defenseunicorns · ntwkninja · Apr 13, 2023 · Mar 23, 2023 · Mar 24, 2023 · Mar 24, 2023
@@ -92,7 +92,7 @@ kubectl get nodes
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.47.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.62.0 |
 | <a name="requirement_cloudinit"></a> [cloudinit](#requirement\_cloudinit) | >= 2.0.0 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.5.1 |
 | <a name="requirement_http"></a> [http](#requirement\_http) | 2.4.1 |
@@ -108,7 +108,7 @@ kubectl get nodes
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.47.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.62.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 3.1.0 |
 
 ## Modules
@@ -138,25 +138,27 @@ kubectl get nodes
 | <a name="input_amazon_eks_aws_ebs_csi_driver_config"></a> [amazon\_eks\_aws\_ebs\_csi\_driver\_config](#input\_amazon\_eks\_aws\_ebs\_csi\_driver\_config) | configMap for AWS EBS CSI Driver add-on | `any` | `{}` | no |
 | <a name="input_amazon_eks_coredns_config"></a> [amazon\_eks\_coredns\_config](#input\_amazon\_eks\_coredns\_config) | Configuration for Amazon CoreDNS EKS add-on | `any` | `{}` | no |
 | <a name="input_amazon_eks_kube_proxy_config"></a> [amazon\_eks\_kube\_proxy\_config](#input\_amazon\_eks\_kube\_proxy\_config) | ConfigMap for Amazon EKS Kube-Proxy add-on | `any` | `{}` | no |
-| <a name="input_amazon_eks_vpc_cni"></a> [amazon\_eks\_vpc\_cni](#input\_amazon\_eks\_vpc\_cni) | The VPC CNI add-on configuration.<br>enable - (Optional) Whether to enable the add-on. Defaults to false.<br>before\_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true.<br>most\_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true.<br>resolve\_conflicts - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE.<br>configuration\_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_add-on for supported values.<br>preserve - (Optional) Whether to preserve the add-on's objects when the add-on is deleted. Defaults to false. | <pre>object({<br>    enable               = bool<br>    before_compute       = bool<br>    most_recent          = bool<br>    resolve_conflicts    = string<br>    configuration_values = map(any) # hcl format later to be json encoded<br>    preserve             = bool<br>  })</pre> | <pre>{<br>  "before_compute": true,<br>  "configuration_values": {<br>    "AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",<br>    "ENABLE_PREFIX_DELEGATION": "true",<br>    "ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",<br>    "WARM_PREFIX_TARGET": "1"<br>  },<br>  "enable": false,<br>  "most_recent": true,<br>  "preserve": false,<br>  "resolve_conflicts": "OVERWRITE"<br>}</pre> | no |
 | <a name="input_assign_public_ip"></a> [assign\_public\_ip](#input\_assign\_public\_ip) | Whether to assign a public IP to the bastion | `bool` | `false` | no |
 | <a name="input_aws_admin_usernames"></a> [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with authorized access to KMS and EKS resources, will automatically add the user running the terraform as an admin | `list(string)` | `[]` | no |
 | <a name="input_aws_node_termination_handler_helm_config"></a> [aws\_node\_termination\_handler\_helm\_config](#input\_aws\_node\_termination\_handler\_helm\_config) | AWS Node Termination Handler Helm Chart config | `any` | `{}` | no |
 | <a name="input_bastion_instance_type"></a> [bastion\_instance\_type](#input\_bastion\_instance\_type) | value for the instance type of the EKS worker nodes | `string` | `"m5.xlarge"` | no |
 | <a name="input_bastion_ssh_password"></a> [bastion\_ssh\_password](#input\_bastion\_ssh\_password) | The SSH password to use for the bastion if SSM authentication is used | `string` | `"my-password"` | no |
 | <a name="input_bastion_ssh_user"></a> [bastion\_ssh\_user](#input\_bastion\_ssh\_user) | The SSH user to use for the bastion | `string` | `"ec2-user"` | no |
 | <a name="input_bastion_tenancy"></a> [bastion\_tenancy](#input\_bastion\_tenancy) | The tenancy of the bastion | `string` | `"default"` | no |
+| <a name="input_calico_helm_config"></a> [calico\_helm\_config](#input\_calico\_helm\_config) | Calico Helm Chart config | `any` | `{}` | no |
