diff --git a/.github/labeler.yaml b/.github/labeler.yaml index 461215c..42595bb 100644 --- a/.github/labeler.yaml +++ b/.github/labeler.yaml @@ -5,6 +5,9 @@ ":floppy_disk: ecr-repository": - modules/ecr-repository/**/* +":floppy_disk: eks-addon": +- modules/eks-addon/**/* + ":floppy_disk: eks-aws-auth": - modules/eks-aws-auth/**/* diff --git a/.github/labels.yaml b/.github/labels.yaml index 1ae4964..e57b8ea 100644 --- a/.github/labels.yaml +++ b/.github/labels.yaml @@ -46,6 +46,9 @@ - color: "fbca04" description: "This issue or pull request is related to ecr-repository module." name: ":floppy_disk: ecr-repository" +- color: "fbca04" + description: "This issue or pull request is related to eks-addon module." + name: ":floppy_disk: eks-addon" - color: "fbca04" description: "This issue or pull request is related to eks-aws-auth module." name: ":floppy_disk: eks-aws-auth" diff --git a/README.md b/README.md index 26f9c0a..1caf574 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,7 @@ Terraform module which creates resources for container services on AWS. - [ecr-registry](./modules/ecr-registry) - [ecr-repository](./modules/ecr-repository) +- [eks-addon](./modules/eks-addon) - [eks-aws-auth](./modules/eks-aws-auth) - [eks-cluster](./modules/eks-cluster) - [eks-fargate-profile](./modules/eks-fargate-profile) @@ -27,7 +28,8 @@ Terraform Modules from [this package](https://github.com/tedilabs/terraform-aws- - Scanning - **AWS EKS (Elastic Kubernetes Service)** - Control Plane - - Node Group with ASG + - Add-on + - Self-Managed Node Group (with ASG) - Fargate Profile - IRSA (IAM Role for ServiceAccount) diff --git a/modules/eks-addon/README.md b/modules/eks-addon/README.md new file mode 100644 index 0000000..7129625 --- /dev/null +++ b/modules/eks-addon/README.md 
@@ -0,0 +1,66 @@ +# eks-addon + +This module creates following resources. + +- `aws_eks_addon` + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.6 | +| [aws](#requirement\_aws) | >= 4.47 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 5.24.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_eks_addon.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [cluster\_name](#input\_cluster\_name) | (Required) The name of the Amazon EKS cluster to add the EKS add-on to. | `string` | n/a | yes | +| [name](#input\_name) | (Required) The name of the EKS add-on. | `string` | n/a | yes | +| [addon\_version](#input\_addon\_version) | (Optional) The version of the add-on. | `string` | `null` | no | +| [configuration](#input\_configuration) | (Optional) The set of configuration values for the add-on. This JSON string value must match the JSON schema derived from `describe-addon-configuration`. | `string` | `null` | no | +| [conflict\_resolution\_strategy\_on\_create](#input\_conflict\_resolution\_strategy\_on\_create) | (Optional) How to resolve field value conflicts when migrating a self-managed add-on to an EKS add-on. Valid values are `NONE` and `OVERWRITE`. Defaults to `OVERWRITE`.
`NONE` - If the self-managed version of the add-on is installed on the cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail.
`OVERWRITE` - If the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value. | `string` | `"OVERWRITE"` | no | +| [conflict\_resolution\_strategy\_on\_update](#input\_conflict\_resolution\_strategy\_on\_update) | (Optional) How to resolve field value conflicts for an EKS add-on if you've changed a value from the EKS default value. Valid values are `NONE`, `OVERWRITE` and `PRESERVE`. Defaults to `OVERWRITE`.
`NONE` - Amazon EKS doesn't change the value. The update might fail.
`OVERWRITE` - Amazon EKS overwrites the changed value back to the Amazon EKS default value.
`PRESERVE` - Amazon EKS preserves the value. If you choose this option, we recommend that you test any field and value changes on a non-production cluster before updating the add-on on the production cluster. | `string` | `"OVERWRITE"` | no | +| [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | +| [preserve\_on\_delete](#input\_preserve\_on\_delete) | (Optional) Whether to preserve the created Kubernetes resources on the cluster when deleting the EKS add-on. Defaults to `false`. | `bool` | `false` | no | +| [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | +| [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | +| [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | +| [service\_account\_role](#input\_service\_account\_role) | (Optional) The ARN (Amazon Resource Name) of the IAM Role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role. | `string` | `null` | no | +| [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | +| [timeouts](#input\_timeouts) | (Optional) How long to wait for the EKS Fargate Profile to be created/updated/deleted. |
object({
create = optional(string, "20m")
update = optional(string, "20m")
delete = optional(string, "40m")
})
| `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [addon\_version](#output\_addon\_version) | The version of the EKS add-on. | +| [arn](#output\_arn) | The ARN of the EKS add-on. | +| [cluster\_name](#output\_cluster\_name) | The name of the EKS cluster. | +| [conflict\_resolution\_strategy\_on\_create](#output\_conflict\_resolution\_strategy\_on\_create) | How to resolve field value conflicts when migrating a self-managed add-on to an EKS add-on. | +| [conflict\_resolution\_strategy\_on\_update](#output\_conflict\_resolution\_strategy\_on\_update) | How to resolve field value conflicts for an EKS add-on if you've changed a value from the EKS default value. | +| [created\_at](#output\_created\_at) | Date and time in RFC3339 format that the EKS add-on was created. | +| [id](#output\_id) | The ID of the EKS add-on. | +| [name](#output\_name) | The name of the EKS add-on. | +| [service\_account\_role](#output\_service\_account\_role) | The ARN (Amazon Resource Name) of the IAM Role to bind to the add-on's service account | +| [updated\_at](#output\_updated\_at) | Date and time in RFC3339 format that the EKS add-on was updated. | + diff --git a/modules/eks-addon/main.tf b/modules/eks-addon/main.tf new file mode 100644 index 0000000..7c9ea31 --- /dev/null +++ b/modules/eks-addon/main.tf 
@@ -0,0 +1,49 @@
+locals {
+ metadata = {
+ package = "terraform-aws-container"
+ version = trimspace(file("${path.module}/../../VERSION"))
+ module = basename(path.module)
+ name = var.name
+ }
+ module_tags = var.module_tags_enabled ? {
+ "module.terraform.io/package" = local.metadata.package
+ "module.terraform.io/version" = local.metadata.version
+ "module.terraform.io/name" = local.metadata.module
+ "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}"
+ "module.terraform.io/instance" = local.metadata.name
+ } : {}
+}
+
+
+###################################################
+# EKS Addon
+###################################################
+
+resource "aws_eks_addon" "this" {
+ cluster_name = var.cluster_name
+
+ addon_name = var.name
+ addon_version = var.addon_version
+
+ configuration_values = var.configuration
+
+ service_account_role_arn = var.service_account_role
+
+ resolve_conflicts_on_create = var.conflict_resolution_strategy_on_create
+ resolve_conflicts_on_update = var.conflict_resolution_strategy_on_update
+ preserve = var.preserve_on_delete
+
+ timeouts {
+ create = var.timeouts.create
+ update = var.timeouts.update
+ delete = var.timeouts.delete
+ }
+
+ tags = merge(
+ {
+ "Name" = var.name
+ },
+ local.module_tags,
+ var.tags,
+ )
+}
diff --git a/modules/eks-addon/outputs.tf b/modules/eks-addon/outputs.tf
new file mode 100644
index 0000000..e58263c
--- /dev/null
+++ b/modules/eks-addon/outputs.tf
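Review bot: `configuration_values = var.configuration` passes the raw string straight to the EKS API, so a malformed JSON document is only rejected at apply time, after the rest of the plan has already been accepted. A `validation` block on the `configuration` variable in variables.tf (its hunk is only partly visible in this diff) would fail at plan time instead: `condition = var.configuration == null || can(jsondecode(var.configuration))`, with an error message pointing at the `describe-addon-configuration` schema requirement the README already mentions. The `file("${path.module}/../../VERSION")` read in `locals` is the only cross-module path in this file and deserves a one-line comment, e.g. `# Module version is tracked in the repository-level VERSION file.`.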
@@ -0,0 +1,49 @@
+output "cluster_name" {
+ description = "The name of the EKS cluster."
+ value = aws_eks_addon.this.cluster_name
+}
+
+output "name" {
+ description = "The name of the EKS add-on."
+ value = aws_eks_addon.this.addon_name
+}
+
+output "addon_version" {
+ description = "The version of the EKS add-on."
+ value = aws_eks_addon.this.addon_version
+}
+
+output "id" {
+ description = "The ID of the EKS add-on."
+ value = aws_eks_addon.this.id
+}
+
+output "arn" {
+ description = "The ARN of the EKS add-on."
+ value = aws_eks_addon.this.arn
+}
+
+output "created_at" {
+ description = "Date and time in RFC3339 format that the EKS add-on was created."
+ value = aws_eks_addon.this.created_at
+}
+
+output "updated_at" {
+ description = "Date and time in RFC3339 format that the EKS add-on was updated."
+ value = aws_eks_addon.this.modified_at
+}
+
+output "service_account_role" {
+ description = "The ARN (Amazon Resource Name) of the IAM Role to bind to the add-on's service account"
+ value = aws_eks_addon.this.service_account_role_arn
+}
+
+output "conflict_resolution_strategy_on_create" {
+ description = "How to resolve field value conflicts when migrating a self-managed add-on to an EKS add-on."
+ value = aws_eks_addon.this.resolve_conflicts_on_create
+}
+
+output "conflict_resolution_strategy_on_update" {
+ description = "How to resolve field value conflicts for an EKS add-on if you've changed a value from the EKS default value."
+ value = aws_eks_addon.this.resolve_conflicts_on_update
+}
diff --git a/modules/eks-addon/resource-group.tf b/modules/eks-addon/resource-group.tf
new file mode 100644
index 0000000..7487ba0
--- /dev/null
+++ b/modules/eks-addon/resource-group.tf
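Review bot: The `service_account_role` output is the only one of the ten whose description lacks a trailing period, `description = "The ARN (Amazon Resource Name) of the IAM Role to bind to the add-on's service account"`, and the generated README table in this same commit reproduces the inconsistency. Ending it with a period keeps it in line with the sibling outputs and with the matching variable description. The `updated_at` output reads the resource's `modified_at` attribute; that is fine, but a short comment such as `# Exposed as updated_at to match the naming of the other outputs.` would save a reader the double take over the differing names.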
@@ -0,0 +1,31 @@
+locals {
+ resource_group_name = (var.resource_group_name != ""
+ ? var.resource_group_name
+ : join(".", [
+ local.metadata.package,
+ local.metadata.module,
+ replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"),
+ ])
+ )
+}
+
+
+module "resource_group" {
+ source = "tedilabs/misc/aws//modules/resource-group"
+ version = "~> 0.10.0"
+
+ count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0
+
+ name = local.resource_group_name
+ description = var.resource_group_description
+
+ query = {
+ resource_tags = local.module_tags
+ }
+
+ module_tags_enabled = false
+ tags = merge(
+ local.module_tags,
+ var.tags,
+ )
+}
diff --git a/modules/eks-addon/variables.tf b/modules/eks-addon/variables.tf
new file mode 100644
index 0000000..f3fabec
--- /dev/null
+++ b/modules/eks-addon/variables.tf
@@ -0,0 +1,128 @@
+variable "cluster_name" {
+ description = "(Required) The name of the Amazon EKS cluster to add the EKS add-on to."
+ type = string
+ nullable = false
+}
+
+variable "name" {
+ description = "(Required) The name of the EKS add-on."
+ type = string
+ nullable = false
+}
+
+variable "addon_version" {
+ description = "(Optional) The version of the add-on."
+ type = string
+ default = null
+ nullable = true
+}
+
+variable "configuration" {
+ description = "(Optional) The set of configuration values for the add-on. This JSON string value must match the JSON schema derived from `describe-addon-configuration`."
+ type = string
+ default = null
+ nullable = true
+}
+
+variable "service_account_role" {
+ description = <
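Review bot: The `replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-")` call in the `locals` block of resource-group.tf has no comment saying why the add-on name is rewritten, so a reader has to cross-reference the Resource Group naming rules given in the README. I would add `# Resource Group names only allow letters, digits, hyphens, dots and underscores; map anything else to "-".` above the `join`. The derived name is also not length-capped although the README states a 127-character maximum; with the fixed package and module prefix an add-on name would have to be unusually long to hit it, so a cap is probably unnecessary, but that assumption is worth stating in the same comment.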