From 693655d52e380a1abcda44357c2b8e7f785ea3e4 Mon Sep 17 00:00:00 2001 From: Frank Carta Date: Wed, 26 Apr 2023 19:41:40 -0700 Subject: [PATCH 1/2] Refactor csi secrets store provider addon for v5 --- README.md | 6 +- main.tf | 74 +++++++++++++++++-- .../csi-secrets-store-provider-aws/README.md | 50 ------------- .../csi-secrets-store-provider-aws/main.tf | 36 --------- .../csi-secrets-store-provider-aws/outputs.tf | 24 ------ .../variables.tf | 28 ------- .../versions.tf | 10 --- tests/complete/main.tf | 38 +++++----- variables.tf | 29 ++++---- 9 files changed, 105 insertions(+), 190 deletions(-) delete mode 100644 modules/csi-secrets-store-provider-aws/README.md delete mode 100644 modules/csi-secrets-store-provider-aws/main.tf delete mode 100644 modules/csi-secrets-store-provider-aws/outputs.tf delete mode 100644 modules/csi-secrets-store-provider-aws/variables.tf delete mode 100644 modules/csi-secrets-store-provider-aws/versions.tf diff --git a/README.md b/README.md index f036af56..e42e06ed 100644 --- a/README.md +++ b/README.md @@ -38,7 +38,7 @@ Please note: not all addons will be supported as they are today in the main EKS | [cloudwatch\_metrics](#module\_cloudwatch\_metrics) | ./modules/eks-blueprints-addon | n/a | | [cluster\_autoscaler](#module\_cluster\_autoscaler) | ./modules/eks-blueprints-addon | n/a | | [cluster\_proportional\_autoscaler](#module\_cluster\_proportional\_autoscaler) | ./modules/eks-blueprints-addon | n/a | -| [csi\_secrets\_store\_provider\_aws](#module\_csi\_secrets\_store\_provider\_aws) | ./modules/csi-secrets-store-provider-aws | n/a | +| [csi\_secrets\_store\_provider\_aws](#module\_csi\_secrets\_store\_provider\_aws) | ./modules/eks-blueprints-addon | n/a | | [efs\_csi\_driver](#module\_efs\_csi\_driver) | ./modules/eks-blueprints-addon | n/a | | [external\_dns](#module\_external\_dns) | ./modules/eks-blueprints-addon | n/a | | [external\_secrets](#module\_external\_secrets) | ./modules/eks-blueprints-addon | n/a | 
@@ -108,7 +108,7 @@ Please note: not all addons will be supported as they are today in the main EKS | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes | | [cluster\_proportional\_autoscaler](#input\_cluster\_proportional\_autoscaler) | Cluster Proportional Autoscaler add-on configurations | `any` | `{}` | no | | [cluster\_version](#input\_cluster\_version) | Kubernetes `.` version to use for the EKS cluster (i.e.: `1.24`) | `string` | n/a | yes | -| [csi\_secrets\_store\_provider\_aws\_helm\_config](#input\_csi\_secrets\_store\_provider\_aws\_helm\_config) | CSI Secrets Store Provider AWS Helm Configurations | `any` | `null` | no | +| [csi\_secrets\_store\_provider\_aws](#input\_csi\_secrets\_store\_provider\_aws) | CSI Secrets Store Provider add-on configurations | `any` | `{}` | no | | [efs\_csi\_driver](#input\_efs\_csi\_driver) | EFS CSI Driver addon configuration values | `any` | `{}` | no | | [eks\_addons](#input\_eks\_addons) | Map of EKS addon configurations to enable for the cluster. Addon name can be the map keys or set with `name` | `any` | `{}` | no | | [eks\_addons\_timeouts](#input\_eks\_addons\_timeouts) | Create, update, and delete timeout configurations for the EKS addons | `map(string)` | `{}` | no | 
@@ -123,6 +123,7 @@ Please note: not all addons will be supported as they are today in the main EKS | [enable\_cloudwatch\_metrics](#input\_enable\_cloudwatch\_metrics) | Enable AWS Cloudwatch Metrics add-on for Container Insights | `bool` | `false` | no | | [enable\_cluster\_autoscaler](#input\_enable\_cluster\_autoscaler) | Enable Cluster autoscaler add-on | `bool` | `false` | no | | [enable\_cluster\_proportional\_autoscaler](#input\_enable\_cluster\_proportional\_autoscaler) | Enable Cluster Proportional Autoscaler | `bool` | `false` | no | +| [enable\_csi\_secrets\_store\_provider\_aws](#input\_enable\_csi\_secrets\_store\_provider\_aws) | Enable AWS CSI Secrets Store Provider | `bool` | `false` | no | | [enable\_efs\_csi\_driver](#input\_enable\_efs\_csi\_driver) | Enable AWS EFS CSI Driver add-on | `bool` | `false` | no | | [enable\_external\_dns](#input\_enable\_external\_dns) | Enable external-dns operator add-on | `bool` | `false` | no | | [enable\_external\_secrets](#input\_enable\_external\_secrets) | Enable External Secrets operator add-on | `bool` | `false` | no | 
@@ -134,7 +135,6 @@ Please note: not all addons will be supported as they are today in the main EKS | [enable\_kube\_prometheus\_stack](#input\_enable\_kube\_prometheus\_stack) | Enable Kube Prometheus Stack | `bool` | `false` | no | | [enable\_metrics\_server](#input\_enable\_metrics\_server) | Enable metrics server add-on | `bool` | `false` | no | | [enable\_secrets\_store\_csi\_driver](#input\_enable\_secrets\_store\_csi\_driver) | Enable CSI Secrets Store Provider | `bool` | `false` | no | -| [enable\_secrets\_store\_csi\_driver\_provider\_aws](#input\_enable\_secrets\_store\_csi\_driver\_provider\_aws) | Enable AWS CSI Secrets Store Provider | `bool` | `false` | no | | [enable\_velero](#input\_enable\_velero) | Enable Kubernetes Dashboard add-on | `bool` | `false` | no | | [enable\_vpa](#input\_enable\_vpa) | Enable Vertical Pod Autoscaler add-on | `bool` | `false` | no | | [external\_dns](#input\_external\_dns) | external-dns addon configuration values | `any` | `{}` | no | diff --git a/main.tf b/main.tf index 2a2e830d..fd68bc45 100644 --- a/main.tf +++ b/main.tf 
@@ -2108,6 +2108,73 @@ module "secrets_store_csi_driver" { tags = var.tags } + +################################################################################ +# CSI Secrets Store Provider AWS +################################################################################ + +locals { + csi_secrets_store_provider_aws_name = "secrets-store-csi-driver-provider-aws" + csi_secrets_store_provider_aws_service_account = try(var.csi_secrets_store_provider_aws.service_account_name, "${local.csi_secrets_store_provider_aws_name}-sa") +} + +module "csi_secrets_store_provider_aws" { + + # source = "aws-ia/eks-blueprints-addon/aws" + source = "./modules/eks-blueprints-addon" + + create = var.enable_csi_secrets_store_provider_aws + + # https://github.com/aws/eks-charts/blob/master/stable/csi-secrets-store-provider-aws/Chart.yaml + name = try(var.csi_secrets_store_provider_aws.name, local.csi_secrets_store_provider_aws_name) + description = try(var.csi_secrets_store_provider_aws.description, "A Helm chart to install the Secrets Store CSI Driver and the AWS Key Management Service Provider inside a Kubernetes cluster.") + namespace = try(var.csi_secrets_store_provider_aws.namespace, "kube-system") + create_namespace = try(var.csi_secrets_store_provider_aws.create_namespace, false) + chart = "secrets-store-csi-driver-provider-aws" + chart_version = try(var.csi_secrets_store_provider_aws.chart_version, "0.3.2") + repository = try(var.csi_secrets_store_provider_aws.repository, "https://aws.github.io/secrets-store-csi-driver-provider-aws") + values = try(var.csi_secrets_store_provider_aws.values, []) + + timeout = try(var.csi_secrets_store_provider_aws.timeout, null) + repository_key_file = try(var.csi_secrets_store_provider_aws.repository_key_file, null) + repository_cert_file = try(var.csi_secrets_store_provider_aws.repository_cert_file, null) + repository_ca_file = try(var.csi_secrets_store_provider_aws.repository_ca_file, null) + repository_username = 
try(var.csi_secrets_store_provider_aws.repository_username, null) + repository_password = try(var.csi_secrets_store_provider_aws.repository_password, null) + devel = try(var.csi_secrets_store_provider_aws.devel, null) + verify = try(var.csi_secrets_store_provider_aws.verify, null) + keyring = try(var.csi_secrets_store_provider_aws.keyring, null) + disable_webhooks = try(var.csi_secrets_store_provider_aws.disable_webhooks, null) + reuse_values = try(var.csi_secrets_store_provider_aws.reuse_values, null) + reset_values = try(var.csi_secrets_store_provider_aws.reset_values, null) + force_update = try(var.csi_secrets_store_provider_aws.force_update, null) + recreate_pods = try(var.csi_secrets_store_provider_aws.recreate_pods, null) + cleanup_on_fail = try(var.csi_secrets_store_provider_aws.cleanup_on_fail, null) + max_history = try(var.csi_secrets_store_provider_aws.max_history, null) + atomic = try(var.csi_secrets_store_provider_aws.atomic, null) + skip_crds = try(var.csi_secrets_store_provider_aws.skip_crds, null) + render_subchart_notes = try(var.csi_secrets_store_provider_aws.render_subchart_notes, null) + disable_openapi_validation = try(var.csi_secrets_store_provider_aws.disable_openapi_validation, null) + wait = try(var.csi_secrets_store_provider_aws.wait, null) + wait_for_jobs = try(var.csi_secrets_store_provider_aws.wait_for_jobs, null) + dependency_update = try(var.csi_secrets_store_provider_aws.dependency_update, null) + replace = try(var.csi_secrets_store_provider_aws.replace, null) + lint = try(var.csi_secrets_store_provider_aws.lint, null) + + postrender = try(var.csi_secrets_store_provider_aws.postrender, []) + set = concat([ + { + name = "serviceAccount.name" + value = local.csi_secrets_store_provider_aws_service_account + }], + try(var.csi_secrets_store_provider_aws.set, []) + ) + set_sensitive = try(var.csi_secrets_store_provider_aws.set_sensitive, []) + + tags = var.tags +} + + 
################################################################################ # AWS for Fluent-bit ################################################################################ @@ -2783,13 +2850,6 @@ resource "kubernetes_config_map_v1" "aws_logging" { #-----------------Kubernetes Add-ons---------------------- -module "csi_secrets_store_provider_aws" { - count = var.enable_secrets_store_csi_driver_provider_aws ? 1 : 0 - source = "./modules/csi-secrets-store-provider-aws" - helm_config = var.csi_secrets_store_provider_aws_helm_config - addon_context = local.addon_context -} - module "velero" { count = var.enable_velero ? 1 : 0 source = "./modules/velero" diff --git a/modules/csi-secrets-store-provider-aws/README.md b/modules/csi-secrets-store-provider-aws/README.md deleted file mode 100644 index 34f0950c..00000000 --- a/modules/csi-secrets-store-provider-aws/README.md +++ /dev/null 
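Review bot: The default `chart_version` for the provider changes from `"0.3.1"` (the deleted modules/csi-secrets-store-provider-aws/main.tf) to `"0.3.2"` in this hunk, which is a version bump hidden inside a refactor; either keep `chart_version = try(var.csi_secrets_store_provider_aws.chart_version, "0.3.1")` or state the bump in the commit message so users who did not pin a version expect the release upgrade. The new module block also carries no ordering or enablement relationship with `module "secrets_store_csi_driver"`, although the deleted README stated that the driver must be provisioned for this provider to work; with the two `create` flags independent, a user setting only `enable_csi_secrets_store_provider_aws` presumably gets a provider release with nothing to register against. A comment above the module, `# Requires the Secrets Store CSI Driver (module "secrets_store_csi_driver"); this chart only installs the AWS provider that plugs into it`, or a validation that ties the two enable flags together, would make that explicit.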
@@ -1,50 +0,0 @@ -# CSI Secrets Store Provider Helm Chart - -# Introduction - -AWS Secrets Manager and Config Provider for Secret Store CSI Driver allows you to get secret contents stored in AWS Key Management Service instance and use the Secrets Store CSI driver interface to mount them into Kubernetes pods. - -# Helm Chart - -### Instructions to use the Helm Chart - -See the [csi-secrets-store-provider-aws](https://github.com/aws/eks-charts/tree/master/stable/csi-secrets-store-provider-aws). - - -## Requirements - -[Secrets Store CSI Driver](https://secrets-store-csi-driver.sigs.k8s.io/getting-started/installation.html) to be provisioned. - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | n/a | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [helm\_addon](#module\_helm\_addon) | ../helm-addon | n/a | - -## Resources - -| Name | Type | -|------|------| -| [kubernetes_namespace.csi_secrets_store_provider_aws](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [addon\_context](#input\_addon\_context) | Input configuration for the addon |
object({
aws_caller_identity_account_id = string
aws_caller_identity_arn = string
aws_eks_cluster_endpoint = string
aws_partition_id = string
aws_region_name = string
eks_cluster_id = string
eks_oidc_issuer_url = string
eks_oidc_provider_arn = string
tags = map(string)
})
| n/a | yes | -| [helm\_config](#input\_helm\_config) | Cluster Autoscaler Helm Config | `any` | `{}` | no | -| [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps. | `bool` | `false` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [argocd\_gitops\_config](#output\_argocd\_gitops\_config) | Configuration used for managing the add-on with ArgoCD | - - diff --git a/modules/csi-secrets-store-provider-aws/main.tf b/modules/csi-secrets-store-provider-aws/main.tf deleted file mode 100644 index 3cc21a55..00000000 --- a/modules/csi-secrets-store-provider-aws/main.tf +++ /dev/null @@ -1,36 +0,0 @@ -locals { - name = try(var.helm_config.name, "secrets-store-csi-driver-provider-aws") - namespace = try(var.helm_config.namespace, "kube-system") -} - -resource "kubernetes_namespace_v1" "csi_secrets_store_provider_aws" { - count = local.namespace == "kube-system" ? 0 : 1 - - metadata { - name = local.namespace - } -} - -module "helm_addon" { - source = "../helm-addon" - - # https://github.com/aws/eks-charts/blob/master/stable/csi-secrets-store-provider-aws/Chart.yaml - helm_config = merge( - { - name = local.name - chart = local.name - repository = "https://aws.github.io/secrets-store-csi-driver-provider-aws" - version = "0.3.1" - namespace = local.namespace - description = "A Helm chart to install the Secrets Store CSI Driver and the AWS Key Management Service Provider inside a Kubernetes cluster." - }, - var.helm_config - ) - - manage_via_gitops = var.manage_via_gitops - addon_context = var.addon_context - - depends_on = [ - kubernetes_namespace_v1.csi_secrets_store_provider_aws, - ] -} diff --git a/modules/csi-secrets-store-provider-aws/outputs.tf b/modules/csi-secrets-store-provider-aws/outputs.tf deleted file mode 100644 index 4d3d2c65..00000000 --- a/modules/csi-secrets-store-provider-aws/outputs.tf +++ /dev/null 
@@ -1,24 +0,0 @@ -output "argocd_gitops_config" { - description = "Configuration used for managing the add-on with ArgoCD" - value = var.manage_via_gitops ? { enable = true } : null -} - -output "release_metadata" { - description = "Map of attributes of the Helm release metadata" - value = module.helm_addon.release_metadata -} - -output "irsa_arn" { - description = "IAM role ARN for the service account" - value = module.helm_addon.irsa_arn -} - -output "irsa_name" { - description = "IAM role name for the service account" - value = module.helm_addon.irsa_name -} - -output "service_account" { - description = "Name of Kubernetes service account" - value = module.helm_addon.service_account -} diff --git a/modules/csi-secrets-store-provider-aws/variables.tf b/modules/csi-secrets-store-provider-aws/variables.tf deleted file mode 100644 index 619698f9..00000000 --- a/modules/csi-secrets-store-provider-aws/variables.tf +++ /dev/null @@ -1,28 +0,0 @@ -variable "helm_config" { - description = "CSI Secrets Store Provider AWS Helm Configurations" - type = any - default = {} -} - -variable "manage_via_gitops" { - description = "Determines if the add-on should be managed via GitOps" - type = bool - default = false -} - -variable "addon_context" { - description = "Input configuration for the addon" - type = object({ - aws_caller_identity_account_id = string - aws_caller_identity_arn = string - aws_eks_cluster_endpoint = string - aws_partition_id = string - aws_region_name = string - eks_cluster_id = string - eks_oidc_issuer_url = string - eks_oidc_provider_arn = string - tags = map(string) - irsa_iam_role_path = string - irsa_iam_permissions_boundary = string - }) -} diff --git a/modules/csi-secrets-store-provider-aws/versions.tf b/modules/csi-secrets-store-provider-aws/versions.tf deleted file mode 100644 index 55fba733..00000000 --- a/modules/csi-secrets-store-provider-aws/versions.tf +++ /dev/null 
@@ -1,10 +0,0 @@ -terraform { - required_version = ">= 1.0.0" - - required_providers { - kubernetes = { - source = "hashicorp/kubernetes" - version = ">= 2.10" - } - } -} diff --git a/tests/complete/main.tf b/tests/complete/main.tf index 61929a77..82973446 100644 --- a/tests/complete/main.tf +++ b/tests/complete/main.tf @@ -132,25 +132,25 @@ module "eks_blueprints_addons" { } } - enable_efs_csi_driver = true - enable_fsx_csi_driver = true - enable_argocd = true - enable_cloudwatch_metrics = true - enable_aws_privateca_issuer = true - enable_cert_manager = true - enable_cluster_autoscaler = true - enable_secrets_store_csi_driver = true - enable_secrets_store_csi_driver_provider_aws = true - enable_kube_prometheus_stack = true - enable_external_dns = true - enable_external_secrets = true - enable_gatekeeper = true - enable_ingress_nginx = true - enable_aws_load_balancer_controller = true - enable_metrics_server = true - enable_vpa = true - enable_aws_for_fluentbit = true - enable_fargate_fluentbit = true + enable_efs_csi_driver = true + enable_fsx_csi_driver = true + enable_argocd = true + enable_cloudwatch_metrics = true + enable_aws_privateca_issuer = true + enable_cert_manager = true + enable_cluster_autoscaler = true + enable_secrets_store_csi_driver = true + enable_csi_secrets_store_provider_aws = true + enable_kube_prometheus_stack = true + enable_external_dns = true + enable_external_secrets = true + enable_gatekeeper = true + enable_ingress_nginx = true + enable_aws_load_balancer_controller = true + enable_metrics_server = true + enable_vpa = true + enable_aws_for_fluentbit = true + enable_fargate_fluentbit = true enable_aws_node_termination_handler = true aws_node_termination_handler_asg_arns = [for asg in module.eks.self_managed_node_groups : asg.autoscaling_group_arn] diff --git a/variables.tf b/variables.tf index 258d5caf..c6d992ad 100644 --- a/variables.tf +++ b/variables.tf 
@@ -281,6 +281,22 @@ variable "secrets_store_csi_driver" { default = {} } +################################################################################ +# CSI Secrets Store Provider AWS +################################################################################ + +variable "enable_csi_secrets_store_provider_aws" { + description = "Enable AWS CSI Secrets Store Provider" + type = bool + default = false +} + +variable "csi_secrets_store_provider_aws" { + description = "CSI Secrets Store Provider add-on configurations" + type = any + default = {} +} + ################################################################################ # AWS for Fluentbit ################################################################################ @@ -519,16 +535,3 @@ variable "velero_backup_s3_bucket" { type = string default = "" } - -#-----------AWS CSI Secrets Store Provider------------- -variable "enable_secrets_store_csi_driver_provider_aws" { - type = bool - default = false - description = "Enable AWS CSI Secrets Store Provider" -} - -variable "csi_secrets_store_provider_aws_helm_config" { - type = any - default = null - description = "CSI Secrets Store Provider AWS Helm Configurations" -} From ae97cc13c345b15b8b4406122d390480e6e0f2f9 Mon Sep 17 00:00:00 2001 
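Review bot: The new `csi_secrets_store_provider_aws` variable uses the description `"CSI Secrets Store Provider add-on configurations"`, which is the same text the existing `secrets_store_csi_driver` input carries in the README table, so the generated docs will show two different charts with an identical description. Suggest `description = "AWS provider (secrets-store-csi-driver-provider-aws) for the Secrets Store CSI Driver add-on configurations"`. Because the type is `any` and every key is read through `try()` in main.tf, a misspelled key silently falls back to the default instead of failing validation; a sentence in the description pointing at the accepted keys, or a `validation` block on the keys that matter, would catch that early.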
From: Bryant Biggs Date: Thu, 27 Apr 2023 11:00:44 -0400 Subject: [PATCH 2/2] chore: Clean up removed references from prior v4 version --- .pre-commit-config.yaml | 2 +- README.md | 3 - locals.tf | 15 --- main.tf | 179 +++++++++++++------------------- modules/helm-addon/README.md | 57 ---------- modules/helm-addon/main.tf | 81 --------------- modules/helm-addon/outputs.tf | 24 ----- modules/helm-addon/variables.tf | 39 ------- modules/helm-addon/versions.tf | 10 -- modules/irsa/README.md | 75 ------------- modules/irsa/main.tf | 87 ---------------- modules/irsa/outputs.tf | 19 ---- modules/irsa/variables.tf | 73 ------------- modules/irsa/versions.tf | 14 --- tests/complete/main.tf | 1 - variables.tf | 23 +--- 16 files changed, 76 insertions(+), 626 deletions(-) delete mode 100644 locals.tf delete mode 100644 modules/helm-addon/README.md delete mode 100644 modules/helm-addon/main.tf delete mode 100644 modules/helm-addon/outputs.tf delete mode 100644 modules/helm-addon/variables.tf delete mode 100644 modules/helm-addon/versions.tf delete mode 100644 modules/irsa/README.md delete mode 100644 modules/irsa/main.tf delete mode 100644 modules/irsa/outputs.tf delete mode 100644 modules/irsa/variables.tf delete mode 100644 modules/irsa/versions.tf diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 4fb0cb8d..e7873ee3 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -10,7 +10,7 @@ repos: - id: detect-aws-credentials args: ['--allow-missing-credentials'] - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.77.2 + rev: v1.77.3 hooks: - id: terraform_fmt - id: terraform_docs diff --git a/README.md b/README.md index 1695480f..9800ab77 100644 --- a/README.md +++ b/README.md 
@@ -149,15 +149,12 @@ Please note: not all addons will be supported as they are today in the main EKS | [fsx\_csi\_driver](#input\_fsx\_csi\_driver) | FSX CSI Driver addon configuration values | `any` | `{}` | no | | [gatekeeper](#input\_gatekeeper) | Gatekeeper add-on configuration | `bool` | `false` | no | | [ingress\_nginx](#input\_ingress\_nginx) | Ingress Nginx add-on configurations | `any` | `{}` | no | -| [irsa\_iam\_permissions\_boundary](#input\_irsa\_iam\_permissions\_boundary) | IAM permissions boundary for IRSA roles | `string` | `""` | no | -| [irsa\_iam\_role\_path](#input\_irsa\_iam\_role\_path) | IAM role path for IRSA roles | `string` | `"/"` | no | | [karpenter](#input\_karpenter) | Karpenter addon configuration values | `any` | `{}` | no | | [karpenter\_enable\_spot\_termination](#input\_karpenter\_enable\_spot\_termination) | Determines whether to enable native node termination handling | `bool` | `true` | no | | [karpenter\_instance\_profile](#input\_karpenter\_instance\_profile) | Karpenter instance profile configuration values | `any` | `{}` | no | | [karpenter\_sqs](#input\_karpenter\_sqs) | Karpenter SQS queue for native node termination handling configuration values | `any` | `{}` | no | | [kube\_prometheus\_stack](#input\_kube\_prometheus\_stack) | Kube Prometheus Stack add-on configurations | `any` | `{}` | no | | [metrics\_server](#input\_metrics\_server) | Metrics Server add-on configurations | `any` | `{}` | no | -| [oidc\_provider](#input\_oidc\_provider) | The OpenID Connect identity provider (issuer URL without leading `https://`) | `string` | n/a | yes | | [oidc\_provider\_arn](#input\_oidc\_provider\_arn) | The ARN of the cluster OIDC Provider | `string` | n/a | yes | | [secrets\_store\_csi\_driver](#input\_secrets\_store\_csi\_driver) | CSI Secrets Store Provider add-on configurations | `any` | `{}` | no | | [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no | 
diff --git a/locals.tf b/locals.tf deleted file mode 100644 index 82c4b1dc..00000000 --- a/locals.tf +++ /dev/null @@ -1,15 +0,0 @@ -locals { - addon_context = { - aws_caller_identity_account_id = local.account_id - aws_caller_identity_arn = data.aws_caller_identity.current.arn - aws_partition_id = local.partition - aws_region_name = local.region - aws_eks_cluster_endpoint = var.cluster_endpoint - eks_cluster_id = var.cluster_name - eks_oidc_issuer_url = var.oidc_provider - eks_oidc_provider_arn = var.oidc_provider_arn - tags = var.tags - irsa_iam_role_path = var.irsa_iam_role_path - irsa_iam_permissions_boundary = var.irsa_iam_permissions_boundary - } -} diff --git a/main.tf b/main.tf index 564effb4..eea5852f 100644 --- a/main.tf +++ b/main.tf @@ -354,9 +354,6 @@ module "argo_rollouts" { ################################################################################ # ArgoCD ################################################################################ -locals { - argocd_name = "argo-cd" -} module "argocd" { # source = "aws-ia/eks-blueprints-addon/aws" @@ -366,11 +363,11 @@ module "argocd" { # https://github.com/argoproj/argo-helm/blob/main/charts/argo-cd/Chart.yaml # (there is no offical helm chart for argocd) - name = try(var.argocd.name, local.argocd_name) + name = try(var.argocd.name, "argo-cd") description = try(var.argocd.description, "A Helm chart to install the ArgoCD") namespace = try(var.argocd.namespace, "argocd") create_namespace = try(var.argocd.create_namespace, true) - chart = local.argocd_name + chart = "argo-cd" chart_version = try(var.argocd.chart_version, "5.29.1") repository = try(var.argocd.repository, "https://argoproj.github.io/argo-helm") values = try(var.argocd.values, []) 
@@ -467,8 +464,7 @@ module "argo_workflows" { locals { cert_manager_service_account = try(var.cert_manager.service_account_name, "cert-manager") - - create_cert_manager_irsa = var.enable_cert_manager && length(var.cert_manager_route53_hosted_zone_arns) > 0 + create_cert_manager_irsa = var.enable_cert_manager && length(var.cert_manager_route53_hosted_zone_arns) > 0 } data "aws_iam_policy_document" "cert_manager" { @@ -1104,8 +1100,7 @@ module "external_dns" { ################################################################################ locals { - aws_load_balancer_controller_name = "aws-load-balancer-controller" - aws_load_balancer_controller_service_account = try(var.aws_load_balancer_controller.service_account_name, "${local.aws_load_balancer_controller_name}-sa") + aws_load_balancer_controller_service_account = try(var.aws_load_balancer_controller.service_account_name, "aws-load-balancer-controller-sa") } data "aws_iam_policy_document" "aws_load_balancer_controller" { 
@@ -1394,12 +1389,12 @@ module "aws_load_balancer_controller" { create = var.enable_aws_load_balancer_controller # https://github.com/aws/eks-charts/blob/master/stable/aws-load-balancer-controller/Chart.yaml - name = try(var.aws_load_balancer_controller.name, local.aws_load_balancer_controller_name) + name = try(var.aws_load_balancer_controller.name, "aws-load-balancer-controller") description = try(var.aws_load_balancer_controller.description, "A Helm chart to deploy aws-load-balancer-controller for ingress resources") namespace = try(var.aws_load_balancer_controller.namespace, "kube-system") # namespace creation is false here as kube-system already exists by default create_namespace = try(var.aws_load_balancer_controller.create_namespace, false) - chart = local.aws_load_balancer_controller_name + chart = "aws-load-balancer-controller" chart_version = try(var.aws_load_balancer_controller.chart_version, "1.4.8") repository = try(var.aws_load_balancer_controller.repository, "https://aws.github.io/eks-charts") values = try(var.aws_load_balancer_controller.values, []) @@ -1641,7 +1636,6 @@ locals { data "aws_iam_policy_document" "fsx_csi_driver" { statement { sid = "AllowCreateServiceLinkedRoles" - effect = "Allow" resources = ["arn:${local.partition}:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.${local.dns_suffix}/*"] actions = [ @@ -1653,7 +1647,6 @@ data "aws_iam_policy_document" "fsx_csi_driver" { statement { sid = "AllowCreateServiceLinkedRole" - effect = "Allow" resources = ["arn:${local.partition}:iam::${local.account_id}:role/*"] actions = ["iam:CreateServiceLinkedRole"] 
@@ -1666,19 +1659,14 @@ data "aws_iam_policy_document" "fsx_csi_driver" { statement { sid = "AllowListBuckets" - effect = "Allow" resources = ["arn:${local.partition}:s3:::*"] - actions = [ "s3:ListBucket" ] } statement { - sid = "" - effect = "Allow" resources = ["arn:${local.partition}:fsx:${local.region}:${local.account_id}:file-system/*"] - actions = [ "fsx:CreateFileSystem", "fsx:DeleteFileSystem", @@ -1687,10 +1675,7 @@ data "aws_iam_policy_document" "fsx_csi_driver" { } statement { - sid = "" - effect = "Allow" resources = ["arn:${local.partition}:fsx:${local.region}:${local.account_id}:*"] - actions = [ "fsx:DescribeFileSystems", "fsx:TagResource" @@ -2055,10 +2040,6 @@ module "karpenter" { # Secrets Store CSI Driver ################################################################################ -locals { - secrets_store_csi_driver_name = "secrets-store-csi-driver" -} - module "secrets_store_csi_driver" { # source = "aws-ia/eks-blueprints-addon/aws" source = "./modules/eks-blueprints-addon" @@ -2066,11 +2047,11 @@ module "secrets_store_csi_driver" { create = var.enable_secrets_store_csi_driver # https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/main/charts/secrets-store-csi-driver/Chart.yaml - name = try(var.secrets_store_csi_driver.name, local.secrets_store_csi_driver_name) + name = try(var.secrets_store_csi_driver.name, "secrets-store-csi-driver") description = try(var.secrets_store_csi_driver.description, "A Helm chart to install the Secrets Store CSI Driver") namespace = try(var.secrets_store_csi_driver.namespace, "kube-system") create_namespace = try(var.secrets_store_csi_driver.create_namespace, false) - chart = local.secrets_store_csi_driver_name + chart = "secrets-store-csi-driver" chart_version = try(var.secrets_store_csi_driver.chart_version, "1.3.2") repository = try(var.secrets_store_csi_driver.repository, "https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts") values = try(var.secrets_store_csi_driver.values, []) 
@@ -2108,14 +2089,12 @@ module "secrets_store_csi_driver" { tags = var.tags } - ################################################################################ # CSI Secrets Store Provider AWS ################################################################################ locals { - csi_secrets_store_provider_aws_name = "secrets-store-csi-driver-provider-aws" - csi_secrets_store_provider_aws_service_account = try(var.csi_secrets_store_provider_aws.service_account_name, "${local.csi_secrets_store_provider_aws_name}-sa") + csi_secrets_store_provider_aws_service_account = try(var.csi_secrets_store_provider_aws.service_account_name, "secrets-store-csi-driver-provider-aws-sa") } module "csi_secrets_store_provider_aws" { @@ -2126,7 +2105,7 @@ module "csi_secrets_store_provider_aws" { create = var.enable_csi_secrets_store_provider_aws # https://github.com/aws/eks-charts/blob/master/stable/csi-secrets-store-provider-aws/Chart.yaml - name = try(var.csi_secrets_store_provider_aws.name, local.csi_secrets_store_provider_aws_name) + name = try(var.csi_secrets_store_provider_aws.name, "secrets-store-csi-driver-provider-aws") description = try(var.csi_secrets_store_provider_aws.description, "A Helm chart to install the Secrets Store CSI Driver and the AWS Key Management Service Provider inside a Kubernetes cluster.") namespace = try(var.csi_secrets_store_provider_aws.namespace, "kube-system") create_namespace = try(var.csi_secrets_store_provider_aws.create_namespace, false) 
@@ -2174,14 +2153,12 @@ module "csi_secrets_store_provider_aws" { tags = var.tags } - ################################################################################ # AWS for Fluent-bit ################################################################################ locals { - aws_for_fluentbit_name = "aws-for-fluent-bit" - aws_for_fluentbit_service_account = try(var.aws_for_fluentbit.service_account_name, "${local.aws_for_fluentbit_name}-sa") + aws_for_fluentbit_service_account = try(var.aws_for_fluentbit.service_account_name, "aws-for-fluent-bit-sa") } module "aws_for_fluentbit" { @@ -2192,7 +2169,7 @@ module "aws_for_fluentbit" { # https://github.com/aws/eks-charts/blob/master/stable/aws-for-fluent-bit/Chart.yaml - name = try(var.aws_for_fluentbit.name, local.aws_for_fluentbit_name) + name = try(var.aws_for_fluentbit.name, "aws-for-fluent-bit") description = try(var.aws_for_fluentbit.description, "A Helm chart to install the Fluent-bit Driver") namespace = try(var.aws_for_fluentbit.namespace, "kube-system") create_namespace = try(var.aws_for_fluentbit.create_namespace, false) @@ -2284,13 +2261,13 @@ resource "aws_cloudwatch_log_group" "aws_for_fluentbit" { data "aws_iam_policy_document" "aws_for_fluentbit" { count = try(var.aws_for_fluentbit_cw_log_group.create, true) && var.enable_aws_for_fluentbit ? 1 : 0 + statement { sid = "PutLogEvents" effect = "Allow" resources = [ - try("arn:${local.partition}:logs:${local.region}:${local.account_id}:log-group:${var.aws_for_fluentbit_cw_log_group.name}:log-stream:*", - "arn:${local.partition}:logs:${local.region}:${local.account_id}:log-group:*:log-stream:*" - )] + "arn:${local.partition}:logs:${local.region}:${local.account_id}:log-group:${try(var.aws_for_fluentbit_cw_log_group.name, "*")}:log-stream:*", + ] actions = [ "logs:PutLogEvents" 
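Review bot: The rewritten `resources` entry in `data "aws_iam_policy_document" "aws_for_fluentbit"` still falls back to `log-group:*:log-stream:*` when `var.aws_for_fluentbit_cw_log_group.name` is unset, so the default grant for `logs:PutLogEvents` spans every log group in the account and region; the `CreateCWLogs` statement at @@ -2301 has the same fallback for `logs:CreateLogGroup`. This data source is only created when `try(var.aws_for_fluentbit_cw_log_group.create, true)` holds, i.e. exactly when the module creates `resource "aws_cloudwatch_log_group" "aws_for_fluentbit"` itself, so the name is known and the `"*"` fallback should never be needed. Scoping the ARN to that resource, e.g. `"arn:${local.partition}:logs:${local.region}:${local.account_id}:log-group:${aws_cloudwatch_log_group.aws_for_fluentbit[0].name}:log-stream:*"`, keeps the policy least-privilege — confirm the resource's `count` and `name` attributes (outside the hunk) before relying on `[0]`. If the wildcard is deliberate, a comment on the line saying why would stop the next reader from treating it as an accident.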
@@ -2301,9 +2278,8 @@ data "aws_iam_policy_document" "aws_for_fluentbit" { sid = "CreateCWLogs" effect = "Allow" resources = [ - try("arn:${local.partition}:logs:${local.region}:${local.account_id}:log-group:${var.aws_for_fluentbit_cw_log_group.name}", - "arn:${local.partition}:logs:${local.region}:${local.account_id}:log-group:*" - )] + "arn:${local.partition}:logs:${local.region}:${local.account_id}:log-group:${try(var.aws_for_fluentbit_cw_log_group.name, "*")}", + ] actions = [ "logs:CreateLogGroup", @@ -2320,8 +2296,7 @@ data "aws_iam_policy_document" "aws_for_fluentbit" { ################################################################################ locals { - aws_privateca_issuer_name = "aws-privateca-issuer" - aws_privateca_issuer_service_account = try(var.aws_privateca_issuer.service_account_name, "${local.aws_privateca_issuer_name}-sa") + aws_privateca_issuer_service_account = try(var.aws_privateca_issuer.service_account_name, "aws-privateca-issuer-sa") } data "aws_iam_policy_document" "aws_privateca_issuer" { @@ -2347,7 +2322,7 @@ module "aws_privateca_issuer" { create = var.enable_aws_privateca_issuer # https://github.com/cert-manager/aws-privateca-issuer/blob/main/charts/aws-pca-issuer/Chart.yaml - name = try(var.aws_privateca_issuer.name, local.secrets_store_csi_driver_name) + name = try(var.aws_privateca_issuer.name, "aws-privateca-issuer") description = try(var.aws_privateca_issuer.description, "A Helm chart to install the AWS Private CA Issuer") namespace = try(var.aws_privateca_issuer.namespace, "kube-system") create_namespace = try(var.aws_privateca_issuer.create_namespace, false) @@ -2428,10 +2403,6 @@ module "aws_privateca_issuer" { # Metrics Server ################################################################################ -locals { - metrics_server_name = "metrics-server" -} - module "metrics_server" { # source = "aws-ia/eks-blueprints-addon/aws" source = "./modules/eks-blueprints-addon" 
@@ -2439,7 +2410,7 @@ module "metrics_server" { create = var.enable_metrics_server # https://github.com/kubernetes-sigs/metrics-server/blob/master/charts/metrics-server/Chart.yaml - name = try(var.metrics_server.name, local.metrics_server_name) + name = try(var.metrics_server.name, "metrics-server") description = try(var.metrics_server.description, "A Helm chart to install the Metrics Server") namespace = try(var.metrics_server.namespace, "kube-system") create_namespace = try(var.metrics_server.create_namespace, false) @@ -2485,10 +2456,6 @@ module "metrics_server" { # Ingress Nginx ################################################################################ -locals { - ingress_nginx_name = "ingress-nginx" -} - module "ingress_nginx" { # source = "aws-ia/eks-blueprints-addon/aws" source = "./modules/eks-blueprints-addon" @@ -2496,11 +2463,11 @@ module "ingress_nginx" { create = var.enable_ingress_nginx # https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/Chart.yaml - name = try(var.ingress_nginx.name, local.ingress_nginx_name) + name = try(var.ingress_nginx.name, "ingress-nginx") description = try(var.ingress_nginx.description, "A Helm chart to install the Ingress Nginx") namespace = try(var.ingress_nginx.namespace, "ingress-nginx") create_namespace = try(var.ingress_nginx.create_namespace, true) - chart = local.ingress_nginx_name + chart = "ingress-nginx" chart_version = try(var.ingress_nginx.chart_version, "4.6.0") repository = try(var.ingress_nginx.repository, "https://kubernetes.github.io/ingress-nginx") values = try(var.ingress_nginx.values, []) @@ -2542,10 +2509,6 @@ module "ingress_nginx" { # Cluster Proportional Autoscaler ################################################################################ -locals { - cluster_proportional_autoscaler_name = "cluster-proportional-autoscaler" -} - module "cluster_proportional_autoscaler" { # source = "aws-ia/eks-blueprints-addon/aws" source = "./modules/eks-blueprints-addon" 
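Review bot: With `local.ingress_nginx_name` removed, the chart name is now a bare literal in two places of `module "ingress_nginx"` — `name = try(var.ingress_nginx.name, "ingress-nginx")` and `chart = "ingress-nginx"` — and nothing ties them together any more; the same split appears in the cluster_proportional_autoscaler, kube_prometheus_stack, gatekeeper and vpa hunks that follow. A later edit to one literal can silently leave the release-name default and the chart out of step, which is the kind of drift the old locals were guarding against (though, as the privateca-issuer and gatekeeper fixes in this patch show, the locals were themselves copy-pasted wrongly). If the inline form is kept, a one-line comment such as `chart = "ingress-nginx" # keep in sync with the release-name default above` would at least document the coupling. The module block begins and ends outside this hunk.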
@@ -2553,11 +2516,11 @@ module "cluster_proportional_autoscaler" { create = var.enable_cluster_proportional_autoscaler # https://github.com/kubernetes-sigs/cluster-proportional-autoscaler/blob/master/charts/cluster-proportional-autoscaler/Chart.yaml - name = try(var.cluster_proportional_autoscaler.name, local.cluster_proportional_autoscaler_name) + name = try(var.cluster_proportional_autoscaler.name, "cluster-proportional-autoscaler") description = try(var.cluster_proportional_autoscaler.description, "A Helm chart to install the Cluster Proportional Autoscaler") namespace = try(var.cluster_proportional_autoscaler.namespace, "kube-system") create_namespace = try(var.cluster_proportional_autoscaler.create_namespace, false) - chart = local.cluster_proportional_autoscaler_name + chart = "cluster-proportional-autoscaler" chart_version = try(var.cluster_proportional_autoscaler.chart_version, "1.1.0") repository = try(var.cluster_proportional_autoscaler.repository, "https://kubernetes-sigs.github.io/cluster-proportional-autoscaler") values = try(var.cluster_proportional_autoscaler.values, []) @@ -2599,10 +2562,6 @@ module "cluster_proportional_autoscaler" { # Kube Prometheus stack ################################################################################ -locals { - kube_prometheus_stack_name = "kube-prometheus-stack" -} - # During destroy CRDs created by this chart are not removed by default and # should be manually cleaned up: # kubectl delete crd alertmanagerconfigs.monitoring.coreos.com 
@@ -2620,11 +2579,11 @@ module "kube_prometheus_stack" { create = var.enable_kube_prometheus_stack # https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-prometheus-stack/Chart.yaml - name = try(var.kube_prometheus_stack.name, local.kube_prometheus_stack_name) + name = try(var.kube_prometheus_stack.name, "kube-prometheus-stack") description = try(var.kube_prometheus_stack.description, "A Helm chart to install the Kube Prometheus Stack") namespace = try(var.kube_prometheus_stack.namespace, "kube-prometheus-stack") create_namespace = try(var.kube_prometheus_stack.create_namespace, true) - chart = local.kube_prometheus_stack_name + chart = "kube-prometheus-stack" chart_version = try(var.kube_prometheus_stack.chart_version, "45.10.1") repository = try(var.kube_prometheus_stack.repository, "https://prometheus-community.github.io/helm-charts") values = try(var.kube_prometheus_stack.values, []) @@ -2666,10 +2625,6 @@ module "kube_prometheus_stack" { # Gatekeeper ################################################################################ -locals { - gatekeeper_name = "gatekeeper" -} - module "gatekeeper" { # source = "aws-ia/eks-blueprints-addon/aws" source = "./modules/eks-blueprints-addon" @@ -2677,11 +2632,11 @@ module "gatekeeper" { create = var.enable_gatekeeper # https://github.com/open-policy-agent/gatekeeper/blob/master/charts/gatekeeper/Chart.yaml - name = try(var.gatekeeper.name, local.cluster_proportional_autoscaler_name) + name = try(var.gatekeeper.name, "gatekeeper") description = try(var.gatekeeper.description, "A Helm chart to install Gatekeeper") namespace = try(var.gatekeeper.namespace, "gatekeeper-system") create_namespace = try(var.gatekeeper.create_namespace, true) - chart = local.gatekeeper_name + chart = "gatekeeper" chart_version = try(var.gatekeeper.chart_version, "3.12.0") repository = try(var.gatekeeper.repository, "https://open-policy-agent.github.io/gatekeeper/charts") values = try(var.gatekeeper.values, []) 
@@ -2722,9 +2677,6 @@ module "gatekeeper" { ################################################################################ # Vertical Pod Autoscaler ################################################################################ -locals { - vpa_name = "vpa" -} module "vpa" { # source = "aws-ia/eks-blueprints-addon/aws" @@ -2734,11 +2686,11 @@ module "vpa" { # https://github.com/FairwindsOps/charts/blob/master/stable/vpa/Chart.yaml # (there is no offical helm chart for VPA) - name = try(var.vpa.name, local.vpa_name) + name = try(var.vpa.name, "vpa") description = try(var.vpa.description, "A Helm chart to install the Vertical Pod Autoscaler") namespace = try(var.vpa.namespace, "vpa") create_namespace = try(var.vpa.create_namespace, true) - chart = local.vpa_name + chart = "vpa" chart_version = try(var.vpa.chart_version, "1.7.2") repository = try(var.vpa.repository, "https://charts.fairwinds.com/stable") values = try(var.vpa.values, []) @@ -2779,9 +2731,9 @@ module "vpa" { ################################################################################ # Velero ################################################################################ + locals { - velero_name = "velero" - velero_service_account = try(var.velero.service_account_name, "${local.velero_name}-sa") + velero_service_account = try(var.velero.service_account_name, "velero-sa") velero_backup_s3_bucket = split(":", var.velero.s3_bucket_arn) velero_backup_s3_bucket_name = split("/", local.velero_backup_s3_bucket[5]) velero_backup_s3_bucket_prefix = split("/", var.velero.s3_bucket_arn) @@ -2837,7 +2789,7 @@ module "velero" { create = var.enable_velero # https://github.com/vmware-tanzu/helm-charts/blob/main/charts/velero/Chart.yaml - name = try(var.velero.name, local.velero_name) + name = try(var.velero.name, "velero") description = try(var.velero.description, "A Helm chart to install the Velero") namespace = try(var.velero.namespace, "velero") create_namespace = try(var.velero.create_namespace, true) 
@@ -2948,6 +2900,7 @@ module "velero" { ################################################################################ # Fargate Fluentbit ################################################################################ + resource "aws_cloudwatch_log_group" "fargate_fluentbit" { count = try(var.fargate_fluentbit_cw_log_group.create, true) && var.enable_fargate_fluentbit ? 1 : 0 @@ -2963,6 +2916,7 @@ resource "aws_cloudwatch_log_group" "fargate_fluentbit" { # https://docs.aws.amazon.com/eks/latest/userguide/fargate-logging.html resource "kubernetes_namespace_v1" "aws_observability" { count = var.enable_fargate_fluentbit ? 1 : 0 + metadata { name = "aws-observability" @@ -2975,42 +2929,49 @@ resource "kubernetes_namespace_v1" "aws_observability" { # fluent-bit-cloudwatch value as the name of the CloudWatch log group that is automatically created as soon as your apps start logging resource "kubernetes_config_map_v1" "aws_logging" { count = var.enable_fargate_fluentbit ? 1 : 0 + metadata { name = "aws-logging" namespace = kubernetes_namespace_v1.aws_observability[0].id } data = { - "parsers.conf" = try(var.fargate_fluentbit.parsers_conf, <<-EOT - [PARSER] - Name regex - Format regex - Regex ^(?