From d5d683b0d1922cb60ee02f2d56e32d35961b9034 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Martin=20Odstr=C4=8Dil=C3=ADk?= Date: Mon, 3 Jun 2024 22:11:23 +0200 Subject: [PATCH 1/7] feat: rework codebase using universal addon --- .github/RELEASE_DRAFTER.yml | 18 +- .github/workflows/pre-commit.yaml | 21 + .github/workflows/pre-commit.yml | 43 -- ...lease-drafter.yml => release-drafter.yaml} | 4 +- .github/workflows/template-sync.yaml | 30 ++ .github/workflows/validate.yaml | 27 +- .gitignore | 2 - .pre-commit-config.yaml | 29 +- .secrets.baseline | 14 +- .templatesyncignore | 6 + .terraform-docs.yml | 34 ++ .terraform.lock.hcl | 87 ++++ .tflint.hcl | 12 + .tool-versions | 6 + README.md | 237 +++++----- addon.tf | 90 ++++ argo.tf | 85 ---- docs/.content.md | 31 ++ docs/.footer.md | 37 ++ docs/.inputs.md | 2 + examples/basic/.terraform.lock.hcl | 147 ++++++ examples/basic/README.md | 52 --- examples/basic/base.tf | 33 ++ examples/basic/main.tf | 83 +--- examples/basic/providers.tf | 16 +- examples/basic/versions.tf | 18 + helm.tf | 64 --- helm/argocd-application/.helmignore | 23 - helm/argocd-application/Chart.yaml | 18 - .../argocd-application/templates/_helpers.tpl | 51 --- .../templates/application.yaml | 19 - helm/argocd-application/values.yaml | 2 - iam.tf | 102 +++-- ll-logo.png | Bin 12095 -> 0 bytes main.tf | 48 ++ outputs.tf | 22 +- values.tf | 19 - variables-addon.tf | 428 ++++++++++++++++++ variables.tf | 359 +++------------ versions.tf | 7 +- 40 files changed, 1389 insertions(+), 937 deletions(-) create mode 100644 .github/workflows/pre-commit.yaml delete mode 100644 .github/workflows/pre-commit.yml rename .github/workflows/{release-drafter.yml => release-drafter.yaml} (88%) create mode 100644 .github/workflows/template-sync.yaml create mode 100644 .templatesyncignore create mode 100644 .terraform-docs.yml create mode 100644 .terraform.lock.hcl create mode 100644 .tflint.hcl create mode 100644 .tool-versions create mode 100644 addon.tf delete mode 100644 argo.tf create mode 100644 docs/.content.md create mode 100644 
docs/.footer.md create mode 100644 docs/.inputs.md create mode 100644 examples/basic/.terraform.lock.hcl delete mode 100644 examples/basic/README.md create mode 100644 examples/basic/base.tf create mode 100644 examples/basic/versions.tf delete mode 100644 helm.tf delete mode 100644 helm/argocd-application/.helmignore delete mode 100644 helm/argocd-application/Chart.yaml delete mode 100644 helm/argocd-application/templates/_helpers.tpl delete mode 100644 helm/argocd-application/templates/application.yaml delete mode 100644 helm/argocd-application/values.yaml delete mode 100644 ll-logo.png create mode 100644 main.tf delete mode 100644 values.tf create mode 100644 variables-addon.tf diff --git a/.github/RELEASE_DRAFTER.yml b/.github/RELEASE_DRAFTER.yml index 1ae725f..c6af0a0 100644 --- a/.github/RELEASE_DRAFTER.yml +++ b/.github/RELEASE_DRAFTER.yml @@ -7,11 +7,25 @@ categories: - 'enhancement' - title: 'Bug Fixes' labels: - - 'fix' - - 'bugfix' - 'bug' - title: 'Documentation' label: 'documentation' + - title: 'CI' + label: 'ci' +version-resolver: + major: + labels: + - 'major' + minor: + labels: + - 'feature' + - 'enhancement' + patch: + labels: + - 'ci' + - 'bug' + - 'documentation' + default: patch change-template: '- $TITLE, by @$AUTHOR (#$NUMBER)' template: | # What's changed diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml new file mode 100644 index 0000000..7572e7c --- /dev/null +++ b/.github/workflows/pre-commit.yaml @@ -0,0 +1,21 @@ +name: pre-commit + +permissions: + contents: read + +on: + workflow_dispatch: + pull_request: + branches: + - main + - master + +jobs: + pre-commit: + runs-on: ubuntu-22.04 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + steps: + - uses: actions/checkout@v4 + - uses: asdf-vm/actions/install@v3 + - uses: pre-commit/action@v3.0.1 diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml deleted file mode 100644 index 7c0b1ec..0000000 
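Review bot: In the new `.github/workflows/pre-commit.yaml`, `GITHUB_TOKEN` is exported as a job-level `env`, so it reaches every step including `asdf-vm/actions/install@v3` and `pre-commit/action@v3.0.1`, both referenced by mutable tags. `permissions: contents: read` keeps the token read-only, which bounds the impact, but a moved tag would still run unreviewed third-party code with repository read access, and the tools listed in `.tool-versions` are then fetched by asdf plugins with no checksum pinning visible here. Pin both actions to full commit SHAs with the version in a trailing comment, e.g. `- uses: asdf-vm/actions/install@<commit-sha> # v3`, and if the token is only there to lift GitHub API rate limits for the asdf downloads (presumably why it is set), scope `env` to that one step instead of the job.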
--- a/.github/workflows/pre-commit.yml +++ /dev/null @@ -1,43 +0,0 @@ -name: pre-commit - -on: - workflow_dispatch: - pull_request: - branches: - - main - - master - -env: - TERRAFORM_DOCS_VERSION: "v0.16.0" - TFLINT_VERSION: "v0.36.2" - -jobs: - pre-commit: - runs-on: ubuntu-20.04 - steps: - - uses: actions/checkout@v2 - - uses: actions/setup-python@v2 - - - name: Install additional pre-commit hooks - shell: bash - run: | - echo "########### Install Checkov ####################" - pip install checkov - - echo "########### Install Terraform-docs #############" - wget https://github.com/terraform-docs/terraform-docs/releases/download/${{ env.TERRAFORM_DOCS_VERSION }}/terraform-docs-${{ env.TERRAFORM_DOCS_VERSION }}-linux-amd64.tar.gz - tar xvzf terraform-docs-${{ env.TERRAFORM_DOCS_VERSION }}-linux-amd64.tar.gz - mkdir -p ~/terraform-docs/bin/ - install terraform-docs ~/terraform-docs/bin/ - echo '~/terraform-docs/bin/' >> $GITHUB_PATH - - echo "########### Install Terraform-linters ##########" - wget https://github.com/terraform-linters/tflint/releases/download/${{ env.TFLINT_VERSION }}/tflint_linux_amd64.zip - unzip tflint_linux_amd64.zip - mkdir -p ~/tflint/bin/ - echo '~/tflint/bin/' >> $GITHUB_PATH - install tflint ~/tflint/bin/ - ~/tflint/bin/tflint --init - - - name: Run pre-commit - uses: pre-commit/action@v2.0.3 diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yaml similarity index 88% rename from .github/workflows/release-drafter.yml rename to .github/workflows/release-drafter.yaml index 7cae11f..68e8791 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yaml @@ -1,4 +1,4 @@ -name: Release Drafter +name: Release drafter permissions: contents: write @@ -15,7 +15,7 @@ on: jobs: update_release_draft: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - uses: release-drafter/release-drafter@v5 with: 
diff --git a/.github/workflows/template-sync.yaml b/.github/workflows/template-sync.yaml new file mode 100644 index 0000000..d17df05 --- /dev/null +++ b/.github/workflows/template-sync.yaml @@ -0,0 +1,30 @@ +name: Template sync + +on: + schedule: + - cron: '0 0 * * *' # every day at midnight + workflow_dispatch: + +permissions: + contents: write + pull-requests: write + +jobs: + universal-addon: + if: github.repository != 'lablabs/terraform-aws-eks-universal-addon' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + token: ${{ secrets.TEST_TOKEN }} + + - name: actions-template-sync + uses: AndreasAugustin/actions-template-sync@v2 + with: + github_token: ${{ secrets.TEST_TOKEN }} + source_repo_path: lablabs/terraform-aws-eks-universal-addon + upstream_branch: main + pr_labels: kind/sync + pr_branch_name_prefix: "feat/universal-addon-sync" + pr_title: "feat(sync): sync universal-addon changes" + pr_commit_msg: "feat(sync): sync universal-addon changes" diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml index daa5212..2b9e3e7 100644 --- a/.github/workflows/validate.yaml +++ b/.github/workflows/validate.yaml @@ -1,5 +1,8 @@ name: Terraform validate +permissions: + contents: read + on: workflow_dispatch: pull_request: @@ -10,11 +13,11 @@ on: jobs: versionExtract: name: Extract min/max Terraform versions - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Extract Terraform min/max versions id: minMax @@ -26,7 +29,7 @@ jobs: maxVersion: ${{ steps.minMax.outputs.maxVersion }} terraform-validate: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 needs: versionExtract strategy: matrix: 
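Review bot: The new template-sync workflow hands a PAT (`secrets.TEST_TOKEN`) to both `actions/checkout` and `AndreasAugustin/actions-template-sync@v2` on a daily schedule with `contents: write` and `pull-requests: write`, and the sync action is pinned only to a major tag. Since the `.templatesyncignore` added in this commit does not exclude `.github/`, an upstream change in `lablabs/terraform-aws-eks-universal-addon` can rewrite this repository's workflows through the sync PR; merge review is the remaining control, so the upstream repo and the holder of `TEST_TOKEN` effectively join this repo's trust boundary, which deserves a comment at the top of the workflow. Pin the action to a commit SHA with the version in a comment, give the secret a purpose-revealing name such as `TEMPLATE_SYNC_TOKEN` with its minimum scope documented next to it (contents and pull requests on this repository only), and use `runs-on: ubuntu-22.04` as the other workflows in this commit do.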
@@ -35,17 +38,15 @@ jobs: - ${{ needs.versionExtract.outputs.maxVersion }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: hashicorp/setup-terraform@v2 with: terraform_version: ${{ matrix.tf_ver }} - - name: Validate module - run: | - terraform init - terraform validate - - name: Validate example - run: | - cd examples/basic - terraform init - terraform validate + - name: Terraform Init + id: init + run: terraform init + + - name: Terraform Validate + id: validate + run: terraform validate diff --git a/.gitignore b/.gitignore index dd32dc8..18221f8 100644 --- a/.gitignore +++ b/.gitignore @@ -32,5 +32,3 @@ override.tf.json # Ignore CLI configuration files .terraformrc terraform.rc - -.terraform.lock.hcl diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index b105c2c..cd0b04c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.2.0 + rev: v4.5.0 hooks: - id: trailing-whitespace - id: check-merge-conflict @@ -10,23 +10,22 @@ repos: - id: end-of-file-fixer - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.71.0 + rev: v1.88.2 hooks: - - id: terraform_fmt - - id: terraform_tflint - - id: terraform_validate - - id: terraform_checkov - - id: terraform_docs - args: - - '--args=--hide providers --sort-by required' - - - repo: https://github.com/pecigonzalo/pre-commit-terraform-vars - rev: v1.0.0 - hooks: - - id: terraform-vars + - id: terraform_fmt + - id: terraform_tflint + args: + - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl + - id: terraform_validate + - id: terraform_checkov + args: + - '--args=--skip-check CKV_TF_1' #CKV_TF_1: "Ensure Terraform module sources use a commit hash" + - id: terraform_docs + args: + - '--args=--config=.terraform-docs.yml' - repo: https://github.com/Yelp/detect-secrets - rev: v1.2.0 + rev: v1.4.0 hooks: - id: detect-secrets args: ['--baseline', '.secrets.baseline'] 
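Review bot: The rewritten steps drop the former `Validate example` step, so `examples/basic` — which this commit gives its own `versions.tf` and `.terraform.lock.hcl` — is no longer validated in CI even though the README still points users at it. Since the matrix job already runs `terraform init`/`terraform validate` for the root module, add a parallel step for the example: `- name: Terraform Validate example`, `  working-directory: examples/basic`, `  run: terraform init && terraform validate`. `actions/checkout@v3` is also an older major than the `@v4` used by the new pre-commit and template-sync workflows in this commit; aligning the versions and pinning by SHA would keep the workflows consistent.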
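Review bot: The new `--args=--skip-check CKV_TF_1` disables the checkov rule that requires Terraform module sources to be pinned to a commit hash, while the README in this same commit shows the addon module pulled from `git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon` at tag `v0.0.2`. A tag can be moved upstream, so unlike the providers now locked by the committed `.terraform.lock.hcl`, the module code that `terraform init` fetches is not integrity-pinned. Either set the module `ref` to the commit SHA behind `v0.0.2` and remove the skip, or keep the skip and expand the inline comment to record the accepted risk, e.g. `# CKV_TF_1 skipped: addon module is pinned to a release tag, not a commit hash; tags are mutable, so review version bumps against the upstream commit`.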
diff --git a/.secrets.baseline b/.secrets.baseline index c78b758..eaf7047 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -1,5 +1,5 @@ { - "version": "1.1.0", + "version": "1.3.0", "plugins_used": [ { "name": "ArtifactoryDetector" @@ -20,6 +20,9 @@ { "name": "CloudantDetector" }, + { + "name": "GitHubTokenDetector" + }, { "name": "HexHighEntropyString", "limit": 3.0 @@ -46,6 +49,9 @@ { "name": "PrivateKeyDetector" }, + { + "name": "SendGridDetector" + }, { "name": "SlackDetector" }, @@ -66,6 +72,10 @@ { "path": "detect_secrets.filters.allowlist.is_line_allowlisted" }, + { + "path": "detect_secrets.filters.common.is_baseline_file", + "filename": ".secrets.baseline" + }, { "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", "min_level": 2 @@ -99,5 +109,5 @@ } ], "results": {}, - "generated_at": "2021-12-09T12:48:22Z" + "generated_at": "2022-07-28T10:50:47Z" } diff --git a/.templatesyncignore b/.templatesyncignore new file mode 100644 index 0000000..6192e4e --- /dev/null +++ b/.templatesyncignore @@ -0,0 +1,6 @@ +modules +examples/basic/main.tf +main.tf +variables.tf +README.md +.secrets.baseline diff --git a/.terraform-docs.yml b/.terraform-docs.yml new file mode 100644 index 0000000..56c83d9 --- /dev/null +++ b/.terraform-docs.yml @@ -0,0 +1,34 @@ +formatter: markdown table + +header-from: main.tf +footer-from: docs/.footer.md + +content: |- + {{ .Header }} + {{ include "docs/.content.md" }} + {{ .Requirements }} + {{ .Providers }} + {{ .Modules }} + {{ .Resources }} + {{ include "docs/.inputs.md" }} + {{ .Inputs }} + {{ .Outputs }} + {{ .Footer }} + +output: + file: README.md + mode: replace + template: |- + {{ .Content }} + {{- printf "\n" -}} + +sections: + hide: + - providers + +sort: + by: required + +settings: + default: false + required: false diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl new file mode 100644 index 0000000..f9bceba --- /dev/null +++ b/.terraform.lock.hcl 
@@ -0,0 +1,87 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/cloudposse/utils" { + version = "1.19.2" + constraints = ">= 0.17.0" + hashes = [ + "h1:yy3kB4scsoyM81yyyUMPxuJXeFvexBL5KMrCKrjrUkE=", + "zh:1002d1c3f458b569119b31eb2f732c093922b7f86aa59d999d77c3f3ca297f53", + "zh:367ca0d95bf24db1ff6632da94affe1ac0b51679e00f6ca3f1b8f927b9724c3b", + "zh:3e48ef23e276d18a88405926f39b476d40fb543859f2fcfc316f70501071c1ed", + "zh:3fe9d58ee267423e65c9c52cb486dda1eb59973f42eea9d84fe4c842108fdb73", + "zh:5e9ee6099ee56c30c3dfec935f749b3cef9ad2d4c6d8ad2cf39ee87587fc496d", + "zh:6babf986f8af41c739f1e441a4c0512262ff8bc36892f9506839b126138fce25", + "zh:6d9e659f1e18e409149ed8090ced8894317f37cdf234b34fe86b5aba354d559b", + "zh:828109b900c0fa9240bd48358423034817ab3a81d706b29d84a0e10401766ae4", + "zh:aff0d59c6ba5713a09e11a4f14dad048d787569e92ed4d6aa4b7778d39f52d31", + "zh:b7f469e47d1f94b276590809388ac216f59e1f4fb2d6b950c3f9fcbe9e4e2161", + "zh:b9003915fcbdd74c9e02ba11935daa6110516bf434bfee58f738ae3f2a595c2b", + "zh:dea118d95fe434b9089321e6db7573a882bd8b36d89fe2527e9adefa538561e1", + "zh:e18ef6d2be2cee7b8d0ac03c5eec362fd132c8f2b48da3999a280a4d778ec6ea", + "zh:f317eb941a57e6a899afa44ed6dc12a5c51228fcdf1b3043823346f3887facc9", + ] +} + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.42.0" + constraints = "~> 5.0" + hashes = [ + "h1:Yxsj34z606m8wssYDHyleuBlQ9i+94MHwRs38thQPZU=", + "zh:0fb12bd56a3ad777b29f957c56dd2119776dbc01b6074458f597990e368c82de", + "zh:16e99c13bef6e3777f67c240c916f57c01c9c142254cfb2720e08281ff906447", + "zh:218268f5fe73bcb19e9a996f781ab66df0da9e333d1c60612e3c51ad28a5105f", + "zh:220b17f7053d11548f35136669687d30ef1f1036e15393275325fd2b9654c715", + "zh:2256cfd74988ce05eada76b42efffc6fe2bf4d60b61f57e4db4fcf65ced4c666", + "zh:52da19f531e0cb9828f73bca620e30264e63a494bd7f9ce826aabcf010d3a241", + "zh:56069ce08d720280ba39aaf2fdd40c4357ffb54262c80e4d39c4e540a38e76af", 
+ "zh:82c81398e68324029167f813fbb7c54fa3d233e99fa05001d85cbce8bdd08bb3", + "zh:82d6eaa87f5ab318959064e6c89adc2baabaf70b13f2f7de866f62416de05352", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:ade8490cfdd8de8b9a82986588595b67e0ad1048d9e2d3a6f5164320179c2cd0", + "zh:b094ef56ae9bfffd586f46d4f7fb0097798738df758a8f3c51578ee163495c7e", + "zh:bd5e68e1e454bae0f8d73cff8448e814a35855a561c33b745e1b8b525fb06c9f", + "zh:c111c6a854bf121facca1642d528bfa80fb4214554ac6c33e4a59c86bc605b71", + "zh:e04df69a557adbcdf8efc77eb45be748f0acbe800ccede1e0895393c87722a0f", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "2.12.1" + constraints = ">= 2.6.0" + hashes = [ + "h1:aBfcqM4cbywa7TAxfT1YoFS+Cst9waerlm4XErFmJlk=", + "zh:1d623fb1662703f2feb7860e3c795d849c77640eecbc5a776784d08807b15004", + "zh:253a5bc62ba2c4314875139e3fbd2feaad5ef6b0fb420302a474ab49e8e51a38", + "zh:282358f4ad4f20d0ccaab670b8645228bfad1c03ac0d0df5889f0aea8aeac01a", + "zh:4fd06af3091a382b3f0d8f0a60880f59640d2b6d9d6a31f9a873c6f1bde1ec50", + "zh:6816976b1830f5629ae279569175e88b497abbbac30ee809948a1f923c67a80d", + "zh:7d82c4150cdbf48cfeec867be94c7b9bd7682474d4df0ebb7e24e148f964844f", + "zh:83f062049eea2513118a4c6054fb06c8600bac96196f25aed2cc21898ec86e93", + "zh:a79eec0cf4c08fca79e44033ec6e470f25ff23c3e2c7f9bc707ed7771c1072c0", + "zh:b2b2d904b2821a6e579910320605bc478bbef063579a23fbfdd6fcb5871b81f8", + "zh:e91177ca06a15487fc570cb81ecef6359aa399459ea2aa7c4f7367ba86f6fcad", + "zh:e976bcb82996fc4968f8382bbcb6673efb1f586bf92074058a232028d97825b1", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.27.0" + constraints = ">= 2.20.0" + hashes = [ + "h1:GzU0FzYAT/+IgAhnSBcFH3bT+4I5N6oSga6iZgNJAus=", + "zh:3bdba30ae67c55dc7e9a317ac0da3b208ea7926fe9c2f0ae6587ee88dcc58d1f", + "zh:3f35138a831c00b188d2ffee27111dd0cf59afad2dd5653ed9e67d59646de12c", + 
"zh:64066d18f6ae9a316c2bc840ef3e641d7ab94e1ea3a41d12523e77345ad442ef", + "zh:653063d44b44881af3a480f7f8eaa94fa300e0229df2072d30f606bddcc9f025", + "zh:87f306e37efb61d13efa6da53a1e45e97e5996ebc0568b1caf8c3c5e54c05809", + "zh:8c428b9708f9634391e52300218771eab3fe942bb1295d8c0ad50ca4b33db3d9", + "zh:a44e87119a0337ded15479851786a13f412b413d9a463ba550d1210249206b0f", + "zh:aa2c4d110b0de6ef997c0d45f3f23f8a98f5530753095d6eff439a6d91a8ea31", + "zh:eb15ed8781ac6a0dec2f7d03cf090e23cfa05e3225806c6231ff2c574662fd63", + "zh:eb81c563f93bd3303f9620d11cd49f21f3f89ac3475c6d3e821b239feb9c217d", + "zh:f1a344a7f16131123577e4ec994d04a34ea458ec16c1ccac53fe7946bd817b18", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/.tflint.hcl b/.tflint.hcl new file mode 100644 index 0000000..81011f8 --- /dev/null +++ b/.tflint.hcl @@ -0,0 +1,12 @@ +plugin "terraform" { + enabled = true + version = "0.6.0" + source = "github.com/terraform-linters/tflint-ruleset-terraform" + preset = "recommended" +} + +plugin "aws" { + enabled = true + version = "0.30.0" + source = "github.com/terraform-linters/tflint-ruleset-aws" +} diff --git a/.tool-versions b/.tool-versions new file mode 100644 index 0000000..7ba6b3c --- /dev/null +++ b/.tool-versions @@ -0,0 +1,6 @@ +terraform 1.5.7 +terraform-docs 0.17.0 +tflint 0.50.3 +checkov 3.2.37 +awscli 2.15.29 +pre-commit 3.6.2 diff --git a/README.md b/README.md index 4d87458..ea63700 100644 --- a/README.md +++ b/README.md 
@@ -1,154 +1,170 @@ -# AWS EKS keda Terraform module +# AWS EKS KEDA Controller Terraform module -[![labyrinth labs logo](ll-logo.png)](https://lablabs.io/) +A Terraform module to deploy the [KEDA](https://github.com/kedacore/keda) on Amazon EKS cluster. -We help companies build, run, deploy and scale software and infrastructure by embracing the right technologies and principles. Check out our website at +[![Terraform validate](https://github.com/lablabs/terraform-aws-eks-keda/actions/workflows/validate.yaml/badge.svg)](https://github.com/lablabs/terraform-aws-eks-keda/actions/workflows/validate.yaml) +[![pre-commit](https://github.com/lablabs/terraform-aws-eks-keda/actions/workflows/pre-commit.yaml/badge.svg)](https://github.com/lablabs/terraform-aws-eks-keda/actions/workflows/pre-commit.yaml) --- -[![Terraform validate](https://github.com/lablabs/terraform-aws-eks-keda/actions/workflows/validate.yaml/badge.svg)](https://github.com/lablabs/terraform-aws-eks-keda/actions/workflows/validate.yaml) -[![pre-commit](https://github.com/lablabs/terraform-aws-eks-keda/actions/workflows/pre-commit.yml/badge.svg)](https://github.com/lablabs/terraform-aws-eks-keda/actions/workflows/pre-commit.yml) +## Related Projects -## Description +Check out other [Terraform Kubernetes addons](https://github.com/orgs/lablabs/repositories?q=terraform-aws-eks&type=public&language=&sort=). -A terraform module to deploy the AWS keda on Amazon EKS cluster. +[](https://lablabs.io/) -## Related Projects - -Check out other [terraform kubernetes addons](https://github.com/orgs/lablabs/repositories?q=terraform-aws-eks&type=public&language=&sort=). +We help companies build, run, deploy and scale software and infrastructure by embracing the right technologies and principles. Check out our website at . 
## Deployment methods ### Helm -Deploy helm chart by helm (default method, set `enabled = true`) - -### Argo kubernetes -Deploy helm chart as argo application by kubernetes manifest (set `enabled = true` and `argo_enabled = true`) - -### Argo helm -When deploying with ArgoCD application, Kubernetes terraform provider requires access to Kubernetes cluster API during plan time. This introduces potential issue when you want to deploy the cluster with this addon at the same time, during the same Terraform run. +Deploy Helm chart via Helm resource (default method, set `enabled = true`) -To overcome this issue, the module deploys the ArgoCD application object using the Helm provider, which does not require API access during plan. If you want to deploy the application using this workaround, you can set the `argo_helm_enabled` variable to `true`. +### Argo Kubernetes +Deploy Helm chart as ArgoCD Application via Kubernetes manifest resource (set `enabled = true` and `argo_enabled = true`) -Create helm release resource and deploy it as argo application (set `enabled = true`, `argo_enabled = true` and `argo_helm_enabled = true`) +> **Warning** +> +> When deploying with ArgoCD application, Kubernetes terraform provider requires access to Kubernetes cluster API during plan time. This introduces potential issue when you want to deploy the cluster with this addon at the same time, during the same Terraform run. +> +> To overcome this issue, the module deploys the ArgoCD application object using the Helm provider, which does not require API access during plan. If you want to deploy the application using this workaround, you can set the `argo_helm_enabled` variable to `true`. 
-## AWS IAM resources - -To disable of creation IRSA role and IRSA policy, set `irsa_role_create = false` and `irsa_policy_enabled = false`, respectively +### Argo Helm +Deploy Helm chart as ArgoCD Application via Helm resource (set `enabled = true`, `argo_enabled = true` and `argo_helm_enabled = true`) ## Examples See [Basic example](examples/basic/README.md) for further information. - - ## Requirements | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 4.19.0 | +| [terraform](#requirement\_terraform) | >= 1.5.0 | +| [aws](#requirement\_aws) | ~> 5 | | [helm](#requirement\_helm) | >= 2.6.0 | -| [kubernetes](#requirement\_kubernetes) | >= 2.11.0 | +| [kubernetes](#requirement\_kubernetes) | >= 2.20.0 | | [utils](#requirement\_utils) | >= 0.17.0 | ## Modules -No modules. - +| Name | Source | Version | +|------|--------|---------| +| [addon](#module\_addon) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon | v0.0.2 | ## Resources | Name | Type | |------|------| | [aws_iam_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [helm_release.argo_application](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | -| [helm_release.this](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | -| 
[kubernetes_manifest.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource | -| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_role_policy_attachment.this_additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_policy_document.this_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [utils_deep_merge_yaml.argo_helm_values](https://registry.terraform.io/providers/cloudposse/utils/latest/docs/data-sources/deep_merge_yaml) | data source | +| [aws_iam_policy_document.this_irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [utils_deep_merge_yaml.values](https://registry.terraform.io/providers/cloudposse/utils/latest/docs/data-sources/deep_merge_yaml) | data source | - +> [!IMPORTANT] +> Variables defined in [variables-addon.tf](variables-addon.tf) defaults to `null` to have them overridable by the addon configuration defined though the [`local.addon.*`](main.tf) local variable with some default values defined in [addon.tf](addon.tf). 
## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [cluster\_identity\_oidc\_issuer](#input\_cluster\_identity\_oidc\_issuer) | The OIDC Identity issuer for the cluster | `string` | n/a | yes | -| [cluster\_identity\_oidc\_issuer\_arn](#input\_cluster\_identity\_oidc\_issuer\_arn) | The OIDC Identity issuer ARN for the cluster that can be used to associate IAM roles with a service account | `string` | n/a | yes | -| [argo\_apiversion](#input\_argo\_apiversion) | ArgoCD Appliction apiVersion | `string` | `"argoproj.io/v1alpha1"` | no | -| [argo\_destination\_server](#input\_argo\_destination\_server) | Destination server for ArgoCD Application | `string` | `"https://kubernetes.default.svc"` | no | -| [argo\_enabled](#input\_argo\_enabled) | If set to true, the module will be deployed as ArgoCD application, otherwise it will be deployed as a Helm release | `bool` | `false` | no | -| [argo\_helm\_enabled](#input\_argo\_helm\_enabled) | If set to true, the ArgoCD Application manifest will be deployed using Kubernetes provider as a Helm release. Otherwise it'll be deployed as a Kubernetes manifest. See Readme for more info | `bool` | `false` | no | -| [argo\_helm\_values](#input\_argo\_helm\_values) | Value overrides to use when deploying argo application object with helm | `string` | `""` | no | -| [argo\_info](#input\_argo\_info) | ArgoCD info manifest parameter | `list` |
[
{
"name": "terraform",
"value": "true"
}
]
| no | -| [argo\_kubernetes\_manifest\_computed\_fields](#input\_argo\_kubernetes\_manifest\_computed\_fields) | List of paths of fields to be handled as "computed". The user-configured value for the field will be overridden by any different value returned by the API after apply. | `list(string)` |
[
"metadata.labels",
"metadata.annotations"
]
| no | -| [argo\_kubernetes\_manifest\_field\_manager\_force\_conflicts](#input\_argo\_kubernetes\_manifest\_field\_manager\_force\_conflicts) | Forcibly override any field manager conflicts when applying the kubernetes manifest resource | `bool` | `false` | no | -| [argo\_kubernetes\_manifest\_field\_manager\_name](#input\_argo\_kubernetes\_manifest\_field\_manager\_name) | The name of the field manager to use when applying the kubernetes manifest resource. Defaults to Terraform | `string` | `"Terraform"` | no | -| [argo\_kubernetes\_manifest\_wait\_fields](#input\_argo\_kubernetes\_manifest\_wait\_fields) | A map of fields and a corresponding regular expression with a pattern to wait for. The provider will wait until the field matches the regular expression. Use * for any value. | `map(string)` | `{}` | no | -| [argo\_metadata](#input\_argo\_metadata) | ArgoCD Application metadata configuration. Override or create additional metadata parameters | `map` |
{
"finalizers": [
"resources-finalizer.argocd.argoproj.io"
]
}
| no | -| [argo\_namespace](#input\_argo\_namespace) | Namespace to deploy ArgoCD application CRD to | `string` | `"argo"` | no | -| [argo\_project](#input\_argo\_project) | ArgoCD Application project | `string` | `"default"` | no | -| [argo\_spec](#input\_argo\_spec) | ArgoCD Application spec configuration. Override or create additional spec parameters | `map` | `{}` | no | -| [argo\_sync\_policy](#input\_argo\_sync\_policy) | ArgoCD syncPolicy manifest parameter | `map` | `{}` | no | -| [enabled](#input\_enabled) | Variable indicating whether deployment is enabled | `bool` | `true` | no | -| [helm\_atomic](#input\_helm\_atomic) | If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used | `bool` | `false` | no | -| [helm\_chart\_name](#input\_helm\_chart\_name) | Helm chart name to be installed | `string` | `"keda"` | no | -| [helm\_chart\_version](#input\_helm\_chart\_version) | Version of the Helm chart | `string` | `"2.7.2"` | no | -| [helm\_cleanup\_on\_fail](#input\_helm\_cleanup\_on\_fail) | Allow deletion of new resources created in this helm upgrade when upgrade fails | `bool` | `false` | no | -| [helm\_create\_namespace](#input\_helm\_create\_namespace) | Create the namespace if it does not yet exist | `bool` | `true` | no | -| [helm\_dependency\_update](#input\_helm\_dependency\_update) | Runs helm dependency update before installing the chart | `bool` | `false` | no | -| [helm\_description](#input\_helm\_description) | Set helm release description attribute (visible in the history) | `string` | `""` | no | -| [helm\_devel](#input\_helm\_devel) | Use helm chart development versions, too. Equivalent to version '>0.0.0-0'. 
If version is set, this is ignored | `bool` | `false` | no | -| [helm\_disable\_openapi\_validation](#input\_helm\_disable\_openapi\_validation) | If set, the installation process will not validate rendered helm templates against the Kubernetes OpenAPI Schema | `bool` | `false` | no | -| [helm\_disable\_webhooks](#input\_helm\_disable\_webhooks) | Prevent helm chart hooks from running | `bool` | `false` | no | -| [helm\_force\_update](#input\_helm\_force\_update) | Force helm resource update through delete/recreate if needed | `bool` | `false` | no | -| [helm\_keyring](#input\_helm\_keyring) | Location of public keys used for verification. Used only if helm\_package\_verify is true | `string` | `"~/.gnupg/pubring.gpg"` | no | -| [helm\_lint](#input\_helm\_lint) | Run the helm chart linter during the plan | `bool` | `false` | no | -| [helm\_package\_verify](#input\_helm\_package\_verify) | Verify the package before installing it. Helm uses a provenance file to verify the integrity of the chart; this must be hosted alongside the chart | `bool` | `false` | no | -| [helm\_postrender](#input\_helm\_postrender) | Value block with a path to a binary file to run after helm renders the manifest which can alter the manifest contents | `map(any)` | `{}` | no | -| [helm\_recreate\_pods](#input\_helm\_recreate\_pods) | Perform pods restart during helm upgrade/rollback | `bool` | `false` | no | -| [helm\_release\_max\_history](#input\_helm\_release\_max\_history) | Maximum number of release versions stored per release | `number` | `0` | no | -| [helm\_release\_name](#input\_helm\_release\_name) | Helm release name | `string` | `"keda-controller"` | no | -| [helm\_render\_subchart\_notes](#input\_helm\_render\_subchart\_notes) | If set, render helm subchart notes along with the parent | `bool` | `true` | no | -| [helm\_replace](#input\_helm\_replace) | Re-use the given name of helm release, only if that name is a deleted release which remains in the history. 
This is unsafe in production | `bool` | `false` | no | -| [helm\_repo\_ca\_file](#input\_helm\_repo\_ca\_file) | Helm repositories cert file | `string` | `""` | no | -| [helm\_repo\_cert\_file](#input\_helm\_repo\_cert\_file) | Helm repositories cert file | `string` | `""` | no | -| [helm\_repo\_key\_file](#input\_helm\_repo\_key\_file) | Helm repositories cert key file | `string` | `""` | no | -| [helm\_repo\_password](#input\_helm\_repo\_password) | Password for HTTP basic authentication against the helm repository | `string` | `""` | no | -| [helm\_repo\_url](#input\_helm\_repo\_url) | Helm repository | `string` | `"https://kedacore.github.io/charts"` | no | -| [helm\_repo\_username](#input\_helm\_repo\_username) | Username for HTTP basic authentication against the helm repository | `string` | `""` | no | -| [helm\_reset\_values](#input\_helm\_reset\_values) | When upgrading, reset the values to the ones built into the helm chart | `bool` | `false` | no | -| [helm\_reuse\_values](#input\_helm\_reuse\_values) | When upgrading, reuse the last helm release's values and merge in any overrides. If 'helm\_reset\_values' is specified, this is ignored | `bool` | `false` | no | -| [helm\_set\_sensitive](#input\_helm\_set\_sensitive) | Value block with custom sensitive values to be merged with the values yaml that won't be exposed in the plan's diff | `map(any)` | `{}` | no | -| [helm\_skip\_crds](#input\_helm\_skip\_crds) | If set, no CRDs will be installed before helm release | `bool` | `false` | no | -| [helm\_timeout](#input\_helm\_timeout) | Time in seconds to wait for any individual kubernetes operation (like Jobs for hooks) | `number` | `300` | no | -| [helm\_wait](#input\_helm\_wait) | Will wait until all helm release resources are in a ready state before marking the release as successful. 
It will wait for as long as timeout | `bool` | `false` | no | -| [helm\_wait\_for\_jobs](#input\_helm\_wait\_for\_jobs) | If wait is enabled, will wait until all helm Jobs have been completed before marking the release as successful. It will wait for as long as timeout | `bool` | `false` | no | -| [irsa\_additional\_policies](#input\_irsa\_additional\_policies) | Map of the additional policies to be attached to default role. Where key is arbiraty id and value is policy arn. | `map(string)` | `{}` | no | -| [irsa\_policy\_allow\_assume\_roles](#input\_irsa\_policy\_allow\_assume\_roles) | Allow assume specified roles. IRSA policy must be enabled to take effect. Default to all roles under source AWS account ("arn:aws:iam::{account\_id}:role/*"). | `list(string)` | `[]` | no | -| [irsa\_policy\_enabled](#input\_irsa\_policy\_enabled) | Whether to create opinionated policy for keda controller, see https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/v2.4.0/docs/install/iam_policy.json | `bool` | `true` | no | -| [irsa\_role\_create](#input\_irsa\_role\_create) | Whether to create IRSA role and annotate service account | `bool` | `true` | no | -| [irsa\_role\_name\_prefix](#input\_irsa\_role\_name\_prefix) | The IRSA role name prefix for keda controller | `string` | `"keda-controller"` | no | -| [irsa\_tags](#input\_irsa\_tags) | IRSA resources tags | `map(string)` | `{}` | no | -| [namespace](#input\_namespace) | The K8s namespace in which the keda controller controller will be created | `string` | `"keda-controller"` | no | -| [service\_account\_create](#input\_service\_account\_create) | Whether to create Service Account | `bool` | `true` | no | -| [service\_account\_name](#input\_service\_account\_name) | The k8s keda controller service account name | `string` | `"keda-operator"` | no | -| [settings](#input\_settings) | Additional settings which will be passed to the Helm chart values, see https://github.com/kedacore/charts/tree/main/keda | 
`map(any)` | `{}` | no | -| [values](#input\_values) | Additional yaml encoded values which will be passed to the Helm chart, see https://github.com/kedacore/charts/tree/main/keda | `string` | `""` | no | - +| Name | Description | Type | +|------|-------------|------| +| [argo\_apiversion](#input\_argo\_apiversion) | ArgoCD Application apiVersion. Defaults to `"argoproj.io/v1alpha1"`. | `string` | +| [argo\_destination\_server](#input\_argo\_destination\_server) | Destination server for ArgoCD Application. Defaults to `"https://kubernetes.default.svc"`. | `string` | +| [argo\_enabled](#input\_argo\_enabled) | If set to true, the module will be deployed as ArgoCD application, otherwise it will be deployed as a Helm release. Defaults to `false`. | `bool` | +| [argo\_helm\_enabled](#input\_argo\_helm\_enabled) | If set to true, the ArgoCD Application manifest will be deployed using Kubernetes provider as a Helm release. Otherwise it'll be deployed as a Kubernetes manifest. See README for more info. Defaults to `false`. | `bool` | +| [argo\_helm\_values](#input\_argo\_helm\_values) | Value overrides to use when deploying ArgoCD Application object with Helm. Defaults to `""`. | `string` | +| [argo\_helm\_wait\_backoff\_limit](#input\_argo\_helm\_wait\_backoff\_limit) | Backoff limit for ArgoCD Application Helm release wait job. Defaults to `6`. | `number` | +| [argo\_helm\_wait\_node\_selector](#input\_argo\_helm\_wait\_node\_selector) | Node selector for ArgoCD Application Helm release wait job. Defaults to `{}`. | `map(string)` | +| [argo\_helm\_wait\_timeout](#input\_argo\_helm\_wait\_timeout) | Timeout for ArgoCD Application Helm release wait job. Defaults to `"10m"`. | `string` | +| [argo\_helm\_wait\_tolerations](#input\_argo\_helm\_wait\_tolerations) | Tolerations for ArgoCD Application Helm release wait job. Defaults to `[]`. | `list(any)` | +| [argo\_info](#input\_argo\_info) | ArgoCD info manifest parameter. Defaults to `[{name="terraform",value=true}]`. |
list(object({
name = string
value = string
}))
| +| [argo\_kubernetes\_manifest\_computed\_fields](#input\_argo\_kubernetes\_manifest\_computed\_fields) | List of paths of fields to be handled as "computed". The user-configured value for the field will be overridden by any different value returned by the API after apply. Defaults to `["metadata.labels", "metadata.annotations", "metadata.finalizers"]`. | `list(string)` | +| [argo\_kubernetes\_manifest\_field\_manager\_force\_conflicts](#input\_argo\_kubernetes\_manifest\_field\_manager\_force\_conflicts) | Forcibly override any field manager conflicts when applying the kubernetes manifest resource. Defaults to `false`. | `bool` | +| [argo\_kubernetes\_manifest\_field\_manager\_name](#input\_argo\_kubernetes\_manifest\_field\_manager\_name) | The name of the field manager to use when applying the Kubernetes manifest resource. Defaults to `"Terraform"`. | `string` | +| [argo\_kubernetes\_manifest\_wait\_fields](#input\_argo\_kubernetes\_manifest\_wait\_fields) | A map of fields and a corresponding regular expression with a pattern to wait for. The provider will wait until the field matches the regular expression. Use * for any value. Defaults to `{}`. | `map(string)` | +| [argo\_metadata](#input\_argo\_metadata) | ArgoCD Application metadata configuration. Override or create additional metadata parameters. Defaults to `{finalizers=["resources-finalizer.argocd.argoproj.io"]}`. | `any` | +| [argo\_namespace](#input\_argo\_namespace) | Namespace to deploy ArgoCD application CRD to. Defaults to `"argo"`. | `string` | +| [argo\_project](#input\_argo\_project) | ArgoCD Application project. Defaults to `default`. | `string` | +| [argo\_spec](#input\_argo\_spec) | ArgoCD Application spec configuration. Override or create additional spec parameters. Defaults to `{}`. | `any` | +| [argo\_sync\_policy](#input\_argo\_sync\_policy) | ArgoCD syncPolicy manifest parameter. Defaults to `{}`. 
| `any` | +| [cluster\_identity\_oidc\_issuer](#input\_cluster\_identity\_oidc\_issuer) | The OIDC Identity issuer for the cluster. Defaults to `""`. | `string` | +| [cluster\_identity\_oidc\_issuer\_arn](#input\_cluster\_identity\_oidc\_issuer\_arn) | The OIDC Identity issuer ARN for the cluster that can be used to associate IAM roles with a Service Account. Defaults to `""`. | `string` | +| [enabled](#input\_enabled) | Variable indicating whether deployment is enabled | `bool` | +| [helm\_atomic](#input\_helm\_atomic) | If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used. Defaults to `false`. | `bool` | +| [helm\_chart\_name](#input\_helm\_chart\_name) | Helm chart name to be installed. Defaults to `local.addon.name` (required). | `string` | +| [helm\_chart\_version](#input\_helm\_chart\_version) | Version of the Helm chart. Defaults to `local.addon.helm_chart_version` (required). | `string` | +| [helm\_cleanup\_on\_fail](#input\_helm\_cleanup\_on\_fail) | Allow deletion of new resources created in this Helm upgrade when upgrade fails. Defaults to `false`. | `bool` | +| [helm\_create\_namespace](#input\_helm\_create\_namespace) | Create the namespace if it does not yet exist. Defaults to `true`. | `bool` | +| [helm\_dependency\_update](#input\_helm\_dependency\_update) | Runs Helm dependency update before installing the chart. Defaults to `false`. | `bool` | +| [helm\_description](#input\_helm\_description) | Set Helm release description attribute (visible in the history). Defaults to `""`. | `string` | +| [helm\_devel](#input\_helm\_devel) | Use Helm chart development versions, too. Equivalent to version '>0.0.0-0'. If version is set, this is ignored. Defaults to `false`. | `bool` | +| [helm\_disable\_openapi\_validation](#input\_helm\_disable\_openapi\_validation) | If set, the installation process will not validate rendered Helm templates against the Kubernetes OpenAPI Schema. Defaults to `false`. 
| `bool` | +| [helm\_disable\_webhooks](#input\_helm\_disable\_webhooks) | Prevent Helm chart hooks from running. Defaults to `false`. | `bool` | +| [helm\_force\_update](#input\_helm\_force\_update) | Force Helm resource update through delete/recreate if needed. Defaults to `false`. | `bool` | +| [helm\_keyring](#input\_helm\_keyring) | Location of public keys used for verification. Used only if `helm_package_verify` is `true`. Defaults to `"~/.gnupg/pubring.gpg"`. | `string` | +| [helm\_lint](#input\_helm\_lint) | Run the Helm chart linter during the plan. Defaults to `false`. | `bool` | +| [helm\_package\_verify](#input\_helm\_package\_verify) | Verify the package before installing it. Helm uses a provenance file to verify the integrity of the chart; this must be hosted alongside the chart. Defaults to `false`. | `bool` | +| [helm\_postrender](#input\_helm\_postrender) | Value block with a path to a binary file to run after Helm renders the manifest which can alter the manifest contents. Defaults to `{}`. | `map(any)` | +| [helm\_recreate\_pods](#input\_helm\_recreate\_pods) | Perform pods restart during Helm upgrade/rollback. Defaults to `false`. | `bool` | +| [helm\_release\_max\_history](#input\_helm\_release\_max\_history) | Maximum number of release versions stored per release. Defaults to `0`. | `number` | +| [helm\_release\_name](#input\_helm\_release\_name) | Helm release name. Defaults to `local.addon.name` (required). | `string` | +| [helm\_render\_subchart\_notes](#input\_helm\_render\_subchart\_notes) | If set, render Helm subchart notes along with the parent. Defaults to `true`. | `bool` | +| [helm\_replace](#input\_helm\_replace) | Re-use the given name of Helm release, only if that name is a deleted release which remains in the history. This is unsafe in production. Defaults to `false`. | `bool` | +| [helm\_repo\_ca\_file](#input\_helm\_repo\_ca\_file) | Helm repositories CA cert file. Defaults to `""`. 
| `string` | +| [helm\_repo\_cert\_file](#input\_helm\_repo\_cert\_file) | Helm repositories cert file. Defaults to `""`. | `string` | +| [helm\_repo\_key\_file](#input\_helm\_repo\_key\_file) | Helm repositories cert key file. Defaults to `""`. | `string` | +| [helm\_repo\_password](#input\_helm\_repo\_password) | Password for HTTP basic authentication against the Helm repository. Defaults to `""`. | `string` | +| [helm\_repo\_url](#input\_helm\_repo\_url) | Helm repository. Defaults to `local.addon.helm_repo_url` (required). | `string` | +| [helm\_repo\_username](#input\_helm\_repo\_username) | Username for HTTP basic authentication against the Helm repository. Defaults to `""`. | `string` | +| [helm\_reset\_values](#input\_helm\_reset\_values) | When upgrading, reset the values to the ones built into the Helm chart. Defaults to `false`. | `bool` | +| [helm\_reuse\_values](#input\_helm\_reuse\_values) | When upgrading, reuse the last Helm release's values and merge in any overrides. If 'helm\_reset\_values' is specified, this is ignored. Defaults to `false`. | `bool` | +| [helm\_set\_sensitive](#input\_helm\_set\_sensitive) | Value block with custom sensitive values to be merged with the values yaml that won't be exposed in the plan's diff. Defaults to `{}`. | `map(any)` | +| [helm\_skip\_crds](#input\_helm\_skip\_crds) | If set, no CRDs will be installed before Helm release. Defaults to `false`. | `bool` | +| [helm\_timeout](#input\_helm\_timeout) | Time in seconds to wait for any individual Kubernetes operation (like Jobs for hooks). Defaults to `300`. | `number` | +| [helm\_wait](#input\_helm\_wait) | Will wait until all Helm release resources are in a ready state before marking the release as successful. It will wait for as long as timeout. Defaults to `false`. | `bool` | +| [helm\_wait\_for\_jobs](#input\_helm\_wait\_for\_jobs) | If wait is enabled, will wait until all Helm Jobs have been completed before marking the release as successful. 
It will wait for as long as timeout. Defaults to `false`. | `bool` | +| [irsa\_additional\_policies](#input\_irsa\_additional\_policies) | Map of the additional policies to be attached to default role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`. | `map(string)` | +| [irsa\_assume\_role\_arn](#input\_irsa\_assume\_role\_arn) | Assume role ARN. Assume role must be enabled. Applied only if `irsa_assume_role_enabled` is `true`. Defaults to `""`. | `string` | +| [irsa\_assume\_role\_enabled](#input\_irsa\_assume\_role\_enabled) | Whether IRSA is allowed to assume role defined by `irsa_assume_role_arn`. Mutually exclusive with `irsa_policy_enabled`. Defaults to `false`. | `bool` | +| [irsa\_policy](#input\_irsa\_policy) | Policy to be attached to the default role. Applied only if `irsa_policy_enabled` is `true`. Defaults to `""`. | `string` | +| [irsa\_policy\_enabled](#input\_irsa\_policy\_enabled) | Whether to create opinionated policy to allow AWS operations. Mutually exclusive with `irsa_assume_role_enabled`. Defaults to `false`. | `bool` | +| [irsa\_role\_create](#input\_irsa\_role\_create) | Whether to create IRSA role and annotate Service Account. Defaults to `true`. | `bool` | +| [irsa\_role\_name\_prefix](#input\_irsa\_role\_name\_prefix) | IRSA role name prefix. Defaults to `"${local.addon.name}-irsa"`. | `string` | +| [irsa\_tags](#input\_irsa\_tags) | IRSA resources tags. Defaults to `{}`. | `map(string)` | +| [keda\_metric\_server\_irsa\_additional\_policies](#input\_keda\_metric\_server\_irsa\_additional\_policies) | Map of the additional policies to be attached to default role of the KEDA metrics server. Where key is arbitrary id and value is policy ARN. | `map(string)` | +| [keda\_metric\_server\_irsa\_assume\_role\_arns](#input\_keda\_metric\_server\_irsa\_assume\_role\_arns) | Assume role ARNs for the KEDA metrics server. Applied only if `keda_metric_server_irsa_assume_role_enabled` is `true`. 
| `list(string)` | +| [keda\_metric\_server\_irsa\_assume\_role\_enabled](#input\_keda\_metric\_server\_irsa\_assume\_role\_enabled) | Whether IRSA for the KEDA metrics server is allowed to assume role defined by `keda_metric_server_irsa_assume_role_arn`. Mutually exclusive with `keda_metric_server_irsa_policy_enabled`. | `bool` | +| [keda\_metric\_server\_irsa\_policy](#input\_keda\_metric\_server\_irsa\_policy) | Policy to be attached to the default role of the KEDA metrics server. Applied only if `keda_metric_server_irsa_policy_enabled` is `true`. | `string` | +| [keda\_metric\_server\_irsa\_policy\_enabled](#input\_keda\_metric\_server\_irsa\_policy\_enabled) | Whether to create IAM policy specified by `keda_metric_server_irsa_policy` for the KEDA metrics server. Mutually exclusive with `keda_metric_server_irsa_assume_role_enabled`. | `bool` | +| [keda\_metric\_server\_irsa\_role\_create](#input\_keda\_metric\_server\_irsa\_role\_create) | Whether to create the IRSA role for the KEDA metrics server. | `bool` | +| [keda\_metric\_server\_service\_account\_create](#input\_keda\_metric\_server\_service\_account\_create) | Whether to create the Service Account for the KEDA metrics server. | `bool` | +| [keda\_metric\_server\_service\_account\_name](#input\_keda\_metric\_server\_service\_account\_name) | The name of the Service Account for the KEDA metrics server. | `string` | +| [keda\_operator\_irsa\_additional\_policies](#input\_keda\_operator\_irsa\_additional\_policies) | Map of the additional policies to be attached to default role of the KEDA operator. Where key is arbitrary id and value is policy ARN. | `map(string)` | +| [keda\_operator\_irsa\_assume\_role\_arns](#input\_keda\_operator\_irsa\_assume\_role\_arns) | Assume role ARNs for the KEDA operator. Applied only if `keda_operator_irsa_assume_role_enabled` is `true`. 
| `list(string)` | +| [keda\_operator\_irsa\_assume\_role\_enabled](#input\_keda\_operator\_irsa\_assume\_role\_enabled) | Whether IRSA for the KEDA operator is allowed to assume role defined by `keda_operator_irsa_assume_role_arn`. Mutually exclusive with `keda_operator_irsa_policy_enabled`. | `bool` | +| [keda\_operator\_irsa\_policy](#input\_keda\_operator\_irsa\_policy) | Policy to be attached to the default role of the KEDA operator. Applied only if `keda_operator_irsa_policy_enabled` is `true`. | `string` | +| [keda\_operator\_irsa\_policy\_enabled](#input\_keda\_operator\_irsa\_policy\_enabled) | Whether to create IAM policy specified by `keda_operator_irsa_policy` for the KEDA operator. Mutually exclusive with `keda_operator_irsa_assume_role_enabled`. | `bool` | +| [keda\_operator\_irsa\_role\_create](#input\_keda\_operator\_irsa\_role\_create) | Whether to create the IRSA role for the KEDA operator. | `bool` | +| [keda\_operator\_service\_account\_create](#input\_keda\_operator\_service\_account\_create) | Whether to create the Service Account for the KEDA operator. | `bool` | +| [keda\_operator\_service\_account\_name](#input\_keda\_operator\_service\_account\_name) | The name of the Service Account for the KEDA operator. | `string` | +| [keda\_webhooks\_irsa\_additional\_policies](#input\_keda\_webhooks\_irsa\_additional\_policies) | Map of the additional policies to be attached to default role of the KEDA webhooks. Where key is arbitrary id and value is policy ARN. | `map(string)` | +| [keda\_webhooks\_irsa\_assume\_role\_arns](#input\_keda\_webhooks\_irsa\_assume\_role\_arns) | Assume role ARNs for the KEDA webhooks. Applied only if `keda_webhooks_irsa_assume_role_enabled` is `true`. | `list(string)` | +| [keda\_webhooks\_irsa\_assume\_role\_enabled](#input\_keda\_webhooks\_irsa\_assume\_role\_enabled) | Whether IRSA for the KEDA webhooks is allowed to assume role defined by `keda_webhooks_irsa_assume_role_arn`. 
Mutually exclusive with `keda_webhooks_irsa_policy_enabled`. | `bool` | +| [keda\_webhooks\_irsa\_policy](#input\_keda\_webhooks\_irsa\_policy) | Policy to be attached to the default role of the KEDA webhooks. Applied only if `keda_webhooks_irsa_policy_enabled` is `true`. | `string` | +| [keda\_webhooks\_irsa\_policy\_enabled](#input\_keda\_webhooks\_irsa\_policy\_enabled) | Whether to create IAM policy specified by `keda_webhooks_irsa_policy` for the KEDA operator. Mutually exclusive with `keda_webhooks_irsa_assume_role_enabled`. | `bool` | +| [keda\_webhooks\_irsa\_role\_create](#input\_keda\_webhooks\_irsa\_role\_create) | Whether to create the IRSA role for the KEDA webhooks. | `bool` | +| [keda\_webhooks\_service\_account\_create](#input\_keda\_webhooks\_service\_account\_create) | Whether to create the Service Account for the KEDA webhooks. | `bool` | +| [keda\_webhooks\_service\_account\_name](#input\_keda\_webhooks\_service\_account\_name) | The name of the Service Account for the KEDA webhooks. | `string` | +| [namespace](#input\_namespace) | The Kubernetes Namespace in which the Helm chart will be installed. Defaults to `local.addon.name` (required). | `string` | +| [rbac\_create](#input\_rbac\_create) | Whether to create and use RBAC resources. Defaults to `true`. | `bool` | +| [service\_account\_create](#input\_service\_account\_create) | Whether to create Service Account. Defaults to `true`. | `bool` | +| [service\_account\_name](#input\_service\_account\_name) | The Kubernetes Service Account name. Defaults to `local.addon.name` (required). | `string` | +| [settings](#input\_settings) | Additional Helm sets which will be passed to the Helm chart values. Defaults to `{}`. | `map(any)` | +| [values](#input\_values) | Additional yaml encoded values which will be passed to the Helm chart. Defaults to `""`. 
| `string` | ## Outputs | Name | Description | |------|-------------| -| [helm\_release\_application\_metadata](#output\_helm\_release\_application\_metadata) | Argo application helm release attributes | -| [helm\_release\_metadata](#output\_helm\_release\_metadata) | Helm release attributes | -| [iam\_role\_attributes](#output\_iam\_role\_attributes) | IAM role atributes | -| [kubernetes\_application\_attributes](#output\_kubernetes\_application\_attributes) | Argo kubernetes manifest attributes | - - +| [addon](#output\_addon) | The addon module outputs | ## Contributing and reporting issues Feel free to create an issue in this repository if you have questions, suggestions or feature requests. @@ -157,14 +173,13 @@ Feel free to create an issue in this repository if you have questions, suggestio We want to provide high quality code and modules. For this reason we are using several [pre-commit hooks](.pre-commit-config.yaml) and -[GitHub Actions workflow](.github/workflows/main.yml). A pull-request to the -master branch will trigger these validations and lints automatically. Please +[GitHub Actions workflows](.github/workflows/). A pull-request to the +main branch will trigger these validations and lints automatically. Please check your code before you will create pull-requests. See [pre-commit documentation](https://pre-commit.com/) and [GitHub Actions documentation](https://docs.github.com/en/actions) for further details. - ## License [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) diff --git a/addon.tf b/addon.tf new file mode 100644 index 0000000..481b1ad --- /dev/null +++ b/addon.tf 
@@ -0,0 +1,90 @@
+# IMPORTANT: This file is synced with the "terraform-aws-eks-universal-addon" module. Any changes to this file might be overwritten upon the next release of that module.
+module "addon" {
+  source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon?ref=v0.0.2"
+
+  enabled = var.enabled
+
+  # variable priority var.* (provided by the module user) > local.addon.* (universal addon default override) > default (universal addon default)
+  namespace = var.namespace != null ? var.namespace : try(local.addon.namespace, local.addon.name)
+
+  helm_release_name = var.helm_release_name != null ? var.helm_release_name : try(local.addon.helm_release_name, local.addon.name)
+  helm_chart_name = var.helm_chart_name != null ? var.helm_chart_name : try(local.addon.helm_chart_name, local.addon.name)
+  helm_chart_version = var.helm_chart_version != null ? var.helm_chart_version : local.addon.helm_chart_version
+  helm_atomic = var.helm_atomic != null ? var.helm_atomic : try(local.addon.helm_atomic, false)
+  helm_cleanup_on_fail = var.helm_cleanup_on_fail != null ? var.helm_cleanup_on_fail : try(local.addon.helm_cleanup_on_fail, false)
+  helm_create_namespace = var.helm_create_namespace != null ? var.helm_create_namespace : try(local.addon.helm_create_namespace, true)
+  helm_dependency_update = var.helm_dependency_update != null ? var.helm_dependency_update : try(local.addon.helm_dependency_update, false)
+  helm_description = var.helm_description != null ? var.helm_description : try(local.addon.helm_description, "")
+  helm_devel = var.helm_devel != null ? var.helm_devel : try(local.addon.helm_devel, false)
+  helm_disable_openapi_validation = var.helm_disable_openapi_validation != null ? var.helm_disable_openapi_validation : try(local.addon.helm_disable_openapi_validation, false)
+  helm_disable_webhooks = var.helm_disable_webhooks != null ? var.helm_disable_webhooks : try(local.addon.helm_disable_webhooks, false)
+  helm_force_update = var.helm_force_update != null ? var.helm_force_update : try(local.addon.helm_force_update, false)
+  helm_keyring = var.helm_keyring != null ? var.helm_keyring : try(local.addon.helm_keyring, "~/.gnupg/pubring.gpg")
+  helm_lint = var.helm_lint != null ? var.helm_lint : try(local.addon.helm_lint, false)
+  helm_package_verify = var.helm_package_verify != null ? var.helm_package_verify : try(local.addon.helm_package_verify, false)
+  helm_postrender = var.helm_postrender != null ? var.helm_postrender : try(local.addon.helm_postrender, {})
+  helm_recreate_pods = var.helm_recreate_pods != null ? var.helm_recreate_pods : try(local.addon.helm_recreate_pods, false)
+  helm_release_max_history = var.helm_release_max_history != null ? var.helm_release_max_history : try(local.addon.helm_release_max_history, 0)
+  helm_render_subchart_notes = var.helm_render_subchart_notes != null ? var.helm_render_subchart_notes : try(local.addon.helm_render_subchart_notes, true)
+  helm_replace = var.helm_replace != null ? var.helm_replace : try(local.addon.helm_replace, false)
+  helm_repo_ca_file = var.helm_repo_ca_file != null ? var.helm_repo_ca_file : try(local.addon.helm_repo_ca_file, "")
+  helm_repo_cert_file = var.helm_repo_cert_file != null ? var.helm_repo_cert_file : try(local.addon.helm_repo_cert_file, "")
+  helm_repo_key_file = var.helm_repo_key_file != null ? var.helm_repo_key_file : try(local.addon.helm_repo_key_file, "")
+  helm_repo_password = var.helm_repo_password != null ? var.helm_repo_password : try(local.addon.helm_repo_password, "")
+  helm_repo_url = var.helm_repo_url != null ? var.helm_repo_url : local.addon.helm_repo_url
+  helm_repo_username = var.helm_repo_username != null ? var.helm_repo_username : try(local.addon.helm_repo_username, "")
+  helm_reset_values = var.helm_reset_values != null ? var.helm_reset_values : try(local.addon.helm_reset_values, false)
+  helm_reuse_values = var.helm_reuse_values != null ? var.helm_reuse_values : try(local.addon.helm_reuse_values, false)
+  helm_set_sensitive = var.helm_set_sensitive != null ? var.helm_set_sensitive : try(local.addon.helm_set_sensitive, {})
+  helm_skip_crds = var.helm_skip_crds != null ? var.helm_skip_crds : try(local.addon.helm_skip_crds, false)
+  helm_timeout = var.helm_timeout != null ? var.helm_timeout : try(local.addon.helm_timeout, 300)
+  helm_wait = var.helm_wait != null ? var.helm_wait : try(local.addon.helm_wait, false)
+  helm_wait_for_jobs = var.helm_wait_for_jobs != null ? var.helm_wait_for_jobs : try(local.addon.helm_wait_for_jobs, false)
+
+  argo_apiversion = var.argo_apiversion != null ? var.argo_apiversion : try(local.addon.argo_apiversion, "argoproj.io/v1alpha1")
+  argo_destination_server = var.argo_destination_server != null ? var.argo_destination_server : try(local.addon.argo_destination_server, "https://kubernetes.default.svc")
+  argo_enabled = var.argo_enabled != null ? var.argo_enabled : try(local.addon.argo_enabled, false)
+  argo_helm_enabled = var.argo_helm_enabled != null ? var.argo_helm_enabled : try(local.addon.argo_helm_enabled, false)
+  argo_helm_values = var.argo_helm_values != null ? var.argo_helm_values : try(local.addon.argo_helm_values, "")
+  argo_helm_wait_backoff_limit = var.argo_helm_wait_backoff_limit != null ? var.argo_helm_wait_backoff_limit : try(local.addon.argo_helm_wait_backoff_limit, 6)
+  argo_helm_wait_node_selector = var.argo_helm_wait_node_selector != null ? var.argo_helm_wait_node_selector : try(local.addon.argo_helm_wait_node_selector, var.argo_helm_wait_node_selector)
+  argo_helm_wait_timeout = var.argo_helm_wait_timeout != null ? var.argo_helm_wait_timeout : try(local.addon.argo_helm_wait_timeout, "10m")
+  argo_helm_wait_tolerations = var.argo_helm_wait_tolerations != null ? var.argo_helm_wait_tolerations : try(local.addon.argo_helm_wait_tolerations, tolist([]))
+  argo_info = var.argo_info != null ? var.argo_info : try(local.addon.argo_info, [{ name = "terraform", value = "true" }])
+  argo_kubernetes_manifest_computed_fields = var.argo_kubernetes_manifest_computed_fields != null ? var.argo_kubernetes_manifest_computed_fields : try(local.addon.argo_kubernetes_manifest_computed_fields, ["metadata.labels", "metadata.annotations", "metadata.finalizers"])
+  argo_kubernetes_manifest_field_manager_force_conflicts = var.argo_kubernetes_manifest_field_manager_force_conflicts != null ? var.argo_kubernetes_manifest_field_manager_force_conflicts : try(local.addon.argo_kubernetes_manifest_field_manager_force_conflicts, false)
+  argo_kubernetes_manifest_field_manager_name = var.argo_kubernetes_manifest_field_manager_name != null ? var.argo_kubernetes_manifest_field_manager_name : try(local.addon.argo_kubernetes_manifest_field_manager_name, "Terraform")
+  argo_kubernetes_manifest_wait_fields = var.argo_kubernetes_manifest_wait_fields != null ? var.argo_kubernetes_manifest_wait_fields : try(local.addon.argo_kubernetes_manifest_wait_fields, tomap({}))
+  argo_metadata = var.argo_metadata != null ? var.argo_metadata : try(local.addon.argo_metadata, { finalizers = ["resources-finalizer.argocd.argoproj.io"] })
+  argo_namespace = var.argo_namespace != null ? var.argo_namespace : try(local.addon.argo_namespace, "argo")
+  argo_project = var.argo_project != null ? var.argo_project : try(local.addon.argo_project, "default")
+  argo_spec = var.argo_spec != null ? var.argo_spec : try(local.addon.argo_spec, tomap({}))
+  argo_sync_policy = var.argo_sync_policy != null ? var.argo_sync_policy : try(local.addon.argo_sync_policy, tomap({}))
+
+  cluster_identity_oidc_issuer = var.cluster_identity_oidc_issuer != null ? var.cluster_identity_oidc_issuer : try(local.addon.cluster_identity_oidc_issuer, "")
+  cluster_identity_oidc_issuer_arn = var.cluster_identity_oidc_issuer_arn != null ? var.cluster_identity_oidc_issuer_arn : try(local.addon.cluster_identity_oidc_issuer_arn, "")
+  irsa_role_create = var.irsa_role_create != null ? var.irsa_role_create : try(local.addon.irsa_role_create, true)
+  irsa_additional_policies = var.irsa_additional_policies != null ? var.irsa_additional_policies : try(local.addon.irsa_additional_policies, tomap({}))
+  irsa_assume_role_arn = var.irsa_assume_role_arn != null ? var.irsa_assume_role_arn : try(local.addon.irsa_assume_role_arn, "")
+  irsa_assume_role_enabled = var.irsa_assume_role_enabled != null ? var.irsa_assume_role_enabled : try(local.addon.irsa_assume_role_enabled, false)
+  irsa_policy = var.irsa_policy != null ? var.irsa_policy : try(local.addon.irsa_policy, "")
+  irsa_policy_enabled = var.irsa_policy_enabled != null ? var.irsa_policy_enabled : try(local.addon.irsa_policy_enabled, false)
+  irsa_role_name_prefix = var.irsa_role_name_prefix != null ? var.irsa_role_name_prefix : try(local.addon.irsa_role_name_prefix, "${local.addon.name}-irsa")
+  irsa_tags = var.irsa_tags != null ? var.irsa_tags : try(local.addon.irsa_tags, tomap({}))
+
+  rbac_create = var.rbac_create != null ? var.rbac_create : try(local.addon.rbac_create, true)
+  service_account_create = var.service_account_create != null ? var.service_account_create : try(local.addon.service_account_create, true)
+  service_account_name = var.service_account_name != null ? var.service_account_name : try(local.addon.service_account_name, local.addon.name)
+
+  settings = var.settings != null ? var.settings : try(local.addon.settings, tomap({}))
+  values = one(data.utils_deep_merge_yaml.values[*].output)
+}
+
+data "utils_deep_merge_yaml" "values" {
+  count = var.enabled == true ? 1 : 0
+
+  input = compact([
+    try(local.addon.values, ""),
+    var.values
+  ])
+}
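Review bot: The fallback for `argo_helm_wait_node_selector` re-uses the variable that was just tested against null, so when neither `var.argo_helm_wait_node_selector` nor `local.addon.argo_helm_wait_node_selector` is set the addon module receives null instead of the `{}` the README table promises; every other map-typed input in this block falls back to `tomap({})`, so the line should read `argo_helm_wait_node_selector = var.argo_helm_wait_node_selector != null ? var.argo_helm_wait_node_selector : try(local.addon.argo_helm_wait_node_selector, tomap({}))`. Separately, `source` pins the universal addon to the git tag `v0.0.2`, which is a mutable reference for a module that is handed IAM inputs (IRSA role creation, assume-role ARNs, policy documents); pinning `?ref=` to the full commit SHA (e.g. `?ref=<commit-sha-of-v0.0.2>`, placeholder) or documenting how the tag is verified before bumps would make the supply chain reviewable. The `try(local.addon.<key>, <default>)` pattern also silently falls back to the default when a `local.addon` key is misspelled, which deserves a one-line comment next to the priority comment so maintainers know that typos in `main.tf` will not fail the plan. The header says this file is synced from the universal addon repository, so the first two changes presumably need to land upstream to survive the next sync.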
diff --git a/argo.tf b/argo.tf deleted file mode 100644 index 1ba614a..0000000 --- a/argo.tf +++ /dev/null 
@@ -1,85 +0,0 @@
-locals {
- argo_application_metadata = {
- "labels" : try(var.argo_metadata.labels, {}),
- "annotations" : try(var.argo_metadata.annotations, {}),
- "finalizers" : try(var.argo_metadata.finalizers, [])
- }
- argo_application_values = {
- "project" : var.argo_project
- "source" : {
- "repoURL" : var.helm_repo_url
- "chart" : var.helm_chart_name
- "targetRevision" : var.helm_chart_version
- "helm" : {
- "releaseName" : var.helm_release_name
- "parameters" : [for k, v in var.settings : tomap({ "forceString" : true, "name" : k, "value" : v })]
- "values" : var.enabled ? data.utils_deep_merge_yaml.values[0].output : ""
- }
- }
- "destination" : {
- "server" : var.argo_destination_server
- "namespace" : var.namespace
- }
- "syncPolicy" : var.argo_sync_policy
- "info" : var.argo_info
- }
-}
-
-data "utils_deep_merge_yaml" "argo_helm_values" {
- count = var.enabled && var.argo_enabled && var.argo_helm_enabled ? 1 : 0
- input = compact([
- yamlencode({
- "apiVersion" : var.argo_apiversion
- }),
- yamlencode({
- "spec" : local.argo_application_values
- }),
- yamlencode({
- "spec" : var.argo_spec
- }),
- yamlencode(
- local.argo_application_metadata
- )
- ])
-}
-
-resource "helm_release" "argo_application" {
- count = var.enabled && var.argo_enabled && var.argo_helm_enabled ? 1 : 0
-
- chart = "${path.module}/helm/argocd-application"
- name = var.helm_release_name
- namespace = var.argo_namespace
-
- values = [
- data.utils_deep_merge_yaml.argo_helm_values[0].output,
- var.argo_helm_values
- ]
-}
-
-resource "kubernetes_manifest" "this" {
- count = var.enabled && var.argo_enabled && !var.argo_helm_enabled ?
1 : 0
- manifest = {
- "apiVersion" = var.argo_apiversion
- "kind" = "Application"
- "metadata" = merge(
- local.argo_application_metadata,
- { "name" = var.helm_release_name },
- { "namespace" = var.argo_namespace },
- )
- "spec" = merge(
- local.argo_application_values,
- var.argo_spec
- )
- }
-
- computed_fields = var.argo_kubernetes_manifest_computed_fields
-
- field_manager {
- name = var.argo_kubernetes_manifest_field_manager_name
- force_conflicts = var.argo_kubernetes_manifest_field_manager_force_conflicts
- }
-
- wait {
- fields = var.argo_kubernetes_manifest_wait_fields
- }
-}
diff --git a/docs/.content.md b/docs/.content.md
new file mode 100644
index 0000000..f0a08b2
--- /dev/null
+++ b/docs/.content.md
@@ -0,0 +1,31 @@ + +--- + +## Related Projects + +Check out other [Terraform Kubernetes addons](https://github.com/orgs/lablabs/repositories?q=terraform-aws-eks&type=public&language=&sort=). + +[](https://lablabs.io/) + +We help companies build, run, deploy and scale software and infrastructure by embracing the right technologies and principles. Check out our website at . + +## Deployment methods + +### Helm +Deploy Helm chart via Helm resource (default method, set `enabled = true`) + +### Argo Kubernetes +Deploy Helm chart as ArgoCD Application via Kubernetes manifest resource (set `enabled = true` and `argo_enabled = true`) + +> **Warning** +> +> When deploying with ArgoCD application, Kubernetes terraform provider requires access to Kubernetes cluster API during plan time. This introduces potential issue when you want to deploy the cluster with this addon at the same time, during the same Terraform run. +> +> To overcome this issue, the module deploys the ArgoCD application object using the Helm provider, which does not require API access during plan. If you want to deploy the application using this workaround, you can set the `argo_helm_enabled` variable to `true`. + +### Argo Helm +Deploy Helm chart as ArgoCD Application via Helm resource (set `enabled = true`, `argo_enabled = true` and `argo_helm_enabled = true`) + +## Examples + +See [Basic example](examples/basic/README.md) for further information. diff --git a/docs/.footer.md b/docs/.footer.md new file mode 100644 index 0000000..971db04 --- /dev/null +++ b/docs/.footer.md 
@@ -0,0 +1,37 @@ +## Contributing and reporting issues + +Feel free to create an issue in this repository if you have questions, suggestions or feature requests. + +### Validation, linters and pull-requests + +We want to provide high quality code and modules. For this reason we are using +several [pre-commit hooks](.pre-commit-config.yaml) and +[GitHub Actions workflows](.github/workflows/). A pull-request to the +main branch will trigger these validations and lints automatically. Please +check your code before you will create pull-requests. See +[pre-commit documentation](https://pre-commit.com/) and +[GitHub Actions documentation](https://docs.github.com/en/actions) for further +details. + +## License + +[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) + +See [LICENSE](LICENSE) for full details. + + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. diff --git a/docs/.inputs.md b/docs/.inputs.md new file mode 100644 index 0000000..87dfcdf --- /dev/null +++ b/docs/.inputs.md 
@@ -0,0 +1,2 @@ +> [!IMPORTANT] +> Variables defined in [variables-addon.tf](variables-addon.tf) defaults to `null` to have them overridable by the addon configuration defined though the [`local.addon.*`](main.tf) local variable with some default values defined in [addon.tf](addon.tf). diff --git a/examples/basic/.terraform.lock.hcl b/examples/basic/.terraform.lock.hcl new file mode 100644 index 0000000..3c1279a --- /dev/null +++ b/examples/basic/.terraform.lock.hcl 
@@ -0,0 +1,147 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/cloudposse/utils" { + version = "1.18.0" + constraints = ">= 0.17.0" + hashes = [ + "h1:UdRh991C59aDB5nrpBN1PZzyZucsmbgvoDHq4uHKiE0=", + "zh:1a6a1f1c354a2e1f92369fd331e1578ee8942600406c83629278b1d88e857421", + "zh:35847cc6575844c05e2cbbe199e9d1190c01ed1b91dfe05b897bb6c83825debe", + "zh:3b4f263c7c4b9ab08f59577c133f7112b380487dacc1d75b2802488a53dcb23d", + "zh:42d375186f222f42274eb2343c66301ea33cc3d6220cf36ccd19caceec8c749e", + "zh:59c4444032b29bb22df5236bf768d76d280b9fb52642579c99752e5ce1c7664c", + "zh:646d85575752b76d48fd33a7528f2af02c85270ea24981008d3fb2e9eb446e3b", + "zh:888586850d55e6270d7f8f86f48488c8eb75a595f57d2b0c33ffe786b67cc7a4", + "zh:8acf6aea1cc78256187fd27d3f2935e561e4ae487123347cffcf2bd567f31693", + "zh:8f42211e88b08ed54cb7a608770533fd11e20387830c111def54efd6a24c4b90", + "zh:a0d5670d6d17267b0ef8342fde2cbaa034fa9bb79921ab0ee378df4661ef2076", + "zh:c8a940014de1d1a23bb23dbaeb909d2644f0e1379858b398b8ad173f892a9022", + "zh:d4555331bfe6a6601ece25740a2cbac240ddb72f5ebdbf26778e40e8608afc44", + "zh:f0781a219a72b93282f82bcc75a0ef5e2c2e7e4da48e0d339acc0f28d07446a6", + "zh:f9b1455886ab9716b3d243367bc26e9ac836e281894024aa1d1b7f16f886ca0b", + ] +} + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.41.0" + constraints = ">= 3.0.0, >= 3.38.0, >= 3.56.0, >= 4.35.0, ~> 5.0" + hashes = [ + "h1:DiX7N35G2NUQRyRGy90+gyePnhP4w77f8LrJUronotE=", + "zh:0553331a6287c146353b6daf6f71987d8c000f407b5e29d6e004ea88faec2e67", + "zh:1a11118984bb2950e8ee7ef17b0f91fc9eb4a42c8e7a9cafd7eb4aca771d06e4", + "zh:236fedd266d152a8233a7fe27ffdd99ca27d9e66a9618a988a4c3da1ac24a33f", + "zh:34bc482ea04cf30d4d216afa55eecf66854e1acf93892cb28a6b5af91d43c9b7", + "zh:39d7eb15832fe339bf46e3bab9852280762a1817bf1afc459eecd430e20e3ad5", + "zh:39fb07429c51556b05170ec2b6bd55e2487adfe1606761eaf1f2a43c4bb20e47", + 
"zh:71d7cd3013e2f3fa0f65194af29ee6f5fa905e0df2b72b723761dc953f4512ea", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9b271ae12394e7e2ce6da568b42226a146e90fd705e02a670fcb93618c4aa19f", + "zh:a884dd978859d001709681f9513ba0fbb0753d1d459a7f3434ecc5f1b8699c49", + "zh:b8c3c7dc10ae4f6143168042dcf8dee63527b103cc37abc238ea06150af38b6e", + "zh:ba94ffe0893ad60c0b70c402e163b4df2cf417e93474a9cc1a37535bba18f22d", + "zh:d5ba851d971ff8d796afd9a100acf55eaac0c197c6ab779787797ce66f419f0e", + "zh:e8c090d0c4f730c4a610dc4f0c22b177a0376d6f78679fc3f1d557b469e656f4", + "zh:ed7623acde26834672969dcb5befdb62900d9f216d32e7478a095d2b040a0ea7", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "2.12.1" + constraints = ">= 2.6.0" + hashes = [ + "h1:aBfcqM4cbywa7TAxfT1YoFS+Cst9waerlm4XErFmJlk=", + "zh:1d623fb1662703f2feb7860e3c795d849c77640eecbc5a776784d08807b15004", + "zh:253a5bc62ba2c4314875139e3fbd2feaad5ef6b0fb420302a474ab49e8e51a38", + "zh:282358f4ad4f20d0ccaab670b8645228bfad1c03ac0d0df5889f0aea8aeac01a", + "zh:4fd06af3091a382b3f0d8f0a60880f59640d2b6d9d6a31f9a873c6f1bde1ec50", + "zh:6816976b1830f5629ae279569175e88b497abbbac30ee809948a1f923c67a80d", + "zh:7d82c4150cdbf48cfeec867be94c7b9bd7682474d4df0ebb7e24e148f964844f", + "zh:83f062049eea2513118a4c6054fb06c8600bac96196f25aed2cc21898ec86e93", + "zh:a79eec0cf4c08fca79e44033ec6e470f25ff23c3e2c7f9bc707ed7771c1072c0", + "zh:b2b2d904b2821a6e579910320605bc478bbef063579a23fbfdd6fcb5871b81f8", + "zh:e91177ca06a15487fc570cb81ecef6359aa399459ea2aa7c4f7367ba86f6fcad", + "zh:e976bcb82996fc4968f8382bbcb6673efb1f586bf92074058a232028d97825b1", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.27.0" + constraints = ">= 2.7.1, >= 2.20.0" + hashes = [ + "h1:GzU0FzYAT/+IgAhnSBcFH3bT+4I5N6oSga6iZgNJAus=", + "zh:3bdba30ae67c55dc7e9a317ac0da3b208ea7926fe9c2f0ae6587ee88dcc58d1f", + 
"zh:3f35138a831c00b188d2ffee27111dd0cf59afad2dd5653ed9e67d59646de12c", + "zh:64066d18f6ae9a316c2bc840ef3e641d7ab94e1ea3a41d12523e77345ad442ef", + "zh:653063d44b44881af3a480f7f8eaa94fa300e0229df2072d30f606bddcc9f025", + "zh:87f306e37efb61d13efa6da53a1e45e97e5996ebc0568b1caf8c3c5e54c05809", + "zh:8c428b9708f9634391e52300218771eab3fe942bb1295d8c0ad50ca4b33db3d9", + "zh:a44e87119a0337ded15479851786a13f412b413d9a463ba550d1210249206b0f", + "zh:aa2c4d110b0de6ef997c0d45f3f23f8a98f5530753095d6eff439a6d91a8ea31", + "zh:eb15ed8781ac6a0dec2f7d03cf090e23cfa05e3225806c6231ff2c574662fd63", + "zh:eb81c563f93bd3303f9620d11cd49f21f3f89ac3475c6d3e821b239feb9c217d", + "zh:f1a344a7f16131123577e4ec994d04a34ea458ec16c1ccac53fe7946bd817b18", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.2" + constraints = ">= 2.0.0" + hashes = [ + "h1:IMVAUHKoydFrlPrl9OzasDnw/8ntZFerCC9iXw1rXQY=", + "zh:3248aae6a2198f3ec8394218d05bd5e42be59f43a3a7c0b71c66ec0df08b69e7", + "zh:32b1aaa1c3013d33c245493f4a65465eab9436b454d250102729321a44c8ab9a", + "zh:38eff7e470acb48f66380a73a5c7cdd76cc9b9c9ba9a7249c7991488abe22fe3", + "zh:4c2f1faee67af104f5f9e711c4574ff4d298afaa8a420680b0cb55d7bbc65606", + "zh:544b33b757c0b954dbb87db83a5ad921edd61f02f1dc86c6186a5ea86465b546", + "zh:696cf785090e1e8cf1587499516b0494f47413b43cb99877ad97f5d0de3dc539", + "zh:6e301f34757b5d265ae44467d95306d61bef5e41930be1365f5a8dcf80f59452", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:913a929070c819e59e94bb37a2a253c228f83921136ff4a7aa1a178c7cce5422", + "zh:aa9015926cd152425dbf86d1abdbc74bfe0e1ba3d26b3db35051d7b9ca9f72ae", + "zh:bb04798b016e1e1d49bcc76d62c53b56c88c63d6f2dfe38821afef17c416a0e1", + "zh:c23084e1b23577de22603cff752e59128d83cfecc2e6819edadd8cf7a10af11e", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.6.0" + constraints = ">= 2.0.0" + hashes = [ + 
"h1:I8MBeauYA8J8yheLJ8oSMWqB0kovn16dF/wKZ1QTdkk=", + "zh:03360ed3ecd31e8c5dac9c95fe0858be50f3e9a0d0c654b5e504109c2159287d", + "zh:1c67ac51254ba2a2bb53a25e8ae7e4d076103483f55f39b426ec55e47d1fe211", + "zh:24a17bba7f6d679538ff51b3a2f378cedadede97af8a1db7dad4fd8d6d50f829", + "zh:30ffb297ffd1633175d6545d37c2217e2cef9545a6e03946e514c59c0859b77d", + "zh:454ce4b3dbc73e6775f2f6605d45cee6e16c3872a2e66a2c97993d6e5cbd7055", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:91df0a9fab329aff2ff4cf26797592eb7a3a90b4a0c04d64ce186654e0cc6e17", + "zh:aa57384b85622a9f7bfb5d4512ca88e61f22a9cea9f30febaa4c98c68ff0dc21", + "zh:c4a3e329ba786ffb6f2b694e1fd41d413a7010f3a53c20b432325a94fa71e839", + "zh:e2699bc9116447f96c53d55f2a00570f982e6f9935038c3810603572693712d0", + "zh:e747c0fd5d7684e5bfad8aa0ca441903f15ae7a98a737ff6aca24ba223207e2c", + "zh:f1ca75f417ce490368f047b63ec09fd003711ae48487fba90b4aba2ccf71920e", + ] +} + +provider "registry.terraform.io/hashicorp/tls" { + version = "4.0.5" + constraints = ">= 3.1.0" + hashes = [ + "h1:zeG5RmggBZW/8JWIVrdaeSJa0OG62uFX5HY1eE8SjzY=", + "zh:01cfb11cb74654c003f6d4e32bbef8f5969ee2856394a96d127da4949c65153e", + "zh:0472ea1574026aa1e8ca82bb6df2c40cd0478e9336b7a8a64e652119a2fa4f32", + "zh:1a8ddba2b1550c5d02003ea5d6cdda2eef6870ece86c5619f33edd699c9dc14b", + "zh:1e3bb505c000adb12cdf60af5b08f0ed68bc3955b0d4d4a126db5ca4d429eb4a", + "zh:6636401b2463c25e03e68a6b786acf91a311c78444b1dc4f97c539f9f78de22a", + "zh:76858f9d8b460e7b2a338c477671d07286b0d287fd2d2e3214030ae8f61dd56e", + "zh:a13b69fb43cb8746793b3069c4d897bb18f454290b496f19d03c3387d1c9a2dc", + "zh:a90ca81bb9bb509063b736842250ecff0f886a91baae8de65c8430168001dad9", + "zh:c4de401395936e41234f1956ebadbd2ed9f414e6908f27d578614aaa529870d4", + "zh:c657e121af8fde19964482997f0de2d5173217274f6997e16389e7707ed8ece8", + "zh:d68b07a67fbd604c38ec9733069fbf23441436fecf554de6c75c032f82e1ef19", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} 
diff --git a/examples/basic/README.md b/examples/basic/README.md deleted file mode 100644 index 877e0f2..0000000 --- a/examples/basic/README.md +++ /dev/null @@ -1,52 +0,0 @@ -# Basic example - -The code in this example shows how to use the module with basic configuration and minimal set of other resources. - -## Deployment methods - -### Helm -Deploy helm chart by helm (default method, set `enabled = true`) - -### Argo kubernetes -Deploy helm chart as argo application by kubernetes manifest (set `enabled = true` and `argo_enabled = true`) - -### Argo helm -Create helm release resource and deploy it as argo application (set `enabled = true`, `argo_enabled = true` and `argo_helm_enabled = true`) - -## AWS IAM resources - -To disable of creation IRSA role and IRSA policy, set `irsa_role_create = false` and `irsa_policy_enabled = false`, respectively - - - -## Requirements - -No requirements. - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [eks\_cluster](#module\_eks\_cluster) | cloudposse/eks-cluster/aws | 0.45.0 | -| [eks\_node\_group](#module\_eks\_node\_group) | cloudposse/eks-node-group/aws | 0.28.0 | -| [keda\_argo\_helm](#module\_keda\_argo\_helm) | ../../ | n/a | -| [keda\_argo\_kubernetes](#module\_keda\_argo\_kubernetes) | ../../ | n/a | -| [keda\_disabled](#module\_keda\_disabled) | ../../ | n/a | -| [keda\_helm](#module\_keda\_helm) | ../../ | n/a | -| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 3.13.0 | - -## Resources - -| Name | Type | -|------|------| -| [aws_eks_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | -| [aws_eks_cluster_auth.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | - -## Inputs - -No inputs. - -## Outputs - -No outputs. - diff --git a/examples/basic/base.tf b/examples/basic/base.tf new file mode 100644 index 0000000..3067b2a --- /dev/null 
+++ b/examples/basic/base.tf
@@ -0,0 +1,33 @@
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "5.6.0"
+
+ name = "vpc"
+ cidr = "10.0.0.0/16"
+ azs = ["eu-central-1a", "eu-central-1b"]
+ private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
+ public_subnets = ["10.0.101.0/24", "10.0.102.0/24"]
+ enable_nat_gateway = true
+}
+
+module "eks_cluster" {
+ source = "cloudposse/eks-cluster/aws"
+ version = "4.0.0"
+
+ name = "eks"
+ region = data.aws_region.this.name
+ subnet_ids = module.vpc.public_subnets
+}
+
+module "eks_node_group" {
+ source = "cloudposse/eks-node-group/aws"
+ version = "2.12.0"
+
+ cluster_name = module.eks_cluster.eks_cluster_id
+ instance_types = ["t3.medium"]
+ subnet_ids = module.vpc.public_subnets
+ min_size = 1
+ desired_size = 1
+ max_size = 2
+ depends_on = [module.eks_cluster.kubernetes_config_map_id]
+}
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
index 82b49a4..2d19b9f 100644
--- a/examples/basic/main.tf
+++ b/examples/basic/main.tf
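Review bot: `module.eks_node_group` places the workers in `module.vpc.public_subnets`, while the VPC block above defines `private_subnets` and turns on `enable_nat_gateway`, which nothing in the example then uses; examples get copied, and worker nodes on public subnets are directly reachable if those subnets assign public IPs. `subnet_ids = module.vpc.private_subnets` for the node group gives the NAT gateway a purpose and keeps the nodes off the public subnets, while `module.eks_cluster` can stay on the public subnets if a public API endpoint is intended. The previous example also passed `vpc_id = module.vpc.vpc_id` to `eks_cluster`; whether version 4.0.0 of the cloudposse module still needs it cannot be told from this hunk.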
@@ -1,104 +1,49 @@
-module "vpc" {
- source = "terraform-aws-modules/vpc/aws"
- version = "3.13.0"
-
- name = "keda-vpc"
- cidr = "10.0.0.0/16"
- azs = ["eu-central-1a", "eu-central-1b"]
- public_subnets = ["10.0.101.0/24", "10.0.102.0/24"]
- enable_nat_gateway = true
-}
-
-module "eks_cluster" {
- source = "cloudposse/eks-cluster/aws"
- version = "0.45.0"
-
- region = "eu-central-1"
- subnet_ids = module.vpc.public_subnets
- vpc_id = module.vpc.vpc_id
- name = "keda"
-}
-
-module "eks_node_group" {
- source = "cloudposse/eks-node-group/aws"
- version = "0.28.0"
-
- cluster_name = "keda"
- instance_types = ["t3.medium"]
- subnet_ids = module.vpc.public_subnets
- min_size = 1
- desired_size = 1
- max_size = 2
- depends_on = [module.eks_cluster.kubernetes_config_map_id]
-}
-
-module "keda_disabled" {
+module "addon_installation_disabled" {
 source = "../../"
 enabled = false
-
- cluster_identity_oidc_issuer = module.eks_cluster.eks_cluster_identity_oidc_issuer
- cluster_identity_oidc_issuer_arn = module.eks_cluster.eks_cluster_identity_oidc_issuer_arn
 }
-module "keda_helm" {
+module "addon_installation_helm" {
 source = "../../"
 enabled = true
 argo_enabled = false
 argo_helm_enabled = false
- cluster_identity_oidc_issuer = module.eks_cluster.eks_cluster_identity_oidc_issuer
- cluster_identity_oidc_issuer_arn = module.eks_cluster.eks_cluster_identity_oidc_issuer_arn
-
- helm_release_name = "aws-keda-helm"
- namespace = "aws-keda-helm"
 values = yamlencode({
- "podLabels" : {
- "app" : "aws-keda-helm"
- }
+ # insert sample values here
 })
-
- helm_timeout = 240
- helm_wait = true
 }
-module "keda_argo_kubernetes" {
+# Please, see README.md and Argo Kubernetes deployment method for implications of using Kubernetes installation method
+module "addon_installation_argo_kubernetes" {
 source = "../../"
 enabled = true
 argo_enabled = true
 argo_helm_enabled = false
- cluster_identity_oidc_issuer = module.eks_cluster.eks_cluster_identity_oidc_issuer
- cluster_identity_oidc_issuer_arn
= module.eks_cluster.eks_cluster_identity_oidc_issuer_arn
-
- helm_release_name = "aws-keda-argo-kubernetes"
- namespace = "aws-keda-argo-kubernetes"
+ values = yamlencode({
+ # insert sample values here
+ })
 argo_sync_policy = {
- "automated" : {}
- "syncOptions" = ["CreateNamespace=true"]
+ automated = {}
+ syncOptions = ["CreateNamespace=true"]
 }
 }
-module "keda_argo_helm" {
+
+module "addon_installation_argo_helm" {
 source = "../../"
 enabled = true
 argo_enabled = true
 argo_helm_enabled = true
- cluster_identity_oidc_issuer = module.eks_cluster.eks_cluster_identity_oidc_issuer
- cluster_identity_oidc_issuer_arn = module.eks_cluster.eks_cluster_identity_oidc_issuer_arn
-
- helm_release_name = "aws-keda-argo-helm"
- namespace = "aws-keda-argo-helm"
-
- argo_namespace = "argo"
 argo_sync_policy = {
- "automated" : {}
- "syncOptions" = ["CreateNamespace=true"]
+ automated = {}
+ syncOptions = ["CreateNamespace=true"]
 }
 }
diff --git a/examples/basic/providers.tf b/examples/basic/providers.tf
index e8369d1..2458d7e 100644
--- a/examples/basic/providers.tf
+++ b/examples/basic/providers.tf
@@ -1,6 +1,4 @@
-provider "aws" {
- region = "eu-central-1"
-}
+data "aws_region" "this" {}
 data "aws_eks_cluster" "this" {
 name = module.eks_cluster.eks_cluster_id
@@ -10,10 +8,20 @@ data "aws_eks_cluster_auth" "this" {
 name = module.eks_cluster.eks_cluster_id
 }
+provider "aws" {
+ region = "eu-central-1"
+}
+
+provider "kubernetes" {
+ host = data.aws_eks_cluster.this.endpoint
+ token = data.aws_eks_cluster_auth.this.token
+ cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority[0].data)
+}
+
 provider "helm" {
 kubernetes {
 host = data.aws_eks_cluster.this.endpoint
 token = data.aws_eks_cluster_auth.this.token
- cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority.0.data)
+ cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority[0].data)
 }
 }
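Review bot: All three enabled example modules drop `cluster_identity_oidc_issuer` and `cluster_identity_oidc_issuer_arn`, yet `module.eks_cluster` in base.tf still provides those outputs and the addon locals earlier in this diff fall back to `""` when the inputs are absent, so any IRSA role the example creates would get a trust condition built from an empty issuer. Unless the component `*_irsa_role_create` defaults, which are not visible here, disable IRSA for the example, the enabled modules should keep `cluster_identity_oidc_issuer = module.eks_cluster.eks_cluster_identity_oidc_issuer` and `cluster_identity_oidc_issuer_arn = module.eks_cluster.eks_cluster_identity_oidc_issuer_arn`. The added comment `# Please, see README.md and Argo Kubernetes deployment method ...` is ambiguous now that examples/basic/README.md is deleted in this same commit; `../../README.md` names the intended file.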
diff --git a/examples/basic/versions.tf b/examples/basic/versions.tf
new file mode 100644
index 0000000..ccd47b8
--- /dev/null
+++ b/examples/basic/versions.tf
@@ -0,0 +1,18 @@
+terraform {
+ required_version = ">= 1.5.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.20.0"
+ }
+ helm = {
+ source = "hashicorp/helm"
+ version = ">= 2.6.0"
+ }
+ }
+}
diff --git a/helm.tf b/helm.tf
deleted file mode 100644
index 22c250b..0000000
--- a/helm.tf
+++ /dev/null
@@ -1,64 +0,0 @@
-resource "helm_release" "this" {
- count = var.enabled && !var.argo_enabled ? 1 : 0
- chart = var.helm_chart_name
- create_namespace = var.helm_create_namespace
- namespace = var.namespace
- name = var.helm_release_name
- version = var.helm_chart_version
- repository = var.helm_repo_url
-
- repository_key_file = var.helm_repo_key_file
- repository_cert_file = var.helm_repo_cert_file
- repository_ca_file = var.helm_repo_ca_file
- repository_username = var.helm_repo_username
- repository_password = var.helm_repo_password
- devel = var.helm_devel
- verify = var.helm_package_verify
- keyring = var.helm_keyring
- timeout = var.helm_timeout
- disable_webhooks = var.helm_disable_webhooks
- reset_values = var.helm_reset_values
- reuse_values = var.helm_reuse_values
- force_update = var.helm_force_update
- recreate_pods = var.helm_recreate_pods
- cleanup_on_fail = var.helm_cleanup_on_fail
- max_history = var.helm_release_max_history
- atomic = var.helm_atomic
- wait = var.helm_wait
- wait_for_jobs = var.helm_wait_for_jobs
- skip_crds = var.helm_skip_crds
- render_subchart_notes = var.helm_render_subchart_notes
- disable_openapi_validation = var.helm_disable_openapi_validation
- dependency_update = var.helm_dependency_update
- replace = var.helm_replace
- description = var.helm_description
- lint = var.helm_lint
-
- values = [
- data.utils_deep_merge_yaml.values[0].output
- ]
-
- dynamic "set" {
- for_each = var.settings
- content {
- name = set.key
- value = set.value
- }
- }
-
- dynamic "set_sensitive" {
- for_each = var.helm_set_sensitive
- content {
- name = set_sensitive.key
- value = set_sensitive.value
- }
- }
-
- dynamic "postrender" {
- for_each = var.helm_postrender
- content {
- binary_path = postrender.value
- }
- }
-
-}
diff --git a/helm/argocd-application/.helmignore b/helm/argocd-application/.helmignore
deleted file mode 100644
index 0e8a0eb..0000000
--- a/helm/argocd-application/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/helm/argocd-application/Chart.yaml b/helm/argocd-application/Chart.yaml deleted file mode 100644 index b450f61..0000000 --- a/helm/argocd-application/Chart.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v2 -name: argocd-application -description: Helm wrapper for deploying ArgoCD application object - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. -type: application - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 diff --git a/helm/argocd-application/templates/_helpers.tpl b/helm/argocd-application/templates/_helpers.tpl deleted file mode 100644 index 6dac3de..0000000 --- a/helm/argocd-application/templates/_helpers.tpl +++ /dev/null 
@@ -1,51 +0,0 @@ -{{/* -Expand the name of the chart. -*/}} -{{- define "argocd_application.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "argocd_application.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s" .Release.Name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "argocd_application.chart" -}} -{{- printf "%s" .Chart.Name | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "argocd_application.labels" -}} -helm.sh/chart: {{ include "argocd_application.chart" . }} -{{ include "argocd_application.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "argocd_application.selectorLabels" -}} -app.kubernetes.io/name: {{ include "argocd_application.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} diff --git a/helm/argocd-application/templates/application.yaml b/helm/argocd-application/templates/application.yaml deleted file mode 100644 index 3117c37..0000000 --- a/helm/argocd-application/templates/application.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -apiVersion: {{ .Values.apiVersion }} -kind: Application -metadata: - name: {{ include "argocd_application.fullname" . }} - labels: - {{- include "argocd_application.labels" . | nindent 4 }} - {{- if .Values.labels }} - {{ toYaml .Values.labels | nindent 4 }} - {{- end }} - annotations: - {{- if .Values.annotations }} - {{ toYaml .Values.annotations | indent 4 }} - {{- end }} - finalizers: - {{- if .Values.finalizers }} - {{ toYaml .Values.finalizers | indent 4 }} - {{- end }} -spec: - {{ toYaml .Values.spec | nindent 2 }} diff --git a/helm/argocd-application/values.yaml b/helm/argocd-application/values.yaml deleted file mode 100644 index 552d6da..0000000 --- a/helm/argocd-application/values.yaml +++ /dev/null @@ -1,2 +0,0 @@ -nameOverride: "" -fullnameOverride: "" diff --git a/iam.tf b/iam.tf index 9c233b8..4e0cae9 100644 --- a/iam.tf +++ b/iam.tf 
@@ -1,36 +1,79 @@
 locals {
- irsa_role_create = var.enabled && var.service_account_create && var.irsa_role_create
- irsa_policy_allow_assume_roles = length(var.irsa_policy_allow_assume_roles) > 0 ? var.irsa_policy_allow_assume_roles : ["arn:aws:iam::${data.aws_caller_identity.this.id}:role/*"]
+ irsa_role_create = var.enabled == true && var.rbac_create == true
+ irsa_role_name_prefix = try(coalesce(var.irsa_role_name_prefix, var.helm_release_name), "")
+ irsa_role_name = try(trim("${local.irsa_role_name_prefix}-${var.helm_chart_name}", "-"), "")
+
+ irsa_components = {
+ operator = {
+ irsa_role_create = local.irsa_role_create && var.keda_operator_service_account_create == true && var.keda_operator_irsa_role_create == true
+ irsa_role_name_prefix = "${local.irsa_role_name_prefix}-operator"
+ irsa_role_name = "${local.irsa_role_name}-operator"
+ irsa_policy_enabled = var.keda_operator_irsa_policy_enabled == true && try(length(var.keda_operator_irsa_policy) > 0, false)
+ irsa_policy = var.keda_operator_irsa_policy
+ irsa_assume_role_enabled = var.keda_operator_irsa_assume_role_enabled == true && try(length(var.keda_operator_irsa_assume_role_arns) > 0, false)
+ irsa_assume_role_arns = var.keda_operator_irsa_assume_role_arns
+ irsa_additional_policies = var.keda_operator_irsa_additional_policies
+ service_account_name = var.keda_operator_service_account_name
+ }
+ metricServer = {
+ irsa_role_create = local.irsa_role_create && var.keda_metric_server_service_account_create == true && var.keda_metric_server_irsa_role_create == true
+ irsa_role_name_prefix = "${local.irsa_role_name_prefix}-metrics-server"
+ irsa_role_name = "${local.irsa_role_name}-metrics-server"
+ irsa_policy_enabled = var.keda_metric_server_irsa_policy_enabled == true && try(length(var.keda_metric_server_irsa_policy) > 0, false)
+ irsa_policy = var.keda_metric_server_irsa_policy
+ irsa_assume_role_enabled = var.keda_metric_server_irsa_assume_role_enabled == true &&
try(length(var.keda_metric_server_irsa_assume_role_arns) > 0, false)
+ irsa_assume_role_arns = var.keda_metric_server_irsa_assume_role_arns
+ irsa_additional_policies = var.keda_metric_server_irsa_additional_policies
+ service_account_name = var.keda_metric_server_service_account_name
+ }
+ webhooks = {
+ irsa_role_create = local.irsa_role_create && var.keda_webhooks_service_account_create == true && var.keda_webhooks_irsa_role_create == true
+ irsa_role_name_prefix = "${local.irsa_role_name_prefix}-webhooks"
+ irsa_role_name = "${local.irsa_role_name}-webhooks"
+ irsa_policy_enabled = var.keda_webhooks_irsa_policy_enabled == true && try(length(var.keda_webhooks_irsa_policy) > 0, false)
+ irsa_policy = var.keda_webhooks_irsa_policy
+ irsa_assume_role_enabled = var.keda_webhooks_irsa_assume_role_enabled == true && try(length(var.keda_webhooks_irsa_assume_role_arns) > 0, false)
+ irsa_assume_role_arns = var.keda_webhooks_irsa_assume_role_arns
+ irsa_additional_policies = var.keda_webhooks_irsa_additional_policies
+ service_account_name = var.keda_webhooks_service_account_name
+ }
+ }
 }
-data "aws_caller_identity" "this" {}
-
-data "aws_iam_policy_document" "this" {
- count = local.irsa_role_create && var.irsa_policy_enabled ? 1 : 0
+data "aws_iam_policy_document" "this_assume" {
+ for_each = {
+ for k, v in local.irsa_components : k => v if v.irsa_role_create && v.irsa_assume_role_enabled
+ }
 statement {
 effect = "Allow"
 actions = [
 "sts:AssumeRole"
 ]
- resources = local.irsa_policy_allow_assume_roles
+ resources = each.value.irsa_assume_role_arns
 }
 }
 resource "aws_iam_policy" "this" {
- count = local.irsa_role_create && var.irsa_policy_enabled ?
1 : 0
- name = "${var.irsa_role_name_prefix}-${var.helm_release_name}"
+ for_each = {
+ for k, v in local.irsa_components : k => v if v.irsa_role_create && (v.irsa_policy_enabled || v.irsa_assume_role_enabled)
+ }
+
+ name = each.value.irsa_role_name # tflint-ignore: aws_iam_policy_invalid_name
 path = "/"
- description = "Policy for keda service"
+ description = "Policy for ${var.helm_release_name} ${each.key} component"
+ policy = each.value.irsa_assume_role_enabled ? data.aws_iam_policy_document.this_assume[each.key].json : each.value.irsa_policy
- policy = data.aws_iam_policy_document.this[0].json
- tags = var.irsa_tags
+ tags = var.irsa_tags
 }
-data "aws_iam_policy_document" "this_assume" {
- count = local.irsa_role_create ? 1 : 0
+data "aws_iam_policy_document" "this_irsa" {
+ for_each = {
+ for k, v in local.irsa_components : k => v if v.irsa_role_create
+ }
 statement {
+ effect = "Allow"
 actions = ["sts:AssumeRoleWithWebIdentity"]
 principals {
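Review bot: In `aws_iam_policy.this`, `policy = each.value.irsa_assume_role_enabled ? data.aws_iam_policy_document.this_assume[each.key].json : each.value.irsa_policy` silently discards a component's `irsa_policy` whenever `irsa_assume_role_enabled` is also set, although the `for_each` filter admits the resource for either flag and the same filter drives `aws_iam_role_policy_attachment.this`, so a user enabling both gets only the `sts:AssumeRole` document attached. The two documents should be combined rather than chosen between, for example through an intermediate `aws_iam_policy_document` whose `source_policy_documents` holds the inline policy and the assume document when each is enabled, as sketched below. The `data "aws_iam_policy_document" "this_irsa"` block that starts at the end of this hunk continues in the next one.
```hcl
data "aws_iam_policy_document" "this_combined" {
  for_each = {
    for k, v in local.irsa_components : k => v if v.irsa_role_create && (v.irsa_policy_enabled || v.irsa_assume_role_enabled)
  }

  # Merge the inline policy and the sts:AssumeRole document so enabling both keeps both;
  # the for_each filter guarantees at least one of the two entries is non-empty.
  source_policy_documents = compact([
    each.value.irsa_policy_enabled ? each.value.irsa_policy : "",
    each.value.irsa_assume_role_enabled ? data.aws_iam_policy_document.this_assume[each.key].json : "",
  ])
}

resource "aws_iam_policy" "this" {
  # … unchanged: for_each, name, path, description …
  policy = data.aws_iam_policy_document.this_combined[each.key].json
  # … unchanged: tags …
}
```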
@@ -43,33 +86,36 @@ data "aws_iam_policy_document" "this_assume" {
 variable = "${replace(var.cluster_identity_oidc_issuer, "https://", "")}:sub"
 values = [
- "system:serviceaccount:${var.namespace}:${var.service_account_name}",
+ "system:serviceaccount:${var.namespace}:${each.value.service_account_name}",
 ]
 }
-
- effect = "Allow"
 }
 }
 resource "aws_iam_role" "this" {
- count = local.irsa_role_create ? 1 : 0
-
- name = "${var.irsa_role_name_prefix}-${var.helm_release_name}"
- assume_role_policy = data.aws_iam_policy_document.this_assume[0].json
+ for_each = {
+ for k, v in local.irsa_components : k => v if v.irsa_role_create
+ }
- tags = var.irsa_tags
+ name = each.value.irsa_role_name # tflint-ignore: aws_iam_role_invalid_name
+ assume_role_policy = data.aws_iam_policy_document.this_irsa[each.key].json
+ tags = var.irsa_tags
 }
 resource "aws_iam_role_policy_attachment" "this" {
- count = local.irsa_role_create ? 1 : 0
+ for_each = {
+ for k, v in local.irsa_components : k => v if v.irsa_role_create && (v.irsa_policy_enabled || v.irsa_assume_role_enabled)
+ }
- role = aws_iam_role.this[0].name
- policy_arn = aws_iam_policy.this[0].arn
+ role = aws_iam_role.this[each.key].name
+ policy_arn = aws_iam_policy.this[each.key].arn
 }
-resource "aws_iam_role_policy_attachment" "additional" {
- for_each = local.irsa_role_create ? var.irsa_additional_policies : {}
+resource "aws_iam_role_policy_attachment" "this_additional" {
+ for_each = merge([
+ for k, v in local.irsa_components : { k = v.irsa_additional_policies } if v.irsa_role_create
+ ]...)
- role = aws_iam_role.this[0].name
+ role = aws_iam_role.this[each.value].name
 policy_arn = each.value
 }
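Review bot: The `for_each` of `aws_iam_role_policy_attachment.this_additional` does not build the map the resource body reads: a bare `k` inside the object constructor is the literal key `"k"` (the variable must be written `(k)`), so `merge()` keeps only the last component, and each value is that component's whole `irsa_additional_policies` map, which is then used both as the index into `aws_iam_role.this[each.value]` and as `policy_arn`. The expression should flatten to one entry per component/policy pair, as below. Separately, the trust-policy condition visible here constrains only `:sub`; if the `condition` block above this hunk has no `StringEquals` on `:aud` with value `sts.amazonaws.com`, adding one is the documented IRSA hardening so that only tokens issued for the STS audience can assume these roles.
```hcl
resource "aws_iam_role_policy_attachment" "this_additional" {
  for_each = merge([
    for k, v in local.irsa_components : {
      for id, arn in v.irsa_additional_policies : "${k}-${id}" => {
        component  = k
        policy_arn = arn
      }
    } if v.irsa_role_create
  ]...)

  role       = aws_iam_role.this[each.value.component].name
  policy_arn = each.value.policy_arn
}
```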
diff --git a/ll-logo.png b/ll-logo.png deleted file mode 100644 index 8aa2c6a4997fbdcf7009e089b2d07ad4a89218a6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12095 zcmbVxWl$YF(C)##xVsmJ;!xbRc#FHcyL)l>!ol6$DeiFK;O_3Ox9^Yp^WOR9o6KgC zooqIf+0E?pBvMIH3I&k>5dZ+7$ViK;000nr|He`9kpKGPNi$Ob04>c+?U##+p*xv_ zlf9XxjVYOnr-Lb(sfVQ*0N}9#&d_eAEOQFm#19PzK%=n|kr^;e_x3;HN~@QgxU~3s zE&Dl?H5cZ{QYSb*vz$46>~7jWaet)D%YIe&CajY9NKuyj(|LS-Yu|Z@HSX>AdGg#X z*F%cx>)VseOVv4c_%kPWk%L$7^E#B&y72z>dZs6L@1twxF_;t=OP}|4$PXoP_u2V- z%4O)#bEjp&X$`RY&2xPdQ~&E`ZpUqh-up((CyAecQZl2aDf#HLbmG&WS6ayDH+etA zX&KnV>tlY3K-`3fn2?Y+H*X<5<2O!`9_r`ej;rZq`}^sn+`~uY=MtS}`&f_L64Jt# z!%=^_4^zWueC3aKsB-5|2Y#VMpQ=r7L3eIB%7XJ%Wwy7Gsqqg^klvne)wPlz{pGy? zY#fRCTJqXXY}BwKrD?g782uX|9doAC#*QofhctHuGFy47 z=^fHjdeOC@2gZ9pRcI&Sl2LEUHPjI;ZA^OGopZvX1oBRFWt@V$bh93KG z84X{h+c(?6X|UK}p3I)6tezSfI5URK*^t9&X04%S(w(Er*?E%b)vz{FRLwGf z-fX1sSCQI_lw3);S&EibRh88_FqSW?5oBepkQKb9Hk+@WRqjU2*Kr53w%7H(ESOFR z4+wN^1Qx`x9ZVS3&+KU>-O@^F=+%#vS1{@N#&B|z;cmbgn?}_G-*Z?LrIZKg!LfoL|+?*hBx!eU&FYoLGYrV!OE$@_iR-ol&kjrK#GD z_R%^k9!@mNaE>KDy+6C3q*6iSv58$#$*5OIrl+8YM`x=^T2(MA(I@u}1x{^QP>$!F z&={(^^MMvMzj>88H#w$hW#A(&5s<}rF|laqyh5%x%VZm!BZDQH)Q^*!LG2aSoP_5l z*1ZarR)2+azhL3d3AN~VUy5-SS;-XL2$krmt{=J~D!wm7N`^Qt-x$!G39c5Ix&wvg zz9{jile*4wKnwmnKBpp$|9%@3iBq)#d#;x5IC;O{aAJ24KdXOWnbINJq*-0O8g^dj zZFby&P$m>r^bMuiTZ=)nie;Wezo-}q*al?dvz_n}BdWs9YKRZiA+JryT-u5jn4)Vb zs^a#hOd9?b<4w!MAYAWu19l>&P9veZ-~=s2mQNV3A~UJBu(a2xAB5cCgbAqvof|4w z!mCn8A$sdFrAvMZBzvMeCe>PVl9t-sr6sOd>$`u?b;9ILA^vr=&Rn7p0H2h`FQt#%+!3Vt@?3S zjaHs!0T4z=EHa?3R;2Km4G!}Sj=jj5^qu&U|tA;3QaC8ST=Yj4l1;9EVZ zYWi4N_o{}SB0^&ndS+*uFTdzeoYWZY&@c4uia09vn z5bJzf-DH6|f5K~LwL-!>-Q{U zxcIl}qy%|itvpNDh?B1q&Ag3fe&dDkFaZ7&XiTq`r2MjZW9XAwo(Y*ho?;FGH#k#; zNPX-eq+7_F%<^$(FX--rkK=JfwiX7sgl$hKRP^{31s)MqvFW5e;R_M9Erq^A)dHHR zF9&(*P!6L*c8iBUlQYbB@~he*IBlR$unV;WrwJ^C?L5yOLdG>UROR%44^r-ZCv_)4Nsi0m&-s>1p=yQ(Qni>6%&a$wBl7oGj^PgJY~hWGo=f z<^6!ip0H){8jT)JDtSRmaS#Q;rgi2VCP2cN1rd3Lj)cH`5mC}`-YpWoE-34=7=*Y| 
zJaM|kb&e4g^8Jb~%c3~|LGlpgTGQC^QsA;^15-|?ea0RkI&kX~aR1|x-)L$PPmn>L z(4FvjQ#a0;XT><-$S9&uzTS{#9=?y6TgGJAMP7}LjT!Mg@^|BIZ4i<;!WORD91$zK zm^3Xv9I*#V0QSLhIuSfmQxu;gzl4brH?M#e_inrfW3$Mv$1Huw^UZIQB4dj%GB~ni zC`kxc`rgxt`BlOVfow=SVH;{Ij%rl0bkNp!=ZNdJ5anN2-zYc$77|5h2k+IL>%G&U z9L`ZaH4HyTrSR*MwbfQX^t}}u7O|jM3yd)V>}8v%3o9mfMEGN`=htmK{A)r5vNoQ5 z*WU@u&=GIMU+kl!4sGDR~4W4{u^oXe6PSEEdh?s44aR37|^z9tv)3dgx*V?=>_)052fxdzNECs zQluxtF@o(!s{Tuo9Gf^BxJKF49=Q++d&EG+FB#xS<{E+SCB~XxcSUAN>J#cf%epBH z1DYH{jQT6OEw0xKnHM40#l#9f)M(9!$pyh+QGvv=9cCvnoa3ueQh?5Yuzos78746o ztP^&GSB=I!*Q0^^rr~Wgq5bxh&Z_t;Fb1*8LF_%El)5@Y*J1FNHc)_u?oUJ(zY?W2 z@lZ;_sb9m<%?m6>gd{E#GNCRi|1EDmx`X&KL#+e)W$Eo6EXwb2GWKjmZWAwEYy(m# z^gz2cnG5m?+I<(}5%M4_YcXhT7fGLb8U@Eu z0woAJ3SPZYsJE#vb_wY`lh24!N%flU7Xn#Ni4a08^set;CS`iaykj~lXUO!~)QlGy zep3kim3M0ihj_qn<_@Mr_#7PJtgCbLZ%(R9TgdyA#ZMJ5+-L)`&oF&q_=4rzW5sjv!2LwwpavBY7EXE^l&tRa*h{gsrx$kC& z`-3l@#3MVkk(n0>M`5r87F!WtYRQhcmvY5qhux8U zlMx}OJjU;j2xYZEe@(w3qnwrZ>6+er!p+4|;S?)KQ9wWPWB@zBWSGzhtznJOf7m!%6&B-;JYB|_R~>cnHs-p7`@KI5;8kf+ zHsrmAcn{(}x=*wLAm`RF6Ro<5C0+9ou7`^sSL4pa%)lihDKQB-4maSRgg!`~b=Zq2 z4GBYR0bUTDl25ZB4VeBa#NkJT9n8Q)Lb+{iO2p+Xk){0QNOI62kEbI<>T47Yw(DuT z??+B4j*=N%-_wRY6hFsa;)aDksdnMu9O{F39pPzt_$G^VNR$Qzmq!Up#oi!lg!V1W z3uv|Yp4?{8C8wiBj=P3Eg0|%}jx6*NH5&Snkv%LJBPmKko;U(16Eho} zGgY~GUBMNBAtp9q2>Dy-`Q3rlaT226+@Xc?koB5yMAuz{d017>yHg@9%@3( zQSy2cusOilN{rt&;e zTF*NG5sS67n>gx9M8(E^w2=sp4VQUV6PX2eViqje{npE(#PbAovPDGp*I^ROM@$ic z5L^Q2>>y`CcE$&AJ`oEz9yJ~CjiZ1Z?O`NZBA#3cZ83Jl!%;S!yrH2ZYGG{$m1Y^N zp8c@2pT&5nPGJTZQu%B)4MZEbsj3(pPoPZ{uBrtST6Fn#bYNeIzd8NsQelHq=r#4x zPfIJik^yt8#_^2cI3wHSHITYwU+0UBzhg9B{_d{TpGp42;H(1;E^~XrV`w5pnvejf zmT$OxJTnk=eHtKZX*hN#mxP8N33^v;c=AvEts_cB;strXWKdCr01H-s<%J^=5dkP6 z?;lku7H({_n9Ofxtoxgd99EXSpK#bsBFEzF8zNxVv6-MNC+L>%p>N8cV!ws+o#i4x zI0Rc-yQF`Oxfq;D7UG0cRdacxSlZhnjC zHV(BLu7gsYnXyfvZ$8bk-`^$(IXVDOhCK?k+xk4!f5vXAS?%M;gSb!1>TX_(xVc>*tD!wpJ zwez(i25rGbBo!p(M&HB!8Z>Ncrv#pn zf?<43Gfp|A68=)8l8J-_!P1xh6^+)&!NSB}`Qh~>MbsnC9IAuO>cp4_i&DP}_Zhso 
zo;i3-$4!?G{i0{{YK(le3A3WG`XShS{(!LM4_kd#-Ln9Rkz2^!p>+ojZwrOHsH?CH z#q1uiUD9qd61!JIhZWWPitnpR0>23vY;9+sf`24Tsb(JLj(;zrVYdQk}%#{BLgh!E(+dn0oi;RK< z+#WP08Whz#b=x5TK$IaPE~4hKa-QR^qq_Jy{DX@e8sjgC;U&ri%vZZp;dh)Wt)`}G zt5d6-CcpEV=H{k_m2%tr(^7Bk3fFBt#sq4N-rD{@nkH+Tq)O6uVfo5X-!IerJ*K;| zy`6^+vv0GV|A_UnB0~TGrD7pe|ISeOZx{~?00{uIAZecSZ-cBm;D$Y3o0>w*G_=(U}v&3gL!xREB9bPq; zLG$KbBuD*)ajta_O=i4WtPv{*w2S0w8Z16q>i)pI9my_fYbs8}{cu!gw}%0W>`EXP z0rp(+7habagkyd7@e=1(z9lgdS8vPKTlqXG+#MTDOy3-x+{G|7G^bhvo?oo_0z`<` zgg;DhiE-vFeVz0uF1aBQokJ4M#h;$rHoNaUMMaB6%Um3rqav=tIgT$t@hU29RGj*! zRetg>`AY6T7@}f_Morn%9_~r?b$jmr(VUWX2T;zK9#XK%>%2HhBhhfQQraa5&GBEz zP~gecR9JK}vP&WwH$Uw9M$^qgzLT;PPwfL@nh!$P$1GWInO zl``}*Z@%&~y=VMlESMe9sdn{9cQ*(~(_tQ;P>~ZB(syTPR~1m^< zzrkcp!lPWnqdqn?8&wFVrlim&NUMwe?Qd$?%gAU`v22k2j6owg2uGu5WMrr*wL{`E zo_T-Mn*0qDYTDK&(bR-uCO;Hm=!-5YApt4kslM8;hDc2{P;!1F|n6#^Ym|Y(dFgP)@eoAu>qx5WCM?M zAsKf=RrfrWrlgLgS%3g@z{zm zJ^mii5)L%@MSH5MRS#LEGC??(tpt_GZY_SFn*nkxS?jXheH-&$@I8we0Fa{p`Oq&D&M&ciz z?vI-0aPM$U(zTZI^P8i(C!rrEO}c(fZqO_(N4KuDr&)VES>V=flGB9=i;6lQzvJX( z??zNL^9oIB_9U*;#IXAMa(%aKL3f!d`;NmIW1QQyg-J)Km+-DLembFRP_XwfbL)qd*Mc8v@A9)J6Xrf=qn=nd{UeFPXoN-A1 zo{GvTQ|7aDcQ^X=lhm~~m7wu{h2-AG^rzIkMYUg(@52v;lX{%Fhkz8h_h$FEn1cz4 z$38So&42GcTZE`4xn(mqmb(?$9K1n2k`@MX;3eKj z&MvMjaGoD+;~!W&jSg<;th#o`W^Qj5-4;28I?^OaGio;3*}LiW6MFB~IWP0OfC2n;)tkztYldBrPw@taVhgkOie04_3oNsqcPNUm{DWVW?ui0ea z{d}~AqLGtmQk!0HB8=Tmgelxkd14Q);e~3O=&vqmn6&oV#nZnKC+u8L*ktTU(KjpX zD(|u1RKVJTqztMoRzSof-hGgzRR2b9*SXm^3h}T&)2iKbA>)&rxqkDB-v3&negS)Zg({^>nztc_m^+8O#Avw)35ro}?dsAn2jZhme*q@Oi8Ns{vJj25pZ>4w z3C?M^d<3^Qad7fkeEEYUbuZ4#`wXapx~^LHfx+Rs{i6SpmgGXwINUqCWB%i}FWgQ+ zfz~jREOql~+<3V^9)STq(cb%xK1C}1a%I}u>fa{rcQa!hgFM<$(W!|E?d}smPhl5> z@+K7nBZh~k6D7slGrka+tu;vduYSBK(#x=7M19jfJhb{Ns?OVazzQ16y`!Fs+K+fx zD70Lb8Dt%-9mNH0A+`{e-wZ$YQuV5^ckE^(L)xmj`UQxq@Mye@4CXAOe2Es#aCZ2< z;G2TCC7a<-EWh-K_%gol9z2Q#tup+nVlv+iTP_MBO#+qceP7{a|9d!a2` zEQyL0Nmaq!yoxlfGojm1A2`V+1>eQ*8DGw^CWCe50i&nK3=jP8g_)NHj~x1;iFrYU 
z>UQ{CnhPHxwWEtAaOieH4q#FBtFMq|)DZKQ)3ksw*wo+cemvCI^WiDs0qW$tJ8Cg-d6pOcie0{hYSp>CPd0i+epk>HhL22H zT6nveO;fGD`hD-NT(EYYQ|2+*rKx6VQo<& z$g!(+GMIVT2qhb$VUBen>r*~+z8NS0@f3iyz ze#pn~>1ciV71n)@*OgPniOJVf+*hh1!yOr zSgul`W`s&osN3-;BuZpD+mtXE7T*jZpsQ;?YXV7?Z+(egc`-T68vAKu@mF=X;|I%V zXZ{ziW9=Jg%^(6@_o~Sw-}I-619ieQj@Gu)A{jG{goR=H3cjs#SXFvL!Y1TllW)%% zNWA6bI0xslhNE2i*L5qM{TE%=oAw>m1mE6;L^2f^x~KDdby~l`%4Bn&y(dXi1aWk_ zoeZe_@$!y9y8+vpj$qAaSKG{Fauo1R{Ib4PQaxwLX(_(OZZ{vwKU;dj1#{r5i!QH} zb4Gi|6{@Rk4So?jy32@F*wXJwD8zp{Qf`*7PSt3YnClO}S2=ww`iV4XmD7r_`y%uR zE-+q;9xJdH3$DFgC}94Ik|N3!C6?_nZJ;~PmBzLj>Fj9|#{vgaMS%A7dKKa8>#NK0 zvKkkXxF(z9X3UMV0UWR5+f9V^7jkdP7pAIwb+XshHP(*MspfIq8T&BCC;shroY~MS z<007N0>+h66Z;Fvm@}_{L2@xw5O$;^gN|;3jkoo@_On6LzCqj0D9BzE17kI*y0f#` z8C<~3#g z7}UD-ed?jB`|$OCO^_ZS(wmLrzrY0h-&f)*XVOGlsur;5%-Qv2JZ>w2i4}$-iyy;1 zMhf8Jmg2mY|x&2|98$D9_uOqpQhs`H_B}u#pO;xIU?AX#0!b zYnYI}rjvJZeo|2l46nvy+*YFFP8lkD-+$rw2pTra`hj=s`C?RUwWXi7>Mpsrj|=nU z?UL#>4+Do~6tipw8(KNc8i<5op8o5&w9AhGHcI=R@8=48BQHD`7j2hYvqp!1&OOcM z(Sb?3;X5+Dy4=o8X>uDW@&dB{ccI^gvX@w_iO)<0<3obs(6|5yG6Tig|$`{ zk&8PUhqZT--Oq#&MW+FEkJim&v0DM%##JL$WTv;gpKwE~95-*8d?k3{5>Aij9|NPx zCG068P)+gzUpxbOq>7ojmFB7R4?dr;p{ z;m>J6Y5uw{!Je$CljHv7kKd$Gh3l+@R@h^{)SR!fRud7^IPI%L9(=V&jdm%J(@)g2 zpBk$sbq0!9@3xnM(3T$Kd+OlN^vuUvWyt5*LN&iE?dEX(y1$#ep!Gk}N6hP%h@n0% zm*M5)e@Ld3NZM;S4Dj5xEoaky{3fSWD@$e&l-nIfw8D|}$a4Qv)Kn9cR8aNj{)_Nq zB5a#z8zr5&za@%Eu!f>K2iC^e($c1W&p7XUVc~a~X&e2Dag%RG!&3NHl=hpR$)A}0zub4PI(IU#r|p*&^YZ#g{r7*oQatn$$PvKNsg;yIxLAbr zU;^@HUO@jsM4Os1%Fz1g-Jv8i@F^*{nLr+4$kUarWj`?L|9<3lZ4vQd zW%Ac(#ZCUX6?2XAvS*a>R)NJNMc6v`b(j)r7_QZAI?@*sLV`#0k_3ZmSu#qjTpx+v znf^4d6H-@`p!y(nPv-i|3gq!Tv2tH^>cRSVp$UuRBHy=v@Hw;PL;BEI$sn+r9>plb z$DDa%I};|dwJxrvhz{ijid>uq9ry7ern&dhu3e91j4^nbC@*S-ATf%8fkUUN5@Cz4 z>+INA7XvY}wXx(erlPFX?k{yW*;Ny-$n-ReqTIBCoPU_1EMh1I-WCSd(ec5-(hM0R zW@(Pz{{C_0Cb710(pO$y2L28uCA}y#C%5J=h%TsKZWb;-Dmy#*m~ztk8LBHQrQkC% zW_>$}eLHo#I$NP3&kB!DKn_jt{^D9Z!CW(wBuze!4&O**3#|0I6h!HFw(=*k=@G7>fL>jRYe3q&I&s~AfuES&D 
zuyxm!2&XwGHJ@%EYQxAR!|$wa2{BwPUWe~c|KJ<%J-7Y!VF|~7@XHB_U^BPpb7tG$ zf!~slFqA>#0#uCj$wk`|C8e;InwLNGD0surz zn^nN&8hB3bly~LbMw7>K3ygm=pQPK9t1f`o9f~G2K4TCbvX@WW#^MjnkRhJ_6dU)8 zk^l9_ztm>+U%n2%?$*$-35oy3xO}&Z0`AcMu=jCMgAM}{>Gh4dhCdBf<EVk4-b0)^pWyc)VUc&he~2$1`~eRE2y z`W~-8zn$dDRY`!uFW5f#yn|~^@Y!WRyC_)BG=Ak_GZ5?EfQXVz#FoxP!G7N5;4Dd( zMYi4KYdKemH3Zi_7DrojnAD|5;e3=77aw08yEzX9_CJ=C ze=it2xJ2z{FOO?z$jQl3SIT>AQ#}RZx%gTF_>hZvL)g;ydG-@l4C%*l@A`?k!vBkT z?Jg>(xrHniJlYh|`L%8dnxx_`ZZ&lRkGG-UV+4fOaya8_VPX}fcAMXw?&Ke4*_YwT zF(O$lqkl-(YFk94rKKTF=yxBR9iMj#_J|;R=D|(wy6GIlX0H)woK}E2lMWyjM1j!c;zcUmzn)_kO0f{nj+W2BgeJT@*?F-BV2SI)CDVr6n5~6Ay-aD*qErTp36K$NG!mZ z5%!zZodygnc+AYYmJ|Jl2mbgj>VKaKnIDUe)|tG5L!EOZXG~qu;Pd9M7)>&2{=AdX z0JSVm)hx9*51mjeS1Vc(%6u$+qRC1uCc_eB+*J$sjgDQceT$Tb;02DB5xt3$;Y1!8 zwN9298d}kM3HYhJu3nm(erqddws}9caPk^%^j9yFEO`XC@ChYqF(v0tqRph-zNY*{@QxhXY z#fJZthODHkRKX;J#czW9bMq*;P-yQFlN&hH+_SZ;5O1@IBSEImHb-{L?fL@H!9#Oj zU*KHJ5BPueIBT?iUUTTc3dX~Mo315%{h`O~)A#$PiGL`}kLXrOieV%U$4UakDf4~u z%Hk(KRClN-uu==1|2|ltJn%6Q`Y}Mp`yY5Gqv5r*@F*yx+`6QOATw>*TN{IzK5Z1lYcz74#`i`v}o zj68Ky8XKAj zSECh5l%;ECbHv*7%$AM2twxl%j3rn|`@2I;t@58S3!Nmo3N_~$St_k%>1zb2O6Ts` z&G{V<9`8J%GJ*_$sk`Q=0LhZ*h^8va8>AU+OYOy>2h22Q^gN1ErKv0}EGW>>0)_V+ zeo&#kz&nO)5&kp+34n{xh|#0m85om`bJ}I{XM9Z!6+QqR*UV#OO%Mf{o4)z$a4lX7y$qQ9RL2wK>tJ< r3IHHO`5!C(w|4)z`hWYg&;5k^G7wQ_5aKEP-$EG)Me%A;gP{KdKD|Ap diff --git a/main.tf b/main.tf new file mode 100644 index 0000000..1a992e6 --- /dev/null +++ b/main.tf 
@@ -0,0 +1,48 @@
+/**
+ * # AWS EKS KEDA Controller Terraform module
+ *
+ * A Terraform module to deploy the [KEDA](https://github.com/kedacore/keda) on Amazon EKS cluster.
+ *
+ * [![Terraform validate](https://github.com/lablabs/terraform-aws-eks-keda/actions/workflows/validate.yaml/badge.svg)](https://github.com/lablabs/terraform-aws-eks-keda/actions/workflows/validate.yaml)
+ * [![pre-commit](https://github.com/lablabs/terraform-aws-eks-keda/actions/workflows/pre-commit.yaml/badge.svg)](https://github.com/lablabs/terraform-aws-eks-keda/actions/workflows/pre-commit.yaml)
+ */
+locals {
+ addon = {
+ name = "keda-controller"
+
+ helm_chart_name = "keda"
+ helm_chart_version = "2.14.2"
+ helm_repo_url = "https://kedacore.github.io/charts"
+
+ irsa_role_create = false # we are handling IRSA locally
+
+ values = yamlencode({
+ rbac = {
+ create = var.rbac_create != null ? var.rbac_create : true
+ }
+ serviceAccount = {
+ operator = {
+ create = var.keda_operator_service_account_create
+ name = var.keda_operator_service_account_name
+ annotations = local.irsa_components["operator"].irsa_role_create ? {
+ "eks.amazonaws.com/role-arn" = aws_iam_role.this["operator"].arn
+ } : tomap({})
+ }
+ metricServer = {
+ create = var.keda_metric_server_service_account_create
+ name = var.keda_metric_server_service_account_name
+ annotations = local.irsa_components["metricServer"].irsa_role_create ? {
+ "eks.amazonaws.com/role-arn" = aws_iam_role.this["metricServer"].arn
+ } : tomap({})
+ }
+ webhooks = {
+ create = var.keda_webhooks_service_account_create
+ name = var.keda_webhooks_service_account_name
+ annotations = local.irsa_components["webhooks"].irsa_role_create ? {
+ "eks.amazonaws.com/role-arn" = aws_iam_role.this["webhooks"].arn
+ } : tomap({})
+ }
+ }
+ })
+ }
+}
diff --git a/outputs.tf b/outputs.tf
index 7a4f97c..f31e55c 100644
--- a/outputs.tf
+++ b/outputs.tf
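Review bot: The three `serviceAccount` entries in `local.addon.values` repeat the same create/name/annotations shape and differ only in the component key, which each entry hard-codes twice (`local.irsa_components["operator"]` and `aws_iam_role.this["operator"]`). Since `local.irsa_components` is already keyed by these component names and carries `service_account_name` per component, the block can be one `for` expression over it, provided each component entry also records its `service_account_create` flag (the visible entries in iam.tf do not carry one today). Driving the Helm values and the IAM resources from the same map means a new component cannot end up with a role but no annotation, or vice versa.
```hcl
      # … unchanged: rbac block …
      serviceAccount = {
        for k, c in local.irsa_components : k => {
          create = c.service_account_create
          name   = c.service_account_name
          annotations = c.irsa_role_create ? {
            "eks.amazonaws.com/role-arn" = aws_iam_role.this[k].arn
          } : tomap({})
        }
      }
```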
@@ -1,19 +1,5 @@
-output "helm_release_metadata" {
- description = "Helm release attributes"
- value = try(helm_release.this[0].metadata, {})
-}
-
-output "helm_release_application_metadata" {
- description = "Argo application helm release attributes"
- value = try(helm_release.argo_application[0].metadata, {})
-}
-
-output "kubernetes_application_attributes" {
- description = "Argo kubernetes manifest attributes"
- value = try(kubernetes_manifest.this[0], {})
-}
-
-output "iam_role_attributes" {
- description = "IAM role atributes"
- value = try(aws_iam_role.this[0], {})
+# IMPORTANT: This file is synced with the "terraform-aws-eks-universal-addon" module. Any changes to this file might be overwritten upon the next release of that module.
+output "addon" {
+ description = "The addon module outputs"
+ value = module.addon
 }
diff --git a/values.tf b/values.tf
deleted file mode 100644
index 8368696..0000000
--- a/values.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-locals {
- values = yamlencode({
- "serviceAccount" : {
- "create" : var.service_account_create
- "name" : var.service_account_name
- "annotations" : {
- "eks.amazonaws.com/role-arn" : local.irsa_role_create ? aws_iam_role.this[0].arn : ""
- }
- }
- })
-}
-
-data "utils_deep_merge_yaml" "values" {
- count = var.enabled ? 1 : 0
- input = compact([
- local.values,
- var.values
- ])
-}
diff --git a/variables-addon.tf b/variables-addon.tf
new file mode 100644
index 0000000..5cd5575
--- /dev/null
+++ b/variables-addon.tf
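Review bot: After this hunk the IAM roles the module still creates itself (`aws_iam_role.this`, now a `for_each` map in iam.tf) are exposed by no output: `iam_role_attributes` is removed and `output "addon"` forwards only `module.addon`, while the addon local in main.tf sets `irsa_role_create = false`, so the universal module presumably has no role of its own to report. Consumers that reference the KEDA role ARNs, for example to build trust policies for the roles KEDA is allowed to assume, lose that handle. Because the new header says this file is synced from the universal addon module and may be overwritten, the replacement belongs in a separate file such as `outputs-keda.tf`, e.g. `output "irsa_roles" { description = "IAM roles created per KEDA component" value = aws_iam_role.this }`.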
@@ -0,0 +1,428 @@
+# IMPORTANT: This file is synced with the "terraform-aws-eks-universal-addon" module. Any changes to this file might be overwritten upon the next release of that module.
+variable "enabled" {
+ type = bool
+ default = true
+ description = "Variable indicating whether deployment is enabled"
+}
+
+# ================ common variables (required) ================
+
+variable "helm_chart_name" {
+ type = string
+ default = null
+ description = "Helm chart name to be installed. Defaults to `local.addon.name` (required)."
+}
+
+variable "helm_chart_version" {
+ type = string
+ default = null
+ description = "Version of the Helm chart. Defaults to `local.addon.helm_chart_version` (required)."
+}
+
+variable "helm_release_name" {
+ type = string
+ default = null
+ description = "Helm release name. Defaults to `local.addon.name` (required)."
+}
+
+variable "helm_repo_url" {
+ type = string
+ default = null
+ description = "Helm repository. Defaults to `local.addon.helm_repo_url` (required)."
+}
+
+variable "helm_create_namespace" {
+ type = bool
+ default = null
+ description = "Create the namespace if it does not yet exist. Defaults to `true`."
+}
+
+variable "namespace" {
+ type = string
+ default = null
+ description = "The Kubernetes Namespace in which the Helm chart will be installed. Defaults to `local.addon.name` (required)."
+}
+
+variable "settings" {
+ type = map(any)
+ default = null
+ description = "Additional Helm sets which will be passed to the Helm chart values. Defaults to `{}`."
+}
+
+variable "values" {
+ type = string
+ default = null
+ description = "Additional yaml encoded values which will be passed to the Helm chart. Defaults to `\"\"`."
+}
+
+# ================ IRSA variables (optional) ================
+
+
+variable "cluster_identity_oidc_issuer" {
+ type = string
+ default = null
+ description = "The OIDC Identity issuer for the cluster. Defaults to `\"\"`."
+}
+
+variable "cluster_identity_oidc_issuer_arn" {
+ type = string
+ default = null
+ description = "The OIDC Identity issuer ARN for the cluster that can be used to associate IAM roles with a Service Account. Defaults to `\"\"`."
+}
+
+variable "rbac_create" {
+ type = bool
+ default = null
+ description = "Whether to create and use RBAC resources. Defaults to `true`."
+}
+
+variable "service_account_create" {
+ type = bool
+ default = null
+ description = "Whether to create Service Account. Defaults to `true`."
+}
+
+variable "service_account_name" {
+ type = string
+ default = null
+ description = "The Kubernetes Service Account name. Defaults to `local.addon.name` (required)."
+}
+
+variable "irsa_role_create" {
+ type = bool
+ default = null
+ description = "Whether to create IRSA role and annotate Service Account. Defaults to `true`."
+}
+
+variable "irsa_policy_enabled" {
+ type = bool
+ default = null
+ description = "Whether to create opinionated policy to allow AWS operations. Mutually exclusive with `irsa_assume_role_enabled`. Defaults to `false`."
+}
+
+variable "irsa_policy" {
+ type = string
+ default = null
+ description = "Policy to be attached to the default role. Applied only if `irsa_policy_enabled` is `true`. Defaults to `\"\"`."
+}
+
+variable "irsa_assume_role_enabled" {
+ type = bool
+ default = null
+ description = "Whether IRSA is allowed to assume role defined by `irsa_assume_role_arn`. Mutually exclusive with `irsa_policy_enabled`. Defaults to `false`."
+}
+
+variable "irsa_assume_role_arn" {
+ type = string
+ default = null
+ description = "Assume role ARN. Assume role must be enabled. Applied only if `irsa_assume_role_enabled` is `true`. Defaults to `\"\"`."
+}
+
+variable "irsa_additional_policies" {
+ type = map(string)
+ default = null
+ description = "Map of the additional policies to be attached to default role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`."
+}
+
+variable "irsa_role_name_prefix" {
+ type = string
+ default = null
+ description = "IRSA role name prefix. Defaults to `\"$${local.addon.name}-irsa\"`."
+}
+
+variable "irsa_tags" {
+ type = map(string)
+ default = null
+ description = "IRSA resources tags. Defaults to `{}`."
+}
+
+# ================ argo variables (required) ================
+
+variable "argo_namespace" {
+ type = string
+ default = null
+ description = "Namespace to deploy ArgoCD application CRD to. Defaults to `\"argo\"`."
+}
+
+variable "argo_enabled" {
+ type = bool
+ default = null
+ description = "If set to true, the module will be deployed as ArgoCD application, otherwise it will be deployed as a Helm release. Defaults to `false`."
+}
+
+variable "argo_helm_enabled" {
+ type = bool
+ default = null
+ description = "If set to true, the ArgoCD Application manifest will be deployed using Kubernetes provider as a Helm release. Otherwise it'll be deployed as a Kubernetes manifest. See README for more info. Defaults to `false`."
+}
+
+variable "argo_helm_wait_timeout" {
+ type = string
+ default = null
+ description = "Timeout for ArgoCD Application Helm release wait job. Defaults to `\"10m\"`."
+}
+
+variable "argo_helm_wait_node_selector" {
+ type = map(string)
+ default = null
+ description = "Node selector for ArgoCD Application Helm release wait job. Defaults to `{}`."
+}
+
+variable "argo_helm_wait_tolerations" {
+ type = list(any)
+ default = null
+ description = "Tolerations for ArgoCD Application Helm release wait job. Defaults to `[]`."
+}
+
+variable "argo_helm_wait_backoff_limit" {
+ type = number
+ default = null
+ description = "Backoff limit for ArgoCD Application Helm release wait job. Defaults to `6`."
+}
+
+variable "argo_destination_server" {
+ type = string
+ default = null
+ description = "Destination server for ArgoCD Application. Defaults to `\"https://kubernetes.default.svc\"`."
+}
+
+variable "argo_project" {
+ type = string
+ default = null
+ description = "ArgoCD Application project. Defaults to `default`."
+}
+
+variable "argo_info" {
+ type = list(object({
+ name = string
+ value = string
+ }))
+ default = null
+ description = "ArgoCD info manifest parameter. Defaults to `[{name=\"terraform\",value=true}]`."
+}
+
+variable "argo_sync_policy" {
+ type = any
+ default = null
+ description = "ArgoCD syncPolicy manifest parameter. Defaults to `{}`."
+}
+
+variable "argo_metadata" {
+ type = any
+ default = null
+ description = "ArgoCD Application metadata configuration. Override or create additional metadata parameters. Defaults to `{finalizers=[\"resources-finalizer.argocd.argoproj.io\"]}`."
+}
+
+variable "argo_apiversion" {
+ type = string
+ default = null
+ description = "ArgoCD Application apiVersion. Defaults to `\"argoproj.io/v1alpha1\"`."
+}
+
+variable "argo_spec" {
+ type = any
+ default = null
+ description = "ArgoCD Application spec configuration. Override or create additional spec parameters. Defaults to `{}`."
+}
+
+variable "argo_helm_values" {
+ type = string
+ default = null
+ description = "Value overrides to use when deploying ArgoCD Application object with Helm. Defaults to `\"\"`."
+}
+
+# ================ argo kubernetes manifest variables (required) ================
+
+variable "argo_kubernetes_manifest_computed_fields" {
+ type = list(string)
+ default = null
+ description = "List of paths of fields to be handled as \"computed\". The user-configured value for the field will be overridden by any different value returned by the API after apply. Defaults to `[\"metadata.labels\", \"metadata.annotations\", \"metadata.finalizers\"]`."
+}
+
+variable "argo_kubernetes_manifest_field_manager_name" {
+ type = string
+ default = null
+ description = "The name of the field manager to use when applying the Kubernetes manifest resource. Defaults to `\"Terraform\"`."
+}
+
+variable "argo_kubernetes_manifest_field_manager_force_conflicts" {
+ type = bool
+ default = null
+ description = "Forcibly override any field manager conflicts when applying the kubernetes manifest resource. Defaults to `false`."
+}
+
+variable "argo_kubernetes_manifest_wait_fields" {
+ type = map(string)
+ default = null
+ description = "A map of fields and a corresponding regular expression with a pattern to wait for. The provider will wait until the field matches the regular expression. Use * for any value. Defaults to `{}`."
+}
+
+# ================ Helm release variables (required) ================
+
+variable "helm_repo_key_file" {
+ type = string
+ default = null
+ description = "Helm repositories cert key file. Defaults to `\"\"`."
+}
+
+variable "helm_repo_cert_file" {
+ type = string
+ default = null
+ description = "Helm repositories cert file. Defaults to `\"\"`."
+}
+
+variable "helm_repo_ca_file" {
+ type = string
+ default = null
+ description = "Helm repositories CA cert file. Defaults to `\"\"`."
+}
+
+variable "helm_repo_username" {
+ type = string
+ default = null
+ description = "Username for HTTP basic authentication against the Helm repository. Defaults to `\"\"`."
+}
+
+variable "helm_repo_password" {
+ type = string
+ default = null
+ description = "Password for HTTP basic authentication against the Helm repository. Defaults to `\"\"`."
+}
+
+variable "helm_devel" {
+ type = bool
+ default = null
+ description = "Use Helm chart development versions, too. Equivalent to version '>0.0.0-0'. If version is set, this is ignored. Defaults to `false`."
+}
+
+variable "helm_package_verify" {
+ type = bool
+ default = null
+ description = "Verify the package before installing it. Helm uses a provenance file to verify the integrity of the chart; this must be hosted alongside the chart. Defaults to `false`."
+}
+
+variable "helm_keyring" {
+ type = string
+ default = null
+ description = "Location of public keys used for verification.
Used only if `helm_package_verify` is `true`. Defaults to `\"~/.gnupg/pubring.gpg\"`."
+}
+
+variable "helm_timeout" {
+ type = number
+ default = null
+ description = "Time in seconds to wait for any individual Kubernetes operation (like Jobs for hooks). Defaults to `300`."
+}
+
+variable "helm_disable_webhooks" {
+ type = bool
+ default = null
+ description = "Prevent Helm chart hooks from running. Defaults to `false`."
+}
+
+variable "helm_reset_values" {
+ type = bool
+ default = null
+ description = "When upgrading, reset the values to the ones built into the Helm chart. Defaults to `false`."
+}
+
+variable "helm_reuse_values" {
+ type = bool
+ default = null
+ description = "When upgrading, reuse the last Helm release's values and merge in any overrides. If 'helm_reset_values' is specified, this is ignored. Defaults to `false`."
+}
+
+variable "helm_force_update" {
+ type = bool
+ default = null
+ description = "Force Helm resource update through delete/recreate if needed. Defaults to `false`."
+}
+
+variable "helm_recreate_pods" {
+ type = bool
+ default = null
+ description = "Perform pods restart during Helm upgrade/rollback. Defaults to `false`."
+}
+
+variable "helm_cleanup_on_fail" {
+ type = bool
+ default = null
+ description = "Allow deletion of new resources created in this Helm upgrade when upgrade fails. Defaults to `false`."
+}
+
+variable "helm_release_max_history" {
+ type = number
+ default = null
+ description = "Maximum number of release versions stored per release. Defaults to `0`."
+}
+
+variable "helm_atomic" {
+ type = bool
+ default = null
+ description = "If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used. Defaults to `false`."
+}
+
+variable "helm_wait" {
+ type = bool
+ default = null
+ description = "Will wait until all Helm release resources are in a ready state before marking the release as successful. It will wait for as long as timeout. Defaults to `false`."
+}
+
+variable "helm_wait_for_jobs" {
+ type = bool
+ default = null
+ description = "If wait is enabled, will wait until all Helm Jobs have been completed before marking the release as successful. It will wait for as long as timeout. Defaults to `false`."
+}
+
+variable "helm_skip_crds" {
+ type = bool
+ default = null
+ description = "If set, no CRDs will be installed before Helm release. Defaults to `false`."
+}
+
+variable "helm_render_subchart_notes" {
+ type = bool
+ default = null
+ description = "If set, render Helm subchart notes along with the parent. Defaults to `true`."
+}
+
+variable "helm_disable_openapi_validation" {
+ type = bool
+ default = null
+ description = "If set, the installation process will not validate rendered Helm templates against the Kubernetes OpenAPI Schema. Defaults to `false`."
+}
+
+variable "helm_dependency_update" {
+ type = bool
+ default = null
+ description = "Runs Helm dependency update before installing the chart. Defaults to `false`."
+}
+
+variable "helm_replace" {
+ type = bool
+ default = null
+ description = "Re-use the given name of Helm release, only if that name is a deleted release which remains in the history. This is unsafe in production. Defaults to `false`."
+}
+
+variable "helm_description" {
+ type = string
+ default = null
+ description = "Set Helm release description attribute (visible in the history). Defaults to `\"\"`."
+}
+
+variable "helm_lint" {
+ type = bool
+ default = null
+ description = "Run the Helm chart linter during the plan. Defaults to `false`."
+}
+
+variable "helm_set_sensitive" {
+ type = map(any)
+ default = null
+ description = "Value block with custom sensitive values to be merged with the values yaml that won't be exposed in the plan's diff. Defaults to `{}`."
+}
+
+variable "helm_postrender" {
+ type = map(any)
+ default = null
+ description = "Value block with a path to a binary file to run after Helm renders the manifest which can alter the manifest contents. Defaults to `{}`."
+}
diff --git a/variables.tf b/variables.tf
index 95405ff..a287436 100644
--- a/variables.tf
+++ b/variables.tf
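Review bot: `helm_repo_password` is declared as a plain `string` with no `sensitive = true`, so Terraform does not redact the Helm repository credential wherever it is interpolated into a non-sensitive attribute or output; the same applies to `helm_set_sensitive`, whose description promises its values "won't be exposed in the plan's diff" while the declaration itself does not mark them sensitive. Add `sensitive = true` to both variable blocks, e.g. `variable "helm_repo_password" { type = string default = null sensitive = true description = "Password for HTTP basic authentication against the Helm repository. Defaults to `\"\"`." }`. Since the header states this file is synced from the universal addon module, the change should land there first or the next sync will overwrite it.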
@@ -1,369 +1,144 @@ -variable "enabled" { +# IMPORTANT: Add addon specific variables here +variable "keda_operator_service_account_create" { type = bool default = true - description = "Variable indicating whether deployment is enabled" + description = "Whether to create the Service Account for the KEDA operator." } -variable "cluster_identity_oidc_issuer" { +variable "keda_operator_service_account_name" { type = string - description = "The OIDC Identity issuer for the cluster" -} - -variable "cluster_identity_oidc_issuer_arn" { - type = string - description = "The OIDC Identity issuer ARN for the cluster that can be used to associate IAM roles with a service account" -} - -variable "helm_chart_name" { - type = string - default = "keda" - description = "Helm chart name to be installed" -} - -variable "helm_chart_version" { - type = string - default = "2.7.2" - description = "Version of the Helm chart" -} - -variable "helm_release_name" { - type = string - default = "keda-controller" - description = "Helm release name" -} -variable "helm_repo_url" { - type = string - default = "https://kedacore.github.io/charts" - description = "Helm repository" -} - -variable "namespace" { - type = string - default = "keda-controller" - description = "The K8s namespace in which the keda controller controller will be created" -} - -variable "service_account_create" { - type = bool - default = true - description = "Whether to create Service Account" -} - -variable "service_account_name" { default = "keda-operator" - description = "The k8s keda controller service account name" + description = "The name of the Service Account for the KEDA operator." 
} -variable "irsa_role_create" { +variable "keda_operator_irsa_role_create" { type = bool - default = true - description = "Whether to create IRSA role and annotate service account" -} - -variable "irsa_role_name_prefix" { - type = string - default = "keda-controller" - description = "The IRSA role name prefix for keda controller" + default = false + description = "Whether to create the IRSA role for the KEDA operator." } -variable "irsa_policy_enabled" { +variable "keda_operator_irsa_policy_enabled" { type = bool - default = true - description = "Whether to create opinionated policy for keda controller, see https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/v2.4.0/docs/install/iam_policy.json" -} - -variable "irsa_policy_allow_assume_roles" { - type = list(string) - default = [] - description = "Allow assume specified roles. IRSA policy must be enabled to take effect. Default to all roles under source AWS account (\"arn:aws:iam::{account_id}:role/*\")." -} - -variable "irsa_additional_policies" { - type = map(string) - default = {} - description = "Map of the additional policies to be attached to default role. Where key is arbiraty id and value is policy arn." -} - -variable "irsa_tags" { - type = map(string) - default = {} - description = "IRSA resources tags" -} - -variable "settings" { - type = map(any) - default = {} - description = "Additional settings which will be passed to the Helm chart values, see https://github.com/kedacore/charts/tree/main/keda" + default = false + description = "Whether to create IAM policy specified by `keda_operator_irsa_policy` for the KEDA operator. Mutually exclusive with `keda_operator_irsa_assume_role_enabled`." 
} -variable "values" { +variable "keda_operator_irsa_policy" { type = string default = "" - description = "Additional yaml encoded values which will be passed to the Helm chart, see https://github.com/kedacore/charts/tree/main/keda" + description = "Policy to be attached to the default role of the KEDA operator. Applied only if `keda_operator_irsa_policy_enabled` is `true`." } -variable "argo_enabled" { +variable "keda_operator_irsa_assume_role_enabled" { type = bool default = false - description = "If set to true, the module will be deployed as ArgoCD application, otherwise it will be deployed as a Helm release" -} - -variable "argo_namespace" { - type = string - default = "argo" - description = "Namespace to deploy ArgoCD application CRD to" -} - -variable "argo_destination_server" { - type = string - default = "https://kubernetes.default.svc" - description = "Destination server for ArgoCD Application" -} - -variable "argo_project" { - type = string - default = "default" - description = "ArgoCD Application project" -} - -variable "argo_info" { - default = [{ - "name" = "terraform" - "value" = "true" - }] - description = "ArgoCD info manifest parameter" -} - -variable "argo_sync_policy" { - default = {} - description = "ArgoCD syncPolicy manifest parameter" + description = "Whether IRSA for the KEDA operator is allowed to assume role defined by `keda_operator_irsa_assume_role_arn`. Mutually exclusive with `keda_operator_irsa_policy_enabled`." } -variable "argo_metadata" { - default = { - "finalizers" : [ - "resources-finalizer.argocd.argoproj.io" - ] - } - description = "ArgoCD Application metadata configuration. Override or create additional metadata parameters" -} - -variable "argo_spec" { - default = {} - description = "ArgoCD Application spec configuration. 
Override or create additional spec parameters" -} - -variable "argo_apiversion" { - default = "argoproj.io/v1alpha1" - description = "ArgoCD Appliction apiVersion" -} - -variable "argo_kubernetes_manifest_computed_fields" { +variable "keda_operator_irsa_assume_role_arns" { type = list(string) - default = ["metadata.labels", "metadata.annotations"] - description = "List of paths of fields to be handled as \"computed\". The user-configured value for the field will be overridden by any different value returned by the API after apply." -} - -variable "argo_kubernetes_manifest_field_manager_name" { - default = "Terraform" - description = "The name of the field manager to use when applying the kubernetes manifest resource. Defaults to Terraform" -} - -variable "argo_kubernetes_manifest_field_manager_force_conflicts" { - type = bool - default = false - description = "Forcibly override any field manager conflicts when applying the kubernetes manifest resource" + default = [] + description = "Assume role ARNs for the KEDA operator. Applied only if `keda_operator_irsa_assume_role_enabled` is `true`." } -variable "argo_kubernetes_manifest_wait_fields" { +variable "keda_operator_irsa_additional_policies" { type = map(string) default = {} - description = "A map of fields and a corresponding regular expression with a pattern to wait for. The provider will wait until the field matches the regular expression. Use * for any value." + description = "Map of the additional policies to be attached to default role of the KEDA operator. Where key is arbitrary id and value is policy ARN." } -variable "argo_helm_enabled" { - type = bool - default = false - description = "If set to true, the ArgoCD Application manifest will be deployed using Kubernetes provider as a Helm release. Otherwise it'll be deployed as a Kubernetes manifest. 
See Readme for more info" -} - -variable "argo_helm_values" { - type = string - default = "" - description = "Value overrides to use when deploying argo application object with helm" -} - -variable "helm_create_namespace" { +variable "keda_metric_server_service_account_create" { type = bool default = true - description = "Create the namespace if it does not yet exist" -} - -variable "helm_repo_key_file" { - type = string - default = "" - description = "Helm repositories cert key file" -} - -variable "helm_repo_cert_file" { - type = string - default = "" - description = "Helm repositories cert file" -} - -variable "helm_repo_ca_file" { - type = string - default = "" - description = "Helm repositories cert file" + description = "Whether to create the Service Account for the KEDA metrics server." } -variable "helm_repo_username" { +variable "keda_metric_server_service_account_name" { type = string - default = "" - description = "Username for HTTP basic authentication against the helm repository" -} - -variable "helm_repo_password" { - type = string - default = "" - description = "Password for HTTP basic authentication against the helm repository" + default = "keda-metrics-server" + description = "The name of the Service Account for the KEDA metrics server." } -variable "helm_devel" { +variable "keda_metric_server_irsa_role_create" { type = bool - default = false - description = "Use helm chart development versions, too. Equivalent to version '>0.0.0-0'. If version is set, this is ignored" + default = true + description = "Whether to create the IRSA role for the KEDA metrics server." } -variable "helm_package_verify" { +variable "keda_metric_server_irsa_policy_enabled" { type = bool default = false - description = "Verify the package before installing it. 
Helm uses a provenance file to verify the integrity of the chart; this must be hosted alongside the chart" + description = "Whether to create IAM policy specified by `keda_metric_server_irsa_policy` for the KEDA metrics server. Mutually exclusive with `keda_metric_server_irsa_assume_role_enabled`." } -variable "helm_keyring" { +variable "keda_metric_server_irsa_policy" { type = string - default = "~/.gnupg/pubring.gpg" - description = "Location of public keys used for verification. Used only if helm_package_verify is true" -} - -variable "helm_timeout" { - type = number - default = 300 - description = "Time in seconds to wait for any individual kubernetes operation (like Jobs for hooks)" -} - -variable "helm_disable_webhooks" { - type = bool - default = false - description = "Prevent helm chart hooks from running" -} - -variable "helm_reset_values" { - type = bool - default = false - description = "When upgrading, reset the values to the ones built into the helm chart" -} - -variable "helm_reuse_values" { - type = bool - default = false - description = "When upgrading, reuse the last helm release's values and merge in any overrides. If 'helm_reset_values' is specified, this is ignored" -} - -variable "helm_force_update" { - type = bool - default = false - description = "Force helm resource update through delete/recreate if needed" -} - -variable "helm_recreate_pods" { - type = bool - default = false - description = "Perform pods restart during helm upgrade/rollback" + default = "" + description = "Policy to be attached to the default role of the KEDA metrics server. Applied only if `keda_metric_server_irsa_policy_enabled` is `true`." 
} -variable "helm_cleanup_on_fail" { +variable "keda_metric_server_irsa_assume_role_enabled" { type = bool default = false - description = "Allow deletion of new resources created in this helm upgrade when upgrade fails" + description = "Whether IRSA for the KEDA metrics server is allowed to assume role defined by `keda_metric_server_irsa_assume_role_arn`. Mutually exclusive with `keda_metric_server_irsa_policy_enabled`." } -variable "helm_release_max_history" { - type = number - default = 0 - description = "Maximum number of release versions stored per release" +variable "keda_metric_server_irsa_assume_role_arns" { + type = list(string) + default = [] + description = "Assume role ARNs for the KEDA metrics server. Applied only if `keda_metric_server_irsa_assume_role_enabled` is `true`." } -variable "helm_atomic" { - type = bool - default = false - description = "If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used" +variable "keda_metric_server_irsa_additional_policies" { + type = map(string) + default = {} + description = "Map of the additional policies to be attached to default role of the KEDA metrics server. Where key is arbitrary id and value is policy ARN." } -variable "helm_wait" { +variable "keda_webhooks_service_account_create" { type = bool - default = false - description = "Will wait until all helm release resources are in a ready state before marking the release as successful. It will wait for as long as timeout" + default = true + description = "Whether to create the Service Account for the KEDA webhooks." } -variable "helm_wait_for_jobs" { - type = bool - default = false - description = "If wait is enabled, will wait until all helm Jobs have been completed before marking the release as successful. It will wait for as long as timeout" +variable "keda_webhooks_service_account_name" { + type = string + default = "keda-webhook" + description = "The name of the Service Account for the KEDA webhooks." 
} - -variable "helm_skip_crds" { +variable "keda_webhooks_irsa_role_create" { type = bool default = false - description = "If set, no CRDs will be installed before helm release" -} - -variable "helm_render_subchart_notes" { - type = bool - default = true - description = "If set, render helm subchart notes along with the parent" + description = "Whether to create the IRSA role for the KEDA webhooks." } -variable "helm_disable_openapi_validation" { +variable "keda_webhooks_irsa_policy_enabled" { type = bool default = false - description = "If set, the installation process will not validate rendered helm templates against the Kubernetes OpenAPI Schema" -} - -variable "helm_set_sensitive" { - type = map(any) - default = {} - description = "Value block with custom sensitive values to be merged with the values yaml that won't be exposed in the plan's diff" + description = "Whether to create IAM policy specified by `keda_webhooks_irsa_policy` for the KEDA operator. Mutually exclusive with `keda_webhooks_irsa_assume_role_enabled`." } -variable "helm_dependency_update" { - type = bool - default = false - description = "Runs helm dependency update before installing the chart" +variable "keda_webhooks_irsa_policy" { + type = string + default = "" + description = "Policy to be attached to the default role of the KEDA webhooks. Applied only if `keda_webhooks_irsa_policy_enabled` is `true`." } -variable "helm_replace" { +variable "keda_webhooks_irsa_assume_role_enabled" { type = bool default = false - description = "Re-use the given name of helm release, only if that name is a deleted release which remains in the history. This is unsafe in production" + description = "Whether IRSA for the KEDA webhooks is allowed to assume role defined by `keda_webhooks_irsa_assume_role_arn`. Mutually exclusive with `keda_webhooks_irsa_policy_enabled`." 
} -variable "helm_description" { - type = string - default = "" - description = "Set helm release description attribute (visible in the history)" +variable "keda_webhooks_irsa_assume_role_arns" { + type = list(string) + default = [] + description = "Assume role ARNs for the KEDA webhooks. Applied only if `keda_webhooks_irsa_assume_role_enabled` is `true`." } -variable "helm_postrender" { - type = map(any) +variable "keda_webhooks_irsa_additional_policies" { + type = map(string) default = {} - description = "Value block with a path to a binary file to run after helm renders the manifest which can alter the manifest contents" -} - -variable "helm_lint" { - type = bool - default = false - description = "Run the helm chart linter during the plan" + description = "Map of the additional policies to be attached to default role of the KEDA webhooks. Where key is arbitrary id and value is policy ARN." } diff --git a/versions.tf b/versions.tf index ea8c3a1..58a9f12 100644 --- a/versions.tf +++ b/versions.tf @@ -1,14 +1,15 @@ +# IMPORTANT: This file is synced with the "terraform-aws-eks-universal-addon" module. Any changes to this file might be overwritten upon the next release of that module. terraform { - required_version = ">= 1.0" + required_version = ">= 1.5.0" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.19.0" + version = "~> 5" } kubernetes = { source = "hashicorp/kubernetes" - version = ">= 2.11.0" + version = ">= 2.20.0" } helm = { source = "hashicorp/helm" From 3cace1f2a297ed6802646bbb5274020528a6afb6 Mon Sep 17 00:00:00 2001 
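Review bot: The description of `keda_webhooks_irsa_policy_enabled` says the policy is created "for the KEDA operator"; that is a copy-paste slip and the phrase should read "for the KEDA webhooks" like the neighbouring webhooks variables. The three `*_irsa_assume_role_enabled` descriptions also refer to a singular `*_irsa_assume_role_arn` input, while the variables actually declared in this hunk are `keda_operator_irsa_assume_role_arns`, `keda_metric_server_irsa_assume_role_arns` and `keda_webhooks_irsa_assume_role_arns`, so a reader following the description will look for a variable that does not exist. `keda_metric_server_irsa_role_create` defaults to `true` whereas the operator and webhooks counterparts default to `false`; if that asymmetry is intentional, a one-line comment such as `# the metrics server needs an IRSA role by default; operator and webhooks opt in` would stop the next maintainer from "fixing" it, and if it is not intentional it creates an IAM role nobody asked for. Unlike the sibling inputs in variables-addon.tf, none of the new descriptions state their default, which makes the generated README table inconsistent.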
From: =?UTF-8?q?Martin=20Odstr=C4=8Dil=C3=ADk?= Date: Mon, 10 Jun 2024 22:07:08 +0200 Subject: [PATCH 2/7] feat: add irsa module --- .terraform-docs.yml | 2 +- README.md | 27 ++++--- addon-irsa.tf | 29 ++++++++ addon.tf | 31 +++----- docs/{.content.md => .addon.md} | 0 iam.tf | 121 -------------------------------- main.tf | 90 ++++++++++++++++-------- variables-addon-irsa.tf | 93 ++++++++++++++++++++++++ variables-addon.tf | 86 ----------------------- variables.tf | 6 ++ 10 files changed, 214 insertions(+), 271 deletions(-) create mode 100644 addon-irsa.tf rename docs/{.content.md => .addon.md} (100%) delete mode 100644 iam.tf create mode 100644 variables-addon-irsa.tf diff --git a/.terraform-docs.yml b/.terraform-docs.yml index 56c83d9..f67937f 100644 --- a/.terraform-docs.yml +++ b/.terraform-docs.yml @@ -5,7 +5,7 @@ footer-from: docs/.footer.md content: |- {{ .Header }} - {{ include "docs/.content.md" }} + {{ include "docs/.addon.md" }} {{ .Requirements }} {{ .Providers }} {{ .Modules }} diff --git a/README.md b/README.md index ea63700..835ab4c 100644 --- a/README.md +++ b/README.md 
@@ -49,17 +49,12 @@ See [Basic example](examples/basic/README.md) for further information. | Name | Source | Version | |------|--------|---------| -| [addon](#module\_addon) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon | v0.0.2 | +| [addon](#module\_addon) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon | v0.0.3 | +| [addon-irsa](#module\_addon-irsa) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa | v0.0.3 | ## Resources | Name | Type | |------|------| -| [aws_iam_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.this_additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_policy_document.this_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.this_irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [utils_deep_merge_yaml.values](https://registry.terraform.io/providers/cloudposse/utils/latest/docs/data-sources/deep_merge_yaml) | data source | > [!IMPORTANT] > Variables defined in [variables-addon.tf](variables-addon.tf) defaults to `null` to have them overridable by the addon configuration defined though the [`local.addon.*`](main.tf) local variable with some default values defined in [addon.tf](addon.tf). 
@@ -86,9 +81,9 @@ See [Basic example](examples/basic/README.md) for further information. | [argo\_project](#input\_argo\_project) | ArgoCD Application project. Defaults to `default`. | `string` | | [argo\_spec](#input\_argo\_spec) | ArgoCD Application spec configuration. Override or create additional spec parameters. Defaults to `{}`. | `any` | | [argo\_sync\_policy](#input\_argo\_sync\_policy) | ArgoCD syncPolicy manifest parameter. Defaults to `{}`. | `any` | -| [cluster\_identity\_oidc\_issuer](#input\_cluster\_identity\_oidc\_issuer) | The OIDC Identity issuer for the cluster. Defaults to `""`. | `string` | -| [cluster\_identity\_oidc\_issuer\_arn](#input\_cluster\_identity\_oidc\_issuer\_arn) | The OIDC Identity issuer ARN for the cluster that can be used to associate IAM roles with a Service Account. Defaults to `""`. | `string` | -| [enabled](#input\_enabled) | Variable indicating whether deployment is enabled | `bool` | +| [cluster\_identity\_oidc\_issuer](#input\_cluster\_identity\_oidc\_issuer) | The OIDC Identity issuer for the cluster (required). | `string` | +| [cluster\_identity\_oidc\_issuer\_arn](#input\_cluster\_identity\_oidc\_issuer\_arn) | The OIDC Identity issuer ARN for the cluster that can be used to associate IAM roles with a Service Account (required). | `string` | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources. | `bool` | | [helm\_atomic](#input\_helm\_atomic) | If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used. Defaults to `false`. | `bool` | | [helm\_chart\_name](#input\_helm\_chart\_name) | Helm chart name to be installed. Defaults to `local.addon.name` (required). | `string` | | [helm\_chart\_version](#input\_helm\_chart\_version) | Version of the Helm chart. Defaults to `local.addon.helm_chart_version` (required). | `string` | 
@@ -123,12 +118,13 @@ See [Basic example](examples/basic/README.md) for further information. | [helm\_wait](#input\_helm\_wait) | Will wait until all Helm release resources are in a ready state before marking the release as successful. It will wait for as long as timeout. Defaults to `false`. | `bool` | | [helm\_wait\_for\_jobs](#input\_helm\_wait\_for\_jobs) | If wait is enabled, will wait until all Helm Jobs have been completed before marking the release as successful. It will wait for as long as timeout. Defaults to `false`. | `bool` | | [irsa\_additional\_policies](#input\_irsa\_additional\_policies) | Map of the additional policies to be attached to default role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`. | `map(string)` | -| [irsa\_assume\_role\_arn](#input\_irsa\_assume\_role\_arn) | Assume role ARN. Assume role must be enabled. Applied only if `irsa_assume_role_enabled` is `true`. Defaults to `""`. | `string` | -| [irsa\_assume\_role\_enabled](#input\_irsa\_assume\_role\_enabled) | Whether IRSA is allowed to assume role defined by `irsa_assume_role_arn`. Mutually exclusive with `irsa_policy_enabled`. Defaults to `false`. | `bool` | +| [irsa\_assume\_role\_arns](#input\_irsa\_assume\_role\_arns) | List of ARNs assumable by the IRSA role. Applied only if `irsa_assume_role_enabled` is `true`. Defaults to `""`. | `list(string)` | +| [irsa\_assume\_role\_enabled](#input\_irsa\_assume\_role\_enabled) | Whether IRSA is allowed to assume role defined by `irsa_assume_role_arns`. Mutually exclusive with `irsa_policy_enabled`. Defaults to `false`. | `bool` | | [irsa\_policy](#input\_irsa\_policy) | Policy to be attached to the default role. Applied only if `irsa_policy_enabled` is `true`. Defaults to `""`. | `string` | -| [irsa\_policy\_enabled](#input\_irsa\_policy\_enabled) | Whether to create opinionated policy to allow AWS operations. Mutually exclusive with `irsa_assume_role_enabled`. Defaults to `false`. 
| `bool` | +| [irsa\_policy\_enabled](#input\_irsa\_policy\_enabled) | Whether to create IAM policy specified by `irsa_policy`. Mutually exclusive with `irsa_assume_role_enabled`. Defaults to `false`. | `bool` | | [irsa\_role\_create](#input\_irsa\_role\_create) | Whether to create IRSA role and annotate Service Account. Defaults to `true`. | `bool` | -| [irsa\_role\_name\_prefix](#input\_irsa\_role\_name\_prefix) | IRSA role name prefix. Defaults to `"${local.addon.name}-irsa"`. | `string` | +| [irsa\_role\_name](#input\_irsa\_role\_name) | IRSA role name. The value is prefixed by `var.irsa_role_name_prefix`. Defaults to addon Helm chart name. | `string` | +| [irsa\_role\_name\_prefix](#input\_irsa\_role\_name\_prefix) | IRSA role name prefix. Defaults to addon IRSA component name with `irsa` suffix. | `string` | | [irsa\_tags](#input\_irsa\_tags) | IRSA resources tags. Defaults to `{}`. | `map(string)` | | [keda\_metric\_server\_irsa\_additional\_policies](#input\_keda\_metric\_server\_irsa\_additional\_policies) | Map of the additional policies to be attached to default role of the KEDA metrics server. Where key is arbitrary id and value is policy ARN. | `map(string)` | | [keda\_metric\_server\_irsa\_assume\_role\_arns](#input\_keda\_metric\_server\_irsa\_assume\_role\_arns) | Assume role ARNs for the KEDA metrics server. Applied only if `keda_metric_server_irsa_assume_role_enabled` is `true`. | `list(string)` | 
@@ -157,7 +153,8 @@ See [Basic example](examples/basic/README.md) for further information. | [namespace](#input\_namespace) | The Kubernetes Namespace in which the Helm chart will be installed. Defaults to `local.addon.name` (required). | `string` | | [rbac\_create](#input\_rbac\_create) | Whether to create and use RBAC resources. Defaults to `true`. | `bool` | | [service\_account\_create](#input\_service\_account\_create) | Whether to create Service Account. Defaults to `true`. | `bool` | -| [service\_account\_name](#input\_service\_account\_name) | The Kubernetes Service Account name. Defaults to `local.addon.name` (required). | `string` | +| [service\_account\_name](#input\_service\_account\_name) | The Kubernetes Service Account name. Defaults to addon name. | `string` | +| [service\_account\_namespace](#input\_service\_account\_namespace) | The Kubernetes Service Account namespace. Defaults to addon namespace. | `string` | | [settings](#input\_settings) | Additional Helm sets which will be passed to the Helm chart values. Defaults to `{}`. | `map(any)` | | [values](#input\_values) | Additional yaml encoded values which will be passed to the Helm chart. Defaults to `""`. | `string` | ## Outputs diff --git a/addon-irsa.tf b/addon-irsa.tf new file mode 100644 index 0000000..7d0d845 --- /dev/null +++ b/addon-irsa.tf 
@@ -0,0 +1,29 @@
+# IMPORTANT: This file is synced with the "terraform-aws-eks-universal-addon" module. Any changes to this file might be overwritten upon the next release of that module.
+module "addon-irsa" {
+ for_each = local.addon_irsa
+
+ source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa?ref=v0.0.3"
+
+ enabled = var.enabled
+
+ cluster_identity_oidc_issuer = var.cluster_identity_oidc_issuer != null ? var.cluster_identity_oidc_issuer : try(each.value.cluster_identity_oidc_issuer, "")
+ cluster_identity_oidc_issuer_arn = var.cluster_identity_oidc_issuer_arn != null ? var.cluster_identity_oidc_issuer_arn : try(each.value.cluster_identity_oidc_issuer_arn, "")
+
+ rbac_create = var.rbac_create != null ? var.rbac_create : try(each.value.rbac_create, true)
+ service_account_create = var.service_account_create != null ? var.service_account_create : try(each.value.service_account_create, true)
+ service_account_name = var.service_account_name != null ? var.service_account_name : try(each.value.service_account_name, each.key)
+ service_account_namespace = var.service_account_namespace != null ? var.service_account_namespace : try(each.value.service_account_namespace, local.addon_namespace)
+
+ irsa_role_create = var.irsa_role_create != null ? var.irsa_role_create : try(each.value.irsa_role_create, true)
+ irsa_role_name_prefix = var.irsa_role_name_prefix != null ? var.irsa_role_name_prefix : try(each.value.irsa_role_name_prefix, "${each.key}-irsa")
+ irsa_role_name = var.irsa_role_name != null ? var.irsa_role_name : try(each.value.irsa_role_name, local.addon_helm_chart_name)
+
+ irsa_assume_role_arns = var.irsa_assume_role_arns != null ? var.irsa_assume_role_arns : try(each.value.irsa_assume_role_arns, "")
+ irsa_assume_role_enabled = var.irsa_assume_role_enabled != null ? var.irsa_assume_role_enabled : try(each.value.irsa_assume_role_enabled, false)
+
+ irsa_policy_enabled = var.irsa_policy_enabled != null ? 
var.irsa_policy_enabled : try(each.value.irsa_policy_enabled, false)
+ irsa_policy = var.irsa_policy != null ? var.irsa_policy : try(each.value.irsa_policy, "")
+
+ irsa_additional_policies = var.irsa_additional_policies != null ? var.irsa_additional_policies : try(each.value.irsa_additional_policies, tomap({}))
+ irsa_tags = var.irsa_tags != null ? var.irsa_tags : try(each.value.irsa_tags, tomap({}))
+}
diff --git a/addon.tf b/addon.tf
index 481b1ad..7a3cf5e 100644
--- a/addon.tf
+++ b/addon.tf
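Review bot: The fallback in `irsa_assume_role_arns = ... : try(each.value.irsa_assume_role_arns, "")` is a string, but the input is a list (the README table in this same commit types `irsa_assume_role_arns` as `list(string)`), so a component that omits the key and no `var.irsa_assume_role_arns` override would hand `""` to a `list(string)` argument, which Terraform cannot convert; the fallback should be `try(each.value.irsa_assume_role_arns, tolist([]))`, matching the `tomap({})` idiom used two lines below. Separately, every `var.irsa_*` override is evaluated before `each.value.*`, so a user-supplied `var.irsa_policy`, `var.irsa_assume_role_arns` or `var.irsa_additional_policies` is attached to the role of every component in `local.addon_irsa` rather than to one of them, and `var.service_account_name` or `var.irsa_role_name` would produce the same name for each component; the deleted iam.tf kept these per component. If `local.addon_irsa` (defined outside this hunk, presumably in main.tf) enumerates operator, metrics server and webhooks, a comment stating that the `var.*` overrides apply to all components, or reversing the precedence for the component-specific inputs, would keep each service account's permissions scoped to what it needs.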
@@ -1,14 +1,20 @@ # IMPORTANT: This file is synced with the "terraform-aws-eks-universal-addon" module. Any changes to this file might be overwritten upon the next release of that module. +locals { + addon_namespace = var.namespace != null ? var.namespace : try(local.addon.namespace, local.addon.name) + addon_helm_release_name = var.helm_release_name != null ? var.helm_release_name : try(local.addon.helm_release_name, local.addon.name) + addon_helm_chart_name = var.helm_chart_name != null ? var.helm_chart_name : try(local.addon.helm_chart_name, local.addon.name) +} + module "addon" { - source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon?ref=v0.0.2" + source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon?ref=v0.0.3" enabled = var.enabled # variable priority var.* (provided by the module user) > local.addon.* (universal addon default override) > default (universal addon default) - namespace = var.namespace != null ? var.namespace : try(local.addon.namespace, local.addon.name) + namespace = local.addon_namespace - helm_release_name = var.helm_release_name != null ? var.helm_release_name : try(local.addon.helm_release_name, local.addon.name) - helm_chart_name = var.helm_chart_name != null ? var.helm_chart_name : try(local.addon.helm_chart_name, local.addon.name) + helm_release_name = local.addon_helm_release_name + helm_chart_name = local.addon_helm_chart_name helm_chart_version = var.helm_chart_version != null ? var.helm_chart_version : local.addon.helm_chart_version helm_atomic = var.helm_atomic != null ? var.helm_atomic : try(local.addon.helm_atomic, false) helm_cleanup_on_fail = var.helm_cleanup_on_fail != null ? var.helm_cleanup_on_fail : try(local.addon.helm_cleanup_on_fail, false) 
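Review bot: The `# variable priority var.* (provided by the module user) > local.addon.* (universal addon default override) > default (universal addon default)` comment still sits inside `module "addon"` under `enabled`, but the resolution it describes for `namespace`, `helm_release_name` and `helm_chart_name` now lives in the new `locals` block, which carries no comment. Moving that line above `locals {` keeps the rule next to the code that applies it, and a short note that `addon-irsa.tf` consumes `local.addon_namespace` and `local.addon_helm_chart_name` would explain why these three values were hoisted out of the module call.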
@@ -61,21 +67,6 @@ module "addon" { argo_spec = var.argo_spec != null ? var.argo_spec : try(local.addon.argo_spec, tomap({})) argo_sync_policy = var.argo_sync_policy != null ? var.argo_sync_policy : try(local.addon.argo_sync_policy, tomap({})) - cluster_identity_oidc_issuer = var.cluster_identity_oidc_issuer != null ? var.cluster_identity_oidc_issuer : try(local.addon.cluster_identity_oidc_issuer, "") - cluster_identity_oidc_issuer_arn = var.cluster_identity_oidc_issuer_arn != null ? var.cluster_identity_oidc_issuer_arn : try(local.addon.cluster_identity_oidc_issuer_arn, "") - irsa_role_create = var.irsa_role_create != null ? var.irsa_role_create : try(local.addon.irsa_role_create, true) - irsa_additional_policies = var.irsa_additional_policies != null ? var.irsa_additional_policies : try(local.addon.irsa_additional_policies, tomap({})) - irsa_assume_role_arn = var.irsa_assume_role_arn != null ? var.irsa_assume_role_arn : try(local.addon.irsa_assume_role_arn, "") - irsa_assume_role_enabled = var.irsa_assume_role_enabled != null ? var.irsa_assume_role_enabled : try(local.addon.irsa_assume_role_enabled, false) - irsa_policy = var.irsa_policy != null ? var.irsa_policy : try(local.addon.irsa_policy, "") - irsa_policy_enabled = var.irsa_policy_enabled != null ? var.irsa_policy_enabled : try(local.addon.irsa_policy_enabled, false) - irsa_role_name_prefix = var.irsa_role_name_prefix != null ? var.irsa_role_name_prefix : try(local.addon.irsa_role_name_prefix, "${local.addon.name}-irsa") - irsa_tags = var.irsa_tags != null ? var.irsa_tags : try(local.addon.irsa_tags, tomap({})) - - rbac_create = var.rbac_create != null ? var.rbac_create : try(local.addon.rbac_create, true) - service_account_create = var.service_account_create != null ? var.service_account_create : try(local.addon.service_account_create, true) - service_account_name = var.service_account_name != null ? 
var.service_account_name : try(local.addon.service_account_name, local.addon.name) - settings = var.settings != null ? var.settings : try(local.addon.settings, tomap({})) values = one(data.utils_deep_merge_yaml.values[*].output) } @@ -84,7 +75,7 @@ data "utils_deep_merge_yaml" "values" { count = var.enabled == true ? 1 : 0 input = compact([ - try(local.addon.values, ""), + try(local.addon_values, ""), var.values ]) } diff --git a/docs/.content.md b/docs/.addon.md similarity index 100% rename from docs/.content.md rename to docs/.addon.md diff --git a/iam.tf b/iam.tf deleted file mode 100644 index 4e0cae9..0000000 --- a/iam.tf +++ /dev/null 
@@ -1,121 +0,0 @@ -locals { - irsa_role_create = var.enabled == true && var.rbac_create == true - irsa_role_name_prefix = try(coalesce(var.irsa_role_name_prefix, var.helm_release_name), "") - irsa_role_name = try(trim("${local.irsa_role_name_prefix}-${var.helm_chart_name}", "-"), "") - - irsa_components = { - operator = { - irsa_role_create = local.irsa_role_create && var.keda_operator_service_account_create == true && var.keda_operator_irsa_role_create == true - irsa_role_name_prefix = "${local.irsa_role_name_prefix}-operator" - irsa_role_name = "${local.irsa_role_name}-operator" - irsa_policy_enabled = var.keda_operator_irsa_policy_enabled == true && try(length(var.keda_operator_irsa_policy) > 0, false) - irsa_policy = var.keda_operator_irsa_policy - irsa_assume_role_enabled = var.keda_operator_irsa_assume_role_enabled == true && try(length(var.keda_operator_irsa_assume_role_arns) > 0, false) - irsa_assume_role_arns = var.keda_operator_irsa_assume_role_arns - irsa_additional_policies = var.keda_operator_irsa_additional_policies - service_account_name = var.keda_operator_service_account_name - } - metricServer = { - irsa_role_create = local.irsa_role_create && var.keda_metric_server_service_account_create == true && var.keda_metric_server_irsa_role_create == true - irsa_role_name_prefix = "${local.irsa_role_name_prefix}-metrics-server" - irsa_role_name = "${local.irsa_role_name}-metrics-server" - irsa_policy_enabled = var.keda_metric_server_irsa_policy_enabled == true && try(length(var.keda_metric_server_irsa_policy) > 0, false) - irsa_policy = var.keda_metric_server_irsa_policy - irsa_assume_role_enabled = var.keda_metric_server_irsa_assume_role_enabled == true && try(length(var.keda_metric_server_irsa_assume_role_arns) > 0, false) - irsa_assume_role_arns = var.keda_metric_server_irsa_assume_role_arns - irsa_additional_policies = var.keda_metric_server_irsa_additional_policies - service_account_name = var.keda_metric_server_service_account_name - } - webhooks = { 
- irsa_role_create = local.irsa_role_create && var.keda_webhooks_service_account_create == true && var.keda_webhooks_irsa_role_create == true - irsa_role_name_prefix = "${local.irsa_role_name_prefix}-webhooks" - irsa_role_name = "${local.irsa_role_name}-webhooks" - irsa_policy_enabled = var.keda_webhooks_irsa_policy_enabled == true && try(length(var.keda_webhooks_irsa_policy) > 0, false) - irsa_policy = var.keda_webhooks_irsa_policy - irsa_assume_role_enabled = var.keda_webhooks_irsa_assume_role_enabled == true && try(length(var.keda_webhooks_irsa_assume_role_arns) > 0, false) - irsa_assume_role_arns = var.keda_webhooks_irsa_assume_role_arns - irsa_additional_policies = var.keda_webhooks_irsa_additional_policies - service_account_name = var.keda_webhooks_service_account_name - } - } -} - -data "aws_iam_policy_document" "this_assume" { - for_each = { - for k, v in local.irsa_components : k => v if v.irsa_role_create && v.irsa_assume_role_enabled - } - - statement { - effect = "Allow" - actions = [ - "sts:AssumeRole" - ] - resources = each.value.irsa_assume_role_arns - } -} - -resource "aws_iam_policy" "this" { - for_each = { - for k, v in local.irsa_components : k => v if v.irsa_role_create && (v.irsa_policy_enabled || v.irsa_assume_role_enabled) - } - - name = each.value.irsa_role_name # tflint-ignore: aws_iam_policy_invalid_name - path = "/" - description = "Policy for ${var.helm_release_name} ${each.key} component" - policy = each.value.irsa_assume_role_enabled ? 
data.aws_iam_policy_document.this_assume[each.key].json : each.value.irsa_policy - - tags = var.irsa_tags -} - -data "aws_iam_policy_document" "this_irsa" { - for_each = { - for k, v in local.irsa_components : k => v if v.irsa_role_create - } - - statement { - effect = "Allow" - actions = ["sts:AssumeRoleWithWebIdentity"] - - principals { - type = "Federated" - identifiers = [var.cluster_identity_oidc_issuer_arn] - } - - condition { - test = "StringEquals" - variable = "${replace(var.cluster_identity_oidc_issuer, "https://", "")}:sub" - - values = [ - "system:serviceaccount:${var.namespace}:${each.value.service_account_name}", - ] - } - } -} - -resource "aws_iam_role" "this" { - for_each = { - for k, v in local.irsa_components : k => v if v.irsa_role_create - } - - name = each.value.irsa_role_name # tflint-ignore: aws_iam_role_invalid_name - assume_role_policy = data.aws_iam_policy_document.this_irsa[each.key].json - tags = var.irsa_tags -} - -resource "aws_iam_role_policy_attachment" "this" { - for_each = { - for k, v in local.irsa_components : k => v if v.irsa_role_create && (v.irsa_policy_enabled || v.irsa_assume_role_enabled) - } - - role = aws_iam_role.this[each.key].name - policy_arn = aws_iam_policy.this[each.key].arn -} - -resource "aws_iam_role_policy_attachment" "this_additional" { - for_each = merge([ - for k, v in local.irsa_components : { k = v.irsa_additional_policies } if v.irsa_role_create - ]...) - - role = aws_iam_role.this[each.value].name - policy_arn = each.value -} diff --git a/main.tf b/main.tf index 1a992e6..bd548a7 100644 --- a/main.tf +++ b/main.tf 
@@ -13,36 +13,70 @@ locals { helm_chart_name = "keda" helm_chart_version = "2.14.2" helm_repo_url = "https://kedacore.github.io/charts" + } + + addon_irsa = { + operator = { + service_account_create = var.keda_operator_service_account_create + service_account_name = var.keda_operator_service_account_name - irsa_role_create = false # we are handling IRSA locally + irsa_role_create = var.keda_operator_irsa_role_create + irsa_policy_enabled = var.keda_operator_irsa_policy_enabled + irsa_policy = var.keda_operator_irsa_policy + irsa_assume_role_enabled = var.keda_operator_irsa_assume_role_enabled + irsa_assume_role_arns = var.keda_operator_irsa_assume_role_arns + irsa_additional_policies = var.keda_operator_irsa_additional_policies + } + metricServer = { + service_account_create = var.keda_metric_server_service_account_create + service_account_name = var.keda_metric_server_service_account_name - values = yamlencode({ - rbac = { - create = var.rbac_create != null ? var.rbac_create : true + irsa_role_create = var.keda_metric_server_irsa_role_create + irsa_policy_enabled = var.keda_metric_server_irsa_policy_enabled + irsa_policy = var.keda_metric_server_irsa_policy + irsa_assume_role_enabled = var.keda_metric_server_irsa_assume_role_enabled + irsa_assume_role_arns = var.keda_metric_server_irsa_assume_role_arns + irsa_additional_policies = var.keda_metric_server_irsa_additional_policies + } + webhooks = { + service_account_create = var.keda_webhooks_service_account_create + service_account_name = var.keda_webhooks_service_account_name + + irsa_role_create = var.keda_webhooks_irsa_role_create + irsa_policy_enabled = var.keda_webhooks_irsa_policy_enabled + irsa_policy = var.keda_webhooks_irsa_policy + irsa_assume_role_enabled = var.keda_webhooks_irsa_assume_role_enabled + irsa_assume_role_arns = var.keda_webhooks_irsa_assume_role_arns + irsa_additional_policies = var.keda_webhooks_irsa_additional_policies + } + } + + addon_values = yamlencode({ + rbac = { + create = 
var.rbac_create != null ? var.rbac_create : true + } + serviceAccount = { + operator = { + create = var.keda_operator_service_account_create + name = var.keda_operator_service_account_name + annotations = length(module.addon-irsa["operator"].iam_role_attributes) > 0 ? { + "eks.amazonaws.com/role-arn" = module.addon-irsa["operator"].iam_role_attributes.arn + } : tomap({}) } - serviceAccount = { - operator = { - create = var.keda_operator_service_account_create - name = var.keda_operator_service_account_name - annotations = local.irsa_components["operator"].irsa_role_create ? { - "eks.amazonaws.com/role-arn" = aws_iam_role.this["operator"].arn - } : tomap({}) - } - metricServer = { - create = var.keda_metric_server_service_account_create - name = var.keda_metric_server_service_account_name - annotations = local.irsa_components["metricServer"].irsa_role_create ? { - "eks.amazonaws.com/role-arn" = aws_iam_role.this["metricServer"].arn - } : tomap({}) - } - webhooks = { - create = var.keda_webhooks_service_account_create - name = var.keda_webhooks_service_account_name - annotations = local.irsa_components["webhooks"].irsa_role_create ? { - "eks.amazonaws.com/role-arn" = aws_iam_role.this["webhooks"].arn - } : tomap({}) - } + metricServer = { + create = var.keda_metric_server_service_account_create + name = var.keda_metric_server_service_account_name + annotations = length(module.addon-irsa["metricServer"].iam_role_attributes) > 0 ? { + "eks.amazonaws.com/role-arn" = module.addon-irsa["metricServer"].iam_role_attributes.arn + } : tomap({}) } - }) - } + webhooks = { + create = var.keda_webhooks_service_account_create + name = var.keda_webhooks_service_account_name + annotations = length(module.addon-irsa["webhooks"].iam_role_attributes) > 0 ? { + "eks.amazonaws.com/role-arn" = module.addon-irsa["webhooks"].iam_role_attributes.arn + } : tomap({}) + } + } + }) } diff --git a/variables-addon-irsa.tf b/variables-addon-irsa.tf new file mode 100644 index 0000000..79d31cc 
--- /dev/null
+++ b/variables-addon-irsa.tf
@@ -0,0 +1,93 @@
+# IMPORTANT: This file is synced with the "terraform-aws-eks-universal-addon" module. Any changes to this file might be overwritten upon the next release of that module.
+
+# ================ IRSA variables (optional) ================
+
+variable "cluster_identity_oidc_issuer" {
+ type = string
+ default = null
+ description = "The OIDC Identity issuer for the cluster (required)."
+}
+
+variable "cluster_identity_oidc_issuer_arn" {
+ type = string
+ default = null
+ description = "The OIDC Identity issuer ARN for the cluster that can be used to associate IAM roles with a Service Account (required)."
+}
+
+variable "rbac_create" {
+ type = bool
+ default = null
+ description = "Whether to create and use RBAC resources. Defaults to `true`."
+}
+
+variable "service_account_create" {
+ type = bool
+ default = null
+ description = "Whether to create Service Account. Defaults to `true`."
+}
+
+variable "service_account_name" {
+ type = string
+ default = null
+ description = "The Kubernetes Service Account name. Defaults to addon name."
+}
+
+variable "service_account_namespace" {
+ type = string
+ default = null
+ description = "The Kubernetes Service Account namespace. Defaults to addon namespace."
+}
+
+variable "irsa_role_create" {
+ type = bool
+ default = null
+ description = "Whether to create IRSA role and annotate Service Account. Defaults to `true`."
+}
+
+variable "irsa_role_name_prefix" {
+ type = string
+ default = null
+ description = "IRSA role name prefix. Defaults to addon IRSA component name with `irsa` suffix."
+}
+
+variable "irsa_role_name" {
+ type = string
+ default = null
+ description = "IRSA role name. The value is prefixed by `var.irsa_role_name_prefix`. Defaults to addon Helm chart name."
+}
+
+variable "irsa_policy_enabled" {
+ type = bool
+ default = null
+ description = "Whether to create IAM policy specified by `irsa_policy`. Mutually exclusive with `irsa_assume_role_enabled`. Defaults to `false`."
+}
+
+variable "irsa_policy" {
+ type = string
+ default = null
+ description = "Policy to be attached to the default role. Applied only if `irsa_policy_enabled` is `true`. Defaults to `\"\"`."
+}
+
+variable "irsa_assume_role_enabled" {
+ type = bool
+ default = null
+ description = "Whether IRSA is allowed to assume role defined by `irsa_assume_role_arns`. Mutually exclusive with `irsa_policy_enabled`. Defaults to `false`."
+}
+
+variable "irsa_assume_role_arns" {
+ type = list(string)
+ default = null
+ description = "List of ARNs assumable by the IRSA role. Applied only if `irsa_assume_role_enabled` is `true`. Defaults to `\"\"`."
+}
+
+variable "irsa_additional_policies" {
+ type = map(string)
+ default = null
+ description = "Map of the additional policies to be attached to default role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`."
+}
+
+variable "irsa_tags" {
+ type = map(string)
+ default = null
+ description = "IRSA resources tags. Defaults to `{}`."
+}
diff --git a/variables-addon.tf b/variables-addon.tf
index 5cd5575..338090f 100644
--- a/variables-addon.tf
+++ b/variables-addon.tf
@@ -1,9 +1,4 @@ # IMPORTANT: This file is synced with the "terraform-aws-eks-universal-addon" module. Any changes to this file might be overwritten upon the next release of that module. -variable "enabled" { - type = bool - default = true - description = "Variable indicating whether deployment is enabled" -} # ================ common variables (required) ================
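Review bot: `irsa_assume_role_arns` is declared `list(string)` but its description ends with "Defaults to `\"\"`", which invites callers to pass a string where a list is expected; it should read "Defaults to `[]`." The "Mutually exclusive" statement on `irsa_policy_enabled` and `irsa_assume_role_enabled` is prose only and nothing in this file rejects both being `true`, so if the Terraform version in use allows it a `precondition` on the consuming side (or a cross-variable `validation` block) would make that contract enforceable rather than documentary. `cluster_identity_oidc_issuer` and `cluster_identity_oidc_issuer_arn` are described as "(required)" yet default to `null`, so a missing value is not caught at validate time; if the null default is deliberate (fall-through to a module-derived value) the description should say so instead of "(required)". The header states this file is synced from terraform-aws-eks-universal-addon, so these fixes need to land upstream or they will be overwritten on the next sync.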
@@ -55,87 +50,6 @@ variable "values" { description = "Additional yaml encoded values which will be passed to the Helm chart. Defaults to `\"\"`." } -# ================ IRSA variables (optional) ================ - - -variable "cluster_identity_oidc_issuer" { - type = string - default = null - description = "The OIDC Identity issuer for the cluster. Defaults to `\"\"`." -} - -variable "cluster_identity_oidc_issuer_arn" { - type = string - default = null - description = "The OIDC Identity issuer ARN for the cluster that can be used to associate IAM roles with a Service Account. Defaults to `\"\"`." -} - -variable "rbac_create" { - type = bool - default = null - description = "Whether to create and use RBAC resources. Defaults to `true`." -} - -variable "service_account_create" { - type = bool - default = null - description = "Whether to create Service Account. Defaults to `true`." -} - -variable "service_account_name" { - type = string - default = null - description = "The Kubernetes Service Account name. Defaults to `local.addon.name` (required)." -} - -variable "irsa_role_create" { - type = bool - default = null - description = "Whether to create IRSA role and annotate Service Account. Defaults to `true`." -} - -variable "irsa_policy_enabled" { - type = bool - default = null - description = "Whether to create opinionated policy to allow AWS operations. Mutually exclusive with `irsa_assume_role_enabled`. Defaults to `false`." -} - -variable "irsa_policy" { - type = string - default = null - description = "Policy to be attached to the default role. Applied only if `irsa_policy_enabled` is `true`. Defaults to `\"\"`." -} - -variable "irsa_assume_role_enabled" { - type = bool - default = null - description = "Whether IRSA is allowed to assume role defined by `irsa_assume_role_arn`. Mutually exclusive with `irsa_policy_enabled`. Defaults to `false`." -} - -variable "irsa_assume_role_arn" { - type = string - default = null - description = "Assume role ARN. 
Assume role must be enabled. Applied only if `irsa_assume_role_enabled` is `true`. Defaults to `\"\"`." -} - -variable "irsa_additional_policies" { - type = map(string) - default = null - description = "Map of the additional policies to be attached to default role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`." -} - -variable "irsa_role_name_prefix" { - type = string - default = null - description = "IRSA role name prefix. Defaults to `\"$${local.addon.name}-irsa\"`." -} - -variable "irsa_tags" { - type = map(string) - default = null - description = "IRSA resources tags. Defaults to `{}`." -} - # ================ argo variables (required) ================ variable "argo_namespace" { diff --git a/variables.tf b/variables.tf index a287436..28371a6 100644 --- a/variables.tf +++ b/variables.tf @@ -1,4 +1,10 @@ # IMPORTANT: Add addon specific variables here +variable "enabled" { + type = bool + default = true + description = "Set to false to prevent the module from creating any resources." +} + variable "keda_operator_service_account_create" { type = bool default = true From ddee442ad6cb15697a8df07c1deb1dd795a816b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Odstr=C4=8Dil=C3=ADk?= Date: Wed, 26 Jun 2024 16:48:15 +0200 Subject: [PATCH 3/7] feat: update irsa module --- README.md | 11 +++++------ addon-irsa.tf | 9 ++++----- addon.tf | 2 +- main.tf | 6 +++--- variables-addon-irsa.tf | 22 ++++++++-------------- 5 files changed, 21 insertions(+), 29 deletions(-) diff --git a/README.md b/README.md index 835ab4c..6ceeb3c 100644 --- a/README.md +++ b/README.md 
@@ -49,8 +49,8 @@ See [Basic example](examples/basic/README.md) for further information. | Name | Source | Version | |------|--------|---------| -| [addon](#module\_addon) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon | v0.0.3 | -| [addon-irsa](#module\_addon-irsa) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa | v0.0.3 | +| [addon](#module\_addon) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon | v0.0.4 | +| [addon-irsa](#module\_addon-irsa) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa | v0.0.4 | ## Resources | Name | Type | 
@@ -117,11 +117,10 @@ See [Basic example](examples/basic/README.md) for further information. | [helm\_timeout](#input\_helm\_timeout) | Time in seconds to wait for any individual Kubernetes operation (like Jobs for hooks). Defaults to `300`. | `number` | | [helm\_wait](#input\_helm\_wait) | Will wait until all Helm release resources are in a ready state before marking the release as successful. It will wait for as long as timeout. Defaults to `false`. | `bool` | | [helm\_wait\_for\_jobs](#input\_helm\_wait\_for\_jobs) | If wait is enabled, will wait until all Helm Jobs have been completed before marking the release as successful. It will wait for as long as timeout. Defaults to `false`. | `bool` | -| [irsa\_additional\_policies](#input\_irsa\_additional\_policies) | Map of the additional policies to be attached to default role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`. | `map(string)` | +| [irsa\_additional\_policies](#input\_irsa\_additional\_policies) | Map of the additional policies to be attached to IRSA role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`. | `map(string)` | | [irsa\_assume\_role\_arns](#input\_irsa\_assume\_role\_arns) | List of ARNs assumable by the IRSA role. Applied only if `irsa_assume_role_enabled` is `true`. Defaults to `""`. | `list(string)` | -| [irsa\_assume\_role\_enabled](#input\_irsa\_assume\_role\_enabled) | Whether IRSA is allowed to assume role defined by `irsa_assume_role_arns`. Mutually exclusive with `irsa_policy_enabled`. Defaults to `false`. | `bool` | -| [irsa\_policy](#input\_irsa\_policy) | Policy to be attached to the default role. Applied only if `irsa_policy_enabled` is `true`. Defaults to `""`. | `string` | -| [irsa\_policy\_enabled](#input\_irsa\_policy\_enabled) | Whether to create IAM policy specified by `irsa_policy`. Mutually exclusive with `irsa_assume_role_enabled`. Defaults to `false`. 
| `bool` | +| [irsa\_assume\_role\_enabled](#input\_irsa\_assume\_role\_enabled) | Whether IRSA is allowed to assume role defined by `irsa_assume_role_arn`. Defaults to `false`. | `bool` | +| [irsa\_permissions\_boundary](#input\_irsa\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IRSA role. Defaults to `null`. | `string` | | [irsa\_role\_create](#input\_irsa\_role\_create) | Whether to create IRSA role and annotate Service Account. Defaults to `true`. | `bool` | | [irsa\_role\_name](#input\_irsa\_role\_name) | IRSA role name. The value is prefixed by `var.irsa_role_name_prefix`. Defaults to addon Helm chart name. | `string` | | [irsa\_role\_name\_prefix](#input\_irsa\_role\_name\_prefix) | IRSA role name prefix. Defaults to addon IRSA component name with `irsa` suffix. | `string` | diff --git a/addon-irsa.tf b/addon-irsa.tf index 7d0d845..39cf9bf 100644 --- a/addon-irsa.tf +++ b/addon-irsa.tf @@ -2,7 +2,7 @@ module "addon-irsa" { for_each = local.addon_irsa - source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa?ref=v0.0.3" + source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa?ref=v0.0.4" enabled = var.enabled 
@@ -21,9 +21,8 @@ module "addon-irsa" { irsa_assume_role_arns = var.irsa_assume_role_arns != null ? var.irsa_assume_role_arns : try(each.value.irsa_assume_role_arns, "") irsa_assume_role_enabled = var.irsa_assume_role_enabled != null ? var.irsa_assume_role_enabled : try(each.value.irsa_assume_role_enabled, false) - irsa_policy_enabled = var.irsa_policy_enabled != null ? var.irsa_policy_enabled : try(each.value.irsa_policy_enabled, false) - irsa_policy = var.irsa_policy != null ? var.irsa_policy : try(each.value.irsa_policy, "") + irsa_permissions_boundary = var.irsa_permissions_boundary != null ? var.irsa_permissions_boundary : try(each.value.irsa_permissions_boundary, null) + irsa_additional_policies = var.irsa_additional_policies != null ? var.irsa_additional_policies : try(each.value.irsa_additional_policies, tomap({})) - irsa_additional_policies = var.irsa_additional_policies != null ? var.irsa_additional_policies : try(each.value.irsa_additional_policies, tomap({})) - irsa_tags = var.irsa_tags != null ? var.irsa_tags : try(each.value.irsa_tags, tomap({})) + irsa_tags = var.irsa_tags != null ? var.irsa_tags : try(each.value.irsa_tags, tomap({})) } diff --git a/addon.tf b/addon.tf index 7a3cf5e..0da1f20 100644 --- a/addon.tf +++ b/addon.tf @@ -6,7 +6,7 @@ locals { } module "addon" { - source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon?ref=v0.0.3" + source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon?ref=v0.0.4" enabled = var.enabled diff --git a/main.tf b/main.tf index bd548a7..ea41e1b 100644 --- a/main.tf +++ b/main.tf 
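Review bot: With `irsa_policy_enabled` and `irsa_policy` dropped from this module block, the per-component `irsa_policy_enabled`/`irsa_policy` entries that `local.addon_irsa` in main.tf builds from the `keda_*_irsa_policy*` inputs no longer reach `module.addon-irsa`, so a caller's custom policy is silently ignored; either the v0.0.4 module still accepts those arguments and the two lines should stay, or it does not and the now-dead entries in `local.addon_irsa` (and the `keda_*_irsa_policy*` inputs they read) should be removed in the same commit. The module block starts outside the hunk, so I cannot see whether they are forwarded above line 21. Note also that every module-level `var.irsa_*` override here applies to all three `for_each` instances at once, so a single `var.irsa_assume_role_arns` or `var.irsa_additional_policies` value grants the operator, metrics-server and webhooks roles identical permissions; the variable descriptions should state that, and component-specific grants should stay on the `keda_<component>_irsa_*` inputs so each role carries only what it needs. Finally, `try(each.value.irsa_assume_role_arns, "")` falls back to a string for a `list(string)` input; `try(each.value.irsa_assume_role_arns, [])` matches the declared type.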
@@ -59,21 +59,21 @@ locals { operator = { create = var.keda_operator_service_account_create name = var.keda_operator_service_account_name - annotations = length(module.addon-irsa["operator"].iam_role_attributes) > 0 ? { + annotations = module.addon-irsa["operator"].irsa_role_enabled ? { "eks.amazonaws.com/role-arn" = module.addon-irsa["operator"].iam_role_attributes.arn } : tomap({}) } metricServer = { create = var.keda_metric_server_service_account_create name = var.keda_metric_server_service_account_name - annotations = length(module.addon-irsa["metricServer"].iam_role_attributes) > 0 ? { + annotations = module.addon-irsa["metricServer"].irsa_role_enabled ? { "eks.amazonaws.com/role-arn" = module.addon-irsa["metricServer"].iam_role_attributes.arn } : tomap({}) } webhooks = { create = var.keda_webhooks_service_account_create name = var.keda_webhooks_service_account_name - annotations = length(module.addon-irsa["webhooks"].iam_role_attributes) > 0 ? { + annotations = module.addon-irsa["webhooks"].irsa_role_enabled ? { "eks.amazonaws.com/role-arn" = module.addon-irsa["webhooks"].iam_role_attributes.arn } : tomap({}) } diff --git a/variables-addon-irsa.tf b/variables-addon-irsa.tf index 79d31cc..9fc5d01 100644 --- a/variables-addon-irsa.tf +++ b/variables-addon-irsa.tf 
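Review bot: The three `serviceAccount` entries in this hunk are the same four-line shape repeated per component, and the annotation condition had to be edited three times in one commit; a `for` expression over `local.addon_irsa` (whose keys `operator`, `metricServer` and `webhooks` match the `module.addon-irsa` instance keys and already carry `service_account_create`/`service_account_name`) produces the same map from one definition. That `local.addon_irsa` has exactly those keys is taken from the earlier main.tf hunk in this series and is not visible here, so confirm before collapsing. The enclosing `locals` block and the `addon_values = yamlencode({` line start outside the hunk.
```hcl
    # … unchanged: rbac = { … } …
    serviceAccount = {
      # one entry per IRSA component; keys match the module.addon-irsa instances
      for component, cfg in local.addon_irsa : component => {
        create = cfg.service_account_create
        name   = cfg.service_account_name
        annotations = module.addon-irsa[component].irsa_role_enabled ? {
          "eks.amazonaws.com/role-arn" = module.addon-irsa[component].iam_role_attributes.arn
        } : tomap({})
      }
    }
```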
@@ -56,22 +56,10 @@ variable "irsa_role_name" { description = "IRSA role name. The value is prefixed by `var.irsa_role_name_prefix`. Defaults to addon Helm chart name." } -variable "irsa_policy_enabled" { - type = bool - default = null - description = "Whether to create IAM policy specified by `irsa_policy`. Mutually exclusive with `irsa_assume_role_enabled`. Defaults to `false`." -} - -variable "irsa_policy" { - type = string - default = null - description = "Policy to be attached to the default role. Applied only if `irsa_policy_enabled` is `true`. Defaults to `\"\"`." -} - variable "irsa_assume_role_enabled" { type = bool default = null - description = "Whether IRSA is allowed to assume role defined by `irsa_assume_role_arns`. Mutually exclusive with `irsa_policy_enabled`. Defaults to `false`." + description = "Whether IRSA is allowed to assume role defined by `irsa_assume_role_arn`. Defaults to `false`." } variable "irsa_assume_role_arns" { @@ -80,10 +68,16 @@ variable "irsa_assume_role_arns" { description = "List of ARNs assumable by the IRSA role. Applied only if `irsa_assume_role_enabled` is `true`. Defaults to `\"\"`." } +variable "irsa_permissions_boundary" { + type = string + default = null + description = "ARN of the policy that is used to set the permissions boundary for the IRSA role. Defaults to `null`." +} + variable "irsa_additional_policies" { type = map(string) default = null - description = "Map of the additional policies to be attached to default role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`." + description = "Map of the additional policies to be attached to IRSA role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`." } variable "irsa_tags" { From ed313a46b9ce3a660d4a4f3814ea8ee7f0c144ce Mon Sep 17 00:00:00 2001 
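Review bot: The new description of `irsa_assume_role_enabled` points at `irsa_assume_role_arn`, but the variable it gates is `irsa_assume_role_arns` (declared directly below, `list(string)`), so this edit introduces a dangling reference; the same wording lands in the README input table in this patch. It could read "Whether IRSA is allowed to assume the roles listed in `irsa_assume_role_arns`. Defaults to `false`." The `irsa_assume_role_arns` description in the second hunk still says "Defaults to `\"\"`" for a list-typed input and should say `[]`. As this file is synced from the universal-addon module, both corrections need to be applied upstream as well or they will be overwritten on the next sync.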
From: =?UTF-8?q?Martin=20Odstr=C4=8Dil=C3=ADk?= Date: Thu, 27 Jun 2024 15:28:47 +0200 Subject: [PATCH 4/7] feat: add irsa permissions boundary --- README.md | 14 ++++++++++---- addon-irsa.tf | 16 +++++++++++----- addon.tf | 2 +- main.tf | 39 +++++++++++++++++++++------------------ variables-addon-irsa.tf | 18 +++++++++++++++--- variables.tf | 18 ++++++++++++++++++ 6 files changed, 76 insertions(+), 31 deletions(-) diff --git a/README.md b/README.md index 6ceeb3c..8c937ce 100644 --- a/README.md +++ b/README.md @@ -50,7 +50,7 @@ See [Basic example](examples/basic/README.md) for further information. | Name | Source | Version | |------|--------|---------| | [addon](#module\_addon) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon | v0.0.4 | -| [addon-irsa](#module\_addon-irsa) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa | v0.0.4 | +| [addon-irsa](#module\_addon-irsa) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa | v0.0.5 | ## Resources | Name | Type | 
@@ -118,9 +118,11 @@ See [Basic example](examples/basic/README.md) for further information. | [helm\_wait](#input\_helm\_wait) | Will wait until all Helm release resources are in a ready state before marking the release as successful. It will wait for as long as timeout. Defaults to `false`. | `bool` | | [helm\_wait\_for\_jobs](#input\_helm\_wait\_for\_jobs) | If wait is enabled, will wait until all Helm Jobs have been completed before marking the release as successful. It will wait for as long as timeout. Defaults to `false`. | `bool` | | [irsa\_additional\_policies](#input\_irsa\_additional\_policies) | Map of the additional policies to be attached to IRSA role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`. | `map(string)` | -| [irsa\_assume\_role\_arns](#input\_irsa\_assume\_role\_arns) | List of ARNs assumable by the IRSA role. Applied only if `irsa_assume_role_enabled` is `true`. Defaults to `""`. | `list(string)` | -| [irsa\_assume\_role\_enabled](#input\_irsa\_assume\_role\_enabled) | Whether IRSA is allowed to assume role defined by `irsa_assume_role_arn`. Defaults to `false`. | `bool` | -| [irsa\_permissions\_boundary](#input\_irsa\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IRSA role. Defaults to `null`. | `string` | +| [irsa\_assume\_role\_arns](#input\_irsa\_assume\_role\_arns) | List of ARNs assumable by the IRSA role. Applied only if `irsa_assume_role_enabled` is `true`. | `list(string)` | +| [irsa\_assume\_role\_enabled](#input\_irsa\_assume\_role\_enabled) | Whether IRSA is allowed to assume role defined by `irsa_assume_role_arn`. Mutually exclusive with `irsa_policy_enabled`. Defaults to `false`. | `bool` | +| [irsa\_permissions\_boundary](#input\_irsa\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IRSA role. Defaults to `""`. | `string` | +| [irsa\_policy](#input\_irsa\_policy) | Policy to be attached to the IRSA role. 
Applied only if `irsa_policy_enabled` is `true`. | `string` | +| [irsa\_policy\_enabled](#input\_irsa\_policy\_enabled) | Whether to create IAM policy specified by `irsa_policy`. Mutually exclusive with `irsa_assume_role_enabled`. Defaults to `false`. | `bool` | | [irsa\_role\_create](#input\_irsa\_role\_create) | Whether to create IRSA role and annotate Service Account. Defaults to `true`. | `bool` | | [irsa\_role\_name](#input\_irsa\_role\_name) | IRSA role name. The value is prefixed by `var.irsa_role_name_prefix`. Defaults to addon Helm chart name. | `string` | | [irsa\_role\_name\_prefix](#input\_irsa\_role\_name\_prefix) | IRSA role name prefix. Defaults to addon IRSA component name with `irsa` suffix. | `string` | 
@@ -128,6 +130,7 @@ See [Basic example](examples/basic/README.md) for further information. | [keda\_metric\_server\_irsa\_additional\_policies](#input\_keda\_metric\_server\_irsa\_additional\_policies) | Map of the additional policies to be attached to default role of the KEDA metrics server. Where key is arbitrary id and value is policy ARN. | `map(string)` | | [keda\_metric\_server\_irsa\_assume\_role\_arns](#input\_keda\_metric\_server\_irsa\_assume\_role\_arns) | Assume role ARNs for the KEDA metrics server. Applied only if `keda_metric_server_irsa_assume_role_enabled` is `true`. | `list(string)` | | [keda\_metric\_server\_irsa\_assume\_role\_enabled](#input\_keda\_metric\_server\_irsa\_assume\_role\_enabled) | Whether IRSA for the KEDA metrics server is allowed to assume role defined by `keda_metric_server_irsa_assume_role_arn`. Mutually exclusive with `keda_metric_server_irsa_policy_enabled`. | `bool` | +| [keda\_metric\_server\_irsa\_permissions\_boundary](#input\_keda\_metric\_server\_irsa\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IRSA role of the KEDA metrics server. Defaults to `""`. | `string` | | [keda\_metric\_server\_irsa\_policy](#input\_keda\_metric\_server\_irsa\_policy) | Policy to be attached to the default role of the KEDA metrics server. Applied only if `keda_metric_server_irsa_policy_enabled` is `true`. | `string` | | [keda\_metric\_server\_irsa\_policy\_enabled](#input\_keda\_metric\_server\_irsa\_policy\_enabled) | Whether to create IAM policy specified by `keda_metric_server_irsa_policy` for the KEDA metrics server. Mutually exclusive with `keda_metric_server_irsa_assume_role_enabled`. | `bool` | | [keda\_metric\_server\_irsa\_role\_create](#input\_keda\_metric\_server\_irsa\_role\_create) | Whether to create the IRSA role for the KEDA metrics server. | `bool` | 
@@ -136,6 +139,7 @@ See [Basic example](examples/basic/README.md) for further information. | [keda\_operator\_irsa\_additional\_policies](#input\_keda\_operator\_irsa\_additional\_policies) | Map of the additional policies to be attached to default role of the KEDA operator. Where key is arbitrary id and value is policy ARN. | `map(string)` | | [keda\_operator\_irsa\_assume\_role\_arns](#input\_keda\_operator\_irsa\_assume\_role\_arns) | Assume role ARNs for the KEDA operator. Applied only if `keda_operator_irsa_assume_role_enabled` is `true`. | `list(string)` | | [keda\_operator\_irsa\_assume\_role\_enabled](#input\_keda\_operator\_irsa\_assume\_role\_enabled) | Whether IRSA for the KEDA operator is allowed to assume role defined by `keda_operator_irsa_assume_role_arn`. Mutually exclusive with `keda_operator_irsa_policy_enabled`. | `bool` | +| [keda\_operator\_irsa\_permissions\_boundary](#input\_keda\_operator\_irsa\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IRSA role of the KEDA operator. Defaults to `""`. | `string` | | [keda\_operator\_irsa\_policy](#input\_keda\_operator\_irsa\_policy) | Policy to be attached to the default role of the KEDA operator. Applied only if `keda_operator_irsa_policy_enabled` is `true`. | `string` | | [keda\_operator\_irsa\_policy\_enabled](#input\_keda\_operator\_irsa\_policy\_enabled) | Whether to create IAM policy specified by `keda_operator_irsa_policy` for the KEDA operator. Mutually exclusive with `keda_operator_irsa_assume_role_enabled`. | `bool` | | [keda\_operator\_irsa\_role\_create](#input\_keda\_operator\_irsa\_role\_create) | Whether to create the IRSA role for the KEDA operator. | `bool` | 
@@ -144,6 +148,7 @@ See [Basic example](examples/basic/README.md) for further information.
 | [keda\_webhooks\_irsa\_additional\_policies](#input\_keda\_webhooks\_irsa\_additional\_policies) | Map of the additional policies to be attached to default role of the KEDA webhooks. Where key is arbitrary id and value is policy ARN. | `map(string)` |
 | [keda\_webhooks\_irsa\_assume\_role\_arns](#input\_keda\_webhooks\_irsa\_assume\_role\_arns) | Assume role ARNs for the KEDA webhooks. Applied only if `keda_webhooks_irsa_assume_role_enabled` is `true`. | `list(string)` |
 | [keda\_webhooks\_irsa\_assume\_role\_enabled](#input\_keda\_webhooks\_irsa\_assume\_role\_enabled) | Whether IRSA for the KEDA webhooks is allowed to assume role defined by `keda_webhooks_irsa_assume_role_arn`. Mutually exclusive with `keda_webhooks_irsa_policy_enabled`. | `bool` |
+| [keda\_webhooks\_irsa\_permissions\_boundary](#input\_keda\_webhooks\_irsa\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IRSA role of the KEDA webhooks. Defaults to `""`. | `string` |
 | [keda\_webhooks\_irsa\_policy](#input\_keda\_webhooks\_irsa\_policy) | Policy to be attached to the default role of the KEDA webhooks. Applied only if `keda_webhooks_irsa_policy_enabled` is `true`. | `string` |
 | [keda\_webhooks\_irsa\_policy\_enabled](#input\_keda\_webhooks\_irsa\_policy\_enabled) | Whether to create IAM policy specified by `keda_webhooks_irsa_policy` for the KEDA operator. Mutually exclusive with `keda_webhooks_irsa_assume_role_enabled`. | `bool` |
 | [keda\_webhooks\_irsa\_role\_create](#input\_keda\_webhooks\_irsa\_role\_create) | Whether to create the IRSA role for the KEDA webhooks. | `bool` |
@@ -161,6 +166,7 @@ See [Basic example](examples/basic/README.md) for further information.
 | Name | Description |
 |------|-------------|
 | [addon](#output\_addon) | The addon module outputs |
+| [addon\_irsa](#output\_addon\_irsa) | The addon IRSA module outputs |
 ## Contributing and reporting issues
 Feel free to create an issue in this repository if you have questions, suggestions or feature requests.
diff --git a/addon-irsa.tf b/addon-irsa.tf
index 39cf9bf..6aa5b5e 100644
--- a/addon-irsa.tf
+++ b/addon-irsa.tf
@@ -2,7 +2,7 @@ module "addon-irsa" {
 for_each = local.addon_irsa
- source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa?ref=v0.0.4"
+ source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa?ref=v0.0.5"
 enabled = var.enabled
@@ -18,11 +18,17 @@ module "addon-irsa" {
 irsa_role_name_prefix = var.irsa_role_name_prefix != null ? var.irsa_role_name_prefix : try(each.value.irsa_role_name_prefix, "${each.key}-irsa")
 irsa_role_name = var.irsa_role_name != null ? var.irsa_role_name : try(each.value.irsa_role_name, local.addon_helm_chart_name)
- irsa_assume_role_arns = var.irsa_assume_role_arns != null ? var.irsa_assume_role_arns : try(each.value.irsa_assume_role_arns, "")
- irsa_assume_role_enabled = var.irsa_assume_role_enabled != null ? var.irsa_assume_role_enabled : try(each.value.irsa_assume_role_enabled, false)
-
- irsa_permissions_boundary = var.irsa_permissions_boundary != null ? var.irsa_permissions_boundary : try(each.value.irsa_permissions_boundary, null)
+ irsa_policy_enabled = var.irsa_policy_enabled != null ? var.irsa_policy_enabled : try(each.value.irsa_policy_enabled, false)
+ irsa_policy = var.irsa_policy != null ? var.irsa_policy : try(each.value.irsa_policy, "")
+ irsa_assume_role_enabled = var.irsa_assume_role_enabled != null ? var.irsa_assume_role_enabled : try(each.value.irsa_assume_role_enabled, false)
+ irsa_assume_role_arns = var.irsa_assume_role_arns != null ? var.irsa_assume_role_arns : try(each.value.irsa_assume_role_arns, [])
+ irsa_permissions_boundary = var.irsa_permissions_boundary != null ? var.irsa_permissions_boundary : try(each.value.irsa_permissions_boundary, "")
 irsa_additional_policies = var.irsa_additional_policies != null ? var.irsa_additional_policies : try(each.value.irsa_additional_policies, tomap({}))
 irsa_tags = var.irsa_tags != null ? var.irsa_tags : try(each.value.irsa_tags, tomap({}))
 }
+
+output "addon_irsa" {
+ description = "The addon IRSA module outputs"
+ value = module.addon-irsa
+}
diff --git a/addon.tf b/addon.tf
index 0da1f20..542f123 100644
--- a/addon.tf
+++ b/addon.tf
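Review bot: The new `try(each.value.irsa_permissions_boundary, "")` fallback only applies when the key is missing, and main.tf in this series now sets that key on every component from `var.keda_*_irsa_permissions_boundary`, whose declared default is `null` (variables.tf hunks in the same commit); `try` returns that `null` untouched, so the module receives `null` rather than the `""` the descriptions promise, and the same holds for the other `try(..., <default>)` fallbacks on these lines whenever a component carries an explicit null. If the addon-irsa module's variable treats `null` as "no boundary" this is harmless and only the "Defaults to `\"\"`" wording in variables-addon-irsa.tf, variables.tf and the README needs reconciling; otherwise `try(coalesce(each.value.irsa_permissions_boundary), "")` folds both a missing key and a null value into `""`. Since the permissions boundary is what caps whatever `irsa_policy` and `irsa_additional_policies` grant, it is worth a plan-level check that a component left at its null default really ends up with the intended boundary attached rather than none.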
@@ -6,7 +6,7 @@ locals {
 }
 module "addon" {
- source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon?ref=v0.0.4"
+ source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon?ref=v0.0.5"
 enabled = var.enabled
diff --git a/main.tf b/main.tf
index ea41e1b..9c96a5d 100644
--- a/main.tf
+++ b/main.tf
@@ -20,34 +20,37 @@ locals {
 service_account_create = var.keda_operator_service_account_create
 service_account_name = var.keda_operator_service_account_name
- irsa_role_create = var.keda_operator_irsa_role_create
- irsa_policy_enabled = var.keda_operator_irsa_policy_enabled
- irsa_policy = var.keda_operator_irsa_policy
- irsa_assume_role_enabled = var.keda_operator_irsa_assume_role_enabled
- irsa_assume_role_arns = var.keda_operator_irsa_assume_role_arns
- irsa_additional_policies = var.keda_operator_irsa_additional_policies
+ irsa_role_create = var.keda_operator_irsa_role_create
+ irsa_policy_enabled = var.keda_operator_irsa_policy_enabled
+ irsa_policy = var.keda_operator_irsa_policy
+ irsa_assume_role_enabled = var.keda_operator_irsa_assume_role_enabled
+ irsa_assume_role_arns = var.keda_operator_irsa_assume_role_arns
+ irsa_permissions_boundary = var.keda_operator_irsa_permissions_boundary
+ irsa_additional_policies = var.keda_operator_irsa_additional_policies
 }
 metricServer = {
 service_account_create = var.keda_metric_server_service_account_create
 service_account_name = var.keda_metric_server_service_account_name
- irsa_role_create = var.keda_metric_server_irsa_role_create
- irsa_policy_enabled = var.keda_metric_server_irsa_policy_enabled
- irsa_policy = var.keda_metric_server_irsa_policy
- irsa_assume_role_enabled = var.keda_metric_server_irsa_assume_role_enabled
- irsa_assume_role_arns = var.keda_metric_server_irsa_assume_role_arns
- irsa_additional_policies = var.keda_metric_server_irsa_additional_policies
+ irsa_role_create = var.keda_metric_server_irsa_role_create
+ irsa_policy_enabled = var.keda_metric_server_irsa_policy_enabled
+ irsa_policy = var.keda_metric_server_irsa_policy
+ irsa_assume_role_enabled = var.keda_metric_server_irsa_assume_role_enabled
+ irsa_assume_role_arns = var.keda_metric_server_irsa_assume_role_arns
+ irsa_permissions_boundary = var.keda_metric_server_irsa_permissions_boundary
+ irsa_additional_policies = var.keda_metric_server_irsa_additional_policies
 }
 webhooks = {
 service_account_create = var.keda_webhooks_service_account_create
 service_account_name = var.keda_webhooks_service_account_name
- irsa_role_create = var.keda_webhooks_irsa_role_create
- irsa_policy_enabled = var.keda_webhooks_irsa_policy_enabled
- irsa_policy = var.keda_webhooks_irsa_policy
- irsa_assume_role_enabled = var.keda_webhooks_irsa_assume_role_enabled
- irsa_assume_role_arns = var.keda_webhooks_irsa_assume_role_arns
- irsa_additional_policies = var.keda_webhooks_irsa_additional_policies
+ irsa_role_create = var.keda_webhooks_irsa_role_create
+ irsa_policy_enabled = var.keda_webhooks_irsa_policy_enabled
+ irsa_policy = var.keda_webhooks_irsa_policy
+ irsa_assume_role_enabled = var.keda_webhooks_irsa_assume_role_enabled
+ irsa_assume_role_arns = var.keda_webhooks_irsa_assume_role_arns
+ irsa_permissions_boundary = var.keda_webhooks_irsa_permissions_boundary
+ irsa_additional_policies = var.keda_webhooks_irsa_additional_policies
 }
 }
diff --git a/variables-addon-irsa.tf b/variables-addon-irsa.tf
index 9fc5d01..6405409 100644
--- a/variables-addon-irsa.tf
+++ b/variables-addon-irsa.tf
@@ -56,22 +56,34 @@ variable "irsa_role_name" {
 description = "IRSA role name. The value is prefixed by `var.irsa_role_name_prefix`. Defaults to addon Helm chart name."
 }
+variable "irsa_policy_enabled" {
+ type = bool
+ default = null
+ description = "Whether to create IAM policy specified by `irsa_policy`. Mutually exclusive with `irsa_assume_role_enabled`. Defaults to `false`."
+}
+
+variable "irsa_policy" {
+ type = string
+ default = null
+ description = "Policy to be attached to the IRSA role. Applied only if `irsa_policy_enabled` is `true`."
+}
+
 variable "irsa_assume_role_enabled" {
 type = bool
 default = null
- description = "Whether IRSA is allowed to assume role defined by `irsa_assume_role_arn`. Defaults to `false`."
+ description = "Whether IRSA is allowed to assume role defined by `irsa_assume_role_arn`. Mutually exclusive with `irsa_policy_enabled`. Defaults to `false`."
 }
 variable "irsa_assume_role_arns" {
 type = list(string)
 default = null
- description = "List of ARNs assumable by the IRSA role. Applied only if `irsa_assume_role_enabled` is `true`. Defaults to `\"\"`."
+ description = "List of ARNs assumable by the IRSA role. Applied only if `irsa_assume_role_enabled` is `true`."
 }
 variable "irsa_permissions_boundary" {
 type = string
 default = null
- description = "ARN of the policy that is used to set the permissions boundary for the IRSA role. Defaults to `null`."
+ description = "ARN of the policy that is used to set the permissions boundary for the IRSA role. Defaults to `\"\"`."
 }
 variable "irsa_additional_policies" {
diff --git a/variables.tf b/variables.tf
index 28371a6..94ebd03 100644
--- a/variables.tf
+++ b/variables.tf
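Review bot: The changed `irsa_assume_role_enabled` description still names `irsa_assume_role_arn`, but the variable declared directly below it is `irsa_assume_role_arns` (plural, `list(string)`); replace `irsa_assume_role_arn` with `irsa_assume_role_arns` in that string. The same singular name is repeated in the README input rows of this series for the operator, metrics server and webhooks, so a user following the docs will look for an input that does not exist. The mutual exclusion now stated for `irsa_policy_enabled` and `irsa_assume_role_enabled` is prose only in this file; if the addon-irsa module does not itself reject both being `true`, the result depends on the module, so either state the precedence in both descriptions or enforce it (a `validation` block that references another variable needs Terraform 1.9 or later; `versions.tf` is outside this chunk).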
@@ -47,6 +47,12 @@ variable "keda_operator_irsa_assume_role_arns" {
 description = "Assume role ARNs for the KEDA operator. Applied only if `keda_operator_irsa_assume_role_enabled` is `true`."
 }
+variable "keda_operator_irsa_permissions_boundary" {
+ type = string
+ default = null
+ description = "ARN of the policy that is used to set the permissions boundary for the IRSA role of the KEDA operator. Defaults to `\"\"`."
+}
+
 variable "keda_operator_irsa_additional_policies" {
 type = map(string)
 default = {}
@@ -95,6 +101,12 @@ variable "keda_metric_server_irsa_assume_role_arns" {
 description = "Assume role ARNs for the KEDA metrics server. Applied only if `keda_metric_server_irsa_assume_role_enabled` is `true`."
 }
+variable "keda_metric_server_irsa_permissions_boundary" {
+ type = string
+ default = null
+ description = "ARN of the policy that is used to set the permissions boundary for the IRSA role of the KEDA metrics server. Defaults to `\"\"`."
+}
+
 variable "keda_metric_server_irsa_additional_policies" {
 type = map(string)
 default = {}
@@ -143,6 +155,12 @@ variable "keda_webhooks_irsa_assume_role_arns" {
 description = "Assume role ARNs for the KEDA webhooks. Applied only if `keda_webhooks_irsa_assume_role_enabled` is `true`."
 }
+variable "keda_webhooks_irsa_permissions_boundary" {
+ type = string
+ default = null
+ description = "ARN of the policy that is used to set the permissions boundary for the IRSA role of the KEDA webhooks. Defaults to `\"\"`."
+}
+
 variable "keda_webhooks_irsa_additional_policies" {
 type = map(string)
 default = {}
From 83dfa09486bb0162aa488fd8cb0805c75acdc2ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Odstr=C4=8Dil=C3=ADk?=
Date: Thu, 27 Jun 2024 17:36:50 +0200
Subject: [PATCH 5/7] ci(sync): remove token
---
 .github/workflows/template-sync.yaml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/.github/workflows/template-sync.yaml b/.github/workflows/template-sync.yaml
index d17df05..91922db 100644
--- a/.github/workflows/template-sync.yaml
+++ b/.github/workflows/template-sync.yaml
@@ -15,13 +15,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
- with:
- token: ${{ secrets.TEST_TOKEN }}
 - name: actions-template-sync
 uses: AndreasAugustin/actions-template-sync@v2
 with:
- github_token: ${{ secrets.TEST_TOKEN }}
 source_repo_path: lablabs/terraform-aws-eks-universal-addon
 upstream_branch: main
 pr_labels: kind/sync
From 8dd80f2332a3908137eb7d686dd864ab94e6bf96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Odstr=C4=8Dil=C3=ADk?=
Date: Thu, 27 Jun 2024 17:38:26 +0200
Subject: [PATCH 6/7] docs: update README.md
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 8c937ce..d0c9147 100644
--- a/README.md
+++ b/README.md
@@ -49,7 +49,7 @@ See [Basic example](examples/basic/README.md) for further information.
 | Name | Source | Version |
 |------|--------|---------|
-| [addon](#module\_addon) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon | v0.0.4 |
+| [addon](#module\_addon) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon | v0.0.5 |
 | [addon-irsa](#module\_addon-irsa) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa | v0.0.5 |
 ## Resources
From 84293bce50a6bedb5f5590a9fd9f3f8ed5bbcf3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Odstr=C4=8Dil=C3=ADk?=
Date: Thu, 27 Jun 2024 17:45:29 +0200
Subject: [PATCH 7/7] chore: update lock files
---
 .terraform.lock.hcl | 8 ++++++++
 examples/basic/.terraform.lock.hcl | 24 +++++++++++++++++++-----
 2 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
index f9bceba..e70ba62 100644
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
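Review bot: With `TEST_TOKEN` removed from both the checkout step and the sync step, the job falls back to the workflow's `GITHUB_TOKEN`, which can only push the sync branch and open the PR if the job or workflow grants `permissions: contents: write` and `pull-requests: write`; the `permissions:` key, if any, sits above this hunk, so confirm it is present. Dropping a long-lived PAT for the automatically scoped token is the right least-privilege move, but GitHub documents that pull requests created with `GITHUB_TOKEN` do not trigger other `pull_request`-driven workflows, so the pre-commit and validate workflows in this repository (if they run on `pull_request`) will not check sync PRs unless the PR step uses a GitHub App installation token or a minimally scoped PAT. The third-party `AndreasAugustin/actions-template-sync@v2` is referenced by a mutable tag while holding those write rights; pinning it to a full commit SHA (with the tag kept in a trailing comment) stops a moved tag from silently changing what runs with them.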
@@ -5,7 +5,9 @@ provider "registry.terraform.io/cloudposse/utils" {
 version = "1.19.2"
 constraints = ">= 0.17.0"
 hashes = [
+ "h1:gqYR81ADrA9HeWCMnEOg/x9RIMce6dwOXOC/DxjsYto=",
 "h1:yy3kB4scsoyM81yyyUMPxuJXeFvexBL5KMrCKrjrUkE=",
+ "h1:zeLrxuXDYEA5+hArYpigYKZJiIB57WQ3nn7VGTc0QDc=",
 "zh:1002d1c3f458b569119b31eb2f732c093922b7f86aa59d999d77c3f3ca297f53",
 "zh:367ca0d95bf24db1ff6632da94affe1ac0b51679e00f6ca3f1b8f927b9724c3b",
 "zh:3e48ef23e276d18a88405926f39b476d40fb543859f2fcfc316f70501071c1ed",
@@ -27,6 +29,8 @@ provider "registry.terraform.io/hashicorp/aws" {
 version = "5.42.0"
 constraints = "~> 5.0"
 hashes = [
+ "h1:0lkSSlK45Qil9fO1kFy8RXVC/k6qfC4LDZIaCKnWcUc=",
+ "h1:Gwe5HXZYD/3M5j6LwKhp8amb1SraCR9p+G96d381RVc=",
 "h1:Yxsj34z606m8wssYDHyleuBlQ9i+94MHwRs38thQPZU=",
 "zh:0fb12bd56a3ad777b29f957c56dd2119776dbc01b6074458f597990e368c82de",
 "zh:16e99c13bef6e3777f67c240c916f57c01c9c142254cfb2720e08281ff906447",
@@ -50,7 +54,9 @@ provider "registry.terraform.io/hashicorp/helm" {
 version = "2.12.1"
 constraints = ">= 2.6.0"
 hashes = [
+ "h1:7wfYOAeSEchHB8idNl+2jf+OkFi9zFSOLWkEZFuTCik=",
 "h1:aBfcqM4cbywa7TAxfT1YoFS+Cst9waerlm4XErFmJlk=",
+ "h1:sgYI7lwGqJqPopY3NGmhb1eQ0YbH8PIXaAZAmnJrAvw=",
 "zh:1d623fb1662703f2feb7860e3c795d849c77640eecbc5a776784d08807b15004",
 "zh:253a5bc62ba2c4314875139e3fbd2feaad5ef6b0fb420302a474ab49e8e51a38",
 "zh:282358f4ad4f20d0ccaab670b8645228bfad1c03ac0d0df5889f0aea8aeac01a",
@@ -70,7 +76,9 @@ provider "registry.terraform.io/hashicorp/kubernetes" {
 version = "2.27.0"
 constraints = ">= 2.20.0"
 hashes = [
+ "h1:/3kLyOR2jTaWS1MKso4xAztrocGBMxi8yVadWiqSWOg=",
 "h1:GzU0FzYAT/+IgAhnSBcFH3bT+4I5N6oSga6iZgNJAus=",
+ "h1:TrlG/sofnDv8kAbzKOD5pIPeUiI5VQY61NuWH+cItDw=",
 "zh:3bdba30ae67c55dc7e9a317ac0da3b208ea7926fe9c2f0ae6587ee88dcc58d1f",
 "zh:3f35138a831c00b188d2ffee27111dd0cf59afad2dd5653ed9e67d59646de12c",
 "zh:64066d18f6ae9a316c2bc840ef3e641d7ab94e1ea3a41d12523e77345ad442ef",
diff --git a/examples/basic/.terraform.lock.hcl b/examples/basic/.terraform.lock.hcl
index 3c1279a..44bba7c 100644
--- a/examples/basic/.terraform.lock.hcl
+++ b/examples/basic/.terraform.lock.hcl
@@ -5,7 +5,9 @@ provider "registry.terraform.io/cloudposse/utils" {
 version = "1.18.0"
 constraints = ">= 0.17.0"
 hashes = [
+ "h1:/vyNN6DuHSLpmrc/4d1OZVyDbkj5PckP/pGW8z3lAhE=",
 "h1:UdRh991C59aDB5nrpBN1PZzyZucsmbgvoDHq4uHKiE0=",
+ "h1:eHwxhgfHZeW3sKYICNwu9XEaKoAh6YPuj/LSVidyo7w=",
 "zh:1a6a1f1c354a2e1f92369fd331e1578ee8942600406c83629278b1d88e857421",
 "zh:35847cc6575844c05e2cbbe199e9d1190c01ed1b91dfe05b897bb6c83825debe",
 "zh:3b4f263c7c4b9ab08f59577c133f7112b380487dacc1d75b2802488a53dcb23d",
@@ -25,9 +27,11 @@ provider "registry.terraform.io/cloudposse/utils" {
 provider "registry.terraform.io/hashicorp/aws" {
 version = "5.41.0"
- constraints = ">= 3.0.0, >= 3.38.0, >= 3.56.0, >= 4.35.0, ~> 5.0"
+ constraints = ">= 3.0.0, >= 4.48.0, ~> 5.0, >= 5.30.0, >= 5.34.0"
 hashes = [
 "h1:DiX7N35G2NUQRyRGy90+gyePnhP4w77f8LrJUronotE=",
+ "h1:SgIWBDBA1uNB/Y7CaLFeNX/Ju2xboSSQmRv35Vbi46M=",
+ "h1:uNln7837/ZTVgQBk+hhfgB9Y87icES6X0lMSOfK5c7g=",
 "zh:0553331a6287c146353b6daf6f71987d8c000f407b5e29d6e004ea88faec2e67",
 "zh:1a11118984bb2950e8ee7ef17b0f91fc9eb4a42c8e7a9cafd7eb4aca771d06e4",
 "zh:236fedd266d152a8233a7fe27ffdd99ca27d9e66a9618a988a4c3da1ac24a33f",
@@ -50,7 +54,9 @@ provider "registry.terraform.io/hashicorp/helm" {
 version = "2.12.1"
 constraints = ">= 2.6.0"
 hashes = [
+ "h1:7wfYOAeSEchHB8idNl+2jf+OkFi9zFSOLWkEZFuTCik=",
 "h1:aBfcqM4cbywa7TAxfT1YoFS+Cst9waerlm4XErFmJlk=",
+ "h1:sgYI7lwGqJqPopY3NGmhb1eQ0YbH8PIXaAZAmnJrAvw=",
 "zh:1d623fb1662703f2feb7860e3c795d849c77640eecbc5a776784d08807b15004",
 "zh:253a5bc62ba2c4314875139e3fbd2feaad5ef6b0fb420302a474ab49e8e51a38",
 "zh:282358f4ad4f20d0ccaab670b8645228bfad1c03ac0d0df5889f0aea8aeac01a",
@@ -68,9 +74,11 @@ provider "registry.terraform.io/hashicorp/helm" {
 provider "registry.terraform.io/hashicorp/kubernetes" {
 version = "2.27.0"
- constraints = ">= 2.7.1, >= 2.20.0"
+ constraints = ">= 2.20.0"
 hashes = [
+ "h1:/3kLyOR2jTaWS1MKso4xAztrocGBMxi8yVadWiqSWOg=",
 "h1:GzU0FzYAT/+IgAhnSBcFH3bT+4I5N6oSga6iZgNJAus=",
+ "h1:TrlG/sofnDv8kAbzKOD5pIPeUiI5VQY61NuWH+cItDw=",
 "zh:3bdba30ae67c55dc7e9a317ac0da3b208ea7926fe9c2f0ae6587ee88dcc58d1f",
 "zh:3f35138a831c00b188d2ffee27111dd0cf59afad2dd5653ed9e67d59646de12c",
 "zh:64066d18f6ae9a316c2bc840ef3e641d7ab94e1ea3a41d12523e77345ad442ef",
@@ -88,9 +96,11 @@ provider "registry.terraform.io/hashicorp/kubernetes" {
 provider "registry.terraform.io/hashicorp/null" {
 version = "3.2.2"
- constraints = ">= 2.0.0"
+ constraints = ">= 3.0.0"
 hashes = [
 "h1:IMVAUHKoydFrlPrl9OzasDnw/8ntZFerCC9iXw1rXQY=",
+ "h1:vWAsYRd7MjYr3adj8BVKRohVfHpWQdvkIwUQ2Jf5FVM=",
+ "h1:zT1ZbegaAYHwQa+QwIFugArWikRJI9dqohj8xb0GY88=",
 "zh:3248aae6a2198f3ec8394218d05bd5e42be59f43a3a7c0b71c66ec0df08b69e7",
 "zh:32b1aaa1c3013d33c245493f4a65465eab9436b454d250102729321a44c8ab9a",
 "zh:38eff7e470acb48f66380a73a5c7cdd76cc9b9c9ba9a7249c7991488abe22fe3",
@@ -108,9 +118,11 @@ provider "registry.terraform.io/hashicorp/null" {
 provider "registry.terraform.io/hashicorp/random" {
 version = "3.6.0"
- constraints = ">= 2.0.0"
+ constraints = ">= 2.0.0, >= 3.0.0"
 hashes = [
 "h1:I8MBeauYA8J8yheLJ8oSMWqB0kovn16dF/wKZ1QTdkk=",
+ "h1:R5Ucn26riKIEijcsiOMBR3uOAjuOMfI1x7XvH4P6B1w=",
+ "h1:p6WG1IPHnqx1fnJVKNjv733FBaArIugqy58HRZnpPCk=",
 "zh:03360ed3ecd31e8c5dac9c95fe0858be50f3e9a0d0c654b5e504109c2159287d",
 "zh:1c67ac51254ba2a2bb53a25e8ae7e4d076103483f55f39b426ec55e47d1fe211",
 "zh:24a17bba7f6d679538ff51b3a2f378cedadede97af8a1db7dad4fd8d6d50f829",
@@ -128,8 +140,10 @@ provider "registry.terraform.io/hashicorp/random" {
 provider "registry.terraform.io/hashicorp/tls" {
 version = "4.0.5"
- constraints = ">= 3.1.0"
+ constraints = ">= 3.1.0, != 4.0.0"
 hashes = [
+ "h1:e4LBdJoZJNOQXPWgOAG0UuPBVhCStu98PieNlqJTmeU=",
+ "h1:yLqz+skP3+EbU3yyvw8JqzflQTKDQGsC9QyZAg+S4dg=",
 "h1:zeG5RmggBZW/8JWIVrdaeSJa0OG62uFX5HY1eE8SjzY=",
 "zh:01cfb11cb74654c003f6d4e32bbef8f5969ee2856394a96d127da4949c65153e",
 "zh:0472ea1574026aa1e8ca82bb6df2c40cd0478e9336b7a8a64e652119a2fa4f32",