From 361a12385df34460eeaed9a127d89c9299703855 Mon Sep 17 00:00:00 2001 From: Apoorva Kulkarni Date: Fri, 23 Jun 2023 13:30:52 -0700 Subject: [PATCH] feat: Create a new add-on for AWS Gateway API Controller (#192) --- README.md | 39 ++++---- docs/addons/aws-gateway-api-controller.md | 82 ++++++++++++++++ main.tf | 112 ++++++++++++++++++++++ outputs.tf | 5 + tests/complete/main.tf | 11 +++ variables.tf | 52 ++++++---- 6 files changed, 266 insertions(+), 35 deletions(-) create mode 100644 docs/addons/aws-gateway-api-controller.md diff --git a/README.md b/README.md index d921852f..87ffff81 100644 --- a/README.md +++ b/README.md @@ -83,6 +83,7 @@ module "eks_blueprints_addons" { | [aws\_efs\_csi\_driver](#module\_aws\_efs\_csi\_driver) | aws-ia/eks-blueprints-addon/aws | 1.0.0 | | [aws\_for\_fluentbit](#module\_aws\_for\_fluentbit) | aws-ia/eks-blueprints-addon/aws | 1.0.0 | | [aws\_fsx\_csi\_driver](#module\_aws\_fsx\_csi\_driver) | aws-ia/eks-blueprints-addon/aws | 1.0.0 | +| [aws\_gateway\_api\_controller](#module\_aws\_gateway\_api\_controller) | aws-ia/eks-blueprints-addon/aws | 1.0.0 | | [aws\_load\_balancer\_controller](#module\_aws\_load\_balancer\_controller) | aws-ia/eks-blueprints-addon/aws | 1.0.0 | | [aws\_node\_termination\_handler](#module\_aws\_node\_termination\_handler) | aws-ia/eks-blueprints-addon/aws | 1.0.0 | | [aws\_node\_termination\_handler\_sqs](#module\_aws\_node\_termination\_handler\_sqs) | terraform-aws-modules/sqs/aws | 4.0.1 | 
@@ -130,6 +131,7 @@ module "eks_blueprints_addons" { | [aws_iam_policy_document.aws_efs_csi_driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.aws_for_fluentbit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.aws_fsx_csi_driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.aws_gateway_api_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.aws_load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.aws_node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.aws_privateca_issuer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 
@@ -148,30 +150,31 @@ module "eks_blueprints_addons" { | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [argo\_rollouts](#input\_argo\_rollouts) | Argo Rollouts addon configuration values | `any` | `{}` | no | -| [argo\_workflows](#input\_argo\_workflows) | Argo Workflows addon configuration values | `any` | `{}` | no | -| [argocd](#input\_argocd) | ArgoCD addon configuration values | `any` | `{}` | no | -| [aws\_cloudwatch\_metrics](#input\_aws\_cloudwatch\_metrics) | Cloudwatch Metrics addon configuration values | `any` | `{}` | no | -| [aws\_efs\_csi\_driver](#input\_aws\_efs\_csi\_driver) | EFS CSI Driver addon configuration values | `any` | `{}` | no | +| [argo\_rollouts](#input\_argo\_rollouts) | Argo Rollouts add-on configuration values | `any` | `{}` | no | +| [argo\_workflows](#input\_argo\_workflows) | Argo Workflows add-on configuration values | `any` | `{}` | no | +| [argocd](#input\_argocd) | ArgoCD add-on configuration values | `any` | `{}` | no | +| [aws\_cloudwatch\_metrics](#input\_aws\_cloudwatch\_metrics) | Cloudwatch Metrics add-on configuration values | `any` | `{}` | no | +| [aws\_efs\_csi\_driver](#input\_aws\_efs\_csi\_driver) | EFS CSI Driver add-on configuration values | `any` | `{}` | no | | [aws\_for\_fluentbit](#input\_aws\_for\_fluentbit) | AWS Fluentbit add-on configurations | `any` | `{}` | no | | [aws\_for\_fluentbit\_cw\_log\_group](#input\_aws\_for\_fluentbit\_cw\_log\_group) | AWS Fluentbit CloudWatch Log Group configurations | `any` | `{}` | no | -| [aws\_fsx\_csi\_driver](#input\_aws\_fsx\_csi\_driver) | FSX CSI Driver addon configuration values | `any` | `{}` | no | -| [aws\_load\_balancer\_controller](#input\_aws\_load\_balancer\_controller) | AWS Load Balancer Controller addon configuration values | `any` | `{}` | no | -| [aws\_node\_termination\_handler](#input\_aws\_node\_termination\_handler) | AWS Node Termination Handler addon configuration values | `any` | `{}` | 
no | +| [aws\_fsx\_csi\_driver](#input\_aws\_fsx\_csi\_driver) | FSX CSI Driver add-on configuration values | `any` | `{}` | no | +| [aws\_gateway\_api\_controller](#input\_aws\_gateway\_api\_controller) | AWS Gateway API Controller add-on configuration values | `any` | `{}` | no | +| [aws\_load\_balancer\_controller](#input\_aws\_load\_balancer\_controller) | AWS Load Balancer Controller add-on configuration values | `any` | `{}` | no | +| [aws\_node\_termination\_handler](#input\_aws\_node\_termination\_handler) | AWS Node Termination Handler add-on configuration values | `any` | `{}` | no | | [aws\_node\_termination\_handler\_asg\_arns](#input\_aws\_node\_termination\_handler\_asg\_arns) | List of Auto Scaling group ARNs that AWS Node Termination Handler will monitor for EC2 events | `list(string)` | `[]` | no | | [aws\_node\_termination\_handler\_sqs](#input\_aws\_node\_termination\_handler\_sqs) | AWS Node Termination Handler SQS queue configuration values | `any` | `{}` | no | | [aws\_privateca\_issuer](#input\_aws\_privateca\_issuer) | AWS PCA Issuer add-on configurations | `any` | `{}` | no | -| [cert\_manager](#input\_cert\_manager) | cert-manager addon configuration values | `any` | `{}` | no | +| [cert\_manager](#input\_cert\_manager) | cert-manager add-on configuration values | `any` | `{}` | no | | [cert\_manager\_route53\_hosted\_zone\_arns](#input\_cert\_manager\_route53\_hosted\_zone\_arns) | List of Route53 Hosted Zone ARNs that are used by cert-manager to create DNS records | `list(string)` |
[
"arn:aws:route53:::hostedzone/*"
]
| no | -| [cluster\_autoscaler](#input\_cluster\_autoscaler) | Cluster Autoscaler addon configuration values | `any` | `{}` | no | +| [cluster\_autoscaler](#input\_cluster\_autoscaler) | Cluster Autoscaler add-on configuration values | `any` | `{}` | no | | [cluster\_endpoint](#input\_cluster\_endpoint) | Endpoint for your Kubernetes API server | `string` | n/a | yes | | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes | | [cluster\_proportional\_autoscaler](#input\_cluster\_proportional\_autoscaler) | Cluster Proportional Autoscaler add-on configurations | `any` | `{}` | no | | [cluster\_version](#input\_cluster\_version) | Kubernetes `.` version to use for the EKS cluster (i.e.: `1.24`) | `string` | n/a | yes | | [create\_delay\_dependencies](#input\_create\_delay\_dependencies) | Dependency attribute which must be resolved before starting the `create_delay_duration` | `list(string)` | `[]` | no | | [create\_delay\_duration](#input\_create\_delay\_duration) | The duration to wait before creating resources | `string` | `"30s"` | no | -| [eks\_addons](#input\_eks\_addons) | Map of EKS addon configurations to enable for the cluster. Addon name can be the map keys or set with `name` | `any` | `{}` | no | -| [eks\_addons\_timeouts](#input\_eks\_addons\_timeouts) | Create, update, and delete timeout configurations for the EKS addons | `map(string)` | `{}` | no | +| [eks\_addons](#input\_eks\_addons) | Map of EKS add-on configurations to enable for the cluster. 
Add-on name can be the map keys or set with `name` | `any` | `{}` | no | +| [eks\_addons\_timeouts](#input\_eks\_addons\_timeouts) | Create, update, and delete timeout configurations for the EKS add-ons | `map(string)` | `{}` | no | | [enable\_argo\_rollouts](#input\_enable\_argo\_rollouts) | Enable Argo Rollouts add-on | `bool` | `false` | no | | [enable\_argo\_workflows](#input\_enable\_argo\_workflows) | Enable Argo workflows add-on | `bool` | `false` | no | | [enable\_argocd](#input\_enable\_argocd) | Enable Argo CD Kubernetes add-on | `bool` | `false` | no | @@ -179,6 +182,7 @@ module "eks_blueprints_addons" { | [enable\_aws\_efs\_csi\_driver](#input\_enable\_aws\_efs\_csi\_driver) | Enable AWS EFS CSI Driver add-on | `bool` | `false` | no | | [enable\_aws\_for\_fluentbit](#input\_enable\_aws\_for\_fluentbit) | Enable AWS for FluentBit add-on | `bool` | `false` | no | | [enable\_aws\_fsx\_csi\_driver](#input\_enable\_aws\_fsx\_csi\_driver) | Enable AWS FSX CSI Driver add-on | `bool` | `false` | no | +| [enable\_aws\_gateway\_api\_controller](#input\_enable\_aws\_gateway\_api\_controller) | Enable AWS Gateway API Controller add-on | `bool` | `false` | no | | [enable\_aws\_load\_balancer\_controller](#input\_enable\_aws\_load\_balancer\_controller) | Enable AWS Load Balancer Controller add-on | `bool` | `false` | no | | [enable\_aws\_node\_termination\_handler](#input\_enable\_aws\_node\_termination\_handler) | Enable AWS Node Termination Handler add-on | `bool` | `false` | no | | [enable\_aws\_privateca\_issuer](#input\_enable\_aws\_privateca\_issuer) | Enable AWS PCA Issuer | `bool` | `false` | no | 
@@ -197,9 +201,9 @@ module "eks_blueprints_addons" { | [enable\_secrets\_store\_csi\_driver\_provider\_aws](#input\_enable\_secrets\_store\_csi\_driver\_provider\_aws) | Enable AWS CSI Secrets Store Provider | `bool` | `false` | no | | [enable\_velero](#input\_enable\_velero) | Enable Kubernetes Dashboard add-on | `bool` | `false` | no | | [enable\_vpa](#input\_enable\_vpa) | Enable Vertical Pod Autoscaler add-on | `bool` | `false` | no | -| [external\_dns](#input\_external\_dns) | external-dns addon configuration values | `any` | `{}` | no | +| [external\_dns](#input\_external\_dns) | external-dns add-on configuration values | `any` | `{}` | no | | [external\_dns\_route53\_zone\_arns](#input\_external\_dns\_route53\_zone\_arns) | List of Route53 zones ARNs which external-dns will have access to create/manage records (if using Route53) | `list(string)` | `[]` | no | -| [external\_secrets](#input\_external\_secrets) | External Secrets addon configuration values | `any` | `{}` | no | +| [external\_secrets](#input\_external\_secrets) | External Secrets add-on configuration values | `any` | `{}` | no | | [external\_secrets\_kms\_key\_arns](#input\_external\_secrets\_kms\_key\_arns) | List of KMS Key ARNs that are used by Secrets Manager that contain secrets to mount using External Secrets | `list(string)` |
[
"arn:aws:kms:*:*:key/*"
]
| no | | [external\_secrets\_secrets\_manager\_arns](#input\_external\_secrets\_secrets\_manager\_arns) | List of Secrets Manager ARNs that contain secrets to mount using External Secrets | `list(string)` |
[
"arn:aws:secretsmanager:*:*:secret:*"
]
| no | | [external\_secrets\_ssm\_parameter\_arns](#input\_external\_secrets\_ssm\_parameter\_arns) | List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets | `list(string)` |
[
"arn:aws:ssm:*:*:parameter/*"
]
| no | @@ -208,7 +212,7 @@ module "eks_blueprints_addons" { | [gatekeeper](#input\_gatekeeper) | Gatekeeper add-on configuration | `any` | `{}` | no | | [helm\_releases](#input\_helm\_releases) | A map of Helm releases to create. This provides the ability to pass in an arbitrary map of Helm chart definitions to create | `any` | `{}` | no | | [ingress\_nginx](#input\_ingress\_nginx) | Ingress Nginx add-on configurations | `any` | `{}` | no | -| [karpenter](#input\_karpenter) | Karpenter addon configuration values | `any` | `{}` | no | +| [karpenter](#input\_karpenter) | Karpenter add-on configuration values | `any` | `{}` | no | | [karpenter\_enable\_spot\_termination](#input\_karpenter\_enable\_spot\_termination) | Determines whether to enable native node termination handling | `bool` | `true` | no | | [karpenter\_node](#input\_karpenter\_node) | Karpenter IAM role and IAM instance profile configuration values | `any` | `{}` | no | | [karpenter\_sqs](#input\_karpenter\_sqs) | Karpenter SQS queue for native node termination handling configuration values | `any` | `{}` | no | @@ -218,8 +222,8 @@ module "eks_blueprints_addons" { | [secrets\_store\_csi\_driver](#input\_secrets\_store\_csi\_driver) | CSI Secrets Store Provider add-on configurations | `any` | `{}` | no | | [secrets\_store\_csi\_driver\_provider\_aws](#input\_secrets\_store\_csi\_driver\_provider\_aws) | CSI Secrets Store Provider add-on configurations | `any` | `{}` | no | | [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no | -| [velero](#input\_velero) | Velero addon configuration values | `any` | `{}` | no | -| [vpa](#input\_vpa) | Vertical Pod Autoscaler addon configuration values | `any` | `{}` | no | +| [velero](#input\_velero) | Velero add-on configuration values | `any` | `{}` | no | +| [vpa](#input\_vpa) | Vertical Pod Autoscaler add-on configuration values | `any` | `{}` | no | ## Outputs 
@@ -232,6 +236,7 @@ module "eks_blueprints_addons" { | [aws\_efs\_csi\_driver](#output\_aws\_efs\_csi\_driver) | Map of attributes of the Helm release and IRSA created | | [aws\_for\_fluentbit](#output\_aws\_for\_fluentbit) | Map of attributes of the Helm release and IRSA created | | [aws\_fsx\_csi\_driver](#output\_aws\_fsx\_csi\_driver) | Map of attributes of the Helm release and IRSA created | +| [aws\_gateway\_api\_controller](#output\_aws\_gateway\_api\_controller) | Map of attributes of the Helm release and IRSA created | | [aws\_load\_balancer\_controller](#output\_aws\_load\_balancer\_controller) | Map of attributes of the Helm release and IRSA created | | [aws\_node\_termination\_handler](#output\_aws\_node\_termination\_handler) | Map of attributes of the Helm release and IRSA created | | [aws\_privateca\_issuer](#output\_aws\_privateca\_issuer) | Map of attributes of the Helm release and IRSA created | diff --git a/docs/addons/aws-gateway-api-controller.md b/docs/addons/aws-gateway-api-controller.md new file mode 100644 index 00000000..9a631484 --- /dev/null +++ b/docs/addons/aws-gateway-api-controller.md 
@@ -0,0 +1,82 @@ +# AWS Gateway API Controller + +[AWS Gateway API Controller](https://www.gateway-api-controller.eks.aws.dev/) lets you connect services across multiple Kubernetes clusters through the Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) interface. It is also designed to connect services running on EC2 instances, containers, and as serverless functions. It does this by leveraging [Amazon VPC Lattice](https://aws.amazon.com/vpc/lattice/), which works with Kubernetes Gateway API calls to manage Kubernetes objects. + +## Usage + +AWS Gateway API Controller can be deployed by enabling the add-on via the following. + +```hcl + enable_aws_gateway_api_controller = true + aws_gateway_api_controller = { + repository_username = data.aws_ecrpublic_authorization_token.token.user_name + repository_password = data.aws_ecrpublic_authorization_token.token.password + set = [{ + name = "clusterVpcId" + value = "vpc-12345abcd" + }] +} +``` + +You can optionally customize the Helm chart that deploys AWS Gateway API Controller via the following configuration. + +```hcl + enable_aws_gateway_api_controller = true + aws_gateway_api_controller = { + name = "aws-gateway-api-controller" + chart_version = "v0.0.12" + repository = "oci://public.ecr.aws/aws-application-networking-k8s" + repository_username = data.aws_ecrpublic_authorization_token.token.user_name + repository_password = data.aws_ecrpublic_authorization_token.token.password + namespace = "aws-application-networking-system" + values = [templatefile("${path.module}/values.yaml", {})] + set = [{ + name = "clusterVpcId" + value = "vpc-12345abcd" + }] + } +``` + +Verify aws-gateway-api-controller pods are running. 
+ +```sh +$ kubectl get pods -n aws-application-networking-system +NAME READY STATUS RESTARTS AGE +aws-gateway-api-controller-aws-gateway-controller-chart-8f42q426 1/1 Running 0 40s +aws-gateway-api-controller-aws-gateway-controller-chart-8f4tbl9g 1/1 Running 0 71s +``` + +Deploy example GatewayClass + +```sh +$ kubectl apply -f https://raw.githubusercontent.com/aws/aws-application-networking-k8s/main/examples/gatewayclass.yaml +gatewayclass.gateway.networking.k8s.io/amazon-vpc-lattice created +``` + +Describe GatewayClass + +```sh +$ kubectl describe gatewayclass +Name: amazon-vpc-lattice +Namespace: +Labels: +Annotations: +API Version: gateway.networking.k8s.io/v1beta1 +Kind: GatewayClass +Metadata: + Creation Timestamp: 2023-06-22T22:33:32Z + Generation: 1 + Resource Version: 819021 + UID: aac59195-8f37-4c23-a2a5-b0f363deda77 +Spec: + Controller Name: application-networking.k8s.aws/gateway-api-controller +Status: + Conditions: + Last Transition Time: 2023-06-22T22:33:32Z + Message: Accepted + Observed Generation: 1 + Reason: Accepted + Status: True + Type: Accepted +Events: +``` diff --git a/main.tf b/main.tf index 855872c3..40d2f8a3 100644 --- a/main.tf +++ b/main.tf 
@@ -3067,3 +3067,115 @@ module "vpa" {
 tags = var.tags
 }
 
+
+################################################################################
+# AWS Gateway API Controller
+################################################################################
+
+locals {
+ aws_gateway_api_controller_service_account = try(var.aws_gateway_api_controller.service_account_name, "gateway-api-controller")
+}
+
+data "aws_iam_policy_document" "aws_gateway_api_controller" {
+ count = var.enable_aws_gateway_api_controller ? 1 : 0
+
+ statement {
+ actions = [
+ "vpc-lattice:*",
+ "iam:CreateServiceLinkedRole",
+ "ec2:DescribeVpcs",
+ "ec2:DescribeSubnets"
+ ]
+ resources = ["*"]
+ }
+}
+
+module "aws_gateway_api_controller" {
+ source = "aws-ia/eks-blueprints-addon/aws"
+ version = "1.0.0"
+
+ create = var.enable_aws_gateway_api_controller
+
+ # https://github.com/aws/aws-application-networking-k8s/blob/main/helm/Chart.yaml
+ name = try(var.aws_gateway_api_controller.name, "aws-gateway-api-controller")
+ description = try(var.aws_gateway_api_controller.description, "A Helm chart to deploy aws-gateway-api-controller")
+ namespace = try(var.aws_gateway_api_controller.namespace, "aws-application-networking-system")
+ create_namespace = try(var.aws_gateway_api_controller.create_namespace, true)
+ chart = "aws-gateway-controller-chart"
+ chart_version = try(var.aws_gateway_api_controller.chart_version, "v0.0.12")
+ repository = try(var.aws_gateway_api_controller.repository, "oci://public.ecr.aws/aws-application-networking-k8s")
+ values = try(var.aws_gateway_api_controller.values, [])
+
+ timeout = try(var.aws_gateway_api_controller.timeout, null)
+ repository_key_file = try(var.aws_gateway_api_controller.repository_key_file, null)
+ repository_cert_file = try(var.aws_gateway_api_controller.repository_cert_file, null)
+ repository_ca_file = try(var.aws_gateway_api_controller.repository_ca_file, null)
+ repository_username = try(var.aws_gateway_api_controller.repository_username, null)
+ repository_password = try(var.aws_gateway_api_controller.repository_password, null)
+ devel = try(var.aws_gateway_api_controller.devel, null)
+ verify = try(var.aws_gateway_api_controller.verify, null)
+ keyring = try(var.aws_gateway_api_controller.keyring, null)
+ disable_webhooks = try(var.aws_gateway_api_controller.disable_webhooks, null)
+ reuse_values = try(var.aws_gateway_api_controller.reuse_values, null)
+ reset_values = try(var.aws_gateway_api_controller.reset_values, null)
+ force_update = try(var.aws_gateway_api_controller.force_update, null)
+ recreate_pods = try(var.aws_gateway_api_controller.recreate_pods, null)
+ cleanup_on_fail = try(var.aws_gateway_api_controller.cleanup_on_fail, null)
+ max_history = try(var.aws_gateway_api_controller.max_history, null)
+ atomic = try(var.aws_gateway_api_controller.atomic, null)
+ skip_crds = try(var.aws_gateway_api_controller.skip_crds, null)
+ render_subchart_notes = try(var.aws_gateway_api_controller.render_subchart_notes, null)
+ disable_openapi_validation = try(var.aws_gateway_api_controller.disable_openapi_validation, null)
+ wait = try(var.aws_gateway_api_controller.wait, false)
+ wait_for_jobs = try(var.aws_gateway_api_controller.wait_for_jobs, null)
+ dependency_update = try(var.aws_gateway_api_controller.dependency_update, null)
+ replace = try(var.aws_gateway_api_controller.replace, null)
+ lint = try(var.aws_gateway_api_controller.lint, null)
+
+ postrender = try(var.aws_gateway_api_controller.postrender, [])
+ set = concat([
+ {
+ name = "serviceAccount.name"
+ value = local.aws_gateway_api_controller_service_account
+ }, {
+ name = "awsRegion"
+ value = local.region
+ }, {
+ name = "awsAccountId"
+ value = local.account_id
+ }],
+ try(var.aws_gateway_api_controller.set, [])
+ )
+ set_sensitive = try(var.aws_gateway_api_controller.set_sensitive, [])
+
+ # IAM role for service account (IRSA)
+ set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"]
+ create_role = try(var.aws_gateway_api_controller.create_role, true)
+ role_name = try(var.aws_gateway_api_controller.role_name, "aws-gateway-api-controller")
+ role_name_use_prefix = try(var.aws_gateway_api_controller.role_name_use_prefix, true)
+ role_path = try(var.aws_gateway_api_controller.role_path, "/")
+ role_permissions_boundary_arn = lookup(var.aws_gateway_api_controller, "role_permissions_boundary_arn", null)
+ role_description = try(var.aws_gateway_api_controller.role_description, "IRSA for aws-gateway-api-controller")
+ role_policies = lookup(var.aws_gateway_api_controller, "role_policies", {})
+
+ source_policy_documents = compact(concat(
+ data.aws_iam_policy_document.aws_gateway_api_controller[*].json,
+ lookup(var.aws_gateway_api_controller, "source_policy_documents", [])
+ ))
+ override_policy_documents = lookup(var.aws_gateway_api_controller, "override_policy_documents", [])
+ policy_statements = lookup(var.aws_gateway_api_controller, "policy_statements", [])
+ policy_name = try(var.aws_gateway_api_controller.policy_name, null)
+ policy_name_use_prefix = try(var.aws_gateway_api_controller.policy_name_use_prefix, true)
+ policy_path = try(var.aws_gateway_api_controller.policy_path, null)
+ policy_description = try(var.aws_gateway_api_controller.policy_description, "IAM Policy for aws-gateway-api-controller")
+
+ oidc_providers = {
+ this = {
+ provider_arn = local.oidc_provider_arn
+ # namespace is inherited from chart
+ service_account = local.aws_gateway_api_controller_service_account
+ }
+ }
+
+ tags = var.tags
+}
diff --git a/outputs.tf b/outputs.tf
index 4de7a702..8d962228 100644
--- a/outputs.tf
+++ b/outputs.tf
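Review bot: The statement in `data "aws_iam_policy_document" "aws_gateway_api_controller"` has no `sid`, so a consumer cannot narrow it through the `override_policy_documents` input this module wires up (override statements only replace source statements with a matching Sid), and `iam:CreateServiceLinkedRole` on `resources = ["*"]` lets the IRSA role create the service-linked role of any AWS service rather than only VPC Lattice's. The `vpc-lattice:*` wildcard appears to mirror the controller's own recommended policy, so keeping it is defensible, but splitting the service-linked-role grant into its own statement with an `iam:AWSServiceName` condition and giving both statements a Sid makes the policy auditable and overridable without changing what the controller can do. The service principal used below should be confirmed against the VPC Lattice service-linked-role documentation before merging.
```hcl
data "aws_iam_policy_document" "aws_gateway_api_controller" {
  count = var.enable_aws_gateway_api_controller ? 1 : 0

  statement {
    sid = "VpcLattice"
    actions = [
      "vpc-lattice:*",
      "ec2:DescribeVpcs",
      "ec2:DescribeSubnets",
    ]
    resources = ["*"]
  }

  # Restrict SLR creation to the VPC Lattice service principal only
  statement {
    sid       = "VpcLatticeServiceLinkedRole"
    actions   = ["iam:CreateServiceLinkedRole"]
    resources = ["*"]

    condition {
      test     = "StringEquals"
      variable = "iam:AWSServiceName"
      values   = ["vpc-lattice.amazonaws.com"] # confirm against the VPC Lattice SLR docs
    }
  }
}
# … unchanged: module "aws_gateway_api_controller" …
```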
@@ -143,6 +143,11 @@ output "vpa" {
 value = module.vpa
 }
 
+output "aws_gateway_api_controller" {
+ description = "Map of attributes of the Helm release and IRSA created"
+ value = module.aws_gateway_api_controller
+}
+
 ################################################################################
 # (Generic) Helm Release
 ################################################################################
diff --git a/tests/complete/main.tf b/tests/complete/main.tf
index 83f6ddbf..5d180fe4 100644
--- a/tests/complete/main.tf
+++ b/tests/complete/main.tf
@@ -168,6 +168,17 @@ module "eks_blueprints_addons" {
 s3_backup_location = "${module.velero_backup_s3_bucket.s3_bucket_arn}/backups"
 }
 
+ enable_aws_gateway_api_controller = true
+ # ECR login required
+ aws_gateway_api_controller = {
+ repository_username = data.aws_ecrpublic_authorization_token.token.user_name
+ repository_password = data.aws_ecrpublic_authorization_token.token.password
+ set = [{
+ name = "clusterVpcId"
+ value = module.vpc.vpc_id
+ }]
+ }
+
 # Pass in any number of Helm charts to be created for those that are not natively supported
 helm_releases = {
 prometheus-adapter = {
diff --git a/variables.tf b/variables.tf
index 25971e51..44608608 100644
--- a/variables.tf
+++ b/variables.tf
@@ -57,7 +57,7 @@ variable "enable_argo_rollouts" {
 }
 
 variable "argo_rollouts" {
- description = "Argo Rollouts addon configuration values"
+ description = "Argo Rollouts add-on configuration values"
 type = any
 default = {}
 }
@@ -73,7 +73,7 @@ variable "enable_argo_workflows" {
 }
 
 variable "argo_workflows" {
- description = "Argo Workflows addon configuration values"
+ description = "Argo Workflows add-on configuration values"
 type = any
 default = {}
 }
@@ -89,7 +89,7 @@ variable "enable_argocd" {
 }
 
 variable "argocd" {
- description = "ArgoCD addon configuration values"
+ description = "ArgoCD add-on configuration values"
 type = any
 default = {}
 }
@@ -105,7 +105,7 @@ variable "enable_aws_cloudwatch_metrics" {
 }
 
 variable "aws_cloudwatch_metrics" {
- description = "Cloudwatch Metrics addon configuration values"
+ description = "Cloudwatch Metrics add-on configuration values"
 type = any
 default = {}
 }
@@ -121,7 +121,7 @@ variable "enable_aws_efs_csi_driver" {
 }
 
 variable "aws_efs_csi_driver" {
- description = "EFS CSI Driver addon configuration values"
+ description = "EFS CSI Driver add-on configuration values"
 type = any
 default = {}
 }
@@ -159,7 +159,7 @@ variable "enable_aws_fsx_csi_driver" {
 }
 
 variable "aws_fsx_csi_driver" {
- description = "FSX CSI Driver addon configuration values"
+ description = "FSX CSI Driver add-on configuration values"
 type = any
 default = {}
 }
@@ -175,7 +175,7 @@ variable "enable_aws_load_balancer_controller" {
 }
 
 variable "aws_load_balancer_controller" {
- description = "AWS Load Balancer Controller addon configuration values"
+ description = "AWS Load Balancer Controller add-on configuration values"
 type = any
 default = {}
 }
@@ -191,7 +191,7 @@ variable "enable_aws_node_termination_handler" {
 }
 
 variable "aws_node_termination_handler" {
- description = "AWS Node Termination Handler addon configuration values"
+ description = "AWS Node Termination Handler add-on configuration values"
 type = any
 default = {}
 }
@@ -235,7 +235,7 @@ variable "enable_cert_manager" {
 }
 
 variable "cert_manager" {
- description = "cert-manager addon configuration values"
+ description = "cert-manager add-on configuration values"
 type = any
 default = {}
 }
@@ -257,7 +257,7 @@ variable "enable_cluster_autoscaler" {
 }
 
 variable "cluster_autoscaler" {
- description = "Cluster Autoscaler addon configuration values"
+ description = "Cluster Autoscaler add-on configuration values"
 type = any
 default = {}
 }
@@ -279,17 +279,17 @@ variable "cluster_proportional_autoscaler" {
 }
 
 ################################################################################
-# EKS Addons
+# EKS Add-ons
 ################################################################################
 
 variable "eks_addons" {
- description = "Map of EKS addon configurations to enable for the cluster. Addon name can be the map keys or set with `name`"
+ description = "Map of EKS add-on configurations to enable for the cluster. Add-on name can be the map keys or set with `name`"
 type = any
 default = {}
 }
 
 variable "eks_addons_timeouts" {
- description = "Create, update, and delete timeout configurations for the EKS addons"
+ description = "Create, update, and delete timeout configurations for the EKS add-ons"
 type = map(string)
 default = {}
 }
@@ -305,7 +305,7 @@ variable "enable_external_dns" {
 }
 
 variable "external_dns" {
- description = "external-dns addon configuration values"
+ description = "external-dns add-on configuration values"
 type = any
 default = {}
 }
@@ -327,7 +327,7 @@ variable "enable_external_secrets" {
 }
 
 variable "external_secrets" {
- description = "External Secrets addon configuration values"
+ description = "External Secrets add-on configuration values"
 type = any
 default = {}
 }
@@ -415,7 +415,7 @@ variable "enable_karpenter" {
 }
 
 variable "karpenter" {
- description = "Karpenter addon configuration values"
+ description = "Karpenter add-on configuration values"
 type = any
 default = {}
 }
@@ -513,7 +513,7 @@ variable "enable_velero" {
 }
 
 variable "velero" {
- description = "Velero addon configuration values"
+ description = "Velero add-on configuration values"
 type = any
 default = {}
 }
@@ -529,7 +529,23 @@ variable "enable_vpa" {
 }
 
 variable "vpa" {
- description = "Vertical Pod Autoscaler addon configuration values"
+ description = "Vertical Pod Autoscaler add-on configuration values"
+ type = any
+ default = {}
+}
+
+################################################################################
+# AWS Gateway API Controller
+################################################################################
+
+variable "enable_aws_gateway_api_controller" {
+ description = "Enable AWS Gateway API Controller add-on"
+ type = bool
+ default = false
+}
+
+variable "aws_gateway_api_controller" {
+ description = "AWS Gateway API Controller add-on configuration values"
 type = any
 default = {}
 }
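Review bot: The comment `# ECR login required` above the new `aws_gateway_api_controller` block in tests/complete/main.tf says a login is needed but not why, and the hunk does not show where `data.aws_ecrpublic_authorization_token.token` is declared. If that data source is not already declared in this test (it may be, if another add-on here pulls from ECR Public), the plan fails on an unknown reference; either way the comment is more useful as `# Chart is pulled from public.ecr.aws (OCI), so an ECR Public auth token is required; that API is only served from us-east-1, so the token data source needs a us-east-1 provider`. The enclosing `module "eks_blueprints_addons"` block starts and ends outside the hunk.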
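Review bot: The new `enable_aws_gateway_api_controller` and `aws_gateway_api_controller` variables are appended after `vpa` at the end of variables.tf, while the rest of the file runs alphabetically by add-on (the hunks above walk `argo_rollouts` through `vpa` in order) and the README index places the add-on between `aws_fsx_csi_driver` and `aws_load_balancer_controller`. Moving the block to follow the `aws_fsx_csi_driver` variables keeps the file in the order readers and the generated docs table expect; the new `output "aws_gateway_api_controller"` in outputs.tf, also added after `vpa`, likely has the same issue if that file is ordered the same way.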