Updated Examples With new Changes
svelango committed Aug 17, 2022
1 parent fb42583 commit 376db9f
Showing 12 changed files with 133 additions and 129 deletions.
147 changes: 74 additions & 73 deletions examples/appmesh-mtls/main.tf
Expand Up @@ -5,85 +5,42 @@ provider "aws" {
provider "kubernetes" {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
token = data.aws_eks_cluster_auth.this.token
}

exec {
api_version = "client.authentication.k8s.io/v1alpha1"
command = "aws"
# This requires the awscli to be installed locally where Terraform is executed
args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
provider "helm" {
kubernetes {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
token = data.aws_eks_cluster_auth.this.token
}
}

provider "kubectl" {
apply_retry_count = 10
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
load_config_file = false

exec {
api_version = "client.authentication.k8s.io/v1alpha1"
command = "aws"
# This requires the awscli to be installed locally where Terraform is executed
args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
}
token = data.aws_eks_cluster_auth.this.token
}

provider "helm" {
kubernetes {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)

exec {
api_version = "client.authentication.k8s.io/v1alpha1"
command = "aws"
# This requires the awscli to be installed locally where Terraform is executed
args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
}
}
data "aws_eks_cluster_auth" "this" {
name = module.eks_blueprints.eks_cluster_id
}

data "aws_availability_zones" "available" {}
data "aws_partition" "current" {}

locals {
tenant = var.tenant # AWS account name or unique id for tenant
environment = var.environment # Environment area eg., preprod or prod
zone = var.zone # Environment with in one sub_tenant or business unit

cluster_version = "1.21"
region = "us-west-2"

vpc_cidr = "10.0.0.0/16"
azs = slice(data.aws_availability_zones.available.names, 0, 3)
cluster_name = join("-", [local.tenant, local.environment, local.zone, "eks"])
name = basename(path.cwd)

terraform_version = "Terraform v1.0.1"
}

module "aws_vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 3.0"

name = join("-", [local.tenant, local.environment, local.zone, "vpc"])
cidr = local.vpc_cidr
azs = local.azs

public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 10)]
region = "us-west-2"

enable_nat_gateway = true
create_igw = true
enable_dns_hostnames = true
single_nat_gateway = true
vpc_cidr = "10.0.0.0/16"
azs = slice(data.aws_availability_zones.available.names, 0, 3)

public_subnet_tags = {
"kubernetes.io/cluster/${local.cluster_name}" = "shared"
"kubernetes.io/role/elb" = "1"
}

private_subnet_tags = {
"kubernetes.io/cluster/${local.cluster_name}" = "shared"
"kubernetes.io/role/internal-elb" = "1"
tags = {
Blueprint = local.name
GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints"
}
}

Expand All @@ -93,18 +50,13 @@ module "aws_vpc" {
module "eks_blueprints" {
source = "../.."

tenant = local.tenant
environment = local.environment
zone = local.zone
terraform_version = local.terraform_version
cluster_name = local.name
cluster_version = "1.22"

# EKS Cluster VPC and Subnet mandatory config
vpc_id = module.aws_vpc.vpc_id
private_subnet_ids = module.aws_vpc.private_subnets

# EKS CONTROL PLANE VARIABLES
cluster_version = local.cluster_version

# EKS MANAGED NODE GROUPS
managed_node_groups = {
mg_4 = {
Expand All @@ -114,11 +66,18 @@ module "eks_blueprints" {
subnet_ids = module.aws_vpc.private_subnets
}
}
tags = local.tags
}

module "eks_blueprints_kubernetes_addons" {
source = "../../modules/kubernetes-addons"
eks_cluster_id = module.eks_blueprints.eks_cluster_id
source = "../../modules/kubernetes-addons"

eks_cluster_id = module.eks_blueprints.eks_cluster_id
eks_cluster_endpoint = module.eks_blueprints.eks_cluster_endpoint
eks_oidc_provider = module.eks_blueprints.oidc_provider
eks_cluster_version = module.eks_blueprints.eks_cluster_version
eks_cluster_domain = var.eks_cluster_domain

aws_privateca_acmca_arn = aws_acmpca_certificate_authority.example.arn

# EKS Managed Add-ons
Expand All @@ -127,11 +86,11 @@ module "eks_blueprints_kubernetes_addons" {
enable_amazon_eks_kube_proxy = true

#K8s Add-ons
enable_appmesh_controller = true
enable_appmesh_controller = true
enable_cert_manager = true
enable_aws_privateca_issuer = true
enable_aws_privateca_issuer = true

depends_on = [module.eks_blueprints.managed_node_groups]
tags = local.tags
}

resource "aws_acmpca_certificate_authority" "example" {
Expand Down Expand Up @@ -186,6 +145,7 @@ resource "kubectl_manifest" "cluster_pca_issuer" {
region : local.region
}
})

}

#-------------------------------
Expand Down Expand Up @@ -226,7 +186,48 @@ resource "kubectl_manifest" "example_pca_certificate" {
})

depends_on = [
module.eks_blueprints_kubernetes_addons,
kubectl_manifest.cluster_pca_issuer,
]
}


#---------------------------------------------------------------
# Supporting Resources
#---------------------------------------------------------------


module "aws_vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 3.0"

name = local.name
cidr = local.vpc_cidr

azs = local.azs
public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 10)]

enable_nat_gateway = true
single_nat_gateway = true
enable_dns_hostnames = true

# Manage so we can name
manage_default_network_acl = true
default_network_acl_tags = { Name = "${local.name}-default" }
manage_default_route_table = true
default_route_table_tags = { Name = "${local.name}-default" }
manage_default_security_group = true
default_security_group_tags = { Name = "${local.name}-default" }

public_subnet_tags = {
"kubernetes.io/cluster/${local.name}" = "shared"
"kubernetes.io/role/elb" = 1
}

private_subnet_tags = {
"kubernetes.io/cluster/${local.name}" = "shared"
"kubernetes.io/role/internal-elb" = 1
}

tags = local.tags
}
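Review bot: The kubernetes, helm and kubectl providers now authenticate with `token = data.aws_eks_cluster_auth.this.token` instead of the exec plugin, and a data-source token is fetched once at plan time, is short-lived, and is written into the state and plan files, so a long apply of the add-ons can hit an expired token and the state now carries a usable cluster credential. If the exec form was dropped on purpose (for example to remove the awscli dependency), that trade-off deserves a comment on the new `data "aws_eks_cluster_auth" "this"` block: `# Token is fetched at plan time and persisted in state/plan; prefer exec-based auth for long applies or shared state`. Which provider blocks keep an exec block on the new side cannot be read from the rendered hunk, and the provider "kubernetes" block starts before the first hunk line.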
Empty file.
24 changes: 6 additions & 18 deletions examples/appmesh-mtls/variables.tf
@@ -1,29 +1,17 @@
variable "tenant" {
variable "eks_cluster_domain" {
description = "Route53 domain for the cluster."
type = string
description = "Account Name or unique account unique id e.g., apps or management or aws007"
default = "pca001"
}

variable "environment" {
type = string
default = "preprod"
description = "Environment area, e.g. prod or preprod "
}

variable "zone" {
type = string
description = "zone, e.g. dev or qa or load or ops etc..."
default = "dev"
default = "example.com"
}

variable "certificate_name" {
type = string
description = "name for the certificate"
type = string
default = "example"
}

variable "certificate_dns" {
type = string
description = "CommonName used in the Certificate, usually DNS "
type = string
default = "example.com"
}
}
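Review bot: `variable "eks_cluster_domain"` gets `default = "example.com"`, a domain the deployer does not control, while its description calls it the Route53 domain for the cluster; a wrong default here yields DNS records or certificate names for a foreign domain instead of a clear plan-time error. Prefer no default for this variable, or at least a description that states the constraint: `description = "Route53 hosted zone name for the cluster; must exist in the deploying account"`. `certificate_dns` keeps the same `example.com` default, and whether the two are expected to match is not visible in this hunk.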
17 changes: 14 additions & 3 deletions examples/appmesh-mtls/versions.tf
Expand Up @@ -6,13 +6,24 @@ terraform {
source = "hashicorp/aws"
version = ">= 3.72"
}
kubernetes = {
source = "hashicorp/kubernetes"
version = ">= 2.10"
}
helm = {
source = "hashicorp/helm"
version = ">= 2.4.1"
}
kubectl = {
source = "gavinbunney/kubectl"
version = ">= 1.14"
}
}

backend "local" {
path = "local_tf_state/terraform-main.tfstate"
}
# ## Used for end-to-end testing on project; update to suit your needs
# backend "s3" {
# bucket = "terraform-ssp-github-actions-state"
# region = "us-west-2"
# key = "e2e/crossplane/terraform.tfstate"
# }
}
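Review bot: The commented-out `backend "s3"` template carries `key = "e2e/crossplane/terraform.tfstate"`, which looks copied from the crossplane example; anyone uncommenting it in this appmesh-mtls example would share, and overwrite, the other example's remote state. The template also sets neither `encrypt = true` nor a `dynamodb_table` lock, and this state holds the cluster CA data and the `aws_eks_cluster_auth` token the providers in main.tf use. Suggest an example-specific key such as `key = "e2e/appmesh-mtls/terraform.tfstate"` plus `encrypt = true` and `dynamodb_table = "<lock-table>"`, even while the block stays commented. Whether the `backend "local"` block above is removed or kept cannot be told from the rendered hunk; the three deletions reported for this file would match its removal.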
2 changes: 1 addition & 1 deletion examples/fully-private-eks-cluster/README.md
Expand Up @@ -110,7 +110,7 @@ rm -vf ${HOME}/.aws/credentials
aws sts get-caller-identity --query Arn
```
The output should look something like `"arn:aws:sts::<AccountId>:assumed-role/<RoleName>/<instanceId>"`

> You can find your instanceId on the Cloud9 instance with this command `curl -s http://169.254.169.254/latest/meta-data/instance-id`
### Deployment Steps
4 changes: 4 additions & 0 deletions modules/kubernetes-addons/README.md
Expand Up @@ -23,6 +23,7 @@
| <a name="module_adot_collector_memcached"></a> [adot\_collector\_memcached](#module\_adot\_collector\_memcached) | ./adot-collector-memcached | n/a |
| <a name="module_adot_collector_nginx"></a> [adot\_collector\_nginx](#module\_adot\_collector\_nginx) | ./adot-collector-nginx | n/a |
| <a name="module_agones"></a> [agones](#module\_agones) | ./agones | n/a |
| <a name="module_appmesh_controller"></a> [appmesh\_controller](#module\_appmesh\_controller) | ./appmesh-controller | n/a |
| <a name="module_argo_rollouts"></a> [argo\_rollouts](#module\_argo\_rollouts) | ./argo-rollouts | n/a |
| <a name="module_argocd"></a> [argocd](#module\_argocd) | ./argocd | n/a |
| <a name="module_aws_cloudwatch_metrics"></a> [aws\_cloudwatch\_metrics](#module\_aws\_cloudwatch\_metrics) | ./aws-cloudwatch-metrics | n/a |
Expand Down Expand Up @@ -89,6 +90,8 @@
| <a name="input_amazon_eks_vpc_cni_config"></a> [amazon\_eks\_vpc\_cni\_config](#input\_amazon\_eks\_vpc\_cni\_config) | ConfigMap of Amazon EKS VPC CNI add-on | `any` | `{}` | no |
| <a name="input_amazon_prometheus_workspace_endpoint"></a> [amazon\_prometheus\_workspace\_endpoint](#input\_amazon\_prometheus\_workspace\_endpoint) | AWS Managed Prometheus WorkSpace Endpoint | `string` | `null` | no |
| <a name="input_amazon_prometheus_workspace_region"></a> [amazon\_prometheus\_workspace\_region](#input\_amazon\_prometheus\_workspace\_region) | AWS Managed Prometheus WorkSpace Region | `string` | `null` | no |
| <a name="input_appmesh_helm_config"></a> [appmesh\_helm\_config](#input\_appmesh\_helm\_config) | AppMesh Helm Chart config | `any` | `{}` | no |
| <a name="input_appmesh_irsa_policies"></a> [appmesh\_irsa\_policies](#input\_appmesh\_irsa\_policies) | Additional IAM policies for a IAM role for service accounts | `list(string)` | `[]` | no |
| <a name="input_argo_rollouts_helm_config"></a> [argo\_rollouts\_helm\_config](#input\_argo\_rollouts\_helm\_config) | Argo Rollouts Helm Chart config | `any` | `null` | no |
| <a name="input_argocd_applications"></a> [argocd\_applications](#input\_argocd\_applications) | Argo CD Applications config to bootstrap the cluster | `any` | `{}` | no |
| <a name="input_argocd_helm_config"></a> [argocd\_helm\_config](#input\_argocd\_helm\_config) | Argo CD Kubernetes add-on config | `any` | `{}` | no |
Expand Down Expand Up @@ -140,6 +143,7 @@
| <a name="input_enable_amazon_eks_kube_proxy"></a> [enable\_amazon\_eks\_kube\_proxy](#input\_enable\_amazon\_eks\_kube\_proxy) | Enable Kube Proxy add-on | `bool` | `false` | no |
| <a name="input_enable_amazon_eks_vpc_cni"></a> [enable\_amazon\_eks\_vpc\_cni](#input\_enable\_amazon\_eks\_vpc\_cni) | Enable VPC CNI add-on | `bool` | `false` | no |
| <a name="input_enable_amazon_prometheus"></a> [enable\_amazon\_prometheus](#input\_enable\_amazon\_prometheus) | Enable AWS Managed Prometheus service | `bool` | `false` | no |
| <a name="input_enable_appmesh_controller"></a> [enable\_appmesh\_controller](#input\_enable\_appmesh\_controller) | Enable AppMesh add-on | `bool` | `false` | no |
| <a name="input_enable_argo_rollouts"></a> [enable\_argo\_rollouts](#input\_enable\_argo\_rollouts) | Enable Argo Rollouts add-on | `bool` | `false` | no |
| <a name="input_enable_argocd"></a> [enable\_argocd](#input\_enable\_argocd) | Enable Argo CD Kubernetes add-on | `bool` | `false` | no |
| <a name="input_enable_aws_cloudwatch_metrics"></a> [enable\_aws\_cloudwatch\_metrics](#input\_enable\_aws\_cloudwatch\_metrics) | Enable AWS CloudWatch Metrics add-on for Container Insights | `bool` | `false` | no |
10 changes: 8 additions & 2 deletions modules/kubernetes-addons/appmesh-controller/data.tf
@@ -1,4 +1,10 @@
data "aws_region" "current" {}
data "aws_partition" "current" {}

locals {
partition = data.aws_partition.current.partition
dns_suffix = data.aws_partition.current.dns_suffix
}

data "aws_iam_policy_document" "appmesh" {
statement {
Expand Down Expand Up @@ -48,13 +54,13 @@ data "aws_iam_policy_document" "appmesh" {
statement {
sid = "CreateServiceLinkedRole"
effect = "Allow"
resources = ["arn:aws:iam::*:role/aws-service-role/appmesh.amazonaws.com/AWSServiceRoleForAppMesh"]
resources = ["arn:${local.partition}:iam::*:role/aws-service-role/appmesh.${local.dns_suffix}/AWSServiceRoleForAppMesh"]
actions = ["iam:CreateServiceLinkedRole"]

condition {
test = "StringLike"
variable = "iam:AWSServiceName"
values = ["appmesh.amazonaws.com"]
values = ["appmesh.${local.dns_suffix}"]
}
}

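Review bot: `data "aws_region" "current" {}` on the first hunk line stays, but the only reference to it visible in this commit, `aws_region_name` in locals.tf, is removed; if nothing else in the module reads it, drop the data source or add a comment saying what still needs it. The partition and DNS-suffix generalization of the service-linked-role ARN is the right direction; since `data "aws_partition"` is now read anyway, `data "aws_caller_identity"` would let the statement pin the account as well, `resources = ["arn:${local.partition}:iam::${local.account_id}:role/aws-service-role/appmesh.${local.dns_suffix}/AWSServiceRoleForAppMesh"]`, if the owners want it scoped rather than `*`. `data "aws_iam_policy_document" "appmesh"` begins before and ends after the second hunk.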
30 changes: 12 additions & 18 deletions modules/kubernetes-addons/appmesh-controller/locals.tf
Expand Up @@ -2,18 +2,15 @@ locals {
namespace = "appmesh-system"
name = "appmesh-controller"
service_account_name = local.name
aws_region_name = data.aws_region.current.name

default_helm_config = {
name = local.name
chart = local.name
repository = "https://aws.github.io/eks-charts"
version = "1.4.6"
namespace = local.namespace
timeout = "1200"
create_namespace = false
description = "AWS App Mesh Helm Chart"
values = local.default_helm_values
name = local.name
chart = local.name
repository = "https://aws.github.io/eks-charts"
version = "1.4.6"
namespace = local.namespace
description = "AWS App Mesh Helm Chart"
values = local.default_helm_values
}

default_helm_values = []
Expand All @@ -26,22 +23,19 @@ locals {
irsa_config = {
kubernetes_namespace = local.helm_config["namespace"]
kubernetes_service_account = local.service_account_name
create_kubernetes_namespace = true
create_kubernetes_namespace = try(local.helm_config["create_namespace"], true)
create_kubernetes_service_account = true
irsa_iam_policies = concat([aws_iam_policy.appmesh.arn], var.irsa_policies)
}

set_values = [{
name = "serviceAccount.name"
value = local.service_account_name
set_values = [
{
name = "serviceAccount.name"
value = local.service_account_name
},
{
name = "serviceAccount.create"
value = false
},
{
name = "region"
value = local.aws_region_name
}
]

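Review bot: `create_kubernetes_namespace = try(local.helm_config["create_namespace"], true)` ties the IRSA module's namespace creation to the Helm release's `create_namespace` flag, and `default_helm_config` no longer pins `create_namespace = false`; if a caller sets `create_namespace = true` in `appmesh_helm_config`, both the Helm release and the IRSA module would appear to create `appmesh-system`, which I would expect to conflict — the helm-addon module is not in this commit, so how it consumes the flag cannot be confirmed here. If the intent is "the IRSA module creates the namespace unless Helm does", the expression should be negated: `create_kubernetes_namespace = !try(local.helm_config["create_namespace"], false)`. Dropping `timeout = "1200"` from the defaults also reverts the release to the provider's default timeout, and removing the `region` set value leaves the controller to resolve its region itself; both are worth a one-line comment if intentional. The `locals` block starts before the first hunk and ends after the last.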
Empty file.