├── .github
    └── workflows
    │   └── terraform.yml
├── .gitignore
├── .releaserc
├── README.md
├── alb-ingress.tf
├── aws-fluent-bit.tf
├── aws-node-termination-handler.tf
├── calico.tf
├── cert-manager.tf
├── cluster-autoscaler.tf
├── cni-metrics-helper.tf
├── data.tf
├── examples
    ├── terraform
    │   ├── main.tf
    │   ├── providers.tf
    │   └── variables.tf
    └── terragrunt
    │   └── README.md
├── external-dns-secondary.tf
├── external-dns.tf
├── fluentd-cloudwatch.tf
├── flux.tf
├── istio-operator.tf
├── karma.tf
├── keycloak.tf
├── kiam.tf
├── kong.tf
├── kube-prometheus.tf
├── locals.tf
├── metrics-server.tf
├── nginx-ingress.tf
├── node-problem-detector.tf
├── priority-class.tf
├── sealed-secrets.tf
├── templates
    ├── cert-manager-cluster-issuers.yaml
    └── cni-metrics-helper.yaml
├── variables.tf
└── versions.tf


/.github/workflows/terraform.yml:
--------------------------------------------------------------------------------
 1 | name: 'Terraform'
 2 | 
 3 | on:
 4 |   push:
 5 |     branches:
 6 |     - master
 7 |   pull_request:
 8 | 
 9 | jobs:
10 |   terraform:
11 |     name: 'Terraform'
12 |     runs-on: ubuntu-latest
13 |     steps:
14 |     - name: Checkout
15 |       uses: actions/checkout@v2
16 | 
17 |     - name: Setup Kubectl provider
18 |       run: |
19 |         mkdir -p ~/.terraform.d/plugins
20 |         curl -Ls https://api.github.com/repos/gavinbunney/terraform-provider-kubectl/releases/latest | jq -r ".assets[] | select(.browser_download_url | contains(\"$(uname -s | tr A-Z a-z)\")) | select(.browser_download_url | contains(\"amd64\")) | .browser_download_url" | xargs -n 1 curl -Lo ~/.terraform.d/plugins/terraform-provider-kubectl
21 |         chmod +x ~/.terraform.d/plugins/terraform-provider-kubectl
22 | 
23 |     - name: Setup Terraform
24 |       uses: hashicorp/setup-terraform@v1
25 | 
26 |     - name: Terraform Init
27 |       run: terraform init -backend=false
28 | 
29 |     - name: Terraform Format
30 |       run: terraform fmt -check
31 | 
32 |     - name: Terraform Validate
33 |       run: terraform validate
34 |       env:
35 |         AWS_REGION: eu-west-3
36 | 
37 |     - name: Semantic Release
38 |       uses: cycjimmy/semantic-release-action@v2
39 |       env:
40 |         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
41 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | .terragrunt-cache
2 | .terraform
3 | 


--------------------------------------------------------------------------------
/.releaserc:
--------------------------------------------------------------------------------
1 | {
2 |   "plugins": [
3 |     "@semantic-release/commit-analyzer",
4 |     "@semantic-release/release-notes-generator",
5 |     "@semantic-release/github"
6 |   ]
7 | }
8 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # ARCHIVED
  2 | 
  3 | This repository has moved to [particule](https://github.com/particuleio/terraform-kubernetes-addons) to a more general repository supporting multiple cloud providers. It is also available on [TF registry](https://registry.terraform.io/modules/particuleio/addons/kubernetes/latest)
  4 | 
  5 | # terraform-kubernetes-addons
  6 | 
  7 | [![Build Status](https://github.com/clusterfrak-dynamics/terraform-kubernetes-addons/workflows/Terraform/badge.svg)](https://github.com/clusterfrak-dynamics/terraform-kubernetes-addons/actions?query=workflow%3ATerraform)
  8 | [![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/terraform-kubernetes-addons)
  9 | 
 10 | ## About
 11 | 
 12 | Provides various addons that are often used on Kubernetes with AWS
 13 | 
 14 | ## Main features
 15 | 
 16 | * Common addons with associated IAM permissions if needed:
 17 |   * [cluster-autoscaler](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler): scale worker nodes based on workload.
 18 |   * [external-dns](https://github.com/kubernetes-incubator/external-dns): sync ingress and service records in route53.
 19 |   * [cert-manager](https://github.com/jetstack/cert-manager): automatically generate TLS certificates, supports ACME v2.
 20 |   * [kiam](https://github.com/uswitch/kiam): prevents pods to access EC2 metadata and enables pods to assume specific AWS IAM roles.
 21 |   * [nginx-ingress](https://github.com/kubernetes/ingress-nginx): processes *Ingress* object and acts as a HTTP/HTTPS proxy (compatible with cert-manager).
 22 |   * [metrics-server](https://github.com/kubernetes-incubator/metrics-server): enable metrics API and horizontal pod scaling (HPA).
 23 |   * [prometheus-operator](https://github.com/coreos/prometheus-operator): Monitoring / Alerting / Dashboards.
 24 |   * [karma](https://github.com/prymitive/karma): An alertmanager dashboard
 25 |   * [fluentd-cloudwatch](https://github.com/helm/charts/tree/master/incubator/fluentd-cloudwatch): forwards logs to AWS Cloudwatch.
 26 |   * [node-problem-detector](https://github.com/kubernetes/node-problem-detector): Forwards node problems to Kubernetes events
 27 |   * [flux](https://github.com/weaveworks/flux): Continous Delivery with Gitops workflow.
 28 |   * [sealed-secrets](https://github.com/bitnami-labs/sealed-secrets): Technology agnostic, store secrets on git.
 29 |   * [istio-operator](https://istio.io): Service mesh for Kubernetes.
 30 |   * [cni-metrics-helper](https://docs.aws.amazon.com/eks/latest/userguide/cni-metrics-helper.html): Provides cloudwatch metrics for VPC CNI plugins.
 31 |   * [kong](https://konghq.com/kong): API Gateway ingress controller.
 32 |   * [keycloak](https://www.keycloak.org/) : Identity and access management
 33 |   * [alb-ingress](https://github.com/kubernetes-sigs/aws-alb-ingress-controller): Use AWS ALB for ingress ressources.
 34 |   * [aws-calico](https://github.com/aws/eks-charts/tree/master/stable/aws-calico): Use calico for network policy
 35 |   * [aws-node-termination-handler](https://github.com/aws/aws-node-termination-handler): Manage spot instance lifecyle
 36 |   * [aws-for-fluent-bit](https://github.com/aws/aws-for-fluent-bit): Cloudwatch logging with fluent bit instead of fluentd
 37 | 
 38 | ## Requirements
 39 | 
 40 | * [Terraform](https://www.terraform.io/intro/getting-started/install.html)
 41 | * [Terragrunt](https://github.com/gruntwork-io/terragrunt#install-terragrunt)
 42 | * [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
 43 | * [helm](https://helm.sh/)
 44 | * [aws-iam-authenticator](https://github.com/kubernetes-sigs/aws-iam-authenticator)
 45 | 
 46 | ## Documentation
 47 | 
 48 | User guides, feature documentation and examples are available [here](https://clusterfrak-dynamics.github.io/teks/)
 49 | 
 50 | ## IAM permissions
 51 | 
 52 | This module can use either [IRSA](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/) which is the recommanded method or [Kiam](https://github.com/uswitch/kiam).
 53 | 
 54 | ## About Kiam
 55 | 
 56 | Kiam prevents pods from accessing EC2 instances IAM role and therefore using the instances role to perform actions on AWS. It also allows pods to assume specific IAM roles if needed. To do so `kiam-agent` acts as an iptables proxy on nodes. It intercepts requests made to EC2 metadata and redirect them to a `kiam-server` that fetches IAM credentials and pass them to pods.
 57 | 
 58 | Kiam is running with an IAM user and use a secret key and a access key (AK/SK).
 59 | 
 60 | ### Addons that require specific IAM permissions
 61 | 
 62 | Some addons interface with AWS API, for example:
 63 | 
 64 | * `cluster-autoscaler`
 65 | * `external-dns`
 66 | * `cert-manager`
 67 | * `virtual-kubelet`
 68 | * `cni-metric-helper`
 69 | * `flux`
 70 | 
 71 | ## Terraform docs
 72 | 
 73 | ### Providers
 74 | 
 75 | | Name | Version |
 76 | |------|---------|
 77 | | aws | n/a |
 78 | | helm | n/a |
 79 | | http | n/a |
 80 | | kubectl | n/a |
 81 | | kubernetes | n/a |
 82 | | random | n/a |
 83 | 
 84 | ### Inputs
 85 | 
 86 | | Name | Description | Type | Default | Required |
 87 | |------|-------------|------|---------|:-----:|
 88 | | aws | AWS provider customization | `any` | `{}` | no |
 89 | | cert\_manager | Customize cert-manager chart, see `cert_manager.tf` for supported values | `any` | `{}` | no |
 90 | | cluster-name | Name of the Kubernetes cluster | `string` | `"sample-cluster"` | no |
 91 | | cluster\_autoscaler | Customize cluster-autoscaler chart, see `cluster_autoscaler.tf` for supported values | `any` | `{}` | no |
 92 | | cni\_metrics\_helper | Customize cni-metrics-helper deployment, see `cni_metrics_helper.tf` for supported values | `any` | `{}` | no |
 93 | | eks | EKS cluster inputs | `any` | `{}` | no |
 94 | | external\_dns | Customize external-dns chart, see `external_dns.tf` for supported values | `any` | `{}` | no |
 95 | | fluentd\_cloudwatch | Customize fluentd-cloudwatch chart, see `fluentd-cloudwatch.tf` for supported values | `any` | `{}` | no |
 96 | | flux | Customize fluxcd chart, see `flux.tf` for supported values | `any` | `{}` | no |
 97 | | helm\_defaults | Customize default Helm behavior | `any` | `{}` | no |
 98 | | istio\_operator | Customize istio operator deployment, see `istio_operator.tf` for supported values | `any` | `{}` | no |
 99 | | karma | Customize karma chart, see `karma.tf` for supported values | `any` | `{}` | no |
100 | | keycloak | Customize keycloak chart, see `keycloak.tf` for supported values | `any` | `{}` | no |
101 | | kiam | Customize kiam chart, see `kiam.tf` for supported values | `any` | `{}` | no |
102 | | kong | Customize kong-ingress chart, see `kong.tf` for supported values | `any` | `{}` | no |
103 | | metrics\_server | Customize metrics-server chart, see `metrics_server.tf` for supported values | `any` | `{}` | no |
104 | | nginx\_ingress | Customize nginx-ingress chart, see `nginx-ingress.tf` for supported values | `any` | `{}` | no |
105 | | npd | Customize node-problem-detector chart, see `npd.tf` for supported values | `any` | `{}` | no |
106 | | priority\_class | Customize a priority class for addons | `any` | `{}` | no |
107 | | priority\_class\_ds | Customize a priority class for addons daemonsets | `any` | `{}` | no |
108 | | prometheus\_operator | Customize prometheus-operator chart, see `kube_prometheus.tf` for supported values | `any` | `{}` | no |
109 | | sealed\_secrets | Customize sealed-secrets chart, see `sealed-secrets.tf` for supported values | `any` | `{}` | no |
110 | 
111 | ### Outputs
112 | 
113 | | Name | Description |
114 | |------|-------------|
115 | | flux-role-arn-irsa | n/a |
116 | | flux-role-arn-kiam | n/a |
117 | | flux-role-name-irsa | n/a |
118 | | flux-role-name-kiam | n/a |
119 | | grafana\_password | n/a |
120 | | kiam-server-role-arn | n/a |
121 | | kiam-server-role-name | n/a |
122 | 
123 | 


--------------------------------------------------------------------------------
/alb-ingress.tf:
--------------------------------------------------------------------------------
  1 | locals {
  2 |   alb_ingress = merge(
  3 |     local.helm_defaults,
  4 |     {
  5 |       name                      = "aws-alb-ingress-controller"
  6 |       namespace                 = "aws-alb-ingress-controller"
  7 |       chart                     = "aws-alb-ingress-controller"
  8 |       repository                = "http://storage.googleapis.com/kubernetes-charts-incubator"
  9 |       service_account_name      = "aws-alb-ingress-controller"
 10 |       create_iam_resources_kiam = false
 11 |       create_iam_resources_irsa = true
 12 |       enabled                   = false
 13 |       chart_version             = "1.0.2"
 14 |       version                   = "v1.1.8"
 15 |       iam_policy_override       = ""
 16 |       default_network_policy    = true
 17 |     },
 18 |     var.alb_ingress
 19 |   )
 20 | 
 21 |   values_alb_ingress = <<VALUES
 22 | image:
 23 |   tag: "${local.alb_ingress["version"]}"
 24 | autoDiscoverAwsRegion: true
 25 | autoDiscoverAwsVpcID: true
 26 | clusterName: ${var.cluster-name}
 27 | rbac:
 28 |   serviceAccount:
 29 |     annotations:
 30 |       eks.amazonaws.com/role-arn: "${local.alb_ingress["enabled"] && local.alb_ingress["create_iam_resources_irsa"] ? module.iam_assumable_role_alb_ingress.this_iam_role_arn : ""}"
 31 | VALUES
 32 | }
 33 | 
 34 | module "iam_assumable_role_alb_ingress" {
 35 |   source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
 36 |   version                       = "~> v2.0"
 37 |   create_role                   = local.alb_ingress["enabled"] && local.alb_ingress["create_iam_resources_irsa"]
 38 |   role_name                     = "tf-eks-${var.cluster-name}-alb-ingress-irsa"
 39 |   provider_url                  = replace(var.eks["cluster_oidc_issuer_url"], "https://", "")
 40 |   role_policy_arns              = local.alb_ingress["enabled"] && local.alb_ingress["create_iam_resources_irsa"] ? [aws_iam_policy.eks-alb-ingress[0].arn] : []
 41 |   oidc_fully_qualified_subjects = ["system:serviceaccount:${local.alb_ingress["namespace"]}:${local.alb_ingress["service_account_name"]}"]
 42 | }
 43 | 
 44 | resource "aws_iam_policy" "eks-alb-ingress" {
 45 |   count  = local.alb_ingress["enabled"] && (local.alb_ingress["create_iam_resources_kiam"] || local.alb_ingress["create_iam_resources_irsa"]) ? 1 : 0
 46 |   name   = "tf-eks-${var.cluster-name}-alb-ingress"
 47 |   policy = local.alb_ingress["iam_policy_override"] == "" ? data.aws_iam_policy_document.alb_ingress.json : local.alb_ingress["iam_policy_override"]
 48 | }
 49 | 
 50 | data "aws_iam_policy_document" "alb_ingress" {
 51 | 
 52 |   statement {
 53 |     effect = "Allow"
 54 | 
 55 |     actions = [
 56 |       "acm:DescribeCertificate",
 57 |       "acm:ListCertificates",
 58 |       "acm:GetCertificate"
 59 |     ]
 60 | 
 61 |     resources = ["*"]
 62 |   }
 63 | 
 64 |   statement {
 65 |     effect = "Allow"
 66 | 
 67 |     actions = [
 68 |       "ec2:AuthorizeSecurityGroupIngress",
 69 |       "ec2:CreateSecurityGroup",
 70 |       "ec2:CreateTags",
 71 |       "ec2:DeleteTags",
 72 |       "ec2:DeleteSecurityGroup",
 73 |       "ec2:DescribeAccountAttributes",
 74 |       "ec2:DescribeAddresses",
 75 |       "ec2:DescribeInstances",
 76 |       "ec2:DescribeInstanceStatus",
 77 |       "ec2:DescribeInternetGateways",
 78 |       "ec2:DescribeNetworkInterfaces",
 79 |       "ec2:DescribeSecurityGroups",
 80 |       "ec2:DescribeSubnets",
 81 |       "ec2:DescribeTags",
 82 |       "ec2:DescribeVpcs",
 83 |       "ec2:ModifyInstanceAttribute",
 84 |       "ec2:ModifyNetworkInterfaceAttribute",
 85 |       "ec2:RevokeSecurityGroupIngress"
 86 |     ]
 87 | 
 88 |     resources = ["*"]
 89 |   }
 90 | 
 91 |   statement {
 92 |     effect = "Allow"
 93 | 
 94 |     actions = [
 95 |       "elasticloadbalancing:AddListenerCertificates",
 96 |       "elasticloadbalancing:AddTags",
 97 |       "elasticloadbalancing:CreateListener",
 98 |       "elasticloadbalancing:CreateLoadBalancer",
 99 |       "elasticloadbalancing:CreateRule",
100 |       "elasticloadbalancing:CreateTargetGroup",
101 |       "elasticloadbalancing:DeleteListener",
102 |       "elasticloadbalancing:DeleteLoadBalancer",
103 |       "elasticloadbalancing:DeleteRule",
104 |       "elasticloadbalancing:DeleteTargetGroup",
105 |       "elasticloadbalancing:DeregisterTargets",
106 |       "elasticloadbalancing:DescribeListenerCertificates",
107 |       "elasticloadbalancing:DescribeListeners",
108 |       "elasticloadbalancing:DescribeLoadBalancers",
109 |       "elasticloadbalancing:DescribeLoadBalancerAttributes",
110 |       "elasticloadbalancing:DescribeRules",
111 |       "elasticloadbalancing:DescribeSSLPolicies",
112 |       "elasticloadbalancing:DescribeTags",
113 |       "elasticloadbalancing:DescribeTargetGroups",
114 |       "elasticloadbalancing:DescribeTargetGroupAttributes",
115 |       "elasticloadbalancing:DescribeTargetHealth",
116 |       "elasticloadbalancing:ModifyListener",
117 |       "elasticloadbalancing:ModifyLoadBalancerAttributes",
118 |       "elasticloadbalancing:ModifyRule",
119 |       "elasticloadbalancing:ModifyTargetGroup",
120 |       "elasticloadbalancing:ModifyTargetGroupAttributes",
121 |       "elasticloadbalancing:RegisterTargets",
122 |       "elasticloadbalancing:RemoveListenerCertificates",
123 |       "elasticloadbalancing:RemoveTags",
124 |       "elasticloadbalancing:SetIpAddressType",
125 |       "elasticloadbalancing:SetSecurityGroups",
126 |       "elasticloadbalancing:SetSubnets",
127 |       "elasticloadbalancing:SetWebACL"
128 |     ]
129 | 
130 |     resources = ["*"]
131 |   }
132 | 
133 |   statement {
134 |     effect = "Allow"
135 | 
136 |     actions = [
137 |       "iam:CreateServiceLinkedRole",
138 |       "iam:GetServerCertificate",
139 |       "iam:ListServerCertificates"
140 |     ]
141 | 
142 |     resources = ["*"]
143 |   }
144 | 
145 |   statement {
146 |     effect = "Allow"
147 | 
148 |     actions = [
149 |       "cognito-idp:DescribeUserPoolClient"
150 |     ]
151 | 
152 |     resources = ["*"]
153 |   }
154 | 
155 |   statement {
156 |     effect = "Allow"
157 | 
158 |     actions = [
159 |       "waf-regional:GetWebACLForResource",
160 |       "waf-regional:GetWebACL",
161 |       "waf-regional:AssociateWebACL",
162 |       "waf-regional:DisassociateWebACL"
163 |     ]
164 | 
165 |     resources = ["*"]
166 |   }
167 | 
168 |   statement {
169 |     effect = "Allow"
170 | 
171 |     actions = [
172 |       "tag:GetResources",
173 |       "tag:TagResources"
174 |     ]
175 | 
176 |     resources = ["*"]
177 |   }
178 | 
179 |   statement {
180 |     effect = "Allow"
181 | 
182 |     actions = [
183 |       "waf:GetWebACL"
184 |     ]
185 | 
186 |     resources = ["*"]
187 |   }
188 | 
189 |   statement {
190 |     effect = "Allow"
191 | 
192 |     actions = [
193 |       "wafv2:GetWebACL",
194 |       "wafv2:GetWebACLForResource",
195 |       "wafv2:AssociateWebACL",
196 |       "wafv2:DisassociateWebACL"
197 |     ]
198 | 
199 |     resources = ["*"]
200 |   }
201 | 
202 |   statement {
203 |     effect = "Allow"
204 | 
205 |     actions = [
206 |       "shield:DescribeProtection",
207 |       "shield:GetSubscriptionState",
208 |       "shield:DeleteProtection",
209 |       "shield:CreateProtection",
210 |       "shield:DescribeSubscription",
211 |       "shield:ListProtections"
212 |     ]
213 | 
214 |     resources = ["*"]
215 |   }
216 | }
217 | 
218 | 
219 | resource "aws_iam_role" "eks-alb-ingress-kiam" {
220 |   name  = "tf-eks-${var.cluster-name}-alb-ingress-kiam"
221 |   count = local.alb_ingress["enabled"] && local.alb_ingress["create_iam_resources_kiam"] ? 1 : 0
222 | 
223 |   assume_role_policy = <<POLICY
224 | {
225 |   "Version": "2012-10-17",
226 |   "Statement": [
227 |     {
228 |       "Effect": "Allow",
229 |       "Principal": {
230 |         "Service": "ec2.amazonaws.com"
231 |       },
232 |       "Action": "sts:AssumeRole"
233 |     },
234 |     {
235 |       "Sid": "",
236 |       "Effect": "Allow",
237 |       "Principal": {
238 |         "AWS": "${aws_iam_role.eks-kiam-server-role[count.index].arn}"
239 |       },
240 |       "Action": "sts:AssumeRole"
241 |     }
242 |   ]
243 | }
244 | POLICY
245 | 
246 | }
247 | 
248 | resource "aws_iam_role_policy_attachment" "eks-alb-ingress-kiam" {
249 |   count      = local.alb_ingress["enabled"] && local.alb_ingress["create_iam_resources_kiam"] ? 1 : 0
250 |   role       = aws_iam_role.eks-alb-ingress-kiam[count.index].name
251 |   policy_arn = aws_iam_policy.eks-alb-ingress[count.index].arn
252 | }
253 | 
254 | resource "kubernetes_namespace" "alb_ingress" {
255 |   count = local.alb_ingress["enabled"] ? 1 : 0
256 | 
257 |   metadata {
258 |     annotations = {
259 |       "iam.amazonaws.com/permitted" = "${local.alb_ingress["create_iam_resources_kiam"] ? aws_iam_role.eks-alb-ingress-kiam[0].arn : "^$"}"
260 |     }
261 | 
262 |     labels = {
263 |       name = local.alb_ingress["namespace"]
264 |     }
265 | 
266 |     name = local.alb_ingress["namespace"]
267 |   }
268 | }
269 | 
270 | resource "helm_release" "alb_ingress" {
271 |   count                 = local.alb_ingress["enabled"] ? 1 : 0
272 |   repository            = local.alb_ingress["repository"]
273 |   name                  = local.alb_ingress["name"]
274 |   chart                 = local.alb_ingress["chart"]
275 |   version               = local.alb_ingress["chart_version"]
276 |   timeout               = local.alb_ingress["timeout"]
277 |   force_update          = local.alb_ingress["force_update"]
278 |   recreate_pods         = local.alb_ingress["recreate_pods"]
279 |   wait                  = local.alb_ingress["wait"]
280 |   atomic                = local.alb_ingress["atomic"]
281 |   cleanup_on_fail       = local.alb_ingress["cleanup_on_fail"]
282 |   dependency_update     = local.alb_ingress["dependency_update"]
283 |   disable_crd_hooks     = local.alb_ingress["disable_crd_hooks"]
284 |   disable_webhooks      = local.alb_ingress["disable_webhooks"]
285 |   render_subchart_notes = local.alb_ingress["render_subchart_notes"]
286 |   replace               = local.alb_ingress["replace"]
287 |   reset_values          = local.alb_ingress["reset_values"]
288 |   reuse_values          = local.alb_ingress["reuse_values"]
289 |   skip_crds             = local.alb_ingress["skip_crds"]
290 |   verify                = local.alb_ingress["verify"]
291 |   values = [
292 |     local.values_alb_ingress,
293 |     local.alb_ingress["extra_values"]
294 |   ]
295 |   namespace = kubernetes_namespace.alb_ingress.*.metadata.0.name[count.index]
296 | 
297 |   depends_on = [
298 |     helm_release.kiam,
299 |     helm_release.prometheus_operator
300 |   ]
301 | }
302 | 
303 | resource "kubernetes_network_policy" "alb_ingress_default_deny" {
304 |   count = local.alb_ingress["enabled"] && local.alb_ingress["default_network_policy"] ? 1 : 0
305 | 
306 |   metadata {
307 |     name      = "${kubernetes_namespace.alb_ingress.*.metadata.0.name[count.index]}-default-deny"
308 |     namespace = kubernetes_namespace.alb_ingress.*.metadata.0.name[count.index]
309 |   }
310 | 
311 |   spec {
312 |     pod_selector {
313 |     }
314 |     policy_types = ["Ingress"]
315 |   }
316 | }
317 | 
318 | resource "kubernetes_network_policy" "alb_ingress_allow_namespace" {
319 |   count = local.alb_ingress["enabled"] && local.alb_ingress["default_network_policy"] ? 1 : 0
320 | 
321 |   metadata {
322 |     name      = "${kubernetes_namespace.alb_ingress.*.metadata.0.name[count.index]}-allow-namespace"
323 |     namespace = kubernetes_namespace.alb_ingress.*.metadata.0.name[count.index]
324 |   }
325 | 
326 |   spec {
327 |     pod_selector {
328 |     }
329 | 
330 |     ingress {
331 |       from {
332 |         namespace_selector {
333 |           match_labels = {
334 |             name = kubernetes_namespace.alb_ingress.*.metadata.0.name[count.index]
335 |           }
336 |         }
337 |       }
338 |     }
339 | 
340 |     policy_types = ["Ingress"]
341 |   }
342 | }
343 | 


