.+)$
+ Time_Key time
+ Time_Format %Y-%m-%dT%H:%M:%S.%L%z
+ Time_Keep On
+ Decode_Field_As json message
+ EOT
)
- "filters.conf" = try(var.fargate_fluentbit.filters_conf, <<-EOT
- [FILTER]
- Name parser
- Match *
- Key_Name log
- Parser regex
- Preserve_Key True
- Reserve_Data True
- EOT
+ "filters.conf" = try(
+ var.fargate_fluentbit.filters_conf,
+ <<-EOT
+ [FILTER]
+ Name parser
+ Match *
+ Key_Name log
+ Parser regex
+ Preserve_Key True
+ Reserve_Data True
+ EOT
)
- "output.conf" = try(var.fargate_fluentbit.output_conf, <<-EOT
- [OUTPUT]
- Name cloudwatch_logs
- Match *
- region ${local.region}
- log_group_name ${try(var.fargate_fluentbit.cwlog_group, aws_cloudwatch_log_group.fargate_fluentbit[0].name)}
- log_stream_prefix ${try(var.fargate_fluentbit.cwlog_stream_prefix, "fargate-logs-")}
- auto_create_group true
- EOT
+ "output.conf" = try(
+ var.fargate_fluentbit.output_conf,
+ <<-EOT
+ [OUTPUT]
+ Name cloudwatch_logs
+ Match *
+ region ${local.region}
+ log_group_name ${try(var.fargate_fluentbit.cwlog_group, aws_cloudwatch_log_group.fargate_fluentbit[0].name)}
+ log_stream_prefix ${try(var.fargate_fluentbit.cwlog_stream_prefix, "fargate-logs-")}
+ auto_create_group true
+ EOT
)
"flb_log_cw" = try(var.fargate_fluentbit.flb_log_cw, false)
}
}
-
-#-----------------Kubernetes Add-ons----------------------
-
-module "csi_secrets_store_provider_aws" {
- count = var.enable_secrets_store_csi_driver_provider_aws ? 1 : 0
- source = "./modules/csi-secrets-store-provider-aws"
- helm_config = var.csi_secrets_store_provider_aws_helm_config
- addon_context = local.addon_context
-}
diff --git a/modules/csi-secrets-store-provider-aws/README.md b/modules/csi-secrets-store-provider-aws/README.md
deleted file mode 100644
index 34f0950c..00000000
--- a/modules/csi-secrets-store-provider-aws/README.md
+++ /dev/null
@@ -1,50 +0,0 @@
-# CSI Secrets Store Provider Helm Chart
-
-# Introduction
-
-AWS Secrets Manager and Config Provider for Secret Store CSI Driver allows you to get secret contents stored in AWS Key Management Service instance and use the Secrets Store CSI driver interface to mount them into Kubernetes pods.
-
-# Helm Chart
-
-### Instructions to use the Helm Chart
-
-See the [csi-secrets-store-provider-aws](https://github.com/aws/eks-charts/tree/master/stable/csi-secrets-store-provider-aws).
-
-
-## Requirements
-
-[Secrets Store CSI Driver](https://secrets-store-csi-driver.sigs.k8s.io/getting-started/installation.html) to be provisioned.
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [aws](#provider\_aws) | n/a |
-
-## Modules
-
-| Name | Source | Version |
-|------|--------|---------|
-| [helm\_addon](#module\_helm\_addon) | ../helm-addon | n/a |
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [kubernetes_namespace.csi_secrets_store_provider_aws](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [addon\_context](#input\_addon\_context) | Input configuration for the addon | object({
aws_caller_identity_account_id = string
aws_caller_identity_arn = string
aws_eks_cluster_endpoint = string
aws_partition_id = string
aws_region_name = string
eks_cluster_id = string
eks_oidc_issuer_url = string
eks_oidc_provider_arn = string
tags = map(string)
})
| n/a | yes |
-| [helm\_config](#input\_helm\_config) | Cluster Autoscaler Helm Config | `any` | `{}` | no |
-| [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps. | `bool` | `false` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| [argocd\_gitops\_config](#output\_argocd\_gitops\_config) | Configuration used for managing the add-on with ArgoCD |
-
-
diff --git a/modules/csi-secrets-store-provider-aws/main.tf b/modules/csi-secrets-store-provider-aws/main.tf
deleted file mode 100644
index 3cc21a55..00000000
--- a/modules/csi-secrets-store-provider-aws/main.tf
+++ /dev/null
@@ -1,36 +0,0 @@
-locals {
- name = try(var.helm_config.name, "secrets-store-csi-driver-provider-aws")
- namespace = try(var.helm_config.namespace, "kube-system")
-}
-
-resource "kubernetes_namespace_v1" "csi_secrets_store_provider_aws" {
- count = local.namespace == "kube-system" ? 0 : 1
-
- metadata {
- name = local.namespace
- }
-}
-
-module "helm_addon" {
- source = "../helm-addon"
-
- # https://github.com/aws/eks-charts/blob/master/stable/csi-secrets-store-provider-aws/Chart.yaml
- helm_config = merge(
- {
- name = local.name
- chart = local.name
- repository = "https://aws.github.io/secrets-store-csi-driver-provider-aws"
- version = "0.3.1"
- namespace = local.namespace
- description = "A Helm chart to install the Secrets Store CSI Driver and the AWS Key Management Service Provider inside a Kubernetes cluster."
- },
- var.helm_config
- )
-
- manage_via_gitops = var.manage_via_gitops
- addon_context = var.addon_context
-
- depends_on = [
- kubernetes_namespace_v1.csi_secrets_store_provider_aws,
- ]
-}
diff --git a/modules/csi-secrets-store-provider-aws/outputs.tf b/modules/csi-secrets-store-provider-aws/outputs.tf
deleted file mode 100644
index 4d3d2c65..00000000
--- a/modules/csi-secrets-store-provider-aws/outputs.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-output "argocd_gitops_config" {
- description = "Configuration used for managing the add-on with ArgoCD"
- value = var.manage_via_gitops ? { enable = true } : null
-}
-
-output "release_metadata" {
- description = "Map of attributes of the Helm release metadata"
- value = module.helm_addon.release_metadata
-}
-
-output "irsa_arn" {
- description = "IAM role ARN for the service account"
- value = module.helm_addon.irsa_arn
-}
-
-output "irsa_name" {
- description = "IAM role name for the service account"
- value = module.helm_addon.irsa_name
-}
-
-output "service_account" {
- description = "Name of Kubernetes service account"
- value = module.helm_addon.service_account
-}
diff --git a/modules/csi-secrets-store-provider-aws/variables.tf b/modules/csi-secrets-store-provider-aws/variables.tf
deleted file mode 100644
index 619698f9..00000000
--- a/modules/csi-secrets-store-provider-aws/variables.tf
+++ /dev/null
@@ -1,28 +0,0 @@
-variable "helm_config" {
- description = "CSI Secrets Store Provider AWS Helm Configurations"
- type = any
- default = {}
-}
-
-variable "manage_via_gitops" {
- description = "Determines if the add-on should be managed via GitOps"
- type = bool
- default = false
-}
-
-variable "addon_context" {
- description = "Input configuration for the addon"
- type = object({
- aws_caller_identity_account_id = string
- aws_caller_identity_arn = string
- aws_eks_cluster_endpoint = string
- aws_partition_id = string
- aws_region_name = string
- eks_cluster_id = string
- eks_oidc_issuer_url = string
- eks_oidc_provider_arn = string
- tags = map(string)
- irsa_iam_role_path = string
- irsa_iam_permissions_boundary = string
- })
-}
diff --git a/modules/csi-secrets-store-provider-aws/versions.tf b/modules/csi-secrets-store-provider-aws/versions.tf
deleted file mode 100644
index 55fba733..00000000
--- a/modules/csi-secrets-store-provider-aws/versions.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-terraform {
- required_version = ">= 1.0.0"
-
- required_providers {
- kubernetes = {
- source = "hashicorp/kubernetes"
- version = ">= 2.10"
- }
- }
-}
diff --git a/modules/helm-addon/README.md b/modules/helm-addon/README.md
deleted file mode 100644
index d5021ae5..00000000
--- a/modules/helm-addon/README.md
+++ /dev/null
@@ -1,57 +0,0 @@
-# Helm AddOn
-
-## Introduction
-
-Helm Addon module can be used to provision a generic Helm Chart as an Add-On for an EKS cluster provisioned using the EKS Blueprints. This module does the following:
-
-1. Create an IAM role for Service Accounts with the provided configuration for the [`irsa`](./../../irsa) module.
-2. If `manage_via_gitops` is set to `false`, provision the helm chart for the add-on based on the configuration provided for the `helm_config` as defined in the [helm provider](https://registry.terraform.io/providers/hashicorp/helm/latest/docs) documentation.
-
-
-## Requirements
-
-| Name | Version |
-|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.0.0 |
-| [helm](#requirement\_helm) | >= 2.4.1 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [helm](#provider\_helm) | >= 2.4.1 |
-
-## Modules
-
-| Name | Source | Version |
-|------|--------|---------|
-| [irsa](#module\_irsa) | ../irsa | n/a |
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [helm_release.addon](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [addon\_context](#input\_addon\_context) | Input configuration for the addon | `any` | n/a | yes |
-| [helm\_config](#input\_helm\_config) | Helm chart config. Repository and version required. See https://registry.terraform.io/providers/hashicorp/helm/latest/docs | `any` | n/a | yes |
-| [irsa\_config](#input\_irsa\_config) | Input configuration for IRSA module | `any` | `{}` | no |
-| [irsa\_iam\_role\_name](#input\_irsa\_iam\_role\_name) | IAM role name for IRSA | `string` | `""` | no |
-| [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps | `bool` | `false` | no |
-| [set\_sensitive\_values](#input\_set\_sensitive\_values) | Forced set\_sensitive values | `any` | `[]` | no |
-| [set\_values](#input\_set\_values) | Forced set values | `any` | `[]` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| [helm\_release](#output\_helm\_release) | Map of attributes of the Helm release created without sensitive outputs |
-| [irsa\_arn](#output\_irsa\_arn) | IAM role ARN for the service account |
-| [irsa\_name](#output\_irsa\_name) | IAM role name for the service account |
-| [release\_metadata](#output\_release\_metadata) | Map of attributes of the Helm release metadata |
-| [service\_account](#output\_service\_account) | Name of Kubernetes service account |
-
diff --git a/modules/helm-addon/main.tf b/modules/helm-addon/main.tf
deleted file mode 100644
index 72be4a3a..00000000
--- a/modules/helm-addon/main.tf
+++ /dev/null
@@ -1,81 +0,0 @@
-resource "helm_release" "addon" {
- count = var.manage_via_gitops ? 0 : 1
- name = var.helm_config["name"]
- repository = try(var.helm_config["repository"], null)
- chart = var.helm_config["chart"]
- version = try(var.helm_config["version"], null)
- timeout = try(var.helm_config["timeout"], 180)
- values = try(var.helm_config["values"], null)
- create_namespace = length(var.irsa_config) > 0 ? false : try(var.helm_config["create_namespace"], false)
- namespace = var.helm_config["namespace"]
- lint = try(var.helm_config["lint"], false)
- description = try(var.helm_config["description"], "")
- repository_key_file = try(var.helm_config["repository_key_file"], "")
- repository_cert_file = try(var.helm_config["repository_cert_file"], "")
- repository_username = try(var.helm_config["repository_username"], "")
- repository_password = try(var.helm_config["repository_password"], "")
- verify = try(var.helm_config["verify"], false)
- keyring = try(var.helm_config["keyring"], "")
- disable_webhooks = try(var.helm_config["disable_webhooks"], false)
- reuse_values = try(var.helm_config["reuse_values"], false)
- reset_values = try(var.helm_config["reset_values"], false)
- force_update = try(var.helm_config["force_update"], false)
- recreate_pods = try(var.helm_config["recreate_pods"], false)
- cleanup_on_fail = try(var.helm_config["cleanup_on_fail"], false)
- max_history = try(var.helm_config["max_history"], 0)
- atomic = try(var.helm_config["atomic"], false)
- skip_crds = try(var.helm_config["skip_crds"], false)
- render_subchart_notes = try(var.helm_config["render_subchart_notes"], true)
- disable_openapi_validation = try(var.helm_config["disable_openapi_validation"], false)
- wait = try(var.helm_config["wait"], true)
- wait_for_jobs = try(var.helm_config["wait_for_jobs"], false)
- dependency_update = try(var.helm_config["dependency_update"], false)
- replace = try(var.helm_config["replace"], false)
-
- postrender {
- binary_path = try(var.helm_config["postrender"], "")
- }
-
- dynamic "set" {
- iterator = each_item
- for_each = try(var.helm_config["set"], null) != null ? distinct(concat(var.set_values, var.helm_config["set"])) : var.set_values
-
- content {
- name = each_item.value.name
- value = each_item.value.value
- type = try(each_item.value.type, null)
- }
- }
-
- dynamic "set_sensitive" {
- iterator = each_item
- for_each = try(var.helm_config["set_sensitive"], null) != null ? concat(var.helm_config["set_sensitive"], var.set_sensitive_values) : var.set_sensitive_values
-
- content {
- name = each_item.value.name
- value = each_item.value.value
- type = try(each_item.value.type, null)
- }
- }
- depends_on = [module.irsa]
-}
-
-module "irsa" {
- source = "../irsa"
-
- count = length(var.irsa_config) > 0 ? 1 : 0
-
- create_kubernetes_namespace = try(var.irsa_config.create_kubernetes_namespace, true)
- create_kubernetes_service_account = try(var.irsa_config.create_kubernetes_service_account, true)
- create_service_account_secret_token = try(var.irsa_config.create_service_account_secret_token, false)
- kubernetes_namespace = lookup(var.irsa_config, "kubernetes_namespace", "")
- kubernetes_service_account = lookup(var.irsa_config, "kubernetes_service_account", "")
- kubernetes_svc_image_pull_secrets = try(var.irsa_config.kubernetes_svc_image_pull_secrets, null)
- irsa_iam_policies = lookup(var.irsa_config, "irsa_iam_policies", null)
- irsa_iam_role_name = var.irsa_iam_role_name
- irsa_iam_role_path = lookup(var.addon_context, "irsa_iam_role_path", null)
- irsa_iam_permissions_boundary = lookup(var.addon_context, "irsa_iam_permissions_boundary", null)
- eks_cluster_id = var.addon_context.eks_cluster_id
- eks_oidc_provider_arn = var.addon_context.eks_oidc_provider_arn
- tags = var.addon_context.tags
-}
diff --git a/modules/helm-addon/outputs.tf b/modules/helm-addon/outputs.tf
deleted file mode 100644
index 97124e4a..00000000
--- a/modules/helm-addon/outputs.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-output "helm_release" {
- description = "Map of attributes of the Helm release created without sensitive outputs"
- value = try({ for k, v in helm_release.addon : k => v if k != "repository_password" }, {})
-}
-
-output "release_metadata" {
- description = "Map of attributes of the Helm release metadata"
- value = try(helm_release.addon[0].metadata, null)
-}
-
-output "irsa_arn" {
- description = "IAM role ARN for the service account"
- value = try(module.irsa[0].irsa_iam_role_arn, null)
-}
-
-output "irsa_name" {
- description = "IAM role name for the service account"
- value = try(module.irsa[0].irsa_iam_role_name, null)
-}
-
-output "service_account" {
- description = "Name of Kubernetes service account"
- value = try(coalesce(try(module.irsa[0].service_account, null), lookup(var.irsa_config, "kubernetes_service_account", null)), null)
-}
diff --git a/modules/helm-addon/variables.tf b/modules/helm-addon/variables.tf
deleted file mode 100644
index d8d706e8..00000000
--- a/modules/helm-addon/variables.tf
+++ /dev/null
@@ -1,39 +0,0 @@
-variable "helm_config" {
- description = "Helm chart config. Repository and version required. See https://registry.terraform.io/providers/hashicorp/helm/latest/docs"
- type = any
-}
-
-variable "set_values" {
- description = "Forced set values"
- type = any
- default = []
-}
-
-variable "set_sensitive_values" {
- description = "Forced set_sensitive values"
- type = any
- default = []
-}
-
-variable "manage_via_gitops" {
- description = "Determines if the add-on should be managed via GitOps"
- type = bool
- default = false
-}
-
-variable "irsa_iam_role_name" {
- description = "IAM role name for IRSA"
- type = string
- default = ""
-}
-
-variable "irsa_config" {
- description = "Input configuration for IRSA module"
- type = any
- default = {}
-}
-
-variable "addon_context" {
- description = "Input configuration for the addon"
- type = any
-}
diff --git a/modules/helm-addon/versions.tf b/modules/helm-addon/versions.tf
deleted file mode 100644
index 278a4fbb..00000000
--- a/modules/helm-addon/versions.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-terraform {
- required_version = ">= 1.0.0"
-
- required_providers {
- helm = {
- source = "hashicorp/helm"
- version = ">= 2.4.1"
- }
- }
-}
diff --git a/modules/irsa/README.md b/modules/irsa/README.md
deleted file mode 100644
index f3a3d49e..00000000
--- a/modules/irsa/README.md
+++ /dev/null
@@ -1,75 +0,0 @@
-# IRSA (IAM roles for Kubernetes Service Accounts)
-
-This Terraform module creates the following resources
-
-1. Kubernetes Namespace for Kubernetes Addon
-2. Service Account for Kubernetes Addon
-3. IAM Role for Service Account with OIDC assume role policy
-4. Creates default policy required for Addon
-5. Attaches the additional IAM policies provided by consumer module
-
-## Learn more
-
-## Blogs
-
-- [Introducing fine-grained IAM roles for service accounts](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/)
-- [Cross account IAM roles for Kubernetes service accounts](https://aws.amazon.com/blogs/containers/cross-account-iam-roles-for-kubernetes-service-accounts/)
-- [Enabling cross-account access to Amazon EKS cluster resources](https://aws.amazon.com/blogs/containers/enabling-cross-account-access-to-amazon-eks-cluster-resources/)
-
-
-## Requirements
-
-| Name | Version |
-|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.0.0 |
-| [aws](#requirement\_aws) | >= 3.72 |
-| [kubernetes](#requirement\_kubernetes) | >= 2.10 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [aws](#provider\_aws) | >= 3.72 |
-| [kubernetes](#provider\_kubernetes) | >= 2.10 |
-
-## Modules
-
-No modules.
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [aws_iam_role.irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy_attachment.irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [kubernetes_namespace_v1.irsa](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource |
-| [kubernetes_secret_v1.irsa](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
-| [kubernetes_service_account_v1.irsa](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account_v1) | resource |
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [create\_kubernetes\_namespace](#input\_create\_kubernetes\_namespace) | Should the module create the namespace | `bool` | `true` | no |
-| [create\_kubernetes\_service\_account](#input\_create\_kubernetes\_service\_account) | Should the module create the Service Account | `bool` | `true` | no |
-| [create\_service\_account\_secret\_token](#input\_create\_service\_account\_secret\_token) | Should the module create a secret for the service account (from k8s version 1.24 service account doesn't automatically create secret of the token) | `bool` | `false` | no |
-| [eks\_cluster\_id](#input\_eks\_cluster\_id) | EKS Cluster ID | `string` | n/a | yes |
-| [eks\_oidc\_provider\_arn](#input\_eks\_oidc\_provider\_arn) | EKS OIDC Provider ARN e.g., arn:aws:iam:::oidc-provider/ | `string` | n/a | yes |
-| [irsa\_iam\_permissions\_boundary](#input\_irsa\_iam\_permissions\_boundary) | IAM permissions boundary for IRSA roles | `string` | `""` | no |
-| [irsa\_iam\_policies](#input\_irsa\_iam\_policies) | IAM Policies for IRSA IAM role | `list(string)` | `[]` | no |
-| [irsa\_iam\_role\_name](#input\_irsa\_iam\_role\_name) | IAM role name for IRSA | `string` | `""` | no |
-| [irsa\_iam\_role\_path](#input\_irsa\_iam\_role\_path) | IAM role path for IRSA roles | `string` | `"/"` | no |
-| [kubernetes\_namespace](#input\_kubernetes\_namespace) | Kubernetes Namespace name | `string` | n/a | yes |
-| [kubernetes\_service\_account](#input\_kubernetes\_service\_account) | Kubernetes Service Account Name | `string` | n/a | yes |
-| [kubernetes\_svc\_image\_pull\_secrets](#input\_kubernetes\_svc\_image\_pull\_secrets) | list(string) of kubernetes imagePullSecrets | `list(string)` | `[]` | no |
-| [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit`,`XYZ`) | `map(string)` | `{}` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| [irsa\_iam\_role\_arn](#output\_irsa\_iam\_role\_arn) | IAM role ARN for your service account |
-| [irsa\_iam\_role\_name](#output\_irsa\_iam\_role\_name) | IAM role name for your service account |
-| [namespace](#output\_namespace) | IRSA Namespace |
-| [service\_account](#output\_service\_account) | IRSA Service Account |
-
diff --git a/modules/irsa/main.tf b/modules/irsa/main.tf
deleted file mode 100644
index 0beafc41..00000000
--- a/modules/irsa/main.tf
+++ /dev/null
@@ -1,87 +0,0 @@
-locals {
- eks_oidc_issuer_url = replace(var.eks_oidc_provider_arn, "/^(.*provider/)/", "")
-}
-
-resource "kubernetes_namespace_v1" "irsa" {
- count = var.create_kubernetes_namespace && var.kubernetes_namespace != "kube-system" ? 1 : 0
- metadata {
- name = var.kubernetes_namespace
- }
-
- lifecycle {
- ignore_changes = [
- metadata[0].labels,
- metadata[0].annotations,
- ]
- }
-}
-
-resource "kubernetes_secret_v1" "irsa" {
- count = var.create_kubernetes_service_account && var.create_service_account_secret_token ? 1 : 0
- metadata {
- name = format("%s-token-secret", try(kubernetes_service_account_v1.irsa[0].metadata[0].name, var.kubernetes_service_account))
- namespace = try(kubernetes_namespace_v1.irsa[0].metadata[0].name, var.kubernetes_namespace)
- annotations = {
- "kubernetes.io/service-account.name" = try(kubernetes_service_account_v1.irsa[0].metadata[0].name, var.kubernetes_service_account)
- "kubernetes.io/service-account.namespace" = try(kubernetes_namespace_v1.irsa[0].metadata[0].name, var.kubernetes_namespace)
- }
- }
-
- type = "kubernetes.io/service-account-token"
-}
-
-resource "kubernetes_service_account_v1" "irsa" {
- count = var.create_kubernetes_service_account ? 1 : 0
- metadata {
- name = var.kubernetes_service_account
- namespace = try(kubernetes_namespace_v1.irsa[0].metadata[0].name, var.kubernetes_namespace)
- annotations = var.irsa_iam_policies != null ? { "eks.amazonaws.com/role-arn" : aws_iam_role.irsa[0].arn } : null
- }
-
- dynamic "image_pull_secret" {
- for_each = var.kubernetes_svc_image_pull_secrets != null ? var.kubernetes_svc_image_pull_secrets : []
- content {
- name = image_pull_secret.value
- }
- }
-
- automount_service_account_token = true
-}
-
-# NOTE: Don't change the condition from StringLike to StringEquals. We are using wild characters for service account hence StringLike is required.
-resource "aws_iam_role" "irsa" {
- count = var.irsa_iam_policies != null ? 1 : 0
-
- name = try(coalesce(var.irsa_iam_role_name, format("%s-%s-%s", var.eks_cluster_id, trim(var.kubernetes_service_account, "-*"), "irsa")), null)
- description = "AWS IAM Role for the Kubernetes service account ${var.kubernetes_service_account}."
- assume_role_policy = jsonencode({
- "Version" : "2012-10-17",
- "Statement" : [
- {
- "Effect" : "Allow",
- "Principal" : {
- "Federated" : var.eks_oidc_provider_arn
- },
- "Action" : "sts:AssumeRoleWithWebIdentity",
- "Condition" : {
- "StringLike" : {
- "${local.eks_oidc_issuer_url}:sub" : "system:serviceaccount:${var.kubernetes_namespace}:${var.kubernetes_service_account}",
- "${local.eks_oidc_issuer_url}:aud" : "sts.amazonaws.com"
- }
- }
- }
- ]
- })
- path = var.irsa_iam_role_path
- force_detach_policies = true
- permissions_boundary = var.irsa_iam_permissions_boundary
-
- tags = var.tags
-}
-
-resource "aws_iam_role_policy_attachment" "irsa" {
- count = var.irsa_iam_policies != null ? length(var.irsa_iam_policies) : 0
-
- policy_arn = var.irsa_iam_policies[count.index]
- role = aws_iam_role.irsa[0].name
-}
diff --git a/modules/irsa/outputs.tf b/modules/irsa/outputs.tf
deleted file mode 100644
index 9311a6c0..00000000
--- a/modules/irsa/outputs.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-output "irsa_iam_role_arn" {
- description = "IAM role ARN for your service account"
- value = try(aws_iam_role.irsa[0].arn, null)
-}
-
-output "irsa_iam_role_name" {
- description = "IAM role name for your service account"
- value = try(aws_iam_role.irsa[0].name, null)
-}
-
-output "namespace" {
- description = "IRSA Namespace"
- value = try(kubernetes_namespace_v1.irsa[0].id, var.kubernetes_namespace)
-}
-
-output "service_account" {
- description = "IRSA Service Account"
- value = try(kubernetes_service_account_v1.irsa[0].id, var.kubernetes_service_account)
-}
diff --git a/modules/irsa/variables.tf b/modules/irsa/variables.tf
deleted file mode 100644
index 60bf1fe8..00000000
--- a/modules/irsa/variables.tf
+++ /dev/null
@@ -1,73 +0,0 @@
-variable "kubernetes_namespace" {
- description = "Kubernetes Namespace name"
- type = string
-}
-
-variable "create_kubernetes_namespace" {
- description = "Should the module create the namespace"
- type = bool
- default = true
-}
-
-variable "create_kubernetes_service_account" {
- description = "Should the module create the Service Account"
- type = bool
- default = true
-}
-
-variable "create_service_account_secret_token" {
- description = "Should the module create a secret for the service account (from k8s version 1.24 service account doesn't automatically create secret of the token)"
- type = bool
- default = false
-}
-
-variable "kubernetes_service_account" {
- description = "Kubernetes Service Account Name"
- type = string
-}
-
-variable "kubernetes_svc_image_pull_secrets" {
- description = "list(string) of kubernetes imagePullSecrets"
- type = list(string)
- default = []
-}
-
-variable "irsa_iam_policies" {
- type = list(string)
- description = "IAM Policies for IRSA IAM role"
- default = []
-}
-
-variable "irsa_iam_role_name" {
- type = string
- description = "IAM role name for IRSA"
- default = ""
-}
-
-variable "irsa_iam_role_path" {
- description = "IAM role path for IRSA roles"
- type = string
- default = "/"
-}
-
-variable "irsa_iam_permissions_boundary" {
- description = "IAM permissions boundary for IRSA roles"
- type = string
- default = ""
-}
-
-variable "eks_oidc_provider_arn" {
- description = "EKS OIDC Provider ARN e.g., arn:aws:iam:::oidc-provider/"
- type = string
-}
-
-variable "eks_cluster_id" {
- description = "EKS Cluster ID"
- type = string
-}
-
-variable "tags" {
- description = "Additional tags (e.g. `map('BusinessUnit`,`XYZ`)"
- type = map(string)
- default = {}
-}
diff --git a/modules/irsa/versions.tf b/modules/irsa/versions.tf
deleted file mode 100644
index d2ddf87c..00000000
--- a/modules/irsa/versions.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-terraform {
- required_version = ">= 1.0.0"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = ">= 3.72"
- }
- kubernetes = {
- source = "hashicorp/kubernetes"
- version = ">= 2.10"
- }
- }
-}
diff --git a/tests/complete/main.tf b/tests/complete/main.tf
index 2bf7ccc8..e2246faf 100644
--- a/tests/complete/main.tf
+++ b/tests/complete/main.tf
@@ -104,7 +104,6 @@ module "eks_blueprints_addons" {
cluster_name = module.eks.cluster_name
cluster_endpoint = module.eks.cluster_endpoint
cluster_version = module.eks.cluster_version
- oidc_provider = module.eks.oidc_provider
oidc_provider_arn = module.eks.oidc_provider_arn
eks_addons = {
@@ -132,25 +131,25 @@ module "eks_blueprints_addons" {
}
}
- enable_efs_csi_driver = true
- enable_fsx_csi_driver = true
- enable_argocd = true
- enable_cloudwatch_metrics = true
- enable_aws_privateca_issuer = true
- enable_cert_manager = true
- enable_cluster_autoscaler = true
- enable_secrets_store_csi_driver = true
- enable_secrets_store_csi_driver_provider_aws = true
- enable_kube_prometheus_stack = true
- enable_external_dns = true
- enable_external_secrets = true
- enable_gatekeeper = true
- enable_ingress_nginx = true
- enable_aws_load_balancer_controller = true
- enable_metrics_server = true
- enable_vpa = true
- enable_aws_for_fluentbit = true
- enable_fargate_fluentbit = true
+ enable_efs_csi_driver = true
+ enable_fsx_csi_driver = true
+ enable_argocd = true
+ enable_cloudwatch_metrics = true
+ enable_aws_privateca_issuer = true
+ enable_cert_manager = true
+ enable_cluster_autoscaler = true
+ enable_secrets_store_csi_driver = true
+ enable_csi_secrets_store_provider_aws = true
+ enable_kube_prometheus_stack = true
+ enable_external_dns = true
+ enable_external_secrets = true
+ enable_gatekeeper = true
+ enable_ingress_nginx = true
+ enable_aws_load_balancer_controller = true
+ enable_metrics_server = true
+ enable_vpa = true
+ enable_aws_for_fluentbit = true
+ enable_fargate_fluentbit = true
enable_aws_node_termination_handler = true
aws_node_termination_handler_asg_arns = [for asg in module.eks.self_managed_node_groups : asg.autoscaling_group_arn]
diff --git a/variables.tf b/variables.tf
index d13791aa..88df6a43 100644
--- a/variables.tf
+++ b/variables.tf
@@ -19,11 +19,6 @@ variable "cluster_version" {
type = string
}
-variable "oidc_provider" {
- description = "The OpenID Connect identity provider (issuer URL without leading `https://`)"
- type = string
-}
-
variable "oidc_provider_arn" {
description = "The ARN of the cluster OIDC Provider"
type = string
@@ -281,9 +276,26 @@ variable "secrets_store_csi_driver" {
default = {}
}
+################################################################################
+# CSI Secrets Store Provider AWS
+################################################################################
+
+variable "enable_csi_secrets_store_provider_aws" {
+ description = "Enable AWS CSI Secrets Store Provider"
+ type = bool
+ default = false
+}
+
+variable "csi_secrets_store_provider_aws" {
+ description = "CSI Secrets Store Provider add-on configurations"
+ type = any
+ default = {}
+}
+
################################################################################
# AWS for Fluentbit
################################################################################
+
variable "enable_aws_for_fluentbit" {
description = "Enable AWS for FluentBit add-on"
type = bool
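Review bot: The new `csi_secrets_store_provider_aws` variable is `type = any` with a description ("CSI Secrets Store Provider add-on configurations") that does not say which keys it accepts, and that gap matters because the same commit removes the root-level `irsa_iam_role_path` and `irsa_iam_permissions_boundary` inputs in the last hunk of this file, which were the only visible way for a caller to force an IAM permissions boundary onto the IRSA roles this module creates. If the intent is that callers now pass those settings through the per-add-on object, the description should enumerate the accepted keys and state explicitly that the IAM role path and permissions boundary belong there; if they are no longer supported at all, that is a breaking change for accounts whose guardrails mandate a boundary on every role and it should be called out in the variable description or migration notes. I cannot see from this hunk where the removed inputs are consumed now, so either outcome is plausible; the old `csi_secrets_store_provider_aws_helm_config` default was `null` and the new default is `{}`, so any consumer that tested for `null` also needs a look.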
@@ -433,6 +445,7 @@ variable "fsx_csi_driver" {
################################################################################
# AWS Load Balancer Controller
################################################################################
+
variable "enable_aws_load_balancer_controller" {
description = "Enable AWS Load Balancer Controller add-on"
type = bool
@@ -448,6 +461,7 @@ variable "aws_load_balancer_controller" {
################################################################################
# Vertical Pod Autoscaler
################################################################################
+
variable "enable_vpa" {
description = "Enable Vertical Pod Autoscaler add-on"
type = bool
@@ -463,6 +477,7 @@ variable "vpa" {
################################################################################
# Velero
################################################################################
+
variable "enable_velero" {
description = "Enable Kubernetes Dashboard add-on"
type = bool
@@ -478,6 +493,7 @@ variable "velero" {
################################################################################
# Fargate Fluentbit
################################################################################
+
variable "enable_fargate_fluentbit" {
description = "Enable Fargate FluentBit add-on"
type = bool
@@ -495,29 +511,3 @@ variable "fargate_fluentbit" {
type = any
default = {}
}
-
-#-------------------------------------------------------------------------------
-variable "irsa_iam_role_path" {
- description = "IAM role path for IRSA roles"
- type = string
- default = "/"
-}
-
-variable "irsa_iam_permissions_boundary" {
- description = "IAM permissions boundary for IRSA roles"
- type = string
- default = ""
-}
-
-#-----------AWS CSI Secrets Store Provider-------------
-variable "enable_secrets_store_csi_driver_provider_aws" {
- type = bool
- default = false
- description = "Enable AWS CSI Secrets Store Provider"
-}
-
-variable "csi_secrets_store_provider_aws_helm_config" {
- type = any
- default = null
- description = "CSI Secrets Store Provider AWS Helm Configurations"
-}