Merge branch 'main' into docs/v5-direction

aws-ia · Feb 3, 2023 · 6a74658 · 6a74658
2 parents e89a5cd + dda979f
commit 6a74658
Show file tree

Hide file tree

Showing 14 changed files with 168 additions and 125 deletions.
diff --git a/README.md b/README.md
@@ -48,7 +48,7 @@ If you are interested in contributing to EKS Blueprints, see the [Contribution g
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.72 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.47 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.4.1 |
 | <a name="requirement_http"></a> [http](#requirement\_http) | 2.4.1 |
 | <a name="requirement_kubectl"></a> [kubectl](#requirement\_kubectl) | >= 1.14 |
@@ -60,7 +60,7 @@ If you are interested in contributing to EKS Blueprints, see the [Contribution g
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.72 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.47 |
 | <a name="provider_http"></a> [http](#provider\_http) | 2.4.1 |
 | <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | >= 2.10 |
 

diff --git a/docs/add-ons/managed-add-ons.md b/docs/add-ons/managed-add-ons.md
@@ -18,7 +18,7 @@ Note: EKS managed Add-ons can be converted to self-managed add-on with `preserve
 This option makes the add-on a self-managed add-on, rather than an Amazon EKS add-on.
 There is no downtime while deleting EKS managed Add-ons when `preserve=true`. This is a default option for `enable_amazon_eks_vpc_cni` , `enable_amazon_eks_coredns` and `enable_amazon_eks_kube_proxy`.
 
-Checkout this [doc](https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html#updating-vpc-cni-eks-add-on) for more details.
+Checkout this [doc](https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html#updating-vpc-cni-eks-add-on) for more details. Custom add-on configuration can be passed using [configuration_values](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) as a single JSON string while creating or updating the add-on.
 
 ```
 # EKS Addons
@@ -33,7 +33,13 @@ Checkout this [doc](https://docs.aws.amazon.com/eks/latest/userguide/managing-vp
     service_account_role_arn = ""
     preserve                 = true
     additional_iam_policies  = []
-    tags                     = {}
+    configuration_values = jsonencode({
+      env = {
+        ENABLE_PREFIX_DELEGATION = "true"
+        WARM_PREFIX_TARGET       = "1"
+      }
+    })
+    tags = {}
   }
 
   enable_amazon_eks_coredns = true # default is false
@@ -47,6 +53,7 @@ Checkout this [doc](https://docs.aws.amazon.com/eks/latest/userguide/managing-vp
     service_account_role_arn = ""
     preserve                 = true
     additional_iam_policies  = []
+    configuration_values     = ""
     tags                     = {}
   }
 
@@ -61,6 +68,7 @@ Checkout this [doc](https://docs.aws.amazon.com/eks/latest/userguide/managing-vp
     service_account_role_arn = ""
     preserve                 = true
     additional_iam_policies  = []
+    configuration_values     = ""
     tags                     = {}
   }
 
@@ -74,6 +82,7 @@ Checkout this [doc](https://docs.aws.amazon.com/eks/latest/userguide/managing-vp
     namespace                = "kube-system"
     additional_iam_policies  = []
     service_account_role_arn = ""
+    configuration_values     = ""
     tags                     = {}
   }
 ```