--------------------------------------------------------------------------------
/aws-fluent-bit.tf:
--------------------------------------------------------------------------------
  1 | locals {
  2 | 
  3 |   aws_fluent_bit = merge(
  4 |     local.helm_defaults,
  5 |     {
  6 |       name                             = "aws-for-fluent-bit"
  7 |       namespace                        = "aws-for-fluent-bit"
  8 |       chart                            = "aws-for-fluent-bit"
  9 |       repository                       = "https://clusterfrak-dynamics.github.io/eks-charts"
 10 |       service_account_name             = "aws-for-fluent-bit"
 11 |       create_iam_resources_kiam        = false
 12 |       create_iam_resources_irsa        = true
 13 |       enabled                          = false
 14 |       chart_version                    = "0.1.3"
 15 |       version                          = "2.3.0"
 16 |       iam_policy_override              = ""
 17 |       default_network_policy           = true
 18 |       containers_log_retention_in_days = 180
 19 |     },
 20 |     var.aws_fluent_bit
 21 |   )
 22 | 
 23 |   values_aws_fluent_bit = <<VALUES
 24 | firehose:
 25 |   enabled: false
 26 | kinesis:
 27 |   enabled: false
 28 | cloudWatch:
 29 |   enabled: true
 30 |   region: "${data.aws_region.current.name}"
 31 |   logGroupName: "${local.aws_fluent_bit["enabled"] ? aws_cloudwatch_log_group.eks-aws-fluent-bit-log-group[0].name : ""}"
 32 |   autoCreateGroup: false
 33 | image:
 34 |   tag: ${local.aws_fluent_bit["version"]}
 35 | serviceAccount:
 36 |   annotations:
 37 |     eks.amazonaws.com/role-arn: "${local.aws_fluent_bit["enabled"] && local.aws_fluent_bit["create_iam_resources_irsa"] ? module.iam_assumable_role_aws_fluent_bit.this_iam_role_arn : ""}"
 38 | tolerations:
 39 | - operator: Exists
 40 | priorityClassName: "${local.priority_class_ds["create"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : ""}"
 41 | VALUES
 42 | }
 43 | 
 44 | module "iam_assumable_role_aws_fluent_bit" {
 45 |   source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
 46 |   version                       = "~> v2.0"
 47 |   create_role                   = local.aws_fluent_bit["enabled"] && local.aws_fluent_bit["create_iam_resources_irsa"]
 48 |   role_name                     = "tf-eks-${var.cluster-name}-aws-fluent-bit-irsa"
 49 |   provider_url                  = replace(var.eks["cluster_oidc_issuer_url"], "https://", "")
 50 |   role_policy_arns              = local.aws_fluent_bit["enabled"] && local.aws_fluent_bit["create_iam_resources_irsa"] ? [aws_iam_policy.eks-aws-fluent-bit[0].arn] : []
 51 |   oidc_fully_qualified_subjects = ["system:serviceaccount:${local.aws_fluent_bit["namespace"]}:${local.aws_fluent_bit["service_account_name"]}"]
 52 | }
 53 | 
 54 | resource "aws_iam_policy" "eks-aws-fluent-bit" {
 55 |   count  = local.aws_fluent_bit["enabled"] && (local.aws_fluent_bit["create_iam_resources_kiam"] || local.aws_fluent_bit["create_iam_resources_irsa"]) ? 1 : 0
 56 |   name   = "tf-eks-${var.cluster-name}-aws-fluent-bit"
 57 |   policy = local.aws_fluent_bit["iam_policy_override"] == "" ? data.aws_iam_policy_document.aws_fluent_bit.json : local.aws_fluent_bit["iam_policy_override"]
 58 | }
 59 | 
 60 | data "aws_iam_policy_document" "aws_fluent_bit" {
 61 |   statement {
 62 |     effect = "Allow"
 63 | 
 64 |     actions = [
 65 |       "logs:DescribeLogGroups",
 66 |       "logs:DescribeLogStreams",
 67 |       "logs:CreateLogGroup",
 68 |       "logs:CreateLogStream",
 69 |       "logs:PutLogEvents"
 70 |     ]
 71 | 
 72 |     resources = ["*"]
 73 |   }
 74 | }
 75 | 
 76 | resource "aws_cloudwatch_log_group" "eks-aws-fluent-bit-log-group" {
 77 |   count             = local.aws_fluent_bit["enabled"] ? 1 : 0
 78 |   name              = "/aws/eks/${var.cluster-name}/containers"
 79 |   retention_in_days = local.aws_fluent_bit["containers_log_retention_in_days"]
 80 | }
 81 | 
 82 | resource "aws_iam_role" "eks-aws-fluent-bit-kiam" {
 83 |   name  = "tf-eks-${var.cluster-name}-aws-fluent-bit-kiam"
 84 |   count = local.aws_fluent_bit["enabled"] && local.aws_fluent_bit["create_iam_resources_kiam"] ? 1 : 0
 85 | 
 86 |   assume_role_policy = <<POLICY
 87 | {
 88 |   "Version": "2012-10-17",
 89 |   "Statement": [
 90 |     {
 91 |       "Effect": "Allow",
 92 |       "Principal": {
 93 |         "Service": "ec2.amazonaws.com"
 94 |       },
 95 |       "Action": "sts:AssumeRole"
 96 |     },
 97 |     {
 98 |       "Sid": "",
 99 |       "Effect": "Allow",
100 |       "Principal": {
101 |         "AWS": "${aws_iam_role.eks-kiam-server-role[count.index].arn}"
102 |       },
103 |       "Action": "sts:AssumeRole"
104 |     }
105 |   ]
106 | }
107 | POLICY
108 | 
109 | }
110 | 
111 | resource "aws_iam_role_policy_attachment" "eks-aws-fluent-bit-kiam" {
112 |   count      = local.aws_fluent_bit["enabled"] && local.aws_fluent_bit["create_iam_resources_kiam"] ? 1 : 0
113 |   role       = aws_iam_role.eks-aws-fluent-bit-kiam[count.index].name
114 |   policy_arn = aws_iam_policy.eks-aws-fluent-bit[count.index].arn
115 | }
116 | 
117 | resource "kubernetes_namespace" "aws_fluent_bit" {
118 |   count = local.aws_fluent_bit["enabled"] ? 1 : 0
119 | 
120 |   metadata {
121 |     annotations = {
122 |       "iam.amazonaws.com/permitted" = "${local.aws_fluent_bit["create_iam_resources_kiam"] ? aws_iam_role.eks-aws-fluent-bit-kiam[0].arn : "^$"}"
123 |     }
124 | 
125 |     labels = {
126 |       name = local.aws_fluent_bit["namespace"]
127 |     }
128 | 
129 |     name = local.aws_fluent_bit["namespace"]
130 |   }
131 | }
132 | 
133 | resource "helm_release" "aws_fluent_bit" {
134 |   count                 = local.aws_fluent_bit["enabled"] ? 1 : 0
135 |   repository            = local.aws_fluent_bit["repository"]
136 |   name                  = local.aws_fluent_bit["name"]
137 |   chart                 = local.aws_fluent_bit["chart"]
138 |   version               = local.aws_fluent_bit["chart_version"]
139 |   timeout               = local.aws_fluent_bit["timeout"]
140 |   force_update          = local.aws_fluent_bit["force_update"]
141 |   recreate_pods         = local.aws_fluent_bit["recreate_pods"]
142 |   wait                  = local.aws_fluent_bit["wait"]
143 |   atomic                = local.aws_fluent_bit["atomic"]
144 |   cleanup_on_fail       = local.aws_fluent_bit["cleanup_on_fail"]
145 |   dependency_update     = local.aws_fluent_bit["dependency_update"]
146 |   disable_crd_hooks     = local.aws_fluent_bit["disable_crd_hooks"]
147 |   disable_webhooks      = local.aws_fluent_bit["disable_webhooks"]
148 |   render_subchart_notes = local.aws_fluent_bit["render_subchart_notes"]
149 |   replace               = local.aws_fluent_bit["replace"]
150 |   reset_values          = local.aws_fluent_bit["reset_values"]
151 |   reuse_values          = local.aws_fluent_bit["reuse_values"]
152 |   skip_crds             = local.aws_fluent_bit["skip_crds"]
153 |   verify                = local.aws_fluent_bit["verify"]
154 |   values = [
155 |     local.values_aws_fluent_bit,
156 |     local.aws_fluent_bit["extra_values"]
157 |   ]
158 |   namespace = kubernetes_namespace.aws_fluent_bit.*.metadata.0.name[count.index]
159 | 
160 |   depends_on = [
161 |     helm_release.kiam
162 |   ]
163 | }
164 | 
165 | resource "kubernetes_network_policy" "aws_fluent_bit_default_deny" {
166 |   count = local.aws_fluent_bit["enabled"] && local.aws_fluent_bit["default_network_policy"] ? 1 : 0
167 | 
168 |   metadata {
169 |     name      = "${kubernetes_namespace.aws_fluent_bit.*.metadata.0.name[count.index]}-default-deny"
170 |     namespace = kubernetes_namespace.aws_fluent_bit.*.metadata.0.name[count.index]
171 |   }
172 | 
173 |   spec {
174 |     pod_selector {
175 |     }
176 |     policy_types = ["Ingress"]
177 |   }
178 | }
179 | 
180 | resource "kubernetes_network_policy" "aws_fluent_bit_allow_namespace" {
181 |   count = local.aws_fluent_bit["enabled"] && local.aws_fluent_bit["default_network_policy"] ? 1 : 0
182 | 
183 |   metadata {
184 |     name      = "${kubernetes_namespace.aws_fluent_bit.*.metadata.0.name[count.index]}-allow-namespace"
185 |     namespace = kubernetes_namespace.aws_fluent_bit.*.metadata.0.name[count.index]
186 |   }
187 | 
188 |   spec {
189 |     pod_selector {
190 |     }
191 | 
192 |     ingress {
193 |       from {
194 |         namespace_selector {
195 |           match_labels = {
196 |             name = kubernetes_namespace.aws_fluent_bit.*.metadata.0.name[count.index]
197 |           }
198 |         }
199 |       }
200 |     }
201 | 
202 |     policy_types = ["Ingress"]
203 |   }
204 | }
205 | 
206 | 


--------------------------------------------------------------------------------
/aws-node-termination-handler.tf:
--------------------------------------------------------------------------------
  1 | locals {
  2 |   aws_node_termination_handler = merge(
  3 |     local.helm_defaults,
  4 |     {
  5 |       name                   = "aws-node-termination-handler"
  6 |       namespace              = "aws-node-termination-handler"
  7 |       chart                  = "aws-node-termination-handler"
  8 |       repository             = "https://aws.github.io/eks-charts"
  9 |       enabled                = false
 10 |       chart_version          = "0.9.5"
 11 |       version                = "v1.7.0"
 12 |       default_network_policy = true
 13 |     },
 14 |     var.aws_node_termination_handler
 15 |   )
 16 | 
 17 |   values_aws_node_termination_handler = <<VALUES
 18 | image:
 19 |   tag: ${local.aws_node_termination_handler["version"]}
 20 | priorityClassName: ${local.priority_class_ds["create"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : ""}
 21 | deleteLocalData: true
 22 | nodeSelector:
 23 |  node.kubernetes.io/lifecycle: spot
 24 | VALUES
 25 | 
 26 | }
 27 | 
 28 | resource "kubernetes_namespace" "aws_node_termination_handler" {
 29 |   count = local.aws_node_termination_handler["enabled"] ? 1 : 0
 30 | 
 31 |   metadata {
 32 |     labels = {
 33 |       name = local.aws_node_termination_handler["namespace"]
 34 |     }
 35 | 
 36 |     name = local.aws_node_termination_handler["namespace"]
 37 |   }
 38 | }
 39 | 
 40 | resource "helm_release" "aws_node_termination_handler" {
 41 |   count                 = local.aws_node_termination_handler["enabled"] ? 1 : 0
 42 |   repository            = local.aws_node_termination_handler["repository"]
 43 |   name                  = local.aws_node_termination_handler["name"]
 44 |   chart                 = local.aws_node_termination_handler["chart"]
 45 |   version               = local.aws_node_termination_handler["chart_version"]
 46 |   timeout               = local.aws_node_termination_handler["timeout"]
 47 |   force_update          = local.aws_node_termination_handler["force_update"]
 48 |   recreate_pods         = local.aws_node_termination_handler["recreate_pods"]
 49 |   wait                  = local.aws_node_termination_handler["wait"]
 50 |   atomic                = local.aws_node_termination_handler["atomic"]
 51 |   cleanup_on_fail       = local.aws_node_termination_handler["cleanup_on_fail"]
 52 |   dependency_update     = local.aws_node_termination_handler["dependency_update"]
 53 |   disable_crd_hooks     = local.aws_node_termination_handler["disable_crd_hooks"]
 54 |   disable_webhooks      = local.aws_node_termination_handler["disable_webhooks"]
 55 |   render_subchart_notes = local.aws_node_termination_handler["render_subchart_notes"]
 56 |   replace               = local.aws_node_termination_handler["replace"]
 57 |   reset_values          = local.aws_node_termination_handler["reset_values"]
 58 |   reuse_values          = local.aws_node_termination_handler["reuse_values"]
 59 |   skip_crds             = local.aws_node_termination_handler["skip_crds"]
 60 |   verify                = local.aws_node_termination_handler["verify"]
 61 |   values = [
 62 |     local.values_aws_node_termination_handler,
 63 |     local.aws_node_termination_handler["extra_values"]
 64 |   ]
 65 |   namespace = local.aws_node_termination_handler["namespace"]
 66 | 
 67 |   depends_on = [
 68 |     helm_release.prometheus_operator
 69 |   ]
 70 | }
 71 | 
 72 | resource "kubernetes_network_policy" "aws_node_termination_handler_default_deny" {
 73 |   count = local.aws_node_termination_handler["enabled"] && local.aws_node_termination_handler["default_network_policy"] ? 1 : 0
 74 | 
 75 |   metadata {
 76 |     name      = "${kubernetes_namespace.aws_node_termination_handler.*.metadata.0.name[count.index]}-default-deny"
 77 |     namespace = kubernetes_namespace.aws_node_termination_handler.*.metadata.0.name[count.index]
 78 |   }
 79 | 
 80 |   spec {
 81 |     pod_selector {
 82 |     }
 83 |     policy_types = ["Ingress"]
 84 |   }
 85 | }
 86 | 
 87 | resource "kubernetes_network_policy" "aws_node_termination_handler_allow_namespace" {
 88 |   count = local.aws_node_termination_handler["enabled"] && local.aws_node_termination_handler["default_network_policy"] ? 1 : 0
 89 | 
 90 |   metadata {
 91 |     name      = "${kubernetes_namespace.aws_node_termination_handler.*.metadata.0.name[count.index]}-allow-namespace"
 92 |     namespace = kubernetes_namespace.aws_node_termination_handler.*.metadata.0.name[count.index]
 93 |   }
 94 | 
 95 |   spec {
 96 |     pod_selector {
 97 |     }
 98 | 
 99 |     ingress {
100 |       from {
101 |         namespace_selector {
102 |           match_labels = {
103 |             name = kubernetes_namespace.aws_node_termination_handler.*.metadata.0.name[count.index]
104 |           }
105 |         }
106 |       }
107 |     }
108 | 
109 |     policy_types = ["Ingress"]
110 |   }
111 | }
112 | 


--------------------------------------------------------------------------------
/calico.tf:
--------------------------------------------------------------------------------
  1 | locals {
  2 | 
  3 |   calico = merge(
  4 |     local.helm_defaults,
  5 |     {
  6 |       name                   = "calico"
  7 |       namespace              = "kube-system"
  8 |       chart                  = "aws-calico"
  9 |       repository             = "https://aws.github.io/eks-charts"
 10 |       enabled                = false
 11 |       chart_version          = "0.3.1"
 12 |       version                = "v3.13.4"
 13 |       default_network_policy = true
 14 |       create_ns              = false
 15 | 
 16 |     },
 17 |     var.calico
 18 |   )
 19 | 
 20 |   values_calico = <<VALUES
 21 | VALUES
 22 | 
 23 | }
 24 | 
 25 | resource "kubernetes_namespace" "calico" {
 26 |   count = local.calico["enabled"] && local.calico["create_ns"] ? 1 : 0
 27 | 
 28 |   metadata {
 29 |     labels = {
 30 |       name = local.calico["namespace"]
 31 |     }
 32 | 
 33 |     name = local.calico["namespace"]
 34 |   }
 35 | }
 36 | 
 37 | resource "helm_release" "calico" {
 38 |   count                 = local.calico["enabled"] ? 1 : 0
 39 |   repository            = local.calico["repository"]
 40 |   name                  = local.calico["name"]
 41 |   chart                 = local.calico["chart"]
 42 |   version               = local.calico["chart_version"]
 43 |   timeout               = local.calico["timeout"]
 44 |   force_update          = local.calico["force_update"]
 45 |   recreate_pods         = local.calico["recreate_pods"]
 46 |   wait                  = local.calico["wait"]
 47 |   atomic                = local.calico["atomic"]
 48 |   cleanup_on_fail       = local.calico["cleanup_on_fail"]
 49 |   dependency_update     = local.calico["dependency_update"]
 50 |   disable_crd_hooks     = local.calico["disable_crd_hooks"]
 51 |   disable_webhooks      = local.calico["disable_webhooks"]
 52 |   render_subchart_notes = local.calico["render_subchart_notes"]
 53 |   replace               = local.calico["replace"]
 54 |   reset_values          = local.calico["reset_values"]
 55 |   reuse_values          = local.calico["reuse_values"]
 56 |   skip_crds             = local.calico["skip_crds"]
 57 |   verify                = local.calico["verify"]
 58 |   values = [
 59 |     local.values_calico,
 60 |     local.calico["extra_values"]
 61 |   ]
 62 |   namespace = local.calico["create_ns"] ? kubernetes_namespace.calico.*.metadata.0.name[count.index] : local.calico["namespace"]
 63 | }
 64 | 
 65 | resource "kubernetes_network_policy" "calico_default_deny" {
 66 |   count = local.calico["enabled"] && local.calico["default_network_policy"] && local.calico["create_ns"] ? 1 : 0
 67 | 
 68 |   metadata {
 69 |     name      = "${kubernetes_namespace.calico.*.metadata.0.name[count.index]}-default-deny"
 70 |     namespace = kubernetes_namespace.calico.*.metadata.0.name[count.index]
 71 |   }
 72 | 
 73 |   spec {
 74 |     pod_selector {
 75 |     }
 76 |     policy_types = ["Ingress"]
 77 |   }
 78 | }
 79 | 
 80 | resource "kubernetes_network_policy" "calico_allow_namespace" {
 81 |   count = local.calico["enabled"] && local.calico["default_network_policy"] && local.calico["create_ns"] ? 1 : 0
 82 | 
 83 |   metadata {
 84 |     name      = "${kubernetes_namespace.calico.*.metadata.0.name[count.index]}-allow-namespace"
 85 |     namespace = kubernetes_namespace.calico.*.metadata.0.name[count.index]
 86 |   }
 87 | 
 88 |   spec {
 89 |     pod_selector {
 90 |     }
 91 | 
 92 |     ingress {
 93 |       from {
 94 |         namespace_selector {
 95 |           match_labels = {
 96 |             name = kubernetes_namespace.calico.*.metadata.0.name[count.index]
 97 |           }
 98 |         }
 99 |       }
100 |     }
101 | 
102 |     policy_types = ["Ingress"]
103 |   }
104 | }
105 | 


