enh: use flags to enabled/disable additional functionalities instead of using examples folder (#176)

Author: mglotov

README.md

@@ -1,6 +1,8 @@
+#tfsec:ignore:aws-vpc-no-public-egress-sgr tfsec:ignore:aws-vpc-no-public-ingress-sgr
 module "pritunl" {
-  source = "../modules/aws-ec2-pritunl"
+  count = var.pritunl_vpn_server_enable ? 1 : 0
 
+  source         = "../modules/aws-ec2-pritunl"
   environment    = local.env
   vpc_id         = module.vpc.vpc_id
   public_subnets = module.vpc.public_subnets

terraform/layer1-aws/README.md

@@ -245,3 +245,9 @@ variable "eks_cluster_encryption_config_enable" {
   default     = false
   description = "Enable or not encryption for k8s secrets with aws-kms"
 }
+
+variable "pritunl_vpn_server_enable" {
+  type        = bool
+  default     = false
+  description = "Indicates whether or not the Pritunl VPN server is deployed."
+}

terraform/layer1-aws/examples/aws-ec2-pritunl.tf renamed to terraform/layer1-aws/aws-ec2-pritunl.tf

@@ -1,12 +1,15 @@
 locals {
-  aws-load-balancer-controller = {
-    chart         = local.helm_charts[index(local.helm_charts.*.id, "aws-load-balancer-controller")].chart
-    repository    = lookup(local.helm_charts[index(local.helm_charts.*.id, "aws-load-balancer-controller")], "repository", null)
-    chart_version = lookup(local.helm_charts[index(local.helm_charts.*.id, "aws-load-balancer-controller")], "version", null)
+  aws_load_balancer_controller = {
+    name          = local.helm_releases[index(local.helm_releases.*.id, "aws-load-balancer-controller")].id
+    enabled       = local.helm_releases[index(local.helm_releases.*.id, "aws-load-balancer-controller")].enabled
+    chart         = local.helm_releases[index(local.helm_releases.*.id, "aws-load-balancer-controller")].chart
+    repository    = local.helm_releases[index(local.helm_releases.*.id, "aws-load-balancer-controller")].repository
+    chart_version = local.helm_releases[index(local.helm_releases.*.id, "aws-load-balancer-controller")].version
+    namespace     = local.helm_releases[index(local.helm_releases.*.id, "aws-load-balancer-controller")].namespace
   }
   alb_ingress_controller = templatefile("${path.module}/templates/alb-ingress-controller-values.yaml",
     {
-      role_arn     = var.aws_loadbalancer_controller_enable ? module.aws_iam_aws_loadbalancer_controller[0].role_arn : "",
+      role_arn     = local.aws_load_balancer_controller.enabled ? module.aws_iam_aws_loadbalancer_controller[0].role_arn : "",
       region       = local.region,
       cluster_name = local.eks_cluster_id,
       vpc_id       = local.vpc_id
@@ -15,10 +18,10 @@ locals {
 
 #tfsec:ignore:kubernetes-network-no-public-egress tfsec:ignore:kubernetes-network-no-public-ingress
 module "aws_load_balancer_controller_namespace" {
-  count = var.aws_loadbalancer_controller_enable ? 1 : 0
+  count = local.aws_load_balancer_controller.enabled ? 1 : 0
 
   source = "../modules/kubernetes-namespace"
-  name   = "aws-load-balancer-controller"
+  name   = local.aws_load_balancer_controller.namespace
   network_policies = [
     {
       name         = "default-deny"
@@ -34,7 +37,7 @@ module "aws_load_balancer_controller_namespace" {
           {
             namespace_selector = {
               match_labels = {
-                name = "aws-load-balancer-controller"
+                name = local.aws_load_balancer_controller.namespace
               }
             }
           }
@@ -48,7 +51,7 @@ module "aws_load_balancer_controller_namespace" {
         match_expressions = {
           key      = "app.kubernetes.io/name"
           operator = "In"
-          values   = ["aws-load-balancer-controller"]
+          values   = [local.aws_load_balancer_controller.name]
         }
       }
       ingress = {
@@ -89,10 +92,10 @@ module "aws_load_balancer_controller_namespace" {
 
 #tfsec:ignore:aws-iam-no-policy-wildcards
 module "aws_iam_aws_loadbalancer_controller" {
-  count = var.aws_loadbalancer_controller_enable ? 1 : 0
+  count = local.aws_load_balancer_controller.enabled ? 1 : 0
 
   source            = "../modules/aws-iam-eks-trusted"
-  name              = "${local.name}-alb-ingress"
+  name              = "${local.name}-aws-lb-controller"
   region            = local.region
   oidc_provider_arn = local.eks_oidc_provider_arn
   policy = jsonencode({
@@ -305,16 +308,17 @@ module "aws_iam_aws_loadbalancer_controller" {
 }
 
 resource "helm_release" "aws_loadbalancer_controller" {
-  count = var.aws_loadbalancer_controller_enable ? 1 : 0
+  count = local.aws_load_balancer_controller.enabled ? 1 : 0
 
