.certificateAuthority
cluster.cidr

Note: This is only applicable when using AL2023. See for more details:

https://awslabs.github.io/amazon-eks-ami/nodeadm/
https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/

OperatingSystem OperatingSystem

Defaults to the current recommended OS.

PlacementGroupAvailabilityZone string

The availability zone of the placement group for EFA support. Required if enableEfaSupport is true.

ReleaseVersion string

AMI version of the EKS Node Group. Defaults to latest version for Kubernetes version.

RemoteAccess NodeGroupRemoteAccessArgs

Remote access settings. This type is defined in the AWS Classic package.

ScalingConfig NodeGroupScalingConfigArgs

Scaling settings.

Default scaling amounts of the node group autoscaling group are:

desiredSize: 2
minSize: 1
maxSize: 2 This type is defined in the AWS Classic package.

SubnetIds []string

Default subnetIds is chosen from the following list, in order, if subnetIds arg is not set:

core.subnetIds
core.privateIds
core.publicSubnetIds

This default logic is based on the existing subnet IDs logic of this package: https://git.io/JeM11

Tags map[string]string

Key-value mapping of resource tags.

Taints NodeGroupTaintArgs

The Kubernetes taints to be applied to the nodes in the node group. Maximum of 50 taints per node group.

UserData string

User specified code to run on node startup. This is expected to handle the full AWS EKS node bootstrapping. If omitted, the provider will configure the user data.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-user-data.

Version string

cluster Cluster | CoreData

The target EKS cluster.

amiId String

The AMI ID to use for the worker nodes. Defaults to the latest recommended EKS Optimized AMI from the AWS Systems Manager Parameter Store.

Note: amiId is mutually exclusive with gpu and amiType.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

amiType String

Type of Amazon Machine Image (AMI) associated with the EKS Node Group. Defaults to AL2_x86_64. Note: amiType and amiId are mutually exclusive.

bootstrapExtraArgs String

Note that this field conflicts with launchTemplate.

bottlerocketSettings Map<String,Object>

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

settings.kubernetes.api-server
settings.kubernetes.cluster-certificate
settings.kubernetes.cluster-name
settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

capacityType String

Type of capacity associated with the EKS Node Group. Valid values: ON_DEMAND, SPOT. This provider will only perform drift detection if a configuration value is provided.

clusterName String

Name of the EKS Cluster.

diskSize Integer

Disk size in GiB for worker nodes. Defaults to 20. This provider will only perform drift detection if a configuration value is provided.

enableEfaSupport Boolean

enableIMDSv2 Boolean

forceUpdateVersion Boolean

Force version update if existing pods are unable to be drained due to a pod disruption budget issue.

gpu Boolean

Use the latest recommended EKS Optimized AMI with GPU support for the worker nodes. Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-amis.html.

ignoreScalingChanges Boolean

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

instanceTypes List<String>

kubeletExtraArgs String

labels Map<String,String>

Key-value map of Kubernetes labels. Only labels that are applied with the EKS API are managed by this argument. Other Kubernetes labels applied to the EKS Node Group will not be managed.

launchTemplate NodeGroupLaunchTemplate

Launch Template settings.

Note: This field is mutually exclusive with kubeletExtraArgs and bootstrapExtraArgs. This type is defined in the AWS Classic package.

nodeGroupName String

Name of the EKS Node Group. If omitted, this provider will assign a random, unique name. Conflicts with nodeGroupNamePrefix.

nodeGroupNamePrefix String

Creates a unique name beginning with the specified prefix. Conflicts with nodeGroupName.

nodeRole Role

The IAM Role that provides permissions for the EKS Node Group.

Note, nodeRole and nodeRoleArn are mutually exclusive, and a single option must be used. This type is defined in the AWS Classic package.

nodeRoleArn String

Amazon Resource Name (ARN) of the IAM Role that provides permissions for the EKS Node Group.

Note, nodeRoleArn and nodeRole are mutually exclusive, and a single option must be used.

nodeadmExtraOptions List<NodeadmOptions>

cluster.name
cluster.apiServerEndpoint
cluster.certificateAuthority
cluster.cidr

Note: This is only applicable when using AL2023. See for more details:

https://awslabs.github.io/amazon-eks-ami/nodeadm/
https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/

operatingSystem OperatingSystem

Defaults to the current recommended OS.

placementGroupAvailabilityZone String

The availability zone of the placement group for EFA support. Required if enableEfaSupport is true.

releaseVersion String

AMI version of the EKS Node Group. Defaults to latest version for Kubernetes version.

remoteAccess NodeGroupRemoteAccess

Remote access settings. This type is defined in the AWS Classic package.

scalingConfig NodeGroupScalingConfig

Scaling settings.

Default scaling amounts of the node group autoscaling group are:

desiredSize: 2
minSize: 1
maxSize: 2 This type is defined in the AWS Classic package.

subnetIds List<String>

Default subnetIds is chosen from the following list, in order, if subnetIds arg is not set:

core.subnetIds
core.privateIds
core.publicSubnetIds

This default logic is based on the existing subnet IDs logic of this package: https://git.io/JeM11

tags Map<String,String>

Key-value mapping of resource tags.

taints List<NodeGroupTaint>

The Kubernetes taints to be applied to the nodes in the node group. Maximum of 50 taints per node group.

userData String

User specified code to run on node startup. This is expected to handle the full AWS EKS node bootstrapping. If omitted, the provider will configure the user data.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-user-data.

version String

cluster Cluster | CoreData

The target EKS cluster.

amiId string

The AMI ID to use for the worker nodes. Defaults to the latest recommended EKS Optimized AMI from the AWS Systems Manager Parameter Store.

Note: amiId is mutually exclusive with gpu and amiType.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

amiType string

Type of Amazon Machine Image (AMI) associated with the EKS Node Group. Defaults to AL2_x86_64. Note: amiType and amiId are mutually exclusive.

bootstrapExtraArgs string

Note that this field conflicts with launchTemplate.

bottlerocketSettings {[key: string]: any}

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

settings.kubernetes.api-server
settings.kubernetes.cluster-certificate
settings.kubernetes.cluster-name
settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

capacityType string

Type of capacity associated with the EKS Node Group. Valid values: ON_DEMAND, SPOT. This provider will only perform drift detection if a configuration value is provided.

clusterName string

Name of the EKS Cluster.

diskSize number

Disk size in GiB for worker nodes. Defaults to 20. This provider will only perform drift detection if a configuration value is provided.

enableEfaSupport boolean

enableIMDSv2 boolean

forceUpdateVersion boolean

Force version update if existing pods are unable to be drained due to a pod disruption budget issue.

gpu boolean

Use the latest recommended EKS Optimized AMI with GPU support for the worker nodes. Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-amis.html.

ignoreScalingChanges boolean

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

instanceTypes string[]

kubeletExtraArgs string

labels {[key: string]: string}

Key-value map of Kubernetes labels. Only labels that are applied with the EKS API are managed by this argument. Other Kubernetes labels applied to the EKS Node Group will not be managed.

launchTemplate pulumiAwstypesinputeksNodeGroupLaunchTemplate

Launch Template settings.

Note: This field is mutually exclusive with kubeletExtraArgs and bootstrapExtraArgs. This type is defined in the AWS Classic package.

nodeGroupName string

Name of the EKS Node Group. If omitted, this provider will assign a random, unique name. Conflicts with nodeGroupNamePrefix.

nodeGroupNamePrefix string

Creates a unique name beginning with the specified prefix. Conflicts with nodeGroupName.

nodeRole pulumiAwsiamRole

The IAM Role that provides permissions for the EKS Node Group.

Note, nodeRole and nodeRoleArn are mutually exclusive, and a single option must be used. This type is defined in the AWS Classic package.

nodeRoleArn string

Amazon Resource Name (ARN) of the IAM Role that provides permissions for the EKS Node Group.

Note, nodeRoleArn and nodeRole are mutually exclusive, and a single option must be used.

nodeadmExtraOptions NodeadmOptions[]

cluster.name
cluster.apiServerEndpoint
cluster.certificateAuthority
cluster.cidr

Note: This is only applicable when using AL2023. See for more details:

https://awslabs.github.io/amazon-eks-ami/nodeadm/
https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/

operatingSystem OperatingSystem

Defaults to the current recommended OS.

placementGroupAvailabilityZone string

The availability zone of the placement group for EFA support. Required if enableEfaSupport is true.

releaseVersion string

AMI version of the EKS Node Group. Defaults to latest version for Kubernetes version.

remoteAccess pulumiAwstypesinputeksNodeGroupRemoteAccess

Remote access settings. This type is defined in the AWS Classic package.

scalingConfig pulumiAwstypesinputeksNodeGroupScalingConfig

Scaling settings.

