Update EKS basic components (cloudposse/terraform-aws-components#509)

Nuru · web-flow · commit 35ee2fb8647e · 2022-10-19T00:27:50.000-07:00
diff --git a/src/README.md b/src/README.md
@@ -1,8 +1,10 @@
-# Component: `alb-controller`
+# Component: `eks/alb-controller`
 
 This component creates a Helm release for [alb-controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller) on an EKS cluster.
 
-[alb-controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller) is a Kubernetes addon that, in the context of AWS, provisions and manages ALBs and NLBs based on Service and Ingress annotations.
+[alb-controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller) is a Kubernetes addon that,
+in the context of AWS, provisions and manages ALBs and NLBs based on Service and Ingress annotations.
+This module also can (and is recommended to) provision a default IngressClass.
 
 ## Usage
 
@@ -21,9 +23,21 @@ The default catalog values `e.g. stacks/catalog/eks/alb-controller.yaml`
 ```yaml
 components:
   terraform:
-    alb-controller:
+    eks/alb-controller:
       vars:
-        enabled: true
+        chart: aws-load-balancer-controller
+        chart_repository: https://aws.github.io/eks-charts
+        chart_version: "1.4.5"
+        create_namespace: true
+        kubernetes_namespace: alb-controller
+        # this feature causes inconsistent final plans
+        # see https://github.com/hashicorp/terraform-provider-helm/issues/711#issuecomment-836192991
+        helm_manifest_experiment_enabled: false
+
+        default_ingress_class_name: default
+        default_ingress_group: common
+        default_ingress_ip_address_type: ipv4
+        default_ingress_scheme: internet-facing
         # You can use `chart_values` to set any other chart options. Treat `chart_values` as the root of the doc.
         #
         # # For example
@@ -39,30 +53,29 @@ components:
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.9.0 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.0 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.14.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.0 |
-| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.9.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_alb_controller"></a> [alb\_controller](#module\_alb\_controller) | cloudposse/helm-release/aws | 0.5.0 |
-| <a name="module_eks"></a> [eks](#module\_eks) | cloudposse/stack-config/yaml//modules/remote-state | 0.22.4 |
+| <a name="module_alb_controller"></a> [alb\_controller](#module\_alb\_controller) | cloudposse/helm-release/aws | 0.7.0 |
+| <a name="module_eks"></a> [eks](#module\_eks) | cloudposse/stack-config/yaml//modules/remote-state | 1.3.1 |
 | <a name="module_iam_roles"></a> [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a |
 | <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
-| [kubernetes_namespace.default](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [aws_eks_cluster_auth.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source |
 
 ## Inputs
@@ -80,6 +93,13 @@ components:
 | <a name="input_cleanup_on_fail"></a> [cleanup\_on\_fail](#input\_cleanup\_on\_fail) | Allow deletion of new resources created in this upgrade when upgrade fails. | `bool` | `true` | no |
 | <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br>  "additional_tag_map": {},<br>  "attributes": [],<br>  "delimiter": null,<br>  "descriptor_formats": {},<br>  "enabled": true,<br>  "environment": null,<br>  "id_length_limit": null,<br>  "label_key_case": null,<br>  "label_order": [],<br>  "label_value_case": null,<br>  "labels_as_tags": [<br>    "unset"<br>  ],<br>  "name": null,<br>  "namespace": null,<br>  "regex_replace_chars": null,<br>  "stage": null,<br>  "tags": {},<br>  "tenant": null<br>}</pre> | no |
 | <a name="input_create_namespace"></a> [create\_namespace](#input\_create\_namespace) | Create the namespace if it does not yet exist. Defaults to `false`. | `bool` | `null` | no |
+| <a name="input_default_ingress_additional_tags"></a> [default\_ingress\_additional\_tags](#input\_default\_ingress\_additional\_tags) | Additional tags to apply to the ingress load balancer. | `map(string)` | `{}` | no |
+| <a name="input_default_ingress_class_name"></a> [default\_ingress\_class\_name](#input\_default\_ingress\_class\_name) | Class name for default ingress | `string` | `"default"` | no |
+| <a name="input_default_ingress_enabled"></a> [default\_ingress\_enabled](#input\_default\_ingress\_enabled) | Set `true` to deploy a default IngressClass. There should only be one default per cluster. | `bool` | `true` | no |
