Initial commit.

modules/aws-iam/outputs.tf

@@ -0,0 +1,4 @@
+output "aws_iam_roles_arns" {
+  description = "The arns of the created IAM roles"
+  value       = { for k, v in merge(aws_iam_role.self[*]...) : k => v.arn }
+}

modules/aws-iam/role.tf

@@ -0,0 +1,18 @@
+locals {
+  iam_roles = { for name, role in var.iam_roles : name => merge(var.default_iam_role, role) }
+}
+
+resource "aws_iam_role" "self" {
+  for_each             = local.iam_roles
+  name                 = each.key
+  assume_role_policy   = jsonencode(each.value.assume_role_policy)
+  permissions_boundary = each.value.permissions_boundary
+}
+
+resource "aws_iam_role_policy" "self" {
+  for_each   = { for role, role_config in local.iam_roles : role => role_config if length(role_config.policy) > 0 }
+  name       = each.key
+  role       = each.key
+  policy     = jsonencode(each.value.policy)
+  depends_on = [aws_iam_role.self]
+}

modules/aws-iam/variables.tf

@@ -0,0 +1,21 @@
+variable "default_iam_role" {
+  description = "The default parameters for and IAM Role definition"
+  type = object({
+    assume_role_policy   = any
+    permissions_boundary = any
+    policy               = any
+    tags                 = map(string)
+  })
+  default = {
+    assume_role_policy   = null
+    permissions_boundary = null
+    policy               = null
+    tags                 = {}
+  }
+}
+
+variable "iam_roles" {
+  type        = map(any)
+  default     = {}
+  description = "The list of IAM roles and their permissions. See `default_iam_role` for the list of available params"
+}

modules/dns/main.tf

@@ -0,0 +1,3 @@
+resource "aws_route53_zone" "self" {
+  name = var.dns_zone_name
+}

modules/dns/outputs.tf

@@ -0,0 +1,3 @@
+output "dns_zone" {
+  value = aws_route53_zone.self
+}

modules/dns/variables.tf

@@ -0,0 +1,4 @@
+variable "dns_zone_name" {
+  type        = string
+  description = "The name of the main DNS zone to create"
+}

modules/eks-addon-csi-ebs/data.tf

@@ -0,0 +1,28 @@
+data "aws_eks_cluster_auth" "self" {
+  name = var.eks_cluster_id
+}
+
+data "aws_iam_policy_document" "self_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect  = "Allow"
+
+    condition {
+      test     = "StringEquals"
+      variable = "${replace(var.eks_cluster_oidc_issuer_url, "https://", "")}:sub"
+      values   = ["system:serviceaccount:kube-system:ebs-csi-controller-sa"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "${replace(var.eks_cluster_oidc_issuer_url, "https://", "")}:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+
+    principals {
+      identifiers = [
+        var.eks_oidc_provider_arn
+      ]
+      type = "Federated"
+    }
+  }
+}

modules/eks-addon-csi-ebs/eks.tf

@@ -0,0 +1,15 @@
+resource "kubernetes_storage_class" "self_encrypted" {
+  metadata {
+    name = "gp3-encrypted"
+  }
+  storage_provisioner = "ebs.csi.aws.com"
+  parameters = {
+    type      = "gp3"
+    encrypted = "true"
+  }
+
+  reclaim_policy = "Retain"
+
+  allow_volume_expansion = "true"
+  volume_binding_mode    = "WaitForFirstConsumer"
+}

modules/eks-addon-csi-ebs/main.tf

@@ -0,0 +1,17 @@
+resource "aws_iam_role" "self" {
+  assume_role_policy = data.aws_iam_policy_document.self_assume_role_policy.json
+  name               = "EksCsiEbsRole-${var.eks_cluster_id}"
+}
+
+resource "aws_iam_role_policy_attachment" "self" {
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
+  role       = aws_iam_role.self.name
+}
+
+resource "aws_eks_addon" "self" {
+  cluster_name  = var.eks_cluster_id
+  addon_name    = "aws-ebs-csi-driver"
+  addon_version = var.addon_version
+
+  service_account_role_arn = aws_iam_role.self.arn
+}