Default scaling amounts of the node group autoscaling group are:

desiredSize: 2
minSize: 1
maxSize: 2 This type is defined in the AWS Classic package.

subnetIds string[]

Default subnetIds is chosen from the following list, in order, if subnetIds arg is not set:

core.subnetIds
core.privateIds
core.publicSubnetIds

This default logic is based on the existing subnet IDs logic of this package: https://git.io/JeM11

tags {[key: string]: string}

Key-value mapping of resource tags.

taints pulumiAwstypesinputeksNodeGroupTaint[]

The Kubernetes taints to be applied to the nodes in the node group. Maximum of 50 taints per node group.

userData string

User specified code to run on node startup. This is expected to handle the full AWS EKS node bootstrapping. If omitted, the provider will configure the user data.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-user-data.

version string

cluster Cluster | CoreDataArgs

The target EKS cluster.

ami_id str

The AMI ID to use for the worker nodes. Defaults to the latest recommended EKS Optimized AMI from the AWS Systems Manager Parameter Store.

Note: amiId is mutually exclusive with gpu and amiType.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

ami_type str

Type of Amazon Machine Image (AMI) associated with the EKS Node Group. Defaults to AL2_x86_64. Note: amiType and amiId are mutually exclusive.

bootstrap_extra_args str

Note that this field conflicts with launchTemplate.

bottlerocket_settings Mapping[str, Any]

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

settings.kubernetes.api-server
settings.kubernetes.cluster-certificate
settings.kubernetes.cluster-name
settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

capacity_type str

Type of capacity associated with the EKS Node Group. Valid values: ON_DEMAND, SPOT. This provider will only perform drift detection if a configuration value is provided.

cluster_name str

Name of the EKS Cluster.

disk_size int

Disk size in GiB for worker nodes. Defaults to 20. This provider will only perform drift detection if a configuration value is provided.

enable_efa_support bool

enable_imd_sv2 bool

force_update_version bool

Force version update if existing pods are unable to be drained due to a pod disruption budget issue.

gpu bool

Use the latest recommended EKS Optimized AMI with GPU support for the worker nodes. Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-amis.html.

ignore_scaling_changes bool

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

instance_types Sequence[str]

kubelet_extra_args str

labels Mapping[str, str]

Key-value map of Kubernetes labels. Only labels that are applied with the EKS API are managed by this argument. Other Kubernetes labels applied to the EKS Node Group will not be managed.

launch_template pulumi_aws.eks.NodeGroupLaunchTemplateArgs

Launch Template settings.

Note: This field is mutually exclusive with kubeletExtraArgs and bootstrapExtraArgs. This type is defined in the AWS Classic package.

node_group_name str

Name of the EKS Node Group. If omitted, this provider will assign a random, unique name. Conflicts with nodeGroupNamePrefix.

node_group_name_prefix str

Creates a unique name beginning with the specified prefix. Conflicts with nodeGroupName.

node_role pulumi_aws.iam.Role

The IAM Role that provides permissions for the EKS Node Group.

Note, nodeRole and nodeRoleArn are mutually exclusive, and a single option must be used. This type is defined in the AWS Classic package.

node_role_arn str

Amazon Resource Name (ARN) of the IAM Role that provides permissions for the EKS Node Group.

Note, nodeRoleArn and nodeRole are mutually exclusive, and a single option must be used.

nodeadm_extra_options Sequence[NodeadmOptionsArgs]

cluster.name
cluster.apiServerEndpoint
cluster.certificateAuthority
cluster.cidr

Note: This is only applicable when using AL2023. See for more details:

https://awslabs.github.io/amazon-eks-ami/nodeadm/
https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/

operating_system OperatingSystem

Defaults to the current recommended OS.

placement_group_availability_zone str

The availability zone of the placement group for EFA support. Required if enableEfaSupport is true.

release_version str

AMI version of the EKS Node Group. Defaults to latest version for Kubernetes version.

remote_access pulumi_aws.eks.NodeGroupRemoteAccessArgs

Remote access settings. This type is defined in the AWS Classic package.

scaling_config pulumi_aws.eks.NodeGroupScalingConfigArgs

Scaling settings.

Default scaling amounts of the node group autoscaling group are:

desiredSize: 2
minSize: 1
maxSize: 2 This type is defined in the AWS Classic package.

subnet_ids Sequence[str]

Default subnetIds is chosen from the following list, in order, if subnetIds arg is not set:

core.subnetIds
core.privateIds
core.publicSubnetIds

This default logic is based on the existing subnet IDs logic of this package: https://git.io/JeM11

tags Mapping[str, str]

Key-value mapping of resource tags.

taints Sequence[pulumi_aws.eks.NodeGroupTaintArgs]

The Kubernetes taints to be applied to the nodes in the node group. Maximum of 50 taints per node group.

user_data str

User specified code to run on node startup. This is expected to handle the full AWS EKS node bootstrapping. If omitted, the provider will configure the user data.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-user-data.

version str

cluster eks:Cluster | Property Map

The target EKS cluster.

amiId String

The AMI ID to use for the worker nodes. Defaults to the latest recommended EKS Optimized AMI from the AWS Systems Manager Parameter Store.

Note: amiId is mutually exclusive with gpu and amiType.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

amiType String

Type of Amazon Machine Image (AMI) associated with the EKS Node Group. Defaults to AL2_x86_64. Note: amiType and amiId are mutually exclusive.

bootstrapExtraArgs String

Note that this field conflicts with launchTemplate.

bottlerocketSettings Map<Any>

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

settings.kubernetes.api-server
settings.kubernetes.cluster-certificate
settings.kubernetes.cluster-name
settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

capacityType String

Type of capacity associated with the EKS Node Group. Valid values: ON_DEMAND, SPOT. This provider will only perform drift detection if a configuration value is provided.

clusterName String

Name of the EKS Cluster.

diskSize Number

Disk size in GiB for worker nodes. Defaults to 20. This provider will only perform drift detection if a configuration value is provided.

enableEfaSupport Boolean

enableIMDSv2 Boolean

forceUpdateVersion Boolean

Force version update if existing pods are unable to be drained due to a pod disruption budget issue.

gpu Boolean

Use the latest recommended EKS Optimized AMI with GPU support for the worker nodes. Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-amis.html.

ignoreScalingChanges Boolean

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

instanceTypes List<String>

kubeletExtraArgs String

labels Map<String>

Key-value map of Kubernetes labels. Only labels that are applied with the EKS API are managed by this argument. Other Kubernetes labels applied to the EKS Node Group will not be managed.

launchTemplate Property Map

Launch Template settings.

Note: This field is mutually exclusive with kubeletExtraArgs and bootstrapExtraArgs. This type is defined in the AWS Classic package.

nodeGroupName String

Name of the EKS Node Group. If omitted, this provider will assign a random, unique name. Conflicts with nodeGroupNamePrefix.

nodeGroupNamePrefix String

Creates a unique name beginning with the specified prefix. Conflicts with nodeGroupName.

nodeRole aws:iam:Role

The IAM Role that provides permissions for the EKS Node Group.

Note, nodeRole and nodeRoleArn are mutually exclusive, and a single option must be used. This type is defined in the AWS Classic package.

nodeRoleArn String

Amazon Resource Name (ARN) of the IAM Role that provides permissions for the EKS Node Group.

Note, nodeRoleArn and nodeRole are mutually exclusive, and a single option must be used.

nodeadmExtraOptions List<Property Map>

cluster.name
cluster.apiServerEndpoint
cluster.certificateAuthority
cluster.cidr

Note: This is only applicable when using AL2023. See for more details:

https://awslabs.github.io/amazon-eks-ami/nodeadm/
https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/

operatingSystem "AL2" | "AL2023" | "Bottlerocket" | "AL2023"

Defaults to the current recommended OS.

placementGroupAvailabilityZone String

The availability zone of the placement group for EFA support. Required if enableEfaSupport is true.

releaseVersion String

AMI version of the EKS Node Group. Defaults to latest version for Kubernetes version.

remoteAccess Property Map

Remote access settings. This type is defined in the AWS Classic package.

scalingConfig Property Map

Scaling settings.

