Adding a lot of stuff.

This commit is contained in:
Patrick MARIE 2022-07-12 22:32:18 +02:00
parent 188cf2679c
commit 621e04fb94
35 changed files with 704 additions and 43 deletions


@ -42,30 +42,6 @@ locals {
}
}
/*
⋮ 22 │ eks_cluster_security_group_additional_rules = {
⋮ 23 │ egress_nodes_ephemeral_ports_tcp = {
⋮ 24 │ description = "Nginx validation webhook"
⋮ 25 │ protocol = "tcp"
⋮ 26 │ from_port = 8443
⋮ 27 │ to_port = 8443
⋮ 28 │ type = "egress"
⋮ 29 │ source_node_security_group = true
30 }
31 }
32
22 ⋮ 33 │ eks_node_security_group_additional_rules = {
⋮ 34 │ ingress_cluster_api_validation_webhooks = {
⋮ 35 │ description = "Control Plane to validation nginx webhook"
⋮ 36 │ protocol = "tcp"
⋮ 37 │ from_port = 8443
⋮ 38 │ to_port = 8443
⋮ 39 │ type = "ingress"
⋮ 40 │ source_cluster_security_group = true
41 }
*/
eks_cluster_security_group_additional_rules = {
egress_nodes_ephemeral_ports_tcp = {
description = "Validation webhooks"
@ -150,6 +126,7 @@ locals {
type = "nlb"
proxy-protocol = ""
nlb-target-type = ""
eip-allocations = ""
}
internal = {
dns_record = "*"
@ -159,6 +136,18 @@ locals {
type = "nlb"
proxy-protocol = ""
nlb-target-type = ""
eip-allocations = ""
}
}
}
elastic_ips = {
"eks_public_nlb" = {
count = length(local.azs)
vpc = true
tags = {
cluster = local.eks_cluster_name
usage = "eks_public_nlb"
}
}
}
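Review bot: The superseded security-group rules at the top of this section are kept as a `/* … */` comment block instead of being deleted, and the replacement rule keeps the key `egress_nodes_ephemeral_ports_tcp` while its description now reads "Validation webhooks", so the key no longer says what the rule allows. Git already preserves the old rules, so the commented block can go, and a key such as `egress_cluster_to_nodes_validation_webhooks` would make the cluster-SG rule self-describing. The new `elastic_ips` entry allocates `length(local.azs)` addresses, which appears to match the NLB requirement of one EIP allocation per enabled subnet; a comment on the `count` line, `# one EIP per AZ: the public NLB needs exactly one allocation per subnet it is placed in`, would record that coupling for whoever later changes `azs`. The `locals` block starts and ends outside these hunks.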


@ -0,0 +1,40 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/aws" {
version = "4.4.0"
constraints = "~> 4.4.0"
hashes = [
"h1:xUXge6/Bn/CzSjZpmQIr7/FwANKj+3cIEnxYlgS1xFo=",
"zh:087e8e1b9c3d2c9d547181aa88f75fd42d9800eea6d37c0276b1208c427113ff",
"zh:25c3deac14f06a7da5d4d8b56dd5e25a24b5c3bb6bb7a585145d7df1a6e5bc3f",
"zh:5bd23fc03cd51eca3f1e4e4414624dcc4f075eca5cf5aabf06b54b4edded5c50",
"zh:8399507975a422a84b93b24c07db34cc9342f54aa693eace1b451c6b1ab54b87",
"zh:9618bed0832433fee57579d4a001479b08e2092d0c08539edb897f57f6ea0114",
"zh:b0b9060bc367c5fb6175c7ae59382fd6107ab0c0bad6e40cd3205127d8e6717d",
"zh:b160122057659cceb72f78a86483f71d59742502dad23b770dc4248b8e94edd4",
"zh:cb927f4622ef9bf439b867aef760c948839e1cec2ddb8bdba7abfc5183124360",
"zh:e37ce5054a5838eda190f286a62eeb7146087863e38b1a205aa0eb12a5e765b9",
"zh:e38856fd703b2f6e08a35cbe5ddab9a734c9608d2372411bfa6ef1b05ffeb758",
"zh:f342e638d9672d969ed3946b9f0650cf327690b35e0812b2ddae97bd32c2d946",
]
}
provider "registry.terraform.io/hashicorp/helm" {
version = "2.4.1"
constraints = "2.4.1"
hashes = [
"h1:Gqwrr+yKWR79esN39X9eRCddxMNapmaGMynLfjrUJJo=",
"zh:07517b24ea2ce4a1d3be3b88c3efc7fb452cd97aea8fac93ca37a08a8ec06e14",
"zh:11ef6118ed03a1b40ff66adfe21b8707ece0568dae1347ddfbcff8452c0655d5",
"zh:1ae07e9cc6b088a6a68421642c05e2fa7d00ed03e9401e78c258cf22a239f526",
"zh:1c5b4cd44033a0d7bf7546df930c55aa41db27b70b3bca6d145faf9b9a2da772",
"zh:256413132110ddcb0c3ea17c7b01123ad2d5b70565848a77c5ccc22a3f32b0dd",
"zh:4ab46fd9aadddef26604382bc9b49100586647e63ef6384e0c0c3f010ff2f66e",
"zh:5a35d23a9f08c36fceda3cef7ce2c7dc5eca32e5f36494de695e09a5007122f0",
"zh:8e9823a1e5b985b63fe283b755a821e5011a58112447d42fb969c7258ed57ed3",
"zh:8f79722eba9bf77d341edf48a1fd51a52d93ec31d9cac9ba8498a3a061ea4a7f",
"zh:b2ea782848b10a343f586ba8ee0cf4d7ff65aa2d4b144eea5bbd8f9801b54c67",
"zh:e72d1ccf8a75d8e8456c6bb4d843fd4deb0e962ad8f167fa84cf17f12c12304e",
]
}


@ -0,0 +1,32 @@
include "root" {
path = find_in_parent_folders()
}
terraform {
source = "${get_repo_root()}//modules/eks-cert-manager"
}
dependency "eks" {
config_path = "../eks"
mock_outputs_allowed_terraform_commands = ["validate", "plan"]
mock_outputs = {
cluster_id = "fake-cluster-id"
cluster_endpoint = "https://fake-cluster-endpoint.eks.amazonaws.com"
cluster_certificate_authority_data = "ZmFrZS1jYS1jZXJ0LWRhdGE="
}
}
locals {
config_vars = read_terragrunt_config(find_in_parent_folders("config.hcl"))
}
generate = local.config_vars.generate
inputs = {
cluster_id = dependency.eks.outputs.cluster_id
cluster_endpoint = dependency.eks.outputs.cluster_endpoint
cluster_certificate_authority_data = dependency.eks.outputs.cluster_certificate_authority_data
namespace = "cert-manager"
create_namespace = "true"
}
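Review bot: `create_namespace = "true"` passes a string where the cert-manager module declares `variable "create_namespace" { type = bool }`; Terraform's implicit conversion makes it work today, but a quoted boolean reads like a typo and would break if the variable ever gained a validation block. Change it to `create_namespace = true`. The external-secrets module in this same commit gives `namespace` and `create_namespace` defaults, so the two modules could be made consistent by adding the same defaults to cert-manager and dropping these two inputs.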


@ -0,0 +1,60 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/aws" {
version = "4.4.0"
constraints = "~> 4.4.0"
hashes = [
"h1:xUXge6/Bn/CzSjZpmQIr7/FwANKj+3cIEnxYlgS1xFo=",
"zh:087e8e1b9c3d2c9d547181aa88f75fd42d9800eea6d37c0276b1208c427113ff",
"zh:25c3deac14f06a7da5d4d8b56dd5e25a24b5c3bb6bb7a585145d7df1a6e5bc3f",
"zh:5bd23fc03cd51eca3f1e4e4414624dcc4f075eca5cf5aabf06b54b4edded5c50",
"zh:8399507975a422a84b93b24c07db34cc9342f54aa693eace1b451c6b1ab54b87",
"zh:9618bed0832433fee57579d4a001479b08e2092d0c08539edb897f57f6ea0114",
"zh:b0b9060bc367c5fb6175c7ae59382fd6107ab0c0bad6e40cd3205127d8e6717d",
"zh:b160122057659cceb72f78a86483f71d59742502dad23b770dc4248b8e94edd4",
"zh:cb927f4622ef9bf439b867aef760c948839e1cec2ddb8bdba7abfc5183124360",
"zh:e37ce5054a5838eda190f286a62eeb7146087863e38b1a205aa0eb12a5e765b9",
"zh:e38856fd703b2f6e08a35cbe5ddab9a734c9608d2372411bfa6ef1b05ffeb758",
"zh:f342e638d9672d969ed3946b9f0650cf327690b35e0812b2ddae97bd32c2d946",
]
}
provider "registry.terraform.io/hashicorp/helm" {
version = "2.4.1"
constraints = "2.4.1"
hashes = [
"h1:Gqwrr+yKWR79esN39X9eRCddxMNapmaGMynLfjrUJJo=",
"zh:07517b24ea2ce4a1d3be3b88c3efc7fb452cd97aea8fac93ca37a08a8ec06e14",
"zh:11ef6118ed03a1b40ff66adfe21b8707ece0568dae1347ddfbcff8452c0655d5",
"zh:1ae07e9cc6b088a6a68421642c05e2fa7d00ed03e9401e78c258cf22a239f526",
"zh:1c5b4cd44033a0d7bf7546df930c55aa41db27b70b3bca6d145faf9b9a2da772",
"zh:256413132110ddcb0c3ea17c7b01123ad2d5b70565848a77c5ccc22a3f32b0dd",
"zh:4ab46fd9aadddef26604382bc9b49100586647e63ef6384e0c0c3f010ff2f66e",
"zh:5a35d23a9f08c36fceda3cef7ce2c7dc5eca32e5f36494de695e09a5007122f0",
"zh:8e9823a1e5b985b63fe283b755a821e5011a58112447d42fb969c7258ed57ed3",
"zh:8f79722eba9bf77d341edf48a1fd51a52d93ec31d9cac9ba8498a3a061ea4a7f",
"zh:b2ea782848b10a343f586ba8ee0cf4d7ff65aa2d4b144eea5bbd8f9801b54c67",
"zh:e72d1ccf8a75d8e8456c6bb4d843fd4deb0e962ad8f167fa84cf17f12c12304e",
]
}
provider "registry.terraform.io/hashicorp/kubernetes" {
version = "2.10.0"
constraints = "2.10.0"
hashes = [
"h1:HGCh+b5R/yytVhuJoAMipLJb2wlTwNHlv3MiyHYBwzg=",
"zh:0b011e77f02bc05194062c0a39f321a4f1bea0bae61787b0c1f5808f6efb2a26",
"zh:288ad46e240c5d1218909a9100ca8bd2197c8615558bbe7b393ba35877d5e4f0",
"zh:3e5554791ed103b6190efebe332fd3722796e6a59cf081f87ef1debb4e0b6ae3",
"zh:98e42cb48624be7eb2e16b5d8fc5044d7207943b6d13905bc3d3c006aa231cc7",
"zh:b1c800fd3971051d9deb4824f933e506ae288458e425be8ea449c9d40c7b0663",
"zh:bca1802585ecbc36bfcc700b6fa7c6ff96b2b8c4aca23c58df939a5002a05b4d",
"zh:c2f6bf46cd95d00f2bb1634afff92eeb269d27d83eea80b8cfceca1afdcd3033",
"zh:d2ccfbf3a9bf2ede8be6242c023173efd85a882cd3956a941f140c5718047412",
"zh:da19cd4a124f4ffc092e19f5b7a10ac4cce98db40cf855ea0d4a682f3df83a1f",
"zh:e3a2020453a86f80ad2b3f792e91a35fe272b907485a59c02d19269a1bdfe2fd",
"zh:f0659ca86e0dc0dd76b7f4497db8e58144ee9f0943b6d14dc57193d25ee22ced",
"zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
]
}


@ -0,0 +1,33 @@
include "root" {
path = find_in_parent_folders()
}
terraform {
source = "${get_repo_root()}//modules/eks-external-secrets"
}
dependency "eks" {
config_path = "../eks"
mock_outputs_allowed_terraform_commands = ["validate", "plan"]
mock_outputs = {
cluster_id = "fake-cluster-id"
cluster_endpoint = "https://fake-cluster-endpoint.eks.amazonaws.com"
cluster_certificate_authority_data = "ZmFrZS1jYS1jZXJ0LWRhdGE="
}
}
locals {
config_vars = read_terragrunt_config(find_in_parent_folders("config.hcl"))
}
generate = local.config_vars.generate
inputs = {
cluster_id = dependency.eks.outputs.cluster_id
cluster_endpoint = dependency.eks.outputs.cluster_endpoint
cluster_certificate_authority_data = dependency.eks.outputs.cluster_certificate_authority_data
# Enable this only if kube-prometheus-stack is set-up on the cluster.
service_monitor = true
}
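Review bot: `service_monitor = true` is hard-coded even though the comment directly above it says it must only be enabled once kube-prometheus-stack is installed, and nothing in this file declares that ordering, so a `run-all apply` on a fresh environment can apply this module before the ServiceMonitor CRD exists and the Helm release will fail. Declaring the ordering with an outputs-free dependency, `dependency "kube_prometheus_stack" { config_path = "../<kube-prometheus-stack-dir>" skip_outputs = true }` (placeholder path, to be replaced with the real sibling directory), would make the apply order follow the comment. If the flag is meant to stay optional, reading it from `config.hcl` instead of hard-coding `true` would keep the decision in one place.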


@ -0,0 +1,40 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/aws" {
version = "4.4.0"
constraints = "~> 4.4.0"
hashes = [
"h1:xUXge6/Bn/CzSjZpmQIr7/FwANKj+3cIEnxYlgS1xFo=",
"zh:087e8e1b9c3d2c9d547181aa88f75fd42d9800eea6d37c0276b1208c427113ff",
"zh:25c3deac14f06a7da5d4d8b56dd5e25a24b5c3bb6bb7a585145d7df1a6e5bc3f",
"zh:5bd23fc03cd51eca3f1e4e4414624dcc4f075eca5cf5aabf06b54b4edded5c50",
"zh:8399507975a422a84b93b24c07db34cc9342f54aa693eace1b451c6b1ab54b87",
"zh:9618bed0832433fee57579d4a001479b08e2092d0c08539edb897f57f6ea0114",
"zh:b0b9060bc367c5fb6175c7ae59382fd6107ab0c0bad6e40cd3205127d8e6717d",
"zh:b160122057659cceb72f78a86483f71d59742502dad23b770dc4248b8e94edd4",
"zh:cb927f4622ef9bf439b867aef760c948839e1cec2ddb8bdba7abfc5183124360",
"zh:e37ce5054a5838eda190f286a62eeb7146087863e38b1a205aa0eb12a5e765b9",
"zh:e38856fd703b2f6e08a35cbe5ddab9a734c9608d2372411bfa6ef1b05ffeb758",
"zh:f342e638d9672d969ed3946b9f0650cf327690b35e0812b2ddae97bd32c2d946",
]
}
provider "registry.terraform.io/hashicorp/helm" {
version = "2.4.1"
constraints = "2.4.1"
hashes = [
"h1:Gqwrr+yKWR79esN39X9eRCddxMNapmaGMynLfjrUJJo=",
"zh:07517b24ea2ce4a1d3be3b88c3efc7fb452cd97aea8fac93ca37a08a8ec06e14",
"zh:11ef6118ed03a1b40ff66adfe21b8707ece0568dae1347ddfbcff8452c0655d5",
"zh:1ae07e9cc6b088a6a68421642c05e2fa7d00ed03e9401e78c258cf22a239f526",
"zh:1c5b4cd44033a0d7bf7546df930c55aa41db27b70b3bca6d145faf9b9a2da772",
"zh:256413132110ddcb0c3ea17c7b01123ad2d5b70565848a77c5ccc22a3f32b0dd",
"zh:4ab46fd9aadddef26604382bc9b49100586647e63ef6384e0c0c3f010ff2f66e",
"zh:5a35d23a9f08c36fceda3cef7ce2c7dc5eca32e5f36494de695e09a5007122f0",
"zh:8e9823a1e5b985b63fe283b755a821e5011a58112447d42fb969c7258ed57ed3",
"zh:8f79722eba9bf77d341edf48a1fd51a52d93ec31d9cac9ba8498a3a061ea4a7f",
"zh:b2ea782848b10a343f586ba8ee0cf4d7ff65aa2d4b144eea5bbd8f9801b54c67",
"zh:e72d1ccf8a75d8e8456c6bb4d843fd4deb0e962ad8f167fa84cf17f12c12304e",
]
}


@ -0,0 +1,43 @@
include "root" {
path = find_in_parent_folders()
}
terraform {
source = "${get_repo_root()}//modules/eks-kube-prometheus-stack"
}
dependency "eks" {
config_path = "../eks"
# Configure mock outputs for the `validate` and `plan` commands that are returned when there are no outputs available
# (e.g the module hasn't been applied yet)
mock_outputs_allowed_terraform_commands = ["validate", "plan"]
mock_outputs = {
cluster_id = "fake-cluster-id"
cluster_endpoint = "https://fake-cluster-endpoint.eks.amazonaws.com"
cluster_certificate_authority_data = "ZmFrZS1jYS1jZXJ0LWRhdGE="
}
}
dependency "private_dns" {
config_path = "../dns-private"
mock_outputs_allowed_terraform_commands = ["validate", "plan"]
mock_outputs = {
dns_zone = {
name = "fake.zone.com"
zone_id = "ZXXXXXXXXXXXXXXXXXXX"
}
}
}
locals {
config_vars = read_terragrunt_config(find_in_parent_folders("config.hcl"))
}
inputs = {
cluster_id = dependency.eks.outputs.cluster_id
cluster_endpoint = dependency.eks.outputs.cluster_endpoint
cluster_certificate_authority_data = dependency.eks.outputs.cluster_certificate_authority_data
domain = dependency.private_dns.outputs.dns_zone.name
}
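Review bot: This terragrunt file has no `generate = local.config_vars.generate` line, unlike the cert-manager, external-secrets and elastic-ips files in this commit, which read the same `config.hcl` and then apply its `generate` block; here `config_vars` is read but never used. If that block is what supplies the shared provider or backend configuration, this module is planned without it. Add `generate = local.config_vars.generate` after the `locals` block, or remove the unused local so the omission is clearly deliberate.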


@ -35,7 +35,7 @@ inputs = {
eks_managed_node_groups = local.config_vars.locals.node_groups
# Extend node-to-node security group rules
node_security_group_additional_rules = local.config_vars.locals.eks_node_security_group_additional_rules
node_security_group_additional_rules = local.config_vars.locals.eks_node_security_group_additional_rules
cluster_security_group_additional_rules = local.config_vars.locals.eks_cluster_security_group_additional_rules
create_cloudwatch_log_group = false

infra/elastic-ips/.terraform.lock.hcl generated Normal file

@ -0,0 +1,21 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/aws" {
version = "4.4.0"
constraints = "~> 4.4.0"
hashes = [
"h1:xUXge6/Bn/CzSjZpmQIr7/FwANKj+3cIEnxYlgS1xFo=",
"zh:087e8e1b9c3d2c9d547181aa88f75fd42d9800eea6d37c0276b1208c427113ff",
"zh:25c3deac14f06a7da5d4d8b56dd5e25a24b5c3bb6bb7a585145d7df1a6e5bc3f",
"zh:5bd23fc03cd51eca3f1e4e4414624dcc4f075eca5cf5aabf06b54b4edded5c50",
"zh:8399507975a422a84b93b24c07db34cc9342f54aa693eace1b451c6b1ab54b87",
"zh:9618bed0832433fee57579d4a001479b08e2092d0c08539edb897f57f6ea0114",
"zh:b0b9060bc367c5fb6175c7ae59382fd6107ab0c0bad6e40cd3205127d8e6717d",
"zh:b160122057659cceb72f78a86483f71d59742502dad23b770dc4248b8e94edd4",
"zh:cb927f4622ef9bf439b867aef760c948839e1cec2ddb8bdba7abfc5183124360",
"zh:e37ce5054a5838eda190f286a62eeb7146087863e38b1a205aa0eb12a5e765b9",
"zh:e38856fd703b2f6e08a35cbe5ddab9a734c9608d2372411bfa6ef1b05ffeb758",
"zh:f342e638d9672d969ed3946b9f0650cf327690b35e0812b2ddae97bd32c2d946",
]
}


@ -0,0 +1,17 @@
include "root" {
path = find_in_parent_folders()
}
terraform {
source = "${get_repo_root()}//modules/eip-set"
}
locals {
config_vars = read_terragrunt_config(find_in_parent_folders("config.hcl"))
}
generate = local.config_vars.generate
inputs = {
eips = local.config_vars.locals.elastic_ips
}


@ -63,6 +63,22 @@ dependency "private_dns" {
}
}
dependency "eips" {
config_path = "../elastic-ips"
mock_outputs_allowed_terraform_commands = ["validate", "plan"]
mock_outputs = {
eip_groups = {
eks_public_nlb = {
eips = [
{ allocation_id = "eipalloc-xxxxxxxxxxxxxxxxx" },
{ allocation_id = "eipalloc-yyyyyyyyyyyyyyyyy" }
]
}
}
}
}
locals {
config_vars = read_terragrunt_config(find_in_parent_folders("config.hcl"))
@ -72,17 +88,17 @@ locals {
lb_config_public = merge(
local.eks_ingress_controller.load_balancer_config.public,
{
type = "external"
proxy-protocol = "*"
nlb-target-type = "instance"
type = "external"
enable-proxy-protocol = true
nlb-target-type = "instance"
}
)
lb_config_internal = merge(
local.eks_ingress_controller.load_balancer_config.internal,
{
type = "external"
proxy-protocol = "*"
nlb-target-type = "instance"
type = "external"
enable-proxy-protocol = true
nlb-target-type = "instance"
}
)
}
@ -105,6 +121,13 @@ inputs = {
load_balancer_config = {
public = local.lb_config_public,
internal = local.lb_config_internal,
public = merge(local.lb_config_public, {
"eip-allocations" = join(", ", dependency.eips.outputs.eip_groups.eks_public_nlb.eips.*.allocation_id),
"name" = "${dependency.eks.outputs.cluster_id}-public"
})
internal = merge(local.lb_config_internal, {
"name" = "${dependency.eks.outputs.cluster_id}-internal"
})
}
enable_internal_lb = local.eks_ingress_controller.enable_internal_lb
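Review bot: `"eip-allocations" = join(", ", …)` emits `eipalloc-a, eipalloc-b` with a space after each comma into the `aws-load-balancer-eip-allocations` annotation, which is documented as a comma-separated list; `join(",", …)` avoids depending on the controller trimming whitespace. The `name` values `"${…cluster_id}-public"` and `"-internal"` feed `aws-load-balancer-name`, and AWS limits load balancer names to 32 characters, so a long cluster id would make the Service fail to provision; a `# NOTE: aws-load-balancer-name is limited to 32 chars; derived from cluster_id` comment or a `substr()` guard would catch that. The mock `eips` list carries two allocation ids while the real count is `length(local.azs)` from `config.hcl`, which is fine for `plan` but should not be read as the expected number. The `locals` and `inputs` blocks both continue outside these hunks.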

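--- /dev/null
+++ b/modules/eip-set/main.tf
@@ -0,0 +1,8 @@
+module "eip" {
+source = "../eip"
+for_each = var.eips
+eip_count = each.value.count
+vpc = each.value.vpc
+tags = each.value.tags
+}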


@ -0,0 +1,3 @@
output "eip_groups" {
value = module.eip
}


@ -0,0 +1,8 @@
variable "eips" {
description = "a map of elastic ip objects"
type = map(object({
vpc = bool
count = number
tags = map(string)
}))
}


@ -0,0 +1,8 @@
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.4.0"
}
}
}

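--- /dev/null
+++ b/modules/eip/main.tf
@@ -0,0 +1,6 @@
+resource "aws_eip" "self" {
+count = var.eip_count
+vpc = var.vpc
+tags = var.tags
+}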

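--- /dev/null
+++ b/modules/eip/outputs.tf
@@ -0,0 +1,3 @@
+output "eips" {
+value = aws_eip.self.*
+}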

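--- /dev/null
+++ b/modules/eip/variables.tf
@@ -0,0 +1,12 @@
+variable "vpc" {
+type = bool
+description = "Boolean if the EIP is in a VPC or not"
+}
+variable "eip_count" {
+type = number
+description = "The number of elastic ip to create"
+}
+variable "tags" {
+type = map(string)
+description = "The tags to set on the eip"
+}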


@ -0,0 +1,3 @@
data "aws_eks_cluster_auth" "self" {
name = var.cluster_id
}


@ -0,0 +1,13 @@
resource "helm_release" "cert_manager" {
name = "cert-manager"
repository = "https://charts.jetstack.io"
chart = "cert-manager"
version = "1.8.0"
namespace = var.namespace
create_namespace = var.create_namespace
set {
name = "installCRDs"
value = true
}
}


@ -0,0 +1,7 @@
provider "helm" {
kubernetes {
host = var.cluster_endpoint
cluster_ca_certificate = base64decode(var.cluster_certificate_authority_data)
token = data.aws_eks_cluster_auth.self.token
}
}
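Review bot: The `token` taken from `data.aws_eks_cluster_auth.self` is a data-source attribute and is therefore recorded in the Terraform state and plan files like any other; it is short-lived, but it makes state-file handling part of credential hygiene for this module. The same pattern is repeated in the external-secrets module (both its `provider "helm"` and `provider "kubernetes"` blocks) and in the kube-prometheus-stack module's provider file in this commit, so any change should be applied to all three. An `exec` block that runs `aws eks get-token` at plan/apply time keeps the token out of state, at the cost of requiring the AWS CLI on the runner, and makes the `aws_eks_cluster_auth` data source unnecessary. Separately, the `experiments { manifest_resource = true }` block in the external-secrets `provider "kubernetes"` looks unnecessary on provider 2.10.0, where `kubernetes_manifest` is no longer experimental as far as I recall; worth verifying and dropping.
```hcl
provider "helm" {
  kubernetes {
    host                   = var.cluster_endpoint
    cluster_ca_certificate = base64decode(var.cluster_certificate_authority_data)
    # Fetch a short-lived token at run time instead of persisting one in state.
    exec {
      api_version = "client.authentication.k8s.io/v1beta1"
      command     = "aws"
      args        = ["eks", "get-token", "--cluster-name", var.cluster_id]
    }
  }
}
```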


@ -0,0 +1,24 @@
variable "cluster_id" {
type = string
description = "The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready"
}
variable "cluster_endpoint" {
type = string
description = "Endpoint for your Kubernetes API server"
}
variable "cluster_certificate_authority_data" {
type = string
description = "Base64 encoded certificate data required to communicate with the cluster"
}
variable "namespace" {
type = string
description = "The namespace where cert-manager is deployed"
}
variable "create_namespace" {
type = bool
description = "Flag allowing to create the namespace if it does not exists"
}


@ -0,0 +1,12 @@
terraform {
required_providers {
helm = {
source = "hashicorp/helm"
version = "2.4.1"
}
aws = {
source = "hashicorp/aws"
version = "~> 4.4.0"
}
}
}


@ -0,0 +1,3 @@
data "aws_eks_cluster_auth" "self" {
name = var.cluster_id
}


@ -0,0 +1,53 @@
resource "helm_release" "external_secrets" {
name = "external-secrets"
repository = "https://charts.external-secrets.io"
chart = "external-secrets"
version = "0.5.2"
namespace = var.namespace
create_namespace = var.create_namespace
set {
name = "installCRDs"
value = true
}
set {
name = "webhook.create"
value = true
}
set {
name = "certController.create"
value = true
}
set {
name = "webhook.serviceMonitor.enabled"
value = var.service_monitor
}
set {
name = "webhook.serviceMonitor.additionalLabels.release"
value = "prometheus-community"
}
set {
name = "serviceMonitor.enabled"
value = var.service_monitor
}
set {
name = "serviceMonitor.additionalLabels.release"
value = "prometheus-community"
}
set {
name = "certController.serviceMonitor.enabled"
value = var.service_monitor
}
set {
name = "certController.serviceMonitor.additionalLabels.release"
value = "prometheus-community"
}
}
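Review bot: The three `additionalLabels.release` values hard-code `"prometheus-community"`, which only works because the kube-prometheus-stack module's `prom_operator_release_name` variable happens to default to the same string; if that release is ever renamed, these ServiceMonitors silently stop being scraped and nothing in this module would flag it. Expose the label as a variable here (say `prometheus_release_name` with default `"prometheus-community"`) and use `value = var.prometheus_release_name` in all three `set` blocks. The `*.serviceMonitor.additionalLabels.release` settings are also emitted when `var.service_monitor` is false; harmless, but a `dynamic "set"` gated on the flag would make the intent explicit.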


@ -0,0 +1,16 @@
provider "helm" {
kubernetes {
host = var.cluster_endpoint
cluster_ca_certificate = base64decode(var.cluster_certificate_authority_data)
token = data.aws_eks_cluster_auth.self.token
}
}
provider "kubernetes" {
host = var.cluster_endpoint
cluster_ca_certificate = base64decode(var.cluster_certificate_authority_data)
token = data.aws_eks_cluster_auth.self.token
experiments {
manifest_resource = true
}
}


@ -0,0 +1,32 @@
variable "cluster_id" {
type = string
description = "The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready"
}
variable "cluster_endpoint" {
type = string
description = "Endpoint for your Kubernetes API server"
}
variable "cluster_certificate_authority_data" {
type = string
description = "Base64 encoded certificate data required to communicate with the cluster"
}
variable "namespace" {
default = "external-secrets"
type = string
description = "The name of the namespace where the operator will be deployed"
}
variable "create_namespace" {
default = true
type = bool
description = "If true, the namespace is create if it does not exists"
}
variable "service_monitor" {
type = bool
default = false
description = "If true, the ServiceMonitor is created for the monitoring based on Prometheus operator"
}


@ -0,0 +1,16 @@
terraform {
required_providers {
helm = {
source = "hashicorp/helm"
version = "2.4.1"
}
aws = {
source = "hashicorp/aws"
version = "~> 4.4.0"
}
kubernetes = {
source = "hashicorp/kubernetes"
version = "2.10.0"
}
}
}


@ -5,6 +5,7 @@ controller:
proxy-real-ip-cidr: ${proxy-real-ip-cidr}
use-forwarded-headers: ${use-forwarded-headers}
compute-full-forwarded-for: ${compute-full-forwarded-for}
service:
annotations:
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ${public.backend-protocol}
@ -12,9 +13,15 @@ controller:
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: '${public.cross-zone-load-balancing-enabled}'
service.beta.kubernetes.io/aws-load-balancer-type: ${public.type}
service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "scheme=internet-facing,${tags}"
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "${public.proxy-protocol}"
%{~ if public.enable-proxy-protocol ~}
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
%{~ endif ~}
service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "${public.nlb-target-type}"
service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
%{~ if public.eip-allocations != "" ~}
service.beta.kubernetes.io/aws-load-balancer-eip-allocations: ${public.eip-allocations}
%{~ endif ~}
service.beta.kubernetes.io/aws-load-balancer-name: "${public.name}"
internal:
annotations:
service.beta.kubernetes.io/aws-load-balancer-internal: "true"
@ -23,17 +30,20 @@ controller:
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: '${internal.cross-zone-load-balancing-enabled}'
service.beta.kubernetes.io/aws-load-balancer-type: ${internal.type}
service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "scheme=internal,${tags}"
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "${internal.proxy-protocol}"
%{~ if internal.enable-proxy-protocol ~}
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
%{~ endif ~}
service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "${public.nlb-target-type}"
service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=false
service.beta.kubernetes.io/aws-load-balancer-name: "${internal.name}"
# metrics:
# enabled: true
# serviceMonitor:
# enabled: true
# additionalLabels:
# release: prometheus-community
# namespaceSelector:
# any: true
metrics:
enabled: true
serviceMonitor:
enabled: true
additionalLabels:
release: prometheus-community
namespaceSelector:
any: true
...
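Review bot: In the internal Service's annotations, `aws-load-balancer-nlb-target-type` is still rendered from `${public.nlb-target-type}` rather than `${internal.nlb-target-type}`; the line is untouched by this commit but sits between the lines it rewrites, and it means the internal NLB silently inherits the public target type. Change it to `service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "${internal.nlb-target-type}"`. The newly enabled `metrics.serviceMonitor` block with `namespaceSelector.any: true` is rendered unconditionally, so a cluster without the Prometheus operator is likely to fail on the missing ServiceMonitor CRD; it is a candidate for the same `%{ if }` guard used for proxy protocol. The `eip-allocations` value is the only annotation rendered unquoted; quoting it like its neighbours, `"${public.eip-allocations}"`, keeps the YAML well-formed whatever the joined list contains.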


@ -5,8 +5,10 @@ variable "load_balancer_config" {
cross-zone-load-balancing-enabled = bool
type = string
dns_record = string
proxy-protocol = string
enable-proxy-protocol = bool
nlb-target-type = string
eip-allocations = string
name = string
}))
description = "The AWS Load Balancer(s) configuration. Map keys shall be 'public' and/or 'internal'"
}
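Review bot: Adding `eip-allocations = string` and `name = string` to the object type makes both attributes mandatory for every map entry, which is why `config.hcl` now carries `eip-allocations = ""` on the internal load balancer even though the template only reads it for the public one; that empty-string sentinel is undocumented. Add a comment above the attribute, `# eip-allocations: comma-separated EIP allocation ids for the public NLB; "" omits the annotation`, or, if the Terraform version in use supports it, declare it `optional(string, "")` so callers can leave it out. `enable-proxy-protocol = bool` replaces the old `"*"`/`""` string convention, and a one-line comment noting that the template emits `"*"` when it is true would save the next reader a trip to the template. The variable block begins before this hunk.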


@ -0,0 +1,3 @@
data "aws_eks_cluster_auth" "self" {
name = var.cluster_id
}


@ -0,0 +1,41 @@
resource "helm_release" "kube_prometheus_stack" {
name = var.prom_operator_release_name
repository = "https://prometheus-community.github.io/helm-charts"
chart = "kube-prometheus-stack"
version = "34.9.0"
namespace = var.namespace
create_namespace = var.create_namespace
set {
name = "prometheus.ingress.enabled"
value = true
}
set {
name = "prometheus.ingress.hosts"
value = "{prometheus-operator.${var.domain}}"
}
set {
name = "alertmanager.enabled"
value = var.enable_alertmanager
}
set {
name = "alertmanager.ingress.enabled"
value = var.enable_alertmanager
}
set {
name = "alertmanager.ingress.hosts"
value = "{alertmanager.${var.domain}}"
}
set {
name = "grafana.enabled"
value = var.enable_grafana
}
set {
name = "grafana.ingress.enabled"
value = var.enable_grafana
}
set {
name = "grafana.ingress.hosts"
value = "{grafana.${var.domain}}"
}
}
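Review bot: The release turns on ingresses for Prometheus, Alertmanager and Grafana under `${var.domain}` but sets nothing for TLS (`*.ingress.tls`) or authentication, and Prometheus and Alertmanager have no built-in authentication of their own, so anyone who can reach the ingress controller's load balancer can read all metrics and silence alerts; that is only acceptable if the domain resolves solely through the private zone and internal NLB, which deserves a comment on `prometheus.ingress.enabled` stating the assumption. Grafana's admin password is left at whatever the chart's default values provide; pass it through a `set_sensitive` block from a sensitive variable, or point `grafana.admin.existingSecret` at a pre-created Secret, so the default never reaches a cluster. `version = "34.9.0"` is pinned, which is good, but this chart's CRDs are not upgraded by Helm, so a `# CRDs must be upgraded manually before bumping this version` comment would save a painful surprise later.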


@ -0,0 +1,7 @@
provider "helm" {
kubernetes {
host = var.cluster_endpoint
cluster_ca_certificate = base64decode(var.cluster_certificate_authority_data)
token = data.aws_eks_cluster_auth.self.token
}
}


@ -0,0 +1,61 @@
variable "cluster_id" {
type = string
description = "The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready"
}
variable "cluster_endpoint" {
type = string
description = "Endpoint for your Kubernetes API server"
}
variable "cluster_certificate_authority_data" {
type = string
description = "Base64 encoded certificate data required to communicate with the cluster"
}
variable "namespace" {
type = string
description = "The namespace where the kube-prometheus-stack is deployed"
default = "monitoring"
}
variable "create_namespace" {
type = bool
description = "Flag allowing to create the namespace if it does not exists"
default = true
}
variable "domain" {
type = string
description = "Domain name used to setup ingress for kube-prometheus-stack"
}
variable "prom_operator_release_name" {
type = string
description = "The name of the Helm release deploying the prometheus stack chart"
default = "prometheus-community"
}
variable "pushgateway_release_name" {
type = string
description = "The name of the Helm release deploying the pushgateway chart"
default = "pushgateway"
}
variable "enable_alertmanager" {
type = bool
default = true
description = "Enable alertmanager in the Prometheus Operator"
}
variable "enable_grafana" {
type = bool
default = true
description = "Enable grafana in the Prometheus Operator"
}
variable "enable_pushgateway" {
type = bool
default = true
description = "Enable pushgateway in the Prometheus Operator"
}
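Review bot: `pushgateway_release_name` and `enable_pushgateway` are declared but no hunk in this commit references them, and the only `helm_release` visible for this module deploys kube-prometheus-stack; either a pushgateway release is missing or these two variables are dead. If they are for a later commit, a `# TODO: consumed by the pushgateway helm_release, not yet added` comment on each would say so; otherwise remove them so reviewers are not misled about what the module deploys. The `enable_*` descriptions say "in the Prometheus Operator", but the values gate chart sub-components; `"Deploy Alertmanager as part of the kube-prometheus-stack release"` describes what the `set` blocks actually do.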


@ -0,0 +1,12 @@
terraform {
required_providers {
helm = {
source = "hashicorp/helm"
version = "2.4.1"
}
aws = {
source = "hashicorp/aws"
version = "~> 4.4.0"
}
}
}