--------------------------------------------------------------------------------
/cert-manager.tf:
--------------------------------------------------------------------------------
  1 | locals {
  2 | 
  3 |   cert_manager = merge(
  4 |     local.helm_defaults,
  5 |     {
  6 |       name                           = "cert-manager"
  7 |       namespace                      = "cert-manager"
  8 |       chart                          = "cert-manager"
  9 |       repository                     = "https://charts.jetstack.io"
 10 |       service_account_name           = "cert-manager"
 11 |       create_iam_resources_kiam      = false
 12 |       create_iam_resources_irsa      = true
 13 |       enabled                        = false
 14 |       chart_version                  = "v1.0.0"
 15 |       version                        = "v1.0.0"
 16 |       iam_policy_override            = ""
 17 |       default_network_policy         = true
 18 |       acme_email                     = "contact@acme.com"
 19 |       enable_default_cluster_issuers = false
 20 |       allowed_cidr                   = "0.0.0.0/0"
 21 |     },
 22 |     var.cert_manager
 23 |   )
 24 | 
 25 |   values_cert_manager = <<VALUES
 26 | image:
 27 |   tag: ${local.cert_manager["version"]}
 28 | global:
 29 |   podSecurityPolicy:
 30 |     enabled: true
 31 |     useAppArmor: false
 32 |   priorityClassName: ${local.priority_class["create"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : ""}
 33 | podAnnotations:
 34 |   iam.amazonaws.com/role: "${local.cert_manager["enabled"] && local.cert_manager["create_iam_resources_kiam"] ? aws_iam_role.eks-cert-manager-kiam[0].arn : ""}"
 35 | serviceAccount:
 36 |   annotations:
 37 |     eks.amazonaws.com/role-arn: "${local.cert_manager["enabled"] && local.cert_manager["create_iam_resources_irsa"] ? module.iam_assumable_role_cert_manager.this_iam_role_arn : ""}"
 38 | prometheus:
 39 |   servicemonitor:
 40 |     enabled: ${local.prometheus_operator["enabled"]}
 41 | securityContext:
 42 |   enabled: true
 43 |   fsGroup: 1001
 44 | installCRDs: true
 45 | VALUES
 46 | 
 47 | }
 48 | 
 49 | module "iam_assumable_role_cert_manager" {
 50 |   source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
 51 |   version                       = "~> v2.0"
 52 |   create_role                   = local.cert_manager["enabled"] && local.cert_manager["create_iam_resources_irsa"]
 53 |   role_name                     = "tf-eks-${var.cluster-name}-cert-manager-irsa"
 54 |   provider_url                  = replace(var.eks["cluster_oidc_issuer_url"], "https://", "")
 55 |   role_policy_arns              = local.cert_manager["enabled"] && local.cert_manager["create_iam_resources_irsa"] ? [aws_iam_policy.eks-cert-manager[0].arn] : []
 56 |   oidc_fully_qualified_subjects = ["system:serviceaccount:${local.cert_manager["namespace"]}:${local.cert_manager["service_account_name"]}"]
 57 | }
 58 | 
 59 | resource "aws_iam_policy" "eks-cert-manager" {
 60 |   count  = local.cert_manager["enabled"] && (local.cert_manager["create_iam_resources_kiam"] || local.cert_manager["create_iam_resources_irsa"]) ? 1 : 0
 61 |   name   = "tf-eks-${var.cluster-name}-cert-manager"
 62 |   policy = local.cert_manager["iam_policy_override"] == "" ? data.aws_iam_policy_document.cert_manager.json : local.cert_manager["iam_policy_override"]
 63 | }
 64 | 
 65 | data "aws_iam_policy_document" "cert_manager" {
 66 |   statement {
 67 |     effect = "Allow"
 68 | 
 69 |     actions = [
 70 |       "route53:GetChange"
 71 |     ]
 72 | 
 73 |     resources = ["arn:aws:route53:::change/*"]
 74 |   }
 75 | 
 76 |   statement {
 77 |     effect = "Allow"
 78 | 
 79 |     actions = [
 80 |       "route53:ChangeResourceRecordSets",
 81 |       "route53:ListResourceRecordSets"
 82 |     ]
 83 | 
 84 |     resources = ["arn:aws:route53:::hostedzone/*"]
 85 | 
 86 |   }
 87 | 
 88 |   statement {
 89 |     effect = "Allow"
 90 | 
 91 |     actions = [
 92 |       "route53:ListHostedZonesByName"
 93 |     ]
 94 | 
 95 |     resources = ["*"]
 96 | 
 97 |   }
 98 | }
 99 | 
100 | 
101 | resource "aws_iam_role" "eks-cert-manager-kiam" {
102 |   name  = "tf-eks-${var.cluster-name}-cert-manager-kiam"
103 |   count = local.cert_manager["enabled"] && local.cert_manager["create_iam_resources_kiam"] ? 1 : 0
104 | 
105 |   assume_role_policy = <<POLICY
106 | {
107 |   "Version": "2012-10-17",
108 |   "Statement": [
109 |     {
110 |       "Effect": "Allow",
111 |       "Principal": {
112 |         "Service": "ec2.amazonaws.com"
113 |       },
114 |       "Action": "sts:AssumeRole"
115 |     },
116 |     {
117 |       "Sid": "",
118 |       "Effect": "Allow",
119 |       "Principal": {
120 |         "AWS": "${aws_iam_role.eks-kiam-server-role[count.index].arn}"
121 |       },
122 |       "Action": "sts:AssumeRole"
123 |     }
124 |   ]
125 | }
126 | POLICY
127 | 
128 | }
129 | 
130 | resource "aws_iam_role_policy_attachment" "eks-cert-manager-kiam" {
131 |   count      = local.cert_manager["enabled"] && local.cert_manager["create_iam_resources_kiam"] ? 1 : 0
132 |   role       = aws_iam_role.eks-cert-manager-kiam[count.index].name
133 |   policy_arn = aws_iam_policy.eks-cert-manager[count.index].arn
134 | }
135 | 
136 | resource "kubernetes_namespace" "cert_manager" {
137 |   count = local.cert_manager["enabled"] ? 1 : 0
138 | 
139 |   metadata {
140 |     annotations = {
141 |       "iam.amazonaws.com/permitted"           = "${local.cert_manager["create_iam_resources_kiam"] ? aws_iam_role.eks-cert-manager-kiam[0].arn : "^$"}"
142 |       "certmanager.k8s.io/disable-validation" = "true"
143 |     }
144 | 
145 |     labels = {
146 |       name = local.cert_manager["namespace"]
147 |     }
148 | 
149 |     name = local.cert_manager["namespace"]
150 |   }
151 | }
152 | 
153 | resource "helm_release" "cert_manager" {
154 |   count                 = local.cert_manager["enabled"] ? 1 : 0
155 |   repository            = local.cert_manager["repository"]
156 |   name                  = local.cert_manager["name"]
157 |   chart                 = local.cert_manager["chart"]
158 |   version               = local.cert_manager["chart_version"]
159 |   timeout               = local.cert_manager["timeout"]
160 |   force_update          = local.cert_manager["force_update"]
161 |   recreate_pods         = local.cert_manager["recreate_pods"]
162 |   wait                  = local.cert_manager["wait"]
163 |   atomic                = local.cert_manager["atomic"]
164 |   cleanup_on_fail       = local.cert_manager["cleanup_on_fail"]
165 |   dependency_update     = local.cert_manager["dependency_update"]
166 |   disable_crd_hooks     = local.cert_manager["disable_crd_hooks"]
167 |   disable_webhooks      = local.cert_manager["disable_webhooks"]
168 |   render_subchart_notes = local.cert_manager["render_subchart_notes"]
169 |   replace               = local.cert_manager["replace"]
170 |   reset_values          = local.cert_manager["reset_values"]
171 |   reuse_values          = local.cert_manager["reuse_values"]
172 |   skip_crds             = local.cert_manager["skip_crds"]
173 |   verify                = local.cert_manager["verify"]
174 |   values = [
175 |     local.values_cert_manager,
176 |     local.cert_manager["extra_values"]
177 |   ]
178 |   namespace = kubernetes_namespace.cert_manager.*.metadata.0.name[count.index]
179 | 
180 |   depends_on = [
181 |     helm_release.kiam,
182 |     helm_release.prometheus_operator
183 |   ]
184 | }
185 | 
186 | data "kubectl_path_documents" "cert_manager_cluster_issuers" {
187 |   pattern = "./templates/cert-manager-cluster-issuers.yaml"
188 |   vars = {
189 |     acme_email = local.cert_manager["acme_email"]
190 |     aws_region = data.aws_region.current.name
191 |   }
192 | }
193 | 
194 | resource "kubectl_manifest" "cert_manager_cluster_issuers" {
195 |   count      = (local.cert_manager["enabled"] ? 1 : 0) * (local.cert_manager["enable_default_cluster_issuers"] ? 1 : 0) * length(data.kubectl_path_documents.cert_manager_cluster_issuers.documents)
196 |   yaml_body  = element(data.kubectl_path_documents.cert_manager_cluster_issuers.documents, count.index)
197 |   depends_on = [helm_release.cert_manager]
198 | }
199 | 
200 | resource "kubernetes_network_policy" "cert_manager_default_deny" {
201 |   count = local.cert_manager["enabled"] && local.cert_manager["default_network_policy"] ? 1 : 0
202 | 
203 |   metadata {
204 |     name      = "${kubernetes_namespace.cert_manager.*.metadata.0.name[count.index]}-default-deny"
205 |     namespace = kubernetes_namespace.cert_manager.*.metadata.0.name[count.index]
206 |   }
207 | 
208 |   spec {
209 |     pod_selector {
210 |     }
211 |     policy_types = ["Ingress"]
212 |   }
213 | }
214 | 
215 | resource "kubernetes_network_policy" "cert_manager_allow_namespace" {
216 |   count = local.cert_manager["enabled"] && local.cert_manager["default_network_policy"] ? 1 : 0
217 | 
218 |   metadata {
219 |     name      = "${kubernetes_namespace.cert_manager.*.metadata.0.name[count.index]}-allow-namespace"
220 |     namespace = kubernetes_namespace.cert_manager.*.metadata.0.name[count.index]
221 |   }
222 | 
223 |   spec {
224 |     pod_selector {
225 |     }
226 | 
227 |     ingress {
228 |       from {
229 |         namespace_selector {
230 |           match_labels = {
231 |             name = kubernetes_namespace.cert_manager.*.metadata.0.name[count.index]
232 |           }
233 |         }
234 |       }
235 |     }
236 | 
237 |     policy_types = ["Ingress"]
238 |   }
239 | }
240 | 
241 | resource "kubernetes_network_policy" "cert_manager_allow_monitoring" {
242 |   count = local.cert_manager["enabled"] && local.cert_manager["default_network_policy"] && local.prometheus_operator["enabled"] ? 1 : 0
243 | 
244 |   metadata {
245 |     name      = "${kubernetes_namespace.cert_manager.*.metadata.0.name[count.index]}-allow-monitoring"
246 |     namespace = kubernetes_namespace.cert_manager.*.metadata.0.name[count.index]
247 |   }
248 | 
249 |   spec {
250 |     pod_selector {
251 |     }
252 | 
253 |     ingress {
254 |       ports {
255 |         port     = "9402"
256 |         protocol = "TCP"
257 |       }
258 | 
259 |       from {
260 |         namespace_selector {
261 |           match_labels = {
262 |             name = kubernetes_namespace.prometheus_operator.*.metadata.0.name[count.index]
263 |           }
264 |         }
265 |       }
266 |     }
267 | 
268 |     policy_types = ["Ingress"]
269 |   }
270 | }
271 | 
272 | resource "kubernetes_network_policy" "cert_manager_allow_control_plane" {
273 |   count = local.cert_manager["enabled"] && local.cert_manager["default_network_policy"] ? 1 : 0
274 | 
275 |   metadata {
276 |     name      = "${kubernetes_namespace.cert_manager.*.metadata.0.name[count.index]}-allow-control-plane"
277 |     namespace = kubernetes_namespace.cert_manager.*.metadata.0.name[count.index]
278 |   }
279 | 
280 |   spec {
281 |     pod_selector {
282 |       match_expressions {
283 |         key      = "app"
284 |         operator = "In"
285 |         values   = ["webhook"]
286 |       }
287 |     }
288 | 
289 |     ingress {
290 |       ports {
291 |         port     = "10250"
292 |         protocol = "TCP"
293 |       }
294 | 
295 |       dynamic "from" {
296 |         for_each = local.cert_manager["allowed_cidrs"]
297 |         content {
298 |           ip_block {
299 |             cidr = from.value
300 |           }
301 |         }
302 |       }
303 |     }
304 | 
305 |     policy_types = ["Ingress"]
306 |   }
307 | }
308 | 
309 | 


--------------------------------------------------------------------------------
/cluster-autoscaler.tf:
--------------------------------------------------------------------------------
  1 | locals {
  2 |   cluster_autoscaler = merge(
  3 |     local.helm_defaults,
  4 |     {
  5 |       name                      = "cluster-autoscaler"
  6 |       namespace                 = "cluster-autoscaler"
  7 |       chart                     = "cluster-autoscaler-chart"
  8 |       repository                = "https://kubernetes.github.io/autoscaler"
  9 |       service_account_name      = "cluster-autoscaler"
 10 |       create_iam_resources_kiam = false
 11 |       create_iam_resources_irsa = true
 12 |       enabled                   = false
 13 |       chart_version             = "1.0.3"
 14 |       version                   = "v1.17.3"
 15 |       iam_policy_override       = ""
 16 |       default_network_policy    = true
 17 |       cluster_name              = "cluster"
 18 |     },
 19 |     var.cluster_autoscaler
 20 |   )
 21 | 
 22 |   values_cluster_autoscaler = <<VALUES
 23 | nameOverride: "${local.cluster_autoscaler["name"]}"
 24 | autoDiscovery:
 25 |   clusterName: ${local.cluster_autoscaler["cluster_name"]}
 26 | awsRegion: ${data.aws_region.current.name}
 27 | rbac:
 28 |   create: true
 29 |   pspEnabled: true
 30 |   serviceAccount:
 31 |     annotations:
 32 |       eks.amazonaws.com/role-arn: "${local.cluster_autoscaler["enabled"] && local.cluster_autoscaler["create_iam_resources_irsa"] ? module.iam_assumable_role_cluster_autoscaler.this_iam_role_arn : ""}"
 33 | image:
 34 |   tag: ${local.cluster_autoscaler["version"]}
 35 | podAnnotations:
 36 |   iam.amazonaws.com/role: "${local.cluster_autoscaler["enabled"] && local.cluster_autoscaler["create_iam_resources_kiam"] ? aws_iam_role.eks-cluster-autoscaler-kiam[0].arn : "^$"}"
 37 | extraArgs:
 38 |   balance-similar-node-groups: true
 39 | serviceMonitor:
 40 |   enabled: ${local.prometheus_operator["enabled"]}
 41 | VALUES
 42 | }
 43 | 
 44 | module "iam_assumable_role_cluster_autoscaler" {
 45 |   source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
 46 |   version                       = "~> v2.0"
 47 |   create_role                   = local.cluster_autoscaler["enabled"] && local.cluster_autoscaler["create_iam_resources_irsa"]
 48 |   role_name                     = "tf-eks-${var.cluster-name}-cluster-autoscaler-irsa"
 49 |   provider_url                  = replace(var.eks["cluster_oidc_issuer_url"], "https://", "")
 50 |   role_policy_arns              = local.cluster_autoscaler["create_iam_resources_irsa"] ? [aws_iam_policy.eks-cluster-autoscaler[0].arn] : []
 51 |   oidc_fully_qualified_subjects = ["system:serviceaccount:${local.cluster_autoscaler["namespace"]}:${local.cluster_autoscaler["service_account_name"]}"]
 52 | }
 53 | 
 54 | resource "aws_iam_policy" "eks-cluster-autoscaler" {
 55 |   count  = local.cluster_autoscaler["enabled"] && (local.cluster_autoscaler["create_iam_resources_kiam"] || local.cluster_autoscaler["create_iam_resources_irsa"]) ? 1 : 0
 56 |   name   = "tf-eks-${var.cluster-name}-cluster-autoscaler"
 57 |   policy = local.cluster_autoscaler["iam_policy_override"] == "" ? data.aws_iam_policy_document.cluster_autoscaler.json : local.cluster_autoscaler["iam_policy_override"]
 58 | }
 59 | 
 60 | data "aws_iam_policy_document" "cluster_autoscaler" {
 61 |   statement {
 62 |     sid    = "clusterAutoscalerAll"
 63 |     effect = "Allow"
 64 | 
 65 |     actions = [
 66 |       "autoscaling:DescribeAutoScalingGroups",
 67 |       "autoscaling:DescribeAutoScalingInstances",
 68 |       "autoscaling:DescribeLaunchConfigurations",
 69 |       "autoscaling:DescribeTags",
 70 |       "ec2:DescribeLaunchTemplateVersions",
 71 |     ]
 72 | 
 73 |     resources = ["*"]
 74 |   }
 75 | 
 76 |   statement {
 77 |     sid    = "clusterAutoscalerOwn"
 78 |     effect = "Allow"
 79 | 
 80 |     actions = [
 81 |       "autoscaling:SetDesiredCapacity",
 82 |       "autoscaling:TerminateInstanceInAutoScalingGroup",
 83 |       "autoscaling:UpdateAutoScalingGroup",
 84 |     ]
 85 | 
 86 |     resources = ["*"]
 87 | 
 88 |     condition {
 89 |       test     = "StringEquals"
 90 |       variable = "autoscaling:ResourceTag/kubernetes.io/cluster/${var.cluster-name}"
 91 |       values   = ["owned"]
 92 |     }
 93 | 
 94 |     condition {
 95 |       test     = "StringEquals"
 96 |       variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/enabled"
 97 |       values   = ["true"]
 98 |     }
 99 |   }
100 | }
101 | 
102 | 
103 | resource "aws_iam_role" "eks-cluster-autoscaler-kiam" {
104 |   name  = "tf-eks-${var.cluster-name}-cluster-autoscaler-kiam"
105 |   count = local.cluster_autoscaler["enabled"] && local.cluster_autoscaler["create_iam_resources_kiam"] ? 1 : 0
106 | 
107 |   assume_role_policy = <<POLICY
108 | {
109 |   "Version": "2012-10-17",
110 |   "Statement": [
111 |     {
112 |       "Effect": "Allow",
113 |       "Principal": {
114 |         "Service": "ec2.amazonaws.com"
115 |       },
116 |       "Action": "sts:AssumeRole"
117 |     },
118 |     {
119 |       "Sid": "",
120 |       "Effect": "Allow",
121 |       "Principal": {
122 |         "AWS": "${aws_iam_role.eks-kiam-server-role[count.index].arn}"
123 |       },
124 |       "Action": "sts:AssumeRole"
125 |     }
126 |   ]
127 | }
128 | POLICY
129 | 
130 | }
131 | 
132 | resource "aws_iam_role_policy_attachment" "eks-cluster-autoscaler-kiam" {
133 |   count      = local.cluster_autoscaler["enabled"] && local.cluster_autoscaler["create_iam_resources_kiam"] ? 1 : 0
134 |   role       = aws_iam_role.eks-cluster-autoscaler-kiam[count.index].name
135 |   policy_arn = aws_iam_policy.eks-cluster-autoscaler[count.index].arn
136 | }
137 | 
138 | resource "kubernetes_namespace" "cluster_autoscaler" {
139 |   count = local.cluster_autoscaler["enabled"] ? 1 : 0
140 | 
141 |   metadata {
142 |     annotations = {
143 |       "iam.amazonaws.com/permitted" = "${local.cluster_autoscaler["create_iam_resources_kiam"] ? aws_iam_role.eks-cluster-autoscaler-kiam[0].arn : "^$"}"
144 |     }
145 | 
146 |     labels = {
147 |       name = local.cluster_autoscaler["namespace"]
148 |     }
149 | 
150 |     name = local.cluster_autoscaler["namespace"]
151 |   }
152 | }
153 | 
154 | resource "helm_release" "cluster_autoscaler" {
155 |   count                 = local.cluster_autoscaler["enabled"] ? 1 : 0
156 |   repository            = local.cluster_autoscaler["repository"]
157 |   name                  = local.cluster_autoscaler["name"]
158 |   chart                 = local.cluster_autoscaler["chart"]
159 |   version               = local.cluster_autoscaler["chart_version"]
160 |   timeout               = local.cluster_autoscaler["timeout"]
161 |   force_update          = local.cluster_autoscaler["force_update"]
162 |   recreate_pods         = local.cluster_autoscaler["recreate_pods"]
163 |   wait                  = local.cluster_autoscaler["wait"]
164 |   atomic                = local.cluster_autoscaler["atomic"]
165 |   cleanup_on_fail       = local.cluster_autoscaler["cleanup_on_fail"]
166 |   dependency_update     = local.cluster_autoscaler["dependency_update"]
167 |   disable_crd_hooks     = local.cluster_autoscaler["disable_crd_hooks"]
168 |   disable_webhooks      = local.cluster_autoscaler["disable_webhooks"]
169 |   render_subchart_notes = local.cluster_autoscaler["render_subchart_notes"]
170 |   replace               = local.cluster_autoscaler["replace"]
171 |   reset_values          = local.cluster_autoscaler["reset_values"]
172 |   reuse_values          = local.cluster_autoscaler["reuse_values"]
173 |   skip_crds             = local.cluster_autoscaler["skip_crds"]
174 |   verify                = local.cluster_autoscaler["verify"]
175 |   values = [
176 |     local.values_cluster_autoscaler,
177 |     local.cluster_autoscaler["extra_values"]
178 |   ]
179 |   namespace = kubernetes_namespace.cluster_autoscaler.*.metadata.0.name[count.index]
180 | 
181 |   depends_on = [
182 |     helm_release.kiam,
183 |     helm_release.prometheus_operator
184 |   ]
185 | }
186 | 
187 | resource "kubernetes_network_policy" "cluster_autoscaler_default_deny" {
188 |   count = local.cluster_autoscaler["enabled"] && local.cluster_autoscaler["default_network_policy"] ? 1 : 0
189 | 
190 |   metadata {
191 |     name      = "${kubernetes_namespace.cluster_autoscaler.*.metadata.0.name[count.index]}-default-deny"
192 |     namespace = kubernetes_namespace.cluster_autoscaler.*.metadata.0.name[count.index]
193 |   }
194 | 
195 |   spec {
196 |     pod_selector {
197 |     }
198 |     policy_types = ["Ingress"]
199 |   }
200 | }
201 | 
202 | resource "kubernetes_network_policy" "cluster_autoscaler_allow_namespace" {
203 |   count = local.cluster_autoscaler["enabled"] && local.cluster_autoscaler["default_network_policy"] ? 1 : 0
204 | 
205 |   metadata {
206 |     name      = "${kubernetes_namespace.cluster_autoscaler.*.metadata.0.name[count.index]}-allow-namespace"
207 |     namespace = kubernetes_namespace.cluster_autoscaler.*.metadata.0.name[count.index]
208 |   }
209 | 
210 |   spec {
211 |     pod_selector {
212 |     }
213 | 
214 |     ingress {
215 |       from {
216 |         namespace_selector {
217 |           match_labels = {
218 |             name = kubernetes_namespace.cluster_autoscaler.*.metadata.0.name[count.index]
219 |           }
220 |         }
221 |       }
222 |     }
223 | 
224 |     policy_types = ["Ingress"]
225 |   }
226 | }
227 | 
228 | resource "kubernetes_network_policy" "cluster_autoscaler_allow_monitoring" {
229 |   count = local.cluster_autoscaler["enabled"] && local.cluster_autoscaler["default_network_policy"] && local.prometheus_operator["enabled"] ? 1 : 0
230 | 
231 |   metadata {
232 |     name      = "${kubernetes_namespace.cluster_autoscaler.*.metadata.0.name[count.index]}-allow-monitoring"
233 |     namespace = kubernetes_namespace.cluster_autoscaler.*.metadata.0.name[count.index]
234 |   }
235 | 
236 |   spec {
237 |     pod_selector {
238 |     }
239 | 
240 |     ingress {
241 |       ports {
242 |         port     = "8085"
243 |         protocol = "TCP"
244 |       }
245 | 
246 |       from {
247 |         namespace_selector {
248 |           match_labels = {
249 |             name = kubernetes_namespace.prometheus_operator.*.metadata.0.name[count.index]
250 |           }
251 |         }
252 |       }
253 |     }
254 | 
255 |     policy_types = ["Ingress"]
256 |   }
257 | }
258 | 


--------------------------------------------------------------------------------
/cni-metrics-helper.tf:
--------------------------------------------------------------------------------
 1 | locals {
 2 |   cni_metrics_helper = merge(
 3 |     {
 4 |       create_iam_resources_irsa = true
 5 |       create_iam_resources_kiam = false
 6 |       enabled                   = false
 7 |       version                   = "v1.6.3"
 8 |       iam_policy_override       = ""
 9 |     },
10 |     var.cni_metrics_helper
11 |   )
12 | }
13 | 
14 | module "iam_assumable_role_cni_metrics_helper" {
15 |   source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
16 |   version                       = "~> v2.0"
17 |   create_role                   = local.cni_metrics_helper["enabled"] && local.cni_metrics_helper["create_iam_resources_irsa"]
18 |   role_name                     = "tf-eks-${var.cluster-name}-cni-metrics-helper-irsa"
19 |   provider_url                  = replace(var.eks["cluster_oidc_issuer_url"], "https://", "")
20 |   role_policy_arns              = local.cni_metrics_helper["enabled"] && local.cni_metrics_helper["create_iam_resources_irsa"] ? [aws_iam_policy.eks-cni-metrics-helper[0].arn] : []
21 |   oidc_fully_qualified_subjects = ["system:serviceaccount:kube-system:cni-metrics-helper"]
22 | }
23 | 
24 | resource "aws_iam_policy" "eks-cni-metrics-helper" {
25 |   count  = local.cni_metrics_helper["enabled"] && (local.cni_metrics_helper["create_iam_resources_kiam"] || local.cni_metrics_helper["create_iam_resources_irsa"]) ? 1 : 0
26 |   name   = "tf-eks-${var.cluster-name}-cni-metrics-helper"
27 |   policy = local.cni_metrics_helper["iam_policy_override"] == "" ? data.aws_iam_policy_document.cni_metrics_helper.json : local.cni_metrics_helper["iam_policy_override"]
28 | }
29 | 
30 | data "aws_iam_policy_document" "cni_metrics_helper" {
31 |   statement {
32 |     effect = "Allow"
33 | 
34 |     actions = [
35 |       "cloudwatch:PutMetricData",
36 |       "ec2:DescribeTags"
37 |     ]
38 | 
39 |     resources = ["*"]
40 |   }
41 | }
42 | 
43 | resource "aws_iam_role" "eks-cni-metrics-helper-kiam" {
44 |   name  = "tf-eks-${var.cluster-name}-cni-metrics-helper-kiam"
45 |   count = local.cni_metrics_helper["enabled"] && local.cni_metrics_helper["create_iam_resources_kiam"] ? 1 : 0
46 | 
47 |   assume_role_policy = <<POLICY
48 | {
49 |   "Version": "2012-10-17",
50 |   "Statement": [
51 |     {
52 |       "Effect": "Allow",
53 |       "Principal": {
54 |         "Service": "ec2.amazonaws.com"
55 |       },
56 |       "Action": "sts:AssumeRole"
57 |     },
58 |     {
59 |       "Sid": "",
60 |       "Effect": "Allow",
61 |       "Principal": {
62 |         "AWS": "${aws_iam_role.eks-kiam-server-role[count.index].arn}"
63 |       },
64 |       "Action": "sts:AssumeRole"
65 |     }
66 |   ]
67 | }
68 | POLICY
69 | 
70 | }
71 | 
72 | resource "aws_iam_role_policy_attachment" "eks-cni-metrics-helper-kiam" {
73 |   count      = local.cni_metrics_helper["enabled"] && local.cni_metrics_helper["create_iam_resources_kiam"] ? 1 : 0
74 |   role       = aws_iam_role.eks-cni-metrics-helper-kiam[count.index].name
75 |   policy_arn = aws_iam_policy.eks-cni-metrics-helper[count.index].arn
76 | }
77 | 
78 | resource "kubectl_manifest" "cni_metrics_helper" {
79 |   count = local.cni_metrics_helper["enabled"] ? 1 : 0
80 |   yaml_body = templatefile("${path.module}/templates/cni-metrics-helper.yaml", {
81 |     cni_metrics_helper_role_arn_kiam = local.cni_metrics_helper["create_iam_resources_kiam"] ? aws_iam_role.eks-cni-metrics-helper-kiam[0].arn : ""
82 |     cni_metrics_helper_role_arn_irsa = local.cni_metrics_helper["create_iam_resources_irsa"] ? module.iam_assumable_role_cni_metrics_helper.this_iam_role_arn : ""
83 |     cni_metrics_helper_version       = local.cni_metrics_helper["version"]
84 |   })
85 | }
86 | 


--------------------------------------------------------------------------------
/data.tf:
--------------------------------------------------------------------------------
1 | data "aws_region" "current" {}
2 | 
3 | data "aws_caller_identity" "current" {}
4 | 


--------------------------------------------------------------------------------
/examples/terraform/main.tf:
--------------------------------------------------------------------------------
  1 | module "eks-addons" {
  2 |   source        = "../.."
  3 | 
  4 |   alb_ingress = {
  5 |     enabled = true
  6 |   }
  7 | 
  8 |   nginx_ingress = {
  9 |     enabled = true
 10 |   }
 11 | 
 12 |   istio_operator = {
 13 |     enabled = true
 14 |   }
 15 | 
 16 |   cluster_autoscaler = {
 17 |     enabled      = true
 18 |     cluster_name = var.cluster-name
 19 |     extra_values = <<-EXTRA_VALUES
 20 |       image:
 21 |         repository: eu.gcr.io/k8s-artifacts-prod/autoscaling/cluster-autoscaler
 22 |       EXTRA_VALUES
 23 |   }
 24 | 
 25 |   external_dns = {
 26 |     enabled = true
 27 |   }
 28 | 
 29 |   cert_manager = {
 30 |     enabled                        = true
 31 |     acme_email                     = "kevin@particule.io"
 32 |     enable_default_cluster_issuers = true
 33 |   }
 34 | 
 35 |   metrics_server = {
 36 |     enabled       = true
 37 |   }
 38 | 
 39 |   flux = {
 40 |     enabled      = true
 41 |     extra_values = <<-EXTRA_VALUES
 42 |       git:
 43 |         url: "ssh://git@gitlab.com/myrepo/gitops.git"
 44 |         pollInterval: "2m"
 45 |       rbac:
 46 |         create: false
 47 |       registry:
 48 |         automationInterval: "2m"
 49 |       EXTRA_VALUES
 50 |   }
 51 | 
 52 |   prometheus_operator = {
 53 |     enabled       = true
 54 |     extra_values  = <<-EXTRA_VALUES
 55 |       grafana:
 56 |         deploymentStrategy:
 57 |           type: Recreate
 58 |         ingress:
 59 |           enabled: true
 60 |           annotations:
 61 |             kubernetes.io/ingress.class: nginx
 62 |             cert-manager.io/cluster-issuer: "letsencrypt"
 63 |           hosts:
 64 |             - grafana.clusterfrak-dynamics.io
 65 |           tls:
 66 |             - secretName: grafana-clusterfrak-dynamics-io
 67 |               hosts:
 68 |                 - grafana.clusterfrak-dynamics.io
 69 |         persistence:
 70 |           enabled: true
 71 |           storageClassName: gp2
 72 |           accessModes:
 73 |             - ReadWriteOnce
 74 |           size: 10Gi
 75 |       prometheus:
 76 |         prometheusSpec:
 77 |           replicas: 1
 78 |           retention: 180d
 79 |           ruleSelectorNilUsesHelmValues: false
 80 |           serviceMonitorSelectorNilUsesHelmValues: false
 81 |           storageSpec:
 82 |             volumeClaimTemplate:
 83 |               spec:
 84 |                 storageClassName: gp2
 85 |                 accessModes: ["ReadWriteOnce"]
 86 |                 resources:
 87 |                   requests:
 88 |                     storage: 50Gi
 89 |       EXTRA_VALUES
 90 |   }
 91 | 
 92 |   fluentd_cloudwatch = {
 93 |     enabled = false
 94 |   }
 95 | 
 96 |   npd = {
 97 |     enabled = true
 98 |   }
 99 | 
100 |   sealed_secrets = {
101 |     enabled = true
102 |   }
103 | 
104 |   cni_metrics_helper = {
105 |     enabled = true
106 |   }
107 | 
108 |   kong = {
109 |     enabled = true
110 |   }
111 | 
112 |   keycloak = {
113 |     enabled = false
114 |   }
115 | 
116 |   karma = {
117 |     enabled      = true
118 |     extra_values = <<-EXTRA_VALUES
119 |       ingress:
120 |         enabled: true
121 |         path: /
122 |         annotations:
123 |           kubernetes.io/ingress.class: nginx
124 |           cert-manager.io/cluster-issuer: "letsencrypt"
125 |         hosts:
126 |           - karma.clusterfrak-dynamics.io
127 |         tls:
128 |           - secretName: karma-clusterfrak-dynamics-io
129 |             hosts:
130 |               - karma.clusterfrak-dynamics.io
131 |       env:
132 |         - name: ALERTMANAGER_URI
133 |           value: "http://prometheus-operator-alertmanager.monitoring.svc.cluster.local:9093"
134 |         - name: ALERTMANAGER_PROXY
135 |           value: "true"
136 |         - name: FILTERS_DEFAULT
137 |           value: "@state=active severity!=info severity!=none"
138 |       EXTRA_VALUES
139 |   }
140 | }
141 | 