+| <a name="input_default_ingress_group"></a> [default\_ingress\_group](#input\_default\_ingress\_group) | Group name for default ingress | `string` | `"common"` | no |
+| <a name="input_default_ingress_ip_address_type"></a> [default\_ingress\_ip\_address\_type](#input\_default\_ingress\_ip\_address\_type) | IP address type for default ingress, one of `ipv4` or `dualstack`. | `string` | `"dualstack"` | no |
+| <a name="input_default_ingress_load_balancer_attributes"></a> [default\_ingress\_load\_balancer\_attributes](#input\_default\_ingress\_load\_balancer\_attributes) | A list of load balancer attributes to apply to the default ingress load balancer.<br>See [Load Balancer Attributes](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#load-balancer-attributes). | `list(object({ key = string, value = string }))` | `[]` | no |
+| <a name="input_default_ingress_scheme"></a> [default\_ingress\_scheme](#input\_default\_ingress\_scheme) | Scheme for default ingress, one of `internet-facing` or `internal`. | `string` | `"internet-facing"` | no |
 | <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
 | <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br>Map of maps. Keys are names of descriptors. Values are maps of the form<br>`{<br>   format = string<br>   labels = list(string)<br>}`<br>(Type is `any` so the map values can later be enhanced to provide additional options.)<br>`format` is a Terraform format string to be passed to the `format()` function.<br>`labels` is a list of labels, in order, to pass to `format()` function.<br>Label values will be normalized before being passed to `format()` so they will be<br>identical to how they appear in `id`.<br>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
 | <a name="input_eks_component_name"></a> [eks\_component\_name](#input\_eks\_component\_name) | The name of the eks component | `string` | `"eks/cluster"` | no |
diff --git a/src/default.auto.tfvars b/src/default.auto.tfvars
diff --git a/src/main.tf b/src/main.tf
@@ -2,33 +2,23 @@ locals {
   enabled = module.this.enabled
 }
 
-resource "kubernetes_namespace" "default" {
-  count = local.enabled && var.create_namespace ? 1 : 0
-
-  metadata {
-    name = var.kubernetes_namespace
-
-    annotations = {}
-
-    labels = module.this.tags
-  }
-}
-
 module "alb_controller" {
   source  = "cloudposse/helm-release/aws"
-  version = "0.5.0"
+  version = "0.7.0"
+
+  name            = "" # avoids hitting length restrictions on IAM Role names
+  chart           = var.chart
+  repository      = var.chart_repository
+  description     = var.chart_description
+  chart_version   = var.chart_version
+  wait            = true # required for installing IngressClassParams
+  atomic          = var.atomic
+  cleanup_on_fail = var.cleanup_on_fail
+  timeout         = var.timeout
 
-  name                 = "" # avoids hitting length restrictions on IAM Role names
-  chart                = var.chart
-  repository           = var.chart_repository
-  description          = var.chart_description
-  chart_version        = var.chart_version
-  kubernetes_namespace = join("", kubernetes_namespace.default.*.id)
-  create_namespace     = false
-  wait                 = var.wait
-  atomic               = var.atomic
-  cleanup_on_fail      = var.cleanup_on_fail
-  timeout              = var.timeout
+  create_namespace_with_kubernetes = var.create_namespace
+  kubernetes_namespace             = var.kubernetes_namespace
+  kubernetes_namespace_labels      = merge(module.this.tags, { name = var.kubernetes_namespace })
 
   eks_cluster_oidc_issuer_url = replace(module.eks.outputs.eks_cluster_identity_oidc_issuer, "https://", "")
 
@@ -311,7 +301,24 @@ module "alb_controller" {
       aws = {
         region = var.region
       }
-      clusterName = module.eks.outputs.eks_cluster_id
+      clusterName                = module.eks.outputs.eks_cluster_id
+      createIngressClassResource = var.default_ingress_enabled
+      ingressClass               = var.default_ingress_class_name
+      ingressClassParams = {
+        name    = var.default_ingress_class_name
+        create  = var.default_ingress_enabled
+        default = true
+        spec = {
+          group = {
+            name = var.default_ingress_group
+          }
+          scheme                 = var.default_ingress_scheme
+          ipAddressType          = var.default_ingress_ip_address_type
+          tags                   = [for k, v in merge(module.this.tags, var.default_ingress_additional_tags) : { key = k, value = v }]
+          loadBalancerAttributes = var.default_ingress_load_balancer_attributes
+        }
+      }
+      defaultTags = module.this.tags
     }),
     # additional values
     yamlencode(var.chart_values)
