diff --git a/.gitignore b/.gitignore index b5748ae..b334e0b 100644 --- a/.gitignore +++ b/.gitignore @@ -31,4 +31,4 @@ override.tf.json .terraformrc terraform.rc -**/examples/event-driven-pipeline/input/* +**/tests/event-driven-pipeline/input/* diff --git a/README.md b/README.md index 983e597..dee6ab9 100644 --- a/README.md +++ b/README.md @@ -18,6 +18,9 @@ module "eks_ack_addons" { ecrpublic_token = "" # Controllers to enable + enable_networkfirewall = true + enable_cloudwatchlogs = true + enable_kinesis = true enable_secretsmanager = true enable_route53resolver = true enable_route53 = true @@ -59,11 +62,11 @@ module "eks_ack_addons" { } ``` -## Examples +## Tests -Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws-eks-ack-addons) are intended to give users references for how to use the module as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you! +Tests codified under the [`tests`](https://github.com/aws-ia/terraform-aws-eks-ack-addons) are intended to give users references for how to use the module as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant tests to allow maintainers to test your changes and to keep the tests up to date for users. Thank you! -- [Complete](https://github.com/aws-ia/terraform-aws-eks-ack-addons/tree/main/examples/complete) +- [Complete](https://github.com/aws-ia/terraform-aws-eks-ack-addons/tree/main/tests/complete) ## Requirements 
@@ -91,6 +94,7 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws
 | [cloudfront](#module\_cloudfront) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [cloudtrail](#module\_cloudtrail) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [cloudwatch](#module\_cloudwatch) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
+| [cloudwatchlogs](#module\_cloudwatchlogs) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [dynamodb](#module\_dynamodb) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [ec2](#module\_ec2) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [ecr](#module\_ecr) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
@@ -103,10 +107,12 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws
 | [iam](#module\_iam) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [kafka](#module\_kafka) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [keyspaces](#module\_keyspaces) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
+| [kinesis](#module\_kinesis) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [kms](#module\_kms) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [lambda](#module\_lambda) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [memorydb](#module\_memorydb) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [mq](#module\_mq) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
+| [networkfirewall](#module\_networkfirewall) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [opensearchservice](#module\_opensearchservice) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [organizations](#module\_organizations) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [prometheusservice](#module\_prometheusservice) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
@@ -124,22 +130,17 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws
 | Name | Type |
 |------|------|
-| [aws_iam_policy.acm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.emrcontainers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.iam](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.prometheusservice](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [time_sleep.this](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.acm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudwatchlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.emrcontainers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.iam](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.kinesis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.networkfirewall](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.prometheusservice](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
@@ -155,6 +156,7 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws
 | [cloudfront](#input\_cloudfront) | ACK cloudfront Helm Chart config | `any` | `{}` | no |
 | [cloudtrail](#input\_cloudtrail) | ACK Cloudtrail Helm Chart config | `any` | `{}` | no |
 | [cloudwatch](#input\_cloudwatch) | ACK CloudWatch Helm Chart config | `any` | `{}` | no |
+| [cloudwatchlogs](#input\_cloudwatchlogs) | ACK CloudWatch Logs Helm Chart config | `any` | `{}` | no |
 | [cluster\_endpoint](#input\_cluster\_endpoint) | Endpoint for your Kubernetes API server | `string` | n/a | yes |
 | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes |
 | [create\_delay\_dependencies](#input\_create\_delay\_dependencies) | Dependency attribute which must be resolved before starting the `create_delay_duration` | `list(string)` | `[]` | no |
@@ -176,6 +178,7 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws
 | [enable\_cloudfront](#input\_enable\_cloudfront) | Enable ACK Cloudfront add-on | `bool` | `false` | no |
 | [enable\_cloudtrail](#input\_enable\_cloudtrail) | Enable ACK Cloudtrail add-on | `bool` | `false` | no |
 | [enable\_cloudwatch](#input\_enable\_cloudwatch) | Enable ACK CloudWatch add-on | `bool` | `false` | no |
+| [enable\_cloudwatchlogs](#input\_enable\_cloudwatchlogs) | Enable ACK CloudWatch Logs add-on | `bool` | `false` | no |
 | [enable\_dynamodb](#input\_enable\_dynamodb) | Enable ACK dynamodb add-on | `bool` | `false` | no |
 | [enable\_ec2](#input\_enable\_ec2) | Enable ACK ec2 add-on | `bool` | `false` | no |
 | [enable\_ecr](#input\_enable\_ecr) | Enable ACK ECR add-on | `bool` | `false` | no |
@@ -188,10 +191,12 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws
 | [enable\_iam](#input\_enable\_iam) | Enable ACK iam add-on | `bool` | `false` | no |
 | [enable\_kafka](#input\_enable\_kafka) | Enable ACK Kafka add-on | `bool` | `false` | no |
 | [enable\_keyspaces](#input\_enable\_keyspaces) | Enable ACK Keyspaces add-on | `bool` | `false` | no |
+| [enable\_kinesis](#input\_enable\_kinesis) | Enable ACK Kinesis add-on | `bool` | `false` | no |
 | [enable\_kms](#input\_enable\_kms) | Enable ACK kms add-on | `bool` | `false` | no |
 | [enable\_lambda](#input\_enable\_lambda) | Enable ACK Lambda add-on | `bool` | `false` | no |
 | [enable\_memorydb](#input\_enable\_memorydb) | Enable ACK MemoryDB add-on | `bool` | `false` | no |
 | [enable\_mq](#input\_enable\_mq) | Enable ACK MQ add-on | `bool` | `false` | no |
+| [enable\_networkfirewall](#input\_enable\_networkfirewall) | Enable ACK Network Firewall add-on | `bool` | `false` | no |
 | [enable\_opensearchservice](#input\_enable\_opensearchservice) | Enable ACK Opensearch Service add-on | `bool` | `false` | no |
 | [enable\_organizations](#input\_enable\_organizations) | Enable ACK Organizations add-on | `bool` | `false` | no |
 | [enable\_prometheusservice](#input\_enable\_prometheusservice) | Enable ACK prometheusservice add-on | `bool` | `false` | no |
@@ -208,10 +213,12 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws
 | [iam](#input\_iam) | ACK iam Helm Chart config | `any` | `{}` | no |
 | [kafka](#input\_kafka) | ACK Kafka Helm Chart config | `any` | `{}` | no |
 | [keyspaces](#input\_keyspaces) | ACK Keyspaces Helm Chart config | `any` | `{}` | no |
+| [kinesis](#input\_kinesis) | ACK Kinesis Helm Chart config | `any` | `{}` | no |
 | [kms](#input\_kms) | ACK kms Helm Chart config | `any` | `{}` | no |
 | [lambda](#input\_lambda) | ACK Lambda Helm Chart config | `any` | `{}` | no |
 | [memorydb](#input\_memorydb) | ACK MemoryDB Helm Chart config | `any` | `{}` | no |
 | [mq](#input\_mq) | ACK MQ Helm Chart config | `any` | `{}` | no |
+| [networkfirewall](#input\_networkfirewall) | ACK Network Firewall Helm Chart config | `any` | `{}` | no |
 | [oidc\_provider\_arn](#input\_oidc\_provider\_arn) | The ARN of the cluster OIDC Provider | `string` | n/a | yes |
 | [opensearchservice](#input\_opensearchservice) | ACK Opensearch Service Helm Chart config | `any` | `{}` | no |
 | [organizations](#input\_organizations) | ACK Organizations Helm Chart config | `any` | `{}` | no |
diff --git a/main.tf b/main.tf
index 935ccd9..cac2775 100644
--- a/main.tf
+++ b/main.tf
@@ -33,6 +33,379 @@ locals { repository_password = var.create_kubernetes_resources ? var.ecrpublic_token : "" } +################################################################################ +# Network Firewall +################################################################################ + +locals { + networkfirewall_name = "ack-networkfirewall" +} + +module "networkfirewall" { + source = "aws-ia/eks-blueprints-addon/aws" + version = "1.1.1" + + create = var.enable_networkfirewall + + # Disable helm release + create_release = var.create_kubernetes_resources + + # public.ecr.aws/aws-controllers-k8s/networkfirewall-chart:0.0.8 + name = try(var.networkfirewall.name, local.networkfirewall_name) + description = try(var.networkfirewall.description, "Helm Chart for Network Firewall controller for ACK") + namespace = try(var.networkfirewall.namespace, "ack-system") + create_namespace = try(var.networkfirewall.create_namespace, true) + chart = "networkfirewall-chart" + chart_version = try(var.networkfirewall.chart_version, "0.0.8") + repository = try(var.networkfirewall.repository, "oci://public.ecr.aws/aws-controllers-k8s") + values = try(var.networkfirewall.values, []) + + timeout = try(var.networkfirewall.timeout, null) + repository_key_file = try(var.networkfirewall.repository_key_file, null) + repository_cert_file = try(var.networkfirewall.repository_cert_file, null) + repository_ca_file = try(var.networkfirewall.repository_ca_file, null) + repository_username = try(var.networkfirewall.repository_username, local.repository_username) + repository_password = try(var.networkfirewall.repository_password, local.repository_password) + devel = try(var.networkfirewall.devel, null) + verify = try(var.networkfirewall.verify, null) + keyring = try(var.networkfirewall.keyring, null) + disable_webhooks = try(var.networkfirewall.disable_webhooks, null) + reuse_values = try(var.networkfirewall.reuse_values, null) + reset_values = try(var.networkfirewall.reset_values, null) + 
force_update = try(var.networkfirewall.force_update, null) + recreate_pods = try(var.networkfirewall.recreate_pods, null) + cleanup_on_fail = try(var.networkfirewall.cleanup_on_fail, null) + max_history = try(var.networkfirewall.max_history, null) + atomic = try(var.networkfirewall.atomic, null) + skip_crds = try(var.networkfirewall.skip_crds, null) + render_subchart_notes = try(var.networkfirewall.render_subchart_notes, null) + disable_openapi_validation = try(var.networkfirewall.disable_openapi_validation, null) + wait = try(var.networkfirewall.wait, false) + wait_for_jobs = try(var.networkfirewall.wait_for_jobs, null) + dependency_update = try(var.networkfirewall.dependency_update, null) + replace = try(var.networkfirewall.replace, null) + lint = try(var.networkfirewall.lint, null) + + postrender = try(var.networkfirewall.postrender, []) + + set = concat([ + { + # shortens pod name from `ack-networkfirewall-networkfirewall-chart-xxxxxxxxxxxxx` to `ack-networkfirewall-xxxxxxxxxxxxx` + name = "nameOverride" + value = "ack-networkfirewall" + }, + { + name = "aws.region" + value = local.region + }, + { + name = "serviceAccount.name" + value = local.networkfirewall_name + }], + try(var.networkfirewall.set, []) + ) + set_sensitive = try(var.networkfirewall.set_sensitive, []) + + # IAM role for service account (IRSA) + set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"] + create_role = try(var.networkfirewall.create_role, true) + role_name = try(var.networkfirewall.role_name, "ack-networkfirewall") + role_name_use_prefix = try(var.networkfirewall.role_name_use_prefix, true) + role_path = try(var.networkfirewall.role_path, "/") + role_permissions_boundary_arn = lookup(var.networkfirewall, "role_permissions_boundary_arn", null) + role_description = try(var.networkfirewall.role_description, "IRSA for Network Firewall controller for ACK") + role_policies = lookup(var.networkfirewall, "role_policies", {}) + + create_policy = 
try(var.networkfirewall.create_policy, true) + source_policy_documents = data.aws_iam_policy_document.networkfirewall[*].json + policy_statements = lookup(var.networkfirewall, "policy_statements", []) + policy_name = try(var.networkfirewall.policy_name, null) + policy_name_use_prefix = try(var.networkfirewall.policy_name_use_prefix, true) + policy_path = try(var.networkfirewall.policy_path, null) + policy_description = try(var.networkfirewall.policy_description, "IAM Policy for Network Firewall controller for ACK") + + oidc_providers = { + this = { + provider_arn = local.oidc_provider_arn + # namespace is inherited from chart + service_account = local.networkfirewall_name + } + } + + tags = var.tags +} + +# recommended networkfirewall-controller policy https://github.com/aws-controllers-k8s/networkfirewall-controller/blob/main/config/iam/recommended-inline-policy +data "aws_iam_policy_document" "networkfirewall" { + count = var.enable_networkfirewall ? 1 : 0 + + statement { + effect = "Allow" + + actions = [ + "network-firewall:CreateFirewall", + "network-firewall:CreateFirewallPolicy", + "network-firewall:DeleteFirewall", + "network-firewall:DeleteFirewallPolicy", + "network-firewall:DescribeFirewall", + "network-firewall:DescribeLoggingConfiguration", + "network-firewall:ListFirewallPolicies", + "network-firewall:ListFirewalls", + "network-firewall:UpdateLoggingConfiguration", + ] + + resources = ["*"] + } +} + +################################################################################ +# Amazon CloudWatch Logs +################################################################################ + +locals { + cloudwatchlogs_name = "ack-cloudwatchlogs" +} + +module "cloudwatchlogs" { + source = "aws-ia/eks-blueprints-addon/aws" + version = "1.1.1" + + create = var.enable_cloudwatchlogs + + # Disable helm release + create_release = var.create_kubernetes_resources + + # public.ecr.aws/aws-controllers-k8s/cloudwatchlogs-chart:0.0.9 + name = 
try(var.cloudwatchlogs.name, local.cloudwatchlogs_name) + description = try(var.cloudwatchlogs.description, "Helm Chart for CloudWatch Logs controller for ACK") + namespace = try(var.cloudwatchlogs.namespace, "ack-system") + create_namespace = try(var.cloudwatchlogs.create_namespace, true) + chart = "cloudwatchlogs-chart" + chart_version = try(var.cloudwatchlogs.chart_version, "0.0.9") + repository = try(var.cloudwatchlogs.repository, "oci://public.ecr.aws/aws-controllers-k8s") + values = try(var.cloudwatchlogs.values, []) + + timeout = try(var.cloudwatchlogs.timeout, null) + repository_key_file = try(var.cloudwatchlogs.repository_key_file, null) + repository_cert_file = try(var.cloudwatchlogs.repository_cert_file, null) + repository_ca_file = try(var.cloudwatchlogs.repository_ca_file, null) + repository_username = try(var.cloudwatchlogs.repository_username, local.repository_username) + repository_password = try(var.cloudwatchlogs.repository_password, local.repository_password) + devel = try(var.cloudwatchlogs.devel, null) + verify = try(var.cloudwatchlogs.verify, null) + keyring = try(var.cloudwatchlogs.keyring, null) + disable_webhooks = try(var.cloudwatchlogs.disable_webhooks, null) + reuse_values = try(var.cloudwatchlogs.reuse_values, null) + reset_values = try(var.cloudwatchlogs.reset_values, null) + force_update = try(var.cloudwatchlogs.force_update, null) + recreate_pods = try(var.cloudwatchlogs.recreate_pods, null) + cleanup_on_fail = try(var.cloudwatchlogs.cleanup_on_fail, null) + max_history = try(var.cloudwatchlogs.max_history, null) + atomic = try(var.cloudwatchlogs.atomic, null) + skip_crds = try(var.cloudwatchlogs.skip_crds, null) + render_subchart_notes = try(var.cloudwatchlogs.render_subchart_notes, null) + disable_openapi_validation = try(var.cloudwatchlogs.disable_openapi_validation, null) + wait = try(var.cloudwatchlogs.wait, false) + wait_for_jobs = try(var.cloudwatchlogs.wait_for_jobs, null) + dependency_update = 
try(var.cloudwatchlogs.dependency_update, null) + replace = try(var.cloudwatchlogs.replace, null) + lint = try(var.cloudwatchlogs.lint, null) + + postrender = try(var.cloudwatchlogs.postrender, []) + + set = concat([ + { + # shortens pod name from `ack-cloudwatchlogs-cloudwatchlogs-chart-xxxxxxxxxxxxx` to `ack-cloudwatchlogs-xxxxxxxxxxxxx` + name = "nameOverride" + value = "ack-cloudwatchlogs" + }, + { + name = "aws.region" + value = local.region + }, + { + name = "serviceAccount.name" + value = local.cloudwatchlogs_name + }], + try(var.cloudwatchlogs.set, []) + ) + set_sensitive = try(var.cloudwatchlogs.set_sensitive, []) + + # IAM role for service account (IRSA) + set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"] + create_role = try(var.cloudwatchlogs.create_role, true) + role_name = try(var.cloudwatchlogs.role_name, "ack-cloudwatchlogs") + role_name_use_prefix = try(var.cloudwatchlogs.role_name_use_prefix, true) + role_path = try(var.cloudwatchlogs.role_path, "/") + role_permissions_boundary_arn = lookup(var.cloudwatchlogs, "role_permissions_boundary_arn", null) + role_description = try(var.cloudwatchlogs.role_description, "IRSA for CloudWatch Logs controller for ACK") + role_policies = lookup(var.cloudwatchlogs, "role_policies", {}) + + create_policy = try(var.cloudwatchlogs.create_policy, true) + source_policy_documents = data.aws_iam_policy_document.cloudwatchlogs[*].json + policy_statements = lookup(var.cloudwatchlogs, "policy_statements", []) + policy_name = try(var.cloudwatchlogs.policy_name, null) + policy_name_use_prefix = try(var.cloudwatchlogs.policy_name_use_prefix, true) + policy_path = try(var.cloudwatchlogs.policy_path, null) + policy_description = try(var.cloudwatchlogs.policy_description, "IAM Policy for Cloudwatch Logs controller for ACK") + + oidc_providers = { + this = { + provider_arn = local.oidc_provider_arn + # namespace is inherited from chart + service_account = local.cloudwatchlogs_name + } + } + + tags = 
var.tags +} + +# recommended cloudwatchlogs-controller policy https://github.com/aws-controllers-k8s/cloudwatchlogs-controller/blob/main/config/iam/recommended-inline-policy +data "aws_iam_policy_document" "cloudwatchlogs" { + count = var.enable_cloudwatchlogs ? 1 : 0 + + statement { + sid = "VisualEditor0" + effect = "Allow" + + actions = [ + "logs:TagLogGroup", + "logs:DescribeLogGroups", + "logs:UntagLogGroup", + "logs:DeleteLogGroup", + "logs:UntagResource", + "logs:TagResource", + "logs:CreateLogGroup", + "logs:ListTagsForResource", + ] + + resources = ["*"] + } +} + +################################################################################ +# Kinesis +################################################################################ + +locals { + kinesis_name = "ack-kinesis" +} + +module "kinesis" { + source = "aws-ia/eks-blueprints-addon/aws" + version = "1.1.1" + + create = var.enable_kinesis + + # Disable helm release + create_release = var.create_kubernetes_resources + + # public.ecr.aws/aws-controllers-k8s/kinesis-chart:0.0.17 + name = try(var.kinesis.name, local.kinesis_name) + description = try(var.kinesis.description, "Helm Chart for Kinesis controller for ACK") + namespace = try(var.kinesis.namespace, "ack-system") + create_namespace = try(var.kinesis.create_namespace, true) + chart = "kinesis-chart" + chart_version = try(var.kinesis.chart_version, "0.0.17") + repository = try(var.kinesis.repository, "oci://public.ecr.aws/aws-controllers-k8s") + values = try(var.kinesis.values, []) + + timeout = try(var.kinesis.timeout, null) + repository_key_file = try(var.kinesis.repository_key_file, null) + repository_cert_file = try(var.kinesis.repository_cert_file, null) + repository_ca_file = try(var.kinesis.repository_ca_file, null) + repository_username = try(var.kinesis.repository_username, local.repository_username) + repository_password = try(var.kinesis.repository_password, local.repository_password) + devel = try(var.kinesis.devel, null) + verify = 
try(var.kinesis.verify, null) + keyring = try(var.kinesis.keyring, null) + disable_webhooks = try(var.kinesis.disable_webhooks, null) + reuse_values = try(var.kinesis.reuse_values, null) + reset_values = try(var.kinesis.reset_values, null) + force_update = try(var.kinesis.force_update, null) + recreate_pods = try(var.kinesis.recreate_pods, null) + cleanup_on_fail = try(var.kinesis.cleanup_on_fail, null) + max_history = try(var.kinesis.max_history, null) + atomic = try(var.kinesis.atomic, null) + skip_crds = try(var.kinesis.skip_crds, null) + render_subchart_notes = try(var.kinesis.render_subchart_notes, null) + disable_openapi_validation = try(var.kinesis.disable_openapi_validation, null) + wait = try(var.kinesis.wait, false) + wait_for_jobs = try(var.kinesis.wait_for_jobs, null) + dependency_update = try(var.kinesis.dependency_update, null) + replace = try(var.kinesis.replace, null) + lint = try(var.kinesis.lint, null) + + postrender = try(var.kinesis.postrender, []) + + set = concat([ + { + # shortens pod name from `ack-kinesis-kinesis-chart-xxxxxxxxxxxxx` to `ack-kinesis-xxxxxxxxxxxxx` + name = "nameOverride" + value = "ack-kinesis" + }, + { + name = "aws.region" + value = local.region + }, + { + name = "serviceAccount.name" + value = local.kinesis_name + }], + try(var.kinesis.set, []) + ) + set_sensitive = try(var.kinesis.set_sensitive, []) + + # IAM role for service account (IRSA) + set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"] + create_role = try(var.kinesis.create_role, true) + role_name = try(var.kinesis.role_name, "ack-kinesis") + role_name_use_prefix = try(var.kinesis.role_name_use_prefix, true) + role_path = try(var.kinesis.role_path, "/") + role_permissions_boundary_arn = lookup(var.kinesis, "role_permissions_boundary_arn", null) + role_description = try(var.kinesis.role_description, "IRSA for Kinesis controller for ACK") + role_policies = lookup(var.kinesis, "role_policies", {}) + + create_policy = 
try(var.kinesis.create_policy, true) + source_policy_documents = data.aws_iam_policy_document.kinesis[*].json + policy_statements = lookup(var.kinesis, "policy_statements", []) + policy_name = try(var.kinesis.policy_name, null) + policy_name_use_prefix = try(var.kinesis.policy_name_use_prefix, true) + policy_path = try(var.kinesis.policy_path, null) + policy_description = try(var.kinesis.policy_description, "IAM Policy for Kinesis controller for ACK") + + oidc_providers = { + this = { + provider_arn = local.oidc_provider_arn + # namespace is inherited from chart + service_account = local.kinesis_name + } + } + + tags = var.tags +} + +# recommended kinesis-controller policy https://github.com/aws-controllers-k8s/kinesis-controller/blob/main/config/iam/recommended-inline-policy +data "aws_iam_policy_document" "kinesis" { + count = var.enable_kinesis ? 1 : 0 + + statement { + effect = "Allow" + + actions = [ + "kinesis:ListStreams", + "kinesis:DeleteStream", + "kinesis:DescribeStreamSummary", + "kinesis:ListShards", + "kinesis:UpdateShardCount", + "kinesis:CreateStream", + "kinesis:DescribeStream", + ] + + resources = ["*"] + } +} + ################################################################################ # Secrets Manager ################################################################################ @@ -719,7 +1092,6 @@ module "keyspaces" { tags = var.tags } - ################################################################################ # Kafka ################################################################################ 
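Review bot: All three new `aws_iam_policy_document` blocks (`networkfirewall`, `cloudwatchlogs`, `kinesis`) grant their actions on `resources = ["*"]`, so the IRSA role can create, tag and delete any firewall, log group or stream in the account rather than only the ones the controller manages. The link comments say this mirrors the upstream recommended inline policies, which is a reasonable default, but the module already exposes the knobs to narrow it, so each data source deserves a one-line comment such as `# Account-wide scope per upstream recommended policy; to restrict, set create_policy = false and attach a scoped policy via role_policies`. The `cloudwatchlogs` statement also carries `sid = "VisualEditor0"`, an IAM-console artifact the sibling statements do not have; drop it or replace it with a meaningful sid like `sid = "CloudWatchLogsController"`. Minor: its `policy_description` spells the service "Cloudwatch Logs" while the chart description and README rows use "CloudWatch Logs".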
@@ -1972,10 +2344,16 @@ module "lambda" { role_path = try(var.lambda.role_path, "/") role_permissions_boundary_arn = lookup(var.lambda, "role_permissions_boundary_arn", null) role_description = try(var.lambda.role_description, "IRSA for Lambda controller for ACK") - role_policies = lookup(var.lambda, "role_policies", { - policy = var.enable_lambda ? aws_iam_policy.lambda[0].arn : null - }) - create_policy = try(var.lambda.create_policy, false) + role_policies = lookup(var.lambda, "role_policies", {}) + + create_policy = try(var.lambda.create_policy, true) + source_policy_documents = data.aws_iam_policy_document.lambda[*].json + policy_statements = lookup(var.lambda, "policy_statements", []) + policy_name = try(var.lambda.policy_name, null) + policy_name_use_prefix = try(var.lambda.policy_name_use_prefix, true) + policy_path = try(var.lambda.policy_path, null) + policy_description = try(var.lambda.policy_description, "IAM Policy for Lambda controller for ACK") + oidc_providers = { this = { @@ -2018,16 +2396,6 @@ data "aws_iam_policy_document" "lambda" { } } -resource "aws_iam_policy" "lambda" { - count = var.enable_lambda ? 1 : 0 - - name = "LambdaController" - description = "IAM policy for Lambda Controller" - policy = data.aws_iam_policy_document.lambda[0].json - - tags = var.tags -} - ################################################################################ # IAM ################################################################################ 
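Review bot: The `role_policies` default drops the attachment of the fixed-name `aws_iam_policy.lambda` (`LambdaController`) and `create_policy` flips from `false` to `true`, so on upgrade Terraform destroys the standalone policy and the addon module creates a new one under a prefixed name; the policy ARN changes and any consumer that referenced `aws_iam_policy.lambda[0].arn` or relied on the `LambdaController` name will break. That migration is not called out in the hunk, and the README changes only remove the resource-table rows, so a comment next to `create_policy`, e.g. `# Policy is now created by the addon module (prefixed name); the former standalone LambdaController policy is removed on upgrade`, plus an upgrade/changelog entry would help operators. The same flip is made for `iam`, `eks`, `kms`, `acm` and `prometheusservice` in the following hunks and the same note applies there. The `module "lambda"` block begins before this hunk.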
@@ -2110,10 +2478,15 @@ module "iam" { role_path = try(var.iam.role_path, "/") role_permissions_boundary_arn = lookup(var.iam, "role_permissions_boundary_arn", null) role_description = try(var.iam.role_description, "IRSA for iam controller for ACK") - role_policies = lookup(var.iam, "role_policies", { - policy = var.enable_iam ? aws_iam_policy.iam[0].arn : null - }) - create_policy = try(var.iam.create_policy, false) + role_policies = lookup(var.iam, "role_policies", {}) + + create_policy = try(var.iam.create_policy, true) + source_policy_documents = data.aws_iam_policy_document.iam[*].json + policy_statements = lookup(var.iam, "policy_statements", []) + policy_name = try(var.iam.policy_name, null) + policy_name_use_prefix = try(var.iam.policy_name_use_prefix, true) + policy_path = try(var.iam.policy_path, null) + policy_description = try(var.iam.policy_description, "IAM Policy for IAM controller for ACK") oidc_providers = { this = { @@ -2199,16 +2572,6 @@ data "aws_iam_policy_document" "iam" { } } -resource "aws_iam_policy" "iam" { - count = var.enable_iam ? 1 : 0 - - name = "IAMController" - description = "IAM policy for IAM Controller" - policy = data.aws_iam_policy_document.iam[0].json - - tags = var.tags -} - ################################################################################ # EC2 ################################################################################ 
@@ -2389,10 +2752,15 @@ module "eks" { role_path = try(var.eks.role_path, "/") role_permissions_boundary_arn = lookup(var.eks, "role_permissions_boundary_arn", null) role_description = try(var.eks.role_description, "IRSA for eks controller for ACK") - role_policies = lookup(var.eks, "role_policies", { - policy = var.enable_eks ? aws_iam_policy.eks[0].arn : null - }) - create_policy = try(var.eks.create_policy, false) + role_policies = lookup(var.eks, "role_policies", {}) + + create_policy = try(var.eks.create_policy, true) + source_policy_documents = data.aws_iam_policy_document.eks[*].json + policy_statements = lookup(var.eks, "policy_statements", []) + policy_name = try(var.eks.policy_name, null) + policy_name_use_prefix = try(var.eks.policy_name_use_prefix, true) + policy_path = try(var.eks.policy_path, null) + policy_description = try(var.eks.policy_description, "IAM Policy for EKS controller for ACK") oidc_providers = { this = { @@ -2421,16 +2789,6 @@ data "aws_iam_policy_document" "eks" { } } -resource "aws_iam_policy" "eks" { - count = var.enable_eks ? 1 : 0 - - name = "EKSController" - description = "IAM policy for EKS Controller" - policy = data.aws_iam_policy_document.eks[0].json - - tags = var.tags -} - ################################################################################ # KMS ################################################################################ 
@@ -2513,10 +2871,15 @@ module "kms" { role_path = try(var.kms.role_path, "/") role_permissions_boundary_arn = lookup(var.kms, "role_permissions_boundary_arn", null) role_description = try(var.kms.role_description, "IRSA for kms controller for ACK") - role_policies = lookup(var.kms, "role_policies", { - policy = var.enable_kms ? aws_iam_policy.kms[0].arn : null - }) - create_policy = try(var.kms.create_policy, false) + role_policies = lookup(var.kms, "role_policies", {}) + + create_policy = try(var.kms.create_policy, true) + source_policy_documents = data.aws_iam_policy_document.kms[*].json + policy_statements = lookup(var.kms, "policy_statements", []) + policy_name = try(var.kms.policy_name, null) + policy_name_use_prefix = try(var.kms.policy_name_use_prefix, true) + policy_path = try(var.kms.policy_path, null) + policy_description = try(var.kms.policy_description, "IAM Policy for KMS controller for ACK") oidc_providers = { this = { @@ -2555,16 +2918,6 @@ data "aws_iam_policy_document" "kms" { } } -resource "aws_iam_policy" "kms" { - count = var.enable_kms ? 1 : 0 - - name = "KMSController" - description = "IAM policy for KMS Controller" - policy = data.aws_iam_policy_document.kms[0].json - - tags = var.tags -} - ################################################################################ # ACM ################################################################################ 
@@ -2647,10 +3000,15 @@ module "acm" { role_path = try(var.acm.role_path, "/") role_permissions_boundary_arn = lookup(var.acm, "role_permissions_boundary_arn", null) role_description = try(var.acm.role_description, "IRSA for acm controller for ACK") - role_policies = lookup(var.acm, "role_policies", { - policy = var.enable_acm ? aws_iam_policy.acm[0].arn : null - }) - create_policy = try(var.acm.create_policy, false) + role_policies = lookup(var.acm, "role_policies", {}) + + create_policy = try(var.acm.create_policy, true) + source_policy_documents = data.aws_iam_policy_document.acm[*].json + policy_statements = lookup(var.acm, "policy_statements", []) + policy_name = try(var.acm.policy_name, null) + policy_name_use_prefix = try(var.acm.policy_name_use_prefix, true) + policy_path = try(var.acm.policy_path, null) + policy_description = try(var.acm.policy_description, "IAM Policy for ACM controller for ACK") oidc_providers = { this = { @@ -2684,16 +3042,6 @@ data "aws_iam_policy_document" "acm" { } -resource "aws_iam_policy" "acm" { - count = var.enable_acm ? 1 : 0 - - name = "ACMController" - description = "IAM policy for ACM Controller" - policy = data.aws_iam_policy_document.acm[0].json - - tags = var.tags -} - ################################################################################ # API Gateway V2 ################################################################################ 
@@ -3267,10 +3615,15 @@ module "prometheusservice" { role_path = try(var.prometheusservice.role_path, "/") role_permissions_boundary_arn = lookup(var.prometheusservice, "role_permissions_boundary_arn", null) role_description = try(var.prometheusservice.role_description, "IRSA for prometheusservice controller for ACK") - role_policies = lookup(var.prometheusservice, "role_policies", { - policy = var.enable_prometheusservice ? aws_iam_policy.prometheusservice[0].arn : null - }) - create_policy = try(var.prometheusservice.create_policy, false) + role_policies = lookup(var.prometheusservice, "role_policies", {}) + + create_policy = try(var.prometheusservice.create_policy, true) + source_policy_documents = data.aws_iam_policy_document.prometheusservice[*].json + policy_statements = lookup(var.prometheusservice, "policy_statements", []) + policy_name = try(var.prometheusservice.policy_name, null) + policy_name_use_prefix = try(var.prometheusservice.policy_name_use_prefix, true) + policy_path = try(var.prometheusservice.policy_path, null) + policy_description = try(var.prometheusservice.policy_description, "IAM Policy for Prometheus Service controller for ACK") oidc_providers = { this = { @@ -3302,16 +3655,6 @@ data "aws_iam_policy_document" "prometheusservice" { } } -resource "aws_iam_policy" "prometheusservice" { - count = var.enable_prometheusservice ? 1 : 0 - - name = "PrometheusServiceController" - description = "IAM policy for Prometheus Service Controller" - policy = data.aws_iam_policy_document.prometheusservice[0].json - - tags = var.tags -} - ################################################################################ # EMR Containers ################################################################################ 
@@ -3394,10 +3737,15 @@ module "emrcontainers" { role_path = try(var.emrcontainers.role_path, "/") role_permissions_boundary_arn = lookup(var.emrcontainers, "role_permissions_boundary_arn", null) role_description = try(var.emrcontainers.role_description, "IRSA for emrcontainers controller for ACK") - role_policies = lookup(var.emrcontainers, "role_policies", { - policy = var.enable_emrcontainers ? aws_iam_policy.emrcontainers[0].arn : null - }) - create_policy = try(var.emrcontainers.create_policy, false) + role_policies = lookup(var.emrcontainers, "role_policies", {}) + + create_policy = try(var.emrcontainers.create_policy, true) + source_policy_documents = data.aws_iam_policy_document.emrcontainers[*].json + policy_statements = lookup(var.emrcontainers, "policy_statements", []) + policy_name = try(var.emrcontainers.policy_name, null) + policy_name_use_prefix = try(var.emrcontainers.policy_name_use_prefix, true) + policy_path = try(var.emrcontainers.policy_path, null) + policy_description = try(var.emrcontainers.policy_description, "IAM Policy for EMR Containers controller for ACK") oidc_providers = { this = { @@ -3493,16 +3841,6 @@ data "aws_iam_policy_document" "emrcontainers" { } } -resource "aws_iam_policy" "emrcontainers" { - count = var.enable_emrcontainers ? 1 : 0 - - name = "EMRContainersController" - description = "IAM policy for EMR Containers Controller" - policy = data.aws_iam_policy_document.emrcontainers[0].json - - tags = var.tags -} - ################################################################################ # Step Functions ################################################################################ 
@@ -3586,10 +3924,16 @@ module "sfn" { role_permissions_boundary_arn = lookup(var.sfn, "role_permissions_boundary_arn", null) role_description = try(var.sfn.role_description, "IRSA for sfn controller for ACK") role_policies = lookup(var.sfn, "role_policies", { - AWSStepFunctionsFullAccess = "${local.iam_role_policy_prefix}/AWSStepFunctionsFullAccess" - AWSStepFunctionsIamPassRole = var.enable_sfn ? aws_iam_policy.sfn[0].arn : null + AWSStepFunctionsFullAccess = "${local.iam_role_policy_prefix}/AWSStepFunctionsFullAccess" }) - create_policy = try(var.sfn.create_policy, false) + + create_policy = try(var.sfn.create_policy, true) + source_policy_documents = data.aws_iam_policy_document.sfn[*].json + policy_statements = lookup(var.sfn, "policy_statements", []) + policy_name = try(var.sfn.policy_name, null) + policy_name_use_prefix = try(var.sfn.policy_name_use_prefix, true) + policy_path = try(var.sfn.policy_path, null) + policy_description = try(var.sfn.policy_description, "IAM Policy for SFN controller for ACK") oidc_providers = { this = { @@ -3620,16 +3964,6 @@ data "aws_iam_policy_document" "sfn" { } -resource "aws_iam_policy" "sfn" { - count = var.enable_sfn ? 1 : 0 - - name = "SFNController" - description = "IAM policy for SFN Controller" - policy = data.aws_iam_policy_document.sfn[0].json - - tags = var.tags -} - ################################################################################ # EventBridge ################################################################################ diff --git a/outputs.tf b/outputs.tf index 06da03a..6ae9628 100644 --- a/outputs.tf +++ b/outputs.tf 
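Review bot: The sfn role keeps the AWS-managed `AWSStepFunctionsFullAccess` in `role_policies` while the new `source_policy_documents` also feeds a generated policy, so the controller ends up with full-access plus whatever `data.aws_iam_policy_document.sfn` grants — judging by the removed `AWSStepFunctionsIamPassRole` attachment, presumably `iam:PassRole`. If that document does grant `iam:PassRole`, it should carry a `Condition` restricting `iam:PassedToService` to `states.amazonaws.com` so the controller cannot hand arbitrary roles to other services; the document body is outside this hunk, so I cannot confirm what it contains. The eks, kms and acm blocks earlier in this diff drop the extra attachment entirely in favour of the generated document — consider the same here, or add a comment stating why the managed policy must remain. The module block continues past the hunk.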
@@ -11,6 +11,24 @@ added or an addon is updated, and new metadata for the Helm chart is needed. output "gitops_metadata" { description = "GitOps Bridge metadata" value = merge( + { for k, v in { + iam_role_arn = module.networkfirewall.iam_role_arn + namespace = try(var.networkfirewall.namespace, "ack-system") + service_account = local.networkfirewall_name + } : "ack_iam_${k}" => v if var.enable_networkfirewall + }, + { for k, v in { + iam_role_arn = module.cloudwatchlogs.iam_role_arn + namespace = try(var.cloudwatchlogs.namespace, "ack-system") + service_account = local.cloudwatchlogs_name + } : "ack_iam_${k}" => v if var.enable_cloudwatchlogs + }, + { for k, v in { + iam_role_arn = module.kinesis.iam_role_arn + namespace = try(var.kinesis.namespace, "ack-system") + service_account = local.kinesis_name + } : "ack_iam_${k}" => v if var.enable_kinesis + }, { for k, v in { iam_role_arn = module.secretsmanager.iam_role_arn namespace = try(var.secretsmanager.namespace, "ack-system") diff --git a/examples/complete/README.md b/tests/complete/README.md similarity index 53% rename from examples/complete/README.md rename to tests/complete/README.md index 2f50064..8dbedf7 100644 --- a/examples/complete/README.md +++ b/tests/complete/README.md @@ -1,6 +1,9 @@ # Complete Example Configuration in this directory creates an AWS EKS cluster with the following ACK addons: +- Amazon Network Firewall +- Amazon CloudWatch Logs +- Amazon Kinesis - AWS Secrets Manager - Amazon Route53Resolver - Amazon Route 53 
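Review bot: The three new maps emit the same keys as every other controller entry — `ack_iam_iam_role_arn`, `ack_iam_namespace`, `ack_iam_service_account` — and `merge()` keeps only the last value for a duplicate key, so if the visible secretsmanager entry is representative of the rest, `gitops_metadata` ends up carrying a single role ARN and service account for all enabled ACK controllers rather than one per controller. Whatever consumes this metadata would then bind every controller's service account to one IRSA role, undoing the per-controller least-privilege split the rest of this diff builds — unless the consumer intentionally expects a single entry, in which case that should be documented here. Prefixing the key with the controller name, e.g. `"ack_networkfirewall_iam_${k}" => v`, would keep them distinct. The `merge(` call continues past this hunk.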
@@ -75,54 +78,57 @@ aws eks --region update-kubeconfig --name kubectl get pods -A NAMESPACE NAME READY STATUS RESTARTS AGE -ack-system ack-acm-5697f4c5b4-z48sv 1/1 Running 0 30m -ack-system ack-apigatewayv2-76d6bbd788-pxlv9 1/1 Running 0 27m -ack-system ack-applicationautoscaling-5fd6c8bf8f-tjhhq 1/1 Running 0 28m -ack-system ack-cloudfront-544f4887c4-cn48r 1/1 Running 0 27m -ack-system ack-cloudtrail-5dc78b7576-jpjd6 1/1 Running 0 26m -ack-system ack-cloudwatch-5b844f47db-cl6ht 1/1 Running 0 28m -ack-system ack-dynamodb-7f4b47488d-kf7gd 1/1 Running 0 30m -ack-system ack-ec2-5fbf6f55d9-qrpj6 1/1 Running 0 29m -ack-system ack-ecr-5b4699f87b-27k4t 1/1 Running 0 27m -ack-system ack-ecs-74d8d67695-tw9fp 1/1 Running 0 28m -ack-system ack-efs-7b9f965b96-htcxj 1/1 Running 0 28m -ack-system ack-eks-54945d94d4-pn25c 1/1 Running 0 30m -ack-system ack-elasticache-5758ff66bd-69w79 1/1 Running 0 29m -ack-system ack-emrcontainers-74c5d7b8c-4rpkf 1/1 Running 0 29m -ack-system ack-eventbridge-b76bd85b8-cl75j 1/1 Running 0 30m -ack-system ack-iam-89dd5d6b5-4vb82 1/1 Running 0 28m -ack-system ack-kafka-7bd95bd59-25kkb 1/1 Running 0 28m -ack-system ack-keyspaces-6cc9bbc575-klxtw 1/1 Running 0 26m -ack-system ack-kms-58b89848db-wh6wq 1/1 Running 0 27m -ack-system ack-lambda-65bd7fbc8d-8qllw 1/1 Running 0 27m -ack-system ack-memorydb-76c988f6dd-dm22w 1/1 Running 0 29m -ack-system ack-mq-85b69db6c-hdwqg 1/1 Running 0 26m -ack-system ack-opensearchservice-7fd9d8c866-5l6wh 1/1 Running 0 29m -ack-system ack-organizations-784c69d659-xcm29 1/1 Running 0 27m -ack-system ack-prometheusservice-6d657cd878-q492w 1/1 Running 0 30m -ack-system ack-rds-7df84bf989-jmpzh 1/1 Running 0 26m -ack-system ack-route53-5d45dcbf66-lchwf 1/1 Running 0 27m -ack-system ack-route53resolver-696cf68868-znnsv 1/1 Running 0 26m -ack-system ack-s3-6ffc4698c6-5sfwg 1/1 Running 0 30m -ack-system ack-sagemaker-74f65d4cb9-tqcnm 1/1 Running 0 27m -ack-system ack-secretsmanager-7974695c58-8p29t 1/1 Running 0 30m -ack-system 
ack-sfn-6b875794cb-fnrz4 1/1 Running 0 26m -ack-system ack-sns-5c75794dbc-5vs5r 1/1 Running 0 27m -ack-system ack-sqs-55dfc46cd6-tgc68 1/1 Running 0 26m -kube-system aws-load-balancer-controller-84b5bf9c5f-wmj6s 1/1 Running 0 28m -kube-system aws-load-balancer-controller-84b5bf9c5f-xz5bd 1/1 Running 0 28m -kube-system aws-node-48drm 2/2 Running 0 26m -kube-system aws-node-7jmr4 2/2 Running 0 26m -kube-system aws-node-dc8tz 2/2 Running 0 26m -kube-system coredns-787cb67946-69dqt 1/1 Running 0 33m -kube-system coredns-787cb67946-nblvh 1/1 Running 0 33m -kube-system eks-pod-identity-agent-5vflt 1/1 Running 0 27m -kube-system eks-pod-identity-agent-ltjcq 1/1 Running 0 27m -kube-system eks-pod-identity-agent-rb8jn 1/1 Running 0 27m -kube-system kube-proxy-mz99j 1/1 Running 0 30m -kube-system kube-proxy-prj6l 1/1 Running 0 30m -kube-system kube-proxy-rsfsz 1/1 Running 0 30m -kube-system metrics-server-7577444cf8-vj4lt 1/1 Running 0 31m +ack-system ack-acm-5697f4c5b4-czd5b 1/1 Running 0 11m +ack-system ack-apigatewayv2-76d6bbd788-77t8p 1/1 Running 0 10m +ack-system ack-applicationautoscaling-5fd6c8bf8f-zqn4p 1/1 Running 0 11m +ack-system ack-cloudfront-544f4887c4-jhw5b 1/1 Running 0 12m +ack-system ack-cloudtrail-5dc78b7576-2bwds 1/1 Running 0 11m +ack-system ack-cloudwatch-5b844f47db-6fb5d 1/1 Running 0 11m +ack-system ack-cloudwatchlogs-757f9879fb-jtvhh 1/1 Running 0 11m +ack-system ack-dynamodb-7f4b47488d-btjff 1/1 Running 0 12m +ack-system ack-ec2-5fbf6f55d9-hn8jw 1/1 Running 0 11m +ack-system ack-ecr-5b4699f87b-rt5xt 1/1 Running 0 11m +ack-system ack-ecs-74d8d67695-zbv97 1/1 Running 0 10m +ack-system ack-efs-7b9f965b96-qbc6q 1/1 Running 0 13m +ack-system ack-eks-54945d94d4-mflgw 1/1 Running 0 12m +ack-system ack-elasticache-5758ff66bd-mmj27 1/1 Running 0 12m +ack-system ack-emrcontainers-74c5d7b8c-9htg9 1/1 Running 0 11m +ack-system ack-eventbridge-b76bd85b8-dtvxr 1/1 Running 0 13m +ack-system ack-iam-89dd5d6b5-wf8tm 1/1 Running 0 11m +ack-system 
ack-kafka-7bd95bd59-dvcf6 1/1 Running 0 10m +ack-system ack-keyspaces-6cc9bbc575-lfjwr 1/1 Running 0 11m +ack-system ack-kinesis-687bf76869-kqshn 1/1 Running 0 11m +ack-system ack-kms-58b89848db-hrf8v 1/1 Running 0 11m +ack-system ack-lambda-65bd7fbc8d-fjqfj 1/1 Running 0 11m +ack-system ack-memorydb-76c988f6dd-4v8cz 1/1 Running 0 10m +ack-system ack-mq-85b69db6c-tlt2p 1/1 Running 0 11m +ack-system ack-networkfirewall-c6676fddc-tlvzr 1/1 Running 0 12m +ack-system ack-opensearchservice-7fd9d8c866-9kkdx 1/1 Running 0 11m +ack-system ack-organizations-784c69d659-cpn2r 1/1 Running 0 13m +ack-system ack-prometheusservice-6d657cd878-7h7jw 1/1 Running 0 12m +ack-system ack-rds-7df84bf989-hh7z7 1/1 Running 0 12m +ack-system ack-route53-5d45dcbf66-9f82r 1/1 Running 0 12m +ack-system ack-route53resolver-696cf68868-k825q 1/1 Running 0 12m +ack-system ack-s3-6ffc4698c6-jtv6k 1/1 Running 0 12m +ack-system ack-sagemaker-74f65d4cb9-g9ngl 1/1 Running 0 12m +ack-system ack-secretsmanager-7974695c58-xkgbx 1/1 Running 0 13m +ack-system ack-sfn-6b875794cb-c7pcv 1/1 Running 0 11m +ack-system ack-sns-5c75794dbc-v5fgb 1/1 Running 0 11m +ack-system ack-sqs-55dfc46cd6-wtz7d 1/1 Running 0 13m +kube-system aws-load-balancer-controller-84b5bf9c5f-cd2kn 1/1 Running 0 12m +kube-system aws-load-balancer-controller-84b5bf9c5f-z5mkm 1/1 Running 0 12m +kube-system aws-node-5lv6j 2/2 Running 0 11m +kube-system aws-node-c8ncz 2/2 Running 0 11m +kube-system aws-node-d4tcw 2/2 Running 0 10m +kube-system coredns-787cb67946-82m2k 1/1 Running 0 16m +kube-system coredns-787cb67946-kf4vn 1/1 Running 0 16m +kube-system eks-pod-identity-agent-cnklq 1/1 Running 0 11m +kube-system eks-pod-identity-agent-fdjvk 1/1 Running 0 11m +kube-system eks-pod-identity-agent-jzzsb 1/1 Running 0 11m +kube-system kube-proxy-9x5js 1/1 Running 0 12m +kube-system kube-proxy-f4hk9 1/1 Running 0 12m +kube-system kube-proxy-gxcxt 1/1 Running 0 12m +kube-system metrics-server-7577444cf8-mhx97 1/1 Running 0 14m ``` ## Sample 
Application Deployment diff --git a/examples/complete/images/ACK_microservice.png b/tests/complete/images/ACK_microservice.png similarity index 100% rename from examples/complete/images/ACK_microservice.png rename to tests/complete/images/ACK_microservice.png diff --git a/examples/complete/main.tf b/tests/complete/main.tf similarity index 98% rename from examples/complete/main.tf rename to tests/complete/main.tf index 4c9a82d..f1dd2e1 100644 --- a/examples/complete/main.tf +++ b/tests/complete/main.tf @@ -131,6 +131,9 @@ module "eks_ack_addons" { ecrpublic_token = data.aws_ecrpublic_authorization_token.token.password # Controllers to enable + enable_networkfirewall = true + enable_cloudwatchlogs = true + enable_kinesis = true enable_secretsmanager = true enable_route53resolver = true enable_route53 = true diff --git a/examples/complete/outputs.tf b/tests/complete/outputs.tf similarity index 100% rename from examples/complete/outputs.tf rename to tests/complete/outputs.tf diff --git a/examples/complete/sample-app/apigwv2-httpapi.yaml b/tests/complete/sample-app/apigwv2-httpapi.yaml similarity index 100% rename from examples/complete/sample-app/apigwv2-httpapi.yaml rename to tests/complete/sample-app/apigwv2-httpapi.yaml diff --git a/examples/complete/sample-app/app.yaml b/tests/complete/sample-app/app.yaml similarity index 100% rename from examples/complete/sample-app/app.yaml rename to tests/complete/sample-app/app.yaml diff --git a/examples/complete/sample-app/dynamodb-table.yaml b/tests/complete/sample-app/dynamodb-table.yaml similarity index 100% rename from examples/complete/sample-app/dynamodb-table.yaml rename to tests/complete/sample-app/dynamodb-table.yaml diff --git a/examples/complete/sample-app/elasticache.yaml b/tests/complete/sample-app/elasticache.yaml similarity index 100% rename from examples/complete/sample-app/elasticache.yaml rename to tests/complete/sample-app/elasticache.yaml 
diff --git a/examples/complete/variables.tf b/tests/complete/variables.tf
similarity index 100%
rename from examples/complete/variables.tf
rename to tests/complete/variables.tf
diff --git a/examples/complete/versions.tf b/tests/complete/versions.tf
similarity index 100%
rename from examples/complete/versions.tf
rename to tests/complete/versions.tf
diff --git a/variables.tf b/variables.tf
index 724a124..72655d4 100644
--- a/variables.tf
+++ b/variables.tf
@@ -43,6 +43,54 @@ variable "tags" {
 default = {}
 }
 
+################################################################################
+# Amazon Network Firewall
+################################################################################
+
+variable "enable_networkfirewall" {
+description = "Enable ACK Network Firewall add-on"
+type = bool
+default = false
+}
+
+variable "networkfirewall" {
+description = "ACK Network Firewall Helm Chart config"
+type = any
+default = {}
+}
+
+################################################################################
+# Amazon CloudWatch Logs
+################################################################################
+
+variable "enable_cloudwatchlogs" {
+description = "Enable ACK CloudWatch Logs add-on"
+type = bool
+default = false
+}
+
+variable "cloudwatchlogs" {
+description = "ACK CloudWatch Logs Helm Chart config"
+type = any
+default = {}
+}
+
+################################################################################
+# Kinesis
+################################################################################
+
+variable "enable_kinesis" {
+description = "Enable ACK Kinesis add-on"
+type = bool
+default = false
+}
+
+variable "kinesis" {
+description = "ACK Kinesis Helm Chart config"
+type = any
+default = {}
+}
+
 ################################################################################
 # Secrets Manager
 ################################################################################
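Review bot: The new `networkfirewall`, `cloudwatchlogs` and `kinesis` variables are `type = any` with no `validation`, and the module reads such maps with `lookup(..., null)` / `try(...)` (see the eks and kms blocks earlier in this diff), so a misspelled key like `role_permission_boundary_arn` is silently ignored — the permissions boundary is simply not applied and nothing warns. At minimum the `description` should name the keys the module honours rather than just "Helm Chart config", e.g. `description = "ACK Network Firewall add-on config: Helm chart values plus IRSA keys (role_policies, role_permissions_boundary_arn, create_policy, policy_statements, ...)"`; a `validation` block rejecting unknown keys would be stronger if the supported set is closed. This mirrors the existing variables in the file, so it is a pre-existing pattern rather than something this hunk introduces.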