--------------------------------------------------------------------------------
/examples/terraform/providers.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   backend "s3" {
 3 |   }
 4 | }
 5 | 
 6 | provider "aws" {
 7 |   region  = var.aws["region"]
 8 | }
 9 | 
10 | provider "kubectl" {
11 |   host                   = data.aws_eks_cluster.cluster.endpoint
12 |   cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
13 |   token                  = data.aws_eks_cluster_auth.cluster.token
14 |   load_config_file       = false
15 | }
16 | 
17 | provider "kubernetes" {
18 |   host                   = data.aws_eks_cluster.cluster.endpoint
19 |   cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
20 |   token                  = data.aws_eks_cluster_auth.cluster.token
21 |   load_config_file       = false
22 | }
23 | 
24 | provider "helm" {
25 |   version = "~> 1.0"
26 |   kubernetes {
27 |     host                   = data.aws_eks_cluster.cluster.endpoint
28 |     cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
29 |     token                  = data.aws_eks_cluster_auth.cluster.token
30 |     load_config_file       = false
31 |   }
32 | }
33 | 
34 | data "aws_availability_zones" "available" {
35 | }
36 | 
37 | data "aws_caller_identity" "current" {
38 | }
39 | 
40 | data "aws_eks_cluster" "cluster" {
41 |   name = var.cluster-name
42 | }
43 | 
44 | data "aws_eks_cluster_auth" "cluster" {
45 |   name = var.cluster-name
46 | }
47 | 


--------------------------------------------------------------------------------
/examples/terraform/variables.tf:
--------------------------------------------------------------------------------
1 | variable "aws" {
2 |   type    = any
3 |   default = {}
4 | }
5 | 
6 | variable "cluster-name" {
7 |   default = "cluster"
8 | }
9 | 


--------------------------------------------------------------------------------
/examples/terragrunt/README.md:
--------------------------------------------------------------------------------
1 | # Terragrunt
2 | 
3 | Terragrunt example are available in [tEKS](https://github.com/clusterfrak-dynamics/teks)
4 | 


--------------------------------------------------------------------------------
/external-dns-secondary.tf:
--------------------------------------------------------------------------------
  1 | locals {
  2 | 
  3 |   external_dns_secondary = merge(
  4 |     local.helm_defaults,
  5 |     {
  6 |       name                      = "external-dns-secondary"
  7 |       namespace                 = "external-dns-secondary"
  8 |       chart                     = "external-dns"
  9 |       repository                = "https://charts.bitnami.com/bitnami"
 10 |       service_account_name      = "external-dns-secondary"
 11 |       create_iam_resources_kiam = false
 12 |       create_iam_resources_irsa = true
 13 |       enabled                   = false
 14 |       chart_version             = "3.3.0"
 15 |       version                   = "0.7.3-debian-10-r0"
 16 |       iam_policy_override       = ""
 17 |       default_network_policy    = true
 18 |     },
 19 |     var.external_dns_secondary
 20 |   )
 21 | 
 22 |   values_external_dns_secondary = <<VALUES
 23 | image:
 24 |   tag: ${local.external_dns_secondary["version"]}
 25 | provider: aws
 26 | txtPrefix: "ext-dns-"
 27 | rbac:
 28 |  create: true
 29 |  pspEnabled: true
 30 | serviceAccount:
 31 |   annotations:
 32 |     eks.amazonaws.com/role-arn: "${local.external_dns_secondary["enabled"] && local.external_dns_secondary["create_iam_resources_irsa"] ? module.iam_assumable_role_external_dns_secondary.this_iam_role_arn : ""}"
 33 | podAnnotations:
 34 |   iam.amazonaws.com/role: "${local.external_dns_secondary["enabled"] && local.external_dns_secondary["create_iam_resources_kiam"] ? aws_iam_role.eks-external-dns-secondary-kiam[0].arn : ""}"
 35 | metrics:
 36 |   enabled: ${local.prometheus_operator["enabled"]}
 37 |   serviceMonitor:
 38 |     enabled: ${local.prometheus_operator["enabled"]}
 39 | priorityClassName: ${local.priority_class["create"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : ""}
 40 | VALUES
 41 | }
 42 | 
 43 | module "iam_assumable_role_external_dns_secondary" {
 44 |   source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
 45 |   version                       = "~> v2.0"
 46 |   create_role                   = local.external_dns_secondary["enabled"] && local.external_dns_secondary["create_iam_resources_irsa"]
 47 |   role_name                     = "tf-eks-${var.cluster-name}-external-dns-secondary-irsa"
 48 |   provider_url                  = replace(var.eks["cluster_oidc_issuer_url"], "https://", "")
 49 |   role_policy_arns              = local.external_dns_secondary["enabled"] && local.external_dns_secondary["create_iam_resources_irsa"] ? [aws_iam_policy.eks-external-dns-secondary[0].arn] : []
 50 |   oidc_fully_qualified_subjects = ["system:serviceaccount:${local.external_dns_secondary["namespace"]}:${local.external_dns_secondary["service_account_name"]}"]
 51 | }
 52 | 
 53 | resource "aws_iam_policy" "eks-external-dns-secondary" {
 54 |   count  = local.external_dns_secondary["enabled"] && (local.external_dns_secondary["create_iam_resources_kiam"] || local.external_dns_secondary["create_iam_resources_irsa"]) ? 1 : 0
 55 |   name   = "tf-eks-${var.cluster-name}-external-dns-secondary"
 56 |   policy = local.external_dns_secondary["iam_policy_override"] == "" ? data.aws_iam_policy_document.external_dns_secondary.json : local.external_dns_secondary["iam_policy_override"]
 57 | }
 58 | 
 59 | data "aws_iam_policy_document" "external_dns_secondary" {
 60 |   statement {
 61 |     effect = "Allow"
 62 | 
 63 |     actions = [
 64 |       "route53:ChangeResourceRecordSets"
 65 |     ]
 66 | 
 67 |     resources = ["arn:aws:route53:::hostedzone/*"]
 68 |   }
 69 | 
 70 |   statement {
 71 |     effect = "Allow"
 72 | 
 73 |     actions = [
 74 |       "route53:ListHostedZones",
 75 |       "route53:ListResourceRecordSets"
 76 |     ]
 77 | 
 78 |     resources = ["*"]
 79 | 
 80 |   }
 81 | }
 82 | 
 83 | resource "aws_iam_role" "eks-external-dns-secondary-kiam" {
 84 |   name  = "terraform-eks-${var.cluster-name}-external-dns-secondary-kiam"
 85 |   count = local.external_dns_secondary["enabled"] && local.external_dns_secondary["create_iam_resources_kiam"] ? 1 : 0
 86 | 
 87 |   assume_role_policy = <<POLICY
 88 | {
 89 |   "Version": "2012-10-17",
 90 |   "Statement": [
 91 |     {
 92 |       "Effect": "Allow",
 93 |       "Principal": {
 94 |         "Service": "ec2.amazonaws.com"
 95 |       },
 96 |       "Action": "sts:AssumeRole"
 97 |     },
 98 |     {
 99 |       "Sid": "",
100 |       "Effect": "Allow",
101 |       "Principal": {
102 |         "AWS": "${aws_iam_role.eks-kiam-server-role[count.index].arn}"
103 |       },
104 |       "Action": "sts:AssumeRole"
105 |     }
106 |   ]
107 | }
108 | POLICY
109 | 
110 | }
111 | 
112 | resource "aws_iam_role_policy_attachment" "eks-external-dns-secondary-kiam" {
113 |   count      = local.external_dns_secondary["enabled"] && local.external_dns_secondary["create_iam_resources_kiam"] ? 1 : 0
114 |   role       = aws_iam_role.eks-external-dns-secondary-kiam[count.index].name
115 |   policy_arn = aws_iam_policy.eks-external-dns-secondary[count.index].arn
116 | }
117 | 
118 | resource "kubernetes_namespace" "external_dns_secondary" {
119 |   count = local.external_dns_secondary["enabled"] ? 1 : 0
120 | 
121 |   metadata {
122 |     annotations = {
123 |       "iam.amazonaws.com/permitted" = "${local.external_dns_secondary["create_iam_resources_kiam"] ? aws_iam_role.eks-external-dns-secondary-kiam[0].arn : "^$"}"
124 |     }
125 | 
126 |     labels = {
127 |       name = local.external_dns_secondary["namespace"]
128 |     }
129 | 
130 |     name = local.external_dns_secondary["namespace"]
131 |   }
132 | }
133 | 
134 | resource "helm_release" "external_dns_secondary" {
135 |   count                 = local.external_dns_secondary["enabled"] ? 1 : 0
136 |   repository            = local.external_dns_secondary["repository"]
137 |   name                  = local.external_dns_secondary["name"]
138 |   chart                 = local.external_dns_secondary["chart"]
139 |   version               = local.external_dns_secondary["chart_version"]
140 |   timeout               = local.external_dns_secondary["timeout"]
141 |   force_update          = local.external_dns_secondary["force_update"]
142 |   recreate_pods         = local.external_dns_secondary["recreate_pods"]
143 |   wait                  = local.external_dns_secondary["wait"]
144 |   atomic                = local.external_dns_secondary["atomic"]
145 |   cleanup_on_fail       = local.external_dns_secondary["cleanup_on_fail"]
146 |   dependency_update     = local.external_dns_secondary["dependency_update"]
147 |   disable_crd_hooks     = local.external_dns_secondary["disable_crd_hooks"]
148 |   disable_webhooks      = local.external_dns_secondary["disable_webhooks"]
149 |   render_subchart_notes = local.external_dns_secondary["render_subchart_notes"]
150 |   replace               = local.external_dns_secondary["replace"]
151 |   reset_values          = local.external_dns_secondary["reset_values"]
152 |   reuse_values          = local.external_dns_secondary["reuse_values"]
153 |   skip_crds             = local.external_dns_secondary["skip_crds"]
154 |   verify                = local.external_dns_secondary["verify"]
155 |   values = [
156 |     local.values_external_dns_secondary,
157 |     local.external_dns_secondary["extra_values"]
158 |   ]
159 |   namespace = kubernetes_namespace.external_dns_secondary.*.metadata.0.name[count.index]
160 | 
161 |   depends_on = [
162 |     helm_release.kiam,
163 |     helm_release.prometheus_operator
164 |   ]
165 | }
166 | 
167 | resource "kubernetes_network_policy" "external_dns_secondary_default_deny" {
168 |   count = local.external_dns_secondary["enabled"] && local.external_dns_secondary["default_network_policy"] ? 1 : 0
169 | 
170 |   metadata {
171 |     name      = "${kubernetes_namespace.external_dns_secondary.*.metadata.0.name[count.index]}-default-deny"
172 |     namespace = kubernetes_namespace.external_dns_secondary.*.metadata.0.name[count.index]
173 |   }
174 | 
175 |   spec {
176 |     pod_selector {
177 |     }
178 |     policy_types = ["Ingress"]
179 |   }
180 | }
181 | 
182 | resource "kubernetes_network_policy" "external_dns_secondary_allow_namespace" {
183 |   count = local.external_dns_secondary["enabled"] && local.external_dns_secondary["default_network_policy"] ? 1 : 0
184 | 
185 |   metadata {
186 |     name      = "${kubernetes_namespace.external_dns_secondary.*.metadata.0.name[count.index]}-allow-namespace"
187 |     namespace = kubernetes_namespace.external_dns_secondary.*.metadata.0.name[count.index]
188 |   }
189 | 
190 |   spec {
191 |     pod_selector {
192 |     }
193 | 
194 |     ingress {
195 |       from {
196 |         namespace_selector {
197 |           match_labels = {
198 |             name = kubernetes_namespace.external_dns_secondary.*.metadata.0.name[count.index]
199 |           }
200 |         }
201 |       }
202 |     }
203 | 
204 |     policy_types = ["Ingress"]
205 |   }
206 | }
207 | 
208 | resource "kubernetes_network_policy" "external_dns_secondary_allow_monitoring" {
209 |   count = local.external_dns_secondary["enabled"] && local.external_dns_secondary["default_network_policy"] && local.prometheus_operator["enabled"] ? 1 : 0
210 | 
211 |   metadata {
212 |     name      = "${kubernetes_namespace.external_dns_secondary.*.metadata.0.name[count.index]}-allow-monitoring"
213 |     namespace = kubernetes_namespace.external_dns_secondary.*.metadata.0.name[count.index]
214 |   }
215 | 
216 |   spec {
217 |     pod_selector {
218 |     }
219 | 
220 |     ingress {
221 |       ports {
222 |         port     = "http"
223 |         protocol = "TCP"
224 |       }
225 | 
226 |       from {
227 |         namespace_selector {
228 |           match_labels = {
229 |             name = kubernetes_namespace.prometheus_operator.*.metadata.0.name[count.index]
230 |           }
231 |         }
232 |       }
233 |     }
234 | 
235 |     policy_types = ["Ingress"]
236 |   }
237 | }
238 | 


--------------------------------------------------------------------------------
/external-dns.tf:
--------------------------------------------------------------------------------
  1 | locals {
  2 | 
  3 |   external_dns = merge(
  4 |     local.helm_defaults,
  5 |     {
  6 |       name                      = "external-dns"
  7 |       namespace                 = "external-dns"
  8 |       chart                     = "external-dns"
  9 |       repository                = "https://charts.bitnami.com/bitnami"
 10 |       service_account_name      = "external-dns"
 11 |       create_iam_resources_kiam = false
 12 |       create_iam_resources_irsa = true
 13 |       enabled                   = false
 14 |       chart_version             = "3.3.0"
 15 |       version                   = "0.7.3-debian-10-r0"
 16 |       iam_policy_override       = ""
 17 |       default_network_policy    = true
 18 |     },
 19 |     var.external_dns
 20 |   )
 21 | 
 22 |   values_external_dns = <<VALUES
 23 | image:
 24 |   tag: ${local.external_dns["version"]}
 25 | provider: aws
 26 | txtPrefix: "ext-dns-"
 27 | rbac:
 28 |  create: true
 29 |  pspEnabled: true
 30 | serviceAccount:
 31 |   annotations:
 32 |     eks.amazonaws.com/role-arn: "${local.external_dns["enabled"] && local.external_dns["create_iam_resources_irsa"] ? module.iam_assumable_role_external_dns.this_iam_role_arn : ""}"
 33 | podAnnotations:
 34 |   iam.amazonaws.com/role: "${local.external_dns["enabled"] && local.external_dns["create_iam_resources_kiam"] ? aws_iam_role.eks-external-dns-kiam[0].arn : ""}"
 35 | metrics:
 36 |   enabled: ${local.prometheus_operator["enabled"]}
 37 |   serviceMonitor:
 38 |     enabled: ${local.prometheus_operator["enabled"]}
 39 | priorityClassName: ${local.priority_class["create"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : ""}
 40 | VALUES
 41 | }
 42 | 
 43 | module "iam_assumable_role_external_dns" {
 44 |   source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
 45 |   version                       = "~> v2.0"
 46 |   create_role                   = local.external_dns["enabled"] && local.external_dns["create_iam_resources_irsa"]
 47 |   role_name                     = "tf-eks-${var.cluster-name}-external-dns-irsa"
 48 |   provider_url                  = replace(var.eks["cluster_oidc_issuer_url"], "https://", "")
 49 |   role_policy_arns              = local.external_dns["enabled"] && local.external_dns["create_iam_resources_irsa"] ? [aws_iam_policy.eks-external-dns[0].arn] : []
 50 |   oidc_fully_qualified_subjects = ["system:serviceaccount:${local.external_dns["namespace"]}:${local.external_dns["service_account_name"]}"]
 51 | }
 52 | 
 53 | resource "aws_iam_policy" "eks-external-dns" {
 54 |   count  = local.external_dns["enabled"] && (local.external_dns["create_iam_resources_kiam"] || local.external_dns["create_iam_resources_irsa"]) ? 1 : 0
 55 |   name   = "tf-eks-${var.cluster-name}-external-dns"
 56 |   policy = local.external_dns["iam_policy_override"] == "" ? data.aws_iam_policy_document.external_dns.json : local.external_dns["iam_policy_override"]
 57 | }
 58 | 
 59 | data "aws_iam_policy_document" "external_dns" {
 60 |   statement {
 61 |     effect = "Allow"
 62 | 
 63 |     actions = [
 64 |       "route53:ChangeResourceRecordSets"
 65 |     ]
 66 | 
 67 |     resources = ["arn:aws:route53:::hostedzone/*"]
 68 |   }
 69 | 
 70 |   statement {
 71 |     effect = "Allow"
 72 | 
 73 |     actions = [
 74 |       "route53:ListHostedZones",
 75 |       "route53:ListResourceRecordSets"
 76 |     ]
 77 | 
 78 |     resources = ["*"]
 79 | 
 80 |   }
 81 | }
 82 | 
 83 | resource "aws_iam_role" "eks-external-dns-kiam" {
 84 |   name  = "terraform-eks-${var.cluster-name}-external-dns-kiam"
 85 |   count = local.external_dns["enabled"] && local.external_dns["create_iam_resources_kiam"] ? 1 : 0
 86 | 
 87 |   assume_role_policy = <<POLICY
 88 | {
 89 |   "Version": "2012-10-17",
 90 |   "Statement": [
 91 |     {
 92 |       "Effect": "Allow",
 93 |       "Principal": {
 94 |         "Service": "ec2.amazonaws.com"
 95 |       },
 96 |       "Action": "sts:AssumeRole"
 97 |     },
 98 |     {
 99 |       "Sid": "",
100 |       "Effect": "Allow",
101 |       "Principal": {
102 |         "AWS": "${aws_iam_role.eks-kiam-server-role[count.index].arn}"
103 |       },
104 |       "Action": "sts:AssumeRole"
105 |     }
106 |   ]
107 | }
108 | POLICY
109 | 
110 | }
111 | 
112 | resource "aws_iam_role_policy_attachment" "eks-external-dns-kiam" {
113 |   count      = local.external_dns["enabled"] && local.external_dns["create_iam_resources_kiam"] ? 1 : 0
114 |   role       = aws_iam_role.eks-external-dns-kiam[count.index].name
115 |   policy_arn = aws_iam_policy.eks-external-dns[count.index].arn
116 | }
117 | 
118 | resource "kubernetes_namespace" "external_dns" {
119 |   count = local.external_dns["enabled"] ? 1 : 0
120 | 
121 |   metadata {
122 |     annotations = {
123 |       "iam.amazonaws.com/permitted" = "${local.external_dns["create_iam_resources_kiam"] ? aws_iam_role.eks-external-dns-kiam[0].arn : "^$"}"
124 |     }
125 | 
126 |     labels = {
127 |       name = local.external_dns["namespace"]
128 |     }
129 | 
130 |     name = local.external_dns["namespace"]
131 |   }
132 | }
133 | 
134 | resource "helm_release" "external_dns" {
135 |   count                 = local.external_dns["enabled"] ? 1 : 0
136 |   repository            = local.external_dns["repository"]
137 |   name                  = local.external_dns["name"]
138 |   chart                 = local.external_dns["chart"]
139 |   version               = local.external_dns["chart_version"]
140 |   timeout               = local.external_dns["timeout"]
141 |   force_update          = local.external_dns["force_update"]
142 |   recreate_pods         = local.external_dns["recreate_pods"]
143 |   wait                  = local.external_dns["wait"]
144 |   atomic                = local.external_dns["atomic"]
145 |   cleanup_on_fail       = local.external_dns["cleanup_on_fail"]
146 |   dependency_update     = local.external_dns["dependency_update"]
147 |   disable_crd_hooks     = local.external_dns["disable_crd_hooks"]
148 |   disable_webhooks      = local.external_dns["disable_webhooks"]
149 |   render_subchart_notes = local.external_dns["render_subchart_notes"]
150 |   replace               = local.external_dns["replace"]
151 |   reset_values          = local.external_dns["reset_values"]
152 |   reuse_values          = local.external_dns["reuse_values"]
153 |   skip_crds             = local.external_dns["skip_crds"]
154 |   verify                = local.external_dns["verify"]
155 |   values = [
156 |     local.values_external_dns,
157 |     local.external_dns["extra_values"]
158 |   ]
159 |   namespace = kubernetes_namespace.external_dns.*.metadata.0.name[count.index]
160 | 
161 |   depends_on = [
162 |     helm_release.kiam,
163 |     helm_release.prometheus_operator
164 |   ]
165 | }
166 | 
167 | resource "kubernetes_network_policy" "external_dns_default_deny" {
168 |   count = local.external_dns["enabled"] && local.external_dns["default_network_policy"] ? 1 : 0
169 | 
170 |   metadata {
171 |     name      = "${kubernetes_namespace.external_dns.*.metadata.0.name[count.index]}-default-deny"
172 |     namespace = kubernetes_namespace.external_dns.*.metadata.0.name[count.index]
173 |   }
174 | 
175 |   spec {
176 |     pod_selector {
177 |     }
178 |     policy_types = ["Ingress"]
179 |   }
180 | }
181 | 
182 | resource "kubernetes_network_policy" "external_dns_allow_namespace" {
183 |   count = local.external_dns["enabled"] && local.external_dns["default_network_policy"] ? 1 : 0
184 | 
185 |   metadata {
186 |     name      = "${kubernetes_namespace.external_dns.*.metadata.0.name[count.index]}-allow-namespace"
187 |     namespace = kubernetes_namespace.external_dns.*.metadata.0.name[count.index]
188 |   }
189 | 
190 |   spec {
191 |     pod_selector {
192 |     }
193 | 
194 |     ingress {
195 |       from {
196 |         namespace_selector {
197 |           match_labels = {
198 |             name = kubernetes_namespace.external_dns.*.metadata.0.name[count.index]
199 |           }
200 |         }
201 |       }
202 |     }
203 | 
204 |     policy_types = ["Ingress"]
205 |   }
206 | }
207 | 
208 | resource "kubernetes_network_policy" "external_dns_allow_monitoring" {
209 |   count = local.external_dns["enabled"] && local.external_dns["default_network_policy"] && local.prometheus_operator["enabled"] ? 1 : 0
210 | 
211 |   metadata {
212 |     name      = "${kubernetes_namespace.external_dns.*.metadata.0.name[count.index]}-allow-monitoring"
213 |     namespace = kubernetes_namespace.external_dns.*.metadata.0.name[count.index]
214 |   }
215 | 
216 |   spec {
217 |     pod_selector {
218 |     }
219 | 
220 |     ingress {
221 |       ports {
222 |         port     = "http"
223 |         protocol = "TCP"
224 |       }
225 | 
226 |       from {
227 |         namespace_selector {
228 |           match_labels = {
229 |             name = kubernetes_namespace.prometheus_operator.*.metadata.0.name[count.index]
230 |           }
231 |         }
232 |       }
233 |     }
234 | 
235 |     policy_types = ["Ingress"]
236 |   }
237 | }
238 | 


