feat: upgrade Kubernetes API to version 1.34 (#45)

* feat: upgrade Kubernetes API to version 1.34

* fix: the issues while upgrading to 1.34

* feat: add a script for manual cleanups

Author: apetrovYa

.terraform-docs.yaml

@@ -77,7 +77,9 @@ content: |-
   {{ .Resources }}
   {{ .Inputs }}
   {{ .Outputs }}
-
+  
+  For detailed documentation about the structure and contents of each output, refer to the [Module Outputs](./docs/GUIDES.md#module-outputs)
+  section in the guides.
 output:
   file: "README.md"
   mode: replace

CONTRIBUTING.md

@@ -21,7 +21,7 @@ The instruments used to develop and maintain this Module are the following:
 
 | Id  | Tool                 |
 |-----|----------------------|
-| I0  | Docker               |                
+| I0  | Docker               |
 | I1  | Make                 |
 | I2  | Terraform            |
 | I3  | AWS CLI version 2    |

README.md

@@ -84,7 +84,7 @@ spec:
     role: "${module.kubernetes.eks_managed_node_groups["main"].iam_role_name}"
     subnetSelectorTerms:
         - tags:
-            karpenter.sh/discovery: "${try(var.cluster_autoscaler_subnet_selector, module.kubernetes.cluster_name)}"
+            karpenter.sh/discovery: "${coalesce(var.cluster_autoscaler_subnet_selector, module.kubernetes.cluster_name)}"
     securityGroupSelectorTerms:
         - tags:
             karpenter.sh/discovery: "${module.kubernetes.cluster_name}"

autoscaler.tf

@@ -271,3 +271,159 @@ Prometheus Operator monitors at cluster level for any PrometheusRule object.
 The module generates when the module is instantiated for the first time a random password and random user for Grafana root user creds. 
 These creds are stored in the AWS Secrets Manager. The actual path to the secret is stored in the output variable [cluster_ssm_params_paths](../outputs.tf).
 
