diff --git a/README.md b/README.md
index 8254c7c..55791fe 100644
--- a/README.md
+++ b/README.md
@@ -18,27 +18,33 @@ module "eks_ack_addons" {
 ecrpublic_token = ""
 
 # Controllers to enable
- enable_sagemaker = true
- enable_memorydb = true
- enable_opensearchservice = true
- enable_ecr = true
- enable_sns = true
- enable_sqs = true
- enable_lambda = true
- enable_iam = true
- enable_ec2 = true
- enable_eks = true
- enable_kms = true
- enable_acm = true
- enable_apigatewayv2 = true
- enable_dynamodb = true
- enable_s3 = true
- enable_elasticache = true
- enable_rds = true
- enable_prometheusservice = true
- enable_emrcontainers = true
- enable_sfn = true
- enable_eventbridge = true
+ enable_kafka = true
+ enable_efs = true
+ enable_ecs = true
+ enable_cloudtrail = true
+ enable_cloudfront = true
+ enable_applicationautoscaling = true
+ enable_sagemaker = true
+ enable_memorydb = true
+ enable_opensearchservice = true
+ enable_ecr = true
+ enable_sns = true
+ enable_sqs = true
+ enable_lambda = true
+ enable_iam = true
+ enable_ec2 = true
+ enable_eks = true
+ enable_kms = true
+ enable_acm = true
+ enable_apigatewayv2 = true
+ enable_dynamodb = true
+ enable_s3 = true
+ enable_elasticache = true
+ enable_rds = true
+ enable_prometheusservice = true
+ enable_emrcontainers = true
+ enable_sfn = true
+ enable_eventbridge = true
 
 tags = {
 Environment = "dev"
@@ -74,14 +80,20 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws
 |------|--------|---------|
 | [acm](#module\_acm) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [apigatewayv2](#module\_apigatewayv2) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
+| [applicationautoscaling](#module\_applicationautoscaling) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
+| [cloudfront](#module\_cloudfront) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
+| [cloudtrail](#module\_cloudtrail) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [dynamodb](#module\_dynamodb) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [ec2](#module\_ec2) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [ecr](#module\_ecr) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
+| [ecs](#module\_ecs) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
+| [efs](#module\_efs) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [eks](#module\_eks) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [elasticache](#module\_elasticache) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [emrcontainers](#module\_emrcontainers) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [eventbridge](#module\_eventbridge) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [iam](#module\_iam) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
+| [kafka](#module\_kafka) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [kms](#module\_kms) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [lambda](#module\_lambda) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [memorydb](#module\_memorydb) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
@@ -125,6 +137,9 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws
 |------|-------------|------|---------|:--------:|
 | [acm](#input\_acm) | ACK acm Helm Chart config | `any` | `{}` | no |
 | [apigatewayv2](#input\_apigatewayv2) | ACK API gateway v2 Helm Chart config | `any` | `{}` | no |
+| [applicationautoscaling](#input\_applicationautoscaling) | ACK Application Autoscaling Helm Chart config | `any` | `{}` | no |
+| [cloudfront](#input\_cloudfront) | ACK cloudfront Helm Chart config | `any` | `{}` | no |
+| [cloudtrail](#input\_cloudtrail) | ACK Cloudtrail Helm Chart config | `any` | `{}` | no |
 | [cluster\_endpoint](#input\_cluster\_endpoint) | Endpoint for your Kubernetes API server | `string` | n/a | yes |
 | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes |
 | [create\_delay\_dependencies](#input\_create\_delay\_dependencies) | Dependency attribute which must be resolved before starting the `create_delay_duration` | `list(string)` | `[]` | no |
@@ -135,19 +150,27 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws
 | [ecr](#input\_ecr) | ACK ECR Helm Chart config | `any` | `{}` | no |
 | [ecrpublic\_token](#input\_ecrpublic\_token) | Password decoded from the authorization token for accessing public ECR | `string` | `""` | no |
 | [ecrpublic\_username](#input\_ecrpublic\_username) | User name decoded from the authorization token for accessing public ECR | `string` | `""` | no |
+| [ecs](#input\_ecs) | ACK ECS Helm Chart config | `any` | `{}` | no |
+| [efs](#input\_efs) | ACK EFS Helm Chart config | `any` | `{}` | no |
 | [eks](#input\_eks) | ACK eks Helm Chart config | `any` | `{}` | no |
 | [elasticache](#input\_elasticache) | ACK elasticache Helm Chart config | `any` | `{}` | no |
 | [emrcontainers](#input\_emrcontainers) | ACK EMR container Helm Chart config | `any` | `{}` | no |
 | [enable\_acm](#input\_enable\_acm) | Enable ACK acm add-on | `bool` | `false` | no |
 | [enable\_apigatewayv2](#input\_enable\_apigatewayv2) | Enable ACK API gateway v2 add-on | `bool` | `false` | no |
+| [enable\_applicationautoscaling](#input\_enable\_applicationautoscaling) | Enable ACK Application Autoscaling add-on | `bool` | `false` | no |
+| [enable\_cloudfront](#input\_enable\_cloudfront) | Enable ACK Cloudfront add-on | `bool` | `false` | no |
+| [enable\_cloudtrail](#input\_enable\_cloudtrail) | Enable ACK Cloudtrail add-on | `bool` | `false` | no |
 | [enable\_dynamodb](#input\_enable\_dynamodb) | Enable ACK dynamodb add-on | `bool` | `false` | no |
 | [enable\_ec2](#input\_enable\_ec2) | Enable ACK ec2 add-on | `bool` | `false` | no |
 | [enable\_ecr](#input\_enable\_ecr) | Enable ACK ECR add-on | `bool` | `false` | no |
+| [enable\_ecs](#input\_enable\_ecs) | Enable ACK ECS add-on | `bool` | `false` | no |
+| [enable\_efs](#input\_enable\_efs) | Enable ACK EFS add-on | `bool` | `false` | no |
 | [enable\_eks](#input\_enable\_eks) | Enable ACK eks add-on | `bool` | `false` | no |
 | [enable\_elasticache](#input\_enable\_elasticache) | Enable ACK elasticache add-on | `bool` | `false` | no |
 | [enable\_emrcontainers](#input\_enable\_emrcontainers) | Enable ACK EMR container add-on | `bool` | `false` | no |
 | [enable\_eventbridge](#input\_enable\_eventbridge) | Enable ACK EventBridge add-on | `bool` | `false` | no |
 | [enable\_iam](#input\_enable\_iam) | Enable ACK iam add-on | `bool` | `false` | no |
+| [enable\_kafka](#input\_enable\_kafka) | Enable ACK Kafka add-on | `bool` | `false` | no |
 | [enable\_kms](#input\_enable\_kms) | Enable ACK kms add-on | `bool` | `false` | no |
 | [enable\_lambda](#input\_enable\_lambda) | Enable ACK Lambda add-on | `bool` | `false` | no |
 | [enable\_memorydb](#input\_enable\_memorydb) | Enable ACK MemoryDB add-on | `bool` | `false` | no |
@@ -161,6 +184,7 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws
 | [enable\_sqs](#input\_enable\_sqs) | Enable ACK SQS add-on | `bool` | `false` | no |
 | [eventbridge](#input\_eventbridge) | ACK EventBridge Helm Chart config | `any` | `{}` | no |
 | [iam](#input\_iam) | ACK iam Helm Chart config | `any` | `{}` | no |
+| [kafka](#input\_kafka) | ACK Kafka Helm Chart config | `any` | `{}` | no |
 | [kms](#input\_kms) | ACK kms Helm Chart config | `any` | `{}` | no |
 | [lambda](#input\_lambda) | ACK Lambda Helm Chart config | `any` | `{}` | no |
 | [memorydb](#input\_memorydb) | ACK MemoryDB Helm Chart config | `any` | `{}` | no |
diff --git a/examples/complete/README.md b/examples/complete/README.md
index b288436..d402eba 100644
--- a/examples/complete/README.md
+++ b/examples/complete/README.md
@@ -1,7 +1,12 @@
 # Complete Example
 
 Configuration in this directory creates an AWS EKS cluster with the following ACK addons:
-
+- Amazon Kafka
+- Amazon EFS
+- Amazon ECS
+- Amazon CloudTrail
+- Amazon CloudFront
+- Amazon Application Auto Scaling
 - Amazon ACM Controller
 - Amazon ApiGatewayV2 Controller
 - Amazon DynamoDB Controller
@@ -63,41 +68,47 @@ aws eks --region update-kubeconfig --name
 kubectl get pods -A
 
 NAMESPACE NAME READY STATUS RESTARTS AGE
-ack-system ack-acm-5ffccbd5d5-6ns6v 1/1 Running 0 60s
-ack-system ack-apigatewayv2-cf6cd9d67-gfw5k 1/1 Running 0 60s
-ack-system ack-dynamodb-bd47f88b7-4smb5 1/1 Running 0 60s
-ack-system ack-ec2-54dfcf968-2vvcf 1/1 Running 0 60s
-ack-system ack-ecr-5b4699f87b-n5bfp 1/1 Running 0 60s
-ack-system ack-eks-9cb44fc-vgsvf 1/1 Running 0 59s
-ack-system ack-elasticache-5758ff66bd-fn7cv 1/1 Running 0 59s
-ack-system ack-emrcontainers-69ffb54758-s4d25 1/1 Running 0 59s
-ack-system ack-eventbridge-58c7d4c8f5-hzc7m 1/1 Running 0 59s
-ack-system ack-iam-7486c996c8-qmmd6 1/1 Running 0 58s
-ack-system ack-kms-bb956b4fc-vtn7x 1/1 Running 0 58s
-ack-system ack-lambda-65bd7fbc8d-lql8x 1/1 Running 0 58s
-ack-system ack-memorydb-76c988f6dd-zxprv 1/1 Running 0 58s
-ack-system ack-opensearchservice-7fd9d8c866-xzqfh 1/1 Running 0 57s
-ack-system ack-prometheusservice-5bccddc6f-clnz9 1/1 Running 0 57s
-ack-system ack-rds-57499b447d-qqf7w 1/1 Running 0 57s
-ack-system ack-s3-78b44bf586-4f25v 1/1 Running 0 57s
-ack-system ack-sagemaker-74f65d4cb9-9r74h 1/1 Running 0 57s
-ack-system ack-sfn-7494cbccf-mwq7z 1/1 Running 0 56s
-ack-system ack-sns-56bb579874-hk78c 1/1 Running 0 56s
-ack-system ack-sqs-5f7bc84d45-jtd5b 1/1 Running 0 56s
-kube-system aws-load-balancer-controller-84b5bf9c5f-4dm9s 1/1 Running 0 34m
-kube-system aws-load-balancer-controller-84b5bf9c5f-62km5 1/1 Running 0 34m
-kube-system aws-node-2pfp8 2/2 Running 0 32m
-kube-system aws-node-c6mdg 2/2 Running 0 32m
-kube-system aws-node-d8m55 2/2 Running 0 32m
-kube-system coredns-787cb67946-8psqv 1/1 Running 0 38m
-kube-system coredns-787cb67946-nvtnt 1/1 Running 0 38m
-kube-system eks-pod-identity-agent-2lw9f 1/1 Running 0 33m
-kube-system eks-pod-identity-agent-dhdxs 1/1 Running 0 33m
-kube-system eks-pod-identity-agent-zt7gz 1/1 Running 0 33m
-kube-system kube-proxy-2xjzt 1/1 Running 0 33m
-kube-system kube-proxy-h27hw 1/1 Running 0 34m
-kube-system kube-proxy-kd57b 1/1 Running 0 33m
-kube-system metrics-server-7577444cf8-7f95q 1/1 Running 0 35m
+ack-system ack-acm-5697f4c5b4-bpkrg 1/1 Running 0 10m
+ack-system ack-apigatewayv2-76d6bbd788-82m2h 1/1 Running 0 9m37s
+ack-system ack-applicationautoscaling-5fd6c8bf8f-kl4gt 1/1 Running 0 8m58s
+ack-system ack-cloudfront-544f4887c4-dr6ds 1/1 Running 0 8m12s
+ack-system ack-cloudtrail-5dc78b7576-hnk4d 1/1 Running 0 10m
+ack-system ack-dynamodb-7f4b47488d-tftpf 1/1 Running 0 8m37s
+ack-system ack-ec2-5fbf6f55d9-smb4k 1/1 Running 0 9m37s
+ack-system ack-ecr-5b4699f87b-j6kxq 1/1 Running 0 9m7s
+ack-system ack-ecs-74d8d67695-dbpth 1/1 Running 0 10m
+ack-system ack-efs-7b9f965b96-rpwts 1/1 Running 0 9m54s
+ack-system ack-eks-54945d94d4-6stzs 1/1 Running 0 8m34s
+ack-system ack-elasticache-5758ff66bd-dwfkh 1/1 Running 0 10m
+ack-system ack-emrcontainers-74c5d7b8c-bljlk 1/1 Running 0 10m
+ack-system ack-eventbridge-b76bd85b8-rxgsf 1/1 Running 0 9m46s
+ack-system ack-iam-89dd5d6b5-2hzch 1/1 Running 0 8m24s
+ack-system ack-kafka-7bd95bd59-pz258 1/1 Running 0 9m40s
+ack-system ack-kms-58b89848db-p4w6c 1/1 Running 0 8m21s
+ack-system ack-lambda-65bd7fbc8d-529d7 1/1 Running 0 10m
+ack-system ack-memorydb-76c988f6dd-phbsc 1/1 Running 0 8m7s
+ack-system ack-opensearchservice-7fd9d8c866-fg6h6 1/1 Running 0 8m33s
+ack-system ack-prometheusservice-6d657cd878-kcdsh 1/1 Running 0 9m58s
+ack-system ack-rds-7df84bf989-87j4s 1/1 Running 0 9m31s
+ack-system ack-s3-6ffc4698c6-kg8vw 1/1 Running 0 8m28s
+ack-system ack-sagemaker-74f65d4cb9-dzxng 1/1 Running 0 8m24s
+ack-system ack-sfn-6b875794cb-k7dnb 1/1 Running 0 10m
+ack-system ack-sns-5c75794dbc-6n42j 1/1 Running 0 10m
+ack-system ack-sqs-55dfc46cd6-n6qb8 1/1 Running 0 10m
+kube-system aws-load-balancer-controller-84b5bf9c5f-k88tj 1/1 Running 0 10m
+kube-system aws-load-balancer-controller-84b5bf9c5f-xqczl 1/1 Running 0 10m
+kube-system aws-node-6kswr 2/2 Running 0 8m22s
+kube-system aws-node-8fkb7 2/2 Running 0 8m26s
+kube-system aws-node-c482x 2/2 Running 0 8m18s
+kube-system coredns-787cb67946-lsxph 1/1 Running 0 14m
+kube-system coredns-787cb67946-zbq6s 1/1 Running 0 14m
+kube-system eks-pod-identity-agent-6b2bc 1/1 Running 0 8m39s
+kube-system eks-pod-identity-agent-b8gh8 1/1 Running 0 8m39s
+kube-system eks-pod-identity-agent-cq5kr 1/1 Running 0 8m39s
+kube-system kube-proxy-6jn9z 1/1 Running 0 10m
+kube-system kube-proxy-6mfvr 1/1 Running 0 10m
+kube-system kube-proxy-k4c6w 1/1 Running 0 10m
+kube-system metrics-server-7577444cf8-f4vgk 1/1 Running 0 11m
 ```
 
 ## Sample Application Deployment
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 7016b85..27b136c 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -131,27 +131,33 @@ module "eks_ack_addons" {
 ecrpublic_token = data.aws_ecrpublic_authorization_token.token.password
 
 # Controllers to enable
- enable_sagemaker = true
- enable_memorydb = true
- enable_opensearchservice = true
- enable_ecr = true
- enable_sns = true
- enable_sqs = true
- enable_lambda = true
- enable_iam = true
- enable_ec2 = true
- enable_eks = true
- enable_kms = true
- enable_acm = true
- enable_apigatewayv2 = true
- enable_dynamodb = true
- enable_s3 = true
- enable_elasticache = true
- enable_rds = true
- enable_prometheusservice = true
- enable_emrcontainers = true
- enable_sfn = true
- enable_eventbridge = true
+ enable_kafka = true
+ enable_efs = true
+ enable_ecs = true
+ enable_cloudtrail = true
+ enable_cloudfront = true
+ enable_applicationautoscaling = true
+ enable_sagemaker = true
+ enable_memorydb = true
+ enable_opensearchservice = true
+ enable_ecr = true
+ enable_sns = true
+ enable_sqs = true
+ enable_lambda = true
+ enable_iam = true
+ enable_ec2 = true
+ enable_eks = true
+ enable_kms = true
+ enable_acm = true
+ enable_apigatewayv2 = true
+ enable_dynamodb = true
+ enable_s3 = true
+ enable_elasticache = true
+ enable_rds = true
+ enable_prometheusservice = true
+ enable_emrcontainers = true
+ enable_sfn = true
+ enable_eventbridge = true
 
 tags = local.tags
 }
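Review bot: Every controller switched on here, including the six new flags at the top of the hunk, is backed by an IRSA role whose `role_policies` default (per the main.tf hunk in this same diff) to an AWS managed policy whose name indicates service-wide write access — `AmazonMSKFullAccess`, `AmazonElasticFileSystemFullAccess`, `AmazonECS_FullAccess`, `AWSCloudTrail_FullAccess`, `CloudFrontFullAccess` — so the "complete" example stands up 27 controller pods in `ack-system`, and `enable_cloudtrail = true` in particular gives a cluster workload a role that can reconfigure the account's audit trail. Examples of this kind get copied verbatim, so the example should either pass a narrowed `role_policies` map for at least the cloudtrail and iam controllers or carry a comment above the flags such as `# Each enabled controller gets an IRSA role with the module's default *FullAccess managed policy; override role_policies per controller before reusing this outside a sandbox account`. As a point of style, the new flags are prepended rather than kept in the same order as the README input table, which makes the two lists harder to compare. The enclosing `module "eks_ack_addons"` block starts outside the hunk.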
@@ -33,6 +33,594 @@ locals {
 repository_password = var.create_kubernetes_resources ? var.ecrpublic_token : ""
 }
 
+################################################################################
+# Kafka
+################################################################################
+
+locals {
+ kafka_name = "ack-kafka"
+}
+
+module "kafka" {
+ source = "aws-ia/eks-blueprints-addon/aws"
+ version = "1.1.1"
+
+ create = var.enable_kafka
+
+ # Disable helm release
+ create_release = var.create_kubernetes_resources
+
+ # public.ecr.aws/aws-controllers-k8s/kafka-chart:0.0.11
+ name = try(var.kafka.name, local.kafka_name)
+ description = try(var.kafka.description, "Helm Chart for Kafka controller for ACK")
+ namespace = try(var.kafka.namespace, "ack-system")
+ create_namespace = try(var.kafka.create_namespace, true)
+ chart = "kafka-chart"
+ chart_version = try(var.kafka.chart_version, "0.0.11")
+ repository = try(var.kafka.repository, "oci://public.ecr.aws/aws-controllers-k8s")
+ values = try(var.kafka.values, [])
+
+ timeout = try(var.kafka.timeout, null)
+ repository_key_file = try(var.kafka.repository_key_file, null)
+ repository_cert_file = try(var.kafka.repository_cert_file, null)
+ repository_ca_file = try(var.kafka.repository_ca_file, null)
+ repository_username = try(var.kafka.repository_username, local.repository_username)
+ repository_password = try(var.kafka.repository_password, local.repository_password)
+ devel = try(var.kafka.devel, null)
+ verify = try(var.kafka.verify, null)
+ keyring = try(var.kafka.keyring, null)
+ disable_webhooks = try(var.kafka.disable_webhooks, null)
+ reuse_values = try(var.kafka.reuse_values, null)
+ reset_values = try(var.kafka.reset_values, null)
+ force_update = try(var.kafka.force_update, null)
+ recreate_pods = try(var.kafka.recreate_pods, null)
+ cleanup_on_fail = try(var.kafka.cleanup_on_fail, null)
+ max_history = try(var.kafka.max_history, null)
+ atomic = try(var.kafka.atomic, null)
+ skip_crds = try(var.kafka.skip_crds, null)
+ render_subchart_notes = try(var.kafka.render_subchart_notes, null)
+ disable_openapi_validation = try(var.kafka.disable_openapi_validation, null)
+ wait = try(var.kafka.wait, false)
+ wait_for_jobs = try(var.kafka.wait_for_jobs, null)
+ dependency_update = try(var.kafka.dependency_update, null)
+ replace = try(var.kafka.replace, null)
+ lint = try(var.kafka.lint, null)
+
+ postrender = try(var.kafka.postrender, [])
+
+ set = concat([
+ {
+ # shortens pod name from `ack-kafka-kafka-chart-xxxxxxxxxxxxx` to `ack-kafka-xxxxxxxxxxxxx`
+ name = "nameOverride"
+ value = "ack-kafka"
+ },
+ {
+ name = "aws.region"
+ value = local.region
+ },
+ {
+ name = "serviceAccount.name"
+ value = local.kafka_name
+ }],
+ try(var.kafka.set, [])
+ )
+ set_sensitive = try(var.kafka.set_sensitive, [])
+
+ # IAM role for service account (IRSA)
+ set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"]
+ create_role = try(var.kafka.create_role, true)
+ role_name = try(var.kafka.role_name, "ack-kafka")
+ role_name_use_prefix = try(var.kafka.role_name_use_prefix, true)
+ role_path = try(var.kafka.role_path, "/")
+ role_permissions_boundary_arn = lookup(var.kafka, "role_permissions_boundary_arn", null)
+ role_description = try(var.kafka.role_description, "IRSA for Kafka controller for ACK")
+ role_policies = lookup(var.kafka, "role_policies", {
+ AmazonMSKFullAccess = "${local.iam_role_policy_prefix}/AmazonMSKFullAccess"
+ })
+
+ create_policy = try(var.kafka.create_policy, false)
+
+ oidc_providers = {
+ this = {
+ provider_arn = local.oidc_provider_arn
+ # namespace is inherited from chart
+ service_account = local.kafka_name
+ }
+ }
+
+ tags = var.tags
+}
+
+################################################################################
+# EFS
+################################################################################
+
+locals {
+ efs_name = "ack-efs"
+}
+
+module "efs" {
+ source = "aws-ia/eks-blueprints-addon/aws"
+ version = "1.1.1"
+
+ create = var.enable_efs
+
+ # Disable helm release
+ create_release = var.create_kubernetes_resources
+
+ # public.ecr.aws/aws-controllers-k8s/efs-chart:0.0.9
+ name = try(var.efs.name, local.efs_name)
+ description = try(var.efs.description, "Helm Chart for EFS controller for ACK")
+ namespace = try(var.efs.namespace, "ack-system")
+ create_namespace = try(var.efs.create_namespace, true)
+ chart = "efs-chart"
+ chart_version = try(var.efs.chart_version, "0.0.9")
+ repository = try(var.efs.repository, "oci://public.ecr.aws/aws-controllers-k8s")
+ values = try(var.efs.values, [])
+
+ timeout = try(var.efs.timeout, null)
+ repository_key_file = try(var.efs.repository_key_file, null)
+ repository_cert_file = try(var.efs.repository_cert_file, null)
+ repository_ca_file = try(var.efs.repository_ca_file, null)
+ repository_username = try(var.efs.repository_username, local.repository_username)
+ repository_password = try(var.efs.repository_password, local.repository_password)
+ devel = try(var.efs.devel, null)
+ verify = try(var.efs.verify, null)
+ keyring = try(var.efs.keyring, null)
+ disable_webhooks = try(var.efs.disable_webhooks, null)
+ reuse_values = try(var.efs.reuse_values, null)
+ reset_values = try(var.efs.reset_values, null)
+ force_update = try(var.efs.force_update, null)
+ recreate_pods = try(var.efs.recreate_pods, null)
+ cleanup_on_fail = try(var.efs.cleanup_on_fail, null)
+ max_history = try(var.efs.max_history, null)
+ atomic = try(var.efs.atomic, null)
+ skip_crds = try(var.efs.skip_crds, null)
+ render_subchart_notes = try(var.efs.render_subchart_notes, null)
+ disable_openapi_validation = try(var.efs.disable_openapi_validation, null)
+ wait = try(var.efs.wait, false)
+ wait_for_jobs = try(var.efs.wait_for_jobs, null)
+ dependency_update = try(var.efs.dependency_update, null)
+ replace = try(var.efs.replace, null)
+ lint = try(var.efs.lint, null)
+
+ postrender = try(var.efs.postrender, [])
+
+ set = concat([
+ {
+ # shortens pod name from `ack-efs-efs-chart-xxxxxxxxxxxxx` to `ack-efs-xxxxxxxxxxxxx`
+ name = "nameOverride"
+ value = "ack-efs"
+ },
+ {
+ name = "aws.region"
+ value = local.region
+ },
+ {
+ name = "serviceAccount.name"
+ value = local.efs_name
+ }],
+ try(var.efs.set, [])
+ )
+ set_sensitive = try(var.efs.set_sensitive, [])
+
+ # IAM role for service account (IRSA)
+ set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"]
+ create_role = try(var.efs.create_role, true)
+ role_name = try(var.efs.role_name, "ack-efs")
+ role_name_use_prefix = try(var.efs.role_name_use_prefix, true)
+ role_path = try(var.efs.role_path, "/")
+ role_permissions_boundary_arn = lookup(var.efs, "role_permissions_boundary_arn", null)
+ role_description = try(var.efs.role_description, "IRSA for EFS controller for ACK")
+ role_policies = lookup(var.efs, "role_policies", {
+ AmazonElasticFileSystemFullAccess = "${local.iam_role_policy_prefix}/AmazonElasticFileSystemFullAccess"
+ })
+
+ create_policy = try(var.efs.create_policy, false)
+
+ oidc_providers = {
+ this = {
+ provider_arn = local.oidc_provider_arn
+ # namespace is inherited from chart
+ service_account = local.efs_name
+ }
+ }
+
+ tags = var.tags
+}
+
+################################################################################
+# ECS
+################################################################################
+
+locals {
+ ecs_name = "ack-ecs"
+}
+
+module "ecs" {
+ source = "aws-ia/eks-blueprints-addon/aws"
+ version = "1.1.1"
+
+ create = var.enable_ecs
+
+ # Disable helm release
+ create_release = var.create_kubernetes_resources
+
+ # public.ecr.aws/aws-controllers-k8s/ecs-chart:0.0.8
+ name = try(var.ecs.name, local.ecs_name)
+ description = try(var.ecs.description, "Helm Chart for ECS controller for ACK")
+ namespace = try(var.ecs.namespace, "ack-system")
+ create_namespace = try(var.ecs.create_namespace, true)
+ chart = "ecs-chart"
+ chart_version = try(var.ecs.chart_version, "0.0.8")
+ repository = try(var.ecs.repository, "oci://public.ecr.aws/aws-controllers-k8s")
+ values = try(var.ecs.values, [])
+
+ timeout = try(var.ecs.timeout, null)
+ repository_key_file = try(var.ecs.repository_key_file, null)
+ repository_cert_file = try(var.ecs.repository_cert_file, null)
+ repository_ca_file = try(var.ecs.repository_ca_file, null)
+ repository_username = try(var.ecs.repository_username, local.repository_username)
+ repository_password = try(var.ecs.repository_password, local.repository_password)
+ devel = try(var.ecs.devel, null)
+ verify = try(var.ecs.verify, null)
+ keyring = try(var.ecs.keyring, null)
+ disable_webhooks = try(var.ecs.disable_webhooks, null)
+ reuse_values = try(var.ecs.reuse_values, null)
+ reset_values = try(var.ecs.reset_values, null)
+ force_update = try(var.ecs.force_update, null)
+ recreate_pods = try(var.ecs.recreate_pods, null)
+ cleanup_on_fail = try(var.ecs.cleanup_on_fail, null)
+ max_history = try(var.ecs.max_history, null)
+ atomic = try(var.ecs.atomic, null)
+ skip_crds = try(var.ecs.skip_crds, null)
+ render_subchart_notes = try(var.ecs.render_subchart_notes, null)
+ disable_openapi_validation = try(var.ecs.disable_openapi_validation, null)
+ wait = try(var.ecs.wait, false)
+ wait_for_jobs = try(var.ecs.wait_for_jobs, null)
+ dependency_update = try(var.ecs.dependency_update, null)
+ replace = try(var.ecs.replace, null)
+ lint = try(var.ecs.lint, null)
+
+ postrender = try(var.ecs.postrender, [])
+
+ set = concat([
+ {
+ # shortens pod name from `ack-ecs-ecs-chart-xxxxxxxxxxxxx` to `ack-ecs-xxxxxxxxxxxxx`
+ name = "nameOverride"
+ value = "ack-ecs"
+ },
+ {
+ name = "aws.region"
+ value = local.region
+ },
+ {
+ name = "serviceAccount.name"
+ value = local.ecs_name
+ }],
+ try(var.ecs.set, [])
+ )
+ set_sensitive = try(var.ecs.set_sensitive, [])
+
+ # IAM role for service account (IRSA)
+ set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"]
+ create_role = try(var.ecs.create_role, true)
+ role_name = try(var.ecs.role_name, "ack-ecs")
+ role_name_use_prefix = try(var.ecs.role_name_use_prefix, true)
+ role_path = try(var.ecs.role_path, "/")
+ role_permissions_boundary_arn = lookup(var.ecs, "role_permissions_boundary_arn", null)
+ role_description = try(var.ecs.role_description, "IRSA for ECS controller for ACK")
+ role_policies = lookup(var.ecs, "role_policies", {
+ AmazonECS_FullAccess = "${local.iam_role_policy_prefix}/AmazonECS_FullAccess"
+ })
+
+ create_policy = try(var.ecs.create_policy, false)
+
+ oidc_providers = {
+ this = {
+ provider_arn = local.oidc_provider_arn
+ # namespace is inherited from chart
+ service_account = local.ecs_name
+ }
+ }
+
+ tags = var.tags
+}
+
+################################################################################
+# Cloudtrail
+################################################################################
+
+locals {
+ cloudtrail_name = "ack-cloudtrail"
+}
+
+module "cloudtrail" {
+ source = "aws-ia/eks-blueprints-addon/aws"
+ version = "1.1.1"
+
+ create = var.enable_cloudtrail
+
+ # Disable helm release
+ create_release = var.create_kubernetes_resources
+
+ # public.ecr.aws/aws-controllers-k8s/cloudtrail-chart:1.0.13
+ name = try(var.cloudtrail.name, local.cloudtrail_name)
+ description = try(var.cloudtrail.description, "Helm Chart for Cloudtrail controller for ACK")
+ namespace = try(var.cloudtrail.namespace, "ack-system")
+ create_namespace = try(var.cloudtrail.create_namespace, true)
+ chart = "cloudtrail-chart"
+ chart_version = try(var.cloudtrail.chart_version, "1.0.13")
+ repository = try(var.cloudtrail.repository, "oci://public.ecr.aws/aws-controllers-k8s")
+ values = try(var.cloudtrail.values, [])
+
+ timeout = try(var.cloudtrail.timeout, null)
+ repository_key_file = try(var.cloudtrail.repository_key_file, null)
+ repository_cert_file = try(var.cloudtrail.repository_cert_file, null)
+ repository_ca_file = try(var.cloudtrail.repository_ca_file, null)
+ repository_username = try(var.cloudtrail.repository_username, local.repository_username)
+ repository_password = try(var.cloudtrail.repository_password, local.repository_password)
+ devel = try(var.cloudtrail.devel, null)
+ verify = try(var.cloudtrail.verify, null)
+ keyring = try(var.cloudtrail.keyring, null)
+ disable_webhooks = try(var.cloudtrail.disable_webhooks, null)
+ reuse_values = try(var.cloudtrail.reuse_values, null)
+ reset_values = try(var.cloudtrail.reset_values, null)
+ force_update = try(var.cloudtrail.force_update, null)
+ recreate_pods = try(var.cloudtrail.recreate_pods, null)
+ cleanup_on_fail = try(var.cloudtrail.cleanup_on_fail, null)
+ max_history = try(var.cloudtrail.max_history, null)
+ atomic = try(var.cloudtrail.atomic, null)
+ skip_crds = try(var.cloudtrail.skip_crds, null)
+ render_subchart_notes = try(var.cloudtrail.render_subchart_notes, null)
+ disable_openapi_validation = try(var.cloudtrail.disable_openapi_validation, null)
+ wait = try(var.cloudtrail.wait, false)
+ wait_for_jobs = try(var.cloudtrail.wait_for_jobs, null)
+ dependency_update = try(var.cloudtrail.dependency_update, null)
+ replace = try(var.cloudtrail.replace, null)
+ lint = try(var.cloudtrail.lint, null)
+
+ postrender = try(var.cloudtrail.postrender, [])
+
+ set = concat([
+ {
+ # shortens pod name from `ack-cloudtrail-cloudtrail-chart-xxxxxxxxxxxxx` to `ack-cloudtrail-xxxxxxxxxxxxx`
+ name = "nameOverride"
+ value = "ack-cloudtrail"
+ },
+ {
+ name = "aws.region"
+ value = local.region
+ },
+ {
+ name = "serviceAccount.name"
+ value = local.cloudtrail_name
+ }],
+ try(var.cloudtrail.set, [])
+ )
+ set_sensitive = try(var.cloudtrail.set_sensitive, [])
+
+ # IAM role for service account (IRSA)
+ set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"]
+ create_role = try(var.cloudtrail.create_role, true)
+ role_name = try(var.cloudtrail.role_name, "ack-cloudtrail")
+ role_name_use_prefix = try(var.cloudtrail.role_name_use_prefix, true)
+ role_path = try(var.cloudtrail.role_path, "/")
+ role_permissions_boundary_arn = lookup(var.cloudtrail, "role_permissions_boundary_arn", null)
+ role_description = try(var.cloudtrail.role_description, "IRSA for Cloudtrail controller for ACK")
+ role_policies = lookup(var.cloudtrail, "role_policies", {
+ AWSCloudTrail_FullAccess = "${local.iam_role_policy_prefix}/AWSCloudTrail_FullAccess"
+ })
+
+ create_policy = try(var.cloudtrail.create_policy, false)
+
+ oidc_providers = {
+ this = {
+ provider_arn = local.oidc_provider_arn
+ # namespace is inherited from chart
+ service_account = local.cloudtrail_name
+ }
+ }
+
+ tags = var.tags
+}
+
+################################################################################
+# Cloudfront
+################################################################################
+
+locals {
+ cloudfront_name = "ack-cloudfront"
+}
+
+module "cloudfront" {
+ source = "aws-ia/eks-blueprints-addon/aws"
+ version = "1.1.1"
+
+ create = var.enable_cloudfront
+
+ # Disable helm release
+ create_release = var.create_kubernetes_resources
+
+ # public.ecr.aws/aws-controllers-k8s/cloudfront-chart:0.0.14
+ name = try(var.cloudfront.name, local.cloudfront_name)
+ description = try(var.cloudfront.description, "Helm Chart for Cloudfront controller for ACK")
+ namespace = try(var.cloudfront.namespace, "ack-system")
+ create_namespace = try(var.cloudfront.create_namespace, true)
+ chart = "cloudfront-chart"
+ chart_version = try(var.cloudfront.chart_version, "0.0.14")
+ repository = try(var.cloudfront.repository, "oci://public.ecr.aws/aws-controllers-k8s")
+ values = try(var.cloudfront.values, [])
+
+ timeout = try(var.cloudfront.timeout, null)
+ repository_key_file = try(var.cloudfront.repository_key_file, null)
+ repository_cert_file = try(var.cloudfront.repository_cert_file, null)
+ repository_ca_file = try(var.cloudfront.repository_ca_file, null)
+ repository_username = try(var.cloudfront.repository_username, local.repository_username)
+ repository_password = try(var.cloudfront.repository_password, local.repository_password)
+ devel = try(var.cloudfront.devel, null)
+ verify = try(var.cloudfront.verify, null)
+ keyring = try(var.cloudfront.keyring, null)
+ disable_webhooks = try(var.cloudfront.disable_webhooks, null)
+ reuse_values = try(var.cloudfront.reuse_values, null)
+ reset_values = try(var.cloudfront.reset_values, null)
+ force_update = try(var.cloudfront.force_update, null)
+ recreate_pods = try(var.cloudfront.recreate_pods, null)
+ cleanup_on_fail = try(var.cloudfront.cleanup_on_fail, null)
+ max_history = try(var.cloudfront.max_history, null)
+ atomic = try(var.cloudfront.atomic, null)
+ skip_crds = try(var.cloudfront.skip_crds, null)
+ render_subchart_notes = try(var.cloudfront.render_subchart_notes, null)
+ disable_openapi_validation = try(var.cloudfront.disable_openapi_validation, null)
+ wait = try(var.cloudfront.wait, false)
+ wait_for_jobs = try(var.cloudfront.wait_for_jobs, null)
+ dependency_update = try(var.cloudfront.dependency_update, null)
+ replace = try(var.cloudfront.replace, null)
+ lint = try(var.cloudfront.lint, null)
+
+ postrender = try(var.cloudfront.postrender, [])
+
+ set = concat([
+ {
+ # shortens pod name from `ack-cloudfront-cloudfront-chart-xxxxxxxxxxxxx` to `ack-cloudfront-xxxxxxxxxxxxx`
+ name = "nameOverride"
+ value = "ack-cloudfront"
+ },
+ {
+ name = "aws.region"
+ value = local.region
+ },
+ {
+ name = "serviceAccount.name"
+ value = local.cloudfront_name
+ }],
+ try(var.cloudfront.set, [])
+ )
+ set_sensitive = try(var.cloudfront.set_sensitive, [])
+
+ # IAM role for service account (IRSA)
+ set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"]
+ create_role = try(var.cloudfront.create_role, true)
+ role_name = try(var.cloudfront.role_name, "ack-cloudfront")
+ role_name_use_prefix = try(var.cloudfront.role_name_use_prefix, true)
+ role_path = try(var.cloudfront.role_path, "/")
+ role_permissions_boundary_arn = lookup(var.cloudfront, "role_permissions_boundary_arn", null)
+ role_description = try(var.cloudfront.role_description, "IRSA for Cloudfront controller for ACK")
+ role_policies = lookup(var.cloudfront, "role_policies", {
+ CloudFrontFullAccess = "${local.iam_role_policy_prefix}/CloudFrontFullAccess"
+ })
+
+ create_policy = try(var.cloudfront.create_policy, false)
+
+ oidc_providers = {
+ this = {
+ provider_arn = local.oidc_provider_arn
+ # namespace is inherited from chart
+ service_account = local.cloudfront_name
+ }
+ }
+
+ tags = var.tags
+}
+
+################################################################################
+# Application Autoscaling
+################################################################################
+
+locals {
+ applicationautoscaling_name = "ack-applicationautoscaling"
+}
+
+module "applicationautoscaling" {
+ source = "aws-ia/eks-blueprints-addon/aws"
+ version = "1.1.1"
+
+ create = var.enable_applicationautoscaling
+
+ # Disable helm release
+ create_release = var.create_kubernetes_resources
+
+ # public.ecr.aws/aws-controllers-k8s/applicationautoscaling-chart:1.0.16
+ name = try(var.applicationautoscaling.name, local.applicationautoscaling_name)
+ description = try(var.applicationautoscaling.description, "Helm Chart for Application Autoscaling controller for ACK")
+ namespace = try(var.applicationautoscaling.namespace, "ack-system")
+ create_namespace = try(var.applicationautoscaling.create_namespace, true)
+ chart = "applicationautoscaling-chart"
+ chart_version = try(var.applicationautoscaling.chart_version, "1.0.16")
+ repository = try(var.applicationautoscaling.repository, "oci://public.ecr.aws/aws-controllers-k8s")
+ values = try(var.applicationautoscaling.values, [])
+
+ timeout = try(var.applicationautoscaling.timeout, null)
+ repository_key_file = try(var.applicationautoscaling.repository_key_file, null)
+ repository_cert_file = try(var.applicationautoscaling.repository_cert_file, null)
+ repository_ca_file = try(var.applicationautoscaling.repository_ca_file, null)
+ repository_username = try(var.applicationautoscaling.repository_username, local.repository_username)
+ repository_password = try(var.applicationautoscaling.repository_password, local.repository_password)
+ devel = try(var.applicationautoscaling.devel, null)
+ verify = try(var.applicationautoscaling.verify, null)
+ keyring = try(var.applicationautoscaling.keyring, null)
+ disable_webhooks = try(var.applicationautoscaling.disable_webhooks, null)
+ reuse_values = try(var.applicationautoscaling.reuse_values, null)
+ reset_values = try(var.applicationautoscaling.reset_values, null)
+ force_update = try(var.applicationautoscaling.force_update, null)
+ recreate_pods = try(var.applicationautoscaling.recreate_pods, null)
+ cleanup_on_fail = try(var.applicationautoscaling.cleanup_on_fail, null)
+ max_history = try(var.applicationautoscaling.max_history, null)
+ atomic = try(var.applicationautoscaling.atomic, null)
+ skip_crds = try(var.applicationautoscaling.skip_crds, null)
+ render_subchart_notes = try(var.applicationautoscaling.render_subchart_notes, null)
+ disable_openapi_validation = try(var.applicationautoscaling.disable_openapi_validation, null)
+ wait = try(var.applicationautoscaling.wait, false)
+ wait_for_jobs = try(var.applicationautoscaling.wait_for_jobs, null)
+ dependency_update = try(var.applicationautoscaling.dependency_update, null)
+ replace = try(var.applicationautoscaling.replace, null)
+ lint = try(var.applicationautoscaling.lint, null)
+
+ postrender = try(var.applicationautoscaling.postrender, [])
+
+ set = concat([
+ {
+ # shortens pod name from `ack-applicationautoscaling-applicationautoscaling-chart-xxxxxxxxxxxxx` to `ack-applicationautoscaling-xxxxxxxxxxxxx`
+ name = "nameOverride"
+ value = "ack-applicationautoscaling"
+ },
+ {
+ name = "aws.region"
+ value = local.region
+ },
+ {
+ name = "serviceAccount.name"
+ value = local.applicationautoscaling_name
+ }],
+ 
try(var.applicationautoscaling.set, []) + ) + set_sensitive = try(var.applicationautoscaling.set_sensitive, []) + + # IAM role for service account (IRSA) + set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"] + create_role = try(var.applicationautoscaling.create_role, true) + role_name = try(var.applicationautoscaling.role_name, "ack-applicationautoscaling") + role_name_use_prefix = try(var.applicationautoscaling.role_name_use_prefix, true) + role_path = try(var.applicationautoscaling.role_path, "/") + role_permissions_boundary_arn = lookup(var.applicationautoscaling, "role_permissions_boundary_arn", null) + role_description = try(var.applicationautoscaling.role_description, "IRSA for Application Autoscaling controller for ACK") + role_policies = lookup(var.applicationautoscaling, "role_policies", { + PowerUserAccess = "${local.iam_role_policy_prefix}/PowerUserAccess" + }) + + create_policy = try(var.applicationautoscaling.create_policy, false) + + oidc_providers = { + this = { + provider_arn = local.oidc_provider_arn + # namespace is inherited from chart + service_account = local.applicationautoscaling_name + } + } + + tags = var.tags +} + ################################################################################ # SageMaker ################################################################################ diff --git a/outputs.tf b/outputs.tf index ec9e874..51a047e 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -11,6 +11,66 @@ added or an addon is updated, and new metadata for the Helm chart is needed.
 output "gitops_metadata" {
 description = "GitOps Bridge metadata"
 value = merge(
+ { for k, v in {
+ iam_role_arn = module.kafka.iam_role_arn
+ namespace = try(var.kafka.namespace, "ack-system")
+ service_account = local.kafka_name
+ } : "ack_iam_${k}" => v if var.enable_kafka
+ },
+ { for k, v in {
+ iam_role_arn = module.efs.iam_role_arn
+ namespace = try(var.efs.namespace, "ack-system")
+ service_account = local.efs_name
+ } : "ack_iam_${k}" => v if var.enable_efs
+ },
+ { for k, v in {
+ iam_role_arn = module.ecs.iam_role_arn
+ namespace = try(var.ecs.namespace, "ack-system")
+ service_account = local.ecs_name
+ } : "ack_iam_${k}" => v if var.enable_ecs
+ },
+ { for k, v in {
+ iam_role_arn = module.cloudtrail.iam_role_arn
+ namespace = try(var.cloudtrail.namespace, "ack-system")
+ service_account = local.cloudtrail_name
+ } : "ack_iam_${k}" => v if var.enable_cloudtrail
+ },
+ { for k, v in {
+ iam_role_arn = module.cloudfront.iam_role_arn
+ namespace = try(var.cloudfront.namespace, "ack-system")
+ service_account = local.cloudfront_name
+ } : "ack_iam_${k}" => v if var.enable_cloudfront
+ },
+ { for k, v in {
+ iam_role_arn = module.applicationautoscaling.iam_role_arn
+ namespace = try(var.applicationautoscaling.namespace, "ack-system")
+ service_account = local.applicationautoscaling_name
+ } : "ack_iam_${k}" => v if var.enable_applicationautoscaling
+ },
+ { for k, v in {
+ iam_role_arn = module.sagemaker.iam_role_arn
+ namespace = try(var.sagemaker.namespace, "ack-system")
+ service_account = local.sagemaker_name
+ } : "ack_iam_${k}" => v if var.enable_sagemaker
+ },
+ { for k, v in {
+ iam_role_arn = module.memorydb.iam_role_arn
+ namespace = try(var.memorydb.namespace, "ack-system")
+ service_account = local.memorydb_name
+ } : "ack_iam_${k}" => v if var.enable_memorydb
+ },
+ { for k, v in {
+ iam_role_arn = module.opensearchservice.iam_role_arn
+ namespace = try(var.opensearchservice.namespace, "ack-system")
+ service_account = local.opensearchservice_name
+ } : "ack_iam_${k}" => v if var.enable_opensearchservice
+ },
+ { for k, v in {
+ iam_role_arn = module.ecr.iam_role_arn
+ namespace = try(var.ecr.namespace, "ack-system")
+ service_account = local.ecr_name
+ } : "ack_iam_${k}" => v if var.enable_ecr
+ },
 { for k, v in {
 iam_role_arn = module.sns.iam_role_arn
 namespace = try(var.sns.namespace, "ack-system")
diff --git a/variables.tf b/variables.tf
index 16f28de..5139040 100644
--- a/variables.tf
+++ b/variables.tf
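Review bot: Every one of the ten maps added to the `merge()` in `gitops_metadata` is keyed `"ack_iam_${k}"`, so kafka, efs, ecs, cloudtrail, cloudfront, applicationautoscaling, sagemaker, memorydb, opensearchservice and ecr all emit the same three keys (`ack_iam_iam_role_arn`, `ack_iam_namespace`, `ack_iam_service_account`) and `merge()` keeps only the last enabled controller's values. With more than one controller enabled, the role ARN and service account published to GitOps will belong to whichever block comes last in the argument list, which is easy to misread as the role of a different controller. Prefixing each block with its controller, e.g. `} : "ack_kafka_iam_${k}" => v if var.enable_kafka`, keeps every entry distinct. The pre-existing sns block visible as trailing context uses the same key pattern and the `merge()` continues outside the hunk, so the rest of the output is presumably affected too; if a single shared key is intentional (one controller at a time), a comment on the output saying so would stop the next reader from relying on per-controller values.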
@@ -43,6 +43,102 @@ variable "tags" {
 default = {}
 }
 
+################################################################################
+# Kafka
+################################################################################
+
+variable "enable_kafka" {
+ description = "Enable ACK Kafka add-on"
+ type = bool
+ default = false
+}
+
+variable "kafka" {
+ description = "ACK Kafka Helm Chart config"
+ type = any
+ default = {}
+}
+
+################################################################################
+# EFS
+################################################################################
+
+variable "enable_efs" {
+ description = "Enable ACK EFS add-on"
+ type = bool
+ default = false
+}
+
+variable "efs" {
+ description = "ACK EFS Helm Chart config"
+ type = any
+ default = {}
+}
+
+################################################################################
+# ECS
+################################################################################
+
+variable "enable_ecs" {
+ description = "Enable ACK ECS add-on"
+ type = bool
+ default = false
+}
+
+variable "ecs" {
+ description = "ACK ECS Helm Chart config"
+ type = any
+ default = {}
+}
+
+################################################################################
+# Cloudtrail
+################################################################################
+
+variable "enable_cloudtrail" {
+ description = "Enable ACK Cloudtrail add-on"
+ type = bool
+ default = false
+}
+
+variable "cloudtrail" {
+ description = "ACK Cloudtrail Helm Chart config"
+ type = any
+ default = {}
+}
+
+################################################################################
+# Cloudfront
+################################################################################
+
+variable "enable_cloudfront" {
+ description = "Enable ACK Cloudfront add-on"
+ type = bool
+ default = false
+}
+
+variable "cloudfront" {
+ description = "ACK cloudfront Helm Chart config"
+ type = any
+ default = {}
+}
+
+################################################################################
+# Application Autoscaling
+################################################################################
+
+variable "enable_applicationautoscaling" {
+ description = "Enable ACK Application Autoscaling add-on"
+ type = bool
+ default = false
+}
+
+variable "applicationautoscaling" {
+ description = "ACK Application Autoscaling Helm Chart config"
+ type = any
+ default = {}
+}
+
 ################################################################################
 # Sagemaker
 ################################################################################
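Review bot: The descriptions of the six new per-controller object variables (`kafka`, `efs`, `ecs`, `cloudtrail`, `cloudfront`, `applicationautoscaling`) say only "Helm Chart config", yet the same object is where an operator scopes the IAM role the module creates: main.tf on this page reads `role_policies`, `role_permissions_boundary_arn` and `create_policy` from it, and the defaults attach broad managed policies (for applicationautoscaling, `PowerUserAccess`), which nothing in variables.tf tells the reader. Since the type is `any`, the description is the only place those keys are discoverable, so I would extend each one along the lines of `"ACK Kafka Helm Chart config; also accepts role_policies and role_permissions_boundary_arn to scope the controller's IRSA role"`. The `cloudfront` description is also the only one that lower-cases the service name (`ACK cloudfront Helm Chart config`); `ACK Cloudfront Helm Chart config` matches its siblings.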