--------------------------------------------------------------------------------
/fluentd-cloudwatch.tf:
--------------------------------------------------------------------------------
  1 | locals {
  2 | 
  3 |   fluentd_cloudwatch = merge(
  4 |     local.helm_defaults,
  5 |     {
  6 |       name                             = "fluentd-cloudwatch"
  7 |       namespace                        = "fluentd-cloudwatch"
  8 |       chart                            = "fluentd-cloudwatch"
  9 |       repository                       = "https://kubernetes-charts-incubator.storage.googleapis.com"
 10 |       service_account_name             = "fluentd-cloudwatch"
 11 |       create_iam_resources_kiam        = false
 12 |       create_iam_resources_irsa        = true
 13 |       enabled                          = false
 14 |       chart_version                    = "0.13.0"
 15 |       version                          = "v1.11-debian-cloudwatch-1"
 16 |       iam_policy_override              = ""
 17 |       default_network_policy           = true
 18 |       containers_log_retention_in_days = 180
 19 |     },
 20 |     var.fluentd_cloudwatch
 21 |   )
 22 | 
 23 |   values_fluentd_cloudwatch = <<VALUES
 24 | image:
 25 |   tag: ${local.fluentd_cloudwatch["version"]}
 26 | rbac:
 27 |   create: true
 28 |   pspEnabled: true
 29 |   serviceAccountAnnotations:
 30 |     eks.amazonaws.com/role-arn: "${local.fluentd_cloudwatch["enabled"] && local.fluentd_cloudwatch["create_iam_resources_irsa"] ? module.iam_assumable_role_fluentd_cloudwatch.this_iam_role_arn : ""}"
 31 | tolerations:
 32 |   - operator: Exists
 33 | awsRole: "${local.fluentd_cloudwatch["enabled"] && local.fluentd_cloudwatch["create_iam_resources_kiam"] ? aws_iam_role.eks-fluentd-cloudwatch-kiam[0].arn : ""}"
 34 | awsRegion: "${data.aws_region.current.name}"
 35 | logGroupName: "${local.fluentd_cloudwatch["enabled"] ? aws_cloudwatch_log_group.eks-fluentd-cloudwatch-log-group[0].name : ""}"
 36 | extraVars:
 37 |   - "{ name: FLUENT_UID, value: '0' }"
 38 | updateStrategy:
 39 |   type: RollingUpdate
 40 | priorityClassName: ${local.priority_class_ds["create"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : ""}
 41 | VALUES
 42 | }
 43 | 
 44 | module "iam_assumable_role_fluentd_cloudwatch" {
 45 |   source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
 46 |   version                       = "~> v2.0"
 47 |   create_role                   = local.fluentd_cloudwatch["enabled"] && local.fluentd_cloudwatch["create_iam_resources_irsa"]
 48 |   role_name                     = "tf-eks-${var.cluster-name}-fluentd-cloudwatch-irsa"
 49 |   provider_url                  = replace(var.eks["cluster_oidc_issuer_url"], "https://", "")
 50 |   role_policy_arns              = local.fluentd_cloudwatch["enabled"] && local.fluentd_cloudwatch["create_iam_resources_irsa"] ? [aws_iam_policy.eks-fluentd-cloudwatch[0].arn] : []
 51 |   oidc_fully_qualified_subjects = ["system:serviceaccount:${local.fluentd_cloudwatch["namespace"]}:${local.fluentd_cloudwatch["service_account_name"]}"]
 52 | }
 53 | 
 54 | resource "aws_iam_policy" "eks-fluentd-cloudwatch" {
 55 |   count  = local.fluentd_cloudwatch["enabled"] && (local.fluentd_cloudwatch["create_iam_resources_kiam"] || local.fluentd_cloudwatch["create_iam_resources_irsa"]) ? 1 : 0
 56 |   name   = "tf-eks-${var.cluster-name}-fluentd-cloudwatch"
 57 |   policy = local.fluentd_cloudwatch["iam_policy_override"] == "" ? data.aws_iam_policy_document.fluentd_cloudwatch.json : local.fluentd_cloudwatch["iam_policy_override"]
 58 | }
 59 | 
 60 | data "aws_iam_policy_document" "fluentd_cloudwatch" {
 61 |   statement {
 62 |     effect = "Allow"
 63 | 
 64 |     actions = [
 65 |       "logs:DescribeLogGroups",
 66 |       "logs:DescribeLogStreams",
 67 |       "logs:CreateLogGroup",
 68 |       "logs:CreateLogStream",
 69 |       "logs:PutLogEvents"
 70 |     ]
 71 | 
 72 |     resources = ["*"]
 73 |   }
 74 | }
 75 | 
 76 | resource "aws_cloudwatch_log_group" "eks-fluentd-cloudwatch-log-group" {
 77 |   count             = local.fluentd_cloudwatch["enabled"] ? 1 : 0
 78 |   name              = "/aws/eks/${var.cluster-name}/containers"
 79 |   retention_in_days = local.fluentd_cloudwatch["containers_log_retention_in_days"]
 80 | }
 81 | 
 82 | resource "aws_iam_role" "eks-fluentd-cloudwatch-kiam" {
 83 |   name  = "tf-eks-${var.cluster-name}-fluentd-cloudwatch-kiam"
 84 |   count = local.fluentd_cloudwatch["enabled"] && local.fluentd_cloudwatch["create_iam_resources_kiam"] ? 1 : 0
 85 | 
 86 |   assume_role_policy = <<POLICY
 87 | {
 88 |   "Version": "2012-10-17",
 89 |   "Statement": [
 90 |     {
 91 |       "Effect": "Allow",
 92 |       "Principal": {
 93 |         "Service": "ec2.amazonaws.com"
 94 |       },
 95 |       "Action": "sts:AssumeRole"
 96 |     },
 97 |     {
 98 |       "Sid": "",
 99 |       "Effect": "Allow",
100 |       "Principal": {
101 |         "AWS": "${aws_iam_role.eks-kiam-server-role[count.index].arn}"
102 |       },
103 |       "Action": "sts:AssumeRole"
104 |     }
105 |   ]
106 | }
107 | POLICY
108 | 
109 | }
110 | 
111 | resource "aws_iam_role_policy_attachment" "eks-fluentd-cloudwatch-kiam" {
112 |   count      = local.fluentd_cloudwatch["enabled"] && local.fluentd_cloudwatch["create_iam_resources_kiam"] ? 1 : 0
113 |   role       = aws_iam_role.eks-fluentd-cloudwatch-kiam[count.index].name
114 |   policy_arn = aws_iam_policy.eks-fluentd-cloudwatch[count.index].arn
115 | }
116 | 
117 | resource "kubernetes_namespace" "fluentd_cloudwatch" {
118 |   count = local.fluentd_cloudwatch["enabled"] ? 1 : 0
119 | 
120 |   metadata {
121 |     annotations = {
122 |       "iam.amazonaws.com/permitted" = "${local.fluentd_cloudwatch["create_iam_resources_kiam"] ? aws_iam_role.eks-fluentd-cloudwatch-kiam[0].arn : "^$"}"
123 |     }
124 | 
125 |     labels = {
126 |       name = local.fluentd_cloudwatch["namespace"]
127 |     }
128 | 
129 |     name = local.fluentd_cloudwatch["namespace"]
130 |   }
131 | }
132 | 
133 | resource "helm_release" "fluentd_cloudwatch" {
134 |   count                 = local.fluentd_cloudwatch["enabled"] ? 1 : 0
135 |   repository            = local.fluentd_cloudwatch["repository"]
136 |   name                  = local.fluentd_cloudwatch["name"]
137 |   chart                 = local.fluentd_cloudwatch["chart"]
138 |   version               = local.fluentd_cloudwatch["chart_version"]
139 |   timeout               = local.fluentd_cloudwatch["timeout"]
140 |   force_update          = local.fluentd_cloudwatch["force_update"]
141 |   recreate_pods         = local.fluentd_cloudwatch["recreate_pods"]
142 |   wait                  = local.fluentd_cloudwatch["wait"]
143 |   atomic                = local.fluentd_cloudwatch["atomic"]
144 |   cleanup_on_fail       = local.fluentd_cloudwatch["cleanup_on_fail"]
145 |   dependency_update     = local.fluentd_cloudwatch["dependency_update"]
146 |   disable_crd_hooks     = local.fluentd_cloudwatch["disable_crd_hooks"]
147 |   disable_webhooks      = local.fluentd_cloudwatch["disable_webhooks"]
148 |   render_subchart_notes = local.fluentd_cloudwatch["render_subchart_notes"]
149 |   replace               = local.fluentd_cloudwatch["replace"]
150 |   reset_values          = local.fluentd_cloudwatch["reset_values"]
151 |   reuse_values          = local.fluentd_cloudwatch["reuse_values"]
152 |   skip_crds             = local.fluentd_cloudwatch["skip_crds"]
153 |   verify                = local.fluentd_cloudwatch["verify"]
154 |   values = [
155 |     local.values_fluentd_cloudwatch,
156 |     local.fluentd_cloudwatch["extra_values"]
157 |   ]
158 |   namespace = kubernetes_namespace.fluentd_cloudwatch.*.metadata.0.name[count.index]
159 | 
160 |   depends_on = [
161 |     helm_release.kiam
162 |   ]
163 | }
164 | 
165 | resource "kubernetes_network_policy" "fluentd_cloudwatch_default_deny" {
166 |   count = local.fluentd_cloudwatch["enabled"] && local.fluentd_cloudwatch["default_network_policy"] ? 1 : 0
167 | 
168 |   metadata {
169 |     name      = "${kubernetes_namespace.fluentd_cloudwatch.*.metadata.0.name[count.index]}-default-deny"
170 |     namespace = kubernetes_namespace.fluentd_cloudwatch.*.metadata.0.name[count.index]
171 |   }
172 | 
173 |   spec {
174 |     pod_selector {
175 |     }
176 |     policy_types = ["Ingress"]
177 |   }
178 | }
179 | 
180 | resource "kubernetes_network_policy" "fluentd_cloudwatch_allow_namespace" {
181 |   count = local.fluentd_cloudwatch["enabled"] && local.fluentd_cloudwatch["default_network_policy"] ? 1 : 0
182 | 
183 |   metadata {
184 |     name      = "${kubernetes_namespace.fluentd_cloudwatch.*.metadata.0.name[count.index]}-allow-namespace"
185 |     namespace = kubernetes_namespace.fluentd_cloudwatch.*.metadata.0.name[count.index]
186 |   }
187 | 
188 |   spec {
189 |     pod_selector {
190 |     }
191 | 
192 |     ingress {
193 |       from {
194 |         namespace_selector {
195 |           match_labels = {
196 |             name = kubernetes_namespace.fluentd_cloudwatch.*.metadata.0.name[count.index]
197 |           }
198 |         }
199 |       }
200 |     }
201 | 
202 |     policy_types = ["Ingress"]
203 |   }
204 | }
205 | 
206 | 


--------------------------------------------------------------------------------
/flux.tf:
--------------------------------------------------------------------------------
  1 | locals {
  2 | 
  3 |   flux = merge(
  4 |     local.helm_defaults,
  5 |     {
  6 |       name                      = "flux"
  7 |       namespace                 = "flux"
  8 |       chart                     = "flux"
  9 |       repository                = "https://charts.fluxcd.io"
 10 |       service_account_name      = "flux"
 11 |       create_iam_resources_kiam = false
 12 |       create_iam_resources_irsa = true
 13 |       enabled                   = false
 14 |       chart_version             = "1.5.0"
 15 |       version                   = "1.20.2"
 16 |       default_network_policy    = true
 17 |     },
 18 |     var.flux
 19 |   )
 20 | 
 21 |   values_flux = <<VALUES
 22 | image:
 23 |   tag: ${local.flux["version"]}
 24 | rbac:
 25 |   create: true
 26 |   pspEnabled: true
 27 | syncGarbageCollection:
 28 |   enabled: true
 29 |   dry: false
 30 | annotations:
 31 |   iam.amazonaws.com/role: "${local.flux["enabled"] && local.flux["create_iam_resources_kiam"] ? aws_iam_role.eks-flux-kiam[0].arn : ""}"
 32 | serviceAccount:
 33 |   annotations:
 34 |     eks.amazonaws.com/role-arn: "${local.flux["enabled"] && local.flux["create_iam_resources_irsa"] ? module.iam_assumable_role_flux.this_iam_role_arn : ""}"
 35 | prometheus:
 36 |   enabled: ${local.prometheus_operator["enabled"]}
 37 |   serviceMonitor:
 38 |     create: ${local.prometheus_operator["enabled"]}
 39 | VALUES
 40 | }
 41 | 
 42 | module "iam_assumable_role_flux" {
 43 |   source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
 44 |   version                       = "~> v2.0"
 45 |   create_role                   = local.flux["enabled"] && local.flux["create_iam_resources_irsa"]
 46 |   role_name                     = "tf-eks-${var.cluster-name}-flux-irsa"
 47 |   provider_url                  = replace(var.eks["cluster_oidc_issuer_url"], "https://", "")
 48 |   role_policy_arns              = ["arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"]
 49 |   oidc_fully_qualified_subjects = ["system:serviceaccount:${local.flux["namespace"]}:${local.flux["service_account_name"]}"]
 50 | }
 51 | 
 52 | resource "aws_iam_role" "eks-flux-kiam" {
 53 |   name  = "tf-eks-${var.cluster-name}-flux-kiam"
 54 |   count = local.flux["enabled"] && local.flux["create_iam_resources_kiam"] ? 1 : 0
 55 | 
 56 |   assume_role_policy = <<POLICY
 57 | {
 58 |   "Version": "2012-10-17",
 59 |   "Statement": [
 60 |     {
 61 |       "Effect": "Allow",
 62 |       "Principal": {
 63 |         "Service": "ec2.amazonaws.com"
 64 |       },
 65 |       "Action": "sts:AssumeRole"
 66 |     },
 67 |     {
 68 |       "Sid": "",
 69 |       "Effect": "Allow",
 70 |       "Principal": {
 71 |         "AWS": "${aws_iam_role.eks-kiam-server-role[count.index].arn}"
 72 |       },
 73 |       "Action": "sts:AssumeRole"
 74 |     }
 75 |   ]
 76 | }
 77 | POLICY
 78 | }
 79 | 
 80 | resource "aws_iam_role_policy_attachment" "eks-flux-kiam" {
 81 |   count      = local.flux["enabled"] && local.flux["create_iam_resources_kiam"] ? 1 : 0
 82 |   role       = aws_iam_role.eks-flux-kiam[count.index].name
 83 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
 84 | }
 85 | 
 86 | resource "kubernetes_namespace" "flux" {
 87 |   count = local.flux["enabled"] ? 1 : 0
 88 | 
 89 |   metadata {
 90 |     annotations = {
 91 |       "iam.amazonaws.com/permitted" = "${local.flux["create_iam_resources_kiam"] ? aws_iam_role.eks-flux-kiam[0].arn : "^$"}"
 92 |     }
 93 | 
 94 |     labels = {
 95 |       name = local.flux["namespace"]
 96 |     }
 97 | 
 98 |     name = local.flux["namespace"]
 99 |   }
100 | }
101 | 
102 | resource "kubernetes_role" "flux" {
103 |   count = local.flux["enabled"] ? 1 : 0
104 | 
105 |   metadata {
106 |     name      = "flux-${kubernetes_namespace.flux.*.metadata.0.name[count.index]}"
107 |     namespace = kubernetes_namespace.flux.*.metadata.0.name[count.index]
108 |   }
109 | 
110 |   rule {
111 |     api_groups = ["", "batch", "extensions", "apps"]
112 |     resources  = ["*"]
113 |     verbs      = ["*"]
114 |   }
115 | }
116 | 
117 | resource "kubernetes_role_binding" "flux" {
118 |   count = local.flux["enabled"] ? 1 : 0
119 | 
120 |   metadata {
121 |     name      = "flux-${kubernetes_namespace.flux.*.metadata.0.name[count.index]}-binding"
122 |     namespace = kubernetes_namespace.flux.*.metadata.0.name[count.index]
123 |   }
124 | 
125 |   role_ref {
126 |     api_group = "rbac.authorization.k8s.io"
127 |     kind      = "Role"
128 |     name      = kubernetes_role.flux.*.metadata.0.name[count.index]
129 |   }
130 | 
131 |   subject {
132 |     kind      = "ServiceAccount"
133 |     name      = "flux"
134 |     namespace = "flux"
135 |   }
136 | }
137 | 
138 | resource "helm_release" "flux" {
139 |   count                 = local.flux["enabled"] ? 1 : 0
140 |   repository            = local.flux["repository"]
141 |   name                  = local.flux["name"]
142 |   chart                 = local.flux["chart"]
143 |   version               = local.flux["chart_version"]
144 |   timeout               = local.flux["timeout"]
145 |   force_update          = local.flux["force_update"]
146 |   recreate_pods         = local.flux["recreate_pods"]
147 |   wait                  = local.flux["wait"]
148 |   atomic                = local.flux["atomic"]
149 |   cleanup_on_fail       = local.flux["cleanup_on_fail"]
150 |   dependency_update     = local.flux["dependency_update"]
151 |   disable_crd_hooks     = local.flux["disable_crd_hooks"]
152 |   disable_webhooks      = local.flux["disable_webhooks"]
153 |   render_subchart_notes = local.flux["render_subchart_notes"]
154 |   replace               = local.flux["replace"]
155 |   reset_values          = local.flux["reset_values"]
156 |   reuse_values          = local.flux["reuse_values"]
157 |   skip_crds             = local.flux["skip_crds"]
158 |   verify                = local.flux["verify"]
159 |   values = [
160 |     local.values_flux,
161 |     local.flux["extra_values"]
162 |   ]
163 |   namespace = kubernetes_namespace.flux.*.metadata.0.name[count.index]
164 | 
165 |   depends_on = [
166 |     helm_release.kiam,
167 |     helm_release.prometheus_operator
168 |   ]
169 | }
170 | 
171 | resource "kubernetes_network_policy" "flux_default_deny" {
172 |   count = local.flux["enabled"] && local.flux["default_network_policy"] ? 1 : 0
173 | 
174 |   metadata {
175 |     name      = "${kubernetes_namespace.flux.*.metadata.0.name[count.index]}-default-deny"
176 |     namespace = kubernetes_namespace.flux.*.metadata.0.name[count.index]
177 |   }
178 | 
179 |   spec {
180 |     pod_selector {
181 |     }
182 |     policy_types = ["Ingress"]
183 |   }
184 | }
185 | 
186 | resource "kubernetes_network_policy" "flux_allow_namespace" {
187 |   count = local.flux["enabled"] && local.flux["default_network_policy"] ? 1 : 0
188 | 
189 |   metadata {
190 |     name      = "${kubernetes_namespace.flux.*.metadata.0.name[count.index]}-allow-namespace"
191 |     namespace = kubernetes_namespace.flux.*.metadata.0.name[count.index]
192 |   }
193 | 
194 |   spec {
195 |     pod_selector {
196 |     }
197 | 
198 |     ingress {
199 |       from {
200 |         namespace_selector {
201 |           match_labels = {
202 |             name = kubernetes_namespace.flux.*.metadata.0.name[count.index]
203 |           }
204 |         }
205 |       }
206 |     }
207 | 
208 |     policy_types = ["Ingress"]
209 |   }
210 | }
211 | 
212 | resource "kubernetes_network_policy" "flux_allow_monitoring" {
213 |   count = local.flux["enabled"] && local.flux["default_network_policy"] && local.prometheus_operator["enabled"] ? 1 : 0
214 | 
215 |   metadata {
216 |     name      = "${kubernetes_namespace.flux.*.metadata.0.name[count.index]}-allow-monitoring"
217 |     namespace = kubernetes_namespace.flux.*.metadata.0.name[count.index]
218 |   }
219 | 
220 |   spec {
221 |     pod_selector {
222 |     }
223 | 
224 |     ingress {
225 |       ports {
226 |         port     = "3030"
227 |         protocol = "TCP"
228 |       }
229 | 
230 |       from {
231 |         namespace_selector {
232 |           match_labels = {
233 |             name = kubernetes_namespace.prometheus_operator.*.metadata.0.name[count.index]
234 |           }
235 |         }
236 |       }
237 |     }
238 | 
239 |     policy_types = ["Ingress"]
240 |   }
241 | }
242 | 
243 | output flux-role-arn-kiam {
244 |   value = aws_iam_role.eks-flux-kiam.*.arn
245 | }
246 | 
247 | output flux-role-name-kiam {
248 |   value = aws_iam_role.eks-flux-kiam.*.name
249 | }
250 | 
251 | output flux-role-arn-irsa {
252 |   value = module.iam_assumable_role_flux.this_iam_role_arn
253 | }
254 | 
255 | output flux-role-name-irsa {
256 |   value = module.iam_assumable_role_flux.this_iam_role_name
257 | }
258 | 


--------------------------------------------------------------------------------
/istio-operator.tf:
--------------------------------------------------------------------------------
  1 | locals {
  2 |   istio_operator = merge(
  3 |     local.helm_defaults,
  4 |     {
  5 |       name                   = "istio-operator"
  6 |       namespace              = "istio-system"
  7 |       chart                  = "istio-operator"
  8 |       repository             = "https://clusterfrak-dynamics.github.io/istio/"
  9 |       enabled                = false
 10 |       chart_version          = "1.7.0"
 11 |       version                = "1.7.0"
 12 |       default_network_policy = true
 13 |     },
 14 |     var.istio_operator
 15 |   )
 16 | 
 17 |   values_istio_operator = <<VALUES
 18 | hub: istio
 19 | tag: ${local.istio_operator["version"]}-distroless
 20 | VALUES
 21 | }
 22 | 
 23 | resource "kubernetes_namespace" "istio_operator" {
 24 |   count = local.istio_operator["enabled"] ? 1 : 0
 25 | 
 26 |   metadata {
 27 |     labels = {
 28 |       name = local.istio_operator["namespace"]
 29 |     }
 30 | 
 31 |     name = local.istio_operator["namespace"]
 32 |   }
 33 | }
 34 | 
 35 | resource "helm_release" "istio_operator" {
 36 |   count                 = local.istio_operator["enabled"] ? 1 : 0
 37 |   repository            = local.istio_operator["repository"]
 38 |   name                  = local.istio_operator["name"]
 39 |   chart                 = local.istio_operator["chart"]
 40 |   version               = local.istio_operator["chart_version"]
 41 |   timeout               = local.istio_operator["timeout"]
 42 |   force_update          = local.istio_operator["force_update"]
 43 |   recreate_pods         = local.istio_operator["recreate_pods"]
 44 |   wait                  = local.istio_operator["wait"]
 45 |   atomic                = local.istio_operator["atomic"]
 46 |   cleanup_on_fail       = local.istio_operator["cleanup_on_fail"]
 47 |   dependency_update     = local.istio_operator["dependency_update"]
 48 |   disable_crd_hooks     = local.istio_operator["disable_crd_hooks"]
 49 |   disable_webhooks      = local.istio_operator["disable_webhooks"]
 50 |   render_subchart_notes = local.istio_operator["render_subchart_notes"]
 51 |   replace               = local.istio_operator["replace"]
 52 |   reset_values          = local.istio_operator["reset_values"]
 53 |   reuse_values          = local.istio_operator["reuse_values"]
 54 |   skip_crds             = local.istio_operator["skip_crds"]
 55 |   verify                = local.istio_operator["verify"]
 56 |   values = [
 57 |     local.values_istio_operator,
 58 |     local.istio_operator["extra_values"]
 59 |   ]
 60 |   namespace = kubernetes_namespace.istio_operator.*.metadata.0.name[count.index]
 61 | }
 62 | 
 63 | resource "kubernetes_network_policy" "istio_operator_default_deny" {
 64 |   count = local.istio_operator["enabled"] && local.istio_operator["default_network_policy"] ? 1 : 0
 65 | 
 66 |   metadata {
 67 |     name      = "${kubernetes_namespace.istio_operator.*.metadata.0.name[count.index]}-default-deny"
 68 |     namespace = kubernetes_namespace.istio_operator.*.metadata.0.name[count.index]
 69 |   }
 70 | 
 71 |   spec {
 72 |     pod_selector {
 73 |     }
 74 |     policy_types = ["Ingress"]
 75 |   }
 76 | }
 77 | 
 78 | resource "kubernetes_network_policy" "istio_operator_allow_namespace" {
 79 |   count = local.istio_operator["enabled"] && local.istio_operator["default_network_policy"] ? 1 : 0
 80 | 
 81 |   metadata {
 82 |     name      = "${kubernetes_namespace.istio_operator.*.metadata.0.name[count.index]}-allow-namespace"
 83 |     namespace = kubernetes_namespace.istio_operator.*.metadata.0.name[count.index]
 84 |   }
 85 | 
 86 |   spec {
 87 |     pod_selector {
 88 |     }
 89 | 
 90 |     ingress {
 91 |       from {
 92 |         namespace_selector {
 93 |           match_labels = {
 94 |             name = kubernetes_namespace.istio_operator.*.metadata.0.name[count.index]
 95 |           }
 96 |         }
 97 |       }
 98 |     }
 99 | 
100 |     policy_types = ["Ingress"]
101 |   }
102 | }
103 | 


