feat(DMVP-5344): have external-dns submodule module

README.md

@@ -210,6 +210,7 @@ worker_groups = {
 | <a name="module_ebs-csi"></a> [ebs-csi](#module\_ebs-csi) | ./modules/ebs-csi | n/a |
 | <a name="module_efs-csi-driver"></a> [efs-csi-driver](#module\_efs-csi-driver) | ./modules/efs-csi | n/a |
 | <a name="module_eks-cluster"></a> [eks-cluster](#module\_eks-cluster) | ./modules/eks | n/a |
+| <a name="module_external-dns"></a> [external-dns](#module\_external-dns) | ./modules/external-dns | n/a |
 | <a name="module_external-secrets"></a> [external-secrets](#module\_external-secrets) | ./modules/external-secrets | n/a |
 | <a name="module_fluent-bit"></a> [fluent-bit](#module\_fluent-bit) | ./modules/fluent-bit | n/a |
 | <a name="module_metrics-server"></a> [metrics-server](#module\_metrics-server) | ./modules/metrics-server | n/a |
@@ -269,8 +270,9 @@ worker_groups = {
 | <a name="input_enable_portainer"></a> [enable\_portainer](#input\_enable\_portainer) | Enable Portainer provisioning or not | `bool` | `false` | no |
 | <a name="input_enable_sso_rbac"></a> [enable\_sso\_rbac](#input\_enable\_sso\_rbac) | Enable SSO RBAC integration or not | `bool` | `false` | no |
 | <a name="input_enable_waf_for_alb"></a> [enable\_waf\_for\_alb](#input\_enable\_waf\_for\_alb) | Enables WAF and WAF V2 addons for ALB | `bool` | `false` | no |
+| <a name="input_external_dns"></a> [external\_dns](#input\_external\_dns) | Allows to install external-dns helm chart and related roles, which allows to automatically create R53 records based on ingress/service domain/host configs | <pre>object({<br>    enabled = optional(bool, false)<br>    configs = optional(any, {})<br>  })</pre> | <pre>{<br>  "enabled": false<br>}</pre> | no |
 | <a name="input_external_secrets_namespace"></a> [external\_secrets\_namespace](#input\_external\_secrets\_namespace) | The namespace of external-secret operator | `string` | `"kube-system"` | no |
-| <a name="input_fluent_bit_configs"></a> [fluent\_bit\_configs](#input\_fluent\_bit\_configs) | Fluent Bit configs | <pre>object({<br>    fluent_bit_name       = optional(string, "")<br>    log_group_name        = optional(string, "")<br>    system_log_group_name = optional(string, "")<br>    log_retention_days    = optional(number, 90)<br>    values_yaml           = optional(string, "")<br>    configs = optional(object({<br>      inputs                     = optional(string, "")<br>      filters                    = optional(string, "")<br>      outputs                    = optional(string, "")<br>      cloudwatch_outputs_enabled = optional(bool, true)<br>    }), {})<br>    drop_namespaces        = optional(list(string), [])<br>    log_filters            = optional(list(string), [])<br>    additional_log_filters = optional(list(string), [])<br>    kube_namespaces        = optional(list(string), [])<br>    image_pull_secrets     = optional(list(string), [])<br>  })</pre> | <pre>{<br>  "additional_log_filters": [<br>    "ELB-HealthChecker",<br>    "Amazon-Route53-Health-Check-Service"<br>  ],<br>  "configs": {<br>    "cloudwatch_outputs_enabled": true,<br>    "filters": "",<br>    "inputs": "",<br>    "outputs": ""<br>  },<br>  "drop_namespaces": [<br>    "kube-system",<br>    "opentelemetry-operator-system",<br>    "adot",<br>    "cert-manager",<br>    "opentelemetry.*",<br>    "meta.*"<br>  ],<br>  "fluent_bit_name": "",<br>  "image_pull_secrets": [],<br>  "kube_namespaces": [<br>    "kube.*",<br>    "meta.*",<br>    "adot.*",<br>    "devops.*",<br>    "cert-manager.*",<br>    "git.*",<br>    "opentelemetry.*",<br>    "stakater.*",<br>    "renovate.*"<br>  ],<br>  "log_filters": [<br>    "kube-probe",<br>    "health",<br>    "prometheus",<br>    "liveness"<br>  ],<br>  "log_group_name": "",<br>  "log_retention_days": 90,<br>  "system_log_group_name": "",<br>  "values_yaml": ""<br>}</pre> | no |
