terraform-aws-modules · bryantbiggs · Feb 2, 2024 · Oct 9, 2023 · Nov 7, 2023 · Nov 7, 2023
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.83.5
+    rev: v1.85.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate

diff --git a/README.md b/README.md
diff --git a/docs/UPGRADE-20.0.md b/docs/UPGRADE-20.0.md
@@ -0,0 +1,91 @@
+# Upgrade from v19.x to v20.x
+
+Please consult the `examples` directory for reference example configurations. If you find a bug, please open an issue with supporting configuration to reproduce.
+
+## List of backwards incompatible changes
+
+- Minium supported AWS provider version increased to `v5.0`
+- Minimum supported Terraform version increased to `v1.1` to support Terraform state `moved` blocks
+- The `resolve_conflicts` argument within the `cluster_addons` configuration has been replaced with `resolve_conflicts_on_create` and `resolve_conflicts_on_delete` now that `resolve_conflicts` is deprecated
+- The `cluster_addons` `preserve` argument default/fallback value is now set to `true`. This has shown to be useful for users deprovisioning clusters while avoiding the situation where the CNI is deleted too early and causes resources to be left orphaned which results in conflicts.
+- The Karpenter sub-module's use of the `irsa` naming convention has been replaced with `pod-identity` along with an update to the Karpenter controller IAM policy to align with the `v1beta1`/`v0.32` changes
+- The `aws-auth` ConfigMap resources have been moved to a standalone sub-module. This removes the Kubernetes provider requirement from the main module and allows for the `aws-auth` ConfigMap to be managed independently of the main module.
+
+## Additional changes
+
+### Added
+
+   - A module tag has been added to the cluster and compute resources created
+
+### Modified
+
+   - For `sts:AssumeRole` permissions by services, the use of dynamically looking up the DNS suffix has been replaced with the static value of `amazonaws.com`. This does not appear to change by partition and instead requires users to set this manually for non-commercial regions.
+   - The default value for `kms_key_enable_default_policy` has changed from `false` to `true` to align with the default behavior of the `aws_kms_key` resource
+   - The Karpenter default value for `create_instance_profile` has changed from `true` to `false` to align with the changes in Karpenter v0.32
+
+### Removed
+
+   -
+
+### Variable and output changes
+
+1. Removed variables:
+
+   - `cluster_iam_role_dns_suffix` - replaced with a static string of `amazonaws.com`
+   - Karpenter
+      - `irsa_tag_key`
+      - `irsa_tag_values`
+      - `irsa_subnet_account_id`
+      - `enable_karpenter_instance_profile_creation`
+
+2. Renamed variables:
+
+   - Karpenter
+      - `create_irsa` -> `create_pod_identity_role`
+      - `irsa_name` -> `pod_identity_role_name`
+      - `irsa_use_name_prefix` -> `pod_identity_role_name_prefix`
+      - `irsa_path` -> `pod_identity_role_path`
+      - `irsa_description` -> `pod_identity_role_description`
+      - `irsa_max_session_duration` -> `pod_identity_role_max_session_duration`
+      - `irsa_permissions_boundary_arn` -> `pod_identity_role_permissions_boundary_arn`
+      - `irsa_tags` -> `pod_identity_role_tags`
+      - `policies` -> `pod_identity_role_policies`
+      - `irsa_policy_name` -> `pod_identity_policy_name`
+      - `irsa_ssm_parameter_arns` -> `ami_id_ssm_parameter_arns`
+
+3. Added variables:
+
+   - Karpenter
+      - `pod_identity_policy_use_name_prefix`
+      - `pod_identity_policy_description`
+      - `enable_irsa`
+
+4. Removed outputs:
+
+   - `aws_auth_configmap_yaml` 
+
+5. Renamed outputs:
+
+   - Karpenter
+      - `irsa_name` -> `pod_identity_role_name`
+      - `irsa_arn` -> `pod_identity_role_arn`
+      - `irsa_unique_id` -> `pod_identity_role_unique_id`
+
+6. Added outputs:
+
+   -
+
+## Upgrade Migrations
+
+### Diff of Before (v18.x) vs After (v19.x)
+
+```diff
+ module "eks" {
+   source  = "terraform-aws-modules/eks/aws"
+-  version = "~> 19.17.1"
++  version = "~> 20.0"
+
+}
+```
+
+## Terraform State Moves
diff --git a/docs/irsa_integration.md b/docs/irsa_integration.md
@@ -12,22 +12,14 @@ module "eks" {
 
   cluster_addons = {
     vpc-cni = {
-      resolve_conflicts        = "OVERWRITE"
-      service_account_role_arn = module.vpc_cni_irsa.iam_role_arn
+      resolve_conflicts_on_update = "OVERWRITE"
+      service_account_role_arn    = module.vpc_cni_irsa.iam_role_arn
     }
   }
 
   vpc_id     = "vpc-1234556abcdef"
   subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]
 
-  eks_managed_node_group_defaults = {
-    # We are using the IRSA created below for permissions
-    # However, we have to provision a new cluster with the policy attached FIRST
-    # before we can disable. Without this initial policy,
-    # the VPC CNI fails to assign IPs and nodes cannot join the new cluster
-    iam_role_attach_cni_policy = true
-  }
-
   eks_managed_node_groups = {
     default = {}
   }

diff --git a/examples/complete/README.md b/examples/complete/README.md