Adding a lot of stuff.

infra/config.hcl

@@ -42,30 +42,6 @@ locals {
     }
   }
 
-  /*
-    ⋮ 22 │  eks_cluster_security_group_additional_rules = {
-    ⋮ 23 │    egress_nodes_ephemeral_ports_tcp = {
-    ⋮ 24 │      description                = "Nginx validation webhook"
-    ⋮ 25 │      protocol                   = "tcp"
-    ⋮ 26 │      from_port                  = 8443
-    ⋮ 27 │      to_port                    = 8443
-    ⋮ 28 │      type                       = "egress"
-    ⋮ 29 │      source_node_security_group = true
-    ⋮ 30 │    }
-    ⋮ 31 │  }
-    ⋮ 32 │
- 22 ⋮ 33 │  eks_node_security_group_additional_rules = {
-    ⋮ 34 │    ingress_cluster_api_validation_webhooks = {
-    ⋮ 35 │      description                   = "Control Plane to validation nginx webhook"
-    ⋮ 36 │      protocol                      = "tcp"
-    ⋮ 37 │      from_port                     = 8443
-    ⋮ 38 │      to_port                       = 8443
-    ⋮ 39 │      type                          = "ingress"
-    ⋮ 40 │      source_cluster_security_group = true
-    ⋮ 41 │    }
-
-  */
-
   eks_cluster_security_group_additional_rules = {
     egress_nodes_ephemeral_ports_tcp = {
       description                = "Validation webhooks"
@@ -150,6 +126,7 @@ locals {
         type                              = "nlb"
         proxy-protocol                    = ""
         nlb-target-type                   = ""
+        eip-allocations                   = ""
       }
       internal = {
         dns_record                        = "*"
@@ -159,6 +136,18 @@ locals {
         type                              = "nlb"
         proxy-protocol                    = ""
         nlb-target-type                   = ""
+        eip-allocations                   = ""
+      }
+    }
+  }
+
+  elastic_ips = {
+    "eks_public_nlb" = {
+      count = length(local.azs)
+      vpc   = true
+      tags = {
+        cluster = local.eks_cluster_name
+        usage   = "eks_public_nlb"
       }
     }
   }

infra/eks-cert-manager/.terraform.lock.hcl

@@ -0,0 +1,40 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "4.4.0"
+  constraints = "~> 4.4.0"
+  hashes = [
+    "h1:xUXge6/Bn/CzSjZpmQIr7/FwANKj+3cIEnxYlgS1xFo=",
+    "zh:087e8e1b9c3d2c9d547181aa88f75fd42d9800eea6d37c0276b1208c427113ff",
+    "zh:25c3deac14f06a7da5d4d8b56dd5e25a24b5c3bb6bb7a585145d7df1a6e5bc3f",
+    "zh:5bd23fc03cd51eca3f1e4e4414624dcc4f075eca5cf5aabf06b54b4edded5c50",
+    "zh:8399507975a422a84b93b24c07db34cc9342f54aa693eace1b451c6b1ab54b87",
+    "zh:9618bed0832433fee57579d4a001479b08e2092d0c08539edb897f57f6ea0114",
+    "zh:b0b9060bc367c5fb6175c7ae59382fd6107ab0c0bad6e40cd3205127d8e6717d",
+    "zh:b160122057659cceb72f78a86483f71d59742502dad23b770dc4248b8e94edd4",
+    "zh:cb927f4622ef9bf439b867aef760c948839e1cec2ddb8bdba7abfc5183124360",
+    "zh:e37ce5054a5838eda190f286a62eeb7146087863e38b1a205aa0eb12a5e765b9",
+    "zh:e38856fd703b2f6e08a35cbe5ddab9a734c9608d2372411bfa6ef1b05ffeb758",
+    "zh:f342e638d9672d969ed3946b9f0650cf327690b35e0812b2ddae97bd32c2d946",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version     = "2.4.1"
+  constraints = "2.4.1"
+  hashes = [
+    "h1:Gqwrr+yKWR79esN39X9eRCddxMNapmaGMynLfjrUJJo=",
+    "zh:07517b24ea2ce4a1d3be3b88c3efc7fb452cd97aea8fac93ca37a08a8ec06e14",
+    "zh:11ef6118ed03a1b40ff66adfe21b8707ece0568dae1347ddfbcff8452c0655d5",
+    "zh:1ae07e9cc6b088a6a68421642c05e2fa7d00ed03e9401e78c258cf22a239f526",
+    "zh:1c5b4cd44033a0d7bf7546df930c55aa41db27b70b3bca6d145faf9b9a2da772",
+    "zh:256413132110ddcb0c3ea17c7b01123ad2d5b70565848a77c5ccc22a3f32b0dd",
+    "zh:4ab46fd9aadddef26604382bc9b49100586647e63ef6384e0c0c3f010ff2f66e",
+    "zh:5a35d23a9f08c36fceda3cef7ce2c7dc5eca32e5f36494de695e09a5007122f0",
+    "zh:8e9823a1e5b985b63fe283b755a821e5011a58112447d42fb969c7258ed57ed3",
+    "zh:8f79722eba9bf77d341edf48a1fd51a52d93ec31d9cac9ba8498a3a061ea4a7f",
+    "zh:b2ea782848b10a343f586ba8ee0cf4d7ff65aa2d4b144eea5bbd8f9801b54c67",
+    "zh:e72d1ccf8a75d8e8456c6bb4d843fd4deb0e962ad8f167fa84cf17f12c12304e",
+  ]
+}

