From 1025090595551f78b8d462a86696c4f36b4649a9 Mon Sep 17 00:00:00 2001 From: riqardos Date: Tue, 28 Nov 2023 11:10:01 +0100 Subject: [PATCH 1/4] rename addon --- README.md | 24 ++++++++++++------------ argo-helm.tf | 2 +- examples/basic/base.tf | 2 +- iam.tf | 4 ++-- outputs.tf | 2 +- variables.tf | 20 ++++++++++---------- 6 files changed, 27 insertions(+), 27 deletions(-) diff --git a/README.md b/README.md index d2529b2..ef24540 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# AWS EKS <$addon-name> Terraform module +# AWS EKS Kube Green Terraform module [](https://lablabs.io/) @@ -6,12 +6,12 @@ We help companies build, run, deploy and scale software and infrastructure by em --- -[![Terraform validate](https://github.com/lablabs/terraform-aws-eks-<$addon-name>/actions/workflows/validate.yaml/badge.svg)](https://github.com/lablabs/terraform-aws-eks-<$addon-name>/actions/workflows/validate.yaml) -[![pre-commit](https://github.com/lablabs/terraform-aws-eks-<$addon-name>/actions/workflows/pre-commit.yml/badge.svg)](https://github.com/lablabs/terraform-aws-eks-<$addon-name>/actions/workflows/pre-commit.yml) +[![Terraform validate](https://github.com/lablabs/terraform-aws-eks-kube-green/actions/workflows/validate.yaml/badge.svg)](https://github.com/lablabs/terraform-aws-eks-kube-green/actions/workflows/validate.yaml) +[![pre-commit](https://github.com/lablabs/terraform-aws-eks-kube-green/actions/workflows/pre-commit.yml/badge.svg)](https://github.com/lablabs/terraform-aws-eks-kube-green/actions/workflows/pre-commit.yml) ## Description -A Terraform module to deploy the <$addon-name> on Amazon EKS cluster. +A Terraform module to deploy the kube-green on Amazon EKS cluster. ## Related Projects 
@@ -111,7 +111,7 @@ No modules. | [aws\_partition](#input\_aws\_partition) | AWS partition in which the resources are located. Available values are `aws`, `aws-cn`, `aws-us-gov` | `string` | `"aws"` | no | | [enabled](#input\_enabled) | Variable indicating whether deployment is enabled | `bool` | `true` | no | | [helm\_atomic](#input\_helm\_atomic) | If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used | `bool` | `false` | no | -| [helm\_chart\_name](#input\_helm\_chart\_name) | Helm chart name to be installed | `string` | `"<$addon-name>"` | no | +| [helm\_chart\_name](#input\_helm\_chart\_name) | Helm chart name to be installed | `string` | `"kube-green"` | no | | [helm\_chart\_version](#input\_helm\_chart\_version) | Version of the Helm chart | `string` | `""` | no | | [helm\_cleanup\_on\_fail](#input\_helm\_cleanup\_on\_fail) | Allow deletion of new resources created in this helm upgrade when upgrade fails | `bool` | `false` | no | | [helm\_create\_namespace](#input\_helm\_create\_namespace) | Create the namespace if it does not yet exist | `bool` | `true` | no | 
@@ -127,7 +127,7 @@ No modules. | [helm\_postrender](#input\_helm\_postrender) | Value block with a path to a binary file to run after helm renders the manifest which can alter the manifest contents | `map(any)` | `{}` | no | | [helm\_recreate\_pods](#input\_helm\_recreate\_pods) | Perform pods restart during helm upgrade/rollback | `bool` | `false` | no | | [helm\_release\_max\_history](#input\_helm\_release\_max\_history) | Maximum number of release versions stored per release | `number` | `0` | no | -| [helm\_release\_name](#input\_helm\_release\_name) | Helm release name | `string` | `"<$addon-name>"` | no | +| [helm\_release\_name](#input\_helm\_release\_name) | Helm release name | `string` | `"kube-green"` | no | | [helm\_render\_subchart\_notes](#input\_helm\_render\_subchart\_notes) | If set, render helm subchart notes along with the parent | `bool` | `true` | no | | [helm\_replace](#input\_helm\_replace) | Re-use the given name of helm release, only if that name is a deleted release which remains in the history. This is unsafe in production | `bool` | `false` | no | | [helm\_repo\_ca\_file](#input\_helm\_repo\_ca\_file) | Helm repositories cert file | `string` | `""` | no | 
@@ -148,14 +148,14 @@ No modules. | [irsa\_assume\_role\_enabled](#input\_irsa\_assume\_role\_enabled) | Whether IRSA is allowed to assume role defined by irsa\_assume\_role\_arn. | `bool` | `false` | no | | [irsa\_policy\_enabled](#input\_irsa\_policy\_enabled) | Whether to create opinionated policy to allow operations on specified zones in `policy_allowed_zone_ids`. | `bool` | `true` | no | | [irsa\_role\_create](#input\_irsa\_role\_create) | Whether to create IRSA role and annotate service account | `bool` | `true` | no | -| [irsa\_role\_name\_prefix](#input\_irsa\_role\_name\_prefix) | The IRSA role name prefix for <$addon-name> | `string` | `"<$addon-name>-irsa"` | no | +| [irsa\_role\_name\_prefix](#input\_irsa\_role\_name\_prefix) | The IRSA role name prefix for kube-green | `string` | `"kube-green-irsa"` | no | | [irsa\_tags](#input\_irsa\_tags) | IRSA resources tags | `map(string)` | `{}` | no | -| [namespace](#input\_namespace) | The K8s namespace in which the <$addon-name> service account has been created | `string` | `"<$addon-name>"` | no | +| [namespace](#input\_namespace) | The K8s namespace in which the kube-green service account has been created | `string` | `"kube-green"` | no | | [rbac\_create](#input\_rbac\_create) | Whether to create and use RBAC resources | `bool` | `true` | no | | [service\_account\_create](#input\_service\_account\_create) | Whether to create Service Account | `bool` | `true` | no | -| [service\_account\_name](#input\_service\_account\_name) | The k8s <$addon-name> service account name | `string` | `"<$addon-name>"` | no | -| [settings](#input\_settings) | Additional helm sets which will be passed to the Helm chart values, see https://hub.helm.sh/charts/stable/<$addon-name> | `map(any)` | `{}` | no | -| [values](#input\_values) | Additional yaml encoded values which will be passed to the Helm chart, see https://hub.helm.sh/charts/stable/<$addon-name> | `string` | `""` | no | +| 
[service\_account\_name](#input\_service\_account\_name) | The k8s kube-green service account name | `string` | `"kube-green"` | no | +| [settings](#input\_settings) | Additional helm sets which will be passed to the Helm chart values, see https://hub.helm.sh/charts/stable/kube-green | `map(any)` | `{}` | no | +| [values](#input\_values) | Additional yaml encoded values which will be passed to the Helm chart, see https://hub.helm.sh/charts/stable/kube-green | `string` | `""` | no | ## Outputs @@ -163,7 +163,7 @@ No modules. |------|-------------| | [helm\_release\_application\_metadata](#output\_helm\_release\_application\_metadata) | Argo application helm release attributes | | [helm\_release\_metadata](#output\_helm\_release\_metadata) | Helm release attributes | -| [iam\_role\_attributes](#output\_iam\_role\_attributes) | <$addon-name> IAM role atributes | +| [iam\_role\_attributes](#output\_iam\_role\_attributes) | Kube green IAM role atributes | | [kubernetes\_application\_attributes](#output\_kubernetes\_application\_attributes) | Argo kubernetes manifest attributes | diff --git a/argo-helm.tf b/argo-helm.tf index b4d0b19..df3e263 100644 --- a/argo-helm.tf +++ b/argo-helm.tf @@ -115,7 +115,7 @@ resource "kubernetes_job" "helm_argo_application_wait" { image = "bitnami/kubectl:latest" command = ["/bin/bash", "-ecx"] # Waits for ArgoCD Application to be "Healthy", see https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#wait - # i.e. kubectl wait --for=jsonpath='{.status.sync.status}'=Healthy application.argoproj.io <$addon-name> + # i.e. kubectl wait --for=jsonpath='{.status.sync.status}'=Healthy application.argoproj.io kube-green args = [ <<-EOT kubectl wait \ diff --git a/examples/basic/base.tf b/examples/basic/base.tf index 25ad652..1469557 100644 --- a/examples/basic/base.tf +++ b/examples/basic/base.tf 
@@ -2,7 +2,7 @@ module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "4.0.0" - name = "<$addon-name>-vpc" + name = "kube-green-vpc" cidr = "10.0.0.0/16" azs = ["eu-central-1a", "eu-central-1b"] public_subnets = ["10.0.101.0/24", "10.0.102.0/24"] diff --git a/iam.tf b/iam.tf index 4e26c64..e864497 100644 --- a/iam.tf +++ b/iam.tf @@ -21,7 +21,7 @@ data "aws_iam_policy_document" "this_assume" { count = local.irsa_role_create && var.irsa_assume_role_enabled ? 1 : 0 statement { - sid = "AllowAssume<$addon-name>Role" + sid = "AllowAssumeKubeGreenRole" effect = "Allow" actions = [ "sts:AssumeRole" @@ -37,7 +37,7 @@ resource "aws_iam_policy" "this" { name = "${var.irsa_role_name_prefix}-${var.helm_chart_name}" # tflint-ignore: aws_iam_policy_invalid_name path = "/" - description = "Policy for <$addon-name> service" + description = "Policy for kube-green service" policy = var.irsa_assume_role_enabled ? data.aws_iam_policy_document.this_assume[0].json : data.aws_iam_policy_document.this[0].json tags = var.irsa_tags diff --git a/outputs.tf b/outputs.tf index 9a231e6..4a71b1c 100644 --- a/outputs.tf +++ b/outputs.tf @@ -14,6 +14,6 @@ output "kubernetes_application_attributes" { } output "iam_role_attributes" { - description = "<$addon-name> IAM role atributes" + description = "Kube green IAM role atributes" value = try(aws_iam_role.this[0], {}) } diff --git a/variables.tf b/variables.tf index 7930a21..2e752b6 100644 --- a/variables.tf +++ b/variables.tf @@ -18,7 +18,7 @@ variable "cluster_identity_oidc_issuer_arn" { variable "helm_chart_name" { type = string - default = "<$addon-name>" + default = "kube-green" description = "Helm chart name to be installed" } @@ -30,7 +30,7 @@ variable "helm_chart_version" { variable "helm_release_name" { type = string - default = "<$addon-name>" + default = "kube-green" description = "Helm release name" } 
@@ -48,20 +48,20 @@ variable "helm_create_namespace" { variable "namespace" { type = string - default = "<$addon-name>" - description = "The K8s namespace in which the <$addon-name> service account has been created" + default = "kube-green" + description = "The K8s namespace in which the kube-green service account has been created" } variable "settings" { type = map(any) default = {} - description = "Additional helm sets which will be passed to the Helm chart values, see https://hub.helm.sh/charts/stable/<$addon-name>" + description = "Additional helm sets which will be passed to the Helm chart values, see https://hub.helm.sh/charts/stable/kube-green" } variable "values" { type = string default = "" - description = "Additional yaml encoded values which will be passed to the Helm chart, see https://hub.helm.sh/charts/stable/<$addon-name>" + description = "Additional yaml encoded values which will be passed to the Helm chart, see https://hub.helm.sh/charts/stable/kube-green" } # ================ IRSA variables (optional) ================ @@ -80,8 +80,8 @@ variable "service_account_create" { variable "service_account_name" { type = string - default = "<$addon-name>" - description = "The k8s <$addon-name> service account name" + default = "kube-green" + description = "The k8s kube-green service account name" } variable "irsa_role_create" { @@ -116,8 +116,8 @@ variable "irsa_additional_policies" { variable "irsa_role_name_prefix" { type = string - default = "<$addon-name>-irsa" - description = "The IRSA role name prefix for <$addon-name>" + default = "kube-green-irsa" + description = "The IRSA role name prefix for kube-green" } variable "irsa_tags" { From d38ac9cf4be7654ece063d88a28c8380f48a7e05 Mon Sep 17 00:00:00 2001 From: riqardos Date: Tue, 28 Nov 2023 11:45:47 +0100 Subject: [PATCH 2/4] set helmchart var --- README.md | 4 ++-- variables.tf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index ef24540..299f671 100644 
--- a/README.md +++ b/README.md @@ -112,7 +112,7 @@ No modules. | [enabled](#input\_enabled) | Variable indicating whether deployment is enabled | `bool` | `true` | no | | [helm\_atomic](#input\_helm\_atomic) | If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used | `bool` | `false` | no | | [helm\_chart\_name](#input\_helm\_chart\_name) | Helm chart name to be installed | `string` | `"kube-green"` | no | -| [helm\_chart\_version](#input\_helm\_chart\_version) | Version of the Helm chart | `string` | `""` | no | +| [helm\_chart\_version](#input\_helm\_chart\_version) | Version of the Helm chart | `string` | `"0.0.11"` | no | | [helm\_cleanup\_on\_fail](#input\_helm\_cleanup\_on\_fail) | Allow deletion of new resources created in this helm upgrade when upgrade fails | `bool` | `false` | no | | [helm\_create\_namespace](#input\_helm\_create\_namespace) | Create the namespace if it does not yet exist | `bool` | `true` | no | | [helm\_dependency\_update](#input\_helm\_dependency\_update) | Runs helm dependency update before installing the chart | `bool` | `false` | no | 
@@ -134,7 +134,7 @@ No modules. | [helm\_repo\_cert\_file](#input\_helm\_repo\_cert\_file) | Helm repositories cert file | `string` | `""` | no | | [helm\_repo\_key\_file](#input\_helm\_repo\_key\_file) | Helm repositories cert key file | `string` | `""` | no | | [helm\_repo\_password](#input\_helm\_repo\_password) | Password for HTTP basic authentication against the helm repository | `string` | `""` | no | -| [helm\_repo\_url](#input\_helm\_repo\_url) | Helm repository | `string` | `""` | no | +| [helm\_repo\_url](#input\_helm\_repo\_url) | Helm repository | `string` | `"https://kube-green.additi.fr/"` | no | | [helm\_repo\_username](#input\_helm\_repo\_username) | Username for HTTP basic authentication against the helm repository | `string` | `""` | no | | [helm\_reset\_values](#input\_helm\_reset\_values) | When upgrading, reset the values to the ones built into the helm chart | `bool` | `false` | no | | [helm\_reuse\_values](#input\_helm\_reuse\_values) | When upgrading, reuse the last helm release's values and merge in any overrides. If 'helm\_reset\_values' is specified, this is ignored | `bool` | `false` | no | diff --git a/variables.tf b/variables.tf index 2e752b6..06f3b31 100644 --- a/variables.tf +++ b/variables.tf @@ -24,7 +24,7 @@ variable "helm_chart_name" { variable "helm_chart_version" { type = string - default = "" + default = "0.0.11" description = "Version of the Helm chart" } @@ -36,7 +36,7 @@ variable "helm_release_name" { variable "helm_repo_url" { type = string - default = "" + default = "https://kube-green.additi.fr/" description = "Helm repository" } From 3405a62bbb86fedf0c31bb09bb7ce059eacf0a5f Mon Sep 17 00:00:00 2001 
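Review bot: The new default for `helm_repo_url` makes every consumer that does not override it fetch the chart from `https://kube-green.additi.fr/`, and nothing in the hunk records whether that host is the kube-green project's own chart repository or a third-party mirror, so the variable description should state the provenance, since the chart source is this module's supply-chain trust anchor. The `0.0.11` pin in the preceding `helm_chart_version` hunk is the right direction, but a chart version in a Helm index is not immutable, so the URL's legitimacy matters more than the pin; I would change the description to something like `description = "Helm repository URL; defaults to the kube-green chart index at kube-green.additi.fr — confirm this is the upstream-maintained repository before relying on the default"`. Separately, the `settings`/`values` descriptions elsewhere in this file still point readers at hub.helm.sh/charts/stable/kube-green, which does not match the repository the module actually installs from; the two should agree.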
From: riqardos Date: Thu, 30 Nov 2023 11:59:38 +0100 Subject: [PATCH 3/4] remove not used variables --- README.md | 21 ---------- examples/basic/main.tf | 11 ------ iam.tf | 88 ------------------------------------------ outputs.tf | 5 --- variables.tf | 78 ------------------------------------- 5 files changed, 203 deletions(-) delete mode 100644 iam.tf diff --git a/README.md b/README.md index 299f671..bea684b 100644 --- a/README.md +++ b/README.md @@ -66,10 +66,6 @@ No modules. | Name | Type | |------|------| -| [aws_iam_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.this_additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [helm_release.argo_application](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | | [helm_release.this](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | | [kubernetes_job.helm_argo_application_wait](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/job) | resource | 
@@ -77,9 +73,6 @@ No modules. | [kubernetes_role.helm_argo_application_wait](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role) | resource | | [kubernetes_role_binding.helm_argo_application_wait](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource | | [kubernetes_service_account.helm_argo_application_wait](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource | -| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.this_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.this_irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [utils_deep_merge_yaml.argo_helm_values](https://registry.terraform.io/providers/cloudposse/utils/latest/docs/data-sources/deep_merge_yaml) | data source | | [utils_deep_merge_yaml.values](https://registry.terraform.io/providers/cloudposse/utils/latest/docs/data-sources/deep_merge_yaml) | data source | 
@@ -87,8 +80,6 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [cluster\_identity\_oidc\_issuer](#input\_cluster\_identity\_oidc\_issuer) | The OIDC Identity issuer for the cluster | `string` | n/a | yes | -| [cluster\_identity\_oidc\_issuer\_arn](#input\_cluster\_identity\_oidc\_issuer\_arn) | The OIDC Identity issuer ARN for the cluster that can be used to associate IAM roles with a service account | `string` | n/a | yes | | [argo\_apiversion](#input\_argo\_apiversion) | ArgoCD Appliction apiVersion | `string` | `"argoproj.io/v1alpha1"` | no | | [argo\_destination\_server](#input\_argo\_destination\_server) | Destination server for ArgoCD Application | `string` | `"https://kubernetes.default.svc"` | no | | [argo\_enabled](#input\_argo\_enabled) | If set to true, the module will be deployed as ArgoCD application, otherwise it will be deployed as a Helm release | `bool` | `false` | no | @@ -108,7 +99,6 @@ No modules. | [argo\_project](#input\_argo\_project) | ArgoCD Application project | `string` | `"default"` | no | | [argo\_spec](#input\_argo\_spec) | ArgoCD Application spec configuration. Override or create additional spec parameters | `any` | `{}` | no | | [argo\_sync\_policy](#input\_argo\_sync\_policy) | ArgoCD syncPolicy manifest parameter | `any` | `{}` | no | -| [aws\_partition](#input\_aws\_partition) | AWS partition in which the resources are located. Available values are `aws`, `aws-cn`, `aws-us-gov` | `string` | `"aws"` | no | | [enabled](#input\_enabled) | Variable indicating whether deployment is enabled | `bool` | `true` | no | | [helm\_atomic](#input\_helm\_atomic) | If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used | `bool` | `false` | no | | [helm\_chart\_name](#input\_helm\_chart\_name) | Helm chart name to be installed | `string` | `"kube-green"` | no | 
@@ -143,17 +133,7 @@ No modules. | [helm\_timeout](#input\_helm\_timeout) | Time in seconds to wait for any individual kubernetes operation (like Jobs for hooks) | `number` | `300` | no | | [helm\_wait](#input\_helm\_wait) | Will wait until all helm release resources are in a ready state before marking the release as successful. It will wait for as long as timeout | `bool` | `false` | no | | [helm\_wait\_for\_jobs](#input\_helm\_wait\_for\_jobs) | If wait is enabled, will wait until all helm Jobs have been completed before marking the release as successful. It will wait for as long as timeout | `bool` | `false` | no | -| [irsa\_additional\_policies](#input\_irsa\_additional\_policies) | Map of the additional policies to be attached to default role. Where key is arbitrary id and value is policy arn. | `map(string)` | `{}` | no | -| [irsa\_assume\_role\_arn](#input\_irsa\_assume\_role\_arn) | Assume role arn. Assume role must be enabled. | `string` | `""` | no | -| [irsa\_assume\_role\_enabled](#input\_irsa\_assume\_role\_enabled) | Whether IRSA is allowed to assume role defined by irsa\_assume\_role\_arn. | `bool` | `false` | no | -| [irsa\_policy\_enabled](#input\_irsa\_policy\_enabled) | Whether to create opinionated policy to allow operations on specified zones in `policy_allowed_zone_ids`. 
| `bool` | `true` | no | -| [irsa\_role\_create](#input\_irsa\_role\_create) | Whether to create IRSA role and annotate service account | `bool` | `true` | no | -| [irsa\_role\_name\_prefix](#input\_irsa\_role\_name\_prefix) | The IRSA role name prefix for kube-green | `string` | `"kube-green-irsa"` | no | -| [irsa\_tags](#input\_irsa\_tags) | IRSA resources tags | `map(string)` | `{}` | no | | [namespace](#input\_namespace) | The K8s namespace in which the kube-green service account has been created | `string` | `"kube-green"` | no | -| [rbac\_create](#input\_rbac\_create) | Whether to create and use RBAC resources | `bool` | `true` | no | -| [service\_account\_create](#input\_service\_account\_create) | Whether to create Service Account | `bool` | `true` | no | -| [service\_account\_name](#input\_service\_account\_name) | The k8s kube-green service account name | `string` | `"kube-green"` | no | | [settings](#input\_settings) | Additional helm sets which will be passed to the Helm chart values, see https://hub.helm.sh/charts/stable/kube-green | `map(any)` | `{}` | no | | [values](#input\_values) | Additional yaml encoded values which will be passed to the Helm chart, see https://hub.helm.sh/charts/stable/kube-green | `string` | `""` | no | @@ -163,7 +143,6 @@ No modules. |------|-------------| | [helm\_release\_application\_metadata](#output\_helm\_release\_application\_metadata) | Argo application helm release attributes | | [helm\_release\_metadata](#output\_helm\_release\_metadata) | Helm release attributes | -| [iam\_role\_attributes](#output\_iam\_role\_attributes) | Kube green IAM role atributes | | [kubernetes\_application\_attributes](#output\_kubernetes\_application\_attributes) | Argo kubernetes manifest attributes | diff --git a/examples/basic/main.tf b/examples/basic/main.tf index 3577d99..08405f0 100644 --- a/examples/basic/main.tf +++ b/examples/basic/main.tf 
@@ -3,8 +3,6 @@ module "addon_installation_disabled" { enabled = false - cluster_identity_oidc_issuer = module.eks_cluster.eks_cluster_identity_oidc_issuer - cluster_identity_oidc_issuer_arn = module.eks_cluster.eks_cluster_identity_oidc_issuer_arn } module "addon_installation_helm" { @@ -14,9 +12,6 @@ module "addon_installation_helm" { argo_enabled = false argo_helm_enabled = false - cluster_identity_oidc_issuer = module.eks_cluster.eks_cluster_identity_oidc_issuer - cluster_identity_oidc_issuer_arn = module.eks_cluster.eks_cluster_identity_oidc_issuer_arn - values = yamlencode({ # insert sample values here }) @@ -30,9 +25,6 @@ module "addon_installation_argo_kubernetes" { argo_enabled = true argo_helm_enabled = false - cluster_identity_oidc_issuer = module.eks_cluster.eks_cluster_identity_oidc_issuer - cluster_identity_oidc_issuer_arn = module.eks_cluster.eks_cluster_identity_oidc_issuer_arn - values = yamlencode({ # insert sample values here }) @@ -51,9 +43,6 @@ module "addon_installation_argo_helm" { argo_enabled = true argo_helm_enabled = true - cluster_identity_oidc_issuer = module.eks_cluster.eks_cluster_identity_oidc_issuer - cluster_identity_oidc_issuer_arn = module.eks_cluster.eks_cluster_identity_oidc_issuer_arn - argo_sync_policy = { "automated" : {} "syncOptions" = ["CreateNamespace=true"] diff --git a/iam.tf b/iam.tf deleted file mode 100644 index e864497..0000000 --- a/iam.tf +++ /dev/null 
@@ -1,88 +0,0 @@ -locals { - irsa_role_create = var.enabled && var.rbac_create && var.service_account_create && var.irsa_role_create -} - -data "aws_iam_policy_document" "this" { - count = local.irsa_role_create && var.irsa_policy_enabled && !var.irsa_assume_role_enabled ? 1 : 0 - - # Example statement (modify it before using this module) - # Use var.aws_partition if ARN is specified in resources section - statement { - effect = "Allow" - actions = [ - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:DeregisterTargets" - ] - resources = ["arn:${var.aws_partition}:elasticloadbalancing:*:*:targetgroup/*/*"] - } -} - -data "aws_iam_policy_document" "this_assume" { - count = local.irsa_role_create && var.irsa_assume_role_enabled ? 1 : 0 - - statement { - sid = "AllowAssumeKubeGreenRole" - effect = "Allow" - actions = [ - "sts:AssumeRole" - ] - resources = [ - var.irsa_assume_role_arn - ] - } -} - -resource "aws_iam_policy" "this" { - count = local.irsa_role_create && (var.irsa_policy_enabled || var.irsa_assume_role_enabled) ? 1 : 0 - - name = "${var.irsa_role_name_prefix}-${var.helm_chart_name}" # tflint-ignore: aws_iam_policy_invalid_name - path = "/" - description = "Policy for kube-green service" - policy = var.irsa_assume_role_enabled ? data.aws_iam_policy_document.this_assume[0].json : data.aws_iam_policy_document.this[0].json - - tags = var.irsa_tags -} - -data "aws_iam_policy_document" "this_irsa" { - count = local.irsa_role_create ? 1 : 0 - - statement { - actions = ["sts:AssumeRoleWithWebIdentity"] - - principals { - type = "Federated" - identifiers = [var.cluster_identity_oidc_issuer_arn] - } - - condition { - test = "StringEquals" - variable = "${replace(var.cluster_identity_oidc_issuer, "https://", "")}:sub" - - values = [ - "system:serviceaccount:${var.namespace}:${var.service_account_name}", - ] - } - - effect = "Allow" - } -} - -resource "aws_iam_role" "this" { - count = local.irsa_role_create ? 
1 : 0 - name = "${var.irsa_role_name_prefix}-${var.helm_chart_name}" # tflint-ignore: aws_iam_role_invalid_name - assume_role_policy = data.aws_iam_policy_document.this_irsa[0].json - tags = var.irsa_tags -} - -resource "aws_iam_role_policy_attachment" "this" { - count = local.irsa_role_create && var.irsa_policy_enabled ? 1 : 0 - role = aws_iam_role.this[0].name - policy_arn = aws_iam_policy.this[0].arn -} - -resource "aws_iam_role_policy_attachment" "this_additional" { - for_each = local.irsa_role_create ? var.irsa_additional_policies : {} - - role = aws_iam_role.this[0].name - policy_arn = each.value -} diff --git a/outputs.tf b/outputs.tf index 4a71b1c..17d94f0 100644 --- a/outputs.tf +++ b/outputs.tf @@ -12,8 +12,3 @@ output "kubernetes_application_attributes" { description = "Argo kubernetes manifest attributes" value = try(kubernetes_manifest.this[0], {}) } - -output "iam_role_attributes" { - description = "Kube green IAM role atributes" - value = try(aws_iam_role.this[0], {}) -} diff --git a/variables.tf b/variables.tf index 06f3b31..eaee5aa 100644 --- a/variables.tf +++ b/variables.tf @@ -4,16 +4,6 @@ variable "enabled" { description = "Variable indicating whether deployment is enabled" } -variable "cluster_identity_oidc_issuer" { - type = string - description = "The OIDC Identity issuer for the cluster" -} - -variable "cluster_identity_oidc_issuer_arn" { - type = string - description = "The OIDC Identity issuer ARN for the cluster that can be used to associate IAM roles with a service account" -} - # ================ common variables (required) ================ variable "helm_chart_name" { 
@@ -64,74 +54,6 @@ variable "values" { description = "Additional yaml encoded values which will be passed to the Helm chart, see https://hub.helm.sh/charts/stable/kube-green" } -# ================ IRSA variables (optional) ================ - -variable "rbac_create" { - type = bool - default = true - description = "Whether to create and use RBAC resources" -} - -variable "service_account_create" { - type = bool - default = true - description = "Whether to create Service Account" -} - -variable "service_account_name" { - type = string - default = "kube-green" - description = "The k8s kube-green service account name" -} - -variable "irsa_role_create" { - type = bool - default = true - description = "Whether to create IRSA role and annotate service account" -} - -variable "irsa_policy_enabled" { - type = bool - default = true - description = "Whether to create opinionated policy to allow operations on specified zones in `policy_allowed_zone_ids`." -} - -variable "irsa_assume_role_enabled" { - type = bool - default = false - description = "Whether IRSA is allowed to assume role defined by irsa_assume_role_arn." -} - -variable "irsa_assume_role_arn" { - type = string - default = "" - description = "Assume role arn. Assume role must be enabled." -} - -variable "irsa_additional_policies" { - type = map(string) - default = {} - description = "Map of the additional policies to be attached to default role. Where key is arbitrary id and value is policy arn." -} - -variable "irsa_role_name_prefix" { - type = string - default = "kube-green-irsa" - description = "The IRSA role name prefix for kube-green" -} - -variable "irsa_tags" { - type = map(string) - default = {} - description = "IRSA resources tags" -} - -variable "aws_partition" { - type = string - default = "aws" - description = "AWS partition in which the resources are located. 
Available values are `aws`, `aws-cn`, `aws-us-gov`" -} - # ================ argo variables (required) ================ variable "argo_namespace" { From 304e5637c4d8fefb0dd03e9bfd9c66101869b4f3 Mon Sep 17 00:00:00 2001 From: Martin Dojcak Date: Mon, 26 Feb 2024 21:09:50 +0100 Subject: [PATCH 4/4] fix: include helm parameters when not empty --- argo.tf | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/argo.tf b/argo.tf index 0ce0334..5b597c5 100644 --- a/argo.tf +++ b/argo.tf @@ -10,11 +10,15 @@ locals { "repoURL" : var.helm_repo_url "chart" : var.helm_chart_name "targetRevision" : var.helm_chart_version - "helm" : { - "releaseName" : var.helm_release_name - "parameters" : [for k, v in var.settings : tomap({ "forceString" : true, "name" : k, "value" : v })] - "values" : var.enabled ? data.utils_deep_merge_yaml.values[0].output : "" - } + "helm" : merge( + { + "releaseName" : var.helm_release_name + "values" : var.enabled ? data.utils_deep_merge_yaml.values[0].output : "" + }, + length(var.settings) > 0 ? { + "parameters" : [for k, v in var.settings : tomap({ "forceString" : true, "name" : k, "value" : v })] + } : {} + ) } "destination" : { "server" : var.argo_destination_server