+| <a name="input_fluent_bit_configs"></a> [fluent\_bit\_configs](#input\_fluent\_bit\_configs) | Fluent Bit configs | <pre>object({<br>    enabled               = optional(string, true)<br>    fluent_bit_name       = optional(string, "")<br>    log_group_name        = optional(string, "")<br>    system_log_group_name = optional(string, "")<br>    log_retention_days    = optional(number, 90)<br>    values_yaml           = optional(string, "")<br>    configs = optional(object({<br>      inputs                     = optional(string, "")<br>      filters                    = optional(string, "")<br>      outputs                    = optional(string, "")<br>      cloudwatch_outputs_enabled = optional(bool, true)<br>    }), {})<br>    drop_namespaces        = optional(list(string), [])<br>    log_filters            = optional(list(string), [])<br>    additional_log_filters = optional(list(string), [])<br>    kube_namespaces        = optional(list(string), [])<br>    image_pull_secrets     = optional(list(string), [])<br>  })</pre> | <pre>{<br>  "additional_log_filters": [<br>    "ELB-HealthChecker",<br>    "Amazon-Route53-Health-Check-Service"<br>  ],<br>  "configs": {<br>    "cloudwatch_outputs_enabled": true,<br>    "filters": "",<br>    "inputs": "",<br>    "outputs": ""<br>  },<br>  "drop_namespaces": [<br>    "kube-system",<br>    "opentelemetry-operator-system",<br>    "adot",<br>    "cert-manager",<br>    "opentelemetry.*",<br>    "meta.*"<br>  ],<br>  "enabled": true,<br>  "fluent_bit_name": "",<br>  "image_pull_secrets": [],<br>  "kube_namespaces": [<br>    "kube.*",<br>    "meta.*",<br>    "adot.*",<br>    "devops.*",<br>    "cert-manager.*",<br>    "git.*",<br>    "opentelemetry.*",<br>    "stakater.*",<br>    "renovate.*"<br>  ],<br>  "log_filters": [<br>    "kube-probe",<br>    "health",<br>    "prometheus",<br>    "liveness"<br>  ],<br>  "log_group_name": "",<br>  "log_retention_days": 90,<br>  "system_log_group_name": "",<br>  "values_yaml": ""<br>}</pre> | no |
 | <a name="input_manage_aws_auth"></a> [manage\_aws\_auth](#input\_manage\_aws\_auth) | n/a | `bool` | `true` | no |
 | <a name="input_map_roles"></a> [map\_roles](#input\_map\_roles) | Additional IAM roles to add to the aws-auth configmap. | <pre>list(object({<br>    rolearn  = string<br>    username = string<br>    groups   = list(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_metrics_exporter"></a> [metrics\_exporter](#input\_metrics\_exporter) | Metrics Exporter, can use cloudwatch or adot | `string` | `"adot"` | no |
@@ -286,7 +288,7 @@ worker_groups = {
 | <a name="input_scale_down_unneeded_time"></a> [scale\_down\_unneeded\_time](#input\_scale\_down\_unneeded\_time) | Scale down unneeded in minutes | `number` | `2` | no |
 | <a name="input_send_alb_logs_to_cloudwatch"></a> [send\_alb\_logs\_to\_cloudwatch](#input\_send\_alb\_logs\_to\_cloudwatch) | Whether send alb logs to CloudWatch or not. | `bool` | `true` | no |
 | <a name="input_users"></a> [users](#input\_users) | List of users to open eks cluster api access | `list(any)` | `[]` | no |
