upstream echo-server with alb group and logging (cloudposse/terraform-aws-components#492)

Benbentwo · nitrocode · web-flow · commit 6513223e3dd7 · 2022-09-19T11:26:47.000-07:00
* upstream echo-server with alb group and logging

* Apply suggestions from code review

Co-authored-by: nitrocode &lt;7775707+nitrocode@users.noreply.github.com&gt;

* upd

Co-authored-by: nitrocode &lt;7775707+nitrocode@users.noreply.github.com&gt;
diff --git a/src/README.md b/src/README.md
@@ -84,6 +84,7 @@ components:
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_alb_controller_ingress_group"></a> [alb\_controller\_ingress\_group](#module\_alb\_controller\_ingress\_group) | cloudposse/stack-config/yaml//modules/remote-state | 0.22.4 |
 | <a name="module_echo_server"></a> [echo\_server](#module\_echo\_server) | cloudposse/helm-release/aws | 0.5.0 |
 | <a name="module_eks"></a> [eks](#module\_eks) | cloudposse/stack-config/yaml//modules/remote-state | 0.22.4 |
 | <a name="module_iam_roles"></a> [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a |
@@ -103,6 +104,11 @@ components:
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_additional_tag_map"></a> [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.<br>This is for some rare cases where resources want additional configuration of tags<br>and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
+| <a name="input_alb_access_logs_enabled"></a> [alb\_access\_logs\_enabled](#input\_alb\_access\_logs\_enabled) | Whether or not to enable access logs for the ALB | `bool` | `false` | no |
+| <a name="input_alb_access_logs_s3_bucket_name"></a> [alb\_access\_logs\_s3\_bucket\_name](#input\_alb\_access\_logs\_s3\_bucket\_name) | The name of the S3 bucket to store the access logs in | `string` | `null` | no |
+| <a name="input_alb_access_logs_s3_bucket_prefix"></a> [alb\_access\_logs\_s3\_bucket\_prefix](#input\_alb\_access\_logs\_s3\_bucket\_prefix) | The prefix to use when storing the access logs | `string` | `"echo-server"` | no |
+| <a name="input_alb_controller_ingress_group_component_name"></a> [alb\_controller\_ingress\_group\_component\_name](#input\_alb\_controller\_ingress\_group\_component\_name) | The name of the alb-controller-ingress-group component | `string` | `"eks/alb-controller-ingress-group"` | no |
+| <a name="input_alb_controller_ingress_group_enabled"></a> [alb\_controller\_ingress\_group\_enabled](#input\_alb\_controller\_ingress\_group\_enabled) | Uses alb-controller-ingress-group component for alb ingress group | `bool` | `false` | no |
 | <a name="input_atomic"></a> [atomic](#input\_atomic) | If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used. | `bool` | `true` | no |
 | <a name="input_attributes"></a> [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,<br>in the order they appear in the list. New attributes are appended to the<br>end of the list. The elements of the list are joined by the `delimiter`<br>and treated as a single ID element. | `list(string)` | `[]` | no |
 | <a name="input_chart_version"></a> [chart\_version](#input\_chart\_version) | Specify the exact chart version to install. If this is not specified, the latest version is installed. | `string` | `null` | no |
@@ -112,7 +118,7 @@ components:
 | <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
 | <a name="input_description"></a> [description](#input\_description) | Set release description attribute (visible in the history). | `string` | `null` | no |
 | <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br>Map of maps. Keys are names of descriptors. Values are maps of the form<br>`{<br>   format = string<br>   labels = list(string)<br>}`<br>(Type is `any` so the map values can later be enhanced to provide additional options.)<br>`format` is a Terraform format string to be passed to the `format()` function.<br>`labels` is a list of labels, in order, to pass to `format()` function.<br>Label values will be normalized before being passed to `format()` so they will be<br>identical to how they appear in `id`.<br>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
-| <a name="input_eks_component_name"></a> [eks\_component\_name](#input\_eks\_component\_name) | The name of the eks component | `string` | `"eks/eks"` | no |
+| <a name="input_eks_component_name"></a> [eks\_component\_name](#input\_eks\_component\_name) | The name of the eks component | `string` | `"eks/cluster"` | no |
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
 | <a name="input_helm_manifest_experiment_enabled"></a> [helm\_manifest\_experiment\_enabled](#input\_helm\_manifest\_experiment\_enabled) | Enable storing of the rendered manifest for helm\_release so the full diff of what is changing can been seen in the plan | `bool` | `true` | no |
@@ -157,4 +163,3 @@ components:
 