--------------------------------------------------------------------------------
/karma.tf:
--------------------------------------------------------------------------------
  1 | locals {
  2 |   karma = merge(
  3 |     local.helm_defaults,
  4 |     {
  5 |       name                   = "karma"
  6 |       namespace              = "monitoring"
  7 |       chart                  = "karma"
  8 |       repository             = "https://kubernetes-charts.storage.googleapis.com/"
  9 |       create_ns              = false
 10 |       enabled                = false
 11 |       chart_version          = "1.5.2"
 12 |       version                = "v0.68"
 13 |       default_network_policy = true
 14 |     },
 15 |     var.karma
 16 |   )
 17 | 
 18 |   values_karma = <<VALUES
 19 | image:
 20 |   tag: ${local.karma["version"]}
 21 | VALUES
 22 | 
 23 | }
 24 | 
 25 | resource "kubernetes_namespace" "karma" {
 26 |   count = local.karma["enabled"] && local.karma["create_ns"] ? 1 : 0
 27 | 
 28 |   metadata {
 29 |     labels = {
 30 |       name = local.karma["namespace"]
 31 |     }
 32 | 
 33 |     name = local.karma["namespace"]
 34 |   }
 35 | }
 36 | 
 37 | resource "helm_release" "karma" {
 38 |   count                 = local.karma["enabled"] ? 1 : 0
 39 |   repository            = local.karma["repository"]
 40 |   name                  = local.karma["name"]
 41 |   chart                 = local.karma["chart"]
 42 |   version               = local.karma["chart_version"]
 43 |   timeout               = local.karma["timeout"]
 44 |   force_update          = local.karma["force_update"]
 45 |   recreate_pods         = local.karma["recreate_pods"]
 46 |   wait                  = local.karma["wait"]
 47 |   atomic                = local.karma["atomic"]
 48 |   cleanup_on_fail       = local.karma["cleanup_on_fail"]
 49 |   dependency_update     = local.karma["dependency_update"]
 50 |   disable_crd_hooks     = local.karma["disable_crd_hooks"]
 51 |   disable_webhooks      = local.karma["disable_webhooks"]
 52 |   render_subchart_notes = local.karma["render_subchart_notes"]
 53 |   replace               = local.karma["replace"]
 54 |   reset_values          = local.karma["reset_values"]
 55 |   reuse_values          = local.karma["reuse_values"]
 56 |   skip_crds             = local.karma["skip_crds"]
 57 |   verify                = local.karma["verify"]
 58 |   values = [
 59 |     local.values_karma,
 60 |     local.karma["extra_values"]
 61 |   ]
 62 |   namespace = local.karma["create_ns"] ? kubernetes_namespace.karma.*.metadata.0.name[count.index] : local.karma["namespace"]
 63 | 
 64 |   depends_on = [
 65 |     helm_release.prometheus_operator
 66 |   ]
 67 | }
 68 | 
 69 | resource "kubernetes_network_policy" "karma_default_deny" {
 70 |   count = local.karma["create_ns"] && local.karma["enabled"] && local.karma["default_network_policy"] ? 1 : 0
 71 | 
 72 |   metadata {
 73 |     name      = "${kubernetes_namespace.karma.*.metadata.0.name[count.index]}-default-deny"
 74 |     namespace = kubernetes_namespace.karma.*.metadata.0.name[count.index]
 75 |   }
 76 | 
 77 |   spec {
 78 |     pod_selector {
 79 |     }
 80 |     policy_types = ["Ingress"]
 81 |   }
 82 | }
 83 | 
 84 | resource "kubernetes_network_policy" "karma_allow_namespace" {
 85 |   count = local.karma["create_ns"] && local.karma["enabled"] && local.karma["default_network_policy"] ? 1 : 0
 86 | 
 87 |   metadata {
 88 |     name      = "${kubernetes_namespace.karma.*.metadata.0.name[count.index]}-allow-namespace"
 89 |     namespace = kubernetes_namespace.karma.*.metadata.0.name[count.index]
 90 |   }
 91 | 
 92 |   spec {
 93 |     pod_selector {
 94 |     }
 95 | 
 96 |     ingress {
 97 |       from {
 98 |         namespace_selector {
 99 |           match_labels = {
100 |             name = kubernetes_namespace.karma.*.metadata.0.name[count.index]
101 |           }
102 |         }
103 |       }
104 |     }
105 | 
106 |     policy_types = ["Ingress"]
107 |   }
108 | }
109 | 
110 | resource "kubernetes_network_policy" "karma_allow_ingress_nginx" {
111 |   count = local.karma["enabled"] && local.karma["default_network_policy"] ? 1 : 0
112 | 
113 |   metadata {
114 |     name      = "karma-allow-ingress-nginx"
115 |     namespace = local.karma["create_ns"] ? kubernetes_namespace.karma.*.metadata.0.name[count.index] : kubernetes_namespace.prometheus_operator.*.metadata.0.name[count.index]
116 |   }
117 | 
118 |   spec {
119 |     pod_selector {
120 |       match_expressions {
121 |         key      = "app.kubernetes.io/name"
122 |         operator = "In"
123 |         values   = ["karma"]
124 |       }
125 |     }
126 | 
127 |     ingress {
128 |       from {
129 |         namespace_selector {
130 |           match_labels = {
131 |             name = kubernetes_namespace.nginx_ingress.*.metadata.0.name[count.index]
132 |           }
133 |         }
134 |       }
135 |     }
136 | 
137 |     policy_types = ["Ingress"]
138 |   }
139 | }
140 | 


--------------------------------------------------------------------------------
/keycloak.tf:
--------------------------------------------------------------------------------
  1 | locals {
  2 |   keycloak = merge(
  3 |     local.helm_defaults,
  4 |     {
  5 |       name                   = "keycloak"
  6 |       namespace              = "keycloak"
  7 |       chart                  = "keycloak"
  8 |       repository             = "https://codecentric.github.io/helm-charts"
  9 |       prometheus_plugin      = true
 10 |       enabled                = false
 11 |       chart_version          = "9.0.6"
 12 |       version                = "11.0.2"
 13 |       default_network_policy = true
 14 |     },
 15 |     var.keycloak
 16 |   )
 17 | 
 18 |   values_keycloak = <<VALUES
 19 | image:
 20 |   tag: ${local.keycloak["version"]}
 21 | prometheus:
 22 |   operator:
 23 |     enabled: ${local.prometheus_operator["enabled"]}
 24 |     prometheusRules:
 25 |       enabled: ${local.prometheus_operator["enabled"]}
 26 | keycloak:
 27 |   priorityClassName: ${local.priority_class["create"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : ""}
 28 | VALUES
 29 | 
 30 |   values_keycloak_prometheus = <<VALUES
 31 | extraInitContainers: |
 32 |   - name: extensions
 33 |     image: busybox
 34 |     imagePullPolicy: IfNotPresent
 35 |     command:
 36 |       - sh
 37 |     args:
 38 |       - -c
 39 |       - |
 40 |         echo "Copying extensions..."
 41 |         wget -O /deployments/keycloak-metrics-spi.jar https://github.com/aerogear/keycloak-metrics-spi/releases/download/2.0.1/keycloak-metrics-spi-2.0.1.jar
 42 |     volumeMounts:
 43 |       - name: deployments
 44 |         mountPath: /deployments
 45 | 
 46 | extraVolumeMounts: |
 47 |   - name: deployments
 48 |     mountPath: /opt/jboss/keycloak/standalone/deployments
 49 | 
 50 | extraVolumes: |
 51 |   - name: deployments
 52 |     emptyDir: {}
 53 | VALUES
 54 | }
 55 | 
 56 | resource "kubernetes_namespace" "keycloak" {
 57 |   count = local.keycloak["enabled"] ? 1 : 0
 58 | 
 59 |   metadata {
 60 |     labels = {
 61 |       name = local.keycloak["namespace"]
 62 |     }
 63 | 
 64 |     name = local.keycloak["namespace"]
 65 |   }
 66 | }
 67 | 
 68 | resource "helm_release" "keycloak" {
 69 |   count                 = local.keycloak["enabled"] ? 1 : 0
 70 |   repository            = local.keycloak["repository"]
 71 |   name                  = local.keycloak["name"]
 72 |   chart                 = local.keycloak["chart"]
 73 |   version               = local.keycloak["chart_version"]
 74 |   timeout               = local.keycloak["timeout"]
 75 |   force_update          = local.keycloak["force_update"]
 76 |   recreate_pods         = local.keycloak["recreate_pods"]
 77 |   wait                  = local.keycloak["wait"]
 78 |   atomic                = local.keycloak["atomic"]
 79 |   cleanup_on_fail       = local.keycloak["cleanup_on_fail"]
 80 |   dependency_update     = local.keycloak["dependency_update"]
 81 |   disable_crd_hooks     = local.keycloak["disable_crd_hooks"]
 82 |   disable_webhooks      = local.keycloak["disable_webhooks"]
 83 |   render_subchart_notes = local.keycloak["render_subchart_notes"]
 84 |   replace               = local.keycloak["replace"]
 85 |   reset_values          = local.keycloak["reset_values"]
 86 |   reuse_values          = local.keycloak["reuse_values"]
 87 |   skip_crds             = local.keycloak["skip_crds"]
 88 |   verify                = local.keycloak["verify"]
 89 |   values = [
 90 |     local.values_keycloak,
 91 |     local.keycloak["prometheus_plugin"] ? local.values_keycloak_prometheus : "",
 92 |     local.keycloak["extra_values"]
 93 |   ]
 94 |   namespace = kubernetes_namespace.keycloak.*.metadata.0.name[count.index]
 95 | 
 96 |   depends_on = [
 97 |     helm_release.prometheus_operator
 98 |   ]
 99 | }
100 | 
101 | resource "kubernetes_network_policy" "keycloak_default_deny" {
102 |   count = local.keycloak["enabled"] && local.keycloak["default_network_policy"] ? 1 : 0
103 | 
104 |   metadata {
105 |     name      = "${kubernetes_namespace.keycloak.*.metadata.0.name[count.index]}-default-deny"
106 |     namespace = kubernetes_namespace.keycloak.*.metadata.0.name[count.index]
107 |   }
108 | 
109 |   spec {
110 |     pod_selector {
111 |     }
112 |     policy_types = ["Ingress"]
113 |   }
114 | }
115 | 
116 | resource "kubernetes_network_policy" "keycloak_allow_namespace" {
117 |   count = local.keycloak["enabled"] && local.keycloak["default_network_policy"] ? 1 : 0
118 | 
119 |   metadata {
120 |     name      = "${kubernetes_namespace.keycloak.*.metadata.0.name[count.index]}-allow-namespace"
121 |     namespace = kubernetes_namespace.keycloak.*.metadata.0.name[count.index]
122 |   }
123 | 
124 |   spec {
125 |     pod_selector {
126 |     }
127 | 
128 |     ingress {
129 |       from {
130 |         namespace_selector {
131 |           match_labels = {
132 |             name = kubernetes_namespace.keycloak.*.metadata.0.name[count.index]
133 |           }
134 |         }
135 |       }
136 |     }
137 | 
138 |     policy_types = ["Ingress"]
139 |   }
140 | }
141 | 
142 | resource "kubernetes_network_policy" "keycloak_allow_monitoring" {
143 |   count = local.keycloak["enabled"] && local.keycloak["default_network_policy"] && local.prometheus_operator["enabled"] ? 1 : 0
144 | 
145 |   metadata {
146 |     name      = "${kubernetes_namespace.keycloak.*.metadata.0.name[count.index]}-allow-monitoring"
147 |     namespace = kubernetes_namespace.keycloak.*.metadata.0.name[count.index]
148 |   }
149 | 
150 |   spec {
151 |     pod_selector {
152 |     }
153 | 
154 |     ingress {
155 |       ports {
156 |         port     = "8080"
157 |         protocol = "TCP"
158 |       }
159 | 
160 |       from {
161 |         namespace_selector {
162 |           match_labels = {
163 |             name = kubernetes_namespace.prometheus_operator.*.metadata.0.name[count.index]
164 |           }
165 |         }
166 |       }
167 |     }
168 | 
169 |     policy_types = ["Ingress"]
170 |   }
171 | }
172 | 


--------------------------------------------------------------------------------
/kiam.tf:
--------------------------------------------------------------------------------
  1 | locals {
  2 |   kiam = merge(
  3 |     local.helm_defaults,
  4 |     {
  5 |       name                        = "kiam"
  6 |       namespace                   = "kiam"
  7 |       chart                       = "kiam"
  8 |       repository                  = "https://uswitch.github.io/kiam-helm-charts/charts/"
  9 |       server_use_host_network     = true
 10 |       create_iam_user             = true
 11 |       create_iam_resources        = true
 12 |       enabled                     = false
 13 |       assume_role_policy_override = ""
 14 |       chart_version               = "5.10.0"
 15 |       version                     = "v3.6"
 16 |       iam_policy_override         = ""
 17 |       default_network_policy      = true
 18 |       iam_user                    = ""
 19 |     },
 20 |     var.kiam
 21 |   )
 22 | 
 23 |   values_kiam = <<VALUES
 24 | psp:
 25 |   create: true
 26 | agent:
 27 |   image:
 28 |     tag: ${local.kiam["version"]}
 29 |   host:
 30 |     interface: "eni+"
 31 |     iptables: true
 32 |   updateStrategy: "RollingUpdate"
 33 |   tolerations: ${local.kiam["server_use_host_network"] ? "[{'operator': 'Exists'}]" : "[]"}
 34 |   whiteListRouteRegexp: "^(/latest/dynamic/instance-identity/document|/latest/meta-data/placement/availability-zone)$"
 35 |   prometheus:
 36 |     servicemonitor:
 37 |       enabled: ${local.prometheus_operator["enabled"]}
 38 |   priorityClassName: ${local.priority_class_ds["create"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : ""}
 39 | server:
 40 |   service:
 41 |     targetPort: 11443
 42 |     port: 11443
 43 |   updateStrategy: "RollingUpdate"
 44 |   useHostNetwork: ${local.kiam["server_use_host_network"]}
 45 |   image:
 46 |     tag: ${local.kiam["version"]}
 47 |   assumeRoleArn: ${local.kiam["enabled"] && local.kiam["create_iam_resources"] ? aws_iam_role.eks-kiam-server-role[0].arn : ""}
 48 |   sslCertHostPath: "/etc/pki/ca-trust/extracted/pem"
 49 |   extraEnv:
 50 |     - name: AWS_DEFAULT_REGION
 51 |       value: ${data.aws_region.current.name}
 52 |     - name: AWS_ACCESS_KEY_ID
 53 |       value: ${local.kiam["enabled"] && local.kiam["create_iam_resources"] ? aws_iam_access_key.eks-kiam-user-key[0].id : ""}
 54 |     - name: AWS_SECRET_ACCESS_KEY
 55 |       value: ${local.kiam["enabled"] && local.kiam["create_iam_resources"] ? aws_iam_access_key.eks-kiam-user-key[0].secret : ""}
 56 |   prometheus:
 57 |     servicemonitor:
 58 |       enabled: ${local.prometheus_operator["enabled"]}
 59 |   priorityClassName: ${local.priority_class["create"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : ""}
 60 | VALUES
 61 | }
 62 | 
 63 | data "aws_iam_policy_document" "kiam" {
 64 |   statement {
 65 |     effect = "Allow"
 66 | 
 67 |     actions = [
 68 |       "sts:AssumeRole"
 69 |     ]
 70 | 
 71 |     resources = ["*"]
 72 |   }
 73 | }
 74 | 
 75 | resource "aws_iam_policy" "eks-kiam-server-node" {
 76 |   count = local.kiam["enabled"] && local.kiam["create_iam_resources"] ? 1 : 0
 77 |   name  = "tf-eks-${var.cluster-name}-kiam-server-node"
 78 | 
 79 |   policy = <<EOF
 80 | {
 81 |   "Version": "2012-10-17",
 82 |   "Statement": [
 83 |     {
 84 |       "Effect": "Allow",
 85 |       "Action": [
 86 |         "sts:AssumeRole"
 87 |       ],
 88 |       "Resource": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/tf-eks-${var.cluster-name}-kiam-server-role"
 89 |     }
 90 |   ]
 91 | }
 92 | EOF
 93 | 
 94 | }
 95 | 
 96 | resource "aws_iam_role" "eks-kiam-server-role" {
 97 |   count       = local.kiam["enabled"] && local.kiam["create_iam_resources"] ? 1 : 0
 98 |   name        = "tf-eks-${var.cluster-name}-kiam-server-role"
 99 |   description = "Role the Kiam Server process assumes"
100 | 
101 |   assume_role_policy = <<EOF
102 | {
103 |   "Version": "2012-10-17",
104 |   "Statement": [
105 |     {
106 |       "Sid": "",
107 |       "Effect": "Allow",
108 |       "Principal": {
109 |         "AWS": [
110 |           "${local.kiam["create_iam_user"] ? aws_iam_user.eks-kiam-user[0].arn : local.kiam["iam_user"]}"
111 |         ]
112 |       },
113 |       "Action": "sts:AssumeRole"
114 |     }
115 |   ]
116 | }
117 | EOF
118 | 
119 | }
120 | 
121 | resource "aws_iam_policy" "eks-kiam-server-policy" {
122 |   count       = local.kiam["enabled"] && local.kiam["create_iam_resources"] ? 1 : 0
123 |   name        = "tf-eks-${var.cluster-name}-kiam-server-policy"
124 |   description = "Policy for the Kiam Server process"
125 |   policy      = local.kiam["assume_role_policy_override"] == "" ? data.aws_iam_policy_document.kiam.json : local.kiam["assume_role_policy_override"]
126 | }
127 | 
128 | resource "aws_iam_user" "eks-kiam-user" {
129 |   count = local.kiam["enabled"] && local.kiam["create_iam_resources"] && local.kiam["create_iam_user"] ? 1 : 0
130 |   name  = "tf-eks-${var.cluster-name}-kiam-user"
131 | }
132 | 
133 | resource "aws_iam_access_key" "eks-kiam-user-key" {
134 |   count = local.kiam["enabled"] && local.kiam["create_iam_resources"] && local.kiam["create_iam_user"] ? 1 : 0
135 |   user  = aws_iam_user.eks-kiam-user[0].name
136 | }
137 | 
138 | resource "aws_iam_user_policy_attachment" "eks-kiam-user" {
139 |   count      = local.kiam["enabled"] && local.kiam["create_iam_resources"] && local.kiam["create_iam_user"] ? 1 : 0
140 |   user       = aws_iam_user.eks-kiam-user[0].name
141 |   policy_arn = aws_iam_policy.eks-kiam-server-node[0].arn
142 | }
143 | 
144 | resource "aws_iam_role_policy_attachment" "eks-kiam-server-policy" {
145 |   count      = local.kiam["enabled"] && local.kiam["create_iam_resources"] ? 1 : 0
146 |   role       = aws_iam_role.eks-kiam-server-role[0].name
147 |   policy_arn = aws_iam_policy.eks-kiam-server-policy[0].arn
148 | }
149 | 
150 | resource "kubernetes_namespace" "kiam" {
151 |   count = local.kiam["enabled"] ? 1 : 0
152 | 
153 |   metadata {
154 |     labels = {
155 |       name = local.kiam["namespace"]
156 |     }
157 | 
158 |     name = local.kiam["namespace"]
159 |   }
160 | }
161 | 
162 | resource "helm_release" "kiam" {
163 |   count                 = local.kiam["enabled"] ? 1 : 0
164 |   repository            = local.kiam["repository"]
165 |   name                  = local.kiam["name"]
166 |   chart                 = local.kiam["chart"]
167 |   version               = local.kiam["chart_version"]
168 |   timeout               = local.kiam["timeout"]
169 |   force_update          = local.kiam["force_update"]
170 |   recreate_pods         = local.kiam["recreate_pods"]
171 |   wait                  = local.kiam["wait"]
172 |   atomic                = local.kiam["atomic"]
173 |   cleanup_on_fail       = local.kiam["cleanup_on_fail"]
174 |   dependency_update     = local.kiam["dependency_update"]
175 |   disable_crd_hooks     = local.kiam["disable_crd_hooks"]
176 |   disable_webhooks      = local.kiam["disable_webhooks"]
177 |   render_subchart_notes = local.kiam["render_subchart_notes"]
178 |   replace               = local.kiam["replace"]
179 |   reset_values          = local.kiam["reset_values"]
180 |   reuse_values          = local.kiam["reuse_values"]
181 |   skip_crds             = local.kiam["skip_crds"]
182 |   verify                = local.kiam["verify"]
183 |   values = [
184 |     local.values_kiam,
185 |     local.kiam["extra_values"]
186 |   ]
187 |   namespace = kubernetes_namespace.kiam.*.metadata.0.name[count.index]
188 |   depends_on = [
189 |     helm_release.prometheus_operator
190 |   ]
191 | }
192 | 
193 | resource "kubernetes_network_policy" "kiam_default_deny" {
194 |   count = local.kiam["enabled"] && local.kiam["default_network_policy"] ? 1 : 0
195 | 
196 |   metadata {
197 |     name      = "${kubernetes_namespace.kiam.*.metadata.0.name[count.index]}-default-deny"
198 |     namespace = kubernetes_namespace.kiam.*.metadata.0.name[count.index]
199 |   }
200 | 
201 |   spec {
202 |     pod_selector {
203 |     }
204 |     policy_types = ["Ingress"]
205 |   }
206 | }
207 | 
208 | resource "kubernetes_network_policy" "kiam_allow_namespace" {
209 |   count = local.kiam["enabled"] && local.kiam["default_network_policy"] ? 1 : 0
210 | 
211 |   metadata {
212 |     name      = "${kubernetes_namespace.kiam.*.metadata.0.name[count.index]}-allow-namespace"
213 |     namespace = kubernetes_namespace.kiam.*.metadata.0.name[count.index]
214 |   }
215 | 
216 |   spec {
217 |     pod_selector {
218 |     }
219 | 
220 |     ingress {
221 |       from {
222 |         namespace_selector {
223 |           match_labels = {
224 |             name = kubernetes_namespace.kiam.*.metadata.0.name[count.index]
225 |           }
226 |         }
227 |       }
228 |     }
229 | 
230 |     policy_types = ["Ingress"]
231 |   }
232 | }
233 | 
234 | resource "kubernetes_network_policy" "kiam_allow_requests" {
235 |   count = local.kiam["enabled"] && local.kiam["default_network_policy"] ? 1 : 0
236 | 
237 |   metadata {
238 |     name      = "${kubernetes_namespace.kiam.*.metadata.0.name[count.index]}-allow-requests"
239 |     namespace = kubernetes_namespace.kiam.*.metadata.0.name[count.index]
240 |   }
241 | 
242 |   spec {
243 |     pod_selector {
244 |       match_expressions {
245 |         key      = "app"
246 |         operator = "In"
247 |         values   = ["kiam"]
248 |       }
249 | 
250 |       match_expressions {
251 |         key      = "component"
252 |         operator = "In"
253 |         values   = ["server"]
254 |       }
255 |     }
256 | 
257 |     ingress {
258 |       ports {
259 |         port     = "grpclb"
260 |         protocol = "TCP"
261 |       }
262 | 
263 |       from {
264 |         namespace_selector {
265 |         }
266 |         pod_selector {
267 |         }
268 |       }
269 |     }
270 | 
271 |     policy_types = ["Ingress"]
272 |   }
273 | }
274 | 
275 | resource "kubernetes_network_policy" "kiam_allow_monitoring" {
276 |   count = local.kiam["enabled"] && local.kiam["default_network_policy"] && local.prometheus_operator["enabled"] ? 1 : 0
277 | 
278 |   metadata {
279 |     name      = "${kubernetes_namespace.kiam.*.metadata.0.name[count.index]}-allow-monitoring"
280 |     namespace = kubernetes_namespace.kiam.*.metadata.0.name[count.index]
281 |   }
282 | 
283 |   spec {
284 |     pod_selector {
285 |     }
286 | 
287 |     ingress {
288 |       ports {
289 |         port     = "metrics"
290 |         protocol = "TCP"
291 |       }
292 | 
293 |       from {
294 |         namespace_selector {
295 |           match_labels = {
296 |             name = kubernetes_namespace.prometheus_operator.*.metadata.0.name[count.index]
297 |           }
298 |         }
299 |       }
300 |     }
301 | 
302 |     policy_types = ["Ingress"]
303 |   }
304 | }
305 | 
306 | output kiam-server-role-arn {
307 |   value = aws_iam_role.eks-kiam-server-role.*.arn
308 | }
309 | 
310 | output kiam-server-role-name {
311 |   value = aws_iam_role.eks-kiam-server-role.*.name
312 | }
313 | 


