Skip to content

Terraform Module for EKS with istio, cert-manager and external-dns

Notifications You must be signed in to change notification settings

philstevenson/tfm_aws_eks

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

AWS EKS Terraform module

This module will deploy Kubernetes utils on an already-existing EKS cluster, those are the following components:

Features:

  • SSM Session Manager access instead of Bastion host access. (Not sure it works anymore)
  • Cloudwatch alarms for EFS-related metrics (including loss of credits)
  • Cloudwatch alarms for Tx instance type loss of credits.
  • Autoscaling operations notifications to Slack.

Infrastructure requirements

EKS version v1.18+

Software requirements

Inputs

These are the parameters supported by this module

Name Type Default Description Required
cluster_name string Name of the EKS cluster. Also used as a prefix in names of related resources. yes
vpc_id string ID of the VPC this project is going to be deployed on yes
oidc_provider_arn string ARN of the OIDC provider of the K8s cluster. Used for authentication. This value is given by the EKS creation process and it's used for IAM role creation yes
cluster_oidc_issuer_url string URL of the OIDC issuer of the K8s cluster, Used for authentication. This value is given by the EKS creation process and it's used for IAM role creation. yes
cluster_endpoint string The endpoint for your EKS Kubernetes API. yes
kubeconfig_filename string The filename of the generated kubectl config. yes
dns_public_zone_names list(string) [] The zone names of AWS route53 zones that external-dns, cert-manager, base services use. First in the list is the Primary for internal services no
dns_private_suffix string internal Private dns zone suffix for the cluster ({cluster_name}.{dns_private_suffix}) no
cert_manager_enabled bool false deploy cert-manager (https://github.com/jetstack/cert-manager) no
cert_manager_chart_version string v1.0.3 The Helm chart version of cert-manager (chart repo: https://github.com/jetstack/cert-manager/tree/master/deploy/charts/cert-manager) no
cert_manager_lets_encrypt_cluster_issuer_enabled bool true Create default Lets encrypt cluster issuers no
cert_manager_lets_encrypt_notification_email string "" Lets encrypt certificate email notifications. default LetsEncrypt cluster issuers will not get created without this no
cert_manager_lets_encrypt_default_certificate_type string staging default cluster issuer type this can be staging or production no
aws_lb_ingress_enabled bool false Additional IAM roles to add to the aws-auth configmap. See examples/basiπc/variables.tf for example format. no
aws_lb_ingress_chart_version string Check defaults in variables.tf The Helm chart version of aws-alb-ingress-controller (chart repo: https://aws.github.io/eks-charts) no
aws_lb_ingress_app_version string Check defaults in variables.tf The version of aws-alb-ingress-controller (repo: https://github.com/kubernetes-sigs/aws-load-balancer-controller)group. yes
cluster_autoscaler_enabled bool false Deploy Cluster Autoscaler (https://github.com/kubernetes/autoscaler/) group. yes
cluster_autoscaler_chart_version string Check defaults in variables.tf The Helm chart version of Cluster Autoscaler (chart repo: https://github.com/kubernetes/autoscaler/ no
cluster_autoscaler_image_tag string Check defaults in variables.tf The version of Cluster Autoscaler (repo: https://github.com/kubernetes/autoscaler/) no
cluster_autoscaler_extra_arguments string "" Additional container arguments for K8s Autoscaler in an HCL map. Changes how Autoscaler takes decisions. Possible values at https://github.com/kubernetes/autoscaler/blob/master/charts/cluster-autoscaler-chart/values.yaml no
external_dns_enabled bool false Deploy external_dns (https://github.com/kubernetes-sigs/external-dns) no
external_dns_chart_version string Check defaults in variables.tf The Helm chart version of external_dns (chart repo: https://github.com/bitnami/charts/tree/master/bitnami/external-dns) no
istio_enabled bool false Deploy istio (https://istio.io) no
