velero is working on eks with web identity setup

ivankatliarchuk · ivankatliarchuk · commit 813940483062 · 2020-07-19T20:00:36.000+01:00
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v3.0.1
+  rev: v3.1.0
   hooks:
   - id: check-added-large-files
     args: ['--maxkb=500']
@@ -17,7 +17,7 @@ repos:
   - id: detect-aws-credentials
     args: ['--allow-missing-credentials']
 - repo: git://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.30.0
+  rev: v1.31.0
   hooks:
   - id: terraform_fmt
   - id: terraform_docs
diff --git a/README.md b/README.md
@@ -1,24 +1,44 @@
-# Module Blueprint
-
-Terraform module blueprint
-
-![](https://github.com/terraform-module/terraform-module-blueprint/workflows/release/badge.svg)
-![](https://github.com/terraform-module/terraform-module-blueprint/workflows/commit-check/badge.svg)
-![](https://github.com/terraform-module/terraform-module-blueprint/workflows/labeler/badge.svg)
-
-[![](https://img.shields.io/github/license/terraform-module/terraform-module-blueprint)](https://github.com/terraform-module/terraform-module-blueprint)
-![](https://img.shields.io/github/v/tag/terraform-module/terraform-module-blueprint)
-![](https://img.shields.io/issues/github/terraform-module/terraform-module-blueprint)
-![](https://img.shields.io/github/issues/terraform-module/terraform-module-blueprint)
-![](https://img.shields.io/github/issues-closed/terraform-module/terraform-module-blueprint)
-[![](https://img.shields.io/github/languages/code-size/terraform-module/terraform-module-blueprint)](https://github.com/terraform-module/terraform-module-blueprint)
-[![](https://img.shields.io/github/repo-size/terraform-module/terraform-module-blueprint)](https://github.com/terraform-module/terraform-module-blueprint)
-![](https://img.shields.io/github/languages/top/terraform-module/terraform-module-blueprint?color=green&logo=terraform&logoColor=blue)
-![](https://img.shields.io/github/commit-activity/m/terraform-module/terraform-module-blueprint)
-![](https://img.shields.io/github/contributors/terraform-module/terraform-module-blueprint)
-![](https://img.shields.io/github/last-commit/terraform-module/terraform-module-blueprint)
-[![Maintenance](https://img.shields.io/badge/Maintenu%3F-oui-green.svg)](https://GitHub.com/terraform-module/terraform-module-blueprint/graphs/commit-activity)
-[![GitHub forks](https://img.shields.io/github/forks/terraform-module/terraform-module-blueprint.svg?style=social&label=Fork)](https://github.com/terraform-module/terraform-module-blueprint)
+# Velero installation on AWS EKS Kubernetes
+
+![](https://github.com/terraform-module/terraform-kubernetes-velero/workflows/release/badge.svg)
+![](https://github.com/terraform-module/terraform-kubernetes-velero/workflows/commit-check/badge.svg)
+![](https://github.com/terraform-module/terraform-kubernetes-velero/workflows/labeler/badge.svg)
+
+[![](https://img.shields.io/github/license/terraform-module/terraform-kubernetes-velero)](https://github.com/terraform-module/terraform-kubernetes-velero)
+![](https://img.shields.io/github/v/tag/terraform-module/terraform-kubernetes-velero)
+![](https://img.shields.io/issues/github/terraform-module/terraform-kubernetes-velero)
+![](https://img.shields.io/github/issues/terraform-module/terraform-kubernetes-velero)
+![](https://img.shields.io/github/issues-closed/terraform-module/terraform-kubernetes-velero)
+[![](https://img.shields.io/github/languages/code-size/terraform-module/terraform-kubernetes-velero)](https://github.com/terraform-module/terraform-kubernetes-velero)
+[![](https://img.shields.io/github/repo-size/terraform-module/terraform-kubernetes-velero)](https://github.com/terraform-module/terraform-kubernetes-velero)
+![](https://img.shields.io/github/languages/top/terraform-module/terraform-kubernetes-velero?color=green&logo=terraform&logoColor=blue)
+![](https://img.shields.io/github/commit-activity/m/terraform-module/terraform-kubernetes-velero)
+![](https://img.shields.io/github/contributors/terraform-module/terraform-kubernetes-velero)
+![](https://img.shields.io/github/last-commit/terraform-module/terraform-kubernetes-velero)
+[![Maintenance](https://img.shields.io/badge/Maintenu%3F-oui-green.svg)](https://GitHub.com/terraform-module/terraform-kubernetes-velero/graphs/commit-activity)
+[![GitHub forks](https://img.shields.io/github/forks/terraform-module/terraform-kubernetes-velero.svg?style=social&label=Fork)](https://github.com/terraform-module/terraform-kubernetes-velero)
+
+## References
+
+- [Velero Providers](https://velero.io/docs/master/supported-providers/)
+- [Velero BackupStorage](https://velero.io/docs/master/api-types/backupstoragelocation/)
+- [Velero Basic Install](https://velero.io/docs/v1.4/basic-install/)
+- [Velero Daily Backup/Disaster Recovery](https://velero.io/docs/v1.4/disaster-case/)
+- [Velero Cluster Migration](https://velero.io/docs/v1.4/migration-case/)
+- [Velero AWS Plugin](https://github.com/vmware-tanzu/velero-plugin-for-aws)
+
+- [Chart installation](https://github.com/vmware-tanzu/helm-charts/blob/master/charts/velero/README.md)
+- [Velero Helm Chart](https://github.com/vmware-tanzu/velero)
+- [AWS Setup](https://github.com/vmware-tanzu/velero-plugin-for-aws#setup)
+- [AWS CSI Driver](https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html)
+- [Cassandra Example](https://velero.io/blog/velero-v1-1-stateful-backup-vsphere/)
+
+## Installation
+
+```sh
+$ brew install velero
+$ helm repo add vmware-tanzu https://vmware-tanzu.github.io/helm-charts
+```
 