+| <a name="input_cluster_addons"></a> [cluster\_addons](#input\_cluster\_addons) | Nested of eks native add-ons and their associated parameters.<br>See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_add-on for supported values.<br>See https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/examples/complete/main.tf#L44-L60 for upstream example.<br><br>to see available eks marketplace addons available for your cluster's version run:<br>aws eks describe-addon-versions --kubernetes-version $k8s\_cluster\_version --query 'addons[].{MarketplaceProductUrl: marketplaceInformation.productUrl, Name: addonName, Owner: owner Publisher: publisher, Type: type}' --output table | `any` | `{}` | no |
 | <a name="input_cluster_autoscaler_helm_config"></a> [cluster\_autoscaler\_helm\_config](#input\_cluster\_autoscaler\_helm\_config) | Cluster Autoscaler Helm Chart config | `any` | `{}` | no |
 | <a name="input_cluster_endpoint_public_access"></a> [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether to enable private access to the EKS cluster | `bool` | `false` | no |
 | <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | Kubernetes version to use for EKS cluster | `string` | `"1.23"` | no |
+| <a name="input_create_aws_auth_configmap"></a> [create\_aws\_auth\_configmap](#input\_create\_aws\_auth\_configmap) | Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). Most users should use `manage_aws_auth_configmap` | `bool` | `false` | no |
 | <a name="input_create_database_subnet_group"></a> [create\_database\_subnet\_group](#input\_create\_database\_subnet\_group) | Whether to create a database subnet group | `bool` | `true` | no |
 | <a name="input_create_database_subnet_route_table"></a> [create\_database\_subnet\_route\_table](#input\_create\_database\_subnet\_route\_table) | Whether to create a database subnet route table | `bool` | `true` | no |
-| <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all resources | `map(string)` | `{}` | no |
 | <a name="input_eks_worker_tenancy"></a> [eks\_worker\_tenancy](#input\_eks\_worker\_tenancy) | The tenancy of the EKS worker nodes | `string` | `"default"` | no |
 | <a name="input_enable_amazon_eks_aws_ebs_csi_driver"></a> [enable\_amazon\_eks\_aws\_ebs\_csi\_driver](#input\_enable\_amazon\_eks\_aws\_ebs\_csi\_driver) | Enable EKS Managed AWS EBS CSI Driver add-on; enable\_amazon\_eks\_aws\_ebs\_csi\_driver and enable\_self\_managed\_aws\_ebs\_csi\_driver are mutually exclusive | `bool` | `false` | no |
 | <a name="input_enable_amazon_eks_coredns"></a> [enable\_amazon\_eks\_coredns](#input\_enable\_amazon\_eks\_coredns) | Enable Amazon EKS CoreDNS add-on | `bool` | `false` | no |
 | <a name="input_enable_amazon_eks_kube_proxy"></a> [enable\_amazon\_eks\_kube\_proxy](#input\_enable\_amazon\_eks\_kube\_proxy) | Enable Kube Proxy add-on | `bool` | `false` | no |
 | <a name="input_enable_aws_node_termination_handler"></a> [enable\_aws\_node\_termination\_handler](#input\_enable\_aws\_node\_termination\_handler) | Enable AWS Node Termination Handler add-on | `bool` | `false` | no |
+| <a name="input_enable_calico"></a> [enable\_calico](#input\_enable\_calico) | Enable Calico add-on | `bool` | `true` | no |
 | <a name="input_enable_cluster_autoscaler"></a> [enable\_cluster\_autoscaler](#input\_enable\_cluster\_autoscaler) | Enable Cluster autoscaler add-on | `bool` | `false` | no |
 | <a name="input_enable_eks_managed_nodegroups"></a> [enable\_eks\_managed\_nodegroups](#input\_enable\_eks\_managed\_nodegroups) | Enable managed node groups | `bool` | n/a | yes |
 | <a name="input_enable_metrics_server"></a> [enable\_metrics\_server](#input\_enable\_metrics\_server) | Enable metrics server add-on | `bool` | `false` | no |
@@ -174,6 +176,7 @@ kubectl get nodes
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | The prefix to use when naming all resources | `string` | `"ex-complete"` | no |
 | <a name="input_region"></a> [region](#input\_region) | The AWS region to deploy into | `string` | n/a | yes |
 | <a name="input_region2"></a> [region2](#input\_region2) | The AWS region to deploy into | `string` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to apply to all resources | `map(string)` | `{}` | no |
 | <a name="input_vpc_cidr"></a> [vpc\_cidr](#input\_vpc\_cidr) | The CIDR block for the VPC | `string` | n/a | yes |
 | <a name="input_zarf_version"></a> [zarf\_version](#input\_zarf\_version) | The version of Zarf to use | `string` | `""` | no |
 