-| <a name="input_vpc"></a> [vpc](#input\_vpc) | VPC configuration for eks, we support both cases create new vpc(create field) and using already created one(link) | <pre>object({<br>    # for linking using existing vpc<br>    link = optional(object({<br>      id                 = string<br>      private_subnet_ids = list(string)<br>    }), { id = null, private_subnet_ids = null })<br>    # for creating new vpc<br>    create = optional(object({<br>      name                = string<br>      availability_zones  = list(string)<br>      cidr                = string<br>      private_subnets     = list(string)<br>      public_subnets      = list(string)<br>      public_subnet_tags  = optional(map(any), {})<br>      private_subnet_tags = optional(map(any), {})<br>    }), { name = null, availability_zones = null, cidr = null, private_subnets = null, public_subnets = null })<br>  })</pre> | n/a | yes |
+| <a name="input_vpc"></a> [vpc](#input\_vpc) | VPC configuration for eks, we support both cases create new vpc(create field) and using already created one(link) | <pre>object({<br>    # for linking using existing vpc<br>    link = optional(object({<br>      id                 = string<br>      private_subnet_ids = list(string) # please have the existing vpc public/private subnets(at least 2 needed) tagged with corresponding tags(look into create case subnet tags defaults)<br>    }), { id = null, private_subnet_ids = null })<br>    # for creating new vpc<br>    create = optional(object({<br>      name                = string<br>      availability_zones  = list(string)<br>      cidr                = string<br>      private_subnets     = list(string)<br>      public_subnets      = list(string)<br>      public_subnet_tags  = optional(map(any), {}) # to pass additional tags for public subnet or override default ones. The default ones are: {"kubernetes.io/cluster/${var.cluster_name}" = "shared","kubernetes.io/role/elb" = 1}<br>      private_subnet_tags = optional(map(any), {}) # to pass additional tags for public subnet or override default ones. The default ones are: {"kubernetes.io/cluster/${var.cluster_name}" = "shared","kubernetes.io/role/internal-elb" = 1}<br>    }), { name = null, availability_zones = null, cidr = null, private_subnets = null, public_subnets = null })<br>  })</pre> | n/a | yes |
 | <a name="input_weave_scope_config"></a> [weave\_scope\_config](#input\_weave\_scope\_config) | Weave scope namespace configuration variables | <pre>object({<br>    create_namespace        = bool<br>    namespace               = string<br>    annotations             = map(string)<br>    ingress_host            = string<br>    ingress_class           = string<br>    ingress_name            = string<br>    service_type            = string<br>    weave_helm_release_name = string<br>  })</pre> | <pre>{<br>  "annotations": {},<br>  "create_namespace": true,<br>  "ingress_class": "",<br>  "ingress_host": "",<br>  "ingress_name": "weave-ingress",<br>  "namespace": "meta-system",<br>  "service_type": "NodePort",<br>  "weave_helm_release_name": "weave"<br>}</pre> | no |
 | <a name="input_weave_scope_enabled"></a> [weave\_scope\_enabled](#input\_weave\_scope\_enabled) | Weather enable Weave Scope or not | `bool` | `false` | no |
 | <a name="input_worker_groups"></a> [worker\_groups](#input\_worker\_groups) | Worker groups. | `any` | `{}` | no |

