Add eks-addon module

tedilabs · Nov 10, 2023 · 192349c · 192349c
1 parent 41e2cac
commit 192349c
Show file tree

Hide file tree

Showing 9 changed files with 342 additions and 1 deletion.
diff --git a/.github/labeler.yaml b/.github/labeler.yaml
@@ -5,6 +5,9 @@
 ":floppy_disk: ecr-repository":
 - modules/ecr-repository/**/*
 
+":floppy_disk: eks-addon":
+- modules/eks-addon/**/*
+
 ":floppy_disk: eks-aws-auth":
 - modules/eks-aws-auth/**/*
 

diff --git a/.github/labels.yaml b/.github/labels.yaml
@@ -46,6 +46,9 @@
 - color: "fbca04"
   description: "This issue or pull request is related to ecr-repository module."
   name: ":floppy_disk: ecr-repository"
+- color: "fbca04"
+  description: "This issue or pull request is related to eks-addon module."
+  name: ":floppy_disk: eks-addon"
 - color: "fbca04"
   description: "This issue or pull request is related to eks-aws-auth module."
   name: ":floppy_disk: eks-aws-auth"

diff --git a/README.md b/README.md
@@ -8,6 +8,7 @@ Terraform module which creates resources for container services on AWS.
 
 - [ecr-registry](./modules/ecr-registry)
 - [ecr-repository](./modules/ecr-repository)
+- [eks-addon](./modules/eks-addon)
 - [eks-aws-auth](./modules/eks-aws-auth)
 - [eks-cluster](./modules/eks-cluster)
 - [eks-fargate-profile](./modules/eks-fargate-profile)
@@ -27,7 +28,8 @@ Terraform Modules from [this package](https://github.com/tedilabs/terraform-aws-
     - Scanning
 - **AWS EKS (Elastic Kubernetes Service)**
   - Control Plane
-  - Node Group with ASG
+  - Add-on
+  - Self-Managed Node Group (with ASG)
   - Fargate Profile
   - IRSA (IAM Role for ServiceAccount)
 