+## Module Outputs
+
+This section documents all outputs exposed by the module, providing detailed information about the structure and contents of each output.
+
+### `cluster`
+
+The main EKS cluster configuration output. Contains comprehensive information about the Kubernetes cluster, including:
+
+- **`access_entries`**: Map of access entries for cluster authentication. Each entry contains:
+  - `access_entry_arn`: ARN of the access entry
+  - `cluster_name`: Name of the EKS cluster
+  - `created_at` / `modified_at`: Timestamps
+  - `id`: Unique identifier
+  - `kubernetes_groups`: Set of Kubernetes groups
+  - `principal_arn`: ARN of the IAM principal
+  - `tags` / `tags_all`: Resource tags
+  - `type`: Access entry type (e.g., "STANDARD")
+  - `user_name`: Assumed role user name
+
+- **`access_policy_associations`**: Map of access policy associations, including:
+  - `access_scope`: List of access scopes (cluster/namespace level)
+  - `associated_at` / `modified_at`: Timestamps
+  - `policy_arn`: ARN of the associated policy
+  - `principal_arn`: ARN of the IAM principal
+
+- **`cloudwatch_log_group_arn`** / **`cloudwatch_log_group_name`**: CloudWatch log group details for cluster logs
+
+- **`cluster_addons`**: Map of installed EKS addons (e.g., `coredns`, `vpc-cni`, `kube-proxy`, `eks-pod-identity-agent`, `snapshot-controller`). Each addon contains:
+  - `addon_name`: Name of the addon
+  - `addon_version`: Version string
+  - `arn`: ARN of the addon
+  - `created_at` / `modified_at`: Timestamps
+  - `configuration_values`: YAML configuration
+  - `preserve`: Whether addon is preserved on delete
+  - `resolve_conflicts_on_create` / `resolve_conflicts_on_update`: Conflict resolution strategy
+  - `service_account_role_arn`: IAM role ARN for the addon
+
+- **`cluster_arn`**: ARN of the EKS cluster
+- **`cluster_certificate_authority_data`**: Base64-encoded certificate authority data
+- **`cluster_dualstack_oidc_issuer_url`** / **`cluster_oidc_issuer_url`**: OIDC issuer URLs
+- **`cluster_endpoint`**: Kubernetes API server endpoint URL
+- **`cluster_iam_role_arn`** / **`cluster_iam_role_name`** / **`cluster_iam_role_unique_id`**: Cluster IAM role details
+- **`cluster_ip_family`**: IP family (e.g., "ipv4")
+- **`cluster_name`**: Name of the cluster
+- **`cluster_platform_version`**: EKS platform version
+- **`cluster_primary_security_group_id`**: Primary security group ID
+- **`cluster_security_group_arn`** / **`cluster_security_group_id`**: Cluster security group details
+- **`cluster_service_cidr`**: Service CIDR block
+- **`cluster_status`**: Current cluster status (e.g., "ACTIVE")
+- **`cluster_version`**: Kubernetes version (e.g., "1.34")
+- **`cluster_tls_certificate_sha1_fingerprint`**: TLS certificate fingerprint
+
+- **`eks_managed_node_groups`**: Map of EKS managed node groups. Each group contains:
+  - `iam_role_arn` / `iam_role_name` / `iam_role_unique_id`: Node group IAM role details
+  - `node_group_arn`: ARN of the node group
+  - `node_group_autoscaling_group_names`: List of Auto Scaling group names
+  - `node_group_id`: Unique identifier
+  - `node_group_labels`: Labels applied to nodes
+  - `node_group_resources`: Resource details including Auto Scaling groups
+  - `node_group_status`: Current status (e.g., "ACTIVE")
+  - `node_group_taints`: Set of taints applied to nodes
+  - `platform`: Platform type (e.g., "linux")
+  - `launch_template_*`: Launch template details (if used)
+
+- **`eks_managed_node_groups_autoscaling_group_names`**: List of all Auto Scaling group names
+
+- **`fargate_profiles`**: Map of Fargate profiles (if configured)
+
+- **`kms_key_arn`** / **`kms_key_id`** / **`kms_key_policy`**: KMS encryption key details
+
+- **`node_security_group_arn`** / **`node_security_group_id`**: Node security group details
+
+- **`oidc_provider`** / **`oidc_provider_arn`**: OIDC provider details
+
+- **`self_managed_node_groups`** / **`self_managed_node_groups_autoscaling_group_names`**: Self-managed node groups (if configured)
+
+### `cluster_network`
+
+Network configuration output containing both internal and external network details.
+
+- **`internal`**: Internal network configuration (when using module-managed VPC):
+  - **`network`**: List containing VPC network objects with:
+    - **Subnet information**:
+      - `public_subnets` / `public_subnet_arns` / `public_subnets_cidr_blocks`: Public subnet details
+      - `private_subnets` / `private_subnet_arns` / `private_subnets_cidr_blocks`: Private subnet details
+      - `intra_subnets` / `intra_subnet_arns` / `intra_subnets_cidr_blocks`: Intra-VPC subnet details
+      - `database_subnets` / `database_subnet_arns` / `database_subnets_cidr_blocks`: Database subnet details
+      - Subnet objects with full details (IDs, ARNs, availability zones, CIDR blocks, tags, etc.)
+    - **Route tables**: IDs and association IDs for public, private, intra, and database subnets
+    - **NAT Gateways**: IDs, interface IDs, Elastic IP allocation IDs, and public IPs
+    - **Internet Gateway**: ID and ARN
+    - **VPC details**: ID, ARN, CIDR block, DNS settings, owner ID, main route table ID
+    - **Availability zones**: List of AZs used
+  - **`vpc_endpoints`**: List of VPC endpoint configurations with security group details
+
+- **`external`**: External network configuration (when using existing VPC):
+  - `vpc_id`: VPC ID
+  - `node_subnet_ids`: Subnet IDs for worker nodes
+  - `control_plane_subnet_ids`: Subnet IDs for control plane
+
+### `cluster_storage_classes`
+
+Map of storage class configurations. Contains:
+
+- **`default`**: List of default storage classes (e.g., `standard`, `golden`, `platinum`). Each storage class includes:
+  - `id`: Storage class name
+  - `allow_volume_expansion`: Whether volume expansion is allowed
+  - `reclaim_policy`: Policy (e.g., "Retain")
+  - `volume_binding_mode`: Binding mode (e.g., "WaitForFirstConsumer")
+  - `storage_provisioner`: Provisioner (e.g., "ebs.csi.aws.com")
+  - `parameters`: Map of storage class parameters (e.g., `type`, `encrypted`, `csi.storage.k8s.io/fstype`)
+  - `metadata`: List containing Kubernetes metadata (annotations, labels, name, etc.)
+
+- **`additional`**: List of additional custom storage classes (if configured)
+
+### `cluster_autoscaler_resources`
+
+Autoscaler resource names for use by cluster users. Contains:
+
+- **`default`**: Default autoscaler resources:
+  - `ec2_node_class`: Name of the default EC2NodeClass resource
+  - `node_pool`: Name of the default NodePool resource
+
+These can be referenced in Kubernetes manifests to use the default autoscaler configuration.
+
+### `cluster_ssm_params_paths`
+
+SSM Parameter Store paths for sensitive values stored by the module. Contains:
+
+- **`prometheus_stack`**: Prometheus/Grafana stack credentials:
+  - `grafana_root_username`: SSM parameter path for Grafana admin username
+  - `grafana_root_password`: SSM parameter path for Grafana admin password
+
+Use these paths to retrieve credentials from AWS Systems Manager Parameter Store.
+
+### Sensitive Outputs
+
+The following outputs are marked as sensitive and contain Helm chart values or deployment configurations:
+
+- **`cluster_autoscaler`**: Complete autoscaler (Karpenter) Helm chart values and deployment configuration
+- **`cluster_descheduler`**: Descheduler Helm chart values and deployment configuration
+- **`cluster_ingresses`**: Ingress controller configurations:
+  - `private`: Private ingress controller details:
+    - `values`: Helm chart values
+    - `hostname`: Load balancer hostname
+  - `public`: Public ingress controller details:
+    - `values`: Helm chart values
+    - `hostname`: Load balancer hostname
+- **`cluster_logging`**: Logging stack configuration:
+  - `storage`: Grafana Loki storage configuration (Helm values)
+  - `collector`: Promtail collector configuration (Helm values)
+- **`cluster_monitoring`**: Prometheus/Grafana monitoring stack Helm chart values and configuration
+- **`cluster_node_rebooter`**: Node rebooter/patcher Helm chart values and configuration
+
+**Note**: These sensitive outputs contain complete Helm chart configurations and should be handled carefully. They are primarily useful for debugging or when you need to reference specific deployment details in other Terraform configurations.
+

docs/GUIDES.md

@@ -45,7 +45,7 @@ locals {
 
 module "internal_network" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "5.19.0"
+  version = "5.20.0"
 
   create_vpc            = var.cluster_network_type == "internal"
   name                  = local.network_prefix_name

internal_network.tf

@@ -44,7 +44,7 @@ terraform-sec:
 > @docker run --rm -it -v "${PWD}:/src" aquasec/tfsec:v0.62.0 /src
 
 # It generates the README.md file. It depends on the rules in the specification of the rule.
-terraform-docs: clean
+terraform-docs:
 > @echo "[info] Formatting"
 > @terraform fmt -recursive
 > @echo "[info] Generating README.md."