From f712da2e1c082ca10e4dc94a6b86b15856915709 Mon Sep 17 00:00:00 2001 From: Apoorva Kulkarni Date: Tue, 1 Mar 2022 17:02:55 -0800 Subject: [PATCH 01/30] refactor vpa to use helm-addon module --- modules/kubernetes-addons/README.md | 7 +- modules/kubernetes-addons/main.tf | 12 ++-- modules/kubernetes-addons/variables.tf | 20 ++++-- modules/kubernetes-addons/vpa/README.md | 37 +++------- modules/kubernetes-addons/vpa/locals.tf | 81 +++++++--------------- modules/kubernetes-addons/vpa/main.tf | 81 ++-------------------- modules/kubernetes-addons/vpa/outputs.tf | 18 ----- modules/kubernetes-addons/vpa/values.yaml | 2 +- modules/kubernetes-addons/vpa/variables.tf | 45 ++++++------ 9 files changed, 94 insertions(+), 209 deletions(-) diff --git a/modules/kubernetes-addons/README.md b/modules/kubernetes-addons/README.md index 6a424f58da..09d4a06485 100644 --- a/modules/kubernetes-addons/README.md +++ b/modules/kubernetes-addons/README.md @@ -124,7 +124,7 @@ No resources. | [enable\_prometheus](#input\_enable\_prometheus) | Enable Community Prometheus add-on | `bool` | `false` | no | | [enable\_spark\_k8s\_operator](#input\_enable\_spark\_k8s\_operator) | Enable Spark on K8s Operator add-on | `bool` | `false` | no | | [enable\_traefik](#input\_enable\_traefik) | Enable Traefik add-on | `bool` | `false` | no | -| [enable\_vpa](#input\_enable\_vpa) | Enable Kubernetes Vertical Pod Autoscaler add-on | `bool` | `false` | no | +| [enable\_vpa](#input\_enable\_vpa) | Enable Vertical Pod Autoscaler add-on | `bool` | `false` | no | | [enable\_yunikorn](#input\_enable\_yunikorn) | Enable Apache YuniKorn K8s scheduler add-on | `bool` | `false` | no | | [fargate\_fluentbit\_addon\_config](#input\_fargate\_fluentbit\_addon\_config) | Fargate fluentbit add-on config | `any` | `{}` | no | | [ingress\_nginx\_helm\_config](#input\_ingress\_nginx\_helm\_config) | Ingress Nginx Helm Chart config | `any` | `{}` | no | 
@@ -148,7 +148,9 @@ No resources. | [spark\_k8s\_operator\_helm\_config](#input\_spark\_k8s\_operator\_helm\_config) | Spark on K8s Operator Helm Chart config | `any` | `{}` | no | | [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit`,`XYZ`) | `map(string)` | `{}` | no | | [traefik\_helm\_config](#input\_traefik\_helm\_config) | Traefik Helm Chart config | `any` | `{}` | no | -| [vpa\_helm\_config](#input\_vpa\_helm\_config) | Vertical Pod Autoscaler Helm Chart config | `any` | `{}` | no | +| [vpa\_helm\_config](#input\_vpa\_helm\_config) | VPA Helm Chart config | `any` | `null` | no | +| [vpa\_irsa\_permissions\_boundary](#input\_vpa\_irsa\_permissions\_boundary) | IAM Policy ARN for IRSA IAM role permissions boundary | `string` | `""` | no | +| [vpa\_irsa\_policies](#input\_vpa\_irsa\_policies) | IAM policy ARNs for VPA IRSA | `list(string)` | `[]` | no | | [yunikorn\_helm\_config](#input\_yunikorn\_helm\_config) | Yunikorn Helm Chart config | `any` | `null` | no | | [yunikorn\_irsa\_permissions\_boundary](#input\_yunikorn\_irsa\_permissions\_boundary) | IAM Policy ARN for IRSA IAM role permissions boundary | `string` | `""` | no | | [yunikorn\_irsa\_policies](#input\_yunikorn\_irsa\_policies) | IAM policy ARNs for Yunikorn IRSA | `list(string)` | `[]` | no | @@ -156,5 +158,4 @@ No resources. ## Outputs No outputs. - diff --git a/modules/kubernetes-addons/main.tf b/modules/kubernetes-addons/main.tf index 8150b5f97a..82b9a81b77 100644 --- a/modules/kubernetes-addons/main.tf +++ b/modules/kubernetes-addons/main.tf 
@@ -211,10 +211,14 @@ module "traefik" {
 }
 module "vpa" {
- count = var.enable_vpa ? 1 : 0
- source = "./vpa"
- helm_config = var.vpa_helm_config
- manage_via_gitops = var.argocd_manage_add_ons
+ count = var.enable_vpa ? 1 : 0
+ source = "./vpa"
+ eks_cluster_id = var.eks_cluster_id
+ helm_config = var.vpa_helm_config
+ irsa_policies = var.vpa_irsa_policies
+ irsa_permissions_boundary = var.vpa_irsa_permissions_boundary
+ tags = var.tags
+ manage_via_gitops = var.argocd_manage_add_ons
 }
 module "yunikorn" {
diff --git a/modules/kubernetes-addons/variables.tf b/modules/kubernetes-addons/variables.tf
index 37babaa480..338eb06ff1 100644
--- a/modules/kubernetes-addons/variables.tf
+++ b/modules/kubernetes-addons/variables.tf
@@ -403,17 +403,29 @@ variable "keda_irsa_policies" {
 default = []
 }
-#-----------Vertical Pod Autoscaler(VPA) ADDON-------------
+#------Vertical Pod Autoscaler(VPA) ADDON--------
 variable "enable_vpa" {
 type = bool
 default = false
- description = "Enable Kubernetes Vertical Pod Autoscaler add-on"
+ description = "Enable Vertical Pod Autoscaler add-on"
 }
 variable "vpa_helm_config" {
 type = any
- default = {}
- description = "Vertical Pod Autoscaler Helm Chart config"
+ default = null
+ description = "VPA Helm Chart config"
+}
+
+variable "vpa_irsa_policies" {
+ type = list(string)
+ default = []
+ description = "IAM policy ARNs for VPA IRSA"
+}
+
+variable "vpa_irsa_permissions_boundary" {
+ type = string
+ default = ""
+ description = "IAM Policy ARN for IRSA IAM role permissions boundary"
 }
 #-----------Apache YuniKorn ADDON-------------
diff --git a/modules/kubernetes-addons/vpa/README.md b/modules/kubernetes-addons/vpa/README.md
index ff23fcdcbd..338d1bf303 100644
--- a/modules/kubernetes-addons/vpa/README.md
+++ b/modules/kubernetes-addons/vpa/README.md
@@ -9,53 +9,38 @@ -Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -SPDX-License-Identifier: MIT-0 - -Permission is hereby granted, free of charge, to any person obtaining a copy of this -software and associated documentation files (the "Software"), to deal in the Software -without restriction, including without limitation the rights to use, copy, modify, -merge, publish, distribute, sublicense, and/or sell copies of the Software, and to -permit persons to whom the Software is furnished to do so. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, -INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A -PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT -HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION -OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE -SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - ## Requirements No requirements. ## Providers -| Name | Version | -|------|---------| -| [helm](#provider\_helm) | n/a | +No providers. ## Modules -No modules. +| Name | Source | Version | +|------|--------|---------| +| [helm\_addon](#module\_helm\_addon) | ../helm-addon | n/a | ## Resources -| Name | Type | -|------|------| -| [helm_release.vpa](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +No resources. ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [helm\_config](#input\_helm\_config) | Kubernetes Vertical Pod Autoscaler Helm chart config | `any` | `{}` | no | -| [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps. 
| `bool` | `false` | no | +| [eks\_cluster\_id](#input\_eks\_cluster\_id) | EKS Cluster Id | `string` | n/a | yes | +| [helm\_config](#input\_helm\_config) | Helm provider config for VPA | `any` | `{}` | no | +| [irsa\_permissions\_boundary](#input\_irsa\_permissions\_boundary) | IAM Policy ARN for IRSA IAM role permissions boundary | `string` | `""` | no | +| [irsa\_policies](#input\_irsa\_policies) | IAM Policy ARN list for any IRSA policies | `list(string)` | `[]` | no | +| [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps | `bool` | `false` | no | +| [tags](#input\_tags) | Common Tags for AWS resources | `map(string)` | `{}` | no | ## Outputs | Name | Description | |------|-------------| | [argocd\_gitops\_config](#output\_argocd\_gitops\_config) | Configuration used for managing the add-on with ArgoCD | - diff --git a/modules/kubernetes-addons/vpa/locals.tf b/modules/kubernetes-addons/vpa/locals.tf index c31c574e4d..015677a2d5 100644 --- a/modules/kubernetes-addons/vpa/locals.tf +++ b/modules/kubernetes-addons/vpa/locals.tf 
@@ -1,71 +1,38 @@
-/*
- * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
- * SPDX-License-Identifier: MIT-0
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy of this
- * software and associated documentation files (the "Software"), to deal in the Software
- * without restriction, including without limitation the rights to use, copy, modify,
- * merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
- * permit persons to whom the Software is furnished to do so.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
- * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
- * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
- * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
- * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
- * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
- */
-
 locals {
+ name = "vpa"
 service_account_name = "vpa-sa"
- namespace = "vpa"
 default_helm_config = {
- name = "vpa"
- chart = "vpa"
- repository = "https://charts.fairwinds.com/stable"
- version = "1.0.0"
- namespace = "vpa"
- timeout = "1200"
- create_namespace = true
- description = "Kubernetes Vertical Pod Autoscaler"
- lint = false
- wait = true
- wait_for_jobs = false
- verify = false
- keyring = ""
- repository_key_file = ""
- repository_cert_file = ""
- repository_ca_file = ""
- repository_username = ""
- repository_password = ""
- disable_webhooks = false
- reuse_values = false
- reset_values = false
- force_update = false
- recreate_pods = false
- cleanup_on_fail = false
- max_history = 0
- atomic = false
- skip_crds = false
- render_subchart_notes = true
- disable_openapi_validation = false
- dependency_update = false
- replace = false
- postrender = ""
- set = []
- set_sensitive = []
- values = local.default_helm_values
+ name = local.name
+ chart = local.name
+ repository = "https://charts.fairwinds.com/stable"
+ version = "1.0.0"
+ namespace = local.name
+ description = "Kubernetes Vertical Pod Autoscaler"
+ values = local.default_helm_values
+ timeout = "1200"
 }
+ default_helm_values = [templatefile("${path.module}/values.yaml", {
+ sa-name = local.service_account_name
+ })]
+
 helm_config = merge(
 local.default_helm_config,
 var.helm_config
 )
- default_helm_values = [templatefile("${path.module}/values.yaml", {
- vpa_sa_name = local.service_account_name
- })]
+ irsa_config = {
+ kubernetes_namespace = local.helm_config["namespace"]
+ kubernetes_service_account = local.service_account_name
+ create_kubernetes_namespace = true
+ create_kubernetes_service_account = true
+ iam_role_path = "/"
+ tags = var.tags
+ eks_cluster_id = var.eks_cluster_id
+ irsa_iam_policies = var.irsa_policies
+ irsa_iam_permissions_boundary = var.irsa_permissions_boundary
+ }
 argocd_gitops_config = {
 enable = true
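Review bot: `irsa_config` is passed to the helm-addon module unconditionally, so — assuming that module creates the IAM role whenever `irsa_config` is set, which is not visible in this patch — every VPA install now gets an IAM role trusted by the `vpa-sa` service account even when `irsa_policies` is left at its default `[]`. Nothing in this patch gives VPA a reason to call AWS APIs, so by default that role is unused surface that only becomes meaningful once an operator attaches policies; consider gating the IRSA wiring on `length(var.irsa_policies) > 0` if the helm-addon module accepts that, or at least documenting the behaviour above the block: `# NOTE: an IRSA IAM role is created for vpa-sa on every install; it carries no policies unless var.irsa_policies is set`. `create_kubernetes_namespace = true` also replaces the removed `create_namespace = true` chart option, which is worth a one-line comment so the next reader does not re-add it to `default_helm_config`. The `locals` block continues past the end of the hunk.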
diff --git a/modules/kubernetes-addons/vpa/main.tf b/modules/kubernetes-addons/vpa/main.tf index c91f7c3b5f..91ec36fbe4 100644 --- a/modules/kubernetes-addons/vpa/main.tf +++ b/modules/kubernetes-addons/vpa/main.tf 
@@ -1,77 +1,6 @@
-/*
- * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
- * SPDX-License-Identifier: MIT-0
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy of this
- * software and associated documentation files (the "Software"), to deal in the Software
- * without restriction, including without limitation the rights to use, copy, modify,
- * merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
- * permit persons to whom the Software is furnished to do so.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
- * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
- * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
- * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
- * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
- * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
- */
-
-resource "helm_release" "vpa" {
- count = var.manage_via_gitops ? 0 : 1
- name = local.helm_config["name"]
- repository = local.helm_config["repository"]
- chart = local.helm_config["chart"]
- version = local.helm_config["version"]
- timeout = local.helm_config["timeout"]
- values = local.helm_config["values"]
- create_namespace = local.helm_config["create_namespace"]
- namespace = local.helm_config["namespace"]
- lint = local.helm_config["lint"]
- description = local.helm_config["description"]
- repository_key_file = local.helm_config["repository_key_file"]
- repository_cert_file = local.helm_config["repository_cert_file"]
- repository_ca_file = local.helm_config["repository_ca_file"]
- repository_username = local.helm_config["repository_username"]
- repository_password = local.helm_config["repository_password"]
- verify = local.helm_config["verify"]
- keyring = local.helm_config["keyring"]
- disable_webhooks = local.helm_config["disable_webhooks"]
- reuse_values = local.helm_config["reuse_values"]
- reset_values = local.helm_config["reset_values"]
- force_update = local.helm_config["force_update"]
- recreate_pods = local.helm_config["recreate_pods"]
- cleanup_on_fail = local.helm_config["cleanup_on_fail"]
- max_history = local.helm_config["max_history"]
- atomic = local.helm_config["atomic"]
- skip_crds = local.helm_config["skip_crds"]
- render_subchart_notes = local.helm_config["render_subchart_notes"]
- disable_openapi_validation = local.helm_config["disable_openapi_validation"]
- wait = local.helm_config["wait"]
- wait_for_jobs = local.helm_config["wait_for_jobs"]
- dependency_update = local.helm_config["dependency_update"]
- replace = local.helm_config["replace"]
-
- postrender {
- binary_path = local.helm_config["postrender"]
- }
-
- dynamic "set" {
- iterator = each_item
- for_each = local.helm_config["set"]
-
- content {
- name = each_item.value.name
- value = each_item.value.value
- }
- }
-
- dynamic "set_sensitive" {
- iterator = each_item
- for_each = local.helm_config["set_sensitive"] == null ? [] : local.helm_config["set_sensitive"]
-
- content {
- name = each_item.value.name
- value = each_item.value.value
- }
- }
+module "helm_addon" {
+ source = "../helm-addon"
+ manage_via_gitops = var.manage_via_gitops
+ helm_config = local.helm_config
+ irsa_config = local.irsa_config
 }
diff --git a/modules/kubernetes-addons/vpa/outputs.tf b/modules/kubernetes-addons/vpa/outputs.tf
index c8beafa0e7..b30c86b380 100644
--- a/modules/kubernetes-addons/vpa/outputs.tf
+++ b/modules/kubernetes-addons/vpa/outputs.tf
@@ -1,21 +1,3 @@
-/*
- * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
- * SPDX-License-Identifier: MIT-0
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy of this
- * software and associated documentation files (the "Software"), to deal in the Software
- * without restriction, including without limitation the rights to use, copy, modify,
- * merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
- * permit persons to whom the Software is furnished to do so.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
- * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
- * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
- * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
- * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
- * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
- */
-
 output "argocd_gitops_config" {
 description = "Configuration used for managing the add-on with ArgoCD"
 value = var.manage_via_gitops ? local.argocd_gitops_config : null
diff --git a/modules/kubernetes-addons/vpa/values.yaml b/modules/kubernetes-addons/vpa/values.yaml
index 45ab5dfd42..78d11b77b3 100644
--- a/modules/kubernetes-addons/vpa/values.yaml
+++ b/modules/kubernetes-addons/vpa/values.yaml
@@ -1,6 +1,6 @@
 # Default values for vertical-pod-autoscaler.
 serviceAccount:
- name: ${vpa_sa_name}
+ name: ${sa-name}
 recommender:
 image:
diff --git a/modules/kubernetes-addons/vpa/variables.tf b/modules/kubernetes-addons/vpa/variables.tf
index 95b71ee1ec..c2a8da803e 100644
--- a/modules/kubernetes-addons/vpa/variables.tf
+++ b/modules/kubernetes-addons/vpa/variables.tf
@@ -1,29 +1,34 @@
-/*
- * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
- * SPDX-License-Identifier: MIT-0
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy of this
- * software and associated documentation files (the "Software"), to deal in the Software
- * without restriction, including without limitation the rights to use, copy, modify,
- * merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
- * permit persons to whom the Software is furnished to do so.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
- * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
- * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
- * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
- * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
- * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
- */
-
 variable "helm_config" {
 type = any
+ description = "Helm provider config for VPA"
 default = {}
- description = "Kubernetes Vertical Pod Autoscaler Helm chart config"
+}
+
+variable "eks_cluster_id" {
+ type = string
+ description = "EKS Cluster Id"
 }
 variable "manage_via_gitops" {
 type = bool
 default = false
- description = "Determines if the add-on should be managed via GitOps."
+ description = "Determines if the add-on should be managed via GitOps"
 }
+
+variable "tags" {
+ type = map(string)
+ description = "Common Tags for AWS resources"
+ default = {}
+}
+
+variable "irsa_policies" {
+ type = list(string)
+ default = []
+ description = "IAM Policy ARN list for any IRSA policies"
+}
+
+variable "irsa_permissions_boundary" {
+ type = string
+ default = ""
+ description = "IAM Policy ARN for IRSA IAM role permissions boundary"
+}
\ No newline at end of file
From edbab53857d0d178d89356ecead12e23b9533cb8 Mon Sep 17 00:00:00 2001
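Review bot: `irsa_permissions_boundary` and `irsa_policies` accept any string, so a mistyped policy ARN is only rejected by IAM at apply time, after the role has been planned; if the project's required Terraform version allows it, a `validation` block on each variable, e.g. `condition = var.irsa_permissions_boundary == "" || can(regex("^arn:", var.irsa_permissions_boundary))` with a matching `error_message`, would fail at plan instead. The description of `irsa_permissions_boundary` should also say that the empty-string default means no boundary is applied, since that is the convention the caller in `modules/kubernetes-addons/main.tf` relies on. The file ends without a trailing newline (`\ No newline at end of file`), which the repo's format check will likely flag.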
From: "github-actions[bot]" Date: Wed, 2 Mar 2022 01:05:48 +0000 Subject: [PATCH 02/30] terraform-docs: automated action --- modules/kubernetes-addons/README.md | 1 + modules/kubernetes-addons/vpa/README.md | 1 + 2 files changed, 2 insertions(+) diff --git a/modules/kubernetes-addons/README.md b/modules/kubernetes-addons/README.md index 09d4a06485..422ca360bf 100644 --- a/modules/kubernetes-addons/README.md +++ b/modules/kubernetes-addons/README.md @@ -158,4 +158,5 @@ No resources. ## Outputs No outputs. + diff --git a/modules/kubernetes-addons/vpa/README.md b/modules/kubernetes-addons/vpa/README.md index 338d1bf303..f6a67e46e5 100644 --- a/modules/kubernetes-addons/vpa/README.md +++ b/modules/kubernetes-addons/vpa/README.md @@ -43,4 +43,5 @@ No resources. | Name | Description | |------|-------------| | [argocd\_gitops\_config](#output\_argocd\_gitops\_config) | Configuration used for managing the add-on with ArgoCD | + From 7b05d31cf37a4367c5de5ec3bdc5e6834d7dffc9 Mon Sep 17 00:00:00 2001 
From: Vara Bonthu Date: Tue, 1 Mar 2022 19:51:14 +0000 Subject: [PATCH 03/30] Terrajet AWS Provider for Crossplane (#272) * Terraform provider jet aws * Crossplane Terrajet provider added * precommit format update * Crospslane examples updated * terraform-docs: automated action * crossplane docs updated * corssplane module docs updated * precommit format update * Mermaid flow design for Crossplane deployment * Readme type fix * removed time reosurce and added wait to cplane resource * data resources moved to root module * terraform-docs: automated action * Added tags to crossplane addon * Added note for iam policy Co-authored-by: github-actions[bot] --- docs/add-ons/crossplane.md | 34 +++++-- examples/crossplane/README.md | 91 ++++++++++++++++--- .../{s3.yaml => aws-provider-s3.yaml} | 8 +- .../jet-aws-provider-s3.yaml | 16 ++++ examples/crossplane/main.tf | 19 +++- modules/irsa/main.tf | 4 +- modules/kubernetes-addons/README.md | 13 ++- .../kubernetes-addons/crossplane/README.md | 32 +++---- ...config.yaml => aws-controller-config.yaml} | 2 +- .../aws-provider/aws-provider-config.yaml | 2 +- .../{provider-aws.yaml => aws-provider.yaml} | 4 +- .../jet-aws-controller-config.yaml | 10 ++ .../aws-provider/jet-aws-provider-config.yaml | 8 ++ .../aws-provider/jet-aws-provider.yaml | 9 ++ modules/kubernetes-addons/crossplane/data.tf | 4 - .../kubernetes-addons/crossplane/locals.tf | 7 +- modules/kubernetes-addons/crossplane/main.tf | 86 +++++++++++++++--- .../kubernetes-addons/crossplane/variables.tf | 22 ++++- modules/kubernetes-addons/data.tf | 5 + .../fargate-fluentbit/README.md | 3 +- .../fargate-fluentbit/data.tf | 1 - .../fargate-fluentbit/locals.tf | 2 +- .../fargate-fluentbit/variables.tf | 5 + modules/kubernetes-addons/main.tf | 17 ++-- modules/kubernetes-addons/variables.tf | 20 +++- 25 files changed, 337 insertions(+), 87 deletions(-) rename examples/crossplane/crossplane-aws-examples/{s3.yaml => aws-provider-s3.yaml} (68%) create mode 100644 
examples/crossplane/crossplane-aws-examples/jet-aws-provider-s3.yaml rename modules/kubernetes-addons/crossplane/aws-provider/{controller-config.yaml => aws-controller-config.yaml} (86%) rename modules/kubernetes-addons/crossplane/aws-provider/{provider-aws.yaml => aws-provider.yaml} (71%) create mode 100644 modules/kubernetes-addons/crossplane/aws-provider/jet-aws-controller-config.yaml create mode 100644 modules/kubernetes-addons/crossplane/aws-provider/jet-aws-provider-config.yaml create mode 100644 modules/kubernetes-addons/crossplane/aws-provider/jet-aws-provider.yaml create mode 100644 modules/kubernetes-addons/data.tf delete mode 100644 modules/kubernetes-addons/fargate-fluentbit/data.tf diff --git a/docs/add-ons/crossplane.md b/docs/add-ons/crossplane.md index 30b02a6c49..7a4866b914 100644 --- a/docs/add-ons/crossplane.md +++ b/docs/add-ons/crossplane.md 
@@ -39,26 +39,40 @@ You can optionally customize the Helm chart that deploys `Crossplane` via the fo ``` ### Crossplane AWS Provider Deployment -AWS Provider for Crossplane gets deployed by default when you enable `enable_crossplane = true`. -The below configuration helps you to upgrade the AWS provider version and lets you define custom IAM policies to manage AWS resources through IRSA. +This module provides options to deploy the following AWS providers for Crossplane. These providers disabled by default, and it can be enabled using the config below. -Crossplane requires Admin like permissions to create and update resources similar to Terraform deploy role. + - [AWS Provider](https://github.com/crossplane/provider-aws) + - [Terrajet AWS Provider](https://github.com/crossplane-contrib/provider-jet-aws) -Please find more details from [AWS Provider](https://github.com/crossplane/provider-aws) +_NOTE: Crossplane requires Admin like permissions to create and update resources similar to Terraform deploy role. 
+This example config uses AdministratorAccess, but you should select a policy with the minimum permissions required to provision your resources._ +Config to deploy [AWS Provider](https://github.com/crossplane/provider-aws) ```hcl - crossplane_provider_aws = { - provider_aws_version = "v0.23.0" - additional_irsa_policies = [""] - } +# Creates ProviderConfig -> aws-provider +crossplane_aws_provider = { + enable = true + provider_aws_version = "v0.24.1" # Get the latest version from https://github.com/crossplane/provider-aws + additional_irsa_policies = ["arn:aws:iam::aws:policy/AdministratorAccess"] +} +``` + +Config to deploy [Terrajet AWS Provider](https://github.com/crossplane-contrib/provider-jet-aws) +```hcl +# Creates ProviderConfig -> jet-aws-provider +crossplane_jet_aws_provider = { + enable = true + provider_aws_version = "v0.4.1" # Get the latest version from https://github.com/crossplane-contrib/provider-jet-aws + additional_irsa_policies = ["arn:aws:iam::aws:policy/AdministratorAccess"] +} ``` -Checkout the full [example](examples/crossplane) to deploy Crossplane with `kubernetes-addons` module +Checkout the full [example](../../examples/crossplane) to deploy Crossplane with `kubernetes-addons` module ### GitOps Configuration The following properties made available for use when managing the add-on via GitOps. -Refer to [locals.tf](modules/kubernetes-addons/crossplane/locals.tf) for latest config. GitOps with ArgoCD Add-on repo is located [here](https://github.com/aws-samples/ssp-eks-add-ons/blob/main/chart/values.yaml) +Refer to [locals.tf](../../modules/kubernetes-addons/crossplane/locals.tf) for latest config. GitOps with ArgoCD Add-on repo is located [here](https://github.com/aws-samples/ssp-eks-add-ons/blob/main/chart/values.yaml) ```hcl argocd_gitops_config = { diff --git a/examples/crossplane/README.md b/examples/crossplane/README.md index b60627c7a6..890227c205 100644 --- a/examples/crossplane/README.md +++ b/examples/crossplane/README.md 
@@ -5,6 +5,34 @@ This example deploys the following Basic EKS Cluster with VPC - Creates EKS Cluster Control plane with one managed node group - Crossplane Add-on to EKS Cluster - AWS Provider for Crossplane + - Terrajet AWS Provider for Crossplane + +## Crossplane Design + +```mermaid +graph TD; + subgraph AWS Cloud + id1(VPC)-->Private-Subnet1; + id1(VPC)-->Private-Subnet2; + id1(VPC)-->Private-Subnet3; + id1(VPC)-->Public-Subnet1; + id1(VPC)-->Public-Subnet2; + id1(VPC)-->Public-Subnet3; + Public-Subnet1-->InternetGateway + Public-Subnet2-->InternetGateway + Public-Subnet3-->InternetGateway + Public-Subnet3-->Single-NATGateway + Private-Subnet1-->EKS{{"EKS #9829;"}} + Private-Subnet2-->EKS + Private-Subnet3-->EKS + EKS==>ManagedNodeGroup; + ManagedNodeGroup-->|enable_crossplane=true|id2([Crossplane]); + subgraph Kubernetes Add-ons + id2([Crossplane])-.->|crossplane_aws_provider.enable=true|id3([AWS-Provider]); + id2([Crossplane])-.->|crossplane_jet_aws_provider.enable=true|id4([Terrajet-AWS-Provider]); + end + end +``` ## How to Deploy ### Prerequisites: 
@@ -53,35 +81,74 @@ This following command used to update the `kubeconfig` in your local machine whe `~/.kube/config` file gets updated with cluster details and certificate from the below command - $ aws eks --region update-kubeconfig --name +```shell script +aws eks --region update-kubeconfig --name +``` #### Step6: List all the worker nodes by running the command below - $ kubectl get nodes +```shell script +kubectl get nodes +``` + +#### Step7: List all the pods running in `crossplane` namespace + +```shell script +kubectl get pods -n crossplane +``` + +### AWS Provider for Crossplane +This example shows how to deploy S3 bucket using Crossplane AWS provider + + - Open the file below + +```shell script +vi ~/examples/crossplane/crossplane-aws-examples/aws-provider-s3.yaml +``` + - Edit the below `aws-provider-s3.yaml` to update the new bucket name + + - Enter the new `bucket name` and `region` in YAML file. Save the file using :wq! -#### Step7: List all the pods running in `kube-system` namespace + - Apply the K8s manifest + +```shell script +cd ~/examples/crossplane/crossplane-aws-examples/ +kubectl apply -f aws-provider-s3.yaml +``` - $ kubectl get pods -n kube-system + - Login to AWS Console and verify the new S3 bucket -### Deploy S3 bucket using Crossplane +To Delete the bucket +```shell script +cd ~/examples/crossplane/crossplane-aws-examples/ +kubectl delete -f aws-provider-s3.yaml +``` +### Terrajet AWS Provider for Crossplane +This example shows how to deploy S3 bucket using Crossplane Terrajet AWS Provider - - Edit the `s3.yaml` to update the new bucket name + - Open the file below ```shell script - vi ~/examples/crossplane/crossplane-aws-examples/s3.yaml +vi ~/examples/crossplane/crossplane-aws-examples/jet-aws-provider-s3.yaml ``` -Enter the new bucket name and region in YAML file -Save the file using :wq! 
+ - Edit the below `jet-aws-provider-s3.yaml` to update the new bucket name - - Use `kubectl` to apply the `s3.yaml` + - Enter the new `bucket name` and `region` in YAML file. Save the file using :wq! + + - Apply the K8s manifest ```shell script - cd ~/examples/crossplane/crossplane-aws-examples/ - kubectl apply -f s3.yaml +cd ~/examples/crossplane/crossplane-aws-examples/ +kubectl apply -f jet-aws-provider-s3.yaml ``` - Login to AWS Console and verify the new S3 bucket +To Delete the bucket +```shell script +cd ~/examples/crossplane/crossplane-aws-examples/ +kubectl delete -f jet-aws-provider-s3.yaml +``` ## How to Destroy The following command destroys the resources created by `terraform apply` diff --git a/examples/crossplane/crossplane-aws-examples/s3.yaml b/examples/crossplane/crossplane-aws-examples/aws-provider-s3.yaml similarity index 68% rename from examples/crossplane/crossplane-aws-examples/s3.yaml rename to examples/crossplane/crossplane-aws-examples/aws-provider-s3.yaml index 98e5825295..ef5e702b13 100644 --- a/examples/crossplane/crossplane-aws-examples/s3.yaml +++ b/examples/crossplane/crossplane-aws-examples/aws-provider-s3.yaml @@ -1,14 +1,14 @@ apiVersion: s3.aws.crossplane.io/v1beta1 kind: Bucket metadata: - name: new-bucket + name: sample-xplane-aws-s3-bucket annotations: # This will be the actual bucket name. It must be globally unique, so you # probably want to change it before trying to apply this example. - crossplane.io/external-name: + crossplane.io/external-name: "" spec: forProvider: - locationConstraint: + locationConstraint: "" # choose your own region acl: private publicAccessBlockConfiguration: blockPublicAcls: true @@ -16,4 +16,4 @@ spec: ignorePublicAcls: true restrictPublicBuckets: true providerConfigRef: - name: default + name: aws-provider-config 
diff --git a/examples/crossplane/crossplane-aws-examples/jet-aws-provider-s3.yaml b/examples/crossplane/crossplane-aws-examples/jet-aws-provider-s3.yaml
new file mode 100644
index 0000000000..84f35e80be
--- /dev/null
+++ b/examples/crossplane/crossplane-aws-examples/jet-aws-provider-s3.yaml
@@ -0,0 +1,16 @@
+apiVersion: s3.aws.jet.crossplane.io/v1alpha2
+kind: Bucket
+metadata:
+ name: xplane-jet-aws-s3-bucket
+ annotations:
+ # This will be the actual bucket name. It must be globally unique, so you
+ # probably want to change it before trying to apply this example.
+ crossplane.io/external-name: ""
+spec:
+ forProvider:
+ region: "" # choose your own region
+ acl: private
+ tags:
+ Name: ""
+ providerConfigRef:
+ name: jet-aws-provider-config
diff --git a/examples/crossplane/main.tf b/examples/crossplane/main.tf
index bed370a5ea..bb0f9ebbbb 100644
--- a/examples/crossplane/main.tf
+++ b/examples/crossplane/main.tf
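Review bot: The Terrajet example sets `acl: private` but, unlike the `aws-provider-s3.yaml` example updated in this same commit, carries no public access block settings (`blockPublicAcls`, `restrictPublicBuckets`, etc.), so a bucket created from it relies on the ACL alone. Whether the `s3.aws.jet.crossplane.io/v1alpha2` Bucket schema exposes an equivalent field cannot be confirmed from this patch; if it does, mirror the other example here, otherwise add a comment such as `# NOTE: no public access block is set on this bucket; configure one separately` so the two examples are not read as equivalent. The `region: ""` and `Name: ""` placeholders both need to be filled in before `kubectl apply`; the existing `# choose your own region` comment covers only the first, and a matching one on the tag would help.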
@@ -142,9 +142,22 @@ module "kubernetes-addons" {
 # Refer to docs/add-ons/crossplane.md for advanced configuration
 enable_crossplane = true
- # Optional config to deploy specific version of AWS Provider and attach additional IAM policies to manage AWS resources using Crossplane
- crossplane_provider_aws = {
- provider_aws_version = "v0.23.0"
+ # You can choose to install either of crossplane_aws_provider or crossplane_jet_aws_provider to work with AWS
+ # Creates ProviderConfig -> aws-provider
+ crossplane_aws_provider = {
+ enable = true
+ provider_aws_version = "v0.24.1"
+ # NOTE: Crossplane requires Admin like permissions to create and update resources similar to Terraform deploy role.
+ # This example config uses AmazonS3FullAccess for demo purpose only, but you should select a policy with the minimum permissions required to provision your resources.
+ additional_irsa_policies = ["arn:aws:iam::aws:policy/AmazonS3FullAccess"]
+ }
+
+ # Creates ProviderConfig -> jet-aws-provider
+ crossplane_jet_aws_provider = {
+ enable = true
+ provider_aws_version = "v0.4.1"
+ # NOTE: Crossplane requires Admin like permissions to create and update resources similar to Terraform deploy role.
+ # This example config uses AmazonS3FullAccess for demo purpose only, but you should select a policy with the minimum permissions required to provision your resources.
 additional_irsa_policies = ["arn:aws:iam::aws:policy/AmazonS3FullAccess"]
 }
 }
diff --git a/modules/irsa/main.tf b/modules/irsa/main.tf
index e03004ecb6..f557faacfb 100644
--- a/modules/irsa/main.tf
+++ b/modules/irsa/main.tf
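Review bot: The comment `# You can choose to install either of crossplane_aws_provider or crossplane_jet_aws_provider to work with AWS` contradicts the example that follows it, which enables both providers with `enable = true`; either reword it (`# Either or both providers can be enabled; this example enables both`) or set one of them to `enable = false` so the example demonstrates the choice the comment describes. The two-line NOTE about AmazonS3FullAccess being a demo-only policy is repeated verbatim for both blocks; stating it once above the first block reads better and avoids the two copies drifting. The `module "kubernetes-addons"` block begins before the hunk.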
@@ -42,7 +42,7 @@ resource "kubernetes_service_account_v1" "irsa" { } resource "aws_iam_role" "irsa" { - name = format("%s-%s-%s", var.eks_cluster_id, trim(var.kubernetes_service_account, "*"), "irsa") + name = format("%s-%s-%s", var.eks_cluster_id, trim(var.kubernetes_service_account, "-*"), "irsa") description = "AWS IAM Role for the Kubernetes service account ${var.kubernetes_service_account}." assume_role_policy = join("", data.aws_iam_policy_document.irsa_with_oidc.*.json) path = var.iam_role_path @@ -51,7 +51,7 @@ resource "aws_iam_role" "irsa" { tags = merge( { - "Name" = "${var.eks_cluster_id}-${var.kubernetes_service_account}-irsa", + "Name" = format("%s-%s-%s", var.eks_cluster_id, trim(var.kubernetes_service_account, "-*"), "irsa"), "app.kubernetes.io/managed-by" = "terraform-ssp-amazon-eks" }, var.tags diff --git a/modules/kubernetes-addons/README.md b/modules/kubernetes-addons/README.md index 422ca360bf..2a097c65b1 100644 --- a/modules/kubernetes-addons/README.md +++ b/modules/kubernetes-addons/README.md @@ -30,7 +30,9 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ## Providers -No providers. +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 3.66.0 | ## Modules @@ -64,7 +66,11 @@ No providers. ## Resources -No resources. +| Name | Type | +|------|------| +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs 
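Review bot: `trim(var.kubernetes_service_account, "-*")` strips every leading and trailing `-` and `*`, which is what turns a wildcard name such as `aws-provider-*` into `aws-provider`, and that derived role name is apparently reconstructed by hand in other modules, so the rule deserves a comment rather than being implied by the character set: `# strip the trailing "-*" of wildcard SA names (e.g. "aws-provider-*" -> "aws-provider"); any caller that builds this role ARN itself must apply the same rule`. Note that the same trim also removes a legitimate leading or trailing `-` from a non-wildcard SA name, and that nothing here guards the 64-character IAM role-name limit when `eks_cluster_id` is long, though neither is new to this patch. Both `resource` blocks extend beyond the hunk lines shown.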
@@ -96,8 +102,9 @@ No resources. | [aws\_node\_termination\_handler\_helm\_config](#input\_aws\_node\_termination\_handler\_helm\_config) | AWS Node Termination Handler Helm Chart config | `any` | `{}` | no | | [cert\_manager\_helm\_config](#input\_cert\_manager\_helm\_config) | Cert Manager Helm Chart config | `any` | `{}` | no | | [cluster\_autoscaler\_helm\_config](#input\_cluster\_autoscaler\_helm\_config) | Cluster Autoscaler Helm Chart config | `any` | `{}` | no | +| [crossplane\_aws\_provider](#input\_crossplane\_aws\_provider) | AWS Provider config for Crossplane |
object({
enable = bool
provider_aws_version = string
additional_irsa_policies = list(string)
})
|
{
"additional_irsa_policies": [],
"enable": false,
"provider_aws_version": "v0.24.1"
}
| no | | [crossplane\_helm\_config](#input\_crossplane\_helm\_config) | Crossplane Helm Chart config | `any` | `null` | no | -| [crossplane\_provider\_aws](#input\_crossplane\_provider\_aws) | AWS Provider config for Crossplane |
object({
provider_aws_version = string
additional_irsa_policies = list(string)
})
|
{
"additional_irsa_policies": [],
"provider_aws_version": "v0.23.0"
}
| no | +| [crossplane\_jet\_aws\_provider](#input\_crossplane\_jet\_aws\_provider) | AWS Provider Jet AWS config for Crossplane |
object({
enable = bool
provider_aws_version = string
additional_irsa_policies = list(string)
})
|
{
"additional_irsa_policies": [],
"enable": false,
"provider_aws_version": "v0.24.1"
}
| no | | [eks\_cluster\_id](#input\_eks\_cluster\_id) | EKS Cluster Id | `string` | n/a | yes | | [eks\_worker\_security\_group\_id](#input\_eks\_worker\_security\_group\_id) | EKS Worker Security group Id created by EKS module | `string` | `""` | no | | [enable\_agones](#input\_enable\_agones) | Enable Agones GamServer add-on | `bool` | `false` | no | diff --git a/modules/kubernetes-addons/crossplane/README.md b/modules/kubernetes-addons/crossplane/README.md index 817a9f423b..2c6e55b1af 100644 --- a/modules/kubernetes-addons/crossplane/README.md +++ b/modules/kubernetes-addons/crossplane/README.md @@ -15,18 +15,14 @@ Crossplane Add-on can be deployed as follows enable_crossplane = true ``` -AWS Provider for Crossplane will be installed by default with IRSA. -Crossplane requires Admin like permissions to create and update resources similar to Terraform deploy role. -This example uses AdministratorAccess, but you should select a policy with the minimum permissions required to provision your resources. -Please find more details from [AWS Provider](https://github.com/crossplane/provider-aws) +This module allows you to deploy the following AWS providers for Crossplane. These providers disabled by default. -```hcl - crossplane_provider_aws = { - provider_aws_version = "v0.23.0" - additional_irsa_policies = ["arn:aws:iam::aws:policy/AdministratorAccess"] - } -``` + - [AWS Provider](https://github.com/crossplane/provider-aws) + - [Provider Jet AWS](https://github.com/crossplane-contrib/provider-jet-aws) + +Refer to [docs](../../../docs/add-ons/crossplane.md) on how to deploy AWS Providers. +___ ## Requirements @@ -42,7 +38,6 @@ Please find more details from [AWS Provider](https://github.com/crossplane/provi | [aws](#provider\_aws) | n/a | | [kubectl](#provider\_kubectl) | >= 1.13.1 | | [kubernetes](#provider\_kubernetes) | n/a | -| [time](#provider\_time) | n/a | ## Modules 
@@ -50,28 +45,33 @@ Please find more details from [AWS Provider](https://github.com/crossplane/provi |------|--------|---------| | [aws\_provider\_irsa](#module\_aws\_provider\_irsa) | ../../../modules/irsa | n/a | | [helm\_addon](#module\_helm\_addon) | ../helm-addon | n/a | +| [jet\_aws\_provider\_irsa](#module\_jet\_aws\_provider\_irsa) | ../../../modules/irsa | n/a | ## Resources | Name | Type | |------|------| | [aws_iam_policy.aws_provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.jet_aws_provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [kubectl_manifest.aws_controller_config](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource | | [kubectl_manifest.aws_provider](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource | | [kubectl_manifest.aws_provider_config](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource | -| [kubectl_manifest.controller_config](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource | +| [kubectl_manifest.jet_aws_controller_config](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource | +| [kubectl_manifest.jet_aws_provider](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource | +| [kubectl_manifest.jet_aws_provider_config](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource | | [kubernetes_namespace_v1.crossplane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource | -| [time_sleep.wait_30_seconds](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | -| 
[aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [crossplane\_provider\_aws](#input\_crossplane\_provider\_aws) | AWS Provider config for Crossplane |
object({
provider_aws_version = string
additional_irsa_policies = list(string)
})
| n/a | yes | +| [account\_id](#input\_account\_id) | Current AWS Account ID | `string` | n/a | yes | +| [aws\_partition](#input\_aws\_partition) | AWS Identifier of the current partition e.g., aws or aws-cn | `string` | n/a | yes | +| [aws\_provider](#input\_aws\_provider) | AWS Provider config for Crossplane |
object({
enable = bool
provider_aws_version = string
additional_irsa_policies = list(string)
})
| n/a | yes | | [eks\_cluster\_id](#input\_eks\_cluster\_id) | EKS cluster Id | `string` | n/a | yes | | [helm\_config](#input\_helm\_config) | Helm provider config for the Argo Rollouts | `any` | `{}` | no | +| [jet\_aws\_provider](#input\_jet\_aws\_provider) | AWS Provider Jet AWS config for Crossplane |
object({
enable = bool
provider_aws_version = string
additional_irsa_policies = list(string)
})
| n/a | yes | | [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps. | `bool` | `false` | no | | [tags](#input\_tags) | Common Tags for AWS resources | `map(string)` | `{}` | no | diff --git a/modules/kubernetes-addons/crossplane/aws-provider/controller-config.yaml b/modules/kubernetes-addons/crossplane/aws-provider/aws-controller-config.yaml similarity index 86% rename from modules/kubernetes-addons/crossplane/aws-provider/controller-config.yaml rename to modules/kubernetes-addons/crossplane/aws-provider/aws-controller-config.yaml index 8be77d281a..a5e32117bb 100644 --- a/modules/kubernetes-addons/crossplane/aws-provider/controller-config.yaml +++ b/modules/kubernetes-addons/crossplane/aws-provider/aws-controller-config.yaml @@ -2,7 +2,7 @@ apiVersion: pkg.crossplane.io/v1alpha1 kind: ControllerConfig metadata: - name: aws-config + name: aws-controller-config annotations: eks.amazonaws.com/role-arn: ${iam-role-arn} spec: diff --git a/modules/kubernetes-addons/crossplane/aws-provider/aws-provider-config.yaml b/modules/kubernetes-addons/crossplane/aws-provider/aws-provider-config.yaml index abc4f21441..9d05f4b943 100644 --- a/modules/kubernetes-addons/crossplane/aws-provider/aws-provider-config.yaml +++ b/modules/kubernetes-addons/crossplane/aws-provider/aws-provider-config.yaml @@ -2,7 +2,7 @@ apiVersion: aws.crossplane.io/v1beta1 kind: ProviderConfig metadata: - name: default + name: aws-provider-config spec: credentials: source: InjectedIdentity diff --git a/modules/kubernetes-addons/crossplane/aws-provider/provider-aws.yaml b/modules/kubernetes-addons/crossplane/aws-provider/aws-provider.yaml similarity index 71% rename from modules/kubernetes-addons/crossplane/aws-provider/provider-aws.yaml rename to modules/kubernetes-addons/crossplane/aws-provider/aws-provider.yaml index 3c46c2d46e..f3a3638f10 100644 --- a/modules/kubernetes-addons/crossplane/aws-provider/provider-aws.yaml 
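Review bot: Renaming the AWS `ProviderConfig` from `default` to `aws-provider-config` is a breaking change for any managed resource that omits `providerConfigRef`, because Crossplane resolves those against a ProviderConfig literally named `default` (as I understand the convention); after this patch such resources stop reconciling with a not-found error instead of failing at apply time. Either keep a `default` ProviderConfig alongside the new one or call the rename out in the module README and example manifests, e.g. `# ProviderConfig is no longer named "default": every managed resource must set providerConfigRef.name explicitly`. The new jet S3 example does set `providerConfigRef`, but manifests written against the old name will not.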
+++ b/modules/kubernetes-addons/crossplane/aws-provider/aws-provider.yaml @@ -2,8 +2,8 @@ apiVersion: pkg.crossplane.io/v1 kind: Provider metadata: - name: provider-aws + name: ${aws-provider-name} spec: package: crossplane/provider-aws:${provider-aws-version} controllerConfigRef: - name: aws-config + name: aws-controller-config diff --git a/modules/kubernetes-addons/crossplane/aws-provider/jet-aws-controller-config.yaml b/modules/kubernetes-addons/crossplane/aws-provider/jet-aws-controller-config.yaml new file mode 100644 index 0000000000..7ec09192e3 --- /dev/null +++ b/modules/kubernetes-addons/crossplane/aws-provider/jet-aws-controller-config.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: pkg.crossplane.io/v1alpha1 +kind: ControllerConfig +metadata: + name: jet-aws-controller-config + annotations: + eks.amazonaws.com/role-arn: ${iam-role-arn} +spec: + podSecurityContext: + fsGroup: 2000 diff --git a/modules/kubernetes-addons/crossplane/aws-provider/jet-aws-provider-config.yaml b/modules/kubernetes-addons/crossplane/aws-provider/jet-aws-provider-config.yaml new file mode 100644 index 0000000000..8f61bbe16b --- /dev/null +++ b/modules/kubernetes-addons/crossplane/aws-provider/jet-aws-provider-config.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: aws.jet.crossplane.io/v1alpha1 +kind: ProviderConfig +metadata: + name: jet-aws-provider-config +spec: + credentials: + source: InjectedIdentity diff --git a/modules/kubernetes-addons/crossplane/aws-provider/jet-aws-provider.yaml b/modules/kubernetes-addons/crossplane/aws-provider/jet-aws-provider.yaml new file mode 100644 index 0000000000..499b6108fb --- /dev/null +++ b/modules/kubernetes-addons/crossplane/aws-provider/jet-aws-provider.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: pkg.crossplane.io/v1 +kind: Provider +metadata: + name: ${aws-provider-name} +spec: + package: crossplane/provider-jet-aws:${provider-aws-version} + controllerConfigRef: + name: jet-aws-controller-config 
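Review bot: `fsGroup: 2000` in jet-aws-controller-config.yaml carries no explanation, and the reason is security-relevant: the projected web-identity token that IRSA mounts is presumably only readable by a non-root provider process when the pod's fsGroup owns the mount, so removing this line would silently break role assumption rather than fail loudly. Add `# required so the non-root provider process can read the projected IRSA web-identity token` above it; the same presumably holds for aws-controller-config.yaml, whose `spec` is outside the hunk shown.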
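Review bot: `package: crossplane/provider-jet-aws:${provider-aws-version}` pins the provider package only by a mutable tag, so what the cluster pulls can change underneath a fixed `provider_aws_version` without any Terraform diff. `Provider.spec.package` is an OCI reference, so the version input could carry a `@sha256:` digest instead of, or in addition to, the tag; at minimum document the trade-off: `# tag-only reference; pin to a digest (name@sha256:...) for a reproducible, tamper-evident install`. The same applies to `crossplane/provider-aws:${provider-aws-version}` in aws-provider.yaml at the start of this line.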
diff --git a/modules/kubernetes-addons/crossplane/data.tf b/modules/kubernetes-addons/crossplane/data.tf index 8ee718fc73..d1e4b51769 100644 --- a/modules/kubernetes-addons/crossplane/data.tf +++ b/modules/kubernetes-addons/crossplane/data.tf @@ -1,7 +1,3 @@ -data "aws_caller_identity" "current" {} - -data "aws_partition" "current" {} - data "aws_iam_policy_document" "s3_policy" { statement { sid = "VisualEditor0" diff --git a/modules/kubernetes-addons/crossplane/locals.tf b/modules/kubernetes-addons/crossplane/locals.tf index 3982c09077..0722c98da9 100644 --- a/modules/kubernetes-addons/crossplane/locals.tf +++ b/modules/kubernetes-addons/crossplane/locals.tf @@ -5,7 +5,7 @@ locals { name = "crossplane" chart = "crossplane" repository = "https://charts.crossplane.io/stable/" - version = "1.6.2" + version = "1.6.3" namespace = local.namespace description = "Crossplane Helm chart" values = local.default_helm_values @@ -20,6 +20,11 @@ locals { operating-system = "linux" })] + aws_provider_sa = "aws-provider" + jet_aws_provider_sa = "jet-aws-provider" + aws_current_account_id = var.account_id + aws_current_partition = var.aws_partition + argocd_gitops_config = { enable = true } diff --git a/modules/kubernetes-addons/crossplane/main.tf b/modules/kubernetes-addons/crossplane/main.tf index 21518ecfe1..d41cc190a1 100644 --- a/modules/kubernetes-addons/crossplane/main.tf +++ b/modules/kubernetes-addons/crossplane/main.tf 
@@ -17,49 +17,105 @@ module "helm_addon" { depends_on = [kubernetes_namespace_v1.crossplane] } -resource "kubectl_manifest" "controller_config" { - yaml_body = templatefile("${path.module}/aws-provider/controller-config.yaml", { - iam-role-arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/${var.eks_cluster_id}-provider-aws--irsa" +#-------------------------------------- +# AWS Provider +#-------------------------------------- +resource "kubectl_manifest" "aws_controller_config" { + count = var.aws_provider.enable == true ? 1 : 0 + yaml_body = templatefile("${path.module}/aws-provider/aws-controller-config.yaml", { + iam-role-arn = "arn:${local.aws_current_partition}:iam::${local.aws_current_account_id}:role/${var.eks_cluster_id}-${local.aws_provider_sa}-irsa" }) depends_on = [module.helm_addon] } resource "kubectl_manifest" "aws_provider" { - yaml_body = templatefile("${path.module}/aws-provider/provider-aws.yaml", { - provider-aws-version = var.crossplane_provider_aws.provider_aws_version + count = var.aws_provider.enable == true ? 1 : 0 + yaml_body = templatefile("${path.module}/aws-provider/aws-provider.yaml", { + provider-aws-version = var.aws_provider.provider_aws_version + aws-provider-name = local.aws_provider_sa }) - depends_on = [kubectl_manifest.controller_config] + wait = true + depends_on = [kubectl_manifest.aws_controller_config] } module "aws_provider_irsa" { + count = var.aws_provider.enable == true ? 
1 : 0 source = "../../../modules/irsa" eks_cluster_id = var.eks_cluster_id create_kubernetes_namespace = false create_kubernetes_service_account = false kubernetes_namespace = local.namespace - kubernetes_service_account = "provider-aws-*" - irsa_iam_policies = concat([aws_iam_policy.aws_provider.arn], var.crossplane_provider_aws.additional_irsa_policies) + kubernetes_service_account = "${local.aws_provider_sa}-*" + irsa_iam_policies = concat([aws_iam_policy.aws_provider[0].arn], var.aws_provider.additional_irsa_policies) tags = var.tags depends_on = [kubectl_manifest.aws_provider] } resource "aws_iam_policy" "aws_provider" { + count = var.aws_provider.enable == true ? 1 : 0 description = "Crossplane AWS Provider IAM policy" - name = "${var.eks_cluster_id}-aws-provider-irsa" + name = "${var.eks_cluster_id}-${local.aws_provider_sa}-irsa" policy = data.aws_iam_policy_document.s3_policy.json tags = var.tags } -# Wait for the AWS Provider CRDs to be fully created before initiating aws_provider_config deployment -resource "time_sleep" "wait_30_seconds" { +resource "kubectl_manifest" "aws_provider_config" { + count = var.aws_provider.enable == true ? 1 : 0 + yaml_body = templatefile("${path.module}/aws-provider/aws-provider-config.yaml", {}) + depends_on = [kubectl_manifest.aws_provider] +} + +#-------------------------------------- +# Terrajet AWS Provider +#-------------------------------------- +resource "kubectl_manifest" "jet_aws_controller_config" { + count = var.jet_aws_provider.enable == true ? 1 : 0 + yaml_body = templatefile("${path.module}/aws-provider/jet-aws-controller-config.yaml", { + iam-role-arn = "arn:${local.aws_current_partition}:iam::${local.aws_current_account_id}:role/${var.eks_cluster_id}-${local.jet_aws_provider_sa}-irsa" + }) + + depends_on = [module.helm_addon] +} + +resource "kubectl_manifest" "jet_aws_provider" { + count = var.jet_aws_provider.enable == true ? 
1 : 0 + yaml_body = templatefile("${path.module}/aws-provider/jet-aws-provider.yaml", { + provider-aws-version = var.jet_aws_provider.provider_aws_version + aws-provider-name = local.jet_aws_provider_sa + }) + wait = true - create_duration = "30s" + depends_on = [kubectl_manifest.jet_aws_controller_config] } -resource "kubectl_manifest" "aws_provider_config" { - yaml_body = templatefile("${path.module}/aws-provider/aws-provider-config.yaml", {}) +module "jet_aws_provider_irsa" { + count = var.jet_aws_provider.enable == true ? 1 : 0 + + source = "../../../modules/irsa" + eks_cluster_id = var.eks_cluster_id + create_kubernetes_namespace = false + create_kubernetes_service_account = false + kubernetes_namespace = local.namespace + kubernetes_service_account = "${local.jet_aws_provider_sa}-*" + irsa_iam_policies = concat([aws_iam_policy.jet_aws_provider[0].arn], var.jet_aws_provider.additional_irsa_policies) + tags = var.tags + + depends_on = [kubectl_manifest.jet_aws_provider] +} + +resource "aws_iam_policy" "jet_aws_provider" { + count = var.jet_aws_provider.enable == true ? 1 : 0 + description = "Crossplane Jet AWS Provider IAM policy" + name = "${var.eks_cluster_id}-${local.jet_aws_provider_sa}-irsa" + policy = data.aws_iam_policy_document.s3_policy.json + tags = var.tags +} + +resource "kubectl_manifest" "jet_aws_provider_config" { + count = var.jet_aws_provider.enable == true ? 1 : 0 + yaml_body = templatefile("${path.module}/aws-provider/jet-aws-provider-config.yaml", {}) - depends_on = [kubectl_manifest.aws_provider, time_sleep.wait_30_seconds] + depends_on = [kubectl_manifest.jet_aws_provider] } diff --git a/modules/kubernetes-addons/crossplane/variables.tf b/modules/kubernetes-addons/crossplane/variables.tf index 69cec57c0c..440ee7d7d9 100644 --- a/modules/kubernetes-addons/crossplane/variables.tf +++ b/modules/kubernetes-addons/crossplane/variables.tf 
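Review bot: Both IRSA modules trust a wildcard service account (`kubernetes_service_account = "${local.aws_provider_sa}-*"`), so every service account in `local.namespace` whose name starts with `aws-provider-` or `jet-aws-provider-` can assume roles that the example pairs with `AmazonS3FullAccess`; the wildcard is presumably needed because Crossplane suffixes the provider SA with a hash, but that should be stated on the line: `# Crossplane names the provider SA <name>-<hash>; this wildcard widens the role trust to any SA with the prefix in the namespace, so keep SA creation here restricted`. Separately, the role ARN in `kubectl_manifest.aws_controller_config` and `jet_aws_controller_config` is rebuilt by hand from `var.eks_cluster_id`, the SA local and the literal `-irsa`, duplicating the naming rule inside the irsa module (including its trim of the trailing `-*`), so a change on either side yields a role the provider silently cannot assume; add a comment naming that coupling, or, if the irsa module exports the role ARN and the `depends_on` on the Provider can be dropped (the module creates no SA here), reference the output instead. Both `aws_iam_policy` resources also attach the same `data.aws_iam_policy_document.s3_policy`, whose body is outside this hunk; a one-line comment that this is the baseline policy and `additional_irsa_policies` only extends it would help the next reader.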
@@ -21,10 +21,30 @@ variable "tags" { default = {} } -variable "crossplane_provider_aws" { +variable "aws_provider" { description = "AWS Provider config for Crossplane" type = object({ + enable = bool provider_aws_version = string additional_irsa_policies = list(string) }) } + +variable "jet_aws_provider" { + description = "AWS Provider Jet AWS config for Crossplane" + type = object({ + enable = bool + provider_aws_version = string + additional_irsa_policies = list(string) + }) +} + +variable "account_id" { + description = "Current AWS Account ID" + type = string +} + +variable "aws_partition" { + description = "AWS Identifier of the current partition e.g., aws or aws-cn" + type = string +} diff --git a/modules/kubernetes-addons/data.tf b/modules/kubernetes-addons/data.tf new file mode 100644 index 0000000000..e528018a6d --- /dev/null +++ b/modules/kubernetes-addons/data.tf @@ -0,0 +1,5 @@ +data "aws_partition" "current" {} + +data "aws_caller_identity" "current" {} + +data "aws_region" "current" {} diff --git a/modules/kubernetes-addons/fargate-fluentbit/README.md b/modules/kubernetes-addons/fargate-fluentbit/README.md index e182c636b7..a809704879 100644 --- a/modules/kubernetes-addons/fargate-fluentbit/README.md +++ b/modules/kubernetes-addons/fargate-fluentbit/README.md @@ -83,7 +83,6 @@ No requirements. | Name | Version | |------|---------| -| [aws](#provider\_aws) | n/a | | [kubernetes](#provider\_kubernetes) | n/a | ## Modules @@ -96,7 +95,6 @@ No modules. |------|------| | [kubernetes_config_map.aws_logging](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource | | [kubernetes_namespace.aws_observability](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs 
@@ -104,6 +102,7 @@ No modules. |------|-------------|------|---------|:--------:| | [addon\_config](#input\_addon\_config) | Fargate fluentbit configuration | `any` | `{}` | no | | [eks\_cluster\_id](#input\_eks\_cluster\_id) | EKS cluster Id | `string` | n/a | yes | +| [region](#input\_region) | AWS region | `string` | n/a | yes | ## Outputs diff --git a/modules/kubernetes-addons/fargate-fluentbit/data.tf b/modules/kubernetes-addons/fargate-fluentbit/data.tf deleted file mode 100644 index 2502393bf3..0000000000 --- a/modules/kubernetes-addons/fargate-fluentbit/data.tf +++ /dev/null @@ -1 +0,0 @@ -data "aws_region" "current" {} diff --git a/modules/kubernetes-addons/fargate-fluentbit/locals.tf b/modules/kubernetes-addons/fargate-fluentbit/locals.tf index d30d5d2d11..7807b1c6fd 100644 --- a/modules/kubernetes-addons/fargate-fluentbit/locals.tf +++ b/modules/kubernetes-addons/fargate-fluentbit/locals.tf @@ -8,7 +8,7 @@ locals { [OUTPUT] Name cloudwatch_logs Match * - region ${data.aws_region.current.id} + region ${var.region} log_group_name ${local.cwlog_group} log_stream_prefix ${local.cwlog_stream_prefix} auto_create_group true diff --git a/modules/kubernetes-addons/fargate-fluentbit/variables.tf b/modules/kubernetes-addons/fargate-fluentbit/variables.tf index 7cdd2ed847..fcf28ca762 100644 --- a/modules/kubernetes-addons/fargate-fluentbit/variables.tf +++ b/modules/kubernetes-addons/fargate-fluentbit/variables.tf @@ -26,3 +26,8 @@ variable "addon_config" { description = "Fargate fluentbit configuration" default = {} } + +variable "region" { + type = string + description = "AWS region" +} diff --git a/modules/kubernetes-addons/main.tf b/modules/kubernetes-addons/main.tf index 82b9a81b77..527bce9bd6 100644 --- a/modules/kubernetes-addons/main.tf +++ b/modules/kubernetes-addons/main.tf 
@@ -130,12 +130,16 @@ module "cluster_autoscaler" { } module "crossplane" { - count = var.enable_crossplane ? 1 : 0 - source = "./crossplane" - helm_config = var.crossplane_helm_config - eks_cluster_id = var.eks_cluster_id - manage_via_gitops = var.argocd_manage_add_ons - crossplane_provider_aws = var.crossplane_provider_aws + count = var.enable_crossplane ? 1 : 0 + source = "./crossplane" + helm_config = var.crossplane_helm_config + eks_cluster_id = var.eks_cluster_id + manage_via_gitops = var.argocd_manage_add_ons + aws_provider = var.crossplane_aws_provider + jet_aws_provider = var.crossplane_jet_aws_provider + account_id = data.aws_caller_identity.current.account_id + aws_partition = data.aws_partition.current.id + tags = var.tags } module "fargate_fluentbit" { @@ -143,6 +147,7 @@ module "fargate_fluentbit" { source = "./fargate-fluentbit" eks_cluster_id = var.eks_cluster_id addon_config = var.fargate_fluentbit_addon_config + region = data.aws_region.current.id } module "ingress_nginx" { diff --git a/modules/kubernetes-addons/variables.tf b/modules/kubernetes-addons/variables.tf index 338eb06ff1..37b83a8668 100644 --- a/modules/kubernetes-addons/variables.tf +++ b/modules/kubernetes-addons/variables.tf 
@@ -102,14 +102,30 @@ variable "crossplane_helm_config" { description = "Crossplane Helm Chart config" } -variable "crossplane_provider_aws" { +variable "crossplane_aws_provider" { description = "AWS Provider config for Crossplane" type = object({ + enable = bool provider_aws_version = string additional_irsa_policies = list(string) }) default = { - provider_aws_version = "v0.23.0" + enable = false + provider_aws_version = "v0.24.1" + additional_irsa_policies = [] + } +} + +variable "crossplane_jet_aws_provider" { + description = "AWS Provider Jet AWS config for Crossplane" + type = object({ + enable = bool + provider_aws_version = string + additional_irsa_policies = list(string) + }) + default = { + enable = false + provider_aws_version = "v0.24.1" additional_irsa_policies = [] } } From bb8217478df5d5e431447a1c8b5380b1c616416b Mon Sep 17 00:00:00 2001 
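Review bot: The new `crossplane_aws_provider` and `crossplane_jet_aws_provider` objects accept `additional_irsa_policies` but no permissions boundary, so the admin-like roles the docs say these providers need cannot be boundary-constrained the way other add-ons in this module appear to allow through their `*_irsa_permissions_boundary` inputs, assuming the irsa module accepts one. Consider adding `irsa_permissions_boundary = string` (default `""`) to both objects and threading it through; until then, document the gap on the variable: `# NOTE: no permissions boundary is applied to the provider role; attach one via the irsa module if your account policy requires it`. There is also no `validation` block on `provider_aws_version`, so an empty string yields the package reference `crossplane/provider-aws:` and fails only at reconcile time.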
From: Luigi Di Fraia Date: Wed, 2 Mar 2022 11:35:09 +0000 Subject: [PATCH 04/30] Add support for the AWS EFS CSI driver as a k8s add-on (#266) * Addon for the EFS CSI driver * Misc updates * Generate with terraform-docs * Naming convention * Add a blank line * Remove unused aws_region * Change markers for terraform-docs * Disable SA creation as it's handled by the IRSA module * Change version * Node SA doesn't apply to this version * Add example for EFS * Expand example * Remove test file * Remove prompt to make commands copy&paste friendly * Re-add fargate profile * Name convention changes * Only mention TF output once * Override SA name * Update chart version and handle node SA too * Encrypt the storage * Use the new approach as per Vara's review * Re-generate docs * Remove values.yaml as its whole contents are already set via set_values * Add empty line at the end of the file * Include a docs entry for the AWS EFS CSI driver * Add doc for the AWS EFS CSI driver * Expand description * Generalise policy name for both controller and node * Add EFS CSI driver entries * Add further steps to test provisioning * Correct destroy command option * Fix the SG definition to match mount target CIDR blocks * Remove extra spaces * Changes made by pre-commit * Remove Helm config items that match defaults; also use default timeout * Changes made by pre-commit * Rename example folder to aws-efs-csi-driver Co-authored-by: Luigi Di Fraia --- docs/add-ons/aws-efs-csi-driver.md | 52 +++++ docs/add-ons/index.md | 1 + examples/aws-efs-csi-driver/README.md | 164 ++++++++++++++ examples/aws-efs-csi-driver/main.tf | 200 ++++++++++++++++++ modules/kubernetes-addons/README.md | 3 + .../aws-efs-csi-driver/README.md | 59 ++++++ .../aws-efs-csi-driver/data.tf | 38 ++++ .../aws-efs-csi-driver/locals.tf | 59 ++++++ .../aws-efs-csi-driver/main.tf | 32 +++ .../aws-efs-csi-driver/outputs.tf | 22 ++ .../aws-efs-csi-driver/variables.tf | 51 +++++ modules/kubernetes-addons/locals.tf | 1 + 
modules/kubernetes-addons/main.tf | 9 + modules/kubernetes-addons/variables.tf | 13 ++ 14 files changed, 704 insertions(+) create mode 100644 docs/add-ons/aws-efs-csi-driver.md create mode 100644 examples/aws-efs-csi-driver/README.md create mode 100644 examples/aws-efs-csi-driver/main.tf create mode 100644 modules/kubernetes-addons/aws-efs-csi-driver/README.md create mode 100644 modules/kubernetes-addons/aws-efs-csi-driver/data.tf create mode 100644 modules/kubernetes-addons/aws-efs-csi-driver/locals.tf create mode 100644 modules/kubernetes-addons/aws-efs-csi-driver/main.tf create mode 100644 modules/kubernetes-addons/aws-efs-csi-driver/outputs.tf create mode 100644 modules/kubernetes-addons/aws-efs-csi-driver/variables.tf diff --git a/docs/add-ons/aws-efs-csi-driver.md b/docs/add-ons/aws-efs-csi-driver.md new file mode 100644 index 0000000000..5c4fe8b578 --- /dev/null +++ b/docs/add-ons/aws-efs-csi-driver.md 
@@ -0,0 +1,52 @@ +# AWS EFS CSI Driver + +This add-on deploys the [AWS EFS CSI driver](https://docs.aws.amazon.com/eks/latest/userguide/efs-csi.html) into an EKS cluster. + +## Usage + +The [AWS EFS CSI driver](https://github.com/aws-samples/aws-eks-accelerator-for-terraform/tree/main/modules/kubernetes-addons/aws-efs-csi-driver) can be deployed by enabling the add-on via the following. Check out the full [example](../../examples/aws-efs-csi-driver/main.tf) to deploy an EKS Cluster with EFS backing the dynamic provisioning of persistent volumes. + +```hcl + enable_aws_efs_csi_driver = true +``` + +Once deployed, you will be able to see a number of supporting resources in the `kube-system` namespace. + +```sh +$ kubectl get deployment efs-csi-controller -n kube-system + +NAME READY UP-TO-DATE AVAILABLE AGE +efs-csi-controller 2/2 2 2 4m29s +``` + +```sh +$ kubectl get daemonset efs-csi-node -n kube-system + +NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE +efs-csi-node 3 3 3 3 3 beta.kubernetes.io/os=linux 4m32s +``` + +You can optionally customize the Helm chart that deploys the driver via the following configuration. + +```hcl + enable_aws_efs_csi_driver = true + + # Optional aws_efs_csi_driver_helm_config + aws_efs_csi_driver_helm_config = { + repository = "https://kubernetes-sigs.github.io/aws-efs-csi-driver/" + version = "2.2.3" + } +``` + +### GitOps Configuration + +The following properties are made available for use when managing the add-on via GitOps. + +Refer to [locals.tf](../../modules/kubernetes-addons/aws-efs-csi-driver/locals.tf) for the latest config. The GitOps with ArgoCD Add-on repo is located [here](https://github.com/aws-samples/ssp-eks-add-ons). + +```hcl + argocd_gitops_config = { + enable = true + serviceAccountName = local.service_account_name + } +``` diff --git a/docs/add-ons/index.md b/docs/add-ons/index.md index 62653f6032..eda1da258f 100644 --- a/docs/add-ons/index.md +++ b/docs/add-ons/index.md 
@@ -9,6 +9,7 @@ The framework currently provides support for the following add-ons: | [Agones](../add-ons/agones.md) | Deploys Agones into an EKS cluster. | | [Amazon EKS Add-ons](../add-ons/managed-add-ons.md) | Enables Amazon EKS add-ons. | | [ArgoCD](../add-ons/argocd.md) | Deploys ArgoCD into an EKS cluster. | +| [AWS EFS CSI driver](../add-ons/aws-efs-csi-driver.md) | Deploys the AWS EFS CSI driver into an EKS cluster. | | [AWS for Fluent Bit](../add-ons/aws-for-fluent-bit.md) | Deploys Fluent Bit into an EKS cluster. | | [AWS Load Balancer Controller](../add-ons/aws-load-balancer-controller.md) | Deploys the AWS Load Balancer Controller into an EKS cluster. | | [AWS Distro for Open Telemetry](../add-ons/aws-open-telemetry.md) | Deploys the AWS Open Telemetry Collector into an EKS cluster. | diff --git a/examples/aws-efs-csi-driver/README.md b/examples/aws-efs-csi-driver/README.md new file mode 100644 index 0000000000..f11828fe48 --- /dev/null +++ b/examples/aws-efs-csi-driver/README.md 
@@ -0,0 +1,164 @@ +# EKS Cluster Deployment with new VPC and EFS +This example deploys the following Basic EKS Cluster with VPC + - Creates a new sample VPC, 3 Private Subnets and 3 Public Subnets + - Creates Internet gateway for Public Subnets and NAT Gateway for Private Subnets + - Creates EKS Cluster Control plane with one managed node group and fargate profile + - Creates EFS file system for backing the dynamic provisioning of persistent volumes + +## How to Deploy +### Prerequisites: +Ensure that you have installed the following tools in your Mac or Windows Laptop before start working with this module and run Terraform Plan and Apply +1. [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) +3. [Kubectl](https://Kubernetes.io/docs/tasks/tools/) +4. [Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) + +### Deployment Steps +#### Step1: Clone the repo using the command below + +```shell script +git clone https://github.com/aws-samples/aws-eks-accelerator-for-terraform.git +``` + +#### Step2: Run Terraform INIT +Initialize a working directory with configuration files + +```shell script +cd examples/aws-efs-csi-driver/ +terraform init +``` + +#### Step3: Run Terraform PLAN +Verify the resources created by this execution + +```shell script +export AWS_REGION= # Select your own region +terraform plan +``` + +#### Step4: Finally, Terraform APPLY +To create resources + +```shell script +terraform apply +``` + +Enter `yes` to apply + +### Configure `kubectl` and test cluster +EKS Cluster details can be extracted from terraform output or from AWS Console to get the name of cluster. +This following command used to update the `kubeconfig` in your local machine where you run kubectl commands to interact with your EKS Cluster. 
+ +#### Step5: Run `update-kubeconfig` command + +`~/.kube/config` file gets updated with cluster details and certificate from the below command + + aws eks --region ${AWS_REGION} update-kubeconfig --name aws001-preprod-dev-eks + +#### Step6: List all the worker nodes by running the command below + + kubectl get nodes + +#### Step7: List all the pods running in `kube-system` namespace + + kubectl get pods -n kube-system + +#### Step8: Create a storage class to leverage the EFS file system + +Retrieve your Amazon EFS file system ID + + terraform output -raw efs_file_system_id + +Download a `StorageClass` manifest for Amazon EFS + + curl -o storageclass.yaml https://raw.githubusercontent.com/kubernetes-sigs/aws-efs-csi-driver/master/examples/kubernetes/dynamic_provisioning/specs/storageclass.yaml + +Edit the file and replace the value for `fileSystemId` with your file system ID + + fileSystemId: fs-xxxxxxxxxxxxxxxxx + +Deploy the storage class + + kubectl apply -f storageclass.yaml + +#### Step9: Test automatic provisioning + +Download a manifest that deploys a `Pod` and a `PersistentVolumeClaim` + + curl -o pod.yaml https://raw.githubusercontent.com/kubernetes-sigs/aws-efs-csi-driver/master/examples/kubernetes/dynamic_provisioning/specs/pod.yaml + +Deploy the `Pod` + + kubectl apply -f pod.yaml + +Confirm that a persistent volume was created with a status of `Bound` to a `PersistentVolumeClaim` + + kubectl get pv + +Wait until the sample app `Pod`'s `STATUS` becomes `Running` + + kubectl wait --for=condition=ready pod efs-app + +Confirm that the data is written to the volume + + kubectl exec efs-app -- bash -c "cat data/out" + Wed Feb 23 13:37:24 UTC 2022 + Wed Feb 23 13:37:29 UTC 2022 + Wed Feb 23 13:37:34 UTC 2022 + Wed Feb 23 13:37:39 UTC 2022 + Wed Feb 23 13:37:44 UTC 2022 + Wed Feb 23 13:37:49 UTC 2022 + +## How to Destroy +The following command destroys the resources created by `terraform apply` + +```shell script +cd examples/aws-efs-csi-driver/ +terraform 
destroy -auto-approve +``` + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.1 | +| [aws](#requirement\_aws) | >= 3.66.0 | +| [helm](#requirement\_helm) | >= 2.4.1 | +| [kubernetes](#requirement\_kubernetes) | >= 2.6.1 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 4.1.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-eks-accelerator-for-terraform](#module\_aws-eks-accelerator-for-terraform) | ../.. | n/a | +| [aws\_vpc](#module\_aws\_vpc) | terraform-aws-modules/vpc/aws | v3.2.0 | +| [kubernetes-addons](#module\_kubernetes-addons) | ../../modules/kubernetes-addons | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_efs_file_system.efs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system) | resource | +| [aws_efs_mount_target.efs_mt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_mount_target) | resource | +| [aws_security_group.efs_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | +| [aws_eks_cluster.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | +| [aws_eks_cluster_auth.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +No inputs. + +## Outputs + +| Name | Description | +|------|-------------| +| [efs\_file\_system\_id](#output\_efs\_file\_system\_id) | ID of the EFS file system to use for creating a storage class | + 
diff --git a/examples/aws-efs-csi-driver/main.tf b/examples/aws-efs-csi-driver/main.tf new file mode 100644 index 0000000000..bb748a26a9 --- /dev/null +++ b/examples/aws-efs-csi-driver/main.tf 
@@ -0,0 +1,200 @@
+terraform {
+ required_version = ">= 1.0.1"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.66.0"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.6.1"
+ }
+ helm = {
+ source = "hashicorp/helm"
+ version = ">= 2.4.1"
+ }
+ }
+
+ backend "local" {
+ path = "local_tf_state/terraform-main.tfstate"
+ }
+}
+
+data "aws_region" "current" {}
+
+data "aws_availability_zones" "available" {}
+
+data "aws_eks_cluster" "cluster" {
+ name = module.aws-eks-accelerator-for-terraform.eks_cluster_id
+}
+
+data "aws_eks_cluster_auth" "cluster" {
+ name = module.aws-eks-accelerator-for-terraform.eks_cluster_id
+}
+
+provider "aws" {
+ region = data.aws_region.current.id
+ alias = "default"
+}
+
+provider "kubernetes" {
+ experiments {
+ manifest_resource = true
+ }
+ host = data.aws_eks_cluster.cluster.endpoint
+ cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
+ token = data.aws_eks_cluster_auth.cluster.token
+}
+
+provider "helm" {
+ kubernetes {
+ host = data.aws_eks_cluster.cluster.endpoint
+ token = data.aws_eks_cluster_auth.cluster.token
+ cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
+ }
+}
+
+locals {
+ tenant = "aws001" # AWS account name or unique id for tenant
+ environment = "preprod" # Environment area eg., preprod or prod
+ zone = "dev" # Environment with in one sub_tenant or business unit
+ kubernetes_version = "1.21"
+
+ vpc_cidr = "10.0.0.0/16"
+ vpc_name = join("-", [local.tenant, local.environment, local.zone, "vpc"])
+ cluster_name = join("-", [local.tenant, local.environment, local.zone, "eks"])
+
+ terraform_version = "Terraform v1.0.1"
+}
+
+module "aws_vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "v3.2.0"
+
+ name = local.vpc_name
+ cidr = local.vpc_cidr
+ azs = data.aws_availability_zones.available.names
+
+ public_subnets = [for k, v in
data.aws_availability_zones.available.names : cidrsubnet(local.vpc_cidr, 8, k)]
+ private_subnets = [for k, v in data.aws_availability_zones.available.names : cidrsubnet(local.vpc_cidr, 8, k + 10)]
+
+ enable_nat_gateway = true
+ create_igw = true
+ enable_dns_hostnames = true
+ single_nat_gateway = true
+
+ public_subnet_tags = {
+ "kubernetes.io/cluster/${local.cluster_name}" = "shared"
+ "kubernetes.io/role/elb" = "1"
+ }
+
+ private_subnet_tags = {
+ "kubernetes.io/cluster/${local.cluster_name}" = "shared"
+ "kubernetes.io/role/internal-elb" = "1"
+ }
+}
+
+#---------------------------------------------------------------
+# Example to consume aws-eks-accelerator-for-terraform module
+#---------------------------------------------------------------
+module "aws-eks-accelerator-for-terraform" {
+ source = "../.."
+
+ tenant = local.tenant
+ environment = local.environment
+ zone = local.zone
+ terraform_version = local.terraform_version
+
+ # EKS Cluster VPC and Subnet mandatory config
+ vpc_id = module.aws_vpc.vpc_id
+ private_subnet_ids = module.aws_vpc.private_subnets
+
+ # EKS CONTROL PLANE VARIABLES
+ create_eks = true
+ kubernetes_version = local.kubernetes_version
+
+ # EKS MANAGED NODE GROUPS
+ managed_node_groups = {
+ mg_4 = {
+ node_group_name = "managed-ondemand"
+ instance_types = ["m4.large"]
+ min_size = "2"
+ subnet_ids = module.aws_vpc.private_subnets
+ }
+ }
+
+ # FARGATE
+ fargate_profiles = {
+ default = {
+ fargate_profile_name = "default"
+ fargate_profile_namespaces = [
+ {
+ namespace = "default"
+ k8s_labels = {
+ Environment = "preprod"
+ Zone = "dev"
+ env = "fargate"
+ }
+ }]
+ subnet_ids = module.aws_vpc.private_subnets
+ additional_tags = {
+ ExtraTag = "Fargate"
+ }
+ },
+ }
+}
+
+#---------------------------------------------
+# Deploy Kubernetes Add-ons with sub module
+#---------------------------------------------
+module "kubernetes-addons" {
+ source = "../../modules/kubernetes-addons"
+ eks_cluster_id =
module.aws-eks-accelerator-for-terraform.eks_cluster_id
+
+ # EKS Managed Add-ons
+ enable_amazon_eks_vpc_cni = true
+ enable_amazon_eks_coredns = true
+ enable_amazon_eks_kube_proxy = true
+
+ # K8s Add-ons
+ enable_aws_load_balancer_controller = true
+ enable_metrics_server = true
+ enable_cluster_autoscaler = true
+ enable_aws_efs_csi_driver = true
+
+ depends_on = [module.aws-eks-accelerator-for-terraform.managed_node_groups]
+}
+
+#--------------
+# Deploy EFS
+#--------------
+resource "aws_efs_file_system" "efs" {
+ creation_token = "efs"
+ encrypted = true
+}
+
+resource "aws_efs_mount_target" "efs_mt" {
+ count = length(module.aws_vpc.private_subnets)
+ file_system_id = aws_efs_file_system.efs.id
+ subnet_id = module.aws_vpc.private_subnets[count.index]
+ security_groups = [aws_security_group.efs_sg.id]
+}
+
+resource "aws_security_group" "efs_sg" {
+ name = "efs-sg"
+ description = "Allow inbound NFS traffic from private subnets of the VPC"
+ vpc_id = module.aws_vpc.vpc_id
+
+ ingress {
+ cidr_blocks = module.aws_vpc.private_subnets_cidr_blocks
+ from_port = 2049
+ to_port = 2049
+ protocol = "tcp"
+ }
+}
+
+output "efs_file_system_id" {
+ description = "ID of the EFS file system to use for creating a storage class"
+ value = aws_efs_file_system.efs.id
+}
diff --git a/modules/kubernetes-addons/README.md b/modules/kubernetes-addons/README.md
index 2a097c65b1..16abd36109 100644
--- a/modules/kubernetes-addons/README.md
+++ b/modules/kubernetes-addons/README.md
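Review bot: `aws_efs_file_system.efs` has no `aws_efs_file_system_policy`, so the only gate on mounting it is `aws_security_group.efs_sg` (TCP 2049 from the private-subnet CIDRs): any pod or node with network reach can mount it anonymously and without TLS, and `encrypted = true` covers data at rest only. Because examples get copied into production, consider attaching a file system policy that denies requests with `aws:SecureTransport` = `false`; before enforcing it, confirm the pinned driver's mount options satisfy it and check whether a Deny-only policy still admits anonymous TLS mounts or needs an explicit `elasticfilesystem:ClientMount` allow. Separately, `name = "efs-sg"` is a fixed name that collides if the example is applied twice in one VPC; `name_prefix = "efs-sg-"` or a name derived from `local.cluster_name` avoids that.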
@@ -43,6 +43,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | [argocd](#module\_argocd) | ./argocd | n/a | | [aws\_coredns](#module\_aws\_coredns) | ./aws-coredns | n/a | | [aws\_ebs\_csi\_driver](#module\_aws\_ebs\_csi\_driver) | ./aws-ebs-csi-driver | n/a | +| [aws\_efs\_csi\_driver](#module\_aws\_efs\_csi\_driver) | ./aws-efs-csi-driver | n/a | | [aws\_for\_fluent\_bit](#module\_aws\_for\_fluent\_bit) | ./aws-for-fluentbit | n/a | | [aws\_kube\_proxy](#module\_aws\_kube\_proxy) | ./aws-kube-proxy | n/a | | [aws\_load\_balancer\_controller](#module\_aws\_load\_balancer\_controller) | ./aws-load-balancer-controller | n/a | @@ -92,6 +93,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | [argocd\_helm\_config](#input\_argocd\_helm\_config) | Argo CD Kubernetes add-on config | `any` | `{}` | no | | [argocd\_manage\_add\_ons](#input\_argocd\_manage\_add\_ons) | Enable managing add-on configuration via ArgoCD | `bool` | `false` | no | | [auto\_scaling\_group\_names](#input\_auto\_scaling\_group\_names) | List of self-managed node groups autoscaling group names | `list(string)` | `[]` | no | +| [aws\_efs\_csi\_driver\_helm\_config](#input\_aws\_efs\_csi\_driver\_helm\_config) | AWS EFS CSI driver Helm Chart config | `any` | `{}` | no | | [aws\_for\_fluentbit\_cw\_log\_group\_kms\_key\_arn](#input\_aws\_for\_fluentbit\_cw\_log\_group\_kms\_key\_arn) | FluentBit CloudWatch Log group KMS Key | `string` | `null` | no | | [aws\_for\_fluentbit\_cw\_log\_group\_name](#input\_aws\_for\_fluentbit\_cw\_log\_group\_name) | FluentBit CloudWatch Log group name | `string` | `null` | no | | [aws\_for\_fluentbit\_cw\_log\_group\_retention](#input\_aws\_for\_fluentbit\_cw\_log\_group\_retention) | FluentBit CloudWatch Log group retention period | `number` | `90` | no | 
@@ -115,6 +117,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | [enable\_amazon\_prometheus](#input\_enable\_amazon\_prometheus) | Enable AWS Managed Prometheus service | `bool` | `false` | no | | [enable\_argo\_rollouts](#input\_enable\_argo\_rollouts) | Enable Argo Rollouts add-on | `bool` | `false` | no | | [enable\_argocd](#input\_enable\_argocd) | Enable Argo CD Kubernetes add-on | `bool` | `false` | no | +| [enable\_aws\_efs\_csi\_driver](#input\_enable\_aws\_efs\_csi\_driver) | Enable AWS EFS CSI driver add-on | `bool` | `false` | no | | [enable\_aws\_for\_fluentbit](#input\_enable\_aws\_for\_fluentbit) | Enable AWS for FluentBit add-on | `bool` | `false` | no | | [enable\_aws\_load\_balancer\_controller](#input\_enable\_aws\_load\_balancer\_controller) | Enable AWS Load Balancer Controller add-on | `bool` | `false` | no | | [enable\_aws\_node\_termination\_handler](#input\_enable\_aws\_node\_termination\_handler) | Enable AWS Node Termination Handler add-on | `bool` | `false` | no | diff --git a/modules/kubernetes-addons/aws-efs-csi-driver/README.md b/modules/kubernetes-addons/aws-efs-csi-driver/README.md new file mode 100644 index 0000000000..3059ffddc8 --- /dev/null +++ b/modules/kubernetes-addons/aws-efs-csi-driver/README.md 
@@ -0,0 +1,59 @@ +# AWS EFS CSI driver Helm Chart + + +Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +SPDX-License-Identifier: MIT-0 + +Permission is hereby granted, free of charge, to any person obtaining a copy of this +software and associated documentation files (the "Software"), to deal in the Software +without restriction, including without limitation the rights to use, copy, modify, +merge, publish, distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, +INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A +PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT +HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [helm\_addon](#module\_helm\_addon) | ../helm-addon | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_policy.aws_efs_csi_driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy_document.aws_efs_csi_driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [eks\_cluster\_id](#input\_eks\_cluster\_id) | EKS cluster Id | `string` | n/a | yes | +| [helm\_config](#input\_helm\_config) | Helm provider config for the aws\_efs\_csi\_driver. 
| `any` | `{}` | no |
+| [irsa\_iam\_permissions\_boundary](#input\_irsa\_iam\_permissions\_boundary) | IAM Policy ARN for IRSA IAM role permissions boundary | `string` | `""` | no |
+| [irsa\_policies](#input\_irsa\_policies) | Additional IAM policies for a IAM role for service accounts | `list(string)` | `[]` | no |
+| [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps. | `bool` | `false` | no |
+| [tags](#input\_tags) | Common Tags for AWS resources | `map(string)` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [argocd\_gitops\_config](#output\_argocd\_gitops\_config) | Configuration used for managing the add-on with ArgoCD |
+
diff --git a/modules/kubernetes-addons/aws-efs-csi-driver/data.tf b/modules/kubernetes-addons/aws-efs-csi-driver/data.tf
new file mode 100644
index 0000000000..ddaa91834a
--- /dev/null
+++ b/modules/kubernetes-addons/aws-efs-csi-driver/data.tf
@@ -0,0 +1,38 @@
+data "aws_iam_policy_document" "aws_efs_csi_driver" {
+ statement {
+ sid = ""
+ effect = "Allow"
+ resources = ["*"]
+
+ actions = [
+ "elasticfilesystem:DescribeAccessPoints",
+ "elasticfilesystem:DescribeFileSystems",
+ ]
+ }
+
+ statement {
+ sid = ""
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["elasticfilesystem:CreateAccessPoint"]
+
+ condition {
+ test = "StringLike"
+ variable = "aws:RequestTag/efs.csi.aws.com/cluster"
+ values = ["true"]
+ }
+ }
+
+ statement {
+ sid = ""
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["elasticfilesystem:DeleteAccessPoint"]
+
+ condition {
+ test = "StringLike"
+ variable = "aws:ResourceTag/efs.csi.aws.com/cluster"
+ values = ["true"]
+ }
+ }
+}
diff --git a/modules/kubernetes-addons/aws-efs-csi-driver/locals.tf b/modules/kubernetes-addons/aws-efs-csi-driver/locals.tf
new file mode 100644
index 0000000000..4e8ed8b565
--- /dev/null
+++ b/modules/kubernetes-addons/aws-efs-csi-driver/locals.tf
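Review bot: The `CreateAccessPoint` and `DeleteAccessPoint` statements use `resources = ["*"]`, so the `efs.csi.aws.com/cluster` tag condition is the only thing bounding which file systems in the account the driver's role can create or delete access points on, and the module exposes no input to narrow it. Consider an optional `efs_file_system_arns` variable (default `["*"]`, preserving today's behaviour) used as `resources` on those two statements so callers with a known file system can scope the role. Minor: `StringLike` on the literal `true` carries no wildcard and reads as `StringEquals`, and the empty `sid = ""` lines add nothing — give each statement a name (e.g. `sid = "CreateAccessPoint"`) so the rendered policy is self-describing.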
@@ -0,0 +1,59 @@
+locals {
+ name = "aws-efs-csi-driver"
+ service_account_name = "efs-csi-sa"
+ namespace = "kube-system"
+
+ default_helm_config = {
+ name = local.name
+ chart = local.name
+ repository = "https://kubernetes-sigs.github.io/aws-efs-csi-driver/"
+ version = "2.2.3"
+ namespace = local.namespace
+ values = local.default_helm_values
+ description = "The AWS EFS CSI driver Helm chart deployment configuration"
+ }
+
+ helm_config = merge(
+ local.default_helm_config,
+ var.helm_config
+ )
+
+ default_helm_values = []
+
+ # Disable service account creation as that's handled by the IRSA add-on module
+ set_values = [
+ {
+ name = "controller.serviceAccount.name"
+ value = local.service_account_name
+ },
+ {
+ name = "controller.serviceAccount.create"
+ value = false
+ },
+ {
+ name = "node.serviceAccount.name"
+ value = local.service_account_name
+ },
+ {
+ name = "node.serviceAccount.create"
+ value = false
+ }
+ ]
+
+ irsa_config = {
+ kubernetes_namespace = local.namespace
+ kubernetes_service_account = local.service_account_name
+ create_kubernetes_namespace = false
+ create_kubernetes_service_account = true
+ iam_role_path = "/"
+ eks_cluster_id = var.eks_cluster_id
+ irsa_iam_policies = concat([aws_iam_policy.aws_efs_csi_driver.arn], var.irsa_policies)
+ irsa_iam_permissions_boundary = var.irsa_iam_permissions_boundary
+ tags = var.tags
+ }
+
+ argocd_gitops_config = {
+ enable = true
+ serviceAccountName = local.service_account_name
+ }
+}
diff --git a/modules/kubernetes-addons/aws-efs-csi-driver/main.tf b/modules/kubernetes-addons/aws-efs-csi-driver/main.tf
new file mode 100644
index 0000000000..cdc5a1fdad
--- /dev/null
+++ b/modules/kubernetes-addons/aws-efs-csi-driver/main.tf
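Review bot: Both `controller.serviceAccount.name` and `node.serviceAccount.name` in `set_values` point at the single IRSA-bound `efs-csi-sa`, so every node DaemonSet pod receives the role that carries `CreateAccessPoint`/`DeleteAccessPoint`, although only the controller makes those calls — a compromised workload that reaches a node pod's token gets access-point management on every tagged file system. The upstream chart otherwise creates separate controller and node service accounts, and the node component mounts over NFS/TLS rather than the EFS API, so it should not need the role; confirm that against the driver docs for the pinned chart version before relying on it. If it holds, drop the two `node.serviceAccount.*` entries from `set_values` so the chart creates an unprivileged node account and only the controller is bound to the IAM role. Also worth a comment: `merge(...)` is shallow, so a caller supplying `values` in `var.helm_config` replaces `default_helm_values` wholesale (harmless while it is `[]`).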
@@ -0,0 +1,32 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: MIT-0
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this
+ * software and associated documentation files (the "Software"), to deal in the Software
+ * without restriction, including without limitation the rights to use, copy, modify,
+ * merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+ * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+ * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+module "helm_addon" {
+ source = "../helm-addon"
+ manage_via_gitops = var.manage_via_gitops
+ set_values = local.set_values
+ helm_config = local.helm_config
+ irsa_config = local.irsa_config
+}
+
+resource "aws_iam_policy" "aws_efs_csi_driver" {
+ name = "${var.eks_cluster_id}-efs-csi-policy"
+ description = "IAM Policy for AWS EFS CSI Driver"
+ policy = data.aws_iam_policy_document.aws_efs_csi_driver.json
+ tags = var.tags
+}
diff --git a/modules/kubernetes-addons/aws-efs-csi-driver/outputs.tf b/modules/kubernetes-addons/aws-efs-csi-driver/outputs.tf
new file mode 100644
index 0000000000..c8beafa0e7
--- /dev/null
+++ b/modules/kubernetes-addons/aws-efs-csi-driver/outputs.tf
@@ -0,0 +1,22 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: MIT-0
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this
+ * software and associated documentation files (the "Software"), to deal in the Software
+ * without restriction, including without limitation the rights to use, copy, modify,
+ * merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+ * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+ * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+output "argocd_gitops_config" {
+ description = "Configuration used for managing the add-on with ArgoCD"
+ value = var.manage_via_gitops ? local.argocd_gitops_config : null
+}
diff --git a/modules/kubernetes-addons/aws-efs-csi-driver/variables.tf b/modules/kubernetes-addons/aws-efs-csi-driver/variables.tf
new file mode 100644
index 0000000000..f575075e7e
--- /dev/null
+++ b/modules/kubernetes-addons/aws-efs-csi-driver/variables.tf
@@ -0,0 +1,51 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: MIT-0
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this
+ * software and associated documentation files (the "Software"), to deal in the Software
+ * without restriction, including without limitation the rights to use, copy, modify,
+ * merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+ * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+ * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+variable "helm_config" {
+ type = any
+ description = "Helm provider config for the aws_efs_csi_driver."
+ default = {}
+}
+
+variable "eks_cluster_id" {
+ type = string
+ description = "EKS cluster Id"
+}
+
+variable "manage_via_gitops" {
+ type = bool
+ default = false
+ description = "Determines if the add-on should be managed via GitOps."
+}
+
+variable "tags" {
+ type = map(string)
+ description = "Common Tags for AWS resources"
+}
+
+variable "irsa_policies" {
+ type = list(string)
+ description = "Additional IAM policies for a IAM role for service accounts"
+ default = []
+}
+
+variable "irsa_iam_permissions_boundary" {
+ type = string
+ default = ""
+ description = "IAM Policy ARN for IRSA IAM role permissions boundary"
+}
diff --git a/modules/kubernetes-addons/locals.tf b/modules/kubernetes-addons/locals.tf
index f73ae010ed..c2633cd00e 100644
--- a/modules/kubernetes-addons/locals.tf
+++ b/modules/kubernetes-addons/locals.tf
@@ -2,6 +2,7 @@ locals {
 # Configuration for managing add-ons via ArgoCD.
 argocd_add_on_config = {
 agones = var.enable_agones ? module.agones[0].argocd_gitops_config : null
+ awsEfsCsiDriver = var.enable_aws_efs_csi_driver ? module.aws_efs_csi_driver[0].argocd_gitops_config : null
 awsForFluentBit = var.enable_aws_for_fluentbit ? module.aws_for_fluent_bit[0].argocd_gitops_config : null
 awsLoadBalancerController = var.enable_aws_load_balancer_controller ? module.aws_load_balancer_controller[0].argocd_gitops_config : null
 certManager = var.enable_cert_manager ? module.cert_manager[0].argocd_gitops_config : null
diff --git a/modules/kubernetes-addons/main.tf b/modules/kubernetes-addons/main.tf
index 527bce9bd6..5b02d5e4fb 100644
--- a/modules/kubernetes-addons/main.tf
+++ b/modules/kubernetes-addons/main.tf
@@ -80,6 +80,15 @@ module "argo_rollouts" {
 manage_via_gitops = var.argocd_manage_add_ons
 }
+module "aws_efs_csi_driver" {
+ count = var.enable_aws_efs_csi_driver ? 1 : 0
+ source = "./aws-efs-csi-driver"
+ helm_config = var.aws_efs_csi_driver_helm_config
+ eks_cluster_id = var.eks_cluster_id
+ tags = var.tags
+ manage_via_gitops = var.argocd_manage_add_ons
+}
+
 module "aws_for_fluent_bit" {
 count = var.enable_aws_for_fluentbit ? 1 : 0
 source = "./aws-for-fluentbit"
diff --git a/modules/kubernetes-addons/variables.tf b/modules/kubernetes-addons/variables.tf
index 37b83a8668..b8734cbf0d 100644
--- a/modules/kubernetes-addons/variables.tf
+++ b/modules/kubernetes-addons/variables.tf
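Review bot: The new `module "aws_efs_csi_driver"` block passes neither `irsa_policies` nor `irsa_iam_permissions_boundary`, so the child module's inputs for them always take their defaults and a caller has no way to put a permissions boundary on the EFS CSI IAM role — while this same parent module still exposes `yunikorn_irsa_permissions_boundary` for YuniKorn. In accounts where an SCP requires a boundary on every newly created role, enabling this add-on fails at apply rather than at plan. Add `irsa_policies = var.aws_efs_csi_driver_irsa_policies` and `irsa_iam_permissions_boundary = var.aws_efs_csi_driver_irsa_permissions_boundary` to the block, with the two variables declared next to `aws_efs_csi_driver_helm_config`.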
@@ -207,6 +207,19 @@ variable "agones_helm_config" { description = "Agones GameServer Helm Chart config" } +#-----------AWS EFS CSI DRIVER ADDON------------- +variable "enable_aws_efs_csi_driver" { + type = bool + default = false + description = "Enable AWS EFS CSI driver add-on" +} + +variable "aws_efs_csi_driver_helm_config" { + type = any + description = "AWS EFS CSI driver Helm Chart config" + default = {} +} + #-----------AWS LB Ingress Controller------------- variable "enable_aws_load_balancer_controller" { type = bool From 6e14343ac594850a6af6211a2d7073a843b8423a Mon Sep 17 00:00:00 2001 From: Apoorva Kulkarni Date: Wed, 2 Mar 2022 12:08:30 -0800 Subject: [PATCH 05/30] removing irsa policies and permissions boundary --- modules/kubernetes-addons/README.md | 2 -- .../kubernetes-addons/helm-addon/variables.tf | 1 + modules/kubernetes-addons/main.tf | 13 +++++-------- modules/kubernetes-addons/variables.tf | 12 ------------ modules/kubernetes-addons/vpa/README.md | 3 --- modules/kubernetes-addons/vpa/locals.tf | 4 ---- modules/kubernetes-addons/vpa/variables.tf | 18 ------------------ 7 files changed, 6 insertions(+), 47 deletions(-) diff --git a/modules/kubernetes-addons/README.md b/modules/kubernetes-addons/README.md index 16abd36109..68a97bf312 100644 --- a/modules/kubernetes-addons/README.md +++ b/modules/kubernetes-addons/README.md 
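Review bot: Only `enable_aws_efs_csi_driver` and `aws_efs_csi_driver_helm_config` are declared, although the child module accepts `irsa_policies` and `irsa_iam_permissions_boundary`; without parent-level inputs nobody can give the EFS CSI IAM role a permissions boundary or additional policies, which the module README's `yunikorn_irsa_*` rows show is offered for YuniKorn. Declare the two inputs next to the helm config variable (defaults matching the child module so behaviour is unchanged) and pass them through in `main.tf`.
```hcl
variable "aws_efs_csi_driver_irsa_policies" {
  type        = list(string)
  default     = []
  description = "Additional IAM policy ARNs to attach to the AWS EFS CSI driver IRSA role"
}

variable "aws_efs_csi_driver_irsa_permissions_boundary" {
  type        = string
  default     = ""
  description = "IAM Policy ARN for the AWS EFS CSI driver IRSA role permissions boundary"
}
```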
@@ -159,8 +159,6 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 | [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit`,`XYZ`) | `map(string)` | `{}` | no |
 | [traefik\_helm\_config](#input\_traefik\_helm\_config) | Traefik Helm Chart config | `any` | `{}` | no |
 | [vpa\_helm\_config](#input\_vpa\_helm\_config) | VPA Helm Chart config | `any` | `null` | no |
-| [vpa\_irsa\_permissions\_boundary](#input\_vpa\_irsa\_permissions\_boundary) | IAM Policy ARN for IRSA IAM role permissions boundary | `string` | `""` | no |
-| [vpa\_irsa\_policies](#input\_vpa\_irsa\_policies) | IAM policy ARNs for VPA IRSA | `list(string)` | `[]` | no |
 | [yunikorn\_helm\_config](#input\_yunikorn\_helm\_config) | Yunikorn Helm Chart config | `any` | `null` | no |
 | [yunikorn\_irsa\_permissions\_boundary](#input\_yunikorn\_irsa\_permissions\_boundary) | IAM Policy ARN for IRSA IAM role permissions boundary | `string` | `""` | no |
 | [yunikorn\_irsa\_policies](#input\_yunikorn\_irsa\_policies) | IAM policy ARNs for Yunikorn IRSA | `list(string)` | `[]` | no |
diff --git a/modules/kubernetes-addons/helm-addon/variables.tf b/modules/kubernetes-addons/helm-addon/variables.tf
index 3fd0289e56..b27ae8218a 100644
--- a/modules/kubernetes-addons/helm-addon/variables.tf
+++ b/modules/kubernetes-addons/helm-addon/variables.tf
@@ -37,4 +37,5 @@ variable "irsa_config" {
 irsa_iam_permissions_boundary = string
 })
 description = "Input configuration for IRSA module"
+ default = null
 }
diff --git a/modules/kubernetes-addons/main.tf b/modules/kubernetes-addons/main.tf
index 5b02d5e4fb..11c37d5b62 100644
--- a/modules/kubernetes-addons/main.tf
+++ b/modules/kubernetes-addons/main.tf
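Review bot: `default = null` makes `irsa_config` optional, but the helm-addon `main.tf` that dereferences it is not in the patch; every use such as `var.irsa_config.kubernetes_service_account` or the IRSA sub-module call needs a guard like `count = var.irsa_config != null ? 1 : 0`, otherwise the first add-on that omits the input fails at plan with an attribute-on-null error. The description should also say what null means, e.g. `description = "Input configuration for IRSA module; set to null when the add-on needs no IAM role or IRSA-managed service account"`. The `variable "irsa_config"` block starts outside the hunk.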
@@ -225,14 +225,11 @@ module "traefik" {
 }
 module "vpa" {
- count = var.enable_vpa ? 1 : 0
- source = "./vpa"
- eks_cluster_id = var.eks_cluster_id
- helm_config = var.vpa_helm_config
- irsa_policies = var.vpa_irsa_policies
- irsa_permissions_boundary = var.vpa_irsa_permissions_boundary
- tags = var.tags
- manage_via_gitops = var.argocd_manage_add_ons
+ count = var.enable_vpa ? 1 : 0
+ source = "./vpa"
+ eks_cluster_id = var.eks_cluster_id
+ helm_config = var.vpa_helm_config
+ manage_via_gitops = var.argocd_manage_add_ons
 }
 module "yunikorn" {
diff --git a/modules/kubernetes-addons/variables.tf b/modules/kubernetes-addons/variables.tf
index b8734cbf0d..4d9d8ec0a0 100644
--- a/modules/kubernetes-addons/variables.tf
+++ b/modules/kubernetes-addons/variables.tf
@@ -445,18 +445,6 @@ variable "vpa_helm_config" {
 description = "VPA Helm Chart config"
 }
-variable "vpa_irsa_policies" {
- type = list(string)
- default = []
- description = "IAM policy ARNs for VPA IRSA"
-}
-
-variable "vpa_irsa_permissions_boundary" {
- type = string
- default = ""
- description = "IAM Policy ARN for IRSA IAM role permissions boundary"
-}
-
 #-----------Apache YuniKorn ADDON-------------
 variable "enable_yunikorn" {
 type = bool
diff --git a/modules/kubernetes-addons/vpa/README.md b/modules/kubernetes-addons/vpa/README.md
index f6a67e46e5..f421258f14 100644
--- a/modules/kubernetes-addons/vpa/README.md
+++ b/modules/kubernetes-addons/vpa/README.md
@@ -33,10 +33,7 @@ No resources.
 |------|-------------|------|---------|:--------:|
 | [eks\_cluster\_id](#input\_eks\_cluster\_id) | EKS Cluster Id | `string` | n/a | yes |
 | [helm\_config](#input\_helm\_config) | Helm provider config for VPA | `any` | `{}` | no |
-| [irsa\_permissions\_boundary](#input\_irsa\_permissions\_boundary) | IAM Policy ARN for IRSA IAM role permissions boundary | `string` | `""` | no |
-| [irsa\_policies](#input\_irsa\_policies) | IAM Policy ARN list for any IRSA policies | `list(string)` | `[]` | no |
 | [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps | `bool` | `false` | no |
-| [tags](#input\_tags) | Common Tags for AWS resources | `map(string)` | `{}` | no |
 ## Outputs
diff --git a/modules/kubernetes-addons/vpa/locals.tf b/modules/kubernetes-addons/vpa/locals.tf
index 015677a2d5..e1f51bea2a 100644
--- a/modules/kubernetes-addons/vpa/locals.tf
+++ b/modules/kubernetes-addons/vpa/locals.tf
@@ -27,11 +27,7 @@ locals {
 kubernetes_service_account = local.service_account_name
 create_kubernetes_namespace = true
 create_kubernetes_service_account = true
- iam_role_path = "/"
- tags = var.tags
 eks_cluster_id = var.eks_cluster_id
- irsa_iam_policies = var.irsa_policies
- irsa_iam_permissions_boundary = var.irsa_permissions_boundary
 }
 argocd_gitops_config = {
diff --git a/modules/kubernetes-addons/vpa/variables.tf b/modules/kubernetes-addons/vpa/variables.tf
index c2a8da803e..fc5c2f9eca 100644
--- a/modules/kubernetes-addons/vpa/variables.tf
+++ b/modules/kubernetes-addons/vpa/variables.tf
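Review bot: The trimmed VPA `irsa_config` object no longer carries `irsa_iam_permissions_boundary`, `irsa_iam_policies`, `iam_role_path` or `tags`, yet the helm-addon `irsa_config` variable type patched earlier in this series still declares `irsa_iam_permissions_boundary = string` with no `optional()` wrapper, and Terraform `>= 1.0.1` rejects an object value that lacks a declared attribute at plan time (the other three attributes are outside the visible hunk, so they may or may not be required too). Unless a later patch relaxes that type, either keep the attributes with empty values (`irsa_iam_policies = []`, `irsa_iam_permissions_boundary = ""`) or, since VPA appears to make no AWS API calls, pass `irsa_config = null` and let the chart create its own service account (adjusting `set_values` if it currently disables that) — which also avoids creating an IAM role with no policies. The enclosing `locals` block starts and ends outside the hunk.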
@@ -14,21 +14,3 @@ variable "manage_via_gitops" { default = false description = "Determines if the add-on should be managed via GitOps" } - -variable "tags" { - type = map(string) - description = "Common Tags for AWS resources" - default = {} -} - -variable "irsa_policies" { - type = list(string) - default = [] - description = "IAM Policy ARN list for any IRSA policies" -} - -variable "irsa_permissions_boundary" { - type = string - default = "" - description = "IAM Policy ARN for IRSA IAM role permissions boundary" -} \ No newline at end of file From f75584d13ebfbcf6f24e04e06dc7469ef1687a73 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 2 Mar 2022 20:09:58 +0000 Subject: [PATCH 06/30] terraform-docs: automated action --- examples/aws-efs-csi-driver/README.md | 3 ++- modules/kubernetes-addons/aws-efs-csi-driver/README.md | 1 + modules/kubernetes-addons/helm-addon/README.md | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/examples/aws-efs-csi-driver/README.md b/examples/aws-efs-csi-driver/README.md index f11828fe48..eb7f4f2dd8 100644 --- a/examples/aws-efs-csi-driver/README.md +++ b/examples/aws-efs-csi-driver/README.md @@ -130,7 +130,7 @@ terraform destroy -auto-approve | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.1.0 | +| [aws](#provider\_aws) | >= 3.66.0 | ## Modules @@ -161,4 +161,5 @@ No inputs. | Name | Description | |------|-------------| | [efs\_file\_system\_id](#output\_efs\_file\_system\_id) | ID of the EFS file system to use for creating a storage class | + diff --git a/modules/kubernetes-addons/aws-efs-csi-driver/README.md b/modules/kubernetes-addons/aws-efs-csi-driver/README.md index 3059ffddc8..0ab67e309d 100644 --- a/modules/kubernetes-addons/aws-efs-csi-driver/README.md +++ b/modules/kubernetes-addons/aws-efs-csi-driver/README.md 
@@ -56,4 +56,5 @@ No requirements. | Name | Description | |------|-------------| | [argocd\_gitops\_config](#output\_argocd\_gitops\_config) | Configuration used for managing the add-on with ArgoCD | + diff --git a/modules/kubernetes-addons/helm-addon/README.md b/modules/kubernetes-addons/helm-addon/README.md index b2747f851b..fb4f68cfcc 100644 --- a/modules/kubernetes-addons/helm-addon/README.md +++ b/modules/kubernetes-addons/helm-addon/README.md @@ -37,7 +37,7 @@ No requirements. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [helm\_config](#input\_helm\_config) | Add-on helm chart config, provide repository and version at the minimum.
See https://registry.terraform.io/providers/hashicorp/helm/latest/docs. | `any` | n/a | yes | -| [irsa\_config](#input\_irsa\_config) | Input configuration for IRSA module |
object({
kubernetes_namespace = string
create_kubernetes_namespace = bool
kubernetes_service_account = string
create_kubernetes_service_account = bool
eks_cluster_id = string
iam_role_path = string
tags = map(string)
irsa_iam_policies = list(string)
irsa_iam_permissions_boundary = string
})
| n/a | yes | +| [irsa\_config](#input\_irsa\_config) | Input configuration for IRSA module |
object({
kubernetes_namespace = string
create_kubernetes_namespace = bool
kubernetes_service_account = string
create_kubernetes_service_account = bool
eks_cluster_id = string
iam_role_path = string
tags = map(string)
irsa_iam_policies = list(string)
irsa_iam_permissions_boundary = string
})
| `null` | no | | [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps. | `bool` | `false` | no | | [set\_sensitive\_values](#input\_set\_sensitive\_values) | Forced set\_sensitive values | `any` | `[]` | no | | [set\_values](#input\_set\_values) | Forced set values | `any` | `[]` | no | From 56fa1d9dacd51f530c4c1003bee2d607a909bbc8 Mon Sep 17 00:00:00 2001 From: Apoorva Kulkarni Date: Wed, 2 Mar 2022 12:20:45 -0800 Subject: [PATCH 07/30] add default to helm-addon irsa_config --- README.md | 5 ++--- modules/kubernetes-addons/helm-addon/README.md | 3 +-- modules/kubernetes-addons/helm-addon/locals.tf | 14 ++++++++++++++ modules/kubernetes-addons/helm-addon/variables.tf | 12 ++++++------ 4 files changed, 23 insertions(+), 11 deletions(-) create mode 100644 modules/kubernetes-addons/helm-addon/locals.tf diff --git a/README.md b/README.md index 4435dcfecc..30a46d545c 100644 --- a/README.md +++ b/README.md @@ -143,9 +143,9 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.66.0 | +| [aws](#provider\_aws) | 3.73.0 | | [http](#provider\_http) | 2.4.1 | -| [kubernetes](#provider\_kubernetes) | >= 2.7.1 | +| [kubernetes](#provider\_kubernetes) | 2.7.1 | ## Modules @@ -247,7 +247,6 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | [teams](#output\_teams) | Outputs from EKS Fargate profiles groups | | [windows\_node\_group\_aws\_auth\_config\_map](#output\_windows\_node\_group\_aws\_auth\_config\_map) | Windows node groups AWS auth map | | [worker\_security\_group\_id](#output\_worker\_security\_group\_id) | EKS Worker Security group ID created by EKS module | - ## Security diff --git a/modules/kubernetes-addons/helm-addon/README.md b/modules/kubernetes-addons/helm-addon/README.md index fb4f68cfcc..0623ca56bf 100644 --- a/modules/kubernetes-addons/helm-addon/README.md +++ b/modules/kubernetes-addons/helm-addon/README.md 
@@ -37,7 +37,7 @@ No requirements. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [helm\_config](#input\_helm\_config) | Add-on helm chart config, provide repository and version at the minimum.
See https://registry.terraform.io/providers/hashicorp/helm/latest/docs. | `any` | n/a | yes | -| [irsa\_config](#input\_irsa\_config) | Input configuration for IRSA module |
object({
kubernetes_namespace = string
create_kubernetes_namespace = bool
kubernetes_service_account = string
create_kubernetes_service_account = bool
eks_cluster_id = string
iam_role_path = string
tags = map(string)
irsa_iam_policies = list(string)
irsa_iam_permissions_boundary = string
})
| `null` | no | +| [irsa\_config](#input\_irsa\_config) | Input configuration for IRSA module |
object({
kubernetes_namespace = string
create_kubernetes_namespace = optional(bool)
kubernetes_service_account = string
create_kubernetes_service_account = optional(bool)
eks_cluster_id = string
iam_role_path = optional(string)
tags = optional(map(string))
irsa_iam_policies = optional(list(string))
irsa_iam_permissions_boundary = optional(string)
})
| `null` | no | | [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps. | `bool` | `false` | no | | [set\_sensitive\_values](#input\_set\_sensitive\_values) | Forced set\_sensitive values | `any` | `[]` | no | | [set\_values](#input\_set\_values) | Forced set values | `any` | `[]` | no | @@ -45,5 +45,4 @@ No requirements. ## Outputs No outputs. - diff --git a/modules/kubernetes-addons/helm-addon/locals.tf b/modules/kubernetes-addons/helm-addon/locals.tf new file mode 100644 index 0000000000..f7d3a0d4d9 --- /dev/null +++ b/modules/kubernetes-addons/helm-addon/locals.tf @@ -0,0 +1,14 @@ +terraform { + experiments = [module_variable_optional_attrs] +} + +locals { + irsa_config = defaults(var.irsa_config, { + create_kubernetes_namespace = true + create_kubernetes_service_account = true + iam_role_path = "/" + tags = null + irsa_iam_policies = [] + irsa_iam_permissions_boundary = "" + }) +} \ No newline at end of file diff --git a/modules/kubernetes-addons/helm-addon/variables.tf b/modules/kubernetes-addons/helm-addon/variables.tf index b27ae8218a..1de29a64cb 100644 --- a/modules/kubernetes-addons/helm-addon/variables.tf +++ b/modules/kubernetes-addons/helm-addon/variables.tf @@ -27,14 +27,14 @@ variable "manage_via_gitops" { variable "irsa_config" { type = object({ kubernetes_namespace = string - create_kubernetes_namespace = bool + create_kubernetes_namespace = optional(bool) kubernetes_service_account = string - create_kubernetes_service_account = bool + create_kubernetes_service_account = optional(bool) eks_cluster_id = string - iam_role_path = string - tags = map(string) - irsa_iam_policies = list(string) - irsa_iam_permissions_boundary = string + iam_role_path = optional(string) + tags = optional(map(string)) + irsa_iam_policies = optional(list(string)) + irsa_iam_permissions_boundary = optional(string) }) description = "Input configuration for IRSA module" default = null 
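Review bot: `tags = null` inside the `defaults()` call in the new helm-addon/locals.tf is, as far as I recall, rejected by Terraform (the `defaults` function does not accept a null default value), and the later commit titled "omit defaults for null values" looks like the fallout; dropping the key is the right fix, since the irsa module already defaults `tags` to `null`. The `terraform { experiments = [module_variable_optional_attrs] }` block also ties every helm-addon consumer to an experimental feature that Terraform warns about on each run and whose shape may change between releases; it belongs in a versions.tf next to a `required_version` constraint, with a comment naming the Terraform release it was tested on, e.g. `# module_variable_optional_attrs is experimental; tested with Terraform <version placeholder>`. The new file is also missing its trailing newline.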
From 58025ba88a6690d0e2570e7a0f2004bdeac04b18 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 2 Mar 2022 20:41:14 +0000 Subject: [PATCH 08/30] terraform-docs: automated action --- README.md | 5 +++-- examples/aws-efs-csi-driver/README.md | 5 +---- modules/kubernetes-addons/aws-efs-csi-driver/README.md | 1 + modules/kubernetes-addons/helm-addon/README.md | 1 + 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 30a46d545c..4435dcfecc 100644 --- a/README.md +++ b/README.md @@ -143,9 +143,9 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | Name | Version | |------|---------| -| [aws](#provider\_aws) | 3.73.0 | +| [aws](#provider\_aws) | >= 3.66.0 | | [http](#provider\_http) | 2.4.1 | -| [kubernetes](#provider\_kubernetes) | 2.7.1 | +| [kubernetes](#provider\_kubernetes) | >= 2.7.1 | ## Modules @@ -247,6 +247,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | [teams](#output\_teams) | Outputs from EKS Fargate profiles groups | | [windows\_node\_group\_aws\_auth\_config\_map](#output\_windows\_node\_group\_aws\_auth\_config\_map) | Windows node groups AWS auth map | | [worker\_security\_group\_id](#output\_worker\_security\_group\_id) | EKS Worker Security group ID created by EKS module | + ## Security diff --git a/examples/aws-efs-csi-driver/README.md b/examples/aws-efs-csi-driver/README.md index 5c84a8ed51..eb7f4f2dd8 100644 --- a/examples/aws-efs-csi-driver/README.md +++ b/examples/aws-efs-csi-driver/README.md @@ -130,11 +130,7 @@ terraform destroy -auto-approve | Name | Version | |------|---------| -<<<<<<< HEAD | [aws](#provider\_aws) | >= 3.66.0 | -======= -| [aws](#provider\_aws) | 4.1.0 | ->>>>>>> main ## Modules @@ -165,4 +161,5 @@ No inputs. | Name | Description | |------|-------------| | [efs\_file\_system\_id](#output\_efs\_file\_system\_id) | ID of the EFS file system to use for creating a storage class | + 
diff --git a/modules/kubernetes-addons/aws-efs-csi-driver/README.md b/modules/kubernetes-addons/aws-efs-csi-driver/README.md index 3059ffddc8..0ab67e309d 100644 --- a/modules/kubernetes-addons/aws-efs-csi-driver/README.md +++ b/modules/kubernetes-addons/aws-efs-csi-driver/README.md @@ -56,4 +56,5 @@ No requirements. | Name | Description | |------|-------------| | [argocd\_gitops\_config](#output\_argocd\_gitops\_config) | Configuration used for managing the add-on with ArgoCD | + diff --git a/modules/kubernetes-addons/helm-addon/README.md b/modules/kubernetes-addons/helm-addon/README.md index 0623ca56bf..b56c6bf654 100644 --- a/modules/kubernetes-addons/helm-addon/README.md +++ b/modules/kubernetes-addons/helm-addon/README.md @@ -45,4 +45,5 @@ No requirements. ## Outputs No outputs. + From 8c647db2071f989a1055051da9e9e8745b4ee051 Mon Sep 17 00:00:00 2001 From: Apoorva Kulkarni Date: Wed, 2 Mar 2022 12:41:17 -0800 Subject: [PATCH 09/30] omit defaults for null values --- examples/aws-efs-csi-driver/README.md | 2 +- modules/kubernetes-addons/helm-addon/README.md | 2 +- modules/kubernetes-addons/helm-addon/locals.tf | 3 --- modules/kubernetes-addons/helm-addon/variables.tf | 2 +- 4 files changed, 3 insertions(+), 6 deletions(-) diff --git a/examples/aws-efs-csi-driver/README.md b/examples/aws-efs-csi-driver/README.md index eb7f4f2dd8..6e1bb8f3a4 100644 --- a/examples/aws-efs-csi-driver/README.md +++ b/examples/aws-efs-csi-driver/README.md @@ -130,7 +130,7 @@ terraform destroy -auto-approve | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.66.0 | +| [aws](#provider\_aws) | 4.1.0 | ## Modules diff --git a/modules/kubernetes-addons/helm-addon/README.md b/modules/kubernetes-addons/helm-addon/README.md index b56c6bf654..0d58b5744f 100644 --- a/modules/kubernetes-addons/helm-addon/README.md +++ b/modules/kubernetes-addons/helm-addon/README.md 
@@ -37,7 +37,7 @@ No requirements. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [helm\_config](#input\_helm\_config) | Add-on helm chart config, provide repository and version at the minimum.
See https://registry.terraform.io/providers/hashicorp/helm/latest/docs. | `any` | n/a | yes | -| [irsa\_config](#input\_irsa\_config) | Input configuration for IRSA module |
object({
kubernetes_namespace = string
create_kubernetes_namespace = optional(bool)
kubernetes_service_account = string
create_kubernetes_service_account = optional(bool)
eks_cluster_id = string
iam_role_path = optional(string)
tags = optional(map(string))
irsa_iam_policies = optional(list(string))
irsa_iam_permissions_boundary = optional(string)
})
| `null` | no | +| [irsa\_config](#input\_irsa\_config) | Input configuration for IRSA module |
object({
kubernetes_namespace = string
create_kubernetes_namespace = optional(bool)
kubernetes_service_account = string
create_kubernetes_service_account = optional(bool)
eks_cluster_id = string
iam_role_path = optional(string)
tags = optional(map)
irsa_iam_policies = optional(list(string))
irsa_iam_permissions_boundary = optional(string)
})
| `null` | no | | [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps. | `bool` | `false` | no | | [set\_sensitive\_values](#input\_set\_sensitive\_values) | Forced set\_sensitive values | `any` | `[]` | no | | [set\_values](#input\_set\_values) | Forced set values | `any` | `[]` | no | diff --git a/modules/kubernetes-addons/helm-addon/locals.tf b/modules/kubernetes-addons/helm-addon/locals.tf index f7d3a0d4d9..eb04729c0f 100644 --- a/modules/kubernetes-addons/helm-addon/locals.tf +++ b/modules/kubernetes-addons/helm-addon/locals.tf @@ -7,8 +7,5 @@ locals { create_kubernetes_namespace = true create_kubernetes_service_account = true iam_role_path = "/" - tags = null - irsa_iam_policies = [] - irsa_iam_permissions_boundary = "" }) } \ No newline at end of file diff --git a/modules/kubernetes-addons/helm-addon/variables.tf b/modules/kubernetes-addons/helm-addon/variables.tf index 1de29a64cb..90854d91b3 100644 --- a/modules/kubernetes-addons/helm-addon/variables.tf +++ b/modules/kubernetes-addons/helm-addon/variables.tf @@ -32,7 +32,7 @@ variable "irsa_config" { create_kubernetes_service_account = optional(bool) eks_cluster_id = string iam_role_path = optional(string) - tags = optional(map(string)) + tags = optional(map) irsa_iam_policies = optional(list(string)) irsa_iam_permissions_boundary = optional(string) }) From a63333d64f8d604b6a66ba057f996b1bf1986cb5 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 2 Mar 2022 20:44:09 +0000 Subject: [PATCH 10/30] terraform-docs: automated action --- examples/aws-efs-csi-driver/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/aws-efs-csi-driver/README.md b/examples/aws-efs-csi-driver/README.md index 6e1bb8f3a4..eb7f4f2dd8 100644 --- a/examples/aws-efs-csi-driver/README.md +++ b/examples/aws-efs-csi-driver/README.md 
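Review bot: Removing `irsa_iam_policies = []` from the `defaults()` call in helm-addon/locals.tf means a caller that omits the attribute now passes `null` through to the irsa module, whose policy attachment (seen later in this series) still computes `count = length(var.irsa_iam_policies)`, and `length(null)` fails at plan time. Keep the `[]` default here, or make the irsa module null-tolerant in the same change rather than across the follow-up commits. The `locals` block starts outside this hunk.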
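Review bot: `tags = optional(map)` in helm-addon/variables.tf uses `map` without an element type inside an `object(...)` constraint; the "map needs a type" commit three patches later suggests Terraform rejected it. Since the irsa module declares `tags` as `map(string)`, keep `optional(map(string))` here so the two contracts stay aligned.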
@@ -130,7 +130,7 @@ terraform destroy -auto-approve | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.1.0 | +| [aws](#provider\_aws) | >= 3.66.0 | ## Modules From 4ce4a2ebc9345dfe77464319d23e693529fc4ce1 Mon Sep 17 00:00:00 2001 From: Apoorva Kulkarni Date: Wed, 2 Mar 2022 12:53:15 -0800 Subject: [PATCH 11/30] map needs a type --- modules/kubernetes-addons/helm-addon/variables.tf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/kubernetes-addons/helm-addon/variables.tf b/modules/kubernetes-addons/helm-addon/variables.tf index 90854d91b3..f5f33d4ed5 100644 --- a/modules/kubernetes-addons/helm-addon/variables.tf +++ b/modules/kubernetes-addons/helm-addon/variables.tf @@ -32,10 +32,9 @@ variable "irsa_config" { create_kubernetes_service_account = optional(bool) eks_cluster_id = string iam_role_path = optional(string) - tags = optional(map) + tags = optional(map(string)) irsa_iam_policies = optional(list(string)) irsa_iam_permissions_boundary = optional(string) }) description = "Input configuration for IRSA module" - default = null } From aa5dd911fef4e1b1e3cafac5838a77c02ee8eda1 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 2 Mar 2022 21:11:03 +0000 Subject: [PATCH 12/30] terraform-docs: automated action --- modules/kubernetes-addons/helm-addon/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/kubernetes-addons/helm-addon/README.md b/modules/kubernetes-addons/helm-addon/README.md index 0d58b5744f..0064ae9344 100644 --- a/modules/kubernetes-addons/helm-addon/README.md +++ b/modules/kubernetes-addons/helm-addon/README.md @@ -37,7 +37,7 @@ No requirements. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [helm\_config](#input\_helm\_config) | Add-on helm chart config, provide repository and version at the minimum.
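Review bot: Besides fixing the map type, the helm-addon/variables.tf hunk drops `default = null` from `variable "irsa_config"`, which turns it into a required input for every helm-addon consumer (the regenerated README in the next commit accordingly shows `n/a | yes`), but the commit title mentions only the type. Add-ons that need no IAM role now have to pass an object just to satisfy the constraint; if the intent is to keep IRSA opt-in, restore `default = null` and have helm-addon skip the irsa module when it is null. Either way the interface change should be stated in the commit description.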
See https://registry.terraform.io/providers/hashicorp/helm/latest/docs. | `any` | n/a | yes | -| [irsa\_config](#input\_irsa\_config) | Input configuration for IRSA module |
object({
kubernetes_namespace = string
create_kubernetes_namespace = optional(bool)
kubernetes_service_account = string
create_kubernetes_service_account = optional(bool)
eks_cluster_id = string
iam_role_path = optional(string)
tags = optional(map)
irsa_iam_policies = optional(list(string))
irsa_iam_permissions_boundary = optional(string)
})
| `null` | no | +| [irsa\_config](#input\_irsa\_config) | Input configuration for IRSA module |
object({
kubernetes_namespace = string
create_kubernetes_namespace = optional(bool)
kubernetes_service_account = string
create_kubernetes_service_account = optional(bool)
eks_cluster_id = string
iam_role_path = optional(string)
tags = optional(map(string))
irsa_iam_policies = optional(list(string))
irsa_iam_permissions_boundary = optional(string)
})
| n/a | yes | | [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps. | `bool` | `false` | no | | [set\_sensitive\_values](#input\_set\_sensitive\_values) | Forced set\_sensitive values | `any` | `[]` | no | | [set\_values](#input\_set\_values) | Forced set values | `any` | `[]` | no | From 3a6a32001895474cda365fc90a72d6d5b03497ec Mon Sep 17 00:00:00 2001 From: Apoorva Kulkarni Date: Wed, 2 Mar 2022 14:25:57 -0800 Subject: [PATCH 13/30] default value for irsa_iam_policies --- modules/irsa/README.md | 3 +-- modules/irsa/variables.tf | 1 + 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/irsa/README.md b/modules/irsa/README.md index 54282be17d..2546f6ebb7 100644 --- a/modules/irsa/README.md +++ b/modules/irsa/README.md @@ -62,7 +62,7 @@ No modules. | [eks\_cluster\_id](#input\_eks\_cluster\_id) | EKS Cluster Id | `string` | n/a | yes | | [iam\_role\_path](#input\_iam\_role\_path) | IAM Role path | `string` | `"/"` | no | | [irsa\_iam\_permissions\_boundary](#input\_irsa\_iam\_permissions\_boundary) | IAM Policy ARN for IRSA IAM role permissions boundary | `string` | `""` | no | -| [irsa\_iam\_policies](#input\_irsa\_iam\_policies) | IAM Policies for IRSA IAM role | `list(string)` | n/a | yes | +| [irsa\_iam\_policies](#input\_irsa\_iam\_policies) | IAM Policies for IRSA IAM role | `list(string)` | `[]` | no | | [kubernetes\_namespace](#input\_kubernetes\_namespace) | Kubernetes Namespace name | `string` | n/a | yes | | [kubernetes\_service\_account](#input\_kubernetes\_service\_account) | Kubernetes Service Account Name | `string` | n/a | yes | | [tags](#input\_tags) | Common tags for AWS resources | `map(string)` | `null` | no | @@ -73,7 +73,6 @@ No modules. |------|-------------| | [irsa\_iam\_role\_arn](#output\_irsa\_iam\_role\_arn) | IAM role ARN for your service account | | [irsa\_iam\_role\_name](#output\_irsa\_iam\_role\_name) | IAM role name for your service account | - ## Learn more 
diff --git a/modules/irsa/variables.tf b/modules/irsa/variables.tf
index fecbdc1290..427397a592 100644
--- a/modules/irsa/variables.tf
+++ b/modules/irsa/variables.tf
@@ -58,6 +58,7 @@ variable "tags" {
 variable "irsa_iam_policies" {
 type = list(string)
 description = "IAM Policies for IRSA IAM role"
+ default = []
 }
 
 variable "irsa_iam_permissions_boundary" {
From bcabe0ecfdd88429508d6266a7e5cd797bc1bf5f Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" Date: Wed, 2 Mar 2022 22:27:28 +0000 Subject: [PATCH 14/30] terraform-docs: automated action
---
 modules/irsa/README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/irsa/README.md b/modules/irsa/README.md
index 2546f6ebb7..e27c706237 100644
--- a/modules/irsa/README.md
+++ b/modules/irsa/README.md
@@ -73,6 +73,7 @@ No modules.
 |------|-------------|
 | [irsa\_iam\_role\_arn](#output\_irsa\_iam\_role\_arn) | IAM role ARN for your service account |
 | [irsa\_iam\_role\_name](#output\_irsa\_iam\_role\_name) | IAM role name for your service account |
+
 
 ## Learn more
 
From 9dfe8d20d1161eed5abd693e2818dd789ea1a6d8 Mon Sep 17 00:00:00 2001
From: Apoorva Kulkarni Date: Wed, 2 Mar 2022 14:42:07 -0800 Subject: [PATCH 15/30] default value for irsa_iam_policies #2
---
 modules/kubernetes-addons/helm-addon/locals.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/kubernetes-addons/helm-addon/locals.tf b/modules/kubernetes-addons/helm-addon/locals.tf
index eb04729c0f..f8bf09b911 100644
--- a/modules/kubernetes-addons/helm-addon/locals.tf
+++ b/modules/kubernetes-addons/helm-addon/locals.tf
@@ -7,5 +7,6 @@ locals {
 create_kubernetes_namespace = true
 create_kubernetes_service_account = true
 iam_role_path = "/"
+ irsa_iam_policies = []
 })
 }
\ No newline at end of file
From 8da74850aebae05bd9d7970ea89c47eec97dbd77 Mon Sep 17 00:00:00 2001
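Review bot: With `default = []` on `irsa_iam_policies`, omitting the input no longer fails but still yields an IAM role whose trust policy admits the service account and which carries zero permission policies; a permissionless yet assumable role is clutter at best and, once someone attaches a policy to it out of band, a grant nobody reviewed. The same `[]` is re-introduced as a `defaults()` value in the helm-addon/locals.tf hunk below, and the role gating added later in this series (`count = var.irsa_iam_policies != null ? 1 : 0`) does not catch the case either, because `[]` is not `null`. Consider `count = length(var.irsa_iam_policies) > 0 ? 1 : 0` on the role (ideally via one local shared by the role, the attachment and the annotation) so that an empty list means no role.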
From: Apoorva Kulkarni Date: Wed, 2 Mar 2022 15:35:58 -0800 Subject: [PATCH 16/30] use empty string as default value that gets applied in the list
---
 modules/kubernetes-addons/helm-addon/locals.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/kubernetes-addons/helm-addon/locals.tf b/modules/kubernetes-addons/helm-addon/locals.tf
index f8bf09b911..0cb10c4273 100644
--- a/modules/kubernetes-addons/helm-addon/locals.tf
+++ b/modules/kubernetes-addons/helm-addon/locals.tf
@@ -7,6 +7,6 @@ locals {
 create_kubernetes_namespace = true
 create_kubernetes_service_account = true
 iam_role_path = "/"
- irsa_iam_policies = []
+ irsa_iam_policies = ""
 })
 }
\ No newline at end of file
From 74dd8567d33ec801734d6e8ec357229641b1c224 Mon Sep 17 00:00:00 2001
From: Apoorva Kulkarni Date: Wed, 2 Mar 2022 15:46:35 -0800 Subject: [PATCH 17/30] add conditional in irsa
---
 modules/irsa/main.tf | 3 ++-
 modules/kubernetes-addons/helm-addon/locals.tf | 1 -
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/irsa/main.tf b/modules/irsa/main.tf
index f557faacfb..3096c85e9c 100644
--- a/modules/irsa/main.tf
+++ b/modules/irsa/main.tf
@@ -59,7 +59,8 @@ resource "aws_iam_role" "irsa" {
 }
 
 resource "aws_iam_role_policy_attachment" "irsa" {
- count = length(var.irsa_iam_policies)
+ count = var.irsa_iam_policies != null ? length(var.irsa_iam_policies) : 0
+
 policy_arn = var.irsa_iam_policies[count.index]
 role = aws_iam_role.irsa.name
 }
diff --git a/modules/kubernetes-addons/helm-addon/locals.tf b/modules/kubernetes-addons/helm-addon/locals.tf
index 0cb10c4273..eb04729c0f 100644
--- a/modules/kubernetes-addons/helm-addon/locals.tf
+++ b/modules/kubernetes-addons/helm-addon/locals.tf
@@ -7,6 +7,5 @@ locals {
 create_kubernetes_namespace = true
 create_kubernetes_service_account = true
 iam_role_path = "/"
- irsa_iam_policies = ""
 })
 }
\ No newline at end of file
From a64837aea27acb254ae41bcd85503ff1f6190350 Mon Sep 17 00:00:00 2001
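Review bot: `irsa_iam_policies = ""` supplies a string default for an attribute typed `optional(list(string))`; `defaults()` requires a default to match the attribute's type, so this cannot evaluate, and the next commit in the series removes it again. A string standing in for a list is also misleading to readers; leave the key out and handle `null` in the irsa module, which is where the series ends up.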
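Review bot: In the irsa/main.tf hunk the attachment `count` now tolerates a `null` policy list, but `resource "aws_iam_role" "irsa"` (it starts above this hunk) is still created unconditionally, so a caller passing `null` gets an IAM role that the service account can assume and that carries no permissions. Gate the role on the same condition, and express it once so the two cannot diverge, e.g. `create_role = var.irsa_iam_policies != null` in a `locals` block referenced by both `count` expressions.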
From: Apoorva Kulkarni Date: Wed, 2 Mar 2022 15:59:07 -0800 Subject: [PATCH 18/30] fix formatting
---
 modules/irsa/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/irsa/main.tf b/modules/irsa/main.tf
index 3096c85e9c..034e5fe0eb 100644
--- a/modules/irsa/main.tf
+++ b/modules/irsa/main.tf
@@ -59,7 +59,7 @@ resource "aws_iam_role" "irsa" {
 }
 
 resource "aws_iam_role_policy_attachment" "irsa" {
- count = var.irsa_iam_policies != null ? length(var.irsa_iam_policies) : 0
+ count = var.irsa_iam_policies != null ? length(var.irsa_iam_policies) : 0
 
 policy_arn = var.irsa_iam_policies[count.index]
 role = aws_iam_role.irsa.name
From 32625d7c093bae2ae5e71caaf1e66758317c2850 Mon Sep 17 00:00:00 2001
From: Apoorva Kulkarni Date: Thu, 3 Mar 2022 09:47:54 -0800 Subject: [PATCH 19/30] add conditional in irsa role
---
 modules/irsa/main.tf | 4 +++-
 modules/irsa/outputs.tf | 4 ++--
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/modules/irsa/main.tf b/modules/irsa/main.tf
index 034e5fe0eb..43ad327a50 100644
--- a/modules/irsa/main.tf
+++ b/modules/irsa/main.tf
@@ -42,6 +42,8 @@ resource "kubernetes_service_account_v1" "irsa" {
 }
 
 resource "aws_iam_role" "irsa" {
+ count = var.irsa_iam_policies != null ? 1 : 0
+
 name = format("%s-%s-%s", var.eks_cluster_id, trim(var.kubernetes_service_account, "-*"), "irsa")
 description = "AWS IAM Role for the Kubernetes service account ${var.kubernetes_service_account}."
 assume_role_policy = join("", data.aws_iam_policy_document.irsa_with_oidc.*.json)
@@ -62,5 +64,5 @@ resource "aws_iam_role_policy_attachment" "irsa" {
 count = var.irsa_iam_policies != null ? length(var.irsa_iam_policies) : 0
 
 policy_arn = var.irsa_iam_policies[count.index]
- role = aws_iam_role.irsa.name
+ role = aws_iam_role.irsa[0].name
 }
diff --git a/modules/irsa/outputs.tf b/modules/irsa/outputs.tf
index 1c926bd68d..0ecc59b8d6 100644
--- a/modules/irsa/outputs.tf
+++ b/modules/irsa/outputs.tf
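Review bot: Adding `count` to `aws_iam_role.irsa` turns every `aws_iam_role.irsa.arn`/`.name` reference into a list reference, but only the attachment in the second hunk is updated; the `annotations` line in `kubernetes_service_account_v1.irsa` (just above the first hunk, patched piecemeal in the next three commits) still reads `aws_iam_role.irsa.arn`, and the outputs changed in this same commit switch to `[0]` without a guard. The `!= null` test also leaves the `[]` default from variables.tf in force, so a caller omitting the list still gets a permissionless role. One local, e.g. `create_role = var.irsa_iam_policies != null && length(var.irsa_iam_policies) > 0`, used by the role count, the attachment count, the annotation and the outputs would keep all four consistent.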
@@ -18,10 +18,10 @@ output "irsa_iam_role_arn" { description = "IAM role ARN for your service account" - value = aws_iam_role.irsa.arn + value = aws_iam_role.irsa[0].arn } output "irsa_iam_role_name" { description = "IAM role name for your service account" - value = aws_iam_role.irsa.name + value = aws_iam_role.irsa[0].name } From d3ac50769b9424568d6a7ff25c551d7f7c79f868 Mon Sep 17 00:00:00 2001 From: Apoorva Kulkarni Date: Thu, 3 Mar 2022 14:26:13 -0800 Subject: [PATCH 20/30] fix annotations --- modules/irsa/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/irsa/main.tf b/modules/irsa/main.tf index 43ad327a50..3f57275ee8 100644 --- a/modules/irsa/main.tf +++ b/modules/irsa/main.tf @@ -32,7 +32,7 @@ resource "kubernetes_service_account_v1" "irsa" { metadata { name = var.kubernetes_service_account namespace = var.kubernetes_namespace - annotations = { "eks.amazonaws.com/role-arn" : aws_iam_role.irsa.arn } + annotations = { "eks.amazonaws.com/role-arn" : aws_iam_role.irsa[0].arn } labels = { "app.kubernetes.io/managed-by" = "terraform-ssp-amazon-eks" } From 0cc236d09e946a80941f65d96043578871e0ba87 Mon Sep 17 00:00:00 2001 From: Apoorva Kulkarni Date: Thu, 3 Mar 2022 14:33:54 -0800 Subject: [PATCH 21/30] fix pr-test error --- modules/irsa/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/irsa/main.tf b/modules/irsa/main.tf index 3f57275ee8..234d77d8cf 100644 --- a/modules/irsa/main.tf +++ b/modules/irsa/main.tf @@ -32,7 +32,7 @@ resource "kubernetes_service_account_v1" "irsa" { metadata { name = var.kubernetes_service_account namespace = var.kubernetes_namespace - annotations = { "eks.amazonaws.com/role-arn" : aws_iam_role.irsa[0].arn } + annotations = length(aws_iam_role.irsa > 0) ? { "eks.amazonaws.com/role-arn" : aws_iam_role.irsa[0].arn } : null labels = { "app.kubernetes.io/managed-by" = "terraform-ssp-amazon-eks" } From ce827a0c25eb43e0c0c92994339310ca3bd332cb Mon Sep 17 00:00:00 2001 
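Review bot: `aws_iam_role.irsa[0].arn` and `aws_iam_role.irsa[0].name` in outputs.tf are evaluated even when the role's `count` is 0, so any caller that passes `null` for `irsa_iam_policies` now fails with an index error at plan time; the same unguarded `[0]` is introduced in the annotation line of the following "fix annotations" hunk. Use `one(aws_iam_role.irsa[*].arn)` or `length(aws_iam_role.irsa) > 0 ? aws_iam_role.irsa[0].arn : null`, as the later "conditional outputs" commit does.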
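Review bot: `length(aws_iam_role.irsa > 0)` in the "fix pr-test error" hunk puts the comparison inside `length()`, so Terraform is asked to compare a list of resource instances with a number and the expression cannot evaluate; the intended guard is `length(aws_iam_role.irsa) > 0 ? { "eks.amazonaws.com/role-arn" : aws_iam_role.irsa[0].arn } : null`. The next commit sidesteps it by testing `var.irsa_iam_policies != null` instead, which works but duplicates the role's `count` condition in a second place. The `metadata` block continues outside this hunk.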
From: Apoorva Kulkarni Date: Thu, 3 Mar 2022 14:37:58 -0800 Subject: [PATCH 22/30] change the conditional --- modules/irsa/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/irsa/main.tf b/modules/irsa/main.tf index 234d77d8cf..b2901167d4 100644 --- a/modules/irsa/main.tf +++ b/modules/irsa/main.tf @@ -32,7 +32,7 @@ resource "kubernetes_service_account_v1" "irsa" { metadata { name = var.kubernetes_service_account namespace = var.kubernetes_namespace - annotations = length(aws_iam_role.irsa > 0) ? { "eks.amazonaws.com/role-arn" : aws_iam_role.irsa[0].arn } : null + annotations = var.irsa_iam_policies != null ? { "eks.amazonaws.com/role-arn" : aws_iam_role.irsa[0].arn } : null labels = { "app.kubernetes.io/managed-by" = "terraform-ssp-amazon-eks" } From 06d0ebc0af9ba192567a194c3b2157164adecd5b Mon Sep 17 00:00:00 2001 From: Apoorva Kulkarni Date: Thu, 3 Mar 2022 14:43:06 -0800 Subject: [PATCH 23/30] conditional outputs --- modules/irsa/outputs.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/irsa/outputs.tf b/modules/irsa/outputs.tf index 0ecc59b8d6..efdf7e29f9 100644 --- a/modules/irsa/outputs.tf +++ b/modules/irsa/outputs.tf @@ -18,10 +18,10 @@ output "irsa_iam_role_arn" { description = "IAM role ARN for your service account" - value = aws_iam_role.irsa[0].arn + value = var.irsa_iam_policies != null ? aws_iam_role.irsa[0].arn : null } output "irsa_iam_role_name" { description = "IAM role name for your service account" - value = aws_iam_role.irsa[0].name + value = var.irsa_iam_policies != null ? aws_iam_role.irsa[0].name : null } From 82bac756a56f11526c2fe80cc41e638d017236ae Mon Sep 17 00:00:00 2001 
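Review bot: After this hunk and the outputs.tf hunk below, `var.irsa_iam_policies != null` appears in the role count, the attachment count, the service-account annotation and both outputs; five copies of one security-relevant condition will drift the first time someone changes one of them (for instance to also treat `[]` as "no role"). Compute it once, `create_irsa_role = var.irsa_iam_policies != null` in `locals`, and reference `local.create_irsa_role` everywhere; the annotation and outputs can then also use `one(aws_iam_role.irsa[*].arn)` instead of `[0]`. The `metadata` block continues outside this hunk.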
From: Apoorva Kulkarni Date: Thu, 3 Mar 2022 15:49:39 -0800 Subject: [PATCH 24/30] update for addon_context --- modules/kubernetes-addons/README.md | 3 +-- modules/kubernetes-addons/main.tf | 7 +++---- modules/kubernetes-addons/vpa/README.md | 2 +- modules/kubernetes-addons/vpa/locals.tf | 2 +- modules/kubernetes-addons/vpa/main.tf | 1 + modules/kubernetes-addons/vpa/variables.tf | 15 +++++++++++++++ 6 files changed, 22 insertions(+), 8 deletions(-) diff --git a/modules/kubernetes-addons/README.md b/modules/kubernetes-addons/README.md index 3010852062..1df8ba23ca 100644 --- a/modules/kubernetes-addons/README.md +++ b/modules/kubernetes-addons/README.md @@ -56,7 +56,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | [ingress\_nginx](#module\_ingress\_nginx) | ./ingress-nginx | n/a | | [karpenter](#module\_karpenter) | ./karpenter | n/a | | [keda](#module\_keda) | ./keda | n/a | -| [kube\_state\_metrics](#module\_kube\_state\_metrics) | askulkarni2/kube-state-metrics-addon/eksblueprints | 0.0.2 | +| [kube\_state\_metrics](#module\_kube\_state\_metrics) | askulkarni2/kube-state-metrics-addon/eksblueprints | 0.0.3 | | [kubernetes\_dashboard](#module\_kubernetes\_dashboard) | ./kubernetes-dashboard | n/a | | [metrics\_server](#module\_metrics\_server) | ./metrics-server | n/a | | [prometheus](#module\_prometheus) | ./prometheus | n/a | @@ -167,5 +167,4 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ## Outputs No outputs. - diff --git a/modules/kubernetes-addons/main.tf b/modules/kubernetes-addons/main.tf index dc146b1d08..521de77012 100644 --- a/modules/kubernetes-addons/main.tf +++ b/modules/kubernetes-addons/main.tf @@ -211,9 +211,9 @@ module "traefik" { module "vpa" { count = var.enable_vpa ? 1 : 0 source = "./vpa" - eks_cluster_id = var.eks_cluster_id helm_config = var.vpa_helm_config manage_via_gitops = var.argocd_manage_add_ons + addon_context = local.addon_context } module "yunikorn" { 
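Review bot: The `module "vpa"` call no longer passes `eks_cluster_id`, but the regenerated vpa README in this same commit still lists `eks_cluster_id` as a required input with no default, and the diffstat shows only additions to vpa/variables.tf; unless that variable is removed outside this view, validation will report a missing required argument for every caller with `enable_vpa = true`. Either delete `variable "eks_cluster_id"` from the vpa module (it now reads `var.addon_context.eks_cluster_id`) or keep passing it here until it is gone.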
@@ -230,13 +230,12 @@ module "yunikorn" { module "kube_state_metrics" { count = var.enable_kube_state_metrics ? 1 : 0 source = "askulkarni2/kube-state-metrics-addon/eksblueprints" - version = "0.0.2" - eks_cluster_id = var.eks_cluster_id + version = "0.0.3" helm_config = var.kube_state_metrics_helm_config irsa_policies = var.kube_state_metrics_irsa_policies irsa_permissions_boundary = var.kube_state_metrics_irsa_permissions_boundary - tags = var.tags manage_via_gitops = var.argocd_manage_add_ons + addon_context = local.addon_context } module "kubernetes_dashboard" { diff --git a/modules/kubernetes-addons/vpa/README.md b/modules/kubernetes-addons/vpa/README.md index f421258f14..fe1a5a30f5 100644 --- a/modules/kubernetes-addons/vpa/README.md +++ b/modules/kubernetes-addons/vpa/README.md @@ -31,6 +31,7 @@ No resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [addon\_context](#input\_addon\_context) | Input configuration for the addon |
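Review bot: `module "kube_state_metrics"` now forwards `addon_context` — which per the `./vpa` variable type carries the cluster's OIDC issuer URL, OIDC provider ARN, caller identity and partition — to a module fetched from a personal registry namespace (`askulkarni2/kube-state-metrics-addon/eksblueprints`), alongside `irsa_policies` that presumably lets it create IAM roles trusted by the cluster's OIDC provider. That makes this one exact version pin the supply-chain boundary for an identity-bearing add-on, so a comment on the `source` line would help future maintainers: `# external registry module (personal namespace); keep the version pinned exactly and review the release diff before bumping`. The same applies to the further bump to `0.0.4` in PATCH 26. The removed `tags = var.tags` looks to be replaced by `addon_context.tags`, assuming the remote module reads it — worth confirming against the 0.0.3 release.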
object({
aws_caller_identity_account_id = string
aws_caller_identity_arn = string
aws_eks_cluster_endpoint = string
aws_partition_id = string
aws_region_name = string
eks_cluster_id = string
eks_oidc_issuer_url = string
eks_oidc_provider_arn = string
tags = map(string)
})
| n/a | yes | | [eks\_cluster\_id](#input\_eks\_cluster\_id) | EKS Cluster Id | `string` | n/a | yes | | [helm\_config](#input\_helm\_config) | Helm provider config for VPA | `any` | `{}` | no | | [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps | `bool` | `false` | no | @@ -40,5 +41,4 @@ No resources. | Name | Description | |------|-------------| | [argocd\_gitops\_config](#output\_argocd\_gitops\_config) | Configuration used for managing the add-on with ArgoCD | - diff --git a/modules/kubernetes-addons/vpa/locals.tf b/modules/kubernetes-addons/vpa/locals.tf index e1f51bea2a..7994d5dd15 100644 --- a/modules/kubernetes-addons/vpa/locals.tf +++ b/modules/kubernetes-addons/vpa/locals.tf @@ -27,7 +27,7 @@ locals { kubernetes_service_account = local.service_account_name create_kubernetes_namespace = true create_kubernetes_service_account = true - eks_cluster_id = var.eks_cluster_id + eks_cluster_id = var.addon_context.eks_cluster_id } argocd_gitops_config = { diff --git a/modules/kubernetes-addons/vpa/main.tf b/modules/kubernetes-addons/vpa/main.tf index 91ec36fbe4..6cb354d90e 100644 --- a/modules/kubernetes-addons/vpa/main.tf +++ b/modules/kubernetes-addons/vpa/main.tf @@ -3,4 +3,5 @@ module "helm_addon" { manage_via_gitops = var.manage_via_gitops helm_config = local.helm_config irsa_config = local.irsa_config + addon_context = var.addon_context } diff --git a/modules/kubernetes-addons/vpa/variables.tf b/modules/kubernetes-addons/vpa/variables.tf index fc5c2f9eca..d974a36127 100644 --- a/modules/kubernetes-addons/vpa/variables.tf +++ b/modules/kubernetes-addons/vpa/variables.tf 
@@ -14,3 +14,18 @@ variable "manage_via_gitops" { default = false description = "Determines if the add-on should be managed via GitOps" } + +variable "addon_context" { + type = object({ + aws_caller_identity_account_id = string + aws_caller_identity_arn = string + aws_eks_cluster_endpoint = string + aws_partition_id = string + aws_region_name = string + eks_cluster_id = string + eks_oidc_issuer_url = string + eks_oidc_provider_arn = string + tags = map(string) + }) + description = "Input configuration for the addon" +} From 3f8cf5c75dfd6f6d1b2629aba125cb5bd0683206 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Thu, 3 Mar 2022 23:55:20 +0000 Subject: [PATCH 25/30] terraform-docs: automated action --- modules/kubernetes-addons/README.md | 1 + modules/kubernetes-addons/vpa/README.md | 1 + 2 files changed, 2 insertions(+) diff --git a/modules/kubernetes-addons/README.md b/modules/kubernetes-addons/README.md index 1df8ba23ca..7e7c5f0e26 100644 --- a/modules/kubernetes-addons/README.md +++ b/modules/kubernetes-addons/README.md @@ -167,4 +167,5 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ## Outputs No outputs. + diff --git a/modules/kubernetes-addons/vpa/README.md b/modules/kubernetes-addons/vpa/README.md index fe1a5a30f5..d88902ba65 100644 --- a/modules/kubernetes-addons/vpa/README.md +++ b/modules/kubernetes-addons/vpa/README.md @@ -41,4 +41,5 @@ No resources. | Name | Description | |------|-------------| | [argocd\_gitops\_config](#output\_argocd\_gitops\_config) | Configuration used for managing the add-on with ArgoCD | + From 13c036a06b9edd109fc3af4713a045fb03de5922 Mon Sep 17 00:00:00 2001 From: Apoorva Kulkarni Date: Thu, 3 Mar 2022 16:00:04 -0800 Subject: [PATCH 26/30] bumping up kube-state-metrics --- modules/kubernetes-addons/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/kubernetes-addons/main.tf b/modules/kubernetes-addons/main.tf index 521de77012..061885f164 100644 
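Review bot: The new `variable "addon_context"` is documented only as `"Input configuration for the addon"`, which says nothing about what the fields are or where they come from, and that text is also what terraform-docs copies into the README. Given the fields visible here, a description such as `"Cluster-scoped context shared by all add-ons: caller account id/ARN, partition, region, EKS cluster id and endpoint, OIDC issuer URL and provider ARN, and common tags"` would tell a caller what must be supplied and make clear that it carries identity data used for IRSA trust. The `variable "manage_via_gitops"` block at the top of this hunk begins outside it.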
--- a/modules/kubernetes-addons/main.tf +++ b/modules/kubernetes-addons/main.tf @@ -230,7 +230,7 @@ module "yunikorn" { module "kube_state_metrics" { count = var.enable_kube_state_metrics ? 1 : 0 source = "askulkarni2/kube-state-metrics-addon/eksblueprints" - version = "0.0.3" + version = "0.0.4" helm_config = var.kube_state_metrics_helm_config irsa_policies = var.kube_state_metrics_irsa_policies irsa_permissions_boundary = var.kube_state_metrics_irsa_permissions_boundary From 64efa165c65cf16f9a6d5a4b34e79099e05a572d Mon Sep 17 00:00:00 2001 From: Apoorva Kulkarni Date: Thu, 3 Mar 2022 16:04:06 -0800 Subject: [PATCH 27/30] update readme --- modules/kubernetes-addons/README.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/modules/kubernetes-addons/README.md b/modules/kubernetes-addons/README.md index 7e7c5f0e26..2d93676004 100644 --- a/modules/kubernetes-addons/README.md +++ b/modules/kubernetes-addons/README.md @@ -1,5 +1,3 @@ -# kubernetes-addons module - Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: MIT-0 @@ -56,7 +54,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | [ingress\_nginx](#module\_ingress\_nginx) | ./ingress-nginx | n/a | | [karpenter](#module\_karpenter) | ./karpenter | n/a | | [keda](#module\_keda) | ./keda | n/a | -| [kube\_state\_metrics](#module\_kube\_state\_metrics) | askulkarni2/kube-state-metrics-addon/eksblueprints | 0.0.3 | +| [kube\_state\_metrics](#module\_kube\_state\_metrics) | askulkarni2/kube-state-metrics-addon/eksblueprints | 0.0.4 | | [kubernetes\_dashboard](#module\_kubernetes\_dashboard) | ./kubernetes-dashboard | n/a | | [metrics\_server](#module\_metrics\_server) | ./metrics-server | n/a | | [prometheus](#module\_prometheus) | ./prometheus | n/a | @@ -167,5 +165,4 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ## Outputs No outputs. - From d2eee60a92505ce87182c1bf4dea8696b66eb926 Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" Date: Fri, 4 Mar 2022 00:42:49 +0000 Subject: [PATCH 28/30] terraform-docs: automated action --- modules/kubernetes-addons/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/kubernetes-addons/README.md b/modules/kubernetes-addons/README.md index 2d93676004..7004c89516 100644 --- a/modules/kubernetes-addons/README.md +++ b/modules/kubernetes-addons/README.md @@ -165,4 +165,5 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ## Outputs No outputs. + From fc133e88960f408ea33dfd2f7e6dc29ac6c29bf4 Mon Sep 17 00:00:00 2001 From: Apoorva Kulkarni Date: Thu, 3 Mar 2022 16:49:18 -0800 Subject: [PATCH 29/30] update vpa variables to remove cluster-id --- modules/kubernetes-addons/vpa/README.md | 2 -- modules/kubernetes-addons/vpa/variables.tf | 5 ----- 2 files changed, 7 deletions(-) diff --git a/modules/kubernetes-addons/vpa/README.md b/modules/kubernetes-addons/vpa/README.md index d88902ba65..6c5a6ee954 100644 --- a/modules/kubernetes-addons/vpa/README.md +++ b/modules/kubernetes-addons/vpa/README.md @@ -32,7 +32,6 @@ No resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [addon\_context](#input\_addon\_context) | Input configuration for the addon |
object({
aws_caller_identity_account_id = string
aws_caller_identity_arn = string
aws_eks_cluster_endpoint = string
aws_partition_id = string
aws_region_name = string
eks_cluster_id = string
eks_oidc_issuer_url = string
eks_oidc_provider_arn = string
tags = map(string)
})
| n/a | yes | -| [eks\_cluster\_id](#input\_eks\_cluster\_id) | EKS Cluster Id | `string` | n/a | yes | | [helm\_config](#input\_helm\_config) | Helm provider config for VPA | `any` | `{}` | no | | [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps | `bool` | `false` | no | @@ -41,5 +40,4 @@ No resources. | Name | Description | |------|-------------| | [argocd\_gitops\_config](#output\_argocd\_gitops\_config) | Configuration used for managing the add-on with ArgoCD | - diff --git a/modules/kubernetes-addons/vpa/variables.tf b/modules/kubernetes-addons/vpa/variables.tf index d974a36127..e568718bf5 100644 --- a/modules/kubernetes-addons/vpa/variables.tf +++ b/modules/kubernetes-addons/vpa/variables.tf @@ -4,11 +4,6 @@ variable "helm_config" { default = {} } -variable "eks_cluster_id" { - type = string - description = "EKS Cluster Id" -} - variable "manage_via_gitops" { type = bool default = false From 05349bef4ec29f711012fe1914a8c5454120e80c Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Fri, 4 Mar 2022 00:50:29 +0000 Subject: [PATCH 30/30] terraform-docs: automated action --- modules/kubernetes-addons/vpa/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/kubernetes-addons/vpa/README.md b/modules/kubernetes-addons/vpa/README.md index 6c5a6ee954..93a722726a 100644 --- a/modules/kubernetes-addons/vpa/README.md +++ b/modules/kubernetes-addons/vpa/README.md @@ -40,4 +40,5 @@ No resources. | Name | Description | |------|-------------| | [argocd\_gitops\_config](#output\_argocd\_gitops\_config) | Configuration used for managing the add-on with ArgoCD | +