feat(tf): update terragrunt dependency github.com/terraform-aws-modules/terraform-aws-eks to v20

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
github.com/terraform-aws-modules/terraform-aws-eks	github	major	v19.21.0 -> v20.8.5

---

Release Notes

terraform-aws-modules/terraform-aws-eks (github.com/terraform-aws-modules/terraform-aws-eks)

v20.8.5

Compare Source

Bug Fixes

• Forces cluster outputs to wait until access entries are complete (#​3000) (e2a39c0)

v20.8.4

Compare Source

Bug Fixes

• Pass nodeadm user data variables from root module down to nodegroup sub-modules (#​2981) (84effa0)

v20.8.3

Compare Source

Bug Fixes

• Ensure the correct service CIDR and IP family is used in the rendered user data (#​2963) (aeb9f0c)

v20.8.2

Compare Source

Bug Fixes

• Ensure a default ip_family value is provided to guarantee a CNI policy is attached to nodes (#​2967) (29dcca3)

v20.8.1

Compare Source

Bug Fixes

• Do not attach policy if Karpenter node role is not created by module (#​2964) (3ad19d7)

v20.8.0

Compare Source

Features

• Replace the use of toset() with static keys for node IAM role policy attachment (#​2962) (57f5130)

v20.7.0

Compare Source

Features

• Add supprot for creating placement group for managed node group (#​2959) (3031631)

v20.6.0

Compare Source

Features

• Add support for tracking latest AMI release version on managed nodegroups (#​2951) (393da7e)

v20.5.3

Compare Source

Bug Fixes

• Update AWS provider version to support AL2023_* AMI types; ensure AL2023 user data receives cluster service CIDR (#​2960) (dfe4114)

v20.5.2

Compare Source

Bug Fixes

• Use the launch_template_tags on the launch template (#​2957) (0ed32d7)

v20.5.1

Compare Source

Bug Fixes

• Update CI workflow versions to remove deprecated runtime warnings (#​2956) (d14cc92)

v20.5.0

Compare Source

Features

• Add support for AL2023 nodeadm user data (#​2942) (7c99bb1)

v20.4.0

Compare Source

Features

• Add support for enabling EFA resources (#​2936) (7f472ec)

v20.3.0

Compare Source

Features

• Add support for addon and identity provider custom tags (#​2938) (f6255c4)

v20.2.2

Compare Source

20.2.2 (2024-02-21)

Bug Fixes

• Replace Karpenter SQS policy dynamic service princpal DNS suffixes with static amazonaws.com (#​2941) (081c762)

v20.2.1

Compare Source

20.2.1 (2024-02-08)

Bug Fixes

• Karpenter enable_spot_termination = false should not result in an error (#​2907) (671fc6e)

v20.2.0

Compare Source

Features

• Allow enable/disable of EKS pod identity for the Karpenter controller (#​2902) (cc6919d)

v20.1.1

Compare Source

20.1.1 (2024-02-06)

Bug Fixes

• Update access entries kubernetes_groups default value to null (#​2897) (1e32e6a)

v20.1.0

Compare Source

Features

• Add output for access_policy_associations (#​2904) (0d2a4c2)

v20.0.1

Compare Source

20.0.1 (2024-02-03)

Bug Fixes

• Correct cluster access entry to create multiple policy associations per access entry (#​2892) (4177913)

v20.0.0

Compare Source

⚠ BREAKING CHANGES

• Replace the use of aws-auth configmap with EKS cluster access entry (#​2858)

See the UPGRADE-20.0.md guide for further details on the changes and guidance for upgrading

List of backwards incompatible changes

• Minium supported AWS provider version increased to v5.34
• Minimum supported Terraform version increased to v1.3 to support Terraform state moved blocks as well as other advanced features
• The resolve_conflicts argument within the cluster_addons configuration has been replaced with resolve_conflicts_on_create and resolve_conflicts_on_delete now that resolve_conflicts is deprecated
• The default/fallback value for the preserve argument of cluster_addonsis now set to true. This has shown to be useful for users deprovisioning clusters while avoiding the situation where the CNI is deleted too early and causes resources to be left orphaned resulting in conflicts.
• The Karpenter sub-module's use of the irsa naming convention has been removed, along with an update to the Karpenter controller IAM policy to align with Karpenter's v1beta1/v0.32 changes. Instead of referring to the role as irsa or pod_identity, its simply just an IAM role used by the Karpenter controller and there is support for use with either IRSA and/or Pod Identity (default) at this time
• The aws-auth ConfigMap resources have been moved to a standalone sub-module. This removes the Kubernetes provider requirement from the main module and allows for the aws-auth ConfigMap to be managed independently of the main module. This sub-module will be removed entirely in the next major release.
• Support for cluster access management has been added with the default authentication mode set as API_AND_CONFIG_MAP. This is a one way change if applied; if you wish to use CONFIG_MAP, you will need to set authentication_mode = "CONFIG_MAP" explicitly when upgrading.
• Karpenter EventBridge rule key spot_interrupt updated to correct mis-spelling (was spot_interupt). This will cause the rule to be replaced

Additional changes

Added

• A module tag has been added to the cluster control plane
• Support for cluster access entries. The bootstrap_cluster_creator_admin_permissions setting on the control plane has been hardcoded to false since this operation is a one time operation only at cluster creation per the EKS API. Instead, users can enable/disable enable_cluster_creator_admin_permissions at any time to achieve the same functionality. This takes the identity that Terraform is using to make API calls and maps it into a cluster admin via an access entry. For users on existing clusters, you will need to remove the default cluster administrator that was created by EKS prior to the cluster access entry APIs - see the section Removing the default cluster administrator for more details.
• Support for specifying the CloudWatch log group class (standard or infrequent access)
• Native support for Windows based managed nodegroups similar to AL2 and Bottlerocket
• Self-managed nodegroups now support instance_maintenance_policy and have added max_healthy_percentage, scale_in_protected_instances, and standby_instances arguments to the instance_refresh.preferences block

Modified

• For sts:AssumeRole permissions by services, the use of dynamically looking up the DNS suffix has been replaced with the static value of amazonaws.com. This does not appear to change by partition and instead requires users to set this manually for non-commercial regions.
• The default value for kms_key_enable_default_policy has changed from false to true to align with the default behavior of the aws_kms_key resource
• The Karpenter default value for create_instance_profile has changed from true to false to align with the changes in Karpenter v0.32
• The Karpenter variable create_instance_profile default value has changed from true to false. Starting with Karpenter v0.32.0, Karpenter accepts an IAM role and creates the EC2 instance profile used by the nodes

Removed

• The complete example has been removed due to its redundancy with the other examples
• References to the IRSA sub-module in the IAM repository have been removed. Once https://github.com/clowdhaus/terraform-aws-eks-pod-identity has been updated and moved into the organization, the documentation here will be updated to mention the new module.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.