@@ -5,11 +5,10 @@
 #region  = "us-east-2" # target AWS region
 #region2 = "us-east-1" # RDS backup target AWS region
 
-# default_tags = {
-#   Environment = "dev"
-#   Project     = "ci-eks"
-#   Owner       = "ci"
-# }
+tags = {
+  Environment = "dev"
+  Project     = "du-iac-cicd"
+}
 name_prefix               = "ex-complete"
 manage_aws_auth_configmap = true
 
@@ -34,7 +33,6 @@ cluster_version = "1.23"
 ############## Big Bang Dependencies ######################
 
 keycloak_enabled = true
-# other_addon_enabled = true
 
 
 #################### Keycloak ###########################
@@ -47,20 +45,40 @@ kc_db_allocated_storage     = 20
 kc_db_max_allocated_storage = 100
 kc_db_instance_class        = "db.t4g.large"
 
-#################### EKS Addon #########################
-amazon_eks_vpc_cni = {
-  enable            = true
-  before_compute    = true
-  most_recent       = true
-  resolve_conflicts = "OVERWRITE"
-  preserve          = false
-  configuration_values = {
-    # Reference https://aws.github.io/aws-eks-best-practices/reliability/docs/networkmanagement/#cni-custom-networking
-    AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = "true"
-    ENI_CONFIG_LABEL_DEF               = "topology.kubernetes.io/zone" # allows vpc-cni to use topology labels to determine which subnet to deploy an ENI in
-
-    # Reference docs https://docs.aws.amazon.com/eks/latest/userguide/cni-increase-ip-addresses.html
-    ENABLE_PREFIX_DELEGATION = "true"
-    WARM_PREFIX_TARGET       = "1"
+# #################### EKS Addon #########################
+# add other "eks native" marketplace addons and configs to this list
+cluster_addons = {
+  vpc-cni = {
+    most_recent          = true
+    before_compute       = true
+    configuration_values = <<-JSON
+      {
+        "env": {
+          "AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
+          "ENABLE_PREFIX_DELEGATION": "true",
+          "ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
+          "WARM_PREFIX_TARGET": "1",
+          "ANNOTATE_POD_IP": "true"
+        }
+      }
+    JSON
   }
 }
+
+
+#################### Blueprints addons ###################
+#wait false for all addons, as it times out on teardown in the test pipeline
+enable_cluster_autoscaler      = true
+cluster_autoscaler_helm_config = { wait = false }
+
+enable_amazon_eks_aws_ebs_csi_driver = true
+amazon_eks_aws_ebs_csi_driver_config = { wait = false }
+
+enable_metrics_server      = true
+metrics_server_helm_config = { wait = false }
+
+enable_aws_node_termination_handler      = true
+aws_node_termination_handler_helm_config = { wait = false }
+
+enable_calico      = true
+calico_helm_config = { wait = false }
@@ -2,6 +2,8 @@ region                         = "us-east-2"
 region2                        = "us-east-1"
 enable_eks_managed_nodegroups  = false
 enable_self_managed_nodegroups = true
-bastion_tenancy                = "dedicated"
-eks_worker_tenancy             = "dedicated"
+bastion_tenancy                = "default"
+eks_worker_tenancy             = "default"
 cluster_endpoint_public_access = false
+
+create_aws_auth_configmap = true #secure example assumes enable_eks_managed_nodegroups = false, need to creaste the configmap ourselves
@@ -14,10 +14,12 @@ locals {
 