infra/eks-cert-manager/terragrunt.hcl

@@ -0,0 +1,32 @@
+include "root" {
+  path = find_in_parent_folders()
+}
+
+terraform {
+  source = "${get_repo_root()}//modules/eks-cert-manager"
+}
+
+dependency "eks" {
+  config_path = "../eks"
+
+  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
+  mock_outputs = {
+    cluster_id                         = "fake-cluster-id"
+    cluster_endpoint                   = "https://fake-cluster-endpoint.eks.amazonaws.com"
+    cluster_certificate_authority_data = "ZmFrZS1jYS1jZXJ0LWRhdGE="
+  }
+}
+
+locals {
+  config_vars = read_terragrunt_config(find_in_parent_folders("config.hcl"))
+}
+
+generate = local.config_vars.generate
+
+inputs = {
+  cluster_id                         = dependency.eks.outputs.cluster_id
+  cluster_endpoint                   = dependency.eks.outputs.cluster_endpoint
+  cluster_certificate_authority_data = dependency.eks.outputs.cluster_certificate_authority_data
+  namespace                          = "cert-manager"
+  create_namespace                   = "true"
+}

infra/eks-external-secrets/.terraform.lock.hcl

@@ -0,0 +1,60 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "4.4.0"
+  constraints = "~> 4.4.0"
+  hashes = [
+    "h1:xUXge6/Bn/CzSjZpmQIr7/FwANKj+3cIEnxYlgS1xFo=",
+    "zh:087e8e1b9c3d2c9d547181aa88f75fd42d9800eea6d37c0276b1208c427113ff",
+    "zh:25c3deac14f06a7da5d4d8b56dd5e25a24b5c3bb6bb7a585145d7df1a6e5bc3f",
+    "zh:5bd23fc03cd51eca3f1e4e4414624dcc4f075eca5cf5aabf06b54b4edded5c50",
+    "zh:8399507975a422a84b93b24c07db34cc9342f54aa693eace1b451c6b1ab54b87",
+    "zh:9618bed0832433fee57579d4a001479b08e2092d0c08539edb897f57f6ea0114",
+    "zh:b0b9060bc367c5fb6175c7ae59382fd6107ab0c0bad6e40cd3205127d8e6717d",
+    "zh:b160122057659cceb72f78a86483f71d59742502dad23b770dc4248b8e94edd4",
+    "zh:cb927f4622ef9bf439b867aef760c948839e1cec2ddb8bdba7abfc5183124360",
+    "zh:e37ce5054a5838eda190f286a62eeb7146087863e38b1a205aa0eb12a5e765b9",
+    "zh:e38856fd703b2f6e08a35cbe5ddab9a734c9608d2372411bfa6ef1b05ffeb758",
+    "zh:f342e638d9672d969ed3946b9f0650cf327690b35e0812b2ddae97bd32c2d946",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version     = "2.4.1"
+  constraints = "2.4.1"
+  hashes = [
+    "h1:Gqwrr+yKWR79esN39X9eRCddxMNapmaGMynLfjrUJJo=",
+    "zh:07517b24ea2ce4a1d3be3b88c3efc7fb452cd97aea8fac93ca37a08a8ec06e14",
+    "zh:11ef6118ed03a1b40ff66adfe21b8707ece0568dae1347ddfbcff8452c0655d5",
+    "zh:1ae07e9cc6b088a6a68421642c05e2fa7d00ed03e9401e78c258cf22a239f526",
+    "zh:1c5b4cd44033a0d7bf7546df930c55aa41db27b70b3bca6d145faf9b9a2da772",
+    "zh:256413132110ddcb0c3ea17c7b01123ad2d5b70565848a77c5ccc22a3f32b0dd",
