chore: Sync updates from testing/validation for v5 changes #153

Merged
merged 1 commit into from
May 9, 2023
16 changes: 12 additions & 4 deletions README.md
Expand Up @@ -13,14 +13,16 @@ Please note: not all addons will be supported as they are today in the main EKS
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.47 |
| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.10 |
| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.20 |
| <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.9 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.47 |
| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | >= 2.10 |
| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | >= 2.20 |
| <a name="provider_time"></a> [time](#provider\_time) | >= 0.9 |

## Modules

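Review bot: the kubernetes provider floor moves from `>= 2.10` to `>= 2.20` in both the Requirements and Providers tables, which raises the minimum for every consumer of the module; the changelog/upgrade notes should call it out, and the corresponding `required_providers` constraint in the source needs the same bump, otherwise a terraform-docs regeneration will revert this table to 2.10.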
Expand Down Expand Up @@ -67,8 +69,12 @@ Please note: not all addons will be supported as they are today in the main EKS
| [aws_cloudwatch_log_group.fargate_fluentbit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
| [aws_eks_addon.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) | resource |
| [aws_iam_instance_profile.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
| [aws_iam_role.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [kubernetes_config_map_v1.aws_logging](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1) | resource |
| [kubernetes_namespace_v1.aws_observability](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource |
| [time_sleep.this](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_eks_addon_version.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_addon_version) | data source |
| [aws_iam_policy_document.aws_efs_csi_driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
Expand All @@ -82,8 +88,8 @@ Please note: not all addons will be supported as they are today in the main EKS
| [aws_iam_policy_document.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.external_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.karpenter_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_role.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source |
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |

Expand Down Expand Up @@ -111,6 +117,8 @@ Please note: not all addons will be supported as they are today in the main EKS
| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes |
| <a name="input_cluster_proportional_autoscaler"></a> [cluster\_proportional\_autoscaler](#input\_cluster\_proportional\_autoscaler) | Cluster Proportional Autoscaler add-on configurations | `any` | `{}` | no |
| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | Kubernetes `<major>.<minor>` version to use for the EKS cluster (i.e.: `1.24`) | `string` | n/a | yes |
| <a name="input_create_delay_dependencies"></a> [create\_delay\_dependencies](#input\_create\_delay\_dependencies) | Dependency attribute which must be resolved before starting the `create_delay_duration` | `list(string)` | `[]` | no |
| <a name="input_create_delay_duration"></a> [create\_delay\_duration](#input\_create\_delay\_duration) | The duration to wait before creating resources | `string` | `"30s"` | no |
| <a name="input_eks_addons"></a> [eks\_addons](#input\_eks\_addons) | Map of EKS addon configurations to enable for the cluster. Addon name can be the map keys or set with `name` | `any` | `{}` | no |
| <a name="input_eks_addons_timeouts"></a> [eks\_addons\_timeouts](#input\_eks\_addons\_timeouts) | Create, update, and delete timeout configurations for the EKS addons | `map(string)` | `{}` | no |
| <a name="input_enable_argo_rollouts"></a> [enable\_argo\_rollouts](#input\_enable\_argo\_rollouts) | Enable Argo Rollouts add-on | `bool` | `false` | no |
Expand Down Expand Up @@ -150,7 +158,7 @@ Please note: not all addons will be supported as they are today in the main EKS
| <a name="input_ingress_nginx"></a> [ingress\_nginx](#input\_ingress\_nginx) | Ingress Nginx add-on configurations | `any` | `{}` | no |
| <a name="input_karpenter"></a> [karpenter](#input\_karpenter) | Karpenter addon configuration values | `any` | `{}` | no |
| <a name="input_karpenter_enable_spot_termination"></a> [karpenter\_enable\_spot\_termination](#input\_karpenter\_enable\_spot\_termination) | Determines whether to enable native node termination handling | `bool` | `true` | no |
| <a name="input_karpenter_instance_profile"></a> [karpenter\_instance\_profile](#input\_karpenter\_instance\_profile) | Karpenter instance profile configuration values | `any` | `{}` | no |
| <a name="input_karpenter_node"></a> [karpenter\_node](#input\_karpenter\_node) | Karpenter IAM role and IAM instance profile configuration values | `any` | `{}` | no |
| <a name="input_karpenter_sqs"></a> [karpenter\_sqs](#input\_karpenter\_sqs) | Karpenter SQS queue for native node termination handling configuration values | `any` | `{}` | no |
| <a name="input_kube_prometheus_stack"></a> [kube\_prometheus\_stack](#input\_kube\_prometheus\_stack) | Kube Prometheus Stack add-on configurations | `any` | `{}` | no |
| <a name="input_metrics_server"></a> [metrics\_server](#input\_metrics\_server) | Metrics Server add-on configurations | `any` | `{}` | no |
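Review bot: `karpenter_instance_profile` is removed and replaced by `karpenter_node`, a breaking change for existing callers that the README does not explain; the PR should carry an upgrade note mapping the old keys (`create`, `name`, `name_prefix`, `path`, `iam_role_name`, `tags`) to their new counterparts (`create_instance_profile`, `create_iam_role`, `iam_role_name`, `iam_role_use_name_prefix`, `iam_role_path`, `instance_profile_tags`) and listing the new role-only keys (`iam_role_arn`, `iam_role_description`, `iam_role_max_session_duration`, `iam_role_permissions_boundary`, `iam_role_additional_policies`, `iam_role_tags`, `instance_profile_name`).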
151 changes: 110 additions & 41 deletions main.tf
Expand Up @@ -2,12 +2,32 @@ data "aws_partition" "current" {}
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# This resource is used to provide a means of mapping an implicit dependency
# between the cluster and the addons.
resource "time_sleep" "this" {
create_duration = var.create_delay_duration

triggers = {
cluster_endpoint = var.cluster_endpoint
cluster_name = var.cluster_name
custom = join(",", var.create_delay_dependencies)
oidc_provider_arn = var.oidc_provider_arn
}
}

locals {
account_id = data.aws_caller_identity.current.account_id
dns_suffix = data.aws_partition.current.dns_suffix
partition = data.aws_partition.current.partition
region = data.aws_region.current.name

# Threads the sleep resource into the module to make the dependency
cluster_endpoint = time_sleep.this.triggers["cluster_endpoint"]
cluster_name = time_sleep.this.triggers["cluster_name"]
oidc_provider_arn = time_sleep.this.triggers["oidc_provider_arn"]

iam_role_policy_prefix = "arn:${local.partition}:iam::aws:policy"

# Used by Karpenter & AWS Node Termination Handler
ec2_events = {
health_event = {
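Review bot: the `custom` trigger joins `var.create_delay_dependencies` in list order, so reordering the list (not only changing its contents) replaces `time_sleep.this` and re-waits `create_delay_duration`, and because `cluster_endpoint`, `cluster_name` and `oidc_provider_arn` are threaded through `triggers`, every add-on downstream is re-evaluated with it; if order should not matter, use `join(",", sort(var.create_delay_dependencies))`, and extend the comment above the resource to say the sleep is replaced whenever any trigger value changes.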
Expand Down Expand Up @@ -256,14 +276,17 @@ module "aws_cloudwatch_metrics" {
lint = try(var.aws_cloudwatch_metrics.lint, null)

postrender = try(var.aws_cloudwatch_metrics.postrender, [])
set = concat([
{
name = "clusterName"
value = var.cluster_name
}, {
name = "serviceAccount.name"
value = local.aws_cloudwatch_metrics_service_account
}],
set = concat(
[
{
name = "clusterName"
value = local.cluster_name
},
{
name = "serviceAccount.name"
value = local.aws_cloudwatch_metrics_service_account
}
],
try(var.aws_cloudwatch_metrics.set, [])
)
set_sensitive = try(var.aws_cloudwatch_metrics.set_sensitive, [])
Expand All @@ -283,7 +306,7 @@ module "aws_cloudwatch_metrics" {

oidc_providers = {
this = {
provider_arn = var.oidc_provider_arn
provider_arn = local.oidc_provider_arn
# namespace is inherited from chart
service_account = local.aws_cloudwatch_metrics_service_account
}
Expand Down Expand Up @@ -452,12 +475,12 @@ module "aws_efs_csi_driver" {

oidc_providers = {
controller = {
provider_arn = var.oidc_provider_arn
provider_arn = local.oidc_provider_arn
# namespace is inherited from chart
service_account = local.aws_efs_csi_driver_controller_service_account
}
node = {
provider_arn = var.oidc_provider_arn
provider_arn = local.oidc_provider_arn
# namespace is inherited from chart
service_account = local.aws_efs_csi_driver_node_service_account
}
Expand Down Expand Up @@ -594,7 +617,7 @@ module "aws_for_fluentbit" {

oidc_providers = {
this = {
provider_arn = var.oidc_provider_arn
provider_arn = local.oidc_provider_arn
# namespace is inherited from chart
service_account = local.aws_for_fluentbit_service_account
}
Expand Down Expand Up @@ -744,12 +767,12 @@ module "aws_fsx_csi_driver" {

oidc_providers = {
controller = {
provider_arn = var.oidc_provider_arn
provider_arn = local.oidc_provider_arn
# namespace is inherited from chart
service_account = local.aws_fsx_csi_driver_controller_service_account
}
node = {
provider_arn = var.oidc_provider_arn
provider_arn = local.oidc_provider_arn
# namespace is inherited from chart
service_account = local.aws_fsx_csi_driver_node_service_account
}
Expand Down Expand Up @@ -1077,7 +1100,7 @@ module "aws_load_balancer_controller" {
value = local.aws_load_balancer_controller_service_account
}, {
name = "clusterName"
value = var.cluster_name
value = local.cluster_name
}],
try(var.aws_load_balancer_controller.set, [])
)
Expand Down Expand Up @@ -1106,7 +1129,7 @@ module "aws_load_balancer_controller" {

oidc_providers = {
this = {
provider_arn = var.oidc_provider_arn
provider_arn = local.oidc_provider_arn
# namespace is inherited from chart
service_account = local.aws_load_balancer_controller_service_account
}
Expand Down Expand Up @@ -1326,7 +1349,7 @@ module "aws_node_termination_handler" {

oidc_providers = {
this = {
provider_arn = var.oidc_provider_arn
provider_arn = local.oidc_provider_arn
# namespace is inherited from chart
service_account = local.aws_node_termination_handler_service_account
}
Expand Down Expand Up @@ -1434,7 +1457,7 @@ module "aws_privateca_issuer" {

oidc_providers = {
controller = {
provider_arn = var.oidc_provider_arn
provider_arn = local.oidc_provider_arn
# namespace is inherited from chart
service_account = local.aws_privateca_issuer_service_account
}
Expand Down Expand Up @@ -1550,7 +1573,7 @@ module "cert_manager" {

oidc_providers = {
this = {
provider_arn = var.oidc_provider_arn
provider_arn = local.oidc_provider_arn
# namespace is inherited from chart
service_account = local.cert_manager_service_account
}
Expand Down Expand Up @@ -1666,7 +1689,7 @@ module "cluster_autoscaler" {
},
{
name = "autoDiscovery.clusterName"
value = var.cluster_name
value = local.cluster_name
},
{
name = "image.tag"
Expand Down Expand Up @@ -1704,7 +1727,7 @@ module "cluster_autoscaler" {

oidc_providers = {
this = {
provider_arn = var.oidc_provider_arn
provider_arn = local.oidc_provider_arn
# namespace is inherited from chart
service_account = local.cluster_autoscaler_service_account
}
Expand Down Expand Up @@ -1781,7 +1804,7 @@ data "aws_eks_addon_version" "this" {
resource "aws_eks_addon" "this" {
for_each = var.eks_addons

cluster_name = var.cluster_name
cluster_name = local.cluster_name
addon_name = try(each.value.name, each.key)

addon_version = try(each.value.addon_version, data.aws_eks_addon_version.this[each.key].version)
Expand Down Expand Up @@ -1900,7 +1923,7 @@ module "external_dns" {

oidc_providers = {
this = {
provider_arn = var.oidc_provider_arn
provider_arn = local.oidc_provider_arn
# namespace is inherited from chart
service_account = local.external_dns_service_account
}
Expand Down Expand Up @@ -2050,7 +2073,7 @@ module "external_secrets" {

oidc_providers = {
this = {
provider_arn = var.oidc_provider_arn
provider_arn = local.oidc_provider_arn
# namespace is inherited from chart
service_account = local.external_secrets_service_account
}
Expand Down Expand Up @@ -2252,13 +2275,10 @@ module "ingress_nginx" {
locals {
karpenter_service_account_name = try(var.karpenter.service_account_name, "karpenter")
karpenter_enable_spot_termination = var.enable_karpenter && var.karpenter_enable_spot_termination
create_karpenter_instance_profile = try(var.karpenter_instance_profile.create, true)
karpenter_instance_profile_name = try(aws_iam_instance_profile.karpenter[0].name, var.karpenter_instance_profile.name, "")
}

data "aws_iam_role" "karpenter" {
count = var.enable_karpenter ? 1 : 0
name = var.karpenter_instance_profile.iam_role_name
create_karpenter_node_iam_role = var.enable_karpenter && try(var.karpenter_node.create_iam_role, true)
karpenter_node_iam_role_arn = try(aws_iam_role.karpenter[0].arn, var.karpenter_node.iam_role_arn, "")
karpenter_node_iam_role_name = try(var.karpenter_node.iam_role_name, "karpenter-${var.cluster_name}")
}

data "aws_iam_policy_document" "karpenter" {
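Review bot: `karpenter_node_iam_role_name` still reads `var.cluster_name` while the rest of this change switches every other consumer to `local.cluster_name`; use the local here as well for consistency (the string is identical, so no role is renamed). The `""` fallback in `karpenter_node_iam_role_arn` replaces the old `data.aws_iam_role.karpenter` lookup, which failed early on a wrong name; the new form defers the failure to whichever resource consumes the empty ARN.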
Expand Down Expand Up @@ -2295,7 +2315,7 @@ data "aws_iam_policy_document" "karpenter" {

statement {
actions = ["iam:PassRole"]
resources = [data.aws_iam_role.karpenter[0].arn]
resources = [local.karpenter_node_iam_role_arn]
}

statement {
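Review bot: with `create_iam_role = false` and no `iam_role_arn` supplied, `local.karpenter_node_iam_role_arn` resolves to `""`, so this `iam:PassRole` statement gets an empty `resources` entry and the policy is rejected by IAM at apply time rather than at plan; add a `validation` block on `var.karpenter_node` (or a `precondition` on the policy document) requiring `iam_role_arn` when `create_iam_role` is false. Keeping PassRole scoped to the single node role ARN is the right least-privilege shape; avoid widening it to a wildcard to work around the empty value.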
Expand Down Expand Up @@ -2393,14 +2413,63 @@ resource "aws_cloudwatch_event_target" "karpenter" {
arn = module.karpenter_sqs.queue_arn
}

data "aws_iam_policy_document" "karpenter_assume_role" {
count = local.create_karpenter_node_iam_role ? 1 : 0

statement {
sid = "KarpenterNodeAssumeRole"
actions = ["sts:AssumeRole"]

principals {
type = "Service"
identifiers = ["ec2.${local.dns_suffix}"]
}
}
}

resource "aws_iam_role" "karpenter" {
count = local.create_karpenter_node_iam_role ? 1 : 0

name = try(var.karpenter_node.iam_role_use_name_prefix, true) ? null : local.karpenter_node_iam_role_name
name_prefix = try(var.karpenter_node.iam_role_use_name_prefix, true) ? "${local.karpenter_node_iam_role_name}-" : null
path = try(var.karpenter_node.iam_role_path, null)
description = try(var.karpenter_node.iam_role_description, "Karpenter EC2 node IAM role")

assume_role_policy = try(data.aws_iam_policy_document.karpenter_assume_role[0].json, "")
max_session_duration = try(var.karpenter_node.iam_role_max_session_duration, null)
permissions_boundary = try(var.karpenter_node.iam_role_permissions_boundary, null)
force_detach_policies = true

tags = merge(var.tags, try(var.karpenter_node.iam_role_tags, {}))
}

resource "aws_iam_role_policy_attachment" "karpenter" {
for_each = { for k, v in {
AmazonEKSWorkerNodePolicy = "${local.iam_role_policy_prefix}/AmazonEKSWorkerNodePolicy",
AmazonEC2ContainerRegistryReadOnly = "${local.iam_role_policy_prefix}/AmazonEC2ContainerRegistryReadOnly",
AmazonEKS_CNI_Policy = "${local.iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
} : k => v if local.create_karpenter_node_iam_role }

policy_arn = each.value
role = aws_iam_role.karpenter[0].name
}

resource "aws_iam_role_policy_attachment" "additional" {
for_each = { for k, v in try(var.karpenter_node.iam_role_additional_policies, {}) : k => v if local.create_karpenter_node_iam_role }

policy_arn = each.value
role = aws_iam_role.karpenter[0].name
}

resource "aws_iam_instance_profile" "karpenter" {
count = var.enable_karpenter && local.create_karpenter_instance_profile ? 1 : 0
count = var.enable_karpenter && try(var.karpenter_node.create_instance_profile, true) ? 1 : 0

name_prefix = try(var.karpenter_instance_profile.name_prefix, "karpenter-")
path = try(var.karpenter_instance_profile.path, null)
role = var.karpenter_instance_profile.iam_role_name
name = try(var.karpenter_node.iam_role_use_name_prefix, true) ? null : local.karpenter_node_iam_role_name
name_prefix = try(var.karpenter_node.iam_role_use_name_prefix, true) ? "${local.karpenter_node_iam_role_name}-" : null
path = try(var.karpenter_node.iam_role_path, null)
role = try(aws_iam_role.karpenter[0].name, var.karpenter_node.iam_role_name, "")

tags = merge(var.tags, try(var.karpenter_instance_profile.tags, {}))
tags = merge(var.tags, try(var.karpenter_node.instance_profile_tags, {}))
}

module "karpenter" {
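Review bot: `aws_iam_instance_profile.karpenter` is gated only on `create_instance_profile`, so with `create_iam_role = false` and no `iam_role_name` its `role` falls back to `""` and fails at apply; a `precondition` would surface this at plan. The `try(..., "")` on `assume_role_policy` is unnecessary, since `data.aws_iam_policy_document.karpenter_assume_role` shares the role's `count`, and it would hide a real evaluation error behind an empty trust policy. The default `name_prefix` also changes from `karpenter-` to `karpenter-<cluster_name>-`, which forces replacement of existing instance profiles on upgrade and belongs in the upgrade notes. Finally, `AmazonEKS_CNI_Policy` is attached unconditionally to the node role; the VPC CNI can obtain its permissions via IRSA instead, so consider making that attachment opt-out so the node role (and every pod that can reach the instance credentials) does not carry ENI/IP management rights it may not need.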
Expand Down Expand Up @@ -2450,15 +2519,15 @@ module "karpenter" {
[
{
name = "settings.aws.clusterName"
value = var.cluster_name
value = local.cluster_name
},
{
name = "settings.aws.clusterEndpoint"
value = var.cluster_endpoint
value = local.cluster_endpoint
},
{
name = "settings.aws.defaultInstanceProfile"
value = local.karpenter_instance_profile_name
value = try(aws_iam_instance_profile.karpenter[0].name, var.karpenter_node.instance_profile_name, "")
},
{
name = "settings.aws.interruptionQueueName"
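Review bot: `settings.aws.defaultInstanceProfile` now inlines `try(aws_iam_instance_profile.karpenter[0].name, var.karpenter_node.instance_profile_name, "")`, duplicating the resolution already done for the instance profile's `role` and dropping the former `local.karpenter_instance_profile_name`; keep a single local for the resolved profile name so the two cannot drift, and note that an empty string here produces a Karpenter release that is misconfigured at runtime rather than a plan-time error.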
Expand Down Expand Up @@ -2496,7 +2565,7 @@ module "karpenter" {

oidc_providers = {
this = {
provider_arn = var.oidc_provider_arn
provider_arn = local.oidc_provider_arn
# namespace is inherited from chart
service_account = local.karpenter_service_account_name
}
Expand Down Expand Up @@ -2905,7 +2974,7 @@ module "velero" {

oidc_providers = {
controller = {
provider_arn = var.oidc_provider_arn
provider_arn = local.oidc_provider_arn
# namespace is inherited from chart
service_account = local.velero_service_account
}