tests/eks-with-adot/README.md → examples/basic/README.md

@@ -9,7 +9,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.67.0 |
 
 ## Modules
 

tests/eks-fluent-bit/README.md → examples/eks-fluent-bit/README.md

@@ -12,7 +12,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.41 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.67.0 |
 
 ## Modules
 

examples/external-dns-enabled/0-setup.tf

@@ -0,0 +1,23 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.41"
+    }
+  }
+
+  required_version = ">= 1.3.0"
+}
+
+/**
+ * set the following env vars so that aws provider will get authenticated before apply:
+
+ export AWS_ACCESS_KEY_ID=xxxxxxxxxxxxxxxxxxxxxxxx
+ export AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxx
+*/
+provider "aws" {
+  region = "eu-central-1"
+}
+
+data "aws_availability_zones" "available" {}
+data "aws_caller_identity" "current" {}

examples/external-dns-enabled/1-example.tf

@@ -0,0 +1,50 @@
+module "cluster_min" {
+  source = "../../"
+
+  cluster_name    = "test-eks-spot-instances"
+  cluster_version = "1.28"
+
+  vpc = {
+    create = {
+      name               = "test-eks-spot-instances"
+      cidr               = "10.16.0.0/16"
+      availability_zones = data.aws_availability_zones.available.names
+      private_subnets    = ["10.16.1.0/24", "10.16.2.0/24", "10.16.3.0/24"]
+      public_subnets     = ["10.16.4.0/24", "10.16.5.0/24", "10.16.6.0/24"]
+    }
+  }
+  account_id = data.aws_caller_identity.current.account_id
+
+  node_groups = {
+    example = {
+      max_capacity = 1
+      min_size     = 1
+      max_size     = 1
+      desired_size = 1
+    }
+  }
+
+  node_groups_default = {
+    instance_types = ["t3.large"]
+    capacity_type  = "SPOT"
+  }
+  // enable ebs-csi driver to be able to create pv/pvc
+  enable_ebs_driver = true
+  ebs_csi_version   = "v1.35.0-eksbuild.1"
+
+  external_dns = {
+    enabled = true
+    configs = { sources = ["service"] }
+  }
+
+  // disable some other features
+  alarms = {
+    enabled   = false
+    sns_topic = ""
+  }
+  fluent_bit_configs = {
+    enabled = false
+  }
+  metrics_exporter = "disabled"
+  autoscaling      = false
+}

examples/external-dns-enabled/README.md

@@ -0,0 +1,37 @@
+# spot-instance
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.41 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.67.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_cluster_min"></a> [cluster\_min](#module\_cluster\_min) | ../../ | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/README.md → examples/rbac-from-external-source/README.md

@@ -1,4 +1,4 @@
-# examples
+# rbac-from-external-source
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
@@ -15,7 +15,7 @@ No providers.
 |------|--------|---------|
 | <a name="module_bindings"></a> [bindings](#module\_bindings) | from some sorce that controlled by security specialist | n/a |
 | <a name="module_roles"></a> [roles](#module\_roles) | from some sorce that controlled by security specialist | n/a |
-| <a name="module_terraform-aws-eks"></a> [terraform-aws-eks](#module\_terraform-aws-eks) | ../terraform-aws-eks | n/a |
+| <a name="module_this"></a> [this](#module\_this) | ../../ | n/a |
 
 ## Resources
 

examples/rbac-from-external-source.tf → examples/rbac-from-external-source/main.tf

@@ -6,17 +6,25 @@ module "bindings" {
   source = "from some sorce that controlled by security specialist"
 }
 
-module "terraform-aws-eks" {
-  source             = "../terraform-aws-eks"
-  availability_zones = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
-  cidr               = "172.16.0.0/16"
-  cluster_name       = "my-cluster-sso"
-  private_subnets    = ["172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24"]
-  public_subnets     = ["172.16.4.0/24", "172.16.5.0/24", "172.16.6.0/24"]
+module "this" {
+  source = "../../"
+
+  cluster_name = "my-cluster-sso"
+
+  vpc = {
+    create = {
+      name               = "test-eks-spot-instances"
+      cidr               = "172.16.0.0/16"
+      availability_zones = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+      private_subnets    = ["172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24"]
+      public_subnets     = ["172.16.4.0/24", "172.16.5.0/24", "172.16.6.0/24"]
+    }
+  }
+
   users = [{
     username = "macos"
   }]
-  vpc_name        = "eks-vpc"
+
   enable_sso_rbac = true
 
   weave_scope_config = {
@@ -36,4 +44,9 @@ module "terraform-aws-eks" {
 
   roles    = module.roles
   bindings = module.bindings
+
+  alarms = {
+    enabled   = false
+    sns_topic = ""
+  }
 }

examples/rbac-from-locals/README.md

@@ -0,0 +1,29 @@
+# rbac-from-locals
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_this"></a> [this](#module\_this) | ../../ | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/rbac-from-locals.tf → examples/rbac-from-locals/main.tf

