Refactor helm_release to addons repository

patterns/aws-vpc-cni-network-policy/README.md

@@ -1,10 +1,15 @@
-# Amazon EKS Cluster w/ ArgoCD
+# Amazon EKS Cluster w/ Network Policies
 
-This pattern demonstrates an EKS cluster that uses the native Network Policy support provided by the AWS VPC CNI (v1.14.0 or higher).
+This pattern demonstrates an EKS cluster that uses the native Network Policy support provided by the Amazon VPC CNI (1.14.0 or higher).
 
-- [Documentation](https://argo-cd.readthedocs.io/en/stable/)
-- [EKS Blueprints Add-ons Repo](https://github.com/aws-samples/eks-blueprints-add-ons)
-- [EKS Blueprints Workloads Repo](https://github.com/aws-samples/eks-blueprints-workloads)
+- [Documentation](https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy.html)
+- [Launch Blog](https://aws.amazon.com/blogs/containers/amazon-vpc-cni-now-supports-kubernetes-network-policies/)
+
+## Scenario
+
+This pattern deploys an Amazon EKS Cluster with Network Policies support implemented by the Amazon VPC CNI. Further it deploys a simple demo application (distributed as a Helm Chart) and some sample Network Policies to restrict the traffic between different components of the application.
+
+For a detailed description of the demo application and the Network Policies, please refer to the Stars demo of network policy section in the official [Documentation](https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy.html).
 
 ## Deploy
 
@@ -37,7 +42,7 @@ See [here](https://aws-ia.github.io/terraform-aws-eks-blueprints/getting-started
     kubectl get service/management-ui -n management-ui
     ```
 
-    Open the browser based on the URL obtained from the previous step to see the connection map.
+    Open the browser based on the URL obtained from the previous step to see the connection map and restrictions put in place by the Network Policies deployed.
 
 ## Destroy
 

patterns/aws-vpc-cni-network-policy/charts/demo-application/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v2
+name: demo-application
+description: A Helm chart to deploy the demo-application
+type: application
+version: 1.0.0

patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/client-ns.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: client
+  labels:
+    role: client

patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/management-ui-ns.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: management-ui 
+  labels:
+    role: management-ui

patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/stars-ns.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: stars

patterns/aws-vpc-cni-network-policy/main.tf

@@ -68,26 +68,6 @@ module "eks" {
   cluster_name                   = local.name
   cluster_version                = "1.27" # Must be 1.25 or higher
   cluster_endpoint_public_access = true
-  cluster_ip_family              = "ipv4" # Must be ipv4 or ipv6
-
-  # EKS Addons
-  cluster_addons = {
-    coredns    = {}
-    kube-proxy = {}
-    vpc-cni = {
-      preserve    = true
-      most_recent = true
-
-      timeouts = {
-        create = "25m"
-        delete = "10m"
-      }
-
-      configuration_values = jsonencode({
-        enableNetworkPolicy : "true",
-      })
-    }
-  }
 
   vpc_id     = module.vpc.vpc_id
   subnet_ids = module.vpc.private_subnets
@@ -135,73 +115,55 @@ module "vpc" {
 }
 
 ################################################################################
-# Demo application
+# EKS Addons (demo application)
 ################################################################################
 
-resource "kubectl_manifest" "management_ui_namespace" {
-  yaml_body  = <<YAML
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: management-ui 
-  labels:
-    role: management-ui
-YAML
-  depends_on = [module.eks]
-}
-
-resource "kubectl_manifest" "client_namespace" {
-  yaml_body  = <<YAML
-apiVersion: v1
-kind: Namespace
-apiVersion: v1
-metadata:
-  name: client
-  labels:
-    role: client
-YAML
-  depends_on = [module.eks]
-}
-
-resource "helm_release" "management_ui" {
-  name             = "management-ui"
-  chart            = "./demo-application/charts/management-ui"
-  namespace        = "management-ui"
+module "addons" {
+  source  = "aws-ia/eks-blueprints-addons/aws"
+  version = "~> 1.0"
 
-  depends_on = [module.eks, kubectl_manifest.management_ui_namespace]
-}
-
-resource "helm_release" "backend" {
-  name             = "backend"
-  chart            = "./demo-application/charts/backend"
-  namespace        = "stars"
-  create_namespace = true
+  cluster_name      = module.eks.cluster_name
+  cluster_endpoint  = module.eks.cluster_endpoint
+  cluster_version   = module.eks.cluster_version
+  oidc_provider_arn = module.eks.oidc_provider_arn
 
