aws-ia / terraform-aws-eks-ack-addons

Terraform AWS module which provisions ACK addons on EKS

Home Page: https://registry.terraform.io/modules/aws-ia/eks-ack-addons/aws/latest

License: Apache License 2.0

HCL 100.00%
aws-controllers-k8s aws-eks terraform-module

terraform-aws-eks-ack-addons's Introduction

AWS EKS ACK Addons Terraform module

Terraform module which provisions AWS controllers for Kubernetes on EKS.

Usage

module "eks_ack_addons" {
  source = "aws-ia/eks-ack-addons/aws"
  
  # Cluster Info
  cluster_name      = "<cluster name>"
  cluster_endpoint  = "<cluster endpoint>"
  oidc_provider_arn = "<oidc provider arn>"

  # ECR Credentials
  ecrpublic_username = "<ecr user name>"
  ecrpublic_token    = "<ecr token>"

  # Controllers to enable
  enable_apigatewayv2      = true
  enable_dynamodb          = true
  enable_s3                = true
  enable_rds               = true
  enable_prometheusservice = true
  enable_emrcontainers     = true
  enable_sfn               = true
  enable_eventbridge       = true
  
  tags = {
    Environment = "dev"
  }
}

Examples

Examples codified under the examples directory are intended to give users references for how to use the module, as well as to test and validate changes to the module's source code. If contributing to the project, please make any appropriate updates to the relevant examples so that maintainers can test your changes and the examples stay up to date for users. Thank you!

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0.0 |
| aws | >= 4.0 |
| time | >= 0.8 |

Providers

| Name | Version |
|------|---------|
| aws | >= 4.0 |
| time | >= 0.8 |

Modules

| Name | Source | Version |
|------|--------|---------|
| apigatewayv2 | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| dynamodb | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| elasticache | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| emrcontainers | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| eventbridge | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| prometheusservice | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| rds | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| s3 | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| sfn | aws-ia/eks-blueprints-addon/aws | 1.1.1 |

Resources

| Name | Type |
|------|------|
| aws_iam_policy.emrcontainers | resource |
| aws_iam_policy.sfnpasspolicy | resource |
| time_sleep.this | resource |
| aws_iam_policy_document.emrcontainers | data source |
| aws_partition.current | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| apigatewayv2 | ACK API gateway v2 Helm Chart config | any | {} | no |
| cluster_endpoint | Endpoint for your Kubernetes API server | string | n/a | yes |
| cluster_name | Name of the EKS cluster | string | n/a | yes |
| create_delay_dependencies | Dependency attribute which must be resolved before starting the create_delay_duration | list(string) | [] | no |
| create_delay_duration | The duration to wait before creating resources | string | "30s" | no |
| create_kubernetes_resources | Create Kubernetes resource with Helm or Kubernetes provider | bool | true | no |
| dynamodb | ACK dynamodb Helm Chart config | any | {} | no |
| ecrpublic_token | Password decoded from the authorization token for accessing public ECR | string | "" | no |
| ecrpublic_username | User name decoded from the authorization token for accessing public ECR | string | "" | no |
| elasticache | ACK elasticache Helm Chart config | any | {} | no |
| emrcontainers | ACK EMR container Helm Chart config | any | {} | no |
| enable_apigatewayv2 | Enable ACK API gateway v2 add-on | bool | false | no |
| enable_dynamodb | Enable ACK dynamodb add-on | bool | false | no |
| enable_elasticache | Enable ACK elasticache add-on | bool | false | no |
| enable_emrcontainers | Enable ACK EMR container add-on | bool | false | no |
| enable_eventbridge | Enable ACK EventBridge add-on | bool | false | no |
| enable_prometheusservice | Enable ACK prometheusservice add-on | bool | false | no |
| enable_rds | Enable ACK rds add-on | bool | false | no |
| enable_s3 | Enable ACK s3 add-on | bool | false | no |
| enable_sfn | Enable ACK step functions add-on | bool | false | no |
| eventbridge | ACK EventBridge Helm Chart config | any | {} | no |
| oidc_provider_arn | The ARN of the cluster OIDC Provider | string | n/a | yes |
| prometheusservice | ACK prometheusservice Helm Chart config | any | {} | no |
| rds | ACK rds Helm Chart config | any | {} | no |
| s3 | ACK s3 Helm Chart config | any | {} | no |
| sfn | ACK step functions Helm Chart config | any | {} | no |
| tags | Additional tags (e.g. map('BusinessUnit','XYZ')) | map(string) | {} | no |

Outputs

| Name | Description |
|------|-------------|
| gitops_metadata | GitOps Bridge metadata |

Community

License

Apache-2.0 Licensed. See LICENSE.

terraform-aws-eks-ack-addons's People

Contributors

allamand, askulkarni2, bdellegrazie, bryantbiggs, csantanapr, luong-komorebi, pdemagny, tonynv, victorgu-github

terraform-aws-eks-ack-addons's Issues

`Invalid index` error when emrcontainers or step functions (sfn) are not enabled

Description

If, using the existing example, you disable the emrcontainers and/or step functions as follows:

# Controllers to enable
# ... other parts elided
enable_emrcontainers = false
enable_sfn = false

Then terraform responds with the following output:

│ Error: Invalid index
│ 
│   on .terraform/modules/eks_ack_addons/main.tf line 592, in module "emrcontainers":
│  592:     AmazonEmrContainers = aws_iam_policy.emrcontainers[0].arn
│     ├────────────────
│     │ aws_iam_policy.emrcontainers is empty tuple
│ 
│ The given key does not identify an element in this collection value: the collection has no elements.
╵
╷
│ Error: Invalid index
│ 
│   on .terraform/modules/eks_ack_addons/main.tf line 773, in module "sfn":
│  773:     AWSStepFunctionsIamPassRole = aws_iam_policy.sfnpasspolicy[0].arn
│     ├────────────────
│     │ aws_iam_policy.sfnpasspolicy is empty tuple
│ 
│ The given key does not identify an element in this collection value: the collection has no elements.

This is always reproducible with v2.0.0 of the provider (latest at time of writing).

  • ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version: v2.0.0

  • Terraform version: 1.5.2

  • Provider version(s):

Terraform v1.5.2
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v5.6.2
+ provider registry.terraform.io/hashicorp/helm v2.10.1
+ provider registry.terraform.io/hashicorp/kubernetes v2.21.1

Reproduction Code

See example above in the description.
This is verifiable with the example code in this repository.

Expected behavior

Resources to be provisioned

Actual behavior

Error reported as above.

Terminal Output Screenshot(s)

Error reported as above.

Additional context

I believe this can easily be solved by either a conditional assignment (e.g.):

AmazonEmrContainers = var.enable_emrcontainers ? aws_iam_policy.emrcontainers[0].arn : null

or by the use of try:

AmazonEmrContainers = try(aws_iam_policy.emrcontainers[0].arn, null)

Add EKS controller support

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

Hi, I'd like to add the ability to install the ACK Amazon Elastic Kubernetes Service controller.
This would allow users to create Amazon Elastic Kubernetes Service resources (Cluster, Addon, NodeGroup, FargateProfile) with ACK.

Describe the solution you would like

Nothing fancy, following the same pattern as the other controllers is the way.

Additional context

I'm using my fork of terraform-aws-eks-ack-addons with the terraform-aws-eks-blueprints.
You can see its changes here, but I'll outline them in this issue too.

module "eks_blueprints_ack_addons" {
  source = "github.com/pdemagny/terraform-aws-eks-ack-addons?ref=feat-eks-support"

  cluster_id = module.eks_blueprints.eks_cluster_id
  # Wait for data plane to be ready
  data_plane_wait_arn = module.eks_blueprints.managed_node_group_arn[0]

  enable_api_gatewayv2 = false
  enable_dynamodb      = false
  enable_s3            = false
  enable_rds           = false
  enable_amp           = false
  enable_eks           = true

  tags = local.tags
}

This controller requires more attention to the IRSA settings, as no single pre-existing IAM Policy covers the permissions needed to create all its resources.

The recommended inline policy from ACK is not enough either ... If you want to create NodeGroups or FargateProfiles, you need more permissions.
Hence the addition of the inline policies.

Here is what I've come up with after testing every resource:

################################################################################
# Elastic Kubernetes Service
################################################################################

locals {
  eks_name = "ack-eks"
}

module "eks" {
  source = "github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons/helm-addon?ref=v4.12.2"

  count = var.enable_eks ? 1 : 0

  helm_config = merge(
    {
      name             = local.eks_name
      chart            = "eks-chart"
      repository       = "oci://public.ecr.aws/aws-controllers-k8s"
      version          = "v0.1.7"
      namespace        = local.eks_name
      create_namespace = true
      description      = "ACK eks Controller v2 Helm chart deployment configuration"
      values = [
        # shortens pod name from `ack-eks-eks-chart-xxxxxxxxxxxxx` to `ack-eks-xxxxxxxxxxxxx`
        <<-EOT
          nameOverride: ack-eks
        EOT
      ]
    },
    var.eks_helm_config
  )

  set_values = [
    {
      name  = "serviceAccount.name"
      value = local.eks_name
    },
    {
      name  = "serviceAccount.create"
      value = false
    },
    {
      name  = "aws.region"
      value = local.region
    }
  ]

  irsa_config = {
    create_kubernetes_namespace = true
    kubernetes_namespace        = try(var.eks_helm_config.namespace, local.eks_name)

    create_kubernetes_service_account = true
    kubernetes_service_account        = local.eks_name

    irsa_iam_policies = [aws_iam_policy.ack_eks_policy[0].arn, data.aws_iam_policy.eks[0].arn]
  }

  addon_context = local.addon_context
}

resource "aws_iam_policy" "ack_eks_policy" {
  count = var.enable_eks ? 1 : 0

  name        = "${local.cluster_id}-ack-eks-sa-policy"
  description = "IAM policy for ${local.eks_name} Service Account"
  path        = "/"
  policy      = data.aws_iam_policy_document.ack_eks_policy_document[0].json

  tags = local.tags
}

data "aws_iam_policy_document" "ack_eks_policy_document" {
  count = var.enable_eks ? 1 : 0

  statement {
    sid       = "ACKEKSPolicy1" # Recommended ACK inline Policy, see https://github.com/aws-controllers-k8s/eks-controller/blob/main/config/iam/recommended-inline-policy
    effect    = "Allow"
    actions   = ["eks:*"]
    resources = ["*"]
  }

  statement {
    sid    = "ACKEKSPolicy2" # iam:GetRole is required to create NodeGroups and iam:CreateServiceLinkedRole is required to create FargateProfiles
    effect = "Allow"
    actions = [
      "iam:GetRole",
      "iam:CreateServiceLinkedRole"
    ]
    resources = ["*"]
  }

  statement {
    sid       = "ACKEKSPolicy3" # Required to create NodeGroups
    effect    = "Allow"
    actions   = ["iam:PassRole"]
    resources = ["*"]

    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["eks.amazonaws.com"]
    }
  }
}

data "aws_iam_policy" "eks" {
  count = var.enable_eks ? 1 : 0

  name = "AmazonEKSServicePolicy"
}

Here are my test results:

EKS

Cluster

apiVersion: eks.services.k8s.aws/v1alpha1
kind: Cluster
metadata:
  name: my-ack-test-cluster
spec:
  name: my-ack-test-cluster
  roleARN: arn:aws:iam::<REDACTED>:role/crossplane-ack-meetup-cluster-role
  resourcesVPCConfig:
    endpointPrivateAccess: true
    endpointPublicAccess: true
    subnetIDs:
      - "subnet-02421b2bc404c9324"
      - "subnet-0604d52bdcb46e8b6"

2022-12-01T13:37:10.936Z INFO ackrt created new resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Cluster", "namespace": "default", "name": "my-ack-test-cluster", "is_adopted": false, "generation": 1}

Addon

apiVersion: eks.services.k8s.aws/v1alpha1
kind: Addon
metadata:
  name: vpc-cni
spec:
  name: vpc-cni
  addonVersion: "v1.12.0-eksbuild.1"
  clusterName: my-ack-test-cluster
  resolveConflicts: "OVERWRITE"
---
apiVersion: eks.services.k8s.aws/v1alpha1
kind: Addon
metadata:
  name: coredns
spec:
  name: coredns
  addonVersion: "v1.8.7-eksbuild.3"
  clusterName: my-ack-test-cluster
  resolveConflicts: "OVERWRITE"
---
apiVersion: eks.services.k8s.aws/v1alpha1
kind: Addon
metadata:
  name: kube-proxy
spec:
  name: kube-proxy
  addonVersion: "v1.23.13-eksbuild.2"
  clusterName: my-ack-test-cluster
  resolveConflicts: "OVERWRITE"

2022-12-01T15:16:11.236Z INFO ackrt created new resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Addon", "namespace": "default", "name": "vpc-cni", "is_adopted": false, "generation": 1}
2022-12-01T15:16:11.950Z INFO ackrt created new resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Addon", "namespace": "default", "name": "coredns", "is_adopted": false, "generation": 1}
2022-12-01T15:16:12.802Z INFO ackrt created new resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Addon", "namespace": "default", "name": "kube-proxy", "is_adopted": false, "generation": 1}

NodeGroup

apiVersion: eks.services.k8s.aws/v1alpha1
kind: Nodegroup
metadata:
  name: my-ack-test-ng
spec:
  name: my-ack-test-ng
  clusterName: my-ack-test-cluster
  subnets:
    - "subnet-02421b2bc404c9324"
    - "subnet-0604d52bdcb46e8b6"
  nodeRole: arn:aws:iam::<REDACTED>:role/crossplane-ack-meetup-cluster-role
  scalingConfig:
    minSize: 1
    maxSize: 1
    desiredSize: 1

2022-12-01T15:23:06.006Z INFO ackrt created new resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Nodegroup", "namespace": "default", "name": "my-ack-test-ng", "is_adopted": false, "generation": 1}
2022-12-01T15:51:13.894Z INFO ackrt deleted resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Nodegroup", "namespace": "default", "name": "my-ack-test-ng", "generation": 3}

FargateProfile

❯ cat pod-execution-role-trust-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:eks:eu-west-1:<REDACTED>:fargateprofile/my-ack-test-cluster/*"
        }
      },
      "Principal": {
        "Service": "eks-fargate-pods.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
❯ aws iam create-role \
  --role-name AmazonEKSFargatePodExecutionRole \
  --assume-role-policy-document file://"pod-execution-role-trust-policy.json"
❯ aws iam attach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy \
  --role-name AmazonEKSFargatePodExecutionRole

apiVersion: eks.services.k8s.aws/v1alpha1
kind: FargateProfile
metadata:
  name: my-ack-test-profile
spec:
  name: my-ack-test-profile
  clusterName: my-ack-test-cluster
  podExecutionRoleARN: arn:aws:iam::<REDACTED>:role/AmazonEKSFargatePodExecutionRole
  subnets:
    - "subnet-087c10af4f1bc624b"
    - "subnet-0f29941bb08e3c58a"
  selectors:
    - namespace: default

2022-12-01T21:07:24.631Z INFO ackrt created new resource {"account": "", "role": "", "region": "eu-west-1", "kind": "FargateProfile", "namespace": "default", "name": "my-ack-test-profile", "is_adopted": false, "generation": 1}
2022-12-01T21:11:29.696Z INFO ackrt deleted resource {"account": "", "role": "", "region": "eu-west-1", "kind": "FargateProfile", "namespace": "default", "name": "my-ack-test-profile", "generation": 2}

In the end, the created NodeGroup can't join the created Cluster because the aws-auth ConfigMap is missing (so there is no RBAC mapping) and the security group rules are missing.
But strictly on the controller side, the create & delete actions are allowed with this set of IAM permissions.

I'm proposing these changes in #34

I'm also going to propose the change in recommended iam policy upstream.
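The post above justifies its third statement by bounding iam:PassRole with an iam:PassedToService condition and accepts a broad eks:* on all resources. As an added example (not code from the issue author or the aws-ia module), the following Python script lints an IAM policy document for exactly those two properties: it reports wildcard actions granted on Resource "*" so their blast radius is visible in review, and it fails any iam:PassRole statement that carries no iam:PassedToService condition. The SAMPLE_POLICY is a hand-written JSON rendering of the post's three statements, constructed for this example; the UNBOUNDED_PASSROLE document is a constructed counter-example.

```python
"""Lint an IAM policy document for unbounded iam:PassRole and wildcard grants.

Added example, not part of the issue or the aws-ia module.  The sample
documents are constructed; they are not output captured from Terraform.
"""
import json

# Constructed JSON equivalent of the post's aws_iam_policy_document (assumption:
# this is the shape the data source renders for those three statements).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ACKEKSPolicy1", "Effect": "Allow",
         "Action": ["eks:*"], "Resource": "*"},
        {"Sid": "ACKEKSPolicy2", "Effect": "Allow",
         "Action": ["iam:GetRole", "iam:CreateServiceLinkedRole"], "Resource": "*"},
        {"Sid": "ACKEKSPolicy3", "Effect": "Allow",
         "Action": ["iam:PassRole"], "Resource": "*",
         "Condition": {"StringEquals": {"iam:PassedToService": "eks.amazonaws.com"}}},
    ],
})

# Constructed counter-example: PassRole with no service restriction at all.
UNBOUNDED_PASSROLE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Unbounded", "Effect": "Allow",
         "Action": "iam:PassRole", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM accepts either a single string or a list for Action/Resource/condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def passrole_services(statement):
    """Services an iam:PassRole statement is restricted to via iam:PassedToService ([] if none)."""
    cond = statement.get("Condition", {})
    services = []
    for operator in ("StringEquals", "StringLike", "ForAnyValue:StringEquals"):
        services += _as_list(cond.get(operator, {}).get("iam:PassedToService"))
    return services


def lint_policy(policy_json):
    """Return a list of (sid, severity, message) findings for an IAM policy document."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        sid = stmt.get("Sid", "<no sid>")
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))

        if "iam:passrole" in actions:
            services = passrole_services(stmt)
            if not services:
                findings.append((sid, "HIGH", "iam:PassRole without iam:PassedToService condition"))
            else:
                findings.append((sid, "INFO", "iam:PassRole bounded to " + ", ".join(services)))

        if "*" in resources:
            wild = [a for a in actions if a.endswith("*")]
            if wild:
                findings.append((sid, "MEDIUM", "wildcard actions on all resources: " + ", ".join(wild)))
    return findings


if __name__ == "__main__":
    for sid, severity, message in lint_policy(SAMPLE_POLICY):
        print(f"{severity:6} {sid}: {message}")
```

Run against a real policy by feeding it the `json` attribute of an aws_iam_policy_document (for example from `terraform output` or `aws iam get-policy-version`); the three condition operators checked are the ones that meaningfully restrict iam:PassedToService, so a PassRole statement using any other operator is reported as unbounded and deserves a look.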

Dummy issue

Description

Please provide a clear and concise description of the issue you are encountering, and a reproduction of your configuration (see the examples/* directory for references that you can copy+paste and tailor to match your configs if you are unable to copy your exact configuration). The reproduction MUST be executable by running terraform init && terraform apply without any further changes.

If your request is for a new feature, please use the Feature request template.

  • ✋ I have searched the open/closed issues and my issue is not listed.

⚠️ Note

Before you submit an issue, please perform the following first:

  1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
  2. Re-initialize the project root to pull down modules: terraform init
  3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

  • Module version [Required]:

  • Terraform version:

  • Provider version(s):

Reproduction Code [Required]

Steps to reproduce the behavior:

Expected behavior

Actual behavior

Terminal Output Screenshot(s)

Additional context

Add ACK ec2 controller

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

Ability to install the ACK ec2 controller

This will allow creating resources.

Describe the solution you would like

Follow same pattern as the other controllers

Add ACK Amazon Managed service for Prometheus controller

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

Hi, I'd like to add the ability to install the ACK Amazon Managed service for Prometheus controller.
This would allow users to create Amazon Managed service for Prometheus resources (AlertManagerDefinition, RuleGroupsNamespace, Workspace) with ACK.

Describe the solution you would like

Nothing fancy, following the same pattern as the other controllers is the way.

Add ECR controller support

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

Hi, I'd like to add the ability to install the ACK Amazon EC2 Container Registry controller.
This would allow users to create Amazon EC2 Container Registry resources (Repository, PullThroughCacheRule) with ACK.

Describe the solution you would like

Nothing fancy, following the same pattern as the other controllers is the way.

ACK RDS IRSA role requires access to `alias/secretsmanager` KMS key or fails to create DB.

Description

When using the ACK Controller for RDS, I encountered a problem using the Secrets Manager feature of RDS.

In my circumstance, I was using a custom KMS key and gave, to the IRSA role, permission to create the secret,
access the KMS key and allow the associated grants as documented in AWS documentation.

However the controller still failed citing insufficient permissions on the KMS key.

Upon using CloudTrail I discovered the controller was still performing kms:DescribeKey on the default KMS key (alias/secretsmanager), even though I had supplied a specific one for secret in the resource.

Once I permitted kms:DescribeKey on the default KMS key for secrets manager, everything started working properly.

I have three questions:

  1. Can we please update the documentation to ensure that this is reflected in the required IAM permissions for the controller, to avoid others having the same issues if using the SecretsManager facility?
  2. Is this a bug of the controller? Should it only perform kms:DescribeKey on the key supplied in the CRD? If so, where should I report this?
  3. Should an additional policy be created as an example, one that can be attached to the IAM IRSA role to fix this?

Versions

  • Module version 2.0.1

Steps to reproduce the behavior:

Expected behavior

CRD for dummy single instance small RDS:

---
apiVersion: rds.services.k8s.aws/v1alpha1
kind: DBInstance
metadata:
  name: testdb
spec:
  allocatedStorage: 10
  autoMinorVersionUpgrade: true
  backupRetentionPeriod: 1
  dbInstanceClass: db.t4g.micro
  dbInstanceIdentifier: testdb
  dbSubnetGroupName: <pre-existing-group>
  deletionProtection: false
  engine: postgres
  engineVersion: "14"
  kmsKeyID: <alias or ARN of pre-existing KMS key>
  manageMasterUserPassword: true
  masterUserSecretKMSKeyID: <alias or ARN of pre-existing KMS key>
  masterUsername: "postgres"
  multiAZ: false
  networkType: IPV4
  publiclyAccessible: false
  storageEncrypted: true
  storageType: gp2
  vpcSecurityGroupIDs:
    - <pre-existing security group ID>

Extra IAM policy added to IRSA role:

data "aws_iam_policy_document" "this" {
  statement {
    sid = "AllowKMSUseByRDS"
    actions = [
      "kms:CreateGrant",
      "kms:DescribeKey",
      "kms:ListGrants",
      "kms:RevokeGrant",
    ]

    resources = local.kms_keys  # array of both custom KMS keys for EBS and secrets manager

    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = local.rds_services
    }
  }

  statement {
    sid = "AllowKMSUseForSMByIRSA"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:DescribeKey",
      "kms:GenerateDataKey",
      "kms:CreateGrant",
    ]

    resources = var.secretsmanager_kms_keys
  }

  statement {
    sid = "AllowSMUseByIRSA"
    actions = [
      "secretsmanager:CreateSecret",
      "secretsmanager:DeleteSecret",
      "secretsmanager:RotateSecret",
      "secretsmanager:TagResource",
    ]
    resources = [local.account_sm_arn]
  }
}

Expects to create DB and create a secret with the postgres randomly generated password.

Actual behavior

Fails with insufficient permissions for KMS key (KMS key ARN for custom secrets manager KMS key)

Additional context

Further examination in CloudTrail sees a failure on kms:DescribeKey, but for the default KMS key alias for secrets manager (alias/secretsmanager).

Modifying the policy to allow access (full or just kms:DescribeKey) to the default KMS key results in success; an example of such a statement is below:

  # Must grant DescribeKey to all KMS keys or ACK controller fails, even if the default KMS key is not used
  statement {
    sid = "AllowKMSDescribeKeyForRDS"
    actions = [
      "kms:DescribeKey",
    ]

    resources = ["arn:${local.partition}:kms:*:${local.account_id}:key/*"]

    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = local.rds_services
    }
  }

Note 1: I tried using a ResourceAliases condition to limit the kms:DescribeKey permission to just the default secretsmanager KMS key, but that, surprisingly, didn't work.
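The reporter above reached the root cause by reading CloudTrail: the controller's IRSA role was being denied kms:DescribeKey on alias/secretsmanager even though the DBInstance named a custom key. As an added example (not code from the issue author or the aws-ia module), the Python script below performs that triage over a CloudTrail log envelope: it lists every KMS key id or alias a given role attempted any call against, and counts AccessDenied events per (role, action, resource) so the missing grant is explicit. The records, account id, role name and key ARN are constructed placeholders, not values from the issue; the action name is approximated as `<service>:<eventName>`, which holds for the KMS and RDS events used here.

```python
"""Triage CloudTrail records for denied KMS calls made by an IRSA role.

Added example, not part of the issue or the aws-ia module.  All records and
identifiers below are constructed placeholders.
"""
import json
from collections import defaultdict

# Constructed placeholders (not from the issue).
ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/ack-rds-irsa/ack-rds-controller"
CUSTOM_KEY = "arn:aws:kms:eu-west-1:111122223333:key/0000example-custom-key"

# Constructed CloudTrail log envelope with only the fields this script reads
# (real records carry many more).  Two denied DescribeKey calls on the default
# alias, one successful DescribeKey on the custom key, one unrelated RDS call.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "kms.amazonaws.com", "eventName": "DescribeKey",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "requestParameters": {"keyId": CUSTOM_KEY}},
    {"eventSource": "kms.amazonaws.com", "eventName": "DescribeKey",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "requestParameters": {"keyId": "alias/secretsmanager"},
     "errorCode": "AccessDenied"},
    {"eventSource": "kms.amazonaws.com", "eventName": "DescribeKey",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "requestParameters": {"keyId": "alias/secretsmanager"},
     "errorCode": "AccessDenied"},
    {"eventSource": "rds.amazonaws.com", "eventName": "CreateDBInstance",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "requestParameters": {"dBInstanceIdentifier": "testdb"}},
]})


def load_records(text):
    """Parse a CloudTrail log file: a JSON object whose 'Records' key holds the events."""
    return json.loads(text)["Records"]


def role_name(arn):
    """Map an assumed-role session ARN to the IAM role name; other ARNs pass through."""
    resource = arn.split(":")[-1]  # e.g. assumed-role/ROLE/SESSION
    parts = resource.split("/")
    return parts[1] if parts[0] == "assumed-role" and len(parts) >= 2 else arn


def iam_action(record):
    """Approximate the IAM action as <service>:<eventName> (exact for KMS and RDS here)."""
    service = record["eventSource"].split(".")[0]
    return f"{service}:{record['eventName']}"


def kms_keys_touched(records, role):
    """Every key id or alias the role attempted any KMS call against, denied or not."""
    return {
        r.get("requestParameters", {}).get("keyId")
        for r in records
        if r["eventSource"] == "kms.amazonaws.com"
        and role_name(r["userIdentity"]["arn"]) == role
    }


def denied_calls(records):
    """Count AccessDenied events per (role, action, resource) so the missing grant is visible."""
    counts = defaultdict(int)
    for r in records:
        if r.get("errorCode") != "AccessDenied":
            continue
        resource = r.get("requestParameters", {}).get("keyId", "-")
        counts[(role_name(r["userIdentity"]["arn"]), iam_action(r), resource)] += 1
    return dict(counts)


if __name__ == "__main__":
    records = load_records(SAMPLE_LOG)
    print("keys touched:", sorted(k for k in kms_keys_touched(records, "ack-rds-irsa") if k))
    for (role, action, resource), n in denied_calls(records).items():
        print(f"{n}x AccessDenied {role} -> {action} on {resource}")
```

On real data, point load_records at a decompressed CloudTrail object from the trail's S3 bucket (or the JSON returned by the lookup-events API) and filter on the controller's role name; the keys-touched set is what tells you whether the controller is reaching for a key you never granted, which is the observation the reporter made here.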

Add support for GitOps-Bridge

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

Ability to include ACK Addons when using the EKS Blueprints GitOps-Bridge

Describe the solution you would like

Implement similar support as the EKS Blueprints GitOps-Bridge like aws-ia/terraform-aws-eks-blueprints-addons#209

Describe alternatives you have considered

N/A

Additional context

This has been implemented in the ArgoCD on Amazon EKS Workshop here: https://github.com/aws-samples/argocd-on-amazon-eks-workshop/blob/riv23/terraform/spokes/main.tf#L229-L254

The integration will look like this with the new variable create_kubernetes_resources = false

################################################################################
# EKS ACK Addons
################################################################################
module "eks_ack_addons" {
  source = "github.com/csantanapr/terraform-aws-eks-ack-addons?ref=gitops-bridge"


  cluster_name      = module.eks.cluster_name
  cluster_endpoint  = module.eks.cluster_endpoint
  oidc_provider_arn = module.eks.oidc_provider_arn

  # Using GitOps Bridge
  create_kubernetes_resources = false

  # ACK Controllers to enable
  enable_apigatewayv2      = try(local.aws_addons.enable_ack_apigatewayv2, false)
  enable_dynamodb          = try(local.aws_addons.enable_ack_dynamodb, false)
  enable_s3                = try(local.aws_addons.enable_ack_s3, false)
  enable_rds               = try(local.aws_addons.enable_ack_rds, false)
  enable_prometheusservice = try(local.aws_addons.enable_ack_prometheusservice, false)
  enable_emrcontainers     = try(local.aws_addons.enable_ack_emrcontainers, false)
  enable_sfn               = try(local.aws_addons.enable_ack_sfn, false)
  enable_eventbridge       = try(local.aws_addons.enable_ack_eventbridge, false)

  tags = local.tags
}

ack apigateway role_policies default

Description

Trying to customize apigatewayv2 helm installation and irsa role creation with minimal configuration fails on the IRSA role_policies as the lookup default value does not match the key type.

role_policies = lookup(var.apigatewayv2, "role_policies", {
    AmazonAPIGatewayInvokeFullAccess = "${local.iam_role_policy_prefix}/AmazonAPIGatewayInvokeFullAccess"
    AmazonAPIGatewayAdministrator    = "${local.iam_role_policy_prefix}/AmazonAPIGatewayAdministrator"
  })

The default is an object {} while the map element role_policies is not defined afaik.

Please provide a clear and concise description of the issue you are encountering, and a reproduction of your configuration (see the examples/* directory for references that you can copy+paste and tailor to match your configs if you are unable to copy your exact configuration). The reproduction MUST be executable by running terraform init && terraform apply without any further changes.

Versions

  • Module version: 2.2.0

  • Terraform version: 1.6.6

  • Provider version(s):

  • provider registry.terraform.io/gavinbunney/kubectl v1.14.0
  • provider registry.terraform.io/hashicorp/aws v5.8.0
  • provider registry.terraform.io/hashicorp/helm v2.13.1
  • provider registry.terraform.io/hashicorp/kubernetes v2.29.0
  • provider registry.terraform.io/hashicorp/random v3.4.3
  • provider registry.terraform.io/hashicorp/time v0.11.1
  • provider registry.terraform.io/viktorradnai/bcrypt v0.1.2

Reproduction Code [Required]

main.tf:

module "eks_ack_addons" {
  count   = var.enable_eks_ack_addons ? 1 : 0
  source  = "aws-ia/eks-ack-addons/aws"
  version = "2.2.0"

  # Cluster Info
  cluster_name      = var.eks_cluster_name
  cluster_endpoint  = data.aws_eks_cluster.cluster.endpoint
  oidc_provider_arn = var.eks_oidc_provider_arn

  # ECR Credentials
  ecrpublic_username = data.aws_ecrpublic_authorization_token.token.user_name
  ecrpublic_token    = data.aws_ecrpublic_authorization_token.token.password

  enable_apigatewayv2 = var.enable_ack_api_gatewayv2_controller

  apigatewayv2 = var.apigatewayv2

  tags = var.tags
}

apigatewayv2 variable:

apigatewayv2 = {
  chart_version = "1.1.0"
  skip_crds     = false
}

Steps to reproduce the behavior:

terraform plan (with valid variables for eks cluster required vars)

Expected behavior

Helm chart is installed using chart_version, and IRSA role is created with default policies

Actual behavior

Terraform plan fails as the lookup for role policies for apigatewayv2 default return does not match the role_policies key type

Terminal Output Screenshot(s)

╷
│ Error: Invalid function argument
│ 
│   on .terraform/modules/eks_ack_addons/main.tf line 118, in module "apigatewayv2":
│  118:   role_policies = lookup(var.apigatewayv2, "role_policies", {
│  119:     AmazonAPIGatewayInvokeFullAccess = "${local.iam_role_policy_prefix}/AmazonAPIGatewayInvokeFullAccess"
│  120:     AmazonAPIGatewayAdministrator    = "${local.iam_role_policy_prefix}/AmazonAPIGatewayAdministrator"
│  121:   })
│     ├────────────────
│     │ while calling lookup(inputMap, key, default...)
│     │ local.iam_role_policy_prefix is "arn:aws:iam::aws:policy"
│ 
│ Invalid value for "default" parameter: the default value must have the same
│ type as the map elements.

Additional context

Add link to source code of sample application container

Description

Document the location of the source code for the sample application.
There is a container victorgucanada/new-dynamo-nodejs:latest being referenced, but no link to a github repo that contains the code.
If the code is a couple of lines I would just embed the code into the deployment yaml.

  • ✋ I have searched the open/closed issues and my issue is not listed.

Add KMS controller support

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

Hi, I'd like to add the ability to install the ACK AWS Key Management Service (KMS) controller.
This would allow users to create AWS Key Management Service (KMS) resources (Key, Alias, Grant) with ACK.

Describe the solution you would like

Nothing fancy, following the same pattern as the other controllers is the way.

Additional context

I'm using my fork of terraform-aws-eks-ack-addons with the terraform-aws-eks-blueprints.
You can see its changes here, but I'll outline them in this issue too.

module "eks_blueprints_ack_addons" {
  source = "github.com/pdemagny/terraform-aws-eks-ack-addons?ref=feat-kms-support"

  cluster_id = module.eks_blueprints.eks_cluster_id
  # Wait for data plane to be ready
  data_plane_wait_arn = module.eks_blueprints.managed_node_group_arn[0]

  enable_api_gatewayv2 = false
  enable_dynamodb      = false
  enable_s3            = false
  enable_rds           = false
  enable_amp           = false
  enable_kms           = true

  tags = local.tags
}

This controller requires paying more attention to the IRSA settings, as no single pre-existing IAM policy covers the permissions needed to create all its resources.

The recommended inline policy from ACK is not enough ... If you want to Delete or Rotate Keys, or Create and Revoke Grants, you need more permissions.
Hence the addition of the inline policies.

Here is what I've come up with after testing every resource:

################################################################################
# Key Management Service
################################################################################

locals {
  kms_name = "ack-kms"
}

module "kms" {
  source = "github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons/helm-addon?ref=v4.12.2"

  count = var.enable_kms ? 1 : 0

  helm_config = merge(
    {
      name             = local.kms_name
      chart            = "kms-chart"
      repository       = "oci://public.ecr.aws/aws-controllers-k8s"
      version          = "v0.1.3"
      namespace        = local.kms_name
      create_namespace = true
      description      = "ACK kms Controller v2 Helm chart deployment configuration"
      values = [
        # shortens pod name from `ack-kms-kms-chart-xxxxxxxxxxxxx` to `ack-kms-xxxxxxxxxxxxx`
        <<-EOT
          nameOverride: ack-kms
        EOT
      ]
    },
    var.kms_helm_config
  )

  set_values = [
    {
      name  = "serviceAccount.name"
      value = local.kms_name
    },
    {
      name  = "serviceAccount.create"
      value = false
    },
    {
      name  = "aws.region"
      value = local.region
    }
  ]

  irsa_config = {
    create_kubernetes_namespace = true
    kubernetes_namespace        = try(var.kms_helm_config.namespace, local.kms_name)

    create_kubernetes_service_account = true
    kubernetes_service_account        = local.kms_name

    irsa_iam_policies = [aws_iam_policy.ack_kms_policy[0].arn, data.aws_iam_policy.kms[0].arn]
  }

  addon_context = local.addon_context
}

resource "aws_iam_policy" "ack_kms_policy" {
  count = var.enable_kms ? 1 : 0

  name        = "${local.cluster_id}-ack-kms-sa-policy"
  description = "IAM policy for ${local.kms_name} Service Account"
  path        = "/"
  policy      = data.aws_iam_policy_document.ack_kms_policy_document[0].json

  tags = local.tags
}

data "aws_iam_policy_document" "ack_kms_policy_document" {
  count = var.enable_kms ? 1 : 0

  statement {
    sid    = "ACKKMSPolicy"
    effect = "Allow"
    actions = [
      "kms:ScheduleKeyDeletion",
      "kms:EnableKeyRotation",
      "kms:CreateGrant",
      "kms:RevokeGrant"
    ]
    resources = ["*"]
  }
}

data "aws_iam_policy" "kms" {
  count = var.enable_kms ? 1 : 0

  name = "AWSKeyManagementServicePowerUser"
}

Here are my test results:

KMS

Key

apiVersion: kms.services.k8s.aws/v1alpha1
kind: Key
metadata:
  name: my-ack-test-key
spec:
  description: a kms key
  enableKeyRotation: true

2022-12-09T13:40:03.389Z INFO ackrt created new resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Key", "namespace": "default", "name": "my-ack-test-key", "is_adopted": false, "generation": 1}
2022-12-09T14:22:03.949Z INFO ackrt deleted resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Key", "namespace": "default", "name": "my-ack-test-key", "generation": 3}

Alias

---
apiVersion: kms.services.k8s.aws/v1alpha1
kind: Alias
metadata:
  name: my-ack-test-key-alias
spec:
  name: alias/my-ack-test-key-alias
  targetKeyRef:
    from:
      name: my-ack-test-key

2022-12-09T13:40:03.547Z INFO ackrt created new resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Alias", "namespace": "default", "name": "my-ack-test-key-alias", "is_adopted": false, "generation": 1}
2022-12-09T14:22:03.936Z INFO ackrt deleted resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Alias", "namespace": "default", "name": "my-ack-test-key-alias", "generation": 2}

Grant

apiVersion: kms.services.k8s.aws/v1alpha1
kind: Grant
metadata:
  name: my-ack-test-grant
spec:
  granteePrincipal: arn:aws:iam::<REDACTED>:user/<REDACTED>
  keyID: <REDACTED>
  name: my-ack-test-grant
  operations:
    - Encrypt
  retiringPrincipal: arn:aws:iam::<REDACTED>:user/<REDACTED>

2022-12-09T14:05:21.758Z INFO ackrt created new resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Grant", "namespace": "default", "name": "my-ack-test-grant", "is_adopted": false, "generation": 1}
2022-12-09T14:11:07.860Z INFO ackrt deleted resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Grant", "namespace": "default", "name": "my-ack-test-grant", "generation": 3}


I'm proposing this change in #35

I'm also going to propose the change in recommended iam policy upstream.
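
The inline policy in the issue above grants kms:ScheduleKeyDeletion, kms:EnableKeyRotation, kms:CreateGrant and kms:RevokeGrant with resources = ["*"], so the IRSA role can schedule deletion of, or grant access to, any key in the account, not only the ones ACK created. The following Python script is an added example for this page, not code from the issue author, the aws-ia module or ACK: it is a minimal model of how IAM evaluates an identity policy against a KMS key ARN, and it places the posted policy beside a scoped variant that limits the same actions to keys in one account and region that carry a tag. The condition key aws:ResourceTag/ack-managed (and the assumption that ACK-created keys are tagged ack-managed=true), the placeholder account 111122223333 and the key ids are constructed; the region eu-west-1 is the one from the issue's logs.

```python
"""Minimal IAM identity-policy evaluator for comparing the ACK KMS inline
policy posted in the issue with a scoped-down variant.

Added example for this page; not code from the aws-ia module or from ACK.
It models only the identity (IRSA role) policy, not the KMS key policy,
and only the StringEquals condition operator.
"""
import fnmatch

# Constructed values: AWS documentation placeholder account, region from the issue.
ACCOUNT = "111122223333"
REGION = "eu-west-1"
# Assumption: keys created through ACK carry the tag ack-managed=true.
TAG_KEY = "aws:ResourceTag/ack-managed"

ACK_KMS_ACTIONS = [
    "kms:ScheduleKeyDeletion",
    "kms:EnableKeyRotation",
    "kms:CreateGrant",
    "kms:RevokeGrant",
]

# The inline policy from the issue, as the JSON that the
# aws_iam_policy_document data source renders.
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ACKKMSPolicy", "Effect": "Allow",
         "Action": ACK_KMS_ACTIONS, "Resource": "*"},
    ],
}

# Same actions, limited to tagged keys in one account and region.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ACKKMSPolicyScoped", "Effect": "Allow",
         "Action": ACK_KMS_ACTIONS,
         "Resource": f"arn:aws:kms:{REGION}:{ACCOUNT}:key/*",
         "Condition": {"StringEquals": {TAG_KEY: "true"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names match case-insensitively; * and ? are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _resource_matches(patterns, resource):
    # Resource ARNs match case-sensitively, with the same wildcards.
    return any(fnmatch.fnmatchcase(resource, p) for p in patterns)


def _conditions_hold(condition, context):
    # A condition key missing from the request context makes StringEquals false.
    unsupported = set(condition) - {"StringEquals"}
    if unsupported:
        raise ValueError(f"condition operators not modelled: {sorted(unsupported)}")
    for key, expected in condition.get("StringEquals", {}).items():
        if key not in context or context[key] not in _as_list(expected):
            return False
    return True


def is_allowed(policy, action, resource, context=None):
    """True if the identity policy allows `action` on `resource`.
    An explicit Deny always wins; otherwise one matching Allow suffices."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(_as_list(stmt.get("Action", [])), action):
            continue
        if not _resource_matches(_as_list(stmt.get("Resource", [])), resource):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def unconditional_wildcard_statements(policy):
    """Sids of Allow statements with Resource '*' and no Condition: the
    pattern worth flagging when reviewing an IRSA policy."""
    return [s.get("Sid", "<no sid>") for s in policy["Statement"]
            if s["Effect"] == "Allow"
            and "*" in _as_list(s.get("Resource", []))
            and not s.get("Condition")]


def key_arn(key_id, region=REGION, account=ACCOUNT):
    return f"arn:aws:kms:{region}:{account}:key/{key_id}"


if __name__ == "__main__":
    # Constructed key id; it is untagged unless a context says otherwise.
    key = key_arn("1234abcd-12ab-34cd-56ef-1234567890ab")
    print("posted, untagged key:", is_allowed(POSTED_POLICY, "kms:ScheduleKeyDeletion", key))
    print("scoped, untagged key:", is_allowed(SCOPED_POLICY, "kms:ScheduleKeyDeletion", key))
    print("scoped, tagged key:  ", is_allowed(SCOPED_POLICY, "kms:ScheduleKeyDeletion", key,
                                              {TAG_KEY: "true"}))
    print("flagged statements:", unconditional_wildcard_statements(POSTED_POLICY))
```

Run it directly to see the posted policy allow ScheduleKeyDeletion on an arbitrary key while the scoped policy allows it only for a key whose request context carries the tag. Two caveats the model does not cover: KMS additionally evaluates the key policy, so the role also needs the key policy (or a key policy that delegates to IAM) to permit it, and the managed policy attached alongside the inline one contributes its own permissions and should be reviewed the same way.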

Support ElastiCache Controller

What is the outcome that you are trying to reach?

Add ElastiCache and an enablement variable similar to other controllers e.g.

enable_rds = true

Describe the solution you would like

Same behavior as the other controllers.

Describe alternatives you have considered

I can probably do this on my own using aws-ia/eks-blueprints-addon/aws, but it'd be nice if it supported it already. 👯

Add ACK mq controller

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

Ability to install the ACK mq controller

This will allow creating Amazon MQ brokers (RabbitMQ or ActiveMQ)

Describe the solution you would like

Follow same pattern as the other controllers

sample app doesn't have health endpoint

Description

When inspecting the target group for the load balancer, I noticed that the pod is unhealthy


If your request is for a new feature, please use the Feature request template.

  • ✋ I have searched the open/closed issues and my issue is not listed.
