├── .gitignore ├── LICENSE.md ├── README.md ├── scripts └── terraform │ ├── ack_controller_install.sh │ ├── cleanup.sh │ ├── cluster.tf │ ├── outputs.tf │ ├── provider.tf │ ├── vars.tf │ └── vpc.tf └── service-controllers ├── cloudtrail ├── README.md └── v1alpha1 │ └── trail.yaml ├── dynamodb ├── README.md └── v1alpha1 │ ├── backup.yaml │ ├── globaltable.yaml │ └── table.yaml ├── ec2 ├── README.md └── v1alpha1 │ ├── dhcpoptions.yaml │ ├── elasticipaddress.yaml │ ├── instance.yaml │ ├── internetgateway.yaml │ ├── natgateway.yaml │ ├── routetable.yaml │ ├── securitygroup.yaml │ ├── subnet.yaml │ ├── transitgateway.yaml │ ├── vpc.yaml │ └── vpcendpoint.yaml ├── ecr ├── README.md └── v1alpha1 │ ├── repository-with-image-scanning.yaml │ ├── repository-with-image-tag-mutability.yaml │ ├── repository-with-lifecycle-rule.yaml │ └── repository.yaml ├── eks ├── README.md └── v1alpha1 │ ├── addon.yaml │ ├── cluster.yaml │ ├── fargateprofile.yaml │ └── nodegroup.yaml ├── emrcontainers ├── README.md └── v1alpha1 │ └── virtualcluster.yaml ├── iam ├── README.md └── v1alpha1 │ ├── policy.yaml │ └── role.yaml ├── kms ├── README.md └── v1alpha1 │ ├── alias.yaml │ ├── customkeystore.yaml │ └── key.yaml ├── memorydb ├── README.md └── v1alpha1 │ ├── acl.yaml │ ├── cluster.yaml │ ├── parametergroup.yaml │ ├── snapshot.yaml │ ├── subnetgroup.yaml │ └── user.yaml ├── rds ├── README.md └── v1alpha1 │ ├── dbcluster.yaml │ ├── dbclusterparametergroup.yaml │ ├── dbinstance.yaml │ ├── dbparametergroup.yaml │ └── dbsubnetgroup.yaml ├── s3 ├── README.md └── v1alpha1 │ ├── bucket-with-encryption.yaml │ ├── bucket-with-lifecycle-rule.yaml │ ├── bucket-with-tags.yaml │ ├── bucket-with-versioning.yaml │ └── bucket.yaml └── sns ├── README.md └── v1alpha1 ├── platformapplication.yaml ├── platformendpoint.yaml └── topic.yaml /.gitignore: -------------------------------------------------------------------------------- 1 | # Local .terraform directories 2 | **/.terraform/* 3 | scripts/terraform/.* 4 | 5 
| terraform-files/.terraform* 6 | # .tfstate files 7 | *.tfstate 8 | *.tfstate.* 9 | 10 | # Crash log files 11 | crash.log 12 | 13 | # Ignore any .tfvars files that are generated automatically for each Terraform run. Most 14 | # .tfvars files are managed as part of configuration and so should be included in 15 | # version control. 16 | # 17 | # example.tfvars 18 | 19 | # Ignore override files as they are usually used to override resources locally and so 20 | # are not checked in 21 | override.tf 22 | override.tf.json 23 | *_override.tf 24 | *_override.tf.json 25 | 26 | # Include override files you do wish to add to version control using negated pattern 27 | # 28 | # !example_override.tf 29 | 30 | # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan 31 | # example: *tfplan* 32 | 33 | .DS_Store 34 | trust.json -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 Emin Alemdar 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # AWS Controllers for Kubernetes (ACK) examples 2 | 3 | This repository consists of examples for the AWS Controllers for Kubernetes [(ACK)](https://aws-controllers-k8s.github.io/community/). ACK lets you create AWS resources from your Kubernetes cluster with simple Kubernetes YAML files. 4 | 5 | ## Prerequisites 6 | 7 | - A Kubernetes Cluster 8 | 9 | - AWS IAM Permissions for creating and attaching IAM Roles 10 | 11 | - Installation of required tools: 12 | 13 | - [AWS CLI](https://aws.amazon.com/cli/) 14 | 15 | - [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl) 16 | 17 | - [Helm](https://helm.sh/docs/intro/install/) 18 | 19 | - [Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli#install-terraform) 20 | 21 | - [eksctl](https://docs.aws.amazon.com/eks/latest/userguide/eksctl.html) 22 | 23 | If you don't have a Kubernetes cluster, you can create an EKS cluster with Terraform using the [example code](./scripts/terraform/) within this repository. 24 | 25 | ## Terraform Codes 26 | 27 | The Terraform code in this repository uses [Amazon EKS Blueprints for Terraform](https://aws-ia.github.io/terraform-aws-eks-blueprints/main/). 28 | 29 | The Terraform code in this repository creates the following resources: 30 | 31 | - VPC with 6 subnets (3 Private, 3 Public) 32 | 33 | - EKS Cluster with Kubernetes version set to 1.22 34 | 35 | - EKS Managed Node group 36 | 37 | > You can update the Terraform code according to your requirements and environment. 
38 | 39 | ### Installation of EKS Cluster 40 | 41 | ```shell 42 | terraform init 43 | terraform plan 44 | terraform apply --auto-approve 45 | ``` 46 | 47 | > PS: 48 | > 49 | > - These resources are not Free Tier eligible. 50 | > - You need to configure AWS Authentication for Terraform with either [Environment Variables](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html#envvars-set) or AWS CLI [named profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html#cli-configure-profiles-create). 51 | 52 | You can connect to your cluster using this command: 53 | 54 | ```bash 55 | aws eks --region <region> update-kubeconfig --name <cluster_name> 56 | ``` 57 | 58 | > You need to change the `region` and `cluster_name` parameters. 59 | 60 | ### Installation of a Service Controller 61 | 62 | When you want to install a Service Controller and configure IAM Permissions you can run `./ack_controller_install.sh <service_name>` and change the *service_name* accordingly. 63 | 64 | The [script](./scripts/terraform/ack_controller_install.sh) has two functions called install and permissions. 65 | 66 | - The install function downloads the required Helm Chart from the official AWS Registry and installs it on the Kubernetes cluster. 67 | 68 | - The permissions function creates an OIDC identity provider for the Kubernetes cluster and creates IAM Roles for the Service Accounts of the Service Controllers. 69 | 70 | ### Cleanup 71 | 72 | When you want to delete all the resources created in this repository, you can run the `./cleanup.sh <service_name>` script in the root directory of this repository and change the *service_name* accordingly. 
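The [script](./scripts/terraform/cleanup.sh) has one function and does the following:

- Uninstalls the Helm Chart for Service Controller

- Deletes the CRDs created for Service Controller

- Deletes the OIDC Provider of EKS Cluster

- Deletes the EKS Cluster created with Terraform

-------------------------------------------------------------------------------- /scripts/terraform/ack_controller_install.sh: --------------------------------------------------------------------------------
#!/bin/bash
: '
The following script has two functions with different actions

Install function downloads the required Helm Chart
for the Service Controller and installs it
on the Kubernetes cluster.
Permissions function creates required IRSA config
and configures required IAM Permissions for the
Service Controller and connects those to the
service account.

Usage: ./ack_controller_install.sh <service_name>   (e.g. s3, ec2, iam)
'
# Fail fast: an unset variable or a failed command (including one inside a
# pipeline) must not let the script carry on and leave half-configured IAM
# state behind, which is what the unchecked version did.
set -euo pipefail

declare SERVICE="${1:-}"
declare AWS_REGION="eu-west-1"
declare ACK_SYSTEM_NAMESPACE="ack-system"
# Must match the `cluster_name` default in vars.tf.
declare EKS_CLUSTER_NAME="eks-cluster-for-ack"

if [ -z "$SERVICE" ]; then
    echo "usage: $0 <service_name>   (e.g. s3, ec2, iam)" >&2
    exit 1
fi

# Installs the ACK controller Helm chart for $SERVICE into $ACK_SYSTEM_NAMESPACE.
install(){

    echo "===================================================="
    echo "Creating required Environment Variables."
    echo "===================================================="

    # Latest controller release tag (e.g. v1.2.3). The chart is published under
    # the same number without the leading "v", so it is stripped below and the
    # install is pinned to it; previously the value was computed but never used.
    # declare -i HELM_EXPERIMENTAL_OCI=1 # Only required for Helm below v3.8.0
    local RELEASE_VERSION
    RELEASE_VERSION=$(curl -fsSL "https://api.github.com/repos/aws-controllers-k8s/${SERVICE}-controller/releases/latest" | grep '"tag_name":' | cut -d'"' -f4 || true)
    if [ -z "$RELEASE_VERSION" ]; then
        echo "Could not determine the latest release of ${SERVICE}-controller (unknown service name, or the GitHub API is unavailable)." >&2
        return 1
    fi
    local CHART_VERSION="${RELEASE_VERSION#v}"
    local CHART_REPO="public.ecr.aws/aws-controllers-k8s/${SERVICE}-chart"

    echo "===================================================="
    echo "Installing the Service Controller Helm Chart ${CHART_VERSION}."
    echo "===================================================="

    # Log into the ECR Public OCI repository. The ecr-public API lives in
    # us-east-1 regardless of the region the controller will manage.
    aws ecr-public get-login-password --region us-east-1 | helm registry login --username AWS --password-stdin public.ecr.aws

    # Pulling the Helm Chart from the official AWS registry and installing it,
    # pinned to the release looked up above so re-runs are reproducible.
    helm install --create-namespace --namespace "$ACK_SYSTEM_NAMESPACE" "ack-${SERVICE}-controller" \
      --version "$CHART_VERSION" \
      --set aws.region="$AWS_REGION" "oci://${CHART_REPO}"
}

#####################################################################################################################
#####################################################################################################################

# Creates the IRSA role for the controller, attaches the project's recommended
# IAM policy to it and binds it to the controller's service account.
permissions(){

    echo "===================================================="
    echo "Creating IRSA for EKS Cluster"
    echo "===================================================="

    ###########################################################
    # You can skip this step if you have already configured  #
    # IRSA for your Kubernetes Cluster.                       #
    ###########################################################

    eksctl utils associate-iam-oidc-provider --cluster "${EKS_CLUSTER_NAME}" --region "${AWS_REGION}" --approve

    echo "===================================================="
    echo "Creating Required IAM Role and Policy"
    echo "===================================================="

    # Setting the required parameters for the OIDC Provider.
    local AWS_ACCOUNT_ID OIDC_PROVIDER
    AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
    OIDC_PROVIDER=$(aws eks describe-cluster --name "${EKS_CLUSTER_NAME}" --region "${AWS_REGION}" --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")

    local ACK_K8S_SERVICE_ACCOUNT_NAME="ack-${SERVICE}-controller"

    # Creating the IAM Trust Policy.
    # NOTE(review): the heredoc body did not survive the rendered copy of this
    # file; this is the standard IRSA trust document. The `sub` condition limits
    # the role to this one service account (namespace + name) and the `aud`
    # condition to tokens minted for STS, so no other pod in the cluster can
    # assume it.
    cat > trust.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${OIDC_PROVIDER}:sub": "system:serviceaccount:${ACK_SYSTEM_NAMESPACE}:${ACK_K8S_SERVICE_ACCOUNT_NAME}",
          "${OIDC_PROVIDER}:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
EOF

    # Setting the required Environment Variables for IRSA (IAM Roles for Service Accounts).
    local ACK_CONTROLLER_IAM_ROLE="ack-${SERVICE}-controller"
    # Double quotes so ${SERVICE} expands; the single-quoted original stored the
    # literal text "$SERVICE" in the role description.
    local ACK_CONTROLLER_IAM_ROLE_DESCRIPTION="IRSA role for ACK ${SERVICE} controller deployment on EKS cluster using Helm charts"

    # Re-runs: reuse an existing role instead of failing on create-role, but
    # refresh its trust policy so it points at the current cluster's provider.
    if aws iam get-role --role-name "${ACK_CONTROLLER_IAM_ROLE}" >/dev/null 2>&1; then
        echo "Role ${ACK_CONTROLLER_IAM_ROLE} already exists, updating its trust policy."
        aws iam update-assume-role-policy --role-name "${ACK_CONTROLLER_IAM_ROLE}" --policy-document file://trust.json
    else
        aws iam create-role --role-name "${ACK_CONTROLLER_IAM_ROLE}" --assume-role-policy-document file://trust.json --description "${ACK_CONTROLLER_IAM_ROLE_DESCRIPTION}"
    fi
    local ACK_CONTROLLER_IAM_ROLE_ARN
    ACK_CONTROLLER_IAM_ROLE_ARN=$(aws iam get-role --role-name "${ACK_CONTROLLER_IAM_ROLE}" --query Role.Arn --output text)

    echo "===================================================="
    echo "Attaching the policy to the IAM Role"
    echo "===================================================="

    # The controller project publishes the IAM permissions it needs as a list
    # of managed-policy ARNs and/or an inline policy document, fetched here
    # from the controller's main branch. Whatever those files contain is what
    # gets granted to the role, so each grant is printed before it is applied
    # and anything that does not look like an IAM policy ARN is refused.
    local BASE_URL="https://raw.githubusercontent.com/aws-controllers-k8s/${SERVICE}-controller/main"
    local POLICY_ARN_URL="${BASE_URL}/config/iam/recommended-policy-arn"
    local INLINE_POLICY_URL="${BASE_URL}/config/iam/recommended-inline-policy"
    # Not every controller ships both files; a 404 is treated as "none".
    local POLICY_ARN_STRINGS INLINE_POLICY
    POLICY_ARN_STRINGS="$(curl -fsSL "${POLICY_ARN_URL}" || true)"
    INLINE_POLICY="$(curl -fsSL "${INLINE_POLICY_URL}" || true)"

    if [ -z "${POLICY_ARN_STRINGS}" ] && [ -z "${INLINE_POLICY}" ]; then
        echo "No recommended IAM policy found for ${SERVICE}-controller (network problem or wrong service name); the role would have no permissions." >&2
        return 1
    fi

    # Attaching the managed policies to the IAM Role (one ARN per line; blank lines skipped).
    local POLICY_ARN
    while IFS= read -r POLICY_ARN; do
        [ -z "${POLICY_ARN}" ] && continue
        case "${POLICY_ARN}" in
            arn:aws:iam::*:policy/*) ;;
            *) echo "Refusing unexpected policy reference: ${POLICY_ARN}" >&2; return 1 ;;
        esac
        echo -n "Attaching ${POLICY_ARN} ... "
        aws iam attach-role-policy \
            --role-name "${ACK_CONTROLLER_IAM_ROLE}" \
            --policy-arn "${POLICY_ARN}"
        echo "ok."
    done <<< "$POLICY_ARN_STRINGS"

    if [ -n "${INLINE_POLICY}" ]; then
        echo -n "Putting inline policy ... "
        aws iam put-role-policy \
            --role-name "${ACK_CONTROLLER_IAM_ROLE}" \
            --policy-name "ack-recommended-policy" \
            --policy-document "${INLINE_POLICY}"
        echo "ok."
    fi

    echo "===================================================="
    echo "Associating the Role with the Service Account"
    echo "===================================================="

    # Updating the Kubernetes Service Account with the new IAM Role
    # (--overwrite so a re-run after a role change does not fail).
    local IRSA_ROLE_ARN="eks.amazonaws.com/role-arn=${ACK_CONTROLLER_IAM_ROLE_ARN}"
    kubectl annotate serviceaccount -n "${ACK_SYSTEM_NAMESPACE}" "${ACK_K8S_SERVICE_ACCOUNT_NAME}" "${IRSA_ROLE_ARN}" --overwrite

    # Restart the controller so its pod picks up the projected web-identity
    # token. The deployment is matched on the full release name rather than a
    # bare substring of the service name, and the lookup is checked so an
    # empty match does not turn into a "rollout restart" of nothing.
    local ACK_DEPLOYMENT_NAME
    ACK_DEPLOYMENT_NAME=$(kubectl get deployments -n "${ACK_SYSTEM_NAMESPACE}" --no-headers -o custom-columns=NAME:.metadata.name | grep "ack-${SERVICE}-controller" | head -n 1 || true)
    if [ -z "${ACK_DEPLOYMENT_NAME}" ]; then
        echo "No deployment for ack-${SERVICE}-controller found in ${ACK_SYSTEM_NAMESPACE}; did the Helm install succeed?" >&2
        return 1
    fi
    kubectl -n "${ACK_SYSTEM_NAMESPACE}" rollout restart deployment "$ACK_DEPLOYMENT_NAME"
}

install "$SERVICE"
permissions "$SERVICE"
-------------------------------------------------------------------------------- /scripts/terraform/cleanup.sh: --------------------------------------------------------------------------------
#!/bin/bash
: '
The following script cleans up the resources created in
this repository gracefully: the Service Controller Helm
release and its CRDs, the IRSA role created by
ack_controller_install.sh, the ack-system namespace, the
cluster OIDC provider and finally the Terraform-managed
EKS cluster.

Usage: ./cleanup.sh <service_name>
'
set -euo pipefail

declare SERVICE="${1:-}"
declare AWS_REGION="eu-west-1"
declare ACK_SYSTEM_NAMESPACE="ack-system"
# Must match the `cluster_name` default in vars.tf.
declare EKS_CLUSTER_NAME="eks-cluster-for-ack"

if [ -z "$SERVICE" ]; then
    echo "usage: $0 <service_name>   (e.g. s3, ec2, iam)" >&2
    exit 1
fi

# Tears down everything the install script and the Terraform code created.
cleanup(){

    echo "===================================================="
    echo "Creating required Environment Variables."
    echo "===================================================="

    local ACCOUNT_ID OIDCURL
    ACCOUNT_ID=$(aws sts get-caller-identity --output text --query 'Account')
    OIDCURL=$(aws eks describe-cluster --name "${EKS_CLUSTER_NAME}" --region "${AWS_REGION}" --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
    # Same naming as ack_controller_install.sh.
    local ACK_CONTROLLER_IAM_ROLE="ack-${SERVICE}-controller"

    echo "===================================================="
    echo "Uninstalling the ACK Service Controller."
    echo "===================================================="

    helm uninstall -n "$ACK_SYSTEM_NAMESPACE" "ack-${SERVICE}-controller"

    echo "===================================================="
    echo "Deleting the CRDs for Service Controllers."
    echo "===================================================="

    # Helm does not remove CRDs on uninstall. The install script installs the
    # chart straight from the OCI registry, so there is no exported chart
    # directory to delete from (the old /tmp/chart path never existed); the
    # CRDs are selected by API group instead, which for every ACK controller
    # is <service>.services.k8s.aws.
    kubectl get crd -o name | { grep "\.${SERVICE}\.services\.k8s\.aws$" || true; } | xargs -r kubectl delete

    echo "===================================================="
    echo "Deleting the IAM Role created for the Service Controller."
    echo "===================================================="

    # The install script leaves a role with the controller's full permission
    # set behind; remove it. Managed policies must be detached and the inline
    # policy dropped first, because IAM refuses to delete a role that still
    # has policies. A missing role/policy is tolerated so a partially failed
    # install can still be cleaned up.
    if aws iam get-role --role-name "${ACK_CONTROLLER_IAM_ROLE}" >/dev/null 2>&1; then
        local POLICY_ARN
        for POLICY_ARN in $(aws iam list-attached-role-policies --role-name "${ACK_CONTROLLER_IAM_ROLE}" --query 'AttachedPolicies[].PolicyArn' --output text); do
            aws iam detach-role-policy --role-name "${ACK_CONTROLLER_IAM_ROLE}" --policy-arn "${POLICY_ARN}"
        done
        aws iam delete-role-policy --role-name "${ACK_CONTROLLER_IAM_ROLE}" --policy-name "ack-recommended-policy" 2>/dev/null || true
        aws iam delete-role --role-name "${ACK_CONTROLLER_IAM_ROLE}"
    fi

    echo "===================================================="
    echo "Deleting the Kubernetes Namespace."
    echo "===================================================="

    # NOTE: this removes every ACK controller installed in the namespace, not
    # only the one named on the command line.
    kubectl delete namespace "$ACK_SYSTEM_NAMESPACE"

    echo "===================================================="
    echo "Deleting the OIDC Provider."
    echo "===================================================="

    aws iam delete-open-id-connect-provider --open-id-connect-provider-arn "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${OIDCURL}"

    echo "===================================================="
    echo "Deleting the EKS Cluster."
    echo "===================================================="

    # The Terraform configuration and state live next to this script, so
    # destroy from there regardless of where the script was started.
    terraform -chdir="$(dirname "$0")" destroy --auto-approve
}

cleanup "$SERVICE"
-------------------------------------------------------------------------------- /scripts/terraform/cluster.tf: --------------------------------------------------------------------------------
module "eks_cluster" {
  source = "github.com/aws-ia/terraform-aws-eks-blueprints?ref=v4.32.1"

  cluster_name    = var.cluster_name
  cluster_version = var.cluster_version

  vpc_id             = module.vpc.vpc_id
  private_subnet_ids = module.vpc.private_subnets

  node_security_group_additional_rules = {
    # Extend node-to-node security group rules.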
# Recommended and required for the Add-ons
    ingress_self_all = {
      description = "Node to node all ports/protocols"
      protocol    = "-1"
      from_port   = 0
      to_port     = 0
      type        = "ingress"
      self        = true
    }

    # Recommended outbound traffic for Node groups
    # Unrestricted egress (IPv4 and IPv6). Nodes need to reach public.ecr.aws
    # for the controller images and the AWS APIs; outside of an example this
    # is the rule to narrow (specific destinations or VPC endpoints).
    egress_all = {
      description      = "Node all egress"
      protocol         = "-1"
      from_port        = 0
      to_port          = 0
      type             = "egress"
      cidr_blocks      = ["0.0.0.0/0"]
      ipv6_cidr_blocks = ["::/0"]
    }
    # Allows Control Plane Nodes to talk to Worker nodes on all ports. Added this to simplify the example and further avoid issues with Add-ons communication with Control plane.
    # This can be restricted further to specific port based on the requirement for each Add-on e.g., metrics-server 4443, spark-operator 8080, karpenter 8443 etc.
    # Change this according to your security requirements if needed
    ingress_cluster_to_node_all_traffic = {
      description                   = "Cluster API to Nodegroup all traffic"
      protocol                      = "-1"
      from_port                     = 0
      to_port                       = 0
      type                          = "ingress"
      source_cluster_security_group = true
    }
  }

  managed_node_groups = {
    node_group = {
      node_group_name = "managed-ondemand"
      instance_types  = ["t3.large"]
      subnet_ids      = module.vpc.private_subnets
      # force_update_version: EKS replaces nodes on a version change even when
      # pods cannot be drained within the grace period (PDBs are overridden).
      force_update_version = true
      # A single node: there is no spare capacity while a node is replaced.
      min_size     = 1
      max_size     = 1
      desired_size = 1
    }
  }

  tags = {
    Name = var.cluster_name
  }
}

# vpc-cni floats to the newest add-on version compatible with the cluster
# version, so a later plan can propose an upgrade without any change here.
data "aws_eks_addon_version" "latest" {
  for_each = toset(["vpc-cni"])

  addon_name         = each.value
  kubernetes_version = module.eks_cluster.eks_cluster_version
  most_recent        = true
}

# kube-proxy stays on the EKS default version for the cluster version.
data "aws_eks_addon_version" "default" {
  for_each = toset(["kube-proxy"])

  addon_name         = each.value
  kubernetes_version = module.eks_cluster.eks_cluster_version
  most_recent        = false
}


module "eks_kubernetes_addons" {
  source = "github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons?ref=v4.32.1"

  eks_cluster_id               = module.eks_cluster.eks_cluster_id
  eks_cluster_endpoint         = module.eks_cluster.eks_cluster_endpoint
  eks_cluster_version          = module.eks_cluster.eks_cluster_version
  eks_oidc_provider            = module.eks_cluster.oidc_provider
  eks_worker_security_group_id = module.eks_cluster.worker_node_security_group_id
  auto_scaling_group_names     = module.eks_cluster.self_managed_node_group_autoscaling_groups

  # EKS Addons
  # resolve_conflicts = "OVERWRITE": any manual edits to the add-on's
  # configuration on the cluster are replaced on create/update.
  enable_amazon_eks_vpc_cni = true
  amazon_eks_vpc_cni_config = {
    addon_version     = data.aws_eks_addon_version.latest["vpc-cni"].version
    resolve_conflicts = "OVERWRITE"
  }

  enable_amazon_eks_kube_proxy = true
  amazon_eks_kube_proxy_config = {
    addon_version     = data.aws_eks_addon_version.default["kube-proxy"].version
    resolve_conflicts = "OVERWRITE"
  }

  tags = {
    Name = var.cluster_name
  }

}
-------------------------------------------------------------------------------- /scripts/terraform/outputs.tf: --------------------------------------------------------------------------------
################################################################################
# Cluster Data
################################################################################

output "cluster_id" {
  description = "eks_cluster cluster ID."
  value       = module.eks_cluster.eks_cluster_id
}

output "cluster_endpoint" {
  description = "Endpoint for eks_cluster control plane."
  value       = module.eks_cluster.eks_cluster_endpoint
}
-------------------------------------------------------------------------------- /scripts/terraform/provider.tf: --------------------------------------------------------------------------------
# Providers are pinned to exact versions so `terraform init` is reproducible.
# NOTE(review): there is no `required_version` constraint; the hashicorp/aws
# 5.x provider needs Terraform 1.0 or newer -- confirm before adding one.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.1.0"
    }
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "2.21.1"
    }
    helm = {
      source  = "hashicorp/helm"
      version = "2.10.1"
    }
  }
}

provider "aws" {
  region = var.region
}

# Cluster credentials are obtained per run through the AWS CLI's exec plugin
# (short-lived `aws eks get-token` tokens) rather than written into the
# configuration; the same identity that ran `terraform apply` is used.
provider "kubernetes" {
  host                   = module.eks_cluster.eks_cluster_endpoint
  cluster_ca_certificate = base64decode(module.eks_cluster.eks_cluster_certificate_authority_data)

  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    # This requires the awscli to be installed locally where Terraform is executed
    args = ["eks", "get-token", "--cluster-name", module.eks_cluster.eks_cluster_id]
  }
}

provider "helm" {
  kubernetes {
    host                   = module.eks_cluster.eks_cluster_endpoint
    cluster_ca_certificate = base64decode(module.eks_cluster.eks_cluster_certificate_authority_data)

    exec {
      api_version = "client.authentication.k8s.io/v1beta1"
      command     = "aws"
      # This requires the awscli to be installed locally where Terraform is executed
      args = ["eks", "get-token", "--cluster-name", module.eks_cluster.eks_cluster_id]
    }
  }
}
-------------------------------------------------------------------------------- /scripts/terraform/vars.tf: --------------------------------------------------------------------------------
# The shell scripts in this directory hard-code the same region and cluster
# name (AWS_REGION / EKS_CLUSTER_NAME); change them together with these defaults.
variable "region" {
  default     = "eu-west-1"
  description = "AWS region"
}

variable "cluster_name" {
  default = "eks-cluster-for-ack"
}

# NOTE(review): the top-level README still states version 1.22.
variable "cluster_version" {
  default     = "1.26"
  description = "Kubernetes version of the EKS Cluster"
}

variable "vpc_name" {
  default = "eks-vpc"
}

variable "vpc_cidr" {
  default = "10.0.0.0/16"
}

# Three private and three public /24s, one per AZ of var.region (see vpc.tf).
variable "private_subnets" {
  description = "List of private subnets"
  type        = list(string)
  default     = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
}

variable "public_subnets" {
  description = "List of public subnets"
  type        = list(string)
  default     = ["10.0.3.0/24", "10.0.4.0/24", "10.0.5.0/24"]
}
-------------------------------------------------------------------------------- /scripts/terraform/vpc.tf: --------------------------------------------------------------------------------
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.0.0"

  name = var.vpc_name
  cidr = var.vpc_cidr

  azs             = ["${var.region}a", "${var.region}b", "${var.region}c"]
  private_subnets = var.private_subnets
  public_subnets  = var.public_subnets

  # One NAT gateway shared by all private subnets: cheaper for an example,
  # but outbound traffic from every AZ depends on that single AZ.
  enable_nat_gateway   = true
  single_nat_gateway   = true
  enable_dns_hostnames = true

  # Cluster tags let EKS/AWS load balancer integrations discover the subnets.
  public_subnet_tags = {
    "kubernetes.io/cluster/${var.cluster_name}" = "shared"
  }

  private_subnet_tags = {
    "kubernetes.io/cluster/${var.cluster_name}" = "shared"
  }

  tags = {
    Name = var.vpc_name
  }
}

-------------------------------------------------------------------------------- /service-controllers/cloudtrail/README.md: --------------------------------------------------------------------------------
# CloudTrail Service Controller Examples

In this folder, you can find general examples for creating CloudTrail Resources from your
Kubernetes cluster with ACK (AWS Controllers for Kubernetes).
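Basic CloudTrail creation:

```yaml
apiVersion: cloudtrail.services.k8s.aws/v1alpha1
kind: Trail
metadata:
  name: $TRAIL_NAME
spec:
  name: $TRAIL_NAME
  s3BucketName: $BUCKET_NAME
  tags:
    - key: $TRAIL_TAG_KEY
      value: $TRAIL_TAG_VALUE
```

## Create the CloudTrail Resource

```bash
kubectl apply -f <file_name> #Change the file name accordingly
```

## Delete the CloudTrail Resource

```bash
kubectl delete trail <trail_name> #Change the Trail name accordingly and also change the resource name accordingly
```

-------------------------------------------------------------------------------- /service-controllers/cloudtrail/v1alpha1/trail.yaml: --------------------------------------------------------------------------------
---
apiVersion: cloudtrail.services.k8s.aws/v1alpha1
kind: Trail
metadata:
  name: $TRAIL_NAME
spec:
  name: $TRAIL_NAME
  # Optional CloudWatch Logs delivery: the role must allow CloudTrail to write
  # to the log group (both are created outside this example).
  cloudWatchLogsLogGroupARN: $CLOUDWATCH_LOG_GROUP_ARN
  cloudWatchLogsRoleARN: $CLOUDWATCH_LOG_ROLE_ARN
  # Multi-region plus global service events gives one trail that covers the
  # whole account, including IAM/STS events, rather than a single region.
  includeGlobalServiceEvents: true
  isMultiRegionTrail: true
  # false: a single-account trail. true is only valid from the organization's
  # management account and then collects every member account.
  isOrganizationTrail: false
  # The bucket needs a bucket policy that lets cloudtrail.amazonaws.com write
  # to it; CloudTrail refuses to create the trail otherwise. Log file
  # validation and a KMS key for the delivered logs are not set here.
  s3BucketName: $S3_BUCKET_NAME
  snsTopicName: $SNS_TOPIC_NAME
  tags:
    - key: $TRAIL_TAG_KEY
      value: $TRAIL_TAG_VALUE
-------------------------------------------------------------------------------- /service-controllers/dynamodb/README.md: --------------------------------------------------------------------------------
# DynamoDB Service Controller Examples

In this folder, you can find general examples for creating DynamoDB Resources from your
Kubernetes cluster with ACK (AWS Controllers for Kubernetes).

Basic DynamoDB Table creation:

```yaml
apiVersion: dynamodb.services.k8s.aws/v1alpha1
kind: Table
metadata:
  name: $TABLE_NAME
spec:
  tableName: $TABLE_NAME
  attributeDefinitions:
    - attributeName: $ATTRIBUTE_NAME
      attributeType: S
  keySchema:
    - attributeName: $ATTRIBUTE_NAME
      keyType: HASH
  localSecondaryIndexes:
    - indexName: LastPostIndex
      keySchema:
        - attributeName: $ATTRIBUTE_NAME
          keyType: HASH
      projection:
        projectionType: KEYS_ONLY
  provisionedThroughput:
    readCapacityUnits: 5
    writeCapacityUnits: 5
  tags:
    - key: $DYNAMODB_TABLE_TAG_KEY
      value: $DYNAMODB_TABLE_TAG_VALUE
```

## Create the DynamoDB Resource

```bash
kubectl apply -f <file_name> #Change the file name accordingly
```

## Delete the DynamoDB Resource

```bash
kubectl delete table <table_name> #Change the table name accordingly and also change the resource name accordingly
```

-------------------------------------------------------------------------------- /service-controllers/dynamodb/v1alpha1/backup.yaml: --------------------------------------------------------------------------------
---
apiVersion: dynamodb.services.k8s.aws/v1alpha1
kind: Backup
metadata:
  name: $BACKUP_NAME
spec:
  backupName: $BACKUP_NAME
  # On-demand backup of an existing table; the table is not managed here.
  tableName: $TABLE_NAME
-------------------------------------------------------------------------------- /service-controllers/dynamodb/v1alpha1/globaltable.yaml: --------------------------------------------------------------------------------
---
apiVersion: dynamodb.services.k8s.aws/v1alpha1
kind: GlobalTable
metadata:
  name: $GLOBAL_TABLE_NAME
spec:
  globalTableName: $GLOBAL_TABLE_NAME
  # NOTE(review): this resource appears to use the 2017 global-table API,
  # which expects a table of the same name, with streams enabled, to already
  # exist in each listed region -- confirm against the controller docs.
  replicationGroup:
    - regionName: $REGION_NAME
-------------------------------------------------------------------------------- /service-controllers/dynamodb/v1alpha1/table.yaml: --------------------------------------------------------------------------------
---
apiVersion: dynamodb.services.k8s.aws/v1alpha1
kind: Table
metadata:
  name: $TABLE_NAME
spec:
  tableName: $TABLE_NAME
  # Every attribute listed here must be used by a key (table or index). The
  # three placeholders are distinct on purpose: the previous template used
  # $ATTRIBUTE_NAME for all of them, which after substitution produced
  # duplicate attribute definitions that DynamoDB rejects.
  attributeDefinitions:
    - attributeName: $HASH_KEY_ATTRIBUTE
      attributeType: S
    - attributeName: $RANGE_KEY_ATTRIBUTE
      attributeType: S
    - attributeName: $LSI_RANGE_KEY_ATTRIBUTE
      attributeType: S
  keySchema:
    - attributeName: $HASH_KEY_ATTRIBUTE
      keyType: HASH
    - attributeName: $RANGE_KEY_ATTRIBUTE
      keyType: RANGE
  # A local secondary index shares the table's partition key and adds its own
  # sort key; it can only be declared when the table is created.
  localSecondaryIndexes:
    - indexName: LastPostIndex
      keySchema:
        - attributeName: $HASH_KEY_ATTRIBUTE
          keyType: HASH
        - attributeName: $LSI_RANGE_KEY_ATTRIBUTE
          keyType: RANGE
      projection:
        projectionType: KEYS_ONLY
  provisionedThroughput:
    readCapacityUnits: 5
    writeCapacityUnits: 5
  # The stream exposes every item change, old and new image, to anything with
  # read access to the stream ARN -- grant that permission deliberately.
  streamSpecification:
    streamEnabled: true
    streamViewType: "NEW_AND_OLD_IMAGES"
  tags:
    - key: $DYNAMODB_TABLE_TAG_KEY
      value: $DYNAMODB_TABLE_TAG_VALUE
-------------------------------------------------------------------------------- /service-controllers/ec2/README.md: --------------------------------------------------------------------------------
# EC2 Service Controller Examples

In this folder, you can find general examples for creating EC2 Resources from your
Kubernetes cluster with ACK (AWS Controllers for Kubernetes).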
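Basic VPC creation:

```yaml
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: VPC
metadata:
  name: $VPC_NAME
spec:
  cidrBlock: $CIDR_BLOCK
```

## Create the EC2 Resource

```bash
kubectl apply -f <file_name> #Change the file name accordingly
```

## Delete the EC2 Resource

```bash
kubectl delete vpc <vpc_name> #Change the VPC name accordingly and also change the resource name accordingly
```

-------------------------------------------------------------------------------- /service-controllers/ec2/v1alpha1/dhcpoptions.yaml: --------------------------------------------------------------------------------
---
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: DHCPOptions
metadata:
  name: $DHCP_OPTIONS_NAME
spec:
  # One key/values pair per DHCP option (e.g. domain-name-servers).
  dhcpConfigurations:
    - key: $DHCP_KEY_1
      values:
        - $DHCP_VAL_1
  tagSpecifications:
    - resourceType: "dhcpoptions"
      tags:
        - key: $DHCP_TAG_KEY
          value: $DHCP_TAG_VALUE
-------------------------------------------------------------------------------- /service-controllers/ec2/v1alpha1/elasticipaddress.yaml: --------------------------------------------------------------------------------
---
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: ElasticIPAddress
metadata:
  name: $ADDRESS_NAME
spec:
  # Allocates a public IPv4 address; its allocation ID is what natgateway.yaml
  # consumes. Unattached addresses are billed.
  tagSpecifications:
    - resourceType: "elasticipaddress"
      tags:
        - key: $EIP_TAG_KEY
          value: $EIP_TAG_VALUE
-------------------------------------------------------------------------------- /service-controllers/ec2/v1alpha1/instance.yaml: --------------------------------------------------------------------------------
---
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: Instance
metadata:
  name: $INSTANCE_NAME
spec:
  imageID: $INSTANCE_AMI_ID
  instanceType: $INSTANCE_TYPE
  subnetID: $INSTANCE_SUBNET_ID
  securityGroupIDs:
    - $SECURITY_GROUP_ID
  # false = basic 5-minute CloudWatch metrics; detailed monitoring is billed,
  # which is why the example leaves it off.
  monitoring:
    enabled: false
  blockDeviceMappings:
    - deviceName: $DEVICE_NAME
      ebs:
        deleteOnTermination: true
        # Unencrypted volume as shipped in this example. Prefer encrypted: true
        # (optionally with a customer-managed KMS key), or turn on EBS
        # encryption by default for the account so this cannot be missed.
        encrypted: false
        volumeSize: $VOLUME_SIZE
        volumeType: $VOLUME_TYPE
-------------------------------------------------------------------------------- /service-controllers/ec2/v1alpha1/internetgateway.yaml: --------------------------------------------------------------------------------
---
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: InternetGateway
metadata:
  name: $INTERNET_GATEWAY_NAME
spec:
  # Attached to this VPC on creation; a route table still has to route to it.
  vpc: $VPC_ID
-------------------------------------------------------------------------------- /service-controllers/ec2/v1alpha1/natgateway.yaml: --------------------------------------------------------------------------------
---
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: NATGateway
metadata:
  name: $NAT_GATEWAY_NAME
spec:
  # A public NAT gateway needs an Elastic IP allocation (elasticipaddress.yaml)
  # and must sit in a public subnet with a route to the internet gateway.
  allocationID: $ALLOCATION_ID
  # Placeholder had a stray trailing "-" ($SUBNET_ID-), which produced an
  # invalid subnet ID after substitution.
  subnetID: $SUBNET_ID
  connectivityType: "public"
  tagSpecifications:
    - resourceType: "natgateway"
      tags:
        - key: $NAT_GW_TAG_KEY
          value: $NAT_GW_TAG_VALUE
-------------------------------------------------------------------------------- /service-controllers/ec2/v1alpha1/routetable.yaml: --------------------------------------------------------------------------------
---
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: RouteTable
metadata:
  name: $ROUTE_TABLE_NAME
spec:
  # Destinations must differ: a route table cannot hold two routes for the
  # same CIDR, which the previous template ($DEST_CIDR_BLOCK twice) produced.
  # Typically a public table routes 0.0.0.0/0 to the internet gateway and a
  # private table routes it to the NAT gateway, not both in one table.
  routes:
    - destinationCIDRBlock: $IGW_DEST_CIDR_BLOCK
      gatewayID: $IGW_ID
    - destinationCIDRBlock: $NGW_DEST_CIDR_BLOCK
      natGatewayID: $NGW_ID
  vpcID: $VPC_ID
  tagSpecifications:
    - resourceType: "routetable"
      tags:
        - key: $ROUTE_TABLE_TAG_KEY
          value: $ROUTE_TABLE_TAG_VALUE
-------------------------------------------------------------------------------- /service-controllers/ec2/v1alpha1/securitygroup.yaml: --------------------------------------------------------------------------------
---
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: SecurityGroup
metadata:
  name: $SECURITY_GROUP_NAME
spec:
  description: $SECURITY_GROUP_DESCRIPTION
  name: $SECURITY_GROUP_NAME
  vpcID: $VPC_ID
  # No rules are declared, so the group is created with the AWS defaults:
  # no inbound traffic, all outbound traffic allowed.
  tagSpecifications:
    - resourceType: "securitygroup"
      tags:
        - key: $SECURITY_GROUP_TAG_KEY
          value: $SECURITY_GROUP_TAG_VALUE
-------------------------------------------------------------------------------- /service-controllers/ec2/v1alpha1/subnet.yaml: --------------------------------------------------------------------------------
---
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: Subnet
metadata:
  name: $SUBNET_NAME
spec:
  cidrBlock: $CIDR_BLOCK
  vpcID: $VPC_ID
  availabilityZone: $AZ
  # Route table(s) to associate; which one decides whether the subnet is
  # public (internet gateway route) or private (NAT route).
  routeTables:
    - $ROUTE_TABLE_ID
-------------------------------------------------------------------------------- /service-controllers/ec2/v1alpha1/transitgateway.yaml: --------------------------------------------------------------------------------
---
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: TransitGateway
metadata:
  name: $TGW_NAME
spec:
  description: $TGW_DESCRIPTION
  # Option values are the EC2 API strings "enable" / "disable".
  options:
    dnsSupport: $DNS_SUPPORT
    defaultRouteTableAssociation: $ROUTE_TABLE_ASSOCIATION
    transitGatewayCIDRBlocks:
      - $CIDR_BLOCK
-------------------------------------------------------------------------------- /service-controllers/ec2/v1alpha1/vpc.yaml: --------------------------------------------------------------------------------
---
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: VPC
metadata:
  name: $VPC_NAME
spec:
  cidrBlock: $CIDR_BLOCK
  # Both DNS flags are required for private hosted zones and for instances to
  # get public DNS names; "default" tenancy = shared hardware.
  enableDNSSupport: true
  enableDNSHostnames: true
  instanceTenancy: "default"
-------------------------------------------------------------------------------- /service-controllers/ec2/v1alpha1/vpcendpoint.yaml: --------------------------------------------------------------------------------
---
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: VPCEndpoint
metadata:
  name: $VPC_ENDPOINT_NAME
spec:
  serviceName: $SERVICE_NAME
  vpcID: $VPC_ID
  # NOTE(review): route tables belong to gateway endpoints (S3/DynamoDB),
  # subnets and security groups to interface endpoints; AWS accepts only the
  # set that matches the endpoint type, so keep one group and set the
  # endpoint type accordingly -- confirm the field name in the controller docs.
  routeTableIDs:
    - $ROUTE_TABLE_ID
  securityGroupIDs:
    - $SECURITY_GROUP_ID
  subnetIDs:
    - $SUBNET_ID
  tagSpecifications:
    - resourceType: "vpcendpoint"
      tags:
        - key: $VPC_ENDPOINT_TAG_KEY
          value: $VPC_ENDPOINT_TAG_VALUE
-------------------------------------------------------------------------------- /service-controllers/ecr/README.md: --------------------------------------------------------------------------------
# ECR Service Controller Examples

In this folder you can find general examples for creating ECR Resources from
your Kubernetes Cluster with ACK (AWS Controllers for Kubernetes).

Basic ECR creation:

```yaml
apiVersion: ecr.services.k8s.aws/v1alpha1
kind: Repository
metadata:
  name: $REPOSITORY_NAME
spec:
  name: $REPOSITORY_NAME
```

## Create the ECR Repository

```bash
kubectl apply -f <file_name> #Change the file name accordingly
```

## Delete the ECR Repository

```bash
kubectl delete repository <repository_name> #Change the repository name accordingly
```

-------------------------------------------------------------------------------- /service-controllers/ecr/v1alpha1/repository-with-image-scanning.yaml: --------------------------------------------------------------------------------
---
apiVersion: ecr.services.k8s.aws/v1alpha1
kind: Repository
metadata:
  name: $REPOSITORY_NAME
spec:
  name: $REPOSITORY_NAME
  # Every pushed image is scanned for known CVEs; findings are reported by
  # ECR, they do not block the push. Pair with tag immutability (next
  # example) so a scanned tag cannot be silently replaced.
  imageScanningConfiguration:
    scanOnPush: true

-------------------------------------------------------------------------------- /service-controllers/ecr/v1alpha1/repository-with-image-tag-mutability.yaml: --------------------------------------------------------------------------------
---
apiVersion: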
ecr.services.k8s.aws/v1alpha1 3 | kind: Repository 4 | metadata: 5 | name: $REPOSITORY_NAME 6 | spec: 7 | name: $REPOSITORY_NAME 8 | imageTagMutability: IMMUTABLE 9 | -------------------------------------------------------------------------------- /service-controllers/ecr/v1alpha1/repository-with-lifecycle-rule.yaml: -------------------------------------------------------------------------------- 1 | #This Lifecycle Rule expires images older than 14 days 2 | --- 3 | apiVersion: ecr.services.k8s.aws/v1alpha1 4 | kind: Repository 5 | metadata: 6 | name: $REPOSITORY_NAME 7 | spec: 8 | name: $REPOSITORY_NAME 9 | lifecyclePolicy: '{"rules":[{"rulePriority":1,"description":"Expire images older than 14 days","selection":{"tagStatus":"untagged","countType":"sinceImagePushed","countUnit":"days","countNumber":14},"action":{"type":"expire"}}]}' 10 | -------------------------------------------------------------------------------- /service-controllers/ecr/v1alpha1/repository.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: ecr.services.k8s.aws/v1alpha1 3 | kind: Repository 4 | metadata: 5 | name: $REPOSITORY_NAME 6 | spec: 7 | name: $REPOSITORY_NAME 8 | -------------------------------------------------------------------------------- /service-controllers/eks/README.md: -------------------------------------------------------------------------------- 1 | # EKS Service Controller Examples 2 | 3 | In this folder you can find general examples for creating EKS Resources from 4 | your Kubernetes Cluster with ACK (AWS Controllers for Kubernetes). 
5 | 6 | Basic EKS Cluster creation: 7 | 8 | ```yaml 9 | apiVersion: eks.services.k8s.aws/v1alpha1 10 | kind: Cluster 11 | metadata: 12 | name: $CLUSTER_NAME 13 | spec: 14 | name: $CLUSTER_NAME 15 | roleARN: $CLUSTER_ROLE 16 | resourcesVPCConfig: 17 | endpointPrivateAccess: true 18 | endpointPublicAccess: false 19 | subnetIDs: 20 | - "$PUBLIC_SUBNET_1" 21 | - "$PUBLIC_SUBNET_2" 22 | version: $KUBERNETES_VERSION 23 | ``` 24 | 25 | ## Create the EKS Cluster 26 | 27 | ```bash 28 | kubectl apply -f #Change the file name accordingly 29 | ``` 30 | 31 | ## Delete the EKS Cluster 32 | 33 | ```bash 34 | kubectl delete cluster #Change the cluster name accordingly 35 | ``` 36 | -------------------------------------------------------------------------------- /service-controllers/eks/v1alpha1/addon.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: eks.services.k8s.aws/v1alpha1 3 | kind: Addon 4 | metadata: 5 | name: $ADDON_NAME 6 | spec: 7 | name: $ADDON_NAME 8 | addonVersion: $ADDON_VERSION 9 | #https://docs.aws.amazon.com/eks/latest/APIReference/API_DescribeAddonVersions.html 10 | clusterName: $CLUSTER_NAME 11 | -------------------------------------------------------------------------------- /service-controllers/eks/v1alpha1/cluster.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: eks.services.k8s.aws/v1alpha1 3 | kind: Cluster 4 | metadata: 5 | name: $CLUSTER_NAME 6 | spec: 7 | name: $CLUSTER_NAME 8 | roleARN: $CLUSTER_ROLE 9 | resourcesVPCConfig: 10 | endpointPrivateAccess: true 11 | endpointPublicAccess: false 12 | subnetIDs: 13 | - "$PUBLIC_SUBNET_1" 14 | - "$PUBLIC_SUBNET_2" 15 | version: $KUBERNETES_VERSION -------------------------------------------------------------------------------- /service-controllers/eks/v1alpha1/fargateprofile.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: 
eks.services.k8s.aws/v1alpha1 3 | kind: FargateProfile 4 | metadata: 5 | name: $PROFILE_NAME 6 | spec: 7 | name: $PROFILE_NAME 8 | clusterName: $CLUSTER_NAME 9 | podExecutionRoleARN: $FARGATE_POD_ROLE 10 | subnets: 11 | - "$PRIVATE_SUBNET_1" 12 | - "$PRIVATE_SUBNET_2" 13 | selectors: 14 | labels: {} 15 | namespace: $NAMESPACE 16 | -------------------------------------------------------------------------------- /service-controllers/eks/v1alpha1/nodegroup.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: eks.services.k8s.aws/v1alpha1 3 | kind: Nodegroup 4 | metadata: 5 | name: $NODEGROUP_NAME 6 | spec: 7 | name: $NODEGROUP_NAME 8 | clusterName: $CLUSTER_NAME 9 | amiType: $AMI_TYPE 10 | diskSize: $DISK_SIZE 11 | instanceTypes: 12 | - $INSTANCE_TYPE 13 | #https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html#managed-node-group-capacity-types 14 | subnets: 15 | - "$PUBLIC_SUBNET_1" 16 | - "$PUBLIC_SUBNET_2" 17 | scalingConfig: 18 | minSize: 1 19 | maxSize: 1 20 | desiredSize: 1 21 | updateConfig: 22 | maxUnavailable: $NUMBER_OF_NODES 23 | maxUnavailablePercentage: $NUMBER_OF_PERCENTAGE 24 | -------------------------------------------------------------------------------- /service-controllers/emrcontainers/README.md: -------------------------------------------------------------------------------- 1 | # EMR Containers Service Controller Examples 2 | 3 | In this folder, you can find general examples for creating EMR Container Resources from your 4 | Kubernetes cluster with ACK (AWS Controllers for Kubernetes). 
5 | 6 | Basic EMR Container Virtual Cluster creation: 7 | 8 | ```yaml 9 | apiVersion: emrcontainers.services.k8s.aws/v1alpha1 10 | kind: VirtualCluster 11 | metadata: 12 | name: $VIRTUALCLUSTER_NAME 13 | spec: 14 | name: $VIRTUALCLUSTER_NAME 15 | containerProvider: 16 | id: $EKS_CLUSTER_NAME 17 | type_: EKS 18 | info: 19 | eksInfo: 20 | namespace: $KUBERNETES_NAMESPACE 21 | ``` 22 | 23 | ## Create the EMR Container Virtual Cluster 24 | 25 | ```bash 26 | kubectl apply -f #Change the file name accordingly 27 | ``` 28 | 29 | ## Delete the EMR Container Virtual Cluster 30 | 31 | ```bash 32 | kubectl delete virtualcluster #Change the Virtual Cluster name accordingly 33 | ``` 34 | -------------------------------------------------------------------------------- /service-controllers/emrcontainers/v1alpha1/virtualcluster.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: emrcontainers.services.k8s.aws/v1alpha1 3 | kind: VirtualCluster 4 | metadata: 5 | name: $VIRTUALCLUSTER_NAME 6 | spec: 7 | name: $VIRTUALCLUSTER_NAME 8 | containerProvider: 9 | id: $EKS_CLUSTER_NAME 10 | type_: EKS 11 | info: 12 | eksInfo: 13 | namespace: $KUBERNETES_NAMESPACE 14 | tags: 15 | - key: $VIRTUAL_CLUSTER_TAG_KEY 16 | value: $VIRTUAL_CLUSTER_TAG_VALUE -------------------------------------------------------------------------------- /service-controllers/iam/README.md: -------------------------------------------------------------------------------- 1 | # IAM Service Controller Examples 2 | 3 | In this folder, you can find general examples for creating IAM Resources from your 4 | Kubernetes cluster with ACK (AWS Controllers for Kubernetes). 
5 | 6 | Basic IAM Role creation: 7 | 8 | ```yaml 9 | apiVersion: iam.services.k8s.aws/v1alpha1 10 | kind: Role 11 | metadata: 12 | name: $ROLE_NAME 13 | spec: 14 | name: $ROLE_NAME 15 | description: $ROLE_DESCRIPTION 16 | assumeRolePolicyDocument: > 17 | { 18 | "Version":"2012-10-17", 19 | "Statement": [{ 20 | "Effect":"Allow", 21 | "Principal": { 22 | "Service": [ 23 | "ec2.amazonaws.com" 24 | ] 25 | }, 26 | "Action": ["sts:AssumeRole"] 27 | }] 28 | } 29 | tags: 30 | - key: $IAM_ROLE_TAG_KEY 31 | value: $IAM_ROLE_TAG_VALUE 32 | ``` 33 | 34 | ## Create the IAM Resource 35 | 36 | ```bash 37 | kubectl apply -f #Change the file name accordingly 38 | ``` 39 | 40 | ## Delete the IAM Resource 41 | 42 | ```bash 43 | kubectl delete role #Change the role name accordingly and also change the resource name accordingly 44 | ``` 45 | -------------------------------------------------------------------------------- /service-controllers/iam/v1alpha1/policy.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: iam.services.k8s.aws/v1alpha1 3 | kind: Policy 4 | metadata: 5 | name: $POLICY_NAME 6 | spec: 7 | name: $POLICY_NAME 8 | description: $POLICY_DESCRIPTION 9 | #This example Policy allows to list all S3 Buckets 10 | policyDocument: '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":"arn:aws:s3:::*"},{"Effect":"Allow","Action":["s3:List*"],"Resource":["*"]}]}' 11 | tags: 12 | - key: $IAM_ROLE_TAG_KEY 13 | value: $IAM_ROLE_TAG_VALUE -------------------------------------------------------------------------------- /service-controllers/iam/v1alpha1/role.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: iam.services.k8s.aws/v1alpha1 3 | kind: Role 4 | metadata: 5 | name: $ROLE_NAME 6 | spec: 7 | name: $ROLE_NAME 8 | description: $ROLE_DESCRIPTION 9 | maxSessionDuration: $MAX_SESSION_DURATION 10 | policies: 11 | - 
$IAM_POLICY_NAME 12 | assumeRolePolicyDocument: > 13 | { 14 | "Version":"2012-10-17", 15 | "Statement": [{ 16 | "Effect":"Allow", 17 | "Principal": { 18 | "Service": [ 19 | "ec2.amazonaws.com" 20 | ] 21 | }, 22 | "Action": ["sts:AssumeRole"] 23 | }] 24 | } 25 | tags: 26 | - key: $IAM_ROLE_TAG_KEY 27 | value: $IAM_ROLE_TAG_VALUE -------------------------------------------------------------------------------- /service-controllers/kms/README.md: -------------------------------------------------------------------------------- 1 | # KMS Service Controller Examples 2 | 3 | In this folder, you can find general examples for creating KMS Resources from your 4 | Kubernetes cluster with ACK (AWS Controllers for Kubernetes). 5 | 6 | Basic KMS Key creation: 7 | 8 | ```yaml 9 | apiVersion: kms.services.k8s.aws/v1alpha1 10 | kind: Key 11 | metadata: 12 | name: $KEY_NAME 13 | spec: 14 | description: "This is an example Key created with ACK Examples" 15 | ``` 16 | 17 | ## Create the KMS Key 18 | 19 | ```bash 20 | kubectl apply -f #Change the file name accordingly 21 | ``` 22 | 23 | ## Delete the KMS Key 24 | 25 | ```bash 26 | kubectl delete key #Change the key name accordingly 27 | ``` 28 | -------------------------------------------------------------------------------- /service-controllers/kms/v1alpha1/alias.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kms.services.k8s.aws/v1alpha1 3 | kind: Alias 4 | metadata: 5 | name: $ALIAS_NAME 6 | spec: 7 | name: alias/$ALIAS_NAME 8 | targetKeyID: $TARGET_KEY_ID -------------------------------------------------------------------------------- /service-controllers/kms/v1alpha1/customkeystore.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kms.services.k8s.aws/v1alpha1 3 | kind: CustomKeyStore 4 | metadata: 5 | name: $CUSTOM_KEY_STORE_NAME 6 | spec: 7 | cloudHsmClusterID: $CLOUD_HSM_CLUSTER_ID 8 | keyStorePassword: 
$KEY_STORE_PASSWORD 9 | name: $CUSTOM_KEY_STORE_NAME 10 | trustAnchorCertificate: $TRUST_ANCHOR_CERTIFICATE -------------------------------------------------------------------------------- /service-controllers/kms/v1alpha1/key.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kms.services.k8s.aws/v1alpha1 3 | kind: Key 4 | metadata: 5 | name: $KEY_NAME 6 | spec: 7 | bypassPolicyLockoutSafetyCheck: false 8 | description: "Key created by ACK tests" 9 | multiRegion: false 10 | tags: 11 | - tagKey: $KMS_KEY_TAG_KEY 12 | tagValue: $KMS_KEY_TAG_VALUE 13 | -------------------------------------------------------------------------------- /service-controllers/memorydb/README.md: -------------------------------------------------------------------------------- 1 | # MemoryDB Service Controller Examples 2 | 3 | In this folder, you can find general examples for creating MemoryDB Resources from your 4 | Kubernetes cluster with ACK (AWS Controllers for Kubernetes). 
5 | 6 | Basic MemoryDB Cluster creation: 7 | 8 | ```yaml 9 | apiVersion: memorydb.services.k8s.aws/v1alpha1 10 | kind: Cluster 11 | metadata: 12 | name: $CLUSTER_NAME 13 | spec: 14 | name: $CLUSTER_NAME 15 | aclName: $ACL_NAME 16 | nodeType: $NODE_TYPE 17 | tags: 18 | - key: $CLUSTER_TAG_KEY 19 | value: $CLUSTER_TAG_VALUE 20 | ``` 21 | 22 | ## Create the MemoryDB Resource 23 | 24 | ```bash 25 | kubectl apply -f #Change the file name accordingly 26 | ``` 27 | 28 | ## Delete the MemoryDB Resource 29 | 30 | ```bash 31 | kubectl delete cluster #Change the cluster name accordingly and also change the resource name accordingly 32 | ``` 33 | -------------------------------------------------------------------------------- /service-controllers/memorydb/v1alpha1/acl.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: memorydb.services.k8s.aws/v1alpha1 3 | kind: ACL 4 | metadata: 5 | name: $ACL_NAME 6 | spec: 7 | name: $ACL_NAME 8 | tags: 9 | - key: $ACL_TAG_KEY 10 | value: $ACL_TAG_VALUE 11 | userNames: 12 | - $USER_NAME -------------------------------------------------------------------------------- /service-controllers/memorydb/v1alpha1/cluster.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: memorydb.services.k8s.aws/v1alpha1 3 | kind: Cluster 4 | metadata: 5 | name: $CLUSTER_NAME 6 | spec: 7 | name: $CLUSTER_NAME 8 | aclName: $ACL_NAME 9 | nodeType: $NODE_TYPE 10 | engineVersion: $ENGINE_VERSION 11 | autoMinorVersionUpgrade: true 12 | numReplicasPerShard: $REPLICAS_PER_SHARD 13 | numShards: $SHARDS 14 | parameterGroupName: $PARAMETER_GROUP_NAME 15 | port: $PORT 16 | securityGroupIDs: 17 | - $SECURITY_GROUP_ID 18 | subnetGroupName: $SUBNET_GROUP 19 | tlsEnabled: false 20 | tags: 21 | - key: $CLUSTER_TAG_KEY 22 | value: $CLUSTER_TAG_VALUE -------------------------------------------------------------------------------- 
/service-controllers/memorydb/v1alpha1/parametergroup.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: memorydb.services.k8s.aws/v1alpha1 3 | kind: ParameterGroup 4 | metadata: 5 | name: $PARAMETER_GROUP_NAME 6 | spec: 7 | description: $DESCRIPTION 8 | family: $FAMILY 9 | name: $PARAMETER_GROUP_NAME 10 | parameterNameValues: 11 | - parameterName: $PARAMETER_NAME 12 | parameterValue: $PARAMETER_VALUE 13 | tags: 14 | - key: $PARAMETER_GROUP_TAG_KEY 15 | value: $PARAMETER_GROUP_TAG_VALUE -------------------------------------------------------------------------------- /service-controllers/memorydb/v1alpha1/snapshot.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: memorydb.services.k8s.aws/v1alpha1 3 | kind: Snapshot 4 | metadata: 5 | name: $SNAPSHOT_NAME 6 | spec: 7 | clusterName: $CLUSTER_NAME 8 | kmsKeyID: $KMS_KEY_ID 9 | name: $SNAPSHOT_NAME 10 | sourceSnapshotName: $SOURCE_SNAPSHOT_NAME 11 | tags: 12 | - key: $SNAPSHOT_TAG_KEY 13 | value: $SNAPSHOT_TAG_VALUE -------------------------------------------------------------------------------- /service-controllers/memorydb/v1alpha1/subnetgroup.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: memorydb.services.k8s.aws/v1alpha1 3 | kind: SubnetGroup 4 | metadata: 5 | name: $SUBNET_GROUP_NAME 6 | spec: 7 | name: $SUBNET_GROUP_NAME 8 | description: $DESCRIPTION 9 | subnetIDs: 10 | - $SUBNET_ID 11 | tags: 12 | - key: $SUBNET_GROUP_TAG_KEY 13 | value: $SUBNET_GROUP_TAG_VALUE -------------------------------------------------------------------------------- /service-controllers/memorydb/v1alpha1/user.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: memorydb.services.k8s.aws/v1alpha1 3 | kind: User 4 | metadata: 5 | name: $USER_NAME 6 | spec: 7 | accessString: $ACCESS_STRING 8 | 
authenticationMode: 9 | passwords: 10 | - key: $PASSWORD_KEY 11 | name: $NAME 12 | namespace: $NAMESPACE 13 | type_: $TYPE 14 | name: $USER_NAME 15 | tags: 16 | - key: $USER_TAG_KEY 17 | value: $USER_TAG_VALUE -------------------------------------------------------------------------------- /service-controllers/rds/README.md: -------------------------------------------------------------------------------- 1 | # RDS Service Controller Examples 2 | 3 | In this folder, you can find general examples for creating RDS Resources from your 4 | Kubernetes cluster with ACK (AWS Controllers for Kubernetes). 5 | 6 | Basic RDS DB Instance creation: 7 | 8 | ```yaml 9 | apiVersion: rds.services.k8s.aws/v1alpha1 10 | kind: DBInstance 11 | metadata: 12 | name: $DB_INSTANCE_ID 13 | spec: 14 | allocatedStorage: 5 15 | dbInstanceClass: db.t3.micro 16 | dbInstanceIdentifier: $DB_INSTANCE_ID 17 | dbSubnetGroupName: $DB_SUBNET_GROUP_NAME 18 | engine: postgres 19 | engineVersion: "14.1" 20 | masterUsername: root 21 | masterUserPassword: 22 | namespace: $MASTER_USER_PASS_SECRET_NAMESPACE 23 | name: $MASTER_USER_PASS_SECRET_NAME 24 | key: $MASTER_USER_PASS_SECRET_KEY 25 | multiAZ: False 26 | ``` 27 | 28 | ## Create the RDS Resource 29 | 30 | ```bash 31 | kubectl apply -f #Change the file name accordingly 32 | ``` 33 | 34 | ## Delete the RDS Resource 35 | 36 | ```bash 37 | kubectl delete dbinstance #Change the db instance name accordingly and also change the resource name accordingly 38 | ``` 39 | -------------------------------------------------------------------------------- /service-controllers/rds/v1alpha1/dbcluster.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rds.services.k8s.aws/v1alpha1 3 | kind: DBCluster 4 | metadata: 5 | name: $DB_CLUSTER_ID 6 | spec: 7 | availabilityZones: 8 | - $AZ_A 9 | - $AZ_B 10 | - $AZ_C 11 | backupRetentionPeriod: 14 12 | dbClusterIdentifier: $DB_CLUSTER_ID 13 | databaseName: $DB_NAME 14 | engine: 
aurora-mysql 15 | engineMode: serverless 16 | deletionProtection: false 17 | engineVersion: "5.7.12" 18 | storageEncrypted: false 19 | scalingConfiguration: 20 | autoPause: true 21 | maxCapacity: 5 22 | minCapacity: 1 23 | masterUsername: root 24 | masterUserPassword: 25 | namespace: $MASTER_USER_PASS_SECRET_NAMESPACE 26 | name: $MASTER_USER_PASS_SECRET_NAME 27 | key: $MASTER_USER_PASS_SECRET_KEY 28 | tags: 29 | - key: $DB_CLUSTER_TAG_KEY 30 | value: $DB_CLUSTER_TAG_VALUE -------------------------------------------------------------------------------- /service-controllers/rds/v1alpha1/dbclusterparametergroup.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rds.services.k8s.aws/v1alpha1 3 | kind: DBClusterParameterGroup 4 | metadata: 5 | name: $DB_CLUSTER_PARAMETER_GROUP_NAME 6 | spec: 7 | name: $DB_CLUSTER_PARAMETER_GROUP_NAME 8 | description: $DB_CLUSTER_PARAMETER_GROUP_DESC 9 | family: "aurora-mysql5.7" 10 | #parameters: 11 | #- allowedValues: string 12 | # applyMethod: string 13 | # applyType: string 14 | # dataType: string 15 | # description: string 16 | # isModifiable: boolean 17 | # minimumEngineVersion: string 18 | # parameterName: string 19 | # parameterValue: string 20 | # source: string 21 | # supportedEngineModes: 22 | # - string 23 | tags: 24 | - key: $DB_CLUSTER_TAG_KEY 25 | value: $DB_CLUSTER_TAG_VALUE -------------------------------------------------------------------------------- /service-controllers/rds/v1alpha1/dbinstance.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rds.services.k8s.aws/v1alpha1 3 | kind: DBInstance 4 | metadata: 5 | name: $DB_INSTANCE_ID 6 | spec: 7 | allocatedStorage: 5 8 | autoMinorVersionUpgrade: false 9 | availabilityZone: eu-west-1a 10 | backupRetentionPeriod: 14 11 | copyTagsToSnapshot: false 12 | dbInstanceClass: db.t3.micro 13 | dbInstanceIdentifier: $DB_INSTANCE_ID 14 | dbName: $DB_NAME 15 | 
dbSubnetGroupName: $DB_SUBNET_GROUP_NAME 16 | engine: postgres 17 | engineVersion: "14.1" 18 | deletionProtection: true 19 | storageEncrypted: false 20 | masterUsername: root 21 | masterUserPassword: 22 | namespace: $MASTER_USER_PASS_SECRET_NAMESPACE 23 | name: $MASTER_USER_PASS_SECRET_NAME 24 | key: $MASTER_USER_PASS_SECRET_KEY 25 | multiAZ: False -------------------------------------------------------------------------------- /service-controllers/rds/v1alpha1/dbparametergroup.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rds.services.k8s.aws/v1alpha1 3 | kind: DBParameterGroup 4 | metadata: 5 | name: $DB_PARAMETER_GROUP_NAME 6 | spec: 7 | name: $DB_PARAMETER_GROUP_NAME 8 | description: $DB_PARAMETER_GROUP_DESC 9 | family: postgres 10 | #parameters: 11 | #- allowedValues: string 12 | # applyMethod: string 13 | # applyType: string 14 | # dataType: string 15 | # description: string 16 | # isModifiable: boolean 17 | # minimumEngineVersion: string 18 | # parameterName: string 19 | # parameterValue: string 20 | # source: string 21 | # supportedEngineModes: 22 | # - string 23 | tags: 24 | - key: $DB_CLUSTER_TAG_KEY 25 | value: $DB_CLUSTER_TAG_VALUE -------------------------------------------------------------------------------- /service-controllers/rds/v1alpha1/dbsubnetgroup.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rds.services.k8s.aws/v1alpha1 3 | kind: DBSubnetGroup 4 | metadata: 5 | name: $DB_SUBNET_GROUP_NAME 6 | spec: 7 | name: $DB_SUBNET_GROUP_NAME 8 | description: $DB_SUBNET_GROUP_DESC 9 | subnetIDs: 10 | - $SUBNET_AZ1 11 | - $SUBNET_AZ2 12 | tags: 13 | - key: $DB_CLUSTER_TAG_KEY 14 | value: $DB_CLUSTER_TAG_VALUE -------------------------------------------------------------------------------- /service-controllers/s3/README.md: -------------------------------------------------------------------------------- 1 | # S3 Service 
Controller Examples 2 | 3 | In this folder, you can find general examples for creating S3 Resources from your 4 | Kubernetes cluster with ACK (AWS Controllers for Kubernetes). 5 | 6 | Basic S3 Bucket creation: 7 | 8 | ```yaml 9 | apiVersion: s3.services.k8s.aws/v1alpha1 10 | kind: Bucket 11 | metadata: 12 | name: $BUCKET_NAME 13 | spec: 14 | name: $BUCKET_NAME 15 | ``` 16 | 17 | ## Create the S3 Bucket 18 | 19 | ```bash 20 | kubectl apply -f #Change the file name accordingly 21 | ``` 22 | 23 | ## Delete the S3 Bucket 24 | 25 | ```bash 26 | kubectl delete bucket #Change the bucket name accordingly 27 | ``` 28 | -------------------------------------------------------------------------------- /service-controllers/s3/v1alpha1/bucket-with-encryption.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: s3.services.k8s.aws/v1alpha1 3 | kind: Bucket 4 | metadata: 5 | name: $BUCKET_NAME 6 | spec: 7 | name: $BUCKET_NAME 8 | encryption: 9 | rules: 10 | - bucketKeyEnabled: false 11 | applyServerSideEncryptionByDefault: 12 | sseAlgorithm: AES256 13 | -------------------------------------------------------------------------------- /service-controllers/s3/v1alpha1/bucket-with-lifecycle-rule.yaml: -------------------------------------------------------------------------------- 1 | #This rule moves objects to Glacier after 60 days 2 | --- 3 | apiVersion: s3.services.k8s.aws/v1alpha1 4 | kind: Bucket 5 | metadata: 6 | name: $BUCKET_NAME 7 | spec: 8 | name: $BUCKET_NAME 9 | lifecycle: 10 | rules: 11 | - id: "Move to Glacier after sixty days" 12 | prefix: "/" 13 | status: "Enabled" 14 | transitions: 15 | - days: 60 16 | storageClass: "GLACIER" 17 | -------------------------------------------------------------------------------- /service-controllers/s3/v1alpha1/bucket-with-tags.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: s3.services.k8s.aws/v1alpha1 3 | kind: 
Bucket 4 | metadata: 5 | name: $BUCKET_NAME 6 | spec: 7 | name: $BUCKET_NAME 8 | tagging: 9 | tagSet: 10 | - key: "FirstTagKey" 11 | value: "FirstTagValue" 12 | - key: "SecondTagKey" 13 | value: "SecondTagValue" 14 | -------------------------------------------------------------------------------- /service-controllers/s3/v1alpha1/bucket-with-versioning.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: s3.services.k8s.aws/v1alpha1 3 | kind: Bucket 4 | metadata: 5 | name: $BUCKET_NAME 6 | spec: 7 | name: $BUCKET_NAME 8 | versioning: 9 | status: Enabled 10 | -------------------------------------------------------------------------------- /service-controllers/s3/v1alpha1/bucket.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: s3.services.k8s.aws/v1alpha1 3 | kind: Bucket 4 | metadata: 5 | name: $BUCKET_NAME 6 | spec: 7 | name: $BUCKET_NAME 8 | -------------------------------------------------------------------------------- /service-controllers/sns/README.md: -------------------------------------------------------------------------------- 1 | # SNS Service Controller Examples 2 | 3 | In this folder, you can find general examples for creating SNS Resources from your 4 | Kubernetes cluster with ACK (AWS Controllers for Kubernetes). 
5 | 6 | Basic SNS Topic creation: 7 | 8 | ```yaml 9 | apiVersion: sns.services.k8s.aws/v1alpha1 10 | kind: Topic 11 | metadata: 12 | name: $TOPIC_NAME 13 | spec: 14 | name: $TOPIC_NAME 15 | displayName: $DISPLAY_NAME 16 | tags: 17 | - key: $TOPIC_TAG_KEY 18 | value: $TOPIC_TAG_VALUE 19 | ``` 20 | 21 | ## Create the SNS Resource 22 | 23 | ```bash 24 | kubectl apply -f #Change the file name accordingly 25 | ``` 26 | 27 | ## Delete the SNS Resource 28 | 29 | ```bash 30 | kubectl delete topic #Change the Topic name accordingly and also change the resource name accordingly 31 | ``` 32 | -------------------------------------------------------------------------------- /service-controllers/sns/v1alpha1/platformapplication.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: sns.services.k8s.aws/v1alpha1 3 | kind: PlatformApplication 4 | metadata: 5 | name: $PLATFORM_APPLICATION_NAME 6 | spec: 7 | eventDeliveryFailure: $EVENT_DELIVERY_FAILURE 8 | eventEndpointCreated: $EVENT_ENDPOINT_CREATED 9 | eventEndpointDeleted: $EVENT_ENDPOINT_DELETED 10 | eventEndpointUpdated: $EVENT_ENDPOINT_UPDATED 11 | failureFeedbackRoleARN: $FAILURE_FEEDBACK_ROLE_ARN 12 | name: $PLATFORM_APPLICATION_NAME 13 | platform: $PLATFORM 14 | platformCredential: $CREDENTIAL 15 | platformPrincipal: $PRINCIPAL 16 | successFeedbackRoleARN: $SUCCESS_FEEDBACK_ROLE_ARN 17 | successFeedbackSampleRate: $SAMPLE_RATE -------------------------------------------------------------------------------- /service-controllers/sns/v1alpha1/platformendpoint.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: sns.services.k8s.aws/v1alpha1 3 | kind: PlatformEndpoint 4 | metadata: 5 | name: $PLATFORM_ENDPOINT_NAME 6 | spec: 7 | attributes: {} 8 | customUserData: $USER_DATA 9 | platformApplicationARN: $PLATFORM_APPLICATION_ARN 10 | token: $TOKEN 
-------------------------------------------------------------------------------- /service-controllers/sns/v1alpha1/topic.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: sns.services.k8s.aws/v1alpha1 3 | kind: Topic 4 | metadata: 5 | name: $TOPIC_NAME 6 | spec: 7 | name: $TOPIC_NAME 8 | displayName: $DISPLAY_NAME 9 | deliveryPolicy: $DELIVERY_POLICY 10 | kmsMasterKeyID: $KMS_KEY_ID 11 | policy: $POLICY 12 | tags: 13 | - key: $TOPIC_TAG_KEY 14 | value: $TOPIC_TAG_VALUE --------------------------------------------------------------------------------