+    "zh:4ab46fd9aadddef26604382bc9b49100586647e63ef6384e0c0c3f010ff2f66e",
+    "zh:5a35d23a9f08c36fceda3cef7ce2c7dc5eca32e5f36494de695e09a5007122f0",
+    "zh:8e9823a1e5b985b63fe283b755a821e5011a58112447d42fb969c7258ed57ed3",
+    "zh:8f79722eba9bf77d341edf48a1fd51a52d93ec31d9cac9ba8498a3a061ea4a7f",
+    "zh:b2ea782848b10a343f586ba8ee0cf4d7ff65aa2d4b144eea5bbd8f9801b54c67",
+    "zh:e72d1ccf8a75d8e8456c6bb4d843fd4deb0e962ad8f167fa84cf17f12c12304e",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/kubernetes" {
+  version     = "2.10.0"
+  constraints = "2.10.0"
+  hashes = [
+    "h1:HGCh+b5R/yytVhuJoAMipLJb2wlTwNHlv3MiyHYBwzg=",
+    "zh:0b011e77f02bc05194062c0a39f321a4f1bea0bae61787b0c1f5808f6efb2a26",
+    "zh:288ad46e240c5d1218909a9100ca8bd2197c8615558bbe7b393ba35877d5e4f0",
+    "zh:3e5554791ed103b6190efebe332fd3722796e6a59cf081f87ef1debb4e0b6ae3",
+    "zh:98e42cb48624be7eb2e16b5d8fc5044d7207943b6d13905bc3d3c006aa231cc7",
+    "zh:b1c800fd3971051d9deb4824f933e506ae288458e425be8ea449c9d40c7b0663",
+    "zh:bca1802585ecbc36bfcc700b6fa7c6ff96b2b8c4aca23c58df939a5002a05b4d",
+    "zh:c2f6bf46cd95d00f2bb1634afff92eeb269d27d83eea80b8cfceca1afdcd3033",
+    "zh:d2ccfbf3a9bf2ede8be6242c023173efd85a882cd3956a941f140c5718047412",
+    "zh:da19cd4a124f4ffc092e19f5b7a10ac4cce98db40cf855ea0d4a682f3df83a1f",
+    "zh:e3a2020453a86f80ad2b3f792e91a35fe272b907485a59c02d19269a1bdfe2fd",
+    "zh:f0659ca86e0dc0dd76b7f4497db8e58144ee9f0943b6d14dc57193d25ee22ced",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+  ]
+}

infra/eks-external-secrets/terragrunt.hcl

@@ -0,0 +1,33 @@
+include "root" {
+  path = find_in_parent_folders()
+}
+
+terraform {
+  source = "${get_repo_root()}//modules/eks-external-secrets"
+}
+
+dependency "eks" {
+  config_path = "../eks"
+
+  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
+  mock_outputs = {
+    cluster_id                         = "fake-cluster-id"
+    cluster_endpoint                   = "https://fake-cluster-endpoint.eks.amazonaws.com"
+    cluster_certificate_authority_data = "ZmFrZS1jYS1jZXJ0LWRhdGE="
+  }
+}
+
+locals {
+  config_vars = read_terragrunt_config(find_in_parent_folders("config.hcl"))
+}
+
+generate = local.config_vars.generate
+
+inputs = {
+  cluster_id                         = dependency.eks.outputs.cluster_id
+  cluster_endpoint                   = dependency.eks.outputs.cluster_endpoint
+  cluster_certificate_authority_data = dependency.eks.outputs.cluster_certificate_authority_data
+
+  # Enable this only if kube-prometheus-stack is set-up on the cluster.
+  service_monitor = true
+}