istio_version string Check defaults in variables.tf The version of Istio to deploy. This is pass as the docker tag no
istio_request_auth_enabled bool false Create RequestAuthentication resource and limits to tokens with cluster audiences no
istio_oauth_issuer string "" The OAuth issuer for token verification. For auth0 this is the tennant URL no
istio_oauth_jwks_uri string "" The OAuth JWKS url for token verification against issuer public key no
knative_enabled bool false Deploy knative (https://knative.dev) no
knative_version string Check defaults in variables.tf The version of knative no
kong_ingress_enabled bool false Deploy kong_ingress (https://github.com/Kong/kubernetes-ingress-controller) no
kong_ingress_chart_version string Check defaults in variables.tf The Helm chart version of kong_ingress (chart repo: https://github.com/Kong/charts/tree/master/charts/kong) no
ambassador_ingress_enabled bool false Deploy Ambassador Ingress (https://www.getambassador.io/) no
ambassador_ingress_chart_version string Check defaults in variables.tf The Helm chart version of Ambassador Ingress (chart repo: https://github.com/datawire/ambassador-chart) no
ambassador_oauth_enabled bool false Enable an Oauth2 filter on the Ambassador Ingress controller no
ambassador_oauth_protected_hosts list(any) [""] List of hostnames protected by oauth filter. no
ambassador_oauth_url string "" OAuth root url. For Auth0 this is https://{tentant}.eu.auth0.com no
ambassador_oauth_client_id string "" OAuth Client ID no
ambassador_oauth_client_secret string "" OAuth Client Secret no
kubernetes_dashboard_enabled bool "" Deploy Kubernetes Dashboard (https://github.com/kubernetes/dashboard) no
kubernetes_dashboard_chart_version string Check defaults in variables.tf The Helm chart version of Kubernetes Dashboard (chart repo: https://github.com/kubernetes/dashboard/tree/master/aio/deploy/helm-chart/kubernetes-dashboard) no
kubernetes_dashboard_ingress_enabled bool false Enable ingress for Kubernetes Dashboard. no
kubernetes_dashboard_ingress_class string ambassador Ingress class for Kubernetes Dashboard. no
kubernetes_dashboard_ingress_hostname string "" Ingress hostname for Kubernetes Dashboard. no
efs_enabled bool false Deploy AWS EFS CSI driver (https://github.com/kubernetes-sigs/aws-efs-csi-driver) no
aws_efs_chart_version string Check defaults in variables.tf The Helm chart version of AWS EFS CSI driver (chart repo: https://github.com/kubernetes-sigs/aws-efs-csi-driver/helm) no
fluentbit_cloudwatchlogs_enabled bool false Deploy fluent bit for EKS (https://github.com/aws/aws-for-fluent-bit) no
fluentbit_cloudwatchlogs_chart_version string Check defaults in variables.tf The Helm chart version of AWS for fluent bit Helm chart (https://github.com/aws/eks-charts/tree/master/stable/aws-for-fluent-bit) no
fluentbit_cloudwatchlogs_image_tag string Check defaults in variables.tf The app version of AWS for fluent bit (https://github.com/aws/aws-for-fluent-bit) no
fluentbit_cloudwatchlogs_log_group_name string "" The name of the Log Group used to store all the logs in Cloudwatch Logs yes (if installed)
fluentbit_cloudwatchlogs_retention_in_days number Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire. yes (if installed)
fluentbit_cloudwatchlogs_toleration_noschedule list(string) [] List of keys to add to pod tolerations (e.g.: mycompany.com/compute_profile). It will be added as 'operator: Exists' and 'effect: NoSchedule' no
cloudwatch_metrics_enabled bool false Deploy AWS Cloudwatch metrics agent for EKS (https://github.com/aws/amazon-cloudwatch-agent) no
cloudwatch_metrics_chart_version string Check defaults in variables.tf The Helm chart version of aws-cloudwatch-metrics Helm chart (https://github.com/aws/eks-charts/tree/master/stable/aws-cloudwatch-metrics). no
cloudwatch_metrics_image_tag string Check defaults in variables.tf The app version of AWS Cloudwatch metrics agent for EKS (https://github.com/aws/amazon-cloudwatch-agent). no

For a complete list please check in the variables.tf file

Outputs

The module outputs the following:

Name Description