diff --git a/docs/add-ons/aws-privateca-issuer.md b/docs/add-ons/aws-privateca-issuer.md new file mode 100644 index 0000000000..25790a9b75 --- /dev/null +++ b/docs/add-ons/aws-privateca-issuer.md 
@@ -0,0 +1,110 @@ +# aws-privateca-issuer + +AWS ACM Private CA is a module of the [AWS Certificate Manager](https://aws.amazon.com/certificate-manager/) that can setup and manage private CAs. `cert-manager` is a Kubernetes add-on to automate the management and issuance of TLS certificates from various issuing sources. It will ensure certificates are valid and up to date periodically, and attempt to renew certificates at an appropriate time before expiry. This module `aws-pca-issuer` is a addon for `cert-manager` that issues certificates using AWS ACM PCA. + +See the [aws-privateca-issuer documentation](https://cert-manager.github.io/aws-privateca-issuer/). + +## Usage + +aws_privateca_issuer can be deployed by enabling the add-on via the following. + +```hcl +enable_cert_manager = true +enable_aws_privateca_issuer = true +``` + +Create `AWSPCAClusterIssuer` custom resource definition (CRD). It is a Kubernetes resources that represent certificate authorities (CAs) from AWS ACM and are able to generate signed certificates by honoring certificate signing requests. For more details on external `Issuer` types, please check [aws-privateca-issuer](https://github.com/cert-manager/aws-privateca-issuer) + +```hcl +resource "kubernetes_manifest" "cluster-pca-issuer" { + manifest = { + apiVersion = "awspca.cert-manager.io/v1beta1" + kind = "AWSPCAClusterIssuer" + + metadata = { + name = "logical.name.of.this.issuer" + } + + spec = { + arn = "ARN for AWS PCA" + region: "data.aws_region.current.id OR AWS region of the AWS PCA" + + } + } +} +``` + +Create `Certificate` CRD. Certificates define a desired X.509 certificate which will be renewed and kept up to date. For more details on how to specify and request Certificate resources, please check [Certificate Resources guide](https://cert-manager.io/docs/usage/certificate/). 
+ +A Certificate is a namespaced resource that references `AWSPCAClusterIssuer` (created in above step) that determine what will be honoring the certificate request. + +```hcl +resource "kubernetes_manifest" "example_pca_certificate" { + manifest = { + apiVersion = "cert-manager.io/v1" + kind = "Certificate" + + metadata = { + name = "name of the certificate" + namespace = "default or any namespace" + } + + spec = { + commonName = "common name for your certificate" + duration = "duration" + issuerRef = { + group = "awspca.cert-manager.io" + kind = "AWSPCAClusterIssuer" + name: "name of AWSPCAClusterIssuer created above" + } + renewBefore = "360h0m0s" + secretName = "name of the secret where certificate will be mounted" + usages = [ + "server auth", + "client auth" + ] + privateKey = { + algorithm: "RSA" + size: 2048 + } + } + } + +} +``` + +When a Certificate is created, a corresponding CertificateRequest resource is created by `cert-manager` containing the encoded X.509 certificate request, Issuer reference, and other options based upon the specification of the Certificate resource. + +This Certificate CRD will tell cert-manager to attempt to use the Issuer (as AWS ACM) to obtain a certificate key pair for the specified domains. If successful, the resulting TLS key and certificate will be stored in a kubernetes secret named , with keys of tls.key, and tls.crt respectively. This secret will live in the same namespace as the Certificate resource. + +Now, you may run `kubectl get Certificate` to view the status of Certificate Request from AWS PCA. 
+ +``` +NAME READY SECRET AGE +example True aws001-preprod-dev-eks-clusterissuer 3h35m +``` + +If the status is `True`, that means, the `tls.crt`, `tls.key` and `ca.crt` will all be available in [Kubernetes Secret](https://kubernetes.io/docs/concepts/configuration/secret/) + +``` +aws001-preprod-dev-eks-clusterissuer +Name: aws001-preprod-dev-eks-clusterissuer +Namespace: default +Labels: +Annotations: cert-manager.io/alt-names: + cert-manager.io/certificate-name: example + cert-manager.io/common-name: example.com + cert-manager.io/ip-sans: + cert-manager.io/issuer-group: awspca.cert-manager.io + cert-manager.io/issuer-kind: AWSPCAClusterIssuer + cert-manager.io/issuer-name: aws001-preprod-dev-eks + cert-manager.io/uri-sans: + +Type: kubernetes.io/tls + +Data +==== +ca.crt: 1785 bytes +tls.crt: 1517 bytes +tls.key: 1679 bytes +``` \ No newline at end of file diff --git a/examples/tls-with-aws-pca-issuer/README.md b/examples/tls-with-aws-pca-issuer/README.md new file mode 100644 index 0000000000..da12c8b16b --- /dev/null +++ b/examples/tls-with-aws-pca-issuer/README.md 
@@ -0,0 +1,122 @@ +# TLS with AWS PCA Issuer +This example deploys the following +- Basic EKS Cluster with VPC + - Creates a new sample VPC, 3 Private Subnets and 3 Public Subnets + - Creates Internet gateway for Public Subnets and NAT Gateway for Private Subnets + - Enables cert-manager module + - Enables aws-privateca-issuer module +- Creates AWS Certificate Manager Private Certificate Authority, enables and activates it +- Creates the CRDs to fetch `tls.crt`, `tls.key` and `ca.crt` , which will be available as Kubernetes Secret. Now you may mount the secret in the application for end to end TLS. + +## How to Deploy +### Prerequisites: +Ensure that you have installed the following tools in your Mac or Windows Laptop before start working with this module and run Terraform Plan and Apply +1. [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) +3. [Kubectl](https://Kubernetes.io/docs/tasks/tools/) +4. [Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) + +### Deployment Steps +#### Step1: Clone the repo using the command below + +```shell script +git clone https://github.com/aws-samples/aws-eks-accelerator-for-terraform.git +``` + +#### Step2: Run Terraform INIT +Initialize a working directory with configuration files + +```shell script +cd examples/tls-with-aws-pca-issuer/ +terraform init +``` + +#### Step3: Run Terraform PLAN +Verify the resources created by this execution + +```shell script +export AWS_REGION= # Select your own region +terraform plan +``` + +#### Step4: Finally, Terraform APPLY +to create resources + +```shell script +terraform apply +``` + +Enter `yes` to apply + +### Configure `kubectl` and test cluster +EKS Cluster details can be extracted from terraform output or from AWS Console to get the name of cluster. +This following command used to update the `kubeconfig` in your local machine where you run kubectl commands to interact with your EKS Cluster. 
+ +#### Step5: Run `update-kubeconfig` command + +`~/.kube/config` file gets updated with cluster details and certificate from the below command + + $ aws eks --region update-kubeconfig --name + +#### Step6: List all the worker nodes by running the command below + + $ kubectl get nodes + +#### Step7: List all the pods running in `aws-privateca-issuer` and `cert-manager` namespace + + $ kubectl get pods -n aws-privateca-issuer + $ kubectl get pods -n cert-manager + +#### Step8: View the `Certificate` status. It should be in 'Ready' state. + + $ kubectl get Certificate + +## How to Destroy +The following command destroys the resources created by `terraform apply` + +```shell script +cd examples/tls-with-aws-pca-issuer +terraform destroy --auto-approve +``` + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.1 | +| [aws](#requirement\_aws) | >= 3.66.0 | +| [helm](#requirement\_helm) | >= 2.4.1 | +| [kubernetes](#requirement\_kubernetes) | >= 2.6.1 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 3.66.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-eks-accelerator-for-terraform](#module\_aws-eks-accelerator-for-terraform) | ../.. 
| n/a | +| [aws\_vpc](#module\_aws\_vpc) | terraform-aws-modules/vpc/aws | v3.2.0 | +| [kubernetes-addons](#module\_kubernetes-addons) | ../../modules/kubernetes-addons | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | +| [aws_eks_cluster.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | +| [aws_eks_cluster_auth.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +No inputs. + +## Outputs + +No outputs. + + \ No newline at end of file diff --git a/examples/tls-with-aws-pca-issuer/main.tf b/examples/tls-with-aws-pca-issuer/main.tf new file mode 100644 index 0000000000..32c88988c3 --- /dev/null +++ b/examples/tls-with-aws-pca-issuer/main.tf 
@@ -0,0 +1,262 @@ +terraform { + required_version = ">= 1.0.1" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 3.66.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = ">= 2.6.1" + } + helm = { + source = "hashicorp/helm" + version = ">= 2.4.1" + } + } + + backend "local" { + path = "local_tf_state/terraform-main.tfstate" + } +} + +data "aws_region" "current" {} + +data "aws_availability_zones" "available" {} + +data "aws_eks_cluster" "cluster" { + name = module.eks-blueprints.eks_cluster_id +} + +data "aws_eks_cluster_auth" "cluster" { + name = module.eks-blueprints.eks_cluster_id +} + +provider "aws" { + region = data.aws_region.current.id + alias = "default" +} + +provider "kubernetes" { + experiments { + manifest_resource = true + } + host = data.aws_eks_cluster.cluster.endpoint + cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data) + token = data.aws_eks_cluster_auth.cluster.token +} + +provider "helm" { + kubernetes { + host = data.aws_eks_cluster.cluster.endpoint + token = data.aws_eks_cluster_auth.cluster.token + cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data) + } +} + +locals { + tenant = var.tenant # AWS account name or unique id for tenant + environment = var.environment # Environment area eg., preprod or prod + zone = var.zone # Environment with in one sub_tenant or business unit + cluster_version = var.cluster_version + certificate_name = var.certificate_name + certificate_dns = var.certificate_dns + + vpc_cidr = "10.0.0.0/16" + vpc_name = join("-", [local.tenant, local.environment, local.zone, "vpc"]) + azs = slice(data.aws_availability_zones.available.names, 0, 3) + cluster_name = join("-", [local.tenant, local.environment, local.zone, "eks"]) + + terraform_version = "Terraform v1.0.1" +} + +module "aws_vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "v3.2.0" + + name = local.vpc_name + cidr = 
local.vpc_cidr + azs = local.azs + + public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)] + private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 10)] + + enable_nat_gateway = true + create_igw = true + enable_dns_hostnames = true + single_nat_gateway = true + + public_subnet_tags = { + "kubernetes.io/cluster/${local.cluster_name}" = "shared" + "kubernetes.io/role/elb" = "1" + } + + private_subnet_tags = { + "kubernetes.io/cluster/${local.cluster_name}" = "shared" + "kubernetes.io/role/internal-elb" = "1" + } +} +#--------------------------------------------------------------- +# Example to consume eks-blueprints module +#--------------------------------------------------------------- +module "eks-blueprints" { + source = "../.." + + tenant = local.tenant + environment = local.environment + zone = local.zone + terraform_version = local.terraform_version + + # EKS Cluster VPC and Subnet mandatory config + vpc_id = module.aws_vpc.vpc_id + private_subnet_ids = module.aws_vpc.private_subnets + + # EKS CONTROL PLANE VARIABLES + cluster_version = local.cluster_version + + # EKS MANAGED NODE GROUPS + managed_node_groups = { + mg_4 = { + node_group_name = "managed-ondemand" + instance_types = ["m4.large"] + min_size = "2" + subnet_ids = module.aws_vpc.private_subnets + } + } +} + +module "eks-blueprints-kubernetes-addons" { + source = "../../modules/kubernetes-addons" + eks_cluster_id = module.eks-blueprints.eks_cluster_id + aws_privateca_acmca_arn = aws_acmpca_certificate_authority.example.arn + + # EKS Managed Add-ons + enable_amazon_eks_vpc_cni = true + enable_amazon_eks_coredns = true + enable_amazon_eks_kube_proxy = true + + #K8s Add-ons + enable_cert_manager = true + enable_aws_privateca_issuer = true + + depends_on = [module.eks-blueprints.managed_node_groups] +} + + +#------------------------------- +# This resource creates a AWS Certificate Manager Private Certificate Authority (ACM PCA) 
+#------------------------------- + +resource "aws_acmpca_certificate_authority_certificate" "example" { + certificate_authority_arn = aws_acmpca_certificate_authority.example.arn + + certificate = aws_acmpca_certificate.example.certificate + certificate_chain = aws_acmpca_certificate.example.certificate_chain +} + +#------------------------------- +# This resource sends the signing request to ACM PCA, so that it becomes active +#------------------------------- + +resource "aws_acmpca_certificate" "example" { + certificate_authority_arn = aws_acmpca_certificate_authority.example.arn + certificate_signing_request = aws_acmpca_certificate_authority.example.certificate_signing_request + signing_algorithm = "SHA512WITHRSA" + + template_arn = "arn:${data.aws_partition.current.partition}:acm-pca:::template/RootCACertificate/V1" + + validity { + type = "YEARS" + value = 10 + } +} + +#------------------------------- +# Associates a certificate with an AWS Certificate Manager Private Certificate Authority (ACM PCA Certificate Authority). +# An ACM PCA Certificate Authority is unable to issue certificates until it has a certificate associated with it. +# A root level ACM PCA Certificate Authority is able to self-sign its own root certificate. 
+#------------------------------- + +resource "aws_acmpca_certificate_authority" "example" { + type = "ROOT" + + certificate_authority_configuration { + key_algorithm = "RSA_4096" + signing_algorithm = "SHA512WITHRSA" + + subject { + common_name = "example.com" + } + } +} + +data "aws_partition" "current" {} + + +#------------------------------- +# This resource creates a CRD of AWSPCAClusterIssuer Kind, which then represents the ACM PCA in K8 +#------------------------------- + +resource "kubernetes_manifest" "cluster-pca-issuer" { + manifest = { + apiVersion = "awspca.cert-manager.io/v1beta1" + kind = "AWSPCAClusterIssuer" + + metadata = { + name = module.eks-blueprints.eks_cluster_id + } + + spec = { + arn = aws_acmpca_certificate_authority.example.arn + region : data.aws_region.current.id + } + } + depends_on = [module.eks-blueprints-kubernetes-addons] +} + +#------------------------------- +# This resource creates a CRD of Certificate Kind, which then represents certificate issued from ACM PCA, +# mounted as K8 secret +#------------------------------- + +resource "kubernetes_manifest" "example_pca_certificate" { + manifest = { + apiVersion = "cert-manager.io/v1" + kind = "Certificate" + + metadata = { + name = local.certificate_name + namespace = "default" + } + + spec = { + commonName = local.certificate_dns + duration = "2160h0m0s" + issuerRef = { + group = "awspca.cert-manager.io" + kind = "AWSPCAClusterIssuer" + name : module.eks-blueprints.eks_cluster_id + } + renewBefore = "360h0m0s" + secretName = join("-", [local.certificate_name, "clusterissuer"]) # This is the name with which the K8 Secret will be available + usages = [ + "server auth", + "client auth" + ] + privateKey = { + algorithm : "RSA" + size : 2048 + } + } + } + + depends_on = [module.eks-blueprints-kubernetes-addons, kubernetes_manifest.cluster-pca-issuer] +} + + + +output "configure_kubectl" { + description = "Configure kubectl: make sure you're logged in with the correct AWS profile and 
run the following command to update your kubeconfig" + value = module.eks-blueprints.configure_kubectl +} \ No newline at end of file diff --git a/examples/tls-with-aws-pca-issuer/variables.tf b/examples/tls-with-aws-pca-issuer/variables.tf new file mode 100644 index 0000000000..438f6df80d --- /dev/null +++ b/examples/tls-with-aws-pca-issuer/variables.tf @@ -0,0 +1,35 @@ +variable "cluster_version" { + type = string + description = "Kubernetes Version" + default = "1.21" +} + +variable "tenant" { + type = string + description = "Account Name or unique account unique id e.g., apps or management or aws007" + default = "pca001" +} + +variable "environment" { + type = string + default = "preprod" + description = "Environment area, e.g. prod or preprod " +} + +variable "zone" { + type = string + description = "zone, e.g. dev or qa or load or ops etc..." + default = "dev" +} + +variable "certificate_name" { + type = string + description = "name for the certificate" + default = "example" +} + +variable "certificate_dns" { + type = string + description = "CommonName used in the Certificate, usually DNS " + default = "example.com" +} \ No newline at end of file diff --git a/modules/kubernetes-addons/aws-privateca-issuer/README.md b/modules/kubernetes-addons/aws-privateca-issuer/README.md new file mode 100644 index 0000000000..739e0c3a2b --- /dev/null +++ b/modules/kubernetes-addons/aws-privateca-issuer/README.md 
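Review bot: The `Certificate` in `kubernetes_manifest.example_pca_certificate` names the host only in `spec.commonName` and requests no `dnsNames`, so the issued leaf carries no Subject Alternative Name; Go's TLS stack (since 1.15) and every current browser no longer fall back to the CN, so the certificate will not validate for `example.com` even though the secret is populated and `READY` shows `True`. Add `dnsNames = [local.certificate_dns]` beside `commonName`, and drop `"client auth"` from `usages` unless the workload really acts as an mTLS client. Separately, the example issues end-entity certificates straight from a self-signed 10-year `ROOT` CA that the cluster-scoped `AWSPCAClusterIssuer` exposes to every namespace; for anything beyond a demo, issue from a `SUBORDINATE` CA and keep the root for signing intermediates only. Note also that `backend "local"` persists the `data.aws_eks_cluster_auth.cluster.token` value in `local_tf_state/`, so that directory should be git-ignored even though the token is short-lived.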
@@ -0,0 +1,52 @@ +# AWS PCA issuer Helm Chart + +# Introduction + +AWS ACM Private CA is a module of the [AWS Certificate Manager](https://aws.amazon.com/certificate-manager/) that can setup and manage private CAs. `cert-manager` is a Kubernetes add-on to automate the management and issuance of TLS certificates from various issuing sources. It will ensure certificates are valid and up to date periodically, and attempt to renew certificates at an appropriate time before expiry. The current module `aws-privateca-issuer` is a addon for `cert-manager` that issues certificates using AWS ACM PCA. + +# Helm Chart + +### Instructions to use the Helm Chart + +See the [aws-pca-issuer documentation](https://cert-manager.github.io/aws-privateca-issuer/). + + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [helm\_addon](#module\_helm\_addon) | ../helm-addon | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_policy.aws_pca_issuer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy_document.aws_pca_issuer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [addon\_context](#input\_addon\_context) | Input configuration for the addon |
object({
aws_caller_identity_account_id = string
aws_caller_identity_arn = string
aws_eks_cluster_endpoint = string
aws_partition_id = string
aws_region_name = string
eks_cluster_id = string
eks_oidc_issuer_url = string
eks_oidc_provider_arn = string
tags = map(string)
})
| n/a | yes | +| [helm\_config](#input\_helm\_config) | Cluster Autoscaler Helm Config | `any` | `{}` | no | +| [irsa\_iam\_permissions\_boundary](#input\_irsa\_iam\_permissions\_boundary) | IAM Policy ARN for IRSA IAM role permissions boundary | `string` | `""` | no | +| [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps. | `bool` | `false` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [argocd\_gitops\_config](#output\_argocd\_gitops\_config) | Configuration used for managing the add-on with ArgoCD | + + \ No newline at end of file diff --git a/modules/kubernetes-addons/aws-privateca-issuer/data.tf b/modules/kubernetes-addons/aws-privateca-issuer/data.tf new file mode 100644 index 0000000000..e8979326be --- /dev/null +++ b/modules/kubernetes-addons/aws-privateca-issuer/data.tf @@ -0,0 +1,12 @@ +data "aws_iam_policy_document" "aws_privateca_issuer" { + statement { + sid = "" + effect = "Allow" + resources = ["${var.aws_privateca_acmca_arn}"] + actions = [ + "acm-pca:DescribeCertificateAuthority", + "acm-pca:GetCertificate", + "acm-pca:IssueCertificate" + ] + } +} \ No newline at end of file diff --git a/modules/kubernetes-addons/aws-privateca-issuer/locals.tf b/modules/kubernetes-addons/aws-privateca-issuer/locals.tf new file mode 100644 index 0000000000..6bb3e3ccab --- /dev/null +++ b/modules/kubernetes-addons/aws-privateca-issuer/locals.tf 
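Review bot: In the `statement` block, `resources = ["${var.aws_privateca_acmca_arn}"]` wraps a string in a pointless interpolation, and the value it passes through comes from a parent-module variable that defaults to `""` (see the `modules/kubernetes-addons/variables.tf` hunk), so enabling the add-on without an ARN yields a policy whose only `Resource` is empty and IAM rejects it at apply time with an opaque MalformedPolicyDocument error. Write `resources = [var.aws_privateca_acmca_arn]` and reject bad input earlier with a `validation` block on the variable so the failure names the missing input. The three `acm-pca:*` actions scoped to the single CA ARN match what the upstream issuer documents and are the right least-privilege shape; keep it that narrow if someone later asks for `*`. `sid = ""` is a no-op and can be removed.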
@@ -0,0 +1,46 @@
+locals {
+ name = "aws-privateca-issuer"
+ service_account_name = "${local.name}-sa"
+
+ default_helm_config = {
+ name = local.name
+ chart = local.name
+ repository = "https://cert-manager.github.io/aws-privateca-issuer"
+ version = "0.1.2"
+ namespace = local.name
+ description = "AWS PCA Issuer helm Chart deployment configuration."
+ values = local.default_helm_values
+ timeout = "1200"
+ }
+
+ default_helm_values = []
+
+ helm_config = merge(
+ local.default_helm_config,
+ var.helm_config
+ )
+
+ set_values = [
+ {
+ name = "serviceAccount.create"
+ value = "false"
+ },
+ {
+ name = "serviceAccount.name"
+ value = local.service_account_name
+ }
+ ]
+
+ irsa_config = {
+ create_kubernetes_namespace = true
+ kubernetes_namespace = local.name
+ create_kubernetes_service_account = true
+ kubernetes_service_account = local.service_account_name
+ irsa_iam_policies = concat([aws_iam_policy.aws_privateca_issuer.arn], var.irsa_policies)
+ }
+
+ argocd_gitops_config = {
+ enable = true
+ serviceAccountName = local.service_account_name
+ }
+}
\ No newline at end of file
diff --git a/modules/kubernetes-addons/aws-privateca-issuer/main.tf b/modules/kubernetes-addons/aws-privateca-issuer/main.tf
new file mode 100644
index 0000000000..0bb032624b
--- /dev/null
+++ b/modules/kubernetes-addons/aws-privateca-issuer/main.tf
@@ -0,0 +1,15 @@
+module "helm_addon" {
+ source = "../helm-addon"
+ manage_via_gitops = var.manage_via_gitops
+ set_values = local.set_values
+ helm_config = local.helm_config
+ irsa_config = local.irsa_config
+ addon_context = var.addon_context
+}
+
+resource "aws_iam_policy" "aws_privateca_issuer" {
+ description = "AWS PCA issuer IAM policy"
+ name = "${var.addon_context.eks_cluster_id}-${local.helm_config["name"]}-irsa"
+ policy = data.aws_iam_policy_document.aws_privateca_issuer.json
+ tags = var.addon_context.tags
+}
\ No newline at end of file
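Review bot: `irsa_config.kubernetes_namespace` is hard-wired to `local.name`, while the chart's namespace is `local.helm_config["namespace"]`, which callers can override through `var.helm_config`; with `serviceAccount.create=false` in `set_values`, an override deploys the controller into one namespace while the IRSA-annotated service account is created in `aws-privateca-issuer`, and the controller pods then fail admission because the named service account does not exist where they run. Use `kubernetes_namespace = local.helm_config["namespace"]` so the two cannot drift. Pinning `version = "0.1.2"` and pulling the chart over HTTPS from the upstream repository is the right supply-chain default; keep an exact pin when bumping rather than a floating range.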
diff --git a/modules/kubernetes-addons/aws-privateca-issuer/outputs.tf b/modules/kubernetes-addons/aws-privateca-issuer/outputs.tf
new file mode 100644
index 0000000000..c5df07850f
--- /dev/null
+++ b/modules/kubernetes-addons/aws-privateca-issuer/outputs.tf
@@ -0,0 +1,4 @@
+output "argocd_gitops_config" {
+ description = "Configuration used for managing the add-on with ArgoCD"
+ value = var.manage_via_gitops ? local.argocd_gitops_config : null
+}
\ No newline at end of file
diff --git a/modules/kubernetes-addons/aws-privateca-issuer/variables.tf b/modules/kubernetes-addons/aws-privateca-issuer/variables.tf
new file mode 100644
index 0000000000..b84669e6d6
--- /dev/null
+++ b/modules/kubernetes-addons/aws-privateca-issuer/variables.tf
@@ -0,0 +1,39 @@
+variable "helm_config" {
+ type = any
+ default = {}
+ description = "AWS PCA Issuer Helm Config"
+}
+
+variable "manage_via_gitops" {
+ type = bool
+ default = false
+ description = "Determines if the add-on should be managed via GitOps."
+}
+
+variable "addon_context" {
+ type = object({
+ aws_caller_identity_account_id = string
+ aws_caller_identity_arn = string
+ aws_eks_cluster_endpoint = string
+ aws_partition_id = string
+ aws_region_name = string
+ eks_cluster_id = string
+ eks_oidc_issuer_url = string
+ eks_oidc_provider_arn = string
+ tags = map(string)
+ irsa_iam_role_path = string
+ irsa_iam_permissions_boundary = string
+ })
+ description = "Input configuration for the addon"
+}
+
+variable "aws_privateca_acmca_arn" {
+ type = string
+ description = "ARN of AWS ACM PCA"
+}
+
+variable "irsa_policies" {
+ type = list(string)
+ description = "Additional IAM policies for a IAM role for service accounts"
+ default = []
+}
\ No newline at end of file
diff --git a/modules/kubernetes-addons/cert-manager/locals.tf b/modules/kubernetes-addons/cert-manager/locals.tf
index 6339e416da..85219e6544 100644
--- a/modules/kubernetes-addons/cert-manager/locals.tf
+++ b/modules/kubernetes-addons/cert-manager/locals.tf
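Review bot: `aws_privateca_acmca_arn` accepts any string, and the only consumer is the IAM policy document in `data.tf`, so a malformed or empty value (the parent module defaults it to `""`) is not caught until IAM rejects the policy during apply. Add a `validation` block so `terraform plan` fails with a message that names the input; the ACM PCA ARN shape is stable enough to check. Also, the README in this diff is out of step with these declarations: it lists `irsa_iam_permissions_boundary` as a standalone input (here it lives inside `addon_context`) and describes `helm_config` as "Cluster Autoscaler Helm Config", so it should be regenerated from this file before merge.
```hcl
variable "aws_privateca_acmca_arn" {
  type        = string
  description = "ARN of AWS ACM PCA"

  # Fail at plan time with a clear message instead of an opaque IAM MalformedPolicyDocument at apply.
  validation {
    condition     = can(regex("^arn:[^:]+:acm-pca:[^:]+:[0-9]{12}:certificate-authority/", var.aws_privateca_acmca_arn))
    error_message = "aws_privateca_acmca_arn must be the ARN of an ACM Private CA certificate authority (arn:<partition>:acm-pca:<region>:<account>:certificate-authority/<id>)."
  }
}
```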
@@ -1,6 +1,6 @@ locals { name = "cert-manager" - service_account_name = "${local.name}-sa" + service_account_name = "cert-manager" # AWS PrivateCA is expecting the service account name as `cert-manager` default_helm_config = { name = local.name @@ -12,7 +12,7 @@ locals { values = local.default_helm_values } - default_helm_values = [] + default_helm_values = [templatefile("${path.module}/values.yaml", {})] helm_config = merge( local.default_helm_config, diff --git a/modules/kubernetes-addons/main.tf b/modules/kubernetes-addons/main.tf index 5fc7d6222a..9a88aa6a42 100644 --- a/modules/kubernetes-addons/main.tf +++ b/modules/kubernetes-addons/main.tf @@ -281,3 +281,13 @@ module "yunikorn" { manage_via_gitops = var.argocd_manage_add_ons addon_context = local.addon_context } + +module "aws_privateca_issuer" { + count = var.enable_aws_privateca_issuer ? 1 : 0 + source = "./aws-privateca-issuer" + helm_config = var.aws_privateca_issuer_helm_config + manage_via_gitops = var.argocd_manage_add_ons + addon_context = local.addon_context + aws_privateca_acmca_arn = var.aws_privateca_acmca_arn + irsa_policies = var.aws_privateca_issuer_irsa_policies +} diff --git a/modules/kubernetes-addons/variables.tf b/modules/kubernetes-addons/variables.tf index ea597643d5..b2e6d6a056 100644 --- a/modules/kubernetes-addons/variables.tf +++ b/modules/kubernetes-addons/variables.tf 
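Review bot: Changing `service_account_name` from `cert-manager-sa` to `cert-manager` in the first hunk is a breaking change for clusters that already run this add-on: the service account and the IRSA role trust policy keyed on its name are replaced on the next apply, so cert-manager briefly runs without its IAM identity (Route53 DNS-01 solvers, for example, fail until the rollout settles), and that deserves a migration note. The inline comment also leaves the reader guessing at the mechanism; as far as I can tell it is the issuer's approver `ClusterRoleBinding`, whose subject is a service account literally named `cert-manager`, that forces the name, so I would write `# aws-privateca-issuer's approver ClusterRoleBinding targets a service account named "cert-manager"; renaming it breaks CertificateRequest approval`. If the issuer chart version in use lets that subject be set through values, pointing it at `cert-manager-sa` would avoid the rename entirely.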
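Review bot: `default_helm_values = [templatefile("${path.module}/values.yaml", {})]` in the second hunk reads a file that this diff does not add; if `values.yaml` is not already present in `modules/kubernetes-addons/cert-manager/`, every plan that enables cert-manager now fails, and whatever it contains (presumably settings the issuer needs — confirm) is invisible to reviewers of this change. With no template variables, `file("${path.module}/values.yaml")` states the intent more plainly, and a one-line comment above it saying what the file configures and why would spare the next maintainer a search.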
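Review bot: The new `module "aws_privateca_issuer"` has no ordering relationship with the cert-manager add-on, even though the issuer controller needs cert-manager's `CertificateRequest` CRD to be present and the docs in this PR require `enable_cert_manager = true` alongside it; on a fresh cluster Terraform is free to install the issuer first, and its controller will most likely crash-loop until cert-manager's CRDs land. Add `depends_on = [module.cert_manager]`, substituting whatever this file names the cert-manager module (its definition is outside the hunk). Nothing rejects `enable_aws_privateca_issuer = true` combined with `enable_cert_manager = false` either, so at minimum state the requirement in the variable description.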
@@ -672,3 +672,28 @@ variable "yunikorn_irsa_policies" { default = [] description = "IAM policy ARNs for Yunikorn IRSA" } + +#-----------AWS PCA ISSUER------------- +variable "enable_aws_privateca_issuer" { + type = bool + default = false + description = "Enable PCA Issuer" +} + +variable "aws_privateca_issuer_helm_config" { + type = any + description = "PCA Issuer Helm Chart config" + default = {} +} + +variable "aws_privateca_acmca_arn" { + type = string + default = "" + description = "ARN of AWS ACM PCA" +} + +variable "aws_privateca_issuer_irsa_policies" { + type = list(string) + default = [] + description = "IAM policy ARNs for AWS ACM PCA IRSA" +} \ No newline at end of file
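Review bot: `aws_privateca_acmca_arn` defaults to `""`, which is never a usable value: when `enable_aws_privateca_issuer = true` the empty string becomes the sole `Resource` of the IRSA policy built in the sub-module and IAM rejects it at apply. Either drop the default so a required input is prompted for, or keep it and make the coupling explicit, e.g. `description = "ARN of the ACM Private CA the issuer may request certificates from; required when enable_aws_privateca_issuer is true"`. The description of `enable_aws_privateca_issuer` should likewise say that `enable_cert_manager = true` is required, as the docs in this PR already do.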