infra/eks-kube-prometheus-stack/.terraform.lock.hcl

@@ -0,0 +1,40 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "4.4.0"
+  constraints = "~> 4.4.0"
+  hashes = [
+    "h1:xUXge6/Bn/CzSjZpmQIr7/FwANKj+3cIEnxYlgS1xFo=",
+    "zh:087e8e1b9c3d2c9d547181aa88f75fd42d9800eea6d37c0276b1208c427113ff",
+    "zh:25c3deac14f06a7da5d4d8b56dd5e25a24b5c3bb6bb7a585145d7df1a6e5bc3f",
+    "zh:5bd23fc03cd51eca3f1e4e4414624dcc4f075eca5cf5aabf06b54b4edded5c50",
+    "zh:8399507975a422a84b93b24c07db34cc9342f54aa693eace1b451c6b1ab54b87",
+    "zh:9618bed0832433fee57579d4a001479b08e2092d0c08539edb897f57f6ea0114",
+    "zh:b0b9060bc367c5fb6175c7ae59382fd6107ab0c0bad6e40cd3205127d8e6717d",
+    "zh:b160122057659cceb72f78a86483f71d59742502dad23b770dc4248b8e94edd4",
+    "zh:cb927f4622ef9bf439b867aef760c948839e1cec2ddb8bdba7abfc5183124360",
+    "zh:e37ce5054a5838eda190f286a62eeb7146087863e38b1a205aa0eb12a5e765b9",
+    "zh:e38856fd703b2f6e08a35cbe5ddab9a734c9608d2372411bfa6ef1b05ffeb758",
+    "zh:f342e638d9672d969ed3946b9f0650cf327690b35e0812b2ddae97bd32c2d946",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version     = "2.4.1"
+  constraints = "2.4.1"
+  hashes = [
+    "h1:Gqwrr+yKWR79esN39X9eRCddxMNapmaGMynLfjrUJJo=",
+    "zh:07517b24ea2ce4a1d3be3b88c3efc7fb452cd97aea8fac93ca37a08a8ec06e14",
+    "zh:11ef6118ed03a1b40ff66adfe21b8707ece0568dae1347ddfbcff8452c0655d5",
+    "zh:1ae07e9cc6b088a6a68421642c05e2fa7d00ed03e9401e78c258cf22a239f526",
+    "zh:1c5b4cd44033a0d7bf7546df930c55aa41db27b70b3bca6d145faf9b9a2da772",
+    "zh:256413132110ddcb0c3ea17c7b01123ad2d5b70565848a77c5ccc22a3f32b0dd",
+    "zh:4ab46fd9aadddef26604382bc9b49100586647e63ef6384e0c0c3f010ff2f66e",
+    "zh:5a35d23a9f08c36fceda3cef7ce2c7dc5eca32e5f36494de695e09a5007122f0",
+    "zh:8e9823a1e5b985b63fe283b755a821e5011a58112447d42fb969c7258ed57ed3",
+    "zh:8f79722eba9bf77d341edf48a1fd51a52d93ec31d9cac9ba8498a3a061ea4a7f",
+    "zh:b2ea782848b10a343f586ba8ee0cf4d7ff65aa2d4b144eea5bbd8f9801b54c67",
+    "zh:e72d1ccf8a75d8e8456c6bb4d843fd4deb0e962ad8f167fa84cf17f12c12304e",
+  ]
+}

infra/eks-kube-prometheus-stack/terragrunt.hcl

@@ -0,0 +1,43 @@
+include "root" {
+  path = find_in_parent_folders()
+}
+
+terraform {
+  source = "${get_repo_root()}//modules/eks-kube-prometheus-stack"
+}
+
+dependency "eks" {
+  config_path = "../eks"
+
+  # Configure mock outputs for the `validate` and `plan` commands that are returned when there are no outputs available
+  # (e.g the module hasn't been applied yet)
+  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
+  mock_outputs = {
+    cluster_id                         = "fake-cluster-id"
+    cluster_endpoint                   = "https://fake-cluster-endpoint.eks.amazonaws.com"
+    cluster_certificate_authority_data = "ZmFrZS1jYS1jZXJ0LWRhdGE="
+  }
+}
+
+dependency "private_dns" {
+  config_path = "../dns-private"
+
+  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
+  mock_outputs = {
+    dns_zone = {
+      name    = "fake.zone.com"
+      zone_id = "ZXXXXXXXXXXXXXXXXXXX"
+    }
+  }
+}
+
+locals {
+  config_vars = read_terragrunt_config(find_in_parent_folders("config.hcl"))
+}
+
+inputs = {
+  cluster_id                         = dependency.eks.outputs.cluster_id
+  cluster_endpoint                   = dependency.eks.outputs.cluster_endpoint
+  cluster_certificate_authority_data = dependency.eks.outputs.cluster_certificate_authority_data
+  domain                             = dependency.private_dns.outputs.dns_zone.name
+}

infra/eks/terragrunt.hcl

@@ -35,7 +35,7 @@ inputs = {
   eks_managed_node_groups         = local.config_vars.locals.node_groups
 
