streamnative · jdmaguire · Nov 17, 2022 · Sep 7, 2022 · Sep 16, 2022 · Sep 19, 2022
@@ -90,7 +90,7 @@ data "aws_iam_policy_document" "aws_load_balancer_controller" {
   statement {
     actions   = ["ec2:CreateTags"]
     effect    = "Allow"
-    resources = ["arn:${var.aws_partition}:ec2:*:*:security-group/*"]
+    resources = ["arn:${local.aws_partition}:ec2:*:*:security-group/*"]
     condition {
       test     = "StringEquals"
       variable = "ec2:CreateAction"
@@ -109,7 +109,7 @@ data "aws_iam_policy_document" "aws_load_balancer_controller" {
       "ec2:DeleteTags"
     ]
     effect    = "Allow"
-    resources = ["arn:${var.aws_partition}:ec2:*:*:security-group/*"]
+    resources = ["arn:${local.aws_partition}:ec2:*:*:security-group/*"]
     condition {
       test     = "Null"
       variable = "aws:RequestTag/elbv2.k8s.aws/cluster"
@@ -169,9 +169,9 @@ data "aws_iam_policy_document" "aws_load_balancer_controller" {
     ]
     effect = "Allow"
     resources = [
-      "arn:${var.aws_partition}:elasticloadbalancing:*:*:targetgroup/*/*",
-      "arn:${var.aws_partition}:elasticloadbalancing:*:*:loadbalancer/net/*/*",
-      "arn:${var.aws_partition}:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+      "arn:${local.aws_partition}:elasticloadbalancing:*:*:targetgroup/*/*",
+      "arn:${local.aws_partition}:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+      "arn:${local.aws_partition}:elasticloadbalancing:*:*:loadbalancer/app/*/*"
     ]
     condition {
       test     = "Null"
@@ -192,10 +192,10 @@ data "aws_iam_policy_document" "aws_load_balancer_controller" {
     ]
     effect = "Allow"
     resources = [
-      "arn:${var.aws_partition}:elasticloadbalancing:*:*:listener/net/*/*/*",
-      "arn:${var.aws_partition}:elasticloadbalancing:*:*:listener/app/*/*/*",
-      "arn:${var.aws_partition}:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
-      "arn:${var.aws_partition}:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
+      "arn:${local.aws_partition}:elasticloadbalancing:*:*:listener/net/*/*/*",
+      "arn:${local.aws_partition}:elasticloadbalancing:*:*:listener/app/*/*/*",
+      "arn:${local.aws_partition}:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
+      "arn:${local.aws_partition}:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
     ]
   }
 
@@ -225,7 +225,7 @@ data "aws_iam_policy_document" "aws_load_balancer_controller" {
       "elasticloadbalancing:DeregisterTargets"
     ]
     effect    = "Allow"
-    resources = ["arn:${var.aws_partition}:elasticloadbalancing:*:*:targetgroup/*/*"]
+    resources = ["arn:${local.aws_partition}:elasticloadbalancing:*:*:targetgroup/*/*"]
   }
 
   statement {
@@ -249,7 +249,7 @@ data "aws_iam_policy_document" "aws_load_balancer_controller_sts" {
     effect = "Allow"
     principals {
       type        = "Federated"
-      identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", var.aws_partition, local.account_id, local.oidc_issuer)]
+      identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", local.aws_partition, local.account_id, local.oidc_issuer)]
     }
     condition {
       test     = "StringLike"
@@ -260,32 +260,30 @@ data "aws_iam_policy_document" "aws_load_balancer_controller_sts" {
 }
 
 resource "aws_iam_role" "aws_load_balancer_controller" {
-  count                = var.enable_aws_load_balancer_controller ? 1 : 0
   name                 = format("%s-lbc-role", module.eks.cluster_id)
   description          = format("Role used by IRSA and the KSA aws-load-balancer-controller on StreamNative Cloud EKS cluster %s", module.eks.cluster_id)
   assume_role_policy   = data.aws_iam_policy_document.aws_load_balancer_controller_sts.json
   path                 = "/StreamNative/"
   permissions_boundary = var.permissions_boundary_arn
-  tags                 = merge({ "Vendor" = "StreamNative" }, var.additional_tags)
+  tags                 = local.tags
 }
 
 resource "aws_iam_policy" "aws_load_balancer_controller" {
-  count       = local.create_lb_policy ? 1 : 0
+  count       = var.create_iam_policies ? 1 : 0
   name        = format("%s-AWSLoadBalancerControllerPolicy", module.eks.cluster_id)
   description = "Policy that defines the permissions for the AWS Load Balancer Controller addon service running in a StreamNative Cloud EKS cluster"
   path        = "/StreamNative/"
   policy      = data.aws_iam_policy_document.aws_load_balancer_controller.json
-  tags        = merge({ "Vendor" = "StreamNative" }, var.additional_tags)
+  tags        = local.tags
 }
 
