diff --git a/patterns/argocd/README.md b/patterns/argocd/README.md deleted file mode 100644 index 507c96553f..0000000000 --- a/patterns/argocd/README.md +++ /dev/null 
@@ -1,117 +0,0 @@ -# Amazon EKS Cluster w/ ArgoCD - -This pattern demonstrates an EKS cluster that uses ArgoCD for application deployments. - -- [Documentation](https://argo-cd.readthedocs.io/en/stable/) -- [EKS Blueprints Add-ons Repo](https://github.com/aws-samples/eks-blueprints-add-ons) -- [EKS Blueprints Workloads Repo](https://github.com/aws-samples/eks-blueprints-workloads) - -## Deploy - -See [here](https://aws-ia.github.io/terraform-aws-eks-blueprints/getting-started/#prerequisites) for the prerequisites and steps to deploy this pattern. - -## Validate - -1. List out the pods running currently: - - ```sh - kubectl get pods -A - ``` - - ```text - NAMESPACE NAME READY STATUS RESTARTS AGE - argo-rollouts argo-rollouts-5d47ccb8d4-854s6 1/1 Running 0 23h - argo-rollouts argo-rollouts-5d47ccb8d4-srjk9 1/1 Running 0 23h - argocd argo-cd-argocd-application-controller-0 1/1 Running 0 24h - argocd argo-cd-argocd-applicationset-controller-547f9cfd68-kp89p 1/1 Running 0 24h - argocd argo-cd-argocd-dex-server-55765f7cd7-t8r2f 1/1 Running 0 24h - argocd argo-cd-argocd-notifications-controller-657df4dbcb-p596r 1/1 Running 0 24h - argocd argo-cd-argocd-repo-server-7d4dddf886-2vmgt 1/1 Running 0 24h - argocd argo-cd-argocd-repo-server-7d4dddf886-bm7tz 1/1 Running 0 24h - argocd argo-cd-argocd-server-775ddf74b8-8jzvc 1/1 Running 0 24h - argocd argo-cd-argocd-server-775ddf74b8-z6lz6 1/1 Running 0 24h - argocd argo-cd-redis-ha-haproxy-6d7b7d4656-b8bt8 1/1 Running 0 24h - argocd argo-cd-redis-ha-haproxy-6d7b7d4656-mgjx5 1/1 Running 0 24h - argocd argo-cd-redis-ha-haproxy-6d7b7d4656-qsbgw 1/1 Running 0 24h - argocd argo-cd-redis-ha-server-0 4/4 Running 0 24h - argocd argo-cd-redis-ha-server-1 4/4 Running 0 24h - argocd argo-cd-redis-ha-server-2 4/4 Running 0 24h - cert-manager cert-manager-586ccb6656-2v8mf 1/1 Running 0 23h - cert-manager cert-manager-cainjector-99d64d795-2gwnj 1/1 Running 0 23h - cert-manager cert-manager-webhook-8d87786cb-24kww 1/1 Running 0 23h - 
geolocationapi geolocationapi-85599c5c74-rqqqs 2/2 Running 0 25m - geolocationapi geolocationapi-85599c5c74-whsp6 2/2 Running 0 25m - geordie downstream0-7f6ff946b6-r8sxc 1/1 Running 0 25m - geordie downstream1-64c7db6f9-rsbk5 1/1 Running 0 25m - geordie frontend-646bfb947c-wshpb 1/1 Running 0 25m - geordie redis-server-6bd7885d5d-s7rqw 1/1 Running 0 25m - geordie yelb-appserver-5d89946ffd-vkxt9 1/1 Running 0 25m - geordie yelb-db-697bd9f9d9-2t4b6 1/1 Running 0 25m - geordie yelb-ui-75ff8b96ff-fh6bw 1/1 Running 0 25m - karpenter karpenter-7b99fb785d-87k6h 1/1 Running 0 106m - karpenter karpenter-7b99fb785d-lkq9l 1/1 Running 0 106m - kube-system aws-load-balancer-controller-6cf9bdbfdf-h7bzb 1/1 Running 0 20m - kube-system aws-load-balancer-controller-6cf9bdbfdf-vfbrj 1/1 Running 0 20m - kube-system aws-node-cvjmq 1/1 Running 0 24h - kube-system aws-node-fw7zc 1/1 Running 0 24h - kube-system aws-node-l7589 1/1 Running 0 24h - kube-system aws-node-nll82 1/1 Running 0 24h - kube-system aws-node-zhz8l 1/1 Running 0 24h - kube-system coredns-7975d6fb9b-5sf7r 1/1 Running 0 24h - kube-system coredns-7975d6fb9b-k78dz 1/1 Running 0 24h - kube-system ebs-csi-controller-5cd4944c94-7jwlb 6/6 Running 0 24h - kube-system ebs-csi-controller-5cd4944c94-8tcsg 6/6 Running 0 24h - kube-system ebs-csi-node-66jmx 3/3 Running 0 24h - kube-system ebs-csi-node-b2pw4 3/3 Running 0 24h - kube-system ebs-csi-node-g4v9z 3/3 Running 0 24h - kube-system ebs-csi-node-k7nvp 3/3 Running 0 24h - kube-system ebs-csi-node-tfq9q 3/3 Running 0 24h - kube-system kube-proxy-4x8vm 1/1 Running 0 24h - kube-system kube-proxy-gtlpm 1/1 Running 0 24h - kube-system kube-proxy-vfnbf 1/1 Running 0 24h - kube-system kube-proxy-z9wdh 1/1 Running 0 24h - kube-system kube-proxy-zzx9m 1/1 Running 0 24h - kube-system metrics-server-7f4db5fd87-9n6dv 1/1 Running 0 23h - kube-system metrics-server-7f4db5fd87-t8wxg 1/1 Running 0 23h - kube-system metrics-server-7f4db5fd87-xcxlv 1/1 Running 0 23h - team-burnham 
burnham-66fccc4fb5-k4qtm 1/1 Running 0 25m - team-burnham burnham-66fccc4fb5-rrf4j 1/1 Running 0 25m - team-burnham burnham-66fccc4fb5-s9kbr 1/1 Running 0 25m - team-burnham nginx-7d47cfdff7-lzdjb 1/1 Running 0 25m - team-riker deployment-2048-6f7c78f959-h76rx 1/1 Running 0 25m - team-riker deployment-2048-6f7c78f959-skmrr 1/1 Running 0 25m - team-riker deployment-2048-6f7c78f959-tn9dw 1/1 Running 0 25m - team-riker guestbook-ui-c86c478bd-zg2z4 1/1 Running 0 25m - ``` - -2. Access the ArgoCD UI by running the following command: - - ```sh - kubectl port-forward svc/argo-cd-argocd-server 8080:443 -n argocd - ``` - - Then, open your browser and navigate to `https://localhost:8080/` - Username should be `admin`. - - The password will be the generated password by `random_password` resource, stored in AWS Secrets Manager. - You can easily retrieve the password by running the following command: - - ```sh - aws secretsmanager get-secret-value --secret-id --region - ``` - - Replace `` with the name of the secret name, if you haven't changed it then it should be `argocd`, also, make sure to replace `` with the region you are using. - - Pickup the the secret from the `SecretString`. - -## Destroy - -First, we need to ensure that the ArgoCD applications are properly cleaned up from the cluster, this can be achieved in multiple ways: - -- Disabling the `argocd_applications` configuration and running `terraform apply` again -- Deleting the apps using `argocd` [cli](https://argo-cd.readthedocs.io/en/stable/user-guide/app_deletion/#deletion-using-argocd) -- Deleting the apps using `kubectl` following [ArgoCD guidance](https://argo-cd.readthedocs.io/en/stable/user-guide/app_deletion/#deletion-using-kubectl) - -{% - include-markdown "../../docs/_partials/destroy.md" -%} diff --git a/patterns/argocd/gitops-bridge/README.md b/patterns/argocd/gitops-bridge/README.md new file mode 100644 index 0000000000..ab3e22f209 --- /dev/null +++ b/patterns/argocd/gitops-bridge/README.md 
@@ -0,0 +1,20 @@ +# ArgoCD on Amazon EKS + +This example shows how to deploy Amazon EKS with addons configured via ArgoCD + +Deploy EKS Cluster +```shell +terraform init +terraform apply +``` + +Access Terraform output to configure `kubectl` and `argocd` +```shell +terraform output +``` + +Destroy EKS Cluster +```shell +cd hub +./destroy.sh +``` diff --git a/patterns/argocd/gitops-bridge/bootstrap/addons.yaml b/patterns/argocd/gitops-bridge/bootstrap/addons.yaml new file mode 100644 index 0000000000..025359235a --- /dev/null +++ b/patterns/argocd/gitops-bridge/bootstrap/addons.yaml @@ -0,0 +1,32 @@ +apiVersion: argoproj.io/v1alpha1 +kind: ApplicationSet +metadata: + name: bootstrap-addons + namespace: argocd +spec: + syncPolicy: + preserveResourcesOnDeletion: true + generators: + - clusters: + selector: + matchExpressions: + - key: akuity.io/argo-cd-cluster-name + operator: NotIn + values: [in-cluster] + template: + metadata: + name: 'bootstrap-addons' + spec: + project: default + source: + repoURL: '{{metadata.annotations.addons_repo_url}}' + path: '{{metadata.annotations.addons_repo_basepath}}{{metadata.annotations.addons_repo_path}}' + targetRevision: '{{metadata.annotations.addons_repo_revision}}' + directory: + recurse: true + exclude: exclude/* + destination: + namespace: 'argocd' + name: '{{name}}' + syncPolicy: + automated: {} diff --git a/patterns/argocd/gitops-bridge/bootstrap/workloads.yaml b/patterns/argocd/gitops-bridge/bootstrap/workloads.yaml new file mode 100644 index 0000000000..60293af458 --- /dev/null +++ b/patterns/argocd/gitops-bridge/bootstrap/workloads.yaml 
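Review bot: The generated `bootstrap-addons` Applications run under `project: default`, which in a stock ArgoCD install imposes no restriction on source repositories, destination namespaces or cluster-scoped resource kinds, so whatever the `addons_repo_url`/`addons_repo_revision` cluster annotations resolve to is synced with the controller's full privileges — and the defaults wired in by this diff's variables.tf point at a public GitHub repository tracked at `HEAD`. I'd add a dedicated AppProject whose `sourceRepos` lists only the addons repository and reference it here (`project: addons` or similar), and have the revision annotation carry a tag or commit SHA rather than a moving branch. If the project restriction is out of scope for the sample, a comment above `project: default` stating that this grants unrestricted sync rights is the minimum a reader copying the pattern should see.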
@@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: bootstrap-workloads + namespace: 'argocd' + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + server: https://kubernetes.default.svc + namespace: 'guestbook' + project: default + source: + path: helm-guestbook + repoURL: https://github.com/argoproj/argocd-example-apps + targetRevision: HEAD + syncPolicy: + automated: {} + syncOptions: + - CreateNamespace=true diff --git a/patterns/argocd/gitops-bridge/destroy.sh b/patterns/argocd/gitops-bridge/destroy.sh new file mode 100755 index 0000000000..195f9885a5 --- /dev/null +++ b/patterns/argocd/gitops-bridge/destroy.sh @@ -0,0 +1,16 @@ +#!/bin/bash + +set -x + +# Delete the Ingress/SVC before removing the addons +TMPFILE=$(mktemp) +terraform output -raw configure_kubectl > "$TMPFILE" +source "$TMPFILE" + +kubectl delete svc -n argocd argo-cd-argocd-server + +terraform destroy -target="module.gitops_bridge_bootstrap" -auto-approve +terraform destroy -target="module.eks_blueprints_addons" -auto-approve +terraform destroy -target="module.eks" -auto-approve +terraform destroy -target="module.vpc" -auto-approve +terraform destroy -auto-approve diff --git a/patterns/argocd/gitops-bridge/main.tf b/patterns/argocd/gitops-bridge/main.tf new file mode 100644 index 0000000000..23c18ba65d --- /dev/null +++ b/patterns/argocd/gitops-bridge/main.tf 
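Review bot: `bootstrap-workloads` auto-syncs `targetRevision: HEAD` of the external repository `argoproj/argocd-example-apps` with `syncPolicy.automated`, so any commit landing on that repository's default branch is applied to the cluster without review. For a sample that may be acceptable, but the manifest should pin the revision (`targetRevision: <commit sha or tag>`) and say so in a comment, and the `project: default` caveat applies here too — a `guestbook` workload does not need a project that can deploy cluster-scoped resources anywhere. The `resources-finalizer.argocd.argoproj.io` finalizer cascades deletion of the guestbook resources while the sibling addons ApplicationSet sets `preserveResourcesOnDeletion: true`; the asymmetry looks intentional but deserves a one-line comment so the destroy sequence is understandable.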
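Review bot: The script sets only `set -x`, so if `terraform output -raw configure_kubectl` fails (wrong directory, uninitialised state) the `source` of an empty temp file succeeds and `kubectl delete svc -n argocd argo-cd-argocd-server` runs against whatever kubeconfig/context the caller already has, followed by four `-auto-approve` destroys. I'd open with `set -euo pipefail` and add `trap 'rm -f "$TMPFILE"' EXIT` so the mktemp file is not left behind; note that `set -x` echoes every sourced line, which is harmless for `configure_kubectl` today but would print credentials if an output containing a password were ever sourced the same way. Separately, the new README in this diff invokes the script via `cd hub && ./destroy.sh` while the file is added at the pattern root, so one of the two appears to be a copy-paste leftover.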
@@ -0,0 +1,231 @@ +provider "aws" { + region = local.region +} +data "aws_caller_identity" "current" {} +data "aws_availability_zones" "available" {} + +provider "helm" { + kubernetes { + host = module.eks.cluster_endpoint + cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) + + exec { + api_version = "client.authentication.k8s.io/v1beta1" + command = "aws" + # This requires the awscli to be installed locally where Terraform is executed + args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name, "--region", local.region] + } + } +} + +provider "kubernetes" { + host = module.eks.cluster_endpoint + cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) + + exec { + api_version = "client.authentication.k8s.io/v1beta1" + command = "aws" + # This requires the awscli to be installed locally where Terraform is executed + args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name, "--region", local.region] + } +} + +locals { + name = "ex-${replace(basename(path.cwd), "_", "-")}" + environment = "dev" + region = "us-west-2" + cluster_version = "1.27" + gitops_addons_url = "${var.gitops_addons_org}/${var.gitops_addons_repo}" + gitops_addons_basepath = var.gitops_addons_basepath + gitops_addons_path = var.gitops_addons_path + gitops_addons_revision = var.gitops_addons_revision + + aws_addons = { + #enable_cert_manager = true + #enable_aws_efs_csi_driver = true + #enable_aws_fsx_csi_driver = true + #enable_aws_cloudwatch_metrics = true + #enable_aws_privateca_issuer = true + #enable_cluster_autoscaler = true + #enable_external_dns = true + #enable_external_secrets = true + enable_aws_load_balancer_controller = true + #enable_fargate_fluentbit = true + #enable_aws_for_fluentbit = true + #enable_aws_node_termination_handler = true + #enable_karpenter = true + #enable_velero = true + #enable_aws_gateway_api_controller = true + #enable_aws_ebs_csi_resources = true # generate gp2 and gp3 storage 
classes for ebs-csi + #enable_aws_secrets_store_csi_driver_provider = true + } + oss_addons = { + #enable_argo_rollouts = true + #enable_argo_events = true + #enable_argo_workflows = true + #enable_cluster_proportional_autoscaler = true + #enable_gatekeeper = true + #enable_gpu_operator = true + #enable_ingress_nginx = true + #enable_kyverno = true + #enable_kube_prometheus_stack = true + enable_metrics_server = true + #enable_prometheus_adapter = true + #enable_secrets_store_csi_driver = true + #enable_vpa = true + #enable_foo = true # you can add any addon here, make sure to update the gitops repo with the corresponding application set + } + addons = merge(local.aws_addons, local.oss_addons, { kubernetes_version = local.cluster_version }, { aws_cluster_name = module.eks.cluster_name }) + + addons_metadata = merge( + module.eks_blueprints_addons.gitops_metadata, + { + aws_cluster_name = module.eks.cluster_name + aws_region = local.region + aws_account_id = data.aws_caller_identity.current.account_id + aws_vpc_id = module.vpc.vpc_id + }, + { + addons_repo_url = local.gitops_addons_url + addons_repo_basepath = local.gitops_addons_basepath + addons_repo_path = local.gitops_addons_path + addons_repo_revision = local.gitops_addons_revision + } + ) + + argocd_apps = { + addons = file("${path.module}/bootstrap/addons.yaml") + workloads = file("${path.module}/bootstrap/workloads.yaml") + } + + vpc_cidr = "10.0.0.0/16" + azs = slice(data.aws_availability_zones.available.names, 0, 3) + + tags = { + Blueprint = local.name + GithubRepo = "github.com/csantanapr/terraform-gitops-bridge" + } +} + +################################################################################ +# GitOps Bridge: Bootstrap +################################################################################ +module "gitops_bridge_bootstrap" { + source = "github.com/gitops-bridge-dev/gitops-bridge-argocd-bootstrap-terraform?ref=v2.0.0" + + cluster = { + cluster_name = module.eks.cluster_name + 
environment = local.environment + metadata = local.addons_metadata + addons = local.addons + } + apps = local.argocd_apps +} + +################################################################################ +# EKS Blueprints Addons +################################################################################ +module "eks_blueprints_addons" { + source = "aws-ia/eks-blueprints-addons/aws" + version = "~> 1.0" + + cluster_name = module.eks.cluster_name + cluster_endpoint = module.eks.cluster_endpoint + cluster_version = module.eks.cluster_version + oidc_provider_arn = module.eks.oidc_provider_arn + + # Using GitOps Bridge + create_kubernetes_resources = false + + # EKS Blueprints Addons + enable_cert_manager = try(local.aws_addons.enable_cert_manager, false) + enable_aws_efs_csi_driver = try(local.aws_addons.enable_aws_efs_csi_driver, false) + enable_aws_fsx_csi_driver = try(local.aws_addons.enable_aws_fsx_csi_driver, false) + enable_aws_cloudwatch_metrics = try(local.aws_addons.enable_aws_cloudwatch_metrics, false) + enable_aws_privateca_issuer = try(local.aws_addons.enable_aws_privateca_issuer, false) + enable_cluster_autoscaler = try(local.aws_addons.enable_cluster_autoscaler, false) + enable_external_dns = try(local.aws_addons.enable_external_dns, false) + enable_external_secrets = try(local.aws_addons.enable_external_secrets, false) + enable_aws_load_balancer_controller = try(local.aws_addons.enable_aws_load_balancer_controller, false) + enable_fargate_fluentbit = try(local.aws_addons.enable_fargate_fluentbit, false) + enable_aws_for_fluentbit = try(local.aws_addons.enable_aws_for_fluentbit, false) + enable_aws_node_termination_handler = try(local.aws_addons.enable_aws_node_termination_handler, false) + enable_karpenter = try(local.aws_addons.enable_karpenter, false) + enable_velero = try(local.aws_addons.enable_velero, false) + enable_aws_gateway_api_controller = try(local.aws_addons.enable_aws_gateway_api_controller, false) + + tags = local.tags +} + 
+################################################################################ +# EKS Cluster +################################################################################ +#tfsec:ignore:aws-eks-enable-control-plane-logging +module "eks" { + source = "terraform-aws-modules/eks/aws" + version = "~> 19.13" + + cluster_name = local.name + cluster_version = local.cluster_version + cluster_endpoint_public_access = true + + + vpc_id = module.vpc.vpc_id + subnet_ids = module.vpc.private_subnets + + eks_managed_node_groups = { + initial = { + instance_types = ["t3.medium"] + + min_size = 3 + max_size = 10 + desired_size = 3 + } + } + # EKS Addons + cluster_addons = { + vpc-cni = { + # Specify the VPC CNI addon should be deployed before compute to ensure + # the addon is configured before data plane compute resources are created + # See README for further details + before_compute = true + most_recent = true # To ensure access to the latest settings provided + configuration_values = jsonencode({ + env = { + # Reference docs https://docs.aws.amazon.com/eks/latest/userguide/cni-increase-ip-addresses.html + ENABLE_PREFIX_DELEGATION = "true" + WARM_PREFIX_TARGET = "1" + } + }) + } + } + tags = local.tags +} + +################################################################################ +# Supporting Resources +################################################################################ +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "~> 5.0" + + name = local.name + cidr = local.vpc_cidr + + azs = local.azs + private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)] + public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)] + + enable_nat_gateway = true + single_nat_gateway = true + + public_subnet_tags = { + "kubernetes.io/role/elb" = 1 + } + + private_subnet_tags = { + "kubernetes.io/role/internal-elb" = 1 + } + + tags = local.tags +} 
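Review bot: `cluster_endpoint_public_access = true` is set with no `cluster_endpoint_public_access_cidrs`, so the API server is reachable from any address, and the `#tfsec:ignore:aws-eks-enable-control-plane-logging` directive above `module "eks"` suppresses the logging finding without stating whether `cluster_enabled_log_types` is being left at the module default or deliberately disabled. For a cluster whose ArgoCD controller auto-syncs a public repository I'd restrict the endpoint (`cluster_endpoint_public_access_cidrs = [...]`, or `cluster_endpoint_private_access = true` with public access off) and replace the bare ignore with a comment giving the reason, or set `cluster_enabled_log_types = ["api", "audit", "authenticator"]` explicitly so the intent is visible. Also worth noting: `module "gitops_bridge_bootstrap"` is fetched from a GitHub tag (`?ref=v2.0.0`), which is mutable — pinning to the commit SHA gives a reproducible bootstrap — and the `GithubRepo` tag still reads `github.com/csantanapr/terraform-gitops-bridge` rather than this repository, which looks like a leftover from the pattern's origin.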
diff --git a/patterns/argocd/gitops-bridge/outputs.tf b/patterns/argocd/gitops-bridge/outputs.tf new file mode 100644 index 0000000000..2d3b6e57a1 --- /dev/null +++ b/patterns/argocd/gitops-bridge/outputs.tf @@ -0,0 +1,33 @@ +output "configure_kubectl" { + description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig" + value = <<-EOT + export KUBECONFIG="/tmp/${module.eks.cluster_name}" + aws eks --region ${local.region} update-kubeconfig --name ${module.eks.cluster_name} + EOT +} + +output "configure_argocd" { + description = "Terminal Setup" + value = <<-EOT + export KUBECONFIG="/tmp/${module.eks.cluster_name}" + aws eks --region ${local.region} update-kubeconfig --name ${module.eks.cluster_name} + export ARGOCD_OPTS="--port-forward --port-forward-namespace argocd --grpc-web" + kubectl config set-context --current --namespace argocd + argocd login --port-forward --username admin --password $(argocd admin initial-password | head -1) + echo "ArgoCD Username: admin" + echo "ArgoCD Password: $(kubectl get secrets argocd-initial-admin-secret -n argocd --template="{{index .data.password | base64decode}}")" + echo Port Forward: http://localhost:8080 + kubectl port-forward -n argocd svc/argo-cd-argocd-server 8080:80 + EOT +} + +output "access_argocd" { + description = "ArgoCD Access" + value = <<-EOT + export KUBECONFIG="/tmp/${module.eks.cluster_name}" + aws eks --region ${local.region} update-kubeconfig --name ${module.eks.cluster_name} + echo "ArgoCD URL: https://$(kubectl get svc -n argocd argo-cd-argocd-server -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')" + echo "ArgoCD Username: admin" + echo "ArgoCD Password: $(kubectl get secrets argocd-initial-admin-secret -n argocd --template="{{index .data.password | base64decode}}")" + EOT +} 
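Review bot: The `configure_argocd` and `access_argocd` outputs print the ArgoCD admin password in clear text from `argocd-initial-admin-secret`, and `access_argocd` derives the URL from the `argo-cd-argocd-server` Service's `.status.loadBalancer.ingress[0].hostname`, which implies the UI is exposed through a LoadBalancer with that initial credential still in place. The pattern this diff deletes generated a random password and kept it in Secrets Manager; this one should at least carry a caveat in the output description, e.g. `description = "ArgoCD access — rotate the admin password (argocd account update-password) and delete argocd-initial-admin-secret before relying on the LoadBalancer URL"`. The `kubectl port-forward ... 8080:80` line forwards to the plain-HTTP port while the echo above advertises `http://localhost:8080`; whether argocd-server runs with `--insecure` is not visible in this diff, so the description should state which server configuration it assumes.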
diff --git a/patterns/argocd/gitops-bridge/variables.tf b/patterns/argocd/gitops-bridge/variables.tf new file mode 100644 index 0000000000..a74ce0645b --- /dev/null +++ b/patterns/argocd/gitops-bridge/variables.tf @@ -0,0 +1,20 @@ +variable "gitops_addons_org" { + description = "Git repository org/user contains for addons" + default = "https://github.com/aws-samples" +} +variable "gitops_addons_repo" { + description = "Git repository contains for addons" + default = "eks-blueprints-add-ons" +} +variable "gitops_addons_basepath" { + description = "Git repository base path for addons" + default = "argocd/" +} +variable "gitops_addons_path" { + description = "Git repository path for addons" + default = "bootstrap/control-plane/addons" +} +variable "gitops_addons_revision" { + description = "Git repository revision/branch/ref for addons" + default = "HEAD" +} diff --git a/patterns/argocd/versions.tf b/patterns/argocd/gitops-bridge/versions.tf similarity index 58% rename from patterns/argocd/versions.tf rename to patterns/argocd/gitops-bridge/versions.tf index aa00573a68..2de60d58ee 100644 --- a/patterns/argocd/versions.tf +++ b/patterns/argocd/gitops-bridge/versions.tf @@ -4,23 +4,15 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.47" + version = ">= 4.67.0" } helm = { source = "hashicorp/helm" - version = ">= 2.9" + version = ">= 2.10.1" } kubernetes = { source = "hashicorp/kubernetes" - version = ">= 2.20" - } - random = { - source = "hashicorp/random" - version = ">= 3.5" - } - bcrypt = { - source = "viktorradnai/bcrypt" - version = ">= 0.1.2" + version = "2.22.0" } } @@ -28,6 +20,6 @@ terraform { # backend "s3" { # bucket = "terraform-ssp-github-actions-state" # region = "us-west-2" - # key = "e2e/argocd/terraform.tfstate" + # key = "e2e/ipv4-prefix-delegation/terraform.tfstate" # } } diff --git a/patterns/argocd/main.tf b/patterns/argocd/main.tf deleted file mode 100644 index 20438794d4..0000000000 
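Review bot: `gitops_addons_revision` defaults to `HEAD`, so the addons ApplicationSet follows the moving default branch of a public repository with no pin; a tag or commit SHA default (or no default, forcing the caller to choose) keeps an upstream push from silently changing what the cluster runs. None of the five variables declares `type = string`, which lets a list or map slip into the `repoURL`/`path` template strings before ArgoCD rejects it; adding `type = string` to each is a one-line change. `gitops_addons_org` also holds a full URL (`https://github.com/aws-samples`) although its name and description say "org/user", so the description should be corrected or the variable split into host and org.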
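Review bot: The commented-out backend `key` is changed to `e2e/ipv4-prefix-delegation/terraform.tfstate`, which is another pattern's state path; if this block is uncommented as-is the argocd pattern would read and overwrite that pattern's remote state. It should follow the directory name, e.g. `# key = "e2e/argocd/terraform.tfstate"` (or `e2e/argocd-gitops-bridge/terraform.tfstate`). This looks like a copy-paste from the pattern the file was derived from, as the `GithubRepo` tag in main.tf suggests.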
--- a/patterns/argocd/main.tf +++ /dev/null 
@@ -1,188 +0,0 @@ -provider "aws" { - region = local.region -} - -provider "kubernetes" { - host = module.eks.cluster_endpoint - cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) - - exec { - api_version = "client.authentication.k8s.io/v1beta1" - command = "aws" - # This requires the awscli to be installed locally where Terraform is executed - args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name] - } -} - -provider "helm" { - kubernetes { - host = module.eks.cluster_endpoint - cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) - - exec { - api_version = "client.authentication.k8s.io/v1beta1" - command = "aws" - # This requires the awscli to be installed locally where Terraform is executed - args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name] - } - } -} - -provider "bcrypt" {} - -data "aws_availability_zones" "available" {} - -locals { - name = basename(path.cwd) - region = "us-west-2" - - vpc_cidr = "10.0.0.0/16" - azs = slice(data.aws_availability_zones.available.names, 0, 3) - - tags = { - Blueprint = local.name - GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints" - } -} - -################################################################################ -# Cluster -################################################################################ - -module "eks" { - source = "terraform-aws-modules/eks/aws" - version = "~> 19.16" - - cluster_name = local.name - cluster_version = "1.27" - cluster_endpoint_public_access = true - - # EKS Addons - cluster_addons = { - coredns = {} - kube-proxy = {} - vpc-cni = {} - } - - vpc_id = module.vpc.vpc_id - subnet_ids = module.vpc.private_subnets - - eks_managed_node_groups = { - initial = { - instance_types = ["m5.large"] - - min_size = 3 - max_size = 10 - desired_size = 5 - } - } - - tags = local.tags -} - -################################################################################ -# EKS Blueprints Addons 
-################################################################################ - -module "eks_blueprints_addons" { - # Users should pin the version to the latest available release - # tflint-ignore: terraform_module_pinned_source - source = "github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons?ref=v4.32.1" - - eks_cluster_id = module.eks.cluster_name - eks_cluster_endpoint = module.eks.cluster_endpoint - eks_cluster_version = module.eks.cluster_version - eks_oidc_provider = module.eks.oidc_provider - eks_oidc_provider_arn = module.eks.oidc_provider_arn - - enable_argocd = true - # This example shows how to set default ArgoCD Admin Password using SecretsManager with Helm Chart set_sensitive values. - argocd_helm_config = { - set_sensitive = [ - { - name = "configs.secret.argocdServerAdminPassword" - value = bcrypt_hash.argo.id - } - ] - } - - argocd_manage_add_ons = true # Indicates that ArgoCD is responsible for managing/deploying add-ons - argocd_applications = { - addons = { - path = "chart" - repo_url = "https://github.com/aws-samples/eks-blueprints-add-ons.git" - add_on_application = true - } - workloads = { - path = "envs/dev" - repo_url = "https://github.com/aws-samples/eks-blueprints-workloads.git" - add_on_application = false - } - } - - # Add-ons - enable_amazon_eks_aws_ebs_csi_driver = true - enable_aws_load_balancer_controller = true - enable_cert_manager = true - enable_karpenter = true - enable_metrics_server = true - enable_argo_rollouts = true - - tags = local.tags -} - -#--------------------------------------------------------------- -# ArgoCD Admin Password credentials with Secrets Manager -# Login to AWS Secrets manager with the same role as Terraform to extract the ArgoCD admin password with the secret name as "argocd" -#--------------------------------------------------------------- -resource "random_password" "argocd" { - length = 16 - special = true - override_special = "!#$%&*()-_=+[]{}<>:?" 
-} - -# Argo requires the password to be bcrypt, we use custom provider of bcrypt, -# as the default bcrypt function generates diff for each terraform plan -resource "bcrypt_hash" "argo" { - cleartext = random_password.argocd.result -} - -#tfsec:ignore:aws-ssm-secret-use-customer-key -resource "aws_secretsmanager_secret" "argocd" { - name = "argocd" - recovery_window_in_days = 0 # Set to zero for this example to force delete during Terraform destroy -} - -resource "aws_secretsmanager_secret_version" "argocd" { - secret_id = aws_secretsmanager_secret.argocd.id - secret_string = random_password.argocd.result -} - -################################################################################ -# Supporting Resources -################################################################################ - -module "vpc" { - source = "terraform-aws-modules/vpc/aws" - version = "~> 5.0" - - name = local.name - cidr = local.vpc_cidr - - azs = local.azs - private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)] - public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)] - - enable_nat_gateway = true - single_nat_gateway = true - - public_subnet_tags = { - "kubernetes.io/role/elb" = 1 - } - - private_subnet_tags = { - "kubernetes.io/role/internal-elb" = 1 - } - - tags = local.tags -} diff --git a/patterns/argocd/outputs.tf b/patterns/argocd/outputs.tf deleted file mode 100644 index d79912bf44..0000000000 --- a/patterns/argocd/outputs.tf +++ /dev/null @@ -1,4 +0,0 @@ -output "configure_kubectl" { - description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig" - value = "aws eks update-kubeconfig --name ${module.eks.cluster_name} --alias ${module.eks.cluster_name}" -} diff --git a/patterns/argocd/variables.tf b/patterns/argocd/variables.tf deleted file mode 100644 index e69de29bb2..0000000000