From 4d283bcc6f9672175436bea050c883ae78c387f1 Mon Sep 17 00:00:00 2001
From: svelango
Date: Fri, 28 Oct 2022 16:24:27 -0500
Subject: [PATCH] feat: Add support for AppMesh controller addon with AppMesh mTLS example (#539)

Co-authored-by: Elango Sundararajan
Co-authored-by: Bryant Biggs
---
 .github/workflows/plan-examples.py | 1 +
 examples/appmesh-mtls/README.md | 61 +++++
 examples/appmesh-mtls/main.tf | 231 ++++++++++++++++++
 examples/appmesh-mtls/outputs.tf | 4 +
 examples/appmesh-mtls/variables.tf | 17 ++
 examples/appmesh-mtls/versions.tf | 29 +++
 examples/karpenter/README.md | 2 +-
 modules/kubernetes-addons/README.md | 4 +
 .../appmesh-controller/README.md | 43 ++++
 .../appmesh-controller/main.tf | 149 +++++++++++
 .../appmesh-controller/outputs.tf | 0
 .../appmesh-controller/variables.tf | 34 +++
 .../appmesh-controller/versions.tf | 10 +
 modules/kubernetes-addons/main.tf | 8 +
 modules/kubernetes-addons/variables.tf | 19 ++
 15 files changed, 611 insertions(+), 1 deletion(-)
 create mode 100644 examples/appmesh-mtls/README.md
 create mode 100644 examples/appmesh-mtls/main.tf
 create mode 100644 examples/appmesh-mtls/outputs.tf
 create mode 100644 examples/appmesh-mtls/variables.tf
 create mode 100644 examples/appmesh-mtls/versions.tf
 create mode 100644 modules/kubernetes-addons/appmesh-controller/README.md
 create mode 100644 modules/kubernetes-addons/appmesh-controller/main.tf
 create mode 100644 modules/kubernetes-addons/appmesh-controller/outputs.tf
 create mode 100644 modules/kubernetes-addons/appmesh-controller/variables.tf
 create mode 100644 modules/kubernetes-addons/appmesh-controller/versions.tf

diff --git a/.github/workflows/plan-examples.py b/.github/workflows/plan-examples.py
index e68bd201f9..d361b5385e 100644
--- a/.github/workflows/plan-examples.py
+++ b/.github/workflows/plan-examples.py
@@ -9,6 +9,7 @@ def get_examples():
 returning a string formatted json array of the example directories minus those that are excluded
 """
 exclude = {
+ 'examples/appmesh-mtls', # excluded until Rout53 is setup
 'examples/eks-cluster-with-external-dns', # excluded until Rout53 is setup
 'examples/ci-cd/gitlab-ci-cd', # excluded since GitLab auth, backend, etc. required
 'examples/fully-private-eks-cluster/vpc', # skipping until issue #711 is addressed
diff --git a/examples/appmesh-mtls/README.md b/examples/appmesh-mtls/README.md
new file mode 100644
index 0000000000..0af6fdcf33
--- /dev/null
+++ b/examples/appmesh-mtls/README.md
@@ -0,0 +1,61 @@
+# EKS Cluster w/ AppMesh mTLS
+
+This example shows how to provision an EKS cluster with AppMesh mTLS enabled.
+
+## Prerequisites:
+
+Ensure that you have the following tools installed locally:
+
+1. [aws cli](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html)
+2. [kubectl](https://Kubernetes.io/docs/tasks/tools/)
+3. [terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli)
+
+## Deploy
+
+To provision this example:
+
+```sh
+terraform init
+terraform apply
+```
+
+Enter `yes` at command prompt to apply
+
+
+## Validate
+
+The following command will update the `kubeconfig` on your local machine and allow you to interact with your EKS Cluster using `kubectl` to validate the deployment.
+
+1. Run `update-kubeconfig` command:
+
+```sh
+aws eks --region update-kubeconfig --name
+```
+
+2. List the nodes running currently
+
+```sh
+kubectl get nodes
+
+# Output should look like below
+NAME STATUS ROLES AGE VERSION
+ip-10-0-30-125.us-west-2.compute.internal Ready 2m19s v1.22.9-eks-810597c
+```
+
+3. List out the pods running currently:
+
+```sh
+kubectl get pods -A
+
+# TODO
+```
+
+## Destroy
+
+To teardown and remove the resources created in this example:
+
+```sh
+terraform destroy -target="module.eks_blueprints_kubernetes_addons" -auto-approve
+terraform destroy -target="module.eks_blueprints" -auto-approve
+terraform destroy -auto-approve
+```
diff --git a/examples/appmesh-mtls/main.tf b/examples/appmesh-mtls/main.tf
new file mode 100644
index 0000000000..73eaf51025
--- /dev/null
+++ b/examples/appmesh-mtls/main.tf
@@ -0,0 +1,231 @@
+provider "aws" {
+ region = local.region
+}
+
+provider "kubernetes" {
+ host = module.eks_blueprints.eks_cluster_endpoint
+ cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
+ token = data.aws_eks_cluster_auth.this.token
+}
+
+provider "helm" {
+ kubernetes {
+ host = module.eks_blueprints.eks_cluster_endpoint
+ cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
+ token = data.aws_eks_cluster_auth.this.token
+ }
+}
+
+provider "kubectl" {
+ apply_retry_count = 10
+ host = module.eks_blueprints.eks_cluster_endpoint
+ cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
+ load_config_file = false
+ token = data.aws_eks_cluster_auth.this.token
+}
+
+data "aws_eks_cluster_auth" "this" {
+ name = module.eks_blueprints.eks_cluster_id
+}
+
+data "aws_availability_zones" "available" {}
+
+locals {
+ name = basename(path.cwd)
+ region = "us-west-2"
+
+ vpc_cidr = "10.0.0.0/16"
+ azs = slice(data.aws_availability_zones.available.names, 0, 3)
+
+
+ tags = {
+ Blueprint = local.name
+ GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints"
+ }
+}
+
+#---------------------------------------------------------------
+# EKS Blueprints
+#---------------------------------------------------------------
+
+module "eks_blueprints" {
+ source = "../.."
+
+ cluster_name = local.name
+ cluster_version = "1.23"
+
+ vpc_id = module.vpc.vpc_id
+ private_subnet_ids = module.vpc.private_subnets
+
+ managed_node_groups = {
+ this = {
+ node_group_name = local.name
+ instance_types = ["m5.large"]
+ subnet_ids = module.vpc.private_subnets
+
+ min_size = 1
+ max_size = 2
+ desired_size = 1
+
+ update_config = [{
+ max_unavailable_percentage = 30
+ }]
+ }
+ }
+
+ tags = local.tags
+}
+
+module "eks_blueprints_kubernetes_addons" {
+ source = "../../modules/kubernetes-addons"
+
+ eks_cluster_id = module.eks_blueprints.eks_cluster_id
+ eks_cluster_endpoint = module.eks_blueprints.eks_cluster_endpoint
+ eks_oidc_provider = module.eks_blueprints.oidc_provider
+ eks_cluster_version = module.eks_blueprints.eks_cluster_version
+ eks_cluster_domain = var.eks_cluster_domain
+
+ enable_amazon_eks_vpc_cni = true
+ enable_amazon_eks_coredns = true
+ enable_amazon_eks_kube_proxy = true
+
+ aws_privateca_acmca_arn = aws_acmpca_certificate_authority.example.arn
+ enable_appmesh_controller = true
+ enable_cert_manager = true
+ enable_aws_privateca_issuer = true
+
+ tags = local.tags
+}
+
+#---------------------------------------------------------------
+# Certificate Resources
+#---------------------------------------------------------------
+
+resource "aws_acmpca_certificate_authority" "example" {
+ type = "ROOT"
+
+ certificate_authority_configuration {
+ key_algorithm = "RSA_4096"
+ signing_algorithm = "SHA512WITHRSA"
+
+ subject {
+ common_name = "example.com"
+ }
+ }
+}
+
+resource "aws_acmpca_certificate" "example" {
+ certificate_authority_arn = aws_acmpca_certificate_authority.example.arn
+ certificate_signing_request = aws_acmpca_certificate_authority.example.certificate_signing_request
+ signing_algorithm = "SHA512WITHRSA"
+
+ template_arn = "arn:aws:acm-pca:::template/RootCACertificate/V1"
+
+ validity {
+ type = "YEARS"
+ value = 10
+ }
+}
+
+resource "aws_acmpca_certificate_authority_certificate" "example" {
+ certificate_authority_arn = aws_acmpca_certificate_authority.example.arn
+
+ certificate = aws_acmpca_certificate.example.certificate
+ certificate_chain = aws_acmpca_certificate.example.certificate_chain
+}
+
+# This resource creates a CRD of AWSPCAClusterIssuer Kind, which then represents the ACM PCA in K8
+resource "kubectl_manifest" "cluster_pca_issuer" {
+ yaml_body = yamlencode({
+ apiVersion = "awspca.cert-manager.io/v1beta1"
+ kind = "AWSPCAClusterIssuer"
+
+ metadata = {
+ name = module.eks_blueprints.eks_cluster_id
+ }
+
+ spec = {
+ arn = aws_acmpca_certificate_authority.example.arn
+ region : local.region
+ }
+ })
+}
+
+# This resource creates a CRD of Certificate Kind, which then represents certificate issued from ACM PCA,
+# mounted as K8 secret
+resource "kubectl_manifest" "example_pca_certificate" {
+ yaml_body = yamlencode({
+ apiVersion = "cert-manager.io/v1"
+ kind = "Certificate"
+
+ metadata = {
+ name = var.certificate_name
+ namespace = "default"
+ }
+
+ spec = {
+ commonName = var.certificate_dns
+ duration = "2160h0m0s"
+ issuerRef = {
+ group = "awspca.cert-manager.io"
+ kind = "AWSPCAClusterIssuer"
+ name : module.eks_blueprints.eks_cluster_id
+ }
+ renewBefore = "360h0m0s"
+ # This is the name with which the K8 Secret will be available
+ secretName = "${var.certificate_name}-clusterissuer"
+ usages = [
+ "server auth",
+ "client auth"
+ ]
+ privateKey = {
+ algorithm : "RSA"
+ size : 2048
+ }
+ }
+ })
+
+ depends_on = [
+ kubectl_manifest.cluster_pca_issuer,
+ ]
+}
+
+#---------------------------------------------------------------
+# Supporting Resources
+#---------------------------------------------------------------
+
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "~> 3.0"
+
+ name = local.name
+ cidr = local.vpc_cidr
+
+ azs = local.azs
+ public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
+ private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 10)]
+
+ enable_nat_gateway = true
+ single_nat_gateway = true
+ enable_dns_hostnames = true
+
+ # Manage so we can name
+ manage_default_network_acl = true
+ default_network_acl_tags = { Name = "${local.name}-default" }
+ manage_default_route_table = true
+ default_route_table_tags = { Name = "${local.name}-default" }
+ manage_default_security_group = true
+ default_security_group_tags = { Name = "${local.name}-default" }
+
+ public_subnet_tags = {
+ "kubernetes.io/cluster/${local.name}" = "shared"
+ "kubernetes.io/role/elb" = 1
+ }
+
+ private_subnet_tags = {
+ "kubernetes.io/cluster/${local.name}" = "shared"
+ "kubernetes.io/role/internal-elb" = 1
+ }
+
+ tags = local.tags
+}
diff --git a/examples/appmesh-mtls/outputs.tf b/examples/appmesh-mtls/outputs.tf
new file mode 100644
index 0000000000..55552d3138
--- /dev/null
+++ b/examples/appmesh-mtls/outputs.tf
@@ -0,0 +1,4 @@
+output "configure_kubectl" {
+ description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig"
+ value = module.eks_blueprints.configure_kubectl
+}
diff --git a/examples/appmesh-mtls/variables.tf b/examples/appmesh-mtls/variables.tf
new file mode 100644
index 0000000000..a40e103715
--- /dev/null
+++ b/examples/appmesh-mtls/variables.tf
@@ -0,0 +1,17 @@
+variable "eks_cluster_domain" {
+ description = "Route53 domain for the cluster"
+ type = string
+ default = "example.com"
+}
+
+variable "certificate_name" {
+ description = "name for the certificate"
+ type = string
+ default = "example"
+}
+
+variable "certificate_dns" {
+ description = "CommonName used in the Certificate, usually DNS"
+ type = string
+ default = "example.com"
+}
diff --git a/examples/appmesh-mtls/versions.tf b/examples/appmesh-mtls/versions.tf
new file mode 100644
index 0000000000..20cf3ecb44
--- /dev/null
+++ b/examples/appmesh-mtls/versions.tf
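Review bot: `kubectl_manifest.cluster_pca_issuer` has no dependency on `module.eks_blueprints_kubernetes_addons`, so Terraform may try to apply the `AWSPCAClusterIssuer` object before the cert-manager and aws-privateca-issuer releases have registered that CRD; `apply_retry_count = 10` on the kubectl provider papers over this with retries instead of ordering it. Add `depends_on = [module.eks_blueprints_kubernetes_addons]` to that resource (the `Certificate` resource already chains off the issuer, so it inherits the ordering). `aws_acmpca_certificate_authority.example` leaves `permanent_deletion_time_in_days` at its provider default of 30, so the README's `terraform destroy` steps leave the root CA in its pending-deletion window for a month; for a throwaway example set `permanent_deletion_time_in_days = 7` and mention it in the README. A root CA issuing leaf certificates directly with a 10-year validity is acceptable for a demo but deserves a one-line comment so the pattern is not copied into production unchanged. The `spec` maps mix `=` and `:` (`region : local.region`, `name : module...`, `algorithm : "RSA"`, `size : 2048`); use `=` throughout for consistency with the rest of the file.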
@@ -0,0 +1,29 @@
+terraform {
+ required_version = ">= 1.0.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.72"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.10"
+ }
+ helm = {
+ source = "hashicorp/helm"
+ version = ">= 2.4.1"
+ }
+ kubectl = {
+ source = "gavinbunney/kubectl"
+ version = ">= 1.14"
+ }
+ }
+
+ # ## Used for end-to-end testing on project; update to suit your needs
+ # backend "s3" {
+ # bucket = "terraform-ssp-github-actions-state"
+ # region = "us-west-2"
+ # key = "e2e/appmesh-mtls/terraform.tfstate"
+ # }
+}
diff --git a/examples/karpenter/README.md b/examples/karpenter/README.md
index 2854aa61a5..eb82b663b3 100644
--- a/examples/karpenter/README.md
+++ b/examples/karpenter/README.md
@@ -111,7 +111,7 @@ After few times you should see 2 new nodes (one created by each provisioner)
 # Output should look like below
 NAME STATUS ROLES AGE VERSION PROVISIONER-NAME
 ip-10-0-10-14.us-west-2.compute.internal Ready 11m v1.22.9-eks-810597c default
- ip-10-0-11-16.us-west-2.compute.internal Ready 70m v1.22.9-eks-810597c
+ ip-10-0-11-16.us-west-2.compute.internal Ready 70m v1.22.9-eks-810597c
 ip-10-0-12-138.us-west-2.compute.internal Ready 4m57s v1.22.9-eks-810597c default-lt
 We now have :
diff --git a/modules/kubernetes-addons/README.md b/modules/kubernetes-addons/README.md
index 8ce7e3f16e..767dc9ff61 100644
--- a/modules/kubernetes-addons/README.md
+++ b/modules/kubernetes-addons/README.md
@@ -27,6 +27,7 @@
 | [agones](#module\_agones) | ./agones | n/a |
 | [airflow](#module\_airflow) | ./airflow | n/a |
 | [app\_2048](#module\_app\_2048) | ./app-2048 | n/a |
+| [appmesh\_controller](#module\_appmesh\_controller) | ./appmesh-controller | n/a |
 | [argo\_rollouts](#module\_argo\_rollouts) | ./argo-rollouts | n/a |
 | [argocd](#module\_argocd) | ./argocd | n/a |
 | [aws\_cloudwatch\_metrics](#module\_aws\_cloudwatch\_metrics) | ./aws-cloudwatch-metrics | n/a |
@@ -111,6 +112,8 @@
 | [amazon\_eks\_vpc\_cni\_config](#input\_amazon\_eks\_vpc\_cni\_config) | ConfigMap of Amazon EKS VPC CNI add-on | `any` | `{}` | no |
 | [amazon\_prometheus\_workspace\_endpoint](#input\_amazon\_prometheus\_workspace\_endpoint) | AWS Managed Prometheus WorkSpace Endpoint | `string` | `null` | no |
 | [amazon\_prometheus\_workspace\_region](#input\_amazon\_prometheus\_workspace\_region) | AWS Managed Prometheus WorkSpace Region | `string` | `null` | no |
+| [appmesh\_helm\_config](#input\_appmesh\_helm\_config) | AppMesh Helm Chart config | `any` | `{}` | no |
+| [appmesh\_irsa\_policies](#input\_appmesh\_irsa\_policies) | Additional IAM policies for a IAM role for service accounts | `list(string)` | `[]` | no |
 | [argo\_rollouts\_helm\_config](#input\_argo\_rollouts\_helm\_config) | Argo Rollouts Helm Chart config | `any` | `null` | no |
 | [argocd\_applications](#input\_argocd\_applications) | Argo CD Applications config to bootstrap the cluster | `any` | `{}` | no |
 | [argocd\_helm\_config](#input\_argocd\_helm\_config) | Argo CD Kubernetes add-on config | `any` | `{}` | no |
@@ -173,6 +176,7 @@
 | [enable\_amazon\_eks\_vpc\_cni](#input\_enable\_amazon\_eks\_vpc\_cni) | Enable VPC CNI add-on | `bool` | `false` | no |
 | [enable\_amazon\_prometheus](#input\_enable\_amazon\_prometheus) | Enable AWS Managed Prometheus service | `bool` | `false` | no |
 | [enable\_app\_2048](#input\_enable\_app\_2048) | Enable sample app 2048 | `bool` | `false` | no |
+| [enable\_appmesh\_controller](#input\_enable\_appmesh\_controller) | Enable AppMesh add-on | `bool` | `false` | no |
 | [enable\_argo\_rollouts](#input\_enable\_argo\_rollouts) | Enable Argo Rollouts add-on | `bool` | `false` | no |
 | [enable\_argocd](#input\_enable\_argocd) | Enable Argo CD Kubernetes add-on | `bool` | `false` | no |
 | [enable\_aws\_cloudwatch\_metrics](#input\_enable\_aws\_cloudwatch\_metrics) | Enable AWS CloudWatch Metrics add-on for Container Insights | `bool` | `false` | no |
diff --git a/modules/kubernetes-addons/appmesh-controller/README.md b/modules/kubernetes-addons/appmesh-controller/README.md new file mode 100644 index 0000000000..8ef01d0796 --- /dev/null +++ b/modules/kubernetes-addons/appmesh-controller/README.md @@ -0,0 +1,43 @@ +# AppMesh Controller + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [aws](#requirement\_aws) | >= 3.72 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 3.72 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [helm\_addon](#module\_helm\_addon) | ../helm-addon | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [addon\_context](#input\_addon\_context) | Input configuration for the addon |
object({
aws_caller_identity_account_id = string
aws_caller_identity_arn = string
aws_eks_cluster_endpoint = string
aws_partition_id = string
aws_region_name = string
eks_cluster_id = string
eks_oidc_issuer_url = string
eks_oidc_provider_arn = string
tags = map(string)
irsa_iam_role_path = string
irsa_iam_permissions_boundary = string
})
| n/a | yes | +| [helm\_config](#input\_helm\_config) | Helm provider config for the Karpenter | `any` | `{}` | no | +| [irsa\_policies](#input\_irsa\_policies) | Additional IAM policies for a IAM role for service accounts | `list(string)` | `[]` | no | +| [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps. | `bool` | `false` | no | + +## Outputs + +No outputs. + diff --git a/modules/kubernetes-addons/appmesh-controller/main.tf b/modules/kubernetes-addons/appmesh-controller/main.tf new file mode 100644 index 0000000000..48272e7700 --- /dev/null +++ b/modules/kubernetes-addons/appmesh-controller/main.tf 
@@ -0,0 +1,149 @@
+locals {
+ name = try(var.helm_config.name, "appmesh-controller")
+ namespace = try(var.helm_config.namespace, "appmesh-system")
+
+ partition = data.aws_partition.current.partition
+ dns_suffix = data.aws_partition.current.dns_suffix
+}
+
+data "aws_partition" "current" {}
+
+module "helm_addon" {
+ source = "../helm-addon"
+
+ helm_config = merge(
+ {
+ name = local.name
+ chart = local.name
+ repository = "https://aws.github.io/eks-charts"
+ version = "1.7.0"
+ namespace = local.namespace
+ description = "AWS App Mesh Helm Chart"
+ },
+ var.helm_config
+ )
+
+ set_values = [
+ {
+ name = "serviceAccount.name"
+ value = local.name
+ },
+ {
+ name = "serviceAccount.create"
+ value = false
+ }
+ ]
+
+ irsa_config = {
+ create_kubernetes_namespace = false
+ kubernetes_namespace = local.namespace
+ create_kubernetes_service_account = true
+ kubernetes_service_account = local.name
+ irsa_iam_policies = concat([aws_iam_policy.this.arn], var.irsa_policies)
+ }
+
+ manage_via_gitops = var.manage_via_gitops
+ addon_context = var.addon_context
+}
+
+resource "aws_iam_policy" "this" {
+ name = "${var.addon_context.eks_cluster_id}-appmesh"
+ description = "IAM Policy for App Mesh"
+ policy = data.aws_iam_policy_document.this.json
+}
+
+data "aws_iam_policy_document" "this" {
+ statement {
+ sid = "appmesh"
+ effect = "Allow"
+ resources = ["*"]
+
+ actions = [
+ "appmesh:ListVirtualRouters",
+ "appmesh:ListVirtualServices",
+ "appmesh:ListRoutes",
+ "appmesh:ListGatewayRoutes",
+ "appmesh:ListMeshes",
+ "appmesh:ListVirtualNodes",
+ "appmesh:ListVirtualGateways",
+ "appmesh:DescribeMesh",
+ "appmesh:DescribeVirtualRouter",
+ "appmesh:DescribeRoute",
+ "appmesh:DescribeVirtualNode",
+ "appmesh:DescribeVirtualGateway",
+ "appmesh:DescribeGatewayRoute",
+ "appmesh:DescribeVirtualService",
+ "appmesh:CreateMesh",
+ "appmesh:CreateVirtualRouter",
+ "appmesh:CreateVirtualGateway",
+ "appmesh:CreateVirtualService",
+ "appmesh:CreateGatewayRoute",
+ "appmesh:CreateRoute",
+ "appmesh:CreateVirtualNode",
+ "appmesh:UpdateMesh",
+ "appmesh:UpdateRoute",
+ "appmesh:UpdateVirtualGateway",
+ "appmesh:UpdateVirtualRouter",
+ "appmesh:UpdateGatewayRoute",
+ "appmesh:UpdateVirtualService",
+ "appmesh:UpdateVirtualNode",
+ "appmesh:DeleteMesh",
+ "appmesh:DeleteRoute",
+ "appmesh:DeleteVirtualRouter",
+ "appmesh:DeleteGatewayRoute",
+ "appmesh:DeleteVirtualService",
+ "appmesh:DeleteVirtualNode",
+ "appmesh:DeleteVirtualGateway"
+ ]
+ }
+
+ statement {
+ sid = "CreateServiceLinkedRole"
+ effect = "Allow"
+ resources = ["arn:${local.partition}:iam::*:role/aws-service-role/appmesh.${local.dns_suffix}/AWSServiceRoleForAppMesh"]
+ actions = ["iam:CreateServiceLinkedRole"]
+
+ condition {
+ test = "StringLike"
+ variable = "iam:AWSServiceName"
+ values = ["appmesh.${local.dns_suffix}"]
+ }
+ }
+
+ statement {
+ sid = "ACMAccess"
+ effect = "Allow"
+ resources = ["*"]
+ actions = [
+ "acm:ListCertificates",
+ "acm:DescribeCertificate",
+ "acm-pca:DescribeCertificateAuthority",
+ "acm-pca:ListCertificateAuthorities"
+ ]
+ }
+
+ statement {
+ sid = "ServiceDiscovery"
+ effect = "Allow"
+ resources = ["*"]
+ actions = [
+ "servicediscovery:CreateService",
+ "servicediscovery:DeleteService",
+ "servicediscovery:GetService",
+ "servicediscovery:GetInstance",
+ "servicediscovery:RegisterInstance",
+ "servicediscovery:DeregisterInstance",
+ "servicediscovery:ListInstances",
+ "servicediscovery:ListNamespaces",
+ "servicediscovery:ListServices",
+ "servicediscovery:GetInstancesHealthStatus",
+ "servicediscovery:UpdateInstanceCustomHealthStatus",
+ "servicediscovery:GetOperation",
+ "route53:GetHealthCheck",
+ "route53:CreateHealthCheck",
+ "route53:UpdateHealthCheck",
+ "route53:ChangeResourceRecordSets",
+ "route53:DeleteHealthCheck"
+ ]
+ }
+}
diff --git a/modules/kubernetes-addons/appmesh-controller/outputs.tf b/modules/kubernetes-addons/appmesh-controller/outputs.tf
new file mode 100644
index 0000000000..e69de29bb2
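Review bot: The `appmesh` statement in `data.aws_iam_policy_document.this` grants every Create/Update/Delete action on `resources = ["*"]`, so the controller's IRSA role can modify meshes in any account and region its credentials reach, even though most of these actions accept mesh-scoped ARNs; keep `*` only for the calls that appear to take no resource ARN (the `List*` actions such as `ListMeshes`) and scope the remainder with the values already in `addon_context`, e.g. `resources = ["arn:${local.partition}:appmesh:${var.addon_context.aws_region_name}:${var.addon_context.aws_caller_identity_account_id}:*"]`. The `ServiceDiscovery` statement also grants `route53:ChangeResourceRecordSets` on `*`, which is write access to every hosted zone in the account; this looks like a copy of the upstream controller policy, but it should be stated in the module README so operators know what the role can do, and an optional variable for the hosted-zone ARNs would let them narrow it. The `CreateServiceLinkedRole` statement is a good example of the tighter pattern: one resource ARN plus an `iam:AWSServiceName` condition.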
diff --git a/modules/kubernetes-addons/appmesh-controller/variables.tf b/modules/kubernetes-addons/appmesh-controller/variables.tf
new file mode 100644
index 0000000000..5846ed3a5a
--- /dev/null
+++ b/modules/kubernetes-addons/appmesh-controller/variables.tf
@@ -0,0 +1,34 @@
+variable "irsa_policies" {
+ description = "Additional IAM policies for a IAM role for service accounts"
+ type = list(string)
+ default = []
+}
+
+variable "helm_config" {
+ description = "Helm provider config for the Karpenter"
+ type = any
+ default = {}
+}
+
+variable "addon_context" {
+ description = "Input configuration for the addon"
+ type = object({
+ aws_caller_identity_account_id = string
+ aws_caller_identity_arn = string
+ aws_eks_cluster_endpoint = string
+ aws_partition_id = string
+ aws_region_name = string
+ eks_cluster_id = string
+ eks_oidc_issuer_url = string
+ eks_oidc_provider_arn = string
+ tags = map(string)
+ irsa_iam_role_path = string
+ irsa_iam_permissions_boundary = string
+ })
+}
+
+variable "manage_via_gitops" {
+ description = "Determines if the add-on should be managed via GitOps."
+ type = bool
+ default = false
+}
diff --git a/modules/kubernetes-addons/appmesh-controller/versions.tf b/modules/kubernetes-addons/appmesh-controller/versions.tf
new file mode 100644
index 0000000000..f92f41b9e7
--- /dev/null
+++ b/modules/kubernetes-addons/appmesh-controller/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.0.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.72"
+ }
+ }
+}
diff --git a/modules/kubernetes-addons/main.tf b/modules/kubernetes-addons/main.tf
index d2a34bc78b..4d7088d9cf 100644
--- a/modules/kubernetes-addons/main.tf
+++ b/modules/kubernetes-addons/main.tf
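Review bot: The `helm_config` variable is described as `Helm provider config for the Karpenter`, which looks like a leftover from the module this file was copied from; change it to `description = "Helm provider config for the AppMesh controller"`. The same text is reproduced in the generated Inputs table of `modules/kubernetes-addons/appmesh-controller/README.md` earlier in this commit, so regenerate that file after fixing the source. `irsa_policies` is described only as "Additional IAM policies" although `main.tf` concatenates it into a list of policy ARNs; the wording matches the sibling add-ons, so if it is kept for consistency a trailing "(ARNs)" would still help callers.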
@@ -186,6 +186,14 @@ module "aws_node_termination_handler" {
 addon_context = local.addon_context
 }
 
+module "appmesh_controller" {
+ count = var.enable_appmesh_controller ? 1 : 0
+ source = "./appmesh-controller"
+ helm_config = var.appmesh_helm_config
+ irsa_policies = var.appmesh_irsa_policies
+ addon_context = local.addon_context
+}
+
 module "cert_manager" {
 count = var.enable_cert_manager ? 1 : 0
 source = "./cert-manager"
diff --git a/modules/kubernetes-addons/variables.tf b/modules/kubernetes-addons/variables.tf
index faa135fceb..dc84a60670 100644
--- a/modules/kubernetes-addons/variables.tf
+++ b/modules/kubernetes-addons/variables.tf
@@ -193,6 +193,25 @@ variable "coredns_autoscaler_helm_config" {
 default = {}
 }
 
+#-----------AWS Appmesh-------------
+variable "enable_appmesh_controller" {
+ description = "Enable AppMesh add-on"
+ type = bool
+ default = false
+}
+
+variable "appmesh_helm_config" {
+ description = "AppMesh Helm Chart config"
+ type = any
+ default = {}
+}
+
+variable "appmesh_irsa_policies" {
+ description = "Additional IAM policies for a IAM role for service accounts"
+ type = list(string)
+ default = []
+}
+
 #-----------Crossplane ADDON-------------
 variable "enable_crossplane" {
 description = "Enable Crossplane add-on"
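Review bot: `module "appmesh_controller"` is inserted between `aws_node_termination_handler` and `cert_manager`; the two neighbours visible in the hunk suggest the modules in this file are kept in alphabetical order, in which case the block belongs before the `aws_*` modules (the README table in this commit lists `appmesh_controller` right after `app_2048`). The new variables in `modules/kubernetes-addons/variables.tf` sit under `#-----------AWS Appmesh-------------`, while every other identifier in this commit spells the product `AppMesh` and the following section header is `#-----------Crossplane ADDON-------------`; `#-----------AppMesh ADDON-------------` would match both. The module block itself mirrors its siblings (`count`, `source`, `helm_config`, `irsa_policies`, `addon_context`), so no functional change is needed here.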