From 03c35152eae2e85c2fab14ca53fadbe7ebb32bea Mon Sep 17 00:00:00 2001
From: Garland Kan
Date: Thu, 7 Oct 2021 13:07:10 -0700
Subject: [PATCH] External-dns helm module (#198)
---
 .../helm/external-dns/helm_values.tpl.yaml | 11 +++
 .../aws/helm/external-dns/main.tf | 76 +++++++++++++++++++
 .../aws/helm/external-dns/variables.tf | 49 ++++++++++++
 3 files changed, 136 insertions(+)
 create mode 100644 terraform-modules/aws/helm/external-dns/helm_values.tpl.yaml
 create mode 100644 terraform-modules/aws/helm/external-dns/main.tf
 create mode 100644 terraform-modules/aws/helm/external-dns/variables.tf
diff --git a/terraform-modules/aws/helm/external-dns/helm_values.tpl.yaml b/terraform-modules/aws/helm/external-dns/helm_values.tpl.yaml
new file mode 100644
index 000000000..5d26a7802
--- /dev/null
+++ b/terraform-modules/aws/helm/external-dns/helm_values.tpl.yaml
@@ -0,0 +1,11 @@
+---
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations:
+ # This value should match the ARN of the role created by module.iam_assumable_role_admin in irsa.tf
+ eks.amazonaws.com/role-arn: "arn:aws:iam::${awsAccountID}:role/${chartName}-${clusterName}"
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ${serviceAccountName}
diff --git a/terraform-modules/aws/helm/external-dns/main.tf b/terraform-modules/aws/helm/external-dns/main.tf
new file mode 100644
index 000000000..cb59f408d
--- /dev/null
+++ b/terraform-modules/aws/helm/external-dns/main.tf
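Review bot: The comment above `eks.amazonaws.com/role-arn` points to `irsa.tf`, but the role is created by `module "iam_assumable_role_admin"` in this module's main.tf, and the ARN is re-derived by hand from `awsAccountID`, `chartName` and `clusterName` (with the `aws` partition hard-coded) rather than taken from that module's role ARN output, so any drift between the two — a changed `role_name`, a GovCloud or China partition — would presumably break the IRSA trust without any plan-time error. Passing the module's role ARN into the template as a single var and writing `eks.amazonaws.com/role-arn: "${roleArn}"` removes the duplication, and the comment should then read `# ARN of the IRSA role created by module.iam_assumable_role_admin in main.tf`. The template also sets no `domainFilters` or `policy` values, so which zones the controller may modify is decided only by the IAM policy in main.tf, whose `route53_hosted_zones` input defaults to `*`; that is worth stating here, since the chart's defaults for those keys are not visible in this patch.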
@@ -0,0 +1,76 @@
+locals {
+ helm_repository = "https://kubernetes-sigs.github.io/external-dns/"
+ official_chart_name = "external-dns"
+}
+module "iam_assumable_role_admin" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+ version = "3.6.0"
+ create_role = true
+ role_name = "${local.official_chart_name}-${var.cluster_name}"
+ provider_url = replace(var.eks_cluster_oidc_issuer_url, "https://", "")
+ role_policy_arns = [aws_iam_policy.iam_policy.arn]
+ oidc_fully_qualified_subjects = ["system:serviceaccount:${var.k8s_namespace}:${local.official_chart_name}"]
+}
+
+resource "aws_iam_policy" "iam_policy" {
+ name_prefix = "${local.official_chart_name}-${var.cluster_name}"
+ description = "EKS ${local.official_chart_name} policy for cluster ${var.eks_cluster_id}"
+ policy = data.aws_iam_policy_document.iam_policy_document.json
+}
+
+# IAM Role policy doc: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md
+data "aws_iam_policy_document" "iam_policy_document" {
+ statement {
+ sid = "k8sExternalDNS"
+ effect = "Allow"
+
+ actions = [
+ "route53:ChangeResourceRecordSets",
+ ]
+
+ resources = ["arn:aws:route53:::hostedzone/${var.route53_hosted_zones}"]
+ }
+
+ statement {
+ sid = "k8sExternalDNS2"
+ effect = "Allow"
+
+ actions = [
+ "route53:ListHostedZones",
+ "route53:ListResourceRecordSets",
+ ]
+
+ resources = ["*"]
+ }
+}
+
+data "aws_caller_identity" "current" {}
+
+#
+# Helm values
+#
+data "template_file" "helm_values" {
+ template = file("${path.module}/helm_values.tpl.yaml")
+ vars = {
+ awsAccountID = data.aws_caller_identity.current.account_id
+ clusterName = var.cluster_name
+ serviceAccountName = local.official_chart_name
+ chartName = local.official_chart_name
+ }
+}
+
+module "external-dns" {
+ source = "github.com/ManagedKube/kubernetes-ops//terraform-modules/aws/helm/helm_generic?ref=v1.0.27"
+
+ repository = local.helm_repository
+ official_chart_name = local.official_chart_name
+ user_chart_name = var.user_chart_name
+ helm_version = var.helm_chart_version
+ namespace = var.k8s_namespace
+ helm_values = data.template_file.helm_values.rendered
+ helm_values_2 = var.helm_values_2
+
+ depends_on = [
+ module.iam_assumable_role_admin
+ ]
+}
diff --git a/terraform-modules/aws/helm/external-dns/variables.tf b/terraform-modules/aws/helm/external-dns/variables.tf
new file mode 100644
index 000000000..22c1558b2
--- /dev/null
+++ b/terraform-modules/aws/helm/external-dns/variables.tf
@@ -0,0 +1,49 @@
+variable "aws_region" {
+ type = string
+ default = "us-east-1"
+ description = "AWS region"
+}
+
+variable "cluster_name" {
+ type = string
+ default = "cluster"
+ description = "EKS cluster name"
+}
+
+variable "eks_cluster_id" {
+ type = string
+ default = ""
+ description = "EKS cluster ID"
+}
+
+variable "eks_cluster_oidc_issuer_url" {
+ type = string
+ default = ""
+ description = "EKS cluster oidc issuer url"
+}
+
+variable "user_chart_name" {
+ default = "external-dns"
+ description = "The Helm name to install this chart under"
+}
+
+variable "helm_chart_version" {
+ default = "1.2.0"
+ description = "The version of this helm chart to use"
+}
+
+variable "k8s_namespace" {
+ default = "external-dns"
+}
+
+variable "helm_values_2" {
+ type = string
+ default = ""
+ description = "Helm values that will overwrite the helm chart defaults and this modules default for further user customization"
+}
+
+variable "route53_hosted_zones" {
+ type = string
+ default = "*"
+ description = "The hosted zone permissions granted to: arn:aws:route53:::hostedzone/
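Review bot: The `route53:ChangeResourceRecordSets` statement in `data "aws_iam_policy_document" "iam_policy_document"` is scoped by a single string, `var.route53_hosted_zones`, whose default in variables.tf is `*`, so a caller who does not override it hands the controller write access to every hosted zone in the account, while a caller who needs two specific zones cannot express that at all because the value is interpolated into one ARN. Declaring the variable as `type = list(string)` (keeping `["*"]` as the default only if backward compatibility matters more than least privilege) and building the statement with `resources = [for zone in var.route53_hosted_zones : "arn:${data.aws_partition.current.partition}:route53:::hostedzone/${zone}"]` next to a `data "aws_partition" "current" {}` alongside the existing `aws_caller_identity` lookup keeps the role narrowly scoped and stops hard-coding the `aws` partition. Separately, `module "external-dns"` fetches `helm_generic` from GitHub by the mutable tag `ref=v1.0.27`; pinning to the commit SHA would make that source immutable. `data "template_file"` depends on the archived hashicorp/template provider and can be replaced by the built-in `templatefile("${path.module}/helm_values.tpl.yaml", { ... })` with the same vars map, dropping the provider dependency.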