modules/eks-addon-csi-ebs/provider.tf

@@ -0,0 +1,5 @@
+provider "kubernetes" {
+  host                   = var.eks_cluster_endpoint
+  cluster_ca_certificate = base64decode(var.eks_cluster_certificate_authority_data)
+  token                  = data.aws_eks_cluster_auth.self.token
+}

modules/eks-addon-csi-ebs/variables.tf

@@ -0,0 +1,30 @@
+variable "eks_cluster_id" {
+  type        = string
+  description = "The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready"
+}
+
+variable "eks_cluster_oidc_issuer_url" {
+  type        = string
+  description = "The EKS cluster OIDC issuer url"
+}
+
+variable "eks_oidc_provider_arn" {
+  type        = string
+  description = "The EKS cluster OIDC provider arn"
+}
+
+variable "eks_cluster_endpoint" {
+  type        = string
+  description = "Endpoint for your Kubernetes API server"
+}
+
+variable "eks_cluster_certificate_authority_data" {
+  type        = string
+  description = "Base64 encoded certificate data required to communicate with the cluster"
+}
+
+variable "addon_version" {
+  type        = string
+  description = "The addon version"
+  default     = "v1.5.2-eksbuild.1"
+}

modules/eks-auth/data.tf

@@ -0,0 +1,3 @@
+data "aws_eks_cluster_auth" "self" {
+  name = var.cluster_id
+}

modules/eks-auth/main.tf

@@ -0,0 +1,14 @@
+locals {
+  current_roles = yamldecode(yamldecode(var.aws_auth_configmap_yaml).data.mapRoles)
+}
+
+resource "kubernetes_config_map" "aws_auth" {
+  metadata {
+    name      = "aws-auth"
+    namespace = "kube-system"
+  }
+
+  data = {
+    mapRoles = yamlencode(concat(local.current_roles, var.aws_auth_additional_roles))
+  }
+}

modules/eks-auth/provider.tf

@@ -0,0 +1,5 @@
+provider "kubernetes" {
+  host                   = var.cluster_endpoint
+  cluster_ca_certificate = base64decode(var.cluster_certificate_authority_data)
+  token                  = data.aws_eks_cluster_auth.self.token
+}

modules/eks-auth/variables.tf

@@ -0,0 +1,28 @@
+variable "aws_auth_configmap_yaml" {
+  description = "Formatted yaml for base aws-auth configmap containing roles used in cluster node groups/fargate profiles"
+  type        = string
+}
+
+variable "aws_auth_additional_roles" {
+  type = list(object({
+    rolearn  = string
+    groups   = list(string)
+    username = string
+    }
+  ))
+}
+
+variable "cluster_id" {
+  type        = string
+  description = "The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready"
+}
+
+variable "cluster_endpoint" {
+  type        = string
+  description = "Endpoint for your Kubernetes API server"
+}
+
+variable "cluster_certificate_authority_data" {
+  type        = string
+  description = "Base64 encoded certificate data required to communicate with the cluster"
+}

modules/eks-auth/versions.tf

@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "2.8.0"
+    }
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.4.0"
+    }
+  }
+}

modules/eks-aws-load-balancer-controller/data.tf

@@ -0,0 +1,3 @@
+data "aws_eks_cluster_auth" "self" {
+  name = var.cluster_id
+}

modules/eks-aws-load-balancer-controller/main.tf

@@ -0,0 +1,16 @@
+resource "helm_release" "aws_load_balancer_controller" {
+  name             = "aws-load-balancer-controller"
+  repository       = "https://aws.github.io/eks-charts"
+  chart            = "aws-load-balancer-controller"
+  version          = "1.4.2"
+  namespace        = var.namespace
+  create_namespace = var.create_namespace
+
+  values = [
+    templatefile("values.yaml", {
+      cluster_name         = var.cluster_id
+      service_account_name = var.service_account_name
+      iam_role_arn         = var.iam_role_arn
+    })
+  ]
+}

modules/eks-aws-load-balancer-controller/provider.tf

@@ -0,0 +1,7 @@
+provider "helm" {
+  kubernetes {
+    host                   = var.cluster_endpoint
+    cluster_ca_certificate = base64decode(var.cluster_certificate_authority_data)
+    token                  = data.aws_eks_cluster_auth.self.token
+  }
+}

