refactor: Refactor velero addon module. (#143)
rodrigobersa authored Apr 27, 2023
1 parent 8cfa9c5 commit accf7a4
Showing 12 changed files with 191 additions and 421 deletions.
7 changes: 3 additions & 4 deletions README.md
Expand Up @@ -50,7 +50,7 @@ Please note: not all addons will be supported as they are today in the main EKS
| <a name="module_kube_prometheus_stack"></a> [kube\_prometheus\_stack](#module\_kube\_prometheus\_stack) | ./modules/eks-blueprints-addon | n/a |
| <a name="module_metrics_server"></a> [metrics\_server](#module\_metrics\_server) | ./modules/eks-blueprints-addon | n/a |
| <a name="module_secrets_store_csi_driver"></a> [secrets\_store\_csi\_driver](#module\_secrets\_store\_csi\_driver) | ./modules/eks-blueprints-addon | n/a |
| <a name="module_velero"></a> [velero](#module\_velero) | ./modules/velero | n/a |
| <a name="module_velero"></a> [velero](#module\_velero) | ./modules/eks-blueprints-addon | n/a |
| <a name="module_vpa"></a> [vpa](#module\_vpa) | ./modules/eks-blueprints-addon | n/a |

## Resources
Expand Down Expand Up @@ -82,6 +82,7 @@ Please note: not all addons will be supported as they are today in the main EKS
| [aws_iam_policy_document.external_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.fsx_csi_driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_role.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source |
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
Expand Down Expand Up @@ -160,9 +161,7 @@ Please note: not all addons will be supported as they are today in the main EKS
| <a name="input_oidc_provider_arn"></a> [oidc\_provider\_arn](#input\_oidc\_provider\_arn) | The ARN of the cluster OIDC Provider | `string` | n/a | yes |
| <a name="input_secrets_store_csi_driver"></a> [secrets\_store\_csi\_driver](#input\_secrets\_store\_csi\_driver) | CSI Secrets Store Provider add-on configurations | `any` | `{}` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
| <a name="input_velero_backup_s3_bucket"></a> [velero\_backup\_s3\_bucket](#input\_velero\_backup\_s3\_bucket) | Bucket name for velero bucket | `string` | `""` | no |
| <a name="input_velero_helm_config"></a> [velero\_helm\_config](#input\_velero\_helm\_config) | Kubernetes Velero Helm Chart config | `any` | `null` | no |
| <a name="input_velero_irsa_policies"></a> [velero\_irsa\_policies](#input\_velero\_irsa\_policies) | IAM policy ARNs for velero IRSA | `list(string)` | `[]` | no |
| <a name="input_velero"></a> [velero](#input\_velero) | Velero addon configuration values | `any` | `{}` | no |
| <a name="input_vpa"></a> [vpa](#input\_vpa) | Vertical Pod Autoscaler addon configuration values | `any` | `{}` | no |

## Outputs
177 changes: 168 additions & 9 deletions main.tf
Expand Up @@ -2709,6 +2709,174 @@ module "vpa" {
tags = var.tags
}

################################################################################
# Velero
################################################################################
locals {
velero_name = "velero"
velero_service_account = try(var.velero.service_account_name, "${local.velero_name}-sa")
velero_backup_s3_bucket = split(":", var.velero.s3_bucket_arn)
velero_backup_s3_bucket_name = split("/", local.velero_backup_s3_bucket[5])
velero_backup_s3_bucket_prefix = split("/", var.velero.s3_bucket_arn)
}

# https://github.com/vmware-tanzu/velero-plugin-for-aws#option-1-set-permissions-with-an-iam-user
data "aws_iam_policy_document" "velero" {
count = var.enable_velero ? 1 : 0
statement {
actions = [
"ec2:CreateSnapshot",
"ec2:CreateSnapshots",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteSnapshot"
]
resources = [
"arn:${local.partition}:ec2:${local.region}:${local.account_id}:instance/*",
"arn:${local.partition}:ec2:${local.region}::snapshot/*",
"arn:${local.partition}:ec2:${local.region}:${local.account_id}:volume/*"
]
}

statement {
actions = [
"ec2:DescribeSnapshots",
"ec2:DescribeVolumes"
]
resources = ["*"]
}

statement {
actions = [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:GetObject",
"s3:ListMultipartUploadParts",
"s3:PutObject",
]
resources = [var.velero.s3_bucket_arn]
}

statement {
actions = ["s3:ListBucket"]
resources = [local.velero_backup_s3_bucket_prefix[0]]
}
}

module "velero" {
# source = "aws-ia/eks-blueprints-addon/aws"
source = "./modules/eks-blueprints-addon"

create = var.enable_velero

# https://github.com/vmware-tanzu/helm-charts/blob/main/charts/velero/Chart.yaml
name = try(var.velero.name, local.velero_name)
description = try(var.velero.description, "A Helm chart to install the Velero")
namespace = try(var.velero.namespace, "velero")
create_namespace = try(var.velero.create_namespace, true)
chart = "velero"
chart_version = try(var.velero.chart_version, "3.1.6")
repository = try(var.velero.repository, "https://vmware-tanzu.github.io/helm-charts/")
values = try(var.velero.values, [])

timeout = try(var.velero.timeout, null)
repository_key_file = try(var.velero.repository_key_file, null)
repository_cert_file = try(var.velero.repository_cert_file, null)
repository_ca_file = try(var.velero.repository_ca_file, null)
repository_username = try(var.velero.repository_username, null)
repository_password = try(var.velero.repository_password, null)
devel = try(var.velero.devel, null)
verify = try(var.velero.verify, null)
keyring = try(var.velero.keyring, null)
disable_webhooks = try(var.velero.disable_webhooks, null)
reuse_values = try(var.velero.reuse_values, null)
reset_values = try(var.velero.reset_values, null)
force_update = try(var.velero.force_update, null)
recreate_pods = try(var.velero.recreate_pods, null)
cleanup_on_fail = try(var.velero.cleanup_on_fail, null)
max_history = try(var.velero.max_history, null)
atomic = try(var.velero.atomic, null)
skip_crds = try(var.velero.skip_crds, null)
render_subchart_notes = try(var.velero.render_subchart_notes, null)
disable_openapi_validation = try(var.velero.disable_openapi_validation, null)
wait = try(var.velero.wait, null)
wait_for_jobs = try(var.velero.wait_for_jobs, null)
dependency_update = try(var.velero.dependency_update, null)
replace = try(var.velero.replace, null)
lint = try(var.velero.lint, null)

postrender = try(var.velero.postrender, [])
set = concat([
{
name = "initContainers"
value = <<-EOT
- name: velero-plugin-for-aws
image: velero/velero-plugin-for-aws:v1.7.0
imagePullPolicy: IfNotPresent
volumeMounts:
- mountPath: /target
name: plugins
EOT
},
{
name = "serviceAccount.name"
value = local.velero_service_account
},
{
name = "configuration.provider"
value = "aws"
},
{
name = "configuration.backupStorageLocation.prefix"
value = local.velero_backup_s3_bucket_prefix[1]
},
{
name = "configuration.backupStorageLocation.bucket"
value = local.velero_backup_s3_bucket_name[0]
},
{
name = "configuration.volumeSnapshotLocation.config.region"
value = local.region
},
{
name = "credentials.useSecret"
value = false
}],
try(var.velero.set, [])
)
set_sensitive = try(var.velero.set_sensitive, [])

# IAM role for service account (IRSA)
set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"]
create_role = try(var.velero.create_role, true)
role_name = try(var.velero.role_name, "velero")
role_name_use_prefix = try(var.velero.role_name_use_prefix, true)
role_path = try(var.velero.role_path, "/")
role_permissions_boundary_arn = lookup(var.velero, "role_permissions_boundary_arn", null)
role_description = try(var.velero.role_description, "IRSA for Velero")
role_policies = lookup(var.velero, "role_policies", {})

source_policy_documents = compact(concat(
data.aws_iam_policy_document.velero[*].json,
lookup(var.velero, "source_policy_documents", [])
))
override_policy_documents = lookup(var.velero, "override_policy_documents", [])
policy_statements = lookup(var.velero, "policy_statements", [])
policy_name = try(var.velero.policy_name, "velero")
policy_name_use_prefix = try(var.velero.policy_name_use_prefix, true)
policy_path = try(var.velero.policy_path, null)
policy_description = try(var.velero.policy_description, "IAM Policy for Velero")

oidc_providers = {
controller = {
provider_arn = var.oidc_provider_arn
# namespace is inherited from chart
service_account = local.velero_service_account
}
}

tags = var.tags
}

################################################################################
# Fargate Fluentbit
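Review bot: The object-level S3 statement in `data "aws_iam_policy_document" "velero"` (`resources = [var.velero.s3_bucket_arn]`) names the bucket-or-prefix ARN itself, while `s3:GetObject`/`s3:PutObject`/`s3:DeleteObject` are evaluated against object ARNs, so keys Velero writes beneath `<bucket>/<prefix>/` are not covered by that statement; the plugin policy linked above the block uses `bucket/*`, and the equivalent here is `"${var.velero.s3_bucket_arn}/*"`, with `s3:ListBucket` left scoped to the bucket ARN as it already is. Separately, the `locals` block reads `var.velero.s3_bucket_arn` and indexes `[5]` and `[1]` without a `try()`, and locals are evaluated regardless of `enable_velero`, so with the `{}` default documented in README.md, or a bucket ARN that has no `/` segment, the plan should fail before the `count` guard on the data source matters. The rewrite below wraps those lookups with null fallbacks and collapses them to scalars, which also simplifies the `configuration.backupStorageLocation.*` entries in `set`. The init container image `velero/velero-plugin-for-aws:v1.7.0` is pinned only by a mutable tag; exposing it as `try(var.velero.plugin_image, "velero/velero-plugin-for-aws:v1.7.0")` or pinning a digest would let operators control that dependency. The hunk opens inside `module "vpa"`, whose body starts outside it.
```hcl
locals {
  velero_name            = "velero"
  velero_service_account = try(var.velero.service_account_name, "${local.velero_name}-sa")
  # Locals are evaluated even when enable_velero is false, so every lookup needs a fallback.
  velero_backup_s3_bucket_arn    = try(var.velero.s3_bucket_arn, null)
  velero_backup_s3_bucket_name   = try(split("/", split(":", local.velero_backup_s3_bucket_arn)[5])[0], null)
  velero_backup_s3_bucket_prefix = try(split("/", local.velero_backup_s3_bucket_arn)[1], null)
}

# … unchanged: ec2 statements …
  statement {
    actions = [
      "s3:AbortMultipartUpload",
      "s3:DeleteObject",
      "s3:GetObject",
      "s3:ListMultipartUploadParts",
      "s3:PutObject",
    ]
    # Object actions match object ARNs; the wildcard covers keys under the configured prefix.
    resources = ["${local.velero_backup_s3_bucket_arn}/*"]
  }

  statement {
    actions   = ["s3:ListBucket"]
    resources = [split("/", local.velero_backup_s3_bucket_arn)[0]]
  }
# … unchanged: module "velero" header through postrender …
    {
      name  = "configuration.backupStorageLocation.prefix"
      value = local.velero_backup_s3_bucket_prefix
    },
    {
      name  = "configuration.backupStorageLocation.bucket"
      value = local.velero_backup_s3_bucket_name
    },
# … unchanged: remaining set entries and IRSA settings …
```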
Expand Down Expand Up @@ -2789,12 +2957,3 @@ module "csi_secrets_store_provider_aws" {
helm_config = var.csi_secrets_store_provider_aws_helm_config
addon_context = local.addon_context
}

module "velero" {
count = var.enable_velero ? 1 : 0
source = "./modules/velero"
helm_config = var.velero_helm_config
addon_context = local.addon_context
irsa_policies = var.velero_irsa_policies
backup_s3_bucket = var.velero_backup_s3_bucket
}
183 changes: 0 additions & 183 deletions modules/velero/README.md

This file was deleted.


0 comments on commit accf7a4
