diff --git a/infra/config.hcl b/infra/config.hcl index fc6f287..2b97ada 100644 --- a/infra/config.hcl +++ b/infra/config.hcl @@ -42,30 +42,6 @@ locals { } } - /* - ⋮ 22 │ eks_cluster_security_group_additional_rules = { - ⋮ 23 │ egress_nodes_ephemeral_ports_tcp = { - ⋮ 24 │ description = "Nginx validation webhook" - ⋮ 25 │ protocol = "tcp" - ⋮ 26 │ from_port = 8443 - ⋮ 27 │ to_port = 8443 - ⋮ 28 │ type = "egress" - ⋮ 29 │ source_node_security_group = true - ⋮ 30 │ } - ⋮ 31 │ } - ⋮ 32 │ - 22 ⋮ 33 │ eks_node_security_group_additional_rules = { - ⋮ 34 │ ingress_cluster_api_validation_webhooks = { - ⋮ 35 │ description = "Control Plane to validation nginx webhook" - ⋮ 36 │ protocol = "tcp" - ⋮ 37 │ from_port = 8443 - ⋮ 38 │ to_port = 8443 - ⋮ 39 │ type = "ingress" - ⋮ 40 │ source_cluster_security_group = true - ⋮ 41 │ } - - */ - eks_cluster_security_group_additional_rules = { egress_nodes_ephemeral_ports_tcp = { description = "Validation webhooks" @@ -150,6 +126,7 @@ locals { type = "nlb" proxy-protocol = "" nlb-target-type = "" + eip-allocations = "" } internal = { dns_record = "*" @@ -159,6 +136,18 @@ locals { type = "nlb" proxy-protocol = "" nlb-target-type = "" + eip-allocations = "" + } + } + } + + elastic_ips = { + "eks_public_nlb" = { + count = length(local.azs) + vpc = true + tags = { + cluster = local.eks_cluster_name + usage = "eks_public_nlb" } } } diff --git a/infra/eks-cert-manager/.terraform.lock.hcl b/infra/eks-cert-manager/.terraform.lock.hcl new file mode 100644 index 0000000..299aeb7 --- /dev/null +++ b/infra/eks-cert-manager/.terraform.lock.hcl 
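Review bot: `count = length(local.azs)` in the new `elastic_ips` entry ties the number of EIPs to the number of AZs, but the annotation these allocations end up in (`aws-load-balancer-eip-allocations`) requires exactly one allocation per subnet the NLB is attached to, so the value is only right while the controller's public subnets map one-to-one onto `local.azs`; a comment such as `# one EIP per public subnet: the NLB rejects a mismatched allocation count` would record that coupling. These addresses become the cluster's fixed internet-facing entry points, so the `cluster`/`usage` tags are presumably what inventories and allow-lists will key on — confirm `usage` is meant to equal the map key (`eks_public_nlb`) that the ingress-controller stack looks up, since the two are typed independently.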
@@ -0,0 +1,40 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "4.4.0" + constraints = "~> 4.4.0" + hashes = [ + "h1:xUXge6/Bn/CzSjZpmQIr7/FwANKj+3cIEnxYlgS1xFo=", + "zh:087e8e1b9c3d2c9d547181aa88f75fd42d9800eea6d37c0276b1208c427113ff", + "zh:25c3deac14f06a7da5d4d8b56dd5e25a24b5c3bb6bb7a585145d7df1a6e5bc3f", + "zh:5bd23fc03cd51eca3f1e4e4414624dcc4f075eca5cf5aabf06b54b4edded5c50", + "zh:8399507975a422a84b93b24c07db34cc9342f54aa693eace1b451c6b1ab54b87", + "zh:9618bed0832433fee57579d4a001479b08e2092d0c08539edb897f57f6ea0114", + "zh:b0b9060bc367c5fb6175c7ae59382fd6107ab0c0bad6e40cd3205127d8e6717d", + "zh:b160122057659cceb72f78a86483f71d59742502dad23b770dc4248b8e94edd4", + "zh:cb927f4622ef9bf439b867aef760c948839e1cec2ddb8bdba7abfc5183124360", + "zh:e37ce5054a5838eda190f286a62eeb7146087863e38b1a205aa0eb12a5e765b9", + "zh:e38856fd703b2f6e08a35cbe5ddab9a734c9608d2372411bfa6ef1b05ffeb758", + "zh:f342e638d9672d969ed3946b9f0650cf327690b35e0812b2ddae97bd32c2d946", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "2.4.1" + constraints = "2.4.1" + hashes = [ + "h1:Gqwrr+yKWR79esN39X9eRCddxMNapmaGMynLfjrUJJo=", + "zh:07517b24ea2ce4a1d3be3b88c3efc7fb452cd97aea8fac93ca37a08a8ec06e14", + "zh:11ef6118ed03a1b40ff66adfe21b8707ece0568dae1347ddfbcff8452c0655d5", + "zh:1ae07e9cc6b088a6a68421642c05e2fa7d00ed03e9401e78c258cf22a239f526", + "zh:1c5b4cd44033a0d7bf7546df930c55aa41db27b70b3bca6d145faf9b9a2da772", + "zh:256413132110ddcb0c3ea17c7b01123ad2d5b70565848a77c5ccc22a3f32b0dd", + "zh:4ab46fd9aadddef26604382bc9b49100586647e63ef6384e0c0c3f010ff2f66e", + "zh:5a35d23a9f08c36fceda3cef7ce2c7dc5eca32e5f36494de695e09a5007122f0", + "zh:8e9823a1e5b985b63fe283b755a821e5011a58112447d42fb969c7258ed57ed3", + "zh:8f79722eba9bf77d341edf48a1fd51a52d93ec31d9cac9ba8498a3a061ea4a7f", + "zh:b2ea782848b10a343f586ba8ee0cf4d7ff65aa2d4b144eea5bbd8f9801b54c67", + 
"zh:e72d1ccf8a75d8e8456c6bb4d843fd4deb0e962ad8f167fa84cf17f12c12304e", + ] +} diff --git a/infra/eks-cert-manager/terragrunt.hcl b/infra/eks-cert-manager/terragrunt.hcl new file mode 100644 index 0000000..8e485dc --- /dev/null +++ b/infra/eks-cert-manager/terragrunt.hcl @@ -0,0 +1,32 @@ +include "root" { + path = find_in_parent_folders() +} + +terraform { + source = "${get_repo_root()}//modules/eks-cert-manager" +} + +dependency "eks" { + config_path = "../eks" + + mock_outputs_allowed_terraform_commands = ["validate", "plan"] + mock_outputs = { + cluster_id = "fake-cluster-id" + cluster_endpoint = "https://fake-cluster-endpoint.eks.amazonaws.com" + cluster_certificate_authority_data = "ZmFrZS1jYS1jZXJ0LWRhdGE=" + } +} + +locals { + config_vars = read_terragrunt_config(find_in_parent_folders("config.hcl")) +} + +generate = local.config_vars.generate + +inputs = { + cluster_id = dependency.eks.outputs.cluster_id + cluster_endpoint = dependency.eks.outputs.cluster_endpoint + cluster_certificate_authority_data = dependency.eks.outputs.cluster_certificate_authority_data + namespace = "cert-manager" + create_namespace = "true" +} diff --git a/infra/eks-external-secrets/.terraform.lock.hcl b/infra/eks-external-secrets/.terraform.lock.hcl new file mode 100644 index 0000000..512d176 --- /dev/null +++ b/infra/eks-external-secrets/.terraform.lock.hcl 
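Review bot: `create_namespace = "true"` passes a string to a variable the module declares as `bool`; Terraform's implicit conversion accepts it, but writing `create_namespace = true` keeps the input typed and matches how the sibling external-secrets module treats the same flag. The mock `cluster_certificate_authority_data` is only used for `validate`/`plan`, which is the right scope for a fake CA.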
@@ -0,0 +1,60 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "4.4.0" + constraints = "~> 4.4.0" + hashes = [ + "h1:xUXge6/Bn/CzSjZpmQIr7/FwANKj+3cIEnxYlgS1xFo=", + "zh:087e8e1b9c3d2c9d547181aa88f75fd42d9800eea6d37c0276b1208c427113ff", + "zh:25c3deac14f06a7da5d4d8b56dd5e25a24b5c3bb6bb7a585145d7df1a6e5bc3f", + "zh:5bd23fc03cd51eca3f1e4e4414624dcc4f075eca5cf5aabf06b54b4edded5c50", + "zh:8399507975a422a84b93b24c07db34cc9342f54aa693eace1b451c6b1ab54b87", + "zh:9618bed0832433fee57579d4a001479b08e2092d0c08539edb897f57f6ea0114", + "zh:b0b9060bc367c5fb6175c7ae59382fd6107ab0c0bad6e40cd3205127d8e6717d", + "zh:b160122057659cceb72f78a86483f71d59742502dad23b770dc4248b8e94edd4", + "zh:cb927f4622ef9bf439b867aef760c948839e1cec2ddb8bdba7abfc5183124360", + "zh:e37ce5054a5838eda190f286a62eeb7146087863e38b1a205aa0eb12a5e765b9", + "zh:e38856fd703b2f6e08a35cbe5ddab9a734c9608d2372411bfa6ef1b05ffeb758", + "zh:f342e638d9672d969ed3946b9f0650cf327690b35e0812b2ddae97bd32c2d946", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "2.4.1" + constraints = "2.4.1" + hashes = [ + "h1:Gqwrr+yKWR79esN39X9eRCddxMNapmaGMynLfjrUJJo=", + "zh:07517b24ea2ce4a1d3be3b88c3efc7fb452cd97aea8fac93ca37a08a8ec06e14", + "zh:11ef6118ed03a1b40ff66adfe21b8707ece0568dae1347ddfbcff8452c0655d5", + "zh:1ae07e9cc6b088a6a68421642c05e2fa7d00ed03e9401e78c258cf22a239f526", + "zh:1c5b4cd44033a0d7bf7546df930c55aa41db27b70b3bca6d145faf9b9a2da772", + "zh:256413132110ddcb0c3ea17c7b01123ad2d5b70565848a77c5ccc22a3f32b0dd", + "zh:4ab46fd9aadddef26604382bc9b49100586647e63ef6384e0c0c3f010ff2f66e", + "zh:5a35d23a9f08c36fceda3cef7ce2c7dc5eca32e5f36494de695e09a5007122f0", + "zh:8e9823a1e5b985b63fe283b755a821e5011a58112447d42fb969c7258ed57ed3", + "zh:8f79722eba9bf77d341edf48a1fd51a52d93ec31d9cac9ba8498a3a061ea4a7f", + "zh:b2ea782848b10a343f586ba8ee0cf4d7ff65aa2d4b144eea5bbd8f9801b54c67", + 
"zh:e72d1ccf8a75d8e8456c6bb4d843fd4deb0e962ad8f167fa84cf17f12c12304e", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.10.0" + constraints = "2.10.0" + hashes = [ + "h1:HGCh+b5R/yytVhuJoAMipLJb2wlTwNHlv3MiyHYBwzg=", + "zh:0b011e77f02bc05194062c0a39f321a4f1bea0bae61787b0c1f5808f6efb2a26", + "zh:288ad46e240c5d1218909a9100ca8bd2197c8615558bbe7b393ba35877d5e4f0", + "zh:3e5554791ed103b6190efebe332fd3722796e6a59cf081f87ef1debb4e0b6ae3", + "zh:98e42cb48624be7eb2e16b5d8fc5044d7207943b6d13905bc3d3c006aa231cc7", + "zh:b1c800fd3971051d9deb4824f933e506ae288458e425be8ea449c9d40c7b0663", + "zh:bca1802585ecbc36bfcc700b6fa7c6ff96b2b8c4aca23c58df939a5002a05b4d", + "zh:c2f6bf46cd95d00f2bb1634afff92eeb269d27d83eea80b8cfceca1afdcd3033", + "zh:d2ccfbf3a9bf2ede8be6242c023173efd85a882cd3956a941f140c5718047412", + "zh:da19cd4a124f4ffc092e19f5b7a10ac4cce98db40cf855ea0d4a682f3df83a1f", + "zh:e3a2020453a86f80ad2b3f792e91a35fe272b907485a59c02d19269a1bdfe2fd", + "zh:f0659ca86e0dc0dd76b7f4497db8e58144ee9f0943b6d14dc57193d25ee22ced", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/infra/eks-external-secrets/terragrunt.hcl b/infra/eks-external-secrets/terragrunt.hcl new file mode 100644 index 0000000..9be589d --- /dev/null +++ b/infra/eks-external-secrets/terragrunt.hcl 
@@ -0,0 +1,33 @@ +include "root" { + path = find_in_parent_folders() +} + +terraform { + source = "${get_repo_root()}//modules/eks-external-secrets" +} + +dependency "eks" { + config_path = "../eks" + + mock_outputs_allowed_terraform_commands = ["validate", "plan"] + mock_outputs = { + cluster_id = "fake-cluster-id" + cluster_endpoint = "https://fake-cluster-endpoint.eks.amazonaws.com" + cluster_certificate_authority_data = "ZmFrZS1jYS1jZXJ0LWRhdGE=" + } +} + +locals { + config_vars = read_terragrunt_config(find_in_parent_folders("config.hcl")) +} + +generate = local.config_vars.generate + +inputs = { + cluster_id = dependency.eks.outputs.cluster_id + cluster_endpoint = dependency.eks.outputs.cluster_endpoint + cluster_certificate_authority_data = dependency.eks.outputs.cluster_certificate_authority_data + + # Enable this only if kube-prometheus-stack is set-up on the cluster. + service_monitor = true +} diff --git a/infra/eks-kube-prometheus-stack/.terraform.lock.hcl b/infra/eks-kube-prometheus-stack/.terraform.lock.hcl new file mode 100644 index 0000000..299aeb7 --- /dev/null +++ b/infra/eks-kube-prometheus-stack/.terraform.lock.hcl 
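Review bot: `service_monitor = true` makes the external-secrets release create ServiceMonitor objects, whose CRD only exists after the kube-prometheus-stack unit has been applied, yet this unit declares no ordering with `../eks-kube-prometheus-stack`, so a `run-all apply` on a fresh environment can apply it first and fail. Add `dependencies { paths = ["../eks-kube-prometheus-stack"] }` next to the `eks` dependency so Terragrunt enforces the order; the inline comment then describes a constraint the graph guarantees rather than one the operator must remember.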
@@ -0,0 +1,40 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "4.4.0" + constraints = "~> 4.4.0" + hashes = [ + "h1:xUXge6/Bn/CzSjZpmQIr7/FwANKj+3cIEnxYlgS1xFo=", + "zh:087e8e1b9c3d2c9d547181aa88f75fd42d9800eea6d37c0276b1208c427113ff", + "zh:25c3deac14f06a7da5d4d8b56dd5e25a24b5c3bb6bb7a585145d7df1a6e5bc3f", + "zh:5bd23fc03cd51eca3f1e4e4414624dcc4f075eca5cf5aabf06b54b4edded5c50", + "zh:8399507975a422a84b93b24c07db34cc9342f54aa693eace1b451c6b1ab54b87", + "zh:9618bed0832433fee57579d4a001479b08e2092d0c08539edb897f57f6ea0114", + "zh:b0b9060bc367c5fb6175c7ae59382fd6107ab0c0bad6e40cd3205127d8e6717d", + "zh:b160122057659cceb72f78a86483f71d59742502dad23b770dc4248b8e94edd4", + "zh:cb927f4622ef9bf439b867aef760c948839e1cec2ddb8bdba7abfc5183124360", + "zh:e37ce5054a5838eda190f286a62eeb7146087863e38b1a205aa0eb12a5e765b9", + "zh:e38856fd703b2f6e08a35cbe5ddab9a734c9608d2372411bfa6ef1b05ffeb758", + "zh:f342e638d9672d969ed3946b9f0650cf327690b35e0812b2ddae97bd32c2d946", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "2.4.1" + constraints = "2.4.1" + hashes = [ + "h1:Gqwrr+yKWR79esN39X9eRCddxMNapmaGMynLfjrUJJo=", + "zh:07517b24ea2ce4a1d3be3b88c3efc7fb452cd97aea8fac93ca37a08a8ec06e14", + "zh:11ef6118ed03a1b40ff66adfe21b8707ece0568dae1347ddfbcff8452c0655d5", + "zh:1ae07e9cc6b088a6a68421642c05e2fa7d00ed03e9401e78c258cf22a239f526", + "zh:1c5b4cd44033a0d7bf7546df930c55aa41db27b70b3bca6d145faf9b9a2da772", + "zh:256413132110ddcb0c3ea17c7b01123ad2d5b70565848a77c5ccc22a3f32b0dd", + "zh:4ab46fd9aadddef26604382bc9b49100586647e63ef6384e0c0c3f010ff2f66e", + "zh:5a35d23a9f08c36fceda3cef7ce2c7dc5eca32e5f36494de695e09a5007122f0", + "zh:8e9823a1e5b985b63fe283b755a821e5011a58112447d42fb969c7258ed57ed3", + "zh:8f79722eba9bf77d341edf48a1fd51a52d93ec31d9cac9ba8498a3a061ea4a7f", + "zh:b2ea782848b10a343f586ba8ee0cf4d7ff65aa2d4b144eea5bbd8f9801b54c67", + 
"zh:e72d1ccf8a75d8e8456c6bb4d843fd4deb0e962ad8f167fa84cf17f12c12304e", + ] +} diff --git a/infra/eks-kube-prometheus-stack/terragrunt.hcl b/infra/eks-kube-prometheus-stack/terragrunt.hcl new file mode 100644 index 0000000..604f4df --- /dev/null +++ b/infra/eks-kube-prometheus-stack/terragrunt.hcl @@ -0,0 +1,43 @@ +include "root" { + path = find_in_parent_folders() +} + +terraform { + source = "${get_repo_root()}//modules/eks-kube-prometheus-stack" +} + +dependency "eks" { + config_path = "../eks" + + # Configure mock outputs for the `validate` and `plan` commands that are returned when there are no outputs available + # (e.g the module hasn't been applied yet) + mock_outputs_allowed_terraform_commands = ["validate", "plan"] + mock_outputs = { + cluster_id = "fake-cluster-id" + cluster_endpoint = "https://fake-cluster-endpoint.eks.amazonaws.com" + cluster_certificate_authority_data = "ZmFrZS1jYS1jZXJ0LWRhdGE=" + } +} + +dependency "private_dns" { + config_path = "../dns-private" + + mock_outputs_allowed_terraform_commands = ["validate", "plan"] + mock_outputs = { + dns_zone = { + name = "fake.zone.com" + zone_id = "ZXXXXXXXXXXXXXXXXXXX" + } + } +} + +locals { + config_vars = read_terragrunt_config(find_in_parent_folders("config.hcl")) +} + +inputs = { + cluster_id = dependency.eks.outputs.cluster_id + cluster_endpoint = dependency.eks.outputs.cluster_endpoint + cluster_certificate_authority_data = dependency.eks.outputs.cluster_certificate_authority_data + domain = dependency.private_dns.outputs.dns_zone.name +} diff --git a/infra/eks/terragrunt.hcl b/infra/eks/terragrunt.hcl index c11dbc4..bc8590f 100644 --- a/infra/eks/terragrunt.hcl +++ b/infra/eks/terragrunt.hcl 
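Review bot: `local.config_vars` is read but never used in this unit — unlike infra/eks-cert-manager, infra/eks-external-secrets and infra/elastic-ips in this same commit, there is no `generate = local.config_vars.generate`, so whatever those stacks generate from the shared config (presumably provider/backend files) is missing here. Either add `generate = local.config_vars.generate` after the `locals` block or drop the unused local so the difference is deliberate rather than an oversight.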
@@ -35,7 +35,7 @@ inputs = { eks_managed_node_groups = local.config_vars.locals.node_groups # Extend node-to-node security group rules - node_security_group_additional_rules = local.config_vars.locals.eks_node_security_group_additional_rules + node_security_group_additional_rules = local.config_vars.locals.eks_node_security_group_additional_rules cluster_security_group_additional_rules = local.config_vars.locals.eks_cluster_security_group_additional_rules create_cloudwatch_log_group = false diff --git a/infra/elastic-ips/.terraform.lock.hcl b/infra/elastic-ips/.terraform.lock.hcl new file mode 100644 index 0000000..2bdcf45 --- /dev/null +++ b/infra/elastic-ips/.terraform.lock.hcl @@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "4.4.0" + constraints = "~> 4.4.0" + hashes = [ + "h1:xUXge6/Bn/CzSjZpmQIr7/FwANKj+3cIEnxYlgS1xFo=", + "zh:087e8e1b9c3d2c9d547181aa88f75fd42d9800eea6d37c0276b1208c427113ff", + "zh:25c3deac14f06a7da5d4d8b56dd5e25a24b5c3bb6bb7a585145d7df1a6e5bc3f", + "zh:5bd23fc03cd51eca3f1e4e4414624dcc4f075eca5cf5aabf06b54b4edded5c50", + "zh:8399507975a422a84b93b24c07db34cc9342f54aa693eace1b451c6b1ab54b87", + "zh:9618bed0832433fee57579d4a001479b08e2092d0c08539edb897f57f6ea0114", + "zh:b0b9060bc367c5fb6175c7ae59382fd6107ab0c0bad6e40cd3205127d8e6717d", + "zh:b160122057659cceb72f78a86483f71d59742502dad23b770dc4248b8e94edd4", + "zh:cb927f4622ef9bf439b867aef760c948839e1cec2ddb8bdba7abfc5183124360", + "zh:e37ce5054a5838eda190f286a62eeb7146087863e38b1a205aa0eb12a5e765b9", + "zh:e38856fd703b2f6e08a35cbe5ddab9a734c9608d2372411bfa6ef1b05ffeb758", + "zh:f342e638d9672d969ed3946b9f0650cf327690b35e0812b2ddae97bd32c2d946", + ] +} diff --git a/infra/elastic-ips/terragrunt.hcl b/infra/elastic-ips/terragrunt.hcl new file mode 100644 index 0000000..563776d --- /dev/null +++ b/infra/elastic-ips/terragrunt.hcl 
@@ -0,0 +1,17 @@ +include "root" { + path = find_in_parent_folders() +} + +terraform { + source = "${get_repo_root()}//modules/eip-set" +} + +locals { + config_vars = read_terragrunt_config(find_in_parent_folders("config.hcl")) +} + +generate = local.config_vars.generate + +inputs = { + eips = local.config_vars.locals.elastic_ips +} diff --git a/infra/ingress-controller/terragrunt.hcl b/infra/ingress-controller/terragrunt.hcl index 24ad918..7d15d1d 100644 --- a/infra/ingress-controller/terragrunt.hcl +++ b/infra/ingress-controller/terragrunt.hcl @@ -63,6 +63,22 @@ dependency "private_dns" { } } +dependency "eips" { + config_path = "../elastic-ips" + + mock_outputs_allowed_terraform_commands = ["validate", "plan"] + mock_outputs = { + eip_groups = { + eks_public_nlb = { + eips = [ + { allocation_id = "eipalloc-xxxxxxxxxxxxxxxxx" }, + { allocation_id = "eipalloc-yyyyyyyyyyyyyyyyy" } + ] + } + } + } +} + locals { config_vars = read_terragrunt_config(find_in_parent_folders("config.hcl")) @@ -72,17 +88,17 @@ locals { lb_config_public = merge( local.eks_ingress_controller.load_balancer_config.public, { - type = "external" - proxy-protocol = "*" - nlb-target-type = "instance" + type = "external" + enable-proxy-protocol = true + nlb-target-type = "instance" } ) lb_config_internal = merge( local.eks_ingress_controller.load_balancer_config.internal, { - type = "external" - proxy-protocol = "*" - nlb-target-type = "instance" + type = "external" + enable-proxy-protocol = true + nlb-target-type = "instance" } ) } 
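Review bot: `enable-proxy-protocol = true` switches PROXY protocol on for both NLBs, which only yields correct client addresses if the controller itself is configured to parse the header (`use-proxy-protocol`), a setting not visible in the shown part of modules/eks-ingress-controller/values.yaml — confirm it is set, otherwise every connection is rejected or misread. Because the same template also passes `use-forwarded-headers` and `proxy-real-ip-cidr`, the client IP the controller reports is only trustworthy for IP-based controls (`whitelist-source-range`, access logs) when `proxy-real-ip-cidr` is restricted to the load balancer's address range; a comment beside these two lines stating that dependency would help the next reader. The `locals` block continues outside the hunk.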
@@ -105,6 +121,13 @@ inputs = {
 load_balancer_config = {
 public = local.lb_config_public,
 internal = local.lb_config_internal,
+ public = merge(local.lb_config_public, {
+ "eip-allocations" = join(", ", dependency.eips.outputs.eip_groups.eks_public_nlb.eips.*.allocation_id),
+ "name" = "${dependency.eks.outputs.cluster_id}-public"
+ })
+ internal = merge(local.lb_config_internal, {
+ "name" = "${dependency.eks.outputs.cluster_id}-internal"
+ })
 }
 
 enable_internal_lb = local.eks_ingress_controller.enable_internal_lb
diff --git a/modules/eip-set/main.tf b/modules/eip-set/main.tf
new file mode 100644
index 0000000..d2eea9c
--- /dev/null
+++ b/modules/eip-set/main.tf
@@ -0,0 +1,8 @@
+module "eip" {
+ source = "../eip"
+ for_each = var.eips
+
+ eip_count = each.value.count
+ vpc = each.value.vpc
+ tags = each.value.tags
+}
diff --git a/modules/eip-set/outputs.tf b/modules/eip-set/outputs.tf
new file mode 100644
index 0000000..fac98da
--- /dev/null
+++ b/modules/eip-set/outputs.tf
@@ -0,0 +1,3 @@
+output "eip_groups" {
+ value = module.eip
+}
diff --git a/modules/eip-set/variables.tf b/modules/eip-set/variables.tf
new file mode 100644
index 0000000..d280d07
--- /dev/null
+++ b/modules/eip-set/variables.tf
@@ -0,0 +1,8 @@
+variable "eips" {
+ description = "a map of elastic ip objects"
+ type = map(object({
+ vpc = bool
+ count = number
+ tags = map(string)
+ }))
+}
diff --git a/modules/eip-set/versions.tf b/modules/eip-set/versions.tf
new file mode 100644
index 0000000..1360496
--- /dev/null
+++ b/modules/eip-set/versions.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.4.0"
+ }
+ }
+}
diff --git a/modules/eip/main.tf b/modules/eip/main.tf
new file mode 100644
index 0000000..c75ca53
--- /dev/null
+++ b/modules/eip/main.tf
@@ -0,0 +1,6 @@
+resource "aws_eip" "self" {
+ count = var.eip_count
+
+ vpc = var.vpc
+ tags = var.tags
+}
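Review bot: `public = merge(...)` and `internal = merge(...)` are added while the context lines `public = local.lb_config_public,` and `internal = local.lb_config_internal,` stay in place, so `load_balancer_config` now defines each key twice; HCL object constructors reject duplicate keys, so this is expected to fail at plan rather than override — delete the two old lines. Two smaller points in the same hunk: `join(", ", ...)` emits a space after each comma and it is not certain the consumer of `aws-load-balancer-eip-allocations` trims it, so `join(",", ...)` is the safer form; and `"${dependency.eks.outputs.cluster_id}-internal"` becomes the load balancer name, which AWS limits to 32 characters, so long cluster ids will be rejected at reconcile time. `inputs` continues outside the hunk.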
diff --git a/modules/eip/outputs.tf b/modules/eip/outputs.tf
new file mode 100644
index 0000000..b86b036
--- /dev/null
+++ b/modules/eip/outputs.tf
@@ -0,0 +1,3 @@
+output "eips" {
+ value = aws_eip.self.*
+}
diff --git a/modules/eip/variables.tf b/modules/eip/variables.tf
new file mode 100644
index 0000000..7703c5b
--- /dev/null
+++ b/modules/eip/variables.tf
@@ -0,0 +1,12 @@
+variable "vpc" {
+ type = bool
+ description = "Boolean if the EIP is in a VPC or not"
+}
+variable "eip_count" {
+ type = number
+ description = "The number of elastic ip to create"
+}
+variable "tags" {
+ type = map(string)
+ description = "The tags to set on the eip"
+}
diff --git a/modules/eks-cert-manager/data.tf b/modules/eks-cert-manager/data.tf
new file mode 100644
index 0000000..e3cc1be
--- /dev/null
+++ b/modules/eks-cert-manager/data.tf
@@ -0,0 +1,3 @@
+data "aws_eks_cluster_auth" "self" {
+ name = var.cluster_id
+}
diff --git a/modules/eks-cert-manager/main.tf b/modules/eks-cert-manager/main.tf
new file mode 100644
index 0000000..3a38e79
--- /dev/null
+++ b/modules/eks-cert-manager/main.tf
@@ -0,0 +1,13 @@
+resource "helm_release" "cert_manager" {
+ name = "cert-manager"
+ repository = "https://charts.jetstack.io"
+ chart = "cert-manager"
+ version = "1.8.0"
+ namespace = var.namespace
+ create_namespace = var.create_namespace
+
+ set {
+ name = "installCRDs"
+ value = true
+ }
+}
diff --git a/modules/eks-cert-manager/provider.tf b/modules/eks-cert-manager/provider.tf
new file mode 100644
index 0000000..3dd1f2c
--- /dev/null
+++ b/modules/eks-cert-manager/provider.tf
@@ -0,0 +1,7 @@
+provider "helm" {
+ kubernetes {
+ host = var.cluster_endpoint
+ cluster_ca_certificate = base64decode(var.cluster_certificate_authority_data)
+ token = data.aws_eks_cluster_auth.self.token
+ }
+}
diff --git a/modules/eks-cert-manager/variables.tf b/modules/eks-cert-manager/variables.tf
new file mode 100644
index 0000000..2c6ddc9
--- /dev/null
+++ b/modules/eks-cert-manager/variables.tf
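Review bot: `value = aws_eip.self.*` uses the legacy attribute-only splat with no attribute after it, which is valid but reads like a truncated expression; `value = aws_eip.self[*]` is the current form and makes it explicit that the whole resource objects are exported. Since the ingress-controller stack only reads `.allocation_id` from this output, a one-line `description` on the output saying that dependents are expected to select the attributes they need would clarify the contract.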
@@ -0,0 +1,24 @@ +variable "cluster_id" { + type = string + description = "The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready" +} + +variable "cluster_endpoint" { + type = string + description = "Endpoint for your Kubernetes API server" +} + +variable "cluster_certificate_authority_data" { + type = string + description = "Base64 encoded certificate data required to communicate with the cluster" +} + +variable "namespace" { + type = string + description = "The namespace where cert-manager is deployed" +} + +variable "create_namespace" { + type = bool + description = "Flag allowing to create the namespace if it does not exists" +} diff --git a/modules/eks-cert-manager/versions.tf b/modules/eks-cert-manager/versions.tf new file mode 100644 index 0000000..bd5f11b --- /dev/null +++ b/modules/eks-cert-manager/versions.tf @@ -0,0 +1,12 @@ +terraform { + required_providers { + helm = { + source = "hashicorp/helm" + version = "2.4.1" + } + aws = { + source = "hashicorp/aws" + version = "~> 4.4.0" + } + } +} diff --git a/modules/eks-external-secrets/data.tf b/modules/eks-external-secrets/data.tf new file mode 100644 index 0000000..e3cc1be --- /dev/null +++ b/modules/eks-external-secrets/data.tf @@ -0,0 +1,3 @@ +data "aws_eks_cluster_auth" "self" { + name = var.cluster_id +} diff --git a/modules/eks-external-secrets/main.tf b/modules/eks-external-secrets/main.tf new file mode 100644 index 0000000..a15d234 --- /dev/null +++ b/modules/eks-external-secrets/main.tf 
@@ -0,0 +1,53 @@ +resource "helm_release" "external_secrets" { + name = "external-secrets" + repository = "https://charts.external-secrets.io" + chart = "external-secrets" + version = "0.5.2" + namespace = var.namespace + create_namespace = var.create_namespace + + set { + name = "installCRDs" + value = true + } + + set { + name = "webhook.create" + value = true + } + + set { + name = "certController.create" + value = true + } + + set { + name = "webhook.serviceMonitor.enabled" + value = var.service_monitor + } + + set { + name = "webhook.serviceMonitor.additionalLabels.release" + value = "prometheus-community" + } + + set { + name = "serviceMonitor.enabled" + value = var.service_monitor + } + + set { + name = "serviceMonitor.additionalLabels.release" + value = "prometheus-community" + } + + set { + name = "certController.serviceMonitor.enabled" + value = var.service_monitor + } + + set { + name = "certController.serviceMonitor.additionalLabels.release" + value = "prometheus-community" + } +} diff --git a/modules/eks-external-secrets/provider.tf b/modules/eks-external-secrets/provider.tf new file mode 100644 index 0000000..ae0070a --- /dev/null +++ b/modules/eks-external-secrets/provider.tf @@ -0,0 +1,16 @@ +provider "helm" { + kubernetes { + host = var.cluster_endpoint + cluster_ca_certificate = base64decode(var.cluster_certificate_authority_data) + token = data.aws_eks_cluster_auth.self.token + } +} + +provider "kubernetes" { + host = var.cluster_endpoint + cluster_ca_certificate = base64decode(var.cluster_certificate_authority_data) + token = data.aws_eks_cluster_auth.self.token + experiments { + manifest_resource = true + } +} diff --git a/modules/eks-external-secrets/variables.tf b/modules/eks-external-secrets/variables.tf new file mode 100644 index 0000000..013e62d --- /dev/null +++ b/modules/eks-external-secrets/variables.tf 
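Review bot: the `release` label value `prometheus-community` is hard-coded three times in this resource and must equal the Helm release name of the Prometheus operator, which the new modules/eks-kube-prometheus-stack module exposes as `var.prom_operator_release_name` with the same default; if the two ever diverge the ServiceMonitors are silently never selected. Introduce a variable (e.g. `prometheus_release_label`, default `"prometheus-community"`) and use it in the three `additionalLabels.release` blocks, with a comment noting it must match the operator's release name. The labels are also set when `var.service_monitor` is false, which is harmless but worth a short comment so nobody "fixes" it.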
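Review bot: the `kubernetes` provider block in provider.tf, including `experiments { manifest_resource = true }`, is not referenced by any `kubernetes_*` resource in the files shown for modules/eks-external-secrets; if nothing else in the module uses it, drop it together with the `kubernetes` entry in versions.tf, since every provider that holds a cluster token is one more credential-bearing client to keep in review. If it is needed, a one-line comment naming the resource that depends on it would spare the next reader the search.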
@@ -0,0 +1,32 @@ +variable "cluster_id" { + type = string + description = "The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready" +} + +variable "cluster_endpoint" { + type = string + description = "Endpoint for your Kubernetes API server" +} + +variable "cluster_certificate_authority_data" { + type = string + description = "Base64 encoded certificate data required to communicate with the cluster" +} + +variable "namespace" { + default = "external-secrets" + type = string + description = "The name of the namespace where the operator will be deployed" +} + +variable "create_namespace" { + default = true + type = bool + description = "If true, the namespace is create if it does not exists" +} + +variable "service_monitor" { + type = bool + default = false + description = "If true, the ServiceMonitor is created for the monitoring based on Prometheus operator" +} diff --git a/modules/eks-external-secrets/versions.tf b/modules/eks-external-secrets/versions.tf new file mode 100644 index 0000000..5e6caee --- /dev/null +++ b/modules/eks-external-secrets/versions.tf @@ -0,0 +1,16 @@ +terraform { + required_providers { + helm = { + source = "hashicorp/helm" + version = "2.4.1" + } + aws = { + source = "hashicorp/aws" + version = "~> 4.4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = "2.10.0" + } + } +} diff --git a/modules/eks-ingress-controller/values.yaml b/modules/eks-ingress-controller/values.yaml index b634ea2..5d38f6a 100644 --- a/modules/eks-ingress-controller/values.yaml +++ b/modules/eks-ingress-controller/values.yaml @@ -5,6 +5,7 @@ controller: proxy-real-ip-cidr: ${proxy-real-ip-cidr} use-forwarded-headers: ${use-forwarded-headers} compute-full-forwarded-for: ${compute-full-forwarded-for} + service: annotations: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ${public.backend-protocol} 
@@ -12,9 +13,15 @@ controller: service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: '${public.cross-zone-load-balancing-enabled}' service.beta.kubernetes.io/aws-load-balancer-type: ${public.type} service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "scheme=internet-facing,${tags}" - service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "${public.proxy-protocol}" + %{~ if public.enable-proxy-protocol ~} + service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*" + %{~ endif ~} service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "${public.nlb-target-type}" service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing" + %{~ if public.eip-allocations != "" ~} + service.beta.kubernetes.io/aws-load-balancer-eip-allocations: ${public.eip-allocations} + %{~ endif ~} + service.beta.kubernetes.io/aws-load-balancer-name: "${public.name}" internal: annotations: service.beta.kubernetes.io/aws-load-balancer-internal: "true" 
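Review bot: `%{~ if public.enable-proxy-protocol ~}` and `%{~ endif ~}` strip whitespace on both sides, which removes the newline and indentation before the directive and the newline and indentation after it, so the rendered YAML is expected to end up with the `aws-load-balancer-proxy-protocol` annotation (and the following `nlb-target-type` line) glued onto the preceding line; the same applies to the `eip-allocations` block in this hunk and to the `internal` block in the next hunk. The usual form strips only on the right, `%{ if public.enable-proxy-protocol ~}` / `%{ endif ~}`, which keeps each annotation on its own indented line; please check the rendered template in a plan output before relying on it.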
@@ -23,17 +30,20 @@ controller: service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: '${internal.cross-zone-load-balancing-enabled}' service.beta.kubernetes.io/aws-load-balancer-type: ${internal.type} service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "scheme=internal,${tags}" - service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "${internal.proxy-protocol}" + %{~ if internal.enable-proxy-protocol ~} + service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*" + %{~ endif ~} service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "${public.nlb-target-type}" service.beta.kubernetes.io/aws-load-balancer-scheme: "internal" service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=false + service.beta.kubernetes.io/aws-load-balancer-name: "${internal.name}" -# metrics: -# enabled: true -# serviceMonitor: -# enabled: true -# additionalLabels: -# release: prometheus-community -# namespaceSelector: -# any: true + metrics: + enabled: true + serviceMonitor: + enabled: true + additionalLabels: + release: prometheus-community + namespaceSelector: + any: true ... diff --git a/modules/eks-ingress-controller/variables.tf b/modules/eks-ingress-controller/variables.tf index fc3b9dd..e783969 100644 --- a/modules/eks-ingress-controller/variables.tf +++ b/modules/eks-ingress-controller/variables.tf @@ -5,8 +5,10 @@ variable "load_balancer_config" { cross-zone-load-balancing-enabled = bool type = string dns_record = string - proxy-protocol = string + enable-proxy-protocol = bool nlb-target-type = string + eip-allocations = string + name = string })) description = "The AWS Load Balancer(s) configuration. Map keys shall be 'public' and/or 'internal'" } @@ -98,4 +100,4 @@ variable "internal_dns_record" { variable "tags" { type = map(string) default = {} -} \ No newline at end of file +} 
diff --git a/modules/eks-kube-prometheus-stack/data.tf b/modules/eks-kube-prometheus-stack/data.tf
new file mode 100644
index 0000000..e3cc1be
--- /dev/null
+++ b/modules/eks-kube-prometheus-stack/data.tf
@@ -0,0 +1,3 @@
+data "aws_eks_cluster_auth" "self" {
+ name = var.cluster_id
+}
diff --git a/modules/eks-kube-prometheus-stack/main.tf b/modules/eks-kube-prometheus-stack/main.tf
new file mode 100644
index 0000000..2f4e6bb
--- /dev/null
+++ b/modules/eks-kube-prometheus-stack/main.tf
@@ -0,0 +1,41 @@
+resource "helm_release" "kube_prometheus_stack" {
+ name = var.prom_operator_release_name
+ repository = "https://prometheus-community.github.io/helm-charts"
+ chart = "kube-prometheus-stack"
+ version = "34.9.0"
+ namespace = var.namespace
+ create_namespace = var.create_namespace
+
+ set {
+ name = "prometheus.ingress.enabled"
+ value = true
+ }
+ set {
+ name = "prometheus.ingress.hosts"
+ value = "{prometheus-operator.${var.domain}}"
+ }
+ set {
+ name = "alertmanager.enabled"
+ value = var.enable_alertmanager
+ }
+ set {
+ name = "alertmanager.ingress.enabled"
+ value = var.enable_alertmanager
+ }
+ set {
+ name = "alertmanager.ingress.hosts"
+ value = "{alertmanager.${var.domain}}"
+ }
+ set {
+ name = "grafana.enabled"
+ value = var.enable_grafana
+ }
+ set {
+ name = "grafana.ingress.enabled"
+ value = var.enable_grafana
+ }
+ set {
+ name = "grafana.ingress.hosts"
+ value = "{grafana.${var.domain}}"
+ }
+}
diff --git a/modules/eks-kube-prometheus-stack/provider.tf b/modules/eks-kube-prometheus-stack/provider.tf
new file mode 100644
index 0000000..3dd1f2c
--- /dev/null
+++ b/modules/eks-kube-prometheus-stack/provider.tf
@@ -0,0 +1,7 @@
+provider "helm" {
+ kubernetes {
+ host = var.cluster_endpoint
+ cluster_ca_certificate = base64decode(var.cluster_certificate_authority_data)
+ token = data.aws_eks_cluster_auth.self.token
+ }
+}
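Review bot: `prometheus.ingress.enabled`, `alertmanager.ingress.enabled` and `grafana.ingress.enabled` publish UIs that ship without authentication (Prometheus and Alertmanager in particular) on hostnames under `var.domain`, and nothing in this resource restricts who can reach them. The hostnames come from the private DNS zone, so the intent is presumably internal-only, but the ingress-nginx layout in modules/eks-ingress-controller/values.yaml appears to run a single controller behind both the public and the internal NLB, in which case host-based routing alone does not keep these ingresses off the internet-facing load balancer — a request carrying the private hostname in its `Host` header still reaches the backend. Consider a `nginx.ingress.kubernetes.io/whitelist-source-range` annotation via the chart's `*.ingress.annotations` values, a dedicated ingress class bound to the internal controller, or an auth layer in front of these three ingresses, and note the decision in a comment above the first `set` block; no `grafana.adminPassword` override appears here either, so the chart default is presumably in effect.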
diff --git a/modules/eks-kube-prometheus-stack/variables.tf b/modules/eks-kube-prometheus-stack/variables.tf new file mode 100644 index 0000000..fdbddbb --- /dev/null +++ b/modules/eks-kube-prometheus-stack/variables.tf @@ -0,0 +1,61 @@ +variable "cluster_id" { + type = string + description = "The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready" +} + +variable "cluster_endpoint" { + type = string + description = "Endpoint for your Kubernetes API server" +} + +variable "cluster_certificate_authority_data" { + type = string + description = "Base64 encoded certificate data required to communicate with the cluster" +} + +variable "namespace" { + type = string + description = "The namespace where the kube-prometheus-stack is deployed" + default = "monitoring" +} + +variable "create_namespace" { + type = bool + description = "Flag allowing to create the namespace if it does not exists" + default = true +} + +variable "domain" { + type = string + description = "Domain name used to setup ingress for kube-prometheus-stack" +} + +variable "prom_operator_release_name" { + type = string + description = "The name of the Helm release deploying the prometheus stack chart" + default = "prometheus-community" +} + +variable "pushgateway_release_name" { + type = string + description = "The name of the Helm release deploying the pushgateway chart" + default = "pushgateway" +} + +variable "enable_alertmanager" { + type = bool + default = true + description = "Enable alertmanager in the Prometheus Operator" +} + +variable "enable_grafana" { + type = bool + default = true + description = "Enable grafana in the Prometheus Operator" +} + +variable "enable_pushgateway" { + type = bool + default = true + description = "Enable pushgateway in the Prometheus Operator" +} diff --git a/modules/eks-kube-prometheus-stack/versions.tf b/modules/eks-kube-prometheus-stack/versions.tf new file mode 100644 index 0000000..bd5f11b --- /dev/null 
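Review bot: `pushgateway_release_name` and `enable_pushgateway` are declared but modules/eks-kube-prometheus-stack/main.tf in this commit never reads them, so the `enable_pushgateway = true` default promises a component that is not deployed. Either wire them into a release or remove them; if they are kept for a follow-up, mark it: `# TODO: consumed by a pushgateway release not yet added`.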
+++ b/modules/eks-kube-prometheus-stack/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_providers {
+ helm = {
+ source = "hashicorp/helm"
+ version = "2.4.1"
+ }
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.4.0"
+ }
+ }
+}