modules/eks-aws-load-balancer-controller/values.yaml

@@ -0,0 +1,8 @@
+clusterName: "${cluster_name}"
+
+serviceAccount:
+  create: true
+  annotations:
+    eks.amazonaws.com/role-arn: "${iam_role_arn}"
+  name: "${service_account_name}"
+  automountServiceAccountToken: true

modules/eks-aws-load-balancer-controller/variables.tf

@@ -0,0 +1,41 @@
+variable "environment" {
+  description = "Environment name, used for secret naming convention"
+  type        = string
+}
+
+variable "cluster_id" {
+  type        = string
+  description = "The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready"
+}
+
+variable "cluster_endpoint" {
+  type        = string
+  description = "Endpoint for your Kubernetes API server"
+}
+
+variable "cluster_certificate_authority_data" {
+  type        = string
+  description = "Base64 encoded certificate data required to communicate with the cluster"
+}
+
+variable "namespace" {
+  type        = string
+  description = "The namespace where the helm chart is deployed"
+  default     = "aws-local-balancer"
+}
+
+variable "create_namespace" {
+  type        = bool
+  description = "Flag allowing to create the namespace if it does not exists"
+  default     = true
+}
+
+variable "service_account_name" {
+  type        = string
+  description = "The name of the service account used by the controller"
+}
+
+variable "iam_role_arn" {
+  type        = string
+  description = "The arn of the IAM Role that have permissions required by the controller"
+}

modules/eks-ingress-controller/data.tf

@@ -0,0 +1,15 @@
+data "aws_lb" "public" {
+  depends_on = [helm_release.nginx_ingress_contoller]
+
+  tags = merge(var.tags, { scheme = "internet-facing" })
+}
+
+data "aws_lb" "internal" {
+  depends_on = [helm_release.nginx_ingress_contoller]
+
+  tags = merge(var.tags, { scheme = "internal" })
+}
+
+data "aws_eks_cluster_auth" "self" {
+  name = var.cluster_id
+}

modules/eks-ingress-controller/main.tf

@@ -0,0 +1,52 @@
+locals {
+  string_list_tags = join(",", [for key, value in var.tags : "${key}=${value}"])
+  template_vars    = merge(var.load_balancer_config, var.ingress_config, { "tags" = local.string_list_tags })
+}
+
+resource "helm_release" "nginx_ingress_contoller" {
+  name             = "nginx-ingress-controller"
+  repository       = "https://kubernetes.github.io/ingress-nginx"
+  chart            = "ingress-nginx"
+  version          = "4.0.18"
+  namespace        = var.namespace
+  create_namespace = var.create_namespace
+
+  values = [
+    "${templatefile("values.yaml", local.template_vars)}"
+  ]
+
+  set {
+    name  = "controller.ingressClass"
+    value = var.ingress_class
+  }
+
+  set {
+    name  = "controller.service.internal.enabled"
+    value = var.enable_internal_lb
+  }
+
+  set {
+    name  = "controller.ingressClassResource.default"
+    value = var.is_default_ingress_class
+  }
+}
+
+resource "aws_route53_record" "public" {
+  zone_id = var.public_dns_record.zone_id
+  name    = var.public_dns_record.name
+  type    = "CNAME"
+  ttl     = "60"
+  records = [
+    data.aws_lb.public.dns_name
+  ]
+}
+
+resource "aws_route53_record" "internal" {
+  zone_id = var.internal_dns_record.zone_id
+  name    = var.internal_dns_record.name
+  type    = "CNAME"
+  ttl     = "60"
+  records = [
+    data.aws_lb.internal.dns_name
+  ]
+}

modules/eks-ingress-controller/outputs.tf

@@ -0,0 +1,9 @@
+output "public_ingress_load_balancer" {
+  description = "The internet facing Load Balancer object created by the ingress controller deployment"
+  value       = data.aws_lb.public
+}
+
+output "internal_ingress_load_balancer" {
+  description = "The internal Load Balancer object created by the ingress controller deployment"
+  value       = data.aws_lb.internal
+}

modules/eks-ingress-controller/provider.tf

@@ -0,0 +1,7 @@
+provider "helm" {
+  kubernetes {
+    host                   = var.cluster_endpoint
+    cluster_ca_certificate = base64decode(var.cluster_certificate_authority_data)
+    token                  = data.aws_eks_cluster_auth.self.token
+  }
+}