   # Extend node-to-node security group rules
-  node_security_group_additional_rules = local.config_vars.locals.eks_node_security_group_additional_rules
+  node_security_group_additional_rules    = local.config_vars.locals.eks_node_security_group_additional_rules
   cluster_security_group_additional_rules = local.config_vars.locals.eks_cluster_security_group_additional_rules
 
   create_cloudwatch_log_group = false

infra/elastic-ips/.terraform.lock.hcl

@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "4.4.0"
+  constraints = "~> 4.4.0"
+  hashes = [
+    "h1:xUXge6/Bn/CzSjZpmQIr7/FwANKj+3cIEnxYlgS1xFo=",
+    "zh:087e8e1b9c3d2c9d547181aa88f75fd42d9800eea6d37c0276b1208c427113ff",
+    "zh:25c3deac14f06a7da5d4d8b56dd5e25a24b5c3bb6bb7a585145d7df1a6e5bc3f",
+    "zh:5bd23fc03cd51eca3f1e4e4414624dcc4f075eca5cf5aabf06b54b4edded5c50",
+    "zh:8399507975a422a84b93b24c07db34cc9342f54aa693eace1b451c6b1ab54b87",
+    "zh:9618bed0832433fee57579d4a001479b08e2092d0c08539edb897f57f6ea0114",
+    "zh:b0b9060bc367c5fb6175c7ae59382fd6107ab0c0bad6e40cd3205127d8e6717d",
+    "zh:b160122057659cceb72f78a86483f71d59742502dad23b770dc4248b8e94edd4",
+    "zh:cb927f4622ef9bf439b867aef760c948839e1cec2ddb8bdba7abfc5183124360",
+    "zh:e37ce5054a5838eda190f286a62eeb7146087863e38b1a205aa0eb12a5e765b9",
+    "zh:e38856fd703b2f6e08a35cbe5ddab9a734c9608d2372411bfa6ef1b05ffeb758",
+    "zh:f342e638d9672d969ed3946b9f0650cf327690b35e0812b2ddae97bd32c2d946",
+  ]
+}

infra/elastic-ips/terragrunt.hcl

@@ -0,0 +1,17 @@
+include "root" {
+  path = find_in_parent_folders()
+}
+
+terraform {
+  source = "${get_repo_root()}//modules/eip-set"
+}
+
+locals {
+  config_vars = read_terragrunt_config(find_in_parent_folders("config.hcl"))
+}
+
+generate = local.config_vars.generate
+
+inputs = {
+  eips = local.config_vars.locals.elastic_ips
+}

infra/ingress-controller/terragrunt.hcl

@@ -63,6 +63,22 @@ dependency "private_dns" {
   }
 }
 
+dependency "eips" {
+  config_path = "../elastic-ips"
+
+  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
+  mock_outputs = {
+    eip_groups = {
+      eks_public_nlb = {
+        eips = [
+          { allocation_id = "eipalloc-xxxxxxxxxxxxxxxxx" },
+          { allocation_id = "eipalloc-yyyyyyyyyyyyyyyyy" }
+        ]
+      }
+    }
+  }
+}
+
 locals {
   config_vars = read_terragrunt_config(find_in_parent_folders("config.hcl"))
 
@@ -72,17 +88,17 @@ locals {
   lb_config_public = merge(
     local.eks_ingress_controller.load_balancer_config.public,
     {
-      type            = "external"
+      type                   = "external"
-      proxy-protocol  = "*"
+      enable-proxy-protocol  = true
-      nlb-target-type = "instance"
+      nlb-target-type        = "instance"
     }
   )
   lb_config_internal = merge(
     local.eks_ingress_controller.load_balancer_config.internal,
     {
-      type            = "external"
+      type                   = "external"
-      proxy-protocol  = "*"
+      enable-proxy-protocol  = true
-      nlb-target-type = "instance"
+      nlb-target-type        = "instance"
     }
   )
 }
@@ -105,6 +121,13 @@ inputs = {
   load_balancer_config = {
     public   = local.lb_config_public,
     internal = local.lb_config_internal,
+    public = merge(local.lb_config_public, {
+      "eip-allocations" = join(", ", dependency.eips.outputs.eip_groups.eks_public_nlb.eips.*.allocation_id),
+      "name"            = "${dependency.eks.outputs.cluster_id}-public"
+    })
+    internal = merge(local.lb_config_internal, {
+      "name" = "${dependency.eks.outputs.cluster_id}-internal"
+    })
   }
 
