Istio Main Gateway (#220)

terraform-modules/aws/istio-networking/main-gateway/README.md

@@ -0,0 +1,43 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_kubectl"></a> [kubectl](#provider\_kubectl) | n/a |
+| <a name="provider_template"></a> [template](#provider\_template) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [kubectl_manifest.certificate](https://registry.terraform.io/providers/hashicorp/kubectl/latest/docs/resources/manifest) | resource |
+| [kubectl_manifest.gateway](https://registry.terraform.io/providers/hashicorp/kubectl/latest/docs/resources/manifest) | resource |
+| [aws_eks_cluster_auth.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source |
+| [template_file.certificate](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
+| [template_file.gateway](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_cert_common_name"></a> [cert\_common\_name](#input\_cert\_common\_name) | The common name for the certificate | `string` | n/a | yes |
+| <a name="input_cert_dns_name"></a> [cert\_dns\_name](#input\_cert\_dns\_name) | The dns name for the certificate | `string` | n/a | yes |
+| <a name="input_cluster_ca_certificate"></a> [cluster\_ca\_certificate](#input\_cluster\_ca\_certificate) | The eks kubernetes cluster\_ca\_certificate | `string` | n/a | yes |
+| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The name of the EKS cluster | `string` | n/a | yes |
+| <a name="input_issue_ref_group"></a> [issue\_ref\_group](#input\_issue\_ref\_group) | n/a | `string` | `"cert-manager.io"` | no |
+| <a name="input_issue_ref_kind"></a> [issue\_ref\_kind](#input\_issue\_ref\_kind) | n/a | `string` | `"ClusterIssuer"` | no |
+| <a name="input_issue_ref_name"></a> [issue\_ref\_name](#input\_issue\_ref\_name) | n/a | `string` | `"letsencrypt-prod-dns01"` | no |
+| <a name="input_kubernetes_api_host"></a> [kubernetes\_api\_host](#input\_kubernetes\_api\_host) | The eks kubernetes api host endpoint | `string` | n/a | yes |
+| <a name="input_namespace"></a> [namespace](#input\_namespace) | The kubernetes namespace to deploy into | `string` | `"istio-system"` | no |
+
+## Outputs
+
+No outputs.

terraform-modules/aws/istio-networking/main-gateway/certificate.tpl.yaml

@@ -0,0 +1,19 @@
+# This certificate created in this namespace and the nginx-ingress uses it
+# This requires a functioning cert-manager
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: domain-wildcard
+  namespace: ${namespace}
+spec:
+  secretName: domain-wildcard # use this secret name in the nginx-ingress definition
+  commonName: "${cert_common_name}"
+  dnsNames:
+  - "${cert_dns_name}"
+  issuerRef:
+    name: ${issue_ref_name}
+    # We can reference ClusterIssuers by changing the kind here.
+    # The default value is Issuer (i.e. a locally namespaced Issuer)
+    kind: ${issue_ref_kind}
+    group: ${issue_ref_group}

terraform-modules/aws/istio-networking/main-gateway/gateway.tpl.yaml

@@ -0,0 +1,26 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: main-gateway
+  namespace: ${namespace}
+spec:
+  selector:
+    # use Istio default gateway implementation
+    app: istio-ingressgateway
+    istio: ingressgateway
+  servers:
+  - port:
+      number: 80
+      name: http
+      protocol: HTTP
+    hosts:
+    - "*"
+  - port:
+      number: 443
+      name: https
+      protocol: HTTPS
+    tls:
+      mode: SIMPLE
+      credentialName: domain-wildcard # This should match the Certificate secretName
+    hosts:
+    - "*" # This should match a DNS name in the Certificate

terraform-modules/aws/istio-networking/main-gateway/main.tf

@@ -0,0 +1,42 @@
+data "aws_eks_cluster_auth" "main" {
+  name = var.cluster_name
+}
+
+provider "kubectl" {
+  host                   = var.kubernetes_api_host
+  cluster_ca_certificate = base64decode(var.cluster_ca_certificate)
+  token                  = data.aws_eks_cluster_auth.main.token
+  load_config_file       = false
+}
+
+# file templating
+data "template_file" "gateway" {
+  template = file("${path.module}/gateway.tpl.yaml")
+
+  vars = {
+    namespace  = var.namespace
+  }
+}
+
+resource "kubectl_manifest" "gateway" {
+  yaml_body = data.template_file.gateway.rendered
+}
+
+# file templating
+data "template_file" "certificate" {
+  template = file("${path.module}/certificate.tpl.yaml")
+
+  vars = {
+    namespace  = var.namespace
+    cert_common_name = var.cert_common_name
+    cert_dns_name = var.cert_dns_name
+    issue_ref_name = var.issue_ref_name
+    issue_ref_name = var.issue_ref_name
+    issue_ref_kind = var.issue_ref_kind
+    issue_ref_group = var.issue_ref_group
+  }
+}
+
+resource "kubectl_manifest" "certificate" {
+  yaml_body = data.template_file.certificate.rendered
+}

terraform-modules/aws/istio-networking/main-gateway/variables.tf

@@ -0,0 +1,42 @@
+variable "cluster_name" {
+  type = string
+  description = "The name of the EKS cluster"
+}
+
+variable "kubernetes_api_host" {
+  type = string
+  description = "The eks kubernetes api host endpoint"
+}
+
+variable "cluster_ca_certificate" {
+  type = string
+  description = "The eks kubernetes cluster_ca_certificate"
+}
+
+variable "namespace" {
+  type = string
+  description = "The kubernetes namespace to deploy into"
+  default = "istio-system"
+}
+
+variable "cert_common_name" {
+  type = string
+  description = "The common name for the certificate"
+}
+
+variable "cert_dns_name" {
+  type = string
+  description = "The dns name for the certificate"
+}
+
+variable "issue_ref_name" {
+  default = "letsencrypt-prod-dns01"
+}
+
+variable "issue_ref_kind" {
+  default = "ClusterIssuer"
+}
+
+variable "issue_ref_group" {
+  default = "cert-manager.io"
+}