 ## References
 * https://github.com/Ealenn/Echo-Server
-* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/eks/echo-server) - Cloud Posse's upstream component
diff --git a/src/charts/echo-server/templates/ingress.yaml b/src/charts/echo-server/templates/ingress.yaml
@@ -15,9 +15,14 @@ metadata:
       {{- end }}
     {{- else if eq (printf "%v" .Values.ingress.alb.enabled) "true" }}
     kubernetes.io/ingress.class: {{ .Values.ingress.alb.class }}
+      {{- if not .Values.ingress.alb.group_name }}
     alb.ingress.kubernetes.io/load-balancer-name: {{ index .Values.ingress.alb "load_balancer_name" | default "k8s-common" }}
+      {{- end }}
     alb.ingress.kubernetes.io/group.name: {{ index .Values.ingress.alb "group_name" | default "common" }}
     alb.ingress.kubernetes.io/scheme: internet-facing
+      {{- if .Values.ingress.alb.access_logs.enabled }}
+    alb.ingress.kubernetes.io/load-balancer-attributes: access_logs.s3.enabled=true,access_logs.s3.bucket={{.Values.ingress.alb.access_logs.s3_bucket_name}},access_logs.s3.prefix={{.Values.ingress.alb.access_logs.s3_bucket_prefix}}
+      {{- end }}
     alb.ingress.kubernetes.io/target-type: 'ip'
       {{- if eq (printf "%v" .Values.ingress.alb.ssl_redirect.enabled) "true" }}
     alb.ingress.kubernetes.io/ssl-redirect: '{{ .Values.ingress.alb.ssl_redirect.port }}'
diff --git a/src/charts/echo-server/values.yaml b/src/charts/echo-server/values.yaml
@@ -65,6 +65,10 @@ ingress:
       enabled: true
     ## alb.ingress.kubernetes.io/ssl-redirect:
       port: 443
+    access_logs:
+      enabled: false
+      ## s3_bucket_name: "acme-ue2-prod-eks-cluster-alb-access-logs"
+      s3_bucket_prefix: "echo-server"
 
 #resources: {}
 #  # We usually recommend not to specify default resources and to leave this as a conscious
diff --git a/src/main.tf b/src/main.tf
@@ -2,6 +2,15 @@ locals {
   enabled               = module.this.enabled
   ingress_nginx_enabled = var.ingress_type == "nginx" ? true : false
   ingress_alb_enabled   = var.ingress_type == "alb" ? true : false
+
+  alb_access_logs_enabled = var.alb_access_logs_enabled && var.alb_access_logs_s3_bucket_name != null && var.alb_access_logs_s3_bucket_name != ""
+  ingress_controller_group_enabled = var.alb_controller_ingress_group_enabled ? [
+    {
+      name  = "ingress.alb.group_name"
+      value = module.alb_controller_ingress_group.outputs.group_name
+      type  = "auto"
+    }
+  ] : []
 }
 
 resource "kubernetes_namespace" "default" {
@@ -35,7 +44,7 @@ module "echo_server" {
 
   eks_cluster_oidc_issuer_url = replace(module.eks.outputs.eks_cluster_identity_oidc_issuer, "https://", "")
 
-  set = [
+  set = concat([
     {
       name  = "ingress.hostname"
       value = format(var.hostname_template, var.tenant, var.stage, var.environment)
@@ -50,8 +59,25 @@ module "echo_server" {
       name  = "ingress.alb.enabled"
       value = local.ingress_alb_enabled
       type  = "auto"
+    },
+    {
+      name  = "ingress.alb.access_logs.enabled"
+      value = local.alb_access_logs_enabled
+      type  = "auto"
+    },
+    {
+      name  = "ingress.alb.access_logs.s3_bucket_name"
+      value = var.alb_access_logs_s3_bucket_name == null ? "" : var.alb_access_logs_s3_bucket_name
+      type  = "auto"
+    },
+    {
+      name  = "ingress.alb.access_logs.s3_bucket_prefix"
+      value = var.alb_access_logs_s3_bucket_prefix
+      type  = "auto"
     }
-  ]
+    ],
+    local.ingress_controller_group_enabled
+  )
 
   values = compact([
     # hardcoded values
diff --git a/src/remote-state.tf b/src/remote-state.tf
@@ -6,3 +6,13 @@ module "eks" {
 
   context = module.this.context
 }
+
+module "alb_controller_ingress_group" {
+  source  = "cloudposse/stack-config/yaml//modules/remote-state"
+  version = "0.22.4"
+
+  component = var.alb_controller_ingress_group_component_name
+
+  context = module.this.context
+}
+
diff --git a/src/variables.tf b/src/variables.tf
@@ -6,5 +6,35 @@ variable "region" {
 variable "eks_component_name" {
   type        = string
   description = "The name of the eks component"
-  default     = "eks/eks"
+  default     = "eks/cluster"
+}
+
+variable "alb_controller_ingress_group_component_name" {
+  type        = string
+  description = "The name of the alb-controller-ingress-group component"
+  default     = "eks/alb-controller-ingress-group"
+}
+
+variable "alb_controller_ingress_group_enabled" {
+  type        = bool
+  description = "Uses alb-controller-ingress-group component for alb ingress group"
+  default     = false
+}
+
+variable "alb_access_logs_enabled" {
+  type        = bool
+  description = "Whether or not to enable access logs for the ALB"
+  default     = false
+}
+
+variable "alb_access_logs_s3_bucket_name" {
+  type        = string
+  description = "The name of the S3 bucket to store the access logs in"
+  default     = null
+}
+
+variable "alb_access_logs_s3_bucket_prefix" {
+  type        = string
+  description = "The prefix to use when storing the access logs"
+  default     = "echo-server"
 }