@@ -1,14 +1,21 @@
-module "terraform-aws-eks" {
-  source             = "../terraform-aws-eks"
-  availability_zones = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
-  cidr               = "172.16.0.0/16"
-  cluster_name       = "my-cluster-sso"
-  private_subnets    = ["172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24"]
-  public_subnets     = ["172.16.4.0/24", "172.16.5.0/24", "172.16.6.0/24"]
+module "this" {
+  source = "../../"
+
+  cluster_name = "eks-test-rbac-from-locals"
+
+  vpc = {
+    create = {
+      name               = "test-eks-spot-instances"
+      cidr               = "172.16.0.0/16"
+      availability_zones = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+      private_subnets    = ["172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24"]
+      public_subnets     = ["172.16.4.0/24", "172.16.5.0/24", "172.16.6.0/24"]
+    }
+  }
+
   users = [{
     username = "macos"
   }]
-  vpc_name        = "eks-vpc"
   enable_sso_rbac = true
 
   weave_scope_config = {
@@ -29,6 +36,10 @@ module "terraform-aws-eks" {
   roles    = local.roles
   bindings = local.bindings
 
+  alarms = {
+    enabled   = false
+    sns_topic = ""
+  }
 }
 
 locals {

examples/spot-instance-vpc-link/main.tf

@@ -40,4 +40,9 @@ module "this" {
   }
   node_groups         = local.node_groups
   node_groups_default = local.node_groups_default
+
+  alarms = {
+    enabled   = false
+    sns_topic = ""
+  }
 }

fluent-bit.tf

@@ -1,7 +1,7 @@
 module "fluent-bit" {
   source = "./modules/fluent-bit"
 
-  count = var.create ? 1 : 0
+  count = var.create && var.fluent_bit_configs.enabled ? 1 : 0
 
   account_id = local.account_id
   region     = local.region

main.tf

@@ -188,13 +188,25 @@ module "vpc" {
 
   count = try(var.vpc.create.name) != null ? 1 : 0
 
-  name                = var.vpc.create.name
-  availability_zones  = var.vpc.create.availability_zones
-  cidr                = var.vpc.create.cidr
-  private_subnets     = var.vpc.create.private_subnets
-  public_subnets      = var.vpc.create.public_subnets
-  public_subnet_tags  = var.vpc.create.public_subnet_tags
-  private_subnet_tags = var.vpc.create.private_subnet_tags
+  name               = var.vpc.create.name
+  availability_zones = var.vpc.create.availability_zones
+  cidr               = var.vpc.create.cidr
+  private_subnets    = var.vpc.create.private_subnets
+  public_subnets     = var.vpc.create.public_subnets
+  public_subnet_tags = merge(
+    {
+      "kubernetes.io/cluster/${var.cluster_name}" = "shared"
+      "kubernetes.io/role/elb"                    = 1
+    },
+    var.vpc.create.public_subnet_tags
+  )
+  private_subnet_tags = merge(
+    {
+      "kubernetes.io/cluster/${var.cluster_name}" = "shared"
+      "kubernetes.io/role/internal-elb"           = 1
+    },
+    var.vpc.create.private_subnet_tags
+  )
 }
 
 module "eks-cluster" {
@@ -362,3 +374,17 @@ module "portainer" {
   host           = var.portainer_config.host
   enable_ingress = var.portainer_config.enable_ingress
 }
+
+module "external-dns" {
+  count = var.create && var.external_dns.enabled ? 1 : 0
+
+  source            = "./modules/external-dns"
+  cluster_name      = var.cluster_name
+  oidc_provider_arn = module.eks-cluster[0].oidc_provider_arn
+  region            = local.region
+  configs           = var.external_dns.configs
+
+  depends_on = [
+    module.eks-cluster
+  ]
+}