Default scaling amounts of the node group autoscaling group are:

desiredSize: 2
minSize: 1
maxSize: 2 This type is defined in the AWS Classic package.

subnetIds List<String>

Default subnetIds is chosen from the following list, in order, if subnetIds arg is not set:

core.subnetIds
core.privateIds
core.publicSubnetIds

This default logic is based on the existing subnet IDs logic of this package: https://git.io/JeM11

tags Map<String>

Key-value mapping of resource tags.

taints List<Property Map>

The Kubernetes taints to be applied to the nodes in the node group. Maximum of 50 taints per node group.

userData String

User specified code to run on node startup. This is expected to handle the full AWS EKS node bootstrapping. If omitted, the provider will configure the user data.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-user-data.

version String

Outputs

All input properties are implicitly available as output properties. Additionally, the ManagedNodeGroup resource produces the following output properties:

NodeGroup Pulumi.Aws.Eks.NodeGroup: The AWS managed node group. This type is defined in the AWS Classic package.
PlacementGroupName string: The name of the placement group created for the managed node group.

NodeGroup NodeGroup: The AWS managed node group. This type is defined in the AWS Classic package.
PlacementGroupName string: The name of the placement group created for the managed node group.

nodeGroup NodeGroup: The AWS managed node group. This type is defined in the AWS Classic package.
placementGroupName String: The name of the placement group created for the managed node group.

nodeGroup pulumiAwseksNodeGroup: The AWS managed node group. This type is defined in the AWS Classic package.
placementGroupName string: The name of the placement group created for the managed node group.

node_group pulumi_aws.eks.NodeGroup: The AWS managed node group. This type is defined in the AWS Classic package.
placement_group_name str: The name of the placement group created for the managed node group.

nodeGroup aws:eks:NodeGroup: The AWS managed node group. This type is defined in the AWS Classic package.
placementGroupName String: The name of the placement group created for the managed node group.

Supporting Types

AccessEntry, AccessEntryArgs

PrincipalArn string: The IAM Principal ARN which requires Authentication access to the EKS cluster.
AccessPolicies Dictionary<string, AccessPolicyAssociation>: The access policies to associate to the access entry.
KubernetesGroups List<string>: A list of groups within Kubernetes to which the IAM principal is mapped to.
Tags Dictionary<string, string>: The tags to apply to the AccessEntry.
Type Pulumi.Eks.AccessEntryType: The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX, EC2_LINUX, and EC2_WINDOWS. Defaults to STANDARD which provides the standard workflow. EC2_LINUX, EC2_WINDOWS, FARGATE_LINUX types disallow users to input a username or kubernetesGroup, and prevent associating access policies.
Username string: Defaults to the principalArn if the principal is a user, else defaults to assume-role/session-name.

PrincipalArn string: The IAM Principal ARN which requires Authentication access to the EKS cluster.
AccessPolicies map[string]AccessPolicyAssociation: The access policies to associate to the access entry.
KubernetesGroups []string: A list of groups within Kubernetes to which the IAM principal is mapped to.
Tags map[string]string: The tags to apply to the AccessEntry.
Type AccessEntryType: The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX, EC2_LINUX, and EC2_WINDOWS. Defaults to STANDARD which provides the standard workflow. EC2_LINUX, EC2_WINDOWS, FARGATE_LINUX types disallow users to input a username or kubernetesGroup, and prevent associating access policies.
Username string: Defaults to the principalArn if the principal is a user, else defaults to assume-role/session-name.

principalArn String: The IAM Principal ARN which requires Authentication access to the EKS cluster.
accessPolicies Map<String,AccessPolicyAssociation>: The access policies to associate to the access entry.
kubernetesGroups List<String>: A list of groups within Kubernetes to which the IAM principal is mapped to.
tags Map<String,String>: The tags to apply to the AccessEntry.
type AccessEntryType: The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX, EC2_LINUX, and EC2_WINDOWS. Defaults to STANDARD which provides the standard workflow. EC2_LINUX, EC2_WINDOWS, FARGATE_LINUX types disallow users to input a username or kubernetesGroup, and prevent associating access policies.
username String: Defaults to the principalArn if the principal is a user, else defaults to assume-role/session-name.

principalArn string: The IAM Principal ARN which requires Authentication access to the EKS cluster.
accessPolicies {[key: string]: AccessPolicyAssociation}: The access policies to associate to the access entry.
kubernetesGroups string[]: A list of groups within Kubernetes to which the IAM principal is mapped to.
tags {[key: string]: string}: The tags to apply to the AccessEntry.
type AccessEntryType: The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX, EC2_LINUX, and EC2_WINDOWS. Defaults to STANDARD which provides the standard workflow. EC2_LINUX, EC2_WINDOWS, FARGATE_LINUX types disallow users to input a username or kubernetesGroup, and prevent associating access policies.
username string: Defaults to the principalArn if the principal is a user, else defaults to assume-role/session-name.

principal_arn str: The IAM Principal ARN which requires Authentication access to the EKS cluster.
access_policies Mapping[str, AccessPolicyAssociation]: The access policies to associate to the access entry.
kubernetes_groups Sequence[str]: A list of groups within Kubernetes to which the IAM principal is mapped to.
tags Mapping[str, str]: The tags to apply to the AccessEntry.
type AccessEntryType: The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX, EC2_LINUX, and EC2_WINDOWS. Defaults to STANDARD which provides the standard workflow. EC2_LINUX, EC2_WINDOWS, FARGATE_LINUX types disallow users to input a username or kubernetesGroup, and prevent associating access policies.
username str: Defaults to the principalArn if the principal is a user, else defaults to assume-role/session-name.

principalArn String: The IAM Principal ARN which requires Authentication access to the EKS cluster.
accessPolicies Map<Property Map>: The access policies to associate to the access entry.
kubernetesGroups List<String>: A list of groups within Kubernetes to which the IAM principal is mapped to.
tags Map<String>: The tags to apply to the AccessEntry.
type "STANDARD" | "FARGATE_LINUX" | "EC2_LINUX" | "EC2_WINDOWS" | "EC2": The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX, EC2_LINUX, and EC2_WINDOWS. Defaults to STANDARD which provides the standard workflow. EC2_LINUX, EC2_WINDOWS, FARGATE_LINUX types disallow users to input a username or kubernetesGroup, and prevent associating access policies.
username String: Defaults to the principalArn if the principal is a user, else defaults to assume-role/session-name.

AccessEntryType, AccessEntryTypeArgs

Standard: STANDARDStandard Access Entry Workflow. Allows users to input a username and kubernetesGroup, and to associate access policies.
FargateLinux: FARGATE_LINUXFor IAM roles used with AWS Fargate profiles.
EC2Linux: EC2_LINUXFor IAM roles associated with self-managed Linux node groups. Allows the nodes to join the cluster.
EC2Windows: EC2_WINDOWSFor IAM roles associated with self-managed Windows node groups. Allows the nodes to join the cluster.
EC2: EC2For IAM roles associated with EC2 instances that need access policies. Allows the nodes to join the cluster.

AccessEntryTypeStandard: STANDARDStandard Access Entry Workflow. Allows users to input a username and kubernetesGroup, and to associate access policies.
AccessEntryTypeFargateLinux: FARGATE_LINUXFor IAM roles used with AWS Fargate profiles.
AccessEntryTypeEC2Linux: EC2_LINUXFor IAM roles associated with self-managed Linux node groups. Allows the nodes to join the cluster.
AccessEntryTypeEC2Windows: EC2_WINDOWSFor IAM roles associated with self-managed Windows node groups. Allows the nodes to join the cluster.
AccessEntryTypeEC2: EC2For IAM roles associated with EC2 instances that need access policies. Allows the nodes to join the cluster.

Standard: STANDARDStandard Access Entry Workflow. Allows users to input a username and kubernetesGroup, and to associate access policies.
FargateLinux: FARGATE_LINUXFor IAM roles used with AWS Fargate profiles.
EC2Linux: EC2_LINUXFor IAM roles associated with self-managed Linux node groups. Allows the nodes to join the cluster.
EC2Windows: EC2_WINDOWSFor IAM roles associated with self-managed Windows node groups. Allows the nodes to join the cluster.
EC2: EC2For IAM roles associated with EC2 instances that need access policies. Allows the nodes to join the cluster.

Standard: STANDARDStandard Access Entry Workflow. Allows users to input a username and kubernetesGroup, and to associate access policies.
FargateLinux: FARGATE_LINUXFor IAM roles used with AWS Fargate profiles.
EC2Linux: EC2_LINUXFor IAM roles associated with self-managed Linux node groups. Allows the nodes to join the cluster.
EC2Windows: EC2_WINDOWSFor IAM roles associated with self-managed Windows node groups. Allows the nodes to join the cluster.
EC2: EC2For IAM roles associated with EC2 instances that need access policies. Allows the nodes to join the cluster.