diff --git a/modules/kubernetes-addons/appmesh-controller/data.tf b/modules/kubernetes-addons/appmesh-controller/data.tf
@@ -0,0 +1,115 @@
+data "aws_iam_policy_document" "this" {
+  statement {
+    sid       = "AllowAppMesh"
+    effect    = "Allow"
+    resources = ["arn:${var.addon_context.aws_partition_id}:appmesh:${var.addon_context.aws_region_name}:${var.addon_context.aws_caller_identity_account_id}:mesh/*"]
+
+    actions = [
+      "appmesh:ListVirtualRouters",
+      "appmesh:ListVirtualServices",
+      "appmesh:ListRoutes",
+      "appmesh:ListGatewayRoutes",
+      "appmesh:ListMeshes",
+      "appmesh:ListVirtualNodes",
+      "appmesh:ListVirtualGateways",
+      "appmesh:DescribeMesh",
+      "appmesh:DescribeVirtualRouter",
+      "appmesh:DescribeRoute",
+      "appmesh:DescribeVirtualNode",
+      "appmesh:DescribeVirtualGateway",
+      "appmesh:DescribeGatewayRoute",
+      "appmesh:DescribeVirtualService",
+      "appmesh:CreateMesh",
+      "appmesh:CreateVirtualRouter",
+      "appmesh:CreateVirtualGateway",
+      "appmesh:CreateVirtualService",
+      "appmesh:CreateGatewayRoute",
+      "appmesh:CreateRoute",
+      "appmesh:CreateVirtualNode",
+      "appmesh:UpdateMesh",
+      "appmesh:UpdateRoute",
+      "appmesh:UpdateVirtualGateway",
+      "appmesh:UpdateVirtualRouter",
+      "appmesh:UpdateGatewayRoute",
+      "appmesh:UpdateVirtualService",
+      "appmesh:UpdateVirtualNode",
+      "appmesh:DeleteMesh",
+      "appmesh:DeleteRoute",
+      "appmesh:DeleteVirtualRouter",
+      "appmesh:DeleteGatewayRoute",
+      "appmesh:DeleteVirtualService",
+      "appmesh:DeleteVirtualNode",
+      "appmesh:DeleteVirtualGateway"
+    ]
+  }
+
+  statement {
+    sid       = "CreateServiceLinkedRole"
+    effect    = "Allow"
+    resources = ["arn:${var.addon_context.aws_partition_id}:iam::${var.addon_context.aws_caller_identity_account_id}:role/aws-service-role/appmesh.${local.dns_suffix}/AWSServiceRoleForAppMesh"]
+    actions   = ["iam:CreateServiceLinkedRole"]
+
+    condition {
+      test     = "StringLike"
+      variable = "iam:AWSServiceName"
+      values   = ["appmesh.${local.dns_suffix}"]
+    }
+  }
+
+  statement {
+    sid       = "AllowACMAccess"
+    effect    = "Allow"
+    resources = ["arn:${var.addon_context.aws_partition_id}:acm:${var.addon_context.aws_region_name}:${var.addon_context.aws_caller_identity_account_id}:certificate/*"]
+    actions = [
+      "acm:ListCertificates",
+      "acm:DescribeCertificate",
+    ]
+  }
+
+  statement {
+    sid       = "AllowACMPCAAccess"
+    effect    = "Allow"
+    resources = ["arn:${var.addon_context.aws_partition_id}:acm-pca:${var.addon_context.aws_region_name}:${var.addon_context.aws_caller_identity_account_id}:certificate-authority/*"]
+    actions = [
+      "acm-pca:DescribeCertificateAuthority",
+      "acm-pca:ListCertificateAuthorities"
+    ]
+  }
+
+  statement {
+    sid    = "AllowServiceDiscovery"
+    effect = "Allow"
+    resources = [
+      "arn:${var.addon_context.aws_partition_id}:servicediscovery:${var.addon_context.aws_region_name}:${var.addon_context.aws_caller_identity_account_id}:namespace/*",
+      "arn:${var.addon_context.aws_partition_id}:servicediscovery:${var.addon_context.aws_region_name}:${var.addon_context.aws_caller_identity_account_id}:service/*"
+    ]
+    actions = [
+      "servicediscovery:CreateService",
+      "servicediscovery:DeleteService",
+      "servicediscovery:GetService",
+      "servicediscovery:GetInstance",
+      "servicediscovery:RegisterInstance",
+      "servicediscovery:DeregisterInstance",
+      "servicediscovery:ListInstances",
+      "servicediscovery:ListNamespaces",
+      "servicediscovery:ListServices",
+      "servicediscovery:GetInstancesHealthStatus",
+      "servicediscovery:UpdateInstanceCustomHealthStatus",
+      "servicediscovery:GetOperation"
+    ]
+  }
+
+  statement {
+    sid    = "AllowRoute53"
+    effect = "Allow"
+    resources = [
+    "arn:${var.addon_context.aws_partition_id}:route53:::*"]
+    actions = [
+      "route53:ChangeResourceRecordSets",
+      "route53:GetHealthCheck",
+      "route53:CreateHealthCheck",
+      "route53:UpdateHealthCheck",
+      "route53:DeleteHealthCheck"
+    ]
+  }
+}
diff --git a/modules/kubernetes-addons/appmesh-controller/main.tf b/modules/kubernetes-addons/appmesh-controller/main.tf
@@ -2,7 +2,6 @@ locals {
   name      = try(var.helm_config.name, "appmesh-controller")
   namespace = try(var.helm_config.namespace, "appmesh-system")
 
-  partition  = data.aws_partition.current.partition
   dns_suffix = data.aws_partition.current.dns_suffix
 }
 