   enable_internal_lb = local.eks_ingress_controller.enable_internal_lb

modules/eip-set/main.tf

@@ -0,0 +1,8 @@
+module "eip" {
+  source   = "../eip"
+  for_each = var.eips
+
+  eip_count = each.value.count
+  vpc       = each.value.vpc
+  tags      = each.value.tags
+}

modules/eip-set/outputs.tf

@@ -0,0 +1,3 @@
+output "eip_groups" {
+  value = module.eip
+}

modules/eip-set/variables.tf

@@ -0,0 +1,8 @@
+variable "eips" {
+  description = "a map of elastic ip objects"
+  type = map(object({
+    vpc   = bool
+    count = number
+    tags  = map(string)
+  }))
+}

modules/eip-set/versions.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.4.0"
+    }
+  }
+}

modules/eip/main.tf

@@ -0,0 +1,6 @@
+resource "aws_eip" "self" {
+  count = var.eip_count
+
+  vpc  = var.vpc
+  tags = var.tags
+}

modules/eip/outputs.tf

@@ -0,0 +1,3 @@
+output "eips" {
+  value = aws_eip.self.*
+}

modules/eip/variables.tf

@@ -0,0 +1,12 @@
+variable "vpc" {
+  type        = bool
+  description = "Boolean if the EIP is in a VPC or not"
+}
+variable "eip_count" {
+  type        = number
+  description = "The number of elastic ip to create"
+}
+variable "tags" {
+  type        = map(string)
+  description = "The tags to set on the eip"
+}

modules/eks-cert-manager/data.tf

@@ -0,0 +1,3 @@
+data "aws_eks_cluster_auth" "self" {
+  name = var.cluster_id
+}

modules/eks-cert-manager/main.tf

@@ -0,0 +1,13 @@
+resource "helm_release" "cert_manager" {
+  name             = "cert-manager"
+  repository       = "https://charts.jetstack.io"
+  chart            = "cert-manager"
+  version          = "1.8.0"
+  namespace        = var.namespace
+  create_namespace = var.create_namespace
+
+  set {
+    name  = "installCRDs"
+    value = true
+  }
+}

modules/eks-cert-manager/provider.tf

@@ -0,0 +1,7 @@
+provider "helm" {
+  kubernetes {
+    host                   = var.cluster_endpoint
+    cluster_ca_certificate = base64decode(var.cluster_certificate_authority_data)
+    token                  = data.aws_eks_cluster_auth.self.token
+  }
+}

modules/eks-cert-manager/variables.tf

@@ -0,0 +1,24 @@
+variable "cluster_id" {
+  type        = string
+  description = "The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready"
+}
+
+variable "cluster_endpoint" {
+  type        = string
+  description = "Endpoint for your Kubernetes API server"
+}
+
+variable "cluster_certificate_authority_data" {
+  type        = string
+  description = "Base64 encoded certificate data required to communicate with the cluster"
+}
+
+variable "namespace" {
+  type        = string
+  description = "The namespace where cert-manager is deployed"
+}
+
+variable "create_namespace" {
+  type        = bool
+  description = "Flag allowing to create the namespace if it does not exists"
+}

modules/eks-cert-manager/versions.tf

@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    helm = {
+      source  = "hashicorp/helm"
+      version = "2.4.1"
+    }
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.4.0"
+    }
+  }
+}

modules/eks-external-secrets/data.tf

@@ -0,0 +1,3 @@
+data "aws_eks_cluster_auth" "self" {
+  name = var.cluster_id
+}

modules/eks-external-secrets/main.tf

@@ -0,0 +1,53 @@
+resource "helm_release" "external_secrets" {
+  name             = "external-secrets"
+  repository       = "https://charts.external-secrets.io"
+  chart            = "external-secrets"
+  version          = "0.5.2"
+  namespace        = var.namespace
+  create_namespace = var.create_namespace
+
+  set {
+    name  = "installCRDs"
+    value = true
+  }
+
+  set {
+    name  = "webhook.create"
+    value = true
+  }
+
+  set {
+    name  = "certController.create"
+    value = true
+  }
+
+  set {
+    name  = "webhook.serviceMonitor.enabled"
+    value = var.service_monitor
+  }
+
+  set {
+    name  = "webhook.serviceMonitor.additionalLabels.release"
+    value = "prometheus-community"
+  }
+
+  set {
+    name  = "serviceMonitor.enabled"
+    value = var.service_monitor
+  }
+
+  set {
+    name  = "serviceMonitor.additionalLabels.release"
+    value = "prometheus-community"
+  }
+
+  set {
+    name  = "certController.serviceMonitor.enabled"
+    value = var.service_monitor
+  }
+
+  set {
+    name  = "certController.serviceMonitor.additionalLabels.release"
+    value = "prometheus-community"
+  }
+}

