From 7ec620d4e7a41dd5f1e01183709ee054102393a7 Mon Sep 17 00:00:00 2001 From: Edgar Costa Date: Mon, 12 Aug 2024 18:08:31 -0300 Subject: [PATCH] feat: Add Kinesis, CloudWatch Logs and Network Firewall Controllers --- README.md | 18 ++ examples/complete/README.md | 102 +++++----- examples/complete/main.tf | 3 + main.tf | 390 +++++++++++++++++++++++++++++++++++- outputs.tf | 18 ++ variables.tf | 48 +++++ 6 files changed, 530 insertions(+), 49 deletions(-) diff --git a/README.md b/README.md index 983e597..9824aec 100644 --- a/README.md +++ b/README.md @@ -18,6 +18,9 @@ module "eks_ack_addons" { ecrpublic_token = "" # Controllers to enable + enable_networkfirewall = true + enable_cloudwatchlogs = true + enable_kinesis = true enable_secretsmanager = true enable_route53resolver = true enable_route53 = true @@ -91,6 +94,7 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | [cloudfront](#module\_cloudfront) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [cloudtrail](#module\_cloudtrail) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [cloudwatch](#module\_cloudwatch) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | +| [cloudwatchlogs](#module\_cloudwatchlogs) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [dynamodb](#module\_dynamodb) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [ec2](#module\_ec2) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [ecr](#module\_ecr) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | 
@@ -103,10 +107,12 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | [iam](#module\_iam) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [kafka](#module\_kafka) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [keyspaces](#module\_keyspaces) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | +| [kinesis](#module\_kinesis) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [kms](#module\_kms) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [lambda](#module\_lambda) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [memorydb](#module\_memorydb) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [mq](#module\_mq) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | +| [networkfirewall](#module\_networkfirewall) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [opensearchservice](#module\_opensearchservice) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [organizations](#module\_organizations) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | | [prometheusservice](#module\_prometheusservice) | aws-ia/eks-blueprints-addon/aws | 1.1.1 | 
@@ -125,21 +131,27 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | Name | Type | |------|------| | [aws_iam_policy.acm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.cloudwatchlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.emrcontainers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.iam](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.kinesis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.networkfirewall](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.prometheusservice](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [time_sleep.this](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.acm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| 
[aws_iam_policy_document.cloudwatchlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.emrcontainers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.iam](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.kinesis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.networkfirewall](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.prometheusservice](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | 
@@ -155,6 +167,7 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | [cloudfront](#input\_cloudfront) | ACK cloudfront Helm Chart config | `any` | `{}` | no | | [cloudtrail](#input\_cloudtrail) | ACK Cloudtrail Helm Chart config | `any` | `{}` | no | | [cloudwatch](#input\_cloudwatch) | ACK CloudWatch Helm Chart config | `any` | `{}` | no | +| [cloudwatchlogs](#input\_cloudwatchlogs) | ACK CloudWatch Logs Helm Chart config | `any` | `{}` | no | | [cluster\_endpoint](#input\_cluster\_endpoint) | Endpoint for your Kubernetes API server | `string` | n/a | yes | | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes | | [create\_delay\_dependencies](#input\_create\_delay\_dependencies) | Dependency attribute which must be resolved before starting the `create_delay_duration` | `list(string)` | `[]` | no | @@ -176,6 +189,7 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | [enable\_cloudfront](#input\_enable\_cloudfront) | Enable ACK Cloudfront add-on | `bool` | `false` | no | | [enable\_cloudtrail](#input\_enable\_cloudtrail) | Enable ACK Cloudtrail add-on | `bool` | `false` | no | | [enable\_cloudwatch](#input\_enable\_cloudwatch) | Enable ACK CloudWatch add-on | `bool` | `false` | no | +| [enable\_cloudwatchlogs](#input\_enable\_cloudwatchlogs) | Enable ACK CloudWatch Logs add-on | `bool` | `false` | no | | [enable\_dynamodb](#input\_enable\_dynamodb) | Enable ACK dynamodb add-on | `bool` | `false` | no | | [enable\_ec2](#input\_enable\_ec2) | Enable ACK ec2 add-on | `bool` | `false` | no | | [enable\_ecr](#input\_enable\_ecr) | Enable ACK ECR add-on | `bool` | `false` | no | 
@@ -188,10 +202,12 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | [enable\_iam](#input\_enable\_iam) | Enable ACK iam add-on | `bool` | `false` | no | | [enable\_kafka](#input\_enable\_kafka) | Enable ACK Kafka add-on | `bool` | `false` | no | | [enable\_keyspaces](#input\_enable\_keyspaces) | Enable ACK Keyspaces add-on | `bool` | `false` | no | +| [enable\_kinesis](#input\_enable\_kinesis) | Enable ACK Kinesis add-on | `bool` | `false` | no | | [enable\_kms](#input\_enable\_kms) | Enable ACK kms add-on | `bool` | `false` | no | | [enable\_lambda](#input\_enable\_lambda) | Enable ACK Lambda add-on | `bool` | `false` | no | | [enable\_memorydb](#input\_enable\_memorydb) | Enable ACK MemoryDB add-on | `bool` | `false` | no | | [enable\_mq](#input\_enable\_mq) | Enable ACK MQ add-on | `bool` | `false` | no | +| [enable\_networkfirewall](#input\_enable\_networkfirewall) | Enable ACK Network Firewall add-on | `bool` | `false` | no | | [enable\_opensearchservice](#input\_enable\_opensearchservice) | Enable ACK Opensearch Service add-on | `bool` | `false` | no | | [enable\_organizations](#input\_enable\_organizations) | Enable ACK Organizations add-on | `bool` | `false` | no | | [enable\_prometheusservice](#input\_enable\_prometheusservice) | Enable ACK prometheusservice add-on | `bool` | `false` | no | 
@@ -208,10 +224,12 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | [iam](#input\_iam) | ACK iam Helm Chart config | `any` | `{}` | no | | [kafka](#input\_kafka) | ACK Kafka Helm Chart config | `any` | `{}` | no | | [keyspaces](#input\_keyspaces) | ACK Keyspaces Helm Chart config | `any` | `{}` | no | +| [kinesis](#input\_kinesis) | ACK Kinesis Helm Chart config | `any` | `{}` | no | | [kms](#input\_kms) | ACK kms Helm Chart config | `any` | `{}` | no | | [lambda](#input\_lambda) | ACK Lambda Helm Chart config | `any` | `{}` | no | | [memorydb](#input\_memorydb) | ACK MemoryDB Helm Chart config | `any` | `{}` | no | | [mq](#input\_mq) | ACK MQ Helm Chart config | `any` | `{}` | no | +| [networkfirewall](#input\_networkfirewall) | ACK Network Firewall Helm Chart config | `any` | `{}` | no | | [oidc\_provider\_arn](#input\_oidc\_provider\_arn) | The ARN of the cluster OIDC Provider | `string` | n/a | yes | | [opensearchservice](#input\_opensearchservice) | ACK Opensearch Service Helm Chart config | `any` | `{}` | no | | [organizations](#input\_organizations) | ACK Organizations Helm Chart config | `any` | `{}` | no | diff --git a/examples/complete/README.md b/examples/complete/README.md index 2f50064..8dbedf7 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md @@ -1,6 +1,9 @@ # Complete Example Configuration in this directory creates an AWS EKS cluster with the following ACK addons: +- Amazon Network Firewall +- Amazon CloudWatch Logs +- Amazon Kinesis - AWS Secrets Manager - Amazon Route53Resolver - Amazon Route 53 
@@ -75,54 +78,57 @@ aws eks --region update-kubeconfig --name kubectl get pods -A NAMESPACE NAME READY STATUS RESTARTS AGE -ack-system ack-acm-5697f4c5b4-z48sv 1/1 Running 0 30m -ack-system ack-apigatewayv2-76d6bbd788-pxlv9 1/1 Running 0 27m -ack-system ack-applicationautoscaling-5fd6c8bf8f-tjhhq 1/1 Running 0 28m -ack-system ack-cloudfront-544f4887c4-cn48r 1/1 Running 0 27m -ack-system ack-cloudtrail-5dc78b7576-jpjd6 1/1 Running 0 26m -ack-system ack-cloudwatch-5b844f47db-cl6ht 1/1 Running 0 28m -ack-system ack-dynamodb-7f4b47488d-kf7gd 1/1 Running 0 30m -ack-system ack-ec2-5fbf6f55d9-qrpj6 1/1 Running 0 29m -ack-system ack-ecr-5b4699f87b-27k4t 1/1 Running 0 27m -ack-system ack-ecs-74d8d67695-tw9fp 1/1 Running 0 28m -ack-system ack-efs-7b9f965b96-htcxj 1/1 Running 0 28m -ack-system ack-eks-54945d94d4-pn25c 1/1 Running 0 30m -ack-system ack-elasticache-5758ff66bd-69w79 1/1 Running 0 29m -ack-system ack-emrcontainers-74c5d7b8c-4rpkf 1/1 Running 0 29m -ack-system ack-eventbridge-b76bd85b8-cl75j 1/1 Running 0 30m -ack-system ack-iam-89dd5d6b5-4vb82 1/1 Running 0 28m -ack-system ack-kafka-7bd95bd59-25kkb 1/1 Running 0 28m -ack-system ack-keyspaces-6cc9bbc575-klxtw 1/1 Running 0 26m -ack-system ack-kms-58b89848db-wh6wq 1/1 Running 0 27m -ack-system ack-lambda-65bd7fbc8d-8qllw 1/1 Running 0 27m -ack-system ack-memorydb-76c988f6dd-dm22w 1/1 Running 0 29m -ack-system ack-mq-85b69db6c-hdwqg 1/1 Running 0 26m -ack-system ack-opensearchservice-7fd9d8c866-5l6wh 1/1 Running 0 29m -ack-system ack-organizations-784c69d659-xcm29 1/1 Running 0 27m -ack-system ack-prometheusservice-6d657cd878-q492w 1/1 Running 0 30m -ack-system ack-rds-7df84bf989-jmpzh 1/1 Running 0 26m -ack-system ack-route53-5d45dcbf66-lchwf 1/1 Running 0 27m -ack-system ack-route53resolver-696cf68868-znnsv 1/1 Running 0 26m -ack-system ack-s3-6ffc4698c6-5sfwg 1/1 Running 0 30m -ack-system ack-sagemaker-74f65d4cb9-tqcnm 1/1 Running 0 27m -ack-system ack-secretsmanager-7974695c58-8p29t 1/1 Running 0 30m -ack-system 
ack-sfn-6b875794cb-fnrz4 1/1 Running 0 26m -ack-system ack-sns-5c75794dbc-5vs5r 1/1 Running 0 27m -ack-system ack-sqs-55dfc46cd6-tgc68 1/1 Running 0 26m -kube-system aws-load-balancer-controller-84b5bf9c5f-wmj6s 1/1 Running 0 28m -kube-system aws-load-balancer-controller-84b5bf9c5f-xz5bd 1/1 Running 0 28m -kube-system aws-node-48drm 2/2 Running 0 26m -kube-system aws-node-7jmr4 2/2 Running 0 26m -kube-system aws-node-dc8tz 2/2 Running 0 26m -kube-system coredns-787cb67946-69dqt 1/1 Running 0 33m -kube-system coredns-787cb67946-nblvh 1/1 Running 0 33m -kube-system eks-pod-identity-agent-5vflt 1/1 Running 0 27m -kube-system eks-pod-identity-agent-ltjcq 1/1 Running 0 27m -kube-system eks-pod-identity-agent-rb8jn 1/1 Running 0 27m -kube-system kube-proxy-mz99j 1/1 Running 0 30m -kube-system kube-proxy-prj6l 1/1 Running 0 30m -kube-system kube-proxy-rsfsz 1/1 Running 0 30m -kube-system metrics-server-7577444cf8-vj4lt 1/1 Running 0 31m +ack-system ack-acm-5697f4c5b4-czd5b 1/1 Running 0 11m +ack-system ack-apigatewayv2-76d6bbd788-77t8p 1/1 Running 0 10m +ack-system ack-applicationautoscaling-5fd6c8bf8f-zqn4p 1/1 Running 0 11m +ack-system ack-cloudfront-544f4887c4-jhw5b 1/1 Running 0 12m +ack-system ack-cloudtrail-5dc78b7576-2bwds 1/1 Running 0 11m +ack-system ack-cloudwatch-5b844f47db-6fb5d 1/1 Running 0 11m +ack-system ack-cloudwatchlogs-757f9879fb-jtvhh 1/1 Running 0 11m +ack-system ack-dynamodb-7f4b47488d-btjff 1/1 Running 0 12m +ack-system ack-ec2-5fbf6f55d9-hn8jw 1/1 Running 0 11m +ack-system ack-ecr-5b4699f87b-rt5xt 1/1 Running 0 11m +ack-system ack-ecs-74d8d67695-zbv97 1/1 Running 0 10m +ack-system ack-efs-7b9f965b96-qbc6q 1/1 Running 0 13m +ack-system ack-eks-54945d94d4-mflgw 1/1 Running 0 12m +ack-system ack-elasticache-5758ff66bd-mmj27 1/1 Running 0 12m +ack-system ack-emrcontainers-74c5d7b8c-9htg9 1/1 Running 0 11m +ack-system ack-eventbridge-b76bd85b8-dtvxr 1/1 Running 0 13m +ack-system ack-iam-89dd5d6b5-wf8tm 1/1 Running 0 11m +ack-system 
ack-kafka-7bd95bd59-dvcf6 1/1 Running 0 10m +ack-system ack-keyspaces-6cc9bbc575-lfjwr 1/1 Running 0 11m +ack-system ack-kinesis-687bf76869-kqshn 1/1 Running 0 11m +ack-system ack-kms-58b89848db-hrf8v 1/1 Running 0 11m +ack-system ack-lambda-65bd7fbc8d-fjqfj 1/1 Running 0 11m +ack-system ack-memorydb-76c988f6dd-4v8cz 1/1 Running 0 10m +ack-system ack-mq-85b69db6c-tlt2p 1/1 Running 0 11m +ack-system ack-networkfirewall-c6676fddc-tlvzr 1/1 Running 0 12m +ack-system ack-opensearchservice-7fd9d8c866-9kkdx 1/1 Running 0 11m +ack-system ack-organizations-784c69d659-cpn2r 1/1 Running 0 13m +ack-system ack-prometheusservice-6d657cd878-7h7jw 1/1 Running 0 12m +ack-system ack-rds-7df84bf989-hh7z7 1/1 Running 0 12m +ack-system ack-route53-5d45dcbf66-9f82r 1/1 Running 0 12m +ack-system ack-route53resolver-696cf68868-k825q 1/1 Running 0 12m +ack-system ack-s3-6ffc4698c6-jtv6k 1/1 Running 0 12m +ack-system ack-sagemaker-74f65d4cb9-g9ngl 1/1 Running 0 12m +ack-system ack-secretsmanager-7974695c58-xkgbx 1/1 Running 0 13m +ack-system ack-sfn-6b875794cb-c7pcv 1/1 Running 0 11m +ack-system ack-sns-5c75794dbc-v5fgb 1/1 Running 0 11m +ack-system ack-sqs-55dfc46cd6-wtz7d 1/1 Running 0 13m +kube-system aws-load-balancer-controller-84b5bf9c5f-cd2kn 1/1 Running 0 12m +kube-system aws-load-balancer-controller-84b5bf9c5f-z5mkm 1/1 Running 0 12m +kube-system aws-node-5lv6j 2/2 Running 0 11m +kube-system aws-node-c8ncz 2/2 Running 0 11m +kube-system aws-node-d4tcw 2/2 Running 0 10m +kube-system coredns-787cb67946-82m2k 1/1 Running 0 16m +kube-system coredns-787cb67946-kf4vn 1/1 Running 0 16m +kube-system eks-pod-identity-agent-cnklq 1/1 Running 0 11m +kube-system eks-pod-identity-agent-fdjvk 1/1 Running 0 11m +kube-system eks-pod-identity-agent-jzzsb 1/1 Running 0 11m +kube-system kube-proxy-9x5js 1/1 Running 0 12m +kube-system kube-proxy-f4hk9 1/1 Running 0 12m +kube-system kube-proxy-gxcxt 1/1 Running 0 12m +kube-system metrics-server-7577444cf8-mhx97 1/1 Running 0 14m ``` ## Sample 
Application Deployment diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 4c9a82d..f1dd2e1 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -131,6 +131,9 @@ module "eks_ack_addons" { ecrpublic_token = data.aws_ecrpublic_authorization_token.token.password # Controllers to enable + enable_networkfirewall = true + enable_cloudwatchlogs = true + enable_kinesis = true enable_secretsmanager = true enable_route53resolver = true enable_route53 = true diff --git a/main.tf b/main.tf index 935ccd9..7b36c68 100644 --- a/main.tf +++ b/main.tf 
@@ -33,6 +33,395 @@ locals {
 repository_password = var.create_kubernetes_resources ? var.ecrpublic_token : ""
 }
 
+################################################################################
+# Network Firewall
+################################################################################
+
+locals {
+ networkfirewall_name = "ack-networkfirewall"
+}
+
+module "networkfirewall" {
+ source = "aws-ia/eks-blueprints-addon/aws"
+ version = "1.1.1"
+
+ create = var.enable_networkfirewall
+
+ # Disable helm release
+ create_release = var.create_kubernetes_resources
+
+ # public.ecr.aws/aws-controllers-k8s/networkfirewall-chart:0.0.8
+ name = try(var.networkfirewall.name, local.networkfirewall_name)
+ description = try(var.networkfirewall.description, "Helm Chart for Network Firewall controller for ACK")
+ namespace = try(var.networkfirewall.namespace, "ack-system")
+ create_namespace = try(var.networkfirewall.create_namespace, true)
+ chart = "networkfirewall-chart"
+ chart_version = try(var.networkfirewall.chart_version, "0.0.8")
+ repository = try(var.networkfirewall.repository, "oci://public.ecr.aws/aws-controllers-k8s")
+ values = try(var.networkfirewall.values, [])
+
+ timeout = try(var.networkfirewall.timeout, null)
+ repository_key_file = try(var.networkfirewall.repository_key_file, null)
+ repository_cert_file = try(var.networkfirewall.repository_cert_file, null)
+ repository_ca_file = try(var.networkfirewall.repository_ca_file, null)
+ repository_username = try(var.networkfirewall.repository_username, local.repository_username)
+ repository_password = try(var.networkfirewall.repository_password, local.repository_password)
+ devel = try(var.networkfirewall.devel, null)
+ verify = try(var.networkfirewall.verify, null)
+ keyring = try(var.networkfirewall.keyring, null)
+ disable_webhooks = try(var.networkfirewall.disable_webhooks, null)
+ reuse_values = try(var.networkfirewall.reuse_values, null)
+ reset_values = try(var.networkfirewall.reset_values, null)
+ force_update = try(var.networkfirewall.force_update, null)
+ recreate_pods = try(var.networkfirewall.recreate_pods, null)
+ cleanup_on_fail = try(var.networkfirewall.cleanup_on_fail, null)
+ max_history = try(var.networkfirewall.max_history, null)
+ atomic = try(var.networkfirewall.atomic, null)
+ skip_crds = try(var.networkfirewall.skip_crds, null)
+ render_subchart_notes = try(var.networkfirewall.render_subchart_notes, null)
+ disable_openapi_validation = try(var.networkfirewall.disable_openapi_validation, null)
+ wait = try(var.networkfirewall.wait, false)
+ wait_for_jobs = try(var.networkfirewall.wait_for_jobs, null)
+ dependency_update = try(var.networkfirewall.dependency_update, null)
+ replace = try(var.networkfirewall.replace, null)
+ lint = try(var.networkfirewall.lint, null)
+
+ postrender = try(var.networkfirewall.postrender, [])
+
+ set = concat([
+ {
+ # shortens pod name from `ack-networkfirewall-networkfirewall-chart-xxxxxxxxxxxxx` to `ack-networkfirewall-xxxxxxxxxxxxx`
+ name = "nameOverride"
+ value = "ack-networkfirewall"
+ },
+ {
+ name = "aws.region"
+ value = local.region
+ },
+ {
+ name = "serviceAccount.name"
+ value = local.networkfirewall_name
+ }],
+ try(var.networkfirewall.set, [])
+ )
+ set_sensitive = try(var.networkfirewall.set_sensitive, [])
+
+ # IAM role for service account (IRSA)
+ set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"]
+ create_role = try(var.networkfirewall.create_role, true)
+ role_name = try(var.networkfirewall.role_name, "ack-networkfirewall")
+ role_name_use_prefix = try(var.networkfirewall.role_name_use_prefix, true)
+ role_path = try(var.networkfirewall.role_path, "/")
+ role_permissions_boundary_arn = lookup(var.networkfirewall, "role_permissions_boundary_arn", null)
+ role_description = try(var.networkfirewall.role_description, "IRSA for Network Firewall controller for ACK")
+ role_policies = lookup(var.networkfirewall, "role_policies", {
+ policy = var.enable_networkfirewall ? aws_iam_policy.networkfirewall[0].arn : null
+ })
+ create_policy = try(var.networkfirewall.create_policy, false)
+
+ oidc_providers = {
+ this = {
+ provider_arn = local.oidc_provider_arn
+ # namespace is inherited from chart
+ service_account = local.networkfirewall_name
+ }
+ }
+
+ tags = var.tags
+}
+
+# recommended networkfirewall-controller policy https://github.com/aws-controllers-k8s/networkfirewall-controller/blob/main/config/iam/recommended-inline-policy
+data "aws_iam_policy_document" "networkfirewall" {
+ count = var.enable_networkfirewall ? 1 : 0
+
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "network-firewall:CreateFirewall",
+ "network-firewall:CreateFirewallPolicy",
+ "network-firewall:DeleteFirewall",
+ "network-firewall:DeleteFirewallPolicy",
+ "network-firewall:DescribeFirewall",
+ "network-firewall:DescribeLoggingConfiguration",
+ "network-firewall:ListFirewallPolicies",
+ "network-firewall:ListFirewalls",
+ "network-firewall:UpdateLoggingConfiguration",
+ ]
+
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "networkfirewall" {
+ count = var.enable_networkfirewall ? 1 : 0
+
+ name = "NetworkFirewallController"
+ description = "IAM policy for Network Firewall Controller"
+ policy = data.aws_iam_policy_document.networkfirewall[0].json
+
+ tags = var.tags
+}
+
+################################################################################
+# Amazon CloudWatch Logs
+################################################################################
+
+locals {
+ cloudwatchlogs_name = "ack-cloudwatchlogs"
+}
+
+module "cloudwatchlogs" {
+ source = "aws-ia/eks-blueprints-addon/aws"
+ version = "1.1.1"
+
+ create = var.enable_cloudwatchlogs
+
+ # Disable helm release
+ create_release = var.create_kubernetes_resources
+
+ # public.ecr.aws/aws-controllers-k8s/cloudwatchlogs-chart:0.0.9
+ name = try(var.cloudwatchlogs.name, local.cloudwatchlogs_name)
+ description = try(var.cloudwatchlogs.description, "Helm Chart for CloudWatch Logs controller for ACK")
+ namespace = try(var.cloudwatchlogs.namespace, "ack-system")
+ create_namespace = try(var.cloudwatchlogs.create_namespace, true)
+ chart = "cloudwatchlogs-chart"
+ chart_version = try(var.cloudwatchlogs.chart_version, "0.0.9")
+ repository = try(var.cloudwatchlogs.repository, "oci://public.ecr.aws/aws-controllers-k8s")
+ values = try(var.cloudwatchlogs.values, [])
+
+ timeout = try(var.cloudwatchlogs.timeout, null)
+ repository_key_file = try(var.cloudwatchlogs.repository_key_file, null)
+ repository_cert_file = try(var.cloudwatchlogs.repository_cert_file, null)
+ repository_ca_file = try(var.cloudwatchlogs.repository_ca_file, null)
+ repository_username = try(var.cloudwatchlogs.repository_username, local.repository_username)
+ repository_password = try(var.cloudwatchlogs.repository_password, local.repository_password)
+ devel = try(var.cloudwatchlogs.devel, null)
+ verify = try(var.cloudwatchlogs.verify, null)
+ keyring = try(var.cloudwatchlogs.keyring, null)
+ disable_webhooks = try(var.cloudwatchlogs.disable_webhooks, null)
+ reuse_values = try(var.cloudwatchlogs.reuse_values, null)
+ reset_values = try(var.cloudwatchlogs.reset_values, null)
+ force_update = try(var.cloudwatchlogs.force_update, null)
+ recreate_pods = try(var.cloudwatchlogs.recreate_pods, null)
+ cleanup_on_fail = try(var.cloudwatchlogs.cleanup_on_fail, null)
+ max_history = try(var.cloudwatchlogs.max_history, null)
+ atomic = try(var.cloudwatchlogs.atomic, null)
+ skip_crds = try(var.cloudwatchlogs.skip_crds, null)
+ render_subchart_notes = try(var.cloudwatchlogs.render_subchart_notes, null)
+ disable_openapi_validation = try(var.cloudwatchlogs.disable_openapi_validation, null)
+ wait = try(var.cloudwatchlogs.wait, false)
+ wait_for_jobs = try(var.cloudwatchlogs.wait_for_jobs, null)
+ dependency_update = try(var.cloudwatchlogs.dependency_update, null)
+ replace = try(var.cloudwatchlogs.replace, null)
+ lint = try(var.cloudwatchlogs.lint, null)
+
+ postrender = try(var.cloudwatchlogs.postrender, [])
+
+ set = concat([
+ {
+ # shortens pod name from `ack-cloudwatchlogs-cloudwatchlogs-chart-xxxxxxxxxxxxx` to `ack-cloudwatchlogs-xxxxxxxxxxxxx`
+ name = "nameOverride"
+ value = "ack-cloudwatchlogs"
+ },
+ {
+ name = "aws.region"
+ value = local.region
+ },
+ {
+ name = "serviceAccount.name"
+ value = local.cloudwatchlogs_name
+ }],
+ try(var.cloudwatchlogs.set, [])
+ )
+ set_sensitive = try(var.cloudwatchlogs.set_sensitive, [])
+
+ # IAM role for service account (IRSA)
+ set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"]
+ create_role = try(var.cloudwatchlogs.create_role, true)
+ role_name = try(var.cloudwatchlogs.role_name, "ack-cloudwatchlogs")
+ role_name_use_prefix = try(var.cloudwatchlogs.role_name_use_prefix, true)
+ role_path = try(var.cloudwatchlogs.role_path, "/")
+ role_permissions_boundary_arn = lookup(var.cloudwatchlogs, "role_permissions_boundary_arn", null)
+ role_description = try(var.cloudwatchlogs.role_description, "IRSA for CloudWatch Logs controller for ACK")
+ role_policies = lookup(var.cloudwatchlogs, "role_policies", {
+ policy = var.enable_cloudwatchlogs ? aws_iam_policy.cloudwatchlogs[0].arn : null
+ })
+ create_policy = try(var.cloudwatchlogs.create_policy, false)
+
+ oidc_providers = {
+ this = {
+ provider_arn = local.oidc_provider_arn
+ # namespace is inherited from chart
+ service_account = local.cloudwatchlogs_name
+ }
+ }
+
+ tags = var.tags
+}
+
+# recommended cloudwatchlogs-controller policy https://github.com/aws-controllers-k8s/cloudwatchlogs-controller/blob/main/config/iam/recommended-inline-policy
+data "aws_iam_policy_document" "cloudwatchlogs" {
+ count = var.enable_cloudwatchlogs ? 1 : 0
+
+ statement {
+ sid = "VisualEditor0"
+ effect = "Allow"
+
+ actions = [
+ "logs:TagLogGroup",
+ "logs:DescribeLogGroups",
+ "logs:UntagLogGroup",
+ "logs:DeleteLogGroup",
+ "logs:UntagResource",
+ "logs:TagResource",
+ "logs:CreateLogGroup",
+ "logs:ListTagsForResource",
+ ]
+
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "cloudwatchlogs" {
+ count = var.enable_cloudwatchlogs ? 1 : 0
+
+ name = "CloudWatchLogsController"
+ description = "IAM policy for CloudWatch Logs Controller"
+ policy = data.aws_iam_policy_document.cloudwatchlogs[0].json
+
+ tags = var.tags
+}
+
+################################################################################
+# Kinesis
+################################################################################
+
+locals {
+ kinesis_name = "ack-kinesis"
+}
+
+module "kinesis" {
+ source = "aws-ia/eks-blueprints-addon/aws"
+ version = "1.1.1"
+
+ create = var.enable_kinesis
+
+ # Disable helm release
+ create_release = var.create_kubernetes_resources
+
+ # public.ecr.aws/aws-controllers-k8s/kinesis-chart:0.0.17
+ name = try(var.kinesis.name, local.kinesis_name)
+ description = try(var.kinesis.description, "Helm Chart for Kinesis controller for ACK")
+ namespace = try(var.kinesis.namespace, "ack-system")
+ create_namespace = try(var.kinesis.create_namespace, true)
+ chart = "kinesis-chart"
+ chart_version = try(var.kinesis.chart_version, "0.0.17")
+ repository = try(var.kinesis.repository, "oci://public.ecr.aws/aws-controllers-k8s")
+ values = try(var.kinesis.values, [])
+
+ timeout = try(var.kinesis.timeout, null)
+ repository_key_file = try(var.kinesis.repository_key_file, null)
+ repository_cert_file = try(var.kinesis.repository_cert_file, null)
+ repository_ca_file = try(var.kinesis.repository_ca_file, null)
+ repository_username = try(var.kinesis.repository_username, local.repository_username)
+ repository_password = try(var.kinesis.repository_password, local.repository_password)
+ devel = try(var.kinesis.devel, null)
+ verify = try(var.kinesis.verify, null)
+ keyring = try(var.kinesis.keyring, null)
+ disable_webhooks = try(var.kinesis.disable_webhooks, null)
+ reuse_values = try(var.kinesis.reuse_values, null)
+ reset_values = try(var.kinesis.reset_values, null)
+ force_update = try(var.kinesis.force_update, null)
+ recreate_pods = try(var.kinesis.recreate_pods, null)
+ cleanup_on_fail = try(var.kinesis.cleanup_on_fail, null)
+ max_history = try(var.kinesis.max_history, null)
+ atomic = try(var.kinesis.atomic, null)
+ skip_crds = try(var.kinesis.skip_crds, null)
+ render_subchart_notes = try(var.kinesis.render_subchart_notes, null)
+ disable_openapi_validation = try(var.kinesis.disable_openapi_validation, null)
+ wait = try(var.kinesis.wait, false)
+ wait_for_jobs = try(var.kinesis.wait_for_jobs, null)
+ dependency_update = try(var.kinesis.dependency_update, null)
+ replace = try(var.kinesis.replace, null)
+ lint = try(var.kinesis.lint, null)
+
+ postrender = try(var.kinesis.postrender, [])
+
+ set = concat([
+ {
+ # shortens pod name from `ack-kinesis-kinesis-chart-xxxxxxxxxxxxx` to `ack-kinesis-xxxxxxxxxxxxx`
+ name = "nameOverride"
+ value = "ack-kinesis"
+ },
+ {
+ name = "aws.region"
+ value = local.region
+ },
+ {
+ name = "serviceAccount.name"
+ value = local.kinesis_name
+ }],
+ try(var.kinesis.set, [])
+ )
+ set_sensitive = try(var.kinesis.set_sensitive, [])
+
+ # IAM role for service account (IRSA)
+ set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"]
+ create_role = try(var.kinesis.create_role, true)
+ role_name = try(var.kinesis.role_name, "ack-kinesis")
+ role_name_use_prefix = try(var.kinesis.role_name_use_prefix, true)
+ role_path = try(var.kinesis.role_path, "/")
+ role_permissions_boundary_arn = lookup(var.kinesis, "role_permissions_boundary_arn", null)
+ role_description = try(var.kinesis.role_description, "IRSA for Kinesis controller for ACK")
+ role_policies = lookup(var.kinesis, "role_policies", {
+ policy = var.enable_kinesis ? aws_iam_policy.kinesis[0].arn : null
+ })
+
+ create_policy = try(var.kinesis.create_policy, false)
+
+ oidc_providers = {
+ this = {
+ provider_arn = local.oidc_provider_arn
+ # namespace is inherited from chart
+ service_account = local.kinesis_name
+ }
+ }
+
+ tags = var.tags
+}
+
+# recommended kinesis-controller policy https://github.com/aws-controllers-k8s/kinesis-controller/blob/main/config/iam/recommended-inline-policy
+data "aws_iam_policy_document" "kinesis" {
+ count = var.enable_kinesis ? 1 : 0
+
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "kinesis:ListStreams",
+ "kinesis:DeleteStream",
+ "kinesis:DescribeStreamSummary",
+ "kinesis:ListShards",
+ "kinesis:UpdateShardCount",
+ "kinesis:CreateStream",
+ "kinesis:DescribeStream",
+ ]
+
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "kinesis" {
+ count = var.enable_kinesis ? 1 : 0
+
+ name = "KinesisController"
+ description = "IAM policy for Kinesis Controller"
+ policy = data.aws_iam_policy_document.kinesis[0].json
+
+ tags = var.tags
+}
+
 ################################################################################
 # Secrets Manager
 ################################################################################
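Review bot: All three new policy documents grant their delete and update actions on `resources = ["*"]`, so the `ack-networkfirewall`, `ack-cloudwatchlogs` and `ack-kinesis` IRSA roles can delete any firewall, any log group (potentially including the ones holding audit logs) or any stream in the account, not only resources the controllers created, and nothing in the hunk says so or points at the scoping hooks. I would put a comment above each `data "aws_iam_policy_document"` such as `# NOTE: mirrors the upstream recommended policy and is account-wide; tighten via role_permissions_boundary_arn or by supplying role_policies, and restrict RBAC on the ACK CRDs, since anyone who can create those CRs presumably acts with this role`. Separately, `name = "NetworkFirewallController"` (and the CloudWatchLogs and Kinesis equivalents) is a fixed IAM policy name while the matching role uses `role_name_use_prefix = true`, so a second instance of this module in the same account fails with EntityAlreadyExists; `name_prefix = "NetworkFirewallController-"` in place of `name` avoids that, provided the pre-existing policies in this file are changed the same way. The `sid = "VisualEditor0"` on the CloudWatch Logs statement is a console artifact and can be dropped for consistency with the other two statements.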
@@ -719,7 +1108,6 @@ module "keyspaces" { tags = var.tags } - ################################################################################ # Kafka ################################################################################ diff --git a/outputs.tf b/outputs.tf index 06da03a..6ae9628 100644 --- a/outputs.tf +++ b/outputs.tf @@ -11,6 +11,24 @@ added or an addon is updated, and new metadata for the Helm chart is needed. output "gitops_metadata" { description = "GitOps Bridge metadata" value = merge( + { for k, v in { + iam_role_arn = module.networkfirewall.iam_role_arn + namespace = try(var.networkfirewall.namespace, "ack-system") + service_account = local.networkfirewall_name + } : "ack_iam_${k}" => v if var.enable_networkfirewall + }, + { for k, v in { + iam_role_arn = module.cloudwatchlogs.iam_role_arn + namespace = try(var.cloudwatchlogs.namespace, "ack-system") + service_account = local.cloudwatchlogs_name + } : "ack_iam_${k}" => v if var.enable_cloudwatchlogs + }, + { for k, v in { + iam_role_arn = module.kinesis.iam_role_arn + namespace = try(var.kinesis.namespace, "ack-system") + service_account = local.kinesis_name + } : "ack_iam_${k}" => v if var.enable_kinesis + }, { for k, v in { iam_role_arn = module.secretsmanager.iam_role_arn namespace = try(var.secretsmanager.namespace, "ack-system") diff --git a/variables.tf b/variables.tf index 724a124..72655d4 100644 --- a/variables.tf +++ b/variables.tf 
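Review bot: The three maps added to `gitops_metadata` all use the key prefix `"ack_iam_${k}"`, so after `merge()` they collide with each other — only the last enabled controller's `iam_role_arn`, `namespace` and `service_account` survive — and, if the existing IAM-controller entry elsewhere in this output uses the same prefix, they overwrite that as well. Since this metadata is presumably what a GitOps deployment reads to annotate each controller's service account with its IRSA role, a consumer could end up binding, for example, the Kinesis controller to the Network Firewall role. The prefixes should be per controller: `"ack_networkfirewall_${k}"`, `"ack_cloudwatchlogs_${k}"` and `"ack_kinesis_${k}"`. The `output "gitops_metadata"` block continues past the hunk.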
@@ -43,6 +43,54 @@ variable "tags" {
 default = {}
 }
 
+################################################################################
+# Amazon Network Firewall
+################################################################################
+
+variable "enable_networkfirewall" {
+ description = "Enable ACK Network Firewall add-on"
+ type = bool
+ default = false
+}
+
+variable "networkfirewall" {
+ description = "ACK Network Firewall Helm Chart config"
+ type = any
+ default = {}
+}
+
+################################################################################
+# Amazon CloudWatch Logs
+################################################################################
+
+variable "enable_cloudwatchlogs" {
+ description = "Enable ACK CloudWatch Logs add-on"
+ type = bool
+ default = false
+}
+
+variable "cloudwatchlogs" {
+ description = "ACK CloudWatch Logs Helm Chart config"
+ type = any
+ default = {}
+}
+
+################################################################################
+# Kinesis
+################################################################################
+
+variable "enable_kinesis" {
+ description = "Enable ACK Kinesis add-on"
+ type = bool
+ default = false
+}
+
+variable "kinesis" {
+ description = "ACK Kinesis Helm Chart config"
+ type = any
+ default = {}
+}
+
 ################################################################################
 # Secrets Manager
 ################################################################################
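Review bot: The descriptions of `networkfirewall`, `cloudwatchlogs` and `kinesis` say "Helm Chart config", but main.tf also reads IAM settings out of the same object (`create_role`, `role_name`, `role_permissions_boundary_arn`, `role_policies`, `create_policy`), and with `type = any` nothing documents or validates those keys. I would extend each description along the lines of `description = "ACK Network Firewall Helm Chart config; also accepts IRSA settings (create_role, role_name, role_permissions_boundary_arn, role_policies, create_policy) that override the module-created role and policy"`, so an operator who needs to tighten the controller's account-wide permissions can find the hooks without reading main.tf.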