From 173df2697dcdbf9e1085121608d75f6bdc3b3961 Mon Sep 17 00:00:00 2001 From: Edgar Costa Date: Fri, 9 Aug 2024 21:07:04 -0300 Subject: [PATCH] feat: Add Sagemaker, MemoryDB, Opensearch and ECR Controllers (#68) --- README.md | 42 +- examples/complete/README.md | 70 +-- examples/complete/main.tf | 4 + main.tf | 937 +++++++++++++++++++++++++----------- variables.tf | 64 +++ 5 files changed, 792 insertions(+), 325 deletions(-) diff --git a/README.md b/README.md index 497fbcb..8254c7c 100644 --- a/README.md +++ b/README.md @@ -18,6 +18,10 @@ module "eks_ack_addons" { ecrpublic_token = "" # Controllers to enable + enable_sagemaker = true + enable_memorydb = true + enable_opensearchservice = true + enable_ecr = true enable_sns = true enable_sqs = true enable_lambda = true @@ -72,6 +76,7 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | [apigatewayv2](#module\_apigatewayv2) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [dynamodb](#module\_dynamodb) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [ec2](#module\_ec2) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | +| [ecr](#module\_ecr) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [eks](#module\_eks) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [elasticache](#module\_elasticache) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [emrcontainers](#module\_emrcontainers) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | 
@@ -79,9 +84,12 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | [iam](#module\_iam) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [kms](#module\_kms) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [lambda](#module\_lambda) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | +| [memorydb](#module\_memorydb) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | +| [opensearchservice](#module\_opensearchservice) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [prometheusservice](#module\_prometheusservice) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [rds](#module\_rds) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [s3](#module\_s3) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | +| [sagemaker](#module\_sagemaker) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [sfn](#module\_sfn) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [sns](#module\_sns) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [sqs](#module\_sqs) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | 
@@ -90,20 +98,24 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | Name | Type | |------|------| -| [aws_iam_policy.acmpolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.ekspolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.acm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.emrcontainers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.iampolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.kmspolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.lambdapolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.sfnpasspolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.snspolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.sqspolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.iam](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| 
[aws_iam_policy.prometheusservice](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [time_sleep.this](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.acm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.emrcontainers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.lambda_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.sns_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.sqs_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.iam](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| 
[aws_iam_policy_document.prometheusservice](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | @@ -120,6 +132,7 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | [create\_kubernetes\_resources](#input\_create\_kubernetes\_resources) | Create Kubernetes resource with Helm or Kubernetes provider | `bool` | `true` | no | | [dynamodb](#input\_dynamodb) | ACK dynamodb Helm Chart config | `any` | `{}` | no | | [ec2](#input\_ec2) | ACK ec2 Helm Chart config | `any` | `{}` | no | +| [ecr](#input\_ecr) | ACK ECR Helm Chart config | `any` | `{}` | no | | [ecrpublic\_token](#input\_ecrpublic\_token) | Password decoded from the authorization token for accessing public ECR | `string` | `""` | no | | [ecrpublic\_username](#input\_ecrpublic\_username) | User name decoded from the authorization token for accessing public ECR | `string` | `""` | no | | [eks](#input\_eks) | ACK eks Helm Chart config | `any` | `{}` | no | 
@@ -129,6 +142,7 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | [enable\_apigatewayv2](#input\_enable\_apigatewayv2) | Enable ACK API gateway v2 add-on | `bool` | `false` | no | | [enable\_dynamodb](#input\_enable\_dynamodb) | Enable ACK dynamodb add-on | `bool` | `false` | no | | [enable\_ec2](#input\_enable\_ec2) | Enable ACK ec2 add-on | `bool` | `false` | no | +| [enable\_ecr](#input\_enable\_ecr) | Enable ACK ECR add-on | `bool` | `false` | no | | [enable\_eks](#input\_enable\_eks) | Enable ACK eks add-on | `bool` | `false` | no | | [enable\_elasticache](#input\_enable\_elasticache) | Enable ACK elasticache add-on | `bool` | `false` | no | | [enable\_emrcontainers](#input\_enable\_emrcontainers) | Enable ACK EMR container add-on | `bool` | `false` | no | 
@@ -136,9 +150,12 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | [enable\_iam](#input\_enable\_iam) | Enable ACK iam add-on | `bool` | `false` | no | | [enable\_kms](#input\_enable\_kms) | Enable ACK kms add-on | `bool` | `false` | no | | [enable\_lambda](#input\_enable\_lambda) | Enable ACK Lambda add-on | `bool` | `false` | no | +| [enable\_memorydb](#input\_enable\_memorydb) | Enable ACK MemoryDB add-on | `bool` | `false` | no | +| [enable\_opensearchservice](#input\_enable\_opensearchservice) | Enable ACK Opensearch Service add-on | `bool` | `false` | no | | [enable\_prometheusservice](#input\_enable\_prometheusservice) | Enable ACK prometheusservice add-on | `bool` | `false` | no | | [enable\_rds](#input\_enable\_rds) | Enable ACK rds add-on | `bool` | `false` | no | | [enable\_s3](#input\_enable\_s3) | Enable ACK s3 add-on | `bool` | `false` | no | +| [enable\_sagemaker](#input\_enable\_sagemaker) | Enable ACK Sagemaker add-on | `bool` | `false` | no | | [enable\_sfn](#input\_enable\_sfn) | Enable ACK step functions add-on | `bool` | `false` | no | | [enable\_sns](#input\_enable\_sns) | Enable ACK SNS add-on | `bool` | `false` | no | | [enable\_sqs](#input\_enable\_sqs) | Enable ACK SQS add-on | `bool` | `false` | no | 
@@ -146,10 +163,13 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | [iam](#input\_iam) | ACK iam Helm Chart config | `any` | `{}` | no | | [kms](#input\_kms) | ACK kms Helm Chart config | `any` | `{}` | no | | [lambda](#input\_lambda) | ACK Lambda Helm Chart config | `any` | `{}` | no | +| [memorydb](#input\_memorydb) | ACK MemoryDB Helm Chart config | `any` | `{}` | no | | [oidc\_provider\_arn](#input\_oidc\_provider\_arn) | The ARN of the cluster OIDC Provider | `string` | n/a | yes | +| [opensearchservice](#input\_opensearchservice) | ACK Opensearch Service Helm Chart config | `any` | `{}` | no | | [prometheusservice](#input\_prometheusservice) | ACK prometheusservice Helm Chart config | `any` | `{}` | no | | [rds](#input\_rds) | ACK rds Helm Chart config | `any` | `{}` | no | | [s3](#input\_s3) | ACK s3 Helm Chart config | `any` | `{}` | no | +| [sagemaker](#input\_sagemaker) | ACK Sagemaker Helm Chart config | `any` | `{}` | no | | [sfn](#input\_sfn) | ACK step functions Helm Chart config | `any` | `{}` | no | | [sns](#input\_sns) | ACK SNS Helm Chart config | `any` | `{}` | no | | [sqs](#input\_sqs) | ACK SQS Helm Chart config | `any` | `{}` | no | diff --git a/examples/complete/README.md b/examples/complete/README.md index f03dda3..b288436 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md @@ -6,6 +6,7 @@ Configuration in this directory creates an AWS EKS cluster with the following AC - Amazon ApiGatewayV2 Controller - Amazon DynamoDB Controller - Amazon EC2 Controller +- Amazon ECR Controller - Amazon EKS Controller - Amazon ElastiCache Controller - Amazon EMR Containers Controller 
@@ -13,9 +14,12 @@ Configuration in this directory creates an AWS EKS cluster with the following AC - Amazon IAM Controller - Amazon KMS Controller - AWS Lambda Controller +- Amazon MemoryDB Controller +- Amazon OpenSearch Service Controller - Amazon Prometheus Service Controller - Amazon RDS Controller - Amazon S3 Controller +- Amazon SageMaker Controller - AWS SFN Controller - Amazon SNS Controller - Amazon SQS Controller 
@@ -59,37 +63,41 @@ aws eks --region update-kubeconfig --name kubectl get pods -A NAMESPACE NAME READY STATUS RESTARTS AGE -ack-system ack-acm-5ffccbd5d5-62kx9 1/1 Running 0 11m -ack-system ack-apigatewayv2-cf6cd9d67-vxhsk 1/1 Running 0 11m -ack-system ack-dynamodb-bd47f88b7-7jbgw 1/1 Running 0 10m -ack-system ack-ec2-54dfcf968-pdbs2 1/1 Running 0 10m -ack-system ack-eks-9cb44fc-95k6x 1/1 Running 0 11m -ack-system ack-elasticache-5758ff66bd-6vbgc 1/1 Running 0 11m -ack-system ack-emrcontainers-69ffb54758-78ksb 1/1 Running 0 11m -ack-system ack-eventbridge-58c7d4c8f5-vvfz5 1/1 Running 0 11m -ack-system ack-iam-7486c996c8-kbb2h 1/1 Running 0 11m -ack-system ack-kms-bb956b4fc-x69lv 1/1 Running 0 11m -ack-system ack-lambda-65bd7fbc8d-6jn8k 1/1 Running 0 11m -ack-system ack-prometheusservice-5bccddc6f-7tkl5 1/1 Running 0 11m -ack-system ack-rds-57499b447d-pg9tq 1/1 Running 0 10m -ack-system ack-s3-78b44bf586-b8qnj 1/1 Running 0 11m -ack-system ack-sfn-7494cbccf-vx6g7 1/1 Running 0 10m -ack-system ack-sns-56bb579874-h26s5 1/1 Running 0 11m -ack-system ack-sqs-5f7bc84d45-47zw4 1/1 Running 0 11m -kube-system aws-load-balancer-controller-84b5bf9c5f-45fkt 1/1 Running 0 10m -kube-system aws-load-balancer-controller-84b5bf9c5f-vtwj4 1/1 Running 0 10m -kube-system aws-node-btph9 2/2 Running 0 10m -kube-system aws-node-dqh67 2/2 Running 0 10m -kube-system aws-node-kt5mp 2/2 Running 0 10m -kube-system coredns-787cb67946-hlqfm 1/1 Running 0 14m -kube-system coredns-787cb67946-q8lzj 1/1 Running 0 14m -kube-system eks-pod-identity-agent-lhj4d 1/1 Running 0 10m -kube-system eks-pod-identity-agent-vvf46 1/1 Running 0 10m -kube-system eks-pod-identity-agent-zw2qv 1/1 Running 0 10m -kube-system kube-proxy-27k5q 1/1 Running 0 10m -kube-system kube-proxy-6q78s 1/1 Running 0 10m -kube-system kube-proxy-x5hhm 1/1 Running 0 10m -kube-system metrics-server-7577444cf8-9l7h8 1/1 Running 0 12m +ack-system ack-acm-5ffccbd5d5-6ns6v 1/1 Running 0 60s +ack-system ack-apigatewayv2-cf6cd9d67-gfw5k 1/1 
Running 0 60s +ack-system ack-dynamodb-bd47f88b7-4smb5 1/1 Running 0 60s +ack-system ack-ec2-54dfcf968-2vvcf 1/1 Running 0 60s +ack-system ack-ecr-5b4699f87b-n5bfp 1/1 Running 0 60s +ack-system ack-eks-9cb44fc-vgsvf 1/1 Running 0 59s +ack-system ack-elasticache-5758ff66bd-fn7cv 1/1 Running 0 59s +ack-system ack-emrcontainers-69ffb54758-s4d25 1/1 Running 0 59s +ack-system ack-eventbridge-58c7d4c8f5-hzc7m 1/1 Running 0 59s +ack-system ack-iam-7486c996c8-qmmd6 1/1 Running 0 58s +ack-system ack-kms-bb956b4fc-vtn7x 1/1 Running 0 58s +ack-system ack-lambda-65bd7fbc8d-lql8x 1/1 Running 0 58s +ack-system ack-memorydb-76c988f6dd-zxprv 1/1 Running 0 58s +ack-system ack-opensearchservice-7fd9d8c866-xzqfh 1/1 Running 0 57s +ack-system ack-prometheusservice-5bccddc6f-clnz9 1/1 Running 0 57s +ack-system ack-rds-57499b447d-qqf7w 1/1 Running 0 57s +ack-system ack-s3-78b44bf586-4f25v 1/1 Running 0 57s +ack-system ack-sagemaker-74f65d4cb9-9r74h 1/1 Running 0 57s +ack-system ack-sfn-7494cbccf-mwq7z 1/1 Running 0 56s +ack-system ack-sns-56bb579874-hk78c 1/1 Running 0 56s +ack-system ack-sqs-5f7bc84d45-jtd5b 1/1 Running 0 56s +kube-system aws-load-balancer-controller-84b5bf9c5f-4dm9s 1/1 Running 0 34m +kube-system aws-load-balancer-controller-84b5bf9c5f-62km5 1/1 Running 0 34m +kube-system aws-node-2pfp8 2/2 Running 0 32m +kube-system aws-node-c6mdg 2/2 Running 0 32m +kube-system aws-node-d8m55 2/2 Running 0 32m +kube-system coredns-787cb67946-8psqv 1/1 Running 0 38m +kube-system coredns-787cb67946-nvtnt 1/1 Running 0 38m +kube-system eks-pod-identity-agent-2lw9f 1/1 Running 0 33m +kube-system eks-pod-identity-agent-dhdxs 1/1 Running 0 33m +kube-system eks-pod-identity-agent-zt7gz 1/1 Running 0 33m +kube-system kube-proxy-2xjzt 1/1 Running 0 33m +kube-system kube-proxy-h27hw 1/1 Running 0 34m +kube-system kube-proxy-kd57b 1/1 Running 0 33m +kube-system metrics-server-7577444cf8-7f95q 1/1 Running 0 35m ``` ## Sample Application Deployment 
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 4b09b4d..7016b85 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -131,6 +131,10 @@ module "eks_ack_addons" {
 ecrpublic_token = data.aws_ecrpublic_authorization_token.token.password
 # Controllers to enable
+ enable_sagemaker = true
+ enable_memorydb = true
+ enable_opensearchservice = true
+ enable_ecr = true
 enable_sns = true
 enable_sqs = true
 enable_lambda = true
diff --git a/main.tf b/main.tf
index 7917db2..98da80e 100644
--- a/main.tf
+++ b/main.tf
@@ -1,5 +1,6 @@
 data "aws_partition" "current" {}
 data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
 # This resource is used to provide a means of mapping an implicit dependency
 # between the cluster and the addons.
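Review bot: `data "aws_caller_identity" "current" {}` is declared here but none of the main.tf hunks visible in this chunk reference it; the four new controller modules build their policy ARNs from `local.iam_role_policy_prefix` alone. If a hunk outside this chunk uses it (for example to scope a policy document to the account), a short comment on the declaration naming that use would make the dependency obvious; otherwise it is a dead data source that adds an STS call to every plan and should be dropped. The diffstat shows more of main.tf changed than is shown here, so this may already be resolved further down.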
@@ -32,6 +33,395 @@ locals {
 repository_password = var.create_kubernetes_resources ? var.ecrpublic_token : ""
 }
+################################################################################
+# SageMaker
+################################################################################
+
+locals {
+ sagemaker_name = "ack-sagemaker"
+}
+
+module "sagemaker" {
+ source = "aws-ia/eks-blueprints-addon/aws"
+ version = "1.1.1"
+
+ create = var.enable_sagemaker
+
+ # Disable helm release
+ create_release = var.create_kubernetes_resources
+
+ # public.ecr.aws/aws-controllers-k8s/sagemaker-chart:1.2.12
+ name = try(var.sagemaker.name, local.sagemaker_name)
+ description = try(var.sagemaker.description, "Helm Chart for Sagemaker controller for ACK")
+ namespace = try(var.sagemaker.namespace, "ack-system")
+ create_namespace = try(var.sagemaker.create_namespace, true)
+ chart = "sagemaker-chart"
+ chart_version = try(var.sagemaker.chart_version, "1.2.12")
+ repository = try(var.sagemaker.repository, "oci://public.ecr.aws/aws-controllers-k8s")
+ values = try(var.sagemaker.values, [])
+
+ timeout = try(var.sagemaker.timeout, null)
+ repository_key_file = try(var.sagemaker.repository_key_file, null)
+ repository_cert_file = try(var.sagemaker.repository_cert_file, null)
+ repository_ca_file = try(var.sagemaker.repository_ca_file, null)
+ repository_username = try(var.sagemaker.repository_username, local.repository_username)
+ repository_password = try(var.sagemaker.repository_password, local.repository_password)
+ devel = try(var.sagemaker.devel, null)
+ verify = try(var.sagemaker.verify, null)
+ keyring = try(var.sagemaker.keyring, null)
+ disable_webhooks = try(var.sagemaker.disable_webhooks, null)
+ reuse_values = try(var.sagemaker.reuse_values, null)
+ reset_values = try(var.sagemaker.reset_values, null)
+ force_update = try(var.sagemaker.force_update, null)
+ recreate_pods = try(var.sagemaker.recreate_pods, null)
+ cleanup_on_fail = try(var.sagemaker.cleanup_on_fail, null)
+ max_history = try(var.sagemaker.max_history, null)
+ atomic = try(var.sagemaker.atomic, null)
+ skip_crds = try(var.sagemaker.skip_crds, null)
+ render_subchart_notes = try(var.sagemaker.render_subchart_notes, null)
+ disable_openapi_validation = try(var.sagemaker.disable_openapi_validation, null)
+ wait = try(var.sagemaker.wait, false)
+ wait_for_jobs = try(var.sagemaker.wait_for_jobs, null)
+ dependency_update = try(var.sagemaker.dependency_update, null)
+ replace = try(var.sagemaker.replace, null)
+ lint = try(var.sagemaker.lint, null)
+
+ postrender = try(var.sagemaker.postrender, [])
+
+ set = concat([
+ {
+ # shortens pod name from `ack-sagemaker-sagemaker-chart-xxxxxxxxxxxxx` to `ack-sagemaker-xxxxxxxxxxxxx`
+ name = "nameOverride"
+ value = "ack-sagemaker"
+ },
+ {
+ name = "aws.region"
+ value = local.region
+ },
+ {
+ name = "serviceAccount.name"
+ value = local.sagemaker_name
+ }],
+ try(var.sagemaker.set, [])
+ )
+ set_sensitive = try(var.sagemaker.set_sensitive, [])
+
+ # IAM role for service account (IRSA)
+ set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"]
+ create_role = try(var.sagemaker.create_role, true)
+ role_name = try(var.sagemaker.role_name, "ack-sagemaker")
+ role_name_use_prefix = try(var.sagemaker.role_name_use_prefix, true)
+ role_path = try(var.sagemaker.role_path, "/")
+ role_permissions_boundary_arn = lookup(var.sagemaker, "role_permissions_boundary_arn", null)
+ role_description = try(var.sagemaker.role_description, "IRSA for Sagemaker controller for ACK")
+ role_policies = lookup(var.sagemaker, "role_policies", {
+ AmazonSageMakerFullAccess = "${local.iam_role_policy_prefix}/AmazonSageMakerFullAccess"
+ })
+
+ create_policy = try(var.sagemaker.create_policy, false)
+
+ oidc_providers = {
+ this = {
+ provider_arn = local.oidc_provider_arn
+ # namespace is inherited from chart
+ service_account = local.sagemaker_name
+ }
+ }
+
+ tags = var.tags
+}
+
+################################################################################
+# MemoryDB
+################################################################################
+
+locals {
+ memorydb_name = "ack-memorydb"
+}
+
+module "memorydb" {
+ source = "aws-ia/eks-blueprints-addon/aws"
+ version = "1.1.1"
+
+ create = var.enable_memorydb
+
+ # Disable helm release
+ create_release = var.create_kubernetes_resources
+
+ # public.ecr.aws/aws-controllers-k8s/memorydb-chart:1.0.4
+ name = try(var.memorydb.name, local.memorydb_name)
+ description = try(var.memorydb.description, "Helm Chart for MemoryDB controller for ACK")
+ namespace = try(var.memorydb.namespace, "ack-system")
+ create_namespace = try(var.memorydb.create_namespace, true)
+ chart = "memorydb-chart"
+ chart_version = try(var.memorydb.chart_version, "1.0.4")
+ repository = try(var.memorydb.repository, "oci://public.ecr.aws/aws-controllers-k8s")
+ values = try(var.memorydb.values, [])
+
+ timeout = try(var.memorydb.timeout, null)
+ repository_key_file = try(var.memorydb.repository_key_file, null)
+ repository_cert_file = try(var.memorydb.repository_cert_file, null)
+ repository_ca_file = try(var.memorydb.repository_ca_file, null)
+ repository_username = try(var.memorydb.repository_username, local.repository_username)
+ repository_password = try(var.memorydb.repository_password, local.repository_password)
+ devel = try(var.memorydb.devel, null)
+ verify = try(var.memorydb.verify, null)
+ keyring = try(var.memorydb.keyring, null)
+ disable_webhooks = try(var.memorydb.disable_webhooks, null)
+ reuse_values = try(var.memorydb.reuse_values, null)
+ reset_values = try(var.memorydb.reset_values, null)
+ force_update = try(var.memorydb.force_update, null)
+ recreate_pods = try(var.memorydb.recreate_pods, null)
+ cleanup_on_fail = try(var.memorydb.cleanup_on_fail, null)
+ max_history = try(var.memorydb.max_history, null)
+ atomic = try(var.memorydb.atomic, null)
+ skip_crds = try(var.memorydb.skip_crds, null)
+ render_subchart_notes = try(var.memorydb.render_subchart_notes, null)
+ disable_openapi_validation = try(var.memorydb.disable_openapi_validation, null)
+ wait = try(var.memorydb.wait, false)
+ wait_for_jobs = try(var.memorydb.wait_for_jobs, null)
+ dependency_update = try(var.memorydb.dependency_update, null)
+ replace = try(var.memorydb.replace, null)
+ lint = try(var.memorydb.lint, null)
+
+ postrender = try(var.memorydb.postrender, [])
+
+ set = concat([
+ {
+ # shortens pod name from `ack-memorydb-memorydb-chart-xxxxxxxxxxxxx` to `ack-memorydb-xxxxxxxxxxxxx`
+ name = "nameOverride"
+ value = "ack-memorydb"
+ },
+ {
+ name = "aws.region"
+ value = local.region
+ },
+ {
+ name = "serviceAccount.name"
+ value = local.memorydb_name
+ }],
+ try(var.memorydb.set, [])
+ )
+ set_sensitive = try(var.memorydb.set_sensitive, [])
+
+ # IAM role for service account (IRSA)
+ set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"]
+ create_role = try(var.memorydb.create_role, true)
+ role_name = try(var.memorydb.role_name, "ack-memorydb")
+ role_name_use_prefix = try(var.memorydb.role_name_use_prefix, true)
+ role_path = try(var.memorydb.role_path, "/")
+ role_permissions_boundary_arn = lookup(var.memorydb, "role_permissions_boundary_arn", null)
+ role_description = try(var.memorydb.role_description, "IRSA for MemoryDB controller for ACK")
+ role_policies = lookup(var.memorydb, "role_policies", {
+ AmazonMemoryDBFullAccess = "${local.iam_role_policy_prefix}/AmazonMemoryDBFullAccess"
+ })
+ create_policy = try(var.memorydb.create_policy, false)
+
+ oidc_providers = {
+ this = {
+ provider_arn = local.oidc_provider_arn
+ # namespace is inherited from chart
+ service_account = local.memorydb_name
+ }
+ }
+
+ tags = var.tags
+}
+
+################################################################################
+# OpenSearch Service
+################################################################################
+
+locals {
+ opensearchservice_name = "ack-opensearchservice"
+}
+
+module "opensearchservice" {
+ source = "aws-ia/eks-blueprints-addon/aws"
+ version = "1.1.1"
+
+ create = var.enable_opensearchservice
+
+ # Disable helm release
+ create_release = var.create_kubernetes_resources
+
+ # public.ecr.aws/aws-controllers-k8s/opensearchservice-chart:0.0.27
+ name = try(var.opensearchservice.name, local.opensearchservice_name)
+ description = try(var.opensearchservice.description, "Helm Chart for Opensearch Service controller for ACK")
+ namespace = try(var.opensearchservice.namespace, "ack-system")
+ create_namespace = try(var.opensearchservice.create_namespace, true)
+ chart = "opensearchservice-chart"
+ chart_version = try(var.opensearchservice.chart_version, "0.0.27")
+ repository = try(var.opensearchservice.repository, "oci://public.ecr.aws/aws-controllers-k8s")
+ values = try(var.opensearchservice.values, [])
+
+ timeout = try(var.opensearchservice.timeout, null)
+ repository_key_file = try(var.opensearchservice.repository_key_file, null)
+ repository_cert_file = try(var.opensearchservice.repository_cert_file, null)
+ repository_ca_file = try(var.opensearchservice.repository_ca_file, null)
+ repository_username = try(var.opensearchservice.repository_username, local.repository_username)
+ repository_password = try(var.opensearchservice.repository_password, local.repository_password)
+ devel = try(var.opensearchservice.devel, null)
+ verify = try(var.opensearchservice.verify, null)
+ keyring = try(var.opensearchservice.keyring, null)
+ disable_webhooks = try(var.opensearchservice.disable_webhooks, null)
+ reuse_values = try(var.opensearchservice.reuse_values, null)
+ reset_values = try(var.opensearchservice.reset_values, null)
+ force_update = try(var.opensearchservice.force_update, null)
+ recreate_pods = try(var.opensearchservice.recreate_pods, null)
+ cleanup_on_fail = try(var.opensearchservice.cleanup_on_fail, null)
+ max_history = try(var.opensearchservice.max_history, null)
+ atomic = try(var.opensearchservice.atomic, null)
+ skip_crds = try(var.opensearchservice.skip_crds, null)
+ render_subchart_notes = try(var.opensearchservice.render_subchart_notes, null)
+ disable_openapi_validation = try(var.opensearchservice.disable_openapi_validation, null)
+ wait = try(var.opensearchservice.wait, false)
+ wait_for_jobs = try(var.opensearchservice.wait_for_jobs, null)
+ dependency_update = try(var.opensearchservice.dependency_update, null)
+ replace = try(var.opensearchservice.replace, null)
+ lint = try(var.opensearchservice.lint, null)
+
+ postrender = try(var.opensearchservice.postrender, [])
+
+ set = concat([
+ {
+ # shortens pod name from `ack-opensearchservice-opensearchservice-chart-xxxxxxxxxxxxx` to `ack-opensearchservice-xxxxxxxxxxxxx`
+ name = "nameOverride"
+ value = "ack-opensearchservice"
+ },
+ {
+ name = "aws.region"
+ value = local.region
+ },
+ {
+ name = "serviceAccount.name"
+ value = local.opensearchservice_name
+ }],
+ try(var.opensearchservice.set, [])
+ )
+ set_sensitive = try(var.opensearchservice.set_sensitive, [])
+
+ # IAM role for service account (IRSA)
+ set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"]
+ create_role = try(var.opensearchservice.create_role, true)
+ role_name = try(var.opensearchservice.role_name, "ack-opensearchservice")
+ role_name_use_prefix = try(var.opensearchservice.role_name_use_prefix, true)
+ role_path = try(var.opensearchservice.role_path, "/")
+ role_permissions_boundary_arn = lookup(var.opensearchservice, "role_permissions_boundary_arn", null)
+ role_description = try(var.opensearchservice.role_description, "IRSA for Opensearch Service controller for ACK")
+ role_policies = lookup(var.opensearchservice, "role_policies", {
+ AmazonOpenSearchServiceFullAccess = "${local.iam_role_policy_prefix}/AmazonOpenSearchServiceFullAccess"
+ })
+ create_policy = try(var.opensearchservice.create_policy, false)
+
+ oidc_providers = {
+ this = {
+ provider_arn = local.oidc_provider_arn
+ # namespace is inherited from chart
+ service_account = local.opensearchservice_name
+ }
+ }
+
+ tags = var.tags
+}
+
+################################################################################
+# ECR
+################################################################################
+
+locals {
+ ecr_name = "ack-ecr"
+}
+
+module "ecr" {
+ source = "aws-ia/eks-blueprints-addon/aws"
+ version = "1.1.1"
+
+ create = var.enable_ecr
+
+ # Disable helm release
+ create_release = var.create_kubernetes_resources
+
+ # public.ecr.aws/aws-controllers-k8s/ecr-chart:1.0.17
+ name = try(var.ecr.name, local.ecr_name)
+ description = try(var.ecr.description, "Helm Chart for ECR controller for ACK")
+ namespace = try(var.ecr.namespace, "ack-system")
+ create_namespace = try(var.ecr.create_namespace, true)
+ chart = "ecr-chart"
+ chart_version = try(var.ecr.chart_version, "1.0.17")
+ repository = try(var.ecr.repository, "oci://public.ecr.aws/aws-controllers-k8s")
+ values = try(var.ecr.values, [])
+
+ timeout = try(var.ecr.timeout, null)
+ repository_key_file = try(var.ecr.repository_key_file, null)
+ repository_cert_file = try(var.ecr.repository_cert_file, null)
+ repository_ca_file = try(var.ecr.repository_ca_file, null)
+ repository_username = try(var.ecr.repository_username, local.repository_username)
+ repository_password = try(var.ecr.repository_password, local.repository_password)
+ devel = try(var.ecr.devel, null)
+ verify = try(var.ecr.verify, null)
+ keyring = try(var.ecr.keyring, null)
+ disable_webhooks = try(var.ecr.disable_webhooks, null)
+ reuse_values = try(var.ecr.reuse_values, null)
+ reset_values = try(var.ecr.reset_values, null)
+ force_update = try(var.ecr.force_update, null)
+ recreate_pods = try(var.ecr.recreate_pods, null)
+ cleanup_on_fail = try(var.ecr.cleanup_on_fail, null)
+ max_history = try(var.ecr.max_history, null)
+ atomic = try(var.ecr.atomic, null)
+ skip_crds = try(var.ecr.skip_crds, null)
+ render_subchart_notes = try(var.ecr.render_subchart_notes, null)
+ disable_openapi_validation = try(var.ecr.disable_openapi_validation, null)
+ wait = try(var.ecr.wait, false)
+ wait_for_jobs = try(var.ecr.wait_for_jobs, null)
+ dependency_update = try(var.ecr.dependency_update, null)
+ replace = try(var.ecr.replace, null)
+ lint = try(var.ecr.lint, null)
+
+ postrender = try(var.ecr.postrender, [])
+
+ set = concat([
+ {
+ # shortens pod name from `ack-ecr-ecr-chart-xxxxxxxxxxxxx` to `ack-ecr-xxxxxxxxxxxxx`
+ name = "nameOverride"
+ value = "ack-ecr"
+ },
+ {
+ name = "aws.region"
+ value = local.region
+ },
+ {
+ name = "serviceAccount.name"
+ value = local.ecr_name
+ }],
+ try(var.ecr.set, [])
+ )
+ set_sensitive = try(var.ecr.set_sensitive, [])
+
+ # IAM role for service account (IRSA)
+ set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"]
+ create_role = try(var.ecr.create_role, true)
+ role_name = try(var.ecr.role_name, "ack-ecr")
+ role_name_use_prefix = try(var.ecr.role_name_use_prefix, true)
+ role_path = try(var.ecr.role_path, "/")
+ role_permissions_boundary_arn = lookup(var.ecr, "role_permissions_boundary_arn", null)
+ role_description = try(var.ecr.role_description, "IRSA for ECR controller for ACK")
+ role_policies = lookup(var.ecr, "role_policies", {
+ AmazonEC2ContainerRegistryFullAccess = "${local.iam_role_policy_prefix}/AmazonEC2ContainerRegistryFullAccess"
+ })
+ create_policy = try(var.ecr.create_policy, false)
+
+ oidc_providers = {
+ this = {
+ provider_arn = local.oidc_provider_arn
+ # namespace is inherited from chart
+ service_account = local.ecr_name
+ }
+ }
+
+ tags = var.tags
+}
+
 ################################################################################
 # SNS
 ################################################################################
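Review bot: Every new controller in this hunk defaults `role_policies` to an AWS managed `*FullAccess` policy with `create_policy = false`, so enabling `enable_sagemaker` alone yields an IRSA role holding AmazonSageMakerFullAccess, which as published reaches well beyond the `sagemaker:` namespace (S3, ECR and Lambda actions and `iam:PassRole` to SageMaker, among others); the MemoryDB, OpenSearch Service and ECR blocks follow the same pattern. These look like the ACK controllers' own recommended-policy-arn values, which is a defensible default, but nothing in the hunk says so, and an operator has no hint that `var.<controller>.role_policies` is the override point. Add above each `role_policies = lookup(...)` a line such as `# Default is the ACK recommended policy (config/iam/recommended-policy-arn in the controller repo); override role_policies with a scoped policy for production`, and mention the same in the README rows for the four new inputs. Minor style points: the copied `# Disable helm release` comment above `create_release = var.create_kubernetes_resources` describes the opposite of what the line does when the variable is true, and only the SageMaker block separates `})` from `create_policy` with a blank line.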
@@ -49,13 +439,13 @@ module "sns" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/sns-chart:1.0.11 + # public.ecr.aws/aws-controllers-k8s/sns-chart:1.0.12 name = try(var.sns.name, local.sns_name) description = try(var.sns.description, "Helm Chart for SNS controller for ACK") namespace = try(var.sns.namespace, "ack-system") create_namespace = try(var.sns.create_namespace, true) chart = "sns-chart" - chart_version = try(var.sns.chart_version, "1.0.11") + chart_version = try(var.sns.chart_version, "1.0.12") repository = try(var.sns.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.sns.values, []) @@ -114,7 +504,7 @@ module "sns" { role_permissions_boundary_arn = lookup(var.sns, "role_permissions_boundary_arn", null) role_description = try(var.sns.role_description, "IRSA for SNS controller for ACK") role_policies = lookup(var.sns, "role_policies", { - policy = var.enable_sns ? aws_iam_policy.snspolicy[0].arn : null + AmazonSNSFullAccess = "${local.iam_role_policy_prefix}/AmazonSNSFullAccess" }) create_policy = try(var.sns.create_policy, false) @@ -129,29 +519,6 @@ module "sns" { tags = var.tags } -# recommended iam-controller policy https://github.com/aws-controllers-k8s/sns-controller/blob/main/config/iam/recommended-policy-arn -data "aws_iam_policy_document" "sns_controller" { - count = var.enable_sns ? 1 : 0 - - statement { - effect = "Allow" - actions = [ - "sns:*" - ] - resources = ["*"] - } -} - -resource "aws_iam_policy" "snspolicy" { - count = var.enable_sns ? 1 : 0 - - name = "SNSController" - description = "IAM policy for SNS Controller" - policy = data.aws_iam_policy_document.sns_controller[0].json - - tags = var.tags -} - ################################################################################ # SQS ################################################################################ 
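Review bot: The new `role_policies` default attaches the AWS-managed `AmazonSNSFullAccess` policy, which, exactly like the deleted `sns:*` on `*` document it replaces, gives the controller's IRSA role unrestricted SNS rights across the whole account, not just over resources the cluster created. That is the ACK-recommended policy so the default is defensible, but nothing in the module text tells an operator that least privilege means supplying their own `role_policies` map; I would add above that line: `# Default is the ACK-recommended managed policy (full SNS access); pass role_policies to scope it down.` Note also that removing `aws_iam_policy.snspolicy` makes Terraform destroy the existing `SNSController` customer-managed policy on upgrade, so the swap should be called out in release notes for anyone who attached it elsewhere.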
@@ -169,13 +536,13 @@ module "sqs" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/sqs-chart:1.0.14 + # public.ecr.aws/aws-controllers-k8s/sqs-chart:1.0.15 name = try(var.sqs.name, local.sqs_name) description = try(var.sqs.description, "Helm Chart for SQS controller for ACK") namespace = try(var.sqs.namespace, "ack-system") create_namespace = try(var.sqs.create_namespace, true) chart = "sqs-chart" - chart_version = try(var.sqs.chart_version, "1.0.14") + chart_version = try(var.sqs.chart_version, "1.0.15") repository = try(var.sqs.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.sqs.values, []) @@ -234,7 +601,7 @@ module "sqs" { role_permissions_boundary_arn = lookup(var.sqs, "role_permissions_boundary_arn", null) role_description = try(var.sqs.role_description, "IRSA for SQS controller for ACK") role_policies = lookup(var.sqs, "role_policies", { - policy = var.enable_sqs ? aws_iam_policy.sqspolicy[0].arn : null + AmazonSQSFullAccess = "${local.iam_role_policy_prefix}/AmazonSQSFullAccess" }) create_policy = try(var.sqs.create_policy, false) @@ -249,29 +616,6 @@ module "sqs" { tags = var.tags } -# recommended iam-controller policy https://github.com/aws-controllers-k8s/sqs-controller/blob/main/config/iam/recommended-policy-arn -data "aws_iam_policy_document" "sqs_controller" { - count = var.enable_sqs ? 1 : 0 - - statement { - effect = "Allow" - actions = [ - "sqs:*" - ] - resources = ["*"] - } -} - -resource "aws_iam_policy" "sqspolicy" { - count = var.enable_sqs ? 1 : 0 - - name = "SQSController" - description = "IAM policy for SQS Controller" - policy = data.aws_iam_policy_document.sqs_controller[0].json - - tags = var.tags -} - ################################################################################ # Lambda ################################################################################ 
@@ -354,7 +698,7 @@ module "lambda" { role_permissions_boundary_arn = lookup(var.lambda, "role_permissions_boundary_arn", null) role_description = try(var.lambda.role_description, "IRSA for Lambda controller for ACK") role_policies = lookup(var.lambda, "role_policies", { - policy = var.enable_lambda ? aws_iam_policy.lambdapolicy[0].arn : null + policy = var.enable_lambda ? aws_iam_policy.lambda[0].arn : null }) create_policy = try(var.lambda.create_policy, false) @@ -369,8 +713,8 @@ module "lambda" { tags = var.tags } -# recommended iam-controller policy https://github.com/aws-controllers-k8s/lambda-controller/blob/main/config/iam/recommended-inline-policy -data "aws_iam_policy_document" "lambda_controller" { +# recommended lambda-controller policy https://github.com/aws-controllers-k8s/lambda-controller/blob/main/config/iam/recommended-inline-policy +data "aws_iam_policy_document" "lambda" { count = var.enable_lambda ? 1 : 0 statement { @@ -399,12 +743,12 @@ data "aws_iam_policy_document" "lambda_controller" { } } -resource "aws_iam_policy" "lambdapolicy" { +resource "aws_iam_policy" "lambda" { count = var.enable_lambda ? 1 : 0 name = "LambdaController" description = "IAM policy for Lambda Controller" - policy = data.aws_iam_policy_document.lambda_controller[0].json + policy = data.aws_iam_policy_document.lambda[0].json tags = var.tags } 
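Review bot: Renaming `aws_iam_policy.lambdapolicy` to `aws_iam_policy.lambda` (and the matching data source) without a state move will plan a destroy of the old address and a create of the new one, and since the policy keeps the fixed `name = "LambdaController"` that means either a transient loss of the controller's permissions during apply or an EntityAlreadyExists collision depending on ordering. If the module's required Terraform version allows it, add `moved { from = aws_iam_policy.lambdapolicy to = aws_iam_policy.lambda }` next to the resource so existing state migrates in place; the same applies to the other `*policy` → short-name renames in this patch. The body of `data "aws_iam_policy_document" "lambda"` continues outside the hunk.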
@@ -426,13 +770,13 @@ module "iam" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/iam-chart:1.3.10 + # public.ecr.aws/aws-controllers-k8s/iam-chart:1.3.11 name = try(var.iam.name, local.iam_name) description = try(var.iam.description, "Helm Chart for iam controller for ACK") namespace = try(var.iam.namespace, "ack-system") create_namespace = try(var.iam.create_namespace, true) chart = "iam-chart" - chart_version = try(var.iam.chart_version, "1.3.10") + chart_version = try(var.iam.chart_version, "1.3.11") repository = try(var.iam.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.iam.values, []) @@ -492,7 +836,7 @@ module "iam" { role_permissions_boundary_arn = lookup(var.iam, "role_permissions_boundary_arn", null) role_description = try(var.iam.role_description, "IRSA for iam controller for ACK") role_policies = lookup(var.iam, "role_policies", { - AWSIamPolicy = var.enable_iam ? aws_iam_policy.iampolicy[0].arn : null + policy = var.enable_iam ? aws_iam_policy.iam[0].arn : null }) create_policy = try(var.iam.create_policy, false) 
@@ -508,87 +852,84 @@ module "iam" { } # recommended iam-controller policy https://github.com/aws-controllers-k8s/iam-controller/blob/main/config/iam/recommended-inline-policy -resource "aws_iam_policy" "iampolicy" { +data "aws_iam_policy_document" "iam" { count = var.enable_iam ? 1 : 0 - name_prefix = format("%s-%s", local.iam_name, "controller-iam-policies") - - path = "/" - description = "ACK IAM contoller policy" - - # Terraform's "jsonencode" function converts a - # Terraform expression result to valid JSON syntax. - policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = [ - "iam:GetGroup", - "iam:CreateGroup", - "iam:DeleteGroup", - "iam:UpdateGroup", - "iam:GetRole", - "iam:CreateRole", - "iam:DeleteRole", - "iam:UpdateRole", - "iam:PutRolePermissionsBoundary", - "iam:PutUserPermissionsBoundary", - "iam:GetUser", - "iam:CreateUser", - "iam:DeleteUser", - "iam:UpdateUser", - "iam:GetPolicy", - "iam:CreatePolicy", - "iam:DeletePolicy", - "iam:GetPolicyVersion", - "iam:CreatePolicyVersion", - "iam:DeletePolicyVersion", - "iam:ListPolicyVersions", - "iam:ListPolicyTags", - "iam:ListAttachedGroupPolicies", - "iam:GetGroupPolicy", - "iam:PutGroupPolicy", - "iam:AttachGroupPolicy", - "iam:DetachGroupPolicy", - "iam:DeleteGroupPolicy", - "iam:ListAttachedRolePolicies", - "iam:ListRolePolicies", - "iam:GetRolePolicy", - "iam:PutRolePolicy", - "iam:AttachRolePolicy", - "iam:DetachRolePolicy", - "iam:DeleteRolePolicy", - "iam:ListAttachedUserPolicies", - "iam:ListUserPolicies", - "iam:GetUserPolicy", - "iam:PutUserPolicy", - "iam:AttachUserPolicy", - "iam:DetachUserPolicy", - "iam:DeleteUserPolicy", - "iam:ListRoleTags", - "iam:ListUserTags", - "iam:TagPolicy", - "iam:UntagPolicy", - "iam:TagRole", - "iam:UntagRole", - "iam:TagUser", - "iam:UntagUser", - "iam:RemoveClientIDFromOpenIDConnectProvider", - "iam:ListOpenIDConnectProviderTags", - "iam:UpdateOpenIDConnectProviderThumbprint", - "iam:UntagOpenIDConnectProvider", - 
"iam:AddClientIDToOpenIDConnectProvider", - "iam:DeleteOpenIDConnectProvider", - "iam:GetOpenIDConnectProvider", - "iam:TagOpenIDConnectProvider", - "iam:CreateOpenIDConnectProvider", - "iam:UpdateAssumeRolePolicy" - ] - Effect = "Allow" - Resource = "*" - }, + statement { + effect = "Allow" + actions = [ + "iam:GetGroup", + "iam:CreateGroup", + "iam:DeleteGroup", + "iam:UpdateGroup", + "iam:GetRole", + "iam:CreateRole", + "iam:DeleteRole", + "iam:UpdateRole", + "iam:PutRolePermissionsBoundary", + "iam:PutUserPermissionsBoundary", + "iam:GetUser", + "iam:CreateUser", + "iam:DeleteUser", + "iam:UpdateUser", + "iam:GetPolicy", + "iam:CreatePolicy", + "iam:DeletePolicy", + "iam:GetPolicyVersion", + "iam:CreatePolicyVersion", + "iam:DeletePolicyVersion", + "iam:ListPolicyVersions", + "iam:ListPolicyTags", + "iam:ListAttachedGroupPolicies", + "iam:GetGroupPolicy", + "iam:PutGroupPolicy", + "iam:AttachGroupPolicy", + "iam:DetachGroupPolicy", + "iam:DeleteGroupPolicy", + "iam:ListAttachedRolePolicies", + "iam:ListRolePolicies", + "iam:GetRolePolicy", + "iam:PutRolePolicy", + "iam:AttachRolePolicy", + "iam:DetachRolePolicy", + "iam:DeleteRolePolicy", + "iam:ListAttachedUserPolicies", + "iam:ListUserPolicies", + "iam:GetUserPolicy", + "iam:PutUserPolicy", + "iam:AttachUserPolicy", + "iam:DetachUserPolicy", + "iam:DeleteUserPolicy", + "iam:ListRoleTags", + "iam:ListUserTags", + "iam:TagPolicy", + "iam:UntagPolicy", + "iam:TagRole", + "iam:UntagRole", + "iam:TagUser", + "iam:UntagUser", + "iam:RemoveClientIDFromOpenIDConnectProvider", + "iam:ListOpenIDConnectProviderTags", + "iam:UpdateOpenIDConnectProviderThumbprint", + "iam:UntagOpenIDConnectProvider", + "iam:AddClientIDToOpenIDConnectProvider", + "iam:DeleteOpenIDConnectProvider", + "iam:GetOpenIDConnectProvider", + "iam:TagOpenIDConnectProvider", + "iam:CreateOpenIDConnectProvider", + "iam:UpdateAssumeRolePolicy", ] - }) + + resources = ["*"] + } +} + +resource "aws_iam_policy" "iam" { + count = var.enable_iam ? 
1 : 0 + + name = "IAMController" + description = "IAM policy for IAM Controller" + policy = data.aws_iam_policy_document.iam[0].json tags = var.tags } @@ -610,13 +951,13 @@ module "ec2" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/ec2-chart:1.2.15 + # public.ecr.aws/aws-controllers-k8s/ec2-chart:1.2.16 name = try(var.ec2.name, local.ec2_name) description = try(var.ec2.description, "Helm Chart for ec2 controller for ACK") namespace = try(var.ec2.namespace, "ack-system") create_namespace = try(var.ec2.create_namespace, true) chart = "ec2-chart" - chart_version = try(var.ec2.chart_version, "1.2.15") + chart_version = try(var.ec2.chart_version, "1.2.16") repository = try(var.ec2.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.ec2.values, []) @@ -708,13 +1049,13 @@ module "eks" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/eks-chart:1.4.3 + # public.ecr.aws/aws-controllers-k8s/eks-chart:1.4.4 name = try(var.eks.name, local.eks_name) description = try(var.eks.description, "Helm Chart for eks controller for ACK") namespace = try(var.eks.namespace, "ack-system") create_namespace = try(var.eks.create_namespace, true) chart = "eks-chart" - chart_version = try(var.eks.chart_version, "1.4.3") + chart_version = try(var.eks.chart_version, "1.4.4") repository = try(var.eks.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.eks.values, []) @@ -774,7 +1115,7 @@ module "eks" { role_permissions_boundary_arn = lookup(var.eks, "role_permissions_boundary_arn", null) role_description = try(var.eks.role_description, "IRSA for eks controller for ACK") role_policies = lookup(var.eks, "role_policies", { - EKSPolicy = var.enable_eks ? aws_iam_policy.ekspolicy[0].arn : null + policy = var.enable_eks ? aws_iam_policy.eks[0].arn : null }) create_policy = try(var.eks.create_policy, false) 
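Review bot: Replacing `name_prefix = format("%s-%s", local.iam_name, "controller-iam-policies")` with the fixed `name = "IAMController"` makes the policy name account-global, so a second cluster in the same AWS account applying this module will fail with EntityAlreadyExists; keeping a prefix, e.g. `name_prefix = "IAMController-"`, or folding the cluster name in avoids that. Separately, the statement grants `iam:CreateRole`, `iam:AttachRolePolicy`, `iam:PutRolePolicy`, `iam:CreatePolicyVersion` and `iam:UpdateAssumeRolePolicy` on `resources = ["*"]`, which is functionally account administrator for anyone who can create Role/Policy objects in the cluster. This mirrors the upstream recommended policy, but the module already threads `role_permissions_boundary_arn` through, so a comment above the data source such as `# NOTE: these actions on "*" are equivalent to account admin; set var.iam.role_permissions_boundary_arn and consider an iam:PermissionsBoundary condition` would tell operators where the guard rail is.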
@@ -790,30 +1131,27 @@ module "eks" { } # recommended eks-controller policy https://github.com/aws-controllers-k8s/eks-controller/blob/main/config/iam/recommended-inline-policy -resource "aws_iam_policy" "ekspolicy" { +data "aws_iam_policy_document" "eks" { count = var.enable_eks ? 1 : 0 - name_prefix = format("%s-%s", local.eks_name, "controller-eks-policies") - - path = "/" - description = "ACK EKS contoller policy" - - # Terraform's "jsonencode" function converts a - # Terraform expression result to valid JSON syntax. - policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = [ - "eks:*", - "iam:GetRole", - "iam:PassRole" - ] - Effect = "Allow" - Resource = "*" - }, + statement { + effect = "Allow" + + actions = [ + "eks:*", + "iam:GetRole", + "iam:PassRole", ] - }) + resources = ["*"] + } +} + +resource "aws_iam_policy" "eks" { + count = var.enable_eks ? 1 : 0 + + name = "EKSController" + description = "IAM policy for EKS Controller" + policy = data.aws_iam_policy_document.eks[0].json tags = var.tags } @@ -835,13 +1173,13 @@ module "kms" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/kms-chart:1.0.14 + # public.ecr.aws/aws-controllers-k8s/kms-chart:1.0.15 name = try(var.kms.name, local.kms_name) description = try(var.kms.description, "Helm Chart for kms controller for ACK") namespace = try(var.kms.namespace, "ack-system") create_namespace = try(var.kms.create_namespace, true) chart = "kms-chart" - chart_version = try(var.kms.chart_version, "1.0.14") + chart_version = try(var.kms.chart_version, "1.0.15") repository = try(var.kms.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.kms.values, []) 
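Review bot: The rewritten EKS policy still grants `iam:PassRole` on `resources = ["*"]`, so the controller can hand any role in the account to EKS, including administrative ones, which is the standard PassRole escalation path for anyone able to create a Cluster or Nodegroup object in the cluster. Splitting PassRole into its own statement with an `iam:PassedToService` condition keeps the controller working for EKS while blocking passing roles to other services; the upstream recommended policy is the unconditioned form, so verify the controller's cluster and nodegroup reconciles still succeed with the condition before adopting it. The fixed `name = "EKSController"` has the same cross-cluster collision issue as the other policies in this patch.

```hcl
  statement {
    effect    = "Allow"
    actions   = ["eks:*", "iam:GetRole"]
    resources = ["*"]
  }

  # PassRole only for roles actually consumed by the EKS service
  statement {
    effect    = "Allow"
    actions   = ["iam:PassRole"]
    resources = ["*"]

    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["eks.amazonaws.com"]
    }
  }
```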
@@ -901,7 +1239,7 @@ module "kms" { role_permissions_boundary_arn = lookup(var.kms, "role_permissions_boundary_arn", null) role_description = try(var.kms.role_description, "IRSA for kms controller for ACK") role_policies = lookup(var.kms, "role_policies", { - policy = var.enable_kms ? aws_iam_policy.kmspolicy[0].arn : null + policy = var.enable_kms ? aws_iam_policy.kms[0].arn : null }) create_policy = try(var.kms.create_policy, false) @@ -917,41 +1255,37 @@ module "kms" { } # recommended kms-controller policy https://github.com/aws-controllers-k8s/kms-controller/blob/main/config/iam/recommended-inline-policy -resource "aws_iam_policy" "kmspolicy" { +data "aws_iam_policy_document" "kms" { count = var.enable_kms ? 1 : 0 - name_prefix = format("%s-%s", local.kms_name, "controller-kms-policies") - - path = "/" - description = "ACK KMS contoller policy" - - # Terraform's "jsonencode" function converts a - # Terraform expression result to valid JSON syntax. - policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = [ - "kms:CreateAlias", - "kms:CreateKey", - "kms:DeleteAlias", - "kms:Describe*", - "kms:GenerateRandom", - "kms:Get*", - "kms:List*", - "kms:ScheduleKeyDeletion", - "kms:TagResource", - "kms:UntagResource", - "iam:ListGroups", - "iam:ListRoles", - "iam:ListUsers", - "iam:CreateServiceLinkedRole" - ] - Effect = "Allow" - Resource = "*" - }, + statement { + effect = "Allow" + actions = [ + "kms:CreateAlias", + "kms:CreateKey", + "kms:DeleteAlias", + "kms:Describe*", + "kms:GenerateRandom", + "kms:Get*", + "kms:List*", + "kms:ScheduleKeyDeletion", + "kms:TagResource", + "kms:UntagResource", + "iam:ListGroups", + "iam:ListRoles", + "iam:ListUsers", + "iam:CreateServiceLinkedRole", ] - }) + resources = ["*"] + } +} + +resource "aws_iam_policy" "kms" { + count = var.enable_kms ? 1 : 0 + + name = "KMSController" + description = "IAM policy for KMS Controller" + policy = data.aws_iam_policy_document.kms[0].json tags = var.tags } 
@@ -973,13 +1307,13 @@ module "acm" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/acm-chart:0.0.17 + # public.ecr.aws/aws-controllers-k8s/acm-chart:0.0.18 name = try(var.acm.name, local.acm_name) description = try(var.acm.description, "Helm Chart for acm controller for ACK") namespace = try(var.acm.namespace, "ack-system") create_namespace = try(var.acm.create_namespace, true) chart = "acm-chart" - chart_version = try(var.acm.chart_version, "0.0.17") + chart_version = try(var.acm.chart_version, "0.0.18") repository = try(var.acm.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.acm.values, []) @@ -1039,7 +1373,7 @@ module "acm" { role_permissions_boundary_arn = lookup(var.acm, "role_permissions_boundary_arn", null) role_description = try(var.acm.role_description, "IRSA for acm controller for ACK") role_policies = lookup(var.acm, "role_policies", { - policy = var.enable_acm ? aws_iam_policy.acmpolicy[0].arn : null + policy = var.enable_acm ? aws_iam_policy.acm[0].arn : null }) create_policy = try(var.acm.create_policy, false) 
@@ -1055,34 +1389,32 @@ module "acm" { } # recommended acm-controller policy https://github.com/aws-controllers-k8s/acm-controller/blob/main/config/iam/recommended-inline-policy -resource "aws_iam_policy" "acmpolicy" { +data "aws_iam_policy_document" "acm" { count = var.enable_acm ? 1 : 0 - name_prefix = format("%s-%s", local.acm_name, "controller-acm-policies") - - path = "/" - description = "ACK ACM contoller policy" - - # Terraform's "jsonencode" function converts a - # Terraform expression result to valid JSON syntax. - policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = [ - "acm:DescribeCertificate", - "acm:RequestCertificate", - "acm:UpdateCertificateOptions", - "acm:DeleteCertificate", - "acm:AddTagsToCertificate", - "acm:RemoveTagsFromCertificate", - "acm:ListTagsForCertificate" - ] - Effect = "Allow" - Resource = "*" - }, + statement { + effect = "Allow" + + actions = [ + "acm:DescribeCertificate", + "acm:RequestCertificate", + "acm:UpdateCertificateOptions", + "acm:DeleteCertificate", + "acm:AddTagsToCertificate", + "acm:RemoveTagsFromCertificate", + "acm:ListTagsForCertificate", ] - }) + resources = ["*"] + } + +} + +resource "aws_iam_policy" "acm" { + count = var.enable_acm ? 1 : 0 + + name = "ACMController" + description = "IAM policy for ACM Controller" + policy = data.aws_iam_policy_document.acm[0].json tags = var.tags } 
@@ -1104,13 +1436,13 @@ module "apigatewayv2" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/apigatewayv2-chart:1.0.14 + # public.ecr.aws/aws-controllers-k8s/apigatewayv2-chart:1.0.15 name = try(var.apigatewayv2.name, local.apigatewayv2_name) description = try(var.apigatewayv2.description, "Helm Chart for apigatewayv2 controller for ACK") namespace = try(var.apigatewayv2.namespace, "ack-system") create_namespace = try(var.apigatewayv2.create_namespace, true) chart = "apigatewayv2-chart" - chart_version = try(var.apigatewayv2.chart_version, "1.0.14") + chart_version = try(var.apigatewayv2.chart_version, "1.0.15") repository = try(var.apigatewayv2.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.apigatewayv2.values, []) @@ -1203,13 +1535,13 @@ module "dynamodb" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/dynamodb-chart:1.2.12 + # public.ecr.aws/aws-controllers-k8s/dynamodb-chart:1.2.13 name = try(var.dynamodb.name, local.dynamodb_name) description = try(var.dynamodb.description, "Helm Chart for dynamodb controller for ACK") namespace = try(var.dynamodb.namespace, "ack-system") create_namespace = try(var.dynamodb.create_namespace, true) chart = "dynamodb-chart" - chart_version = try(var.dynamodb.chart_version, "1.2.12") + chart_version = try(var.dynamodb.chart_version, "1.2.13") repository = try(var.dynamodb.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.dynamodb.values, []) 
@@ -1301,13 +1633,13 @@ module "s3" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/s3-chart:1.0.13 + # public.ecr.aws/aws-controllers-k8s/s3-chart:1.0.15 name = try(var.s3.name, local.s3_name) description = try(var.s3.description, "Helm Chart for s3 controller for ACK") namespace = try(var.s3.namespace, "ack-system") create_namespace = try(var.s3.create_namespace, true) chart = "s3-chart" - chart_version = try(var.s3.chart_version, "1.0.13") + chart_version = try(var.s3.chart_version, "1.0.15") repository = try(var.s3.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.s3.values, []) @@ -1497,13 +1829,13 @@ module "rds" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/rds-chart:1.4.2 + # public.ecr.aws/aws-controllers-k8s/rds-chart:1.4.3 name = try(var.rds.name, local.rds_name) description = try(var.rds.description, "Helm Chart for rds controller for ACK") namespace = try(var.rds.namespace, "ack-system") create_namespace = try(var.rds.create_namespace, true) chart = "rds-chart" - chart_version = try(var.rds.chart_version, "1.4.2") + chart_version = try(var.rds.chart_version, "1.4.3") repository = try(var.rds.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.rds.values, []) 
@@ -1595,13 +1927,13 @@ module "prometheusservice" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/prometheusservice_name-chart:1.2.12 + # public.ecr.aws/aws-controllers-k8s/prometheusservice-chart:1.2.13 name = try(var.prometheusservice.name, local.prometheusservice_name) description = try(var.prometheusservice.description, "Helm Chart for prometheusservice controller for ACK") namespace = try(var.prometheusservice.namespace, "ack-system") create_namespace = try(var.prometheusservice.create_namespace, true) chart = "prometheusservice-chart" - chart_version = try(var.prometheusservice.chart_version, "1.2.12") + chart_version = try(var.prometheusservice.chart_version, "1.2.13") repository = try(var.prometheusservice.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.prometheusservice.values, []) @@ -1661,7 +1993,7 @@ module "prometheusservice" { role_permissions_boundary_arn = lookup(var.prometheusservice, "role_permissions_boundary_arn", null) role_description = try(var.prometheusservice.role_description, "IRSA for prometheusservice controller for ACK") role_policies = lookup(var.prometheusservice, "role_policies", { - AmazonPrometheusFullAccess = "${local.iam_role_policy_prefix}/AmazonPrometheusFullAccess" + policy = var.enable_prometheusservice ? aws_iam_policy.prometheusservice[0].arn : null }) create_policy = try(var.prometheusservice.create_policy, false) 
@@ -1676,6 +2008,35 @@ module "prometheusservice" { tags = var.tags } +# recommended prometheusservice-controller policy https://github.com/aws-controllers-k8s/prometheusservice-controller/blob/main/config/iam/recommended-inline-policy +data "aws_iam_policy_document" "prometheusservice" { + count = var.enable_prometheusservice ? 1 : 0 + + statement { + effect = "Allow" + + actions = [ + "aps:*", + "logs:CreateLogDelivery", + "logs:DescribeLogGroups", + "logs:DescribeResourcePolicies", + "logs:PutResourcePolicy", + ] + + resources = ["*"] + } +} + +resource "aws_iam_policy" "prometheusservice" { + count = var.enable_prometheusservice ? 1 : 0 + + name = "PrometheusServiceController" + description = "IAM policy for Prometheus Service Controller" + policy = data.aws_iam_policy_document.prometheusservice[0].json + + tags = var.tags +} + ################################################################################ # EMR Containers ################################################################################ @@ -1693,13 +2054,13 @@ module "emrcontainers" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/emrcontainers_name-chart:1.0.11 + # public.ecr.aws/aws-controllers-k8s/emrcontainers-chart:1.0.12 name = try(var.emrcontainers.name, local.emrcontainers_name) description = try(var.emrcontainers.description, "Helm Chart for emrcontainers controller for ACK") namespace = try(var.emrcontainers.namespace, "ack-system") create_namespace = try(var.emrcontainers.create_namespace, true) chart = "emrcontainers-chart" - chart_version = try(var.emrcontainers.chart_version, "1.0.11") + chart_version = try(var.emrcontainers.chart_version, "1.0.12") repository = try(var.emrcontainers.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.emrcontainers.values, []) 
@@ -1759,7 +2120,7 @@ module "emrcontainers" { role_permissions_boundary_arn = lookup(var.emrcontainers, "role_permissions_boundary_arn", null) role_description = try(var.emrcontainers.role_description, "IRSA for emrcontainers controller for ACK") role_policies = lookup(var.emrcontainers, "role_policies", { - AmazonEmrContainers = var.enable_emrcontainers ? aws_iam_policy.emrcontainers[0].arn : null + policy = var.enable_emrcontainers ? aws_iam_policy.emrcontainers[0].arn : null }) create_policy = try(var.emrcontainers.create_policy, false) @@ -1774,24 +2135,16 @@ module "emrcontainers" { tags = var.tags } -resource "aws_iam_policy" "emrcontainers" { - count = var.enable_emrcontainers ? 1 : 0 - - name_prefix = format("%s-%s", local.emrcontainers_name, "controller-iam-policies") - description = "IAM policy for EMRcontainers controller" - path = "/" - policy = data.aws_iam_policy_document.emrcontainers.json - - tags = var.tags -} - -# inline policy provided by ack https://raw.githubusercontent.com/aws-controllers-k8s/emrcontainers-controller/main/config/iam/recommended-inline-policy +# recommended emrcontainers-controller policy https://github.com/aws-controllers-k8s/emrcontainers-controller/blob/main/config/iam/recommended-inline-policy data "aws_iam_policy_document" "emrcontainers" { + count = var.enable_emrcontainers ? 1 : 0 statement { effect = "Allow" + actions = [ - "iam:CreateServiceLinkedRole" + "iam:CreateServiceLinkedRole", ] + resources = ["*"] condition { 
@@ -1803,22 +2156,25 @@ data "aws_iam_policy_document" "emrcontainers" { statement { effect = "Allow" + actions = [ "emr-containers:CreateVirtualCluster", "emr-containers:ListVirtualClusters", "emr-containers:DescribeVirtualCluster", - "emr-containers:DeleteVirtualCluster" + "emr-containers:DeleteVirtualCluster", ] + resources = ["*"] } statement { effect = "Allow" + actions = [ "emr-containers:StartJobRun", "emr-containers:ListJobRuns", "emr-containers:DescribeJobRun", - "emr-containers:CancelJobRun" + "emr-containers:CancelJobRun", ] resources = ["*"] @@ -1826,12 +2182,13 @@ data "aws_iam_policy_document" "emrcontainers" { statement { effect = "Allow" + actions = [ "emr-containers:DescribeJobRun", "emr-containers:TagResource", "elasticmapreduce:CreatePersistentAppUI", "elasticmapreduce:DescribePersistentAppUI", - "elasticmapreduce:GetPersistentAppUIPresignedURL" + "elasticmapreduce:GetPersistentAppUIPresignedURL", ] resources = ["*"] @@ -1839,9 +2196,10 @@ data "aws_iam_policy_document" "emrcontainers" { statement { effect = "Allow" + actions = [ "s3:GetObject", - "s3:ListBucket" + "s3:ListBucket", ] resources = ["*"] @@ -1849,14 +2207,25 @@ data "aws_iam_policy_document" "emrcontainers" { statement { effect = "Allow" + actions = [ "logs:Get*", "logs:DescribeLogGroups", - "logs:DescribeLogStreams" + "logs:DescribeLogStreams", ] + resources = ["*"] } +} +resource "aws_iam_policy" "emrcontainers" { + count = var.enable_emrcontainers ? 1 : 0 + + name = "EMRContainersController" + description = "IAM policy for EMR Containers Controller" + policy = data.aws_iam_policy_document.emrcontainers[0].json + + tags = var.tags } ################################################################################ 
@@ -1876,13 +2245,13 @@ module "sfn" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/sfn_name-chart:1.0.12 + # public.ecr.aws/aws-controllers-k8s/sfn-chart:1.0.13 name = try(var.sfn.name, local.sfn_name) description = try(var.sfn.description, "Helm Chart for sfn controller for ACK") namespace = try(var.sfn.namespace, "ack-system") create_namespace = try(var.sfn.create_namespace, true) chart = "sfn-chart" - chart_version = try(var.sfn.chart_version, "1.0.12") + chart_version = try(var.sfn.chart_version, "1.0.13") repository = try(var.sfn.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.sfn.values, []) @@ -1943,7 +2312,7 @@ module "sfn" { role_description = try(var.sfn.role_description, "IRSA for sfn controller for ACK") role_policies = lookup(var.sfn, "role_policies", { AWSStepFunctionsFullAccess = "${local.iam_role_policy_prefix}/AWSStepFunctionsFullAccess" - AWSStepFunctionsIamPassRole = var.enable_sfn ? aws_iam_policy.sfnpasspolicy[0].arn : null + AWSStepFunctionsIamPassRole = var.enable_sfn ? aws_iam_policy.sfn[0].arn : null }) create_policy = try(var.sfn.create_policy, false) 
@@ -1958,28 +2327,30 @@ module "sfn" { tags = var.tags } -resource "aws_iam_policy" "sfnpasspolicy" { +# recommended sfn-controller policy https://github.com/aws-controllers-k8s/sfn-controller/blob/main/config/iam/recommended-policy-arn +data "aws_iam_policy_document" "sfn" { count = var.enable_sfn ? 1 : 0 - name_prefix = format("%s-%s", local.sfn_name, "controller-iam-policies") - - path = "/" - description = "passrole policy" - - # Terraform's "jsonencode" function converts a - # Terraform expression result to valid JSON syntax. - policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = [ - "iam:PassRole", - ] - Effect = "Allow" - Resource = "*" - }, + statement { + effect = "Allow" + + actions = [ + "iam:PassRole", + ] + + resources = [ + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/ack-sfn-execution-role" ] - }) + } + +} + +resource "aws_iam_policy" "sfn" { + count = var.enable_sfn ? 1 : 0 + + name = "SFNController" + description = "IAM policy for SFN Controller" + policy = data.aws_iam_policy_document.sfn[0].json tags = var.tags } @@ -2001,13 +2372,13 @@ module "eventbridge" { # Disable helm release create_release = var.create_kubernetes_resources - # public.ecr.aws/aws-controllers-k8s/eventbridge_name-chart:1.0.12 + # public.ecr.aws/aws-controllers-k8s/eventbridge-chart:1.0.13 name = try(var.eventbridge.name, local.eventbridge_name) description = try(var.eventbridge.description, "Helm Chart for eventbridge controller for ACK") namespace = try(var.eventbridge.namespace, "ack-system") create_namespace = try(var.eventbridge.create_namespace, true) chart = "eventbridge-chart" - chart_version = try(var.eventbridge.chart_version, "1.0.12") + chart_version = try(var.eventbridge.chart_version, "1.0.13") repository = try(var.eventbridge.repository, "oci://public.ecr.aws/aws-controllers-k8s") values = try(var.eventbridge.values, []) diff --git a/variables.tf b/variables.tf index 2afe618..16f28de 100644 --- a/variables.tf 
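Review bot: The new PassRole resource `arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/ack-sfn-execution-role` hard-codes both the `aws` partition and a single role name, so in GovCloud or China partitions the ARN can never match and every StateMachine reconcile is denied, and in any partition a user whose execution role is not literally named `ack-sfn-execution-role` gets an opaque AccessDenied with nothing in the module documenting the convention. Scoping PassRole down from the old `*` is the right direction, so keep it but make it configurable and partition-aware, e.g. `resources = try(var.sfn.pass_role_arns, ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/ack-sfn-execution-role"])`, assuming the file declares `data "aws_partition" "current"` as the `local.iam_role_policy_prefix` used elsewhere suggests but this hunk does not show. The header comment also points at `recommended-policy-arn` while this is an inline PassRole document; `recommended-inline-policy` or a sentence explaining the role-name convention would be more accurate.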
+++ b/variables.tf @@ -43,6 +43,70 @@ variable "tags" { default = {} } +################################################################################ +# Sagemaker +################################################################################ + +variable "enable_sagemaker" { + description = "Enable ACK Sagemaker add-on" + type = bool + default = false +} + +variable "sagemaker" { + description = "ACK Sagemaker Helm Chart config" + type = any + default = {} +} + +################################################################################ +# MemoryDB +################################################################################ + +variable "enable_memorydb" { + description = "Enable ACK MemoryDB add-on" + type = bool + default = false +} + +variable "memorydb" { + description = "ACK MemoryDB Helm Chart config" + type = any + default = {} +} + +################################################################################ +# OpenSearch Service +################################################################################ + +variable "enable_opensearchservice" { + description = "Enable ACK Opensearch Service add-on" + type = bool + default = false +} + +variable "opensearchservice" { + description = "ACK Opensearch Service Helm Chart config" + type = any + default = {} +} + +################################################################################ +# ECR +################################################################################ + +variable "enable_ecr" { + description = "Enable ACK ECR add-on" + type = bool + default = false +} + +variable "ecr" { + description = "ACK ECR Helm Chart config" + type = any + default = {} +} + ################################################################################ # SNS ################################################################################