STANDARD: STANDARDStandard Access Entry Workflow. Allows users to input a username and kubernetesGroup, and to associate access policies.
FARGATE_LINUX: FARGATE_LINUXFor IAM roles used with AWS Fargate profiles.
EC2_LINUX: EC2_LINUXFor IAM roles associated with self-managed Linux node groups. Allows the nodes to join the cluster.
EC2_WINDOWS: EC2_WINDOWSFor IAM roles associated with self-managed Windows node groups. Allows the nodes to join the cluster.
EC2: EC2For IAM roles associated with EC2 instances that need access policies. Allows the nodes to join the cluster.

"STANDARD": STANDARDStandard Access Entry Workflow. Allows users to input a username and kubernetesGroup, and to associate access policies.
"FARGATE_LINUX": FARGATE_LINUXFor IAM roles used with AWS Fargate profiles.
"EC2_LINUX": EC2_LINUXFor IAM roles associated with self-managed Linux node groups. Allows the nodes to join the cluster.
"EC2_WINDOWS": EC2_WINDOWSFor IAM roles associated with self-managed Windows node groups. Allows the nodes to join the cluster.
"EC2": EC2For IAM roles associated with EC2 instances that need access policies. Allows the nodes to join the cluster.

AccessPolicyAssociation, AccessPolicyAssociationArgs

AccessScope Pulumi.Aws.Eks.Inputs.AccessPolicyAssociationAccessScope: The scope of the access policy association. This controls whether the access policy is scoped to the cluster or to a particular namespace. This type is defined in the AWS Classic package.
PolicyArn string: The ARN of the access policy to associate with the principal

AccessScope AccessPolicyAssociationAccessScope: The scope of the access policy association. This controls whether the access policy is scoped to the cluster or to a particular namespace. This type is defined in the AWS Classic package.
PolicyArn string: The ARN of the access policy to associate with the principal

accessScope AccessPolicyAssociationAccessScope: The scope of the access policy association. This controls whether the access policy is scoped to the cluster or to a particular namespace. This type is defined in the AWS Classic package.
policyArn String: The ARN of the access policy to associate with the principal

accessScope pulumiAwstypesinputeksAccessPolicyAssociationAccessScope: The scope of the access policy association. This controls whether the access policy is scoped to the cluster or to a particular namespace. This type is defined in the AWS Classic package.
policyArn string: The ARN of the access policy to associate with the principal

access_scope pulumi_aws.eks.AccessPolicyAssociationAccessScopeArgs: The scope of the access policy association. This controls whether the access policy is scoped to the cluster or to a particular namespace. This type is defined in the AWS Classic package.
policy_arn str: The ARN of the access policy to associate with the principal

accessScope Property Map: The scope of the access policy association. This controls whether the access policy is scoped to the cluster or to a particular namespace. This type is defined in the AWS Classic package.
policyArn String: The ARN of the access policy to associate with the principal

ClusterNodeGroupOptions, ClusterNodeGroupOptionsArgs

AmiId string

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

AmiType string

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

AutoScalingGroupTags Dictionary<string, string>

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

BootstrapExtraArgs string

BottlerocketSettings Dictionary<string, object>

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

settings.kubernetes.api-server
settings.kubernetes.cluster-certificate
settings.kubernetes.cluster-name
settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

CloudFormationTags Dictionary<string, string>

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

ClusterIngressRule Pulumi.Aws.Ec2.SecurityGroupRule

The ingress rule that gives node group access. This type is defined in the AWS Classic package.

ClusterIngressRuleId string

The ID of the ingress rule that gives node group access.

DesiredCapacity int

The number of worker nodes that should be running in the cluster. Defaults to 2.

EnableDetailedMonitoring bool

Enables/disables detailed monitoring of the EC2 instances.

With detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals. When enabled, you can also get aggregated data across groups of similar instances.

Note: You are charged per metric that is sent to CloudWatch. You are not charged for data storage. For more information, see "Paid tier" and "Example 1 - EC2 Detailed Monitoring" here https://aws.amazon.com/cloudwatch/pricing/.

EncryptRootBlockDevice bool

Encrypt the root block device of the nodes in the node group.

ExtraNodeSecurityGroups List<Pulumi.Aws.Ec2.SecurityGroup>

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

Gpu bool

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html

IgnoreScalingChanges bool

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

InstanceProfile Pulumi.Aws.Iam.InstanceProfile

The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive. This type is defined in the AWS Classic package.

InstanceProfileName string

The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive.

InstanceType string

The instance type to use for the cluster's nodes. Defaults to "t3.medium".

KeyName string

Name of the key pair to use for SSH access to worker nodes.

KubeletExtraArgs string

Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubeletExtraArgs flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after to the explicit kubeletExtraArgs.

Labels Dictionary<string, string>

Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.

LaunchTemplateTagSpecifications List<Pulumi.Aws.Ec2.Inputs.LaunchTemplateTagSpecification>

The tag specifications to apply to the launch template.

MaxSize int

The maximum number of worker nodes running in the cluster. Defaults to 2.

MinRefreshPercentage int

The minimum amount of instances that should remain available during an instance refresh, expressed as a percentage. Defaults to 50.

MinSize int

The minimum number of worker nodes running in the cluster. Defaults to 1.

NodeAssociatePublicIpAddress bool

Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.

NodePublicKey string

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

NodeRootVolumeDeleteOnTermination bool

Whether the root block device should be deleted on termination of the instance. Defaults to true.

NodeRootVolumeEncrypted bool

Whether to encrypt a cluster node's root volume. Defaults to false.

NodeRootVolumeIops int

The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'.

NodeRootVolumeSize int

The size in GiB of a cluster node's root volume. Defaults to 20.

NodeRootVolumeThroughput int

Provisioned throughput performance in integer MiB/s for a cluster node's root volume. This is only valid with a volumeType of 'gp3'.

NodeRootVolumeType string

Configured EBS type for a cluster node's root volume. Default is 'gp2'. Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'.

NodeSecurityGroup Pulumi.Aws.Ec2.SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster optionnodeSecurityGroupTags are mutually exclusive. This type is defined in the AWS Classic package.

NodeSecurityGroupId string

The ID of the security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroupId option and the cluster option nodeSecurityGroupTags are mutually exclusive.

NodeSubnetIds List<string>

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless if the cluster's subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

NodeUserData string

Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).

NodeUserDataOverride string

User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

NodeadmExtraOptions List<NodeadmOptions>

cluster.name
cluster.apiServerEndpoint
cluster.certificateAuthority
cluster.cidr

Note: This is only applicable when using AL2023. See for more details:

https://awslabs.github.io/amazon-eks-ami/nodeadm/
https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/

OperatingSystem Pulumi.Eks.OperatingSystem

Defaults to the current recommended OS.

SpotPrice string

Bidding price for spot instance. If set, only spot instances will be added as worker node.

Taints Dictionary<string, Taint>

Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument

Version string

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

AmiId string

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

AmiType string

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

AutoScalingGroupTags map[string]string

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

BootstrapExtraArgs string

BottlerocketSettings map[string]interface{}

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

settings.kubernetes.api-server
settings.kubernetes.cluster-certificate
settings.kubernetes.cluster-name
settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

CloudFormationTags map[string]string

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

ClusterIngressRule SecurityGroupRule

The ingress rule that gives node group access. This type is defined in the AWS Classic package.

ClusterIngressRuleId string

The ID of the ingress rule that gives node group access.

DesiredCapacity int

The number of worker nodes that should be running in the cluster. Defaults to 2.

EnableDetailedMonitoring bool

Enables/disables detailed monitoring of the EC2 instances.

With detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals. When enabled, you can also get aggregated data across groups of similar instances.

EncryptRootBlockDevice bool

Encrypt the root block device of the nodes in the node group.

ExtraNodeSecurityGroups SecurityGroup

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

Gpu bool

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html

IgnoreScalingChanges bool

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

InstanceProfile InstanceProfile

The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive. This type is defined in the AWS Classic package.

InstanceProfileName string

The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive.

InstanceType string

The instance type to use for the cluster's nodes. Defaults to "t3.medium".

KeyName string

Name of the key pair to use for SSH access to worker nodes.

KubeletExtraArgs string

Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubeletExtraArgs flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after to the explicit kubeletExtraArgs.

Labels map[string]string

Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.

LaunchTemplateTagSpecifications LaunchTemplateTagSpecification

The tag specifications to apply to the launch template.