modules/eks-external-secrets/provider.tf

@@ -0,0 +1,16 @@
+provider "helm" {
+  kubernetes {
+    host                   = var.cluster_endpoint
+    cluster_ca_certificate = base64decode(var.cluster_certificate_authority_data)
+    token                  = data.aws_eks_cluster_auth.self.token
+  }
+}
+
+provider "kubernetes" {
+  host                   = var.cluster_endpoint
+  cluster_ca_certificate = base64decode(var.cluster_certificate_authority_data)
+  token                  = data.aws_eks_cluster_auth.self.token
+  experiments {
+    manifest_resource = true
+  }
+}

modules/eks-external-secrets/variables.tf

@@ -0,0 +1,32 @@
+variable "cluster_id" {
+  type        = string
+  description = "The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready"
+}
+
+variable "cluster_endpoint" {
+  type        = string
+  description = "Endpoint for your Kubernetes API server"
+}
+
+variable "cluster_certificate_authority_data" {
+  type        = string
+  description = "Base64 encoded certificate data required to communicate with the cluster"
+}
+
+variable "namespace" {
+  default     = "external-secrets"
+  type        = string
+  description = "The name of the namespace where the operator will be deployed"
+}
+
+variable "create_namespace" {
+  default     = true
+  type        = bool
+  description = "If true, the namespace is create if it does not exists"
+}
+
+variable "service_monitor" {
+  type        = bool
+  default     = false
+  description = "If true, the ServiceMonitor is created for the monitoring based on Prometheus operator"
+}

modules/eks-external-secrets/versions.tf

@@ -0,0 +1,16 @@
+terraform {
+  required_providers {
+    helm = {
+      source  = "hashicorp/helm"
+      version = "2.4.1"
+    }
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.4.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "2.10.0"
+    }
+  }
+}

modules/eks-ingress-controller/values.yaml

@@ -5,6 +5,7 @@ controller:
     proxy-real-ip-cidr: ${proxy-real-ip-cidr}
     use-forwarded-headers: ${use-forwarded-headers}
     compute-full-forwarded-for: ${compute-full-forwarded-for}
+
   service:
     annotations:
       service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ${public.backend-protocol}
@@ -12,9 +13,15 @@ controller:
       service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: '${public.cross-zone-load-balancing-enabled}'
       service.beta.kubernetes.io/aws-load-balancer-type: ${public.type}
       service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "scheme=internet-facing,${tags}"
-      service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "${public.proxy-protocol}"
+      %{~ if public.enable-proxy-protocol ~}
+      service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+      %{~ endif ~}
       service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "${public.nlb-target-type}"
       service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
+      %{~ if public.eip-allocations != "" ~}
+      service.beta.kubernetes.io/aws-load-balancer-eip-allocations: ${public.eip-allocations}
+      %{~ endif ~}
+      service.beta.kubernetes.io/aws-load-balancer-name: "${public.name}"
     internal:
       annotations:
         service.beta.kubernetes.io/aws-load-balancer-internal: "true"
@@ -23,17 +30,20 @@ controller:
         service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: '${internal.cross-zone-load-balancing-enabled}'
         service.beta.kubernetes.io/aws-load-balancer-type: ${internal.type}
         service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "scheme=internal,${tags}"
-        service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "${internal.proxy-protocol}"
+        %{~ if internal.enable-proxy-protocol ~}
+        service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+        %{~ endif ~}
         service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "${public.nlb-target-type}"
         service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
         service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=false
+        service.beta.kubernetes.io/aws-load-balancer-name: "${internal.name}"
 
-#  metrics:
+  metrics:
-#    enabled: true
+    enabled: true
-#    serviceMonitor:
+    serviceMonitor:
-#      enabled: true
+      enabled: true
-#      additionalLabels:
+      additionalLabels:
-#        release: prometheus-community
+        release: prometheus-community
-#      namespaceSelector:
+      namespaceSelector:
-#        any: true
+        any: true
 ...