diff --git a/modules/eks-addon/README.md b/modules/eks-addon/README.md
@@ -0,0 +1,66 @@
+# eks-addon
+
+This module creates following resources.
+
+- `aws_eks_addon`
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.47 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.24.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_eks_addon.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | (Required) The name of the Amazon EKS cluster to add the EKS add-on to. | `string` | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | (Required) The name of the EKS add-on. | `string` | n/a | yes |
+| <a name="input_addon_version"></a> [addon\_version](#input\_addon\_version) | (Optional) The version of the add-on. | `string` | `null` | no |
+| <a name="input_configuration"></a> [configuration](#input\_configuration) | (Optional) The set of configuration values for the add-on. This JSON string value must match the JSON schema derived from `describe-addon-configuration`. | `string` | `null` | no |
+| <a name="input_conflict_resolution_strategy_on_create"></a> [conflict\_resolution\_strategy\_on\_create](#input\_conflict\_resolution\_strategy\_on\_create) | (Optional) How to resolve field value conflicts when migrating a self-managed add-on to an EKS add-on. Valid values are `NONE` and `OVERWRITE`. Defaults to `OVERWRITE`.<br>    `NONE` - If the self-managed version of the add-on is installed on the cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail.<br>    `OVERWRITE` - If the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value. | `string` | `"OVERWRITE"` | no |
+| <a name="input_conflict_resolution_strategy_on_update"></a> [conflict\_resolution\_strategy\_on\_update](#input\_conflict\_resolution\_strategy\_on\_update) | (Optional) How to resolve field value conflicts for an EKS add-on if you've changed a value from the EKS default value. Valid values are `NONE`, `OVERWRITE` and `PRESERVE`. Defaults to `OVERWRITE`.<br>    `NONE` - Amazon EKS doesn't change the value. The update might fail.<br>    `OVERWRITE` - Amazon EKS overwrites the changed value back to the Amazon EKS default value.<br>    `PRESERVE` - Amazon EKS preserves the value. If you choose this option, we recommend that you test any field and value changes on a non-production cluster before updating the add-on on the production cluster. | `string` | `"OVERWRITE"` | no |
+| <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
+| <a name="input_preserve_on_delete"></a> [preserve\_on\_delete](#input\_preserve\_on\_delete) | (Optional) Whether to preserve the created Kubernetes resources on the cluster when deleting the EKS add-on. Defaults to `false`. | `bool` | `false` | no |
+| <a name="input_resource_group_description"></a> [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no |
+| <a name="input_resource_group_enabled"></a> [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no |
+| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no |
+| <a name="input_service_account_role"></a> [service\_account\_role](#input\_service\_account\_role) | (Optional) The ARN (Amazon Resource Name) of the IAM Role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role. | `string` | `null` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
+| <a name="input_timeouts"></a> [timeouts](#input\_timeouts) | (Optional) How long to wait for the EKS Fargate Profile to be created/updated/deleted. | <pre>object({<br>    create = optional(string, "20m")<br>    update = optional(string, "20m")<br>    delete = optional(string, "40m")<br>  })</pre> | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_addon_version"></a> [addon\_version](#output\_addon\_version) | The version of the EKS add-on. |
+| <a name="output_arn"></a> [arn](#output\_arn) | The ARN of the EKS add-on. |
+| <a name="output_cluster_name"></a> [cluster\_name](#output\_cluster\_name) | The name of the EKS cluster. |
+| <a name="output_conflict_resolution_strategy_on_create"></a> [conflict\_resolution\_strategy\_on\_create](#output\_conflict\_resolution\_strategy\_on\_create) | How to resolve field value conflicts when migrating a self-managed add-on to an EKS add-on. |
+| <a name="output_conflict_resolution_strategy_on_update"></a> [conflict\_resolution\_strategy\_on\_update](#output\_conflict\_resolution\_strategy\_on\_update) | How to resolve field value conflicts for an EKS add-on if you've changed a value from the EKS default value. |
+| <a name="output_created_at"></a> [created\_at](#output\_created\_at) | Date and time in RFC3339 format that the EKS add-on was created. |
+| <a name="output_id"></a> [id](#output\_id) | The ID of the EKS add-on. |
+| <a name="output_name"></a> [name](#output\_name) | The name of the EKS add-on. |
+| <a name="output_service_account_role"></a> [service\_account\_role](#output\_service\_account\_role) | The ARN (Amazon Resource Name) of the IAM Role to bind to the add-on's service account |
+| <a name="output_updated_at"></a> [updated\_at](#output\_updated\_at) | Date and time in RFC3339 format that the EKS add-on was updated. |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/eks-addon/main.tf b/modules/eks-addon/main.tf
@@ -0,0 +1,49 @@
+locals {
+  metadata = {
+    package = "terraform-aws-container"
+    version = trimspace(file("${path.module}/../../VERSION"))
+    module  = basename(path.module)
+    name    = var.name
+  }
+  module_tags = var.module_tags_enabled ? {
+    "module.terraform.io/package"   = local.metadata.package
+    "module.terraform.io/version"   = local.metadata.version
+    "module.terraform.io/name"      = local.metadata.module
+    "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}"
+    "module.terraform.io/instance"  = local.metadata.name
+  } : {}
+}
+
+
+###################################################
+# EKS Addon
+###################################################
+
+resource "aws_eks_addon" "this" {
+  cluster_name = var.cluster_name
+
+  addon_name    = var.name
+  addon_version = var.addon_version
+
+  configuration_values = var.configuration
+
+  service_account_role_arn = var.service_account_role
+
+  resolve_conflicts_on_create = var.conflict_resolution_strategy_on_create
+  resolve_conflicts_on_update = var.conflict_resolution_strategy_on_update
+  preserve                    = var.preserve_on_delete
+
+  timeouts {
+    create = var.timeouts.create
+    update = var.timeouts.update
+    delete = var.timeouts.delete
+  }
+
+  tags = merge(
+    {
+      "Name" = var.name
+    },
+    local.module_tags,
+    var.tags,
+  )
+}
diff --git a/modules/eks-addon/outputs.tf b/modules/eks-addon/outputs.tf
@@ -0,0 +1,49 @@
+output "cluster_name" {
+  description = "The name of the EKS cluster."
+  value       = aws_eks_addon.this.cluster_name
+}
+
+output "name" {
+  description = "The name of the EKS add-on."
+  value       = aws_eks_addon.this.addon_name
+}
+
+output "addon_version" {
+  description = "The version of the EKS add-on."
