streamnative · mitch-hamm · Apr 16, 2026 · Apr 16, 2026
@@ -221,6 +221,7 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir
 | <a name="input_cluster_service_ipv4_cidr"></a> [cluster\_service\_ipv4\_cidr](#input\_cluster\_service\_ipv4\_cidr) | The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks | `string` | `null` | no |
 | <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The version of Kubernetes to be installed. | `string` | `"1.20"` | no |
 | <a name="input_create_cluster_security_group"></a> [create\_cluster\_security\_group](#input\_create\_cluster\_security\_group) | Whether to create a new security group for the EKS cluster. If set to false, you must provide an existing security group via the cluster\_security\_group\_id variable. | `bool` | `true` | no |
+| <a name="input_authentication_mode"></a> [authentication\_mode](#input\_authentication\_mode) | The authentication mode for the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP` | `string` | `API_AND_CONFIG_MAP` | no |
 | <a name="input_create_iam_policies"></a> [create\_iam\_policies](#input\_create\_iam\_policies) | deprecated | `bool` | `false` | no |
 | <a name="input_create_node_security_group"></a> [create\_node\_security\_group](#input\_create\_node\_security\_group) | Whether to create a new security group for the EKS nodes. If set to false, you must provide an existing security group via the node\_security\_group\_id variable. | `bool` | `true` | no |
 | <a name="input_disable_public_eks_endpoint"></a> [disable\_public\_eks\_endpoint](#input\_disable\_public\_eks\_endpoint) | Whether to disable public access to the EKS control plane endpoint. If set to "true", additional configuration is required in order for the cluster to function properly, such as AWS PrivateLink for EC2, ECR, and S3, along with a VPN to access the EKS control plane. It is recommended to keep this setting to "false" unless you are familiar with this type of configuration. | `bool` | `false` | no |

@@ -254,6 +254,7 @@ module "eks" {
   cluster_security_group_name                = try(var.cluster_networking.cluster_security_group_name, null)
   cluster_security_group_additional_rules    = try(var.cluster_networking.cluster_security_group_additional_rules, var.cluster_security_group_additional_rules, {})
   create_cluster_primary_security_group_tags = false # Cleaner if we handle the tag in aws_ec2_tag.cluster_security_group
+  authentication_mode                        = var.authentication_mode
 
   eks_managed_node_groups         = local.eks_managed_node_groups
   eks_managed_node_group_defaults = local.node_group_defaults

@@ -218,6 +218,12 @@ variable "manage_aws_auth_configmap" {
   type        = bool
 }
 
+variable "authentication_mode" {
+  default     = "API_AND_CONFIG_MAP"
+  description = "The authentication mode for the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`"
+  type        = string
+}
+
 variable "map_additional_iam_roles" {
   default     = []
   description = "A list of IAM role bindings to add to the aws-auth ConfigMap."