Update EKS basic components (cloudposse/terraform-aws-components#509)

Author: Nuru

src/README.md

@@ -7,31 +7,23 @@ data "aws_partition" "current" {
   count = local.enabled ? 1 : 0
 }
 
-resource "kubernetes_namespace" "default" {
-  count = local.enabled && var.create_namespace ? 1 : 0
-
-  metadata {
-    name = var.kubernetes_namespace
-
-    labels = module.this.tags
-  }
-}
-
 module "cert_manager" {
   source  = "cloudposse/helm-release/aws"
-  version = "0.5.0"
-
-  name                 = "" # avoids hitting length restrictions on IAM Role names
-  chart                = var.cert_manager_chart
-  repository           = var.cert_manager_repository
-  description          = var.cert_manager_description
-  chart_version        = var.cert_manager_chart_version
-  kubernetes_namespace = join("", kubernetes_namespace.default.*.id)
-  create_namespace     = false
-  wait                 = var.wait
-  atomic               = var.atomic
-  cleanup_on_fail      = var.cleanup_on_fail
-  timeout              = var.timeout
+  version = "0.7.0"
+
+  name            = "" # avoids hitting length restrictions on IAM Role names
+  chart           = var.cert_manager_chart
+  repository      = var.cert_manager_repository
+  description     = var.cert_manager_description
+  chart_version   = var.cert_manager_chart_version
+  wait            = var.wait || var.letsencrypt_enabled || var.cert_manager_issuer_selfsigned_enabled
+  atomic          = var.atomic
+  cleanup_on_fail = var.cleanup_on_fail
+  timeout         = var.timeout
+
+  create_namespace_with_kubernetes = var.create_namespace
+  kubernetes_namespace             = var.kubernetes_namespace
+  kubernetes_namespace_labels      = merge(module.this.tags, { name = var.kubernetes_namespace })
 
   # Only install IAM role if letsencrypt_enabled is true
   iam_role_enabled            = var.letsencrypt_enabled
@@ -113,9 +105,10 @@ module "cert_manager" {
   context = module.this.context
 }
 
+
 module "cert_manager_issuer" {
   source  = "cloudposse/helm-release/aws"
-  version = "0.5.0"
+  version = "0.7.0"
 
   # Only install the issuer if either letsencrypt_installed or selfsigned_installed is true
   enabled = local.enabled && (var.letsencrypt_enabled || var.cert_manager_issuer_selfsigned_enabled)
@@ -125,15 +118,15 @@ module "cert_manager_issuer" {
   repository           = var.cert_manager_issuer_repository
   description          = var.cert_manager_issuer_description
   chart_version        = var.cert_manager_issuer_chart_version
-  kubernetes_namespace = join("", kubernetes_namespace.default.*.id)
+  kubernetes_namespace = var.kubernetes_namespace
   create_namespace     = false
   wait                 = var.wait
   atomic               = var.atomic
   cleanup_on_fail      = var.cleanup_on_fail
   timeout              = var.timeout
 
-  # Only install IAM role if letsencrypt_enabled is true
-  iam_role_enabled            = var.letsencrypt_enabled
+  # IAM role will be created by the cert-manager module above, if needed. Do not create a duplicate here.
+  iam_role_enabled            = false
   eks_cluster_oidc_issuer_url = replace(module.eks.outputs.eks_cluster_identity_oidc_issuer, "https://", "")
 
   # NOTE: Use with the local chart

src/default.auto.tfvars

@@ -2,6 +2,12 @@
 #
 # This file is a drop-in to provide a helm provider.
 #
+# It depends on 2 standard Cloud Posse data source modules to be already
+# defined in the same component:
+#
+#   1. module.iam_roles to provide the AWS profile or Role ARN to use to access the cluster
+#   2. module.eks to provide the EKS cluster information
+#
 # All the following variables are just about configuring the Kubernetes provider
 # to be able to modify EKS cluster. The reason there are so many options is
 # because at various times, each one of them has had problems, so we give you a choice.
@@ -100,9 +106,11 @@ locals {
     "--role-arn", local.kube_exec_auth_role_arn
   ] : []
 
-  certificate_authority_data = module.eks.outputs.eks_cluster_certificate_authority_data
-  eks_cluster_id             = module.eks.outputs.eks_cluster_id
-  eks_cluster_endpoint       = module.eks.outputs.eks_cluster_endpoint
+  # Provide dummy configuration for the case where the EKS cluster is not available.
+  certificate_authority_data = try(module.eks.outputs.eks_cluster_certificate_authority_data, "")
+  # Use coalesce+try to handle both the case where the output is missing and the case where it is empty.
+  eks_cluster_id       = coalesce(try(module.eks.outputs.eks_cluster_id, ""), "missing")
+  eks_cluster_endpoint = try(module.eks.outputs.eks_cluster_endpoint, "")
 }
 
 data "aws_eks_cluster_auth" "eks" {
@@ -114,14 +122,14 @@ provider "helm" {
   kubernetes {
     host                   = local.eks_cluster_endpoint
     cluster_ca_certificate = base64decode(local.certificate_authority_data)
-    token                  = local.kube_data_auth_enabled ? data.aws_eks_cluster_auth.eks[0].token : null
+    token                  = local.kube_data_auth_enabled ? one(data.aws_eks_cluster_auth.eks[*].token) : null
     # The Kubernetes provider will use information from KUBECONFIG if it exists, but if the default cluster
     # in KUBECONFIG is some other cluster, this will cause problems, so we override it always.
     config_path    = local.kubeconfig_file_enabled ? var.kubeconfig_file : ""
     config_context = var.kubeconfig_context
 