modules/eks-ingress-controller/values.yaml

@@ -0,0 +1,39 @@
+---
+controller:
+  config:
+    use-proxy-protocol: ${use-proxy-protocol}
+    proxy-real-ip-cidr: ${proxy-real-ip-cidr}
+    use-forwarded-headers: ${use-forwarded-headers}
+    compute-full-forwarded-for: ${compute-full-forwarded-for}
+  service:
+    annotations:
+      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ${public.backend-protocol}
+      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '${public.connection-idle-timeout}'
+      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: '${public.cross-zone-load-balancing-enabled}'
+      service.beta.kubernetes.io/aws-load-balancer-type: ${public.type}
+      service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "scheme=internet-facing,${tags}"
+      service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "${public.proxy-protocol}"
+      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "${public.nlb-target-type}"
+      service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
+    internal:
+      annotations:
+        service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ${internal.backend-protocol}
+        service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '${internal.connection-idle-timeout}'
+        service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: '${internal.cross-zone-load-balancing-enabled}'
+        service.beta.kubernetes.io/aws-load-balancer-type: ${internal.type}
+        service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "scheme=internal,${tags}"
+        service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "${internal.proxy-protocol}"
+        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "${public.nlb-target-type}"
+        service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
+        service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=false
+
+#  metrics:
+#    enabled: true
+#    serviceMonitor:
+#      enabled: true
+#      additionalLabels:
+#        release: prometheus-community
+#      namespaceSelector:
+#        any: true
+...

modules/eks-ingress-controller/variables.tf

@@ -0,0 +1,101 @@
+variable "load_balancer_config" {
+  type = map(object({
+    backend-protocol                  = string
+    connection-idle-timeout           = string
+    cross-zone-load-balancing-enabled = bool
+    type                              = string
+    dns_record                        = string
+    proxy-protocol                    = string
+    nlb-target-type                   = string
+  }))
+  description = "The AWS Load Balancer(s) configuration. Map keys shall be 'public' and/or 'internal'"
+}
+
+variable "ingress_config" {
+  type = object({
+    use-proxy-protocol         = bool
+    proxy-real-ip-cidr         = string
+    use-forwarded-headers      = bool
+    compute-full-forwarded-for = bool
+  })
+  description = "Ingress level configuration"
+  default = {
+    use-proxy-protocol         = false
+    proxy-real-ip-cidr         = "0.0.0.0/0"
+    use-forwarded-headers      = false
+    compute-full-forwarded-for = false
+  }
+}
+
+variable "cluster_id" {
+  type        = string
+  description = "The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready"
+}
+
+variable "cluster_endpoint" {
+  type        = string
+  description = "Endpoint for your Kubernetes API server"
+}
+
+variable "cluster_certificate_authority_data" {
+  type        = string
+  description = "Base64 encoded certificate data required to communicate with the cluster"
+}
+
+variable "ingress_class" {
+  type        = string
+  default     = "nginx"
+  description = "A class for the Ingress controller"
+}
+
+variable "is_default_ingress_class" {
+  type        = bool
+  description = "Flag allowing to define this ingress controller ingress class as the default one"
+  default     = true
+}
+
+variable "enable_internal_lb" {
+  type    = bool
+  default = false
+}
+
+variable "namespace" {
+  type        = string
+  description = "The namespace where the ingress controller is deployed"
+  default     = "nginx-ingress"
+}
+
+variable "create_namespace" {
+  type        = bool
+  description = "Flag allowing to create the namespace if it does not exists"
+  default     = true
+}
+
+variable "public_dns_record" {
+  type = object({
+    zone_id = string
+    name    = string
+  })
+  default = {
+    zone_id = ""
+    name    = ""
+  }
+  description = "Public DNS zone and record name where to register the ingress load balancer"
+}
+
+variable "internal_dns_record" {
+  type = object({
+    zone_id = string
+    name    = string
+  })
+  default = {
+    zone_id = ""
+    name    = ""
+  }
+  description = "Private DNS zone and record name where to register the ingress load balancer"
+}
+
+variable "tags" {
+  type    = map(string)
+  default = {}
+}

modules/eks-ingress-controller/versions.tf

@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    helm = {
+      source  = "hashicorp/helm"
+      version = "2.4.1"
+    }
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.4.0"
+    }
+  }
+}