@@ -52,99 +51,3 @@ resource "aws_iam_policy" "this" {
   description = "IAM Policy for App Mesh"
   policy      = data.aws_iam_policy_document.this.json
 }
-
-data "aws_iam_policy_document" "this" {
-  statement {
-    sid       = "appmesh"
-    effect    = "Allow"
-    resources = ["*"]
-
-    actions = [
-      "appmesh:ListVirtualRouters",
-      "appmesh:ListVirtualServices",
-      "appmesh:ListRoutes",
-      "appmesh:ListGatewayRoutes",
-      "appmesh:ListMeshes",
-      "appmesh:ListVirtualNodes",
-      "appmesh:ListVirtualGateways",
-      "appmesh:DescribeMesh",
-      "appmesh:DescribeVirtualRouter",
-      "appmesh:DescribeRoute",
-      "appmesh:DescribeVirtualNode",
-      "appmesh:DescribeVirtualGateway",
-      "appmesh:DescribeGatewayRoute",
-      "appmesh:DescribeVirtualService",
-      "appmesh:CreateMesh",
-      "appmesh:CreateVirtualRouter",
-      "appmesh:CreateVirtualGateway",
-      "appmesh:CreateVirtualService",
-      "appmesh:CreateGatewayRoute",
-      "appmesh:CreateRoute",
-      "appmesh:CreateVirtualNode",
-      "appmesh:UpdateMesh",
-      "appmesh:UpdateRoute",
-      "appmesh:UpdateVirtualGateway",
-      "appmesh:UpdateVirtualRouter",
-      "appmesh:UpdateGatewayRoute",
-      "appmesh:UpdateVirtualService",
-      "appmesh:UpdateVirtualNode",
-      "appmesh:DeleteMesh",
-      "appmesh:DeleteRoute",
-      "appmesh:DeleteVirtualRouter",
-      "appmesh:DeleteGatewayRoute",
-      "appmesh:DeleteVirtualService",
-      "appmesh:DeleteVirtualNode",
-      "appmesh:DeleteVirtualGateway"
-    ]
-  }
-
-  statement {
-    sid       = "CreateServiceLinkedRole"
-    effect    = "Allow"
-    resources = ["arn:${local.partition}:iam::*:role/aws-service-role/appmesh.${local.dns_suffix}/AWSServiceRoleForAppMesh"]
-    actions   = ["iam:CreateServiceLinkedRole"]
-
-    condition {
-      test     = "StringLike"
-      variable = "iam:AWSServiceName"
-      values   = ["appmesh.${local.dns_suffix}"]
-    }
-  }
-
-  statement {
-    sid       = "ACMAccess"
-    effect    = "Allow"
-    resources = ["*"]
-    actions = [
-      "acm:ListCertificates",
-      "acm:DescribeCertificate",
-      "acm-pca:DescribeCertificateAuthority",
-      "acm-pca:ListCertificateAuthorities"
-    ]
-  }
-
-  statement {
-    sid       = "ServiceDiscovery"
-    effect    = "Allow"
-    resources = ["*"]
-    actions = [
-      "servicediscovery:CreateService",
-      "servicediscovery:DeleteService",
-      "servicediscovery:GetService",
-      "servicediscovery:GetInstance",
-      "servicediscovery:RegisterInstance",
-      "servicediscovery:DeregisterInstance",
-      "servicediscovery:ListInstances",
-      "servicediscovery:ListNamespaces",
-      "servicediscovery:ListServices",
-      "servicediscovery:GetInstancesHealthStatus",
-      "servicediscovery:UpdateInstanceCustomHealthStatus",
-      "servicediscovery:GetOperation",
-      "route53:GetHealthCheck",
-      "route53:CreateHealthCheck",
-      "route53:UpdateHealthCheck",
-      "route53:ChangeResourceRecordSets",
-      "route53:DeleteHealthCheck"
-    ]
-  }
-}
diff --git a/modules/kubernetes-addons/aws-coredns/main.tf b/modules/kubernetes-addons/aws-coredns/main.tf
@@ -18,6 +18,7 @@ resource "aws_eks_addon" "coredns" {
   resolve_conflicts        = try(var.addon_config.resolve_conflicts, "OVERWRITE")
   service_account_role_arn = try(var.addon_config.service_account_role_arn, null)
   preserve                 = try(var.addon_config.preserve, true)
+  configuration_values     = try(var.addon_config.configuration_values, null)
 
   tags = merge(
     var.addon_context.tags,

diff --git a/modules/kubernetes-addons/aws-ebs-csi-driver/main.tf b/modules/kubernetes-addons/aws-ebs-csi-driver/main.tf
@@ -21,6 +21,7 @@ resource "aws_eks_addon" "aws_ebs_csi_driver" {
   resolve_conflicts        = try(var.addon_config.resolve_conflicts, "OVERWRITE")
   service_account_role_arn = local.create_irsa ? module.irsa_addon[0].irsa_iam_role_arn : try(var.addon_config.service_account_role_arn, null)
   preserve                 = try(var.addon_config.preserve, true)
+  configuration_values     = try(var.addon_config.configuration_values, null)
 
   tags = merge(
     var.addon_context.tags,

diff --git a/modules/kubernetes-addons/aws-kube-proxy/main.tf b/modules/kubernetes-addons/aws-kube-proxy/main.tf
@@ -15,6 +15,7 @@ resource "aws_eks_addon" "kube_proxy" {
   resolve_conflicts        = try(var.addon_config.resolve_conflicts, "OVERWRITE")
   service_account_role_arn = try(var.addon_config.service_account_role_arn, null)
   preserve                 = try(var.addon_config.preserve, true)
+  configuration_values     = try(var.addon_config.configuration_values, null)
 
