├── examples ├── argocd │ ├── variables.tf │ ├── outputs.tf │ └── versions.tf ├── karpenter │ ├── variables.tf │ ├── outputs.tf │ └── versions.tf ├── stateful │ ├── variables.tf │ ├── outputs.tf │ └── versions.tf ├── external-secrets │ ├── variables.tf │ ├── outputs.tf │ └── versions.tf ├── ipv6-eks-cluster │ ├── variables.tf │ ├── outputs.tf │ └── versions.tf ├── fargate-serverless │ ├── variables.tf │ ├── outputs.tf │ └── versions.tf ├── fully-private-cluster │ ├── variables.tf │ ├── outputs.tf │ └── versions.tf ├── agones-game-controller │ ├── variables.tf │ ├── outputs.tf │ ├── test │ │ ├── xonotic │ │ │ ├── gameserver.yaml │ │ │ ├── fleetautoscaler.yaml │ │ │ ├── gameserverallocator.yaml │ │ │ └── fleet.yaml │ │ └── sample-game-server │ │ │ ├── gameserver.yaml │ │ │ └── fleet.yaml │ └── versions.tf ├── ipv4-prefix-delegation │ ├── variables.tf │ ├── outputs.tf │ └── versions.tf ├── multi-tenancy-with-teams │ ├── variables.tf │ ├── versions.tf │ └── outputs.tf ├── vpc-cni-custom-networking │ ├── variables.tf │ ├── outputs.tf │ └── versions.tf ├── eks-efa │ ├── .gitignore │ ├── outputs.tf │ ├── variables.tf │ └── providers.tf ├── blue-green-upgrade │ ├── static │ │ ├── eks-argo.png │ │ ├── archi-blue.png │ │ ├── archi-green.png │ │ ├── archi-blue-green.png │ │ ├── burnham-records.png │ │ ├── burnham-records2.png │ │ ├── burnham-records3.png │ │ └── github-ssh-secret.png │ ├── modules │ │ └── eks_cluster │ │ │ ├── versions.tf │ │ │ └── outputs.tf │ ├── core-infra │ │ ├── versions.tf │ │ └── outputs.tf │ ├── eks-blue │ │ ├── outputs.tf │ │ └── providers.tf │ ├── eks-green │ │ ├── outputs.tf │ │ └── providers.tf │ ├── kubernetes │ │ ├── team-riker │ │ │ └── limit-range.yaml │ │ ├── team-burnham │ │ │ └── limit-range.yaml │ │ ├── ecsdemo-crystal │ │ │ └── limit-range.yaml │ │ ├── ecsdemo-frontend │ │ │ └── limit-range.yaml │ │ └── ecsdemo-nodejs │ │ │ └── limit-range.yaml │ └── tear-down.sh ├── wireguard-with-cilium │ ├── variables.tf │ ├── outputs.tf │ └── 
versions.tf ├── appmesh-mtls │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf ├── tls-with-aws-pca-issuer │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf └── amp-amg-opensearch │ ├── helm_values │ └── aws-for-fluentbit-values.yaml │ ├── versions.tf │ └── outputs.tf ├── docs ├── internal │ └── .pages ├── add-ons │ ├── .pages │ ├── fargate-fluent-bit.md │ ├── datadog-operator.md │ ├── cert-manager-istio-csr.md │ ├── thanos.md │ └── csi-secrets-store-provider-aws.md ├── advanced │ └── .pages └── .pages ├── modules ├── kubernetes-addons │ ├── app-2048 │ │ ├── outputs.tf │ │ ├── variables.tf │ │ ├── README.md │ │ └── versions.tf │ ├── portworx │ │ ├── outputs.tf │ │ ├── README.md │ │ ├── main.tf │ │ ├── variables.tf │ │ └── versions.tf │ ├── aws-kube-proxy │ │ ├── outputs.tf │ │ ├── versions.tf │ │ └── variables.tf │ ├── fargate-fluentbit │ │ ├── outputs.tf │ │ ├── versions.tf │ │ └── variables.tf │ ├── aws-cloudwatch-metrics │ │ ├── values.yaml │ │ ├── main.tf │ │ ├── versions.tf │ │ └── outputs.tf │ ├── calico │ │ ├── versions.tf │ │ ├── main.tf │ │ └── outputs.tf │ ├── cilium │ │ ├── versions.tf │ │ └── outputs.tf │ ├── consul │ │ ├── versions.tf │ │ ├── values.yaml │ │ ├── outputs.tf │ │ ├── main.tf │ │ └── locals.tf │ ├── kyverno │ │ ├── versions.tf │ │ └── outputs.tf │ ├── chaos-mesh │ │ ├── versions.tf │ │ ├── main.tf │ │ └── outputs.tf │ ├── gatekeeper │ │ ├── versions.tf │ │ └── outputs.tf │ ├── kubecost │ │ ├── versions.tf │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── values.yaml │ ├── promtail │ │ ├── versions.tf │ │ ├── main.tf │ │ └── outputs.tf │ ├── reloader │ │ ├── versions.tf │ │ └── outputs.tf │ ├── datadog-operator │ │ ├── versions.tf │ │ ├── main.tf │ │ └── outputs.tf │ ├── kube-state-metrics │ │ ├── versions.tf │ │ ├── main.tf │ │ └── outputs.tf │ ├── smb-csi-driver │ │ ├── versions.tf │ │ ├── main.tf │ │ └── outputs.tf │ ├── cert-manager-istio-csr │ │ ├── versions.tf │ │ ├── main.tf │ │ └── outputs.tf │ ├── nvidia-device-plugin │ │ ├── 
versions.tf │ │ ├── main.tf │ │ ├── locals.tf │ │ └── outputs.tf │ ├── spark-history-server │ │ ├── versions.tf │ │ ├── values.yaml │ │ ├── main.tf │ │ └── outputs.tf │ ├── strimzi-kafka-operator │ │ ├── versions.tf │ │ ├── values.yaml │ │ └── outputs.tf │ ├── cert-manager-csi-driver │ │ ├── versions.tf │ │ ├── main.tf │ │ └── outputs.tf │ ├── local-volume-provisioner │ │ ├── local-static-provisioner │ │ │ ├── templates │ │ │ │ ├── NOTES.txt │ │ │ │ └── serviceaccount.yaml │ │ │ └── Chart.yaml │ │ ├── versions.tf │ │ ├── main.tf │ │ ├── locals.tf │ │ ├── outputs.tf │ │ └── variables.tf │ ├── cluster-proportional-autoscaler │ │ ├── versions.tf │ │ ├── outputs.tf │ │ └── main.tf │ ├── cert-manager │ │ ├── values.yaml │ │ ├── cert-manager-letsencrypt │ │ │ ├── values.yaml │ │ │ └── Chart.yaml │ │ ├── cert-manager-ca │ │ │ ├── Chart.yaml │ │ │ ├── templates │ │ │ │ ├── clusterissuers.yaml │ │ │ │ └── certificate.yaml │ │ │ └── values.yaml │ │ └── versions.tf │ ├── agones │ │ ├── data.tf │ │ ├── versions.tf │ │ ├── values.yaml │ │ └── outputs.tf │ ├── aws-load-balancer-controller │ │ ├── values.yaml │ │ ├── versions.tf │ │ └── main.tf │ ├── sysdig │ │ ├── README.md │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── values-sysdig.yaml │ │ └── locals.tf │ ├── tetrate-istio │ │ ├── versions.tf │ │ ├── outputs.tf │ │ └── locals_tid.tf │ ├── adot-collector-haproxy │ │ ├── otel-config │ │ │ ├── Chart.yaml │ │ │ ├── values.yaml │ │ │ └── templates │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ └── clusterrole.yaml │ │ ├── versions.tf │ │ └── outputs.tf │ ├── adot-collector-java │ │ ├── otel-config │ │ │ ├── Chart.yaml │ │ │ ├── values.yaml │ │ │ └── templates │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ └── clusterrole.yaml │ │ ├── versions.tf │ │ └── outputs.tf │ ├── adot-collector-nginx │ │ ├── otel-config │ │ │ ├── Chart.yaml │ │ │ ├── values.yaml │ │ │ └── templates │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ └── clusterrole.yaml │ │ ├── versions.tf │ │ └── 
outputs.tf │ ├── keda │ │ ├── values.yaml │ │ ├── versions.tf │ │ ├── main.tf │ │ └── outputs.tf │ ├── adot-collector-memcached │ │ ├── otel-config │ │ │ ├── Chart.yaml │ │ │ ├── values.yaml │ │ │ └── templates │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ └── clusterrole.yaml │ │ ├── versions.tf │ │ └── outputs.tf │ ├── aws-for-fluentbit │ │ ├── values.yaml │ │ └── versions.tf │ ├── aws-node-termination-handler │ │ ├── values.yaml │ │ ├── versions.tf │ │ └── outputs.tf │ ├── ondat │ │ ├── outputs.tf │ │ ├── versions.tf │ │ └── values.yaml │ ├── grafana │ │ ├── versions.tf │ │ ├── main.tf │ │ └── outputs.tf │ ├── karpenter │ │ └── versions.tf │ ├── velero │ │ ├── versions.tf │ │ ├── values.yaml │ │ └── outputs.tf │ ├── argocd │ │ ├── argocd-application │ │ │ └── helm │ │ │ │ ├── Chart.yaml │ │ │ │ └── values.yaml │ │ ├── values.yaml │ │ ├── versions.tf │ │ ├── outputs.tf │ │ └── data.tf │ ├── aws-vpc-cni │ │ ├── versions.tf │ │ └── outputs.tf │ ├── external-dns │ │ ├── versions.tf │ │ ├── data.tf │ │ └── outputs.tf │ ├── helm-addon │ │ └── versions.tf │ ├── appmesh-controller │ │ ├── versions.tf │ │ └── outputs.tf │ ├── aws-ebs-csi-driver │ │ ├── versions.tf │ │ └── outputs.tf │ ├── aws-efs-csi-driver │ │ └── versions.tf │ ├── aws-fsx-csi-driver │ │ ├── versions.tf │ │ └── outputs.tf │ ├── cluster-autoscaler │ │ ├── versions.tf │ │ ├── values.yaml │ │ └── outputs.tf │ ├── external-secrets │ │ ├── versions.tf │ │ ├── main.tf │ │ └── outputs.tf │ ├── vpa │ │ ├── versions.tf │ │ └── outputs.tf │ ├── aws-privateca-issuer │ │ ├── versions.tf │ │ ├── data.tf │ │ ├── main.tf │ │ └── outputs.tf │ ├── crossplane │ │ ├── aws-provider │ │ │ ├── aws-provider-config.yaml │ │ │ ├── jet-aws-provider-config.yaml │ │ │ ├── jet-aws-provider.yaml │ │ │ ├── aws-provider.yaml │ │ │ ├── upbound-aws-provider-config.yaml │ │ │ ├── aws-controller-config.yaml │ │ │ ├── jet-aws-controller-config.yaml │ │ │ ├── upbound-aws-provider.yaml │ │ │ └── upbound-aws-controller-config.yaml │ │ ├── 
helm-provider │ │ │ ├── helm-controller-config.yaml │ │ │ ├── helm-provider.yaml │ │ │ ├── helm-provider-config.yaml │ │ │ └── helm-provider-clusterrolebinding.yaml │ │ ├── kubernetes-provider │ │ │ ├── kubernetes-controller-config.yaml │ │ │ ├── kubernetes-provider-config.yaml │ │ │ ├── kubernetes-provider.yaml │ │ │ └── kubernetes-controller-clusterrolebinding.yaml │ │ ├── versions.tf │ │ ├── outputs.tf │ │ └── data.tf │ ├── thanos │ │ ├── versions.tf │ │ ├── README.md │ │ ├── main.tf │ │ └── outputs.tf │ ├── traefik │ │ ├── versions.tf │ │ └── outputs.tf │ ├── yunikorn │ │ ├── versions.tf │ │ ├── values.yaml │ │ ├── main.tf │ │ ├── locals.tf │ │ └── outputs.tf │ ├── argo-rollouts │ │ ├── versions.tf │ │ ├── main.tf │ │ ├── locals.tf │ │ └── outputs.tf │ ├── ingress-nginx │ │ ├── versions.tf │ │ └── outputs.tf │ ├── metrics-server │ │ ├── versions.tf │ │ ├── main.tf │ │ ├── locals.tf │ │ └── outputs.tf │ ├── kuberay-operator │ │ ├── versions.tf │ │ ├── kuberay-operator-config │ │ │ ├── Chart.yaml │ │ │ └── templates │ │ │ │ ├── serviceaccount.yaml │ │ │ │ ├── service.yaml │ │ │ │ ├── leader-rolebinding.yaml │ │ │ │ ├── rolebinding.yaml │ │ │ │ └── leader-role.yaml │ │ ├── outputs.tf │ │ ├── variables.tf │ │ └── main.tf │ ├── kubernetes-dashboard │ │ ├── versions.tf │ │ ├── main.tf │ │ ├── locals.tf │ │ └── outputs.tf │ ├── spark-k8s-operator │ │ ├── versions.tf │ │ └── outputs.tf │ ├── kube-prometheus-stack │ │ ├── versions.tf │ │ ├── README.md │ │ └── outputs.tf │ ├── secrets-store-csi-driver │ │ ├── versions.tf │ │ ├── main.tf │ │ ├── locals.tf │ │ └── outputs.tf │ ├── csi-secrets-store-provider-aws │ │ ├── versions.tf │ │ └── outputs.tf │ ├── versions.tf │ ├── airflow │ │ ├── versions.tf │ │ ├── values.yaml │ │ ├── outputs.tf │ │ └── variables.tf │ ├── emr-on-eks │ │ └── versions.tf │ ├── argo-workflows │ │ ├── versions.tf │ │ └── outputs.tf │ ├── prometheus │ │ ├── versions.tf │ │ └── outputs.tf │ ├── opentelemetry-operator │ │ ├── versions.tf │ │ └── 
outputs.tf │ ├── aws-coredns │ │ ├── versions.tf │ │ └── outputs.tf │ └── data.tf ├── aws-kms │ ├── versions.tf │ ├── outputs.tf │ └── main.tf ├── launch-templates │ ├── versions.tf │ ├── templates │ │ └── userdata-bottlerocket.tpl │ └── variables.tf ├── aws-eks-fargate-profiles │ ├── versions.tf │ ├── variables.tf │ └── outputs.tf ├── aws-eks-managed-node-groups │ ├── versions.tf │ ├── templates │ │ └── userdata-bottlerocket.tpl │ └── data.tf ├── aws-eks-self-managed-node-groups │ └── versions.tf ├── irsa │ ├── versions.tf │ └── outputs.tf ├── emr-on-eks │ ├── outputs.tf │ ├── data.tf │ ├── locals.tf │ ├── versions.tf │ └── variables.tf └── aws-eks-teams │ ├── versions.tf │ └── locals.tf ├── CODEOWNERS ├── .github ├── ISSUE_TEMPLATE │ ├── config.yml │ └── question.md ├── workflows │ ├── linkcheck.json │ ├── pr-title.yml │ └── markdown-link-check.yml └── scripts │ ├── delete-log-groups.py │ └── plan-examples.py ├── CODE_OF_CONDUCT.md ├── NOTICE.txt ├── mkdocs.yml ├── tfsec.yaml └── versions.tf /examples/argocd/variables.tf: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /examples/karpenter/variables.tf: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /examples/stateful/variables.tf: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /docs/internal/.pages: -------------------------------------------------------------------------------- 1 | hide: true 2 | -------------------------------------------------------------------------------- /examples/external-secrets/variables.tf: -------------------------------------------------------------------------------- 1 | 
-------------------------------------------------------------------------------- /examples/ipv6-eks-cluster/variables.tf: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /examples/fargate-serverless/variables.tf: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /examples/fully-private-cluster/variables.tf: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /examples/agones-game-controller/variables.tf: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /examples/ipv4-prefix-delegation/variables.tf: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /examples/multi-tenancy-with-teams/variables.tf: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /examples/vpc-cni-custom-networking/variables.tf: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/app-2048/outputs.tf: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/app-2048/variables.tf: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- 
/modules/kubernetes-addons/portworx/outputs.tf: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/aws-kube-proxy/outputs.tf: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @aws-ia/internal-terraform-eks-admins 2 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/fargate-fluentbit/outputs.tf: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/config.yml: -------------------------------------------------------------------------------- 1 | blank_issues_enabled: false 2 | -------------------------------------------------------------------------------- /docs/add-ons/.pages: -------------------------------------------------------------------------------- 1 | nav: 2 | - Overview: index.md 3 | - ... 
4 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/aws-cloudwatch-metrics/values.yaml: -------------------------------------------------------------------------------- 1 | clusterName: ${eks_cluster_id} 2 | -------------------------------------------------------------------------------- /examples/eks-efa/.gitignore: -------------------------------------------------------------------------------- 1 | tfplan 2 | *.tfstate 3 | *.backup 4 | TODO*.* 5 | .terraform 6 | *.hcl 7 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/calico/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | } 4 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/cilium/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | } 4 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/consul/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | } 4 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/kyverno/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | } 4 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/chaos-mesh/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | } 4 | -------------------------------------------------------------------------------- 
/modules/kubernetes-addons/gatekeeper/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | } 4 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/kubecost/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | } 4 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/promtail/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | } 4 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/reloader/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | } 4 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/consul/values.yaml: -------------------------------------------------------------------------------- 1 | global: 2 | name: consul 3 | 4 | server: 5 | replicas: 3 6 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/datadog-operator/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | } 4 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/kube-state-metrics/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | } 4 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/smb-csi-driver/versions.tf: 
-------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | } 4 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/cert-manager-istio-csr/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | } 4 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/nvidia-device-plugin/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | } 4 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/spark-history-server/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | } 4 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/strimzi-kafka-operator/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | } 4 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/cert-manager-csi-driver/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | } 4 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/local-volume-provisioner/local-static-provisioner/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | provisioner installed 2 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/local-volume-provisioner/versions.tf: 
-------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | } 4 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/cluster-proportional-autoscaler/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | } 4 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/cert-manager/values.yaml: -------------------------------------------------------------------------------- 1 | extraArgs: 2 | - --enable-certificate-owner-ref=true 3 | 4 | installCRDs: true 5 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/agones/data.tf: -------------------------------------------------------------------------------- 1 | data "aws_security_group" "eks_worker_group" { 2 | id = var.eks_worker_security_group_id 3 | } 4 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/app-2048/README.md: -------------------------------------------------------------------------------- 1 | # App [2048](https://play2048.co/) 2 | 3 | Sample application for demonstrating and testing Kubernetes. 
4 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/aws-load-balancer-controller/values.yaml: -------------------------------------------------------------------------------- 1 | clusterName: ${eks_cluster_id} 2 | region: ${aws_region} 3 | image: 4 | repository: ${repository} 5 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/cert-manager/cert-manager-letsencrypt/values.yaml: -------------------------------------------------------------------------------- 1 | # email: user@example.com 2 | 3 | # region: global 4 | 5 | # dnsZones: 6 | # - domain.name 7 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/sysdig/README.md: -------------------------------------------------------------------------------- 1 | # Sysdig Addon for EKS Blueprints 2 | 3 | Local copy of https://github.com/sysdiglabs/terraform-eksblueprints-sysdig-addon 4 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/tetrate-istio/versions.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) Tetrate, Inc 2022 All Rights Reserved. 
2 | 3 | terraform { 4 | required_version = ">= 1.0.0" 5 | } 6 | -------------------------------------------------------------------------------- /examples/blue-green-upgrade/static/eks-argo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tetratelabs/aws-eks-accelerator-for-terraform/main/examples/blue-green-upgrade/static/eks-argo.png -------------------------------------------------------------------------------- /modules/kubernetes-addons/portworx/README.md: -------------------------------------------------------------------------------- 1 | # Portworx add-on for EKS Blueprints 2 | 3 | Local copy of https://github.com/portworx/terraform-eksblueprints-portworx-addon 4 | -------------------------------------------------------------------------------- /examples/blue-green-upgrade/static/archi-blue.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tetratelabs/aws-eks-accelerator-for-terraform/main/examples/blue-green-upgrade/static/archi-blue.png -------------------------------------------------------------------------------- /examples/blue-green-upgrade/static/archi-green.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tetratelabs/aws-eks-accelerator-for-terraform/main/examples/blue-green-upgrade/static/archi-green.png -------------------------------------------------------------------------------- /examples/blue-green-upgrade/static/archi-blue-green.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tetratelabs/aws-eks-accelerator-for-terraform/main/examples/blue-green-upgrade/static/archi-blue-green.png -------------------------------------------------------------------------------- /examples/blue-green-upgrade/static/burnham-records.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/tetratelabs/aws-eks-accelerator-for-terraform/main/examples/blue-green-upgrade/static/burnham-records.png -------------------------------------------------------------------------------- /examples/blue-green-upgrade/static/burnham-records2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tetratelabs/aws-eks-accelerator-for-terraform/main/examples/blue-green-upgrade/static/burnham-records2.png -------------------------------------------------------------------------------- /examples/blue-green-upgrade/static/burnham-records3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tetratelabs/aws-eks-accelerator-for-terraform/main/examples/blue-green-upgrade/static/burnham-records3.png -------------------------------------------------------------------------------- /examples/blue-green-upgrade/static/github-ssh-secret.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tetratelabs/aws-eks-accelerator-for-terraform/main/examples/blue-green-upgrade/static/github-ssh-secret.png -------------------------------------------------------------------------------- /modules/kubernetes-addons/spark-history-server/values.yaml: -------------------------------------------------------------------------------- 1 | 2 | sparkHistoryOpts: "-Dspark.history.fs.logDirectory="${s3a_path} 3 | 4 | nodeSelector: 5 | kubernetes.io/os: ${operating_system} 6 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/local-volume-provisioner/main.tf: -------------------------------------------------------------------------------- 1 | module "helm_addon" { 2 | source = "../helm-addon" 3 | helm_config = local.helm_config 4 | 
addon_context = var.addon_context 5 | } 6 | -------------------------------------------------------------------------------- /modules/aws-kms/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/sysdig/main.tf: -------------------------------------------------------------------------------- 1 | module "helm_addon" { 2 | source = "../helm-addon" 3 | 4 | addon_context = var.addon_context 5 | set_values = local.set_values 6 | helm_config = local.helm_config 7 | } 8 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/adot-collector-haproxy/otel-config/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: opentelemetry 3 | description: A Helm chart to install otel operator 4 | type: application 5 | version: 0.2.0 6 | appVersion: v0.1.0 7 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/adot-collector-java/otel-config/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: opentelemetry 3 | description: A Helm chart to install otel operator 4 | type: application 5 | version: 0.2.0 6 | appVersion: v0.1.0 7 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/adot-collector-nginx/otel-config/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: opentelemetry 3 | description: A Helm chart to install otel operator 4 | type: application 5 | version: 0.2.0 6 | appVersion: v0.1.0 7 | 
-------------------------------------------------------------------------------- /modules/kubernetes-addons/cert-manager/cert-manager-ca/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: cert-manager-ca 3 | description: A Helm chart to install a Cert Manager CA 4 | type: application 5 | version: 0.2.0 6 | appVersion: v0.1.0 7 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/keda/values.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | limits: 3 | cpu: 1 4 | memory: 1000Mi 5 | requests: 6 | cpu: 100m 7 | memory: 100Mi 8 | 9 | nodeSelector: 10 | kubernetes.io/os: linux 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/portworx/main.tf: -------------------------------------------------------------------------------- 1 | module "helm_addon" { 2 | source = "../helm-addon" 3 | 4 | addon_context = var.addon_context 5 | helm_config = local.helm_config 6 | irsa_config = local.irsa_config 7 | } 8 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/sysdig/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? 
{ enable = true } : null 4 | } 5 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/adot-collector-memcached/otel-config/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: opentelemetry 3 | description: A Helm chart to install otel operator 4 | type: application 5 | version: 0.2.0 6 | appVersion: v0.1.0 7 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/aws-for-fluentbit/values.yaml: -------------------------------------------------------------------------------- 1 | serviceAccount: 2 | create: false 3 | name: ${service_account} 4 | 5 | cloudWatchLogs: 6 | enabled: true 7 | region: ${aws_region} 8 | logGroupName: ${log_group_name} 9 | -------------------------------------------------------------------------------- /modules/launch-templates/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /examples/wireguard-with-cilium/variables.tf: -------------------------------------------------------------------------------- 1 | # tflint-ignore: terraform_unused_declarations 2 | variable "enable_example" { 3 | description = "Enable example to test this blueprint" 4 | type = bool 5 | default = true 6 | } 7 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/aws-node-termination-handler/values.yaml: -------------------------------------------------------------------------------- 1 | enableSqsTerminationDraining: true 2 | enablePrometheusServer: true 3 | %{ if length(autoscaling_group_names) == 0 ~} 4 | checkASGTagBeforeDraining: false 5 | %{ endif 
~} 6 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/consul/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? local.argocd_gitops_config : null 4 | } 5 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/keda/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/ondat/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? 
local.argocd_gitops_config : null 4 | } 5 | -------------------------------------------------------------------------------- /modules/aws-eks-fargate-profiles/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/aws-eks-managed-node-groups/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/grafana/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/karpenter/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/strimzi-kafka-operator/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for strimzi-kafka-operator. 
2 | 3 | resources: 4 | limits: 5 | memory: 1Gi 6 | cpu: 1000m 7 | requests: 8 | memory: 1Gi 9 | cpu: 1000m 10 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/velero/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/aws-eks-self-managed-node-groups/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/argocd/argocd-application/helm/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: argo-application 3 | description: A Helm chart that installs an ArgoCD Application resource. 
4 | type: application 5 | version: 0.1.0 6 | appVersion: 0.1.0 7 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/aws-kube-proxy/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 4.10" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/aws-vpc-cni/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 4.10" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/consul/main.tf: -------------------------------------------------------------------------------- 1 | module "helm_addon" { 2 | source = "../helm-addon" 3 | helm_config = local.helm_config 4 | manage_via_gitops = var.manage_via_gitops 5 | addon_context = var.addon_context 6 | } 7 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/external-dns/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/helm-addon/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | helm = { 6 | source = "hashicorp/helm" 7 | version = ">= 2.4.1" 8 | } 9 | } 10 | } 11 | 
-------------------------------------------------------------------------------- /examples/blue-green-upgrade/modules/eks_cluster/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 4.47" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/appmesh-controller/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/aws-ebs-csi-driver/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 4.10" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/aws-efs-csi-driver/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/aws-for-fluentbit/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | } 10 | } 11 | 
-------------------------------------------------------------------------------- /modules/kubernetes-addons/aws-fsx-csi-driver/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/cluster-autoscaler/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/external-secrets/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/ondat/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | kubernetes = { 6 | source = "hashicorp/kubernetes" 7 | version = ">= 2.6.1" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/vpa/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | kubernetes = { 6 | source = "hashicorp/kubernetes" 7 | version = ">= 2.10" 8 | } 9 | } 10 | } 11 | 
-------------------------------------------------------------------------------- /modules/launch-templates/templates/userdata-bottlerocket.tpl: -------------------------------------------------------------------------------- 1 | ${pre_userdata} 2 | [settings.kubernetes] 3 | api-server = "${cluster_endpoint}" 4 | cluster-certificate = "${cluster_ca_base64}" 5 | cluster-name = "${eks_cluster_id}" 6 | ${post_userdata} 7 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/app-2048/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | kubernetes = { 6 | source = "hashicorp/kubernetes" 7 | version = ">= 2.10" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/aws-privateca-issuer/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/crossplane/aws-provider/aws-provider-config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: aws.crossplane.io/v1beta1 3 | kind: ProviderConfig 4 | metadata: 5 | name: ${aws-provider-config} 6 | spec: 7 | credentials: 8 | source: InjectedIdentity 9 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/thanos/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | kubernetes = { 6 | source = "hashicorp/kubernetes" 7 | version = ">= 2.10" 8 | 
} 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/traefik/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | kubernetes = { 6 | source = "hashicorp/kubernetes" 7 | version = ">= 2.10" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/yunikorn/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | kubernetes = { 6 | source = "hashicorp/kubernetes" 7 | version = ">= 2.10" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/aws-eks-managed-node-groups/templates/userdata-bottlerocket.tpl: -------------------------------------------------------------------------------- 1 | ${pre_userdata} 2 | [settings.kubernetes] 3 | api-server = "${cluster_endpoint}" 4 | cluster-certificate = "${cluster_ca_base64}" 5 | cluster-name = "${eks_cluster_id}" 6 | ${post_userdata} 7 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/argo-rollouts/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | kubernetes = { 6 | source = "hashicorp/kubernetes" 7 | version = ">= 2.10" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/aws-load-balancer-controller/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version 
= ">= 3.72" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/aws-node-termination-handler/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/crossplane/helm-provider/helm-controller-config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: pkg.crossplane.io/v1alpha1 2 | kind: ControllerConfig 3 | metadata: 4 | name: ${helm-controller-config} 5 | spec: 6 | serviceAccountName: ${helm-serviceaccount-name} 7 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/ingress-nginx/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | kubernetes = { 6 | source = "hashicorp/kubernetes" 7 | version = ">= 2.10" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/metrics-server/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | kubernetes = { 6 | source = "hashicorp/kubernetes" 7 | version = ">= 2.10" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/nvidia-device-plugin/main.tf: -------------------------------------------------------------------------------- 1 | module "helm_addon" { 2 | source = "../helm-addon" 3 | manage_via_gitops = var.manage_via_gitops 4 | helm_config = 
local.helm_config 5 | addon_context = var.addon_context 6 | } 7 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/crossplane/aws-provider/jet-aws-provider-config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: aws.jet.crossplane.io/v1alpha1 3 | kind: ProviderConfig 4 | metadata: 5 | name: jet-aws-provider-config 6 | spec: 7 | credentials: 8 | source: InjectedIdentity 9 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/fargate-fluentbit/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | kubernetes = { 6 | source = "hashicorp/kubernetes" 7 | version = ">= 2.10" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/kuberay-operator/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | kubernetes = { 6 | source = "hashicorp/kubernetes" 7 | version = ">= 2.10" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/kubernetes-dashboard/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | kubernetes = { 6 | source = "hashicorp/kubernetes" 7 | version = ">= 2.10" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/spark-k8s-operator/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | 
required_providers { 5 | kubernetes = { 6 | source = "hashicorp/kubernetes" 7 | version = ">= 2.10" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/kube-prometheus-stack/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | kubernetes = { 6 | source = "hashicorp/kubernetes" 7 | version = ">= 2.10" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/secrets-store-csi-driver/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | kubernetes = { 6 | source = "hashicorp/kubernetes" 7 | version = ">= 2.10" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/csi-secrets-store-provider-aws/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | kubernetes = { 6 | source = "hashicorp/kubernetes" 7 | version = ">= 2.10" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/crossplane/kubernetes-provider/kubernetes-controller-config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: pkg.crossplane.io/v1alpha1 2 | kind: ControllerConfig 3 | metadata: 4 | name: ${kubernetes-controller-config} 5 | spec: 6 | serviceAccountName: ${kubernetes-serviceaccount-name} 7 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/cert-manager/cert-manager-letsencrypt/Chart.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: cert-manager-letsencrypt 3 | description: Cert Manager Cluster Issuers for Let's Encrypt certificates with DNS01 protocol 4 | type: application 5 | version: 0.1.0 6 | appVersion: v0.1.0 7 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/crossplane/kubernetes-provider/kubernetes-provider-config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kubernetes.crossplane.io/v1alpha1 3 | kind: ProviderConfig 4 | metadata: 5 | name: ${kubernetes-provider-config} 6 | spec: 7 | credentials: 8 | source: InjectedIdentity 9 | -------------------------------------------------------------------------------- /examples/blue-green-upgrade/core-infra/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72.0" 8 | } 9 | random = { 10 | version = ">= 3" 11 | } 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/tetrate-istio/outputs.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) Tetrate, Inc 2022 All Rights Reserved. 2 | 3 | output "argocd_gitops_config" { 4 | description = "Configuration used for managing the add-on with ArgoCD" 5 | value = var.manage_via_gitops ? 
local.argocd_gitops_config : null 6 | } 7 | -------------------------------------------------------------------------------- /docs/advanced/.pages: -------------------------------------------------------------------------------- 1 | nav: 2 | - Bottlerocket: bottlerocket.md 3 | - Cluster Upgrades: cluster-upgrades.md 4 | - ECR Instructions: ecr-instructions.md 5 | - GitOps with Flux: gitops-with-flux.md 6 | - Multi-cluster: multi-cluster.md 7 | - Private Clusters: private-clusters.md 8 | - ... 9 | -------------------------------------------------------------------------------- /modules/aws-kms/outputs.tf: -------------------------------------------------------------------------------- 1 | output "key_id" { 2 | description = "The globally unique identifier for the key." 3 | value = aws_kms_key.this.key_id 4 | } 5 | 6 | output "key_arn" { 7 | description = "The Amazon Resource Name (ARN) of the key." 8 | value = aws_kms_key.this.arn 9 | } 10 | -------------------------------------------------------------------------------- /examples/argocd/outputs.tf: -------------------------------------------------------------------------------- 1 | output "configure_kubectl" { 2 | description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig" 3 | value = "aws eks --region ${local.region} update-kubeconfig --name ${module.eks.cluster_name}" 4 | } 5 | -------------------------------------------------------------------------------- /examples/karpenter/outputs.tf: -------------------------------------------------------------------------------- 1 | output "configure_kubectl" { 2 | description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig" 3 | value = "aws eks --region ${local.region} update-kubeconfig --name ${module.eks.cluster_name}" 4 | } 5 | 
-------------------------------------------------------------------------------- /examples/stateful/outputs.tf: -------------------------------------------------------------------------------- 1 | output "configure_kubectl" { 2 | description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig" 3 | value = "aws eks --region ${local.region} update-kubeconfig --name ${module.eks.cluster_name}" 4 | } 5 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/kuberay-operator/kuberay-operator-config/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | appVersion: "1.0" 3 | description: A Helm chart for Kubernetes 4 | name: kuberay-operator 5 | version: 0.1.0 6 | icon: https://github.com/ray-project/ray/raw/master/doc/source/images/ray_header_logo.png 7 | type: application 8 | -------------------------------------------------------------------------------- /docs/.pages: -------------------------------------------------------------------------------- 1 | nav: 2 | - Overview: index.md 3 | - Getting Started: getting-started.md 4 | - Core Concepts: core-concepts.md 5 | - IAM: iam 6 | - Teams: teams.md 7 | - Modules: modules 8 | - Add-ons: add-ons 9 | - Advanced: advanced 10 | - Extensibility: extensibility.md 11 | - ... 
12 | -------------------------------------------------------------------------------- /examples/appmesh-mtls/outputs.tf: -------------------------------------------------------------------------------- 1 | output "configure_kubectl" { 2 | description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig" 3 | value = "aws eks --region ${local.region} update-kubeconfig --name ${module.eks.cluster_name}" 4 | } 5 | -------------------------------------------------------------------------------- /examples/external-secrets/outputs.tf: -------------------------------------------------------------------------------- 1 | output "configure_kubectl" { 2 | description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig" 3 | value = "aws eks --region ${local.region} update-kubeconfig --name ${module.eks.cluster_name}" 4 | } 5 | -------------------------------------------------------------------------------- /examples/fargate-serverless/outputs.tf: -------------------------------------------------------------------------------- 1 | output "configure_kubectl" { 2 | description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig" 3 | value = "aws eks --region ${local.region} update-kubeconfig --name ${module.eks.cluster_name}" 4 | } 5 | -------------------------------------------------------------------------------- /examples/ipv6-eks-cluster/outputs.tf: -------------------------------------------------------------------------------- 1 | output "configure_kubectl" { 2 | description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig" 3 | value = "aws eks --region ${local.region} update-kubeconfig --name ${module.eks.cluster_name}" 4 | } 5 | 
-------------------------------------------------------------------------------- /modules/irsa/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.10" 12 | } 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/crossplane/aws-provider/jet-aws-provider.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: pkg.crossplane.io/v1 3 | kind: Provider 4 | metadata: 5 | name: ${aws-provider-name} 6 | spec: 7 | package: crossplane/provider-jet-aws:${provider-aws-version} 8 | controllerConfigRef: 9 | name: jet-aws-controller-config 10 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | time = { 10 | source = "hashicorp/time" 11 | version = ">= 0.8" 12 | } 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | ## Code of Conduct 2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 4 | opensource-codeofconduct@amazon.com with any additional questions or comments. 
5 | -------------------------------------------------------------------------------- /examples/agones-game-controller/outputs.tf: -------------------------------------------------------------------------------- 1 | output "configure_kubectl" { 2 | description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig" 3 | value = "aws eks --region ${local.region} update-kubeconfig --name ${module.eks.cluster_name}" 4 | } 5 | -------------------------------------------------------------------------------- /examples/fully-private-cluster/outputs.tf: -------------------------------------------------------------------------------- 1 | output "configure_kubectl" { 2 | description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig" 3 | value = "aws eks --region ${local.region} update-kubeconfig --name ${module.eks.cluster_name}" 4 | } 5 | -------------------------------------------------------------------------------- /examples/ipv4-prefix-delegation/outputs.tf: -------------------------------------------------------------------------------- 1 | output "configure_kubectl" { 2 | description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig" 3 | value = "aws eks --region ${local.region} update-kubeconfig --name ${module.eks.cluster_name}" 4 | } 5 | -------------------------------------------------------------------------------- /examples/tls-with-aws-pca-issuer/outputs.tf: -------------------------------------------------------------------------------- 1 | output "configure_kubectl" { 2 | description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig" 3 | value = "aws eks --region ${local.region} update-kubeconfig --name ${module.eks.cluster_name}" 4 | } 
5 | -------------------------------------------------------------------------------- /examples/wireguard-with-cilium/outputs.tf: -------------------------------------------------------------------------------- 1 | output "configure_kubectl" { 2 | description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig" 3 | value = "aws eks --region ${local.region} update-kubeconfig --name ${module.eks.cluster_name}" 4 | } 5 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/thanos/README.md: -------------------------------------------------------------------------------- 1 | # thanos Helm Chart 2 | 3 | ## Introduction 4 | 5 | [Thanos](https://github.com/bitnami/charts/tree/main/bitnami/thanos) is a highly available metrics system that can be added on top of existing Prometheus deployments, providing a global query view across all Prometheus installations. 
6 | -------------------------------------------------------------------------------- /examples/vpc-cni-custom-networking/outputs.tf: -------------------------------------------------------------------------------- 1 | output "configure_kubectl" { 2 | description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig" 3 | value = "aws eks --region ${local.region} update-kubeconfig --name ${module.eks.cluster_name}" 4 | } 5 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/adot-collector-java/otel-config/values.yaml: -------------------------------------------------------------------------------- 1 | ampurl: ${amp_url} 2 | region: ${region} 3 | prometheusMetricsEndpoint: ${prometheus_metrics_endpoint} 4 | prometheusMetricsPort: ${prometheus_metrics_port} 5 | scrapeInterval: ${scrape_interval} 6 | scrapeTimeout: ${scrape_timeout} 7 | scrapeSampleLimit: ${scrape_sample_limit} 8 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/adot-collector-nginx/otel-config/values.yaml: -------------------------------------------------------------------------------- 1 | ampurl: ${amp_url} 2 | region: ${region} 3 | prometheusMetricsEndpoint: ${prometheus_metrics_endpoint} 4 | prometheusMetricsPort: ${prometheus_metrics_port} 5 | scrapeInterval: ${scrape_interval} 6 | scrapeTimeout: ${scrape_timeout} 7 | scrapeSampleLimit: ${scrape_sample_limit} 8 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/aws-cloudwatch-metrics/main.tf: -------------------------------------------------------------------------------- 1 | module "helm_addon" { 2 | source = "../helm-addon" 3 | manage_via_gitops = var.manage_via_gitops 4 | set_values = local.set_values 5 | helm_config = local.helm_config 6 | irsa_config = local.irsa_config 7 | addon_context = 
var.addon_context 8 | } 9 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/cert-manager/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 4.10" 8 | } 9 | helm = { 10 | source = "hashicorp/helm" 11 | version = ">= 2.4.1" 12 | } 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/crossplane/aws-provider/aws-provider.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: pkg.crossplane.io/v1 3 | kind: Provider 4 | metadata: 5 | name: ${aws-provider-name} 6 | spec: 7 | package: xpkg.upbound.io/crossplane-contrib/provider-aws:${provider-aws-version} 8 | controllerConfigRef: 9 | name: ${aws-controller-config} 10 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/kuberay-operator/kuberay-operator-config/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ template "kuberay-operator.serviceAccountName" . }} 6 | labels: 7 | {{ include "kuberay-operator.labels" . 
| indent 4 }} 8 | {{- end -}} 9 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/spark-history-server/main.tf: -------------------------------------------------------------------------------- 1 | module "helm_addon" { 2 | source = "../helm-addon" 3 | manage_via_gitops = var.manage_via_gitops 4 | helm_config = local.helm_config 5 | set_values = local.set_values 6 | irsa_config = local.irsa_config 7 | addon_context = var.addon_context 8 | } 9 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/adot-collector-haproxy/otel-config/values.yaml: -------------------------------------------------------------------------------- 1 | ampurl: ${amp_url} 2 | region: ${region} 3 | prometheusMetricsEndpoint: ${prometheus_metrics_endpoint} 4 | prometheusMetricsPort: ${prometheus_metrics_port} 5 | scrapeInterval: ${scrape_interval} 6 | scrapeTimeout: ${scrape_timeout} 7 | scrapeSampleLimit: ${scrape_sample_limit} 8 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/adot-collector-memcached/otel-config/values.yaml: -------------------------------------------------------------------------------- 1 | ampurl: ${amp_url} 2 | region: ${region} 3 | prometheusMetricsEndpoint: ${prometheus_metrics_endpoint} 4 | prometheusMetricsPort: ${prometheus_metrics_port} 5 | scrapeInterval: ${scrape_interval} 6 | scrapeTimeout: ${scrape_timeout} 7 | scrapeSampleLimit: ${scrape_sample_limit} 8 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/agones/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.10" 
12 | } 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/airflow/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.10" 12 | } 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/crossplane/helm-provider/helm-provider.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: pkg.crossplane.io/v1 3 | kind: Provider 4 | metadata: 5 | name: ${helm-provider-name} 6 | spec: 7 | package: xpkg.upbound.io/crossplane-contrib/provider-helm:${provider-helm-version} 8 | controllerConfigRef: 9 | name: ${helm-controller-config} 10 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/emr-on-eks/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 4.13" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.10" 12 | } 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/sysdig/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.10" 12 | } 13 | } 14 | } 15 | 
-------------------------------------------------------------------------------- /modules/kubernetes-addons/argo-workflows/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.10" 12 | } 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/prometheus/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.10" 12 | } 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /modules/emr-on-eks/outputs.tf: -------------------------------------------------------------------------------- 1 | output "emr_on_eks_role_arn" { 2 | description = "IAM execution role ARN for EMR on EKS" 3 | value = aws_iam_role.emr_on_eks_execution[*].arn 4 | } 5 | 6 | output "emr_on_eks_role_id" { 7 | description = "IAM execution role ID for EMR on EKS" 8 | value = aws_iam_role.emr_on_eks_execution[*].id 9 | } 10 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/adot-collector-java/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.10" 12 | } 13 | } 14 | } 15 | 
-------------------------------------------------------------------------------- /modules/kubernetes-addons/adot-collector-haproxy/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.10" 12 | } 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/adot-collector-memcached/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.10" 12 | } 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/adot-collector-nginx/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.10" 12 | } 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/crossplane/aws-provider/upbound-aws-provider-config.yaml: -------------------------------------------------------------------------------- 1 | # https://github.com/upbound/provider-aws/blob/main/docs/Configuration.md#create-a-providerconfig 2 | --- 3 | apiVersion: aws.upbound.io/v1beta1 4 | kind: ProviderConfig 5 | metadata: 6 | name: ${upbound-aws-provider-config} 7 | spec: 8 | credentials: 9 | source: IRSA 10 | 
-------------------------------------------------------------------------------- /modules/kubernetes-addons/opentelemetry-operator/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.10" 12 | } 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /examples/tls-with-aws-pca-issuer/variables.tf: -------------------------------------------------------------------------------- 1 | variable "certificate_name" { 2 | type = string 3 | description = "name for the certificate" 4 | default = "example" 5 | } 6 | 7 | variable "certificate_dns" { 8 | type = string 9 | description = "CommonName used in the Certificate, usually DNS " 10 | default = "example.com" 11 | } 12 | -------------------------------------------------------------------------------- /modules/aws-eks-managed-node-groups/data.tf: -------------------------------------------------------------------------------- 1 | data "aws_iam_policy_document" "managed_ng_assume_role_policy" { 2 | statement { 3 | sid = "EKSWorkerAssumeRole" 4 | 5 | actions = [ 6 | "sts:AssumeRole", 7 | ] 8 | 9 | principals { 10 | type = "Service" 11 | identifiers = [local.ec2_principal] 12 | } 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/crossplane/aws-provider/aws-controller-config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: pkg.crossplane.io/v1alpha1 3 | kind: ControllerConfig 4 | metadata: 5 | name: ${aws-controller-config} 6 | annotations: 7 | eks.amazonaws.com/role-arn: ${iam-role-arn} 8 | spec: 9 | podSecurityContext: 10 | fsGroup: 2000 11 | args: 12 | - --debug 13 | 
-------------------------------------------------------------------------------- /modules/emr-on-eks/data.tf: -------------------------------------------------------------------------------- 1 | data "aws_region" "current" {} 2 | 3 | data "aws_iam_policy_document" "emr_assume_role" { 4 | statement { 5 | sid = "" 6 | effect = "Allow" 7 | actions = ["sts:AssumeRole"] 8 | 9 | principals { 10 | type = "Service" 11 | identifiers = ["elasticmapreduce.amazonaws.com"] 12 | } 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/crossplane/aws-provider/jet-aws-controller-config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: pkg.crossplane.io/v1alpha1 3 | kind: ControllerConfig 4 | metadata: 5 | name: jet-aws-controller-config 6 | annotations: 7 | eks.amazonaws.com/role-arn: ${iam-role-arn} 8 | spec: 9 | podSecurityContext: 10 | fsGroup: 2000 11 | args: 12 | - --debug 13 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/aws-vpc-cni/outputs.tf: -------------------------------------------------------------------------------- 1 | output "irsa_arn" { 2 | description = "IAM role ARN for the service account" 3 | value = try(module.irsa_addon[0].irsa_iam_role_arn, null) 4 | } 5 | 6 | output "irsa_name" { 7 | description = "IAM role name for the service account" 8 | value = try(module.irsa_addon[0].irsa_iam_role_name, null) 9 | } 10 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/aws-privateca-issuer/data.tf: -------------------------------------------------------------------------------- 1 | data "aws_iam_policy_document" "aws_privateca_issuer" { 2 | statement { 3 | effect = "Allow" 4 | resources = [var.aws_privateca_acmca_arn] 5 | actions = [ 6 | "acm-pca:DescribeCertificateAuthority", 7 | "acm-pca:GetCertificate", 8 | 
"acm-pca:IssueCertificate", 9 | ] 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/cluster-autoscaler/values.yaml: -------------------------------------------------------------------------------- 1 | awsRegion: ${aws_region} 2 | 3 | autoDiscovery: 4 | clusterName: ${eks_cluster_id} 5 | extraArgs: 6 | aws-use-static-instance-list: true 7 | 8 | image: 9 | tag: ${image_tag} 10 | 11 | resources: 12 | limits: 13 | cpu: 200m 14 | memory: 512Mi 15 | requests: 16 | cpu: 200m 17 | memory: 512Mi 18 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/crossplane/kubernetes-provider/kubernetes-provider.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: pkg.crossplane.io/v1 3 | kind: Provider 4 | metadata: 5 | name: ${kubernetes-provider-name} 6 | spec: 7 | package: xpkg.upbound.io/crossplane-contrib/provider-kubernetes:${provider-kubernetes-version} 8 | controllerConfigRef: 9 | name: ${kubernetes-controller-config} 10 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/crossplane/helm-provider/helm-provider-config.yaml: -------------------------------------------------------------------------------- 1 | # https://github.com/crossplane-contrib/provider-helm/blob/master/examples/provider-config/provider-config-incluster.yaml 2 | --- 3 | apiVersion: helm.crossplane.io/v1beta1 4 | kind: ProviderConfig 5 | metadata: 6 | name: ${helm-provider-config} 7 | spec: 8 | credentials: 9 | source: InjectedIdentity 10 | -------------------------------------------------------------------------------- /modules/emr-on-eks/locals.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | 3 | default_emr_eks_team = { 4 | namespace = "emr-on-eks-spark" 5 | job_execution_role = "emr-on-eks-job-role" 6 | 
additional_iam_policies = [] 7 | } 8 | 9 | emr_on_eks_team = merge( 10 | local.default_emr_eks_team, 11 | var.emr_on_eks_teams 12 | ) 13 | 14 | emr_service_name = "emr-containers" 15 | } 16 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/cert-manager/cert-manager-ca/templates/clusterissuers.yaml: -------------------------------------------------------------------------------- 1 | {{- range .Values.clusterIssuers }} 2 | --- 3 | apiVersion: cert-manager.io/v1 4 | kind: ClusterIssuer 5 | metadata: 6 | name: {{ .name }} 7 | spec: 8 | {{- if eq .type "selfSigned" }} 9 | selfSigned: {} 10 | {{- else if eq .type "CA" }} 11 | ca: 12 | secretName: {{ .secretName }} 13 | {{- end }} 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/sysdig/values-sysdig.yaml: -------------------------------------------------------------------------------- 1 | global: 2 | kspm: 3 | deploy: true 4 | agent: 5 | sysdig: 6 | settings: 7 | collector_port: 6443 8 | nodeAnalyzer: 9 | nodeAnalyzer: 10 | benchmarkRunner: 11 | deploy: false 12 | runtimeScanner: 13 | settings: 14 | eveEnabled: true 15 | secure: 16 | vulnerabilityManagement: 17 | newEngineOnly: true 18 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/portworx/variables.tf: -------------------------------------------------------------------------------- 1 | variable "helm_config" { 2 | description = "Helm chart config. Repository and version required. 
See https://registry.terraform.io/providers/hashicorp/helm/latest/docs" 3 | type = any 4 | default = {} 5 | } 6 | 7 | variable "addon_context" { 8 | description = "Input configuration for the addon" 9 | type = any 10 | default = {} 11 | } 12 | -------------------------------------------------------------------------------- /modules/emr-on-eks/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.10" 12 | } 13 | null = { 14 | source = "hashicorp/null" 15 | version = ">= 3.1" 16 | } 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/cert-manager/cert-manager-ca/values.yaml: -------------------------------------------------------------------------------- 1 | clusterIssuers: 2 | - name: cert-manager-selfsigned 3 | type: selfSigned 4 | - name: cert-manager-ca 5 | type: CA 6 | secretName: cert-manager-ca-root 7 | privateKey: 8 | algorithm: ECDSA 9 | size: 256 10 | issuer: 11 | name: cert-manager-selfsigned 12 | kind: ClusterIssuer 13 | group: cert-manager.io 14 | -------------------------------------------------------------------------------- /docs/add-ons/fargate-fluent-bit.md: -------------------------------------------------------------------------------- 1 | ## Fluent Bit for Fargate 2 | 3 | [Fluent Bit for Fargate](https://aws.amazon.com/blogs/containers/fluent-bit-for-amazon-eks-on-aws-fargate-is-here/) configures Fluent Bit to forward Fargate Container logs to CloudWatch. 4 | 5 | ### Usage 6 | 7 | Fluent Bit for Fargate can be deployed by enabling the add-on via the following. 
8 | 9 | ```hcl 10 | enable_fargate_fluentbit = true 11 | ``` 12 | -------------------------------------------------------------------------------- /modules/launch-templates/variables.tf: -------------------------------------------------------------------------------- 1 | variable "launch_template_config" { 2 | description = "Launch template configuration" 3 | type = any 4 | } 5 | 6 | variable "eks_cluster_id" { 7 | description = "EKS Cluster ID" 8 | type = string 9 | } 10 | 11 | variable "tags" { 12 | description = "Additional tags (e.g. `map('BusinessUnit', 'XYZ')`)" 13 | type = map(string) 14 | default = {} 15 | } 16 | -------------------------------------------------------------------------------- /examples/agones-game-controller/test/xonotic/gameserver.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "agones.dev/v1" 2 | kind: GameServer 3 | metadata: 4 | name: "xonotic" 5 | spec: 6 | ports: 7 | - name: default 8 | containerPort: 26000 9 | template: 10 | spec: 11 | containers: 12 | - name: xonotic 13 | image: gcr.io/agones-images/xonotic-example:0.8 14 | # imagePullPolicy: Always # add for development 15 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/aws-coredns/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 4.10" 8 | } 9 | null = { 10 | source = "hashicorp/null" 11 | version = ">= 3.0" 12 | } 13 | time = { 14 | source = "hashicorp/time" 15 | version = ">= 0.8" 16 | } 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /examples/blue-green-upgrade/core-infra/outputs.tf: -------------------------------------------------------------------------------- 1 | output "vpc_id" { 2 | description = "The ID of the VPC" 3 | value = 
module.vpc.vpc_id 4 | } 5 | 6 | output "aws_route53_zone" { 7 | description = "The new Route53 Zone" 8 | value = aws_route53_zone.sub.name 9 | } 10 | 11 | output "aws_acm_certificate_status" { 12 | description = "Status of Certificate" 13 | value = module.acm.acm_certificate_status 14 | } 15 | -------------------------------------------------------------------------------- /examples/blue-green-upgrade/eks-blue/outputs.tf: -------------------------------------------------------------------------------- 1 | output "eks_cluster_id" { 2 | description = "The name of the EKS cluster." 3 | value = module.eks_cluster.eks_cluster_id 4 | } 5 | 6 | output "configure_kubectl" { 7 | description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig" 8 | value = module.eks_cluster.configure_kubectl 9 | } 10 | -------------------------------------------------------------------------------- /examples/blue-green-upgrade/eks-green/outputs.tf: -------------------------------------------------------------------------------- 1 | output "eks_cluster_id" { 2 | description = "The name of the EKS cluster." 
3 | value = module.eks_cluster.eks_cluster_id 4 | } 5 | 6 | output "configure_kubectl" { 7 | description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig" 8 | value = module.eks_cluster.configure_kubectl 9 | } 10 | -------------------------------------------------------------------------------- /modules/aws-eks-teams/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.10" 12 | } 13 | kubectl = { 14 | source = "gavinbunney/kubectl" 15 | version = ">= 1.14" 16 | } 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/crossplane/helm-provider/helm-provider-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: "provider-helm-admin-binding" 5 | subjects: 6 | - kind: ServiceAccount 7 | name: ${helm-serviceaccount-name} 8 | namespace: ${namespace} 9 | roleRef: 10 | kind: ClusterRole 11 | name: ${cluster-role} 12 | apiGroup: rbac.authorization.k8s.io 13 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/portworx/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 4.67" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.10" 12 | } 13 | random = { 14 | source = "hashicorp/random" 15 | version = ">= 3.0" 16 | } 17 | } 18 | } 19 | 
-------------------------------------------------------------------------------- /modules/kubernetes-addons/adot-collector-java/otel-config/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: otel-prometheus-role-binding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: otel-prometheus-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: adot-collector-java 12 | namespace: adot-collector-java 13 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/adot-collector-nginx/otel-config/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: otel-prometheus-role-binding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: otel-prometheus-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: adot-collector-nginx 12 | namespace: adot-collector-nginx 13 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/velero/values.yaml: -------------------------------------------------------------------------------- 1 | initContainers: 2 | - name: velero-plugin-for-aws 3 | image: velero/velero-plugin-for-aws:v1.5.0 4 | volumeMounts: 5 | - mountPath: /target 6 | name: plugins 7 | 8 | configuration: 9 | provider: aws 10 | backupStorageLocation: 11 | bucket: ${bucket} 12 | volumeSnapshotLocation: 13 | config: 14 | region: ${region} 15 | 16 | credentials: 17 | useSecret: false 18 | -------------------------------------------------------------------------------- /examples/eks-efa/outputs.tf: -------------------------------------------------------------------------------- 1 | output 
"eks_cluster_id" { 2 | description = "The name of the EKS cluster." 3 | value = module.eks.cluster_id 4 | } 5 | 6 | output "configure_kubectl" { 7 | description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig" 8 | value = "aws eks update-kubeconfig --region ${var.aws_region} --name ${module.eks.cluster_name}" 9 | } 10 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/adot-collector-haproxy/otel-config/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: otel-prometheus-role-binding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: otel-prometheus-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: adot-collector-haproxy 12 | namespace: adot-collector-haproxy 13 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/aws-cloudwatch-metrics/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.10" 12 | } 13 | helm = { 14 | source = "hashicorp/helm" 15 | version = ">= 2.4.1" 16 | } 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/crossplane/aws-provider/upbound-aws-provider.yaml: -------------------------------------------------------------------------------- 1 | # https://github.com/upbound/provider-aws/blob/main/docs/Configuration.md#create-a-provider 2 | --- 3 | apiVersion: pkg.crossplane.io/v1 4 | kind: Provider 5 | metadata: 6 | 
name: ${upbound-aws-provider-name} 7 | spec: 8 | package: xpkg.upbound.io/upbound/provider-aws:${upbound-provider-aws-version} 9 | controllerConfigRef: 10 | name: ${upbound-aws-controller-config} 11 | -------------------------------------------------------------------------------- /examples/agones-game-controller/test/xonotic/fleetautoscaler.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # A FleetAutoscaler is used to scale the fleet automatically 3 | # up and down depending on usage 4 | # 5 | 6 | apiVersion: "autoscaling.agones.dev/v1" 7 | kind: FleetAutoscaler 8 | metadata: 9 | name: xonotic-autoscaler 10 | spec: 11 | fleetName: xonotic 12 | policy: 13 | type: Buffer 14 | buffer: 15 | bufferSize: 2 16 | minReplicas: 0 17 | maxReplicas: 10 18 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/adot-collector-memcached/otel-config/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: otel-prometheus-role-binding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: otel-prometheus-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: adot-collector-memcached 12 | namespace: adot-collector-memcached 13 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/crossplane/kubernetes-provider/kubernetes-controller-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: ${kubernetes-serviceaccount-name} 5 | subjects: 6 | - kind: ServiceAccount 7 | name: ${kubernetes-serviceaccount-name} 8 | namespace: ${namespace} 9 | roleRef: 10 | kind: ClusterRole 11 | name: ${cluster-role} 
12 | apiGroup: rbac.authorization.k8s.io 13 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/argocd/values.yaml: -------------------------------------------------------------------------------- 1 | redis-ha: 2 | enabled: true 3 | 4 | controller: 5 | enableStatefulSet: true 6 | 7 | server: 8 | autoscaling: 9 | enabled: true 10 | minReplicas: 2 11 | 12 | repoServer: 13 | autoscaling: 14 | enabled: true 15 | minReplicas: 2 16 | 17 | configs: 18 | cm: 19 | # use annotation for tracking but keep labels for compatibility with other tools 20 | application.resourceTrackingMethod: annotation+label 21 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/yunikorn/values.yaml: -------------------------------------------------------------------------------- 1 | operatorPlugins: general,spark-k8s-operator 2 | 3 | service: 4 | type: ClusterIP 5 | port: 9080 6 | port_web: 9889 7 | 8 | # When this flag is true, the admission controller will be installed along with the scheduler. 9 | # When this flag is false, the admission controller will not be installed. 10 | # Once the admission controller is installed, all traffic will be routed to yunikorn. 11 | embedAdmissionController: false 12 | -------------------------------------------------------------------------------- /examples/amp-amg-opensearch/helm_values/aws-for-fluentbit-values.yaml: -------------------------------------------------------------------------------- 1 | serviceAccount: 2 | create: false 3 | name: "aws-for-fluent-bit-sa" 4 | 5 | elasticsearch: 6 | enabled: true 7 | match: "*" 8 | awsRegion: ${aws_region} 9 | host: ${host} 10 | 11 | # These plugins are not used in this example. 
They are enabled by default if not explicitly disabled 12 | firehose: 13 | enabled: false 14 | 15 | kinesis: 16 | enabled: false 17 | 18 | cloudWatch: 19 | enabled: false 20 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/crossplane/aws-provider/upbound-aws-controller-config.yaml: -------------------------------------------------------------------------------- 1 | # https://github.com/upbound/provider-aws/blob/main/docs/Configuration.md#create-a-controllerconfig 2 | --- 3 | apiVersion: pkg.crossplane.io/v1alpha1 4 | kind: ControllerConfig 5 | metadata: 6 | name: ${upbound-aws-controller-config} 7 | annotations: 8 | eks.amazonaws.com/role-arn: ${upbound-iam-role-arn} 9 | spec: 10 | podSecurityContext: 11 | fsGroup: 2000 12 | args: 13 | - --debug 14 | -------------------------------------------------------------------------------- /examples/fully-private-cluster/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 4.47" 8 | } 9 | } 10 | 11 | # ## Used for end-to-end testing on project; update to suit your needs 12 | # backend "s3" { 13 | # bucket = "terraform-ssp-github-actions-state" 14 | # region = "us-west-2" 15 | # key = "e2e/fully-private-cluster/terraform.tfstate" 16 | # } 17 | } 18 | -------------------------------------------------------------------------------- /modules/aws-kms/main.tf: -------------------------------------------------------------------------------- 1 | # Create a KMS customer managed key 2 | resource "aws_kms_key" "this" { 3 | description = var.description 4 | policy = var.policy 5 | enable_key_rotation = var.enable_key_rotation 6 | deletion_window_in_days = var.deletion_window_in_days 7 | tags = var.tags 8 | } 9 | 10 | # Assign an alias to the key 11 | resource "aws_kms_alias" "this" { 12 | name = 
var.alias 13 | target_key_id = aws_kms_key.this.key_id 14 | } 15 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/thanos/main.tf: -------------------------------------------------------------------------------- 1 | module "helm_addon" { 2 | source = "../helm-addon" 3 | helm_config = local.helm_config 4 | set_values = local.set_values 5 | irsa_config = local.irsa_config 6 | manage_via_gitops = var.manage_via_gitops 7 | addon_context = var.addon_context 8 | } 9 | 10 | resource "kubernetes_namespace_v1" "thanos" { 11 | count = local.create_namespace ? 1 : 0 12 | 13 | metadata { 14 | name = local.namespace_name 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /examples/appmesh-mtls/variables.tf: -------------------------------------------------------------------------------- 1 | variable "eks_cluster_domain" { 2 | description = "Route53 domain for the cluster" 3 | type = string 4 | default = "example.com" 5 | } 6 | 7 | variable "certificate_name" { 8 | description = "name for the certificate" 9 | type = string 10 | default = "example" 11 | } 12 | 13 | variable "certificate_dns" { 14 | description = "CommonName used in the Certificate, usually DNS" 15 | type = string 16 | default = "example.com" 17 | } 18 | -------------------------------------------------------------------------------- /examples/eks-efa/variables.tf: -------------------------------------------------------------------------------- 1 | variable "aws_region" { 2 | description = "AWS Region" 3 | type = string 4 | default = "us-east-1" 5 | } 6 | 7 | variable "cluster_name" { 8 | description = "EKS Cluster Name" 9 | type = string 10 | default = "eks-efa" 11 | } 12 | # Control-plane log types shipped to CloudWatch. Keep "audit" and "authenticator" in the list: they are the log types security monitoring and incident response depend on. 13 | variable "cluster_enabled_log_types" { 14 | description = "EKS Cluster Control Plane Logging" 15 | type = list(any) 16 | default = ["api", "authenticator", "audit", "scheduler", "controllerManager"] 17 | } 18 | 
-------------------------------------------------------------------------------- /modules/kubernetes-addons/local-volume-provisioner/locals.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | default_helm_config = { 3 | name = "local-static-provisioner" 4 | chart = "${path.module}/local-static-provisioner" 5 | version = "2.6.0-alpha.1" 6 | namespace = "local-static-provisioner" 7 | create_namespace = true 8 | description = "local provisioner helm chart configuration" 9 | } 10 | 11 | helm_config = merge( 12 | local.default_helm_config, 13 | var.helm_config 14 | ) 15 | } 16 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/argocd/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.10" 12 | } 13 | helm = { 14 | source = "hashicorp/helm" 15 | version = ">= 2.4.1" 16 | } 17 | kubectl = { 18 | source = "gavinbunney/kubectl" 19 | version = ">= 1.14" 20 | } 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/crossplane/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 3.72" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.10" 12 | } 13 | kubectl = { 14 | source = "gavinbunney/kubectl" 15 | version = ">= 1.14" 16 | } 17 | time = { 18 | source = "hashicorp/time" 19 | version = ">= 0.7" 20 | } 21 | } 22 | } 23 | -------------------------------------------------------------------------------- 
/docs/add-ons/datadog-operator.md: -------------------------------------------------------------------------------- 1 | # Datadog Operator 2 | The [Datadog Operator](https://github.com/DataDog/datadog-operator) is a Kubernetes add-on that can automate the deployment of a best-practice Datadog monitoring agent on a Kubernetes cluster. 3 | 4 | ## Usage 5 | The Datadog Operator can be deployed by enabling the add-on via the following. 6 | 7 | ```hcl 8 | enable_datadog_operator = true 9 | ``` 10 | 11 | Once the operator is provisioned, the Datadog Agent can be deployed by creating a `DatadogAgent` resource and supplying an API key. Store the API key in a Kubernetes Secret and reference it from the `DatadogAgent` resource rather than embedding it in plain text in a manifest that is committed to version control. 12 | -------------------------------------------------------------------------------- /examples/blue-green-upgrade/eks-blue/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.1" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 4.47" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.16.1" 12 | } 13 | helm = { 14 | source = "hashicorp/helm" 15 | version = ">= 2.8.0" 16 | } 17 | kubectl = { 18 | source = "gavinbunney/kubectl" 19 | version = ">= 1.14" 20 | } 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /examples/blue-green-upgrade/eks-green/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.1" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 4.47" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.16.1" 12 | } 13 | helm = { 14 | source = "hashicorp/helm" 15 | version = ">= 2.8.0" 16 | } 17 | kubectl = { 18 | source = "gavinbunney/kubectl" 19 | version = ">= 1.14" 20 | } 21 | } 22 | } 23 | -------------------------------------------------------------------------------- 
/examples/agones-game-controller/test/xonotic/gameserverallocator.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "allocation.agones.dev/v1" 2 | kind: GameServerAllocation 3 | spec: 4 | # GameServer selector from which to choose GameServers from. 5 | # GameServers still have the hard requirement to be `Ready` to be allocated from 6 | # however we can also make available `matchExpressions` for even greater 7 | # flexibility. 8 | # Below is an example of a GameServer allocated against a given fleet. 9 | required: 10 | matchLabels: 11 | agones.dev/fleet: xonotic 12 | -------------------------------------------------------------------------------- /modules/aws-eks-fargate-profiles/variables.tf: -------------------------------------------------------------------------------- 1 | variable "fargate_profile" { 2 | description = "Map of maps of `eks_node_groups` to create" 3 | type = any 4 | default = {} 5 | } 6 | 7 | variable "context" { 8 | description = "Input configuration for Fargate" 9 | type = object({ 10 | eks_cluster_id = string 11 | aws_partition_id = string 12 | iam_role_path = string 13 | iam_role_permissions_boundary = string 14 | tags = map(string) 15 | }) 16 | } 17 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/argo-rollouts/main.tf: -------------------------------------------------------------------------------- 1 | module "helm_addon" { 2 | source = "../helm-addon" 3 | 4 | manage_via_gitops = var.manage_via_gitops 5 | helm_config = local.helm_config 6 | addon_context = var.addon_context 7 | 8 | depends_on = [kubernetes_namespace_v1.this] 9 | } 10 | 11 | resource "kubernetes_namespace_v1" "this" { 12 | count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 
1 : 0 13 | metadata { 14 | name = local.helm_config["namespace"] 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/external-dns/data.tf: -------------------------------------------------------------------------------- 1 | data "aws_iam_policy_document" "external_dns_iam_policy_document" { 2 | statement { # Record writes are limited to the selected zone plus whatever extra zone ARNs the caller passes in; keep var.route53_zone_arns to the zones external-dns must actually manage. 3 | effect = "Allow" 4 | resources = distinct(concat( 5 | [data.aws_route53_zone.selected.arn], 6 | var.route53_zone_arns 7 | )) 8 | actions = ["route53:ChangeResourceRecordSets"] 9 | } 10 | 11 | statement { # Read-only listing. The Route 53 List* calls are account-wide and do not accept a narrower resource, so "*" is required here; no write actions belong in this statement. 12 | effect = "Allow" 13 | resources = ["*"] 14 | actions = [ 15 | "route53:ListHostedZones", 16 | "route53:ListResourceRecordSets", 17 | ] 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/yunikorn/main.tf: -------------------------------------------------------------------------------- 1 | module "helm_addon" { 2 | source = "../helm-addon" 3 | 4 | manage_via_gitops = var.manage_via_gitops 5 | helm_config = local.helm_config 6 | addon_context = var.addon_context 7 | 8 | depends_on = [kubernetes_namespace_v1.yunikorn] 9 | } 10 | 11 | resource "kubernetes_namespace_v1" "yunikorn" { 12 | count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 
1 : 0 13 | metadata { 14 | name = local.helm_config["namespace"] 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/airflow/values.yaml: -------------------------------------------------------------------------------- 1 | securityContext: 2 | fsGroup: 65534 3 | 4 | executor: "KubernetesExecutor" 5 | 6 | workers: 7 | replicas: 0 8 | 9 | postgresql: # NOTE(review): the chart-bundled PostgreSQL is suitable for evaluation only; for anything beyond a demo point Airflow at an external database with non-default credentials held in a Secret. 10 | enabled: true 11 | 12 | scheduler: 13 | replicas: 1 14 | waitForMigrations: 15 | enabled: false 16 | 17 | webserver: 18 | replicas: 1 19 | waitForMigrations: 20 | enabled: false 21 | 22 | migrateDatabaseJob: 23 | enabled: true 24 | 25 | triggerer: 26 | enabled: true 27 | waitForMigrations: 28 | enabled: false 29 | 30 | redis: 31 | enabled: false 32 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/metrics-server/main.tf: -------------------------------------------------------------------------------- 1 | module "helm_addon" { 2 | source = "../helm-addon" 3 | 4 | manage_via_gitops = var.manage_via_gitops 5 | helm_config = local.helm_config 6 | addon_context = var.addon_context 7 | 8 | depends_on = [kubernetes_namespace_v1.this] 9 | } 10 | 11 | resource "kubernetes_namespace_v1" "this" { 12 | count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0 13 | 14 | metadata { 15 | name = local.helm_config["namespace"] 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /NOTICE.txt: -------------------------------------------------------------------------------- 1 | Copyright 2016-2022 Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. 
A copy of the License is located at 4 | 5 | http://aws.amazon.com/apache2.0/ 6 | 7 | or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. 8 | -------------------------------------------------------------------------------- /examples/blue-green-upgrade/kubernetes/team-riker/limit-range.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 'v1' 2 | kind: 'LimitRange' 3 | metadata: 4 | name: 'resource-limits' 5 | namespace: team-riker 6 | spec: 7 | limits: 8 | - type: 'Container' 9 | max: 10 | cpu: '2' 11 | memory: '1Gi' 12 | min: 13 | cpu: '50m' 14 | memory: '4Mi' 15 | default: 16 | cpu: '300m' 17 | memory: '200Mi' 18 | defaultRequest: 19 | cpu: '200m' 20 | memory: '100Mi' 21 | maxLimitRequestRatio: 22 | cpu: '10' 23 | -------------------------------------------------------------------------------- /examples/blue-green-upgrade/kubernetes/team-burnham/limit-range.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 'v1' 2 | kind: 'LimitRange' 3 | metadata: 4 | name: 'resource-limits' 5 | namespace: team-burnham 6 | spec: 7 | limits: 8 | - type: 'Container' 9 | max: 10 | cpu: '2' 11 | memory: '1Gi' 12 | min: 13 | cpu: '50m' 14 | memory: '4Mi' 15 | default: 16 | cpu: '300m' 17 | memory: '200Mi' 18 | defaultRequest: 19 | cpu: '200m' 20 | memory: '100Mi' 21 | maxLimitRequestRatio: 22 | cpu: '10' 23 | -------------------------------------------------------------------------------- /examples/blue-green-upgrade/kubernetes/ecsdemo-crystal/limit-range.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 'v1' 2 | kind: 'LimitRange' 3 | metadata: 4 | name: 'resource-limits' 5 | namespace: ecsdemo-crystal 6 | spec: 7 | 
limits: 8 | - type: 'Container' 9 | max: 10 | cpu: '2' 11 | memory: '1Gi' 12 | min: 13 | cpu: '50m' 14 | memory: '4Mi' 15 | default: 16 | cpu: '300m' 17 | memory: '200Mi' 18 | defaultRequest: 19 | cpu: '200m' 20 | memory: '100Mi' 21 | maxLimitRequestRatio: 22 | cpu: '10' 23 | -------------------------------------------------------------------------------- /examples/blue-green-upgrade/kubernetes/ecsdemo-frontend/limit-range.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 'v1' 2 | kind: 'LimitRange' 3 | metadata: 4 | name: 'resource-limits' 5 | namespace: ecsdemo-frontend 6 | spec: 7 | limits: 8 | - type: 'Container' 9 | max: 10 | cpu: '2' 11 | memory: '1Gi' 12 | min: 13 | cpu: '50m' 14 | memory: '4Mi' 15 | default: 16 | cpu: '300m' 17 | memory: '200Mi' 18 | defaultRequest: 19 | cpu: '200m' 20 | memory: '100Mi' 21 | maxLimitRequestRatio: 22 | cpu: '10' 23 | -------------------------------------------------------------------------------- /examples/blue-green-upgrade/kubernetes/ecsdemo-nodejs/limit-range.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 'v1' 2 | kind: 'LimitRange' 3 | metadata: 4 | name: 'resource-limits' 5 | namespace: ecsdemo-nodejs 6 | spec: 7 | limits: 8 | - type: 'Container' 9 | max: 10 | cpu: '2' 11 | memory: '1Gi' 12 | min: 13 | cpu: '50m' 14 | memory: '4Mi' 15 | default: 16 | cpu: '300m' 17 | memory: '200Mi' 18 | defaultRequest: 19 | cpu: '200m' 20 | memory: '100Mi' 21 | maxLimitRequestRatio: 22 | cpu: '10' 23 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/secrets-store-csi-driver/main.tf: -------------------------------------------------------------------------------- 1 | resource "kubernetes_namespace_v1" "secrets_store_csi_driver" { 2 | metadata { 3 | name = local.name 4 | 5 | labels = { 6 | "app.kubernetes.io/managed-by" = "terraform-aws-eks-blueprints" 7 | } 8 | } 9 | } 
10 | 11 | module "helm_addon" { 12 | source = "../helm-addon" 13 | manage_via_gitops = var.manage_via_gitops 14 | helm_config = local.helm_config 15 | addon_context = var.addon_context 16 | 17 | depends_on = [kubernetes_namespace_v1.secrets_store_csi_driver] 18 | } 19 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/kuberay-operator/kuberay-operator-config/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "kuberay-operator.fullname" . }} 5 | labels: 6 | {{ include "kuberay-operator.labels" . | indent 4 }} 7 | spec: 8 | type: {{ .Values.service.type }} 9 | ports: 10 | - port: {{ .Values.service.port }} 11 | targetPort: http 12 | protocol: TCP 13 | name: http 14 | selector: 15 | app.kubernetes.io/name: {{ include "kuberay-operator.name" . }} 16 | app.kubernetes.io/instance: {{ .Release.Name }} 17 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/local-volume-provisioner/local-static-provisioner/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.common.serviceAccount.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ template "provisioner.serviceAccountName" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | helm.sh/chart: {{ template "provisioner.chart" . }} 9 | app.kubernetes.io/name: {{ template "provisioner.name" . 
}} 10 | app.kubernetes.io/managed-by: {{ .Release.Service }} 11 | app.kubernetes.io/instance: {{ .Release.Name }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/question.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Question 3 | about: I have a Question 4 | --- 5 | 6 | - [ ] ✋ I have searched the open/closed issues and my issue is not listed. 7 | 8 | #### Please describe your question here 9 | 10 | 11 | 12 | #### Provide a link to the example/module related to the question 13 | 14 | 15 | 16 | #### Additional context 17 | 18 | 19 | -------------------------------------------------------------------------------- /modules/aws-eks-fargate-profiles/outputs.tf: -------------------------------------------------------------------------------- 1 | output "eks_fargate_profile_arn" { 2 | description = "Amazon Resource Name (ARN) of the EKS Fargate Profile" 3 | value = aws_eks_fargate_profile.eks_fargate.arn 4 | } 5 | 6 | output "eks_fargate_profile_role_name" { 7 | description = "Name of the EKS Fargate Profile IAM role" 8 | value = try(aws_iam_role.fargate[0].name, null) 9 | } 10 | 11 | output "eks_fargate_profile_id" { 12 | description = "EKS Cluster name and EKS Fargate Profile name separated by a colon" 13 | value = aws_eks_fargate_profile.eks_fargate.id 14 | } 15 | -------------------------------------------------------------------------------- /modules/aws-eks-teams/locals.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | partition = data.aws_partition.current.partition 3 | account_id = data.aws_caller_identity.current.account_id 4 | eks_oidc_issuer_url = replace(data.aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer, "https://", "") 5 | eks_oidc_provider_arn = "arn:${local.partition}:iam::${local.account_id}:oidc-provider/${local.eks_oidc_issuer_url}" 6 | 7 | team_manifests = 
flatten([ 8 | for team_name, team_data in var.application_teams : 9 | try(fileset(path.root, "${team_data.manifests_dir}/*"), []) 10 | ]) 11 | 12 | } 13 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/cert-manager/cert-manager-ca/templates/certificate.yaml: -------------------------------------------------------------------------------- 1 | {{- range .Values.clusterIssuers }} 2 | {{- if eq .type "CA" }} 3 | apiVersion: cert-manager.io/v1 4 | kind: Certificate 5 | metadata: 6 | name: {{ .name }} 7 | namespace: {{ $.Release.Namespace }} 8 | spec: 9 | isCA: true 10 | commonName: {{ .name }} 11 | secretName: {{ .secretName }} 12 | {{- with .privateKey }} 13 | privateKey: 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | {{- with .issuer }} 17 | issuerRef: 18 | {{- toYaml . | nindent 4 }} 19 | {{- end }} 20 | {{- end }} 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/kuberay-operator/kuberay-operator-config/templates/leader-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbacEnable }} 2 | kind: RoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | labels: 6 | {{ include "kuberay-operator.labels" . | indent 4 }} 7 | name: {{ include "kuberay-operator.fullname" . }} 8 | subjects: 9 | - kind: ServiceAccount 10 | name: {{ .Values.serviceAccount.name }} 11 | namespace: {{ .Release.Namespace }} 12 | roleRef: 13 | kind: Role 14 | name: {{ include "kuberay-operator.fullname" . 
}} 15 | apiGroup: rbac.authorization.k8s.io 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/grafana/main.tf: -------------------------------------------------------------------------------- 1 | module "helm_addon" { 2 | source = "../helm-addon" 3 | manage_via_gitops = var.manage_via_gitops 4 | set_values = local.set_values 5 | helm_config = local.helm_config 6 | irsa_config = local.irsa_config 7 | addon_context = var.addon_context 8 | } 9 | 10 | resource "aws_iam_policy" "grafana" { 11 | description = "IAM policy for Grafana Pod" 12 | name = "${var.addon_context.eks_cluster_id}-grafana" 13 | path = var.addon_context.irsa_iam_role_path 14 | policy = data.aws_iam_policy_document.this.json 15 | } 16 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/kuberay-operator/kuberay-operator-config/templates/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbacEnable }} 2 | kind: ClusterRoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | labels: 6 | {{ include "kuberay-operator.labels" . | indent 4 }} 7 | name: {{ include "kuberay-operator.fullname" . }} 8 | subjects: 9 | - kind: ServiceAccount 10 | name: {{ .Values.serviceAccount.name }} 11 | namespace: {{ .Release.Namespace }} 12 | roleRef: 13 | kind: ClusterRole 14 | name: {{ include "kuberay-operator.fullname" . 
}} 15 | apiGroup: rbac.authorization.k8s.io 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /examples/agones-game-controller/test/sample-game-server/gameserver.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "agones.dev/v1" 2 | kind: GameServer 3 | metadata: 4 | generateName: "simple-game-server-" 5 | spec: 6 | ports: 7 | - name: default 8 | portPolicy: Dynamic 9 | containerPort: 7654 10 | template: 11 | spec: 12 | containers: 13 | - name: simple-game-server 14 | image: gcr.io/agones-images/simple-game-server:0.3 15 | resources: 16 | requests: 17 | memory: "64Mi" 18 | cpu: "20m" 19 | limits: 20 | memory: "64Mi" 21 | cpu: "20m" 22 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/agones/values.yaml: -------------------------------------------------------------------------------- 1 | agones: # NOTE(review): aws-load-balancer-internal: "false" provisions internet-facing NLBs for the ping and allocator services. The allocator hands out game servers, so keep it internal (set the annotation to "true") unless clients outside the VPC genuinely need to reach it, and restrict source ranges on anything that stays exposed. 2 | ping: 3 | http: 4 | annotations: 5 | service.beta.kubernetes.io/aws-load-balancer-internal: "false" 6 | service.beta.kubernetes.io/aws-load-balancer-type: "nlb" 7 | udp: 8 | annotations: 9 | service.beta.kubernetes.io/aws-load-balancer-internal: "false" 10 | service.beta.kubernetes.io/aws-load-balancer-type: "nlb" 11 | allocator: 12 | http: 13 | annotations: 14 | service.beta.kubernetes.io/aws-load-balancer-internal: "false" 15 | service.beta.kubernetes.io/aws-load-balancer-type: "nlb" 16 | -------------------------------------------------------------------------------- /examples/eks-efa/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.1" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 4.47" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.16.1" 12 | } 13 | helm = { 14 | source = "hashicorp/helm" 15 | version = ">= 2.8.0" 16 | } 17 | kubectl = { 
18 | source = "gavinbunney/kubectl" 19 | version = ">= 1.14" 20 | } 21 | http = { 22 | source = "hashicorp/http" 23 | version = ">= 2.2.0" 24 | } 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/kube-prometheus-stack/README.md: -------------------------------------------------------------------------------- 1 | # kube-prometheus-stack Helm Chart 2 | 3 | ## Introduction 4 | 5 | [kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack) is a collection of Kubernetes manifests, Grafana dashboards, and Prometheus rules combined with documentation and scripts to provide easy-to-operate, end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus Operator. 6 | 7 | The default values.yaml file in this add-on disables the components that are not reachable in EKS environments and sets up an EBS volume for persistent storage. 8 | -------------------------------------------------------------------------------- /.github/workflows/linkcheck.json: -------------------------------------------------------------------------------- 1 | { 2 | "timeout": "5s", 3 | "retryOn429": true, 4 | "retryCount": 5, 5 | "fallbackRetryDelay": "30s", 6 | "aliveStatusCodes": [200, 206], 7 | "httpHeaders": [ 8 | { 9 | "urls": ["https://help.github.com/"], 10 | "headers": { 11 | "Accept-Encoding": "zstd, br, gzip, deflate" 12 | } 13 | } 14 | ], 15 | "ignorePatterns": [ 16 | { 17 | "pattern": [ 18 | "localhost" 19 | ] 20 | }, 21 | { 22 | "pattern": [ 23 | "127.0.0.1" 24 | ] 25 | } 26 | ] 27 | } 28 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/argo-rollouts/locals.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | name = "argo-rollouts" 3 | 4 | # https://github.com/argoproj/argo-helm/blob/main/charts/argo-rollouts/Chart.yaml 5 | 
default_helm_config = { 6 | name = local.name 7 | chart = local.name 8 | repository = "https://argoproj.github.io/argo-helm" 9 | version = "2.21.1" 10 | namespace = local.name 11 | description = "Argo Rollouts AddOn Helm Chart" 12 | } 13 | 14 | helm_config = merge( 15 | local.default_helm_config, 16 | var.helm_config 17 | ) 18 | 19 | argocd_gitops_config = { 20 | enable = true 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/argocd/outputs.tf: -------------------------------------------------------------------------------- 1 | output "release_metadata" { 2 | description = "Map of attributes of the Helm release metadata" 3 | value = module.helm_addon.release_metadata 4 | } 5 | 6 | output "irsa_arn" { 7 | description = "IAM role ARN for the service account" 8 | value = module.helm_addon.irsa_arn 9 | } 10 | 11 | output "irsa_name" { 12 | description = "IAM role name for the service account" 13 | value = module.helm_addon.irsa_name 14 | } 15 | 16 | output "service_account" { 17 | description = "Name of Kubernetes service account" 18 | value = module.helm_addon.service_account 19 | } 20 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/data.tf: -------------------------------------------------------------------------------- 1 | data "aws_partition" "current" {} 2 | data "aws_caller_identity" "current" {} 3 | data "aws_region" "current" {} 4 | 5 | resource "time_sleep" "dataplane" { 6 | create_duration = "10s" 7 | 8 | triggers = { 9 | data_plane_wait_arn = var.data_plane_wait_arn # this waits for the data plane to be ready 10 | eks_cluster_id = var.eks_cluster_id # this ties it to downstream resources 11 | } 12 | } 13 | 14 | data "aws_eks_cluster" "eks_cluster" { 15 | # this makes downstream resources wait for data plane to be ready 16 | name = time_sleep.dataplane.triggers["eks_cluster_id"] 17 | } 18 | 
-------------------------------------------------------------------------------- /modules/kubernetes-addons/airflow/outputs.tf: -------------------------------------------------------------------------------- 1 | output "release_metadata" { 2 | description = "Map of attributes of the Helm release metadata" 3 | value = module.helm_addon.release_metadata 4 | } 5 | 6 | output "irsa_arn" { 7 | description = "IAM role ARN for the service account" 8 | value = module.helm_addon.irsa_arn 9 | } 10 | 11 | output "irsa_name" { 12 | description = "IAM role name for the service account" 13 | value = module.helm_addon.irsa_name 14 | } 15 | 16 | output "service_account" { 17 | description = "Name of Kubernetes service account" 18 | value = module.helm_addon.service_account 19 | } 20 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/crossplane/outputs.tf: -------------------------------------------------------------------------------- 1 | output "release_metadata" { 2 | description = "Map of attributes of the Helm release metadata" 3 | value = module.helm_addon.release_metadata 4 | } 5 | 6 | output "irsa_arn" { 7 | description = "IAM role ARN for the service account" 8 | value = module.helm_addon.irsa_arn 9 | } 10 | 11 | output "irsa_name" { 12 | description = "IAM role name for the service account" 13 | value = module.helm_addon.irsa_name 14 | } 15 | 16 | output "service_account" { 17 | description = "Name of Kubernetes service account" 18 | value = module.helm_addon.service_account 19 | } 20 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/kuberay-operator/outputs.tf: -------------------------------------------------------------------------------- 1 | output "release_metadata" { 2 | description = "Map of attributes of the Helm release metadata" 3 | value = module.helm_addon.release_metadata 4 | } 5 | 6 | output "irsa_arn" { 7 | description = "IAM role ARN for 
the service account" 8 | value = module.helm_addon.irsa_arn 9 | } 10 | 11 | output "irsa_name" { 12 | description = "IAM role name for the service account" 13 | value = module.helm_addon.irsa_name 14 | } 15 | 16 | output "service_account" { 17 | description = "Name of Kubernetes service account" 18 | value = module.helm_addon.service_account 19 | } 20 | -------------------------------------------------------------------------------- /mkdocs.yml: -------------------------------------------------------------------------------- 1 | site_name: Amazon EKS Blueprints for Terraform 2 | repo_name: "aws-ia/terraform-aws-eks-blueprints" 3 | repo_url: "https://github.com/aws-ia/terraform-aws-eks-blueprints" 4 | edit_uri: "edit/main/docs/" 5 | docs_dir: "docs" 6 | theme: 7 | name: material 8 | features: 9 | - tabs 10 | markdown_extensions: 11 | - def_list 12 | - pymdownx.highlight 13 | - pymdownx.superfences 14 | - pymdownx.inlinehilite 15 | - pymdownx.tasklist: 16 | custom_checkbox: true 17 | - toc: 18 | permalink: true 19 | plugins: 20 | - search 21 | - awesome-pages 22 | - include-markdown 23 | extra: 24 | version: 25 | provider: mike 26 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/adot-collector-java/outputs.tf: -------------------------------------------------------------------------------- 1 | output "release_metadata" { 2 | description = "Map of attributes of the Helm release metadata" 3 | value = module.helm_addon.release_metadata 4 | } 5 | 6 | output "irsa_arn" { 7 | description = "IAM role ARN for the service account" 8 | value = module.helm_addon.irsa_arn 9 | } 10 | 11 | output "irsa_name" { 12 | description = "IAM role name for the service account" 13 | value = module.helm_addon.irsa_name 14 | } 15 | 16 | output "service_account" { 17 | description = "Name of Kubernetes service account" 18 | value = module.helm_addon.service_account 19 | } 20 | 
-------------------------------------------------------------------------------- /modules/kubernetes-addons/adot-collector-nginx/outputs.tf: -------------------------------------------------------------------------------- 1 | output "release_metadata" { 2 | description = "Map of attributes of the Helm release metadata" 3 | value = module.helm_addon.release_metadata 4 | } 5 | 6 | output "irsa_arn" { 7 | description = "IAM role ARN for the service account" 8 | value = module.helm_addon.irsa_arn 9 | } 10 | 11 | output "irsa_name" { 12 | description = "IAM role name for the service account" 13 | value = module.helm_addon.irsa_name 14 | } 15 | 16 | output "service_account" { 17 | description = "Name of Kubernetes service account" 18 | value = module.helm_addon.service_account 19 | } 20 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/appmesh-controller/outputs.tf: -------------------------------------------------------------------------------- 1 | output "release_metadata" { 2 | description = "Map of attributes of the Helm release metadata" 3 | value = module.helm_addon.release_metadata 4 | } 5 | 6 | output "irsa_arn" { 7 | description = "IAM role ARN for the service account" 8 | value = module.helm_addon.irsa_arn 9 | } 10 | 11 | output "irsa_name" { 12 | description = "IAM role name for the service account" 13 | value = module.helm_addon.irsa_name 14 | } 15 | 16 | output "service_account" { 17 | description = "Name of Kubernetes service account" 18 | value = module.helm_addon.service_account 19 | } 20 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/adot-collector-haproxy/outputs.tf: -------------------------------------------------------------------------------- 1 | output "release_metadata" { 2 | description = "Map of attributes of the Helm release metadata" 3 | value = module.helm_addon.release_metadata 4 | } 5 | 6 | output "irsa_arn" { 7 | 
description = "IAM role ARN for the service account" 8 | value = module.helm_addon.irsa_arn 9 | } 10 | 11 | output "irsa_name" { 12 | description = "IAM role name for the service account" 13 | value = module.helm_addon.irsa_name 14 | } 15 | 16 | output "service_account" { 17 | description = "Name of Kubernetes service account" 18 | value = module.helm_addon.service_account 19 | } 20 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/adot-collector-memcached/outputs.tf: -------------------------------------------------------------------------------- 1 | output "release_metadata" { 2 | description = "Map of attributes of the Helm release metadata" 3 | value = module.helm_addon.release_metadata 4 | } 5 | 6 | output "irsa_arn" { 7 | description = "IAM role ARN for the service account" 8 | value = module.helm_addon.irsa_arn 9 | } 10 | 11 | output "irsa_name" { 12 | description = "IAM role name for the service account" 13 | value = module.helm_addon.irsa_name 14 | } 15 | 16 | output "service_account" { 17 | description = "Name of Kubernetes service account" 18 | value = module.helm_addon.service_account 19 | } 20 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/cert-manager-istio-csr/main.tf: -------------------------------------------------------------------------------- 1 | module "helm_addon" { 2 | source = "../helm-addon" 3 | helm_config = merge( 4 | { 5 | name = "cert-manager-istio-csr" 6 | chart = "cert-manager-istio-csr" 7 | repository = "https://charts.jetstack.io" 8 | version = "v0.5.0" 9 | namespace = "cert-manager" 10 | create_namespace = false 11 | description = "Cert-manager-istio-csr Helm Chart deployment configuration" 12 | }, 13 | var.helm_config 14 | ) 15 | manage_via_gitops = var.manage_via_gitops 16 | addon_context = var.addon_context 17 | } 18 | -------------------------------------------------------------------------------- 
/modules/kubernetes-addons/consul/locals.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | name = "consul" 3 | 4 | /* Chart defaults; anything in var.helm_config overrides these key by key via merge() below. */ default_helm_config = { 5 | name = local.name 6 | chart = local.name 7 | repository = "https://helm.releases.hashicorp.com" 8 | version = "1.0.1" 9 | namespace = local.name 10 | create_namespace = true 11 | description = "Consul helm Chart deployment configuration" 12 | /* values.yaml is rendered with an empty variable map, i.e. it is used as-is. */ values = [templatefile("${path.module}/values.yaml", {})] 13 | } 14 | 15 | helm_config = merge(local.default_helm_config, var.helm_config) 16 | 17 | argocd_gitops_config = { 18 | enable = true 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/crossplane/data.tf: -------------------------------------------------------------------------------- /* IAM policy document for the Crossplane S3 permissions; the role/policy that attaches it is not in this file. */ 1 | data "aws_iam_policy_document" "s3_policy" { 2 | statement { 3 | sid = "VisualEditor0" 4 | effect = "Allow" 5 | /* NOTE(review): "s3:::*" combined with s3:Get*, s3:Put* and the bucket/object delete actions grants read, write (including bucket policy/ACL writes under Put*) and delete on every bucket in the account. Scope the resource ARNs to the buckets Crossplane is expected to manage (e.g. a name prefix passed in from the caller) rather than the whole partition. */ resources = ["arn:${var.addon_context.aws_partition_id}:s3:::*"] 6 | 7 | actions = [ 8 | "s3:CreateBucket", 9 | "s3:DeleteBucket", 10 | "s3:DeleteObject", 11 | "s3:DeleteObjectVersion", 12 | "s3:Get*", 13 | "s3:ListBucket", 14 | "s3:Put*", 15 | ] 16 | } 17 | 18 | /* ListAllMyBuckets is account-wide and only works with resource "*"; this statement is the one place a wildcard resource is required. */ statement { 19 | sid = "VisualEditor1" 20 | effect = "Allow" 21 | resources = ["*"] 22 | actions = ["s3:ListAllMyBuckets"] 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/local-volume-provisioner/outputs.tf: -------------------------------------------------------------------------------- 1 | output "release_metadata" { 2 | description = "Map of attributes of the Helm release metadata" 3 | value = module.helm_addon.release_metadata 4 | } 5 | 6 | output "irsa_arn" { 7 | description = "IAM role ARN for the service account" 8 | value = module.helm_addon.irsa_arn 9 | } 10 | 11 | output "irsa_name" { 12 | description = "IAM role name for the service account" 13 | value = 
module.helm_addon.irsa_name 14 | } 15 | 16 | output "service_account" { 17 | description = "Name of Kubernetes service account" 18 | value = module.helm_addon.service_account 19 | } 20 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/adot-collector-java/otel-config/templates/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: otel-prometheus-role 5 | rules: 6 | - apiGroups: 7 | - "" 8 | resources: 9 | - nodes 10 | - nodes/proxy 11 | - services 12 | - endpoints 13 | - pods 14 | verbs: 15 | - get 16 | - list 17 | - watch 18 | - apiGroups: 19 | - extensions 20 | resources: 21 | - ingresses 22 | verbs: 23 | - get 24 | - list 25 | - watch 26 | - nonResourceURLs: 27 | - /metrics 28 | verbs: 29 | - get 30 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/adot-collector-nginx/otel-config/templates/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: otel-prometheus-role 5 | rules: 6 | - apiGroups: 7 | - "" 8 | resources: 9 | - nodes 10 | - nodes/proxy 11 | - services 12 | - endpoints 13 | - pods 14 | verbs: 15 | - get 16 | - list 17 | - watch 18 | - apiGroups: 19 | - extensions 20 | resources: 21 | - ingresses 22 | verbs: 23 | - get 24 | - list 25 | - watch 26 | - nonResourceURLs: 27 | - /metrics 28 | verbs: 29 | - get 30 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/aws-load-balancer-controller/main.tf: -------------------------------------------------------------------------------- 1 | module "helm_addon" { 2 | source = "../helm-addon" 3 | manage_via_gitops = var.manage_via_gitops 4 | set_values = local.set_values 5 | 
helm_config = local.helm_config 6 | irsa_config = local.irsa_config 7 | addon_context = var.addon_context 8 | } 9 | 10 | resource "aws_iam_policy" "aws_load_balancer_controller" { 11 | name = "${var.addon_context.eks_cluster_id}-lb-irsa" 12 | description = "Allows lb controller to manage ALB and NLB" 13 | policy = data.aws_iam_policy_document.aws_lb.json 14 | tags = var.addon_context.tags 15 | } 16 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/adot-collector-haproxy/otel-config/templates/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: otel-prometheus-role 5 | rules: 6 | - apiGroups: 7 | - "" 8 | resources: 9 | - nodes 10 | - nodes/proxy 11 | - services 12 | - endpoints 13 | - pods 14 | verbs: 15 | - get 16 | - list 17 | - watch 18 | - apiGroups: 19 | - extensions 20 | resources: 21 | - ingresses 22 | verbs: 23 | - get 24 | - list 25 | - watch 26 | - nonResourceURLs: 27 | - /metrics 28 | verbs: 29 | - get 30 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/adot-collector-memcached/otel-config/templates/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: otel-prometheus-role 5 | rules: 6 | - apiGroups: 7 | - "" 8 | resources: 9 | - nodes 10 | - nodes/proxy 11 | - services 12 | - endpoints 13 | - pods 14 | verbs: 15 | - get 16 | - list 17 | - watch 18 | - apiGroups: 19 | - extensions 20 | resources: 21 | - ingresses 22 | verbs: 23 | - get 24 | - list 25 | - watch 26 | - nonResourceURLs: 27 | - /metrics 28 | verbs: 29 | - get 30 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/aws-privateca-issuer/main.tf: 
-------------------------------------------------------------------------------- 1 | module "helm_addon" { 2 | source = "../helm-addon" 3 | manage_via_gitops = var.manage_via_gitops 4 | set_values = local.set_values 5 | helm_config = local.helm_config 6 | irsa_config = local.irsa_config 7 | addon_context = var.addon_context 8 | } 9 | 10 | resource "aws_iam_policy" "aws_privateca_issuer" { 11 | description = "AWS PCA issuer IAM policy" 12 | name = "${var.addon_context.eks_cluster_id}-${local.helm_config["name"]}-irsa" 13 | policy = data.aws_iam_policy_document.aws_privateca_issuer.json 14 | tags = var.addon_context.tags 15 | } 16 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/kubernetes-dashboard/main.tf: -------------------------------------------------------------------------------- 1 | module "helm_addon" { 2 | source = "../helm-addon" 3 | 4 | manage_via_gitops = var.manage_via_gitops 5 | helm_config = local.helm_config 6 | addon_context = var.addon_context 7 | 8 | depends_on = [kubernetes_namespace_v1.this] 9 | } 10 | 11 | resource "kubernetes_namespace_v1" "this" { 12 | count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 
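1 : 0 13 | 14 | metadata { 15 | name = local.helm_config["namespace"] 16 | labels = { 17 | "app.kubernetes.io/managed-by" = "terraform-aws-eks-blueprints" 18 | } 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/kyverno/outputs.tf: -------------------------------------------------------------------------------- 1 | output "release_metadata" { 2 | description = "Map of attributes of the Helm release metadata" 3 | value = module.kyverno_helm_addon.release_metadata 4 | } 5 | 6 | output "irsa_arn" { 7 | description = "IAM role ARN for the service account" 8 | value = module.kyverno_helm_addon.irsa_arn 9 | } 10 | 11 | output "irsa_name" { 12 | description = "IAM role name for the service account" 13 | value = module.kyverno_helm_addon.irsa_name 14 | } 15 | 16 | output "service_account" { 17 | description = "Name of Kubernetes service account" 18 | value = module.kyverno_helm_addon.service_account 19 | } 20 | -------------------------------------------------------------------------------- /.github/scripts/delete-log-groups.py: --------------------------------------------------------------------------------
import os
import boto3

REGION = os.environ.get('AWS_DEFAULT_REGION', 'us-west-2')
CLIENT = boto3.client('logs', region_name=REGION)

# The prefix is the only guard against deleting unrelated log groups in the
# account, so keep it narrow; it is a parameter of delete_log_groups() rather
# than hard-coded so callers can tighten it further.
LOG_GROUP_PREFIX = '/aws/eks/'


def delete_log_groups(prefix=LOG_GROUP_PREFIX):
    """Delete every log group in the region whose name starts with ``prefix``.

    ``describe_log_groups`` returns at most one page (50 groups) per call, so
    the original single call silently left any further groups in place; the
    paginator walks all pages. Names are collected before any deletion so the
    listing is not mutated while it is being paged through.

    Args:
        prefix: log group name prefix to match (default ``/aws/eks/``).

    Returns:
        int: number of log groups actually deleted.
    """
    paginator = CLIENT.get_paginator('describe_log_groups')
    names = [
        group['logGroupName']
        for page in paginator.paginate(logGroupNamePrefix=prefix)
        for group in page.get('logGroups', [])
        # skip entries without a name rather than passing None to the API
        if group.get('logGroupName')
    ]

    deleted = 0
    for name in names:
        try:
            CLIENT.delete_log_group(logGroupName=name)
            deleted += 1
        except CLIENT.exceptions.ResourceNotFoundException:
            # Group disappeared between listing and deletion (e.g. a cluster
            # teardown running concurrently); nothing left to do for it.
            pass
    return deleted


if __name__ == '__main__':
    delete_log_groups()
-------------------------------------------------------------------------------- /modules/irsa/outputs.tf: -------------------------------------------------------------------------------- 1 | output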
"irsa_iam_role_arn" { 2 | description = "IAM role ARN for your service account" 3 | value = try(aws_iam_role.irsa[0].arn, null) 4 | } 5 | 6 | output "irsa_iam_role_name" { 7 | description = "IAM role name for your service account" 8 | value = try(aws_iam_role.irsa[0].name, null) 9 | } 10 | 11 | output "namespace" { 12 | description = "IRSA Namespace" 13 | value = try(kubernetes_namespace_v1.irsa[0].id, var.kubernetes_namespace) 14 | } 15 | 16 | output "service_account" { 17 | description = "IRSA Service Account" 18 | value = try(kubernetes_service_account_v1.irsa[0].id, var.kubernetes_service_account) 19 | } 20 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/cert-manager-csi-driver/main.tf: -------------------------------------------------------------------------------- 1 | module "helm_addon" { 2 | source = "../helm-addon" 3 | 4 | # https://github.com/cert-manager/csi-driver/blob/main/deploy/charts/csi-driver/Chart.yaml 5 | helm_config = merge( 6 | { 7 | name = "cert-manager-csi-driver" 8 | chart = "cert-manager-csi-driver" 9 | repository = "https://charts.jetstack.io" 10 | version = "v0.4.2" 11 | namespace = "cert-manager" 12 | description = "Cert Manager CSI Driver Add-on" 13 | }, 14 | var.helm_config 15 | ) 16 | 17 | manage_via_gitops = var.manage_via_gitops 18 | addon_context = var.addon_context 19 | } 20 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/kubernetes-dashboard/locals.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | name = "kubernetes-dashboard" 3 | 4 | # https://github.com/kubernetes/dashboard/blob/master/charts/helm-chart/kubernetes-dashboard/Chart.yaml 5 | default_helm_config = { 6 | name = local.name 7 | chart = local.name 8 | repository = "https://kubernetes.github.io/dashboard/" 9 | version = "5.11.0" 10 | namespace = local.name 11 | description = "Kubernetes Dashboard 
Helm Chart" 12 | } 13 | 14 | helm_config = merge( 15 | local.default_helm_config, 16 | var.helm_config 17 | ) 18 | 19 | argocd_gitops_config = { 20 | enable = true 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/cilium/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? { enable = true } : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "service_account" { 17 | description = "Name of Kubernetes service account" 18 | value = module.helm_addon.service_account 19 | } 20 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/metrics-server/locals.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | name = "metrics-server" 3 | 4 | # https://github.com/kubernetes-sigs/metrics-server/blob/master/charts/metrics-server/Chart.yaml 5 | default_helm_config = { 6 | name = local.name 7 | chart = local.name 8 | repository = "https://kubernetes-sigs.github.io/metrics-server/" 9 | version = "3.8.2" 10 | namespace = "kube-system" 11 | description = "Metric server helm Chart deployment configuration" 12 | } 13 | 14 | helm_config = merge( 15 | local.default_helm_config, 16 | var.helm_config 17 | ) 18 | 19 | argocd_gitops_config = { 20 | enable = true 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /examples/agones-game-controller/test/xonotic/fleet.yaml: 
-------------------------------------------------------------------------------- 1 | # Usually you would define a Fleet rather than a GameServerSet 2 | # directly. This is here mostly for testing purposes 3 | 4 | apiVersion: "agones.dev/v1" 5 | kind: Fleet 6 | metadata: 7 | name: xonotic 8 | spec: 9 | replicas: 2 10 | strategy: 11 | type: Recreate 12 | template: 13 | spec: 14 | ports: 15 | - name: default 16 | containerPort: 26000 17 | health: 18 | initialDelaySeconds: 30 19 | periodSeconds: 60 20 | template: 21 | spec: 22 | containers: 23 | - name: xonotic 24 | image: gcr.io/agones-images/xonotic-example:0.8 25 | -------------------------------------------------------------------------------- /examples/ipv6-eks-cluster/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 4.47" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.10" 12 | } 13 | helm = { 14 | source = "hashicorp/helm" 15 | version = ">= 2.4.1" 16 | } 17 | } 18 | 19 | # ## Used for end-to-end testing on project; update to suit your needs 20 | # backend "s3" { 21 | # bucket = "terraform-ssp-github-actions-state" 22 | # region = "us-west-2" 23 | # key = "e2e/ipv6-eks-cluster/terraform.tfstate" 24 | # } 25 | } 26 | -------------------------------------------------------------------------------- /examples/agones-game-controller/test/sample-game-server/fleet.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "agones.dev/v1" 2 | kind: Fleet 3 | metadata: 4 | name: simple-game-server 5 | spec: 6 | replicas: 2 7 | template: 8 | spec: 9 | ports: 10 | - name: default 11 | containerPort: 7654 12 | template: 13 | spec: 14 | containers: 15 | - name: simple-game-server 16 | image: gcr.io/agones-images/simple-game-server:0.3 17 | resources: 18 | requests: 19 | 
memory: "64Mi" 20 | cpu: "20m" 21 | limits: 22 | memory: "64Mi" 23 | cpu: "20m" 24 | -------------------------------------------------------------------------------- /examples/fargate-serverless/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 4.47" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.10" 12 | } 13 | helm = { 14 | source = "hashicorp/helm" 15 | version = ">= 2.4.1" 16 | } 17 | } 18 | 19 | # ## Used for end-to-end testing on project; update to suit your needs 20 | # backend "s3" { 21 | # bucket = "terraform-ssp-github-actions-state" 22 | # region = "us-west-2" 23 | # key = "e2e/fargate-serverless/terraform.tfstate" 24 | # } 25 | } 26 | -------------------------------------------------------------------------------- /examples/agones-game-controller/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 4.47" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.17" 12 | } 13 | helm = { 14 | source = "hashicorp/helm" 15 | version = ">= 2.8" 16 | } 17 | } 18 | 19 | # ## Used for end-to-end testing on project; update to suit your needs 20 | # backend "s3" { 21 | # bucket = "terraform-ssp-github-actions-state" 22 | # region = "us-west-2" 23 | # key = "e2e/agones-game-controller/terraform.tfstate" 24 | # } 25 | } 26 | -------------------------------------------------------------------------------- /examples/ipv4-prefix-delegation/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | 
version = ">= 4.47" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.17" 12 | } 13 | helm = { 14 | source = "hashicorp/helm" 15 | version = ">= 2.8" 16 | } 17 | } 18 | 19 | # ## Used for end-to-end testing on project; update to suit your needs 20 | # backend "s3" { 21 | # bucket = "terraform-ssp-github-actions-state" 22 | # region = "us-west-2" 23 | # key = "e2e/ipv4-prefix-delegation/terraform.tfstate" 24 | # } 25 | } 26 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/aws-coredns/outputs.tf: -------------------------------------------------------------------------------- 1 | output "release_metadata" { 2 | description = "Map of attributes of the Helm release metadata" 3 | value = try(module.helm_addon[0].release_metadata, null) 4 | } 5 | 6 | output "irsa_arn" { 7 | description = "IAM role ARN for the service account" 8 | value = try(module.helm_addon[0].irsa_arn, null) 9 | } 10 | 11 | output "irsa_name" { 12 | description = "IAM role name for the service account" 13 | value = try(module.helm_addon[0].irsa_name, null) 14 | } 15 | 16 | output "service_account" { 17 | description = "Name of Kubernetes service account" 18 | value = try(module.helm_addon[0].service_account, null) 19 | } 20 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/promtail/main.tf: -------------------------------------------------------------------------------- 1 | module "helm_addon" { 2 | source = "../helm-addon" 3 | 4 | # https://github.com/grafana/helm-charts/blob/main/charts/promtail/Chart.yaml 5 | helm_config = merge( 6 | { 7 | name = "promtail" 8 | chart = "promtail" 9 | repository = "https://grafana.github.io/helm-charts" 10 | version = "6.6.0" 11 | namespace = "promtail" 12 | create_namespace = true 13 | description = "Promtail helm Chart deployment configuration" 14 | }, 15 | var.helm_config 16 | ) 17 | 18 | manage_via_gitops = 
var.manage_via_gitops 19 | addon_context = var.addon_context 20 | } 21 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/aws-ebs-csi-driver/outputs.tf: -------------------------------------------------------------------------------- 1 | output "release_metadata" { 2 | description = "Map of attributes of the Helm release metadata" 3 | value = try(module.helm_addon[0].release_metadata, null) 4 | } 5 | 6 | output "irsa_arn" { 7 | description = "IAM role ARN for the service account" 8 | value = try(module.helm_addon[0].irsa_arn, null) 9 | } 10 | 11 | output "irsa_name" { 12 | description = "IAM role name for the service account" 13 | value = try(module.helm_addon[0].irsa_name, null) 14 | } 15 | 16 | output "service_account" { 17 | description = "Name of Kubernetes service account" 18 | value = try(module.helm_addon[0].service_account, null) 19 | } 20 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/keda/main.tf: -------------------------------------------------------------------------------- 1 | module "helm_addon" { 2 | source = "../helm-addon" 3 | manage_via_gitops = var.manage_via_gitops 4 | set_values = local.set_values 5 | helm_config = local.helm_config 6 | irsa_config = local.irsa_config 7 | addon_context = var.addon_context 8 | } 9 | 10 | resource "aws_iam_policy" "keda_irsa" { 11 | description = "KEDA IAM role policy for SQS and CloudWatch" 12 | name = "${var.addon_context.eks_cluster_id}-${local.helm_config["name"]}-irsa" 13 | path = var.addon_context.irsa_iam_role_path 14 | policy = data.aws_iam_policy_document.keda_irsa.json 15 | tags = var.addon_context.tags 16 | } 17 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/chaos-mesh/main.tf: -------------------------------------------------------------------------------- 1 | module "helm_addon" { 2 | source = "../helm-addon" 3 | 4 | 
# https://github.com/chaos-mesh/chaos-mesh/blob/master/helm/chaos-mesh/Chart.yaml 5 | helm_config = merge( 6 | { 7 | name = "chaos-mesh" 8 | chart = "chaos-mesh" 9 | repository = "https://charts.chaos-mesh.org" 10 | version = "2.4.1" 11 | namespace = "chaos-testing" 12 | create_namespace = true 13 | description = "chaos mesh helm Chart deployment configuration" 14 | }, 15 | var.helm_config 16 | ) 17 | 18 | manage_via_gitops = var.manage_via_gitops 19 | addon_context = var.addon_context 20 | } 21 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/opentelemetry-operator/outputs.tf: -------------------------------------------------------------------------------- 1 | output "release_metadata" { 2 | description = "Map of attributes of the Helm release metadata" 3 | value = try(module.helm_addon[0].release_metadata, null) 4 | } 5 | 6 | output "irsa_arn" { 7 | description = "IAM role ARN for the service account" 8 | value = try(module.helm_addon[0].irsa_arn, null) 9 | } 10 | 11 | output "irsa_name" { 12 | description = "IAM role name for the service account" 13 | value = try(module.helm_addon[0].irsa_name, null) 14 | } 15 | 16 | output "service_account" { 17 | description = "Name of Kubernetes service account" 18 | value = try(module.helm_addon[0].service_account, null) 19 | } 20 | -------------------------------------------------------------------------------- /docs/add-ons/cert-manager-istio-csr.md: -------------------------------------------------------------------------------- 1 | # cert-manager-istio-csr 2 | 3 | istio-csr is an agent that allows for Istio workload and control plane components to be secured using cert-manager. 4 | 5 | For complete project documentation, please visit the [cert-manager documentation site](https://cert-manager.io/docs/usage/istio/). 6 | 7 | ## Usage 8 | 9 | cert-manager-istio-csr can be deployed by enabling the add-on via the following. 
10 | 11 | ```hcl 12 | enable_cert_manager_istio_csr = true 13 | ``` 14 | 15 | ### GitOps Configuration 16 | 17 | The following properties are made available for use when managing the add-on via GitOps. 18 | 19 | ``` 20 | 21 | certManagerIstioCsr = { 22 | enable = true 23 | } 24 | ``` 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/smb-csi-driver/main.tf: -------------------------------------------------------------------------------- 1 | module "helm_addon" { 2 | source = "../helm-addon" 3 | 4 | # https://github.com/kubernetes-csi/csi-driver-smb/blob/master/charts/latest/csi-driver-smb/Chart.yaml 5 | helm_config = merge( 6 | { 7 | name = "csi-driver-smb" 8 | chart = "csi-driver-smb" 9 | repository = "https://raw.githubusercontent.com/kubernetes-csi/csi-driver-smb/master/charts" 10 | version = "v1.9.0" 11 | namespace = "kube-system" 12 | description = "SMB CSI driver helm Chart deployment configuration" 13 | }, 14 | var.helm_config 15 | ) 16 | 17 | manage_via_gitops = var.manage_via_gitops 18 | addon_context = var.addon_context 19 | } 20 | -------------------------------------------------------------------------------- /examples/blue-green-upgrade/tear-down.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e 3 | 4 | # First tear down Applications 5 | kubectl delete application workloads -n argocd || (echo "error deleting workloads application"; exit -1) 6 | kubectl delete application ecsdemo -n argocd || (echo "error deleting ecsdemo application" && exit -1) 7 | 8 | # Then Tear down the cluster 9 | terraform apply -destroy -target="module.kubernetes_addons" -auto-approve || (echo "error deleting module.kubernetes_addons" && exit -1) 10 | terraform apply -destroy -target="module.eks_blueprints" -auto-approve || (echo "error deleting eks-blueprint" && exit -1) 11 | terraform apply -destroy -auto-approve || (echo "error deleting terraform" && 
exit -1) 12 | 13 | echo "Tear Down OK" 14 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/datadog-operator/main.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | name = "datadog-operator" 3 | } 4 | 5 | module "helm_addon" { 6 | source = "../helm-addon" 7 | 8 | # https://github.com/DataDog/helm-charts/blob/main/charts/datadog-operator/Chart.yaml 9 | helm_config = merge( 10 | { 11 | name = local.name 12 | chart = local.name 13 | repository = "https://helm.datadoghq.com" 14 | version = "1.0.2" 15 | namespace = local.name 16 | create_namespace = true 17 | description = "Datadog Operator" 18 | }, 19 | var.helm_config 20 | ) 21 | manage_via_gitops = var.manage_via_gitops 22 | 23 | addon_context = var.addon_context 24 | } 25 | -------------------------------------------------------------------------------- /modules/emr-on-eks/variables.tf: -------------------------------------------------------------------------------- 1 | variable "eks_cluster_id" { 2 | description = "EKS Cluster ID" 3 | type = string 4 | } 5 | 6 | variable "tags" { 7 | description = "Common Tags for AWS resources" 8 | type = map(string) 9 | } 10 | 11 | variable "emr_on_eks_teams" { 12 | description = "EMR on EKS Teams configuration" 13 | type = any 14 | default = {} 15 | } 16 | 17 | variable "iam_role_path" { 18 | description = "IAM role path" 19 | type = string 20 | default = "/" 21 | } 22 | 23 | variable "iam_role_permissions_boundary" { 24 | description = "ARN of the policy that is used to set the permissions boundary for the IAM role" 25 | type = string 26 | default = null 27 | } 28 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/external-secrets/main.tf: -------------------------------------------------------------------------------- 1 | module "helm_addon" { 2 | source = "../helm-addon" 3 | manage_via_gitops = 
var.manage_via_gitops 4 | set_values = local.set_values 5 | helm_config = local.helm_config 6 | irsa_config = local.irsa_config 7 | addon_context = var.addon_context 8 | } 9 | 10 | resource "aws_iam_policy" "external_secrets" { 11 | name = "${var.addon_context.eks_cluster_id}-${local.helm_config["name"]}-irsa" 12 | path = var.addon_context.irsa_iam_role_path 13 | description = "Provides permissions to for External Secrets to retrieve secrets from AWS SSM and AWS Secrets Manager" 14 | policy = data.aws_iam_policy_document.external_secrets.json 15 | } 16 | -------------------------------------------------------------------------------- /docs/add-ons/thanos.md: -------------------------------------------------------------------------------- 1 | # Thanos 2 | 3 | Thanos is a highly available metrics system that can be added on top of existing Prometheus deployments, providing a global query view across all Prometheus installations. 4 | 5 | For complete project documentation, please visit the [Thanos documentation site](https://thanos.io/tip/thanos/getting-started.md/). 6 | 7 | ## Usage 8 | 9 | [Thanos](https://github.com/bitnami/charts/tree/main/bitnami/thanos) can be deployed by enabling the add-on via the following. 
10 | 11 | ```hcl 12 | enable_thanos = true 13 | ``` 14 | 15 | ### GitOps Configuration 16 | 17 | The following properties are made available for use when managing the add-on via GitOps 18 | 19 | ``` 20 | thanos = { 21 | enable = true 22 | } 23 | ``` 24 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/argocd/data.tf: -------------------------------------------------------------------------------- 1 | # --------------------------------------------------------------------------------------------------------------------- 2 | # SSH Key 3 | # --------------------------------------------------------------------------------------------------------------------- 4 | 5 | data "aws_secretsmanager_secret" "ssh_key" { 6 | for_each = { for k, v in var.applications : k => v if try(v.ssh_key_secret_name, null) != null } 7 | name = each.value.ssh_key_secret_name 8 | } 9 | 10 | data "aws_secretsmanager_secret_version" "ssh_key_version" { 11 | for_each = { for k, v in var.applications : k => v if try(v.ssh_key_secret_name, null) != null } 12 | secret_id = data.aws_secretsmanager_secret.ssh_key[each.key].id 13 | } 14 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/kuberay-operator/kuberay-operator-config/templates/leader-role.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbacEnable }} 2 | kind: Role 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | labels: 6 | {{ include "kuberay-operator.labels" . | indent 4 }} 7 | name: {{ include "kuberay-operator.fullname" . 
}} 8 | rules: 9 | - apiGroups: 10 | - "" 11 | resources: 12 | - configmaps 13 | verbs: 14 | - get 15 | - list 16 | - watch 17 | - create 18 | - update 19 | - patch 20 | - delete 21 | - apiGroups: 22 | - "" 23 | resources: 24 | - configmaps/status 25 | verbs: 26 | - get 27 | - update 28 | - patch 29 | - apiGroups: 30 | - "" 31 | resources: 32 | - events 33 | verbs: 34 | - create 35 | {{- end }} 36 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/secrets-store-csi-driver/locals.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | name = "secrets-store-csi-driver" 3 | 4 | # https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/main/charts/secrets-store-csi-driver/Chart.yaml 5 | default_helm_config = { 6 | name = "csi-secrets-store" 7 | chart = local.name 8 | repository = "https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts" 9 | version = "1.3.1" 10 | namespace = local.name 11 | description = "A Helm chart to install the Secrets Store CSI Driver" 12 | } 13 | 14 | helm_config = merge( 15 | local.default_helm_config, 16 | var.helm_config 17 | ) 18 | 19 | argocd_gitops_config = { 20 | enable = true 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/fargate-fluentbit/variables.tf: -------------------------------------------------------------------------------- 1 | variable "addon_config" { 2 | description = "Fargate fluentbit configuration" 3 | type = any 4 | default = {} 5 | } 6 | 7 | variable "addon_context" { 8 | description = "Input configuration for the addon" 9 | type = object({ 10 | aws_caller_identity_account_id = string 11 | aws_caller_identity_arn = string 12 | aws_eks_cluster_endpoint = string 13 | aws_partition_id = string 14 | aws_region_name = string 15 | eks_cluster_id = string 16 | eks_oidc_issuer_url = string 17 | eks_oidc_provider_arn = string 18 | 
tags = map(string) 19 | }) 20 | } 21 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/argocd/argocd-application/helm/values.yaml: -------------------------------------------------------------------------------- 1 | # Application Name 2 | name: "" 3 | 4 | # The ArgoCD Project the Application belongs to. 5 | project: "default" 6 | 7 | # Source config for the Application 8 | source: 9 | 10 | # Git Repo the Application points to. 11 | repoUrl: "" 12 | 13 | # Target revision for the repo. 14 | targetRevision: "HEAD" 15 | 16 | # Path in the repo Argo should look for manifests. 17 | path: "" 18 | 19 | # Helm configuration. 20 | helm : 21 | values: "" 22 | 23 | # Destination cluster. 24 | destination: 25 | server: "https://kubernetes.default.svc" 26 | 27 | ignoreDifferences: 28 | # - group: argoproj.io 29 | # kind: Application 30 | # jsonPointers: 31 | # - /spec/syncPolicy 32 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/aws-kube-proxy/variables.tf: -------------------------------------------------------------------------------- 1 | variable "addon_config" { 2 | description = "Amazon EKS Managed Add-on config for Kube Proxy" 3 | type = any 4 | default = {} 5 | } 6 | 7 | variable "addon_context" { 8 | description = "Input configuration for the addon" 9 | type = object({ 10 | aws_caller_identity_account_id = string 11 | aws_caller_identity_arn = string 12 | aws_eks_cluster_endpoint = string 13 | aws_partition_id = string 14 | aws_region_name = string 15 | eks_cluster_id = string 16 | eks_oidc_issuer_url = string 17 | eks_oidc_provider_arn = string 18 | tags = map(string) 19 | }) 20 | } 21 | -------------------------------------------------------------------------------- /examples/stateful/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | 
required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 4.47" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.17" 12 | } 13 | helm = { 14 | source = "hashicorp/helm" 15 | version = ">= 2.8" 16 | } 17 | random = { 18 | source = "hashicorp/random" 19 | version = ">= 3.0" 20 | } 21 | } 22 | 23 | # ## Used for end-to-end testing on project; update to suit your needs 24 | # backend "s3" { 25 | # bucket = "terraform-ssp-github-actions-state" 26 | # region = "us-west-2" 27 | # key = "e2e/stateful/terraform.tfstate" 28 | # } 29 | } 30 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/cluster-autoscaler/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? { 4 | enable = true 5 | serviceAccountName = local.service_account 6 | } : null 7 | } 8 | 9 | output "release_metadata" { 10 | description = "Map of attributes of the Helm release metadata" 11 | value = module.helm_addon.release_metadata 12 | } 13 | 14 | output "irsa_arn" { 15 | description = "IAM role ARN for the service account" 16 | value = module.helm_addon.irsa_arn 17 | } 18 | 19 | output "service_account" { 20 | description = "Name of Kubernetes service account" 21 | value = module.helm_addon.service_account 22 | } 23 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/local-volume-provisioner/variables.tf: -------------------------------------------------------------------------------- 1 | variable "helm_config" { 2 | description = "Helm Config for local volume provisioner" 3 | type = any 4 | default = {} 5 | } 6 | 7 | variable "addon_context" { 8 | description = "Input configuration for the addon" 9 | type = object({ 10 | aws_caller_identity_account_id = 
string 11 | aws_caller_identity_arn = string 12 | aws_eks_cluster_endpoint = string 13 | aws_partition_id = string 14 | aws_region_name = string 15 | eks_cluster_id = string 16 | eks_oidc_issuer_url = string 17 | eks_oidc_provider_arn = string 18 | tags = map(string) 19 | }) 20 | } 21 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/nvidia-device-plugin/locals.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | name = "nvidia-device-plugin" 3 | 4 | # https://github.com/NVIDIA/k8s-device-plugin/blob/master/deployments/helm/nvidia-device-plugin/Chart.yaml 5 | default_helm_config = { 6 | name = local.name 7 | chart = local.name 8 | repository = "https://nvidia.github.io/k8s-device-plugin" 9 | version = "0.12.3" 10 | namespace = local.name 11 | description = "nvidia-device-plugin Helm Chart deployment configuration" 12 | create_namespace = true 13 | } 14 | 15 | helm_config = merge( 16 | local.default_helm_config, 17 | var.helm_config 18 | ) 19 | 20 | argocd_gitops_config = { 21 | enable = true 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /examples/karpenter/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 4.47" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.10" 12 | } 13 | helm = { 14 | source = "hashicorp/helm" 15 | version = ">= 2.4.1" 16 | } 17 | kubectl = { 18 | source = "gavinbunney/kubectl" 19 | version = ">= 1.14" 20 | } 21 | } 22 | 23 | # ## Used for end-to-end testing on project; update to suit your needs 24 | # backend "s3" { 25 | # bucket = "terraform-ssp-github-actions-state" 26 | # region = "us-west-2" 27 | # key = "e2e/karpenter/terraform.tfstate" 28 | # } 29 | } 30 | 
-------------------------------------------------------------------------------- /modules/kubernetes-addons/yunikorn/locals.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | name = "yunikorn" 3 | 4 | # https://github.com/apache/yunikorn-release/blob/master/helm-charts/yunikorn/Chart.yaml 5 | default_helm_config = { 6 | name = local.name 7 | chart = local.name 8 | repository = "https://apache.github.io/yunikorn-release" 9 | version = "1.1.0" 10 | namespace = local.name 11 | description = "Apache YuniKorn (Incubating) is a light-weight, universal resource scheduler for container orchestrator systems" 12 | values = [file("${path.module}/values.yaml")] 13 | } 14 | 15 | helm_config = merge( 16 | local.default_helm_config, 17 | var.helm_config 18 | ) 19 | 20 | argocd_gitops_config = { 21 | enable = true 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /tfsec.yaml: -------------------------------------------------------------------------------- 1 | exclude: 2 | - aws-iam-no-policy-wildcards # Wildcards required in addon IAM policies 3 | - aws-vpc-no-excessive-port-access # VPC settings left up to user implementation for recommended practices 4 | - aws-vpc-no-public-ingress-acl # VPC settings left up to user implementation for recommended practices 5 | - aws-eks-no-public-cluster-access-to-cidr # Public access enabled for better example usability, users are recommended to disable if possible 6 | - aws-eks-no-public-cluster-access # Public access enabled for better example usability, users are recommended to disable if possible 7 | - aws-eks-encrypt-secrets # Module defaults to encrypting secrets with CMK, but this is not hardcoded and therefore a spurious error 8 | - aws-vpc-no-public-egress-sgr # Added in v1.22 9 | -------------------------------------------------------------------------------- /examples/appmesh-mtls/versions.tf: 
-------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 4.47" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.17" 12 | } 13 | helm = { 14 | source = "hashicorp/helm" 15 | version = ">= 2.8" 16 | } 17 | kubectl = { 18 | source = "gavinbunney/kubectl" 19 | version = ">= 1.14" 20 | } 21 | } 22 | 23 | # ## Used for end-to-end testing on project; update to suit your needs 24 | # backend "s3" { 25 | # bucket = "terraform-ssp-github-actions-state" 26 | # region = "us-west-2" 27 | # key = "e2e/appmesh-mtls/terraform.tfstate" 28 | # } 29 | } 30 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/kubecost/main.tf: -------------------------------------------------------------------------------- 1 | module "helm_addon" { 2 | source = "../helm-addon" 3 | 4 | # https://github.com/kubecost/cost-analyzer-helm-chart/blob/develop/cost-analyzer/Chart.yaml 5 | helm_config = merge( 6 | { 7 | name = "kubecost" 8 | chart = "cost-analyzer" 9 | repository = "oci://public.ecr.aws/kubecost" 10 | version = "1.103.3" 11 | namespace = "kubecost" 12 | values = [file("${path.module}/values.yaml")] 13 | create_namespace = true 14 | description = "Kubecost Helm Chart deployment configuration" 15 | }, 16 | var.helm_config 17 | ) 18 | 19 | manage_via_gitops = var.manage_via_gitops 20 | addon_context = var.addon_context 21 | } 22 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/local-volume-provisioner/local-static-provisioner/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: provisioner 3 | description: local provisioner chart 4 | keywords: 5 | - storage 6 | - local 7 | 8 | # This is the chart version. 
This version number should be incremented each time you make changes 9 | # to the chart and its templates, including the app version. 10 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 11 | version: 2.6.0-alpha.1 12 | 13 | # This is the version number of the application being deployed. This version number should be 14 | # incremented each time you make changes to the application. Versions are not expected to 15 | # follow Semantic Versioning. They should reflect the version the application is using. 16 | appVersion: 2.4.0 17 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/ondat/values.yaml: -------------------------------------------------------------------------------- 1 | ondat-operator: 2 | serviceAccount: 3 | create: false 4 | name: ${ondat_service_account_name} 5 | cluster: 6 | create: true 7 | secretRefName: ${ondat_credential_secret_name} 8 | admin: 9 | username: ${ondat_admin_username} 10 | password: ${ondat_admin_password} 11 | kvBackend: 12 | address: ${etcd_address} 13 | nodeSelectorTerm: 14 | key: ${ondat_nodeselectorterm_key} 15 | value: ${ondat_nodeselectorterm_value} 16 | etcd-cluster-operator: 17 | cluster: 18 | replicas: 5 19 | storage: 15Gi 20 | storageclass: etcd 21 | nodeSelectorTerm: 22 | key: ${etcd_nodeselectorterm_key} 23 | value: ${etcd_nodeselectorterm_value} 24 | ondat: 25 | namespace: storageos 26 | -------------------------------------------------------------------------------- /examples/amp-amg-opensearch/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 4.47" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.17" 12 | } 13 | helm = { 14 | source = "hashicorp/helm" 15 | version = ">= 2.8" 16 | } 17 | grafana = { 18 | source = 
"grafana/grafana" 19 | version = ">= 1.34" 20 | } 21 | } 22 | 23 | # ## Used for end-to-end testing on project; update to suit your needs 24 | # backend "s3" { 25 | # bucket = "terraform-ssp-github-actions-state" 26 | # region = "us-west-2" 27 | # key = "e2e/amp-amg-opensearch/terraform.tfstate" 28 | # } 29 | } 30 | -------------------------------------------------------------------------------- /examples/external-secrets/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 4.47" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.17" 12 | } 13 | helm = { 14 | source = "hashicorp/helm" 15 | version = ">= 2.8" 16 | } 17 | kubectl = { 18 | source = "gavinbunney/kubectl" 19 | version = ">= 1.14" 20 | } 21 | } 22 | 23 | # ## Used for end-to-end testing on project; update to suit your needs 24 | # backend "s3" { 25 | # bucket = "terraform-ssp-github-actions-state" 26 | # region = "us-west-2" 27 | # key = "e2e/complete-kubernetes-addons/terraform.tfstate" 28 | # } 29 | } 30 | -------------------------------------------------------------------------------- /examples/tls-with-aws-pca-issuer/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 4.47" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.17" 12 | } 13 | helm = { 14 | source = "hashicorp/helm" 15 | version = ">= 2.8" 16 | } 17 | kubectl = { 18 | source = "gavinbunney/kubectl" 19 | version = ">= 1.14" 20 | } 21 | } 22 | 23 | # ## Used for end-to-end testing on project; update to suit your needs 24 | # backend "s3" { 25 | # bucket = "terraform-ssp-github-actions-state" 26 | # region = "us-west-2" 27 | # 
key = "e2e/tls-with-aws-pca-issuer/terraform.tfstate" 28 | # } 29 | } 30 | -------------------------------------------------------------------------------- /examples/wireguard-with-cilium/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 4.47" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.17" 12 | } 13 | helm = { 14 | source = "hashicorp/helm" 15 | version = ">= 2.8" 16 | } 17 | kubectl = { 18 | source = "gavinbunney/kubectl" 19 | version = ">= 1.14" 20 | } 21 | } 22 | 23 | # ## Used for end-to-end testing on project; update to suit your needs 24 | # backend "s3" { 25 | # bucket = "terraform-ssp-github-actions-state" 26 | # region = "us-west-2" 27 | # key = "e2e/wireguard-with-cilium/terraform.tfstate" 28 | # } 29 | } 30 | -------------------------------------------------------------------------------- /versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 4.47" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.10" 12 | } 13 | helm = { 14 | source = "hashicorp/helm" 15 | version = ">= 2.4.1" 16 | } 17 | local = { 18 | source = "hashicorp/local" 19 | version = ">= 2.1" 20 | } 21 | null = { 22 | source = "hashicorp/null" 23 | version = ">= 3.1" 24 | } 25 | http = { 26 | source = "terraform-aws-modules/http" 27 | version = "2.4.1" 28 | } 29 | kubectl = { 30 | source = "gavinbunney/kubectl" 31 | version = ">= 1.14" 32 | } 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /examples/multi-tenancy-with-teams/versions.tf: -------------------------------------------------------------------------------- 1 
| terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 4.47" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.10" 12 | } 13 | helm = { 14 | source = "hashicorp/helm" 15 | version = ">= 2.4.1" 16 | } 17 | kubectl = { 18 | source = "gavinbunney/kubectl" 19 | version = ">= 1.14" 20 | } 21 | } 22 | 23 | # ## Used for end-to-end testing on project; update to suit your needs 24 | # backend "s3" { 25 | # bucket = "terraform-ssp-github-actions-state" 26 | # region = "us-west-2" 27 | # key = "e2e/multi-tenancy-with-teams/terraform.tfstate" 28 | # } 29 | } 30 | -------------------------------------------------------------------------------- /examples/vpc-cni-custom-networking/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 4.47" 8 | } 9 | kubernetes = { 10 | source = "hashicorp/kubernetes" 11 | version = ">= 2.10" 12 | } 13 | helm = { 14 | source = "hashicorp/helm" 15 | version = ">= 2.4.1" 16 | } 17 | kubectl = { 18 | source = "gavinbunney/kubectl" 19 | version = ">= 1.14" 20 | } 21 | } 22 | 23 | # ## Used for end-to-end testing on project; update to suit your needs 24 | # backend "s3" { 25 | # bucket = "terraform-ssp-github-actions-state" 26 | # region = "us-west-2" 27 | # key = "e2e/vpc-cni-custom-networking/terraform.tfstate" 28 | # } 29 | } 30 | -------------------------------------------------------------------------------- /.github/workflows/pr-title.yml: -------------------------------------------------------------------------------- 1 | name: 'PR title' 2 | 3 | on: 4 | pull_request_target: 5 | types: 6 | - opened 7 | - edited 8 | - synchronize 9 | 10 | jobs: 11 | main: 12 | name: Validate PR title 13 | runs-on: ubuntu-latest 14 | steps: 15 | - uses: 
amannn/action-semantic-pull-request@v5.0.2 16 | env: 17 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 18 | with: 19 | requireScope: false 20 | subjectPattern: ^[A-Z].+$ 21 | subjectPatternError: | 22 | The subject "{subject}" found in the pull request title "{title}" 23 | didn't match the configured pattern. Please ensure that the subject 24 | starts with an uppercase character. 25 | wip: true 26 | validateSingleCommit: false 27 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/kube-state-metrics/main.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | name = "kube-state-metrics" 3 | } 4 | 5 | module "helm_addon" { 6 | source = "../helm-addon" 7 | 8 | # https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-state-metrics/Chart.yaml 9 | helm_config = merge( 10 | { 11 | name = local.name 12 | chart = local.name 13 | repository = "https://prometheus-community.github.io/helm-charts" 14 | version = "4.29.0" 15 | namespace = local.name 16 | create_namespace = true 17 | description = "Kube State Metrics helm Chart deployment configuration" 18 | }, 19 | var.helm_config 20 | ) 21 | 22 | addon_context = var.addon_context 23 | manage_via_gitops = var.manage_via_gitops 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/sysdig/locals.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | name = "sysdig" 3 | namespace = "sysdig" 4 | 5 | set_values = [] 6 | 7 | default_helm_config = { 8 | name = local.name 9 | chart = "sysdig-deploy" 10 | repository = "https://charts.sysdig.com" 11 | version = "1.5.71" 12 | namespace = local.namespace 13 | create_namespace = true 14 | values = local.default_helm_values 15 | set = [] 16 | description = "Sysdig HelmChart Sysdig-Deploy configuration" 17 | wait = false 18 | } 19 | 20 | helm_config = merge( 21 | 
local.default_helm_config, 22 | var.helm_config 23 | ) 24 | 25 | default_helm_values = [templatefile("${path.module}/values-sysdig.yaml", {}, )] 26 | 27 | } 28 | -------------------------------------------------------------------------------- /docs/add-ons/csi-secrets-store-provider-aws.md: -------------------------------------------------------------------------------- 1 | # secrets-store-csi-driver-provider-aws 2 | 3 | AWS Secrets Manager and Config Provider for Secrets Store CSI Driver allows you to get secret contents stored in an AWS Key Management Service instance and use the Secrets Store CSI driver interface to mount them into Kubernetes pods. For a detailed architectural overview, refer to [How to use AWS Secrets & Configuration Provider with your Kubernetes Secrets Store CSI driver](https://aws.amazon.com/blogs/security/how-to-use-aws-secrets-configuration-provider-with-kubernetes-secrets-store-csi-driver/) 4 | 5 | ## Usage 6 | 7 | csi-secrets-store-provider-aws can be deployed by enabling the add-ons via the following. 8 | 9 | ```hcl 10 | enable_secrets_store_csi_driver = true 11 | enable_secrets_store_csi_driver_provider_aws = true 12 | ``` 13 | -------------------------------------------------------------------------------- /examples/blue-green-upgrade/modules/eks_cluster/outputs.tf: -------------------------------------------------------------------------------- 1 | output "eks_cluster_id" { 2 | description = "The name of the EKS cluster." 3 | value = module.eks_blueprints.eks_cluster_id 4 | } 5 | 6 | output "configure_kubectl" { 7 | description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig" 8 | value = module.eks_blueprints.configure_kubectl 9 | } 10 | 11 | output "eks_cluster_endpoint" { 12 | description = "The endpoint of the EKS cluster." 
13 | value = module.eks_blueprints.eks_cluster_endpoint 14 | } 15 | 16 | output "eks_cluster_certificate_authority_data" { 17 | description = "eks_cluster_certificate_authority_data" 18 | value = module.eks_blueprints.eks_cluster_certificate_authority_data 19 | } 20 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/calico/main.tf: -------------------------------------------------------------------------------- 1 | module "helm_addon" { 2 | source = "../helm-addon" 3 | 4 | # https://github.com/projectcalico/calico/blob/master/charts/tigera-operator/Chart.yaml 5 | helm_config = merge( 6 | { 7 | name = "calico" 8 | chart = "tigera-operator" 9 | repository = "https://docs.projectcalico.org/charts" 10 | version = "v3.24.3" 11 | namespace = "tigera-operator" 12 | values = [ 13 | <<-EOT 14 | installation: 15 | kubernetesProvider: "EKS" 16 | EOT 17 | ] 18 | create_namespace = true 19 | description = "calico helm Chart deployment configuration" 20 | }, 21 | var.helm_config 22 | ) 23 | manage_via_gitops = var.manage_via_gitops 24 | addon_context = var.addon_context 25 | } 26 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/vpa/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? 
{ enable = true } : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/calico/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? { enable = true } : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/kubecost/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? 
{ enable = true } : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/promtail/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? { enable = true } : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/traefik/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? 
{ enable = true } : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/chaos-mesh/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? { enable = true } : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/ingress-nginx/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? 
{ enable = true } : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/keda/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? local.argocd_gitops_config : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/kubecost/values.yaml: -------------------------------------------------------------------------------- 1 | # https://github.com/kubecost/cost-analyzer-helm-chart/blob/master/cost-analyzer/values-eks-cost-monitoring.yaml 2 | global: 3 | grafana: 4 | enabled: false 5 | proxy: false 6 | 7 | imageVersion: 
prod-1.103.3 8 | kubecostFrontend: 9 | image: public.ecr.aws/kubecost/frontend 10 | 11 | kubecostModel: 12 | image: public.ecr.aws/kubecost/cost-model 13 | 14 | kubecostMetrics: 15 | emitPodAnnotations: true 16 | emitNamespaceAnnotations: true 17 | 18 | prometheus: 19 | server: 20 | image: 21 | repository: public.ecr.aws/kubecost/prometheus 22 | tag: v2.35.0 23 | 24 | configmapReload: 25 | prometheus: 26 | image: 27 | repository: public.ecr.aws/bitnami/configmap-reload 28 | tag: 0.7.1 29 | 30 | reporting: 31 | productAnalytics: false 32 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/agones/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? local.argocd_gitops_config : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/airflow/variables.tf: -------------------------------------------------------------------------------- 1 | variable "helm_config" { 2 | description = "Helm provider config for the airflow." 
3 | type = any 4 | default = {} 5 | } 6 | 7 | variable "addon_context" { 8 | description = "Input configuration for the addon" 9 | type = object({ 10 | aws_caller_identity_account_id = string 11 | aws_caller_identity_arn = string 12 | aws_eks_cluster_endpoint = string 13 | aws_partition_id = string 14 | aws_region_name = string 15 | eks_cluster_id = string 16 | eks_oidc_issuer_url = string 17 | eks_oidc_provider_arn = string 18 | tags = map(string) 19 | irsa_iam_role_path = string 20 | irsa_iam_permissions_boundary = string 21 | }) 22 | } 23 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/datadog-operator/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? { enable = true } : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/grafana/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? 
local.argocd_gitops_config : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/kube-state-metrics/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? { enable = true } : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/reloader/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? 
local.argocd_gitops_config : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/smb-csi-driver/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? { enable = true } : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/spark-k8s-operator/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? 
{ enable = true } : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/thanos/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? local.argocd_gitops_config : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/velero/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? 
local.argocd_gitops_config : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/yunikorn/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? local.argocd_gitops_config : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/argo-rollouts/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? 
local.argocd_gitops_config : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/argo-workflows/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? local.argocd_gitops_config : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/cert-manager-csi-driver/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? 
{ enable = true } : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/cert-manager-istio-csr/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? { enable = true } : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/external-dns/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with GitOps" 3 | value = var.manage_via_gitops ? 
local.argocd_gitops_config : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/gatekeeper/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? local.argocd_gitops_config : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/kuberay-operator/variables.tf: -------------------------------------------------------------------------------- 1 | variable "helm_config" { 2 | description = "Helm Config for KubeRay Operator" 3 | type = any 4 | default = {} 5 | } 6 | 7 | variable "addon_context" { 8 | description = 
"Input configuration for the addon" 9 | type = object({ 10 | aws_caller_identity_account_id = string 11 | aws_caller_identity_arn = string 12 | aws_eks_cluster_endpoint = string 13 | aws_partition_id = string 14 | aws_region_name = string 15 | eks_cluster_id = string 16 | eks_oidc_issuer_url = string 17 | eks_oidc_provider_arn = string 18 | irsa_iam_permissions_boundary = string 19 | irsa_iam_role_path = string 20 | tags = map(string) 21 | }) 22 | } 23 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/metrics-server/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? local.argocd_gitops_config : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/strimzi-kafka-operator/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? 
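{ enable = true } : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /.github/workflows/markdown-link-check.yml: --------------------------------------------------------------------------------
# Runs markdown-link-check over the Markdown files under docs/ whenever a push
# or pull request against main touches any *.md file. Note the asymmetry: the
# trigger matches "**/*.md" anywhere in the repo, but only docs/ is scanned.
name: Check Markdown links

on:
  push:
    branches:
      - main
    paths:
      - "**/*.md"

  pull_request:
    branches:
      - main
    paths:
      - "**/*.md"

# Least privilege for GITHUB_TOKEN: this job only needs to read the checkout,
# so restrict the token explicitly instead of inheriting the repository default
# (which may be read/write depending on repository or organisation settings).
permissions:
  contents: read

jobs:
  markdown-link-check:
    runs-on: ubuntu-latest
    steps:
      # Supply-chain note: "@v3" is a mutable tag. Pinning each action to its
      # full commit SHA (keeping the tag as a trailing comment) makes the
      # resolved action immutable; Dependabot can keep the SHA pins current.
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '16.x'
      - name: install markdown-link-check
        # Exact version pin (not a range) so CI results are reproducible.
        run: npm install -g markdown-link-check@3.10.2
      - name: markdown-link-check version
        run: npm list -g markdown-link-check
      - name: Run markdown-link-check on MD files
        # -print0/-0 keeps file names with whitespace intact; xargs -n 1 runs
        # one checker per file and exits non-zero if any invocation fails.
        run: find docs -name "*.md" -print0 | xargs -0 -n 1 markdown-link-check -q -c .github/workflows/linkcheck.json
-------------------------------------------------------------------------------- /examples/amp-amg-opensearch/outputs.tf: -------------------------------------------------------------------------------- 1 | output "opensearch_pw" { 2 | description = "Amazon OpenSearch Service Domain password" 3 | value = var.opensearch_dashboard_pw 4 | sensitive = true # redacts the value from plan/apply/output display only; it is still stored in plaintext in the Terraform state, so protect the state backend 5 | } 6 | 7 | output "opensearch_user" { 8 | description = "Amazon OpenSearch Service Domain username" 9 | value = 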
var.opensearch_dashboard_user 10 | } 11 | 12 | output "opensearch_vpc_endpoint" { 13 | description = "Amazon OpenSearch Service Domain-specific endpoint" 14 | value = aws_elasticsearch_domain.opensearch.endpoint 15 | } 16 | 17 | output "configure_kubectl" { 18 | description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig" 19 | value = "aws eks --region ${local.region} update-kubeconfig --name ${module.eks.cluster_name}" 20 | } 21 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/aws-fsx-csi-driver/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? local.argocd_gitops_config : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/external-secrets/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? 
local.argocd_gitops_config : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/aws-cloudwatch-metrics/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? local.argocd_gitops_config : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/aws-privateca-issuer/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? 
local.argocd_gitops_config : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/cluster-proportional-autoscaler/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? { enable = true } : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/csi-secrets-store-provider-aws/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? 
{ enable = true } : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/kube-prometheus-stack/outputs.tf: -------------------------------------------------------------------------------- 1 | output "release_metadata" { 2 | description = "Map of attributes of the Helm release metadata" 3 | value = module.helm_addon.release_metadata 4 | } 5 | 6 | output "irsa_arn" { 7 | description = "IAM role ARN for the service account" 8 | value = module.helm_addon.irsa_arn 9 | } 10 | 11 | output "irsa_name" { 12 | description = "IAM role name for the service account" 13 | value = module.helm_addon.irsa_name 14 | } 15 | 16 | output "service_account" { 17 | description = "Name of Kubernetes service account" 18 | value = module.helm_addon.service_account 19 | } 20 | 21 | output "argocd_gitops_config" { 22 | description = "Configuration used for managing the add-on with ArgoCD" 23 | value = var.manage_via_gitops ? 
local.argocd_gitops_config : null 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/kuberay-operator/main.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | name = "kuberay-operator" 3 | namespace = try(var.helm_config.namespace, local.name) 4 | } 5 | 6 | resource "kubernetes_namespace_v1" "this" { 7 | metadata { 8 | name = local.namespace 9 | } 10 | } 11 | 12 | module "helm_addon" { 13 | source = "../helm-addon" 14 | 15 | # https://github.com/ray-project/kuberay/blob/master/helm-chart/kuberay-operator/Chart.yaml 16 | helm_config = merge( 17 | { 18 | name = local.name 19 | chart = "${path.module}/kuberay-operator-config" 20 | version = "0.3.0" 21 | namespace = kubernetes_namespace_v1.this.metadata[0].name 22 | description = "KubeRay Operator Helm Chart deployment configuration" 23 | }, 24 | var.helm_config 25 | ) 26 | 27 | addon_context = var.addon_context 28 | } 29 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/kubernetes-dashboard/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? 
local.argocd_gitops_config : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/nvidia-device-plugin/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? local.argocd_gitops_config : null 4 | } 5 | 6 | output "release_metadata" { 7 | description = "Map of attributes of the Helm release metadata" 8 | value = module.helm_addon.release_metadata 9 | } 10 | 11 | output "irsa_arn" { 12 | description = "IAM role ARN for the service account" 13 | value = module.helm_addon.irsa_arn 14 | } 15 | 16 | output "irsa_name" { 17 | description = "IAM role name for the service account" 18 | value = module.helm_addon.irsa_name 19 | } 20 | 21 | output "service_account" { 22 | description = "Name of Kubernetes service account" 23 | value = module.helm_addon.service_account 24 | } 25 | -------------------------------------------------------------------------------- /modules/kubernetes-addons/secrets-store-csi-driver/outputs.tf: -------------------------------------------------------------------------------- 1 | output "argocd_gitops_config" { 2 | description = "Configuration used for managing the add-on with ArgoCD" 3 | value = var.manage_via_gitops ? 
local.argocd_gitops_config : null
}

output "release_metadata" {
  description = "Map of attributes of the Helm release metadata"
  value       = module.helm_addon.release_metadata
}

# IAM role bound to the CSI driver's service account (IRSA). Trust policy and
# permissions are defined in helm-addon; this module only re-exports the ARN.
output "irsa_arn" {
  description = "IAM role ARN for the service account"
  value       = module.helm_addon.irsa_arn
}

output "irsa_name" {
  description = "IAM role name for the service account"
  value       = module.helm_addon.irsa_name
}

output "service_account" {
  description = "Name of Kubernetes service account"
  value       = module.helm_addon.service_account
}
--------------------------------------------------------------------------------
/modules/kubernetes-addons/spark-history-server/outputs.tf:
--------------------------------------------------------------------------------
# Standard add-on outputs; all but argocd_gitops_config are pass-throughs of helm-addon.
output "argocd_gitops_config" {
  description = "Configuration used for managing the add-on with ArgoCD"
  # null unless the add-on is delegated to ArgoCD — consumers must handle null.
  value = var.manage_via_gitops ? local.argocd_gitops_config : null
}

output "release_metadata" {
  description = "Map of attributes of the Helm release metadata"
  value       = module.helm_addon.release_metadata
}

# IAM role bound to the add-on's service account (IRSA); its trust policy and
# permissions are defined in helm-addon, not visible here.
output "irsa_arn" {
  description = "IAM role ARN for the service account"
  value       = module.helm_addon.irsa_arn
}

output "irsa_name" {
  description = "IAM role name for the service account"
  value       = module.helm_addon.irsa_name
}

output "service_account" {
  description = "Name of Kubernetes service account"
  value       = module.helm_addon.service_account
}
--------------------------------------------------------------------------------
/modules/kubernetes-addons/tetrate-istio/locals_tid.tf:
--------------------------------------------------------------------------------
# Copyright (c) Tetrate, Inc 2022 All Rights Reserved.

locals {
  tetrate_istio_distribution_helm_config = {
    description = "Tetrate Istio Distribution - Simple, safe enterprise-grade Istio distribution"
  }

  # Helm values that switch the CNI and istiod charts from upstream Istio
  # images to Tetrate's distribution. Both charts are pointed at the
  # third-party registry containers.istio.tetratelabs.com, and the image tag
  # is derived from the chart version the caller supplied (falling back to
  # local.default_helm_config.version, defined elsewhere in this module) with
  # a "-tetrate-v0" suffix. Overriding `version` in either helm_config
  # therefore also changes which image is pulled.
  # NOTE(review): a registry tag is a mutable pointer — the same tag can later
  # resolve to a different image. For the mesh control plane and the CNI,
  # consider pinning by digest or enforcing image-signature verification at
  # admission, if the charts expose a way to do so — confirm.
  tetrate_istio_distribution_helm_values = {
    cni = tolist([yamlencode({
      "global" : {
        "hub" : "containers.istio.tetratelabs.com",
        "tag" : "${lookup(var.cni_helm_config, "version", local.default_helm_config.version)}-tetrate-v0",
      }
    })])
    istiod = tolist([yamlencode({
      "global" : {
        "hub" : "containers.istio.tetratelabs.com",
        "tag" : "${lookup(var.istiod_helm_config, "version", local.default_helm_config.version)}-tetrate-v0",
      }
    })])
  }
}
--------------------------------------------------------------------------------
/modules/kubernetes-addons/aws-node-termination-handler/outputs.tf:
--------------------------------------------------------------------------------
# Standard add-on outputs; all but argocd_gitops_config are pass-throughs of helm-addon.
output "release_metadata" {
  description = "Map of attributes of the Helm release metadata"
  value       = module.helm_addon.release_metadata
}

# IAM role bound to the handler's service account (IRSA); trust policy and
# permissions are defined in helm-addon, not visible here.
output "irsa_arn" {
  description = "IAM role ARN for the service account"
  value       = module.helm_addon.irsa_arn
}

output "irsa_name" {
  description = "IAM role name for the service account"
  value       = module.helm_addon.irsa_name
}

output "service_account" {
  description = "Name of Kubernetes service account"
  value       = module.helm_addon.service_account
}

output "argocd_gitops_config" {
  description = "Configuration used for managing the add-on with ArgoCD"
  # null unless the add-on is delegated to ArgoCD — consumers must handle null.
  value = var.manage_via_gitops ?
local.argocd_gitops_config : null
}
--------------------------------------------------------------------------------
/.github/scripts/plan-examples.py:
--------------------------------------------------------------------------------
import json
import glob
import re


def get_examples() -> None:
    """
    Get all Terraform example root directories using their respective `versions.tf`;
    printing a JSON-encoded array of the example directories minus those that are excluded.

    Lives under .github/scripts, so the printed array presumably feeds a CI
    matrix of `terraform plan` jobs. Nothing is returned; the only effect is
    the line written to stdout. Paths are relative to the current working
    directory and use forward slashes, so run it from the repository root.

    Selection rules, in order:
      * every `examples/**/versions.tf` found recursively marks its parent
        directory as a project;
      * any path with a segment (other than the first) that starts with `_`
        is skipped — `^.+/_` matches the first occurrence of `/_` anywhere
        after the leading segment;
      * the hard-coded `exclude` set is subtracted afterwards.

    NOTE(review): `projects` is a set, so the element order of the printed
    array is not stable across interpreter runs — confirm the consuming
    workflow does not depend on ordering.
    """
    exclude: set[str] = {
        'examples/appmesh-mtls',  # excluded until Route53 is set up
        'examples/blue-green-upgrade/core-infra',
        'examples/blue-green-upgrade/modules/eks_cluster'
    }

    projects: set[str] = {
        # glob results end in '/versions.tf'; stripping it yields the example root
        x.replace('/versions.tf', '')
        for x in glob.glob('examples/**/versions.tf', recursive=True)
        # drop anything under an underscore-prefixed directory
        if not re.match(r'^.+/_', x)
    }

    print(json.dumps(list(projects.difference(exclude))))


if __name__ == '__main__':
    get_examples()
--------------------------------------------------------------------------------
/examples/argocd/versions.tf:
--------------------------------------------------------------------------------
terraform {
  required_version = ">= 1.0"

  # Provider constraints. Most are open-ended lower bounds, so a fresh
  # `terraform init` resolves to the newest published release. The versions
  # and checksums actually used are pinned only by a committed
  # .terraform.lock.hcl — NOTE(review): confirm one is tracked for this example.
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.47"
    }
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = ">= 2.17"
    }
    helm = {
      source  = "hashicorp/helm"
      version = ">= 2.8"
    }
    # Pinned to an exact version, unlike the other providers here.
    random = {
      source  = "hashicorp/random"
      version = "3.3.2"
    }
    # Community provider (not in the hashicorp/ namespace). NOTE(review):
    # review and pin it as you would any third-party dependency; presumably
    # used to hash a generated ArgoCD admin password — verify in main.tf.
    bcrypt = {
      source  = "viktorradnai/bcrypt"
      version = ">= 0.1.2"
    }
  }

  # ## Used for end-to-end testing on project; update to suit your needs
  # NOTE(review): if this backend is enabled, the remote state will contain
  # whatever the random/bcrypt providers generate; keep the bucket private,
  # encrypted and versioned, and restrict who can read it.
  # backend "s3" {
  #   bucket = "terraform-ssp-github-actions-state"
  #   region = "us-west-2"
  #   key    = "e2e/argocd/terraform.tfstate"
  # }
}
--------------------------------------------------------------------------------
/examples/multi-tenancy-with-teams/outputs.tf:
--------------------------------------------------------------------------------
# Ready-to-run kubeconfig commands, one per team role. Each command passes
# --role-arn, so kubectl will authenticate as the team's IAM role rather than
# as the caller's own identity; the caller's principal must be permitted to
# assume that role by the trust policy defined in the team module (not
# visible here). The ARNs themselves are not secrets, but they identify
# exactly which role grants which level of cluster access.
output "eks_blueprints_admin_team_configure_kubectl" {
  description = "Configure kubectl for each Platform Team: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig"
  value       = "aws eks --region ${local.region} update-kubeconfig --name ${module.eks.cluster_name} --role-arn ${module.eks_blueprints_admin_team.iam_role_arn}"
}

# One command per application team; module.eks_blueprints_dev_teams is a
# multi-instance module, so this is a list in its iteration order.
output "eks_blueprints_dev_teams_configure_kubectl" {
  description = "Configure kubectl for each Application Teams: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig"
  value       = [for team in module.eks_blueprints_dev_teams : "aws eks --region ${local.region} update-kubeconfig --name ${module.eks.cluster_name} --role-arn ${team.iam_role_arn}"]
}
--------------------------------------------------------------------------------
/modules/kubernetes-addons/prometheus/outputs.tf:
--------------------------------------------------------------------------------
output "argocd_gitops_config" {
  description = "Configuration used for managing the add-on with ArgoCD"
  # null unless the add-on is delegated to ArgoCD — consumers must handle null.
  value = var.manage_via_gitops ?
# Always sets enable = true and layers the AMP settings (built elsewhere in
# this module) on top; on a key collision local.amp_gitops_config wins.
merge(
  { enable = true },
  local.amp_gitops_config
) : null
}

output "release_metadata" {
  description = "Map of attributes of the Helm release metadata"
  value       = module.helm_addon.release_metadata
}

# IAM role bound to the Prometheus service account (IRSA); trust policy and
# permissions are defined in helm-addon, not visible here.
output "irsa_arn" {
  description = "IAM role ARN for the service account"
  value       = module.helm_addon.irsa_arn
}

output "irsa_name" {
  description = "IAM role name for the service account"
  value       = module.helm_addon.irsa_name
}

output "service_account" {
  description = "Name of Kubernetes service account"
  value       = module.helm_addon.service_account
}
--------------------------------------------------------------------------------
/modules/kubernetes-addons/cluster-proportional-autoscaler/main.tf:
--------------------------------------------------------------------------------
# Cluster Proportional Autoscaler add-on, installed from the upstream
# kubernetes-sigs chart repository into kube-system via the shared helm-addon module.
module "helm_addon" {
  source = "../helm-addon"

  # https://github.com/kubernetes-sigs/cluster-proportional-autoscaler/blob/master/charts/cluster-proportional-autoscaler/Chart.yaml
  # Defaults first, var.helm_config last: any caller-supplied key (chart,
  # repository, version, values, …) overrides the pinned defaults below, so
  # helm_config has to be treated as trusted input.
  helm_config = merge(
    {
      name  = "cluster-proportional-autoscaler"
      chart = "cluster-proportional-autoscaler"
      # Fetched over HTTPS from the upstream project at the pinned version.
      # NOTE(review): nothing in this module verifies chart provenance
      # (digest/signature); vendor or mirror the chart if stricter
      # supply-chain control is required.
      repository = "https://kubernetes-sigs.github.io/cluster-proportional-autoscaler"
      version    = "1.0.1"
      # kube-system is a privileged namespace, so a compromised release here
      # has a larger blast radius than one in a dedicated namespace. The
      # chart's RBAC is defined by the chart/values.yaml, not visible here.
      namespace = "kube-system"
      # Rendered from this module's values.yaml with the OS selector set to linux.
      values = [templatefile("${path.module}/values.yaml", {
        operating_system = "linux"
      })]
      description = "Cluster Proportional Autoscaler Helm Chart"
    },
    var.helm_config
  )

  manage_via_gitops = var.manage_via_gitops
  addon_context     = var.addon_context
}
--------------------------------------------------------------------------------