modules/eks-ingress-controller/variables.tf

@@ -5,8 +5,10 @@ variable "load_balancer_config" {
     cross-zone-load-balancing-enabled = bool
     type                              = string
     dns_record                        = string
-    proxy-protocol                    = string
+    enable-proxy-protocol             = bool
     nlb-target-type                   = string
+    eip-allocations                   = string
+    name                              = string
   }))
   description = "The AWS Load Balancer(s) configuration. Map keys shall be 'public' and/or 'internal'"
 }
@@ -98,4 +100,4 @@ variable "internal_dns_record" {
 variable "tags" {
   type    = map(string)
   default = {}
-}
+}

modules/eks-kube-prometheus-stack/data.tf

@@ -0,0 +1,3 @@
+data "aws_eks_cluster_auth" "self" {
+  name = var.cluster_id
+}

modules/eks-kube-prometheus-stack/main.tf

@@ -0,0 +1,41 @@
+resource "helm_release" "kube_prometheus_stack" {
+  name             = var.prom_operator_release_name
+  repository       = "https://prometheus-community.github.io/helm-charts"
+  chart            = "kube-prometheus-stack"
+  version          = "34.9.0"
+  namespace        = var.namespace
+  create_namespace = var.create_namespace
+
+  set {
+    name  = "prometheus.ingress.enabled"
+    value = true
+  }
+  set {
+    name  = "prometheus.ingress.hosts"
+    value = "{prometheus-operator.${var.domain}}"
+  }
+  set {
+    name  = "alertmanager.enabled"
+    value = var.enable_alertmanager
+  }
+  set {
+    name  = "alertmanager.ingress.enabled"
+    value = var.enable_alertmanager
+  }
+  set {
+    name  = "alertmanager.ingress.hosts"
+    value = "{alertmanager.${var.domain}}"
+  }
+  set {
+    name  = "grafana.enabled"
+    value = var.enable_grafana
+  }
+  set {
+    name  = "grafana.ingress.enabled"
+    value = var.enable_grafana
+  }
+  set {
+    name  = "grafana.ingress.hosts"
+    value = "{grafana.${var.domain}}"
+  }
+}

modules/eks-kube-prometheus-stack/provider.tf

@@ -0,0 +1,7 @@
+provider "helm" {
+  kubernetes {
+    host                   = var.cluster_endpoint
+    cluster_ca_certificate = base64decode(var.cluster_certificate_authority_data)
+    token                  = data.aws_eks_cluster_auth.self.token
+  }
+}

modules/eks-kube-prometheus-stack/variables.tf

@@ -0,0 +1,61 @@
+variable "cluster_id" {
+  type        = string
+  description = "The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready"
+}
+
+variable "cluster_endpoint" {
+  type        = string
+  description = "Endpoint for your Kubernetes API server"
+}
+
+variable "cluster_certificate_authority_data" {
+  type        = string
+  description = "Base64 encoded certificate data required to communicate with the cluster"
+}
+
+variable "namespace" {
+  type        = string
+  description = "The namespace where the kube-prometheus-stack is deployed"
+  default     = "monitoring"
+}
+
+variable "create_namespace" {
+  type        = bool
+  description = "Flag allowing to create the namespace if it does not exists"
+  default     = true
+}
+
+variable "domain" {
+  type        = string
+  description = "Domain name used to setup ingress for kube-prometheus-stack"
+}
+
+variable "prom_operator_release_name" {
+  type        = string
+  description = "The name of the Helm release deploying the prometheus stack chart"
+  default     = "prometheus-community"
+}
+
+variable "pushgateway_release_name" {
+  type        = string
+  description = "The name of the Helm release deploying the pushgateway chart"
+  default     = "pushgateway"
+}
+
+variable "enable_alertmanager" {
+  type        = bool
+  default     = true
+  description = "Enable alertmanager in the Prometheus Operator"
+}
+
+variable "enable_grafana" {
+  type        = bool
+  default     = true
+  description = "Enable grafana in the Prometheus Operator"
+}
+
+variable "enable_pushgateway" {
+  type        = bool
+  default     = true
+  description = "Enable pushgateway in the Prometheus Operator"
+}

modules/eks-kube-prometheus-stack/versions.tf

@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    helm = {
+      source  = "hashicorp/helm"
+      version = "2.4.1"
+    }
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.4.0"
+    }
+  }
+}