diff --git a/_examples/basic/main.tf b/_examples/basic/main.tf index 9ee285c..8f39049 100644 --- a/_examples/basic/main.tf +++ b/_examples/basic/main.tf @@ -166,12 +166,13 @@ module "addons" { aws_node_termination_handler = true aws_efs_csi_driver = true aws_ebs_csi_driver = true - karpenter = false - calico_tigera = false + kube_state_metrics = true + karpenter = false # -- Set to `false` or comment line to Uninstall Karpenter if installed using terraform. + calico_tigera = true + new_relic = true kubeclarity = true ingress_nginx = true fluent_bit = true - velero = true keda = true certification_manager = true @@ -181,7 +182,9 @@ module "addons" { kiali_server = true kiali_manifests = var.kiali_manifests external_secrets = true + velero = true + velero_extra_configs = { + bucket_name = "velero-addons" + } - # -- Extra helm_release attributes - velero_extra_configs = var.velero_extra_configs } diff --git a/_examples/basic/variables.tf b/_examples/basic/variables.tf index d2c333f..267b127 100644 --- a/_examples/basic/variables.tf +++ b/_examples/basic/variables.tf @@ -22,14 +22,4 @@ variable "kiali_manifests" { kiali_virtualservice_file_path = "./config/kiali/kiali_vs.yaml" } description = "Path to VirtualService manifest for kiali-dashboard" -} - -#------------ EXTRA CONFIGS ----------- -variable "velero_extra_configs" { - type = any - default = { - timeout = 300 - atomic = true - bucket_name = "velero-addons" - } } \ No newline at end of file diff --git a/_examples/complete/config/external-secret/external-secret.yaml b/_examples/complete/config/external-secret/external-secret.yaml index a614a1f..edc6218 100644 --- a/_examples/complete/config/external-secret/external-secret.yaml +++ b/_examples/complete/config/external-secret/external-secret.yaml 
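Review bot: The velero example now hard-codes `bucket_name = "velero-addons"` inline, and S3 bucket names are global, so anyone applying this example unchanged collides with whoever already owns that bucket; if the velero addon only references the bucket rather than creating it (the addon module is outside this diff), backups would go to a bucket the user does not control. Derive the name from something unique to the deployment instead, e.g. `bucket_name = "velero-${var.cluster_name}-${data.aws_caller_identity.current.account_id}"` (whichever cluster-name and account identifiers this example already has in scope). Note also that the removed `velero_extra_configs` variable default carried `timeout = 300` and `atomic = true`, which are no longer set unless the addon supplies its own defaults.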
@@ -9,10 +9,10 @@ spec: name: external-secrets-store # -- Provide previously created secret store name kind: SecretStore target: - name: externalsecret-data # -- Name of secret which will contain data specified below + name: externalsecret-data # -- Name of Kubernetes secret which will contain data specified below creationPolicy: Owner data: - - secretKey: do_not_delete_this_key # -- AWS Secret-Manager secret key + - secretKey: external_secret_key # -- Kubernetes Secret `externalsecret-data` KEY name remoteRef: - key: external_secrets # -- Same as 'externalsecrets_manifest["secret_manager_name"] - property: do_not_delete_this_key # -- AWS Secret-Manager secret key \ No newline at end of file + key: external_secrets_addon # -- AWS Secret Name, same as `var.external_secrets_extra_configs.secret_manager_name` + property: external_secret # -- AWS Secret-Manager secret key \ No newline at end of file diff --git a/_examples/complete/custom-iam-policies/external-secrets.json b/_examples/complete/custom-iam-policies/external-secrets.json new file mode 100644 index 0000000..6ecfff9 --- /dev/null +++ b/_examples/complete/custom-iam-policies/external-secrets.json @@ -0,0 +1,14 @@ +{ + "Statement": [ + { + "Action": [ + "secretsmanager:GetSecretValue", + "secretsmanager:DescribeSecret" + ], + "Effect": "Allow", + "Resource": "*", + "Sid": "ExternalSecretsDefault" + } + ], + "Version": "2012-10-17" +} \ No newline at end of file diff --git a/_examples/complete/main.tf b/_examples/complete/main.tf index 783b800..a2878d9 100644 --- a/_examples/complete/main.tf +++ b/_examples/complete/main.tf 
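Review bot: The new custom policy grants `secretsmanager:GetSecretValue` and `secretsmanager:DescribeSecret` on `"Resource": "*"`, which lets the external-secrets service account read every secret in the account, whereas the module's built-in default in `addons/external-secrets/main.tf` scopes the same actions to the `secret_manager_name*` ARN prefix. Because `_examples/complete/main.tf` wires this file in via `external_secrets_iampolicy_json_content`, the "complete" example silently widens the blast radius relative to the default. Scope it to the secret prefix, e.g. `"Resource": "arn:aws:secretsmanager:<region>:<account-id>:secret:external_secrets_addon*"`, or drop the file from the example and rely on the default; if the wildcard is intentional as a template, a top-of-file comment saying so is the minimum.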
@@ -217,30 +217,11 @@ module "addons" { kube_state_metrics_extra_configs = var.kube_state_metrics_extra_configs keda_extra_configs = var.keda_extra_configs certification_manager_extra_configs = var.certification_manager_extra_configs - - external_secrets_extra_configs = { - irsa_assume_role_policy = jsonencode({ - "Version" : "2012-10-17", - "Statement" : [ - { - "Effect" : "Allow", - "Principal" : { - "Federated" : module.eks.oidc_provider_arn - }, - "Action" : "sts:AssumeRoleWithWebIdentity", - "Condition" : { - "StringLike" : { - "${replace(module.eks.cluster_oidc_issuer_url, "https://", "")}:aud" : "sts.amazonaws.com" - } - } - } - ] - }) - secret_manager_name = "external_secrets_addon" - } + external_secrets_extra_configs = var.external_secrets_extra_configs # -- Custom IAM Policy Json for Addon's ServiceAccount cluster_autoscaler_iampolicy_json_content = file("./custom-iam-policies/cluster-autoscaler.json") + external_secrets_iampolicy_json_content = file("./custom-iam-policies/external-secrets.json") } module "addons-internal" { diff --git a/_examples/complete/outputs.tf b/_examples/complete/outputs.tf index 16df25d..aaa8146 100644 --- a/_examples/complete/outputs.tf +++ b/_examples/complete/outputs.tf @@ -15,4 +15,8 @@ output "update_kubeconfig" { output "velero_post_installation" { value = indent(2, "Once velero server is up and running you need the client before you can use it - \n 1. wget https://github.com/vmware-tanzu/velero/releases/download/v1.11.1/velero-v1.11.1-darwin-amd64.tar.gz \n 2. tar -xvf velero-v1.11.1-darwin-amd64.tar.gz -C velero-client") +} + +output "istio-ingress" { + value = indent(2, "Istio does not support the installation of istio-helmchart in a namespace other than istio-system. We have provided a namespace feature in case Istio-helmchart maintainers fix this issue.") } \ No newline at end of file diff --git a/_examples/complete/variables.tf b/_examples/complete/variables.tf index a1a2d6d..7a73cb5 100644 
--- a/_examples/complete/variables.tf +++ b/_examples/complete/variables.tf @@ -145,13 +145,11 @@ variable "istio_manifests_internal" { variable "istio_ingress_extra_configs_internal" { type = any default = { - name = "istio-ingress-internal" - namespace = "istio-system" - istiobase_release_name = "base-internal" - istiod_release_name = "istiod-internal" - create_namespace = true - install_istiobase = false - install_istiod = false + name = "istio-ingress-internal" + namespace = "istio-system" + create_namespace = false + install_istiobase = false + install_istiod = false } } @@ -168,4 +166,12 @@ variable "kiali_manifests" { variable "kiali_server_extra_configs" { type = any default = {} +} + +# ------------------ EXTERNAL SECRETS ------------------------------------------ +variable "external_secrets_extra_configs" { + type = any + default = { + secret_manager_name = "external_secrets_addon" + } } \ No newline at end of file diff --git a/addons/aws-ebs-csi-driver/locals.tf b/addons/aws-ebs-csi-driver/locals.tf index 0b7d0a8..f11d937 100644 --- a/addons/aws-ebs-csi-driver/locals.tf +++ b/addons/aws-ebs-csi-driver/locals.tf @@ -12,7 +12,7 @@ locals { lint = try(var.aws_ebs_csi_driver_extra_configs.lint, "false") repository_key_file = try(var.aws_ebs_csi_driver_extra_configs.repository_key_file, "") repository_cert_file = try(var.aws_ebs_csi_driver_extra_configs.repository_cert_file, "") - repository_username = try(var.aws_ebs_csi_driver_extra_configs.repository_password, "") + repository_username = try(var.aws_ebs_csi_driver_extra_configs.repository_username, "") repository_password = try(var.aws_ebs_csi_driver_extra_configs.repository_password, "") verify = try(var.aws_ebs_csi_driver_extra_configs.verify, "false") keyring = try(var.aws_ebs_csi_driver_extra_configs.keyring, "") 
@@ -33,11 +33,8 @@ locals { replace = try(var.aws_ebs_csi_driver_extra_configs.replace, "false") } - aws_ebs_csi_driver_extra_configs = var.aws_ebs_csi_driver_extra_configs - helm_config = merge( local.default_helm_config, var.helm_config, - local.aws_ebs_csi_driver_extra_configs ) } diff --git a/addons/aws-ebs-csi-driver/main.tf b/addons/aws-ebs-csi-driver/main.tf index 2c4b451..9aaba35 100644 --- a/addons/aws-ebs-csi-driver/main.tf +++ b/addons/aws-ebs-csi-driver/main.tf @@ -5,7 +5,6 @@ module "helm_addon" { helm_config = local.helm_config addon_context = var.addon_context - depends_on = [kubernetes_namespace_v1.this] set_values = [ { name = "controller.serviceAccount.create" @@ -59,12 +58,4 @@ resource "aws_iam_policy" "policy" { ] } EOT -} - -resource "kubernetes_namespace_v1" "this" { - count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0 - - metadata { - name = local.helm_config["namespace"] - } -} +} \ No newline at end of file diff --git a/addons/aws-efs-csi-driver/locals.tf b/addons/aws-efs-csi-driver/locals.tf index 2d87f9c..300af00 100644 --- a/addons/aws-efs-csi-driver/locals.tf +++ b/addons/aws-efs-csi-driver/locals.tf @@ -12,7 +12,7 @@ locals { lint = try(var.aws_efs_csi_driver_extra_configs.lint, "false") repository_key_file = try(var.aws_efs_csi_driver_extra_configs.repository_key_file, "") repository_cert_file = try(var.aws_efs_csi_driver_extra_configs.repository_cert_file, "") - repository_username = try(var.aws_efs_csi_driver_extra_configs.repository_password, "") + repository_username = try(var.aws_efs_csi_driver_extra_configs.repository_username, "") repository_password = try(var.aws_efs_csi_driver_extra_configs.repository_password, "") verify = try(var.aws_efs_csi_driver_extra_configs.verify, "false") keyring = try(var.aws_efs_csi_driver_extra_configs.keyring, "") diff --git a/addons/aws-efs-csi-driver/main.tf b/addons/aws-efs-csi-driver/main.tf index 905822e..36a236f 100644 
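Review bot: Dropping `resource "kubernetes_namespace_v1" "this"` from the configuration means that on the next apply against an existing deployment Terraform will plan to destroy that namespace, and deleting a namespace removes every object inside it, including the driver's own workloads. Unless the namespace is now created by the helm release (`create_namespace` in `local.helm_config` suggests so, but the helm_addon module is outside this diff), existing users need a migration step — `terraform state rm 'module.<addon>.kubernetes_namespace_v1.this[0]'` before upgrading, or on Terraform >= 1.7 a `removed { from = kubernetes_namespace_v1.this  lifecycle { destroy = false } }` block — and the README/changelog should say so. The same applies to every sibling addon that drops this resource in the commit.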
--- a/addons/aws-efs-csi-driver/main.tf +++ b/addons/aws-efs-csi-driver/main.tf @@ -5,7 +5,6 @@ module "helm_addon" { helm_config = local.helm_config addon_context = var.addon_context - depends_on = [kubernetes_namespace_v1.this] set_values = [ { name = "image.repository" @@ -93,12 +92,4 @@ resource "aws_iam_policy" "policy" { ] } EOT -} - -resource "kubernetes_namespace_v1" "this" { - count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0 - - metadata { - name = local.helm_config["namespace"] - } -} +} \ No newline at end of file diff --git a/addons/aws-load-balancer-controller/locals.tf b/addons/aws-load-balancer-controller/locals.tf index 5f057a9..4e95e0f 100644 --- a/addons/aws-load-balancer-controller/locals.tf +++ b/addons/aws-load-balancer-controller/locals.tf @@ -12,7 +12,7 @@ locals { lint = try(var.aws_load_balancer_controller_extra_configs.lint, "false") repository_key_file = try(var.aws_load_balancer_controller_extra_configs.repository_key_file, "") repository_cert_file = try(var.aws_load_balancer_controller_extra_configs.repository_cert_file, "") - repository_username = try(var.aws_load_balancer_controller_extra_configs.repository_password, "") + repository_username = try(var.aws_load_balancer_controller_extra_configs.repository_username, "") repository_password = try(var.aws_load_balancer_controller_extra_configs.repository_password, "") verify = try(var.aws_load_balancer_controller_extra_configs.verify, "false") keyring = try(var.aws_load_balancer_controller_extra_configs.keyring, "") @@ -33,11 +33,8 @@ locals { replace = try(var.aws_load_balancer_controller_extra_configs.replace, "false") } - aws_load_balancer_controller_extra_configs = var.aws_load_balancer_controller_extra_configs - helm_config = merge( local.default_helm_config, var.helm_config, - local.aws_load_balancer_controller_extra_configs ) } 
diff --git a/addons/aws-load-balancer-controller/main.tf b/addons/aws-load-balancer-controller/main.tf index 83b168e..e82364c 100644 --- a/addons/aws-load-balancer-controller/main.tf +++ b/addons/aws-load-balancer-controller/main.tf @@ -5,7 +5,6 @@ module "helm_addon" { helm_config = local.helm_config addon_context = var.addon_context - depends_on = [kubernetes_namespace_v1.this] set_values = [ { name = "clusterName" @@ -289,12 +288,4 @@ resource "aws_iam_policy" "policy" { ] } EOT -} - -resource "kubernetes_namespace_v1" "this" { - count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0 - - metadata { - name = local.helm_config["namespace"] - } -} +} \ No newline at end of file diff --git a/addons/aws-node-termination-handler/locals.tf b/addons/aws-node-termination-handler/locals.tf index 7078b1b..8aef89d 100644 --- a/addons/aws-node-termination-handler/locals.tf +++ b/addons/aws-node-termination-handler/locals.tf @@ -12,7 +12,7 @@ locals { lint = try(var.aws_node_termination_handler_extra_configs.lint, "false") repository_key_file = try(var.aws_node_termination_handler_extra_configs.repository_key_file, "") repository_cert_file = try(var.aws_node_termination_handler_extra_configs.repository_cert_file, "") - repository_username = try(var.aws_node_termination_handler_extra_configs.repository_password, "") + repository_username = try(var.aws_node_termination_handler_extra_configs.repository_username, "") repository_password = try(var.aws_node_termination_handler_extra_configs.repository_password, "") verify = try(var.aws_node_termination_handler_extra_configs.verify, "false") keyring = try(var.aws_node_termination_handler_extra_configs.keyring, "") 
@@ -33,11 +33,8 @@ locals { replace = try(var.aws_node_termination_handler_extra_configs.replace, "false") } - aws_node_termination_handler_extra_configs = var.aws_node_termination_handler_extra_configs - helm_config = merge( local.default_helm_config, var.helm_config, - local.aws_node_termination_handler_extra_configs ) } diff --git a/addons/aws-node-termination-handler/main.tf b/addons/aws-node-termination-handler/main.tf index ff859df..7c7af3d 100644 --- a/addons/aws-node-termination-handler/main.tf +++ b/addons/aws-node-termination-handler/main.tf @@ -4,14 +4,4 @@ module "helm_addon" { manage_via_gitops = var.manage_via_gitops helm_config = local.helm_config addon_context = var.addon_context - - depends_on = [kubernetes_namespace_v1.this] -} - -resource "kubernetes_namespace_v1" "this" { - count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0 - - metadata { - name = local.helm_config["namespace"] - } } diff --git a/addons/calico-tigera/locals.tf b/addons/calico-tigera/locals.tf index af782ae..3ecfbf2 100644 --- a/addons/calico-tigera/locals.tf +++ b/addons/calico-tigera/locals.tf @@ -13,7 +13,7 @@ locals { lint = try(var.calico_tigera_extra_configs.lint, "false") repository_key_file = try(var.calico_tigera_extra_configs.repository_key_file, "") repository_cert_file = try(var.calico_tigera_extra_configs.repository_cert_file, "") - repository_username = try(var.calico_tigera_extra_configs.repository_password, "") + repository_username = try(var.calico_tigera_extra_configs.repository_username, "") repository_password = try(var.calico_tigera_extra_configs.repository_password, "") verify = try(var.calico_tigera_extra_configs.verify, "false") keyring = try(var.calico_tigera_extra_configs.keyring, "") 
@@ -34,11 +34,8 @@ locals { replace = try(var.calico_tigera_extra_configs.replace, "false") } - calico_tigera_extra_configs = var.calico_tigera_extra_configs - helm_config = merge( local.default_helm_config, var.helm_config, - local.calico_tigera_extra_configs ) } \ No newline at end of file diff --git a/addons/calico-tigera/main.tf b/addons/calico-tigera/main.tf index dab205d..ff73b9f 100644 --- a/addons/calico-tigera/main.tf +++ b/addons/calico-tigera/main.tf @@ -4,17 +4,6 @@ module "helm_addon" { manage_via_gitops = var.manage_via_gitops helm_config = local.helm_config addon_context = var.addon_context - - depends_on = [kubernetes_namespace.this] - -} - -resource "kubernetes_namespace" "this" { - count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0 - - metadata { - name = local.helm_config["namespace"] - } } resource "kubectl_manifest" "calico_node" { diff --git a/addons/cert-manager/locals.tf b/addons/cert-manager/locals.tf index e4eb3c6..bd2261e 100644 --- a/addons/cert-manager/locals.tf +++ b/addons/cert-manager/locals.tf @@ -13,7 +13,7 @@ locals { lint = try(var.certification_manager_extra_configs.lint, "false") repository_key_file = try(var.certification_manager_extra_configs.repository_key_file, "") repository_cert_file = try(var.certification_manager_extra_configs.repository_cert_file, "") - repository_username = try(var.certification_manager_extra_configs.repository_password, "") + repository_username = try(var.certification_manager_extra_configs.repository_username, "") repository_password = try(var.certification_manager_extra_configs.repository_password, "") verify = try(var.certification_manager_extra_configs.verify, "false") keyring = try(var.certification_manager_extra_configs.keyring, "") diff --git a/addons/cluster-autoscaler/locals.tf b/addons/cluster-autoscaler/locals.tf index 142004b..5232fcc 100644 --- a/addons/cluster-autoscaler/locals.tf +++ b/addons/cluster-autoscaler/locals.tf 
@@ -12,7 +12,7 @@ locals { lint = try(var.cluster_autoscaler_extra_configs.lint, "false") repository_key_file = try(var.cluster_autoscaler_extra_configs.repository_key_file, "") repository_cert_file = try(var.cluster_autoscaler_extra_configs.repository_cert_file, "") - repository_username = try(var.cluster_autoscaler_extra_configs.repository_password, "") + repository_username = try(var.cluster_autoscaler_extra_configs.repository_username, "") repository_password = try(var.cluster_autoscaler_extra_configs.repository_password, "") verify = try(var.cluster_autoscaler_extra_configs.verify, "false") keyring = try(var.cluster_autoscaler_extra_configs.keyring, "") @@ -33,11 +33,8 @@ locals { replace = try(var.cluster_autoscaler_extra_configs.replace, "false") } - cluster_autoscaler_extra_configs = var.cluster_autoscaler_extra_configs - helm_config = merge( local.default_helm_config, var.helm_config, - local.cluster_autoscaler_extra_configs ) } diff --git a/addons/cluster-autoscaler/main.tf b/addons/cluster-autoscaler/main.tf index 1e008bd..e006b8a 100644 --- a/addons/cluster-autoscaler/main.tf +++ b/addons/cluster-autoscaler/main.tf @@ -5,7 +5,6 @@ module "helm_addon" { helm_config = local.helm_config addon_context = var.addon_context - depends_on = [kubernetes_namespace_v1.this] set_values = [ { name = "awsRegion" @@ -59,12 +58,4 @@ resource "aws_iam_policy" "policy" { "Version": "2012-10-17" } EOT -} - -resource "kubernetes_namespace_v1" "this" { - count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0 - - metadata { - name = local.helm_config["namespace"] - } } \ No newline at end of file diff --git a/addons/external-secrets/data.tf b/addons/external-secrets/data.tf index ed47092..05809aa 100644 --- a/addons/external-secrets/data.tf +++ b/addons/external-secrets/data.tf 
@@ -1,6 +1,5 @@ +data "aws_region" "current" {} +data "aws_caller_identity" "current" {} data "aws_eks_cluster" "eks_cluster" { - # this makes downstream resources wait for data plane to be ready name = var.eks_cluster_name -} - -data "aws_region" "current" {} \ No newline at end of file +} \ No newline at end of file diff --git a/addons/external-secrets/locals.tf b/addons/external-secrets/locals.tf index f25113e..78f7700 100644 --- a/addons/external-secrets/locals.tf +++ b/addons/external-secrets/locals.tf @@ -13,7 +13,7 @@ locals { lint = try(var.external_secrets_extra_configs.lint, "false") repository_key_file = try(var.external_secrets_extra_configs.repository_key_file, "") repository_cert_file = try(var.external_secrets_extra_configs.repository_cert_file, "") - repository_username = try(var.external_secrets_extra_configs.repository_password, "") + repository_username = try(var.external_secrets_extra_configs.repository_username, "") repository_password = try(var.external_secrets_extra_configs.repository_password, "") verify = try(var.external_secrets_extra_configs.verify, "false") keyring = try(var.external_secrets_extra_configs.keyring, "") @@ -34,11 +34,8 @@ locals { replace = try(var.external_secrets_extra_configs.replace, "false") } - external_secrets_extra_configs = var.external_secrets_extra_configs - helm_config = merge( local.default_helm_config, var.helm_config, - local.external_secrets_extra_configs ) } diff --git a/addons/external-secrets/main.tf b/addons/external-secrets/main.tf index bf27916..e15e036 100644 --- a/addons/external-secrets/main.tf +++ b/addons/external-secrets/main.tf 
@@ -44,31 +44,45 @@ module "helm_addon" { account_id = var.account_id } - irsa_assume_role_policy = var.external_secrets_extra_configs.irsa_assume_role_policy - + irsa_assume_role_policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Principal" : { + "Federated" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${replace(data.aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer, "https://", "")}" + }, + "Action" : "sts:AssumeRoleWithWebIdentity", + "Condition" : { + "StringLike" : { + "${replace(data.aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer, "https://", "")}:aud" : "sts.amazonaws.com" + } + } + } + ] + }) } resource "aws_iam_policy" "policy" { name = "${local.name}-${var.eks_cluster_name}" path = "/" description = "IAM Policy used by ${local.name}-${var.eks_cluster_name} IAM Role" - policy = data.aws_iam_policy_document.iam-policy.json -} - -data "aws_iam_policy_document" "iam-policy" { - version = "2012-10-17" - - statement { - sid = "VisualEditor0" - effect = "Allow" - actions = [ - "secretsmanager:GetSecretValue", - "secretsmanager:DescribeSecret", - ] - resources = [ - "arn:aws:secretsmanager:${data.aws_region.current.name}:${var.account_id}:secret:${var.external_secrets_extra_configs.secret_manager_name}*", - ] - } + policy = var.iampolicy_json_content != null ? var.iampolicy_json_content : <<-EOT +{ + "Statement": [ + { + "Action": [ + "secretsmanager:GetSecretValue", + "secretsmanager:DescribeSecret" + ], + "Effect": "Allow", + "Resource": "arn:aws:secretsmanager:${data.aws_region.current.name}:${var.account_id}:secret:${try(var.external_secrets_extra_configs.secret_manager_name, "external_secrets_addon")}*", + "Sid": "ExternalSecretsDefault" + } + ], + "Version": "2012-10-17" +} + EOT } module "secrets_manager" { 
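Review bot: The hard-coded IRSA trust policy only constrains `:aud` to `sts.amazonaws.com` and has no condition on `:sub`, so any service account in any namespace of the cluster can call `sts:AssumeRoleWithWebIdentity` on this role and read whatever Secrets Manager secrets it is scoped to. Before this change the caller supplied `irsa_assume_role_policy` and could add that condition; now it cannot be overridden, so the module itself should pin the subject to the external-secrets service account (the SA name and namespace the helm_addon module creates are not visible in this hunk — the `local.name` used below is a guess that must match the real SA). Separately, the trust policy derives the OIDC provider ARN from `data.aws_caller_identity.current.account_id` while the permissions policy below uses `var.account_id`; if those ever differ the role is unusable, so use one source for both.
```hcl
  irsa_assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal" : {
          "Federated" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${replace(data.aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer, "https://", "")}"
        },
        "Action" : "sts:AssumeRoleWithWebIdentity",
        "Condition" : {
          "StringEquals" : {
            "${replace(data.aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer, "https://", "")}:aud" : "sts.amazonaws.com",
            # confirm: must be the exact namespace/name of the SA the helm_addon module creates
            "${replace(data.aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer, "https://", "")}:sub" : "system:serviceaccount:${local.helm_config["namespace"]}:${local.name}"
          }
        }
      }
    ]
  })
  # … unchanged: aws_iam_policy "policy" with the var.iampolicy_json_content override …
```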
@@ -79,10 +93,10 @@ module "secrets_manager" { name = "secrets-manager" secrets = [ { - name = try(var.external_secrets_extra_configs.secret_manager_name, "external_secret") + name = try(var.external_secrets_extra_configs.secret_manager_name, "external_secrets_addon") description = try(var.external_secrets_extra_configs.secret_manager_description, "AWS EKS external-secrets helm addon.") secret_key_value = { - external_secret = "external_secret_addon" + external_secret = "external_secret_addon_data" } recovery_window_in_days = try(var.external_secrets_extra_configs.recovery_window_in_days, 7) } diff --git a/addons/external-secrets/variables.tf b/addons/external-secrets/variables.tf index 9ea9bb7..a591b4e 100644 --- a/addons/external-secrets/variables.tf +++ b/addons/external-secrets/variables.tf @@ -39,4 +39,10 @@ variable "external_secrets_extra_configs" { description = "Override attributes of helm_release terraform resource" type = any default = {} +} + +variable "iampolicy_json_content" { + description = "Custom IAM Policy for External-Secrets IRSA" + type = string + default = null } \ No newline at end of file diff --git a/addons/fluent-bit/locals.tf b/addons/fluent-bit/locals.tf index f9329a1..82d7d1c 100644 --- a/addons/fluent-bit/locals.tf +++ b/addons/fluent-bit/locals.tf @@ -13,7 +13,7 @@ locals { lint = try(var.fluent_bit_extra_configs.lint, "false") repository_key_file = try(var.fluent_bit_extra_configs.repository_key_file, "") repository_cert_file = try(var.fluent_bit_extra_configs.repository_cert_file, "") - repository_username = try(var.fluent_bit_extra_configs.repository_password, "") + repository_username = try(var.fluent_bit_extra_configs.repository_username, "") repository_password = try(var.fluent_bit_extra_configs.repository_password, "") verify = try(var.fluent_bit_extra_configs.verify, "false") keyring = try(var.fluent_bit_extra_configs.keyring, "") 
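Review bot: `iampolicy_json_content` is interpolated verbatim into `aws_iam_policy.policy.policy` whenever it is non-null, so a malformed or non-JSON document only fails at apply time with an opaque `MalformedPolicyDocument` error from IAM; a `validation` block that parses it at plan time catches this before anything is created. The description should also say that the document replaces (not extends) the module's scoped default, since a caller passing a broad policy here silently discards the `secret_manager_name*` resource restriction.
```hcl
variable "iampolicy_json_content" {
  # … unchanged: description, type, default …
  validation {
    condition     = var.iampolicy_json_content == null || can(jsondecode(var.iampolicy_json_content))
    error_message = "iampolicy_json_content must be a valid JSON IAM policy document; it replaces the module's scoped default policy."
  }
}
```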
@@ -34,11 +34,8 @@ locals { replace = try(var.fluent_bit_extra_configs.replace, "false") } - fluent_bit_extra_configs = var.fluent_bit_extra_configs - helm_config = merge( local.default_helm_config, var.helm_config, - local.fluent_bit_extra_configs ) } diff --git a/addons/ingress-nginx/locals.tf b/addons/ingress-nginx/locals.tf index 66cdc12..d5f7350 100644 --- a/addons/ingress-nginx/locals.tf +++ b/addons/ingress-nginx/locals.tf @@ -12,7 +12,7 @@ locals { lint = try(var.ingress_nginx_extra_configs.lint, "false") repository_key_file = try(var.ingress_nginx_extra_configs.repository_key_file, "") repository_cert_file = try(var.ingress_nginx_extra_configs.repository_cert_file, "") - repository_username = try(var.ingress_nginx_extra_configs.repository_password, "") + repository_username = try(var.ingress_nginx_extra_configs.repository_username, "") repository_password = try(var.ingress_nginx_extra_configs.repository_password, "") verify = try(var.ingress_nginx_extra_configs.verify, "false") keyring = try(var.ingress_nginx_extra_configs.keyring, "") @@ -33,11 +33,8 @@ locals { replace = try(var.ingress_nginx_extra_configs.replace, "false") } - ingress_nginx_extra_configs = var.ingress_nginx_extra_configs - helm_config = merge( local.default_helm_config, var.helm_config, - local.ingress_nginx_extra_configs ) } \ No newline at end of file diff --git a/addons/ingress-nginx/main.tf b/addons/ingress-nginx/main.tf index 09896d6..1c7f1a8 100644 --- a/addons/ingress-nginx/main.tf +++ b/addons/ingress-nginx/main.tf @@ -4,14 +4,4 @@ module "helm_addon" { manage_via_gitops = var.manage_via_gitops helm_config = local.helm_config addon_context = var.addon_context - - depends_on = [kubernetes_namespace_v1.this] -} - -resource "kubernetes_namespace_v1" "this" { - count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0 - - metadata { - name = local.helm_config["namespace"] - } } \ No newline at end of file 
diff --git a/addons/istio-ingress/locals.tf b/addons/istio-ingress/locals.tf index 8ca4f96..d35883c 100644 --- a/addons/istio-ingress/locals.tf +++ b/addons/istio-ingress/locals.tf @@ -35,7 +35,7 @@ locals { lint = try(var.istio_ingress_extra_configs.lint, "false") repository_key_file = try(var.istio_ingress_extra_configs.repository_key_file, "") repository_cert_file = try(var.istio_ingress_extra_configs.repository_cert_file, "") - repository_username = try(var.istio_ingress_extra_configs.repository_password, "") + repository_username = try(var.istio_ingress_extra_configs.repository_username, "") repository_password = try(var.istio_ingress_extra_configs.repository_password, "") verify = try(var.istio_ingress_extra_configs.verify, "false") keyring = try(var.istio_ingress_extra_configs.keyring, "") @@ -56,11 +56,8 @@ locals { replace = try(var.istio_ingress_extra_configs.replace, "false") } - istio_ingress_extra_configs = var.istio_ingress_extra_configs - helm_config = merge( local.default_helm_config, var.helm_config, - local.istio_ingress_extra_configs ) } diff --git a/addons/karpenter/locals.tf b/addons/karpenter/locals.tf index fab7de1..81e2d79 100644 --- a/addons/karpenter/locals.tf +++ b/addons/karpenter/locals.tf @@ -12,7 +12,7 @@ locals { lint = try(var.karpenter_extra_configs.lint, "false") repository_key_file = try(var.karpenter_extra_configs.repository_key_file, "") repository_cert_file = try(var.karpenter_extra_configs.repository_cert_file, "") - repository_username = try(var.karpenter_extra_configs.repository_password, "") + repository_username = try(var.karpenter_extra_configs.repository_username, "") repository_password = try(var.karpenter_extra_configs.repository_password, "") verify = try(var.karpenter_extra_configs.verify, "false") keyring = try(var.karpenter_extra_configs.keyring, "") 
@@ -33,11 +33,8 @@ locals { replace = try(var.karpenter_extra_configs.replace, "false") } - karpenter_extra_configs = var.karpenter_extra_configs - helm_config = merge( local.default_helm_config, var.helm_config, - local.karpenter_extra_configs ) } diff --git a/addons/karpenter/main.tf b/addons/karpenter/main.tf index 7cd29c1..cbad60a 100644 --- a/addons/karpenter/main.tf +++ b/addons/karpenter/main.tf @@ -5,7 +5,6 @@ module "helm_addon" { helm_config = local.helm_config addon_context = var.addon_context - depends_on = [kubernetes_namespace_v1.this] set_values = [ { name = "serviceAccount.create" @@ -83,12 +82,4 @@ resource "aws_iam_policy" "policy" { "Version": "2012-10-17" } EOT -} - -resource "kubernetes_namespace_v1" "this" { - count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0 - - metadata { - name = local.helm_config["namespace"] - } -} +} \ No newline at end of file diff --git a/addons/keda/main.tf b/addons/keda/main.tf index d9d1876..1c7f1a8 100644 --- a/addons/keda/main.tf +++ b/addons/keda/main.tf @@ -4,5 +4,4 @@ module "helm_addon" { manage_via_gitops = var.manage_via_gitops helm_config = local.helm_config addon_context = var.addon_context - } \ No newline at end of file diff --git a/addons/kiali-server/locals.tf b/addons/kiali-server/locals.tf index 3d541fe..6c4d6c5 100644 --- a/addons/kiali-server/locals.tf +++ b/addons/kiali-server/locals.tf 
@@ -12,7 +12,7 @@ locals { lint = try(var.kiali_server_extra_configs.lint, "false") repository_key_file = try(var.kiali_server_extra_configs.repository_key_file, "") repository_cert_file = try(var.kiali_server_extra_configs.repository_cert_file, "") - repository_username = try(var.kiali_server_extra_configs.repository_password, "") + repository_username = try(var.kiali_server_extra_configs.repository_username, "") repository_password = try(var.kiali_server_extra_configs.repository_password, "") verify = try(var.kiali_server_extra_configs.verify, "false") keyring = try(var.kiali_server_extra_configs.keyring, "") @@ -33,11 +33,8 @@ locals { replace = try(var.kiali_server_extra_configs.replace, "false") } - kiali_server_extra_configs = var.kiali_server_extra_configs - helm_config = merge( local.default_helm_config, var.helm_config, - local.kiali_server_extra_configs ) } diff --git a/addons/kube-state-metrics/locals.tf b/addons/kube-state-metrics/locals.tf index a7ff591..7657bc9 100644 --- a/addons/kube-state-metrics/locals.tf +++ b/addons/kube-state-metrics/locals.tf @@ -13,7 +13,7 @@ locals { lint = try(var.kube_state_metrics_extra_configs.lint, "false") repository_key_file = try(var.kube_state_metrics_extra_configs.repository_key_file, "") repository_cert_file = try(var.kube_state_metrics_extra_configs.repository_cert_file, "") - repository_username = try(var.kube_state_metrics_extra_configs.repository_password, "") + repository_username = try(var.kube_state_metrics_extra_configs.repository_username, "") repository_password = try(var.kube_state_metrics_extra_configs.repository_password, "") verify = try(var.kube_state_metrics_extra_configs.verify, "false") keyring = try(var.kube_state_metrics_extra_configs.keyring, "") diff --git a/addons/kubeclarity/locals.tf b/addons/kubeclarity/locals.tf index ff9740a..9c002ce 100644 --- a/addons/kubeclarity/locals.tf +++ b/addons/kubeclarity/locals.tf 
@@ -13,7 +13,7 @@ locals { lint = try(var.kubeclarity_extra_configs.lint, "false") repository_key_file = try(var.kubeclarity_extra_configs.repository_key_file, "") repository_cert_file = try(var.kubeclarity_extra_configs.repository_cert_file, "") - repository_username = try(var.kubeclarity_extra_configs.repository_password, "") + repository_username = try(var.kubeclarity_extra_configs.repository_username, "") repository_password = try(var.kubeclarity_extra_configs.repository_password, "") verify = try(var.kubeclarity_extra_configs.verify, "false") keyring = try(var.kubeclarity_extra_configs.keyring, "") @@ -34,11 +34,8 @@ locals { replace = try(var.kubeclarity_extra_configs.replace, "false") } - kubeclarity_extra_configs = var.kubeclarity_extra_configs - helm_config = merge( local.default_helm_config, var.helm_config, - local.kubeclarity_extra_configs ) } diff --git a/addons/metrics-server/locals.tf b/addons/metrics-server/locals.tf index 05a6ff5..2eaa736 100644 --- a/addons/metrics-server/locals.tf +++ b/addons/metrics-server/locals.tf @@ -13,7 +13,7 @@ locals { lint = try(var.metrics_server_extra_configs.lint, "false") repository_key_file = try(var.metrics_server_extra_configs.repository_key_file, "") repository_cert_file = try(var.metrics_server_extra_configs.repository_cert_file, "") - repository_username = try(var.metrics_server_extra_configs.repository_password, "") + repository_username = try(var.metrics_server_extra_configs.repository_username, "") repository_password = try(var.metrics_server_extra_configs.repository_password, "") verify = try(var.metrics_server_extra_configs.verify, "false") keyring = try(var.metrics_server_extra_configs.keyring, "") @@ -34,11 +34,8 @@ locals { replace = try(var.metrics_server_extra_configs.replace, "false") } - metrics_server_extra_configs = var.metrics_server_extra_configs - helm_config = merge( local.default_helm_config, var.helm_config, - local.metrics_server_extra_configs ) } 
diff --git a/addons/metrics-server/main.tf b/addons/metrics-server/main.tf index ff859df..7c7af3d 100644 --- a/addons/metrics-server/main.tf +++ b/addons/metrics-server/main.tf @@ -4,14 +4,4 @@ module "helm_addon" { manage_via_gitops = var.manage_via_gitops helm_config = local.helm_config addon_context = var.addon_context - - depends_on = [kubernetes_namespace_v1.this] -} - -resource "kubernetes_namespace_v1" "this" { - count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0 - - metadata { - name = local.helm_config["namespace"] - } } diff --git a/addons/nri-bundle/locals.tf b/addons/nri-bundle/locals.tf index 2e72eac..817fba4 100644 --- a/addons/nri-bundle/locals.tf +++ b/addons/nri-bundle/locals.tf @@ -14,7 +14,7 @@ locals { lint = try(var.new_relic_extra_configs.lint, "false") repository_key_file = try(var.new_relic_extra_configs.repository_key_file, "") repository_cert_file = try(var.new_relic_extra_configs.repository_cert_file, "") - repository_username = try(var.new_relic_extra_configs.repository_password, "") + repository_username = try(var.new_relic_extra_configs.repository_username, "") repository_password = try(var.new_relic_extra_configs.repository_password, "") verify = try(var.new_relic_extra_configs.verify, "false") keyring = try(var.new_relic_extra_configs.keyring, "") @@ -35,11 +35,8 @@ locals { replace = try(var.new_relic_extra_configs.replace, "false") } - new_relic_extra_configs = var.new_relic_extra_configs - helm_config = merge( local.default_helm_config, var.helm_config, - local.new_relic_extra_configs ) } diff --git a/addons/velero/locals.tf b/addons/velero/locals.tf index 29b97dc..81fa31e 100644 --- a/addons/velero/locals.tf +++ b/addons/velero/locals.tf 
@@ -13,7 +13,7 @@ locals { lint = try(var.velero_extra_configs.lint, "false") repository_key_file = try(var.velero_extra_configs.repository_key_file, "") repository_cert_file = try(var.velero_extra_configs.repository_cert_file, "") - repository_username = try(var.velero_extra_configs.repository_password, "") + repository_username = try(var.velero_extra_configs.repository_username, "") repository_password = try(var.velero_extra_configs.repository_password, "") verify = try(var.velero_extra_configs.verify, "false") keyring = try(var.velero_extra_configs.keyring, "") diff --git a/main.tf b/main.tf index bdd729c..2f921d7 100644 --- a/main.tf +++ b/main.tf @@ -117,6 +117,7 @@ module "external_secrets" { eks_cluster_name = data.aws_eks_cluster.eks_cluster.name account_id = data.aws_caller_identity.current.account_id external_secrets_extra_configs = var.external_secrets_extra_configs + iampolicy_json_content = var.external_secrets_iampolicy_json_content } module "ingress_nginx" { diff --git a/outputs.tf b/outputs.tf index 1a7a2ba..d002e94 100644 --- a/outputs.tf +++ b/outputs.tf @@ -159,6 +159,10 @@ output "external_secrets_repository" { value = module.ingress_nginx[*].repository description = "helm repository url of external-secrets" } +output "external_secrets_iam_policy" { + value = module.external_secrets[*].iam_policy + description = "Name of IAM Policy used in external-secrets irsa" +} #----------- INGRESS NGINX --------------------- output "ingress_nginx_namespace" { diff --git a/variables.tf b/variables.tf index ad21daf..b7842c9 100644 --- a/variables.tf +++ b/variables.tf @@ -260,6 +260,12 @@ variable "external_secrets_extra_configs" { default = {} } +variable "external_secrets_iampolicy_json_content" { + description = "Custom IAM Policy for External-Secrets IRSA" + type = string + default = null +} + #------------------ INGRESS NGINX ------------------------- variable "ingress_nginx" { description = "Enable ingress nginx add-on"
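Review bot: The existing `external_secrets_repository` output in the context lines reads `module.ingress_nginx[*].repository`, so it reports the ingress-nginx chart repository under an external-secrets name; since the new `external_secrets_iam_policy` output correctly uses `module.external_secrets[*].iam_policy`, the line above it should become `value = module.external_secrets[*].repository`. The new description says "Name of IAM Policy"; if `iam_policy` actually exposes an ARN the wording should say so, which cannot be told from this diff.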
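Review bot: `external_secrets_iampolicy_json_content` accepts any string and, when set, becomes the IAM policy attached to the external-secrets IRSA role, so a malformed document only fails at apply time and nothing guides users toward a scoped policy. Add `validation { condition = var.external_secrets_iampolicy_json_content == null || can(jsondecode(var.external_secrets_iampolicy_json_content)); error_message = "external_secrets_iampolicy_json_content must be a valid JSON policy document." }` and extend the description to state that `null` falls back to the module's default policy and that a custom policy should restrict `Resource` to the specific Secrets Manager secret ARNs rather than `*`. How `module.external_secrets` treats `null` is not visible here.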