diff --git a/src/provider-helm.tf b/src/provider-helm.tf
@@ -2,6 +2,12 @@
 #
 # This file is a drop-in to provide a helm provider.
 #
+# It depends on 2 standard Cloud Posse data source modules to be already
+# defined in the same component:
+#
+#   1. module.iam_roles to provide the AWS profile or Role ARN to use to access the cluster
+#   2. module.eks to provide the EKS cluster information
+#
 # All the following variables are just about configuring the Kubernetes provider
 # to be able to modify EKS cluster. The reason there are so many options is
 # because at various times, each one of them has had problems, so we give you a choice.
@@ -100,9 +106,11 @@ locals {
     "--role-arn", local.kube_exec_auth_role_arn
   ] : []
 
-  certificate_authority_data = module.eks.outputs.eks_cluster_certificate_authority_data
-  eks_cluster_id             = module.eks.outputs.eks_cluster_id
-  eks_cluster_endpoint       = module.eks.outputs.eks_cluster_endpoint
+  # Provide dummy configuration for the case where the EKS cluster is not available.
+  certificate_authority_data = try(module.eks.outputs.eks_cluster_certificate_authority_data, "")
+  # Use coalesce+try to handle both the case where the output is missing and the case where it is empty.
+  eks_cluster_id       = coalesce(try(module.eks.outputs.eks_cluster_id, ""), "missing")
+  eks_cluster_endpoint = try(module.eks.outputs.eks_cluster_endpoint, "")
 }
 
 data "aws_eks_cluster_auth" "eks" {
@@ -114,14 +122,14 @@ provider "helm" {
   kubernetes {
     host                   = local.eks_cluster_endpoint
     cluster_ca_certificate = base64decode(local.certificate_authority_data)
-    token                  = local.kube_data_auth_enabled ? data.aws_eks_cluster_auth.eks[0].token : null
+    token                  = local.kube_data_auth_enabled ? one(data.aws_eks_cluster_auth.eks[*].token) : null
     # The Kubernetes provider will use information from KUBECONFIG if it exists, but if the default cluster
     # in KUBECONFIG is some other cluster, this will cause problems, so we override it always.
     config_path    = local.kubeconfig_file_enabled ? var.kubeconfig_file : ""
     config_context = var.kubeconfig_context
 
     dynamic "exec" {
-      for_each = local.kube_exec_auth_enabled ? ["exec"] : []
+      for_each = local.kube_exec_auth_enabled && length(local.certificate_authority_data) > 0 ? ["exec"] : []
       content {
         api_version = local.kubeconfig_exec_auth_api_version
         command     = "aws"
@@ -132,21 +140,21 @@ provider "helm" {
     }
   }
   experiments {
-    manifest = var.helm_manifest_experiment_enabled
+    manifest = var.helm_manifest_experiment_enabled && module.this.enabled
   }
 }
 
 provider "kubernetes" {
   host                   = local.eks_cluster_endpoint
   cluster_ca_certificate = base64decode(local.certificate_authority_data)
-  token                  = local.kube_data_auth_enabled ? data.aws_eks_cluster_auth.eks[0].token : null
+  token                  = local.kube_data_auth_enabled ? one(data.aws_eks_cluster_auth.eks[*].token) : null
