Amazon EKS v3.8.1 published on Wednesday, Jan 29, 2025 by Pulumi

eks.NodeGroupV2


NodeGroup is a component that wraps the AWS EC2 instances that provide compute capacity for an EKS cluster.

Create NodeGroupV2 Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new NodeGroupV2(name: string, args: NodeGroupV2Args, opts?: ComponentResourceOptions);
@overload
def NodeGroupV2(resource_name: str,
                args: NodeGroupV2Args,
                opts: Optional[ResourceOptions] = None)

@overload
def NodeGroupV2(resource_name: str,
                opts: Optional[ResourceOptions] = None,
                cluster: Optional[Union[Cluster, CoreDataArgs]] = None,
                labels: Optional[Mapping[str, str]] = None,
                cluster_ingress_rule_id: Optional[str] = None,
                min_refresh_percentage: Optional[int] = None,
                bottlerocket_settings: Optional[Mapping[str, Any]] = None,
                cloud_formation_tags: Optional[Mapping[str, str]] = None,
                ami_type: Optional[str] = None,
                cluster_ingress_rule: Optional[pulumi_aws.ec2.SecurityGroupRule] = None,
                max_size: Optional[int] = None,
                desired_capacity: Optional[int] = None,
                enable_detailed_monitoring: Optional[bool] = None,
                encrypt_root_block_device: Optional[bool] = None,
                extra_node_security_groups: Optional[Sequence[pulumi_aws.ec2.SecurityGroup]] = None,
                launch_template_tag_specifications: Optional[Sequence[pulumi_aws.ec2.LaunchTemplateTagSpecificationArgs]] = None,
                ignore_scaling_changes: Optional[bool] = None,
                instance_profile: Optional[pulumi_aws.iam.InstanceProfile] = None,
                instance_profile_name: Optional[str] = None,
                instance_type: Optional[str] = None,
                key_name: Optional[str] = None,
                kubelet_extra_args: Optional[str] = None,
                ami_id: Optional[str] = None,
                gpu: Optional[bool] = None,
                auto_scaling_group_tags: Optional[Mapping[str, str]] = None,
                bootstrap_extra_args: Optional[str] = None,
                min_size: Optional[int] = None,
                node_associate_public_ip_address: Optional[bool] = None,
                node_public_key: Optional[str] = None,
                node_root_volume_delete_on_termination: Optional[bool] = None,
                node_root_volume_encrypted: Optional[bool] = None,
                node_root_volume_iops: Optional[int] = None,
                node_root_volume_size: Optional[int] = None,
                node_root_volume_throughput: Optional[int] = None,
                node_root_volume_type: Optional[str] = None,
                node_security_group: Optional[pulumi_aws.ec2.SecurityGroup] = None,
                node_security_group_id: Optional[str] = None,
                node_subnet_ids: Optional[Sequence[str]] = None,
                node_user_data: Optional[str] = None,
                node_user_data_override: Optional[str] = None,
                nodeadm_extra_options: Optional[Sequence[NodeadmOptionsArgs]] = None,
                operating_system: Optional[OperatingSystem] = None,
                spot_price: Optional[str] = None,
                taints: Optional[Mapping[str, TaintArgs]] = None,
                version: Optional[str] = None)
func NewNodeGroupV2(ctx *Context, name string, args NodeGroupV2Args, opts ...ResourceOption) (*NodeGroupV2, error)
public NodeGroupV2(string name, NodeGroupV2Args args, ComponentResourceOptions? opts = null)
public NodeGroupV2(String name, NodeGroupV2Args args)
public NodeGroupV2(String name, NodeGroupV2Args args, ComponentResourceOptions options)
type: eks:NodeGroupV2
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name This property is required. string
The unique name of the resource.
args This property is required. NodeGroupV2Args
The arguments to resource properties.
opts ComponentResourceOptions
Bag of options to control resource's behavior.
resource_name This property is required. str
The unique name of the resource.
args This property is required. NodeGroupV2Args
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args This property is required. NodeGroupV2Args
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name This property is required. string
The unique name of the resource.
args This property is required. NodeGroupV2Args
The arguments to resource properties.
opts ComponentResourceOptions
Bag of options to control resource's behavior.
name This property is required. String
The unique name of the resource.
args This property is required. NodeGroupV2Args
The arguments to resource properties.
options ComponentResourceOptions
Bag of options to control resource's behavior.

NodeGroupV2 Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The NodeGroupV2 resource accepts the following input properties:

Cluster This property is required. Pulumi.Eks.Cluster | CoreData
The target EKS cluster.
AmiId string

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

For more details, see:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
AmiType string

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

AutoScalingGroupTags Dictionary<string, string>

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

BootstrapExtraArgs string
Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.
BottlerocketSettings Dictionary<string, object>

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

  • settings.kubernetes.api-server
  • settings.kubernetes.cluster-certificate
  • settings.kubernetes.cluster-name
  • settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

CloudFormationTags Dictionary<string, string>

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

ClusterIngressRule Pulumi.Aws.Ec2.SecurityGroupRule
The ingress rule that gives node group access. This type is defined in the AWS Classic package.
ClusterIngressRuleId string
The ID of the ingress rule that gives node group access.
DesiredCapacity int
The number of worker nodes that should be running in the cluster. Defaults to 2.
EnableDetailedMonitoring bool

Enables/disables detailed monitoring of the EC2 instances.

With detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals. When enabled, you can also get aggregated data across groups of similar instances.

Note: You are charged per metric that is sent to CloudWatch. You are not charged for data storage. For more information, see "Paid tier" and "Example 1 - EC2 Detailed Monitoring" here https://aws.amazon.com/cloudwatch/pricing/.

EncryptRootBlockDevice bool
Encrypt the root block device of the nodes in the node group.
ExtraNodeSecurityGroups List<Pulumi.Aws.Ec2.SecurityGroup>

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

Gpu bool

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

For more details, see:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
  • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
IgnoreScalingChanges bool

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

InstanceProfile Pulumi.Aws.Iam.InstanceProfile
The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive. This type is defined in the AWS Classic package.
InstanceProfileName string
The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive.
InstanceType string
The instance type to use for the cluster's nodes. Defaults to "t3.medium".
KeyName string
Name of the key pair to use for SSH access to worker nodes.
KubeletExtraArgs string
Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubelet-extra-args flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after the explicit kubeletExtraArgs.
Labels Dictionary<string, string>
Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.
LaunchTemplateTagSpecifications List<Pulumi.Aws.Ec2.Inputs.LaunchTemplateTagSpecification>
The tag specifications to apply to the launch template.
MaxSize int
The maximum number of worker nodes running in the cluster. Defaults to 2.
MinRefreshPercentage int
The minimum number of instances that should remain available during an instance refresh, expressed as a percentage. Defaults to 50.
MinSize int
The minimum number of worker nodes running in the cluster. Defaults to 1.
NodeAssociatePublicIpAddress bool
Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.
NodePublicKey string
Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html. If not provided, no SSH access is enabled on VMs.
NodeRootVolumeDeleteOnTermination bool
Whether the root block device should be deleted on termination of the instance. Defaults to true.
NodeRootVolumeEncrypted bool
Whether to encrypt a cluster node's root volume. Defaults to false.
NodeRootVolumeIops int
The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'.
NodeRootVolumeSize int
The size in GiB of a cluster node's root volume. Defaults to 20.
NodeRootVolumeThroughput int
Provisioned throughput performance in integer MiB/s for a cluster node's root volume. This is only valid with a volumeType of 'gp3'.
NodeRootVolumeType string
Configured EBS type for a cluster node's root volume. Default is 'gp2'. Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'.
NodeSecurityGroup Pulumi.Aws.Ec2.SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

For more details, see: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster option nodeSecurityGroupTags are mutually exclusive. This type is defined in the AWS Classic package.

NodeSecurityGroupId string

The ID of the security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

For more details, see: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroupId option and the cluster option nodeSecurityGroupTags are mutually exclusive.

NodeSubnetIds List<string>

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless of whether the cluster's subnetIds is set, or whether publicSubnetIds and/or privateSubnetIds were set.

NodeUserData string
Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).
NodeUserDataOverride string

User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).

For more details, see: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

NodeadmExtraOptions List<NodeadmOptions>

Extra nodeadm configuration sections to be added to the nodeadm user data. This can be shell scripts, nodeadm NodeConfig or any other user data compatible script. When configuring additional nodeadm NodeConfig sections, they'll be merged with the base settings the provider sets. You can overwrite base settings or provide additional settings this way. The base settings the provider sets are:

  • cluster.name
  • cluster.apiServerEndpoint
  • cluster.certificateAuthority
  • cluster.cidr

Note: This is only applicable when using AL2023. For more details, see:

  • https://awslabs.github.io/amazon-eks-ami/nodeadm/
  • https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/
OperatingSystem Pulumi.Eks.OperatingSystem

The type of OS to use for the node group. Will be used to determine the right EKS optimized AMI to use based on the instance types and gpu configuration. Valid values are RECOMMENDED, AL2, AL2023 and Bottlerocket.

Defaults to the current recommended OS.

SpotPrice string
Bidding price for spot instances. If set, only spot instances will be added as worker nodes.
Taints Dictionary<string, TaintArgs>
Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument.
Version string
Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
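
The constraints documented for these inputs (mutually exclusive pairs, options tied to a root volume type, the #! requirement for nodeUserData, nodeadm options being AL2023-only) can be checked before a deployment is attempted. The following is an added example, not code from Pulumi or from this page: it assumes the arguments are held as a plain Python dict of literal values keyed by the snake_case names from the Python constructor, and its WARN rules are this example's own review policy rather than provider requirements.

```python
from typing import Any, List, Mapping, Tuple

# Pairs this page documents as mutually exclusive.
EXCLUSIVE_PAIRS = [
    ("ami_id", "gpu"),
    ("ami_type", "gpu"),
    ("instance_profile", "instance_profile_name"),
]


def lint_node_group_args(args: Mapping[str, Any]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for a dict of NodeGroupV2 inputs."""
    findings: List[Tuple[str, str]] = []

    def is_set(key: str) -> bool:
        # Falsy values count as unset, so gpu=False does not clash with ami_id.
        return bool(args.get(key))

    for first, second in EXCLUSIVE_PAIRS:
        if is_set(first) and is_set(second):
            findings.append(("ERROR", f"{first} and {second} are mutually exclusive"))

    # A tag belongs in autoScalingGroupTags or cloudFormationTags, not both.
    shared = set(args.get("auto_scaling_group_tags") or {}) & set(
        args.get("cloud_formation_tags") or {})
    for tag in sorted(shared):
        findings.append(("ERROR", f"tag {tag!r} is set in both auto_scaling_group_tags "
                                  "and cloud_formation_tags"))

    # Volume options are only valid with specific volume types (as documented here).
    volume_type = args.get("node_root_volume_type") or "gp2"  # documented default
    if is_set("node_root_volume_iops") and volume_type != "io1":
        findings.append(("ERROR", "node_root_volume_iops is only valid with 'io1'"))
    if is_set("node_root_volume_throughput") and volume_type != "gp3":
        findings.append(("ERROR", "node_root_volume_throughput is only valid with 'gp3'"))

    # nodeUserData must begin with an interpreter directive.
    user_data = args.get("node_user_data")
    if user_data and not user_data.startswith("#!"):
        findings.append(("ERROR", "node_user_data must begin with '#!'"))

    # Assumption: operating_system is given as one of the strings listed on the page.
    if is_set("nodeadm_extra_options") and args.get("operating_system") in ("AL2", "Bottlerocket"):
        findings.append(("ERROR", "nodeadm_extra_options is only applicable to AL2023"))

    # Review items (this example's policy, not provider requirements).
    if not (args.get("node_root_volume_encrypted") or args.get("encrypt_root_block_device")):
        findings.append(("WARN", "root volume encryption is not enabled "
                                 "(node_root_volume_encrypted defaults to false)"))
    if args.get("node_associate_public_ip_address") is not False:
        findings.append(("WARN", "node_associate_public_ip_address is not explicitly False"))
    if is_set("key_name") or is_set("node_public_key"):
        findings.append(("WARN", "SSH access to worker nodes is enabled"))
    return findings


# Constructed sample inputs (all values are placeholders made up for this example).
SAMPLE_ARGS = {
    "ami_id": "ami-0123456789abcdef0",
    "gpu": True,
    "instance_type": "t3.medium",
    "node_root_volume_type": "gp3",
    "node_root_volume_iops": 3000,
    "node_root_volume_throughput": 125,
    "node_user_data": "echo hello",
    "auto_scaling_group_tags": {"team": "platform"},
    "cloud_formation_tags": {"team": "platform", "env": "dev"},
    "key_name": "ops-key",
}

HARDENED_ARGS = {
    "instance_type": "t3.medium",
    "node_root_volume_type": "gp3",
    "node_root_volume_throughput": 125,
    "node_root_volume_encrypted": True,
    "node_associate_public_ip_address": False,
    "node_user_data": "#!/bin/bash\necho ready\n",
    "cloud_formation_tags": {"env": "dev"},
}

if __name__ == "__main__":
    for label, sample in (("sample", SAMPLE_ARGS), ("hardened", HARDENED_ARGS)):
        results = lint_node_group_args(sample)
        print(f"{label}: {len(results)} finding(s)")
        for severity, message in results:
            print(f"  {severity}: {message}")
```
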
Cluster This property is required. Cluster | CoreDataArgs
The target EKS cluster.
AmiId string

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

For more details, see:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
AmiType string

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

AutoScalingGroupTags map[string]string

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

BootstrapExtraArgs string
Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.
BottlerocketSettings map[string]interface{}

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

  • settings.kubernetes.api-server
  • settings.kubernetes.cluster-certificate
  • settings.kubernetes.cluster-name
  • settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

CloudFormationTags map[string]string

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

ClusterIngressRule SecurityGroupRule
The ingress rule that gives node group access. This type is defined in the AWS Classic package.
ClusterIngressRuleId string
The ID of the ingress rule that gives node group access.
DesiredCapacity int
The number of worker nodes that should be running in the cluster. Defaults to 2.
EnableDetailedMonitoring bool

Enables/disables detailed monitoring of the EC2 instances.

With detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals. When enabled, you can also get aggregated data across groups of similar instances.

Note: You are charged per metric that is sent to CloudWatch. You are not charged for data storage. For more information, see "Paid tier" and "Example 1 - EC2 Detailed Monitoring" here https://aws.amazon.com/cloudwatch/pricing/.

EncryptRootBlockDevice bool
Encrypt the root block device of the nodes in the node group.
ExtraNodeSecurityGroups SecurityGroup

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

Gpu bool

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

For more details, see:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
  • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
IgnoreScalingChanges bool

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

InstanceProfile InstanceProfile
The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive. This type is defined in the AWS Classic package.
InstanceProfileName string
The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive.
InstanceType string
The instance type to use for the cluster's nodes. Defaults to "t3.medium".
KeyName string
Name of the key pair to use for SSH access to worker nodes.
KubeletExtraArgs string
Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubelet-extra-args flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after the explicit kubeletExtraArgs.
Labels map[string]string
Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.
LaunchTemplateTagSpecifications LaunchTemplateTagSpecificationArgs
The tag specifications to apply to the launch template.
MaxSize int
The maximum number of worker nodes running in the cluster. Defaults to 2.
MinRefreshPercentage int
The minimum number of instances that should remain available during an instance refresh, expressed as a percentage. Defaults to 50.
MinSize int
The minimum number of worker nodes running in the cluster. Defaults to 1.
NodeAssociatePublicIpAddress bool
Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.
NodePublicKey string
Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html. If not provided, no SSH access is enabled on VMs.
NodeRootVolumeDeleteOnTermination bool
Whether the root block device should be deleted on termination of the instance. Defaults to true.
NodeRootVolumeEncrypted bool
Whether to encrypt a cluster node's root volume. Defaults to false.
NodeRootVolumeIops int
The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'.
NodeRootVolumeSize int
The size in GiB of a cluster node's root volume. Defaults to 20.
NodeRootVolumeThroughput int
Provisioned throughput performance in integer MiB/s for a cluster node's root volume. This is only valid with a volumeType of 'gp3'.
NodeRootVolumeType string
Configured EBS type for a cluster node's root volume. Default is 'gp2'. Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'.
NodeSecurityGroup SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

For more details, see: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster option nodeSecurityGroupTags are mutually exclusive. This type is defined in the AWS Classic package.

NodeSecurityGroupId string

The ID of the security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

For more details, see: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroupId option and the cluster option nodeSecurityGroupTags are mutually exclusive.

NodeSubnetIds []string

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless of whether the cluster's subnetIds is set, or whether publicSubnetIds and/or privateSubnetIds were set.

NodeUserData string
Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).
NodeUserDataOverride string

User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).

For more details, see: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

NodeadmExtraOptions []NodeadmOptionsArgs

Extra nodeadm configuration sections to be added to the nodeadm user data. This can be shell scripts, nodeadm NodeConfig or any other user data compatible script. When configuring additional nodeadm NodeConfig sections, they'll be merged with the base settings the provider sets. You can overwrite base settings or provide additional settings this way. The base settings the provider sets are:

  • cluster.name
  • cluster.apiServerEndpoint
  • cluster.certificateAuthority
  • cluster.cidr

Note: This is only applicable when using AL2023. For more details, see:

  • https://awslabs.github.io/amazon-eks-ami/nodeadm/
  • https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/
OperatingSystem OperatingSystem

The type of OS to use for the node group. Will be used to determine the right EKS optimized AMI to use based on the instance types and gpu configuration. Valid values are RECOMMENDED, AL2, AL2023 and Bottlerocket.

Defaults to the current recommended OS.

SpotPrice string
Bidding price for spot instances. If set, only spot instances will be added as worker nodes.
Taints map[string]TaintArgs
Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument.
Version string
Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
cluster This property is required. Cluster | CoreData
The target EKS cluster.
amiId String

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

For more details, see:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
amiType String

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

autoScalingGroupTags Map<String,String>

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

bootstrapExtraArgs String
Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.
bottlerocketSettings Map<String,Object>

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

  • settings.kubernetes.api-server
  • settings.kubernetes.cluster-certificate
  • settings.kubernetes.cluster-name
  • settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

cloudFormationTags Map<String,String>

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

clusterIngressRule SecurityGroupRule
The ingress rule that gives node group access. This type is defined in the AWS Classic package.
clusterIngressRuleId String
The ID of the ingress rule that gives node group access.
desiredCapacity Integer
The number of worker nodes that should be running in the cluster. Defaults to 2.
enableDetailedMonitoring Boolean

Enables/disables detailed monitoring of the EC2 instances.

With detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals. When enabled, you can also get aggregated data across groups of similar instances.

Note: You are charged per metric that is sent to CloudWatch. You are not charged for data storage. For more information, see "Paid tier" and "Example 1 - EC2 Detailed Monitoring" here https://aws.amazon.com/cloudwatch/pricing/.

encryptRootBlockDevice Boolean
Encrypt the root block device of the nodes in the node group.
extraNodeSecurityGroups List<SecurityGroup>

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

gpu Boolean

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

For more details, see:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
  • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
ignoreScalingChanges Boolean

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

instanceProfile InstanceProfile
The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive. This type is defined in the AWS Classic package.
instanceProfileName String
The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive.
instanceType String
The instance type to use for the cluster's nodes. Defaults to "t3.medium".
keyName String
Name of the key pair to use for SSH access to worker nodes.
kubeletExtraArgs String
Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubelet-extra-args flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after the explicit kubeletExtraArgs.
labels Map<String,String>
Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.
launchTemplateTagSpecifications List<LaunchTemplateTagSpecification>
The tag specifications to apply to the launch template.
maxSize Integer
The maximum number of worker nodes running in the cluster. Defaults to 2.
minRefreshPercentage Integer
The minimum number of instances that should remain available during an instance refresh, expressed as a percentage. Defaults to 50.
minSize Integer
The minimum number of worker nodes running in the cluster. Defaults to 1.
nodeAssociatePublicIpAddress Boolean
Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.
nodePublicKey String
Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html. If not provided, no SSH access is enabled on VMs.
nodeRootVolumeDeleteOnTermination Boolean
Whether the root block device should be deleted on termination of the instance. Defaults to true.
nodeRootVolumeEncrypted Boolean
Whether to encrypt a cluster node's root volume. Defaults to false.
nodeRootVolumeIops Integer
The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'.
nodeRootVolumeSize Integer
The size in GiB of a cluster node's root volume. Defaults to 20.
nodeRootVolumeThroughput Integer
Provisioned throughput performance in integer MiB/s for a cluster node's root volume. This is only valid with a volumeType of 'gp3'.
nodeRootVolumeType String
Configured EBS type for a cluster node's root volume. Default is 'gp2'. Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'.
nodeSecurityGroup SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

For more details, see: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster option nodeSecurityGroupTags are mutually exclusive. This type is defined in the AWS Classic package.

nodeSecurityGroupId String

The ID of the security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

For more details, see: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroupId option and the cluster option nodeSecurityGroupTags are mutually exclusive.

nodeSubnetIds List<String>

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless if the cluster's subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

nodeUserData String
Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).
nodeUserDataOverride String

User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).

For more details, see: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

nodeadmExtraOptions List<NodeadmOptions>

Extra nodeadm configuration sections to be added to the nodeadm user data. This can be shell scripts, nodeadm NodeConfig or any other user data compatible script. When configuring additional nodeadm NodeConfig sections, they'll be merged with the base settings the provider sets. You can overwrite base settings or provide additional settings this way. The base settings the provider sets are:

  • cluster.name
  • cluster.apiServerEndpoint
  • cluster.certificateAuthority
  • cluster.cidr

Note: This is only applicable when using AL2023. For more details, see:

  • https://awslabs.github.io/amazon-eks-ami/nodeadm/
  • https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/
operatingSystem OperatingSystem

The type of OS to use for the node group. Will be used to determine the right EKS optimized AMI to use based on the instance types and gpu configuration. Valid values are RECOMMENDED, AL2, AL2023 and Bottlerocket.

Defaults to the current recommended OS.

spotPrice String
Bidding price for spot instances. If set, only spot instances will be added as worker nodes.
taints Map<String,TaintArgs>
Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument.
version String
Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
cluster This property is required. Cluster | CoreData
The target EKS cluster.
amiId string

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

For more details, see:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
amiType string

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

autoScalingGroupTags {[key: string]: string}

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

bootstrapExtraArgs string
Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.
bottlerocketSettings {[key: string]: any}

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

  • settings.kubernetes.api-server
  • settings.kubernetes.cluster-certificate
  • settings.kubernetes.cluster-name
  • settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

cloudFormationTags {[key: string]: string}

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

clusterIngressRule pulumiAwsec2SecurityGroupRule
The ingress rule that gives node group access. This type is defined in the AWS Classic package.
clusterIngressRuleId string
The ID of the ingress rule that gives node group access.
desiredCapacity number
The number of worker nodes that should be running in the cluster. Defaults to 2.
enableDetailedMonitoring boolean

Enables/disables detailed monitoring of the EC2 instances.

With detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals. When enabled, you can also get aggregated data across groups of similar instances.

Note: You are charged per metric that is sent to CloudWatch. You are not charged for data storage. For more information, see "Paid tier" and "Example 1 - EC2 Detailed Monitoring" here https://aws.amazon.com/cloudwatch/pricing/.

encryptRootBlockDevice boolean
Encrypt the root block device of the nodes in the node group.
extraNodeSecurityGroups pulumiAwsec2SecurityGroup[]

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

gpu boolean

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

For more details, see:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
  • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
ignoreScalingChanges boolean

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

instanceProfile pulumiAwsiamInstanceProfile
The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive. This type is defined in the AWS Classic package.
instanceProfileName string
The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive.
instanceType string
The instance type to use for the cluster's nodes. Defaults to "t3.medium".
keyName string
Name of the key pair to use for SSH access to worker nodes.
kubeletExtraArgs string
Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubelet-extra-args flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after the explicit kubeletExtraArgs.
labels {[key: string]: string}
Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.
launchTemplateTagSpecifications pulumiAwstypesinputec2LaunchTemplateTagSpecification[]
The tag specifications to apply to the launch template.
maxSize number
The maximum number of worker nodes running in the cluster. Defaults to 2.
minRefreshPercentage number
The minimum amount of instances that should remain available during an instance refresh, expressed as a percentage. Defaults to 50.
minSize number
The minimum number of worker nodes running in the cluster. Defaults to 1.
nodeAssociatePublicIpAddress boolean
Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.
nodePublicKey string
Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.
nodeRootVolumeDeleteOnTermination boolean
Whether the root block device should be deleted on termination of the instance. Defaults to true.
nodeRootVolumeEncrypted boolean
Whether to encrypt a cluster node's root volume. Defaults to false.
nodeRootVolumeIops number
The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'.
nodeRootVolumeSize number
The size in GiB of a cluster node's root volume. Defaults to 20.
nodeRootVolumeThroughput number
Provisioned throughput performance in integer MiB/s for a cluster node's root volume. This is only valid with a volumeType of 'gp3'.
nodeRootVolumeType string
Configured EBS type for a cluster node's root volume. Default is 'gp2'. Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'.
nodeSecurityGroup pulumiAwsec2SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

For more details, see: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster option nodeSecurityGroupTags are mutually exclusive. This type is defined in the AWS Classic package.

nodeSecurityGroupId string

The ID of the security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

For more details, see: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroupId option and the cluster option nodeSecurityGroupTags are mutually exclusive.

nodeSubnetIds string[]

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless if the cluster's subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

nodeUserData string
Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).
nodeUserDataOverride string

User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).

For more details, see: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

nodeadmExtraOptions NodeadmOptions[]

Extra nodeadm configuration sections to be added to the nodeadm user data. This can be shell scripts, nodeadm NodeConfig or any other user data compatible script. When configuring additional nodeadm NodeConfig sections, they'll be merged with the base settings the provider sets. You can overwrite base settings or provide additional settings this way. The base settings the provider sets are:

  • cluster.name
  • cluster.apiServerEndpoint
  • cluster.certificateAuthority
  • cluster.cidr

Note: This is only applicable when using AL2023. For more details, see:

  • https://awslabs.github.io/amazon-eks-ami/nodeadm/
  • https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/
operatingSystem OperatingSystem

The type of OS to use for the node group. Will be used to determine the right EKS optimized AMI to use based on the instance types and gpu configuration. Valid values are RECOMMENDED, AL2, AL2023 and Bottlerocket.

Defaults to the current recommended OS.

spotPrice string
Bidding price for spot instances. If set, only spot instances will be added as worker nodes.
taints {[key: string]: TaintArgs}
Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument.
version string
Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
cluster This property is required. Cluster | CoreDataArgs
The target EKS cluster.
ami_id str

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

For more details, see:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
ami_type str

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

auto_scaling_group_tags Mapping[str, str]

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

bootstrap_extra_args str
Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.
bottlerocket_settings Mapping[str, Any]

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

  • settings.kubernetes.api-server
  • settings.kubernetes.cluster-certificate
  • settings.kubernetes.cluster-name
  • settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

cloud_formation_tags Mapping[str, str]

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

cluster_ingress_rule pulumi_aws.ec2.SecurityGroupRule
The ingress rule that gives node group access. This type is defined in the AWS Classic package.
cluster_ingress_rule_id str
The ID of the ingress rule that gives node group access.
desired_capacity int
The number of worker nodes that should be running in the cluster. Defaults to 2.
enable_detailed_monitoring bool

Enables/disables detailed monitoring of the EC2 instances.

With detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals. When enabled, you can also get aggregated data across groups of similar instances.

Note: You are charged per metric that is sent to CloudWatch. You are not charged for data storage. For more information, see "Paid tier" and "Example 1 - EC2 Detailed Monitoring" here https://aws.amazon.com/cloudwatch/pricing/.

encrypt_root_block_device bool
Encrypt the root block device of the nodes in the node group.
extra_node_security_groups Sequence[pulumi_aws.ec2.SecurityGroup]

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

gpu bool

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

For more details, see:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
  • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
ignore_scaling_changes bool

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

instance_profile pulumi_aws.iam.InstanceProfile
The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive. This type is defined in the AWS Classic package.
instance_profile_name str
The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive.
instance_type str
The instance type to use for the cluster's nodes. Defaults to "t3.medium".
key_name str
Name of the key pair to use for SSH access to worker nodes.
kubelet_extra_args str
Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubelet-extra-args flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after the explicit kubeletExtraArgs.
labels Mapping[str, str]
Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.
launch_template_tag_specifications Sequence[pulumi_aws.ec2.LaunchTemplateTagSpecificationArgs]
The tag specifications to apply to the launch template.
max_size int
The maximum number of worker nodes running in the cluster. Defaults to 2.
min_refresh_percentage int
The minimum amount of instances that should remain available during an instance refresh, expressed as a percentage. Defaults to 50.
min_size int
The minimum number of worker nodes running in the cluster. Defaults to 1.
node_associate_public_ip_address bool
Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.
node_public_key str
Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.
node_root_volume_delete_on_termination bool
Whether the root block device should be deleted on termination of the instance. Defaults to true.
node_root_volume_encrypted bool
Whether to encrypt a cluster node's root volume. Defaults to false.
node_root_volume_iops int
The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'.
node_root_volume_size int
The size in GiB of a cluster node's root volume. Defaults to 20.
node_root_volume_throughput int
Provisioned throughput performance in integer MiB/s for a cluster node's root volume. This is only valid with a volumeType of 'gp3'.
node_root_volume_type str
Configured EBS type for a cluster node's root volume. Default is 'gp2'. Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'.
node_security_group pulumi_aws.ec2.SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

For more details, see: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster option nodeSecurityGroupTags are mutually exclusive. This type is defined in the AWS Classic package.

node_security_group_id str

The ID of the security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

For more details, see: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroupId option and the cluster option nodeSecurityGroupTags are mutually exclusive.

node_subnet_ids Sequence[str]

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless if the cluster's subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

node_user_data str
Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).
node_user_data_override str

User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).

For more details, see: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

nodeadm_extra_options Sequence[NodeadmOptionsArgs]

Extra nodeadm configuration sections to be added to the nodeadm user data. This can be shell scripts, nodeadm NodeConfig or any other user data compatible script. When configuring additional nodeadm NodeConfig sections, they'll be merged with the base settings the provider sets. You can overwrite base settings or provide additional settings this way. The base settings the provider sets are:

  • cluster.name
  • cluster.apiServerEndpoint
  • cluster.certificateAuthority
  • cluster.cidr

Note: This is only applicable when using AL2023. For more details, see:

  • https://awslabs.github.io/amazon-eks-ami/nodeadm/
  • https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/
operating_system OperatingSystem

The type of OS to use for the node group. Will be used to determine the right EKS optimized AMI to use based on the instance types and gpu configuration. Valid values are RECOMMENDED, AL2, AL2023 and Bottlerocket.

Defaults to the current recommended OS.

spot_price str
Bidding price for spot instances. If set, only spot instances will be added as worker nodes.
taints Mapping[str, TaintArgs]
Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument.
version str
Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
cluster This property is required. eks:Cluster | Property Map
The target EKS cluster.
amiId String

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

For more details, see:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
amiType String

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

autoScalingGroupTags Map<String>

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

bootstrapExtraArgs String
Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.
bottlerocketSettings Map<Any>

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

  • settings.kubernetes.api-server
  • settings.kubernetes.cluster-certificate
  • settings.kubernetes.cluster-name
  • settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

cloudFormationTags Map<String>

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

clusterIngressRule aws:ec2:SecurityGroupRule
The ingress rule that gives node group access. This type is defined in the AWS Classic package.
clusterIngressRuleId String
The ID of the ingress rule that gives node group access.
desiredCapacity Number
The number of worker nodes that should be running in the cluster. Defaults to 2.
enableDetailedMonitoring Boolean

Enables/disables detailed monitoring of the EC2 instances.

With detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals. When enabled, you can also get aggregated data across groups of similar instances.

Note: You are charged per metric that is sent to CloudWatch. You are not charged for data storage. For more information, see "Paid tier" and "Example 1 - EC2 Detailed Monitoring" here https://aws.amazon.com/cloudwatch/pricing/.

encryptRootBlockDevice Boolean
Encrypt the root block device of the nodes in the node group.
extraNodeSecurityGroups List<aws:ec2:SecurityGroup>

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

gpu Boolean

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

For more details, see:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
  • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
ignoreScalingChanges Boolean

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

instanceProfile aws:iam:InstanceProfile
The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive. This type is defined in the AWS Classic package.
instanceProfileName String
The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive.
instanceType String
The instance type to use for the cluster's nodes. Defaults to "t3.medium".
keyName String
Name of the key pair to use for SSH access to worker nodes.
kubeletExtraArgs String
Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubelet-extra-args flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after the explicit kubeletExtraArgs.
labels Map<String>
Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.
launchTemplateTagSpecifications List<Property Map>
The tag specifications to apply to the launch template.
maxSize Number
The maximum number of worker nodes running in the cluster. Defaults to 2.
minRefreshPercentage Number
The minimum amount of instances that should remain available during an instance refresh, expressed as a percentage. Defaults to 50.
minSize Number
The minimum number of worker nodes running in the cluster. Defaults to 1.
nodeAssociatePublicIpAddress Boolean
Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.
nodePublicKey String
Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.
nodeRootVolumeDeleteOnTermination Boolean
Whether the root block device should be deleted on termination of the instance. Defaults to true.
nodeRootVolumeEncrypted Boolean
Whether to encrypt a cluster node's root volume. Defaults to false.
nodeRootVolumeIops Number
The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'.
nodeRootVolumeSize Number
The size in GiB of a cluster node's root volume. Defaults to 20.
nodeRootVolumeThroughput Number
Provisioned throughput performance in integer MiB/s for a cluster node's root volume. This is only valid with a volumeType of 'gp3'.
nodeRootVolumeType String
Configured EBS type for a cluster node's root volume. Default is 'gp2'. Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'.
nodeSecurityGroup aws:ec2:SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

For more details, see: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster option nodeSecurityGroupTags are mutually exclusive. This type is defined in the AWS Classic package.

nodeSecurityGroupId String

The ID of the security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

For more details, see: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroupId option and the cluster option nodeSecurityGroupTags are mutually exclusive.

nodeSubnetIds List<String>

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless if the cluster's subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

nodeUserData String
Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).
nodeUserDataOverride String

User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).

For more details, see: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

nodeadmExtraOptions List<Property Map>

Extra nodeadm configuration sections to be added to the nodeadm user data. This can be shell scripts, nodeadm NodeConfig or any other user data compatible script. When configuring additional nodeadm NodeConfig sections, they'll be merged with the base settings the provider sets. You can overwrite base settings or provide additional settings this way. The base settings the provider sets are:

  • cluster.name
  • cluster.apiServerEndpoint
  • cluster.certificateAuthority
  • cluster.cidr

Note: This is only applicable when using AL2023. See for more details:

  • https://awslabs.github.io/amazon-eks-ami/nodeadm/
  • https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/
operatingSystem "AL2" | "AL2023" | "Bottlerocket" | "AL2023"

The type of OS to use for the node group. Will be used to determine the right EKS optimized AMI to use based on the instance types and gpu configuration. Valid values are RECOMMENDED, AL2, AL2023 and Bottlerocket.

Defaults to the current recommended OS.

spotPrice String
Bidding price for spot instance. If set, only spot instances will be added as worker node.
taints Map<Property Map>
Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument
version String
Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
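
The constraints stated in the input descriptions above (mutually exclusive options, volume-type dependencies, the #! requirement for nodeUserData, the AL2023-only nodeadmExtraOptions) can be checked before a deployment. The following TypeScript is an added example, not code from the Pulumi EKS provider; the NodeGroupOptions subset, the hasInstanceProfile flag, the rule names and both sample configurations are assumptions constructed for illustration.

```typescript
// Added example: pre-deployment lint built from the constraints stated in
// the property descriptions on this page. NodeGroupOptions is a hand-written
// subset for illustration, not the provider's own type.
interface NodeGroupOptions {
  amiId?: string;
  amiType?: string;
  gpu?: boolean;
  hasInstanceProfile?: boolean; // hypothetical: an instanceProfile resource was passed
  instanceProfileName?: string;
  operatingSystem?: "AL2" | "AL2023" | "Bottlerocket";
  nodeadmExtraOptions?: unknown[];
  nodeUserData?: string;
  nodeRootVolumeType?: string;
  nodeRootVolumeIops?: number;
  nodeRootVolumeThroughput?: number;
  nodeRootVolumeEncrypted?: boolean;
  encryptRootBlockDevice?: boolean;
  nodeAssociatePublicIpAddress?: boolean;
  keyName?: string;
  nodePublicKey?: string;
  autoScalingGroupTags?: Record<string, string>;
  cloudFormationTags?: Record<string, string>;
}

type Level = "error" | "review";
interface Finding { level: Level; rule: string; message: string; }

function lintNodeGroup(o: NodeGroupOptions): Finding[] {
  const out: Finding[] = [];
  const add = (level: Level, rule: string, message: string): void => {
    out.push({ level, rule, message });
  };

  // Option pairs the page documents as mutually exclusive.
  if (o.gpu === true && o.amiId !== undefined)
    add("error", "amiId-gpu", "amiId and gpu are mutually exclusive");
  if (o.gpu === true && o.amiType !== undefined)
    add("error", "amiType-gpu", "amiType and gpu are mutually exclusive");
  if (o.hasInstanceProfile === true && o.instanceProfileName !== undefined)
    add("error", "instance-profile", "instanceProfile and instanceProfileName are mutually exclusive");

  // nodeadmExtraOptions only applies on AL2023. An unset operatingSystem falls
  // back to the recommended OS, so only an explicit mismatch is flagged.
  if (o.nodeadmExtraOptions !== undefined && o.nodeadmExtraOptions.length > 0 &&
      o.operatingSystem !== undefined && o.operatingSystem !== "AL2023")
    add("error", "nodeadm-os", "nodeadmExtraOptions is only applicable when using AL2023");

  // nodeUserData must begin with an interpreter directive.
  if (o.nodeUserData !== undefined && o.nodeUserData.slice(0, 2) !== "#!")
    add("error", "userdata-shebang", "nodeUserData must begin with #!");

  // Root volume: IOPS is valid only with io1, throughput only with gp3.
  // The documented default volume type is gp2.
  const volType = o.nodeRootVolumeType === undefined ? "gp2" : o.nodeRootVolumeType;
  if (o.nodeRootVolumeIops !== undefined && volType !== "io1")
    add("error", "iops-volume-type", `nodeRootVolumeIops is only valid with io1, got ${volType}`);
  if (o.nodeRootVolumeThroughput !== undefined && volType !== "gp3")
    add("error", "throughput-volume-type", `nodeRootVolumeThroughput is only valid with gp3, got ${volType}`);

  // nodeRootVolumeEncrypted defaults to false, so encryption must be requested.
  if (o.nodeRootVolumeEncrypted !== true && o.encryptRootBlockDevice !== true)
    add("review", "root-volume-unencrypted", "root volume encryption is not enabled");

  // Supplying a key pair or public key enables SSH access to worker nodes.
  if (o.keyName !== undefined || o.nodePublicKey !== undefined)
    add("review", "ssh-enabled", "keyName/nodePublicKey enables SSH access to worker nodes");

  // Explicitly requesting public IPs on worker nodes deserves a second look.
  if (o.nodeAssociatePublicIpAddress === true)
    add("review", "public-ip", "worker nodes will be auto-assigned public IPs");

  // A tag should be supplied in autoScalingGroupTags or cloudFormationTags, not both.
  const asgTags = o.autoScalingGroupTags || {};
  const cfTags = o.cloudFormationTags || {};
  Object.keys(asgTags).forEach((key) => {
    if (Object.prototype.hasOwnProperty.call(cfTags, key))
      add("review", "duplicate-tag", `tag "${key}" is set in both tag maps`);
  });

  return out;
}

function ruleIds(findings: Finding[]): string[] {
  return findings.map((f) => f.rule).sort();
}

// Constructed sample inputs (not taken from any real stack).
const constructedRisky: NodeGroupOptions = {
  gpu: true, amiId: "ami-EXAMPLE", operatingSystem: "AL2",
  nodeadmExtraOptions: [{}], nodeUserData: "echo hello",
  nodeRootVolumeType: "gp3", nodeRootVolumeIops: 3000,
  keyName: "example-key", nodeAssociatePublicIpAddress: true,
  autoScalingGroupTags: { team: "a" }, cloudFormationTags: { team: "a" },
};
const constructedHardened: NodeGroupOptions = {
  operatingSystem: "AL2023", nodeadmExtraOptions: [{}],
  nodeUserData: "#!/bin/bash\nset -euo pipefail\n",
  nodeRootVolumeType: "gp3", nodeRootVolumeThroughput: 125,
  nodeRootVolumeEncrypted: true, nodeAssociatePublicIpAddress: false,
  cloudFormationTags: { team: "a" },
};

console.log(ruleIds(lintNodeGroup(constructedRisky)).join(", "));
console.log(lintNodeGroup(constructedHardened).length);
```

Findings at the "error" level correspond to combinations the descriptions call invalid; "review" findings are valid settings whose documented effect (SSH access, public IPs, unencrypted root volume, duplicated tags) should be a deliberate choice.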

Outputs

All input properties are implicitly available as output properties. Additionally, the NodeGroupV2 resource produces the following output properties:

AutoScalingGroup Pulumi.Aws.AutoScaling.Group
The AutoScalingGroup for the Node group. This type is defined in the AWS Classic package.
AutoScalingGroup Group
The AutoScalingGroup for the Node group. This type is defined in the AWS Classic package.
autoScalingGroup Group
The AutoScalingGroup for the Node group. This type is defined in the AWS Classic package.
autoScalingGroup pulumiAws.autoscaling.Group
The AutoScalingGroup for the Node group. This type is defined in the AWS Classic package.
auto_scaling_group pulumi_aws.autoscaling.Group
The AutoScalingGroup for the Node group. This type is defined in the AWS Classic package.
autoScalingGroup aws:autoscaling:Group
The AutoScalingGroup for the Node group. This type is defined in the AWS Classic package.

Supporting Types

AccessEntry, AccessEntryArgs

PrincipalArn This property is required. string
The IAM Principal ARN which requires Authentication access to the EKS cluster.
AccessPolicies Dictionary<string, AccessPolicyAssociation>
The access policies to associate to the access entry.
KubernetesGroups List<string>
A list of groups within Kubernetes to which the IAM principal is mapped.
Tags Dictionary<string, string>
The tags to apply to the AccessEntry.
Type Pulumi.Eks.AccessEntryType
The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX, EC2_LINUX, and EC2_WINDOWS. Defaults to STANDARD, which provides the standard workflow. The EC2_LINUX, EC2_WINDOWS and FARGATE_LINUX types do not allow a username or kubernetesGroup to be set, and prevent associating access policies.
Username string
Defaults to the principalArn if the principal is a user, else defaults to assume-role/session-name.
PrincipalArn This property is required. string
The IAM Principal ARN which requires Authentication access to the EKS cluster.
AccessPolicies map[string]AccessPolicyAssociation
The access policies to associate to the access entry.
KubernetesGroups []string
A list of groups within Kubernetes to which the IAM principal is mapped.
Tags map[string]string
The tags to apply to the AccessEntry.
Type AccessEntryType
The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX, EC2_LINUX, and EC2_WINDOWS. Defaults to STANDARD, which provides the standard workflow. The EC2_LINUX, EC2_WINDOWS and FARGATE_LINUX types do not allow a username or kubernetesGroup to be set, and prevent associating access policies.
Username string
Defaults to the principalArn if the principal is a user, else defaults to assume-role/session-name.
principalArn This property is required. String
The IAM Principal ARN which requires Authentication access to the EKS cluster.
accessPolicies Map<String,AccessPolicyAssociation>
The access policies to associate to the access entry.
kubernetesGroups List<String>
A list of groups within Kubernetes to which the IAM principal is mapped.
tags Map<String,String>
The tags to apply to the AccessEntry.
type AccessEntryType
The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX, EC2_LINUX, and EC2_WINDOWS. Defaults to STANDARD, which provides the standard workflow. The EC2_LINUX, EC2_WINDOWS and FARGATE_LINUX types do not allow a username or kubernetesGroup to be set, and prevent associating access policies.
username String
Defaults to the principalArn if the principal is a user, else defaults to assume-role/session-name.
principalArn This property is required. string
The IAM Principal ARN which requires Authentication access to the EKS cluster.
accessPolicies {[key: string]: AccessPolicyAssociation}
The access policies to associate to the access entry.
kubernetesGroups string[]
A list of groups within Kubernetes to which the IAM principal is mapped.
tags {[key: string]: string}
The tags to apply to the AccessEntry.
type AccessEntryType
The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX, EC2_LINUX, and EC2_WINDOWS. Defaults to STANDARD, which provides the standard workflow. The EC2_LINUX, EC2_WINDOWS and FARGATE_LINUX types do not allow a username or kubernetesGroup to be set, and prevent associating access policies.
username string
Defaults to the principalArn if the principal is a user, else defaults to assume-role/session-name.
principal_arn This property is required. str
The IAM Principal ARN which requires Authentication access to the EKS cluster.
access_policies Mapping[str, AccessPolicyAssociation]
The access policies to associate to the access entry.
kubernetes_groups Sequence[str]
A list of groups within Kubernetes to which the IAM principal is mapped.
tags Mapping[str, str]
The tags to apply to the AccessEntry.
type AccessEntryType
The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX, EC2_LINUX, and EC2_WINDOWS. Defaults to STANDARD, which provides the standard workflow. The EC2_LINUX, EC2_WINDOWS and FARGATE_LINUX types do not allow a username or kubernetesGroup to be set, and prevent associating access policies.
username str
Defaults to the principalArn if the principal is a user, else defaults to assume-role/session-name.
principalArn This property is required. String
The IAM Principal ARN which requires Authentication access to the EKS cluster.
accessPolicies Map<Property Map>
The access policies to associate to the access entry.
kubernetesGroups List<String>
A list of groups within Kubernetes to which the IAM principal is mapped.
tags Map<String>
The tags to apply to the AccessEntry.
type "STANDARD" | "FARGATE_LINUX" | "EC2_LINUX" | "EC2_WINDOWS" | "EC2"
The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX, EC2_LINUX, and EC2_WINDOWS. Defaults to STANDARD, which provides the standard workflow. The EC2_LINUX, EC2_WINDOWS and FARGATE_LINUX types do not allow a username or kubernetesGroup to be set, and prevent associating access policies.
username String
Defaults to the principalArn if the principal is a user, else defaults to assume-role/session-name.

AccessEntryType, AccessEntryTypeArgs

Standard
STANDARD: Standard Access Entry Workflow. Allows users to input a username and kubernetesGroup, and to associate access policies.
FargateLinux
FARGATE_LINUX: For IAM roles used with AWS Fargate profiles.
EC2Linux
EC2_LINUX: For IAM roles associated with self-managed Linux node groups. Allows the nodes to join the cluster.
EC2Windows
EC2_WINDOWS: For IAM roles associated with self-managed Windows node groups. Allows the nodes to join the cluster.
EC2
EC2: For IAM roles associated with EC2 instances that need access policies. Allows the nodes to join the cluster.
AccessEntryTypeStandard
STANDARD: Standard Access Entry Workflow. Allows users to input a username and kubernetesGroup, and to associate access policies.
AccessEntryTypeFargateLinux
FARGATE_LINUX: For IAM roles used with AWS Fargate profiles.
AccessEntryTypeEC2Linux
EC2_LINUX: For IAM roles associated with self-managed Linux node groups. Allows the nodes to join the cluster.
AccessEntryTypeEC2Windows
EC2_WINDOWS: For IAM roles associated with self-managed Windows node groups. Allows the nodes to join the cluster.
AccessEntryTypeEC2
EC2: For IAM roles associated with EC2 instances that need access policies. Allows the nodes to join the cluster.
Standard
STANDARD: Standard Access Entry Workflow. Allows users to input a username and kubernetesGroup, and to associate access policies.
FargateLinux
FARGATE_LINUX: For IAM roles used with AWS Fargate profiles.
EC2Linux
EC2_LINUX: For IAM roles associated with self-managed Linux node groups. Allows the nodes to join the cluster.
EC2Windows
EC2_WINDOWS: For IAM roles associated with self-managed Windows node groups. Allows the nodes to join the cluster.
EC2
EC2: For IAM roles associated with EC2 instances that need access policies. Allows the nodes to join the cluster.
Standard
STANDARD: Standard Access Entry Workflow. Allows users to input a username and kubernetesGroup, and to associate access policies.
FargateLinux
FARGATE_LINUX: For IAM roles used with AWS Fargate profiles.
EC2Linux
EC2_LINUX: For IAM roles associated with self-managed Linux node groups. Allows the nodes to join the cluster.
EC2Windows
EC2_WINDOWS: For IAM roles associated with self-managed Windows node groups. Allows the nodes to join the cluster.
EC2
EC2: For IAM roles associated with EC2 instances that need access policies. Allows the nodes to join the cluster.
STANDARD
STANDARD: Standard Access Entry Workflow. Allows users to input a username and kubernetesGroup, and to associate access policies.
FARGATE_LINUX
FARGATE_LINUX: For IAM roles used with AWS Fargate profiles.
EC2_LINUX
EC2_LINUX: For IAM roles associated with self-managed Linux node groups. Allows the nodes to join the cluster.
EC2_WINDOWS
EC2_WINDOWS: For IAM roles associated with self-managed Windows node groups. Allows the nodes to join the cluster.
EC2
EC2: For IAM roles associated with EC2 instances that need access policies. Allows the nodes to join the cluster.
"STANDARD"
STANDARD: Standard Access Entry Workflow. Allows users to input a username and kubernetesGroup, and to associate access policies.
"FARGATE_LINUX"
FARGATE_LINUX: For IAM roles used with AWS Fargate profiles.
"EC2_LINUX"
EC2_LINUX: For IAM roles associated with self-managed Linux node groups. Allows the nodes to join the cluster.
"EC2_WINDOWS"
EC2_WINDOWS: For IAM roles associated with self-managed Windows node groups. Allows the nodes to join the cluster.
"EC2"
EC2: For IAM roles associated with EC2 instances that need access policies. Allows the nodes to join the cluster.

AccessPolicyAssociation, AccessPolicyAssociationArgs

AccessScope This property is required. Pulumi.Aws.Eks.Inputs.AccessPolicyAssociationAccessScope
The scope of the access policy association. This controls whether the access policy is scoped to the cluster or to a particular namespace. This type is defined in the AWS Classic package.
PolicyArn This property is required. string
The ARN of the access policy to associate with the principal
AccessScope This property is required. AccessPolicyAssociationAccessScope
The scope of the access policy association. This controls whether the access policy is scoped to the cluster or to a particular namespace. This type is defined in the AWS Classic package.
PolicyArn This property is required. string
The ARN of the access policy to associate with the principal
accessScope This property is required. AccessPolicyAssociationAccessScope
The scope of the access policy association. This controls whether the access policy is scoped to the cluster or to a particular namespace. This type is defined in the AWS Classic package.
policyArn This property is required. String
The ARN of the access policy to associate with the principal
accessScope This property is required. pulumiAws.types.input.eks.AccessPolicyAssociationAccessScope
The scope of the access policy association. This controls whether the access policy is scoped to the cluster or to a particular namespace. This type is defined in the AWS Classic package.
policyArn This property is required. string
The ARN of the access policy to associate with the principal
access_scope This property is required. pulumi_aws.eks.AccessPolicyAssociationAccessScopeArgs
The scope of the access policy association. This controls whether the access policy is scoped to the cluster or to a particular namespace. This type is defined in the AWS Classic package.
policy_arn This property is required. str
The ARN of the access policy to associate with the principal
accessScope This property is required. Property Map
The scope of the access policy association. This controls whether the access policy is scoped to the cluster or to a particular namespace. This type is defined in the AWS Classic package.
policyArn This property is required. String
The ARN of the access policy to associate with the principal

ClusterNodeGroupOptions, ClusterNodeGroupOptionsArgs

AmiId string

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
AmiType string

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

AutoScalingGroupTags Dictionary<string, string>

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

BootstrapExtraArgs string
Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.
BottlerocketSettings Dictionary<string, object>

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

  • settings.kubernetes.api-server
  • settings.kubernetes.cluster-certificate
  • settings.kubernetes.cluster-name
  • settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

CloudFormationTags Dictionary<string, string>

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

ClusterIngressRule Pulumi.Aws.Ec2.SecurityGroupRule
The ingress rule that gives node group access. This type is defined in the AWS Classic package.
ClusterIngressRuleId string
The ID of the ingress rule that gives node group access.
DesiredCapacity int
The number of worker nodes that should be running in the cluster. Defaults to 2.
EnableDetailedMonitoring bool

Enables/disables detailed monitoring of the EC2 instances.

With detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals. When enabled, you can also get aggregated data across groups of similar instances.

Note: You are charged per metric that is sent to CloudWatch. You are not charged for data storage. For more information, see "Paid tier" and "Example 1 - EC2 Detailed Monitoring" here https://aws.amazon.com/cloudwatch/pricing/.

EncryptRootBlockDevice bool
Encrypt the root block device of the nodes in the node group.
ExtraNodeSecurityGroups List<Pulumi.Aws.Ec2.SecurityGroup>

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

Gpu bool

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
  • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
IgnoreScalingChanges bool

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

InstanceProfile Pulumi.Aws.Iam.InstanceProfile
The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive. This type is defined in the AWS Classic package.
InstanceProfileName string
The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive.
InstanceType string
The instance type to use for the cluster's nodes. Defaults to "t3.medium".
KeyName string
Name of the key pair to use for SSH access to worker nodes.
KubeletExtraArgs string
Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubeletExtraArgs flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after the explicit kubeletExtraArgs.
Labels Dictionary<string, string>
Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.
LaunchTemplateTagSpecifications List<Pulumi.Aws.Ec2.Inputs.LaunchTemplateTagSpecification>
The tag specifications to apply to the launch template.
MaxSize int
The maximum number of worker nodes running in the cluster. Defaults to 2.
MinRefreshPercentage int
The minimum amount of instances that should remain available during an instance refresh, expressed as a percentage. Defaults to 50.
MinSize int
The minimum number of worker nodes running in the cluster. Defaults to 1.
NodeAssociatePublicIpAddress bool
Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.
NodePublicKey string
Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.
NodeRootVolumeDeleteOnTermination bool
Whether the root block device should be deleted on termination of the instance. Defaults to true.
NodeRootVolumeEncrypted bool
Whether to encrypt a cluster node's root volume. Defaults to false.
NodeRootVolumeIops int
The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'.
NodeRootVolumeSize int
The size in GiB of a cluster node's root volume. Defaults to 20.
NodeRootVolumeThroughput int
Provisioned throughput performance in integer MiB/s for a cluster node's root volume. This is only valid with a volumeType of 'gp3'.
NodeRootVolumeType string
Configured EBS type for a cluster node's root volume. Default is 'gp2'. Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'.
NodeSecurityGroup Pulumi.Aws.Ec2.SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster option nodeSecurityGroupTags are mutually exclusive. This type is defined in the AWS Classic package.

NodeSecurityGroupId string

The ID of the security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroupId option and the cluster option nodeSecurityGroupTags are mutually exclusive.

NodeSubnetIds List<string>

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless if the cluster's subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

NodeUserData string
Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).
NodeUserDataOverride string

User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

NodeadmExtraOptions List<NodeadmOptions>

Extra nodeadm configuration sections to be added to the nodeadm user data. This can be shell scripts, nodeadm NodeConfig or any other user data compatible script. When configuring additional nodeadm NodeConfig sections, they'll be merged with the base settings the provider sets. You can overwrite base settings or provide additional settings this way. The base settings the provider sets are:

  • cluster.name
  • cluster.apiServerEndpoint
  • cluster.certificateAuthority
  • cluster.cidr

Note: This is only applicable when using AL2023. See for more details:

  • https://awslabs.github.io/amazon-eks-ami/nodeadm/
  • https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/
OperatingSystem Pulumi.Eks.OperatingSystem

The type of OS to use for the node group. Will be used to determine the right EKS optimized AMI to use based on the instance types and gpu configuration. Valid values are RECOMMENDED, AL2, AL2023 and Bottlerocket.

Defaults to the current recommended OS.

SpotPrice string
Bidding price for spot instance. If set, only spot instances will be added as worker node.
Taints Dictionary<string, Taint>
Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument
Version string
Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
AmiId string

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
AmiType string

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

AutoScalingGroupTags map[string]string

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

BootstrapExtraArgs string
Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.
BottlerocketSettings map[string]interface{}

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

  • settings.kubernetes.api-server
  • settings.kubernetes.cluster-certificate
  • settings.kubernetes.cluster-name
  • settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

CloudFormationTags map[string]string

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

ClusterIngressRule SecurityGroupRule
The ingress rule that gives node group access. This type is defined in the AWS Classic package.
ClusterIngressRuleId string
The ID of the ingress rule that gives node group access.
DesiredCapacity int
The number of worker nodes that should be running in the cluster. Defaults to 2.
EnableDetailedMonitoring bool

Enables/disables detailed monitoring of the EC2 instances.

With detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals. When enabled, you can also get aggregated data across groups of similar instances.

Note: You are charged per metric that is sent to CloudWatch. You are not charged for data storage. For more information, see "Paid tier" and "Example 1 - EC2 Detailed Monitoring" here https://aws.amazon.com/cloudwatch/pricing/.

EncryptRootBlockDevice bool
Encrypt the root block device of the nodes in the node group.
ExtraNodeSecurityGroups SecurityGroup

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

Gpu bool

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
  • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
IgnoreScalingChanges bool

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

InstanceProfile InstanceProfile
The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive. This type is defined in the AWS Classic package.
InstanceProfileName string
The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive.
InstanceType string
The instance type to use for the cluster's nodes. Defaults to "t3.medium".
KeyName string
Name of the key pair to use for SSH access to worker nodes.
KubeletExtraArgs string
Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubeletExtraArgs flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after the explicit kubeletExtraArgs.
Labels map[string]string
Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.
LaunchTemplateTagSpecifications LaunchTemplateTagSpecification
The tag specifications to apply to the launch template.
MaxSize int
The maximum number of worker nodes running in the cluster. Defaults to 2.
MinRefreshPercentage int
The minimum amount of instances that should remain available during an instance refresh, expressed as a percentage. Defaults to 50.
MinSize int
The minimum number of worker nodes running in the cluster. Defaults to 1.
NodeAssociatePublicIpAddress bool
Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.
NodePublicKey string
Public key material for SSH access to worker nodes. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html If not provided, no SSH access is enabled on VMs.
NodeRootVolumeDeleteOnTermination bool
Whether the root block device should be deleted on termination of the instance. Defaults to true.
NodeRootVolumeEncrypted bool
Whether to encrypt a cluster node's root volume. Defaults to false.
NodeRootVolumeIops int
The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'.
NodeRootVolumeSize int
The size in GiB of a cluster node's root volume. Defaults to 20.
NodeRootVolumeThroughput int
Provisioned throughput performance in integer MiB/s for a cluster node's root volume. This is only valid with a volumeType of 'gp3'.
NodeRootVolumeType string
Configured EBS type for a cluster node's root volume. Default is 'gp2'. Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'.
NodeSecurityGroup SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster option nodeSecurityGroupTags are mutually exclusive. This type is defined in the AWS Classic package.

NodeSecurityGroupId string

The ID of the security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroupId option and the cluster option nodeSecurityGroupTags are mutually exclusive.

NodeSubnetIds []string

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless if the cluster's subnetIds is set, or if publicSubnetIds and/or privateSubnetIds were set.

NodeUserData string
Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).
NodeUserDataOverride string

User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

NodeadmExtraOptions []NodeadmOptions

Extra nodeadm configuration sections to be added to the nodeadm user data. This can be shell scripts, nodeadm NodeConfig or any other user data compatible script. When configuring additional nodeadm NodeConfig sections, they'll be merged with the base settings the provider sets. You can overwrite base settings or provide additional settings this way. The base settings the provider sets are:

  • cluster.name
  • cluster.apiServerEndpoint
  • cluster.certificateAuthority
  • cluster.cidr

Note: This is only applicable when using AL2023. See for more details:

  • https://awslabs.github.io/amazon-eks-ami/nodeadm/
  • https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/
OperatingSystem OperatingSystem

The type of OS to use for the node group. Will be used to determine the right EKS optimized AMI to use based on the instance types and gpu configuration. Valid values are RECOMMENDED, AL2, AL2023 and Bottlerocket.

Defaults to the current recommended OS.

SpotPrice string
Bidding price for spot instances. If set, only spot instances will be added as worker nodes.
Taints map[string]Taint
Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument.
Version string
Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
amiId String

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
amiType String

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

autoScalingGroupTags Map<String,String>

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

bootstrapExtraArgs String
Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.
bottlerocketSettings Map<String,Object>

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

  • settings.kubernetes.api-server
  • settings.kubernetes.cluster-certificate
  • settings.kubernetes.cluster-name
  • settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

cloudFormationTags Map<String,String>

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

clusterIngressRule SecurityGroupRule
The ingress rule that gives node group access. This type is defined in the AWS Classic package.
clusterIngressRuleId String
The ID of the ingress rule that gives node group access.
desiredCapacity Integer
The number of worker nodes that should be running in the cluster. Defaults to 2.
enableDetailedMonitoring Boolean

Enables/disables detailed monitoring of the EC2 instances.

With detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals. When enabled, you can also get aggregated data across groups of similar instances.

Note: You are charged per metric that is sent to CloudWatch. You are not charged for data storage. For more information, see "Paid tier" and "Example 1 - EC2 Detailed Monitoring" here https://aws.amazon.com/cloudwatch/pricing/.

encryptRootBlockDevice Boolean
Encrypt the root block device of the nodes in the node group.
extraNodeSecurityGroups List<SecurityGroup>

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

gpu Boolean

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
  • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
ignoreScalingChanges Boolean

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

instanceProfile InstanceProfile
The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive. This type is defined in the AWS Classic package.
instanceProfileName String
The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive.
instanceType String
The instance type to use for the cluster's nodes. Defaults to "t3.medium".
keyName String
Name of the key pair to use for SSH access to worker nodes.
kubeletExtraArgs String
Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubelet-extra-args flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after the explicit kubeletExtraArgs.
labels Map<String,String>
Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.
launchTemplateTagSpecifications List<LaunchTemplateTagSpecification>
The tag specifications to apply to the launch template.
maxSize Integer
The maximum number of worker nodes running in the cluster. Defaults to 2.
minRefreshPercentage Integer
The minimum number of instances that should remain available during an instance refresh, expressed as a percentage. Defaults to 50.
minSize Integer
The minimum number of worker nodes running in the cluster. Defaults to 1.
nodeAssociatePublicIpAddress Boolean
Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.
nodePublicKey String
Public key material for SSH access to worker nodes. If not provided, no SSH access is enabled on VMs. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
nodeRootVolumeDeleteOnTermination Boolean
Whether the root block device should be deleted on termination of the instance. Defaults to true.
nodeRootVolumeEncrypted Boolean
Whether to encrypt a cluster node's root volume. Defaults to false.
nodeRootVolumeIops Integer
The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'.
nodeRootVolumeSize Integer
The size in GiB of a cluster node's root volume. Defaults to 20.
nodeRootVolumeThroughput Integer
Provisioned throughput performance in integer MiB/s for a cluster node's root volume. This is only valid with a volumeType of 'gp3'.
nodeRootVolumeType String
Configured EBS type for a cluster node's root volume. Default is 'gp2'. Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'.
nodeSecurityGroup SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster option nodeSecurityGroupTags are mutually exclusive. This type is defined in the AWS Classic package.

nodeSecurityGroupId String

The ID of the security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroupId option and the cluster option nodeSecurityGroupTags are mutually exclusive.

nodeSubnetIds List<String>

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless of whether the cluster's subnetIds is set, or whether publicSubnetIds and/or privateSubnetIds were set.

nodeUserData String
Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).
nodeUserDataOverride String

User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

nodeadmExtraOptions List<NodeadmOptions>

Extra nodeadm configuration sections to be added to the nodeadm user data. This can be shell scripts, nodeadm NodeConfig or any other user data compatible script. When configuring additional nodeadm NodeConfig sections, they'll be merged with the base settings the provider sets. You can overwrite base settings or provide additional settings this way. The base settings the provider sets are:

  • cluster.name
  • cluster.apiServerEndpoint
  • cluster.certificateAuthority
  • cluster.cidr

Note: This is only applicable when using AL2023. See for more details:

  • https://awslabs.github.io/amazon-eks-ami/nodeadm/
  • https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/
operatingSystem OperatingSystem

The type of OS to use for the node group. Will be used to determine the right EKS optimized AMI to use based on the instance types and gpu configuration. Valid values are RECOMMENDED, AL2, AL2023 and Bottlerocket.

Defaults to the current recommended OS.

spotPrice String
Bidding price for spot instances. If set, only spot instances will be added as worker nodes.
taints Map<String,Taint>
Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument.
version String
Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
amiId string

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
amiType string

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

autoScalingGroupTags {[key: string]: string}

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

bootstrapExtraArgs string
Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.
bottlerocketSettings {[key: string]: any}

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

  • settings.kubernetes.api-server
  • settings.kubernetes.cluster-certificate
  • settings.kubernetes.cluster-name
  • settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

cloudFormationTags {[key: string]: string}

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

clusterIngressRule pulumiAwsec2SecurityGroupRule
The ingress rule that gives node group access. This type is defined in the AWS Classic package.
clusterIngressRuleId string
The ID of the ingress rule that gives node group access.
desiredCapacity number
The number of worker nodes that should be running in the cluster. Defaults to 2.
enableDetailedMonitoring boolean

Enables/disables detailed monitoring of the EC2 instances.

With detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals. When enabled, you can also get aggregated data across groups of similar instances.

Note: You are charged per metric that is sent to CloudWatch. You are not charged for data storage. For more information, see "Paid tier" and "Example 1 - EC2 Detailed Monitoring" here https://aws.amazon.com/cloudwatch/pricing/.

encryptRootBlockDevice boolean
Encrypt the root block device of the nodes in the node group.
extraNodeSecurityGroups pulumiAwsec2SecurityGroup[]

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

gpu boolean

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
  • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
ignoreScalingChanges boolean

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

instanceProfile pulumiAwsiamInstanceProfile
The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive. This type is defined in the AWS Classic package.
instanceProfileName string
The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive.
instanceType string
The instance type to use for the cluster's nodes. Defaults to "t3.medium".
keyName string
Name of the key pair to use for SSH access to worker nodes.
kubeletExtraArgs string
Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubelet-extra-args flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after the explicit kubeletExtraArgs.
labels {[key: string]: string}
Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.
launchTemplateTagSpecifications pulumiAwstypesinputec2LaunchTemplateTagSpecification[]
The tag specifications to apply to the launch template.
maxSize number
The maximum number of worker nodes running in the cluster. Defaults to 2.
minRefreshPercentage number
The minimum number of instances that should remain available during an instance refresh, expressed as a percentage. Defaults to 50.
minSize number
The minimum number of worker nodes running in the cluster. Defaults to 1.
nodeAssociatePublicIpAddress boolean
Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.
nodePublicKey string
Public key material for SSH access to worker nodes. If not provided, no SSH access is enabled on VMs. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
nodeRootVolumeDeleteOnTermination boolean
Whether the root block device should be deleted on termination of the instance. Defaults to true.
nodeRootVolumeEncrypted boolean
Whether to encrypt a cluster node's root volume. Defaults to false.
nodeRootVolumeIops number
The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'.
nodeRootVolumeSize number
The size in GiB of a cluster node's root volume. Defaults to 20.
nodeRootVolumeThroughput number
Provisioned throughput performance in integer MiB/s for a cluster node's root volume. This is only valid with a volumeType of 'gp3'.
nodeRootVolumeType string
Configured EBS type for a cluster node's root volume. Default is 'gp2'. Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'.
nodeSecurityGroup pulumiAwsec2SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster option nodeSecurityGroupTags are mutually exclusive. This type is defined in the AWS Classic package.

nodeSecurityGroupId string

The ID of the security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroupId option and the cluster option nodeSecurityGroupTags are mutually exclusive.

nodeSubnetIds string[]

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless of whether the cluster's subnetIds is set, or whether publicSubnetIds and/or privateSubnetIds were set.

nodeUserData string
Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).
nodeUserDataOverride string

User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

nodeadmExtraOptions NodeadmOptions[]

Extra nodeadm configuration sections to be added to the nodeadm user data. This can be shell scripts, nodeadm NodeConfig or any other user data compatible script. When configuring additional nodeadm NodeConfig sections, they'll be merged with the base settings the provider sets. You can overwrite base settings or provide additional settings this way. The base settings the provider sets are:

  • cluster.name
  • cluster.apiServerEndpoint
  • cluster.certificateAuthority
  • cluster.cidr

Note: This is only applicable when using AL2023. See for more details:

  • https://awslabs.github.io/amazon-eks-ami/nodeadm/
  • https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/
operatingSystem OperatingSystem

The type of OS to use for the node group. Will be used to determine the right EKS optimized AMI to use based on the instance types and gpu configuration. Valid values are RECOMMENDED, AL2, AL2023 and Bottlerocket.

Defaults to the current recommended OS.

spotPrice string
Bidding price for spot instances. If set, only spot instances will be added as worker nodes.
taints {[key: string]: Taint}
Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument.
version string
Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
ami_id str

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
ami_type str

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

auto_scaling_group_tags Mapping[str, str]

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

bootstrap_extra_args str
Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.
bottlerocket_settings Mapping[str, Any]

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

  • settings.kubernetes.api-server
  • settings.kubernetes.cluster-certificate
  • settings.kubernetes.cluster-name
  • settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

cloud_formation_tags Mapping[str, str]

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

cluster_ingress_rule pulumi_aws.ec2.SecurityGroupRule
The ingress rule that gives node group access. This type is defined in the AWS Classic package.
cluster_ingress_rule_id str
The ID of the ingress rule that gives node group access.
desired_capacity int
The number of worker nodes that should be running in the cluster. Defaults to 2.
enable_detailed_monitoring bool

Enables/disables detailed monitoring of the EC2 instances.

With detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals. When enabled, you can also get aggregated data across groups of similar instances.

Note: You are charged per metric that is sent to CloudWatch. You are not charged for data storage. For more information, see "Paid tier" and "Example 1 - EC2 Detailed Monitoring" here https://aws.amazon.com/cloudwatch/pricing/.

encrypt_root_block_device bool
Encrypt the root block device of the nodes in the node group.
extra_node_security_groups Sequence[pulumi_aws.ec2.SecurityGroup]

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

gpu bool

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
  • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
ignore_scaling_changes bool

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

instance_profile pulumi_aws.iam.InstanceProfile
The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive. This type is defined in the AWS Classic package.
instance_profile_name str
The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive.
instance_type str
The instance type to use for the cluster's nodes. Defaults to "t3.medium".
key_name str
Name of the key pair to use for SSH access to worker nodes.
kubelet_extra_args str
Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubelet-extra-args flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after the explicit kubeletExtraArgs.
labels Mapping[str, str]
Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.
launch_template_tag_specifications Sequence[pulumi_aws.ec2.LaunchTemplateTagSpecificationArgs]
The tag specifications to apply to the launch template.
max_size int
The maximum number of worker nodes running in the cluster. Defaults to 2.
min_refresh_percentage int
The minimum number of instances that should remain available during an instance refresh, expressed as a percentage. Defaults to 50.
min_size int
The minimum number of worker nodes running in the cluster. Defaults to 1.
node_associate_public_ip_address bool
Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.
node_public_key str
Public key material for SSH access to worker nodes. If not provided, no SSH access is enabled on VMs. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
node_root_volume_delete_on_termination bool
Whether the root block device should be deleted on termination of the instance. Defaults to true.
node_root_volume_encrypted bool
Whether to encrypt a cluster node's root volume. Defaults to false.
node_root_volume_iops int
The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'.
node_root_volume_size int
The size in GiB of a cluster node's root volume. Defaults to 20.
node_root_volume_throughput int
Provisioned throughput performance in integer MiB/s for a cluster node's root volume. This is only valid with a volumeType of 'gp3'.
node_root_volume_type str
Configured EBS type for a cluster node's root volume. Default is 'gp2'. Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'.
node_security_group pulumi_aws.ec2.SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster option nodeSecurityGroupTags are mutually exclusive. This type is defined in the AWS Classic package.

node_security_group_id str

The ID of the security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroupId option and the cluster option nodeSecurityGroupTags are mutually exclusive.

node_subnet_ids Sequence[str]

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless of whether the cluster's subnetIds is set, or whether publicSubnetIds and/or privateSubnetIds were set.

node_user_data str
Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).
node_user_data_override str

User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

nodeadm_extra_options Sequence[NodeadmOptions]

Extra nodeadm configuration sections to be added to the nodeadm user data. This can be shell scripts, nodeadm NodeConfig or any other user data compatible script. When configuring additional nodeadm NodeConfig sections, they'll be merged with the base settings the provider sets. You can overwrite base settings or provide additional settings this way. The base settings the provider sets are:

  • cluster.name
  • cluster.apiServerEndpoint
  • cluster.certificateAuthority
  • cluster.cidr

Note: This is only applicable when using AL2023. See for more details:

  • https://awslabs.github.io/amazon-eks-ami/nodeadm/
  • https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/
operating_system OperatingSystem

The type of OS to use for the node group. Will be used to determine the right EKS optimized AMI to use based on the instance types and gpu configuration. Valid values are RECOMMENDED, AL2, AL2023 and Bottlerocket.

Defaults to the current recommended OS.

spot_price str
Bidding price for spot instances. If set, only spot instances will be added as worker nodes.
taints Mapping[str, Taint]
Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument.
version str
Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
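
The constraints stated in the property descriptions above (mutually exclusive options, settings tied to one volume type, the #! requirement for node_user_data, flags that are injected automatically) can be checked before a deployment. The following is an added example, not code from the Pulumi EKS provider: `lint_node_group_args`, the severity labels and the sample arguments are assumptions made for illustration, and operating_system is compared as a plain string.

```python
import shlex

# Pairs the property descriptions call mutually exclusive.
MUTUALLY_EXCLUSIVE = [
    ("ami_id", "gpu"),
    ("ami_type", "gpu"),
    ("instance_profile", "instance_profile_name"),
]

# Root-volume options that are only valid with one volume type.
VOLUME_TYPE_ONLY = {
    "node_root_volume_iops": "io1",
    "node_root_volume_throughput": "gp3",
}

SUPPORTED_VOLUME_TYPES = {"standard", "gp2", "gp3", "st1", "sc1", "io1"}

# bootstrap.sh flags the page says are included automatically.
AUTO_BOOTSTRAP_FLAGS = {"--apiserver-endpoint", "--b64-cluster-ca", "--kubelet-extra-args"}


def _flags(arg_string):
    """Return the flag names (text before any '=') found in a CLI argument string."""
    tokens = shlex.split(arg_string or "")
    return {tok.split("=", 1)[0] for tok in tokens if tok.startswith("--")}


def lint_node_group_args(args):
    """Return (severity, message) findings for a dict of snake_case NodeGroupV2 args."""
    findings = []

    def is_set(key):
        # False counts as unset so that gpu=False does not conflict with ami_id.
        return args.get(key) not in (None, False, "", [], {})

    for a, b in MUTUALLY_EXCLUSIVE:
        if is_set(a) and is_set(b):
            findings.append(("error", f"{a} and {b} are mutually exclusive"))

    vol_type = args.get("node_root_volume_type") or "gp2"  # documented default
    if vol_type not in SUPPORTED_VOLUME_TYPES:
        findings.append(("error", f"unsupported node_root_volume_type {vol_type!r}"))
    for key, required in VOLUME_TYPE_ONLY.items():
        if is_set(key) and vol_type != required:
            findings.append(("error", f"{key} is only valid with volume type {required!r}"))

    user_data = args.get("node_user_data")
    if user_data and not user_data.startswith("#!"):
        findings.append(("error", "node_user_data must begin with an interpreter directive (#!)"))

    if is_set("nodeadm_extra_options") and args.get("operating_system") in ("AL2", "Bottlerocket"):
        findings.append(("error", "nodeadm_extra_options only applies to AL2023"))

    for flag in sorted(_flags(args.get("bootstrap_extra_args")) & AUTO_BOOTSTRAP_FLAGS):
        findings.append(("warn", f"bootstrap_extra_args repeats {flag}, which is added automatically"))

    # labels and taints are appended after the explicit kubelet args, so a flag
    # given in both places ends up on the kubelet command line twice.
    kubelet_flags = _flags(args.get("kubelet_extra_args"))
    for prop, flag in (("labels", "--node-labels"), ("taints", "--register-with-taints")):
        if is_set(prop) and flag in kubelet_flags:
            findings.append(("warn", f"{flag} is in kubelet_extra_args and also generated from {prop}"))

    if not (is_set("node_root_volume_encrypted") or is_set("encrypt_root_block_device")):
        findings.append(("warn", "root volume not encrypted (node_root_volume_encrypted defaults to false)"))
    if args.get("node_associate_public_ip_address") is True:
        findings.append(("warn", "worker nodes will be auto-assigned public IPs"))
    if is_set("key_name") or is_set("node_public_key"):
        findings.append(("info", "SSH access to worker nodes is enabled"))
    return findings


# Constructed sample arguments (not taken from any real stack).
SAMPLE_ARGS = {
    "ami_id": "ami-EXAMPLE",
    "gpu": True,
    "node_root_volume_type": "gp2",
    "node_root_volume_iops": 3000,
    "node_user_data": "echo hello",
    "labels": {"tier": "batch"},
    "kubelet_extra_args": "--node-labels=tier=web --max-pods=30",
    "bootstrap_extra_args": "--b64-cluster-ca ZXhhbXBsZQ==",
    "node_associate_public_ip_address": True,
}

if __name__ == "__main__":
    for severity, message in lint_node_group_args(SAMPLE_ARGS):
        print(f"{severity:5} {message}")
```
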
amiId String

The AMI ID to use for the worker nodes.

Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.

Note: amiId and gpu are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
amiType String

The AMI Type to use for the worker nodes.

Only applicable when setting an AMI ID that is of type arm64.

Note: amiType and gpu are mutually exclusive.

autoScalingGroupTags Map<String>

The tags to apply to the NodeGroup's AutoScalingGroup in the CloudFormation Stack.

Per AWS, all stack-level tags, including automatically created tags, and the cloudFormationTags option are propagated to resources that AWS CloudFormation supports, including the AutoScalingGroup. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

bootstrapExtraArgs String
Additional args to pass directly to /etc/eks/bootstrap.sh. For details on available options, see: https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh. Note that the --apiserver-endpoint, --b64-cluster-ca and --kubelet-extra-args flags are included automatically based on other configuration parameters.
bottlerocketSettings Map<Any>

The configuration settings for Bottlerocket OS. The settings will get merged with the base settings the provider uses to configure Bottlerocket.

This includes:

  • settings.kubernetes.api-server
  • settings.kubernetes.cluster-certificate
  • settings.kubernetes.cluster-name
  • settings.kubernetes.cluster-dns-ip

For an overview of the available settings, see https://bottlerocket.dev/en/os/1.20.x/api/settings/.

cloudFormationTags Map<String>

The tags to apply to the CloudFormation Stack of the Worker NodeGroup.

Note: Given the inheritance of auto-generated CF tags and cloudFormationTags, you should either supply the tag in autoScalingGroupTags or cloudFormationTags, but not both.

clusterIngressRule aws:ec2:SecurityGroupRule
The ingress rule that gives node group access. This type is defined in the AWS Classic package.
clusterIngressRuleId String
The ID of the ingress rule that gives node group access.
desiredCapacity Number
The number of worker nodes that should be running in the cluster. Defaults to 2.
enableDetailedMonitoring Boolean

Enables/disables detailed monitoring of the EC2 instances.

With detailed monitoring, all metrics, including status check metrics, are available in 1-minute intervals. When enabled, you can also get aggregated data across groups of similar instances.

Note: You are charged per metric that is sent to CloudWatch. You are not charged for data storage. For more information, see "Paid tier" and "Example 1 - EC2 Detailed Monitoring" here https://aws.amazon.com/cloudwatch/pricing/.

encryptRootBlockDevice Boolean
Encrypt the root block device of the nodes in the node group.
extraNodeSecurityGroups List<aws:ec2:SecurityGroup>

Extra security groups to attach on all nodes in this worker node group.

This additional set of security groups captures any user application rules that will be needed for the nodes.

gpu Boolean

Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.

Defaults to false.

Note: gpu and amiId are mutually exclusive.

See for more details:

  • https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
  • https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
ignoreScalingChanges Boolean

Whether to ignore changes to the desired size of the Auto Scaling Group. This is useful when using Cluster Autoscaler.

See EKS best practices for more details.

instanceProfile aws:iam:InstanceProfile
The IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive. This type is defined in the AWS Classic package.
instanceProfileName String
The name of the IAM InstanceProfile to use on the NodeGroup. Properties instanceProfile and instanceProfileName are mutually exclusive.
instanceType String
The instance type to use for the cluster's nodes. Defaults to "t3.medium".
keyName String
Name of the key pair to use for SSH access to worker nodes.
kubeletExtraArgs String
Extra args to pass to the Kubelet. Corresponds to the options passed in the --kubelet-extra-args flag to /etc/eks/bootstrap.sh. For example, '--port=10251 --address=0.0.0.0'. Note that the labels and taints properties will be applied to this list (using --node-labels and --register-with-taints respectively) after the explicit kubeletExtraArgs.
labels Map<String>
Custom k8s node labels to be attached to each worker node. Adds the given key/value pairs to the --node-labels kubelet argument.
launchTemplateTagSpecifications List<Property Map>
The tag specifications to apply to the launch template.
maxSize Number
The maximum number of worker nodes running in the cluster. Defaults to 2.
minRefreshPercentage Number
The minimum number of instances that should remain available during an instance refresh, expressed as a percentage. Defaults to 50.
minSize Number
The minimum number of worker nodes running in the cluster. Defaults to 1.
nodeAssociatePublicIpAddress Boolean
Whether or not to auto-assign public IP addresses on the EKS worker nodes. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.
nodePublicKey String
Public key material for SSH access to worker nodes. If not provided, no SSH access is enabled on VMs. See allowed formats at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
nodeRootVolumeDeleteOnTermination Boolean
Whether the root block device should be deleted on termination of the instance. Defaults to true.
nodeRootVolumeEncrypted Boolean
Whether to encrypt a cluster node's root volume. Defaults to false.
nodeRootVolumeIops Number
The amount of provisioned IOPS. This is only valid with a volumeType of 'io1'.
nodeRootVolumeSize Number
The size in GiB of a cluster node's root volume. Defaults to 20.
nodeRootVolumeThroughput Number
Provisioned throughput performance in integer MiB/s for a cluster node's root volume. This is only valid with a volumeType of 'gp3'.
nodeRootVolumeType String
Configured EBS type for a cluster node's root volume. Default is 'gp2'. Supported values are 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'.
nodeSecurityGroup aws:ec2:SecurityGroup

The security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroup option and the cluster option nodeSecurityGroupTags are mutually exclusive. This type is defined in the AWS Classic package.

nodeSecurityGroupId String

The ID of the security group for the worker node group to communicate with the cluster.

This security group requires specific inbound and outbound rules.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

Note: The nodeSecurityGroupId option and the cluster option nodeSecurityGroupTags are mutually exclusive.

nodeSubnetIds List<String>

The set of subnets to override and use for the worker node group.

Setting this option overrides which subnets to use for the worker node group, regardless of whether the cluster's subnetIds is set, or whether publicSubnetIds and/or privateSubnetIds were set.

nodeUserData String
Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a #!).
nodeUserDataOverride String

User specified code to run on node startup. This code is expected to handle the full AWS EKS bootstrapping code and signal node readiness to the managing CloudFormation stack. This code must be a complete and executable user data script in bash (Linux) or powershell (Windows).

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/worker.html

nodeadmExtraOptions List<Property Map>

Extra nodeadm configuration sections to be added to the nodeadm user data. This can be shell scripts, nodeadm NodeConfig or any other user data compatible script. When configuring additional nodeadm NodeConfig sections, they'll be merged with the base settings the provider sets. You can overwrite base settings or provide additional settings this way. The base settings the provider sets are:

  • cluster.name
  • cluster.apiServerEndpoint
  • cluster.certificateAuthority
  • cluster.cidr

Note: This is only applicable when using AL2023. See for more details:

  • https://awslabs.github.io/amazon-eks-ami/nodeadm/
  • https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/
operatingSystem "AL2" | "AL2023" | "Bottlerocket" | "AL2023"

The type of OS to use for the node group. Will be used to determine the right EKS optimized AMI to use based on the instance types and gpu configuration. Valid values are RECOMMENDED, AL2, AL2023 and Bottlerocket.

Defaults to the current recommended OS.

spotPrice String
Bidding price for spot instances. If set, only spot instances will be added as worker nodes.
taints Map<Property Map>
Custom k8s node taints to be attached to each worker node. Adds the given taints to the --register-with-taints kubelet argument.
version String
Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
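
The constraints documented for these inputs (mutually exclusive pairs, volume-type dependencies, the AL2023-only nodeadm options, a root volume that is unencrypted by default) can be checked before a deployment. The following is an added example, not part of the Pulumi EKS package: `lint_node_group`, its messages and the two sample argument sets are constructed here, and it assumes the arguments are available as a plain dict keyed by the camelCase property names listed above.

```python
# Added example: pre-deployment lint for NodeGroupV2 arguments.
# Property names and constraints come from the reference text above; the
# function, the message wording and the sample inputs are constructed.

VOLUME_TYPES = {"standard", "gp2", "gp3", "st1", "sc1", "io1"}

# Pairs the reference documents as mutually exclusive.
EXCLUSIVE = [
    ("amiId", "gpu"),
    ("amiType", "gpu"),
    ("instanceProfile", "instanceProfileName"),
]


def lint_node_group(args):
    """Return (errors, warnings) for a dict of NodeGroupV2 arguments."""
    errors, warnings = [], []

    def is_set(key):
        # None, False, "" and {} all count as "not set" (gpu defaults to false).
        return bool(args.get(key))

    for a, b in EXCLUSIVE:
        if is_set(a) and is_set(b):
            errors.append(f"{a} and {b} are mutually exclusive")

    # A tag belongs in one of the two tag maps, not both.
    asg_tags = args.get("autoScalingGroupTags") or {}
    cfn_tags = args.get("cloudFormationTags") or {}
    for key in sorted(set(asg_tags) & set(cfn_tags)):
        errors.append(f"tag '{key}' is set in both autoScalingGroupTags and cloudFormationTags")

    vol_type = args.get("nodeRootVolumeType", "gp2")  # documented default
    if vol_type not in VOLUME_TYPES:
        errors.append(f"unsupported nodeRootVolumeType '{vol_type}'")
    if args.get("nodeRootVolumeIops") is not None and vol_type != "io1":
        errors.append("nodeRootVolumeIops is only valid with volume type io1")
    if args.get("nodeRootVolumeThroughput") is not None and vol_type != "gp3":
        errors.append("nodeRootVolumeThroughput is only valid with volume type gp3")

    user_data = args.get("nodeUserData")
    if user_data is not None and not user_data.startswith("#!"):
        errors.append("nodeUserData must begin with an interpreter directive (#!)")

    # nodeadm sections apply to AL2023 only; RECOMMENDED currently means AL2023.
    os_name = args.get("operatingSystem", "RECOMMENDED")
    if is_set("nodeadmExtraOptions") and os_name not in ("AL2023", "RECOMMENDED"):
        errors.append(f"nodeadmExtraOptions is only applicable to AL2023, not {os_name}")
    if os_name == "AL2":
        warnings.append("operatingSystem AL2 is deprecated; use AL2023")

    # Security-relevant settings worth a second look in review.
    if not (is_set("nodeRootVolumeEncrypted") or is_set("encryptRootBlockDevice")):
        warnings.append("root volume is not encrypted (nodeRootVolumeEncrypted defaults to false)")
    if is_set("nodeAssociatePublicIpAddress"):
        warnings.append("worker nodes will be auto-assigned public IP addresses")
    if is_set("keyName") or is_set("nodePublicKey"):
        warnings.append("SSH access to worker nodes is enabled")

    # labels/taints are appended to the kubelet args after kubeletExtraArgs.
    extra = args.get("kubeletExtraArgs") or ""
    for prop, flag in (("labels", "--node-labels"), ("taints", "--register-with-taints")):
        if is_set(prop) and flag in extra:
            warnings.append(f"{flag} is in kubeletExtraArgs and is also generated from {prop}")

    return errors, warnings


# Constructed sample inputs (not real resources).
RISKY = {
    "amiId": "ami-EXAMPLE", "gpu": True,
    "nodeRootVolumeType": "gp2", "nodeRootVolumeIops": 3000,
    "nodeUserData": "echo hello",
    "operatingSystem": "Bottlerocket",
    "nodeadmExtraOptions": [{"contentType": "application/node.eks.aws",
                             "content": "# constructed placeholder"}],
    "nodeAssociatePublicIpAddress": True,
    "autoScalingGroupTags": {"team": "a"}, "cloudFormationTags": {"team": "a"},
    "labels": {"pool": "general"}, "kubeletExtraArgs": "--node-labels=pool=other",
}
HARDENED = {
    "operatingSystem": "AL2023",
    "nodeRootVolumeType": "gp3", "nodeRootVolumeThroughput": 125,
    "nodeRootVolumeEncrypted": True,
    "nodeAssociatePublicIpAddress": False,
    "nodeUserData": "#!/bin/bash\necho ready\n",
    "labels": {"pool": "general"},
}

if __name__ == "__main__":
    for name, sample in (("RISKY", RISKY), ("HARDENED", HARDENED)):
        errs, warns = lint_node_group(sample)
        print(name, "errors:", errs, "warnings:", warns)
```
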

CoreData, CoreDataArgs

Cluster This property is required. Pulumi.Aws.Eks.Cluster
This type is defined in the AWS Classic package.
ClusterIamRole This property is required. Pulumi.Aws.Iam.Role
The IAM Role attached to the EKS Cluster. This type is defined in the AWS Classic package.
Endpoint This property is required. string
The EKS cluster's Kubernetes API server endpoint.
InstanceRoles This property is required. List<Pulumi.Aws.Iam.Role>
The IAM instance roles for the cluster's nodes.
NodeGroupOptions This property is required. ClusterNodeGroupOptions
The cluster's node group options.
Provider This property is required. Pulumi.Kubernetes.Provider
This type is defined in the pulumi package.
SubnetIds This property is required. List<string>
List of subnet IDs for the EKS cluster.
VpcId This property is required. string
ID of the cluster's VPC.
AccessEntries List<AccessEntry>
The access entries added to the cluster.
AwsProvider Pulumi.Aws.Provider
This type is defined in the pulumi package.
ClusterSecurityGroup Pulumi.Aws.Ec2.SecurityGroup
This type is defined in the AWS Classic package.
EksNodeAccess Pulumi.Kubernetes.Core.V1.ConfigMap
This type is defined in the Kubernetes package.
EncryptionConfig Pulumi.Aws.Eks.Inputs.ClusterEncryptionConfig
This type is defined in the AWS Classic package.
FargateProfile Pulumi.Aws.Eks.FargateProfile
The Fargate profile used to manage which pods run on Fargate. This type is defined in the AWS Classic package.
Kubeconfig object
The kubeconfig file for the cluster.
NodeSecurityGroupTags Dictionary<string, string>
Tags attached to the security groups associated with the cluster's worker nodes.
OidcProvider Pulumi.Aws.Iam.OpenIdConnectProvider
This type is defined in the AWS Classic package.
PrivateSubnetIds List<string>
List of subnet IDs for the private subnets.
PublicSubnetIds List<string>
List of subnet IDs for the public subnets.
StorageClasses Dictionary<string, Pulumi.Kubernetes.Storage.V1.StorageClass>
The storage class used for persistent storage by the cluster.
Tags Dictionary<string, string>
A map of tags assigned to the EKS cluster.
VpcCni Pulumi.Eks.VpcCniAddon
The VPC CNI for the cluster.
Cluster This property is required. Cluster
This type is defined in the AWS Classic package.
ClusterIamRole This property is required. Role
The IAM Role attached to the EKS Cluster. This type is defined in the AWS Classic package.
Endpoint This property is required. string
The EKS cluster's Kubernetes API server endpoint.
InstanceRoles This property is required. Role
The IAM instance roles for the cluster's nodes.
NodeGroupOptions This property is required. ClusterNodeGroupOptions
The cluster's node group options.
Provider This property is required. Provider
This type is defined in the pulumi package.
SubnetIds This property is required. []string
List of subnet IDs for the EKS cluster.
VpcId This property is required. string
ID of the cluster's VPC.
AccessEntries []AccessEntry
The access entries added to the cluster.
AwsProvider Provider
This type is defined in the pulumi package.
ClusterSecurityGroup SecurityGroup
This type is defined in the AWS Classic package.
EksNodeAccess ConfigMap
This type is defined in the Kubernetes package.
EncryptionConfig ClusterEncryptionConfig
This type is defined in the AWS Classic package.
FargateProfile FargateProfile
The Fargate profile used to manage which pods run on Fargate. This type is defined in the AWS Classic package.
Kubeconfig interface{}
The kubeconfig file for the cluster.
NodeSecurityGroupTags map[string]string
Tags attached to the security groups associated with the cluster's worker nodes.
OidcProvider OpenIdConnectProvider
This type is defined in the AWS Classic package.
PrivateSubnetIds []string
List of subnet IDs for the private subnets.
PublicSubnetIds []string
List of subnet IDs for the public subnets.
StorageClasses StorageClass
The storage class used for persistent storage by the cluster.
Tags map[string]string
A map of tags assigned to the EKS cluster.
VpcCni VpcCniAddon
The VPC CNI for the cluster.
cluster This property is required. Cluster
This type is defined in the AWS Classic package.
clusterIamRole This property is required. Role
The IAM Role attached to the EKS Cluster. This type is defined in the AWS Classic package.
endpoint This property is required. String
The EKS cluster's Kubernetes API server endpoint.
instanceRoles This property is required. List<Role>
The IAM instance roles for the cluster's nodes.
nodeGroupOptions This property is required. ClusterNodeGroupOptions
The cluster's node group options.
provider This property is required. Provider
This type is defined in the pulumi package.
subnetIds This property is required. List<String>
List of subnet IDs for the EKS cluster.
vpcId This property is required. String
ID of the cluster's VPC.
accessEntries List<AccessEntry>
The access entries added to the cluster.
awsProvider Provider
This type is defined in the pulumi package.
clusterSecurityGroup SecurityGroup
This type is defined in the AWS Classic package.
eksNodeAccess ConfigMap
This type is defined in the Kubernetes package.
encryptionConfig ClusterEncryptionConfig
This type is defined in the AWS Classic package.
fargateProfile FargateProfile
The Fargate profile used to manage which pods run on Fargate. This type is defined in the AWS Classic package.
kubeconfig Object
The kubeconfig file for the cluster.
nodeSecurityGroupTags Map<String,String>
Tags attached to the security groups associated with the cluster's worker nodes.
oidcProvider OpenIdConnectProvider
This type is defined in the AWS Classic package.
privateSubnetIds List<String>
List of subnet IDs for the private subnets.
publicSubnetIds List<String>
List of subnet IDs for the public subnets.
storageClasses Map<String,StorageClass>
The storage class used for persistent storage by the cluster.
tags Map<String,String>
A map of tags assigned to the EKS cluster.
vpcCni VpcCniAddon
The VPC CNI for the cluster.
cluster This property is required. pulumiAws.eks.Cluster
This type is defined in the AWS Classic package.
clusterIamRole This property is required. pulumiAws.iam.Role
The IAM Role attached to the EKS Cluster. This type is defined in the AWS Classic package.
endpoint This property is required. string
The EKS cluster's Kubernetes API server endpoint.
instanceRoles This property is required. pulumiAws.iam.Role[]
The IAM instance roles for the cluster's nodes.
nodeGroupOptions This property is required. ClusterNodeGroupOptions
The cluster's node group options.
provider This property is required. pulumiKubernetes.Provider
This type is defined in the pulumi package.
subnetIds This property is required. string[]
List of subnet IDs for the EKS cluster.
vpcId This property is required. string
ID of the cluster's VPC.
accessEntries AccessEntry[]
The access entries added to the cluster.
awsProvider pulumiAws.Provider
This type is defined in the pulumi package.
clusterSecurityGroup pulumiAws.ec2.SecurityGroup
This type is defined in the AWS Classic package.
eksNodeAccess pulumiKubernetes.core.v1.ConfigMap
This type is defined in the Kubernetes package.
encryptionConfig pulumiAws.types.input.eks.ClusterEncryptionConfig
This type is defined in the AWS Classic package.
fargateProfile pulumiAws.eks.FargateProfile
The Fargate profile used to manage which pods run on Fargate. This type is defined in the AWS Classic package.
kubeconfig any
The kubeconfig file for the cluster.
nodeSecurityGroupTags {[key: string]: string}
Tags attached to the security groups associated with the cluster's worker nodes.
oidcProvider pulumiAws.iam.OpenIdConnectProvider
This type is defined in the AWS Classic package.
privateSubnetIds string[]
List of subnet IDs for the private subnets.
publicSubnetIds string[]
List of subnet IDs for the public subnets.
storageClasses {[key: string]: pulumiKubernetes.storage.v1.StorageClass}
The storage class used for persistent storage by the cluster.
tags {[key: string]: string}
A map of tags assigned to the EKS cluster.
vpcCni VpcCniAddon
The VPC CNI for the cluster.
cluster This property is required. pulumi_aws.eks.Cluster
This type is defined in the AWS Classic package.
cluster_iam_role This property is required. pulumi_aws.iam.Role
The IAM Role attached to the EKS Cluster. This type is defined in the AWS Classic package.
endpoint This property is required. str
The EKS cluster's Kubernetes API server endpoint.
instance_roles This property is required. Sequence[pulumi_aws.iam.Role]
The IAM instance roles for the cluster's nodes.
node_group_options This property is required. ClusterNodeGroupOptions
The cluster's node group options.
provider This property is required. pulumi_kubernetes.Provider
This type is defined in the pulumi package.
subnet_ids This property is required. Sequence[str]
List of subnet IDs for the EKS cluster.
vpc_id This property is required. str
ID of the cluster's VPC.
access_entries Sequence[AccessEntry]
The access entries added to the cluster.
aws_provider pulumi_aws.Provider
This type is defined in the pulumi package.
cluster_security_group pulumi_aws.ec2.SecurityGroup
This type is defined in the AWS Classic package.
eks_node_access pulumi_kubernetes.core.v1.ConfigMap
This type is defined in the Kubernetes package.
encryption_config pulumi_aws.eks.ClusterEncryptionConfigArgs
This type is defined in the AWS Classic package.
fargate_profile pulumi_aws.eks.FargateProfile
The Fargate profile used to manage which pods run on Fargate. This type is defined in the AWS Classic package.
kubeconfig Any
The kubeconfig file for the cluster.
node_security_group_tags Mapping[str, str]
Tags attached to the security groups associated with the cluster's worker nodes.
oidc_provider pulumi_aws.iam.OpenIdConnectProvider
This type is defined in the AWS Classic package.
private_subnet_ids Sequence[str]
List of subnet IDs for the private subnets.
public_subnet_ids Sequence[str]
List of subnet IDs for the public subnets.
storage_classes Mapping[str, pulumi_kubernetes.storage.v1.StorageClass]
The storage class used for persistent storage by the cluster.
tags Mapping[str, str]
A map of tags assigned to the EKS cluster.
vpc_cni VpcCniAddon
The VPC CNI for the cluster.
cluster This property is required. aws:eks:Cluster
This type is defined in the AWS Classic package.
clusterIamRole This property is required. aws:iam:Role
The IAM Role attached to the EKS Cluster. This type is defined in the AWS Classic package.
endpoint This property is required. String
The EKS cluster's Kubernetes API server endpoint.
instanceRoles This property is required. List<aws:iam:Role>
The IAM instance roles for the cluster's nodes.
nodeGroupOptions This property is required. Property Map
The cluster's node group options.
provider This property is required. pulumi:providers:kubernetes
This type is defined in the pulumi package.
subnetIds This property is required. List<String>
List of subnet IDs for the EKS cluster.
vpcId This property is required. String
ID of the cluster's VPC.
accessEntries List<Property Map>
The access entries added to the cluster.
awsProvider pulumi:providers:aws
This type is defined in the pulumi package.
clusterSecurityGroup aws:ec2:SecurityGroup
This type is defined in the AWS Classic package.
eksNodeAccess kubernetes:core/v1:ConfigMap
This type is defined in the Kubernetes package.
encryptionConfig Property Map
This type is defined in the AWS Classic package.
fargateProfile aws:eks:FargateProfile
The Fargate profile used to manage which pods run on Fargate. This type is defined in the AWS Classic package.
kubeconfig Any
The kubeconfig file for the cluster.
nodeSecurityGroupTags Map<String>
Tags attached to the security groups associated with the cluster's worker nodes.
oidcProvider aws:iam:OpenIdConnectProvider
This type is defined in the AWS Classic package.
privateSubnetIds List<String>
List of subnet IDs for the private subnets.
publicSubnetIds List<String>
List of subnet IDs for the public subnets.
storageClasses Map<kubernetes:storage.k8s.io/v1:StorageClass>
The storage class used for persistent storage by the cluster.
tags Map<String>
A map of tags assigned to the EKS cluster.
vpcCni eks:VpcCniAddon
The VPC CNI for the cluster.

NodeadmOptions, NodeadmOptionsArgs

Content This property is required. string
The actual content of the MIME document part, such as shell script code or nodeadm configuration. Must be compatible with the specified contentType.
ContentType This property is required. string
The MIME type of the content. Examples are text/x-shellscript; charset="us-ascii" for shell scripts, and application/node.eks.aws for nodeadm configuration.
Content This property is required. string
The actual content of the MIME document part, such as shell script code or nodeadm configuration. Must be compatible with the specified contentType.
ContentType This property is required. string
The MIME type of the content. Examples are text/x-shellscript; charset="us-ascii" for shell scripts, and application/node.eks.aws for nodeadm configuration.
content This property is required. String
The actual content of the MIME document part, such as shell script code or nodeadm configuration. Must be compatible with the specified contentType.
contentType This property is required. String
The MIME type of the content. Examples are text/x-shellscript; charset="us-ascii" for shell scripts, and application/node.eks.aws for nodeadm configuration.
content This property is required. string
The actual content of the MIME document part, such as shell script code or nodeadm configuration. Must be compatible with the specified contentType.
contentType This property is required. string
The MIME type of the content. Examples are text/x-shellscript; charset="us-ascii" for shell scripts, and application/node.eks.aws for nodeadm configuration.
content This property is required. str
The actual content of the MIME document part, such as shell script code or nodeadm configuration. Must be compatible with the specified contentType.
content_type This property is required. str
The MIME type of the content. Examples are text/x-shellscript; charset="us-ascii" for shell scripts, and application/node.eks.aws for nodeadm configuration.
content This property is required. String
The actual content of the MIME document part, such as shell script code or nodeadm configuration. Must be compatible with the specified contentType.
contentType This property is required. String
The MIME type of the content. Examples are text/x-shellscript; charset="us-ascii" for shell scripts, and application/node.eks.aws for nodeadm configuration.

OperatingSystem, OperatingSystemArgs

AL2
AL2

EKS optimized OS based on Amazon Linux 2 (AL2).

Deprecated: Amazon Linux 2 is deprecated. Please use Amazon Linux 2023 instead. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/al2023.html

AL2023
AL2023

EKS optimized OS based on Amazon Linux 2023 (AL2023). See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

Bottlerocket
Bottlerocket

EKS optimized Container OS based on Bottlerocket. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami-bottlerocket.html

RECOMMENDED
AL2023

The recommended EKS optimized OS. Currently Amazon Linux 2023 (AL2023). This will be kept up to date with AWS' recommendations for EKS optimized operating systems.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

OperatingSystemAL2
AL2

EKS optimized OS based on Amazon Linux 2 (AL2).

Deprecated: Amazon Linux 2 is deprecated. Please use Amazon Linux 2023 instead. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/al2023.html

OperatingSystemAL2023
AL2023

EKS optimized OS based on Amazon Linux 2023 (AL2023). See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

OperatingSystemBottlerocket
Bottlerocket

EKS optimized Container OS based on Bottlerocket. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami-bottlerocket.html

OperatingSystemRECOMMENDED
AL2023

The recommended EKS optimized OS. Currently Amazon Linux 2023 (AL2023). This will be kept up to date with AWS' recommendations for EKS optimized operating systems.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

AL2
AL2

EKS optimized OS based on Amazon Linux 2 (AL2).

Deprecated: Amazon Linux 2 is deprecated. Please use Amazon Linux 2023 instead. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/al2023.html

AL2023
AL2023

EKS optimized OS based on Amazon Linux 2023 (AL2023). See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

Bottlerocket
Bottlerocket

EKS optimized Container OS based on Bottlerocket. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami-bottlerocket.html

RECOMMENDED
AL2023

The recommended EKS optimized OS. Currently Amazon Linux 2023 (AL2023). This will be kept up to date with AWS' recommendations for EKS optimized operating systems.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

AL2
AL2

EKS optimized OS based on Amazon Linux 2 (AL2).

Deprecated: Amazon Linux 2 is deprecated. Please use Amazon Linux 2023 instead. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/al2023.html

AL2023
AL2023

EKS optimized OS based on Amazon Linux 2023 (AL2023). See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

Bottlerocket
Bottlerocket

EKS optimized Container OS based on Bottlerocket. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami-bottlerocket.html

RECOMMENDED
AL2023

The recommended EKS optimized OS. Currently Amazon Linux 2023 (AL2023). This will be kept up to date with AWS' recommendations for EKS optimized operating systems.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

AL2
AL2

EKS optimized OS based on Amazon Linux 2 (AL2).

Deprecated: Amazon Linux 2 is deprecated. Please use Amazon Linux 2023 instead. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/al2023.html

AL2023
AL2023

EKS optimized OS based on Amazon Linux 2023 (AL2023). See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

BOTTLEROCKET
Bottlerocket

EKS optimized Container OS based on Bottlerocket. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami-bottlerocket.html

RECOMMENDED
AL2023

The recommended EKS optimized OS. Currently Amazon Linux 2023 (AL2023). This will be kept up to date with AWS' recommendations for EKS optimized operating systems.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

"AL2"
AL2

EKS optimized OS based on Amazon Linux 2 (AL2).

Deprecated: Amazon Linux 2 is deprecated. Please use Amazon Linux 2023 instead. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/al2023.html

"AL2023"
AL2023

EKS optimized OS based on Amazon Linux 2023 (AL2023). See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

"Bottlerocket"
Bottlerocket

EKS optimized Container OS based on Bottlerocket. See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami-bottlerocket.html

"AL2023"
AL2023

The recommended EKS optimized OS. Currently Amazon Linux 2023 (AL2023). This will be kept up to date with AWS' recommendations for EKS optimized operating systems.

See for more details: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html

Taint, TaintArgs

Effect This property is required. string
The effect of the taint.
Value This property is required. string
The value of the taint.
Effect This property is required. string
The effect of the taint.
Value This property is required. string
The value of the taint.
effect This property is required. String
The effect of the taint.
value This property is required. String
The value of the taint.
effect This property is required. string
The effect of the taint.
value This property is required. string
The value of the taint.
effect This property is required. str
The effect of the taint.
value This property is required. str
The value of the taint.
effect This property is required. String
The effect of the taint.
value This property is required. String
The value of the taint.

Package Details

Repository
Amazon EKS pulumi/pulumi-eks
License
Apache-2.0