From 7ec620d4e7a41dd5f1e01183709ee054102393a7 Mon Sep 17 00:00:00 2001
From: Edgar Costa
Date: Mon, 12 Aug 2024 18:08:31 -0300
Subject: [PATCH 1/3] feat: Add Kinesis, CloudWatch Logs and Network Firewall Controllers

---
 README.md | 18 ++
 examples/complete/README.md | 102 +++++-----
 examples/complete/main.tf | 3 +
 main.tf | 390 +++++++++++++++++++++++++++++++++++-
 outputs.tf | 18 ++
 variables.tf | 48 +++++
 6 files changed, 530 insertions(+), 49 deletions(-)

diff --git a/README.md b/README.md
index 983e597..9824aec 100644
--- a/README.md
+++ b/README.md
@@ -18,6 +18,9 @@ module "eks_ack_addons" {
 ecrpublic_token = ""
 
 # Controllers to enable
+ enable_networkfirewall = true
+ enable_cloudwatchlogs = true
+ enable_kinesis = true
 enable_secretsmanager = true
 enable_route53resolver = true
 enable_route53 = true
@@ -91,6 +94,7 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws
 | [cloudfront](#module\_cloudfront) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [cloudtrail](#module\_cloudtrail) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [cloudwatch](#module\_cloudwatch) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
+| [cloudwatchlogs](#module\_cloudwatchlogs) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [dynamodb](#module\_dynamodb) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [ec2](#module\_ec2) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [ecr](#module\_ecr) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
@@ -103,10 +107,12 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws
 | [iam](#module\_iam) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [kafka](#module\_kafka) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [keyspaces](#module\_keyspaces) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
+| [kinesis](#module\_kinesis) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [kms](#module\_kms) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [lambda](#module\_lambda) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [memorydb](#module\_memorydb) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [mq](#module\_mq) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
+| [networkfirewall](#module\_networkfirewall) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [opensearchservice](#module\_opensearchservice) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [organizations](#module\_organizations) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
 | [prometheusservice](#module\_prometheusservice) | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
@@ -125,21 +131,27 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws
 | Name | Type |
 |------|------|
 | [aws_iam_policy.acm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.cloudwatchlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.emrcontainers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.iam](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.kinesis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.networkfirewall](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.prometheusservice](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [time_sleep.this](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.acm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudwatchlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.emrcontainers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.iam](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.kinesis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.networkfirewall](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.prometheusservice](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
@@ -155,6 +167,7 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws
 | [cloudfront](#input\_cloudfront) | ACK cloudfront Helm Chart config | `any` | `{}` | no |
 | [cloudtrail](#input\_cloudtrail) | ACK Cloudtrail Helm Chart config | `any` | `{}` | no |
 | [cloudwatch](#input\_cloudwatch) | ACK CloudWatch Helm Chart config | `any` | `{}` | no |
+| [cloudwatchlogs](#input\_cloudwatchlogs) | ACK CloudWatch Logs Helm Chart config | `any` | `{}` | no |
 | [cluster\_endpoint](#input\_cluster\_endpoint) | Endpoint for your Kubernetes API server | `string` | n/a | yes |
 | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes |
 | [create\_delay\_dependencies](#input\_create\_delay\_dependencies) | Dependency attribute which must be resolved before starting the `create_delay_duration` | `list(string)` | `[]` | no |
@@ -176,6 +189,7 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws
 | [enable\_cloudfront](#input\_enable\_cloudfront) | Enable ACK Cloudfront add-on | `bool` | `false` | no |
 | [enable\_cloudtrail](#input\_enable\_cloudtrail) | Enable ACK Cloudtrail add-on | `bool` | `false` | no |
 | [enable\_cloudwatch](#input\_enable\_cloudwatch) | Enable ACK CloudWatch add-on | `bool` | `false` | no |
+| [enable\_cloudwatchlogs](#input\_enable\_cloudwatchlogs) | Enable ACK CloudWatch Logs add-on | `bool` | `false` | no |
 | [enable\_dynamodb](#input\_enable\_dynamodb) | Enable ACK dynamodb add-on | `bool` | `false` | no |
 | [enable\_ec2](#input\_enable\_ec2) | Enable ACK ec2 add-on | `bool` | `false` | no |
 | [enable\_ecr](#input\_enable\_ecr) | Enable ACK ECR add-on | `bool` | `false` | no |
@@ -188,10 +202,12 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws
 | [enable\_iam](#input\_enable\_iam) | Enable ACK iam add-on | `bool` | `false` | no |
 | [enable\_kafka](#input\_enable\_kafka) | Enable ACK Kafka add-on | `bool` | `false` | no |
 | [enable\_keyspaces](#input\_enable\_keyspaces) | Enable ACK Keyspaces add-on | `bool` | `false` | no |
+| [enable\_kinesis](#input\_enable\_kinesis) | Enable ACK Kinesis add-on | `bool` | `false` | no |
 | [enable\_kms](#input\_enable\_kms) | Enable ACK kms add-on | `bool` | `false` | no |
 | [enable\_lambda](#input\_enable\_lambda) | Enable ACK Lambda add-on | `bool` | `false` | no |
 | [enable\_memorydb](#input\_enable\_memorydb) | Enable ACK MemoryDB add-on | `bool` | `false` | no |
 | [enable\_mq](#input\_enable\_mq) | Enable ACK MQ add-on | `bool` | `false` | no |
+| [enable\_networkfirewall](#input\_enable\_networkfirewall) | Enable ACK Network Firewall add-on | `bool` | `false` | no |
 | [enable\_opensearchservice](#input\_enable\_opensearchservice) | Enable ACK Opensearch Service add-on | `bool` | `false` | no |
 | [enable\_organizations](#input\_enable\_organizations) | Enable ACK Organizations add-on | `bool` | `false` | no |
 | [enable\_prometheusservice](#input\_enable\_prometheusservice) | Enable ACK prometheusservice add-on | `bool` | `false` | no |
@@ -208,10 +224,12 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws
 | [iam](#input\_iam) | ACK iam Helm Chart config | `any` | `{}` | no |
 | [kafka](#input\_kafka) | ACK Kafka Helm Chart config | `any` | `{}` | no |
 | [keyspaces](#input\_keyspaces) | ACK Keyspaces Helm Chart config | `any` | `{}` | no |
+| [kinesis](#input\_kinesis) | ACK Kinesis Helm Chart config | `any` | `{}` | no |
 | [kms](#input\_kms) | ACK kms Helm Chart config | `any` | `{}` | no |
 | [lambda](#input\_lambda) | ACK Lambda Helm Chart config | `any` | `{}` | no |
 | [memorydb](#input\_memorydb) | ACK MemoryDB Helm Chart config | `any` | `{}` | no |
 | [mq](#input\_mq) | ACK MQ Helm Chart config | `any` | `{}` | no |
+| [networkfirewall](#input\_networkfirewall) | ACK Network Firewall Helm Chart config | `any` | `{}` | no |
 | [oidc\_provider\_arn](#input\_oidc\_provider\_arn) | The ARN of the cluster OIDC Provider | `string` | n/a | yes |
 | [opensearchservice](#input\_opensearchservice) | ACK Opensearch Service Helm Chart config | `any` | `{}` | no |
 | [organizations](#input\_organizations) | ACK Organizations Helm Chart config | `any` | `{}` | no |
diff --git a/examples/complete/README.md b/examples/complete/README.md
index 2f50064..8dbedf7 100644
--- a/examples/complete/README.md
+++ b/examples/complete/README.md
@@ -1,6 +1,9 @@
 # Complete Example
 
 Configuration in this directory creates an AWS EKS cluster with the following ACK addons:
+- Amazon Network Firewall
+- Amazon CloudWatch Logs
+- Amazon Kinesis
 - AWS Secrets Manager
 - Amazon Route53Resolver
 - Amazon Route 53
@@ -75,54 +78,57 @@ aws eks --region update-kubeconfig --name
 kubectl get pods -A
 
 NAMESPACE NAME READY STATUS RESTARTS AGE
-ack-system ack-acm-5697f4c5b4-z48sv 1/1 Running 0 30m
-ack-system ack-apigatewayv2-76d6bbd788-pxlv9 1/1 Running 0 27m
-ack-system ack-applicationautoscaling-5fd6c8bf8f-tjhhq 1/1 Running 0 28m
-ack-system ack-cloudfront-544f4887c4-cn48r 1/1 Running 0 27m
-ack-system ack-cloudtrail-5dc78b7576-jpjd6 1/1 Running 0 26m
-ack-system ack-cloudwatch-5b844f47db-cl6ht 1/1 Running 0 28m
-ack-system ack-dynamodb-7f4b47488d-kf7gd 1/1 Running 0 30m
-ack-system ack-ec2-5fbf6f55d9-qrpj6 1/1 Running 0 29m
-ack-system ack-ecr-5b4699f87b-27k4t 1/1 Running 0 27m
-ack-system ack-ecs-74d8d67695-tw9fp 1/1 Running 0 28m
-ack-system ack-efs-7b9f965b96-htcxj 1/1 Running 0 28m
-ack-system ack-eks-54945d94d4-pn25c 1/1 Running 0 30m
-ack-system ack-elasticache-5758ff66bd-69w79 1/1 Running 0 29m
-ack-system ack-emrcontainers-74c5d7b8c-4rpkf 1/1 Running 0 29m
-ack-system ack-eventbridge-b76bd85b8-cl75j 1/1 Running 0 30m
-ack-system ack-iam-89dd5d6b5-4vb82 1/1 Running 0 28m
-ack-system ack-kafka-7bd95bd59-25kkb 1/1 Running 0 28m
-ack-system ack-keyspaces-6cc9bbc575-klxtw 1/1 Running 0 26m
-ack-system ack-kms-58b89848db-wh6wq 1/1 Running 0 27m
-ack-system ack-lambda-65bd7fbc8d-8qllw 1/1 Running 0 27m
-ack-system ack-memorydb-76c988f6dd-dm22w 1/1 Running 0 29m
-ack-system ack-mq-85b69db6c-hdwqg 1/1 Running 0 26m
-ack-system ack-opensearchservice-7fd9d8c866-5l6wh 1/1 Running 0 29m
-ack-system ack-organizations-784c69d659-xcm29 1/1 Running 0 27m
-ack-system ack-prometheusservice-6d657cd878-q492w 1/1 Running 0 30m
-ack-system ack-rds-7df84bf989-jmpzh 1/1 Running 0 26m
-ack-system ack-route53-5d45dcbf66-lchwf 1/1 Running 0 27m
-ack-system ack-route53resolver-696cf68868-znnsv 1/1 Running 0 26m
-ack-system ack-s3-6ffc4698c6-5sfwg 1/1 Running 0 30m
-ack-system ack-sagemaker-74f65d4cb9-tqcnm 1/1 Running 0 27m
-ack-system ack-secretsmanager-7974695c58-8p29t 1/1 Running 0 30m
-ack-system ack-sfn-6b875794cb-fnrz4 1/1 Running 0 26m
-ack-system ack-sns-5c75794dbc-5vs5r 1/1 Running 0 27m
-ack-system ack-sqs-55dfc46cd6-tgc68 1/1 Running 0 26m
-kube-system aws-load-balancer-controller-84b5bf9c5f-wmj6s 1/1 Running 0 28m
-kube-system aws-load-balancer-controller-84b5bf9c5f-xz5bd 1/1 Running 0 28m
-kube-system aws-node-48drm 2/2 Running 0 26m
-kube-system aws-node-7jmr4 2/2 Running 0 26m
-kube-system aws-node-dc8tz 2/2 Running 0 26m
-kube-system coredns-787cb67946-69dqt 1/1 Running 0 33m
-kube-system coredns-787cb67946-nblvh 1/1 Running 0 33m
-kube-system eks-pod-identity-agent-5vflt 1/1 Running 0 27m
-kube-system eks-pod-identity-agent-ltjcq 1/1 Running 0 27m
-kube-system eks-pod-identity-agent-rb8jn 1/1 Running 0 27m
-kube-system kube-proxy-mz99j 1/1 Running 0 30m
-kube-system kube-proxy-prj6l 1/1 Running 0 30m
-kube-system kube-proxy-rsfsz 1/1 Running 0 30m
-kube-system metrics-server-7577444cf8-vj4lt 1/1 Running 0 31m
+ack-system ack-acm-5697f4c5b4-czd5b 1/1 Running 0 11m
+ack-system ack-apigatewayv2-76d6bbd788-77t8p 1/1 Running 0 10m
+ack-system ack-applicationautoscaling-5fd6c8bf8f-zqn4p 1/1 Running 0 11m
+ack-system ack-cloudfront-544f4887c4-jhw5b 1/1 Running 0 12m
+ack-system ack-cloudtrail-5dc78b7576-2bwds 1/1 Running 0 11m
+ack-system ack-cloudwatch-5b844f47db-6fb5d 1/1 Running 0 11m
+ack-system ack-cloudwatchlogs-757f9879fb-jtvhh 1/1 Running 0 11m
+ack-system ack-dynamodb-7f4b47488d-btjff 1/1 Running 0 12m
+ack-system ack-ec2-5fbf6f55d9-hn8jw 1/1 Running 0 11m
+ack-system ack-ecr-5b4699f87b-rt5xt 1/1 Running 0 11m
+ack-system ack-ecs-74d8d67695-zbv97 1/1 Running 0 10m
+ack-system ack-efs-7b9f965b96-qbc6q 1/1 Running 0 13m
+ack-system ack-eks-54945d94d4-mflgw 1/1 Running 0 12m
+ack-system ack-elasticache-5758ff66bd-mmj27 1/1 Running 0 12m
+ack-system ack-emrcontainers-74c5d7b8c-9htg9 1/1 Running 0 11m
+ack-system ack-eventbridge-b76bd85b8-dtvxr 1/1 Running 0 13m
+ack-system ack-iam-89dd5d6b5-wf8tm 1/1 Running 0 11m
+ack-system ack-kafka-7bd95bd59-dvcf6 1/1 Running 0 10m
+ack-system ack-keyspaces-6cc9bbc575-lfjwr 1/1 Running 0 11m
+ack-system ack-kinesis-687bf76869-kqshn 1/1 Running 0 11m
+ack-system ack-kms-58b89848db-hrf8v 1/1 Running 0 11m
+ack-system ack-lambda-65bd7fbc8d-fjqfj 1/1 Running 0 11m
+ack-system ack-memorydb-76c988f6dd-4v8cz 1/1 Running 0 10m
+ack-system ack-mq-85b69db6c-tlt2p 1/1 Running 0 11m
+ack-system ack-networkfirewall-c6676fddc-tlvzr 1/1 Running 0 12m
+ack-system ack-opensearchservice-7fd9d8c866-9kkdx 1/1 Running 0 11m
+ack-system ack-organizations-784c69d659-cpn2r 1/1 Running 0 13m
+ack-system ack-prometheusservice-6d657cd878-7h7jw 1/1 Running 0 12m
+ack-system ack-rds-7df84bf989-hh7z7 1/1 Running 0 12m
+ack-system ack-route53-5d45dcbf66-9f82r 1/1 Running 0 12m
+ack-system ack-route53resolver-696cf68868-k825q 1/1 Running 0 12m
+ack-system ack-s3-6ffc4698c6-jtv6k 1/1 Running 0 12m
+ack-system ack-sagemaker-74f65d4cb9-g9ngl 1/1 Running 0 12m
+ack-system ack-secretsmanager-7974695c58-xkgbx 1/1 Running 0 13m
+ack-system ack-sfn-6b875794cb-c7pcv 1/1 Running 0 11m
+ack-system ack-sns-5c75794dbc-v5fgb 1/1 Running 0 11m
+ack-system ack-sqs-55dfc46cd6-wtz7d 1/1 Running 0 13m
+kube-system aws-load-balancer-controller-84b5bf9c5f-cd2kn 1/1 Running 0 12m
+kube-system aws-load-balancer-controller-84b5bf9c5f-z5mkm 1/1 Running 0 12m
+kube-system aws-node-5lv6j 2/2 Running 0 11m
+kube-system aws-node-c8ncz 2/2 Running 0 11m
+kube-system aws-node-d4tcw 2/2 Running 0 10m
+kube-system coredns-787cb67946-82m2k 1/1 Running 0 16m
+kube-system coredns-787cb67946-kf4vn 1/1 Running 0 16m
+kube-system eks-pod-identity-agent-cnklq 1/1 Running 0 11m
+kube-system eks-pod-identity-agent-fdjvk 1/1 Running 0 11m
+kube-system eks-pod-identity-agent-jzzsb 1/1 Running 0 11m
+kube-system kube-proxy-9x5js 1/1 Running 0 12m
+kube-system kube-proxy-f4hk9 1/1 Running 0 12m
+kube-system kube-proxy-gxcxt 1/1 Running 0 12m
+kube-system metrics-server-7577444cf8-mhx97 1/1 Running 0 14m
 ```
 
 ## Sample Application Deployment
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 4c9a82d..f1dd2e1 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -131,6 +131,9 @@ module "eks_ack_addons" {
 ecrpublic_token = data.aws_ecrpublic_authorization_token.token.password
 
 # Controllers to enable
+ enable_networkfirewall = true
+ enable_cloudwatchlogs = true
+ enable_kinesis = true
 enable_secretsmanager = true
 enable_route53resolver = true
 enable_route53 = true
diff --git a/main.tf b/main.tf
index 935ccd9..7b36c68 100644
--- a/main.tf
+++ b/main.tf
@@ -33,6 +33,395 @@ locals {
 repository_password = var.create_kubernetes_resources ? var.ecrpublic_token : ""
 }
 
+################################################################################
+# Network Firewall
+################################################################################
+
+locals {
+ networkfirewall_name = "ack-networkfirewall"
+}
+
+module "networkfirewall" {
+ source = "aws-ia/eks-blueprints-addon/aws"
+ version = "1.1.1"
+
+ create = var.enable_networkfirewall
+
+ # Disable helm release
+ create_release = var.create_kubernetes_resources
+
+ # public.ecr.aws/aws-controllers-k8s/networkfirewall-chart:0.0.8
+ name = try(var.networkfirewall.name, local.networkfirewall_name)
+ description = try(var.networkfirewall.description, "Helm Chart for Network Firewall controller for ACK")
+ namespace = try(var.networkfirewall.namespace, "ack-system")
+ create_namespace = try(var.networkfirewall.create_namespace, true)
+ chart = "networkfirewall-chart"
+ chart_version = try(var.networkfirewall.chart_version, "0.0.8")
+ repository = try(var.networkfirewall.repository, "oci://public.ecr.aws/aws-controllers-k8s")
+ values = try(var.networkfirewall.values, [])
+
+ timeout = try(var.networkfirewall.timeout, null)
+ repository_key_file = try(var.networkfirewall.repository_key_file, null)
+ repository_cert_file = try(var.networkfirewall.repository_cert_file, null)
+ repository_ca_file = try(var.networkfirewall.repository_ca_file, null)
+ repository_username = try(var.networkfirewall.repository_username, local.repository_username)
+ repository_password = try(var.networkfirewall.repository_password, local.repository_password)
+ devel = try(var.networkfirewall.devel, null)
+ verify = try(var.networkfirewall.verify, null)
+ keyring = try(var.networkfirewall.keyring, null)
+ disable_webhooks = try(var.networkfirewall.disable_webhooks, null)
+ reuse_values = try(var.networkfirewall.reuse_values, null)
+ reset_values = try(var.networkfirewall.reset_values, null)
+ force_update = try(var.networkfirewall.force_update, null)
+ recreate_pods = try(var.networkfirewall.recreate_pods, null)
+ cleanup_on_fail = try(var.networkfirewall.cleanup_on_fail, null)
+ max_history = try(var.networkfirewall.max_history, null)
+ atomic = try(var.networkfirewall.atomic, null)
+ skip_crds = try(var.networkfirewall.skip_crds, null)
+ render_subchart_notes = try(var.networkfirewall.render_subchart_notes, null)
+ disable_openapi_validation = try(var.networkfirewall.disable_openapi_validation, null)
+ wait = try(var.networkfirewall.wait, false)
+ wait_for_jobs = try(var.networkfirewall.wait_for_jobs, null)
+ dependency_update = try(var.networkfirewall.dependency_update, null)
+ replace = try(var.networkfirewall.replace, null)
+ lint = try(var.networkfirewall.lint, null)
+
+ postrender = try(var.networkfirewall.postrender, [])
+
+ set = concat([
+ {
+ # shortens pod name from `ack-networkfirewall-networkfirewall-chart-xxxxxxxxxxxxx` to `ack-networkfirewall-xxxxxxxxxxxxx`
+ name = "nameOverride"
+ value = "ack-networkfirewall"
+ },
+ {
+ name = "aws.region"
+ value = local.region
+ },
+ {
+ name = "serviceAccount.name"
+ value = local.networkfirewall_name
+ }],
+ try(var.networkfirewall.set, [])
+ )
+ set_sensitive = try(var.networkfirewall.set_sensitive, [])
+
+ # IAM role for service account (IRSA)
+ set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"]
+ create_role = try(var.networkfirewall.create_role, true)
+ role_name = try(var.networkfirewall.role_name, "ack-networkfirewall")
+ role_name_use_prefix = try(var.networkfirewall.role_name_use_prefix, true)
+ role_path = try(var.networkfirewall.role_path, "/")
+ role_permissions_boundary_arn = lookup(var.networkfirewall, "role_permissions_boundary_arn", null)
+ role_description = try(var.networkfirewall.role_description, "IRSA for Network Firewall controller for ACK")
+ role_policies = lookup(var.networkfirewall, "role_policies", {
+ policy = var.enable_networkfirewall ? aws_iam_policy.networkfirewall[0].arn : null
+ })
+ create_policy = try(var.networkfirewall.create_policy, false)
+
+ oidc_providers = {
+ this = {
+ provider_arn = local.oidc_provider_arn
+ # namespace is inherited from chart
+ service_account = local.networkfirewall_name
+ }
+ }
+
+ tags = var.tags
+}
+
+# recommended networkfirewall-controller policy https://github.com/aws-controllers-k8s/networkfirewall-controller/blob/main/config/iam/recommended-inline-policy
+data "aws_iam_policy_document" "networkfirewall" {
+ count = var.enable_networkfirewall ? 1 : 0
+
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "network-firewall:CreateFirewall",
+ "network-firewall:CreateFirewallPolicy",
+ "network-firewall:DeleteFirewall",
+ "network-firewall:DeleteFirewallPolicy",
+ "network-firewall:DescribeFirewall",
+ "network-firewall:DescribeLoggingConfiguration",
+ "network-firewall:ListFirewallPolicies",
+ "network-firewall:ListFirewalls",
+ "network-firewall:UpdateLoggingConfiguration",
+ ]
+
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "networkfirewall" {
+ count = var.enable_networkfirewall ? 1 : 0
+
+ name = "NetworkFirewallController"
+ description = "IAM policy for Network Firewall Controller"
+ policy = data.aws_iam_policy_document.networkfirewall[0].json
+
+ tags = var.tags
+}
+
+################################################################################
+# Amazon CloudWatch Logs
+################################################################################
+
+locals {
+ cloudwatchlogs_name = "ack-cloudwatchlogs"
+}
+
+module "cloudwatchlogs" {
+ source = "aws-ia/eks-blueprints-addon/aws"
+ version = "1.1.1"
+
+ create = var.enable_cloudwatchlogs
+
+ # Disable helm release
+ create_release = var.create_kubernetes_resources
+
+ # public.ecr.aws/aws-controllers-k8s/cloudwatchlogs-chart:0.0.9
+ name = try(var.cloudwatchlogs.name, local.cloudwatchlogs_name)
+ description = try(var.cloudwatchlogs.description, "Helm Chart for CloudWatch Logs controller for ACK")
+ namespace = try(var.cloudwatchlogs.namespace, "ack-system")
+ create_namespace = try(var.cloudwatchlogs.create_namespace, true)
+ chart = "cloudwatchlogs-chart"
+ chart_version = try(var.cloudwatchlogs.chart_version, "0.0.9")
+ repository = try(var.cloudwatchlogs.repository, "oci://public.ecr.aws/aws-controllers-k8s")
+ values = try(var.cloudwatchlogs.values, [])
+
+ timeout = try(var.cloudwatchlogs.timeout, null)
+ repository_key_file = try(var.cloudwatchlogs.repository_key_file, null)
+ repository_cert_file = try(var.cloudwatchlogs.repository_cert_file, null)
+ repository_ca_file = try(var.cloudwatchlogs.repository_ca_file, null)
+ repository_username = try(var.cloudwatchlogs.repository_username, local.repository_username)
+ repository_password = try(var.cloudwatchlogs.repository_password, local.repository_password)
+ devel = try(var.cloudwatchlogs.devel, null)
+ verify = try(var.cloudwatchlogs.verify, null)
+ keyring = try(var.cloudwatchlogs.keyring, null)
+ disable_webhooks = try(var.cloudwatchlogs.disable_webhooks, null)
+ reuse_values = try(var.cloudwatchlogs.reuse_values, null)
+ reset_values = try(var.cloudwatchlogs.reset_values, null)
+ force_update = try(var.cloudwatchlogs.force_update, null)
+ recreate_pods = try(var.cloudwatchlogs.recreate_pods, null)
+ cleanup_on_fail = try(var.cloudwatchlogs.cleanup_on_fail, null)
+ max_history = try(var.cloudwatchlogs.max_history, null)
+ atomic = try(var.cloudwatchlogs.atomic, null)
+ skip_crds = try(var.cloudwatchlogs.skip_crds, null)
+ render_subchart_notes = try(var.cloudwatchlogs.render_subchart_notes, null)
+ disable_openapi_validation = try(var.cloudwatchlogs.disable_openapi_validation, null)
+ wait = try(var.cloudwatchlogs.wait, false)
+ wait_for_jobs = try(var.cloudwatchlogs.wait_for_jobs, null)
+ dependency_update = try(var.cloudwatchlogs.dependency_update, null)
+ replace = try(var.cloudwatchlogs.replace, null)
+ lint = try(var.cloudwatchlogs.lint, null)
+
+ postrender = try(var.cloudwatchlogs.postrender, [])
+
+ set = concat([
+ {
+ # shortens pod name from `ack-cloudwatchlogs-cloudwatchlogs-chart-xxxxxxxxxxxxx` to `ack-cloudwatchlogs-xxxxxxxxxxxxx`
+ name = "nameOverride"
+ value = "ack-cloudwatchlogs"
+ },
+ {
+ name = "aws.region"
+ value = local.region
+ },
+ {
+ name = "serviceAccount.name"
+ value = local.cloudwatchlogs_name
+ }],
+ try(var.cloudwatchlogs.set, [])
+ )
+ set_sensitive = try(var.cloudwatchlogs.set_sensitive, [])
+
+ # IAM role for service account (IRSA)
+ set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"]
+ create_role = try(var.cloudwatchlogs.create_role, true)
+ role_name = try(var.cloudwatchlogs.role_name, "ack-cloudwatchlogs")
+ role_name_use_prefix = try(var.cloudwatchlogs.role_name_use_prefix, true)
+ role_path = try(var.cloudwatchlogs.role_path, "/")
+ role_permissions_boundary_arn = lookup(var.cloudwatchlogs, "role_permissions_boundary_arn", null)
+ role_description = try(var.cloudwatchlogs.role_description, "IRSA for CloudWatch Logs controller for ACK")
+ role_policies = lookup(var.cloudwatchlogs, "role_policies", {
+ policy = var.enable_cloudwatchlogs ? aws_iam_policy.cloudwatchlogs[0].arn : null
+ })
+ create_policy = try(var.cloudwatchlogs.create_policy, false)
+
+ oidc_providers = {
+ this = {
+ provider_arn = local.oidc_provider_arn
+ # namespace is inherited from chart
+ service_account = local.cloudwatchlogs_name
+ }
+ }
+
+ tags = var.tags
+}
+
+# recommended cloudwatchlogs-controller policy https://github.com/aws-controllers-k8s/cloudwatchlogs-controller/blob/main/config/iam/recommended-inline-policy
+data "aws_iam_policy_document" "cloudwatchlogs" {
+ count = var.enable_cloudwatchlogs ? 1 : 0
+
+ statement {
+ sid = "VisualEditor0"
+ effect = "Allow"
+
+ actions = [
+ "logs:TagLogGroup",
+ "logs:DescribeLogGroups",
+ "logs:UntagLogGroup",
+ "logs:DeleteLogGroup",
+ "logs:UntagResource",
+ "logs:TagResource",
+ "logs:CreateLogGroup",
+ "logs:ListTagsForResource",
+ ]
+
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "cloudwatchlogs" {
+ count = var.enable_cloudwatchlogs ? 1 : 0
+
+ name = "CloudWatchLogsController"
+ description = "IAM policy for CloudWatch Logs Controller"
+ policy = data.aws_iam_policy_document.cloudwatchlogs[0].json
+
+ tags = var.tags
+}
+
+################################################################################
+# Kinesis
+################################################################################
+
+locals {
+ kinesis_name = "ack-kinesis"
+}
+
+module "kinesis" {
+ source = "aws-ia/eks-blueprints-addon/aws"
+ version = "1.1.1"
+
+ create = var.enable_kinesis
+
+ # Disable helm release
+ create_release = var.create_kubernetes_resources
+
+ # public.ecr.aws/aws-controllers-k8s/kinesis-chart:0.0.17
+ name = try(var.kinesis.name, local.kinesis_name)
+ description = try(var.kinesis.description, "Helm Chart for Kinesis controller for ACK")
+ namespace = try(var.kinesis.namespace, "ack-system")
+ create_namespace = try(var.kinesis.create_namespace, true)
+ chart = "kinesis-chart"
+ chart_version = try(var.kinesis.chart_version, "0.0.17")
+ repository = try(var.kinesis.repository, "oci://public.ecr.aws/aws-controllers-k8s")
+ values = try(var.kinesis.values, [])
+
+ timeout = try(var.kinesis.timeout, null)
+ repository_key_file = try(var.kinesis.repository_key_file, null)
+ repository_cert_file = try(var.kinesis.repository_cert_file, null)
+ repository_ca_file = try(var.kinesis.repository_ca_file, null)
+ repository_username = try(var.kinesis.repository_username, local.repository_username)
+ repository_password = try(var.kinesis.repository_password, local.repository_password)
+ devel = try(var.kinesis.devel, null)
+ verify = try(var.kinesis.verify, null)
+ keyring = try(var.kinesis.keyring, null)
+ disable_webhooks = try(var.kinesis.disable_webhooks, null)
+ reuse_values = try(var.kinesis.reuse_values, null)
+ reset_values = try(var.kinesis.reset_values, null)
+ force_update = try(var.kinesis.force_update, null)
+ recreate_pods = try(var.kinesis.recreate_pods, null)
+ cleanup_on_fail = try(var.kinesis.cleanup_on_fail, null)
+ max_history = try(var.kinesis.max_history, null)
+ atomic = try(var.kinesis.atomic, null)
+ skip_crds = try(var.kinesis.skip_crds, null)
+ render_subchart_notes = try(var.kinesis.render_subchart_notes, null)
+ disable_openapi_validation = try(var.kinesis.disable_openapi_validation, null)
+ wait = try(var.kinesis.wait, false)
+ wait_for_jobs = try(var.kinesis.wait_for_jobs, null)
+ dependency_update = try(var.kinesis.dependency_update, null)
+ replace = try(var.kinesis.replace, null)
+ lint = try(var.kinesis.lint, null)
+
+ postrender = try(var.kinesis.postrender, [])
+
+ set = concat([
+ {
+ # shortens pod name from `ack-kinesis-kinesis-chart-xxxxxxxxxxxxx` to `ack-kinesis-xxxxxxxxxxxxx`
+ name = "nameOverride"
+ value = "ack-kinesis"
+ },
+ {
+ name = "aws.region"
+ value = local.region
+ },
+ {
+ name = "serviceAccount.name"
+ value = local.kinesis_name
+ }],
+ try(var.kinesis.set, [])
+ )
+ set_sensitive = try(var.kinesis.set_sensitive, [])
+
+ # IAM role for service account (IRSA)
+ set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"]
+ create_role = try(var.kinesis.create_role, true)
+ role_name = try(var.kinesis.role_name, "ack-kinesis")
+ role_name_use_prefix = try(var.kinesis.role_name_use_prefix, true)
+ role_path = try(var.kinesis.role_path, "/")
+ role_permissions_boundary_arn = lookup(var.kinesis, "role_permissions_boundary_arn", null)
+ role_description = try(var.kinesis.role_description, "IRSA for Kinesis controller for ACK")
+ role_policies = lookup(var.kinesis, "role_policies", {
+ policy = var.enable_kinesis ? aws_iam_policy.kinesis[0].arn : null
+ })
+
+ create_policy = try(var.kinesis.create_policy, false)
+
+ oidc_providers = {
+ this = {
+ provider_arn = local.oidc_provider_arn
+ # namespace is inherited from chart
+ service_account = local.kinesis_name
+ }
+ }
+
+ tags = var.tags
+}
+
+# recommended kinesis-controller policy https://github.com/aws-controllers-k8s/kinesis-controller/blob/main/config/iam/recommended-inline-policy
+data "aws_iam_policy_document" "kinesis" {
+ count = var.enable_kinesis ? 1 : 0
+
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "kinesis:ListStreams",
+ "kinesis:DeleteStream",
+ "kinesis:DescribeStreamSummary",
+ "kinesis:ListShards",
+ "kinesis:UpdateShardCount",
+ "kinesis:CreateStream",
+ "kinesis:DescribeStream",
+ ]
+
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "kinesis" {
+ count = var.enable_kinesis ? 1 : 0
+
+ name = "KinesisController"
+ description = "IAM policy for Kinesis Controller"
+ policy = data.aws_iam_policy_document.kinesis[0].json
+
+ tags = var.tags
+}
+
 ################################################################################
 # Secrets Manager
 ################################################################################
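Review bot: The three managed policies are created with fixed names — `name = "NetworkFirewallController"`, `name = "CloudWatchLogsController"` and `name = "KinesisController"` in the `aws_iam_policy` resources — while the matching IRSA roles use `role_name_use_prefix = true`, so a second cluster deploying this module in the same AWS account would collide on the policy name even though its role would not; `name_prefix` or a cluster-derived suffix would keep the two consistent, unless the existing policies in this file already use fixed names and the limitation is shared rather than new. All three `aws_iam_policy_document` statements grant their actions on `resources = ["*"]`, which matches the linked recommended inline policies, but a short comment such as `# account-wide by design (matches the ACK recommended policy); pass role_policies to narrow it` would make the scope an explicit choice rather than an oversight for readers. The `sid = "VisualEditor0"` on the cloudwatchlogs statement looks like a console-generated leftover that the other two statements do not carry and could be dropped. The kinesis module also has an extra blank line before `create_policy` that the networkfirewall and cloudwatchlogs blocks do not.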
@@ -719,7 +1108,6 @@ module "keyspaces" { tags = var.tags } - ################################################################################ # Kafka ################################################################################ diff --git a/outputs.tf b/outputs.tf index 06da03a..6ae9628 100644 --- a/outputs.tf +++ b/outputs.tf @@ -11,6 +11,24 @@ added or an addon is updated, and new metadata for the Helm chart is needed. output "gitops_metadata" { description = "GitOps Bridge metadata" value = merge( + { for k, v in { + iam_role_arn = module.networkfirewall.iam_role_arn + namespace = try(var.networkfirewall.namespace, "ack-system") + service_account = local.networkfirewall_name + } : "ack_iam_${k}" => v if var.enable_networkfirewall + }, + { for k, v in { + iam_role_arn = module.cloudwatchlogs.iam_role_arn + namespace = try(var.cloudwatchlogs.namespace, "ack-system") + service_account = local.cloudwatchlogs_name + } : "ack_iam_${k}" => v if var.enable_cloudwatchlogs + }, + { for k, v in { + iam_role_arn = module.kinesis.iam_role_arn + namespace = try(var.kinesis.namespace, "ack-system") + service_account = local.kinesis_name + } : "ack_iam_${k}" => v if var.enable_kinesis + }, { for k, v in { iam_role_arn = module.secretsmanager.iam_role_arn namespace = try(var.secretsmanager.namespace, "ack-system") diff --git a/variables.tf b/variables.tf index 724a124..72655d4 100644 --- a/variables.tf +++ b/variables.tf 
@@ -43,6 +43,54 @@ variable "tags" {
 default = {}
 }

+################################################################################
+# Amazon Network Firewall
+################################################################################
+
+variable "enable_networkfirewall" {
+ description = "Enable ACK Network Firewall add-on"
+ type = bool
+ default = false
+}
+
+variable "networkfirewall" {
+ description = "ACK Network Firewall Helm Chart config"
+ type = any
+ default = {}
+}
+
+################################################################################
+# Amazon CloudWatch Logs
+################################################################################
+
+variable "enable_cloudwatchlogs" {
+ description = "Enable ACK CloudWatch Logs add-on"
+ type = bool
+ default = false
+}
+
+variable "cloudwatchlogs" {
+ description = "ACK CloudWatch Logs Helm Chart config"
+ type = any
+ default = {}
+}
+
+################################################################################
+# Kinesis
+################################################################################
+
+variable "enable_kinesis" {
+ description = "Enable ACK Kinesis add-on"
+ type = bool
+ default = false
+}
+
+variable "kinesis" {
+ description = "ACK Kinesis Helm Chart config"
+ type = any
+ default = {}
+}
+
 ################################################################################
 # Secrets Manager
 ################################################################################
From e2151680a74285a4f84b5449bd9ea3a66f9b6fa6 Mon Sep 17 00:00:00 2001
From: Edgar Costa
Date: Mon, 12 Aug 2024 22:12:47 -0300
Subject: [PATCH 2/3] fix policies to be consistent with other modules
---
 README.md | 11 ---
 main.tf | 252 +++++++++++++++++++++--------------------------
 2 files changed, 99 insertions(+), 164 deletions(-)
diff --git a/README.md b/README.md
index 9824aec..50f1aea 100644
--- a/README.md
+++ b/README.md
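Review bot: The three new `type = any` config objects are consumed through `try(var.kinesis.<key>, default)` lookups (see the kinesis module above), so a misspelled or unsupported key is silently ignored rather than rejected at plan time — for an object that carries IAM settings such as `role_policies`, `role_permissions_boundary_arn` and `create_policy`, that failure mode is easy to miss. Short of an object type, the descriptions should at least name the contract, e.g. `description = "ACK Kinesis Helm Chart config; keys mirror the inputs of the aws-ia/eks-blueprints-addon/aws module, unrecognised keys are ignored"`. The same wording applies to the `networkfirewall` and `cloudwatchlogs` variables in this hunk.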
@@ -130,17 +130,6 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws

 | Name | Type |
 |------|------|
-| [aws_iam_policy.acm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.cloudwatchlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.emrcontainers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.iam](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.kinesis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.networkfirewall](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.prometheusservice](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [time_sleep.this](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.acm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
diff --git a/main.tf b/main.tf index 7b36c68..cac2775 100644 --- a/main.tf +++ b/main.tf @@ -114,10 +114,15 @@ module "networkfirewall" { role_path = try(var.networkfirewall.role_path, "/") role_permissions_boundary_arn = lookup(var.networkfirewall, "role_permissions_boundary_arn", null) role_description = try(var.networkfirewall.role_description, "IRSA for Network Firewall controller for ACK") - role_policies = lookup(var.networkfirewall, "role_policies", { - policy = var.enable_networkfirewall ? aws_iam_policy.networkfirewall[0].arn : null - }) - create_policy = try(var.networkfirewall.create_policy, false) + role_policies = lookup(var.networkfirewall, "role_policies", {}) + + create_policy = try(var.networkfirewall.create_policy, true) + source_policy_documents = data.aws_iam_policy_document.networkfirewall[*].json + policy_statements = lookup(var.networkfirewall, "policy_statements", []) + policy_name = try(var.networkfirewall.policy_name, null) + policy_name_use_prefix = try(var.networkfirewall.policy_name_use_prefix, true) + policy_path = try(var.networkfirewall.policy_path, null) + policy_description = try(var.networkfirewall.policy_description, "IAM Policy for Network Firewall controller for ACK") oidc_providers = { this = { @@ -153,16 +158,6 @@ data "aws_iam_policy_document" "networkfirewall" { } } -resource "aws_iam_policy" "networkfirewall" { - count = var.enable_networkfirewall ? 1 : 0 - - name = "NetworkFirewallController" - description = "IAM policy for Network Firewall Controller" - policy = data.aws_iam_policy_document.networkfirewall[0].json - - tags = var.tags -} - ################################################################################ # Amazon CloudWatch Logs ################################################################################ 
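Review bot: The default for `create_policy` flips from `false` to `true` while `role_policies` now defaults to `{}`, so a caller that already sets `create_policy = false` (previously harmless, because the recommended policy was attached through `role_policies`) now gets an IRSA role with no permissions attached, which presumably surfaces only as runtime access-denied errors from the controller rather than at plan time. The new behaviour should be stated in the `networkfirewall` variable description and the README, for example `# create_policy = false now requires role_policies to supply the controller's permissions`. User-supplied `role_policies` are also additive to the generated policy now instead of replacing it; if that is intended, say so in the same place. The identical change is made for cloudwatchlogs, kinesis, lambda, iam, eks, kms, acm, prometheusservice, emrcontainers and sfn in the following hunks, so one shared doc note would cover all of them. The enclosing `module "networkfirewall"` block begins and ends outside this hunk.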
@@ -244,10 +239,15 @@ module "cloudwatchlogs" { role_path = try(var.cloudwatchlogs.role_path, "/") role_permissions_boundary_arn = lookup(var.cloudwatchlogs, "role_permissions_boundary_arn", null) role_description = try(var.cloudwatchlogs.role_description, "IRSA for CloudWatch Logs controller for ACK") - role_policies = lookup(var.cloudwatchlogs, "role_policies", { - policy = var.enable_cloudwatchlogs ? aws_iam_policy.cloudwatchlogs[0].arn : null - }) - create_policy = try(var.cloudwatchlogs.create_policy, false) + role_policies = lookup(var.cloudwatchlogs, "role_policies", {}) + + create_policy = try(var.cloudwatchlogs.create_policy, true) + source_policy_documents = data.aws_iam_policy_document.cloudwatchlogs[*].json + policy_statements = lookup(var.cloudwatchlogs, "policy_statements", []) + policy_name = try(var.cloudwatchlogs.policy_name, null) + policy_name_use_prefix = try(var.cloudwatchlogs.policy_name_use_prefix, true) + policy_path = try(var.cloudwatchlogs.policy_path, null) + policy_description = try(var.cloudwatchlogs.policy_description, "IAM Policy for Cloudwatch Logs controller for ACK") oidc_providers = { this = { @@ -283,16 +283,6 @@ data "aws_iam_policy_document" "cloudwatchlogs" { } } -resource "aws_iam_policy" "cloudwatchlogs" { - count = var.enable_cloudwatchlogs ? 1 : 0 - - name = "CloudWatchLogsController" - description = "IAM policy for CloudWatch Logs Controller" - policy = data.aws_iam_policy_document.cloudwatchlogs[0].json - - tags = var.tags -} - ################################################################################ # Kinesis ################################################################################ 
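Review bot: The new `policy_description` default reads `"IAM Policy for Cloudwatch Logs controller for ACK"` while the `role_description` two lines above spells the service `"CloudWatch Logs"`; the created policy's description is what shows up in the IAM console, so the two should match. Suggest `policy_description = try(var.cloudwatchlogs.policy_description, "IAM Policy for CloudWatch Logs controller for ACK")`. The enclosing `module "cloudwatchlogs"` block begins and ends outside this hunk.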
@@ -374,11 +364,15 @@ module "kinesis" { role_path = try(var.kinesis.role_path, "/") role_permissions_boundary_arn = lookup(var.kinesis, "role_permissions_boundary_arn", null) role_description = try(var.kinesis.role_description, "IRSA for Kinesis controller for ACK") - role_policies = lookup(var.kinesis, "role_policies", { - policy = var.enable_kinesis ? aws_iam_policy.kinesis[0].arn : null - }) + role_policies = lookup(var.kinesis, "role_policies", {}) - create_policy = try(var.kinesis.create_policy, false) + create_policy = try(var.kinesis.create_policy, true) + source_policy_documents = data.aws_iam_policy_document.kinesis[*].json + policy_statements = lookup(var.kinesis, "policy_statements", []) + policy_name = try(var.kinesis.policy_name, null) + policy_name_use_prefix = try(var.kinesis.policy_name_use_prefix, true) + policy_path = try(var.kinesis.policy_path, null) + policy_description = try(var.kinesis.policy_description, "IAM Policy for Kinesis controller for ACK") oidc_providers = { this = { @@ -412,16 +406,6 @@ data "aws_iam_policy_document" "kinesis" { } } -resource "aws_iam_policy" "kinesis" { - count = var.enable_kinesis ? 1 : 0 - - name = "KinesisController" - description = "IAM policy for Kinesis Controller" - policy = data.aws_iam_policy_document.kinesis[0].json - - tags = var.tags -} - ################################################################################ # Secrets Manager ################################################################################ 
@@ -2360,10 +2344,16 @@ module "lambda" { role_path = try(var.lambda.role_path, "/") role_permissions_boundary_arn = lookup(var.lambda, "role_permissions_boundary_arn", null) role_description = try(var.lambda.role_description, "IRSA for Lambda controller for ACK") - role_policies = lookup(var.lambda, "role_policies", { - policy = var.enable_lambda ? aws_iam_policy.lambda[0].arn : null - }) - create_policy = try(var.lambda.create_policy, false) + role_policies = lookup(var.lambda, "role_policies", {}) + + create_policy = try(var.lambda.create_policy, true) + source_policy_documents = data.aws_iam_policy_document.lambda[*].json + policy_statements = lookup(var.lambda, "policy_statements", []) + policy_name = try(var.lambda.policy_name, null) + policy_name_use_prefix = try(var.lambda.policy_name_use_prefix, true) + policy_path = try(var.lambda.policy_path, null) + policy_description = try(var.lambda.policy_description, "IAM Policy for Lambda controller for ACK") + oidc_providers = { this = { @@ -2406,16 +2396,6 @@ data "aws_iam_policy_document" "lambda" { } } -resource "aws_iam_policy" "lambda" { - count = var.enable_lambda ? 1 : 0 - - name = "LambdaController" - description = "IAM policy for Lambda Controller" - policy = data.aws_iam_policy_document.lambda[0].json - - tags = var.tags -} - ################################################################################ # IAM ################################################################################ 
@@ -2498,10 +2478,15 @@ module "iam" { role_path = try(var.iam.role_path, "/") role_permissions_boundary_arn = lookup(var.iam, "role_permissions_boundary_arn", null) role_description = try(var.iam.role_description, "IRSA for iam controller for ACK") - role_policies = lookup(var.iam, "role_policies", { - policy = var.enable_iam ? aws_iam_policy.iam[0].arn : null - }) - create_policy = try(var.iam.create_policy, false) + role_policies = lookup(var.iam, "role_policies", {}) + + create_policy = try(var.iam.create_policy, true) + source_policy_documents = data.aws_iam_policy_document.iam[*].json + policy_statements = lookup(var.iam, "policy_statements", []) + policy_name = try(var.iam.policy_name, null) + policy_name_use_prefix = try(var.iam.policy_name_use_prefix, true) + policy_path = try(var.iam.policy_path, null) + policy_description = try(var.iam.policy_description, "IAM Policy for IAM controller for ACK") oidc_providers = { this = { @@ -2587,16 +2572,6 @@ data "aws_iam_policy_document" "iam" { } } -resource "aws_iam_policy" "iam" { - count = var.enable_iam ? 1 : 0 - - name = "IAMController" - description = "IAM policy for IAM Controller" - policy = data.aws_iam_policy_document.iam[0].json - - tags = var.tags -} - ################################################################################ # EC2 ################################################################################ 
@@ -2777,10 +2752,15 @@ module "eks" { role_path = try(var.eks.role_path, "/") role_permissions_boundary_arn = lookup(var.eks, "role_permissions_boundary_arn", null) role_description = try(var.eks.role_description, "IRSA for eks controller for ACK") - role_policies = lookup(var.eks, "role_policies", { - policy = var.enable_eks ? aws_iam_policy.eks[0].arn : null - }) - create_policy = try(var.eks.create_policy, false) + role_policies = lookup(var.eks, "role_policies", {}) + + create_policy = try(var.eks.create_policy, true) + source_policy_documents = data.aws_iam_policy_document.eks[*].json + policy_statements = lookup(var.eks, "policy_statements", []) + policy_name = try(var.eks.policy_name, null) + policy_name_use_prefix = try(var.eks.policy_name_use_prefix, true) + policy_path = try(var.eks.policy_path, null) + policy_description = try(var.eks.policy_description, "IAM Policy for EKS controller for ACK") oidc_providers = { this = { @@ -2809,16 +2789,6 @@ data "aws_iam_policy_document" "eks" { } } -resource "aws_iam_policy" "eks" { - count = var.enable_eks ? 1 : 0 - - name = "EKSController" - description = "IAM policy for EKS Controller" - policy = data.aws_iam_policy_document.eks[0].json - - tags = var.tags -} - ################################################################################ # KMS ################################################################################ 
@@ -2901,10 +2871,15 @@ module "kms" { role_path = try(var.kms.role_path, "/") role_permissions_boundary_arn = lookup(var.kms, "role_permissions_boundary_arn", null) role_description = try(var.kms.role_description, "IRSA for kms controller for ACK") - role_policies = lookup(var.kms, "role_policies", { - policy = var.enable_kms ? aws_iam_policy.kms[0].arn : null - }) - create_policy = try(var.kms.create_policy, false) + role_policies = lookup(var.kms, "role_policies", {}) + + create_policy = try(var.kms.create_policy, true) + source_policy_documents = data.aws_iam_policy_document.kms[*].json + policy_statements = lookup(var.kms, "policy_statements", []) + policy_name = try(var.kms.policy_name, null) + policy_name_use_prefix = try(var.kms.policy_name_use_prefix, true) + policy_path = try(var.kms.policy_path, null) + policy_description = try(var.kms.policy_description, "IAM Policy for KMS controller for ACK") oidc_providers = { this = { @@ -2943,16 +2918,6 @@ data "aws_iam_policy_document" "kms" { } } -resource "aws_iam_policy" "kms" { - count = var.enable_kms ? 1 : 0 - - name = "KMSController" - description = "IAM policy for KMS Controller" - policy = data.aws_iam_policy_document.kms[0].json - - tags = var.tags -} - ################################################################################ # ACM ################################################################################ 
@@ -3035,10 +3000,15 @@ module "acm" { role_path = try(var.acm.role_path, "/") role_permissions_boundary_arn = lookup(var.acm, "role_permissions_boundary_arn", null) role_description = try(var.acm.role_description, "IRSA for acm controller for ACK") - role_policies = lookup(var.acm, "role_policies", { - policy = var.enable_acm ? aws_iam_policy.acm[0].arn : null - }) - create_policy = try(var.acm.create_policy, false) + role_policies = lookup(var.acm, "role_policies", {}) + + create_policy = try(var.acm.create_policy, true) + source_policy_documents = data.aws_iam_policy_document.acm[*].json + policy_statements = lookup(var.acm, "policy_statements", []) + policy_name = try(var.acm.policy_name, null) + policy_name_use_prefix = try(var.acm.policy_name_use_prefix, true) + policy_path = try(var.acm.policy_path, null) + policy_description = try(var.acm.policy_description, "IAM Policy for ACM controller for ACK") oidc_providers = { this = { @@ -3072,16 +3042,6 @@ data "aws_iam_policy_document" "acm" { } -resource "aws_iam_policy" "acm" { - count = var.enable_acm ? 1 : 0 - - name = "ACMController" - description = "IAM policy for ACM Controller" - policy = data.aws_iam_policy_document.acm[0].json - - tags = var.tags -} - ################################################################################ # API Gateway V2 ################################################################################ 
@@ -3655,10 +3615,15 @@ module "prometheusservice" { role_path = try(var.prometheusservice.role_path, "/") role_permissions_boundary_arn = lookup(var.prometheusservice, "role_permissions_boundary_arn", null) role_description = try(var.prometheusservice.role_description, "IRSA for prometheusservice controller for ACK") - role_policies = lookup(var.prometheusservice, "role_policies", { - policy = var.enable_prometheusservice ? aws_iam_policy.prometheusservice[0].arn : null - }) - create_policy = try(var.prometheusservice.create_policy, false) + role_policies = lookup(var.prometheusservice, "role_policies", {}) + + create_policy = try(var.prometheusservice.create_policy, true) + source_policy_documents = data.aws_iam_policy_document.prometheusservice[*].json + policy_statements = lookup(var.prometheusservice, "policy_statements", []) + policy_name = try(var.prometheusservice.policy_name, null) + policy_name_use_prefix = try(var.prometheusservice.policy_name_use_prefix, true) + policy_path = try(var.prometheusservice.policy_path, null) + policy_description = try(var.prometheusservice.policy_description, "IAM Policy for Prometheus Service controller for ACK") oidc_providers = { this = { @@ -3690,16 +3655,6 @@ data "aws_iam_policy_document" "prometheusservice" { } } -resource "aws_iam_policy" "prometheusservice" { - count = var.enable_prometheusservice ? 1 : 0 - - name = "PrometheusServiceController" - description = "IAM policy for Prometheus Service Controller" - policy = data.aws_iam_policy_document.prometheusservice[0].json - - tags = var.tags -} - ################################################################################ # EMR Containers ################################################################################ 
@@ -3782,10 +3737,15 @@ module "emrcontainers" { role_path = try(var.emrcontainers.role_path, "/") role_permissions_boundary_arn = lookup(var.emrcontainers, "role_permissions_boundary_arn", null) role_description = try(var.emrcontainers.role_description, "IRSA for emrcontainers controller for ACK") - role_policies = lookup(var.emrcontainers, "role_policies", { - policy = var.enable_emrcontainers ? aws_iam_policy.emrcontainers[0].arn : null - }) - create_policy = try(var.emrcontainers.create_policy, false) + role_policies = lookup(var.emrcontainers, "role_policies", {}) + + create_policy = try(var.emrcontainers.create_policy, true) + source_policy_documents = data.aws_iam_policy_document.emrcontainers[*].json + policy_statements = lookup(var.emrcontainers, "policy_statements", []) + policy_name = try(var.emrcontainers.policy_name, null) + policy_name_use_prefix = try(var.emrcontainers.policy_name_use_prefix, true) + policy_path = try(var.emrcontainers.policy_path, null) + policy_description = try(var.emrcontainers.policy_description, "IAM Policy for EMR Containers controller for ACK") oidc_providers = { this = { @@ -3881,16 +3841,6 @@ data "aws_iam_policy_document" "emrcontainers" { } } -resource "aws_iam_policy" "emrcontainers" { - count = var.enable_emrcontainers ? 1 : 0 - - name = "EMRContainersController" - description = "IAM policy for EMR Containers Controller" - policy = data.aws_iam_policy_document.emrcontainers[0].json - - tags = var.tags -} - ################################################################################ # Step Functions ################################################################################ 
@@ -3974,10 +3924,16 @@ module "sfn" { role_permissions_boundary_arn = lookup(var.sfn, "role_permissions_boundary_arn", null) role_description = try(var.sfn.role_description, "IRSA for sfn controller for ACK") role_policies = lookup(var.sfn, "role_policies", { - AWSStepFunctionsFullAccess = "${local.iam_role_policy_prefix}/AWSStepFunctionsFullAccess" - AWSStepFunctionsIamPassRole = var.enable_sfn ? aws_iam_policy.sfn[0].arn : null + AWSStepFunctionsFullAccess = "${local.iam_role_policy_prefix}/AWSStepFunctionsFullAccess" }) - create_policy = try(var.sfn.create_policy, false) + + create_policy = try(var.sfn.create_policy, true) + source_policy_documents = data.aws_iam_policy_document.sfn[*].json + policy_statements = lookup(var.sfn, "policy_statements", []) + policy_name = try(var.sfn.policy_name, null) + policy_name_use_prefix = try(var.sfn.policy_name_use_prefix, true) + policy_path = try(var.sfn.policy_path, null) + policy_description = try(var.sfn.policy_description, "IAM Policy for SFN controller for ACK") oidc_providers = { this = { @@ -4008,16 +3964,6 @@ data "aws_iam_policy_document" "sfn" { } -resource "aws_iam_policy" "sfn" { - count = var.enable_sfn ? 1 : 0 - - name = "SFNController" - description = "IAM policy for SFN Controller" - policy = data.aws_iam_policy_document.sfn[0].json - - tags = var.tags -} - ################################################################################ # EventBridge ################################################################################ From cfe66da4e12e2137d85e42562da7e74f0f25b2b6 Mon Sep 17 00:00:00 2001 
From: Edgar Costa Date: Tue, 13 Aug 2024 10:52:00 -0300 Subject: [PATCH 3/3] renaming the examples folder to tests to be consistent --- .gitignore | 2 +- README.md | 6 +++--- {examples => tests}/complete/README.md | 0 .../complete/images/ACK_microservice.png | Bin {examples => tests}/complete/main.tf | 0 {examples => tests}/complete/outputs.tf | 0 .../complete/sample-app/apigwv2-httpapi.yaml | 0 {examples => tests}/complete/sample-app/app.yaml | 0 .../complete/sample-app/dynamodb-table.yaml | 0 .../complete/sample-app/elasticache.yaml | 0 {examples => tests}/complete/variables.tf | 0 {examples => tests}/complete/versions.tf | 0 12 files changed, 4 insertions(+), 4 deletions(-) rename {examples => tests}/complete/README.md (100%) rename {examples => tests}/complete/images/ACK_microservice.png (100%) rename {examples => tests}/complete/main.tf (100%) rename {examples => tests}/complete/outputs.tf (100%) rename {examples => tests}/complete/sample-app/apigwv2-httpapi.yaml (100%) rename {examples => tests}/complete/sample-app/app.yaml (100%) rename {examples => tests}/complete/sample-app/dynamodb-table.yaml (100%) rename {examples => tests}/complete/sample-app/elasticache.yaml (100%) rename {examples => tests}/complete/variables.tf (100%) rename {examples => tests}/complete/versions.tf (100%) diff --git a/.gitignore b/.gitignore index b5748ae..b334e0b 100644 --- a/.gitignore +++ b/.gitignore @@ -31,4 +31,4 @@ override.tf.json .terraformrc terraform.rc -**/examples/event-driven-pipeline/input/* +**/tests/event-driven-pipeline/input/* diff --git a/README.md b/README.md index 50f1aea..dee6ab9 100644 --- a/README.md +++ b/README.md 
@@ -62,11 +62,11 @@ module "eks_ack_addons" { } ``` -## Examples +## Tests -Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws-eks-ack-addons) are intended to give users references for how to use the module as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you! +Tests codified under the [`tests`](https://github.com/aws-ia/terraform-aws-eks-ack-addons) are intended to give users references for how to use the module as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant tests to allow maintainers to test your changes and to keep the tests up to date for users. Thank you! -- [Complete](https://github.com/aws-ia/terraform-aws-eks-ack-addons/tree/main/examples/complete) +- [Complete](https://github.com/aws-ia/terraform-aws-eks-ack-addons/tree/main/tests/complete) ## Requirements diff --git a/examples/complete/README.md b/tests/complete/README.md similarity index 100% rename from examples/complete/README.md rename to tests/complete/README.md diff --git a/examples/complete/images/ACK_microservice.png b/tests/complete/images/ACK_microservice.png similarity index 100% rename from examples/complete/images/ACK_microservice.png rename to tests/complete/images/ACK_microservice.png diff --git a/examples/complete/main.tf b/tests/complete/main.tf similarity index 100% rename from examples/complete/main.tf rename to tests/complete/main.tf diff --git a/examples/complete/outputs.tf b/tests/complete/outputs.tf similarity index 100% rename from examples/complete/outputs.tf rename to tests/complete/outputs.tf 
diff --git a/examples/complete/sample-app/apigwv2-httpapi.yaml b/tests/complete/sample-app/apigwv2-httpapi.yaml similarity index 100% rename from examples/complete/sample-app/apigwv2-httpapi.yaml rename to tests/complete/sample-app/apigwv2-httpapi.yaml diff --git a/examples/complete/sample-app/app.yaml b/tests/complete/sample-app/app.yaml similarity index 100% rename from examples/complete/sample-app/app.yaml rename to tests/complete/sample-app/app.yaml diff --git a/examples/complete/sample-app/dynamodb-table.yaml b/tests/complete/sample-app/dynamodb-table.yaml similarity index 100% rename from examples/complete/sample-app/dynamodb-table.yaml rename to tests/complete/sample-app/dynamodb-table.yaml diff --git a/examples/complete/sample-app/elasticache.yaml b/tests/complete/sample-app/elasticache.yaml similarity index 100% rename from examples/complete/sample-app/elasticache.yaml rename to tests/complete/sample-app/elasticache.yaml diff --git a/examples/complete/variables.tf b/tests/complete/variables.tf similarity index 100% rename from examples/complete/variables.tf rename to tests/complete/variables.tf diff --git a/examples/complete/versions.tf b/tests/complete/versions.tf similarity index 100% rename from examples/complete/versions.tf rename to tests/complete/versions.tf