-  depends_on = [module.eks]
-}
+  # EKS Addons
+  eks_addons = {
+    coredns    = {}
+    kube-proxy = {}
+    vpc-cni = {
+      preserve    = true
+      most_recent = true # Must be 1.14.0 or higher
 
-resource "helm_release" "frontend" {
-  name             = "frontend"
-  chart            = "./demo-application/charts/frontend"
-  namespace        = "stars"
-  create_namespace = true
+      timeouts = {
+        create = "25m"
+        delete = "10m"
+      }
 
-  depends_on = [module.eks]
-}
+      # Must enable network policy support
+      configuration_values = jsonencode({
+        enableNetworkPolicy : "true",
+      })
+    }
+  }
 
-resource "helm_release" "client" {
-  name             = "backend"
-  chart            = "./demo-application/charts/client"
-  namespace        = "client"
+  # Deploy demo-application
+  helm_releases = {
+    demo-application = {
+      description = "A Helm chart to deploy the network policy demo application"
+      namespace   = "default"
+      chart       = "./charts/demo-application"
+    }
+  }
 
-  depends_on = [kubectl_manifest.management_ui_namespace]
+  tags = local.tags
 }
 
 ################################################################################
-# Restrict access using K8S Network Policies
+# Restrict traffic flow using Network Policies
 ################################################################################
 
-# Block all ingress and egress traffic within the stars ns
+# Block all ingress and egress traffic within the stars namespace
 resource "kubectl_manifest" "default_deny_stars" {
   yaml_body  = <<YAML
 kind: NetworkPolicy
@@ -213,10 +175,10 @@ spec:
   podSelector:
     matchLabels: {}
 YAML
-  depends_on = [helm_release.management_ui, helm_release.frontend, helm_release.backend, helm_release.client]
+  depends_on = [module.addons]
 }
 
-# Block all ingress and egress traffic within the client ns
+# Block all ingress and egress traffic within the client namespace
 resource "kubectl_manifest" "default_deny_client" {
   yaml_body  = <<YAML
 kind: NetworkPolicy
@@ -228,10 +190,10 @@ spec:
   podSelector:
     matchLabels: {}
 YAML
-  depends_on = [helm_release.management_ui, helm_release.frontend, helm_release.backend, helm_release.client]
+  depends_on = [module.addons]
 }
 
-# Allow the management-ui to access the star application
+# Allow the management-ui to access the star application pods
 resource "kubectl_manifest" "allow_traffic_from_management_ui_to_application_components" {
   yaml_body  = <<YAML
 kind: NetworkPolicy
@@ -248,10 +210,10 @@ spec:
             matchLabels:
               role: management-ui 
 YAML
-  depends_on = [helm_release.management_ui, helm_release.frontend, helm_release.backend, helm_release.client]
+  depends_on = [module.addons]
 }
 
-# Allow the management-ui to access the client application
+# Allow the management-ui to access the client application pods
 resource "kubectl_manifest" "allow_traffic_from_management_ui_to_client" {
   yaml_body  = <<YAML
 kind: NetworkPolicy
@@ -268,10 +230,10 @@ spec:
             matchLabels:
               role: management-ui 
 YAML
-  depends_on = [helm_release.management_ui, helm_release.frontend, helm_release.backend, helm_release.client]
+  depends_on = [module.addons]
 }
 
-# Allow the frontend to access the backend
+# Allow the frontend pod to access the backend pod within the stars namespace
 resource "kubectl_manifest" "allow_traffic_from_frontend_to_backend" {
   yaml_body  = <<YAML
 kind: NetworkPolicy
@@ -293,10 +255,10 @@ spec:
           port: 6379
 
 YAML
-  depends_on = [helm_release.management_ui, helm_release.frontend, helm_release.backend, helm_release.client]
+  depends_on = [module.addons]
 }
 
-# Allow the client to access the frontend
+# Allow the client pod to access the frontend pod within the stars namespace
 resource "kubectl_manifest" "allow_traffic_from_client_to_frontend" {
   yaml_body  = <<YAML
 kind: NetworkPolicy
@@ -317,5 +279,5 @@ spec:
         - protocol: TCP
           port: 80
 YAML
-  depends_on = [helm_release.management_ui, helm_release.frontend, helm_release.backend, helm_release.client]
+  depends_on = [module.addons]
 }

patterns/aws-vpc-cni-network-policy/outputs.tf

@@ -1,4 +1,4 @@
 output "configure_kubectl" {
   description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig"
-  value       = "aws eks update-kubeconfig --name ${module.eks.cluster_name} --alias ${module.eks.cluster_name}"
+  value       = "aws eks update-kubeconfig --name ${module.eks.cluster_name} --alias ${module.eks.cluster_name} --region ${local.region}"
 }