--------------------------------------------------------------------------------
/kong.tf:
--------------------------------------------------------------------------------
  1 | locals {
  2 | 
  3 |   kong = merge(
  4 |     local.helm_defaults,
  5 |     {
  6 |       name                   = "kong"
  7 |       namespace              = "kong"
  8 |       chart                  = "kong"
  9 |       repository             = "https://charts.konghq.com"
 10 |       enabled                = false
 11 |       default_network_policy = true
 12 |       ingress_cidr           = "0.0.0.0/0"
 13 |       chart_version          = "1.9.1"
 14 |       version                = "2.0"
 15 |     },
 16 |     var.kong
 17 |   )
 18 | 
 19 |   values_kong = <<VALUES
 20 | image:
 21 |   tag: "${local.kong["version"]}"
 22 | ingressController:
 23 |   enabled: true
 24 |   installCRDs: false
 25 |   resources:
 26 |     requests:
 27 |       cpu: 50m
 28 |       memory: 64Mi
 29 | postgresql:
 30 |   enabled: false
 31 | env:
 32 |   database: "off"
 33 | admin:
 34 |   type: ClusterIP
 35 | podSecurityPolicy:
 36 |   enabled: true
 37 | autoscaling:
 38 |   enabled: true
 39 | replicaCount: 2
 40 | serviceMonitor:
 41 |   enabled: ${local.prometheus_operator["enabled"]}
 42 | resources:
 43 |   requests:
 44 |     cpu: 100m
 45 |     memory: 128Mi
 46 | VALUES
 47 | }
 48 | 
 49 | resource "kubernetes_namespace" "kong" {
 50 |   count = local.kong["enabled"] ? 1 : 0
 51 | 
 52 |   metadata {
 53 |     labels = {
 54 |       name = local.kong["namespace"]
 55 |     }
 56 | 
 57 |     name = local.kong["namespace"]
 58 |   }
 59 | }
 60 | 
 61 | resource "helm_release" "kong" {
 62 |   count                 = local.kong["enabled"] ? 1 : 0
 63 |   repository            = local.kong["repository"]
 64 |   name                  = local.kong["name"]
 65 |   chart                 = local.kong["chart"]
 66 |   version               = local.kong["chart_version"]
 67 |   timeout               = local.kong["timeout"]
 68 |   force_update          = local.kong["force_update"]
 69 |   recreate_pods         = local.kong["recreate_pods"]
 70 |   wait                  = local.kong["wait"]
 71 |   atomic                = local.kong["atomic"]
 72 |   cleanup_on_fail       = local.kong["cleanup_on_fail"]
 73 |   dependency_update     = local.kong["dependency_update"]
 74 |   disable_crd_hooks     = local.kong["disable_crd_hooks"]
 75 |   disable_webhooks      = local.kong["disable_webhooks"]
 76 |   render_subchart_notes = local.kong["render_subchart_notes"]
 77 |   replace               = local.kong["replace"]
 78 |   reset_values          = local.kong["reset_values"]
 79 |   reuse_values          = local.kong["reuse_values"]
 80 |   skip_crds             = local.kong["skip_crds"]
 81 |   verify                = local.kong["verify"]
 82 |   values = [
 83 |     local.values_kong,
 84 |     local.kong["extra_values"]
 85 |   ]
 86 |   namespace = kubernetes_namespace.kong.*.metadata.0.name[count.index]
 87 | 
 88 |   depends_on = [
 89 |     helm_release.prometheus_operator
 90 |   ]
 91 | }
 92 | 
 93 | resource "kubernetes_network_policy" "kong_default_deny" {
 94 |   count = local.kong["enabled"] && local.kong["default_network_policy"] ? 1 : 0
 95 | 
 96 |   metadata {
 97 |     name      = "${kubernetes_namespace.kong.*.metadata.0.name[count.index]}-default-deny"
 98 |     namespace = kubernetes_namespace.kong.*.metadata.0.name[count.index]
 99 |   }
100 | 
101 |   spec {
102 |     pod_selector {
103 |     }
104 |     policy_types = ["Ingress"]
105 |   }
106 | }
107 | 
108 | resource "kubernetes_network_policy" "kong_allow_namespace" {
109 |   count = local.kong["enabled"] && local.kong["default_network_policy"] ? 1 : 0
110 | 
111 |   metadata {
112 |     name      = "${kubernetes_namespace.kong.*.metadata.0.name[count.index]}-allow-namespace"
113 |     namespace = kubernetes_namespace.kong.*.metadata.0.name[count.index]
114 |   }
115 | 
116 |   spec {
117 |     pod_selector {
118 |     }
119 | 
120 |     ingress {
121 |       from {
122 |         namespace_selector {
123 |           match_labels = {
124 |             name = kubernetes_namespace.kong.*.metadata.0.name[count.index]
125 |           }
126 |         }
127 |       }
128 |     }
129 | 
130 |     policy_types = ["Ingress"]
131 |   }
132 | }
133 | 
134 | resource "kubernetes_network_policy" "kong_allow_ingress" {
135 |   count = local.kong["enabled"] && local.kong["default_network_policy"] ? 1 : 0
136 | 
137 |   metadata {
138 |     name      = "${kubernetes_namespace.kong.*.metadata.0.name[count.index]}-allow-ingress"
139 |     namespace = kubernetes_namespace.kong.*.metadata.0.name[count.index]
140 |   }
141 | 
142 |   spec {
143 |     pod_selector {
144 |       match_expressions {
145 |         key      = "app"
146 |         operator = "In"
147 |         values   = ["kong"]
148 |       }
149 |     }
150 | 
151 |     ingress {
152 |       ports {
153 |         port     = "8000"
154 |         protocol = "TCP"
155 |       }
156 |       ports {
157 |         port     = "8443"
158 |         protocol = "TCP"
159 |       }
160 | 
161 |       from {
162 |         ip_block {
163 |           cidr = local.kong["ingress_cidr"]
164 |         }
165 |       }
166 |     }
167 | 
168 |     policy_types = ["Ingress"]
169 |   }
170 | }
171 | 
172 | resource "kubernetes_network_policy" "kong_allow_monitoring" {
173 |   count = local.kong["enabled"] && local.kong["default_network_policy"] && local.prometheus_operator["enabled"] ? 1 : 0
174 | 
175 |   metadata {
176 |     name      = "${kubernetes_namespace.kong.*.metadata.0.name[count.index]}-allow-monitoring"
177 |     namespace = kubernetes_namespace.kong.*.metadata.0.name[count.index]
178 |   }
179 | 
180 |   spec {
181 |     pod_selector {
182 |     }
183 | 
184 |     ingress {
185 |       ports {
186 |         port     = "metrics"
187 |         protocol = "TCP"
188 |       }
189 | 
190 |       from {
191 |         namespace_selector {
192 |           match_labels = {
193 |             name = kubernetes_namespace.prometheus_operator.*.metadata.0.name[count.index]
194 |           }
195 |         }
196 |       }
197 |     }
198 | 
199 |     policy_types = ["Ingress"]
200 |   }
201 | }
202 | 
203 | 


--------------------------------------------------------------------------------
/kube-prometheus.tf:
--------------------------------------------------------------------------------
  1 | locals {
  2 |   prometheus_operator = merge(
  3 |     local.helm_defaults,
  4 |     {
  5 |       name                   = "prometheus-operator"
  6 |       namespace              = "monitoring"
  7 |       chart                  = "prometheus-operator"
  8 |       repository             = "https://kubernetes-charts.storage.googleapis.com/"
  9 |       kiam_allowed_regexp    = "^$"
 10 |       enabled                = false
 11 |       chart_version          = "v9.3.1"
 12 |       allowed_cidr           = "0.0.0.0/0"
 13 |       default_network_policy = true
 14 |     },
 15 |     var.prometheus_operator
 16 |   )
 17 | 
 18 |   values_prometheus_operator = <<VALUES
 19 | kubeScheduler:
 20 |   enabled: false
 21 | kubeControllerManager:
 22 |   enabled: false
 23 | kubeEtcd:
 24 |   enabled: false
 25 | grafana:
 26 |   rbac:
 27 |     pspUseAppArmor: false
 28 |   adminPassword: ${join(",", random_string.grafana_password.*.result)}
 29 |   dashboardProviders:
 30 |     dashboardproviders.yaml:
 31 |       apiVersion: 1
 32 |       providers:
 33 |       - name: 'default' # Configure a dashboard provider file to
 34 |         orgId: 1        # put Kong dashboard into.
 35 |         folder: ''
 36 |         type: file
 37 |         disableDeletion: false
 38 |         editable: true
 39 |         options:
 40 |           path: /var/lib/grafana/dashboards/default
 41 |   dashboards:
 42 |     default:
 43 |       kong-dash:
 44 |         gnetId: 7424
 45 |         revision: 6
 46 |         datasource: Prometheus
 47 |       nginx-ingress:
 48 |         url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/nginx.json
 49 |       cluster-autoscaler:
 50 |         gnetId: 3831
 51 |         datasource: Prometheus
 52 | prometheus-node-exporter:
 53 |   priorityClassName: ${local.priority_class_ds["create"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : ""}
 54 | prometheus:
 55 |   prometheusSpec:
 56 |     priorityClassName: ${local.priority_class["create"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : ""}
 57 | alertmanager:
 58 |   alertmanagerSpec:
 59 |     priorityClassName: ${local.priority_class["create"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : ""}
 60 | VALUES
 61 | }
 62 | 
 63 | 
 64 | resource "kubernetes_namespace" "prometheus_operator" {
 65 |   count = local.prometheus_operator["enabled"] ? 1 : 0
 66 | 
 67 |   metadata {
 68 |     labels = {
 69 |       name = local.prometheus_operator["namespace"]
 70 |     }
 71 |     annotations = {
 72 |       "iam.amazonaws.com/permitted" = local.kiam["enabled"] ? local.prometheus_operator["kiam_allowed_regexp"] : "^$"
 73 |     }
 74 | 
 75 |     name = local.prometheus_operator["namespace"]
 76 |   }
 77 | }
 78 | 
 79 | resource "random_string" "grafana_password" {
 80 |   count   = local.prometheus_operator["enabled"] ? 1 : 0
 81 |   length  = 16
 82 |   special = false
 83 | }
 84 | 
 85 | resource "helm_release" "prometheus_operator" {
 86 |   count                 = local.prometheus_operator["enabled"] ? 1 : 0
 87 |   repository            = local.prometheus_operator["repository"]
 88 |   name                  = local.prometheus_operator["name"]
 89 |   chart                 = local.prometheus_operator["chart"]
 90 |   version               = local.prometheus_operator["chart_version"]
 91 |   timeout               = local.prometheus_operator["timeout"]
 92 |   force_update          = local.prometheus_operator["force_update"]
 93 |   recreate_pods         = local.prometheus_operator["recreate_pods"]
 94 |   wait                  = local.prometheus_operator["wait"]
 95 |   atomic                = local.prometheus_operator["atomic"]
 96 |   cleanup_on_fail       = local.prometheus_operator["cleanup_on_fail"]
 97 |   dependency_update     = local.prometheus_operator["dependency_update"]
 98 |   disable_crd_hooks     = local.prometheus_operator["disable_crd_hooks"]
 99 |   disable_webhooks      = local.prometheus_operator["disable_webhooks"]
100 |   render_subchart_notes = local.prometheus_operator["render_subchart_notes"]
101 |   replace               = local.prometheus_operator["replace"]
102 |   reset_values          = local.prometheus_operator["reset_values"]
103 |   reuse_values          = local.prometheus_operator["reuse_values"]
104 |   skip_crds             = local.prometheus_operator["skip_crds"]
105 |   verify                = local.prometheus_operator["verify"]
106 |   values = [
107 |     local.values_prometheus_operator,
108 |     local.prometheus_operator["extra_values"]
109 |   ]
110 |   namespace = kubernetes_namespace.prometheus_operator.*.metadata.0.name[count.index]
111 | }
112 | 
113 | resource "kubernetes_network_policy" "prometheus_operator_default_deny" {
114 |   count = local.prometheus_operator["enabled"] && local.prometheus_operator["default_network_policy"] ? 1 : 0
115 | 
116 |   metadata {
117 |     name      = "${kubernetes_namespace.prometheus_operator.*.metadata.0.name[count.index]}-default-deny"
118 |     namespace = kubernetes_namespace.prometheus_operator.*.metadata.0.name[count.index]
119 |   }
120 | 
121 |   spec {
122 |     pod_selector {
123 |     }
124 |     policy_types = ["Ingress"]
125 |   }
126 | }
127 | 
128 | resource "kubernetes_network_policy" "prometheus_operator_allow_namespace" {
129 |   count = local.prometheus_operator["enabled"] && local.prometheus_operator["default_network_policy"] ? 1 : 0
130 | 
131 |   metadata {
132 |     name      = "${kubernetes_namespace.prometheus_operator.*.metadata.0.name[count.index]}-allow-namespace"
133 |     namespace = kubernetes_namespace.prometheus_operator.*.metadata.0.name[count.index]
134 |   }
135 | 
136 |   spec {
137 |     pod_selector {
138 |     }
139 | 
140 |     ingress {
141 |       from {
142 |         namespace_selector {
143 |           match_labels = {
144 |             name = kubernetes_namespace.prometheus_operator.*.metadata.0.name[count.index]
145 |           }
146 |         }
147 |       }
148 |     }
149 | 
150 |     policy_types = ["Ingress"]
151 |   }
152 | }
153 | 
154 | resource "kubernetes_network_policy" "prometheus_operator_allow_ingress_nginx" {
155 |   count = local.prometheus_operator["enabled"] && local.prometheus_operator["default_network_policy"] && local.nginx_ingress["enabled"] ? 1 : 0
156 | 
157 |   metadata {
158 |     name      = "${kubernetes_namespace.prometheus_operator.*.metadata.0.name[count.index]}-allow-ingress-nginx"
159 |     namespace = kubernetes_namespace.prometheus_operator.*.metadata.0.name[count.index]
160 |   }
161 | 
162 |   spec {
163 |     pod_selector {
164 |       match_expressions {
165 |         key      = "app.kubernetes.io/name"
166 |         operator = "In"
167 |         values   = ["grafana"]
168 |       }
169 |     }
170 | 
171 |     ingress {
172 |       from {
173 |         namespace_selector {
174 |           match_labels = {
175 |             name = kubernetes_namespace.nginx_ingress.*.metadata.0.name[count.index]
176 |           }
177 |         }
178 |       }
179 |     }
180 | 
181 |     policy_types = ["Ingress"]
182 |   }
183 | }
184 | 
185 | resource "kubernetes_network_policy" "prometheus_operator_allow_control_plane" {
186 |   count = local.prometheus_operator["enabled"] && local.prometheus_operator["default_network_policy"] ? 1 : 0
187 | 
188 |   metadata {
189 |     name      = "${kubernetes_namespace.prometheus_operator.*.metadata.0.name[count.index]}-allow-control-plane"
190 |     namespace = kubernetes_namespace.prometheus_operator.*.metadata.0.name[count.index]
191 |   }
192 | 
193 |   spec {
194 |     pod_selector {
195 |       match_expressions {
196 |         key      = "app"
197 |         operator = "In"
198 |         values   = ["${local.prometheus_operator["name"]}-operator"]
199 |       }
200 |     }
201 | 
202 |     ingress {
203 |       ports {
204 |         port     = "8443"
205 |         protocol = "TCP"
206 |       }
207 | 
208 |       dynamic "from" {
209 |         for_each = local.prometheus_operator["allowed_cidrs"]
210 |         content {
211 |           ip_block {
212 |             cidr = from.value
213 |           }
214 |         }
215 |       }
216 |     }
217 | 
218 |     policy_types = ["Ingress"]
219 |   }
220 | }
221 | 
222 | 
223 | output "grafana_password" {
224 |   value     = random_string.grafana_password.*.result
225 |   sensitive = true
226 | }
227 | 


--------------------------------------------------------------------------------
/locals.tf:
--------------------------------------------------------------------------------
 1 | locals {
 2 | 
 3 |   helm_defaults_defaults = {
 4 |     atomic                = false
 5 |     cleanup_on_fail       = false
 6 |     dependency_update     = false
 7 |     disable_crd_hooks     = false
 8 |     disable_webhooks      = false
 9 |     force_update          = false
10 |     recreate_pods         = false
11 |     render_subchart_notes = true
12 |     replace               = false
13 |     reset_values          = false
14 |     reuse_values          = false
15 |     skip_crds             = false
16 |     timeout               = 3600
17 |     verify                = false
18 |     wait                  = true
19 |     extra_values          = ""
20 |   }
21 | 
22 |   helm_defaults = merge(
23 |     local.helm_defaults_defaults,
24 |     var.helm_defaults
25 |   )
26 | 
27 | }
28 | 


--------------------------------------------------------------------------------
/metrics-server.tf:
--------------------------------------------------------------------------------
  1 | locals {
  2 |   metrics_server = merge(
  3 |     local.helm_defaults,
  4 |     {
  5 |       name                   = "metrics-server"
  6 |       namespace              = "metrics-server"
  7 |       chart                  = "metrics-server"
  8 |       repository             = "https://kubernetes-charts.storage.googleapis.com/"
  9 |       enabled                = false
 10 |       chart_version          = "2.11.1"
 11 |       version                = "v0.3.6"
 12 |       default_network_policy = true
 13 |       allowed_cidrs          = ["0.0.0.0/0"]
 14 |     },
 15 |     var.metrics_server
 16 |   )
 17 | 
 18 |   values_metrics_server = <<VALUES
 19 | image:
 20 |   tag: ${local.metrics_server["version"]}
 21 | args:
 22 |   - --logtostderr
 23 |   - --kubelet-preferred-address-types=InternalIP,ExternalIP
 24 | rbac:
 25 |   pspEnabled: true
 26 | priorityClassName: ${local.priority_class["create"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : ""}
 27 | VALUES
 28 | 
 29 | }
 30 | 
 31 | resource "kubernetes_namespace" "metrics_server" {
 32 |   count = local.metrics_server["enabled"] ? 1 : 0
 33 | 
 34 |   metadata {
 35 |     labels = {
 36 |       name = local.metrics_server["namespace"]
 37 |     }
 38 | 
 39 |     name = local.metrics_server["namespace"]
 40 |   }
 41 | }
 42 | 
 43 | resource "helm_release" "metrics_server" {
 44 |   count                 = local.metrics_server["enabled"] ? 1 : 0
 45 |   repository            = local.metrics_server["repository"]
 46 |   name                  = local.metrics_server["name"]
 47 |   chart                 = local.metrics_server["chart"]
 48 |   version               = local.metrics_server["chart_version"]
 49 |   timeout               = local.metrics_server["timeout"]
 50 |   force_update          = local.metrics_server["force_update"]
 51 |   recreate_pods         = local.metrics_server["recreate_pods"]
 52 |   wait                  = local.metrics_server["wait"]
 53 |   atomic                = local.metrics_server["atomic"]
 54 |   cleanup_on_fail       = local.metrics_server["cleanup_on_fail"]
 55 |   dependency_update     = local.metrics_server["dependency_update"]
 56 |   disable_crd_hooks     = local.metrics_server["disable_crd_hooks"]
 57 |   disable_webhooks      = local.metrics_server["disable_webhooks"]
 58 |   render_subchart_notes = local.metrics_server["render_subchart_notes"]
 59 |   replace               = local.metrics_server["replace"]
 60 |   reset_values          = local.metrics_server["reset_values"]
 61 |   reuse_values          = local.metrics_server["reuse_values"]
 62 |   skip_crds             = local.metrics_server["skip_crds"]
 63 |   verify                = local.metrics_server["verify"]
 64 |   values = [
 65 |     local.values_metrics_server,
 66 |     local.metrics_server["extra_values"]
 67 |   ]
 68 |   namespace = kubernetes_namespace.metrics_server.*.metadata.0.name[count.index]
 69 | }
 70 | 
 71 | resource "kubernetes_network_policy" "metrics_server_default_deny" {
 72 |   count = local.metrics_server["enabled"] && local.metrics_server["default_network_policy"] ? 1 : 0
 73 | 
 74 |   metadata {
 75 |     name      = "${kubernetes_namespace.metrics_server.*.metadata.0.name[count.index]}-default-deny"
 76 |     namespace = kubernetes_namespace.metrics_server.*.metadata.0.name[count.index]
 77 |   }
 78 | 
 79 |   spec {
 80 |     pod_selector {
 81 |     }
 82 |     policy_types = ["Ingress"]
 83 |   }
 84 | }
 85 | 
 86 | resource "kubernetes_network_policy" "metrics_server_allow_namespace" {
 87 |   count = local.metrics_server["enabled"] && local.metrics_server["default_network_policy"] ? 1 : 0
 88 | 
 89 |   metadata {
 90 |     name      = "${kubernetes_namespace.metrics_server.*.metadata.0.name[count.index]}-allow-namespace"
 91 |     namespace = kubernetes_namespace.metrics_server.*.metadata.0.name[count.index]
 92 |   }
 93 | 
 94 |   spec {
 95 |     pod_selector {
 96 |     }
 97 | 
 98 |     ingress {
 99 |       from {
100 |         namespace_selector {
101 |           match_labels = {
102 |             name = kubernetes_namespace.metrics_server.*.metadata.0.name[count.index]
103 |           }
104 |         }
105 |       }
106 |     }
107 | 
108 |     policy_types = ["Ingress"]
109 |   }
110 | }
111 | 
112 | resource "kubernetes_network_policy" "metrics_server_allow_control_plane" {
113 |   count = local.metrics_server["enabled"] && local.metrics_server["default_network_policy"] ? 1 : 0
114 | 
115 |   metadata {
116 |     name      = "${kubernetes_namespace.metrics_server.*.metadata.0.name[count.index]}-allow-control-plane"
117 |     namespace = kubernetes_namespace.metrics_server.*.metadata.0.name[count.index]
118 |   }
119 | 
120 |   spec {
121 |     pod_selector {
122 |       match_expressions {
123 |         key      = "app"
124 |         operator = "In"
125 |         values   = ["metrics-server"]
126 |       }
127 |     }
128 | 
129 |     ingress {
130 |       ports {
131 |         port     = "8443"
132 |         protocol = "TCP"
133 |       }
134 | 
135 |       dynamic "from" {
136 |         for_each = local.metrics_server["allowed_cidrs"]
137 |         content {
138 |           ip_block {
139 |             cidr = from.value
140 |           }
141 |         }
142 |       }
143 |     }
144 | 
145 |     policy_types = ["Ingress"]
146 |   }
147 | }
148 | 
149 | 


--------------------------------------------------------------------------------
/nginx-ingress.tf:
--------------------------------------------------------------------------------
  1 | locals {
  2 | 
  3 |   nginx_ingress = merge(
  4 |     local.helm_defaults,
  5 |     {
  6 |       name                   = "ingress-nginx"
  7 |       namespace              = "ingress-nginx"
  8 |       chart                  = "ingress-nginx"
  9 |       repository             = "https://kubernetes.github.io/ingress-nginx"
 10 |       use_nlb                = false
 11 |       use_l7                 = false
 12 |       enabled                = false
 13 |       default_network_policy = true
 14 |       ingress_cidr           = "0.0.0.0/0"
 15 |       chart_version          = "2.15.0"
 16 |       version                = "0.35.0"
 17 |       allowed_cidrs          = ["0.0.0.0/0"]
 18 |     },
 19 |     var.nginx_ingress
 20 |   )
 21 | 
 22 |   values_nginx_ingress_l4 = <<VALUES
 23 | controller:
 24 |   metrics:
 25 |     enabled: ${local.prometheus_operator["enabled"]}
 26 |     serviceMonitor:
 27 |       enabled: ${local.prometheus_operator["enabled"]}
 28 |   image:
 29 |     tag: ${local.nginx_ingress["version"]}
 30 |   updateStrategy:
 31 |     type: RollingUpdate
 32 |   kind: "DaemonSet"
 33 |   service:
 34 |     annotations:
 35 |       service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
 36 |       service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
 37 |   publishService:
 38 |     enabled: true
 39 |   config:
 40 |     use-proxy-protocol: "true"
 41 |   priorityClassName: ${local.priority_class_ds["create"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : ""}
 42 | defaultBackend:
 43 |   replicaCount: 2
 44 | podSecurityPolicy:
 45 |   enabled: true
 46 | VALUES
 47 | 
 48 |   values_nginx_ingress_nlb = <<VALUES
 49 | controller:
 50 |   metrics:
 51 |     enabled: ${local.prometheus_operator["enabled"]}
 52 |     serviceMonitor:
 53 |       enabled: ${local.prometheus_operator["enabled"]}
 54 |   image:
 55 |     tag: ${local.nginx_ingress["version"]}
 56 |   updateStrategy:
 57 |     type: RollingUpdate
 58 |   kind: "DaemonSet"
 59 |   service:
 60 |     annotations:
 61 |       service.beta.kubernetes.io/aws-load-balancer-type: nlb
 62 |     externalTrafficPolicy: "Local"
 63 |   publishService:
 64 |     enabled: true
 65 |   config:
 66 |     use-proxy-protocol: "false"
 67 |   priorityClassName: ${local.priority_class_ds["create"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : ""}
 68 | defaultBackend:
 69 |   replicaCount: 2
 70 | podSecurityPolicy:
 71 |   enabled: true
 72 | VALUES
 73 | 
 74 |   values_nginx_ingress_l7 = <<VALUES
 75 | controller:
 76 |   metrics:
 77 |     enabled: ${local.prometheus_operator["enabled"]}
 78 |     serviceMonitor:
 79 |       enabled: ${local.prometheus_operator["enabled"]}
 80 |   image:
 81 |     tag: ${local.nginx_ingress["version"]}
 82 |   updateStrategy:
 83 |     type: RollingUpdate
 84 |   kind: "DaemonSet"
 85 |   service:
 86 |     targetPorts:
 87 |       http: http
 88 |       https: http
 89 |     annotations:
 90 |       service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
 91 |       service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
 92 |       service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
 93 |     externalTrafficPolicy: "Cluster"
 94 |   publishService:
 95 |     enabled: true
 96 |   config:
 97 |     use-proxy-protocol: "false"
 98 |     use-forwarded-headers: "true"
 99 |     proxy-real-ip-cidr: "0.0.0.0/0"
100 |   priorityClassName: ${local.priority_class_ds["create"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : ""}
101 | defaultBackend:
102 |   replicaCount: 2
103 | podSecurityPolicy:
104 |   enabled: true
105 | VALUES
106 | 
107 | }
108 | 
109 | resource "kubernetes_namespace" "nginx_ingress" {
110 |   count = local.nginx_ingress["enabled"] ? 1 : 0
111 | 
112 |   metadata {
113 |     labels = {
114 |       name = local.nginx_ingress["namespace"]
115 |     }
116 | 
117 |     name = local.nginx_ingress["namespace"]
118 |   }
119 | }
120 | 
121 | resource "helm_release" "nginx_ingress" {
122 |   count                 = local.nginx_ingress["enabled"] ? 1 : 0
123 |   repository            = local.nginx_ingress["repository"]
124 |   name                  = local.nginx_ingress["name"]
125 |   chart                 = local.nginx_ingress["chart"]
126 |   version               = local.nginx_ingress["chart_version"]
127 |   timeout               = local.nginx_ingress["timeout"]
128 |   force_update          = local.nginx_ingress["force_update"]
129 |   recreate_pods         = local.nginx_ingress["recreate_pods"]
130 |   wait                  = local.nginx_ingress["wait"]
131 |   atomic                = local.nginx_ingress["atomic"]
132 |   cleanup_on_fail       = local.nginx_ingress["cleanup_on_fail"]
133 |   dependency_update     = local.nginx_ingress["dependency_update"]
134 |   disable_crd_hooks     = local.nginx_ingress["disable_crd_hooks"]
135 |   disable_webhooks      = local.nginx_ingress["disable_webhooks"]
136 |   render_subchart_notes = local.nginx_ingress["render_subchart_notes"]
137 |   replace               = local.nginx_ingress["replace"]
138 |   reset_values          = local.nginx_ingress["reset_values"]
139 |   reuse_values          = local.nginx_ingress["reuse_values"]
140 |   skip_crds             = local.nginx_ingress["skip_crds"]
141 |   verify                = local.nginx_ingress["verify"]
142 |   values = [
143 |     local.nginx_ingress["use_nlb"] ? local.values_nginx_ingress_nlb : local.nginx_ingress["use_l7"] ? local.values_nginx_ingress_l7 : local.values_nginx_ingress_l4,
144 |     local.nginx_ingress["extra_values"],
145 |   ]
146 |   namespace = kubernetes_namespace.nginx_ingress.*.metadata.0.name[count.index]
147 | 
148 |   depends_on = [
149 |     helm_release.prometheus_operator
150 |   ]
151 | }
152 | 
153 | resource "kubernetes_network_policy" "nginx_ingress_default_deny" {
154 |   count = local.nginx_ingress["enabled"] && local.nginx_ingress["default_network_policy"] ? 1 : 0
155 | 
156 |   metadata {
157 |     name      = "${kubernetes_namespace.nginx_ingress.*.metadata.0.name[count.index]}-default-deny"
158 |     namespace = kubernetes_namespace.nginx_ingress.*.metadata.0.name[count.index]
159 |   }
160 | 
161 |   spec {
162 |     pod_selector {
163 |     }
164 |     policy_types = ["Ingress"]
165 |   }
166 | }
167 | 
168 | resource "kubernetes_network_policy" "nginx_ingress_allow_namespace" {
169 |   count = local.nginx_ingress["enabled"] && local.nginx_ingress["default_network_policy"] ? 1 : 0
170 | 
171 |   metadata {
172 |     name      = "${kubernetes_namespace.nginx_ingress.*.metadata.0.name[count.index]}-allow-namespace"
173 |     namespace = kubernetes_namespace.nginx_ingress.*.metadata.0.name[count.index]
174 |   }
175 | 
176 |   spec {
177 |     pod_selector {
178 |     }
179 | 
180 |     ingress {
181 |       from {
182 |         namespace_selector {
183 |           match_labels = {
184 |             name = kubernetes_namespace.nginx_ingress.*.metadata.0.name[count.index]
185 |           }
186 |         }
187 |       }
188 |     }
189 | 
190 |     policy_types = ["Ingress"]
191 |   }
192 | }
193 | 
194 | resource "kubernetes_network_policy" "nginx_ingress_allow_ingress" {
195 |   count = local.nginx_ingress["enabled"] && local.nginx_ingress["default_network_policy"] ? 1 : 0
196 | 
197 |   metadata {
198 |     name      = "${kubernetes_namespace.nginx_ingress.*.metadata.0.name[count.index]}-allow-ingress"
199 |     namespace = kubernetes_namespace.nginx_ingress.*.metadata.0.name[count.index]
200 |   }
201 | 
202 |   spec {
203 |     pod_selector {
204 |       match_expressions {
205 |         key      = "app.kubernetes.io/name"
206 |         operator = "In"
207 |         values   = ["ingress-nginx"]
208 |       }
209 |     }
210 | 
211 |     ingress {
212 |       ports {
213 |         port     = "80"
214 |         protocol = "TCP"
215 |       }
216 |       ports {
217 |         port     = "443"
218 |         protocol = "TCP"
219 |       }
220 | 
221 |       from {
222 |         ip_block {
223 |           cidr = local.nginx_ingress["ingress_cidr"]
224 |         }
225 |       }
226 |     }
227 | 
228 |     policy_types = ["Ingress"]
229 |   }
230 | }
231 | 
232 | resource "kubernetes_network_policy" "nginx_ingress_allow_monitoring" {
233 |   count = local.nginx_ingress["enabled"] && local.nginx_ingress["default_network_policy"] && local.prometheus_operator["enabled"] ? 1 : 0
234 | 
235 |   metadata {
236 |     name      = "${kubernetes_namespace.nginx_ingress.*.metadata.0.name[count.index]}-allow-monitoring"
237 |     namespace = kubernetes_namespace.nginx_ingress.*.metadata.0.name[count.index]
238 |   }
239 | 
240 |   spec {
241 |     pod_selector {
242 |     }
243 | 
244 |     ingress {
245 |       ports {
246 |         port     = "metrics"
247 |         protocol = "TCP"
248 |       }
249 | 
250 |       from {
251 |         namespace_selector {
252 |           match_labels = {
253 |             name = kubernetes_namespace.prometheus_operator.*.metadata.0.name[count.index]
254 |           }
255 |         }
256 |       }
257 |     }
258 | 
259 |     policy_types = ["Ingress"]
260 |   }
261 | }
262 | 
263 | resource "kubernetes_network_policy" "nginx_ingress_allow_control_plane" {
264 |   count = local.nginx_ingress["enabled"] && local.nginx_ingress["default_network_policy"] ? 1 : 0
265 | 
266 |   metadata {
267 |     name      = "${kubernetes_namespace.nginx_ingress.*.metadata.0.name[count.index]}-allow-control-plane"
268 |     namespace = kubernetes_namespace.nginx_ingress.*.metadata.0.name[count.index]
269 |   }
270 | 
271 |   spec {
272 |     pod_selector {
273 |       match_expressions {
274 |         key      = "app.kubernetes.io/name"
275 |         operator = "In"
276 |         values   = ["ingress-nginx"]
277 |       }
278 |     }
279 | 
280 |     ingress {
281 |       ports {
282 |         port     = "8443"
283 |         protocol = "TCP"
284 |       }
285 | 
286 |       dynamic "from" {
287 |         for_each = local.nginx_ingress["allowed_cidrs"]
288 |         content {
289 |           ip_block {
290 |             cidr = from.value
291 |           }
292 |         }
293 |       }
294 |     }
295 | 
296 |     policy_types = ["Ingress"]
297 |   }
298 | }
299 | 