+  value       = aws_eks_addon.this.addon_version
+}
+
+output "id" {
+  description = "The ID of the EKS add-on."
+  value       = aws_eks_addon.this.id
+}
+
+output "arn" {
+  description = "The ARN of the EKS add-on."
+  value       = aws_eks_addon.this.arn
+}
+
+output "created_at" {
+  description = "Date and time in RFC3339 format that the EKS add-on was created."
+  value       = aws_eks_addon.this.created_at
+}
+
+output "updated_at" {
+  description = "Date and time in RFC3339 format that the EKS add-on was updated."
+  value       = aws_eks_addon.this.modified_at
+}
+
+output "service_account_role" {
+  description = "The ARN (Amazon Resource Name) of the IAM Role to bind to the add-on's service account"
+  value       = aws_eks_addon.this.service_account_role_arn
+}
+
+output "conflict_resolution_strategy_on_create" {
+  description = "How to resolve field value conflicts when migrating a self-managed add-on to an EKS add-on."
+  value       = aws_eks_addon.this.resolve_conflicts_on_create
+}
+
+output "conflict_resolution_strategy_on_update" {
+  description = "How to resolve field value conflicts for an EKS add-on if you've changed a value from the EKS default value."
+  value       = aws_eks_addon.this.resolve_conflicts_on_update
+}
diff --git a/modules/eks-addon/resource-group.tf b/modules/eks-addon/resource-group.tf
@@ -0,0 +1,31 @@
+locals {
+  resource_group_name = (var.resource_group_name != ""
+    ? var.resource_group_name
+    : join(".", [
+      local.metadata.package,
+      local.metadata.module,
+      replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"),
+    ])
+  )
+}
+
+
+module "resource_group" {
+  source  = "tedilabs/misc/aws//modules/resource-group"
+  version = "~> 0.10.0"
+
+  count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0
+
+  name        = local.resource_group_name
+  description = var.resource_group_description
+
+  query = {
+    resource_tags = local.module_tags
+  }
+
+  module_tags_enabled = false
+  tags = merge(
+    local.module_tags,
+    var.tags,
+  )
+}
diff --git a/modules/eks-addon/variables.tf b/modules/eks-addon/variables.tf
@@ -0,0 +1,128 @@
+variable "cluster_name" {
+  description = "(Required) The name of the Amazon EKS cluster to add the EKS add-on to."
+  type        = string
+  nullable    = false
+}
+
+variable "name" {
+  description = "(Required) The name of the EKS add-on."
+  type        = string
+  nullable    = false
+}
+
+variable "addon_version" {
+  description = "(Optional) The version of the add-on."
+  type        = string
+  default     = null
+  nullable    = true
+}
+
+variable "configuration" {
+  description = "(Optional) The set of configuration values for the add-on. This JSON string value must match the JSON schema derived from `describe-addon-configuration`."
+  type        = string
+  default     = null
+  nullable    = true
+}
+
+variable "service_account_role" {
+  description = <<EOF
+  (Optional) The ARN (Amazon Resource Name) of the IAM Role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role.
+  EOF
+  type        = string
+  default     = null
+  nullable    = true
+}
+
+variable "conflict_resolution_strategy_on_create" {
+  description = <<EOF
+  (Optional) How to resolve field value conflicts when migrating a self-managed add-on to an EKS add-on. Valid values are `NONE` and `OVERWRITE`. Defaults to `OVERWRITE`.
+    `NONE` - If the self-managed version of the add-on is installed on the cluster, Amazon EKS doesn't change the value. Creation of the add-on might fail.
+    `OVERWRITE` - If the self-managed version of the add-on is installed on your cluster and the Amazon EKS default value is different than the existing value, Amazon EKS changes the value to the Amazon EKS default value.
+  EOF
+  type        = string
+  default     = "OVERWRITE"
+  nullable    = false
+
+  validation {
+    condition     = contains(["NONE", "OVERWRITE"], var.conflict_resolution_strategy_on_create)
+    error_message = "Valid values for `conflict_resolution_strategy_on_create` are `NONE` and `OVERWRITE`."
+  }
+}
+
+variable "conflict_resolution_strategy_on_update" {
+  description = <<EOF
+  (Optional) How to resolve field value conflicts for an EKS add-on if you've changed a value from the EKS default value. Valid values are `NONE`, `OVERWRITE` and `PRESERVE`. Defaults to `OVERWRITE`.
+    `NONE` - Amazon EKS doesn't change the value. The update might fail.
+    `OVERWRITE` - Amazon EKS overwrites the changed value back to the Amazon EKS default value.
+    `PRESERVE` - Amazon EKS preserves the value. If you choose this option, we recommend that you test any field and value changes on a non-production cluster before updating the add-on on the production cluster.
+
+  EOF
+  type        = string
+  default     = "OVERWRITE"
+  nullable    = false
+
+  validation {
+    condition     = contains(["NONE", "OVERWRITE", "PRESERVE"], var.conflict_resolution_strategy_on_update)
+    error_message = "Valid values for `conflict_resolution_strategy_on_update` are `NONE`, `OVERWRITE` and `PRESERVE`."
+  }
+}
+
+variable "preserve_on_delete" {
+  description = <<EOF
+  (Optional) Whether to preserve the created Kubernetes resources on the cluster when deleting the EKS add-on. Defaults to `false`.
+  EOF
+  type        = bool
+  default     = false
+  nullable    = false
+}
+
+variable "timeouts" {
+  description = "(Optional) How long to wait for the EKS Fargate Profile to be created/updated/deleted."
+  type = object({
+    create = optional(string, "20m")
+    update = optional(string, "20m")
+    delete = optional(string, "40m")
+  })
+  default  = {}
+  nullable = false
+}
+
+variable "tags" {
+  description = "(Optional) A map of tags to add to all resources."
+  type        = map(string)
+  default     = {}
+  nullable    = false
+}
+
+variable "module_tags_enabled" {
+  description = "(Optional) Whether to create AWS Resource Tags for the module informations."
+  type        = bool
+  default     = true
+  nullable    = false
+}
+
+
+###################################################
+# Resource Group
+###################################################
+
+variable "resource_group_enabled" {
+  description = "(Optional) Whether to create Resource Group to find and group AWS resources which are created by this module."
+  type        = bool
+  default     = true
+  nullable    = false
+}
+
+variable "resource_group_name" {
+  description = "(Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`."
+  type        = string
+  default     = ""
+  nullable    = false
+}
+
+variable "resource_group_description" {
+  description = "(Optional) The description of Resource Group."
+  type        = string
+  default     = "Managed by Terraform."
+  nullable    = false
+}
diff --git a/modules/eks-addon/versions.tf b/modules/eks-addon/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.6"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.47"
+    }
+  }
+}