-  name        = "aws-load-balancer-controller"
-  chart       = local.aws-load-balancer-controller.chart
-  repository  = local.aws-load-balancer-controller.repository
-  version     = local.aws-load-balancer-controller.chart_version
+  name        = local.aws_load_balancer_controller.name
+  chart       = local.aws_load_balancer_controller.chart
+  repository  = local.aws_load_balancer_controller.repository
+  version     = local.aws_load_balancer_controller.chart_version
   namespace   = module.aws_load_balancer_controller_namespace[count.index].name
   max_history = var.helm_release_history_size
 
   values = [
     local.alb_ingress_controller
   ]
+
 }

terraform/layer1-aws/variables.tf

@@ -1,15 +1,20 @@
 locals {
-  aws-node-termination-handler = {
-    chart         = local.helm_charts[index(local.helm_charts.*.id, "aws-node-termination-handler")].chart
-    repository    = lookup(local.helm_charts[index(local.helm_charts.*.id, "aws-node-termination-handler")], "repository", null)
-    chart_version = lookup(local.helm_charts[index(local.helm_charts.*.id, "aws-node-termination-handler")], "version", null)
+  aws_node_termination_handler = {
+    name          = local.helm_releases[index(local.helm_releases.*.id, "aws-node-termination-handler")].id
+    enabled       = local.helm_releases[index(local.helm_releases.*.id, "aws-node-termination-handler")].enabled
+    chart         = local.helm_releases[index(local.helm_releases.*.id, "aws-node-termination-handler")].chart
+    repository    = local.helm_releases[index(local.helm_releases.*.id, "aws-node-termination-handler")].repository
+    chart_version = local.helm_releases[index(local.helm_releases.*.id, "aws-node-termination-handler")].version
+    namespace     = local.helm_releases[index(local.helm_releases.*.id, "aws-node-termination-handler")].namespace
   }
 }
 
 #tfsec:ignore:kubernetes-network-no-public-egress tfsec:ignore:kubernetes-network-no-public-ingress
 module "aws_node_termination_handler_namespace" {
+  count = local.aws_node_termination_handler.enabled ? 1 : 0
+
   source = "../modules/kubernetes-namespace"
-  name   = "aws-node-termination-handler"
+  name   = local.aws_node_termination_handler.namespace
   network_policies = [
     {
       name         = "default-deny"
@@ -25,7 +30,7 @@ module "aws_node_termination_handler_namespace" {
           {
             namespace_selector = {
               match_labels = {
-                name = "aws-node-termination-handler"
+                name = local.aws_node_termination_handler.namespace
               }
             }
           }
@@ -53,12 +58,13 @@ module "aws_node_termination_handler_namespace" {
 }
 
 resource "helm_release" "aws_node_termination_handler" {
-  name        = "aws-node-termination-handler"
-  chart       = local.aws-node-termination-handler.chart
-  repository  = local.aws-node-termination-handler.repository
-  version     = local.aws-node-termination-handler.chart_version
-  namespace   = module.aws_node_termination_handler_namespace.name
-  wait        = false
+  count = local.aws_node_termination_handler.enabled ? 1 : 0
+
+  name        = local.aws_node_termination_handler.name
+  chart       = local.aws_node_termination_handler.chart
+  repository  = local.aws_node_termination_handler.repository
+  version     = local.aws_node_termination_handler.chart_version
+  namespace   = module.aws_node_termination_handler_namespace[count.index].name
   max_history = var.helm_release_history_size
 
   values = [

terraform/layer2-k8s/.terraform.lock.hcl

@@ -1,25 +1,26 @@
 locals {
-  aws-calico = {
-    chart         = local.helm_charts[index(local.helm_charts.*.id, "aws-calico")].chart
-    repository    = lookup(local.helm_charts[index(local.helm_charts.*.id, "aws-calico")], "repository", null)
-    chart_version = lookup(local.helm_charts[index(local.helm_charts.*.id, "aws-calico")], "version", null)
+  aws_calico = {
+    name          = local.helm_releases[index(local.helm_releases.*.id, "aws-calico")].id
+    enabled       = local.helm_releases[index(local.helm_releases.*.id, "aws-calico")].enabled
+    chart         = local.helm_releases[index(local.helm_releases.*.id, "aws-calico")].chart
+    repository    = local.helm_releases[index(local.helm_releases.*.id, "aws-calico")].repository
+    chart_version = local.helm_releases[index(local.helm_releases.*.id, "aws-calico")].version
+    namespace     = local.helm_releases[index(local.helm_releases.*.id, "aws-calico")].namespace
   }
 }
 
-data "template_file" "calico_daemonset" {
-  template = file("${path.module}/templates/calico-values.yaml")
-}
-
 resource "helm_release" "calico_daemonset" {
-  name        = "aws-calico"
-  chart       = local.aws-calico.chart
-  repository  = local.aws-calico.repository
-  version     = local.aws-calico.chart_version
-  namespace   = "kube-system"
+  count = local.aws_calico.enabled ? 1 : 0
+
+  name        = local.aws_calico.name
+  chart       = local.aws_calico.chart
+  repository  = local.aws_calico.repository
+  version     = local.aws_calico.chart_version
+  namespace   = local.aws_calico.namespace
   max_history = var.helm_release_history_size
-  wait        = false
 
   values = [
-    data.template_file.calico_daemonset.rendered,
+    file("${path.module}/templates/calico-values.yaml")
   ]
+
 }