MaxSize int

The maximum number of worker nodes running in the cluster. Defaults to 2.

MinRefreshPercentage int

The minimum amount of instances that should remain available during an instance refresh, expressed as a percentage. Defaults to 50.

MinSize int

The minimum number of worker nodes running in the cluster. Defaults to 1.

NodeAssociatePublicIpAddress bool

NodePublicKey string

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

NodeRootVolumeDeleteOnTermination bool

Whether the root block device should be deleted on termination of the instance. Defaults to true.

NodeRootVolumeEncrypted bool

Whether to encrypt a cluster node's root volume. Defaults to false.

NodeRootVolumeIops int

The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'.

NodeRootVolumeSize int

The size in GiB of a cluster node's root volume. Defaults to 20.

NodeRootVolumeThroughput int

Provisioned throughput performance in integer MiB/s for a cluster node's root volume. This is only valid with a volumeType of 'gp3'.

NodeRootVolumeType string

Configured EBS type for a cluster node's root volume. Default is 'gp2'. Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'.

NodeSecurityGroup SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster optionnodeSecurityGroupTags are mutually exclusive. This type is defined in the AWS Classic package.

NodeSecurityGroupId string

The ID of the security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroupId option and the cluster option nodeSecurityGroupTags are mutually exclusive.

NodeSubnetIds []string

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless if the cluster's subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

NodeUserData string

NodeUserDataOverride string

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

NodeadmExtraOptions []NodeadmOptions

cluster.name
cluster.apiServerEndpoint
cluster.certificateAuthority
cluster.cidr

Note: This is only applicable when using AL2023. See for more details:

https://awslabs.github.io/amazon-eks-ami/nodeadm/
https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/

OperatingSystem OperatingSystem

Defaults to the current recommended OS.

SpotPrice string

Bidding price for spot instance. If set, only spot instances will be added as worker node.

Taints map[string]Taint

Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument

Version string

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

amiId String

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

amiType String

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

autoScalingGroupTags Map<String,String>

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

bootstrapExtraArgs String

bottlerocketSettings Map<String,Object>

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

settings.kubernetes.api-server
settings.kubernetes.cluster-certificate
settings.kubernetes.cluster-name
settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

cloudFormationTags Map<String,String>

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

clusterIngressRule SecurityGroupRule

The ingress rule that gives node group access. This type is defined in the AWS Classic package.

clusterIngressRuleId String

The ID of the ingress rule that gives node group access.

desiredCapacity Integer

The number of worker nodes that should be running in the cluster. Defaults to 2.

enableDetailedMonitoring Boolean

Enables/disables detailed monitoring of the EC2 instances.

With detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals. When enabled, you can also get aggregated data across groups of similar instances.

encryptRootBlockDevice Boolean

Encrypt the root block device of the nodes in the node group.

extraNodeSecurityGroups List<SecurityGroup>

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

gpu Boolean

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html

ignoreScalingChanges Boolean

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

instanceProfile InstanceProfile

The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive. This type is defined in the AWS Classic package.

instanceProfileName String

The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive.

instanceType String

The instance type to use for the cluster's nodes. Defaults to "t3.medium".

keyName String

Name of the key pair to use for SSH access to worker nodes.

kubeletExtraArgs String

Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubeletExtraArgs flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after to the explicit kubeletExtraArgs.

labels Map<String,String>

Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.

launchTemplateTagSpecifications List<LaunchTemplateTagSpecification>

The tag specifications to apply to the launch template.

maxSize Integer

The maximum number of worker nodes running in the cluster. Defaults to 2.

minRefreshPercentage Integer

The minimum amount of instances that should remain available during an instance refresh, expressed as a percentage. Defaults to 50.

minSize Integer

The minimum number of worker nodes running in the cluster. Defaults to 1.

nodeAssociatePublicIpAddress Boolean

nodePublicKey String

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

nodeRootVolumeDeleteOnTermination Boolean

Whether the root block device should be deleted on termination of the instance. Defaults to true.

nodeRootVolumeEncrypted Boolean

Whether to encrypt a cluster node's root volume. Defaults to false.

nodeRootVolumeIops Integer

The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'.

nodeRootVolumeSize Integer

The size in GiB of a cluster node's root volume. Defaults to 20.

nodeRootVolumeThroughput Integer

Provisioned throughput performance in integer MiB/s for a cluster node's root volume. This is only valid with a volumeType of 'gp3'.

nodeRootVolumeType String

Configured EBS type for a cluster node's root volume. Default is 'gp2'. Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'.

nodeSecurityGroup SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster optionnodeSecurityGroupTags are mutually exclusive. This type is defined in the AWS Classic package.

nodeSecurityGroupId String

The ID of the security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroupId option and the cluster option nodeSecurityGroupTags are mutually exclusive.

nodeSubnetIds List<String>

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless if the cluster's subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

nodeUserData String

nodeUserDataOverride String

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

nodeadmExtraOptions List<NodeadmOptions>

cluster.name
cluster.apiServerEndpoint
cluster.certificateAuthority
cluster.cidr

Note: This is only applicable when using AL2023. See for more details:

https://awslabs.github.io/amazon-eks-ami/nodeadm/
https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/

operatingSystem OperatingSystem

Defaults to the current recommended OS.

spotPrice String

Bidding price for spot instance. If set, only spot instances will be added as worker node.

taints Map<String,Taint>

Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument

version String

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

amiId string

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

amiType string

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

autoScalingGroupTags {[key: string]: string}

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

bootstrapExtraArgs string

bottlerocketSettings {[key: string]: any}

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

settings.kubernetes.api-server
settings.kubernetes.cluster-certificate
settings.kubernetes.cluster-name
settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

cloudFormationTags {[key: string]: string}

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

clusterIngressRule pulumiAwsec2SecurityGroupRule

The ingress rule that gives node group access. This type is defined in the AWS Classic package.

clusterIngressRuleId string

The ID of the ingress rule that gives node group access.

desiredCapacity number

The number of worker nodes that should be running in the cluster. Defaults to 2.

enableDetailedMonitoring boolean

Enables/disables detailed monitoring of the EC2 instances.

With detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals. When enabled, you can also get aggregated data across groups of similar instances.

encryptRootBlockDevice boolean

Encrypt the root block device of the nodes in the node group.

extraNodeSecurityGroups pulumiAwsec2SecurityGroup[]

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

gpu boolean

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html

ignoreScalingChanges boolean

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

instanceProfile pulumiAwsiamInstanceProfile

The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive. This type is defined in the AWS Classic package.

instanceProfileName string

The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive.

instanceType string

The instance type to use for the cluster's nodes. Defaults to "t3.medium".

keyName string

Name of the key pair to use for SSH access to worker nodes.

kubeletExtraArgs string

Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubeletExtraArgs flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after to the explicit kubeletExtraArgs.

labels {[key: string]: string}

Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.

launchTemplateTagSpecifications pulumiAwstypesinputec2LaunchTemplateTagSpecification[]

The tag specifications to apply to the launch template.

maxSize number

The maximum number of worker nodes running in the cluster. Defaults to 2.

minRefreshPercentage number

The minimum amount of instances that should remain available during an instance refresh, expressed as a percentage. Defaults to 50.

minSize number

The minimum number of worker nodes running in the cluster. Defaults to 1.

nodeAssociatePublicIpAddress boolean

nodePublicKey string

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

nodeRootVolumeDeleteOnTermination boolean

Whether the root block device should be deleted on termination of the instance. Defaults to true.

nodeRootVolumeEncrypted boolean

Whether to encrypt a cluster node's root volume. Defaults to false.

nodeRootVolumeIops number

The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'.

nodeRootVolumeSize number

The size in GiB of a cluster node's root volume. Defaults to 20.

nodeRootVolumeThroughput number

Provisioned throughput performance in integer MiB/s for a cluster node's root volume. This is only valid with a volumeType of 'gp3'.

nodeRootVolumeType string

Configured EBS type for a cluster node's root volume. Default is 'gp2'. Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'.

nodeSecurityGroup pulumiAwsec2SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster optionnodeSecurityGroupTags are mutually exclusive. This type is defined in the AWS Classic package.

nodeSecurityGroupId string

The ID of the security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroupId option and the cluster option nodeSecurityGroupTags are mutually exclusive.

nodeSubnetIds string[]

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless if the cluster's subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

nodeUserData string

nodeUserDataOverride string

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

nodeadmExtraOptions NodeadmOptions[]

cluster.name
cluster.apiServerEndpoint
cluster.certificateAuthority
cluster.cidr

Note: This is only applicable when using AL2023. See for more details:

https://awslabs.github.io/amazon-eks-ami/nodeadm/
https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/

operatingSystem OperatingSystem

Defaults to the current recommended OS.

spotPrice string

Bidding price for spot instance. If set, only spot instances will be added as worker node.

taints {[key: string]: Taint}

Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument

version string

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

ami_id str

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

ami_type str

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

auto_scaling_group_tags Mapping[str, str]

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

bootstrap_extra_args str

bottlerocket_settings Mapping[str, Any]

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

settings.kubernetes.api-server
settings.kubernetes.cluster-certificate
settings.kubernetes.cluster-name
settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

cloud_formation_tags Mapping[str, str]

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

cluster_ingress_rule pulumi_aws.ec2.SecurityGroupRule

The ingress rule that gives node group access. This type is defined in the AWS Classic package.

cluster_ingress_rule_id str

The ID of the ingress rule that gives node group access.

desired_capacity int

The number of worker nodes that should be running in the cluster. Defaults to 2.

enable_detailed_monitoring bool

Enables/disables detailed monitoring of the EC2 instances.

With detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals. When enabled, you can also get aggregated data across groups of similar instances.

encrypt_root_block_device bool

Encrypt the root block device of the nodes in the node group.

extra_node_security_groups Sequence[pulumi_aws.ec2.SecurityGroup]

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

gpu bool

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html

ignore_scaling_changes bool

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

instance_profile pulumi_aws.iam.InstanceProfile

The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive. This type is defined in the AWS Classic package.

instance_profile_name str

The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive.

instance_type str

The instance type to use for the cluster's nodes. Defaults to "t3.medium".

key_name str

Name of the key pair to use for SSH access to worker nodes.

kubelet_extra_args str

Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubeletExtraArgs flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after to the explicit kubeletExtraArgs.

labels Mapping[str, str]

Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.

launch_template_tag_specifications Sequence[pulumi_aws.ec2.LaunchTemplateTagSpecificationArgs]

The tag specifications to apply to the launch template.

max_size int

The maximum number of worker nodes running in the cluster. Defaults to 2.

min_refresh_percentage int

The minimum amount of instances that should remain available during an instance refresh, expressed as a percentage. Defaults to 50.

min_size int

The minimum number of worker nodes running in the cluster. Defaults to 1.

node_associate_public_ip_address bool

node_public_key str

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

node_root_volume_delete_on_termination bool

Whether the root block device should be deleted on termination of the instance. Defaults to true.

node_root_volume_encrypted bool

Whether to encrypt a cluster node's root volume. Defaults to false.

node_root_volume_iops int

The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'.

node_root_volume_size int

The size in GiB of a cluster node's root volume. Defaults to 20.

node_root_volume_throughput int

Provisioned throughput performance in integer MiB/s for a cluster node's root volume. This is only valid with a volumeType of 'gp3'.

node_root_volume_type str

Configured EBS type for a cluster node's root volume. Default is 'gp2'. Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'.

node_security_group pulumi_aws.ec2.SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster optionnodeSecurityGroupTags are mutually exclusive. This type is defined in the AWS Classic package.

node_security_group_id str

The ID of the security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroupId option and the cluster option nodeSecurityGroupTags are mutually exclusive.

node_subnet_ids Sequence[str]

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless if the cluster's subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

node_user_data str

node_user_data_override str

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

nodeadm_extra_options Sequence[NodeadmOptions]

cluster.name
cluster.apiServerEndpoint
cluster.certificateAuthority
cluster.cidr

Note: This is only applicable when using AL2023. See for more details:

https://awslabs.github.io/amazon-eks-ami/nodeadm/
https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/

operating_system OperatingSystem

Defaults to the current recommended OS.

spot_price str

Bidding price for spot instance. If set, only spot instances will be added as worker node.

taints Mapping[str, Taint]

Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument

version str

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

amiId String

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.

amiType String

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

autoScalingGroupTags Map<String>

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

bootstrapExtraArgs String

bottlerocketSettings Map<Any>

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

settings.kubernetes.api-server
settings.kubernetes.cluster-certificate
settings.kubernetes.cluster-name
settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

cloudFormationTags Map<String>

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

clusterIngressRule aws:ec2:SecurityGroupRule

The ingress rule that gives node group access. This type is defined in the AWS Classic package.

clusterIngressRuleId String

The ID of the ingress rule that gives node group access.

desiredCapacity Number

The number of worker nodes that should be running in the cluster. Defaults to 2.

enableDetailedMonitoring Boolean

Enables/disables detailed monitoring of the EC2 instances.

With detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals. When enabled, you can also get aggregated data across groups of similar instances.

encryptRootBlockDevice Boolean

Encrypt the root block device of the nodes in the node group.

extraNodeSecurityGroups List<aws:ec2:SecurityGroup>

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

gpu Boolean

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html

ignoreScalingChanges Boolean

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

instanceProfile aws:iam:InstanceProfile

The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive. This type is defined in the AWS Classic package.

instanceProfileName String

The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive.

instanceType String

The instance type to use for the cluster's nodes. Defaults to "t3.medium".

keyName String

Name of the key pair to use for SSH access to worker nodes.

kubeletExtraArgs String

Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubeletExtraArgs flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after to the explicit kubeletExtraArgs.

labels Map<String>

Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.

launchTemplateTagSpecifications List<Property Map>

The tag specifications to apply to the launch template.

maxSize Number

The maximum number of worker nodes running in the cluster. Defaults to 2.

minRefreshPercentage Number

The minimum amount of instances that should remain available during an instance refresh, expressed as a percentage. Defaults to 50.

minSize Number

The minimum number of worker nodes running in the cluster. Defaults to 1.

nodeAssociatePublicIpAddress Boolean

nodePublicKey String

Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.

nodeRootVolumeDeleteOnTermination Boolean

Whether the root block device should be deleted on termination of the instance. Defaults to true.

nodeRootVolumeEncrypted Boolean

Whether to encrypt a cluster node's root volume. Defaults to false.

nodeRootVolumeIops Number

The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'.

nodeRootVolumeSize Number

The size in GiB of a cluster node's root volume. Defaults to 20.

nodeRootVolumeThroughput Number

Provisioned throughput performance in integer MiB/s for a cluster node's root volume. This is only valid with a volumeType of 'gp3'.

nodeRootVolumeType String

Configured EBS type for a cluster node's root volume. Default is 'gp2'. Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'.

nodeSecurityGroup aws:ec2:SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster optionnodeSecurityGroupTags are mutually exclusive. This type is defined in the AWS Classic package.

nodeSecurityGroupId String

The ID of the security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroupId option and the cluster option nodeSecurityGroupTags are mutually exclusive.

nodeSubnetIds List<String>

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless if the cluster's subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

nodeUserData String

nodeUserDataOverride String

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

nodeadmExtraOptions List<Property Map>

cluster.name
cluster.apiServerEndpoint
cluster.certificateAuthority
cluster.cidr

Note: This is only applicable when using AL2023. See for more details:

https://awslabs.github.io/amazon-eks-ami/nodeadm/
https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/

operatingSystem "AL2" | "AL2023" | "Bottlerocket" | "AL2023"

Defaults to the current recommended OS.

spotPrice String

Bidding price for spot instance. If set, only spot instances will be added as worker node.

taints Map<Property Map>

Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument

version String

Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.

CoreData, CoreDataArgs

Cluster Pulumi.Aws.Eks.Cluster: This type is defined in the AWS Classic package.
ClusterIamRole Pulumi.Aws.Iam.Role: The IAM Role attached to the EKS Cluster This type is defined in the AWS Classic package.
Endpoint string: The EKS cluster's Kubernetes API server endpoint.
InstanceRoles List<Pulumi.Aws.Iam.Role>: The IAM instance roles for the cluster's nodes.
NodeGroupOptions ClusterNodeGroupOptions: The cluster's node group options.
Provider Pulumi.Kubernetes.Provider: This type is defined in the pulumi package.
SubnetIds List<string>: List of subnet IDs for the EKS cluster.
VpcId string: ID of the cluster's VPC.
AccessEntries List<AccessEntry>: The access entries added to the cluster.
AwsProvider Pulumi.Aws.Provider: This type is defined in the pulumi package.
ClusterSecurityGroup Pulumi.Aws.Ec2.SecurityGroup: This type is defined in the AWS Classic package.
EksNodeAccess Pulumi.Kubernetes.Core.V1.ConfigMap: This type is defined in the Kubernetes package.
EncryptionConfig Pulumi.Aws.Eks.Inputs.ClusterEncryptionConfig: This type is defined in the AWS Classic package.
FargateProfile Pulumi.Aws.Eks.FargateProfile: The Fargate profile used to manage which pods run on Fargate. This type is defined in the AWS Classic package.
Kubeconfig object: The kubeconfig file for the cluster.
NodeSecurityGroupTags Dictionary<string, string>: Tags attached to the security groups associated with the cluster's worker nodes.
OidcProvider Pulumi.Aws.Iam.OpenIdConnectProvider: This type is defined in the AWS Classic package.
PrivateSubnetIds List<string>: List of subnet IDs for the private subnets.
PublicSubnetIds List<string>: List of subnet IDs for the public subnets.
StorageClasses Dictionary<string, Pulumi.Kubernetes.Storage.V1.StorageClass>: The storage class used for persistent storage by the cluster.
Tags Dictionary<string, string>: A map of tags assigned to the EKS cluster.
VpcCni Pulumi.Eks.VpcCniAddon: The VPC CNI for the cluster.