   account = data.aws_caller_identity.current.account_id
 
-  tags = {
-    Blueprint  = replace(basename(path.cwd), "_", "-") # tag names based on the directory name
-    GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints"
-  }
+  tags = merge(
+    var.tags,
+    {
+      RootTFModule = replace(basename(path.cwd), "_", "-") # tag names based on the directory name
+    }
+  )
 
   eks_managed_node_groups = {
     # Managed Node groups with minimum config
@@ -93,10 +95,6 @@ locals {
 
       instance_type = "m5.xlarge"
       #capacity_type = "" # Optional Use this only for SPOT capacity as  capacity_type = "spot". Only for eks_managed_node_groups
-
-      tags = {
-        subnet_type = "private"
-      }
     }
   }
 }
@@ -168,9 +166,9 @@ module "bastion" {
   vpc_endpoints_enabled          = true
   tenancy                        = var.bastion_tenancy
   zarf_version                   = var.zarf_version
-  tags = {
-    Function = "bastion-ssm"
-  }
+  tags = merge(
+    local.tags,
+  { Function = "bastion-ssm" })
 }
 
 ###########################################################
@@ -194,6 +192,7 @@ module "eks" {
   bastion_role_name               = module.bastion.bastion_role_name
 
   # If using EKS Managed Node Groups, the aws-auth ConfigMap is created by eks itself and terraform can not create it
+  create_aws_auth_configmap = var.create_aws_auth_configmap
   manage_aws_auth_configmap = var.manage_aws_auth_configmap
 
   ######################## EKS Managed Node Group ###################################
@@ -219,26 +218,32 @@ module "eks" {
       AmazonSSMManagedInstanceCore = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
     }
     # enable discovery of autoscaling groups by cluster-autoscaler
-    autoscaling_group_tags = {
-      "k8s.io/cluster-autoscaler/enabled" : true,
-      "k8s.io/cluster-autoscaler/${local.cluster_name}" : "owned"
-    }
+    autoscaling_group_tags = merge(
+      local.tags,
+      {
+        "k8s.io/cluster-autoscaler/enabled" : true,
+        "k8s.io/cluster-autoscaler/${local.cluster_name}" : "owned"
+    })
     metadata_options = {
       #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options
       http_endpoint               = "enabled"
       http_put_response_hop_limit = 2
       http_tokens                 = "optional" # set to "enabled" to enforce IMDSv2, default for upstream terraform-aws-eks module
     }
+    tags = {
+      subnet_type = "private"
+    }
   }
 
+  tags = local.tags
+
   self_managed_node_groups = local.self_managed_node_groups
 
   #---------------------------------------------------------------
   #"native" EKS Add-Ons
   #---------------------------------------------------------------
 
-  # VPC CNI
-  amazon_eks_vpc_cni = var.amazon_eks_vpc_cni
+  cluster_addons = var.cluster_addons
 
   #---------------------------------------------------------------
   # EKS Blueprints - EKS Add-Ons
@@ -267,4 +272,8 @@ module "eks" {
   # EKS Cluster Autoscaler
   enable_cluster_autoscaler      = var.enable_cluster_autoscaler
   cluster_autoscaler_helm_config = var.cluster_autoscaler_helm_config
+
+  #Calico
+  enable_calico      = var.enable_calico
+  calico_helm_config = var.calico_helm_config
 }
@@ -7,7 +7,7 @@ terraform {
     }
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.47.0"
+      version = ">= 4.62.0"
     }
     cloudinit = {
       source  = "hashicorp/cloudinit"
@@ -51,15 +51,15 @@ terraform {
 provider "aws" {
   region = var.region
   # default_tags {
-  #   tags = var.default_tags
+  #   tags = var.tags #bug https://github.com/hashicorp/terraform-provider-aws/issues/19583#issuecomment-855773246
   # }
 }
 
 provider "aws" {
   alias  = "region2"
   region = var.region2
   # default_tags {
-  #   tags = var.default_tags
+  #   tags = var.tags #bug https://github.com/hashicorp/terraform-provider-aws/issues/19583#issuecomment-855773246
   # }
 }