 ## Documentation
 
@@ -39,7 +59,45 @@ Here's the gist of using it directly from github.
 ## Module Variables
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-Error: no lines in file
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 0.12 |
+| helm | >= 1.2 |
+| kubernetes | >= 1.11.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+| helm | >= 1.2 |
+| kubernetes | >= 1.11.0 |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| app\_deploy | whther or not to deploy app | `bool` | `true` | no |
+| bucket | Backup and Restore bucket. | `string` | n/a | yes |
+| cluster\_name | Cluster name. | `string` | n/a | yes |
+| description | Namespace description | `string` | `"velero-back-up-and-restore"` | no |
+| name | namespace name | `string` | `"velero"` | no |
+| namespace\_deploy | whther or not to deploy namespace | `bool` | `false` | no |
+| openid\_connect\_provider\_uri | OpenID Connect Provider for EKS to enable IRSA. | `string` | n/a | yes |
+| repository | VMware Tanzu repository for Helm repos. | `string` | `"https://vmware-tanzu.github.io/helm-charts"` | no |
+| tags | A mapping of tags to assign to the object. | `map` | `{}` | no |
+| values | List of values in raw yaml to pass to helm. Values will be merged. | `list(string)` | n/a | yes |
+| vars | A Release is an instance of a chart running in a Kubernetes cluster. | `map` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| namespace | Namespace name |
+| namespace\_name | Namespace name |
+
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 ## Commands
@@ -72,10 +130,14 @@ Submit a pull request
 
 # Authors
 
-Currently maintained by [Ivan Katliarchuk](https://github.com/ivankatliarchuk) and these [awesome contributors](https://github.com/terraform-module/terraform-module-blueprint/graphs/contributors).
+Currently maintained by [Ivan Katliarchuk](https://github.com/ivankatliarchuk) and these [awesome contributors](https://github.com/terraform-module/terraform-kubernetes-velero/graphs/contributors).
 
 [![ForTheBadge uses-git](http://ForTheBadge.com/images/badges/uses-git.svg)](https://GitHub.com/)
 