Cluster Cluster: This type is defined in the AWS Classic package.
ClusterIamRole Role: The IAM Role attached to the EKS Cluster This type is defined in the AWS Classic package.
Endpoint string: The EKS cluster's Kubernetes API server endpoint.
InstanceRoles Role: The IAM instance roles for the cluster's nodes.
NodeGroupOptions ClusterNodeGroupOptions: The cluster's node group options.
Provider Provider: This type is defined in the pulumi package.
SubnetIds []string: List of subnet IDs for the EKS cluster.
VpcId string: ID of the cluster's VPC.
AccessEntries []AccessEntry: The access entries added to the cluster.
AwsProvider Provider: This type is defined in the pulumi package.
ClusterSecurityGroup SecurityGroup: This type is defined in the AWS Classic package.
EksNodeAccess ConfigMap: This type is defined in the Kubernetes package.
EncryptionConfig ClusterEncryptionConfig: This type is defined in the AWS Classic package.
FargateProfile FargateProfile: The Fargate profile used to manage which pods run on Fargate. This type is defined in the AWS Classic package.
Kubeconfig interface{}: The kubeconfig file for the cluster.
NodeSecurityGroupTags map[string]string: Tags attached to the security groups associated with the cluster's worker nodes.
OidcProvider OpenIdConnectProvider: This type is defined in the AWS Classic package.
PrivateSubnetIds []string: List of subnet IDs for the private subnets.
PublicSubnetIds []string: List of subnet IDs for the public subnets.
StorageClasses StorageClass: The storage class used for persistent storage by the cluster.
Tags map[string]string: A map of tags assigned to the EKS cluster.
VpcCni VpcCniAddon: The VPC CNI for the cluster.

cluster Cluster: This type is defined in the AWS Classic package.
clusterIamRole Role: The IAM Role attached to the EKS Cluster This type is defined in the AWS Classic package.
endpoint String: The EKS cluster's Kubernetes API server endpoint.
instanceRoles List<Role>: The IAM instance roles for the cluster's nodes.
nodeGroupOptions ClusterNodeGroupOptions: The cluster's node group options.
provider Provider: This type is defined in the pulumi package.
subnetIds List<String>: List of subnet IDs for the EKS cluster.
vpcId String: ID of the cluster's VPC.
accessEntries List<AccessEntry>: The access entries added to the cluster.
awsProvider Provider: This type is defined in the pulumi package.
clusterSecurityGroup SecurityGroup: This type is defined in the AWS Classic package.
eksNodeAccess ConfigMap: This type is defined in the Kubernetes package.
encryptionConfig ClusterEncryptionConfig: This type is defined in the AWS Classic package.
fargateProfile FargateProfile: The Fargate profile used to manage which pods run on Fargate. This type is defined in the AWS Classic package.
kubeconfig Object: The kubeconfig file for the cluster.
nodeSecurityGroupTags Map<String,String>: Tags attached to the security groups associated with the cluster's worker nodes.
oidcProvider OpenIdConnectProvider: This type is defined in the AWS Classic package.
privateSubnetIds List<String>: List of subnet IDs for the private subnets.
publicSubnetIds List<String>: List of subnet IDs for the public subnets.
storageClasses Map<String,StorageClass>: The storage class used for persistent storage by the cluster.
tags Map<String,String>: A map of tags assigned to the EKS cluster.
vpcCni VpcCniAddon: The VPC CNI for the cluster.

cluster pulumiAwseksCluster: This type is defined in the AWS Classic package.
clusterIamRole pulumiAwsiamRole: The IAM Role attached to the EKS Cluster This type is defined in the AWS Classic package.
endpoint string: The EKS cluster's Kubernetes API server endpoint.
instanceRoles pulumiAwsiamRole[]: The IAM instance roles for the cluster's nodes.
nodeGroupOptions ClusterNodeGroupOptions: The cluster's node group options.
provider pulumiKubernetesProvider: This type is defined in the pulumi package.
subnetIds string[]: List of subnet IDs for the EKS cluster.
vpcId string: ID of the cluster's VPC.
accessEntries AccessEntry[]: The access entries added to the cluster.
awsProvider pulumiAwsProvider: This type is defined in the pulumi package.
clusterSecurityGroup pulumiAwsec2SecurityGroup: This type is defined in the AWS Classic package.
eksNodeAccess pulumiKubernetescorev1ConfigMap: This type is defined in the Kubernetes package.
encryptionConfig pulumiAwstypesinputeksClusterEncryptionConfig: This type is defined in the AWS Classic package.
fargateProfile pulumiAwseksFargateProfile: The Fargate profile used to manage which pods run on Fargate. This type is defined in the AWS Classic package.
kubeconfig any: The kubeconfig file for the cluster.
nodeSecurityGroupTags {[key: string]: string}: Tags attached to the security groups associated with the cluster's worker nodes.
oidcProvider pulumiAwsiamOpenIdConnectProvider: This type is defined in the AWS Classic package.
privateSubnetIds string[]: List of subnet IDs for the private subnets.
publicSubnetIds string[]: List of subnet IDs for the public subnets.
storageClasses {[key: string]: pulumiKubernetesstoragev1StorageClass}: The storage class used for persistent storage by the cluster.
tags {[key: string]: string}: A map of tags assigned to the EKS cluster.
vpcCni VpcCniAddon: The VPC CNI for the cluster.

cluster pulumi_aws.eks.Cluster: This type is defined in the AWS Classic package.
cluster_iam_role pulumi_aws.iam.Role: The IAM Role attached to the EKS Cluster This type is defined in the AWS Classic package.
endpoint str: The EKS cluster's Kubernetes API server endpoint.
instance_roles Sequence[pulumi_aws.iam.Role]: The IAM instance roles for the cluster's nodes.
node_group_options ClusterNodeGroupOptions: The cluster's node group options.
provider pulumi_kubernetes.Provider: This type is defined in the pulumi package.
subnet_ids Sequence[str]: List of subnet IDs for the EKS cluster.
vpc_id str: ID of the cluster's VPC.
access_entries Sequence[AccessEntry]: The access entries added to the cluster.
aws_provider pulumi_aws.Provider: This type is defined in the pulumi package.
cluster_security_group pulumi_aws.ec2.SecurityGroup: This type is defined in the AWS Classic package.
eks_node_access pulumi_kubernetes.core.v1.ConfigMap: This type is defined in the Kubernetes package.
encryption_config pulumi_aws.eks.ClusterEncryptionConfigArgs: This type is defined in the AWS Classic package.
fargate_profile pulumi_aws.eks.FargateProfile: The Fargate profile used to manage which pods run on Fargate. This type is defined in the AWS Classic package.
kubeconfig Any: The kubeconfig file for the cluster.
node_security_group_tags Mapping[str, str]: Tags attached to the security groups associated with the cluster's worker nodes.
oidc_provider pulumi_aws.iam.OpenIdConnectProvider: This type is defined in the AWS Classic package.
private_subnet_ids Sequence[str]: List of subnet IDs for the private subnets.
public_subnet_ids Sequence[str]: List of subnet IDs for the public subnets.
storage_classes Mapping[str, pulumi_kubernetes.storage.v1.StorageClass]: The storage class used for persistent storage by the cluster.
tags Mapping[str, str]: A map of tags assigned to the EKS cluster.
vpc_cni VpcCniAddon: The VPC CNI for the cluster.