 resource "aws_iam_role_policy_attachment" "aws_load_balancer_controller" {
-  count      = var.enable_aws_load_balancer_controller ? 1 : 0
-  policy_arn = local.lb_policy_arn != "" ? local.lb_policy_arn : aws_iam_policy.aws_load_balancer_controller[0].arn
-  role       = aws_iam_role.aws_load_balancer_controller[0].name
+  policy_arn = var.create_iam_policies ? aws_iam_policy.aws_load_balancer_controller[0].arn : local.default_lb_policy_arn
+  role       = aws_iam_role.aws_load_balancer_controller.name
 }
 
 resource "helm_release" "aws_load_balancer_controller" {
-  count           = var.enable_aws_load_balancer_controller ? 1 : 0
+  count           = var.enable_bootstrap ? 1 : 0
   atomic          = true
   chart           = var.aws_load_balancer_controller_helm_chart_name
   cleanup_on_fail = true
@@ -299,11 +297,12 @@ resource "helm_release" "aws_load_balancer_controller" {
     defaultTags = merge(var.additional_tags, {
       "Vendor" = "StreamNative"
     })
+    replicaCount = 2
     serviceAccount = {
       create = true
       name   = "aws-load-balancer-controller"
       annotations = {
-        "eks.amazonaws.com/role-arn" = aws_iam_role.aws_load_balancer_controller[0].arn
+        "eks.amazonaws.com/role-arn" = aws_iam_role.aws_load_balancer_controller.arn
       }
     }
   })]
@@ -316,11 +315,6 @@ resource "helm_release" "aws_load_balancer_controller" {
     }
   }
 
-  set {
-    name  = "defaultTags.Vendor"
-    value = "StreamNative"
-  }
-
   depends_on = [
     module.eks
   ]

@@ -18,6 +18,7 @@
 #
 
 resource "helm_release" "node_termination_handler" {
+  count           = var.enable_bootstrap ? 1 : 0
   atomic          = true
   chart           = var.node_termination_handler_helm_chart_name
   cleanup_on_fail = true

@@ -24,7 +24,7 @@ data "aws_iam_policy_document" "cert_manager" {
       "route53:GetChange"
     ]
     resources = [
-      "arn:${var.aws_partition}:route53:::change/*"
+      "arn:${local.aws_partition}:route53:::change/*"
     ]
     effect = "Allow"
   }
@@ -36,7 +36,7 @@ data "aws_iam_policy_document" "cert_manager" {
       "route53:ListResourceRecordSets"
     ]
     resources = [
-      "arn:${var.aws_partition}:route53:::hostedzone/${var.hosted_zone_id}"
+      "arn:${local.aws_partition}:route53:::hostedzone/${var.hosted_zone_id}"
     ]
     effect = "Allow"
   }
@@ -61,7 +61,7 @@ data "aws_iam_policy_document" "cert_manager_sts" {
     effect = "Allow"
     principals {
       type        = "Federated"
-      identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", var.aws_partition, local.account_id, local.oidc_issuer)]
+      identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", local.aws_partition, local.account_id, local.oidc_issuer)]
     }
     condition {
       test     = "StringLike"
@@ -72,32 +72,30 @@ data "aws_iam_policy_document" "cert_manager_sts" {
 }
 
 resource "aws_iam_role" "cert_manager" {
-  count                = var.enable_cert_manager ? 1 : 0
   name                 = format("%s-cm-role", module.eks.cluster_id)
   description          = format("Role assumed by IRSA and the KSA cert-manager on StreamNative Cloud EKS cluster %s", module.eks.cluster_id)
   assume_role_policy   = data.aws_iam_policy_document.cert_manager_sts.json
   path                 = "/StreamNative/"
   permissions_boundary = var.permissions_boundary_arn
-  tags                 = merge({ "Vendor" = "StreamNative" }, var.additional_tags)
+  tags                 = local.tags
 }
 
 resource "aws_iam_policy" "cert_manager" {
-  count       = local.create_cert_man_policy ? 1 : 0
+  count       = var.create_iam_policies ? 1 : 0
   name        = format("%s-CertManagerPolicy", module.eks.cluster_id)
   description = "Policy that defines the permissions for the Cert-Manager addon service running in a StreamNative Cloud EKS cluster"
   path        = "/StreamNative/"
   policy      = data.aws_iam_policy_document.cert_manager.json
-  tags        = merge({ "Vendor" = "StreamNative" }, var.additional_tags)
+  tags        = local.tags
 }
 
 resource "aws_iam_role_policy_attachment" "cert_manager" {
-  count      = var.enable_cert_manager ? 1 : 0
-  policy_arn = local.sn_serv_policy_arn != "" ? local.sn_serv_policy_arn : aws_iam_policy.cert_manager[0].arn
-  role       = aws_iam_role.cert_manager[0].name
+  policy_arn = var.create_iam_policies ? aws_iam_policy.cert_manager[0].arn : local.default_service_policy_arn
+  role       = aws_iam_role.cert_manager.name
 }
 