--------------------------------------------------------------------------------
/node-problem-detector.tf:
--------------------------------------------------------------------------------
  1 | locals {
  2 |   npd = merge(
  3 |     local.helm_defaults,
  4 |     {
  5 |       name                   = "node-problem-detector"
  6 |       namespace              = "node-problem-detector"
  7 |       chart                  = "node-problem-detector"
  8 |       repository             = "https://kubernetes-charts.storage.googleapis.com/"
  9 |       enabled                = false
 10 |       chart_version          = "1.7.1"
 11 |       version                = "v0.8.1"
 12 |       default_network_policy = true
 13 |     },
 14 |     var.npd
 15 |   )
 16 | 
 17 |   values_npd = <<VALUES
 18 | rbac:
 19 |   pspEnabled: true
 20 | image:
 21 |   tag: ${local.npd["version"]}
 22 | priorityClassName: ${local.priority_class_ds["create"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : ""}
 23 | VALUES
 24 | 
 25 | }
 26 | 
 27 | resource "kubernetes_namespace" "node_problem_detector" {
 28 |   count = local.npd["enabled"] ? 1 : 0
 29 | 
 30 |   metadata {
 31 |     labels = {
 32 |       name = local.npd["namespace"]
 33 |     }
 34 | 
 35 |     name = local.npd["namespace"]
 36 |   }
 37 | }
 38 | 
 39 | resource "helm_release" "node_problem_detector" {
 40 |   count                 = local.npd["enabled"] ? 1 : 0
 41 |   repository            = local.npd["repository"]
 42 |   name                  = local.npd["name"]
 43 |   chart                 = local.npd["chart"]
 44 |   version               = local.npd["chart_version"]
 45 |   timeout               = local.npd["timeout"]
 46 |   force_update          = local.npd["force_update"]
 47 |   recreate_pods         = local.npd["recreate_pods"]
 48 |   wait                  = local.npd["wait"]
 49 |   atomic                = local.npd["atomic"]
 50 |   cleanup_on_fail       = local.npd["cleanup_on_fail"]
 51 |   dependency_update     = local.npd["dependency_update"]
 52 |   disable_crd_hooks     = local.npd["disable_crd_hooks"]
 53 |   disable_webhooks      = local.npd["disable_webhooks"]
 54 |   render_subchart_notes = local.npd["render_subchart_notes"]
 55 |   replace               = local.npd["replace"]
 56 |   reset_values          = local.npd["reset_values"]
 57 |   reuse_values          = local.npd["reuse_values"]
 58 |   skip_crds             = local.npd["skip_crds"]
 59 |   verify                = local.npd["verify"]
 60 |   values = [
 61 |     local.values_npd,
 62 |     local.npd["extra_values"]
 63 |   ]
 64 |   namespace = kubernetes_namespace.node_problem_detector.*.metadata.0.name[count.index]
 65 | }
 66 | 
 67 | resource "kubernetes_network_policy" "npd_default_deny" {
 68 |   count = local.npd["enabled"] && local.npd["default_network_policy"] ? 1 : 0
 69 | 
 70 |   metadata {
 71 |     name      = "${kubernetes_namespace.node_problem_detector.*.metadata.0.name[count.index]}-default-deny"
 72 |     namespace = kubernetes_namespace.node_problem_detector.*.metadata.0.name[count.index]
 73 |   }
 74 | 
 75 |   spec {
 76 |     pod_selector {
 77 |     }
 78 |     policy_types = ["Ingress"]
 79 |   }
 80 | }
 81 | 
 82 | resource "kubernetes_network_policy" "npd_allow_namespace" {
 83 |   count = local.npd["enabled"] && local.npd["default_network_policy"] ? 1 : 0
 84 | 
 85 |   metadata {
 86 |     name      = "${kubernetes_namespace.node_problem_detector.*.metadata.0.name[count.index]}-allow-namespace"
 87 |     namespace = kubernetes_namespace.node_problem_detector.*.metadata.0.name[count.index]
 88 |   }
 89 | 
 90 |   spec {
 91 |     pod_selector {
 92 |     }
 93 | 
 94 |     ingress {
 95 |       from {
 96 |         namespace_selector {
 97 |           match_labels = {
 98 |             name = kubernetes_namespace.node_problem_detector.*.metadata.0.name[count.index]
 99 |           }
100 |         }
101 |       }
102 |     }
103 | 
104 |     policy_types = ["Ingress"]
105 |   }
106 | }
107 | 
108 | 


--------------------------------------------------------------------------------
/priority-class.tf:
--------------------------------------------------------------------------------
 1 | locals {
 2 |   priority_class_ds = merge(
 3 |     {
 4 |       create = true
 5 |       name   = "kubernetes-addons-ds"
 6 |       value  = "10000"
 7 | 
 8 |     },
 9 |     var.priority_class_ds
10 |   )
11 |   priority_class = merge(
12 |     {
13 |       create = true
14 |       name   = "kubernetes-addons"
15 |       value  = "9000"
16 | 
17 |     },
18 |     var.priority_class
19 |   )
20 | }
21 | 
22 | resource "kubernetes_priority_class" "kubernetes_addons_ds" {
23 |   count = local.priority_class_ds["create"] ? 1 : 0
24 |   metadata {
25 |     name = local.priority_class_ds["name"]
26 |   }
27 | 
28 |   value = local.priority_class_ds["value"]
29 | }
30 | 
31 | resource "kubernetes_priority_class" "kubernetes_addons" {
32 |   count = local.priority_class["create"] ? 1 : 0
33 |   metadata {
34 |     name = local.priority_class["name"]
35 |   }
36 | 
37 |   value = local.priority_class["value"]
38 | }
39 | 


--------------------------------------------------------------------------------
/sealed-secrets.tf:
--------------------------------------------------------------------------------
  1 | locals {
  2 | 
  3 |   sealed_secrets = merge(
  4 |     local.helm_defaults,
  5 |     {
  6 |       name                   = "sealed-secrets"
  7 |       namespace              = "sealed-secrets"
  8 |       chart                  = "sealed-secrets"
  9 |       repository             = "https://kubernetes-charts.storage.googleapis.com/"
 10 |       enabled                = false
 11 |       chart_version          = "1.10.3"
 12 |       version                = "v0.12.4"
 13 |       default_network_policy = true
 14 |     },
 15 |     var.sealed_secrets
 16 |   )
 17 | 
 18 |   values_sealed_secrets = <<VALUES
 19 | rbac:
 20 |   pspEnabled: true
 21 | image:
 22 |   tag: ${local.sealed_secrets["version"]}
 23 | priorityClassName: ${local.priority_class["create"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : ""}
 24 | VALUES
 25 | 
 26 | }
 27 | 
 28 | resource "kubernetes_namespace" "sealed_secrets" {
 29 |   count = local.sealed_secrets["enabled"] ? 1 : 0
 30 | 
 31 |   metadata {
 32 |     labels = {
 33 |       name = local.sealed_secrets["namespace"]
 34 |     }
 35 | 
 36 |     name = local.sealed_secrets["namespace"]
 37 |   }
 38 | }
 39 | 
 40 | resource "helm_release" "sealed_secrets" {
 41 |   count                 = local.sealed_secrets["enabled"] ? 1 : 0
 42 |   repository            = local.sealed_secrets["repository"]
 43 |   name                  = local.sealed_secrets["name"]
 44 |   chart                 = local.sealed_secrets["chart"]
 45 |   version               = local.sealed_secrets["chart_version"]
 46 |   timeout               = local.sealed_secrets["timeout"]
 47 |   force_update          = local.sealed_secrets["force_update"]
 48 |   recreate_pods         = local.sealed_secrets["recreate_pods"]
 49 |   wait                  = local.sealed_secrets["wait"]
 50 |   atomic                = local.sealed_secrets["atomic"]
 51 |   cleanup_on_fail       = local.sealed_secrets["cleanup_on_fail"]
 52 |   dependency_update     = local.sealed_secrets["dependency_update"]
 53 |   disable_crd_hooks     = local.sealed_secrets["disable_crd_hooks"]
 54 |   disable_webhooks      = local.sealed_secrets["disable_webhooks"]
 55 |   render_subchart_notes = local.sealed_secrets["render_subchart_notes"]
 56 |   replace               = local.sealed_secrets["replace"]
 57 |   reset_values          = local.sealed_secrets["reset_values"]
 58 |   reuse_values          = local.sealed_secrets["reuse_values"]
 59 |   skip_crds             = local.sealed_secrets["skip_crds"]
 60 |   verify                = local.sealed_secrets["verify"]
 61 |   values = [
 62 |     local.values_sealed_secrets,
 63 |     local.sealed_secrets["extra_values"]
 64 |   ]
 65 |   namespace = kubernetes_namespace.sealed_secrets.*.metadata.0.name[count.index]
 66 | }
 67 | 
 68 | resource "kubernetes_network_policy" "sealed_secrets_default_deny" {
 69 |   count = local.sealed_secrets["enabled"] && local.sealed_secrets["default_network_policy"] ? 1 : 0
 70 | 
 71 |   metadata {
 72 |     name      = "${kubernetes_namespace.sealed_secrets.*.metadata.0.name[count.index]}-default-deny"
 73 |     namespace = kubernetes_namespace.sealed_secrets.*.metadata.0.name[count.index]
 74 |   }
 75 | 
 76 |   spec {
 77 |     pod_selector {
 78 |     }
 79 |     policy_types = ["Ingress"]
 80 |   }
 81 | }
 82 | 
 83 | resource "kubernetes_network_policy" "sealed_secrets_allow_namespace" {
 84 |   count = local.sealed_secrets["enabled"] && local.sealed_secrets["default_network_policy"] ? 1 : 0
 85 | 
 86 |   metadata {
 87 |     name      = "${kubernetes_namespace.sealed_secrets.*.metadata.0.name[count.index]}-allow-namespace"
 88 |     namespace = kubernetes_namespace.sealed_secrets.*.metadata.0.name[count.index]
 89 |   }
 90 | 
 91 |   spec {
 92 |     pod_selector {
 93 |     }
 94 | 
 95 |     ingress {
 96 |       from {
 97 |         namespace_selector {
 98 |           match_labels = {
 99 |             name = kubernetes_namespace.sealed_secrets.*.metadata.0.name[count.index]
100 |           }
101 |         }
102 |       }
103 |     }
104 | 
105 |     policy_types = ["Ingress"]
106 |   }
107 | }
108 | 
109 | 


--------------------------------------------------------------------------------
/templates/cert-manager-cluster-issuers.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | apiVersion: cert-manager.io/v1
 3 | kind: ClusterIssuer
 4 | metadata:
 5 |   name: letsencrypt-staging
 6 | spec:
 7 |   acme:
 8 |     server: https://acme-staging-v02.api.letsencrypt.org/directory
 9 |     email: '${acme_email}'
10 |     privateKeySecretRef:
11 |       name: letsencrypt-staging
12 |     solvers:
13 |     - dns01:
14 |         route53:
15 |           region: '${aws_region}'
16 | ---
17 | apiVersion: cert-manager.io/v1
18 | kind: ClusterIssuer
19 | metadata:
20 |   name: letsencrypt
21 | spec:
22 |   acme:
23 |     server: https://acme-v02.api.letsencrypt.org/directory
24 |     email: '${acme_email}'
25 |     privateKeySecretRef:
26 |       name: letsencrypt
27 |     solvers:
28 |     - dns01:
29 |         route53:
30 |           region: '${aws_region}'
31 | 


--------------------------------------------------------------------------------
/templates/cni-metrics-helper.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | apiVersion: rbac.authorization.k8s.io/v1
 3 | # kubernetes versions before 1.8.0 should use rbac.authorization.k8s.io/v1beta1
 4 | kind: ClusterRole
 5 | metadata:
 6 |   name: cni-metrics-helper
 7 | rules:
 8 |   - apiGroups: [""]
 9 |     resources:
10 |       - nodes
11 |       - pods
12 |       - pods/proxy
13 |       - services
14 |       - resourcequotas
15 |       - replicationcontrollers
16 |       - limitranges
17 |       - persistentvolumeclaims
18 |       - persistentvolumes
19 |       - namespaces
20 |       - endpoints
21 |     verbs: ["list", "watch", "get"]
22 |   - apiGroups: ["extensions"]
23 |     resources:
24 |       - daemonsets
25 |       - deployments
26 |       - replicasets
27 |     verbs: ["list", "watch"]
28 |   - apiGroups: ["apps"]
29 |     resources:
30 |       - statefulsets
31 |     verbs: ["list", "watch"]
32 |   - apiGroups: ["batch"]
33 |     resources:
34 |       - cronjobs
35 |       - jobs
36 |     verbs: ["list", "watch"]
37 |   - apiGroups: ["autoscaling"]
38 |     resources:
39 |       - horizontalpodautoscalers
40 |     verbs: ["list", "watch"]
41 | ---
42 | apiVersion: v1
43 | kind: ServiceAccount
44 | metadata:
45 |   name: cni-metrics-helper
46 |   namespace: kube-system
47 |   annotations:
48 |     eks.amazonaws.com/role-arn: "${cni_metrics_helper_role_arn_irsa}"
49 | ---
50 | apiVersion: rbac.authorization.k8s.io/v1
51 | # kubernetes versions before 1.8.0 should use rbac.authorization.k8s.io/v1beta1
52 | kind: ClusterRoleBinding
53 | metadata:
54 |   name: cni-metrics-helper
55 | roleRef:
56 |   apiGroup: rbac.authorization.k8s.io
57 |   kind: ClusterRole
58 |   name: cni-metrics-helper
59 | subjects:
60 |   - kind: ServiceAccount
61 |     name: cni-metrics-helper
62 |     namespace: kube-system
63 | ---
64 | kind: Deployment
65 | apiVersion: apps/v1
66 | metadata:
67 |   name: cni-metrics-helper
68 |   namespace: kube-system
69 |   labels:
70 |     k8s-app: cni-metrics-helper
71 | spec:
72 |   selector:
73 |     matchLabels:
74 |       k8s-app: cni-metrics-helper
75 |   template:
76 |     metadata:
77 |       labels:
78 |         k8s-app: cni-metrics-helper
79 |       annotations:
80 |         iam.amazonaws.com/role: "${cni_metrics_helper_role_arn_kiam}"
81 |     spec:
82 |       serviceAccountName: cni-metrics-helper
83 |       containers:
84 |       - image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/cni-metrics-helper:${cni_metrics_helper_version}
85 |         imagePullPolicy: Always
86 |         name: cni-metrics-helper
87 |         env:
88 |           - name: USE_CLOUDWATCH
89 |             value: "true"
90 |       priorityClassName: "system-cluster-critical"
91 | 


--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
  1 | variable "cluster-name" {
  2 |   description = "Name of the Kubernetes cluster"
  3 |   default     = "sample-cluster"
  4 |   type        = string
  5 | }
  6 | variable "aws" {
  7 |   description = "AWS provider customization"
  8 |   type        = any
  9 |   default     = {}
 10 | }
 11 | 
 12 | variable "eks" {
 13 |   description = "EKS cluster inputs"
 14 |   type        = any
 15 |   default     = {}
 16 | }
 17 | 
 18 | variable "nginx_ingress" {
 19 |   description = "Customize nginx-ingress chart, see `nginx-ingress.tf` for supported values"
 20 |   type        = any
 21 |   default     = {}
 22 | }
 23 | 
 24 | variable "cluster_autoscaler" {
 25 |   description = "Customize cluster-autoscaler chart, see `cluster_autoscaler.tf` for supported values"
 26 |   type        = any
 27 |   default     = {}
 28 | }
 29 | 
 30 | variable "external_dns" {
 31 |   description = "Customize external-dns chart, see `external_dns.tf` for supported values"
 32 |   type        = any
 33 |   default     = {}
 34 | }
 35 | 
 36 | variable "external_dns_secondary" {
 37 |   description = "Customize external-dns chart, see `external_dns_secondary.tf` for supported values"
 38 |   type        = any
 39 |   default     = {}
 40 | }
 41 | 
 42 | variable "cert_manager" {
 43 |   description = "Customize cert-manager chart, see `cert_manager.tf` for supported values"
 44 |   type        = any
 45 |   default     = {}
 46 | }
 47 | 
 48 | variable "kiam" {
 49 |   description = "Customize kiam chart, see `kiam.tf` for supported values"
 50 |   type        = any
 51 |   default     = {}
 52 | }
 53 | 
 54 | variable "metrics_server" {
 55 |   description = "Customize metrics-server chart, see `metrics_server.tf` for supported values"
 56 |   type        = any
 57 |   default     = {}
 58 | }
 59 | 
 60 | variable "prometheus_operator" {
 61 |   description = "Customize prometheus-operator chart, see `kube_prometheus.tf` for supported values"
 62 |   type        = any
 63 |   default     = {}
 64 | }
 65 | 
 66 | variable "fluentd_cloudwatch" {
 67 |   description = "Customize fluentd-cloudwatch chart, see `fluentd-cloudwatch.tf` for supported values"
 68 |   type        = any
 69 |   default     = {}
 70 | }
 71 | 
 72 | variable "npd" {
 73 |   description = "Customize node-problem-detector chart, see `npd.tf` for supported values"
 74 |   type        = any
 75 |   default     = {}
 76 | }
 77 | 
 78 | variable "flux" {
 79 |   description = "Customize fluxcd chart, see `flux.tf` for supported values"
 80 |   type        = any
 81 |   default     = {}
 82 | }
 83 | 
 84 | variable "sealed_secrets" {
 85 |   description = "Customize sealed-secrets chart, see `sealed-secrets.tf` for supported values"
 86 |   type        = any
 87 |   default     = {}
 88 | }
 89 | 
 90 | 
 91 | variable "cni_metrics_helper" {
 92 |   description = "Customize cni-metrics-helper deployment, see `cni_metrics_helper.tf` for supported values"
 93 |   type        = any
 94 |   default     = {}
 95 | }
 96 | 
 97 | variable "kong" {
 98 |   description = "Customize kong-ingress chart, see `kong.tf` for supported values"
 99 |   type        = any
100 |   default     = {}
101 | }
102 | 
103 | variable "keycloak" {
104 |   description = "Customize keycloak chart, see `keycloak.tf` for supported values"
105 |   type        = any
106 |   default     = {}
107 | }
108 | 
109 | variable "karma" {
110 |   description = "Customize karma chart, see `karma.tf` for supported values"
111 |   type        = any
112 |   default     = {}
113 | }
114 | 
115 | variable "istio_operator" {
116 |   description = "Customize istio operator deployment, see `istio_operator.tf` for supported values"
117 |   type        = any
118 |   default     = {}
119 | }
120 | 
121 | variable "alb_ingress" {
122 |   description = "Customize alb-ingress chart, see `alb-ingress.tf` for supported values"
123 |   type        = any
124 |   default     = {}
125 | }
126 | 
127 | variable "aws_node_termination_handler" {
128 |   description = "Customize aws-node-termination-handler chart, see `aws-node-termination-handler.tf`"
129 |   type        = any
130 |   default     = {}
131 | }
132 | 
133 | variable "calico" {
134 |   description = "Customize calico helm chart, see `calico.tf`"
135 |   type        = any
136 |   default     = {}
137 | }
138 | 
139 | variable "aws_fluent_bit" {
140 |   description = "Customize aws-for-fluent-bit helm chart, see `aws_fluent_bit.tf`"
141 |   type        = any
142 |   default     = {}
143 | }
144 | 
145 | variable "helm_defaults" {
146 |   description = "Customize default Helm behavior"
147 |   type        = any
148 |   default     = {}
149 | }
150 | 
151 | variable "priority_class" {
152 |   description = "Customize a priority class for addons"
153 |   type        = any
154 |   default     = {}
155 | }
156 | 
157 | variable "priority_class_ds" {
158 |   description = "Customize a priority class for addons daemonsets"
159 |   type        = any
160 |   default     = {}
161 | }
162 | 


--------------------------------------------------------------------------------
/versions.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_version = ">= 0.13"
 3 |   required_providers {
 4 |     aws = ">= 2.55.0"
 5 |     kubectl = {
 6 |       source  = "gavinbunney/kubectl"
 7 |       version = "1.6.2"
 8 |     }
 9 |   }
10 | }
11 | 


--------------------------------------------------------------------------------