     dynamic "exec" {
-      for_each = local.kube_exec_auth_enabled ? ["exec"] : []
+      for_each = local.kube_exec_auth_enabled && length(local.certificate_authority_data) > 0 ? ["exec"] : []
       content {
         api_version = local.kubeconfig_exec_auth_api_version
         command     = "aws"
@@ -132,21 +140,21 @@ provider "helm" {
     }
   }
   experiments {
-    manifest = var.helm_manifest_experiment_enabled
+    manifest = var.helm_manifest_experiment_enabled && module.this.enabled
   }
 }
 
 provider "kubernetes" {
   host                   = local.eks_cluster_endpoint
   cluster_ca_certificate = base64decode(local.certificate_authority_data)
-  token                  = local.kube_data_auth_enabled ? data.aws_eks_cluster_auth.eks[0].token : null
+  token                  = local.kube_data_auth_enabled ? one(data.aws_eks_cluster_auth.eks[*].token) : null
   # The Kubernetes provider will use information from KUBECONFIG if it exists, but if the default cluster
   # in KUBECONFIG is some other cluster, this will cause problems, so we override it always.
   config_path    = local.kubeconfig_file_enabled ? var.kubeconfig_file : ""
   config_context = var.kubeconfig_context
 
   dynamic "exec" {
-    for_each = local.kube_exec_auth_enabled ? ["exec"] : []
+    for_each = local.kube_exec_auth_enabled && length(local.certificate_authority_data) > 0 ? ["exec"] : []
     content {
       api_version = local.kubeconfig_exec_auth_api_version
       command     = "aws"

src/main.tf

@@ -1,6 +1,6 @@
 module "eks" {
   source  = "cloudposse/stack-config/yaml//modules/remote-state"
-  version = "0.22.4"
+  version = "1.3.1"
 
   component = var.eks_component_name
 
@@ -9,7 +9,7 @@ module "eks" {
 
 module "dns_gbl_delegated" {
   source  = "cloudposse/stack-config/yaml//modules/remote-state"
-  version = "0.22.4"
+  version = "1.3.1"
 
   component   = "dns-delegated"
   environment = "gbl"

src/provider-helm.tf

@@ -22,12 +22,13 @@ variable "cert_manager_description" {
 variable "cert_manager_chart" {
   type        = string
   description = "Chart name to be installed. The chart name can be local path, a URL to a chart, or the name of the chart if `repository` is specified. It is also possible to use the `<repository>/<chart>` format here if you are running Terraform on a system that the repository has been added to with `helm repo add` but this is not recommended."
+  default     = "cert-manager"
 }
 
 variable "cert_manager_repository" {
   type        = string
   description = "Repository URL where to locate the requested chart."
-  default     = null
+  default     = "https://charts.jetstack.io"
 }
 
 variable "cert_manager_chart_version" {
@@ -48,12 +49,22 @@ variable "cert_manager_resources" {
     })
   })
   description = "The cpu and memory of the cert manager's limits and requests."
+  default = {
+    limits = {
+      cpu    = "200m"
+      memory = "256Mi"
+    }
+    requests = {
+      cpu    = "100m"
+      memory = "128Mi"
+    }
+  }
 }
 
 variable "cart_manager_rbac_enabled" {
   type        = bool
-  default     = true
   description = "Service Account for pods."
+  default     = true
 }
 
 variable "cert_manager_metrics_enabled" {
@@ -79,6 +90,7 @@ variable "cert_manager_issuer_description" {
 variable "cert_manager_issuer_chart" {
   type        = string
   description = "Chart name to be installed. The chart name can be local path, a URL to a chart, or the name of the chart if `repository` is specified. It is also possible to use the `<repository>/<chart>` format here if you are running Terraform on a system that the repository has been added to with `helm repo add` but this is not recommended."
+  default     = "./cert-manager-issuer/"
 }
 
 variable "cert_manager_issuer_repository" {
@@ -112,13 +124,14 @@ variable "cert_manager_issuer_values" {
 
 variable "create_namespace" {
   type        = bool
-  description = "Create the namespace if it does not yet exist. Defaults to `false`."
-  default     = null
+  description = "Create the namespace if it does not yet exist. Defaults to `true`."
+  default     = true
 }
 
 variable "kubernetes_namespace" {
   type        = string
   description = "The namespace to install the release into."
+  default     = "cert-manager"
 }
 
 variable "timeout" {
@@ -129,20 +142,20 @@ variable "timeout" {
 
 variable "cleanup_on_fail" {
   type        = bool
-  description = "Allow deletion of new resources created in this upgrade when upgrade fails."
+  description = "If `true`, resources created in this deploy will be deleted when deploy fails. Highly recommended to prevent cert-manager from getting into a wedeged state."
   default     = true
 }
 
 variable "atomic" {
   type        = bool
-  description = "If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used."
+  description = "If `true`, if any part of the installation process fails, all parts are treated as failed. Highly recommended to prevent cert-manager from getting into a wedged state. The wait flag will be set automatically if atomic is used."
   default     = true
 }
 
 variable "wait" {
   type        = bool
-  description = "Will wait until all resources are in a ready state before marking the release as successful. It will wait for as long as `timeout`. Defaults to `true`."
-  default     = null
+  description = "Set `true` to wait until all resources are in a ready state before marking the release as successful. Ignored if provisioning Issuers. It will wait for as long as `timeout`. Defaults to `true`."
+  default     = true
 }
 
 variable "eks_component_name" {

src/remote-state.tf

@@ -4,11 +4,15 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.0"
+      version = ">= 4.9.0"
     }
     helm = {
       source  = "hashicorp/helm"
       version = ">= 2.0"
     }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.14.0"
+    }
   }
 }