├── .github ├── dependabot.yaml └── workflows │ ├── checkov.yaml │ ├── pre-commit.yaml │ ├── semantic.yaml │ ├── terraform-test.yaml │ ├── tflint.yaml │ └── tfsec.yaml ├── .gitignore ├── .pre-commit-config.yaml ├── LICENSE ├── README.md ├── adot.tf ├── alarms.tf ├── alb-ingress-controller.tf ├── commitlint.config.js ├── data.tf ├── examples ├── basic │ ├── 0-setup.tf │ ├── 1-example.tf │ └── README.md ├── eks-fluent-bit │ ├── 0-setup.tf │ ├── 1-example.tf │ ├── README.md │ └── templates │ │ ├── filters.yaml.tpl │ │ ├── inputs.yaml.tpl │ │ └── outputs.yaml.tpl ├── eks-nginx-ingress-controller │ ├── 0-setup.tf │ ├── 1-example.tf │ └── README.md ├── eks-with-adot │ ├── 0-setup.tf │ ├── 1-example.tf │ └── README.md ├── eks-with-event-exporter │ ├── 0-setup.tf │ ├── 1-example.tf │ ├── README.md │ └── eks-with-event-exporter.yaml ├── eks-with-flagger │ ├── 0-setup.tf │ ├── 1-example.tf │ ├── README.md │ └── http-echo-canary-eks.yaml ├── eks-with-karpenter-and-external-secret │ ├── 0-setup.tf │ ├── 1-example.tf │ ├── README.md │ └── http-echo.yaml ├── eks-with-karpenter │ ├── 0-setup.tf │ ├── 1-example.tf │ ├── README.md │ ├── http-echo-on-demand.yaml │ └── http-echo.yaml ├── eks-with-linkerd │ ├── 0-setup.tf │ ├── 1-example.tf │ ├── README.md │ └── http-echo-linkerd-eks.yaml ├── eks-with-namespaces-and-docker-auth │ ├── 0-setup.tf │ ├── 1-example.tf │ ├── README.md │ └── http-echo.yaml ├── eks-with-s3-csi │ ├── 0-setup.tf │ ├── 1-example.tf │ ├── README.md │ ├── http-echo-eks-with-s3-csi.yaml │ └── test-cronjob.yaml ├── enable-ebs-csi-driver │ ├── README.md │ └── main.tf ├── external-dns-enabled │ ├── 0-setup.tf │ ├── 1-example.tf │ └── README.md ├── rbac-from-external-source │ ├── README.md │ └── main.tf ├── rbac-from-locals │ ├── README.md │ └── main.tf ├── spot-instance-alarms-disabled │ ├── 0-setup.tf │ ├── 1-example.tf │ └── README.md ├── spot-instance-customize-alarms │ ├── 0-setup.tf │ ├── 1-example.tf │ └── README.md ├── spot-instance-vpc-link │ ├── README.md │ 
└── main.tf └── spot-instance │ ├── 0-setup.tf │ ├── 1-example.tf │ └── README.md ├── fluent-bit.tf ├── git-conventional-commits.json ├── githooks ├── commit-msg └── pre-commit ├── keda.tf ├── locals.tf ├── main.tf ├── meta-system.tf ├── modules ├── README.md ├── adot │ ├── README.md │ ├── data.tf │ ├── files │ │ ├── ClusterRole.yaml │ │ ├── ClusterRoleBinding.yaml │ │ ├── Namespace.yaml │ │ ├── Role.yaml │ │ └── RoleBinding.yaml │ ├── locals.tf │ ├── main.tf │ ├── operator-permissions.tf │ ├── role.tf │ ├── service-account.tf │ ├── templates │ │ └── adot-values.yaml.tpl │ ├── tests │ │ ├── basic │ │ │ ├── 0-setup.tf │ │ │ ├── 1-example.tf │ │ │ └── README.md │ │ ├── configure_resources │ │ │ ├── 0-setup.tf │ │ │ ├── 1-example.tf │ │ │ └── README.md │ │ ├── enable_logging │ │ │ ├── 0-setup.tf │ │ │ ├── 1-example.tf │ │ │ └── README.md │ │ ├── promethus_metrics │ │ │ ├── 0-setup.tf │ │ │ ├── 1-example.tf │ │ │ ├── 2-assert.tf │ │ │ └── README.md │ │ └── template_file │ │ │ ├── 0-setup.tf │ │ │ ├── 1-example.tf │ │ │ ├── 2-assert.tf │ │ │ ├── README.md │ │ │ └── templates │ │ │ └── adot-values.yaml.tpl │ ├── variables.tf │ └── versions.tf ├── api-gw │ ├── README.md │ ├── apis.tf │ ├── iam.tf │ ├── main.tf │ ├── policies │ │ ├── api-gw-policy.json │ │ └── trusted-policy.json │ ├── sa.tf │ ├── stages.tf │ ├── tests │ │ └── basic │ │ │ ├── 0-setup.tf │ │ │ ├── 1-example.tf │ │ │ └── README.md │ ├── variables.tf │ ├── versions.tf │ └── vpc-links.tf ├── autoscaler │ ├── README.md │ ├── autoscaler-policy.tf │ ├── examples │ │ └── basic │ │ │ ├── README.md │ │ │ └── main.tf │ ├── kube-resoures.tf │ ├── policies │ │ ├── cluster-autoscaler-policy.json │ │ └── trusted-policy.json │ ├── variables.tf │ └── versions.tf ├── aws-load-balancer-controller │ ├── README.md │ ├── iam-policy.json │ ├── logs-to-cloudwatch.tf │ ├── main.tf │ ├── s3-bucket.tf │ ├── script-to-setup-load-balancer-aws-service-account.sh │ ├── terraform-aws-alb-cloudwatch-logs-json │ │ ├── .gitignore │ │ ├── 
LICENSE │ │ ├── README.md │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── src │ │ │ └── lambda.py │ │ └── variables.tf │ ├── variables.tf │ └── versions.tf ├── cloudwatch-metrics │ ├── README.md │ ├── main.tf │ ├── namespace.tf │ ├── role.tf │ ├── variables.tf │ └── versions.tf ├── ebs-csi │ ├── README.md │ ├── data.tf │ ├── iam_policy.tf │ ├── locals.tf │ ├── main.tf │ ├── policies │ │ └── trusted_policy.json │ └── variables.tf ├── efs-csi │ ├── README.md │ ├── iam_policy.tf │ ├── main.tf │ ├── policies │ │ ├── iam_policy_efs.json │ │ └── trusted_policy.json │ ├── serviceaccount.tf │ ├── storageClass.tf │ ├── variables.tf │ └── versions.tf ├── eks-data │ ├── README.md │ ├── data.tf │ ├── output.tf │ ├── tests │ │ └── k8s-provider │ │ │ ├── 0-setup.tf │ │ │ ├── 1-example.tf │ │ │ ├── 2-assert.tf │ │ │ └── README.md │ └── variable.tf ├── eks │ ├── README.md │ ├── data.tf │ ├── locals.tf │ ├── main.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf ├── event-exporter │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf ├── external-dns │ ├── README.md │ ├── locals.tf │ ├── main.tf │ ├── outputs.tf │ ├── role.tf │ ├── variables.tf │ └── versions.tf ├── external-secrets │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── variables.tf │ └── version.tf ├── flagger │ ├── README.md │ ├── examples │ │ └── basic │ │ │ ├── 0-setup.tf │ │ │ ├── 1-example.tf │ │ │ └── README.md │ ├── load-tester.tf │ ├── main.tf │ ├── metric-template.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf ├── fluent-bit │ ├── README.md │ ├── iam-policies.tf │ ├── iam-policy-s3-cloudwatch.json │ ├── iam-policy.json │ ├── locals.tf │ ├── main.tf │ ├── namespace.tf │ ├── tests │ │ ├── advanced │ │ │ ├── 0-setup.tf │ │ │ ├── 1-example.tf │ │ │ ├── README.md │ │ │ └── templates │ │ │ │ ├── filters.yaml.tpl │ │ │ │ ├── inputs.yaml.tpl │ │ │ │ └── outputs.yaml.tpl │ │ ├── basic │ │ │ ├── 0-setup.tf │ │ │ ├── 1-example.tf │ │ │ └── README.md │ │ ├── 
cloudwatch-export-disable │ │ │ ├── 0-setup.tf │ │ │ ├── 1-example.tf │ │ │ ├── README.md │ │ │ └── templates │ │ │ │ └── outputs.yaml.tpl │ │ └── own-values-yaml │ │ │ ├── 0-setup.tf │ │ │ ├── 1-example.tf │ │ │ ├── README.md │ │ │ └── templates │ │ │ └── values.yaml.tpl │ ├── values.yaml.tpl │ ├── variables.tf │ └── version.tf ├── karpenter │ ├── README.md │ ├── data.tf │ ├── examples │ │ └── basic │ │ │ ├── 0-setup.tf │ │ │ ├── 1-example.tf │ │ │ └── README.md │ ├── locals.tf │ ├── main.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf ├── keda │ ├── README.md │ ├── data.tf │ ├── keda_trigger_auth.tpl │ ├── main.tf │ ├── output.tf │ ├── role.tf │ ├── tests │ │ └── basic │ │ │ ├── README.md │ │ │ ├── application │ │ │ ├── deployment.yaml │ │ │ └── scaledobject.yaml │ │ │ ├── main.tf │ │ │ ├── output.tf │ │ │ ├── providers.tf │ │ │ └── sqs.tf │ ├── trigger-auth.tf │ ├── values.yaml.tpl │ ├── variables.tf │ └── versions.tf ├── linkerd │ ├── README.md │ ├── configs.tf │ ├── examples │ │ └── basic │ │ │ ├── 0-setup.tf │ │ │ ├── 1-example.tf │ │ │ └── README.md │ ├── main.tf │ ├── modules │ │ └── identity-certificates-and-keys │ │ │ ├── README.md │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ ├── variables.tf │ │ │ └── versions.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf ├── metrics-server │ ├── README.md │ ├── main.tf │ ├── values.yaml │ ├── variables.tf │ └── versions.tf ├── namespaces-and-docker-auth │ ├── README.md │ ├── data.tf │ ├── examples │ │ └── basic │ │ │ ├── 0-setup.tf │ │ │ ├── 1-example.tf │ │ │ └── README.md │ ├── locals.tf │ ├── main.tf │ ├── outputs.tf │ ├── role.tf │ ├── variables.tf │ └── versions.tf ├── nginx-ingress-controller │ ├── README.md │ ├── main.tf │ ├── tests │ │ └── basic │ │ │ ├── README.md │ │ │ └── main.tf │ ├── variables.tf │ └── version.tf ├── node-problem-detector │ ├── README.md │ ├── main.tf │ ├── tests │ │ └── basic │ │ │ ├── 0-setup.tf │ │ │ ├── 1-example.tf │ │ │ └── README.md │ ├── values.yaml │ ├── 
variables.tf │ └── versions.tf ├── olm │ ├── README.md │ ├── crds.tf │ ├── main.tf │ ├── tests │ │ └── basic │ │ │ ├── 1-example.tf │ │ │ └── README.md │ ├── variables.tf │ └── versions.tf ├── portainer │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf ├── priority-class │ ├── README.md │ ├── main.tf │ ├── output.tf │ ├── tests │ │ ├── add-new-priority-class │ │ │ ├── README.md │ │ │ ├── main.tf │ │ │ ├── output.tf │ │ │ └── providers.tf │ │ └── basic │ │ │ ├── README.md │ │ │ ├── main.tf │ │ │ ├── output.tf │ │ │ └── providers.tf │ ├── variables.tf │ └── version.tf ├── s3-csi │ ├── README.md │ ├── data.tf │ ├── examples │ │ └── basic │ │ │ ├── 0-setup.tf │ │ │ ├── 1-example.tf │ │ │ └── README.md │ ├── locals.tf │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── sso-rbac │ ├── README.md │ ├── account-assignment.tf │ ├── krole.tf │ ├── krolebinding.tf │ ├── main.tf │ ├── outputs.tf │ ├── permission-set.tf │ ├── provisioner.tf │ ├── terraform-aws-sso │ │ └── modules │ │ │ ├── account-assignments │ │ │ ├── README.md │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ ├── variables.tf │ │ │ └── versions.tf │ │ │ └── permission-sets │ │ │ ├── README.md │ │ │ ├── main.tf │ │ │ ├── outputs.tf │ │ │ ├── variables.tf │ │ │ └── versions.tf │ ├── variables.tf │ └── versions.tf └── weave-scope │ ├── README.md │ ├── examples │ ├── README.md │ ├── minimal.tf │ ├── service-nodeport.tf │ └── with-ingress.tf │ ├── main.tf │ ├── resources │ └── values.yaml.tpl │ ├── variables.tf │ └── versions.tf ├── nginx-ingress-controller.tf ├── node-problem-detector.tf ├── olm.tf ├── outputs.tf ├── package.json ├── pre-commit.yaml ├── priority-class.tf ├── providers.tf ├── variables.tf ├── versions.tf └── wave-scope-dashboard.tf /.github/dependabot.yaml: -------------------------------------------------------------------------------- 1 | version: 2 2 | 3 | updates: 4 | - package-ecosystem: "terraform" 5 | directory: 6 | - modules/aws-load-balancer-controller 7 | - 
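modules/cloudwatch-metrics
      - modules/eks
      - modules/external-secrets
      - modules/fluent-bit
      - modules/metrics-server
      - modules/sso-rbac
      # NOTE(review): no modules/vpc directory appears in the tree above — verify the
      # path; Dependabot reports an error for a directory it cannot find.
      - modules/vpc
      - modules/weave-scope
    schedule:
      interval: "daily"
  # The workflows below reference mutable tags (dasmeta/reusable-actions-workflows@4.2.0,
  # actions/checkout@v3, ...). Watching the github-actions ecosystem as well means those
  # refs get update PRs instead of silently drifting; before this only Terraform providers
  # were watched.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
--------------------------------------------------------------------------------
/.github/workflows/checkov.yaml:
--------------------------------------------------------------------------------
name: Checkov
on:
  pull_request:
  push:
    branches: [main, master]
jobs:
  checkov-check:
    runs-on: ubuntu-latest
    # No token scopes: the scan only needs the checkout.
    permissions: {}
    strategy:
      matrix:
        path:
          - ./
    steps:
      - uses: dasmeta/reusable-actions-workflows/checkov@4.2.0
        with:
          directory: ${{ matrix.path }}
        # NOTE(review): with continue-on-error the job stays green even when Checkov
        # reports findings, so this scan is advisory only and never blocks a merge.
        continue-on-error: true
--------------------------------------------------------------------------------
/.github/workflows/pre-commit.yaml:
--------------------------------------------------------------------------------
name: Pre Commit
on:
  pull_request:
  push:
    branches: [main, master]
jobs:
  pre-commit-check:
    runs-on: ubuntu-latest
    # NOTE(review): permissions: {} leaves GITHUB_TOKEN with no scopes; the repo-token
    # passed below therefore cannot write anything (fine for a read-only hook run, but
    # confirm the reusable action does not try to post comments with it).
    permissions: {}
    strategy:
      matrix:
        path:
          - ./
    steps:
      - name: Pre-Commit
        uses: dasmeta/reusable-actions-workflows/pre-commit@4.2.0
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          path: ${{ matrix.path }}
        # NOTE(review): hook failures do not fail the workflow.
        continue-on-error: true
--------------------------------------------------------------------------------
/.github/workflows/semantic.yaml:
--------------------------------------------------------------------------------
name: Semantic Release
# Releases are cut only from pushes to the default branch, matching the other workflows.
# The previous `on: [pull_request, push]` ran this job for every PR and feature-branch
# push, handing a contents:write token and NPM_TOKEN to runs that are presumably not
# expected to publish anything.
on:
  push:
    branches: [main, master]
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write  # push the release tag / create the GitHub release
    steps:
      # NOTE(review): these are mutable tags; pin each action to a full commit SHA
      # (keeping the tag in a trailing comment) so a moved tag cannot change what runs
      # with the release credentials.
      - uses: actions/checkout@v3
      - name: Setup Node.js
        uses: actions/setup-node@v3
        with:
          node-version: 18
      - name: Semantic Release
        uses: cycjimmy/semantic-release-action@v3
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
--------------------------------------------------------------------------------
/.github/workflows/terraform-test.yaml:
--------------------------------------------------------------------------------
name: Terraform Test
on:
  pull_request:
  push:
    branches: [main, master]
jobs:
  terraform-test:
    runs-on: ubuntu-latest
    permissions: {}
    strategy:
      matrix:
        path:
          - /
    steps:
      # NOTE(review): this job runs Terraform from the PR head using long-lived IAM user
      # keys stored as repository secrets. Any branch in this repo can therefore execute
      # arbitrary HCL under those credentials, and the keys never rotate. Prefer a
      # short-lived role via GitHub OIDC (permissions: id-token: write plus an
      # AssumeRoleWithWebIdentity step) and consider an `environment:` with required
      # reviewers for pull_request runs.
      - uses: dasmeta/reusable-actions-workflows/terraform-test@4.2.0
        with:
          aws-region: ${{ secrets.AWS_REGION }}
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          path: ${{ matrix.path }}
        # NOTE(review): failing tests do not fail the workflow.
        continue-on-error: true
--------------------------------------------------------------------------------
/.github/workflows/tflint.yaml:
--------------------------------------------------------------------------------
name: Tflint
on:
  pull_request:
  push:
    branches: [main, master]

jobs:
  tflint-check:
    runs-on: ubuntu-latest
    permissions: {}
    strategy:
      matrix:
        path:
          - ./
    steps:
      - uses: dasmeta/reusable-actions-workflows/tflint@4.2.0
        with:
          path: ${{ matrix.path }}
          repo-token: ${{ secrets.GITHUB_TOKEN }}
        # NOTE(review): lint findings do not fail the workflow.
        continue-on-error: true
--------------------------------------------------------------------------------
/.github/workflows/tfsec.yaml:
--------------------------------------------------------------------------------
name: TFSEC
on:
  pull_request:
  push:
    branches: [main, master]
jobs:
  tfsec-check:
    runs-on: ubuntu-latest
    permissions: {}
    steps:
      - uses: dasmeta/reusable-actions-workflows/tfsec@4.2.0
        # NOTE(review): as with Checkov, continue-on-error makes this scan advisory only;
        # drop it (or fail on a severity threshold) if tfsec is meant to gate merges.
        continue-on-error: true
--------------------------------------------------------------------------------
/.gitignore: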
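--------------------------------------------------------------------------------
# Local .terraform directories
**/.terraform/*
# .tfstate files
*.tfstate
*.tfstate.*
# NOTE(review): this pattern also ignores .terraform.lock.hcl, which records the selected
# provider versions and their h1:/zh: hashes. For the examples/ and module tests/ roots
# that means each CI run (terraform-test.yaml) re-resolves providers and never verifies
# a hash; consider committing the lock file for those roots.
*.lock.hcl

**/.idea/*

.idea/


# Crash log files
crash.log

# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
# .tfvars files are managed as part of configuration and so should be included in
# version control.
#
# example.tfvars

# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json

# Include override files you do wish to add to version control using negated pattern
#
# !example_override.tf

# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# example: *tfplan*

.DS_Store
.tool-versions
--------------------------------------------------------------------------------
/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.3.0
    hooks:
      - id: check-added-large-files
      - id: check-merge-conflict
      - id: check-vcs-permalinks
      - id: end-of-file-fixer
      - id: trailing-whitespace
        args: [--markdown-linebreak-ext=md]
        exclude: CHANGELOG.md
      - id: check-yaml
      # (the duplicate check-merge-conflict entry that used to sit here was removed;
      # the hook already runs once above)
      - id: check-case-conflict
      - id: mixed-line-ending
        args: [--fix=lf]
      # Secret hygiene. detect-aws-credentials compares staged content against the keys
      # in the developer's local AWS credentials file, so --allow-missing-credentials
      # keeps it from failing on machines without one — but on such machines it also
      # finds nothing; the pattern-based catch-all is the gitleaks hook further down.
      - id: detect-aws-credentials
        args: ['--allow-missing-credentials']
      - id: detect-private-key
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.64.1
    hooks:
      - id: terraform_fmt
      - id: terraform_docs
        args:
          - --hook-config=--path-to-file=README.md
          - 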
--hook-config=--add-to-existing-file=true 28 | - --hook-config=--create-file-if-not-exist=true 29 | - repo: https://github.com/qoomon/git-conventional-commits 30 | rev: v2.4.0 31 | hooks: 32 | - id: conventional-commits 33 | - repo: https://github.com/zricethezav/gitleaks 34 | rev: v8.12.0 35 | hooks: 36 | - id: gitleaks 37 | -------------------------------------------------------------------------------- /adot.tf: -------------------------------------------------------------------------------- 1 | module "adot" { 2 | source = "./modules/adot" 3 | 4 | count = var.metrics_exporter == "adot" ? 1 : 0 5 | 6 | cluster_name = var.cluster_name 7 | cluster_version = var.cluster_version 8 | eks_oidc_root_ca_thumbprint = local.eks_oidc_root_ca_thumbprint 9 | oidc_provider_arn = module.eks-cluster[0].oidc_provider_arn 10 | adot_config = var.adot_config 11 | adot_version = var.adot_version 12 | prometheus_metrics = var.prometheus_metrics 13 | region = local.region 14 | depends_on = [ 15 | module.eks-core-components, 16 | helm_release.cert-manager, 17 | kubernetes_namespace.meta-system 18 | ] 19 | } 20 | -------------------------------------------------------------------------------- /alarms.tf: -------------------------------------------------------------------------------- 1 | 2 | module "cw_alerts" { 3 | count = var.alarms.enabled ? 
1 : 0 4 | 5 | source = "dasmeta/monitoring/aws//modules/alerts" 6 | version = "1.3.5" 7 | 8 | sns_topic = var.alarms.sns_topic 9 | 10 | alerts = [ 11 | { 12 | name = "EKS ${var.cluster_name} node failed" 13 | source = "ContainerInsights/ClusterName/cluster_failed_node_count" 14 | filters = { 15 | ClusterName = var.cluster_name 16 | } 17 | period = try(var.alarms.custom_values.node_failed.period, "60") 18 | threshold = try(var.alarms.custom_values.node_failed.threshold, "1") 19 | statistic = try(var.alarms.custom_values.node_failed.statistic, "max") 20 | }, 21 | ] 22 | 23 | depends_on = [module.eks-core-components] 24 | } 25 | -------------------------------------------------------------------------------- /alb-ingress-controller.tf: -------------------------------------------------------------------------------- 1 | module "alb-ingress-controller" { 2 | source = "./modules/aws-load-balancer-controller" 3 | 4 | count = var.create && (var.alb_load_balancer_controller.enabled || var.nginx_ingress_controller_config.enabled) ? 1 : 0 5 | 6 | account_id = local.account_id 7 | region = local.region 8 | 9 | cluster_name = module.eks-cluster[0].cluster_name 10 | eks_oidc_root_ca_thumbprint = local.eks_oidc_root_ca_thumbprint 11 | oidc_provider_arn = module.eks-cluster[0].oidc_provider_arn 12 | enable_waf = var.alb_load_balancer_controller.enable_waf_for_alb 13 | configs = var.alb_load_balancer_controller.configs 14 | 15 | ## the load balancer access logs sync to s3=>lambda=>cloudwatch was disabled/commented-out so this params also need/can be commented, 16 | ## after then the fix be applied for enabling this functionality we can uncomment them 17 | # create_alb_log_bucket = true 18 | # alb_log_bucket_name = var.alb_load_balancer_controller.alb_log_bucket_name != "" ? 
var.alb_load_balancer_controller.alb_log_bucket_name : "${module.eks-cluster[0].cluster_name}-ingress-controller-log-bucket" 19 | # alb_log_bucket_path = var.alb_load_balancer_controller.alb_log_bucket_path != "" ? var.alb_load_balancer_controller.alb_log_bucket_path : module.eks-cluster[0].cluster_name 20 | 21 | depends_on = [module.eks-core-components] 22 | } 23 | -------------------------------------------------------------------------------- /commitlint.config.js: -------------------------------------------------------------------------------- 1 | module.exports = { 2 | extends: [ 3 | "@commitlint/config-conventional" 4 | ] 5 | } 6 | -------------------------------------------------------------------------------- /data.tf: -------------------------------------------------------------------------------- 1 | data "aws_caller_identity" "current" { 2 | count = var.account_id == null ? 1 : 0 3 | } 4 | 5 | data "aws_region" "current" { 6 | count = var.region == null ? 1 : 0 7 | } 8 | -------------------------------------------------------------------------------- /examples/basic/0-setup.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "eu-central-1" 3 | } 4 | 5 | # Prepare for test 6 | data "aws_availability_zones" "available" {} 7 | data "aws_vpcs" "ids" { 8 | tags = { 9 | Name = "default" 10 | } 11 | } 12 | 13 | data "aws_subnets" "subnets" { 14 | filter { 15 | name = "vpc-id" 16 | values = [data.aws_vpcs.ids.ids[0]] 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /examples/basic/1-example.tf: -------------------------------------------------------------------------------- 1 | module "this" { 2 | source = "../.." 
3 | 4 | cluster_name = "test-cluster-345678" 5 | 6 | vpc = { 7 | link = { 8 | id = data.aws_vpcs.ids.ids[0] 9 | private_subnet_ids = data.aws_subnets.subnets.ids 10 | } 11 | } 12 | 13 | # enable_olm = true 14 | alarms = { 15 | enabled = false 16 | sns_topic = "" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /examples/basic/README.md: -------------------------------------------------------------------------------- 1 | # basic 2 | 3 | 4 | ## Requirements 5 | 6 | No requirements. 7 | 8 | ## Providers 9 | 10 | | Name | Version | 11 | |------|---------| 12 | | [aws](#provider\_aws) | 5.98.0 | 13 | 14 | ## Modules 15 | 16 | | Name | Source | Version | 17 | |------|--------|---------| 18 | | [this](#module\_this) | ../.. | n/a | 19 | 20 | ## Resources 21 | 22 | | Name | Type | 23 | |------|------| 24 | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | 25 | | [aws_subnets.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | 26 | | [aws_vpcs.ids](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpcs) | data source | 27 | 28 | ## Inputs 29 | 30 | No inputs. 31 | 32 | ## Outputs 33 | 34 | No outputs. 
35 | 36 | -------------------------------------------------------------------------------- /examples/eks-fluent-bit/0-setup.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | aws = { 4 | source = "hashicorp/aws" 5 | version = ">= 3.41" 6 | } 7 | } 8 | 9 | required_version = ">= 1.3.0, < 2.0.0" 10 | } 11 | 12 | /** 13 | * set the following env vars so that aws provider will get authenticated before apply: 14 | 15 | export AWS_ACCESS_KEY_ID=xxxxxxxxxxxxxxxxxxxxxxxx 16 | export AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxx 17 | */ 18 | provider "aws" { 19 | region = "eu-central-1" 20 | } 21 | -------------------------------------------------------------------------------- /examples/eks-fluent-bit/README.md: -------------------------------------------------------------------------------- 1 | # eks-fluent-bit 2 | 3 | 4 | ## Requirements 5 | 6 | | Name | Version | 7 | |------|---------| 8 | | [terraform](#requirement\_terraform) | >= 1.3.0, < 2.0.0 | 9 | | [aws](#requirement\_aws) | >= 3.41 | 10 | 11 | ## Providers 12 | 13 | | Name | Version | 14 | |------|---------| 15 | | [aws](#provider\_aws) | 4.67.0 | 16 | 17 | ## Modules 18 | 19 | | Name | Source | Version | 20 | |------|--------|---------| 21 | | [this](#module\_this) | ../.. | n/a | 22 | 23 | ## Resources 24 | 25 | | Name | Type | 26 | |------|------| 27 | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | 28 | | [aws_subnets.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | 29 | | [aws_vpcs.ids](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpcs) | data source | 30 | 31 | ## Inputs 32 | 33 | No inputs. 34 | 35 | ## Outputs 36 | 37 | No outputs. 
38 | 39 | -------------------------------------------------------------------------------- /examples/eks-fluent-bit/templates/filters.yaml.tpl: -------------------------------------------------------------------------------- 1 | [FILTER] 2 | Name grep 3 | Match kube.* 4 | Exclude $log (test) 5 | 6 | [FILTER] 7 | Name grep 8 | Match audit.* 9 | regex $log (test) 10 | -------------------------------------------------------------------------------- /examples/eks-fluent-bit/templates/inputs.yaml.tpl: -------------------------------------------------------------------------------- 1 | [INPUT] 2 | Name tail 3 | Tag test.* 4 | Path /var/log/containers/*.log 5 | Read_from_head true 6 | multiline.parser docker, cri 7 | Docker_Mode On 8 | Parser docker 9 | Mem_Buf_Limit 50MB 10 | -------------------------------------------------------------------------------- /examples/eks-fluent-bit/templates/outputs.yaml.tpl: -------------------------------------------------------------------------------- 1 | [OUTPUT] 2 | Name s3 3 | Match test.* 4 | bucket test-eks-fluent-bit-dasmeta 5 | region eu-central-1 6 | total_file_size 250M 7 | s3_key_format /%Y/%m/%d/%H_%M_%S.gz 8 | -------------------------------------------------------------------------------- /examples/eks-nginx-ingress-controller/0-setup.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "eu-central-1" 3 | } 4 | -------------------------------------------------------------------------------- /examples/eks-nginx-ingress-controller/1-example.tf: -------------------------------------------------------------------------------- 1 | # Prepare for test 2 | data "aws_availability_zones" "available" {} 3 | data "aws_vpcs" "ids" { 4 | tags = { 5 | Name = "default" 6 | } 7 | } 8 | data "aws_subnets" "subnets" { 9 | filter { 10 | name = "vpc-id" 11 | values = [data.aws_vpcs.ids.ids[0]] 12 | } 13 | } 14 | 15 | # test 16 | module "basic" { 17 | source = "../.." 
18 | 19 | cluster_name = "test-cluster-345678" 20 | 21 | vpc = { 22 | link = { 23 | id = data.aws_vpcs.ids.ids[0] 24 | private_subnet_ids = data.aws_subnets.subnets.ids 25 | } 26 | } 27 | 28 | alarms = { 29 | enabled = false 30 | sns_topic = "" 31 | } 32 | 33 | nginx_ingress_controller_config = { 34 | enabled = true 35 | name = "nginx" 36 | create_namespace = true 37 | namespace = "ingress-nginx" 38 | replicacount = 3 39 | metrics_enabled = true 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /examples/eks-nginx-ingress-controller/README.md: -------------------------------------------------------------------------------- 1 | # eks-nginx-ingress-controller 2 | 3 | 4 | ## Requirements 5 | 6 | No requirements. 7 | 8 | ## Providers 9 | 10 | | Name | Version | 11 | |------|---------| 12 | | [aws](#provider\_aws) | n/a | 13 | 14 | ## Modules 15 | 16 | | Name | Source | Version | 17 | |------|--------|---------| 18 | | [basic](#module\_basic) | ../.. | n/a | 19 | 20 | ## Resources 21 | 22 | | Name | Type | 23 | |------|------| 24 | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | 25 | | [aws_subnets.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | 26 | | [aws_vpcs.ids](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpcs) | data source | 27 | 28 | ## Inputs 29 | 30 | No inputs. 31 | 32 | ## Outputs 33 | 34 | No outputs. 
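--------------------------------------------------------------------------------
/examples/eks-with-adot/0-setup.tf:
--------------------------------------------------------------------------------
provider "aws" {
  region = "eu-central-1"
}
--------------------------------------------------------------------------------
/examples/eks-with-adot/1-example.tf:
--------------------------------------------------------------------------------
# Prepare for test: pick the VPC tagged Name=default and all of its subnets.
# (The aws_availability_zones data source that used to be declared here was never
# referenced by this example and has been dropped; terraform_docs regenerates the
# README resource table on the next pre-commit run.)
data "aws_vpcs" "ids" {
  tags = {
    Name = "default"
  }
}

data "aws_subnets" "subnets" {
  filter {
    name   = "vpc-id"
    values = [data.aws_vpcs.ids.ids[0]]
  }
}

# test
module "basic" {
  source = "../.."

  cluster_name = "test-cluster-345678"

  vpc = {
    link = {
      id                 = data.aws_vpcs.ids.ids[0]
      private_subnet_ids = data.aws_subnets.subnets.ids
    }
  }

  adot_config = {
    # NOTE(review): this regex is unanchored. Unless modules/adot anchors it inside its
    # template, "default" also admits namespaces such as "default-staging" and "runner"
    # admits "my-runner"; confirm against the template, or write
    # "^(default|runner|awattgarde|prefect-jobs)$" if an exact match is intended.
    accept_namespace_regex = "(default|runner|awattgarde|prefect-jobs)"
    # NOTE(review): the example builds a test cluster but sends its logs to a "/prod/"
    # log group; examples should point at a non-production group.
    log_group_name = "/aws/containerinsights/prod/adot"

    # to export additional metrics
    additional_metrics = [
      "pod_memory_working_set",
      "pod_cpu_usage_total"
    ]
  }

  # to collect additional metrics from kube-state-metrics
  prometheus_metrics = [
    "kube_deployment_spec_replicas",
    "kube_deployment_status_replicas_available"
  ]

  alarms = {
    enabled   = false
    sns_topic = ""
  }
}
--------------------------------------------------------------------------------
/examples/eks-with-adot/README.md:
--------------------------------------------------------------------------------
# eks-with-adot


## Requirements

No requirements.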
7 | 8 | ## Providers 9 | 10 | | Name | Version | 11 | |------|---------| 12 | | [aws](#provider\_aws) | n/a | 13 | 14 | ## Modules 15 | 16 | | Name | Source | Version | 17 | |------|--------|---------| 18 | | [basic](#module\_basic) | ../.. | n/a | 19 | 20 | ## Resources 21 | 22 | | Name | Type | 23 | |------|------| 24 | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | 25 | | [aws_subnets.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | 26 | | [aws_vpcs.ids](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpcs) | data source | 27 | 28 | ## Inputs 29 | 30 | No inputs. 31 | 32 | ## Outputs 33 | 34 | No outputs. 35 | 36 | -------------------------------------------------------------------------------- /examples/eks-with-event-exporter/0-setup.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = "~> 1.3" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.31, < 6.0.0" 8 | } 9 | tls = { 10 | source = "hashicorp/tls" 11 | version = "~> 4.0" 12 | } 13 | } 14 | } 15 | 16 | provider "aws" { 17 | region = "eu-central-1" 18 | } 19 | 20 | provider "helm" { 21 | kubernetes { 22 | host = module.this.cluster_host 23 | cluster_ca_certificate = module.this.cluster_certificate 24 | token = module.this.cluster_token 25 | } 26 | } 27 | 28 | # Prepare for test 29 | data "aws_availability_zones" "available" {} 30 | data "aws_vpcs" "ids" { 31 | tags = { 32 | Name = "default" 33 | } 34 | } 35 | 36 | data "aws_subnets" "subnets" { 37 | filter { 38 | name = "vpc-id" 39 | values = [data.aws_vpcs.ids.ids[0]] 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /examples/eks-with-event-exporter/README.md: 
-------------------------------------------------------------------------------- 1 | # eks-with-event-exporter 2 | 3 | 4 | ## Requirements 5 | 6 | | Name | Version | 7 | |------|---------| 8 | | [terraform](#requirement\_terraform) | ~> 1.3 | 9 | | [aws](#requirement\_aws) | >= 3.31, < 6.0.0 | 10 | | [tls](#requirement\_tls) | ~> 4.0 | 11 | 12 | ## Providers 13 | 14 | | Name | Version | 15 | |------|---------| 16 | | [aws](#provider\_aws) | 5.98.0 | 17 | | [helm](#provider\_helm) | 2.17.0 | 18 | 19 | ## Modules 20 | 21 | | Name | Source | Version | 22 | |------|--------|---------| 23 | | [this](#module\_this) | ../.. | n/a | 24 | 25 | ## Resources 26 | 27 | | Name | Type | 28 | |------|------| 29 | | [helm_release.http_echo](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | 30 | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | 31 | | [aws_subnets.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | 32 | | [aws_vpcs.ids](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpcs) | data source | 33 | 34 | ## Inputs 35 | 36 | No inputs. 37 | 38 | ## Outputs 39 | 40 | No outputs. 
41 | 42 | -------------------------------------------------------------------------------- /examples/eks-with-event-exporter/eks-with-event-exporter.yaml: -------------------------------------------------------------------------------- 1 | # helm diff upgrade --install -n default http-echo dasmeta/base --version 0.3.10 -f ./eks-with-event-exporter.yaml 2 | 3 | image: 4 | repository: mendhak/http-https-echo 5 | tag: 34 6 | 7 | config: 8 | TEST_CONFIG_FOR_ROLLOUT_TRIGGER: "1" 9 | 10 | containerPort: 8080 11 | 12 | service: 13 | enabled: true 14 | type: ClusterIP 15 | 16 | autoscaling: 17 | enabled: true 18 | minReplicas: 2 19 | maxReplicas: 5 20 | targetCPUUtilizationPercentage: 99 21 | 22 | pdb: 23 | enabled: true 24 | minAvailable: 1 25 | 26 | readinessProbe: 27 | initialDelaySeconds: 5 28 | failureThreshold: 1 29 | httpGet: 30 | path: /health 31 | port: http 32 | livenessProbe: 33 | initialDelaySeconds: 5 34 | failureThreshold: 3 35 | httpGet: 36 | path: /health 37 | port: http 38 | resources: 39 | requests: 40 | cpu: 100m 41 | 42 | setIngressClassByField: true 43 | ingress: 44 | enabled: true 45 | class: nginx 46 | hosts: 47 | - host: eks-with-event-exporter.devops.dasmeta.com 48 | paths: 49 | - path: "/" 50 | -------------------------------------------------------------------------------- /examples/eks-with-flagger/0-setup.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "eu-central-1" 3 | } 4 | 5 | provider "helm" { 6 | kubernetes { 7 | host = module.this.cluster_host 8 | cluster_ca_certificate = module.this.cluster_certificate 9 | token = module.this.cluster_token 10 | } 11 | } 12 | 13 | # Prepare for test 14 | data "aws_availability_zones" "available" {} 15 | data "aws_vpcs" "ids" { 16 | tags = { 17 | Name = "default" 18 | } 19 | } 20 | 21 | data "aws_subnets" "subnets" { 22 | filter { 23 | name = "vpc-id" 24 | values = [data.aws_vpcs.ids.ids[0]] 25 | } 26 | } 27 | 
-------------------------------------------------------------------------------- /examples/eks-with-flagger/README.md: -------------------------------------------------------------------------------- 1 | # eks-with-flagger 2 | 3 | 4 | ## Requirements 5 | 6 | No requirements. 7 | 8 | ## Providers 9 | 10 | | Name | Version | 11 | |------|---------| 12 | | [aws](#provider\_aws) | 5.92.0 | 13 | | [helm](#provider\_helm) | 2.17.0 | 14 | 15 | ## Modules 16 | 17 | | Name | Source | Version | 18 | |------|--------|---------| 19 | | [this](#module\_this) | ../.. | n/a | 20 | 21 | ## Resources 22 | 23 | | Name | Type | 24 | |------|------| 25 | | [helm_release.http_echo](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | 26 | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | 27 | | [aws_subnets.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | 28 | | [aws_vpcs.ids](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpcs) | data source | 29 | 30 | ## Inputs 31 | 32 | No inputs. 33 | 34 | ## Outputs 35 | 36 | No outputs. 
37 | 38 | -------------------------------------------------------------------------------- /examples/eks-with-karpenter-and-external-secret/0-setup.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = "~> 1.3" 3 | 4 | required_providers { 5 | kubectl = { 6 | source = "gavinbunney/kubectl" 7 | # version = "~>1.14" 8 | } 9 | } 10 | } 11 | 12 | provider "aws" { 13 | region = "eu-central-1" 14 | } 15 | 16 | provider "helm" { 17 | kubernetes { 18 | host = module.this.cluster_host 19 | cluster_ca_certificate = module.this.cluster_certificate 20 | token = module.this.cluster_token 21 | } 22 | } 23 | 24 | provider "kubectl" { 25 | host = module.this.cluster_host 26 | cluster_ca_certificate = module.this.cluster_certificate 27 | token = module.this.cluster_token 28 | load_config_file = false 29 | } 30 | 31 | provider "kubernetes" { 32 | host = module.this.cluster_host 33 | cluster_ca_certificate = module.this.cluster_certificate 34 | token = module.this.cluster_token 35 | } 36 | 37 | # Prepare for test 38 | data "aws_availability_zones" "available" {} 39 | data "aws_vpcs" "ids" { 40 | tags = { 41 | Name = "default" 42 | } 43 | } 44 | data "aws_subnets" "subnets" { 45 | filter { 46 | name = "vpc-id" 47 | values = [data.aws_vpcs.ids.ids[0]] 48 | } 49 | } 50 | 51 | locals { 52 | cluster_name = "test-eks-with-karp-and-secret" 53 | namespace = "default" 54 | } 55 | -------------------------------------------------------------------------------- /examples/eks-with-karpenter/0-setup.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "eu-central-1" 3 | } 4 | 5 | provider "helm" { 6 | kubernetes { 7 | host = module.this.cluster_host 8 | cluster_ca_certificate = module.this.cluster_certificate 9 | token = module.this.cluster_token 10 | } 11 | } 12 | 13 | # Prepare for test 14 | data "aws_availability_zones" "available" {} 15 | data "aws_vpcs" 
"ids" { 16 | tags = { 17 | Name = "default" 18 | } 19 | } 20 | data "aws_subnets" "subnets" { 21 | filter { 22 | name = "vpc-id" 23 | values = [data.aws_vpcs.ids.ids[0]] 24 | } 25 | } 26 | 27 | locals { 28 | cluster_name = "test-eks-with-karpenter" 29 | } 30 | -------------------------------------------------------------------------------- /examples/eks-with-karpenter/README.md: -------------------------------------------------------------------------------- 1 | # eks-with-karpenter 2 | 3 | 4 | ## Requirements 5 | 6 | No requirements. 7 | 8 | ## Providers 9 | 10 | | Name | Version | 11 | |------|---------| 12 | | [aws](#provider\_aws) | 5.86.0 | 13 | | [helm](#provider\_helm) | 2.17.0 | 14 | 15 | ## Modules 16 | 17 | | Name | Source | Version | 18 | |------|--------|---------| 19 | | [this](#module\_this) | ../.. | n/a | 20 | 21 | ## Resources 22 | 23 | | Name | Type | 24 | |------|------| 25 | | [helm_release.http_echo](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | 26 | | [helm_release.http_echo_on_demand](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | 27 | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | 28 | | [aws_subnets.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | 29 | | [aws_vpcs.ids](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpcs) | data source | 30 | 31 | ## Inputs 32 | 33 | No inputs. 34 | 35 | ## Outputs 36 | 37 | No outputs. 
38 | 39 | -------------------------------------------------------------------------------- /examples/eks-with-karpenter/http-echo-on-demand.yaml: -------------------------------------------------------------------------------- 1 | image: 2 | repository: mendhak/http-https-echo 3 | tag: 34 4 | 5 | containerPort: 8080 6 | 7 | service: 8 | enabled: true 9 | type: ClusterIP 10 | 11 | externalSecretsApiVersion: external-secrets.io/v1beta1 # IMPORTANT: upgrade the external-secrets API version, because the new EKS module brings a new External Secrets operator 12 | 13 | autoscaling: 14 | enabled: true 15 | minReplicas: 4 16 | maxReplicas: 10 17 | targetCPUUtilizationPercentage: 99 18 | 19 | # set this so that Karpenter keeps at least 2 pods of this deployment running while a rollout happens 20 | pdb: 21 | enabled: true 22 | minAvailable: 2 23 | 24 | # set this so that Karpenter is not allowed to decide when this pod (or the node hosting it) is disrupted 25 | podAnnotations: 26 | karpenter.sh/do-not-disrupt: "true" 27 | 28 | readinessProbe: 29 | initialDelaySeconds: 5 30 | failureThreshold: 1 31 | httpGet: 32 | path: /health 33 | port: http 34 | livenessProbe: 35 | initialDelaySeconds: 5 36 | failureThreshold: 3 37 | httpGet: 38 | path: /health 39 | port: http 40 | resources: 41 | requests: 42 | cpu: 15m 43 | ingress: 44 | enabled: true 45 | class: nginx 46 | hosts: 47 | - host: http-echo-on-demand-karpenter.devops.dasmeta.com 48 | paths: 49 | - path: "/ping" 50 | backend: 51 | serviceName: http-echo 52 | servicePort: 80 53 | 54 | nodeSelector: 55 | nodetype: "on-demand" 56 | 57 | tolerations: 58 | - key: "nodegroup" 59 | operator: "Equal" 60 | value: "on-demand" 61 | effect: "NoSchedule" 62 | -------------------------------------------------------------------------------- /examples/eks-with-karpenter/http-echo.yaml: -------------------------------------------------------------------------------- 1 | image: 2 | repository: mendhak/http-https-echo 3 | tag: 34 4 | 5 | containerPort: 8080 6 | 7 | service: 8 | 
enabled: true 9 | type: ClusterIP 10 | 11 | externalSecretsApiVersion: external-secrets.io/v1beta1 # IMPORTANT: upgrade the external-secrets API version, because the new EKS module brings a new External Secrets operator 12 | 13 | autoscaling: 14 | enabled: true 15 | minReplicas: 20 16 | maxReplicas: 30 17 | targetCPUUtilizationPercentage: 99 18 | 19 | pdb: 20 | enabled: true 21 | minAvailable: 1 22 | 23 | readinessProbe: 24 | initialDelaySeconds: 5 25 | failureThreshold: 1 26 | httpGet: 27 | path: /health 28 | port: http 29 | livenessProbe: 30 | initialDelaySeconds: 5 31 | failureThreshold: 3 32 | httpGet: 33 | path: /health 34 | port: http 35 | resources: 36 | requests: 37 | cpu: 15m 38 | 39 | ingress: 40 | enabled: true 41 | class: nginx 42 | hosts: 43 | - host: http-echo-karpenter.devops.dasmeta.com 44 | paths: 45 | - path: "/ping" 46 | backend: 47 | serviceName: http-echo 48 | servicePort: 80 49 | -------------------------------------------------------------------------------- /examples/eks-with-linkerd/0-setup.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = "~> 1.3" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.31, < 6.0.0" 8 | } 9 | tls = { 10 | source = "hashicorp/tls" 11 | version = "~> 4.0" 12 | } 13 | } 14 | } 15 | 16 | provider "aws" { 17 | region = "eu-central-1" 18 | } 19 | 20 | provider "helm" { 21 | kubernetes { 22 | host = module.this.cluster_host 23 | cluster_ca_certificate = module.this.cluster_certificate 24 | token = module.this.cluster_token 25 | } 26 | } 27 | 28 | # Prepare for test 29 | data "aws_availability_zones" "available" {} 30 | data "aws_vpcs" "ids" { 31 | tags = { 32 | Name = "default" 33 | } 34 | } 35 | 36 | data "aws_subnets" "subnets" { 37 | filter { 38 | name = "vpc-id" 39 | values = [data.aws_vpcs.ids.ids[0]] 40 | } 41 | } 42 | -------------------------------------------------------------------------------- 
/examples/eks-with-linkerd/README.md: -------------------------------------------------------------------------------- 1 | # eks-with-linkerd 2 | 3 | 4 | ## Requirements 5 | 6 | | Name | Version | 7 | |------|---------| 8 | | [terraform](#requirement\_terraform) | ~> 1.3 | 9 | | [aws](#requirement\_aws) | >= 3.31, < 6.0.0 | 10 | | [tls](#requirement\_tls) | ~> 4.0 | 11 | 12 | ## Providers 13 | 14 | | Name | Version | 15 | |------|---------| 16 | | [aws](#provider\_aws) | 5.97.0 | 17 | | [helm](#provider\_helm) | 2.17.0 | 18 | 19 | ## Modules 20 | 21 | | Name | Source | Version | 22 | |------|--------|---------| 23 | | [this](#module\_this) | ../.. | n/a | 24 | 25 | ## Resources 26 | 27 | | Name | Type | 28 | |------|------| 29 | | [helm_release.http_echo](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | 30 | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | 31 | | [aws_subnets.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | 32 | | [aws_vpcs.ids](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpcs) | data source | 33 | 34 | ## Inputs 35 | 36 | No inputs. 37 | 38 | ## Outputs 39 | 40 | No outputs. 41 | 42 | -------------------------------------------------------------------------------- /examples/eks-with-linkerd/http-echo-linkerd-eks.yaml: -------------------------------------------------------------------------------- 1 | image: 2 | repository: mendhak/http-https-echo 3 | tag: 34 4 | 5 | # make sure you set the following annotations for your setups to enable linkerd and setup graceful shutdown seconds and cpu requests. 
Linkerd acts as a proxy and consumes relatively few resources (comparable to nginx), but for a stable setup we need to set a few values, at least the proxy CPU request 6 | podAnnotations: 7 | linkerd.io/inject: enabled 8 | config.linkerd.io/proxy-cpu-request: 50m 9 | config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "5" 10 | 11 | config: 12 | TEST_CONFIG_FOR_ROLLOUT_TRIGGER: "1" 13 | 14 | containerPort: 8080 15 | 16 | service: 17 | enabled: true 18 | type: ClusterIP 19 | 20 | autoscaling: 21 | enabled: true 22 | minReplicas: 2 23 | maxReplicas: 5 24 | targetCPUUtilizationPercentage: 99 25 | 26 | pdb: 27 | enabled: true 28 | minAvailable: 1 29 | 30 | readinessProbe: 31 | initialDelaySeconds: 5 32 | failureThreshold: 1 33 | httpGet: 34 | path: /health 35 | port: http 36 | livenessProbe: 37 | initialDelaySeconds: 5 38 | failureThreshold: 3 39 | httpGet: 40 | path: /health 41 | port: http 42 | resources: 43 | requests: 44 | cpu: 100m 45 | 46 | setIngressClassByField: true 47 | ingress: 48 | enabled: true 49 | class: nginx 50 | hosts: 51 | - host: http-echo-linkerd.devops.dasmeta.com 52 | paths: 53 | - path: "/" 54 | -------------------------------------------------------------------------------- /examples/eks-with-s3-csi/0-setup.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = "~> 1.3" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.31, < 6.0.0" 8 | } 9 | tls = { 10 | source = "hashicorp/tls" 11 | version = "~> 4.0" 12 | } 13 | } 14 | } 15 | 16 | provider "aws" { 17 | region = "eu-central-1" 18 | } 19 | 20 | provider "helm" { 21 | kubernetes { 22 | host = module.this.cluster_host 23 | cluster_ca_certificate = module.this.cluster_certificate 24 | token = module.this.cluster_token 25 | } 26 | } 27 | 28 | # Prepare for test 29 | data "aws_availability_zones" "available" {} 30 | data "aws_vpcs" "ids" { 31 | tags = { 32 | Name = "default" 33 | } 34 | } 35 | 36 
| data "aws_subnets" "subnets" { 37 | filter { 38 | name = "vpc-id" 39 | values = [data.aws_vpcs.ids.ids[0]] 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /examples/eks-with-s3-csi/test-cronjob.yaml: -------------------------------------------------------------------------------- 1 | # helm diff upgrade --install -n default test-cronjob dasmeta/base-cronjob --version 0.1.22 -f ./test-cronjob.yaml 2 | 3 | jobs: 4 | - name: test-cronjob 5 | schedule: "* * * * *" 6 | concurrencyPolicy: Forbid 7 | startingDeadlineSeconds: 60 8 | restartPolicy: Never 9 | image: 10 | repository: nginx 11 | tag: latest 12 | command: 13 | - /bin/sh 14 | - -c 15 | - rm -rf /s3/test-cronjob-hi.txt && echo "hi" > /s3/test-cronjob-hi.txt && sleep 60 16 | 17 | storage: 18 | - persistentVolumeClaimName: test-cronjob 19 | requestedSize: 1Gi 20 | accessModes: 21 | - ReadWriteMany 22 | className: "" 23 | enableDataSource: false 24 | persistentVolume: 25 | create: true 26 | csi: 27 | driver: s3.csi.aws.com 28 | volumeHandle: s3-csi-driver-volume # Must be unique 29 | volumeAttributes: 30 | bucketName: test-eks-with-s3-csi-dasmeta-bucket 31 | mountOptions: 32 | - allow-delete 33 | volumes: 34 | - name: test-cronjob-volume 35 | mountPath: /s3 36 | persistentVolumeClaim: 37 | claimName: test-cronjob 38 | -------------------------------------------------------------------------------- /examples/enable-ebs-csi-driver/README.md: -------------------------------------------------------------------------------- 1 | # enable-ebs-csi-driver 2 | 3 | 4 | ## Requirements 5 | 6 | No requirements. 7 | 8 | ## Providers 9 | 10 | No providers. 11 | 12 | ## Modules 13 | 14 | | Name | Source | Version | 15 | |------|--------|---------| 16 | | [cluster\_min](#module\_cluster\_min) | ../.. | n/a | 17 | 18 | ## Resources 19 | 20 | No resources. 21 | 22 | ## Inputs 23 | 24 | No inputs. 25 | 26 | ## Outputs 27 | 28 | No outputs. 
29 | 30 | -------------------------------------------------------------------------------- /examples/enable-ebs-csi-driver/main.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | cluster_enabled_log_types = ["audit"] 3 | cluster_name = "test" 4 | cluster_endpoint_public_access = true 5 | 6 | # Prod Parameters 7 | node_groups_default = { 8 | create_launch_template = false 9 | launch_template_name = "" 10 | disk_size = 50 11 | } 12 | node_groups = { 13 | regular = { 14 | min_size = 1 15 | max_size = 1 16 | desired_size = 1 17 | instance_types = ["t3.medium"] 18 | } 19 | } 20 | 21 | users = ["**USERS**"] 22 | 23 | map_roles = [{ 24 | rolearn = "" 25 | username = "" 26 | groups = [] 27 | }] 28 | } 29 | 30 | module "cluster_min" { 31 | source = "../.." 32 | 33 | enable_ebs_driver = true 34 | cluster_name = local.cluster_name 35 | users = local.users 36 | map_roles = local.map_roles 37 | node_groups_default = local.node_groups_default 38 | node_groups = local.node_groups 39 | 40 | vpc = { 41 | link = { 42 | id = "vpc-1234" 43 | private_subnet_ids = ["subent-1", "subnet-2"] 44 | } 45 | } 46 | 47 | alarms = { enabled = false } 48 | } 49 | -------------------------------------------------------------------------------- /examples/external-dns-enabled/0-setup.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | aws = { 4 | source = "hashicorp/aws" 5 | version = ">= 3.41" 6 | } 7 | } 8 | 9 | required_version = ">= 1.3.0" 10 | } 11 | 12 | /** 13 | * set the following env vars so that aws provider will get authenticated before apply: 14 | 15 | export AWS_ACCESS_KEY_ID=xxxxxxxxxxxxxxxxxxxxxxxx 16 | export AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxx 17 | */ 18 | provider "aws" { 19 | region = "eu-central-1" 20 | } 21 | 22 | data "aws_availability_zones" "available" {} 23 | data "aws_caller_identity" "current" {} 24 | 
-------------------------------------------------------------------------------- /examples/external-dns-enabled/1-example.tf: -------------------------------------------------------------------------------- 1 | module "cluster_min" { 2 | source = "../../" 3 | 4 | cluster_name = "test-eks-spot-instances" 5 | 6 | vpc = { 7 | create = { 8 | name = "test-eks-spot-instances" 9 | cidr = "10.16.0.0/16" 10 | availability_zones = data.aws_availability_zones.available.names 11 | private_subnets = ["10.16.1.0/24", "10.16.2.0/24", "10.16.3.0/24"] 12 | public_subnets = ["10.16.4.0/24", "10.16.5.0/24", "10.16.6.0/24"] 13 | } 14 | } 15 | account_id = data.aws_caller_identity.current.account_id 16 | 17 | node_groups = { 18 | example = { 19 | max_capacity = 1 20 | min_size = 1 21 | max_size = 1 22 | desired_size = 1 23 | } 24 | } 25 | 26 | node_groups_default = { 27 | instance_types = ["t3.large"] 28 | capacity_type = "SPOT" 29 | } 30 | // enable ebs-csi driver to be able to create pv/pvc 31 | enable_ebs_driver = true 32 | ebs_csi_version = "v1.35.0-eksbuild.1" 33 | 34 | external_dns = { 35 | enabled = true 36 | configs = { sources = ["service"] } 37 | } 38 | 39 | // disable some other features 40 | alarms = { 41 | enabled = false 42 | sns_topic = "" 43 | } 44 | fluent_bit_configs = { 45 | enabled = false 46 | } 47 | metrics_exporter = "disabled" 48 | autoscaling = false 49 | } 50 | -------------------------------------------------------------------------------- /examples/external-dns-enabled/README.md: -------------------------------------------------------------------------------- 1 | # spot-instance 2 | 3 | 4 | ## Requirements 5 | 6 | | Name | Version | 7 | |------|---------| 8 | | [terraform](#requirement\_terraform) | >= 1.3.0 | 9 | | [aws](#requirement\_aws) | >= 3.41 | 10 | 11 | ## Providers 12 | 13 | | Name | Version | 14 | |------|---------| 15 | | [aws](#provider\_aws) | 4.67.0 | 16 | 17 | ## Modules 18 | 19 | | Name | Source | Version | 20 | |------|--------|---------| 
21 | | [cluster\_min](#module\_cluster\_min) | ../../ | n/a | 22 | 23 | ## Resources 24 | 25 | | Name | Type | 26 | |------|------| 27 | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | 28 | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | 29 | 30 | ## Inputs 31 | 32 | No inputs. 33 | 34 | ## Outputs 35 | 36 | No outputs. 37 | 38 | -------------------------------------------------------------------------------- /examples/rbac-from-external-source/README.md: -------------------------------------------------------------------------------- 1 | # rbac-from-external-source 2 | 3 | 4 | ## Requirements 5 | 6 | No requirements. 7 | 8 | ## Providers 9 | 10 | No providers. 11 | 12 | ## Modules 13 | 14 | | Name | Source | Version | 15 | |------|--------|---------| 16 | | [bindings](#module\_bindings) | from some sorce that controlled by security specialist | n/a | 17 | | [roles](#module\_roles) | from some sorce that controlled by security specialist | n/a | 18 | | [this](#module\_this) | ../../ | n/a | 19 | 20 | ## Resources 21 | 22 | No resources. 23 | 24 | ## Inputs 25 | 26 | No inputs. 27 | 28 | ## Outputs 29 | 30 | No outputs. 
31 | 32 | -------------------------------------------------------------------------------- /examples/rbac-from-external-source/main.tf: -------------------------------------------------------------------------------- 1 | module "roles" { 2 | source = "from some sorce that controlled by security specialist" 3 | } 4 | 5 | module "bindings" { 6 | source = "from some sorce that controlled by security specialist" 7 | } 8 | 9 | module "this" { 10 | source = "../../" 11 | 12 | cluster_name = "my-cluster-sso" 13 | 14 | vpc = { 15 | create = { 16 | name = "test-eks-spot-instances" 17 | cidr = "172.16.0.0/16" 18 | availability_zones = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] 19 | private_subnets = ["172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24"] 20 | public_subnets = ["172.16.4.0/24", "172.16.5.0/24", "172.16.6.0/24"] 21 | } 22 | } 23 | 24 | users = [{ 25 | username = "macos" 26 | }] 27 | 28 | enable_sso_rbac = true 29 | 30 | weave_scope_config = { 31 | namespace = "weave" 32 | create_namespace = true 33 | ingress_class = "ingressClass" 34 | ingress_host = "www.example.com" 35 | annotations = { 36 | "key1" = "value1" 37 | "key2" = "value2" 38 | } 39 | service_type = "NodePort" 40 | weave_helm_release_name = "weave" 41 | } 42 | 43 | weave_scope_enabled = true 44 | 45 | roles = module.roles 46 | bindings = module.bindings 47 | 48 | alarms = { 49 | enabled = false 50 | sns_topic = "" 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /examples/rbac-from-locals/README.md: -------------------------------------------------------------------------------- 1 | # rbac-from-locals 2 | 3 | 4 | ## Requirements 5 | 6 | No requirements. 7 | 8 | ## Providers 9 | 10 | No providers. 11 | 12 | ## Modules 13 | 14 | | Name | Source | Version | 15 | |------|--------|---------| 16 | | [this](#module\_this) | ../../ | n/a | 17 | 18 | ## Resources 19 | 20 | No resources. 21 | 22 | ## Inputs 23 | 24 | No inputs. 
25 | 26 | ## Outputs 27 | 28 | No outputs. 29 | 30 | -------------------------------------------------------------------------------- /examples/spot-instance-alarms-disabled/0-setup.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | aws = { 4 | source = "hashicorp/aws" 5 | version = ">= 3.41" 6 | } 7 | } 8 | 9 | required_version = ">= 1.3.0" 10 | } 11 | 12 | /** 13 | * set the following env vars so that aws provider will get authenticated before apply: 14 | 15 | export AWS_ACCESS_KEY_ID=xxxxxxxxxxxxxxxxxxxxxxxx 16 | export AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxx 17 | */ 18 | provider "aws" { 19 | region = "eu-central-1" 20 | } 21 | 22 | data "aws_availability_zones" "available" {} 23 | data "aws_caller_identity" "current" {} 24 | -------------------------------------------------------------------------------- /examples/spot-instance-alarms-disabled/1-example.tf: -------------------------------------------------------------------------------- 1 | module "cluster_min" { 2 | source = "../../" 3 | 4 | cluster_name = "test-eks-spot-instances" 5 | 6 | vpc = { 7 | create = { 8 | name = "test-eks-spot-instances" 9 | cidr = "10.16.0.0/16" 10 | availability_zones = data.aws_availability_zones.available.names 11 | private_subnets = ["10.16.1.0/24", "10.16.2.0/24", "10.16.3.0/24"] 12 | public_subnets = ["10.16.4.0/24", "10.16.5.0/24", "10.16.6.0/24"] 13 | } 14 | } 15 | account_id = data.aws_caller_identity.current.account_id 16 | 17 | # users = [ 18 | # { 19 | # username : "julia.aghamyan" 20 | # } 21 | # ] 22 | 23 | node_groups = { 24 | example = { 25 | max_capacity = 1 26 | min_size = 1 27 | max_size = 1 28 | desired_size = 1 29 | } 30 | } 31 | 32 | node_groups_default = { 33 | instance_types = ["t3.large"] 34 | capacity_type = "SPOT" 35 | } 36 | 37 | alarms = { 38 | enabled = false 39 | sns_topic = "" 40 | } 41 | } 42 | 
-------------------------------------------------------------------------------- /examples/spot-instance-alarms-disabled/README.md: -------------------------------------------------------------------------------- 1 | # spot-instance-alarms-disabled 2 | 3 | 4 | ## Requirements 5 | 6 | | Name | Version | 7 | |------|---------| 8 | | [terraform](#requirement\_terraform) | >= 1.3.0 | 9 | | [aws](#requirement\_aws) | >= 3.41 | 10 | 11 | ## Providers 12 | 13 | | Name | Version | 14 | |------|---------| 15 | | [aws](#provider\_aws) | >= 3.41 | 16 | 17 | ## Modules 18 | 19 | | Name | Source | Version | 20 | |------|--------|---------| 21 | | [cluster\_min](#module\_cluster\_min) | ../../ | n/a | 22 | 23 | ## Resources 24 | 25 | | Name | Type | 26 | |------|------| 27 | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | 28 | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | 29 | 30 | ## Inputs 31 | 32 | No inputs. 33 | 34 | ## Outputs 35 | 36 | No outputs. 
37 | 38 | -------------------------------------------------------------------------------- /examples/spot-instance-customize-alarms/0-setup.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | aws = { 4 | source = "hashicorp/aws" 5 | version = ">= 3.41" 6 | } 7 | } 8 | 9 | required_version = ">= 1.3.0" 10 | } 11 | 12 | /** 13 | * set the following env vars so that aws provider will get authenticated before apply: 14 | 15 | export AWS_ACCESS_KEY_ID=xxxxxxxxxxxxxxxxxxxxxxxx 16 | export AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxx 17 | */ 18 | provider "aws" { 19 | region = "eu-central-1" 20 | } 21 | 22 | data "aws_availability_zones" "available" {} 23 | data "aws_caller_identity" "current" {} 24 | -------------------------------------------------------------------------------- /examples/spot-instance-customize-alarms/1-example.tf: -------------------------------------------------------------------------------- 1 | module "cluster_min" { 2 | source = "../../" 3 | 4 | cluster_name = "test-eks-spot-instances" 5 | 6 | vpc = { 7 | create = { 8 | name = "test-eks-spot-instances" 9 | cidr = "10.16.0.0/16" 10 | availability_zones = data.aws_availability_zones.available.names 11 | private_subnets = ["10.16.1.0/24", "10.16.2.0/24", "10.16.3.0/24"] 12 | public_subnets = ["10.16.4.0/24", "10.16.5.0/24", "10.16.6.0/24"] 13 | } 14 | } 15 | account_id = data.aws_caller_identity.current.account_id 16 | 17 | node_groups = { 18 | example = { 19 | max_capacity = 1 20 | min_size = 1 21 | max_size = 1 22 | desired_size = 1 23 | } 24 | } 25 | 26 | node_groups_default = { 27 | instance_types = ["t3.medium"] 28 | capacity_type = "SPOT" 29 | } 30 | 31 | alarms = { 32 | sns_topic = "Default" 33 | custom_values = { 34 | node_failed = { 35 | period = "62" 36 | threshold = "1" 37 | statistic = "max" 38 | } 39 | } 40 | } 41 | } 42 | -------------------------------------------------------------------------------- 
/examples/spot-instance-customize-alarms/README.md: -------------------------------------------------------------------------------- 1 | # spot-instance-customize-alarms 2 | 3 | 4 | ## Requirements 5 | 6 | | Name | Version | 7 | |------|---------| 8 | | [terraform](#requirement\_terraform) | >= 1.3.0 | 9 | | [aws](#requirement\_aws) | >= 3.41 | 10 | 11 | ## Providers 12 | 13 | | Name | Version | 14 | |------|---------| 15 | | [aws](#provider\_aws) | >= 3.41 | 16 | 17 | ## Modules 18 | 19 | | Name | Source | Version | 20 | |------|--------|---------| 21 | | [cluster\_min](#module\_cluster\_min) | ../../ | n/a | 22 | 23 | ## Resources 24 | 25 | | Name | Type | 26 | |------|------| 27 | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | 28 | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | 29 | 30 | ## Inputs 31 | 32 | No inputs. 33 | 34 | ## Outputs 35 | 36 | No outputs. 37 | 38 | -------------------------------------------------------------------------------- /examples/spot-instance-vpc-link/README.md: -------------------------------------------------------------------------------- 1 | # spot-instance 2 | 3 | 4 | ## Requirements 5 | 6 | No requirements. 7 | 8 | ## Providers 9 | 10 | No providers. 11 | 12 | ## Modules 13 | 14 | | Name | Source | Version | 15 | |------|--------|---------| 16 | | [this](#module\_this) | ../../ | n/a | 17 | 18 | ## Resources 19 | 20 | No resources. 21 | 22 | ## Inputs 23 | 24 | No inputs. 25 | 26 | ## Outputs 27 | 28 | No outputs. 
29 | 30 | -------------------------------------------------------------------------------- /examples/spot-instance-vpc-link/main.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | cluster_name = "dev" 3 | 4 | node_groups = { 5 | example = { 6 | name = "nodegroup" 7 | name-prefix = "nodegroup" 8 | # additional_tags = { 9 | # "Name" = "node" 10 | # "ExtraTag" = "ExtraTag" 11 | # } 12 | 13 | instance_type = "t3.medium" 14 | max_capacity = 1 15 | disk_size = 50 16 | create_launch_template = false 17 | subnet = ["subnet_id"] 18 | capacity_type = "SPOT" 19 | } 20 | } 21 | 22 | node_groups_default = { 23 | disk_size = 50 24 | instance_types = ["t3.medium"] 25 | capacity_type = "SPOT" 26 | } 27 | } 28 | 29 | module "this" { 30 | source = "../../" 31 | 32 | cluster_name = local.cluster_name 33 | 34 | # TODO: test this 35 | vpc = { 36 | link = { 37 | id = "vpc-0abcfb66512c24a4a" 38 | private_subnet_ids = ["subnet-09bf9e87454585646", "subnet-05e5e04e31dd17b14"] 39 | } 40 | } 41 | node_groups = local.node_groups 42 | node_groups_default = local.node_groups_default 43 | 44 | alarms = { 45 | enabled = false 46 | sns_topic = "" 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /examples/spot-instance/0-setup.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | aws = { 4 | source = "hashicorp/aws" 5 | version = ">= 3.41" 6 | } 7 | } 8 | 9 | required_version = ">= 1.3.0" 10 | } 11 | 12 | /** 13 | * set the following env vars so that aws provider will get authenticated before apply: 14 | 15 | export AWS_ACCESS_KEY_ID=xxxxxxxxxxxxxxxxxxxxxxxx 16 | export AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxx 17 | */ 18 | provider "aws" { 19 | region = "eu-central-1" 20 | } 21 | 22 | data "aws_availability_zones" "available" {} 23 | data "aws_caller_identity" "current" {} 24 | 
-------------------------------------------------------------------------------- /examples/spot-instance/1-example.tf: -------------------------------------------------------------------------------- 1 | module "cluster_min" { 2 | source = "../../" 3 | 4 | cluster_name = "test-eks-spot-instances" 5 | 6 | vpc = { 7 | create = { 8 | name = "test-eks-spot-instances" 9 | cidr = "10.16.0.0/16" 10 | availability_zones = data.aws_availability_zones.available.names 11 | private_subnets = ["10.16.1.0/24", "10.16.2.0/24", "10.16.3.0/24"] 12 | public_subnets = ["10.16.4.0/24", "10.16.5.0/24", "10.16.6.0/24"] 13 | } 14 | } 15 | account_id = data.aws_caller_identity.current.account_id 16 | 17 | node_groups = { 18 | example = { 19 | max_capacity = 1 20 | min_size = 1 21 | max_size = 1 22 | desired_size = 1 23 | } 24 | } 25 | 26 | node_groups_default = { 27 | instance_types = ["t3.large"] 28 | capacity_type = "SPOT" 29 | } 30 | 31 | alarms = { 32 | sns_topic = "Default" 33 | } 34 | 35 | } 36 | -------------------------------------------------------------------------------- /examples/spot-instance/README.md: -------------------------------------------------------------------------------- 1 | # spot-instance 2 | 3 | 4 | ## Requirements 5 | 6 | | Name | Version | 7 | |------|---------| 8 | | [terraform](#requirement\_terraform) | >= 1.3.0 | 9 | | [aws](#requirement\_aws) | >= 3.41 | 10 | 11 | ## Providers 12 | 13 | | Name | Version | 14 | |------|---------| 15 | | [aws](#provider\_aws) | 4.67.0 | 16 | 17 | ## Modules 18 | 19 | | Name | Source | Version | 20 | |------|--------|---------| 21 | | [cluster\_min](#module\_cluster\_min) | ../../ | n/a | 22 | 23 | ## Resources 24 | 25 | | Name | Type | 26 | |------|------| 27 | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | 28 | | 
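[aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | 29 | 30 | ## Inputs 31 | 32 | No inputs. 33 | 34 | ## Outputs 35 | 36 | No outputs. 37 | 38 | -------------------------------------------------------------------------------- /git-conventional-commits.json: -------------------------------------------------------------------------------- 1 | { 2 | "convention" : { 3 | "commitTypes": [ 4 | "feat", 5 | "fix", 6 | "perf", 7 | "refactor", 8 | "style", 9 | "test", 10 | "build", 11 | "ops", 12 | "docs", 13 | "merge", 14 | "chore" 15 | ], 16 | "commitScopes": [], 17 | "releaseTagGlobPattern": "v[0-9]*.[0-9]*.[0-9]*", 18 | "issueRegexPattern": "(^|\\s)#\\d+(\\s|$)" 19 | }, 20 | "changelog" : { 21 | "commitTypes": [ 22 | "feat", 23 | "fix", 24 | "perf", 25 | "merge" 26 | ], 27 | "includeInvalidCommits": true, 28 | "commitScopes": [], 29 | "commitIgnoreRegexPattern": "^WIP ", 30 | "headlines": { 31 | "feat": "Features", 32 | "fix": "Bug Fixes", 33 | "perf": "Performance Improvements", 34 | "merge": "Merged Branches", 35 | "breakingChange": "BREAKING CHANGES" 36 | }, 37 | "commitUrl": "https://github.com/ACCOUNT/REPOSITORY/commit/%commit%", 38 | "commitRangeUrl": "https://github.com/ACCOUNT/REPOSITORY/compare/%from%...%to%?diff=split", 39 | "issueUrl": "https://github.com/ACCOUNT/REPOSITORY/issues/%issue%" 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /githooks/commit-msg: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # File generated by pre-commit: https://pre-commit.com 3 | # ID: 138fd403232d2ddd5efb44317e38bf03 4 | 5 | # start templated 6 | INSTALL_PYTHON=/usr/bin/python3 7 | ARGS=(hook-impl --config=.pre-commit-config.yaml --hook-type=commit-msg) 8 | # end templated 9 | 10 | HERE="$(cd "$(dirname "$0")" && pwd)" 11 | ARGS+=(--hook-dir "$HERE" -- "$@") 12 | 13 | # run the pre-commit launcher from PATH, else via the templated interpreter, else fail the commit 14 | if
command -v pre-commit > /dev/null; then 14 | exec pre-commit "${ARGS[@]}" 15 | elif [ -x "$INSTALL_PYTHON" ]; then 16 | exec "$INSTALL_PYTHON" -mpre_commit "${ARGS[@]}" 17 | else 18 | echo '`pre-commit` not found. Did you forget to activate your virtualenv?' 1>&2 19 | exit 1 # was "exit 1a", which is not a valid exit status and only fails through a "numeric argument required" error 20 | fi 21 | -------------------------------------------------------------------------------- /githooks/pre-commit: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e 4 | pre-commit run --show-diff-on-failure --color=always --all-files 5 | -------------------------------------------------------------------------------- /keda.tf: -------------------------------------------------------------------------------- 1 | module "keda" { 2 | source = "./modules/keda" 3 | count = var.keda.enabled ? 1 : 0 4 | 5 | account_id = local.account_id 6 | oidc_provider_arn = module.eks-cluster[0].oidc_provider_arn 7 | name = var.keda.name 8 | namespace = var.keda.namespace 9 | create_namespace = var.keda.create_namespace 10 | keda_version = var.keda.keda_version 11 | attach_policies = var.keda.attach_policies 12 | eks_cluster_name = module.eks-cluster[0].cluster_name 13 | 14 | depends_on = [module.eks-core-components-and-alb] 15 | } 16 | -------------------------------------------------------------------------------- /locals.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | account_id = coalesce(var.account_id, try(data.aws_caller_identity.current[0].account_id, null)) 3 | region = coalesce(var.region, try(data.aws_region.current[0].name, null)) 4 | 5 | eks_oidc_root_ca_thumbprint = replace(try(module.eks-cluster[0].oidc_provider_arn, ""), "/.*id//", "") /* despite the name this is the OIDC provider id (the ARN suffix after "id/"), not a certificate thumbprint */ 6 | cluster_autoscaler_enabled = var.autoscaling && !var.karpenter.enabled # The EKS cluster autoscaler is disabled whenever Karpenter is enabled: Karpenter replaces it, and running both can cause conflicts 7 | 8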
| vpc_id = var.vpc.create.name != null ? module.vpc[0].id : var.vpc.link.id 9 | subnet_ids = var.vpc.create.name != null ? module.vpc[0].private_subnets : var.vpc.link.private_subnet_ids 10 | 11 | cluster_addons = { for key, value in merge(var.cluster_addons, var.default_addons) : key => merge( 12 | value, 13 | try(value.configuration_values, null) == null ? {} : { for key, value in(can(tostring(value.configuration_values)) ? { configuration_values = null } : { configuration_values = jsonencode(value.configuration_values) }) : key => value if value != null } 14 | ) } 15 | } 16 | -------------------------------------------------------------------------------- /meta-system.tf: -------------------------------------------------------------------------------- 1 | resource "kubernetes_namespace" "meta-system" { 2 | metadata { 3 | name = "meta-system" 4 | } 5 | 6 | depends_on = [module.eks-core-components] 7 | } 8 | -------------------------------------------------------------------------------- /modules/README.md: -------------------------------------------------------------------------------- 1 | # How To 2 | This module is used to organize AWS SSO group and EKS RBAC Syncronization 3 | 4 | 5 | ### Example 1 6 | 7 | 8 | ``` 9 | module "sso_module" { 10 | source = "../module" 11 | 12 | eks_module = module.eks 13 | 14 | assignment = [{ 15 | name = "role1" 16 | group = "development" 17 | namespace = "development" 18 | role = [local.role1] 19 | 20 | }, { 21 | name = "role2" 22 | group = "accounting" 23 | namespace = "accounting" 24 | role = [local.role2] 25 | }] 26 | } 27 | 28 | locals { 29 | 30 | role1 = { 31 | actions = ["get", "list", "watch"] 32 | resources = ["deployments"] 33 | } 34 | 35 | role2 = { 36 | actions = ["get", "list", "watch"] 37 | resources = ["pods"] 38 | } 39 | } 40 | 41 | output "iam_permission_set_arns" { 42 | value = module.sso_module.iam_permission_set_arns 43 | } 44 | ``` 45 | 
-------------------------------------------------------------------------------- /modules/adot/data.tf: -------------------------------------------------------------------------------- 1 | data "aws_eks_cluster" "this" { 2 | name = var.cluster_name 3 | } 4 | 5 | data "aws_iam_openid_connect_provider" "this" { 6 | url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer 7 | } 8 | 9 | data "aws_region" "current" { 10 | count = var.region == null ? 1 : 0 11 | } 12 | 13 | data "aws_eks_addon_version" "this" { 14 | count = var.adot_version == null ? 1 : 0 15 | 16 | addon_name = local.addon_name 17 | kubernetes_version = var.cluster_version 18 | most_recent = var.most_recent 19 | } 20 | -------------------------------------------------------------------------------- /modules/adot/files/ClusterRoleBinding.yaml: -------------------------------------------------------------------------------- 1 | kind: ClusterRoleBinding 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: eks:addon-manager-otel 5 | subjects: 6 | - kind: User 7 | name: eks:addon-manager 8 | apiGroup: rbac.authorization.k8s.io 9 | roleRef: 10 | kind: ClusterRole 11 | name: eks:addon-manager-otel 12 | apiGroup: rbac.authorization.k8s.io 13 | -------------------------------------------------------------------------------- /modules/adot/files/Namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | labels: 5 | control-plane: controller-manager 6 | name: opentelemetry-operator-system 7 | -------------------------------------------------------------------------------- /modules/adot/files/RoleBinding.yaml: -------------------------------------------------------------------------------- 1 | kind: RoleBinding 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: eks:addon-manager 5 | namespace: opentelemetry-operator-system 6 | subjects: 7 | - kind: User 8 | name: eks:addon-manager 9 | 
apiGroup: rbac.authorization.k8s.io 10 | roleRef: 11 | kind: Role 12 | name: eks:addon-manager 13 | apiGroup: rbac.authorization.k8s.io 14 | -------------------------------------------------------------------------------- /modules/adot/operator-permissions.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | files = [ 3 | "${path.module}/files/Namespace.yaml", 4 | "${path.module}/files/Role.yaml", 5 | "${path.module}/files/RoleBinding.yaml", 6 | "${path.module}/files/ClusterRoleBinding.yaml", 7 | "${path.module}/files/ClusterRole.yaml" 8 | ] 9 | } 10 | 11 | resource "kubernetes_namespace" "operator" { 12 | count = var.create_namespace ? 1 : 0 13 | metadata { 14 | name = var.namespace 15 | labels = { 16 | "control-plane" = "controller-manager" 17 | } 18 | } 19 | } 20 | 21 | resource "kubectl_manifest" "this" { 22 | count = length(local.files) 23 | 24 | yaml_body = file(local.files[count.index]) 25 | apply_only = true 26 | } 27 | -------------------------------------------------------------------------------- /modules/adot/service-account.tf: -------------------------------------------------------------------------------- 1 | resource "aws_eks_addon" "this" { 2 | cluster_name = var.cluster_name 3 | addon_name = local.addon_name 4 | addon_version = coalesce(var.adot_version, try(data.aws_eks_addon_version.this[0].version, null)) 5 | service_account_role_arn = aws_iam_role.adot_collector.arn 6 | depends_on = [ 7 | kubectl_manifest.this 8 | ] 9 | } 10 | 11 | resource "kubernetes_namespace" "this" { 12 | count = var.create_namespace ? 
1 : 0 13 | metadata { 14 | name = var.namespace 15 | } 16 | } 17 | 18 | resource "kubernetes_service_account_v1" "adot-collector" { 19 | metadata { 20 | name = local.service_account_name 21 | namespace = var.namespace 22 | annotations = { 23 | "eks.amazonaws.com/role-arn" = aws_iam_role.adot_collector.arn 24 | } 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /modules/adot/tests/basic/1-example.tf: -------------------------------------------------------------------------------- 1 | module "adot" { 2 | source = "../.." 3 | 4 | cluster_name = local.cluster_name 5 | eks_oidc_root_ca_thumbprint = replace(try(data.aws_iam_openid_connect_provider.test-cluster-oidc-provider.arn, ""), "/.*id//", "") 6 | oidc_provider_arn = data.aws_iam_openid_connect_provider.test-cluster-oidc-provider.arn 7 | region = "eu-central-1" 8 | } 9 | -------------------------------------------------------------------------------- /modules/adot/tests/basic/README.md: -------------------------------------------------------------------------------- 1 | # basic 2 | 3 | 4 | ## Requirements 5 | 6 | | Name | Version | 7 | |------|---------| 8 | | [terraform](#requirement\_terraform) | >= 1.3.0 | 9 | | [aws](#requirement\_aws) | >= 3.41 | 10 | | [helm](#requirement\_helm) | >= 2.0 | 11 | | [kubectl](#requirement\_kubectl) | ~> 1.14 | 12 | | [kubernetes](#requirement\_kubernetes) | ~> 2.23 | 13 | 14 | ## Providers 15 | 16 | | Name | Version | 17 | |------|---------| 18 | | [aws](#provider\_aws) | >= 3.41 | 19 | 20 | ## Modules 21 | 22 | | Name | Source | Version | 23 | |------|--------|---------| 24 | | [adot](#module\_adot) | ../.. 
| n/a | 25 | 26 | ## Resources 27 | 28 | | Name | Type | 29 | |------|------| 30 | | [aws_eks_cluster.test-cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | 31 | | [aws_eks_cluster_auth.test-cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | 32 | | [aws_iam_openid_connect_provider.test-cluster-oidc-provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source | 33 | 34 | ## Inputs 35 | 36 | No inputs. 37 | 38 | ## Outputs 39 | 40 | No outputs. 41 | 42 | -------------------------------------------------------------------------------- /modules/adot/tests/configure_resources/1-example.tf: -------------------------------------------------------------------------------- 1 | module "adot" { 2 | source = "../.." 3 | 4 | cluster_name = local.cluster_name 5 | eks_oidc_root_ca_thumbprint = replace(try(data.aws_iam_openid_connect_provider.test-cluster-oidc-provider.arn, ""), "/.*id//", "") 6 | oidc_provider_arn = data.aws_iam_openid_connect_provider.test-cluster-oidc-provider.arn 7 | region = "eu-central-1" 8 | 9 | adot_config = { 10 | resources = { 11 | limit = { 12 | memory = "1000Mi" 13 | } 14 | requests = { 15 | memory = "500Mi" 16 | cpu = "300m" 17 | } 18 | } 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /modules/adot/tests/configure_resources/README.md: -------------------------------------------------------------------------------- 1 | # basic 2 | 3 | 4 | ## Requirements 5 | 6 | | Name | Version | 7 | |------|---------| 8 | | [terraform](#requirement\_terraform) | >= 1.3.0 | 9 | | [aws](#requirement\_aws) | >= 3.41 | 10 | | [helm](#requirement\_helm) | >= 2.0 | 11 | | [kubectl](#requirement\_kubectl) | ~> 1.14 | 12 | | [kubernetes](#requirement\_kubernetes) | ~> 2.23 | 13 | 14 | ## Providers 15 | 16 | | Name | 
Version | 17 | |------|---------| 18 | | [aws](#provider\_aws) | >= 3.41 | 19 | 20 | ## Modules 21 | 22 | | Name | Source | Version | 23 | |------|--------|---------| 24 | | [adot](#module\_adot) | ../.. | n/a | 25 | 26 | ## Resources 27 | 28 | | Name | Type | 29 | |------|------| 30 | | [aws_eks_cluster.test-cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | 31 | | [aws_eks_cluster_auth.test-cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | 32 | | [aws_iam_openid_connect_provider.test-cluster-oidc-provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source | 33 | 34 | ## Inputs 35 | 36 | No inputs. 37 | 38 | ## Outputs 39 | 40 | No outputs. 41 | 42 | -------------------------------------------------------------------------------- /modules/adot/tests/enable_logging/1-example.tf: -------------------------------------------------------------------------------- 1 | module "adot" { 2 | source = "../.." 
3 | 4 | cluster_name = local.cluster_name 5 | eks_oidc_root_ca_thumbprint = replace(try(data.aws_iam_openid_connect_provider.test-cluster-oidc-provider.arn, ""), "/.*id//", "") 6 | oidc_provider_arn = data.aws_iam_openid_connect_provider.test-cluster-oidc-provider.arn 7 | region = "eu-central-1" 8 | 9 | adot_config = { 10 | logging_enable = true 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /modules/adot/tests/enable_logging/README.md: -------------------------------------------------------------------------------- 1 | # basic 2 | 3 | 4 | ## Requirements 5 | 6 | | Name | Version | 7 | |------|---------| 8 | | [terraform](#requirement\_terraform) | >= 1.3.0 | 9 | | [aws](#requirement\_aws) | >= 3.41 | 10 | | [helm](#requirement\_helm) | >= 2.0 | 11 | | [kubectl](#requirement\_kubectl) | ~> 1.14 | 12 | | [kubernetes](#requirement\_kubernetes) | ~> 2.23 | 13 | 14 | ## Providers 15 | 16 | | Name | Version | 17 | |------|---------| 18 | | [aws](#provider\_aws) | >= 3.41 | 19 | 20 | ## Modules 21 | 22 | | Name | Source | Version | 23 | |------|--------|---------| 24 | | [adot](#module\_adot) | ../.. | n/a | 25 | 26 | ## Resources 27 | 28 | | Name | Type | 29 | |------|------| 30 | | [aws_eks_cluster.test-cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | 31 | | [aws_eks_cluster_auth.test-cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | 32 | | [aws_iam_openid_connect_provider.test-cluster-oidc-provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source | 33 | 34 | ## Inputs 35 | 36 | No inputs. 37 | 38 | ## Outputs 39 | 40 | No outputs. 
41 | 42 | -------------------------------------------------------------------------------- /modules/adot/tests/promethus_metrics/1-example.tf: -------------------------------------------------------------------------------- 1 | resource "helm_release" "cert-manager" { 2 | namespace = "cert-manager" 3 | create_namespace = true 4 | name = "cert-manager" 5 | chart = "cert-manager" 6 | repository = "https://charts.jetstack.io" 7 | atomic = true 8 | set { 9 | name = "installCRDs" 10 | value = "true" 11 | } 12 | } 13 | 14 | module "adot" { 15 | source = "../../" 16 | 17 | cluster_name = local.cluster_name 18 | eks_oidc_root_ca_thumbprint = replace(try(data.aws_iam_openid_connect_provider.test-cluster-oidc-provider.arn, ""), "/.*id//", "") 19 | oidc_provider_arn = data.aws_iam_openid_connect_provider.test-cluster-oidc-provider.arn 20 | region = "eu-central-1" 21 | 22 | adot_config = { 23 | log_group_name = "adot_log_group" 24 | accept_namespace_regex = "(default|kube-system)" 25 | 26 | additional_metrics = [ 27 | "pod_cpu_utilization", 28 | "kube_deployment_status_replicas_unavailable", 29 | "kube_deployment_status_replicas_available" 30 | ] 31 | } 32 | 33 | prometheus_metrics = [ 34 | "kube_deployment_status_replicas_unavailable", 35 | "kube_deployment_status_replicas_available" 36 | ] 37 | 38 | depends_on = [ 39 | helm_release.cert-manager 40 | ] 41 | } 42 | -------------------------------------------------------------------------------- /modules/adot/tests/promethus_metrics/2-assert.tf: -------------------------------------------------------------------------------- 1 | resource "test_assertions" "dummy" { 2 | component = "this" 3 | 4 | equal "scheme" { 5 | description = "As module does not have any output and data just make sure the case runs. Probably can be thrown away." 
6 | got = "all good" 7 | want = "all good" 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /modules/adot/tests/template_file/1-example.tf: -------------------------------------------------------------------------------- 1 | resource "helm_release" "cert-manager" { 2 | namespace = "cert-manager" 3 | create_namespace = true 4 | name = "cert-manager" 5 | chart = "cert-manager" 6 | repository = "https://charts.jetstack.io" 7 | atomic = true 8 | set { 9 | name = "installCRDs" 10 | value = "true" 11 | } 12 | } 13 | 14 | module "adot" { 15 | source = "../../" 16 | 17 | cluster_name = local.cluster_name 18 | eks_oidc_root_ca_thumbprint = replace(try(data.aws_iam_openid_connect_provider.test-cluster-oidc-provider.arn, ""), "/.*id//", "") 19 | oidc_provider_arn = data.aws_iam_openid_connect_provider.test-cluster-oidc-provider.arn 20 | region = "eu-central-1" 21 | adot_config = { 22 | helm_values = templatefile("${path.module}/templates/adot-values.yaml.tpl", { 23 | region = "eu-central-1" 24 | cluster_name = local.cluster_name 25 | log_group_name = "/aws/containerinsights/${local.cluster_name}/adot" 26 | }) 27 | } 28 | depends_on = [ 29 | helm_release.cert-manager 30 | ] 31 | } 32 | -------------------------------------------------------------------------------- /modules/adot/tests/template_file/2-assert.tf: -------------------------------------------------------------------------------- 1 | resource "test_assertions" "dummy" { 2 | component = "this" 3 | 4 | equal "scheme" { 5 | description = "As module does not have any output and data just make sure the case runs. Probably can be thrown away." 
6 | got = "all good" 7 | want = "all good" 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /modules/adot/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | required_providers { 4 | aws = { 5 | version = ">= 4.7.0" 6 | } 7 | helm = ">= 2.0" 8 | kubernetes = { 9 | version = "~>2.23" 10 | } 11 | kubectl = { 12 | source = "gavinbunney/kubectl" 13 | version = "~>1.14" 14 | } 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /modules/api-gw/apis.tf: -------------------------------------------------------------------------------- 1 | /* One ACK API object per entry of var.api_gateway_resources. Keyed by list position, so reordering the list re-creates the affected API objects; keying by api.name (as stages.tf keys stages by name) would be stabler. */ resource "kubernetes_manifest" "api" { 2 | for_each = { for index, api in var.api_gateway_resources : index => api } 3 | manifest = { 4 | apiVersion = "apigatewayv2.services.k8s.aws/v1alpha1" 5 | kind = "API" 6 | metadata = { 7 | name = each.value.api.name 8 | namespace = each.value.namespace 9 | } 10 | spec = { 11 | name = each.value.api.name 12 | protocolType = each.value.api.protocolType 13 | } 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /modules/api-gw/iam.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | oidc_id = split("/", var.cluster_oidc_arn)[3] /* element 3 of the ARN split on "/"; an empty or malformed cluster_oidc_arn makes this fail at plan time */ 3 | } 4 | 5 | data "aws_region" "current" {} 6 | 7 | data "aws_caller_identity" "this" {} /* not referenced in this file; presumably used elsewhere in the module — verify */ 8 | 9 | /* NOTE(review): policies/api-gw-policy.json grants "apigateway:*" on "arn:aws:apigateway:*::/*" plus iam:CreateServiceLinkedRole on "*", and it does not reference the cluster_name passed in below, so the grant is not scoped to this cluster; narrow the action and resource list if the controller needs less. */ resource "aws_iam_policy" "policy" { 10 | name = "AmazonEKSClusterApiGateway-${var.cluster_name}-${data.aws_region.current.name}" 11 | path = "/" 12 | description = "Amazon EKS API gateway Policy" 13 | 14 | policy = templatefile("${path.module}/policies/api-gw-policy.json", { 15 | cluster_name = var.cluster_name 16 | }) 17 | } 18 | 19 | /* IRSA role assumed by the kube-system/ack-apigatewayv2-controller service account (see sa.tf). NOTE(review): policies/trusted-policy.json conditions only on the OIDC ":sub" claim; adding a ":aud" = "sts.amazonaws.com" condition is the usual IRSA hardening — confirm. managed_policy_arns (used below) is deprecated in recent aws provider releases in favour of aws_iam_role_policy_attachment. */ resource "aws_iam_role" "role" { 20 | name = "api-gw-${var.cluster_name}-${data.aws_region.current.name}" 21 | assume_role_policy =
templatefile("${path.module}/policies/trusted-policy.json", { 22 | oidc = var.cluster_oidc_arn, 23 | current_region = data.aws_region.current.name, 24 | oidc_id = local.oidc_id }) 25 | managed_policy_arns = [aws_iam_policy.policy.arn] 26 | } 27 | -------------------------------------------------------------------------------- /modules/api-gw/main.tf: -------------------------------------------------------------------------------- 1 | resource "helm_release" "api-gw-release" { 2 | depends_on = [kubernetes_service_account.servciceaccount] 3 | 4 | name = "api-gateway-controller" 5 | repository = "oci://public.ecr.aws/aws-controllers-k8s" 6 | chart = "apigatewayv2-chart" 7 | version = var.chart_version 8 | namespace = "kube-system" 9 | 10 | set { 11 | name = "serviceAccount.create" 12 | value = "false" 13 | } 14 | 15 | set { 16 | name = "aws.region" 17 | value = var.deploy_region == "" ? data.aws_region.current.name : var.deploy_region 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /modules/api-gw/policies/api-gw-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Effect": "Allow", 6 | "Action": [ 7 | "apigateway:*" 8 | ], 9 | "Resource": "arn:aws:apigateway:*::/*" 10 | }, 11 | { 12 | "Effect": "Allow", 13 | "Action": "iam:CreateServiceLinkedRole", 14 | "Resource": "*" 15 | } 16 | ] 17 | } 18 | -------------------------------------------------------------------------------- /modules/api-gw/policies/trusted-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Effect": "Allow", 6 | "Principal": { 7 | "Federated": "${oidc}" 8 | }, 9 | "Action": "sts:AssumeRoleWithWebIdentity", 10 | "Condition": { 11 | "StringEquals": { 12 | "oidc.eks.${current_region}.amazonaws.com/id/${oidc_id}:sub": 
"system:serviceaccount:kube-system:ack-apigatewayv2-controller" 13 | } 14 | } 15 | } 16 | ] 17 | } 18 | -------------------------------------------------------------------------------- /modules/api-gw/sa.tf: -------------------------------------------------------------------------------- 1 | resource "kubernetes_service_account" "servciceaccount" { 2 | metadata { 3 | name = "ack-apigatewayv2-controller" 4 | namespace = "kube-system" 5 | annotations = { 6 | "eks.amazonaws.com/role-arn" = aws_iam_role.role.arn 7 | } 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /modules/api-gw/stages.tf: -------------------------------------------------------------------------------- 1 | resource "kubernetes_manifest" "stage" { 2 | #for_each = { for api in flatten([for api in var.api_gateway_resources : api.stages]) : api.name => api } 3 | for_each = { for stage in flatten([for api in var.api_gateway_resources : api.stages != null ? api.stages : []]) : stage.name => stage } 4 | manifest = { 5 | apiVersion = "apigatewayv2.services.k8s.aws/v1alpha1" 6 | kind = "Stage" 7 | metadata = { 8 | name = each.value.name 9 | namespace = each.value.namespace != null ? 
each.value.namespace : "default" 10 | } 11 | spec = { 12 | apiRef = { 13 | from = { 14 | name = each.value.apiRef_name 15 | } 16 | } 17 | stageName = each.value.stageName 18 | autoDeploy = each.value.autoDeploy 19 | description = each.value.description 20 | } 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /modules/api-gw/tests/basic/0-setup.tf: -------------------------------------------------------------------------------- 1 | # data 2 | provider "helm" { 3 | kubernetes { 4 | config_path = "~/.kube/config" 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /modules/api-gw/tests/basic/1-example.tf: -------------------------------------------------------------------------------- 1 | module "basic" { 2 | source = "../.." 3 | } 4 | -------------------------------------------------------------------------------- /modules/api-gw/tests/basic/README.md: -------------------------------------------------------------------------------- 1 | # basic 2 | 3 | 4 | ## Requirements 5 | 6 | No requirements. 7 | 8 | ## Providers 9 | 10 | No providers. 11 | 12 | ## Modules 13 | 14 | | Name | Source | Version | 15 | |------|--------|---------| 16 | | [basic](#module\_basic) | ../.. | n/a | 17 | 18 | ## Resources 19 | 20 | No resources. 21 | 22 | ## Inputs 23 | 24 | No inputs. 25 | 26 | ## Outputs 27 | 28 | No outputs. 
29 | 30 | -------------------------------------------------------------------------------- /modules/api-gw/variables.tf: -------------------------------------------------------------------------------- 1 | variable "cluster_oidc_arn" { 2 | type = string 3 | description = "Cluster OIDC arn to pass to policy" 4 | } 5 | 6 | variable "cluster_name" { 7 | type = string 8 | description = "Cluster name to pass to role" 9 | } 10 | 11 | variable "chart_version" { 12 | description = "Chart version of api-gw" 13 | type = string 14 | default = "1.0.17" 15 | } 16 | 17 | variable "deploy_region" { 18 | description = "Region in which API gatewat will be configured" 19 | type = string 20 | } 21 | 22 | variable "vpc_id" { 23 | type = string 24 | } 25 | 26 | variable "subnet_ids" { 27 | type = list(string) 28 | } 29 | 30 | variable "api_gateway_resources" { 31 | description = "Nested map containing API, Stage, and VPC Link resources" 32 | type = list(object({ 33 | namespace = string 34 | api = object({ 35 | name = string 36 | protocolType = string 37 | }) 38 | stages = optional(list(object({ 39 | namespace = string 40 | name = string 41 | apiRef_name = string 42 | stageName = string 43 | autoDeploy = bool 44 | description = string 45 | }))) 46 | vpc_links = optional(list(object({ 47 | namespace = string 48 | name = string 49 | }))) 50 | })) 51 | } 52 | -------------------------------------------------------------------------------- /modules/api-gw/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = "~> 1.3" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.31" 8 | } 9 | 10 | helm = { 11 | source = "hashicorp/helm" 12 | version = ">= 2.4.1" 13 | } 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /modules/autoscaler/autoscaler-policy.tf: 
-------------------------------------------------------------------------------- 1 | data "aws_region" "current" {} 2 | data "aws_caller_identity" "this" {} /* not referenced in this file; presumably used elsewhere in the module — verify */ 3 | 4 | /* Permissions for the cluster autoscaler. policies/cluster-autoscaler-policy.json limits the write actions (autoscaling:SetDesiredCapacity, autoscaling:TerminateInstanceInAutoScalingGroup) to ASGs tagged k8s.io/cluster-autoscaler/${cluster_name}=owned; the Describe* actions remain on "*". */ resource "aws_iam_policy" "policy" { 5 | name = "AmazonEKSClusterAutoscalerPolicy-${var.cluster_name}" 6 | path = "/" 7 | description = "Amazon EKS Autoscaler Policy" 8 | 9 | policy = templatefile("${path.module}/policies/cluster-autoscaler-policy.json", { 10 | cluster_name = var.cluster_name 11 | }) 12 | } 13 | 14 | /* IRSA role assumed by the kube-system/cluster-autoscaler service account. NOTE(review): policies/trusted-policy.json conditions only on the OIDC ":sub" claim; adding a ":aud" = "sts.amazonaws.com" condition is the usual IRSA hardening — confirm. managed_policy_arns is deprecated in recent aws provider releases in favour of aws_iam_role_policy_attachment. */ resource "aws_iam_role" "role" { 15 | name = "cluster-autoscaler-${var.cluster_name}-${data.aws_region.current.name}" 16 | assume_role_policy = templatefile("${path.module}/policies/trusted-policy.json", { 17 | oidc = var.cluster_oidc_arn, 18 | current_region = data.aws_region.current.name, 19 | oidc_id = local.oidc_id }) 20 | managed_policy_arns = [aws_iam_policy.policy.arn] 21 | } 22 | 23 | locals { 24 | oidc_id = split("/", var.cluster_oidc_arn)[3] /* element 3 of the ARN split on "/"; an empty cluster_oidc_arn (as in examples/basic/main.tf) makes this fail at plan time */ 25 | } 26 | -------------------------------------------------------------------------------- /modules/autoscaler/examples/basic/README.md: -------------------------------------------------------------------------------- 1 | # examples 2 | 3 | 4 | ## Requirements 5 | 6 | No requirements. 7 | 8 | ## Providers 9 | 10 | No providers. 11 | 12 | ## Modules 13 | 14 | | Name | Source | Version | 15 | |------|--------|---------| 16 | | [cluster\_min](#module\_cluster\_min) | ../.. | n/a | 17 | 18 | ## Resources 19 | 20 | No resources. 21 | 22 | ## Inputs 23 | 24 | No inputs. 25 | 26 | ## Outputs 27 | 28 | No outputs. 29 | 30 | -------------------------------------------------------------------------------- /modules/autoscaler/examples/basic/main.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | cluster_name = "dev" 3 | } 4 | 5 | module "cluster_min" { 6 | source = "../.."
7 | 8 | cluster_name = local.cluster_name 9 | cluster_oidc_arn = "" 10 | autoscaler_image_patch = 0 #(Optional) 11 | scale_down_unneeded_time = 2 #(Scale down unneeded time in minutes, default is 2 minutes) 12 | } 13 | -------------------------------------------------------------------------------- /modules/autoscaler/policies/cluster-autoscaler-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "VisualEditor0", 6 | "Effect": "Allow", 7 | "Action": [ 8 | "autoscaling:SetDesiredCapacity", 9 | "autoscaling:TerminateInstanceInAutoScalingGroup" 10 | ], 11 | "Resource": "*", 12 | "Condition": { 13 | "StringEquals": { 14 | "aws:ResourceTag/k8s.io/cluster-autoscaler/${cluster_name}": "owned" 15 | } 16 | } 17 | }, 18 | { 19 | "Sid": "VisualEditor1", 20 | "Effect": "Allow", 21 | "Action": [ 22 | "autoscaling:DescribeAutoScalingInstances", 23 | "autoscaling:DescribeAutoScalingGroups", 24 | "ec2:DescribeLaunchTemplateVersions", 25 | "autoscaling:DescribeTags", 26 | "autoscaling:DescribeLaunchConfigurations", 27 | "ec2:DescribeInstanceTypes" 28 | ], 29 | "Resource": "*" 30 | } 31 | ] 32 | } 33 | -------------------------------------------------------------------------------- /modules/autoscaler/policies/trusted-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Effect": "Allow", 6 | "Principal": { 7 | "Federated": "${oidc}" 8 | }, 9 | "Action": "sts:AssumeRoleWithWebIdentity", 10 | "Condition": { 11 | "StringEquals": { 12 | "oidc.eks.${current_region}.amazonaws.com/id/${oidc_id}:sub": "system:serviceaccount:kube-system:cluster-autoscaler" 13 | } 14 | } 15 | } 16 | ] 17 | } 18 | -------------------------------------------------------------------------------- /modules/autoscaler/variables.tf: 
-------------------------------------------------------------------------------- 1 | variable "cluster_oidc_arn" { 2 | type = string 3 | description = "Cluster OIDC arn to pass to policy" 4 | } 5 | 6 | variable "cluster_name" { 7 | type = string 8 | description = "Cluster name to pass to role" 9 | } 10 | 11 | variable "limits" { 12 | type = object({ 13 | cpu = string 14 | memory = string 15 | }) 16 | default = { 17 | cpu = "100m" 18 | memory = "600Mi" 19 | } 20 | } 21 | 22 | variable "requests" { 23 | type = object({ 24 | cpu = string 25 | memory = string 26 | }) 27 | default = { 28 | cpu = "100m" 29 | memory = "600Mi" 30 | } 31 | } 32 | 33 | variable "eks_version" { 34 | type = string 35 | default = "1.30" 36 | description = "The version of eks cluster" 37 | } 38 | 39 | variable "autoscaler_image_patch" { 40 | type = number 41 | description = "The patch number of autoscaler image" 42 | default = 0 43 | } 44 | 45 | variable "scale_down_unneeded_time" { 46 | type = number 47 | description = "Scale down unneeded in minutes" 48 | default = 2 49 | } 50 | -------------------------------------------------------------------------------- /modules/autoscaler/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | kubernetes = { 4 | source = "hashicorp/kubernetes" 5 | version = "~>2.23" 6 | } 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /modules/aws-load-balancer-controller/logs-to-cloudwatch.tf: -------------------------------------------------------------------------------- 1 | # resource "aws_cloudwatch_log_group" "test" { 2 | # name = "ingress-${aws_s3_bucket.ingress-logs-bucket.bucket}" 3 | # retention_in_days = 365 4 | # } 5 | 6 | 7 | # //This module usage causes error in Terraform Cloud, as there is not Python. Set send_alb_logs to false to disable this momdule. 
8 | # module "alb_logs_to_cloudwatch" { 9 | # source = "./terraform-aws-alb-cloudwatch-logs-json" 10 | # count = var.send_alb_logs_to_cloudwatch ? 1 : 0 11 | 12 | # account_id = var.account_id 13 | # region = var.region 14 | 15 | # bucket_name = aws_s3_bucket.ingress-logs-bucket.bucket 16 | # log_group_name = aws_cloudwatch_log_group.test.name 17 | 18 | # create_alarm = false 19 | # } 20 | 21 | # resource "aws_lambda_permission" "bucket" { 22 | # statement_id = "AllowExecutionFromS3Bucket" 23 | # action = "lambda:InvokeFunction" 24 | # function_name = module.alb_logs_to_cloudwatch[0].function_name 25 | # principal = "s3.amazonaws.com" 26 | # source_arn = aws_s3_bucket.ingress-logs-bucket.arn 27 | # } 28 | 29 | # resource "aws_s3_bucket_notification" "logs" { 30 | # bucket = aws_s3_bucket.ingress-logs-bucket.bucket 31 | # depends_on = [ 32 | # aws_lambda_permission.bucket 33 | # ] 34 | 35 | # lambda_function { 36 | # lambda_function_arn = module.alb_logs_to_cloudwatch[0].function_arn 37 | # events = ["s3:ObjectCreated:*"] 38 | # } 39 | # } 40 | -------------------------------------------------------------------------------- /modules/aws-load-balancer-controller/s3-bucket.tf: -------------------------------------------------------------------------------- 1 | ## the load balancer access logs sync to s3=>lambda=>cloudwatch was disabled/commented-out so this bucket also need/can be commented, 2 | ## after then the fix be applied for enabling this functionality we can uncomment them 3 | # resource "aws_s3_bucket" "ingress-logs-bucket" { 4 | # bucket = var.alb_log_bucket_name 5 | 6 | # policy = < sc } 27 | 28 | metadata { 29 | name = each.value.name 30 | } 31 | 32 | storage_provisioner = "efs.csi.aws.com" 33 | 34 | parameters = merge( 35 | { 36 | provisioningMode = each.value.provisioning_mode 37 | fileSystemId = each.value.file_system_id 38 | directoryPerms = each.value.directory_perms 39 | basePath = each.value.base_path 40 | }, 41 | each.value.uid != null ? 
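{ "uid" : each.value.uid } : {}
  )
}
--------------------------------------------------------------------------------
/modules/efs-csi/variables.tf:
--------------------------------------------------------------------------------
variable "efs_id" {
  description = "Id of EFS filesystem in AWS (Required)"
  type        = string
}

variable "cluster_oidc_arn" {
  description = "oidc arn of cluster"
  type        = string
}

variable "cluster_name" {
  description = "Parent cluster name"
  type        = string
}

# Each entry becomes one kubernetes_storage_class backed by the EFS CSI driver;
# `uid` is only forwarded to the provisioner parameters when it is set.
variable "storage_classes" {
  description = "Additional storage class configurations: by default, 2 storage classes are created - efs-sc and efs-sc-root which has 0 uid. One can add another storage classes besides these 2."
  type = list(object({
    name : string
    provisioning_mode : optional(string, "efs-ap")
    file_system_id : string
    directory_perms : optional(string, "755")
    base_path : optional(string, "/")
    uid : optional(number)
  }))
  default = []
}

variable "chart_version" {
  type        = string
  default     = "3.1.8"
  description = "The app chart version"
}
--------------------------------------------------------------------------------
/modules/efs-csi/versions.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    helm = ">= 2.0"

    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.23"
    }
  }

}
--------------------------------------------------------------------------------
/modules/eks-data/data.tf:
--------------------------------------------------------------------------------
# Cluster API credentials and endpoint for the cluster named by var.cluster_name.
data "aws_eks_cluster_auth" "cluster" {
  name = var.cluster_name
}

data "aws_eks_cluster" "cluster" {
  name = var.cluster_name
}

# Looked up only on request (var.get_oidc_provider_data) so callers that never use
# the OIDC provider do not need iam:GetOpenIDConnectProvider permissions.
data "aws_iam_openid_connect_provider" "this" {
  count = var.get_oidc_provider_data ? 1 : 0

  url = data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer
}
--------------------------------------------------------------------------------
/modules/eks-data/output.tf:
--------------------------------------------------------------------------------
# Bearer token for the cluster API. It is a credential, so it is marked sensitive
# to keep it out of plan/apply output (recent Terraform versions also refuse an
# unmarked output of a provider-sensitive value). Callers that re-export it must
# mark their own output sensitive as well; it is still persisted in state.
output "token" {
  value       = data.aws_eks_cluster_auth.cluster.token
  sensitive   = true
  description = "Authentication token for the EKS cluster API (sensitive)"
}

output "host" {
  value       = data.aws_eks_cluster.cluster.endpoint
  description = "EKS cluster API endpoint"
}

# Decoded PEM bundle, ready for a kubernetes/helm provider `cluster_ca_certificate`.
output "ca_certificate" {
  value       = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
  description = "Decoded cluster CA certificate"
}

# Empty object when var.get_oidc_provider_data is false (the data source then has
# no instances and the index would otherwise fail).
output "oidc_provider" {
  value       = try(data.aws_iam_openid_connect_provider.this[0], {})
  description = "Cluster OIDC provider data when get_oidc_provider_data is true, otherwise {}"
}
--------------------------------------------------------------------------------
/modules/eks-data/tests/k8s-provider/0-setup.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {

    test = {
      source = "terraform.io/builtin/test"
    }

    aws = {
      source                = "hashicorp/aws"
      version               = ">= 4.0"
      configuration_aliases = []
    }

    kubectl = {
      source                = "gavinbunney/kubectl"
      version               = "1.14.0"
      configuration_aliases = []
    }

  }

  required_version = ">= 1.3.0"
}
/**
 * set the following env vars so that aws provider will get authenticated before apply:

export AWS_ACCESS_KEY_ID=xxxxxxxxxxxxxxxxxxxxxxxx
export AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxx
*/
provider "aws" {
  region = "eu-central-1"
}
--------------------------------------------------------------------------------
/modules/eks-data/tests/k8s-provider/1-example.tf:
--------------------------------------------------------------------------------
module "eks_data" {
  source       = "../../"
  cluster_name = "eks-stage"
}
--------------------------------------------------------------------------------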
/modules/eks-data/tests/k8s-provider/2-assert.tf: -------------------------------------------------------------------------------- 1 | resource "test_assertions" "dummy" { 2 | component = "this" 3 | 4 | equal "scheme" { 5 | description = "As module does not have any output and data just make sure the case runs. Probably can be thrown away." 6 | got = "all good" 7 | want = "all good" 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /modules/eks-data/tests/k8s-provider/README.md: -------------------------------------------------------------------------------- 1 | # k8s-provider 2 | 3 | 4 | ## Requirements 5 | 6 | | Name | Version | 7 | |------|---------| 8 | | [terraform](#requirement\_terraform) | >= 1.3.0 | 9 | | [aws](#requirement\_aws) | >= 4.0 | 10 | | [kubectl](#requirement\_kubectl) | 1.14.0 | 11 | 12 | ## Providers 13 | 14 | | Name | Version | 15 | |------|---------| 16 | | [test](#provider\_test) | n/a | 17 | 18 | ## Modules 19 | 20 | | Name | Source | Version | 21 | |------|--------|---------| 22 | | [eks\_data](#module\_eks\_data) | ../../ | n/a | 23 | 24 | ## Resources 25 | 26 | | Name | Type | 27 | |------|------| 28 | | test_assertions.dummy | resource | 29 | 30 | ## Inputs 31 | 32 | No inputs. 33 | 34 | ## Outputs 35 | 36 | No outputs. 
37 | 38 | -------------------------------------------------------------------------------- /modules/eks-data/variable.tf: -------------------------------------------------------------------------------- 1 | variable "cluster_name" { 2 | type = string 3 | description = "Cluster Name" 4 | } 5 | 6 | variable "get_oidc_provider_data" { 7 | type = bool 8 | default = false 9 | description = "Whether to get eks cluster OIDC provider data like arn, thumbprint_list" 10 | } 11 | -------------------------------------------------------------------------------- /modules/eks/data.tf: -------------------------------------------------------------------------------- 1 | data "aws_eks_cluster_auth" "cluster" { 2 | name = module.eks-cluster.cluster_name 3 | } 4 | 5 | data "aws_iam_user" "user_arn" { 6 | for_each = { for user in var.users : user.username => user } 7 | user_name = each.value.username 8 | } 9 | -------------------------------------------------------------------------------- /modules/eks/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | kubernetes = { 4 | source = "hashicorp/kubernetes" 5 | version = "~> 2.23" 6 | } 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /modules/event-exporter/main.tf: -------------------------------------------------------------------------------- 1 | resource "helm_release" "this" { 2 | name = "kube-events-exporter" 3 | repository = "oci://registry-1.docker.io/bitnamicharts" 4 | chart = "kubernetes-event-exporter" 5 | namespace = var.namespace 6 | version = var.chart_version 7 | create_namespace = var.create_namespace 8 | atomic = true 9 | wait = false 10 | 11 | values = [ 12 | jsonencode(var.configs) 13 | ] 14 | } 15 | -------------------------------------------------------------------------------- /modules/event-exporter/outputs.tf: 
-------------------------------------------------------------------------------- 1 | output "helm_metadata" { 2 | value = helm_release.this.metadata 3 | description = "Helm release metadata" 4 | } 5 | -------------------------------------------------------------------------------- /modules/event-exporter/variables.tf: -------------------------------------------------------------------------------- 1 | variable "chart_version" { 2 | type = string 3 | default = "3.5.3" 4 | description = "The app chart version to use" 5 | } 6 | 7 | variable "namespace" { 8 | description = "The namespace to install app helm." 9 | type = string 10 | default = "meta-system" 11 | } 12 | 13 | variable "create_namespace" { 14 | type = bool 15 | default = false 16 | description = "Create namespace if requested" 17 | } 18 | 19 | variable "configs" { 20 | type = any 21 | default = {} 22 | description = "Configurations to pass and override default ones. Check the helm chart available configs here: https://artifacthub.io/packages/helm/bitnami/kubernetes-event-exporter" 23 | } 24 | -------------------------------------------------------------------------------- /modules/event-exporter/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.3.0" 3 | 4 | required_providers { 5 | aws = { 6 | version = ">= 4.7.0" 7 | } 8 | helm = ">= 2.0" 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/external-dns/locals.tf: -------------------------------------------------------------------------------- 1 | data "aws_region" "current" { 2 | count = var.region == null ? 
1 : 0 3 | } 4 | 5 | locals { 6 | region = coalesce(var.region, try(data.aws_region.current[0].name, null)) 7 | oidc_provider = regex("^arn:aws:iam::[0-9]+:oidc-provider/(.*)$", var.oidc_provider_arn)[0] 8 | } 9 | -------------------------------------------------------------------------------- /modules/external-dns/main.tf: -------------------------------------------------------------------------------- 1 | resource "helm_release" "this" { 2 | name = "external-dns" 3 | repository = "oci://registry-1.docker.io/bitnamicharts" 4 | chart = "external-dns" 5 | namespace = var.namespace 6 | version = var.chart_version 7 | create_namespace = var.create_namespace 8 | atomic = true 9 | wait = false 10 | 11 | values = [ 12 | jsonencode(merge( 13 | { 14 | aws = { region = local.region } 15 | serviceAccount = { 16 | create = true 17 | name = var.service_account_name 18 | annotations = { "eks.amazonaws.com/role-arn" = module.role.arn } 19 | } 20 | }, 21 | var.configs 22 | )) 23 | ] 24 | 25 | depends_on = [ 26 | module.role 27 | ] 28 | } 29 | -------------------------------------------------------------------------------- /modules/external-dns/outputs.tf: -------------------------------------------------------------------------------- 1 | output "role_arn" { 2 | value = module.role.arn 3 | description = "Created iam role arn, which was used for attaching to service account" 4 | } 5 | 6 | output "helm_metadata" { 7 | value = helm_release.this.metadata 8 | description = "Helm release metadata" 9 | } 10 | -------------------------------------------------------------------------------- /modules/external-dns/role.tf: -------------------------------------------------------------------------------- 1 | module "role" { 2 | source = "dasmeta/iam/aws//modules/role" 3 | version = "1.2.1" 4 | 5 | name = "${var.cluster_name}-external-dns" 6 | description = "${var.cluster_name} eks cluster external-dns role" 7 | 8 | policy = [ 9 | { 10 | actions = ["route53:ChangeResourceRecordSets"] 11 | 
resources = ["arn:aws:route53:::hostedzone/*"] 12 | }, 13 | { 14 | actions = [ 15 | "route53:ListHostedZones", 16 | "route53:ListResourceRecordSets", 17 | "route53:ListTagsForResource" 18 | ] 19 | resources = ["*"] 20 | } 21 | ] 22 | 23 | trust_relationship = [ 24 | { 25 | principals = { 26 | type = "Service" 27 | identifiers = ["eks.amazonaws.com"] 28 | }, 29 | actions = ["sts:AssumeRole"] 30 | }, 31 | { 32 | principals = { 33 | type = "Federated" 34 | identifiers = ["${var.oidc_provider_arn}"] 35 | }, 36 | actions = ["sts:AssumeRoleWithWebIdentity"] 37 | conditions = [ 38 | { 39 | type = "StringEquals" 40 | key = "${local.oidc_provider}:aud" 41 | value = ["sts.amazonaws.com"] 42 | }, 43 | { 44 | type = "StringEquals" 45 | key = "${local.oidc_provider}:sub" 46 | value = ["system:serviceaccount:${var.namespace}:${var.service_account_name}"] 47 | } 48 | ] 49 | } 50 | ] 51 | } 52 | -------------------------------------------------------------------------------- /modules/external-dns/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.3.0" 3 | 4 | required_providers { 5 | aws = { 6 | version = ">= 4.7.0" 7 | } 8 | helm = ">= 2.0" 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/external-secrets/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * # How to use 3 | * This needs to be included in eks cluster along side with other services. 4 | * 5 | * At this stage it does not require any credentials. 6 | * 7 | * ``` 8 | * module external-secrets-staging { 9 | * source = "dasmeta/terraform/modules/external-secrets" 10 | * } 11 | * ``` 12 | * 13 | * After this one has to deploy specific stores which do contain credentials to pull secrets from AWS Secret Manager. 
14 | * 15 | * See related modules: 16 | * - external-secret-store 17 | * - aws-secret 18 | */ 19 | 20 | module "release" { 21 | source = "terraform-module/release/helm" 22 | version = "2.8.2" 23 | 24 | namespace = var.namespace 25 | repository = "https://charts.external-secrets.io" 26 | 27 | app = { 28 | name = "external-secrets" 29 | version = var.chart_version 30 | chart = "external-secrets" 31 | recreate_pods = false 32 | deploy = 1 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /modules/external-secrets/outputs.tf: -------------------------------------------------------------------------------- 1 | output "deployment" { 2 | value = module.release.deployment 3 | } 4 | -------------------------------------------------------------------------------- /modules/external-secrets/variables.tf: -------------------------------------------------------------------------------- 1 | variable "namespace" { 2 | type = string 3 | description = "The namespace of kubernetes resources" 4 | default = "kube-system" 5 | } 6 | 7 | variable "chart_version" { 8 | type = string 9 | default = "0.15.0" 10 | description = "The app chart version to use" 11 | } 12 | -------------------------------------------------------------------------------- /modules/external-secrets/version.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | helm = ">= 2.0" 4 | } 5 | } 6 | -------------------------------------------------------------------------------- /modules/flagger/examples/basic/0-setup.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.3.0" 3 | 4 | required_providers { 5 | helm = ">= 2.0" 6 | } 7 | } 8 | 9 | provider "helm" {} 10 | -------------------------------------------------------------------------------- /modules/flagger/examples/basic/1-example.tf: 
--------------------------------------------------------------------------------
module "this" {
  source = "../.."

  configs = {
    meshProvider = "nginx"
    prometheus = {
      install = true # most possibly the prometheus is already installed, in that case set this to false and use `metricsServer` option to set the endpoint to prometheus
    }
    # NOTE(review): the Slack webhook URL is a credential. Everything under `configs`
    # is rendered into the Helm values (see main.tf), so a real URL ends up in the
    # Terraform state and in the Helm release record; feed it from a sensitive
    # variable or a secret store rather than a literal in a checked-in file.
    slack = {
      url     = "https://hooks.slack.com/services/xxx/yyyy/zzz"
      channel = "#test-canary-notifications"
      user    = "Flagger"
    }
  }
  enable_metric_template = true
}
--------------------------------------------------------------------------------
/modules/flagger/examples/basic/README.md:
--------------------------------------------------------------------------------
# basic


## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.0 |
| [helm](#requirement\_helm) | >= 2.0 |

## Providers

No providers.

## Modules

| Name | Source | Version |
|------|--------|---------|
| [this](#module\_this) | ../.. | n/a |

## Resources

No resources.

## Inputs

No inputs.

## Outputs

No outputs.

--------------------------------------------------------------------------------
/modules/flagger/load-tester.tf:
--------------------------------------------------------------------------------
# Optional flagger load-tester, installed into the same namespace only when
# var.enable_loadtester is set and sequenced after the flagger release itself.
resource "helm_release" "flagger_loadtester" {
  count = var.enable_loadtester ? 1 : 0

  name             = "flagger-loadtester"
  repository       = "https://flagger.app"
  chart            = "loadtester"
  namespace        = var.namespace
  version          = var.load_tester_chart_version
  create_namespace = false
  atomic           = var.atomic
  wait             = var.wait

  depends_on = [helm_release.this]
}
--------------------------------------------------------------------------------
/modules/flagger/main.tf:
--------------------------------------------------------------------------------
# The flagger operator itself; all chart values come from var.configs unmodified,
# so anything secret placed in configs is stored wherever the Helm values are.
resource "helm_release" "this" {
  name             = "flagger"
  repository       = "https://flagger.app"
  chart            = "flagger"
  namespace        = var.namespace
  version          = var.chart_version
  create_namespace = var.create_namespace
  atomic           = var.atomic
  wait             = var.wait

  values = [jsonencode(var.configs)]
}
--------------------------------------------------------------------------------
/modules/flagger/metric-template.tf:
--------------------------------------------------------------------------------
# Extra metric templates / alerts, deployed only when custom configs are supplied.
# NOTE(review): `var.metrics_and_alerts_configs != {}` compares against an empty
# object literal; if the variable is declared as a map the two sides have different
# types and the comparison no longer means "is empty". The variable's declaration
# is not in view — `length(var.metrics_and_alerts_configs) > 0` would not depend
# on the declared type.
resource "helm_release" "flagger_metrics_and_alerts" {
  count = var.metrics_and_alerts_configs != {} ?
1 : 0 3 | 4 | name = "flagger-metrics-and-alerts" 5 | repository = "https://dasmeta.github.io/helm" 6 | chart = "flagger-metrics-and-alerts" 7 | namespace = var.namespace 8 | version = var.metric_template_chart_version 9 | create_namespace = false 10 | atomic = var.atomic 11 | wait = var.wait 12 | 13 | values = [jsonencode(var.metrics_and_alerts_configs)] 14 | 15 | depends_on = [helm_release.this] 16 | } 17 | -------------------------------------------------------------------------------- /modules/flagger/outputs.tf: -------------------------------------------------------------------------------- 1 | output "helm_metadata" { 2 | value = helm_release.this.metadata 3 | description = "Helm release metadata" 4 | } 5 | -------------------------------------------------------------------------------- /modules/flagger/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.3.0" 3 | 4 | required_providers { 5 | helm = ">= 2.0" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /modules/fluent-bit/iam-policies.tf: -------------------------------------------------------------------------------- 1 | resource "aws_iam_policy" "this" { 2 | name = "${var.cluster_name}-fluent-bit" 3 | description = "Permissions that are required to manage AWS cloudwatch metrics by fluent bit" 4 | 5 | policy = var.s3_permission ? file("${path.module}/iam-policy-s3-cloudwatch.json") : file("${path.module}/iam-policy.json") 6 | } 7 | 8 | resource "aws_iam_role" "fluent-bit" { 9 | name = "${var.cluster_name}-fluent-bit" 10 | 11 | assume_role_policy = < 4 | ## Requirements 5 | 6 | | Name | Version | 7 | |------|---------| 8 | | [aws](#requirement\_aws) | ~> 4.37 | 9 | | [helm](#requirement\_helm) | >= 2.0 | 10 | | [kubernetes](#requirement\_kubernetes) | ~>2.23 | 11 | 12 | ## Providers 13 | 14 | No providers. 
15 | 16 | ## Modules 17 | 18 | | Name | Source | Version | 19 | |------|--------|---------| 20 | | [fluent-bit](#module\_fluent-bit) | ../../ | n/a | 21 | 22 | ## Resources 23 | 24 | No resources. 25 | 26 | ## Inputs 27 | 28 | No inputs. 29 | 30 | ## Outputs 31 | 32 | | Name | Description | 33 | |------|-------------| 34 | | [merged\_inputs](#output\_merged\_inputs) | n/a | 35 | 36 | -------------------------------------------------------------------------------- /modules/fluent-bit/tests/advanced/templates/filters.yaml.tpl: -------------------------------------------------------------------------------- 1 | [FILTER] 2 | Name grep 3 | Match kube.* 4 | Exclude $log (test) 5 | 6 | [FILTER] 7 | Name grep 8 | Match audit.* 9 | regex $log (test) 10 | -------------------------------------------------------------------------------- /modules/fluent-bit/tests/advanced/templates/inputs.yaml.tpl: -------------------------------------------------------------------------------- 1 | [INPUT] 2 | Name tail 3 | Tag test.* 4 | Path /var/log/containers/*.log 5 | Read_from_head true 6 | multiline.parser docker, cri 7 | Docker_Mode On 8 | Parser docker 9 | Mem_Buf_Limit 50MB 10 | -------------------------------------------------------------------------------- /modules/fluent-bit/tests/advanced/templates/outputs.yaml.tpl: -------------------------------------------------------------------------------- 1 | [OUTPUT] 2 | Name s3 3 | Match test.* 4 | bucket s3-bucket 5 | region eu-central-1 6 | total_file_size 250M 7 | s3_key_format /%Y/%m/%d/%H_%M_%S.gz 8 | -------------------------------------------------------------------------------- /modules/fluent-bit/tests/basic/0-setup.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | aws = { 4 | source = "hashicorp/aws" 5 | version = "~> 4.37" 6 | } 7 | kubernetes = { 8 | source = "hashicorp/kubernetes" 9 | version = "~>2.23" 10 | } 11 | helm = ">= 2.0" 12 | } 13 | } 14 
| 15 | provider "aws" {} 16 | provider "helm" {} 17 | provider "kubernetes" {} 18 | -------------------------------------------------------------------------------- /modules/fluent-bit/tests/basic/1-example.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | oidc_provider_arn = "arn:aws:iam::000000000000:oidc-provider/oidc.eks.eu-central-1.amazonaws.com/id/6F40EA94327Dh8956DDB9S0AE7907CFD" 3 | } 4 | 5 | module "fluent-bit" { 6 | source = "../../" 7 | 8 | cluster_name = "Test" 9 | oidc_provider_arn = local.oidc_provider_arn 10 | eks_oidc_root_ca_thumbprint = replace(local.oidc_provider_arn, "/.*id//", "") 11 | region = "eu-central-1" 12 | log_group_name = "Test-fluent-bit" 13 | create_log_group = true 14 | account_id = 000000000000 15 | log_retention_days = 7 16 | } 17 | -------------------------------------------------------------------------------- /modules/fluent-bit/tests/basic/README.md: -------------------------------------------------------------------------------- 1 | # basic 2 | 3 | 4 | ## Requirements 5 | 6 | | Name | Version | 7 | |------|---------| 8 | | [aws](#requirement\_aws) | ~> 4.37 | 9 | | [helm](#requirement\_helm) | >= 2.0 | 10 | | [kubernetes](#requirement\_kubernetes) | ~>2.23 | 11 | 12 | ## Providers 13 | 14 | No providers. 15 | 16 | ## Modules 17 | 18 | | Name | Source | Version | 19 | |------|--------|---------| 20 | | [fluent-bit](#module\_fluent-bit) | ../../ | n/a | 21 | 22 | ## Resources 23 | 24 | No resources. 25 | 26 | ## Inputs 27 | 28 | No inputs. 29 | 30 | ## Outputs 31 | 32 | No outputs. 
33 | 34 | -------------------------------------------------------------------------------- /modules/fluent-bit/tests/cloudwatch-export-disable/0-setup.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | aws = { 4 | source = "hashicorp/aws" 5 | version = "~> 4.37" 6 | } 7 | kubernetes = { 8 | source = "hashicorp/kubernetes" 9 | version = "~>2.23" 10 | } 11 | helm = ">= 2.0" 12 | } 13 | } 14 | 15 | provider "aws" {} 16 | provider "helm" {} 17 | provider "kubernetes" {} 18 | -------------------------------------------------------------------------------- /modules/fluent-bit/tests/cloudwatch-export-disable/1-example.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | oidc_provider_arn = "arn:aws:iam::000000000000:oidc-provider/oidc.eks.eu-central-1.amazonaws.com/id/6F40EA94327Dh8956DDB9S0AE7907CFD" 3 | } 4 | 5 | module "fluent-bit" { 6 | source = "../../" 7 | 8 | cluster_name = "Test" 9 | oidc_provider_arn = local.oidc_provider_arn 10 | eks_oidc_root_ca_thumbprint = replace(local.oidc_provider_arn, "/.*id//", "") 11 | region = "eu-central-1" 12 | account_id = 000000000000 13 | log_retention_days = 7 14 | 15 | fluent_bit_config = { 16 | outputs = templatefile("${path.module}/templates/outputs.yaml.tpl", {}) # some custom output/exporter for logs 17 | cloudwatch_outputs_enabled = false # whether to disable default cloudwatch exporter/output 18 | } 19 | 20 | } 21 | -------------------------------------------------------------------------------- /modules/fluent-bit/tests/cloudwatch-export-disable/README.md: -------------------------------------------------------------------------------- 1 | # basic 2 | 3 | 4 | ## Requirements 5 | 6 | | Name | Version | 7 | |------|---------| 8 | | [aws](#requirement\_aws) | ~> 4.37 | 9 | | [helm](#requirement\_helm) | >= 2.0 | 10 | | [kubernetes](#requirement\_kubernetes) | ~>2.23 | 11 | 12 | ## Providers 13 | 14 
| No providers. 15 | 16 | ## Modules 17 | 18 | | Name | Source | Version | 19 | |------|--------|---------| 20 | | [fluent-bit](#module\_fluent-bit) | ../../ | n/a | 21 | 22 | ## Resources 23 | 24 | No resources. 25 | 26 | ## Inputs 27 | 28 | No inputs. 29 | 30 | ## Outputs 31 | 32 | No outputs. 33 | 34 | -------------------------------------------------------------------------------- /modules/fluent-bit/tests/cloudwatch-export-disable/templates/outputs.yaml.tpl: -------------------------------------------------------------------------------- 1 | [OUTPUT] 2 | Name s3 3 | Match test.* 4 | bucket s3-bucket 5 | region eu-central-1 6 | total_file_size 250M 7 | s3_key_format /%Y/%m/%d/%H_%M_%S.gz 8 | -------------------------------------------------------------------------------- /modules/fluent-bit/tests/own-values-yaml/0-setup.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | aws = { 4 | source = "hashicorp/aws" 5 | version = "~> 4.37" 6 | } 7 | kubernetes = { 8 | source = "hashicorp/kubernetes" 9 | version = "~>2.23" 10 | } 11 | helm = ">= 2.0" 12 | } 13 | } 14 | 15 | provider "aws" {} 16 | provider "helm" {} 17 | provider "kubernetes" {} 18 | -------------------------------------------------------------------------------- /modules/fluent-bit/tests/own-values-yaml/1-example.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | oidc_provider_arn = "arn:aws:iam::000000000000:oidc-provider/oidc.eks.eu-central-1.amazonaws.com/id/6F40EA94327Dh8956DDB9S0AE7907CFD" 3 | region = "eu-central-1" 4 | } 5 | 6 | module "fluent-bit" { 7 | source = "../../" 8 | 9 | cluster_name = "Test" 10 | oidc_provider_arn = local.oidc_provider_arn 11 | eks_oidc_root_ca_thumbprint = replace(local.oidc_provider_arn, "/.*id//", "") 12 | region = local.region 13 | account_id = 000000000000 14 | 15 | # If your fluent bit configuration is more complex than the module 
supports you can ingst a own yaml configuration file for the values.yaml of the helm chart. 16 | values_yaml = templatefile("${path.module}/templates/values.yaml.tpl", { 17 | log_group_name_application = "applogs" 18 | log_group_name_system = "systemlogs" 19 | log_retention_days = 7 20 | region = local.region 21 | }) 22 | } 23 | -------------------------------------------------------------------------------- /modules/fluent-bit/tests/own-values-yaml/README.md: -------------------------------------------------------------------------------- 1 | # own-values-yaml 2 | 3 | 4 | ## Requirements 5 | 6 | | Name | Version | 7 | |------|---------| 8 | | [aws](#requirement\_aws) | ~> 4.37 | 9 | | [helm](#requirement\_helm) | >= 2.0 | 10 | | [kubernetes](#requirement\_kubernetes) | ~>2.23 | 11 | 12 | ## Providers 13 | 14 | No providers. 15 | 16 | ## Modules 17 | 18 | | Name | Source | Version | 19 | |------|--------|---------| 20 | | [fluent-bit](#module\_fluent-bit) | ../../ | n/a | 21 | 22 | ## Resources 23 | 24 | No resources. 25 | 26 | ## Inputs 27 | 28 | No inputs. 29 | 30 | ## Outputs 31 | 32 | No outputs. 
33 | 34 | -------------------------------------------------------------------------------- /modules/fluent-bit/tests/own-values-yaml/templates/values.yaml.tpl: -------------------------------------------------------------------------------- 1 | config: 2 | outputs: | 3 | [OUTPUT] 4 | Name cloudwatch_logs 5 | Match host.* 6 | region ${region} 7 | log_group_name ${log_group_name_system} 8 | log_stream_prefix eks- 9 | auto_create_group Off 10 | log_retention_days ${log_retention_days} 11 | 12 | [OUTPUT] 13 | Name cloudwatch_logs 14 | Match kube.* 15 | region ${region} 16 | log_group_name ${log_group_name_system} 17 | log_stream_prefix eks- 18 | auto_create_group Off 19 | log_retention_days ${log_retention_days} 20 | log_stream_template $kubernetes['pod_name'].$kubernetes['container_name'] 21 | 22 | [OUTPUT] 23 | Name cloudwatch_logs 24 | Match app.* 25 | region ${region} 26 | log_group_name ${log_group_name_application} 27 | log_stream_prefix app-logs- 28 | auto_create_group Off 29 | log_retention_days ${log_retention_days} 30 | log_stream_template $kubernetes['labels']['app'].$kubernetes['container_name'] 31 | 32 | filters: | 33 | [FILTER] 34 | Name kubernetes 35 | Match kube.* 36 | Merge_Log On 37 | Keep_Log Off 38 | K8S-Logging.Parser On 39 | K8S-Logging.Exclude On 40 | 41 | [FILTER] 42 | Name rewrite_tag 43 | Match kube.* 44 | Rule $kubernetes['namespace_name'] ^(application.*)$ app.$TAG false 45 | -------------------------------------------------------------------------------- /modules/fluent-bit/version.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | aws = { 4 | source = "hashicorp/aws" 5 | version = ">= 4.0" 6 | } 7 | kubernetes = { 8 | source = "hashicorp/kubernetes" 9 | version = "~>2.23" 10 | } 11 | helm = ">= 2.0" 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /modules/karpenter/data.tf: 
-------------------------------------------------------------------------------- 1 | # select a random ec2 instance from the eks node pools to get its ami id for use in karpenter 2 | data "aws_instances" "ec2_from_eks_node_pools" { 3 | filter { 4 | name = "tag:karpenter.sh/discovery" 5 | values = [var.cluster_name] 6 | } 7 | 8 | instance_state_names = ["running"] 9 | } 10 | 11 | data "aws_instance" "ec2_from_eks_node_pool" { 12 | instance_id = data.aws_instances.ec2_from_eks_node_pools.ids[0] /* NOTE(review): ids[0] makes the plan fail when no running instance carries the discovery tag for this cluster; if that is a supported state, guard it (a length() check with count) or accept an explicit AMI input */ 13 | } 14 | 15 | data "aws_ami" "this" { /* Resolves whichever AMI the first tagged node happens to run, so the AMI is not pinned in code and can differ between applies — presumably intended to track the managed node group's image; confirm */ 16 | most_recent = true 17 | filter { 18 | name = "image-id" 19 | values = [data.aws_instance.ec2_from_eks_node_pool.ami] 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /modules/karpenter/examples/basic/0-setup.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.3.0" 3 | 4 | required_providers { 5 | helm = ">= 2.0" 6 | } 7 | } 8 | 9 | provider "helm" {} 10 | -------------------------------------------------------------------------------- /modules/karpenter/examples/basic/1-example.tf: -------------------------------------------------------------------------------- 1 | module "this" { 2 | source = "../.." 
3 | 4 | cluster_name = "test-cluster-with-karpenter" 5 | cluster_endpoint = "" 6 | oidc_provider_arn = "" 7 | subnet_ids = ["", "", ""] 8 | 9 | resource_configs = { 10 | nodePools = { 11 | general = { weight = 1 } # by default it uses linux amd64 nodes with cpu<6, memory<10000Mi, generation >2 and ["spot", "on-demand"] capacity types, so that it tries spot first and falls back to on-demand 12 | on-demand = { 13 | # weight = 0 # by default the weight is 0, which is the lowest priority; pods can still be scheduled on this node pool 14 | template = { 15 | spec = { 16 | requirements = [ 17 | { 18 | key = "karpenter.sh/capacity-type" 19 | operator = "In" 20 | values = ["on-demand"] 21 | } 22 | ] 23 | } 24 | } 25 | } 26 | } 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /modules/karpenter/examples/basic/README.md: -------------------------------------------------------------------------------- 1 | # basic 2 | 3 | 4 | ## Requirements 5 | 6 | | Name | Version | 7 | |------|---------| 8 | | [terraform](#requirement\_terraform) | >= 1.3.0 | 9 | | [helm](#requirement\_helm) | >= 2.0 | 10 | 11 | ## Providers 12 | 13 | No providers. 14 | 15 | ## Modules 16 | 17 | | Name | Source | Version | 18 | |------|--------|---------| 19 | | [this](#module\_this) | ../.. | n/a | 20 | 21 | ## Resources 22 | 23 | No resources. 24 | 25 | ## Inputs 26 | 27 | No inputs. 28 | 29 | ## Outputs 30 | 31 | No outputs. 
32 | 33 | -------------------------------------------------------------------------------- /modules/karpenter/outputs.tf: -------------------------------------------------------------------------------- 1 | output "karpenter_data" { 2 | value = module.this 3 | description = "Karpenter data" 4 | } 5 | 6 | output "helm_metadata" { 7 | value = helm_release.this.metadata 8 | description = "Helm release metadata" 9 | } 10 | -------------------------------------------------------------------------------- /modules/karpenter/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.3.0" 3 | 4 | required_providers { 5 | helm = ">= 2.0" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /modules/keda/data.tf: -------------------------------------------------------------------------------- 1 | data "aws_caller_identity" "current" { 2 | count = var.account_id == null ? 1 : 0 3 | } 4 | 5 | module "eks_data" { 6 | source = "../eks-data" 7 | 8 | cluster_name = var.eks_cluster_name 9 | get_oidc_provider_data = true 10 | } 11 | 12 | locals { 13 | account_id = coalesce(var.account_id, try(data.aws_caller_identity.current[0].account_id, null)) 14 | } 15 | -------------------------------------------------------------------------------- /modules/keda/keda_trigger_auth.tpl: -------------------------------------------------------------------------------- 1 | apiVersion: keda.sh/v1alpha1 2 | kind: ClusterTriggerAuthentication 3 | metadata: 4 | name: keda-trigger-auth-default 5 | namespace: ${namespace} 6 | spec: 7 | podIdentity: 8 | provider: aws 9 | -------------------------------------------------------------------------------- /modules/keda/main.tf: -------------------------------------------------------------------------------- 1 | resource "helm_release" "keda" { 2 | name = var.name 3 | namespace = var.namespace 4 | create_namespace = var.create_namespace 5 | 
6 | repository = "https://kedacore.github.io/charts" 7 | chart = var.chart_name 8 | version = var.keda_version 9 | 10 | values = [templatefile("${path.module}/values.yaml.tpl", { 11 | role_arn = aws_iam_role.keda-role.arn 12 | }) 13 | ] 14 | } 15 | -------------------------------------------------------------------------------- /modules/keda/output.tf: -------------------------------------------------------------------------------- 1 | output "keda_iam_role_arn" { 2 | description = "IAM Role ARN for KEDA to access SQS" 3 | value = aws_iam_role.keda-role.arn 4 | } 5 | -------------------------------------------------------------------------------- /modules/keda/role.tf: -------------------------------------------------------------------------------- 1 | resource "aws_iam_role" "keda-role" { /* IRSA role for the KEDA operator; its ARN is injected into the chart's serviceAccount annotation through values.yaml.tpl */ 2 | name = "${var.eks_cluster_name}-${var.name}-role" 3 | 4 | assume_role_policy = jsonencode({ 5 | Version = "2012-10-17" 6 | Statement = [ 7 | { 8 | Effect = "Allow" 9 | Principal = { 10 | Federated = var.oidc_provider_arn != null ? var.oidc_provider_arn : module.eks_data.oidc_provider.arn 11 | } 12 | Action = "sts:AssumeRoleWithWebIdentity" /* NOTE(review): there is no Condition on the token's sub/aud claims, so any service account in this cluster whose pod presents a web-identity token can assume the role; add a StringEquals condition on "<oidc-provider-host>:sub" = "system:serviceaccount:<release namespace (var.namespace)>:<keda service account>" and "<oidc-provider-host>:aud" = "sts.amazonaws.com" */ 13 | }, 14 | { 15 | Effect = "Allow" 16 | Principal = { 17 | AWS = "${local.account_id}" 18 | } 19 | Action = "sts:AssumeRole" /* NOTE(review): a bare account id as principal trusts the account root, i.e. every IAM identity in the account that is permitted sts:AssumeRole can take this role — confirm this second statement is needed at all */ 20 | } 21 | ] 22 | }) 23 | } 24 | 25 | resource "aws_iam_policy" "keda_sqs_policy" { /* Only created when var.attach_policies.sqs is true */ 26 | count = var.attach_policies.sqs ? 1 : 0 27 | 28 | name = "${var.eks_cluster_name}-${var.name}-role-policy-sqs" 29 | description = "IAM policy for KEDA to read SQS messages" 30 | 31 | policy = jsonencode({ 32 | Version = "2012-10-17" 33 | Statement = [ 34 | { 35 | Effect = "Allow" 36 | Action = [ 37 | "sqs:*", /* NOTE(review): "sqs:*" already covers every SQS action, so the four entries below add nothing; combined with Resource = "*" this is full control over every queue in the account rather than the read access the description states — keep only the listed read actions (the aws-sqs-queue scaler typically needs just GetQueueAttributes) and scope Resource to the queue ARNs, e.g. via a module input */ 38 | "sqs:GetQueueAttributes", 39 | "sqs:ReceiveMessage", 40 | "sqs:DeleteMessage", 41 | "sqs:ChangeMessageVisibility" 42 | ] 43 | Resource = "*" 44 | } 45 | ] 46 | }) 47 | } 48 | 49 | resource "aws_iam_role_policy_attachment" "attach_keda_sqs_policy" { 50 | count = var.attach_policies.sqs ? 
1 : 0 51 | 52 | policy_arn = aws_iam_policy.keda_sqs_policy[0].arn 53 | role = aws_iam_role.keda-role.name 54 | } 55 | -------------------------------------------------------------------------------- /modules/keda/tests/basic/README.md: -------------------------------------------------------------------------------- 1 | # basic 2 | 3 | 4 | ## Requirements 5 | 6 | No requirements. 7 | 8 | ## Providers 9 | 10 | | Name | Version | 11 | |------|---------| 12 | | [aws](#provider\_aws) | n/a | 13 | 14 | ## Modules 15 | 16 | | Name | Source | Version | 17 | |------|--------|---------| 18 | | [keda](#module\_keda) | ../../ | n/a | 19 | 20 | ## Resources 21 | 22 | | Name | Type | 23 | |------|------| 24 | | [aws_sqs_queue.worker_queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource | 25 | | [aws_eks_cluster.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | 26 | | [aws_eks_cluster_auth.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | 27 | 28 | ## Inputs 29 | 30 | No inputs. 
31 | 32 | ## Outputs 33 | 34 | | Name | Description | 35 | |------|-------------| 36 | | [keda\_iam\_role\_arn](#output\_keda\_iam\_role\_arn) | IAM Role ARN for KEDA to access SQS | 37 | 38 | -------------------------------------------------------------------------------- /modules/keda/tests/basic/application/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: worker 5 | spec: 6 | replicas: 1 7 | selector: 8 | matchLabels: 9 | app: worker 10 | template: 11 | metadata: 12 | labels: 13 | app: worker 14 | spec: 15 | containers: 16 | - name: worker 17 | image: amazonlinux 18 | command: ["/bin/sh", "-c", "while true; do sleep 30; done"] 19 | -------------------------------------------------------------------------------- /modules/keda/tests/basic/application/scaledobject.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: keda.sh/v1alpha1 2 | kind: ScaledObject 3 | metadata: 4 | name: worker-scaledobject 5 | spec: 6 | scaleTargetRef: 7 | name: worker # Target deployment 8 | minReplicaCount: 1 9 | maxReplicaCount: 10 10 | triggers: 11 | - type: aws-sqs-queue 12 | authenticationRef: 13 | name: keda-trigger-auth-default 14 | metadata: 15 | queueURL: # AWS SQS queue url 16 | queueLength: "5" # Scale up if there are 5+ messages in the queue 17 | awsRegion: "eu-central-1" # AWS region where AWS SQS located 18 | -------------------------------------------------------------------------------- /modules/keda/tests/basic/main.tf: -------------------------------------------------------------------------------- 1 | module "keda" { 2 | source = "../../" 3 | 4 | name = "keda" 5 | eks_cluster_name = "buycycle-cluster" 6 | attach_policies = { "sqs" : true } 7 | } 8 | -------------------------------------------------------------------------------- /modules/keda/tests/basic/output.tf: 
-------------------------------------------------------------------------------- 1 | output "keda_iam_role_arn" { 2 | description = "IAM Role ARN for KEDA to access SQS" 3 | value = module.keda.keda_iam_role_arn 4 | } 5 | -------------------------------------------------------------------------------- /modules/keda/tests/basic/providers.tf: -------------------------------------------------------------------------------- 1 | data "aws_eks_cluster" "eks" { 2 | name = "buycycle-cluster" 3 | } 4 | 5 | data "aws_eks_cluster_auth" "eks" { 6 | name = data.aws_eks_cluster.eks.name 7 | } 8 | 9 | provider "aws" { 10 | region = "eu-central-1" 11 | } 12 | 13 | provider "kubernetes" { 14 | host = data.aws_eks_cluster.eks.endpoint 15 | cluster_ca_certificate = base64decode(data.aws_eks_cluster.eks.certificate_authority[0].data) 16 | token = data.aws_eks_cluster_auth.eks.token 17 | } 18 | 19 | provider "helm" { 20 | kubernetes { 21 | host = data.aws_eks_cluster.eks.endpoint 22 | cluster_ca_certificate = base64decode(data.aws_eks_cluster.eks.certificate_authority[0].data) 23 | token = data.aws_eks_cluster_auth.eks.token 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /modules/keda/tests/basic/sqs.tf: -------------------------------------------------------------------------------- 1 | resource "aws_sqs_queue" "worker_queue" { 2 | name = "worker-queue" 3 | visibility_timeout_seconds = 30 4 | } 5 | -------------------------------------------------------------------------------- /modules/keda/trigger-auth.tf: -------------------------------------------------------------------------------- 1 | resource "kubectl_manifest" "keda_trigger_authentication" { 2 | yaml_body = templatefile("${path.module}/keda_trigger_auth.tpl", { 3 | namespace = var.namespace 4 | }) 5 | 6 | depends_on = [helm_release.keda] 7 | } 8 | 9 | resource "kubectl_manifest" "keda_trigger_authentication_additional" { 10 | count = var.keda_trigger_auth_additional != null 
? 1 : 0 11 | yaml_body = var.keda_trigger_auth_additional 12 | 13 | depends_on = [helm_release.keda] 14 | } 15 | -------------------------------------------------------------------------------- /modules/keda/values.yaml.tpl: -------------------------------------------------------------------------------- 1 | serviceAccount: 2 | annotations: 3 | eks.amazonaws.com/role-arn: "${role_arn}" 4 | -------------------------------------------------------------------------------- /modules/keda/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.3.0" # Ensure Terraform version compatibility 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = "~> 5.0" # This ensures compatibility with AWS provider v5 8 | } 9 | 10 | kubectl = { 11 | source = "gavinbunney/kubectl" 12 | version = "~>1.14" 13 | } 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /modules/linkerd/examples/basic/0-setup.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.3.0" 3 | 4 | required_providers { 5 | helm = ">= 2.0" 6 | } 7 | } 8 | 9 | provider "helm" {} 10 | -------------------------------------------------------------------------------- /modules/linkerd/examples/basic/1-example.tf: -------------------------------------------------------------------------------- 1 | module "this" { 2 | source = "../.." 3 | } 4 | -------------------------------------------------------------------------------- /modules/linkerd/examples/basic/README.md: -------------------------------------------------------------------------------- 1 | # basic 2 | 3 | 4 | ## Requirements 5 | 6 | | Name | Version | 7 | |------|---------| 8 | | [terraform](#requirement\_terraform) | >= 1.3.0 | 9 | | [helm](#requirement\_helm) | >= 2.0 | 10 | 11 | ## Providers 12 | 13 | No providers. 
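14 | 15 | ## Modules 16 | 17 | | Name | Source | Version | 18 | |------|--------|---------| 19 | | [this](#module\_this) | ../.. | n/a | 20 | 21 | ## Resources 22 | 23 | No resources. 24 | 25 | ## Inputs 26 | 27 | No inputs. 28 | 29 | ## Outputs 30 | 31 | No outputs. 32 | 33 | -------------------------------------------------------------------------------- /modules/linkerd/modules/identity-certificates-and-keys/main.tf: -------------------------------------------------------------------------------- 1 | resource "tls_private_key" "trust_anchor_key" { /* Trust anchor (root) key for Linkerd identity; the hashicorp/tls provider keeps the private key in Terraform state, so the state backend must be encrypted and access-restricted — "sensitive = true" on the output only masks CLI display */ 2 | algorithm = "ECDSA" 3 | ecdsa_curve = "P256" 4 | } 5 | 6 | resource "tls_self_signed_cert" "trust_anchor_cert" { /* Self-signed CA; validity comes from var.validity_period_hours (default 187600h, >21 years) rather than a hard-coded literal so callers can shorten it; no CRL is produced by this module, so a compromised anchor can only be replaced, not revoked */ 7 | private_key_pem = tls_private_key.trust_anchor_key.private_key_pem 8 | validity_period_hours = var.validity_period_hours 9 | is_ca_certificate = true 10 | 11 | subject { 12 | common_name = "identity.linkerd.cluster.local" 13 | } 14 | 15 | allowed_uses = [ 16 | "crl_signing", 17 | "cert_signing", 18 | "server_auth", 19 | "client_auth" 20 | ] 21 | } 22 | 23 | resource "tls_private_key" "issuer_key" { /* Issuer (intermediate) key handed to Linkerd's identity controller, which signs proxy certificates with it; same state-exposure caveat as the anchor key */ 24 | algorithm = "ECDSA" 25 | ecdsa_curve = "P256" 26 | } 27 | 28 | resource "tls_cert_request" "issuer_req" { 29 | private_key_pem = tls_private_key.issuer_key.private_key_pem 30 | 31 | subject { 32 | common_name = "identity.linkerd.cluster.local" 33 | } 34 | } 35 | 36 | resource "tls_locally_signed_cert" "issuer_cert" { /* Issuer CA signed by the trust anchor; shares var.validity_period_hours with the anchor — consider a shorter issuer lifetime since the issuer key is the one in regular use */ 37 | cert_request_pem = tls_cert_request.issuer_req.cert_request_pem 38 | ca_private_key_pem = tls_private_key.trust_anchor_key.private_key_pem 39 | ca_cert_pem = tls_self_signed_cert.trust_anchor_cert.cert_pem 40 | validity_period_hours = var.validity_period_hours 41 | is_ca_certificate = true 42 | 43 | allowed_uses = [ 44 | "crl_signing", 45 | "cert_signing", 46 | "server_auth", 47 | "client_auth" 48 | ] 49 | } 50 | -------------------------------------------------------------------------------- /modules/linkerd/modules/identity-certificates-and-keys/outputs.tf: 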
-------------------------------------------------------------------------------- 1 | 2 | output "identity" { 3 | value = { 4 | trustAnchorsPEM = tls_self_signed_cert.trust_anchor_cert.cert_pem, 5 | issuerTlsCrtPEM = tls_locally_signed_cert.issuer_cert.cert_pem, 6 | issuerTlsKeyPEM = tls_private_key.issuer_key.private_key_pem 7 | } 8 | description = "The generated and required config field for linkerd identity module, this configs usually being generated/passed automatically when we use `linkerd` cli to install linkerd, but for terraform/helm install we need to generate them, for more info check README.md" 9 | sensitive = true 10 | } 11 | -------------------------------------------------------------------------------- /modules/linkerd/modules/identity-certificates-and-keys/variables.tf: -------------------------------------------------------------------------------- 1 | variable "validity_period_hours" { 2 | type = number 3 | default = 187600 4 | description = "The number of hours, after initial issuing, that the certificates will remain valid for. The default `187600` one is >21 years." 
5 | } 6 | -------------------------------------------------------------------------------- /modules/linkerd/modules/identity-certificates-and-keys/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.3.0" 3 | 4 | required_providers { 5 | tls = { 6 | source = "hashicorp/tls" 7 | version = "~> 4.0" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/linkerd/outputs.tf: -------------------------------------------------------------------------------- 1 | output "helm_metadata" { 2 | value = helm_release.this.metadata 3 | description = "Helm release metadata" 4 | } 5 | -------------------------------------------------------------------------------- /modules/linkerd/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.3.0" 3 | 4 | required_providers { 5 | helm = ">= 2.0" 6 | tls = { 7 | source = "hashicorp/tls" 8 | version = "~> 4.0" 9 | } 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /modules/metrics-server/README.md: -------------------------------------------------------------------------------- 1 | 2 | # Installs metrics-server helm chart 3 | 4 | ## Requirements 5 | 6 | | Name | Version | 7 | |------|---------| 8 | | [helm](#requirement\_helm) | >= 2.0 | 9 | 10 | ## Providers 11 | 12 | | Name | Version | 13 | |------|---------| 14 | | [helm](#provider\_helm) | >= 2.0 | 15 | 16 | ## Modules 17 | 18 | No modules. 
19 | 20 | ## Resources 21 | 22 | | Name | Type | 23 | |------|------| 24 | | [helm_release.metrics_server](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | 25 | 26 | ## Inputs 27 | 28 | | Name | Description | Type | Default | Required | 29 | |------|-------------|------|---------|:--------:| 30 | | [chart\_version](#input\_chart\_version) | The app chart version | `string` | `"7.4.1"` | no | 31 | | [name](#input\_name) | Metrics server name. | `string` | `"metrics-server"` | no | 32 | 33 | ## Outputs 34 | 35 | No outputs. 36 | 37 | -------------------------------------------------------------------------------- /modules/metrics-server/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * # Installs metrics-server helm chart 3 | */ 4 | 5 | resource "helm_release" "metrics_server" { /* Installs the bitnami metrics-server chart into kube-system; chart values come from the module-local values.yaml, which currently passes --kubelet-insecure-tls */ 6 | name = var.name 7 | repository = "oci://registry-1.docker.io/bitnamicharts" 8 | chart = "metrics-server" 9 | version = var.chart_version 10 | namespace = "kube-system" 11 | 12 | values = [ 13 | file("${path.module}/values.yaml") 14 | ] 15 | } 16 | -------------------------------------------------------------------------------- /modules/metrics-server/values.yaml: -------------------------------------------------------------------------------- 1 | extraArgs: 2 | - --kubelet-insecure-tls # NOTE(review): disables verification of each kubelet's serving certificate, so a spoofed kubelet endpoint could feed bogus metrics to autoscaling; presumably set because EKS kubelet serving certs are self-signed by default — drop the flag once kubelet certificates are signed by a CA metrics-server trusts 3 | 4 | apiService: 5 | ## Specifies whether the v1beta1.metrics.k8s.io API service should be created 6 | ## This should not be necessary in k8s version >= 1.8, but depends on vendors and cloud providers. 7 | ## 8 | create: true 9 | -------------------------------------------------------------------------------- /modules/metrics-server/variables.tf: -------------------------------------------------------------------------------- 1 | variable "name" { 2 | type = string 3 | default = "metrics-server" 4 | description = "Metrics server name." 
5 | } 6 | 7 | variable "chart_version" { 8 | type = string 9 | default = "7.4.1" 10 | description = "The app chart version" 11 | } 12 | -------------------------------------------------------------------------------- /modules/metrics-server/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | helm = ">= 2.0" 4 | } 5 | } 6 | -------------------------------------------------------------------------------- /modules/namespaces-and-docker-auth/data.tf: -------------------------------------------------------------------------------- 1 | data "aws_region" "current" { 2 | count = var.region == null ? 1 : 0 3 | } 4 | -------------------------------------------------------------------------------- /modules/namespaces-and-docker-auth/examples/basic/0-setup.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.3.0" 3 | 4 | required_providers { 5 | helm = ">= 2.0" 6 | } 7 | } 8 | 9 | provider "helm" {} 10 | -------------------------------------------------------------------------------- /modules/namespaces-and-docker-auth/examples/basic/1-example.tf: -------------------------------------------------------------------------------- 1 | module "this" { 2 | source = "../.." 3 | 4 | cluster_name = "test-cluster-with-karpenter" 5 | cluster_endpoint = "" 6 | oidc_provider_arn = "" 7 | } 8 | -------------------------------------------------------------------------------- /modules/namespaces-and-docker-auth/examples/basic/README.md: -------------------------------------------------------------------------------- 1 | # basic 2 | 3 | 4 | ## Requirements 5 | 6 | | Name | Version | 7 | |------|---------| 8 | | [terraform](#requirement\_terraform) | >= 1.3.0 | 9 | | [helm](#requirement\_helm) | >= 2.0 | 10 | 11 | ## Providers 12 | 13 | No providers. 
14 | 15 | ## Modules 16 | 17 | | Name | Source | Version | 18 | |------|--------|---------| 19 | | [this](#module\_this) | ../.. | n/a | 20 | 21 | ## Resources 22 | 23 | No resources. 24 | 25 | ## Inputs 26 | 27 | No inputs. 28 | 29 | ## Outputs 30 | 31 | No outputs. 32 | 33 | -------------------------------------------------------------------------------- /modules/namespaces-and-docker-auth/locals.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | region = coalesce(var.region, try(data.aws_region.current[0].name, null)) 3 | } 4 | -------------------------------------------------------------------------------- /modules/namespaces-and-docker-auth/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * 3 | * # Terraform module that creates/deploys application namespaces into an EKS cluster and configures docker registry image pull secrets 4 | * 5 | * ## example 6 | * ```terraform 7 | * module "this" { 8 | * source = "dasmeta/eks/aws//modules/namespaces-and-docker-auth" 9 | * 10 | * cluster_name = "test-cluster-with-linkerd" 11 | * cluster_endpoint = "" 12 | * oidc_provider_arn = "" 13 | * region = "eu-central-1" 14 | * configs = {} # the defaults should work, but there are some dependencies, e.g. the aws secret must already exist 15 | * } 16 | * ``` 17 | * 18 | * 19 | **/ 20 | 21 | resource "helm_release" "this" { /* Deploys the dasmeta namespaces-and-docker-auth chart; create_namespace is fixed to false, so var.namespace must already exist */ 22 | name = var.name 23 | repository = "https://dasmeta.github.io/helm" 24 | chart = "namespaces-and-docker-auth" 25 | namespace = var.namespace 26 | version = var.chart_version 27 | create_namespace = false 28 | atomic = var.atomic 29 | wait = var.wait 30 | 31 | values = [jsonencode(module.custom_default_configs_deep.merged)] 32 | } 33 | 34 | module "custom_default_configs_deep" { /* Deep-merges the computed defaults with var.configs; presumably later maps win, so callers can override dockerAuth.serviceAccountRoleArn and region — confirm against the deepmerge module */ 35 | source = "cloudposse/config/yaml//modules/deepmerge" 36 | version = "1.0.2" 37 | 38 | maps = [ 39 | { 40 | dockerAuth = { 41 | serviceAccountRoleArn = 
try(module.dockerhub_auth_secret_iam_eks_role[0].iam_role_arn, null) 42 | region = local.region 43 | } 44 | }, 45 | var.configs 46 | ] 47 | } 48 | -------------------------------------------------------------------------------- /modules/namespaces-and-docker-auth/outputs.tf: -------------------------------------------------------------------------------- 1 | output "helm_metadata" { 2 | value = helm_release.this.metadata 3 | description = "Helm release metadata" 4 | } 5 | -------------------------------------------------------------------------------- /modules/namespaces-and-docker-auth/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.3.0" 3 | 4 | required_providers { 5 | helm = ">= 2.0" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /modules/nginx-ingress-controller/tests/basic/README.md: -------------------------------------------------------------------------------- 1 | # basic 2 | 3 | 4 | ## Requirements 5 | 6 | No requirements. 7 | 8 | ## Providers 9 | 10 | No providers. 11 | 12 | ## Modules 13 | 14 | | Name | Source | Version | 15 | |------|--------|---------| 16 | | [this](#module\_this) | ../../ | n/a | 17 | 18 | ## Resources 19 | 20 | No resources. 21 | 22 | ## Inputs 23 | 24 | No inputs. 25 | 26 | ## Outputs 27 | 28 | No outputs. 
29 | 30 | -------------------------------------------------------------------------------- /modules/nginx-ingress-controller/tests/basic/main.tf: -------------------------------------------------------------------------------- 1 | module "this" { 2 | source = "../../" 3 | 4 | } 5 | -------------------------------------------------------------------------------- /modules/nginx-ingress-controller/variables.tf: -------------------------------------------------------------------------------- 1 | variable "name" { 2 | type = string 3 | default = "nginx" 4 | description = "Name" 5 | } 6 | 7 | variable "namespace" { 8 | type = string 9 | default = "ingress-nginx" 10 | description = "Namespace name" 11 | } 12 | 13 | variable "chart_version" { 14 | type = string 15 | default = "4.12.0" 16 | description = "The app chart version" 17 | } 18 | 19 | variable "create_namespace" { 20 | type = bool 21 | default = true 22 | description = "Create namespace or use existing one" 23 | } 24 | 25 | variable "replicacount" { 26 | type = number 27 | default = 3 28 | description = "Nginx Ingress controller replica count" 29 | } 30 | 31 | variable "metrics_enabled" { 32 | type = bool 33 | default = true 34 | description = "Enable metric export" 35 | } 36 | 37 | variable "configs" { 38 | type = any 39 | default = {} 40 | description = "Configurations to pass and override default ones. 
Check the helm chart available configs here: https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx/4.12.0?modal=values" 41 | } 42 | -------------------------------------------------------------------------------- /modules/nginx-ingress-controller/version.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | helm = ">= 2.0" 4 | } 5 | } 6 | -------------------------------------------------------------------------------- /modules/node-problem-detector/README.md: -------------------------------------------------------------------------------- 1 | # Node Problem detector 2 | This component detects issues and reports them to the Kubernetes API server and Prometheus. 3 | 4 | See helm and git repos for details. 5 | https://github.com/kubernetes/node-problem-detector 6 | https://artifacthub.io/packages/helm/deliveryhero/node-problem-detector 7 | 8 | ## Requirements 9 | 10 | | Name | Version | 11 | |------|---------| 12 | | [terraform](#requirement\_terraform) | >= 1.0.0 | 13 | 14 | ## Providers 15 | 16 | No providers. 17 | 18 | ## Modules 19 | 20 | | Name | Source | Version | 21 | |------|--------|---------| 22 | | [node-problem-detector](#module\_node-problem-detector) | terraform-module/release/helm | 2.8.2 | 23 | 24 | ## Resources 25 | 26 | No resources. 27 | 28 | ## Inputs 29 | 30 | | Name | Description | Type | Default | Required | 31 | |------|-------------|------|---------|:--------:| 32 | | [chart\_version](#input\_chart\_version) | The app chart version to use | `string` | `"2.3.14"` | no | 33 | 34 | ## Outputs 35 | 36 | No outputs. 
37 | 38 | -------------------------------------------------------------------------------- /modules/node-problem-detector/main.tf: -------------------------------------------------------------------------------- 1 | module "node-problem-detector" { 2 | source = "terraform-module/release/helm" 3 | version = "2.8.2" 4 | 5 | namespace = "kube-system" 6 | repository = "https://charts.deliveryhero.io/" 7 | 8 | app = { 9 | name = "node-problem-detector" 10 | version = var.chart_version 11 | chart = "node-problem-detector" 12 | force_update = true 13 | wait = true 14 | recreate_pods = false 15 | deploy = 1 16 | } 17 | values = [templatefile("${path.module}/values.yaml", {})] 18 | 19 | set = [] 20 | 21 | set_sensitive = [] 22 | } 23 | -------------------------------------------------------------------------------- /modules/node-problem-detector/tests/basic/0-setup.tf: -------------------------------------------------------------------------------- 1 | # data 2 | provider "helm" { 3 | kubernetes { 4 | config_path = "~/.kube/config" 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /modules/node-problem-detector/tests/basic/1-example.tf: -------------------------------------------------------------------------------- 1 | module "basic" { 2 | source = "../.." 3 | } 4 | -------------------------------------------------------------------------------- /modules/node-problem-detector/tests/basic/README.md: -------------------------------------------------------------------------------- 1 | # basic 2 | 3 | 4 | ## Requirements 5 | 6 | No requirements. 7 | 8 | ## Providers 9 | 10 | No providers. 11 | 12 | ## Modules 13 | 14 | | Name | Source | Version | 15 | |------|--------|---------| 16 | | [basic](#module\_basic) | ../.. | n/a | 17 | 18 | ## Resources 19 | 20 | No resources. 21 | 22 | ## Inputs 23 | 24 | No inputs. 25 | 26 | ## Outputs 27 | 28 | No outputs. 
29 | 30 | -------------------------------------------------------------------------------- /modules/node-problem-detector/values.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dasmeta/terraform-aws-eks/4c42afc69b954ee111fc89dcdce0184b42d7ce43/modules/node-problem-detector/values.yaml -------------------------------------------------------------------------------- /modules/node-problem-detector/variables.tf: -------------------------------------------------------------------------------- 1 | variable "chart_version" { 2 | type = string 3 | default = "2.3.14" 4 | description = "The app chart version to use" 5 | } 6 | -------------------------------------------------------------------------------- /modules/node-problem-detector/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | } 4 | -------------------------------------------------------------------------------- /modules/olm/README.md: -------------------------------------------------------------------------------- 1 | # olm 2 | 3 | 4 | ## Requirements 5 | 6 | | Name | Version | 7 | |------|---------| 8 | | [kubernetes](#requirement\_kubernetes) | ~>2.23 | 9 | 10 | ## Providers 11 | 12 | | Name | Version | 13 | |------|---------| 14 | | [kubernetes](#provider\_kubernetes) | ~>2.23 | 15 | 16 | ## Modules 17 | 18 | | Name | Source | Version | 19 | |------|--------|---------| 20 | | [yaml](#module\_yaml) | dasmeta/helpers/null//modules/yaml | 0.0.1 | 21 | 22 | ## Resources 23 | 24 | | Name | Type | 25 | |------|------| 26 | | [kubernetes_manifest.olm](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource | 27 | 28 | ## Inputs 29 | 30 | | Name | Description | Type | Default | Required | 31 | |------|-------------|------|---------|:--------:| 32 | | [version\_tag](#input\_version\_tag) | OlM version | 
`string` | `"v0.30.0"` | no |

## Outputs

No outputs.

--------------------------------------------------------------------------------
/modules/olm/crds.tf:
--------------------------------------------------------------------------------
# Downloads the upstream OLM "quickstart" manifests from GitHub at plan/apply
# time and applies every YAML document in them as a kubernetes_manifest.
#
# Supply-chain note (review): var.version_tag is a git *tag*, and nothing here
# verifies what was fetched (no digest, no signature). A tag can be moved
# upstream, so the same Terraform inputs can install different content on a
# later run. Setting version_tag to a full commit SHA gives an immutable
# reference; the raw.githubusercontent.com path accepts a SHA in place of the
# tag. The bundle is presumably cluster-scoped (CRDs plus the operator's own
# RBAC) — review the diff upstream before bumping the version.
module "yaml" {
  source  = "dasmeta/helpers/null//modules/yaml"
  version = "0.0.1"

  files = [
    "https://raw.githubusercontent.com/operator-framework/operator-lifecycle-manager/${var.version_tag}/deploy/upstream/quickstart/crds.yaml",
    "https://raw.githubusercontent.com/operator-framework/operator-lifecycle-manager/${var.version_tag}/deploy/upstream/quickstart/olm.yaml"
  ]
}

# The for_each key is the full text of each document (toset of strings), so any
# upstream change to a document produces a new key and Terraform plans a
# destroy/create of that object instead of an in-place update.
# NOTE(review): no ordering between documents is expressed; if olm.yaml
# contains custom resources whose CRDs come from crds.yaml, confirm that a
# first apply on an empty cluster succeeds without a retry.
resource "kubernetes_manifest" "olm" {
  for_each = toset(module.yaml.yamls)

  manifest = yamldecode(each.value)
}
--------------------------------------------------------------------------------
/modules/olm/main.tf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dasmeta/terraform-aws-eks/4c42afc69b954ee111fc89dcdce0184b42d7ce43/modules/olm/main.tf
--------------------------------------------------------------------------------
/modules/olm/tests/basic/1-example.tf:
--------------------------------------------------------------------------------
# Smoke test: the module with every input at its default (version_tag "v0.30.0").
module "olm-simple" {
  source = "../../"
}
--------------------------------------------------------------------------------
/modules/olm/tests/basic/README.md:
--------------------------------------------------------------------------------
# basic


## Requirements

No requirements.

## Providers

No providers.

## Modules

| Name | Source | Version |
|------|--------|---------|
| [olm-simple](#module\_olm-simple) | ../../ | n/a |

## Resources

No resources.

## Inputs

No inputs.

## Outputs

No outputs.
29 | 30 | -------------------------------------------------------------------------------- /modules/olm/variables.tf: -------------------------------------------------------------------------------- 1 | variable "version_tag" { 2 | type = string 3 | default = "v0.30.0" 4 | description = "OlM version" 5 | } 6 | -------------------------------------------------------------------------------- /modules/olm/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | kubernetes = { 4 | source = "hashicorp/kubernetes" 5 | version = "~>2.23" 6 | } 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /modules/portainer/README.md: -------------------------------------------------------------------------------- 1 | # portainer 2 | 3 | 4 | ## Requirements 5 | 6 | | Name | Version | 7 | |------|---------| 8 | | [helm](#requirement\_helm) | >= 2.0 | 9 | 10 | ## Providers 11 | 12 | | Name | Version | 13 | |------|---------| 14 | | [helm](#provider\_helm) | >= 2.0 | 15 | 16 | ## Modules 17 | 18 | No modules. 
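## Resources

| Name | Type |
|------|------|
| [helm_release.portainer](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [chart\_version](#input\_chart\_version) | The app chart version | `string` | `"1.0.62"` | no |
| [enable\_ingress](#input\_enable\_ingress) | Whether to create a Kubernetes Ingress (AWS ALB, HTTPS only) for Portainer | `bool` | `true` | no |
| [host](#input\_host) | Ingress host name | `string` | `"portainer.dasmeta.com"` | no |

## Outputs

| Name | Description |
|------|-------------|
| [portainer\_host](#output\_portainer\_host) | The ingress host name Portainer is published under (echo of var.host) |

--------------------------------------------------------------------------------
/modules/portainer/main.tf:
--------------------------------------------------------------------------------
# Installs the Portainer UI chart into its own "portainer" namespace and, when
# var.enable_ingress is true, publishes it through an AWS ALB ingress on HTTPS.
#
# Exposure notes (review):
#   * service.type is NodePort, so the UI is reachable on every worker node's
#     NodePort from anything the node security group admits, with or without
#     the ingress. Keep the node SG limited to the ALB and cluster-internal
#     sources.
#   * listen-ports pins the ALB to HTTPS/443 and no certificate annotation is
#     set here, so the load balancer controller has to find an ACM certificate
#     for var.host by itself — verify one exists or the ingress will not
#     provision.
#   * tls.force is a chart value; it presumably makes Portainer itself enforce
#     TLS. Confirm against the chart 1.0.62 values before relying on it.
resource "helm_release" "portainer" {
  name             = "portainer"
  repository       = "https://portainer.github.io/k8s/"
  chart            = "portainer"
  version          = var.chart_version
  create_namespace = true
  namespace        = "portainer"

  set {
    name  = "service.type"
    value = "NodePort"
  }

  set {
    name  = "tls.force"
    value = "true"
  }

  # Helm "set" values are strings. The previous expression,
  # `"true" ? var.enable_ingress : "false"`, tested the constant "true" and so
  # always reduced to tostring(var.enable_ingress); say that directly.
  set {
    name  = "ingress.enabled"
    value = var.enable_ingress ? "true" : "false"
  }

  # Annotation keys contain dots, which Helm's --set parser treats as path
  # separators unless escaped — hence the "\\." sequences.
  set {
    name  = "ingress.annotations.alb\\.ingress\\.kubernetes\\.io/group\\.name"
    value = "portainer"
  }

  set {
    name  = "ingress.annotations.kubernetes\\.io/ingress\\.class"
    value = "alb"
  }

  set {
    name  = "ingress.annotations.alb\\.ingress\\.kubernetes\\.io/listen-ports"
    value = "[{'HTTPS':443}]"
  }

  set {
    name  = "ingress.hosts[0].host"
    value = local.host
  }

  set {
    name  = "ingress.hosts[0].paths[0].path"
    value = "/"
  }

  set {
    name  = "persistence.size"
    value = "10Gi"
  }

  # "gp2" must exist as a StorageClass in the cluster; otherwise the Portainer
  # PVC stays Pending and the release never becomes ready.
  set {
    name  = "persistence.storageClass"
    value = "gp2"
  }
}

locals {
  # Escape the dots in the host ("a.b.c" -> "a\\.b\\.c") so Helm's --set parser
  # keeps them literal instead of splitting the value.
  host = join("\\.", split(".", var.host))
}
--------------------------------------------------------------------------------
/modules/portainer/outputs.tf:
--------------------------------------------------------------------------------
output "portainer_host" {
  description = "The ingress host name Portainer is published under (echo of var.host)."
  value       = var.host
}
--------------------------------------------------------------------------------
/modules/portainer/variables.tf:
--------------------------------------------------------------------------------
variable "host" {
  description = "Ingress host name"
  type        = string
  default     = "portainer.dasmeta.com"
}

variable "enable_ingress" {
  description = "Whether to create a Kubernetes Ingress (AWS ALB, HTTPS only) for Portainer"
  type        = bool
  default     = true
}

variable "chart_version" {
  type        = string
  default     = "1.0.62"
  description = "The app chart version"
}
--------------------------------------------------------------------------------
/modules/portainer/versions.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    # Capped below 3.0: the helm provider 3.x turned `set` from nested blocks
    # into a list attribute, which would reject every set { } block in main.tf.
    helm = ">= 2.0, < 3.0"
  }
}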
-------------------------------------------------------------------------------- /modules/priority-class/README.md: -------------------------------------------------------------------------------- 1 | # priority-class 2 | 3 | 4 | ## Requirements 5 | 6 | | Name | Version | 7 | |------|---------| 8 | | [kubernetes](#requirement\_kubernetes) | ~>2.23 | 9 | 10 | ## Providers 11 | 12 | | Name | Version | 13 | |------|---------| 14 | | [kubernetes](#provider\_kubernetes) | ~>2.23 | 15 | 16 | ## Modules 17 | 18 | No modules. 19 | 20 | ## Resources 21 | 22 | | Name | Type | 23 | |------|------| 24 | | [kubernetes_priority_class.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/priority_class) | resource | 25 | 26 | ## Inputs 27 | 28 | | Name | Description | Type | Default | Required | 29 | |------|-------------|------|---------|:--------:| 30 | | [additional\_priority\_classes](#input\_additional\_priority\_classes) | Defines Priority Classes in Kubernetes, used to assign different levels of priority to pods. By default, this module creates three Priority Classes: 'high'(1000000), 'medium'(500000) and 'low'(250000) . You can also provide a custom list of Priority Classes if needed. |
list(object({
name = string
value = string # number in string form
}))
| `[]` | no | 31 | 32 | ## Outputs 33 | 34 | | Name | Description | 35 | |------|-------------| 36 | | [priority\_class](#output\_priority\_class) | n/a | 37 | 38 | -------------------------------------------------------------------------------- /modules/priority-class/main.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | priority_class_default = [ 3 | { 4 | name = "high" 5 | value = "1000000" 6 | }, 7 | { 8 | name = "medium" 9 | value = "500000" 10 | }, 11 | { 12 | name = "low" 13 | value = "250000" 14 | } 15 | ] 16 | priority_class = concat(local.priority_class_default, var.additional_priority_classes) 17 | } 18 | 19 | resource "kubernetes_priority_class" "this" { 20 | # Transform the list of maps into a key-value map suitable for for_each 21 | for_each = { for pc in local.priority_class : pc.name => pc } 22 | 23 | metadata { 24 | name = each.key 25 | } 26 | 27 | value = each.value.value 28 | } 29 | -------------------------------------------------------------------------------- /modules/priority-class/output.tf: -------------------------------------------------------------------------------- 1 | output "priority_class" { 2 | value = local.priority_class 3 | } 4 | -------------------------------------------------------------------------------- /modules/priority-class/tests/add-new-priority-class/README.md: -------------------------------------------------------------------------------- 1 | # add-new-priority-class 2 | 3 | 4 | ## Requirements 5 | 6 | No requirements. 
7 | 8 | ## Providers 9 | 10 | | Name | Version | 11 | |------|---------| 12 | | [aws](#provider\_aws) | n/a | 13 | 14 | ## Modules 15 | 16 | | Name | Source | Version | 17 | |------|--------|---------| 18 | | [test](#module\_test) | ../../ | n/a | 19 | 20 | ## Resources 21 | 22 | | Name | Type | 23 | |------|------| 24 | | [aws_eks_cluster.test-cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | 25 | | [aws_eks_cluster_auth.test-cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | 26 | | [aws_iam_openid_connect_provider.test-cluster-oidc-provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source | 27 | 28 | ## Inputs 29 | 30 | No inputs. 31 | 32 | ## Outputs 33 | 34 | | Name | Description | 35 | |------|-------------| 36 | | [priority\_class](#output\_priority\_class) | n/a | 37 | 38 | -------------------------------------------------------------------------------- /modules/priority-class/tests/add-new-priority-class/main.tf: -------------------------------------------------------------------------------- 1 | module "test" { 2 | source = "../../" 3 | 4 | additional_priority_classes = [ 5 | { 6 | name = "important" 7 | value = "2000000" 8 | }, 9 | ] 10 | } 11 | -------------------------------------------------------------------------------- /modules/priority-class/tests/add-new-priority-class/output.tf: -------------------------------------------------------------------------------- 1 | output "priority_class" { 2 | value = module.test.priority_class 3 | } 4 | -------------------------------------------------------------------------------- /modules/priority-class/tests/add-new-priority-class/providers.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | cluster_name = "stage" 3 | } 4 | 5 | data "aws_eks_cluster" 
"test-cluster" { 6 | name = local.cluster_name 7 | } 8 | 9 | data "aws_eks_cluster_auth" "test-cluster" { 10 | name = local.cluster_name 11 | } 12 | 13 | data "aws_iam_openid_connect_provider" "test-cluster-oidc-provider" { 14 | url = data.aws_eks_cluster.test-cluster.identity[0].oidc[0].issuer 15 | } 16 | 17 | provider "kubernetes" { 18 | host = data.aws_eks_cluster.test-cluster.endpoint 19 | cluster_ca_certificate = base64decode(data.aws_eks_cluster.test-cluster.certificate_authority.0.data) 20 | token = data.aws_eks_cluster_auth.test-cluster.token 21 | 22 | exec { 23 | api_version = "client.authentication.k8s.io/v1beta1" 24 | args = ["eks", "--region", "eu-central-1", "get-token", "--cluster-name", local.cluster_name] 25 | command = "aws" 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /modules/priority-class/tests/basic/README.md: -------------------------------------------------------------------------------- 1 | # basic 2 | 3 | 4 | ## Requirements 5 | 6 | No requirements. 7 | 8 | ## Providers 9 | 10 | | Name | Version | 11 | |------|---------| 12 | | [aws](#provider\_aws) | n/a | 13 | 14 | ## Modules 15 | 16 | | Name | Source | Version | 17 | |------|--------|---------| 18 | | [test](#module\_test) | ../../ | n/a | 19 | 20 | ## Resources 21 | 22 | | Name | Type | 23 | |------|------| 24 | | [aws_eks_cluster.test-cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | 25 | | [aws_eks_cluster_auth.test-cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | 26 | | [aws_iam_openid_connect_provider.test-cluster-oidc-provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source | 27 | 28 | ## Inputs 29 | 30 | No inputs. 
31 | 32 | ## Outputs 33 | 34 | | Name | Description | 35 | |------|-------------| 36 | | [priority\_class](#output\_priority\_class) | n/a | 37 | 38 | -------------------------------------------------------------------------------- /modules/priority-class/tests/basic/main.tf: -------------------------------------------------------------------------------- 1 | module "test" { 2 | source = "../../" 3 | } 4 | -------------------------------------------------------------------------------- /modules/priority-class/tests/basic/output.tf: -------------------------------------------------------------------------------- 1 | output "priority_class" { 2 | value = module.test.priority_class 3 | } 4 | -------------------------------------------------------------------------------- /modules/priority-class/tests/basic/providers.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | cluster_name = "stage" 3 | } 4 | 5 | data "aws_eks_cluster" "test-cluster" { 6 | name = local.cluster_name 7 | } 8 | 9 | data "aws_eks_cluster_auth" "test-cluster" { 10 | name = local.cluster_name 11 | } 12 | 13 | data "aws_iam_openid_connect_provider" "test-cluster-oidc-provider" { 14 | url = data.aws_eks_cluster.test-cluster.identity[0].oidc[0].issuer 15 | } 16 | 17 | provider "kubernetes" { 18 | host = data.aws_eks_cluster.test-cluster.endpoint 19 | cluster_ca_certificate = base64decode(data.aws_eks_cluster.test-cluster.certificate_authority.0.data) 20 | token = data.aws_eks_cluster_auth.test-cluster.token 21 | 22 | exec { 23 | api_version = "client.authentication.k8s.io/v1beta1" 24 | args = ["eks", "--region", "eu-central-1", "get-token", "--cluster-name", local.cluster_name] 25 | command = "aws" 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /modules/priority-class/variables.tf: -------------------------------------------------------------------------------- 1 | variable 
"additional_priority_classes" { 2 | type = list(object({ 3 | name = string 4 | value = string # number in string form 5 | })) 6 | description = "Defines Priority Classes in Kubernetes, used to assign different levels of priority to pods. By default, this module creates three Priority Classes: 'high'(1000000), 'medium'(500000) and 'low'(250000) . You can also provide a custom list of Priority Classes if needed." 7 | default = [] 8 | } 9 | -------------------------------------------------------------------------------- /modules/priority-class/version.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | kubernetes = { 4 | source = "hashicorp/kubernetes" 5 | version = "~>2.23" 6 | } 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /modules/s3-csi/data.tf: -------------------------------------------------------------------------------- 1 | data "aws_region" "current" { 2 | count = var.region == null ? 1 : 0 3 | } 4 | 5 | data "aws_eks_addon_version" "this" { 6 | count = var.addon_version == null ? 
1 : 0 7 | 8 | addon_name = local.addon_name 9 | kubernetes_version = var.cluster_version 10 | most_recent = var.most_recent 11 | } 12 | 13 | data "aws_s3_bucket" "this" { 14 | count = length(var.s3_buckets) 15 | 16 | bucket = var.s3_buckets[count.index] 17 | } 18 | -------------------------------------------------------------------------------- /modules/s3-csi/examples/basic/0-setup.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.3.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.31, < 6.0.0" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/s3-csi/examples/basic/1-example.tf: -------------------------------------------------------------------------------- 1 | module "this" { 2 | source = "../.." 3 | 4 | cluster_name = "test-cluster-with-karpenter" 5 | oidc_provider_arn = "" 6 | } 7 | -------------------------------------------------------------------------------- /modules/s3-csi/examples/basic/README.md: -------------------------------------------------------------------------------- 1 | # basic 2 | 3 | 4 | ## Requirements 5 | 6 | | Name | Version | 7 | |------|---------| 8 | | [terraform](#requirement\_terraform) | >= 1.3.0 | 9 | | [aws](#requirement\_aws) | >= 3.31, < 6.0.0 | 10 | 11 | ## Providers 12 | 13 | No providers. 14 | 15 | ## Modules 16 | 17 | | Name | Source | Version | 18 | |------|--------|---------| 19 | | [this](#module\_this) | ../.. | n/a | 20 | 21 | ## Resources 22 | 23 | No resources. 24 | 25 | ## Inputs 26 | 27 | No inputs. 28 | 29 | ## Outputs 30 | 31 | No outputs. 
--------------------------------------------------------------------------------
/modules/s3-csi/locals.tf:
--------------------------------------------------------------------------------
locals {
  addon_name = "aws-mountpoint-s3-csi-driver"

  # Bucket and object ARN lists handed to the driver's IRSA policy.
  # LEAST-PRIVILEGE NOTE (review): when var.s3_buckets is empty the fallback is
  # "arn:aws:s3:::*" here and "arn:aws:s3:::*/*" below, i.e. the driver role is
  # scoped to every bucket and object it can address, not only the buckets
  # workloads actually mount. Pass the explicit bucket list whenever it is known.
  mountpoint_s3_csi_bucket_arns = length(var.s3_buckets) > 0 ? data.aws_s3_bucket.this.*.arn : ["arn:aws:s3:::*"]
  mountpoint_s3_csi_path_arns   = [for item in local.mountpoint_s3_csi_bucket_arns : "${item}/*"]

  # var.region wins; otherwise the provider's current region (data.tf only
  # instantiates data.aws_region.current when var.region is null).
  region = coalesce(var.region, try(data.aws_region.current[0].name, null))
}
--------------------------------------------------------------------------------
/modules/s3-csi/main.tf:
--------------------------------------------------------------------------------
# IAM role the Mountpoint S3 CSI driver assumes through IRSA. Trust is limited
# to the single <namespace>:<serviceAccount> subject of the cluster's OIDC
# provider, so only that service account can obtain the bucket permissions.
module "iam_role_for_service_accounts_eks" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
  version = "5.55.0"

  # NOTE(review): IAM role names are limited to 64 characters; a long cluster
  # name plus the region suffix can exceed that.
  role_name = "eks-s3-csi-${var.cluster_name}-${local.region}"

  attach_mountpoint_s3_csi_policy = true
  mountpoint_s3_csi_bucket_arns   = local.mountpoint_s3_csi_bucket_arns
  mountpoint_s3_csi_path_arns     = local.mountpoint_s3_csi_path_arns

  oidc_providers = {
    one = {
      provider_arn               = var.oidc_provider_arn
      namespace_service_accounts = ["${var.namespace}:${var.serviceAccount}"]
    }
  }
}

# The EKS managed add-on itself. OVERWRITE on create and update means manual
# changes to the add-on's managed fields are reverted on the next apply: this
# module, not kubectl, is the source of truth for the driver.
resource "aws_eks_addon" "this" {
  cluster_name = var.cluster_name
  addon_name   = local.addon_name
  # An explicit version wins; otherwise the version data.tf resolved for
  # var.cluster_version (var.most_recent decides whether the newest build is
  # taken instead of the default one).
  addon_version               = coalesce(var.addon_version, try(data.aws_eks_addon_version.this[0].version, null))
  resolve_conflicts_on_create = "OVERWRITE"
  resolve_conflicts_on_update = "OVERWRITE"
  service_account_role_arn    = module.iam_role_for_service_accounts_eks.iam_role_arn
  # var.configs is passed through unvalidated; keep it to the schema EKS
  # publishes for this add-on (aws eks describe-addon-configuration).
  configuration_values = jsonencode(var.configs)
}
--------------------------------------------------------------------------------
/modules/s3-csi/outputs.tf:
--------------------------------------------------------------------------------
output "addon_arn" {
  value       = aws_eks_addon.this.arn
  description = "The arn of installed/created addon"
}

output "role_arn" {
  value       = module.iam_role_for_service_accounts_eks.iam_role_arn
  description = "The arn of service account role"
}
--------------------------------------------------------------------------------
/modules/sso-rbac/account-assignment.tf:
--------------------------------------------------------------------------------
# For each binding (namespace, group) assigns the permission set created in
# permission-set.tf ("ps-<namespace>-<group>") to the SSO group of the same
# name in var.account_id. This assignment is what makes AWS provision the
# AWSReservedSSO_ps-<namespace>-<group>_<suffix> role that provisioner.tf later
# maps into aws-auth.
module "sso_account_assignments" {
  source   = "./terraform-aws-sso/modules/account-assignments"
  for_each = { for kr in var.bindings : "${kr.namespace}-${kr.group}" => kr }
  account_assignments = [
    {
      permission_set_name = "ps-${each.value.namespace}-${each.value.group}"
      account             = var.account_id
      permission_set_arn  = module.permission_sets[each.key].permission_sets["ps-${each.key}"].arn
      principal_type      = "GROUP",
      principal_name      = "${each.value.group}"
    }
  ]
}

data "aws_ssoadmin_instances" "this" {}

# Looks every bound group up in the Identity Store by DisplayName. No file of
# this module visible in this review reads the result; presumably it serves as
# an existence check so a misspelled group fails the plan rather than producing
# an assignment to nothing — confirm before removing it.
data "aws_identitystore_group" "this" {
  for_each          = { for as in var.bindings : "${as.namespace}-${as.group}" => as }
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  filter {
    attribute_path  = local.attribute_path
    attribute_value = each.value.group
  }
}



locals {
  attribute_path = "DisplayName"
  # NOTE(review): principal_type, target_type and permission_set_role are not
  # referenced by any file visible in this review.
  principal_type      = "GROUP"
  target_type         = "AWS_ACCOUNT"
  permission_set_role = local.arns_without_path
}
--------------------------------------------------------------------------------
/modules/sso-rbac/krole.tf:
--------------------------------------------------------------------------------
# One namespaced Role per binding, named "<namespace>-<group>".
#
# Scope notes (review):
#   * Every Role receives *all* of var.roles: the rule loop iterates the whole
#     list and the per-binding `roles` names in var.bindings are never consulted
#     here. Each bound group therefore gets the union of every declared rule in
#     its namespace — the interface suggests finer selection than is enforced.
#   * api_groups is fixed to [""] (the core group), so a rule only ever matches
#     core resources (pods, services, configmaps, secrets, ...). Resources from
#     other API groups — deployments (apps), jobs (batch), ingresses
#     (networking.k8s.io) — listed in var.roles silently grant nothing.
resource "kubernetes_role_v1" "k8s-rbac" {

  for_each = { for bind in var.bindings : "${bind.namespace}-${bind.group}" => bind }

  metadata {
    name      = each.key
    namespace = each.value.namespace
  }

  dynamic "rule" {
    for_each = var.roles

    content {
      api_groups = [""]
      resources  = rule.value.resources
      verbs      = rule.value.actions
    }
  }
}
--------------------------------------------------------------------------------
/modules/sso-rbac/krolebinding.tf:
--------------------------------------------------------------------------------
# Binds each namespace Role to the Kubernetes group named after the SSO group.
# That group exists only through aws-auth: provisioner.tf maps the binding's
# AWSReservedSSO_* role to `groups = [<group>]`, which is the subject used here.
# The resource label "example" is part of the state address; renaming it would
# recreate every binding, so it is left as is.
resource "kubernetes_role_binding" "example" {

  for_each = { for bind in var.bindings : "${bind.namespace}-${bind.group}" => bind }

  metadata {
    name      = each.value.group
    namespace = each.value.namespace
  }

  subject {
    kind      = "Group"
    name      = each.value.group
    api_group = "rbac.authorization.k8s.io"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = each.key
  }
}
--------------------------------------------------------------------------------
/modules/sso-rbac/main.tf:
--------------------------------------------------------------------------------
/**
 * ### This is basic usage of module `sso-rbac`
 *
 * For every binding the module creates an SSO permission set plus account
 * assignment for the group, maps the resulting AWSReservedSSO_* role into
 * aws-auth, and creates a namespaced Role/RoleBinding for the group.
 *
 * Caveats to keep in mind when writing `roles` and `bindings`:
 *  - `roles` entries carry only `actions` and `resources` (see variables.tf);
 *    every binding's Role gets all of them, the per-binding `roles` list is
 *    currently not used to select a subset.
 *  - rules are created with `api_groups = [""]`, so only core-group resources
 *    (pods, configmaps, secrets, services, ...) are actually granted.
 *  - each permission set attaches the AWS-side policy configured in
 *    permission-set.tf; check it before binding a group.
 *
 * ```
 * module "sso-rbac" {
 *   source     = "dasmeta/eks/aws//modules/sso-rbac"
 *   roles      = local.roles
 *   bindings   = local.bindings
 *   eks_module = module.eks-cluster.eks_module
 *   account_id = var.account_id
 * }
 *
 * locals {
 *
 *   roles = [{
 *     actions   = ["get", "list", "watch"]
 *     resources = ["pods", "configmaps"]
 *   }, {
 *     actions   = ["get", "list", "watch"]
 *     resources = ["services"]
 *   }]
 *
 *   bindings = [{
 *     group     = "developers"
 *     namespace = "development"
 *     roles     = ["viewers", "editors"]
 *
 *   }, {
 *     group     = "accountants"
 *     namespace = "accounting"
 *     roles     = ["editors"]
 *   }]
 * }
 * ```
 **/
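--------------------------------------------------------------------------------
/modules/sso-rbac/outputs.tf:
--------------------------------------------------------------------------------
output "role_arns_without_path" {
  description = "ARNs of the AWSReservedSSO_* roles with the IAM path removed, in the form aws-auth expects."
  value       = local.arns_without_path
}

output "role_arns" {
  description = "Raw ARNs (path included) of every AWSReservedSSO_* role found in the account."
  value       = data.aws_iam_roles.sso.arns
}

output "config_yaml" {
  description = "Rendered aws-auth ConfigMap produced by the eks-auth module."
  value       = module.eks_auth.aws_auth_configmap_yaml
}
--------------------------------------------------------------------------------
/modules/sso-rbac/permission-set.tf:
--------------------------------------------------------------------------------
# AWS-side managed policies attached to every permission set this module creates.
#
# LEAST-PRIVILEGE WARNING: the default keeps the historical behaviour, which is
# AWS-managed PowerUserAccess for *every* SSO group bound here — account-wide,
# near-admin AWS access granted as a side effect of asking for namespace-scoped
# Kubernetes RBAC. Callers should pass the narrowest policy that lets the group
# reach the cluster (read-only EKS describe permissions are typically enough for
# kubeconfig generation; the Kubernetes side is governed by aws-auth and RBAC).
variable "permission_set_policy_attachments" {
  description = "AWS managed policy ARNs attached to each generated permission set. Defaults to PowerUserAccess for backward compatibility; override with a narrower policy."
  type        = list(string)
  default     = ["arn:aws:iam::aws:policy/PowerUserAccess"]
}

# One permission set per binding, named "ps-<namespace>-<group>". The matching
# AWSReservedSSO_ps-<namespace>-<group>_<suffix> role is what provisioner.tf
# maps into aws-auth.
module "permission_sets" {
  source = "./terraform-aws-sso/modules/permission-sets"

  for_each = { for kr in var.bindings : "${kr.namespace}-${kr.group}" => kr }
  permission_sets = [
    {
      name                                = "ps-${each.value.namespace}-${each.value.group}"
      tags                                = {},
      policy_attachments                  = var.permission_set_policy_attachments
      customer_managed_policy_attachments = []
      description                         = "ps-${each.value.namespace}-${each.value.group}"
      inline_policy                       = ""
      session_duration                    = "PT12H" # 12-hour SSO sessions; consider shorter for sensitive groups
      relay_state                         = ""
    }
  ]
}

# NOTE(review): local.value is not referenced by any file of this module visible
# in this review; kept in case something out of tree reads it.
locals {
  value = module.permission_sets
}

locals {
  arns = tolist(data.aws_iam_roles.sso.arns)

  # aws-auth does not accept role ARNs that carry an IAM path, and the SSO
  # reserved roles live under /aws-reserved/sso.amazonaws.com/<region>/. Keep
  # "arn:aws:iam::<account>:role" and the final name segment only.
  arns_without_path = [
    for parts in [for arn in data.aws_iam_roles.sso.arns : split("/", arn)] :
    format("%s/%s", parts[0], element(parts, length(parts) - 1))
  ]

  # Permission-set names recovered from the role ARNs: drop everything up to
  # and including "AWSReservedSSO_" and the trailing unique suffix.
  # NOTE(review): not referenced by any visible file either.
  names = [
    for parts in [for arn in local.arns : split("_", arn)] :
    join("_", slice(parts, 1, length(parts) - 1))
  ]
}

# Every SSO-provisioned role in the target account. AWS creates the
# AWSReservedSSO_* role for a permission set when that set is *assigned* to the
# account, not when the set itself is created, so this lookup has to wait for
# the account assignments rather than only the permission sets; otherwise the
# first apply can observe no roles and provisioner.tf's per-binding lookup
# fails. module.sso_account_assignments already depends on
# module.permission_sets, so ordering is preserved.
data "aws_iam_roles" "sso" {
  depends_on = [module.sso_account_assignments]
  name_regex = "AWSReservedSSO_.*"
}
--------------------------------------------------------------------------------
/modules/sso-rbac/provisioner.tf:
--------------------------------------------------------------------------------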
module "eks_auth" { 2 | source = "aidanmelen/eks-auth/aws" 3 | eks = var.eks_module 4 | version = "1.0.0" 5 | 6 | map_roles = [for role_binding in var.bindings : { 7 | rolearn = [for role_arn in local.arns_without_path : role_arn if length(regexall(".+AWSReservedSSO_ps-${role_binding.namespace}-${role_binding.group}.+", role_arn)) > 0][0] 8 | username = role_binding.group 9 | groups = [role_binding.group] 10 | } 11 | ] 12 | } 13 | -------------------------------------------------------------------------------- /modules/sso-rbac/terraform-aws-sso/modules/account-assignments/outputs.tf: -------------------------------------------------------------------------------- 1 | output "assignments" { 2 | value = aws_ssoadmin_account_assignment.this 3 | } 4 | -------------------------------------------------------------------------------- /modules/sso-rbac/terraform-aws-sso/modules/account-assignments/variables.tf: -------------------------------------------------------------------------------- 1 | variable "account_assignments" { 2 | type = list(object({ 3 | account = string 4 | permission_set_name = string 5 | permission_set_arn = string 6 | principal_name = string 7 | principal_type = string 8 | })) 9 | } 10 | -------------------------------------------------------------------------------- /modules/sso-rbac/terraform-aws-sso/modules/account-assignments/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 0.13.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.26.0, < 6.0.0" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/sso-rbac/terraform-aws-sso/modules/permission-sets/outputs.tf: -------------------------------------------------------------------------------- 1 | output "permission_sets" { 2 | value = aws_ssoadmin_permission_set.this 3 | } 4 | 
--------------------------------------------------------------------------------
/modules/sso-rbac/terraform-aws-sso/modules/permission-sets/variables.tf:
--------------------------------------------------------------------------------
# Permission sets to create. Every attribute is required (no optional()), so a
# caller passes "" / [] / {} for the fields it does not use — see
# sso-rbac/permission-set.tf for an example.
variable "permission_sets" {
  type = list(object({
    name             = string
    description      = string
    relay_state      = string
    session_duration = string # ISO-8601 duration such as "PT12H"
    tags             = map(string)
    inline_policy    = string # JSON policy document; the caller in this chunk passes ""
    policy_attachments = list(string) # AWS-managed policy ARNs
    customer_managed_policy_attachments = list(object({
      name = string
      path = string
    }))
  }))

  default = []
}
--------------------------------------------------------------------------------
/modules/sso-rbac/terraform-aws-sso/modules/permission-sets/versions.tf:
--------------------------------------------------------------------------------
# NOTE(review): no upper bound on the aws provider here, whereas the sibling
# account-assignments submodule and the root module both cap it below 6.0.0.
# The root constraint wins when composed, but the two vendored submodules
# disagree with each other.
terraform {
  required_version = ">= 0.13.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.30.0"
    }
  }
}
--------------------------------------------------------------------------------
/modules/sso-rbac/variables.tf:
--------------------------------------------------------------------------------
variable "bindings" {
  description = "Bindings to bind namespace and roles and then pass to kubernetes objects"
  type = list(object({
    group     = string       # SSO group; also the Kubernetes RBAC group used by krolebinding.tf
    namespace = string       # namespace the Role and RoleBinding are created in
    roles     = list(string) # NOTE(review): not consumed by any file in this chunk
  }))
}

variable "roles" {
  description = "Roles to provide kubernetes object"
  type = list(object({
    actions   = list(string) # RBAC verbs
    resources = list(string) # resource names; kroles.tf pins api_groups to the core group ("")
  }))
}

variable "eks_module" {
  description = "terraform-aws-eks module to used for aws-auth update"
  # Passed straight through to module.eks_auth (provisioner.tf); typed `any`
  # because the shape is whatever that module expects.
  type = any
}

variable "account_id" {
  description = "Account Id to apply changes into"
  type        = string
  # NOTE(review): declared but not referenced by any sso-rbac file in this chunk.
}

variable "map_roles" {
  description = "Additional IAM roles to add to the aws-auth configmap."
  # NOTE(review): confirm provisioner.tf forwards this to module.eks_auth; in the
  # reviewed revision it was declared here but not consumed.
  type = list(object({
    rolearn  = string
    username = string
    groups   = list(string)
  }))
  default = []
}

variable "map_users" {
  description = "Additional IAM users to add to the aws-auth configmap."
  # NOTE(review): declared but not forwarded to module.eks_auth in any file of
  # this chunk, so values passed here are currently ignored.
  type = list(object({
    userarn  = string
    username = string
    groups   = list(string)
  }))
  default = []
}
--------------------------------------------------------------------------------
/modules/sso-rbac/versions.tf:
--------------------------------------------------------------------------------
# No required_version here; the root module pins ~> 1.3.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~>2.23"
    }
  }
}
--------------------------------------------------------------------------------
/modules/weave-scope/examples/README.md:
--------------------------------------------------------------------------------
# examples


## Requirements

No requirements.

## Providers

No providers.

## Modules

| Name | Source | Version |
|------|--------|---------|
| [weave-scope-minimal](#module\_weave-scope-minimal) | ./modules/weave-scope | n/a |
| [weave-scope-with-ingress](#module\_weave-scope-with-ingress) | ./modules/weave-scope | n/a |

## Resources

No resources.

## Inputs

No inputs.

## Outputs

No outputs.
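--------------------------------------------------------------------------------
/modules/weave-scope/examples/minimal.tf:
--------------------------------------------------------------------------------
# Smallest deployment: every input at its default.
# These examples live in modules/weave-scope/examples/, so the module is one
# directory up — the path service-nodeport.tf already used. The previous
# "./modules/weave-scope" would resolve to
# modules/weave-scope/examples/modules/weave-scope, which does not appear in
# the repository tree.
module "weave-scope-minimal" {
  source = "../"
}
--------------------------------------------------------------------------------
/modules/weave-scope/examples/service-nodeport.tf:
--------------------------------------------------------------------------------
# Expose the Scope UI through a NodePort Service instead of an Ingress.
# Renamed from "weave-scope-with-ingress": with-ingress.tf declares a module with
# that label in the same directory, and Terraform rejects duplicate module
# labels.
module "weave-scope-nodeport" {
  source = "../"

  service_type = "NodePort"
}
--------------------------------------------------------------------------------
/modules/weave-scope/examples/with-ingress.tf:
--------------------------------------------------------------------------------
# Expose the Scope UI through an Ingress.
# NOTE(review): nothing in values.yaml.tpl puts authentication in front of the
# UI; add an auth layer (for example through the ingress annotations) before
# pointing a real hostname at it.
module "weave-scope-with-ingress" {
  source = "../"

  ingress_class = "nginx"
  ingress_host  = "www.weave-scope.com"
  ingress_name  = "weave-ingress"
}
--------------------------------------------------------------------------------
/modules/weave-scope/resources/values.yaml.tpl:
--------------------------------------------------------------------------------
# Helm values for the weave-scope chart, rendered by Terraform's templatefile().
# Template variables: service_type, ingress_name, ingress_host, ingress_class,
# config (map of ingress annotations), read_only.
# NOTE(review): the nesting below was reconstructed from a flattened listing —
# verify it against the chart's values.yaml.
global:
  image:
    repository: weaveworks/scope
    tag: 1.10.1
    pullPolicy: "IfNotPresent"
  service:
    port: 80
    type: ${service_type}
weave-scope-frontend:
  enabled: true

  ingress:
    # Was the bare word `enabled` (the string "enabled"); any non-empty string
    # is truthy to the chart's `if`, so the Ingress was always created. A real
    # boolean says the same thing explicitly. There is no template variable for
    # toggling it, so it stays unconditionally on.
    enabled: true
    name: ${ingress_name}
    host: ${ingress_host}
    path: "/"
    className: ${ingress_class}
    extraPaths: ""
    # Arbitrary annotations (TLS, auth-request, ...). The directives strip only
    # the whitespace *before* them: the old `%{~ for ... ~}` / `%{~ endfor ~}`
    # form also stripped the newline and indent after each directive, so with a
    # non-empty `config` the output collapsed to `annotations:"k": "v""k2": ...`
    # on one line, which is not valid YAML. Values are quoted but not escaped;
    # keep annotation values free of double quotes.
    annotations:
      %{~ for config_key, config_value in config }
      "${config_key}": "${config_value}"
      %{~ endfor }

    service:
      serviceName: weave-weave-scope
      servicePort: 80
      externalPort: 8080

weave-scope-agent:
  enabled: true
  dockerBridge: "docker0"
  scopeFrontendAddr: ""
  # NOTE(review): empty probe token — the agent-to-frontend link runs without a
  # shared secret unless the chart injects one; confirm.
  probeToken: ""
rbac:
  create: true
  readOnly: ${read_only}
serviceAccount:
  create: true
--------------------------------------------------------------------------------
/modules/weave-scope/versions.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    # Legacy shorthand (constraint only, no source); Terraform resolves it to
    # hashicorp/helm.
    helm = ">= 2.0"
  }
}
--------------------------------------------------------------------------------
/nginx-ingress-controller.tf:
--------------------------------------------------------------------------------
# Optional nginx ingress controller, gated on the root `create` switch and on
# nginx_ingress_controller_config.enabled.
module "nginx-ingress-controller" {
  source = "./modules/nginx-ingress-controller/"

  count = var.create && var.nginx_ingress_controller_config.enabled ? 1 : 0

  name             = var.nginx_ingress_controller_config.name
  create_namespace = var.nginx_ingress_controller_config.create_namespace
  namespace        = var.nginx_ingress_controller_config.namespace
  replicacount     = var.nginx_ingress_controller_config.replicacount
  metrics_enabled  = var.nginx_ingress_controller_config.metrics_enabled
  configs          = var.nginx_ingress_controller_config.configs

  # Ordered after the ALB controller — presumably because the nginx Service is
  # fronted by an ALB; confirm.
  depends_on = [module.alb-ingress-controller]
}
--------------------------------------------------------------------------------
/node-problem-detector.tf:
--------------------------------------------------------------------------------
# Optional node-problem-detector.
# NOTE(review): unlike olm.tf and nginx-ingress-controller.tf this count is not
# also gated on var.create; left as-is here so this edit does not change what a
# `create = false` root deployment produces.
module "node-problem-detector" {
  source = "./modules/node-problem-detector"

  count = var.enable_node_problem_detector ? 1 : 0

  depends_on = [module.eks-core-components]
}
--------------------------------------------------------------------------------
/olm.tf:
--------------------------------------------------------------------------------
# Optional Operator Lifecycle Manager, gated on `create` and `enable_olm`.
module "olm" {
  source = "./modules/olm"

  count = var.create && var.enable_olm ? 1 : 0

  depends_on = [module.eks-core-components]
}
--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
{
  "name": "app",
  "devDependencies": {
    "@commitlint/cli": "^17.0.3",
    "@commitlint/config-conventional": "^17.0.3",
    "husky": "^8.0.1",
    "@semantic-release/github": "^8.0.4",
    "semantic-release": "^19.0.3"
  },
  "release": {
    "branches": [
      "main", "master", "next"
    ]
  },
  "private": true,
  "plugins": [
    "@semantic-release/commit-analyzer",
    "@semantic-release/release-notes-generator",
    "@semantic-release/github",
    "@semantic-release/npm"
  ]
}
--------------------------------------------------------------------------------
/pre-commit.yaml:
--------------------------------------------------------------------------------
# NOTE(review): this copy sits at the repository root while the tree also has
# .github/workflows/pre-commit.yaml; GitHub only runs workflows under
# .github/workflows, so this file may be dead.
on:
  pull_request:
  push:
    branches: [main, test*]

# NOTE(review): no `permissions:` block, so the job token receives the
# repository's default scope. Add `permissions: { contents: read }` (plus
# whatever the reusable action genuinely needs — not confirmed from this file)
# and pin the third-party actions below to full commit SHAs instead of mutable
# tags; actions/checkout@v2 and setup-python@v3 are also older majors.
jobs:
  main:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v3
      - name: self test action
        uses: dasmeta/reusable-actions-workflows/pre-commit@0.0.6
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
--------------------------------------------------------------------------------
/priority-class.tf:
--------------------------------------------------------------------------------
# Always-on priority classes.
# NOTE(review): the only root-level module here without a count guard; adding
# one would change the module address ([0]) and force a state move, so it is
# left unguarded.
module "priority_class" {
  source = "./modules/priority-class/"

  additional_priority_classes = var.additional_priority_classes

  depends_on = [module.eks-core-components]
}
--------------------------------------------------------------------------------
/providers.tf:
--------------------------------------------------------------------------------
# All three providers talk to the cluster created by module.eks-cluster using
# its endpoint, CA and a short-lived token. When that module has count 0 every
# try() falls back to null.
# NOTE(review): with host/token null the kubernetes and helm providers fall
# back to their ambient configuration (e.g. KUBE_CONFIG_PATH), so a
# `create = false` run could address whatever cluster the operator's
# environment points at — confirm that is acceptable. The kubectl provider
# disables that fallback explicitly.
provider "kubernetes" {
  host                   = try(module.eks-cluster[0].host, null)
  cluster_ca_certificate = try(module.eks-cluster[0].certificate, null)
  token                  = try(module.eks-cluster[0].token, null)
  # load_config_file = false   # not an argument of the 2.x kubernetes provider
}

provider "kubectl" {
  host                   = try(module.eks-cluster[0].host, null)
  cluster_ca_certificate = try(module.eks-cluster[0].certificate, null)
  token                  = try(module.eks-cluster[0].token, null)
  load_config_file       = false
}

provider "helm" {
  kubernetes {
    host                   = try(module.eks-cluster[0].host, null)
    cluster_ca_certificate = try(module.eks-cluster[0].certificate, null)
    token                  = try(module.eks-cluster[0].token, null)
  }
}
--------------------------------------------------------------------------------
/versions.tf:
--------------------------------------------------------------------------------
# The kubernetes provider used in providers.tf is not listed here, so it
# resolves implicitly to hashicorp/kubernetes with no version constraint at
# this level (modules/sso-rbac pins ~>2.23 for itself).
terraform {
  required_version = "~> 1.3"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.31, < 6.0.0"
    }

    helm = {
      source  = "hashicorp/helm"
      version = ">= 2.4.1"
    }

    kubectl = {
      source  = "gavinbunney/kubectl"
      version = "~>1.14"
    }
  }
}
--------------------------------------------------------------------------------
/wave-scope-dashboard.tf:
--------------------------------------------------------------------------------
# Optional Weave Scope dashboard (file name says "wave", module says "weave").
# `read_only` is not passed, so the module's own default decides whether the
# agent RBAC is read-only — the UI can otherwise act on workloads.
module "weave-scope" {
  count = var.weave_scope_enabled ? 1 : 0

  source = "./modules/weave-scope"

  namespace        = var.weave_scope_config.namespace
  create_namespace = var.weave_scope_config.create_namespace
  release_name     = var.weave_scope_config.weave_helm_release_name
  ingress_class    = var.weave_scope_config.ingress_class
  ingress_host     = var.weave_scope_config.ingress_host
  ingress_name     = var.weave_scope_config.ingress_name
  annotations      = var.weave_scope_config.annotations
  service_type     = var.weave_scope_config.service_type

  depends_on = [module.eks-core-components]
}
--------------------------------------------------------------------------------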