 ## Terraform Registry
 
-- [Module](https://registry.terraform.io/modules/terraform-module/todo/aws)
+- [Module](https://registry.terraform.io/modules/terraform-module/kubernetes-velero/aws)
+
+## TODO
+
+- [ ] Kiam support
diff --git a/data.tf b/data.tf
@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}
diff --git a/iam.tf b/iam.tf
@@ -0,0 +1,78 @@
+data aws_iam_policy_document assume_role {
+  statement {
+    sid = "serviceaccount"
+
+    actions = [
+      "sts:AssumeRoleWithWebIdentity",
+    ]
+
+    principals {
+      type        = "Federated"
+      identifiers = ["arn:aws:iam::${local.account_id}:oidc-provider/${var.openid_connect_provider_uri}"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "${var.openid_connect_provider_uri}:sub"
+
+      values = [
+        "system:serviceaccount:${local.namespace}:velero-server",
+      ]
+    }
+  }
+}
+
+data aws_iam_policy_document policy {
+  statement {
+    sid = "ec2"
+
+    actions = [
+      "ec2:DescribeVolumes",
+      "ec2:DescribeSnapshots",
+      "ec2:CreateTags",
+      "ec2:CreateVolume",
+      "ec2:CreateSnapshot",
+      "ec2:DeleteSnapshot",
+    ]
+
+    resources = ["*", ]
+  }
+  statement {
+    sid = "s3list"
+
+    actions = [
+      "s3:ListBucket",
+    ]
+
+    resources = ["arn:aws:s3:::${var.bucket}", ]
+  }
+
+  statement {
+    sid = "s3backup"
+
+    actions = [
+      "s3:GetObject",
+      "s3:DeleteObject",
+      "s3:PutObject",
+      "s3:AbortMultipartUpload",
+      "s3:ListMultipartUploadParts"
+    ]
+    resources = ["arn:aws:s3:::${var.bucket}/velero/*", ]
+  }
+}
+
+resource aws_iam_role this {
+  name               = format("%s-%s", var.cluster_name, var.name)
+  assume_role_policy = data.aws_iam_policy_document.assume_role.json
+  tags = merge(var.tags,
+    { Attached = var.name },
+    { ServiceAccountName = var.name },
+    { ServiceAccountNameSpace = local.namespace },
+  )
+}
+
+resource aws_iam_role_policy this {
+  name   = format("%s-%s", var.cluster_name, var.name)
+  role   = aws_iam_role.this.id
+  policy = data.aws_iam_policy_document.policy.json
+}
diff --git a/locals.tf b/locals.tf
@@ -0,0 +1,4 @@
+locals {
+  namespace  = element(concat([for entry in kubernetes_namespace.this : entry.id], list("")), 0)
+  account_id = data.aws_caller_identity.current.account_id
+}
diff --git a/main.tf b/main.tf
@@ -0,0 +1,37 @@
+resource kubernetes_namespace this {
+  count = var.namespace_deploy ? 1 : 0
+
+  metadata {
+    name = var.name
+
+    labels = {
+      name        = var.name
+      description = var.description
+    }
+  }
+}
+
+resource helm_release this {
+  count = var.app_deploy ? 1 : 0
+
+  name       = var.name
+  chart      = var.name
+  namespace  = local.namespace
+  repository = var.repository
+
+  force_update  = lookup(var.vars, "force_update", true)
+  wait          = lookup(var.vars, "wait", true)
+  recreate_pods = lookup(var.vars, "recreate_pods", true)
+  max_history   = lookup(var.vars, "max_history", 0)
+  lint          = lookup(var.vars, "lint", true)
+  version       = lookup(var.vars, "version", "2.12.0")
+
+  values = concat(var.values, list(<<EOF
+serviceAccount:
+  server:
+    create: true
+    annotations:
+      eks.amazonaws.com/role-arn: "${aws_iam_role.this.arn}"
+EOF
+  ))
+}
diff --git a/outputs.tf b/outputs.tf
@@ -1,4 +1,9 @@
-output "used" {
-  description = "used value"
-  value       = var.variable
+output "namespace" {
+  value       = kubernetes_namespace.this[0].metadata[0].name
+  description = "Namespace name"
+}
+
+output "namespace_name" {
+  value       = local.namespace
+  description = "Namespace name"
 }
diff --git a/variables.tf b/variables.tf
@@ -1,5 +1,61 @@
-variable "variable" {
-  default     = "variable"
-  description = "defaul,description,type"
+variable "cluster_name" {
+  description = "Cluster name."
+  type        = string
+}
+
+variable "namespace_deploy" {
+  default     = false
+  description = "whther or not to deploy namespace"
+  type        = bool
+}
+
+variable "app_deploy" {
+  default     = true
+  description = "whther or not to deploy app"
+  type        = bool
+}
+
+variable "name" {
+  default     = "velero"
+  description = "namespace name"
+  type        = string
+}
+
+variable "description" {
+  default     = "velero-back-up-and-restore"
+  description = "Namespace description"
+  type        = string
+}
+
+variable "openid_connect_provider_uri" {
+  description = "OpenID Connect Provider for EKS to enable IRSA."
+  type        = string
+}
+
+variable "tags" {
+  default     = {}
+  description = "A mapping of tags to assign to the object."
+  type        = map
+}
+
+variable "repository" {
+  default     = "https://vmware-tanzu.github.io/helm-charts"
+  description = "VMware Tanzu repository for Helm repos."
+  type        = string
+}
+
+variable "values" {
+  description = "List of values in raw yaml to pass to helm. Values will be merged."
+  type        = list(string)
+}
+
+variable "vars" {
+  description = "A Release is an instance of a chart running in a Kubernetes cluster."
+  type        = map
+  default     = {}
+}
+
+variable "bucket" {
+  description = "Backup and Restore bucket."
   type        = string
 }
diff --git a/versions.tf b/versions.tf
@@ -1,3 +1,8 @@
 terraform {
   required_version = ">= 0.12"
+
+  required_providers {
+    kubernetes = ">= 1.11.0"
+    helm       = ">= 1.2"
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+data "aws_caller_identity" "current" {}`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,8 @@`
`1`	`1`	`terraform {`
`2`	`2`	`required_version = ">= 0.12"`
	`3`	`+`
	`4`	`+ required_providers {`
	`5`	`+ kubernetes = ">= 1.11.0"`
	`6`	`+ helm = ">= 1.2"`
	`7`	`+ }`
`3`	`8`	`}`