   # The Kubernetes provider will use information from KUBECONFIG if it exists, but if the default cluster
   # in KUBECONFIG is some other cluster, this will cause problems, so we override it always.
   config_path    = local.kubeconfig_file_enabled ? var.kubeconfig_file : ""
   config_context = var.kubeconfig_context
 
   dynamic "exec" {
-    for_each = local.kube_exec_auth_enabled ? ["exec"] : []
+    for_each = local.kube_exec_auth_enabled && length(local.certificate_authority_data) > 0 ? ["exec"] : []
     content {
       api_version = local.kubeconfig_exec_auth_api_version
       command     = "aws"
diff --git a/src/remote-state.tf b/src/remote-state.tf
@@ -1,6 +1,6 @@
 module "eks" {
   source  = "cloudposse/stack-config/yaml//modules/remote-state"
-  version = "0.22.4"
+  version = "1.3.1"
 
   component = var.eks_component_name
 
diff --git a/src/variables.tf b/src/variables.tf
@@ -91,3 +91,60 @@ variable "eks_component_name" {
   description = "The name of the eks component"
   default     = "eks/cluster"
 }
+
+####### Configure default Ingress Class #######
+
+variable "default_ingress_enabled" {
+  type        = bool
+  description = "Set `true` to deploy a default IngressClass. There should only be one default per cluster."
+  default     = true
+}
+
+variable "default_ingress_class_name" {
+  type        = string
+  description = "Class name for default ingress"
+  default     = "default"
+}
+
+variable "default_ingress_group" {
+  type        = string
+  description = "Group name for default ingress"
+  default     = "common"
+}
+
+variable "default_ingress_scheme" {
+  type        = string
+  description = "Scheme for default ingress, one of `internet-facing` or `internal`."
+  default     = "internet-facing"
+
+  validation {
+    condition     = contains(["internet-facing", "internal"], var.default_ingress_scheme)
+    error_message = "The default ingress scheme must be one of `internet-facing` or `internal`."
+  }
+}
+
+variable "default_ingress_ip_address_type" {
+  type        = string
+  description = "IP address type for default ingress, one of `ipv4` or `dualstack`."
+  default     = "dualstack"
+
+  validation {
+    condition     = contains(["ipv4", "dualstack"], var.default_ingress_ip_address_type)
+    error_message = "The default ingress IP address type must be one of `ipv4` or `dualstack`."
+  }
+}
+
+variable "default_ingress_load_balancer_attributes" {
+  type        = list(object({ key = string, value = string }))
+  description = <<-EOT
+    A list of load balancer attributes to apply to the default ingress load balancer.
+    See [Load Balancer Attributes](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#load-balancer-attributes).
+    EOT
+  default     = []
+}
+
+variable "default_ingress_additional_tags" {
+  type        = map(string)
+  description = "Additional tags to apply to the ingress load balancer."
+  default     = {}
+}
diff --git a/src/versions.tf b/src/versions.tf
@@ -4,11 +4,15 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.0"
+      version = ">= 4.9.0"
     }
     helm = {
       source  = "hashicorp/helm"
       version = ">= 2.0"
     }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.14.0"
+    }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -4,11 +4,15 @@ terraform {`
`4`	`4`	`required_providers {`
`5`	`5`	`aws = {`
`6`	`6`	`source = "hashicorp/aws"`
`7`		`- version = "~> 4.0"`
	`7`	`+ version = ">= 4.9.0"`
`8`	`8`	`}`
`9`	`9`	`helm = {`
`10`	`10`	`source = "hashicorp/helm"`
`11`	`11`	`version = ">= 2.0"`
`12`	`12`	`}`
	`13`	`+ kubernetes = {`
	`14`	`+ source = "hashicorp/kubernetes"`
	`15`	`+ version = ">= 2.14.0"`
	`16`	`+ }`
`13`	`17`	`}`
`14`	`18`	`}`