cluster aws:eks:Cluster: This type is defined in the AWS Classic package.
clusterIamRole aws:iam:Role: The IAM Role attached to the EKS Cluster This type is defined in the AWS Classic package.
endpoint String: The EKS cluster's Kubernetes API server endpoint.
instanceRoles List<aws:iam:Role>: The IAM instance roles for the cluster's nodes.
nodeGroupOptions Property Map: The cluster's node group options.
provider pulumi:providers:kubernetes: This type is defined in the pulumi package.
subnetIds List<String>: List of subnet IDs for the EKS cluster.
vpcId String: ID of the cluster's VPC.
accessEntries List<Property Map>: The access entries added to the cluster.
awsProvider pulumi:providers:aws: This type is defined in the pulumi package.
clusterSecurityGroup aws:ec2:SecurityGroup: This type is defined in the AWS Classic package.
eksNodeAccess kubernetes:core/v1:ConfigMap: This type is defined in the Kubernetes package.
encryptionConfig Property Map: This type is defined in the AWS Classic package.
fargateProfile aws:eks:FargateProfile: The Fargate profile used to manage which pods run on Fargate. This type is defined in the AWS Classic package.
kubeconfig Any: The kubeconfig file for the cluster.
nodeSecurityGroupTags Map<String>: Tags attached to the security groups associated with the cluster's worker nodes.
oidcProvider aws:iam:OpenIdConnectProvider: This type is defined in the AWS Classic package.
privateSubnetIds List<String>: List of subnet IDs for the private subnets.
publicSubnetIds List<String>: List of subnet IDs for the public subnets.
storageClasses Map<kubernetes:storage.k8s.io/v1:StorageClass>: The storage class used for persistent storage by the cluster.
tags Map<String>: A map of tags assigned to the EKS cluster.
vpcCni eks:VpcCniAddon: The VPC CNI for the cluster.

NodeadmOptions, NodeadmOptionsArgs

Content string: The actual content of the MIME document part, such as shell script code or nodeadm configuration. Must be compatible with the specified contentType.
ContentType string: The MIME type of the content. Examples are text/x-shellscript; charset="us-ascii" for shell scripts, and application/node.eks.aws nodeadm configuration.

Content string: The actual content of the MIME document part, such as shell script code or nodeadm configuration. Must be compatible with the specified contentType.
ContentType string: The MIME type of the content. Examples are text/x-shellscript; charset="us-ascii" for shell scripts, and application/node.eks.aws nodeadm configuration.

content String: The actual content of the MIME document part, such as shell script code or nodeadm configuration. Must be compatible with the specified contentType.
contentType String: The MIME type of the content. Examples are text/x-shellscript; charset="us-ascii" for shell scripts, and application/node.eks.aws nodeadm configuration.

content string: The actual content of the MIME document part, such as shell script code or nodeadm configuration. Must be compatible with the specified contentType.
contentType string: The MIME type of the content. Examples are text/x-shellscript; charset="us-ascii" for shell scripts, and application/node.eks.aws nodeadm configuration.

content str: The actual content of the MIME document part, such as shell script code or nodeadm configuration. Must be compatible with the specified contentType.
content_type str: The MIME type of the content. Examples are text/x-shellscript; charset="us-ascii" for shell scripts, and application/node.eks.aws nodeadm configuration.

content String: The actual content of the MIME document part, such as shell script code or nodeadm configuration. Must be compatible with the specified contentType.
contentType String: The MIME type of the content. Examples are text/x-shellscript; charset="us-ascii" for shell scripts, and application/node.eks.aws nodeadm configuration.

OperatingSystem, OperatingSystemArgs

AL2

AL2EKS optimized OS based on Amazon Linux 2 (AL2).

Deprecated: Amazon Linux 2 is deprecated. Please use Amazon Linux 2023 instead. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/al2023.html

AL2023

AL2023EKS optimized OS based on Amazon Linux 2023 (AL2023). See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

Bottlerocket

BottlerocketEKS optimized Container OS based on Bottlerocket. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami-bottlerocket.html

RECOMMENDED

AL2023

The recommended EKS optimized OS. Currently Amazon Linux 2023 (AL2023). This will be kept up to date with AWS' recommendations for EKS optimized operating systems.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

OperatingSystemAL2

AL2EKS optimized OS based on Amazon Linux 2 (AL2).

Deprecated: Amazon Linux 2 is deprecated. Please use Amazon Linux 2023 instead. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/al2023.html

OperatingSystemAL2023

AL2023EKS optimized OS based on Amazon Linux 2023 (AL2023). See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

OperatingSystemBottlerocket

BottlerocketEKS optimized Container OS based on Bottlerocket. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami-bottlerocket.html

OperatingSystemRECOMMENDED

AL2023

The recommended EKS optimized OS. Currently Amazon Linux 2023 (AL2023). This will be kept up to date with AWS' recommendations for EKS optimized operating systems.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

AL2

AL2EKS optimized OS based on Amazon Linux 2 (AL2).

Deprecated: Amazon Linux 2 is deprecated. Please use Amazon Linux 2023 instead. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/al2023.html

AL2023

AL2023EKS optimized OS based on Amazon Linux 2023 (AL2023). See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

Bottlerocket

BottlerocketEKS optimized Container OS based on Bottlerocket. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami-bottlerocket.html

RECOMMENDED

AL2023

The recommended EKS optimized OS. Currently Amazon Linux 2023 (AL2023). This will be kept up to date with AWS' recommendations for EKS optimized operating systems.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

AL2

AL2EKS optimized OS based on Amazon Linux 2 (AL2).

Deprecated: Amazon Linux 2 is deprecated. Please use Amazon Linux 2023 instead. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/al2023.html

AL2023

AL2023EKS optimized OS based on Amazon Linux 2023 (AL2023). See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

Bottlerocket

BottlerocketEKS optimized Container OS based on Bottlerocket. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami-bottlerocket.html

RECOMMENDED

AL2023

The recommended EKS optimized OS. Currently Amazon Linux 2023 (AL2023). This will be kept up to date with AWS' recommendations for EKS optimized operating systems.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

AL2

AL2EKS optimized OS based on Amazon Linux 2 (AL2).

Deprecated: Amazon Linux 2 is deprecated. Please use Amazon Linux 2023 instead. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/al2023.html

AL2023

AL2023EKS optimized OS based on Amazon Linux 2023 (AL2023). See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

BOTTLEROCKET

BottlerocketEKS optimized Container OS based on Bottlerocket. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami-bottlerocket.html

RECOMMENDED

AL2023

The recommended EKS optimized OS. Currently Amazon Linux 2023 (AL2023). This will be kept up to date with AWS' recommendations for EKS optimized operating systems.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

"AL2"

AL2EKS optimized OS based on Amazon Linux 2 (AL2).

Deprecated: Amazon Linux 2 is deprecated. Please use Amazon Linux 2023 instead. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/al2023.html

"AL2023"

AL2023EKS optimized OS based on Amazon Linux 2023 (AL2023). See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

"Bottlerocket"

BottlerocketEKS optimized Container OS based on Bottlerocket. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami-bottlerocket.html

"AL2023"

AL2023

The recommended EKS optimized OS. Currently Amazon Linux 2023 (AL2023). This will be kept up to date with AWS' recommendations for EKS optimized operating systems.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

Taint, TaintArgs

Effect string: The effect of the taint.
Value string: The value of the taint.

Effect string: The effect of the taint.
Value string: The value of the taint.

effect String: The effect of the taint.
value String: The value of the taint.

effect string: The effect of the taint.
value string: The value of the taint.

effect str: The effect of the taint.
value str: The value of the taint.

effect String: The effect of the taint.
value String: The value of the taint.

Package Details

Repository: Amazon EKS pulumi/pulumi-eks
License: Apache-2.0

Amazon EKS v3.8.1 published on Wednesday, Jan 29, 2025 by Pulumi

pulumi/pulumi-eks

eks.ManagedNodeGroup

On this page

On this page

Example Usage

Basic Managed Node Group

Enabling EFA Support

Create ManagedNodeGroup Resource

Constructor syntax

Parameters

ManagedNodeGroup Resource Properties

Inputs

Outputs

Supporting Types

AccessEntry, AccessEntryArgs

AccessEntryType, AccessEntryTypeArgs

AccessPolicyAssociation, AccessPolicyAssociationArgs

ClusterNodeGroupOptions, ClusterNodeGroupOptionsArgs

CoreData, CoreDataArgs

NodeadmOptions, NodeadmOptionsArgs

OperatingSystem, OperatingSystemArgs

Taint, TaintArgs

Package Details

On this page

On this page