   tags = merge(
     var.addon_context.tags,

diff --git a/modules/kubernetes-addons/aws-node-termination-handler/data.tf b/modules/kubernetes-addons/aws-node-termination-handler/data.tf
@@ -19,13 +19,25 @@ data "aws_iam_policy_document" "aws_node_termination_handler_queue_policy_docume
 data "aws_iam_policy_document" "irsa_policy" {
   statement {
     actions = [
-      "autoscaling:CompleteLifecycleAction",
       "autoscaling:DescribeAutoScalingInstances",
       "autoscaling:DescribeTags",
       "ec2:DescribeInstances",
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    actions = [
+      "autoscaling:CompleteLifecycleAction",
+    ]
+    resources = ["arn:${var.addon_context.aws_partition_id}:autoscaling:${var.addon_context.aws_region_name}:${var.addon_context.aws_caller_identity_account_id}:autoScalingGroup:*"]
+  }
+
+  statement {
+    actions = [
       "sqs:DeleteMessage",
       "sqs:ReceiveMessage",
     ]
-    resources = ["*"]
+    resources = [aws_sqs_queue.aws_node_termination_handler_queue.arn]
   }
 }
diff --git a/modules/kubernetes-addons/aws-vpc-cni/main.tf b/modules/kubernetes-addons/aws-vpc-cni/main.tf
@@ -18,6 +18,7 @@ resource "aws_eks_addon" "vpc_cni" {
   resolve_conflicts        = try(var.addon_config.resolve_conflicts, "OVERWRITE")
   service_account_role_arn = local.create_irsa ? module.irsa_addon[0].irsa_iam_role_arn : try(var.addon_config.service_account_role_arn, null)
   preserve                 = try(var.addon_config.preserve, true)
+  configuration_values     = try(var.addon_config.configuration_values, null)
 
   tags = merge(
     var.addon_context.tags,

diff --git a/modules/kubernetes-addons/external-dns/README.md b/modules/kubernetes-addons/external-dns/README.md
@@ -41,7 +41,7 @@ For complete project documentation, please visit the [ExternalDNS Github reposit
 | <a name="input_addon_context"></a> [addon\_context](#input\_addon\_context) | Input configuration for the addon | <pre>object({<br>    aws_caller_identity_account_id = string<br>    aws_caller_identity_arn        = string<br>    aws_eks_cluster_endpoint       = string<br>    aws_partition_id               = string<br>    aws_region_name                = string<br>    eks_cluster_id                 = string<br>    eks_oidc_issuer_url            = string<br>    eks_oidc_provider_arn          = string<br>    tags                           = map(string)<br>    irsa_iam_role_path             = string<br>    irsa_iam_permissions_boundary  = string<br>  })</pre> | n/a | yes |
 | <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | [Deprecated - use `route53_zone_arns`] Domain name of the Route53 hosted zone to use with External DNS. | `string` | n/a | yes |
 | <a name="input_helm_config"></a> [helm\_config](#input\_helm\_config) | External DNS Helm Configuration | `any` | `{}` | no |
-| <a name="input_irsa_policies"></a> [irsa\_policies](#input\_irsa\_policies) | Additional IAM policies used for the add-on service account. | `list(string)` | n/a | yes |
+| <a name="input_irsa_policies"></a> [irsa\_policies](#input\_irsa\_policies) | Additional IAM policies used for the add-on service account. | `list(string)` | `[]` | no |
 | <a name="input_manage_via_gitops"></a> [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps. | `bool` | `false` | no |
 | <a name="input_private_zone"></a> [private\_zone](#input\_private\_zone) | [Deprecated - use `route53_zone_arns`] Determines if referenced Route53 hosted zone is private. | `bool` | `false` | no |
 | <a name="input_route53_zone_arns"></a> [route53\_zone\_arns](#input\_route53\_zone\_arns) | List of Route53 zones ARNs which external-dns will have access to create/manage records | `list(string)` | `[]` | no |

diff --git a/modules/kubernetes-addons/external-dns/data.tf b/modules/kubernetes-addons/external-dns/data.tf
@@ -0,0 +1,19 @@
+data "aws_iam_policy_document" "external_dns_iam_policy_document" {
+  statement {
+    effect = "Allow"
+    resources = distinct(concat(
+      [data.aws_route53_zone.selected.arn],
+      var.route53_zone_arns
+    ))
+    actions = [
+      "route53:ChangeResourceRecordSets",
+      "route53:ListResourceRecordSets",
+    ]
+  }
+
+  statement {
+    effect    = "Allow"
+    resources = ["*"]
+    actions   = ["route53:ListHostedZones"]
+  }
+}