 resource "helm_release" "cert_manager" {
-  count           = var.enable_cert_manager ? 1 : 0
+  count           = var.enable_bootstrap ? 1 : 0
   atomic          = true
   chart           = var.cert_manager_helm_chart_name
   cleanup_on_fail = true
@@ -114,15 +112,14 @@ resource "helm_release" "cert_manager" {
       ]
       serviceAccount = {
         annotations = {
-          "eks.amazonaws.com/role-arn" = aws_iam_role.cert_manager[0].arn
+          "eks.amazonaws.com/role-arn" = aws_iam_role.cert_manager.arn
         }
       }
       podSecurityContext = {
         fsGroup = 65534
       }
     }
     kubeVersion = var.cluster_version
-
   })]
 
   dynamic "set" {
@@ -139,23 +136,19 @@ resource "helm_release" "cert_manager" {
 }
 
 resource "helm_release" "cert_issuer" {
-  count           = var.enable_cert_manager ? 1 : 0
+  count           = var.enable_bootstrap ? 1 : 0
   atomic          = true
   chart           = "${path.module}/charts/cert-issuer"
   cleanup_on_fail = true
   name            = "cert-issuer"
   namespace       = kubernetes_namespace.sn_system.metadata[0].name
   timeout         = 300
-
-  set {
-    name  = "supportEmail"
-    value = var.cert_issuer_support_email
-  }
-
-  set {
-    name  = "dns01.region"
-    value = var.region
-  }
+  values = [yamlencode({
+    supportEmail = var.cert_issuer_support_email
+    dns01 = {
+      region = var.region
+    }
+  })]
 
   depends_on = [
     helm_release.cert_manager

@@ -59,7 +59,7 @@ data "aws_iam_policy_document" "cluster_autoscaler_sts" {
     effect = "Allow"
     principals {
       type        = "Federated"
-      identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", var.aws_partition, local.account_id, local.oidc_issuer)]
+      identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", local.aws_partition, local.account_id, local.oidc_issuer)]
     }
     condition {
       test     = "StringLike"
@@ -70,28 +70,26 @@ data "aws_iam_policy_document" "cluster_autoscaler_sts" {
 }
 
 resource "aws_iam_role" "cluster_autoscaler" {
-  count                = var.enable_cluster_autoscaler ? 1 : 0
   name                 = format("%s-ca-role", module.eks.cluster_id)
   description          = format("Role used by IRSA and the KSA cluster-autoscaler on StreamNative Cloud EKS cluster %s", module.eks.cluster_id)
   assume_role_policy   = data.aws_iam_policy_document.cluster_autoscaler_sts.json
   path                 = "/StreamNative/"
   permissions_boundary = var.permissions_boundary_arn
-  tags                 = merge({ "Vendor" = "StreamNative" }, var.additional_tags)
+  tags                 = local.tags
 }
 
 resource "aws_iam_policy" "cluster_autoscaler" {
-  count       = local.create_ca_policy ? 1 : 0
+  count       = var.create_iam_policies ? 1 : 0
   name        = format("%s-ClusterAutoscalerPolicy", module.eks.cluster_id)
   description = "Policy that defines the permissions for the Cluster Autoscaler addon service running in a StreamNative Cloud EKS cluster"
   path        = "/StreamNative/"
   policy      = data.aws_iam_policy_document.cluster_autoscaler.json
-  tags        = merge({ "Vendor" = "StreamNative" }, var.additional_tags)
+  tags        = local.tags
 }
 
 resource "aws_iam_role_policy_attachment" "cluster_autoscaler" {
-  count      = var.enable_cluster_autoscaler ? 1 : 0
-  policy_arn = local.sn_serv_policy_arn != "" ? local.sn_serv_policy_arn : aws_iam_policy.cluster_autoscaler[0].arn
-  role       = aws_iam_role.cluster_autoscaler[0].name
+  policy_arn = var.create_iam_policies ? aws_iam_policy.cluster_autoscaler[0].arn : local.default_service_policy_arn
+  role       = aws_iam_role.cluster_autoscaler.name
 }
 
 ############
@@ -113,7 +111,7 @@ locals {
 
 }
 resource "helm_release" "cluster_autoscaler" {
-  count           = var.enable_cluster_autoscaler ? 1 : 0
+  count           = var.enable_bootstrap ? 1 : 0
   atomic          = true
   chart           = var.cluster_autoscaler_helm_chart_name
   cleanup_on_fail = true
@@ -151,21 +149,21 @@ resource "helm_release" "cluster_autoscaler" {
       }
     ]
     image = {
-      tag = lookup(local.k8s_to_autoscaler_version, var.cluster_version, "v1.20.1") # image.tag defaults to the version corresponding to var.cluster_version's default value and must manually be updated
+      tag = lookup(local.k8s_to_autoscaler_version, var.cluster_version, "v1.21.1") # image.tag defaults to the version corresponding to var.cluster_version's default value and must manually be updated
     }
     rbac = {
       create     = true
       pspEnabled = true
       serviceAccount = {
         annotations = {
-          "eks.amazonaws.com/role-arn" = aws_iam_role.cluster_autoscaler[0].arn
+          "eks.amazonaws.com/role-arn" = aws_iam_role.cluster_autoscaler.arn
         },
         create                       = true
         name                         = "cluster-autoscaler"
         automountServiceAccountToken = true
       }
     }
-    replicaCount = "1"
+    replicaCount = "2"
     resources = {
       limits = {
         cpu    = "200m"