Merge pull request #7 from shalb/kubeconfig-generate

Kubeconfig generate
shalb · May 17, 2023 · 9b6aa63 · 9b6aa63
2 parents 4243616 + 7b507dd
commit 9b6aa63
Show file tree

Hide file tree

Showing 13 changed files with 185 additions and 66 deletions.
diff --git a/README.md b/README.md
@@ -19,54 +19,97 @@ Terraform module that install core addons in EKS cluster:
 
 | Name | Version |
 |------|---------|
-| terraform | >= 1.2.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.2.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.60.0 |
+| <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.9.0 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.20.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.2.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| aws | n/a |
-| helm | n/a |
-| null | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.66.1 |
+| <a name="provider_helm"></a> [helm](#provider\_helm) | 2.9.0 |
+| <a name="provider_null"></a> [null](#provider\_null) | >= 3.2.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 3.0.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_attach_load_balancer_controller_policy"></a> [attach\_load\_balancer\_controller\_policy](#module\_attach\_load\_balancer\_controller\_policy) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> v5.11 |
+| <a name="module_iam_assumable_role_autoscaler"></a> [iam\_assumable\_role\_autoscaler](#module\_iam\_assumable\_role\_autoscaler) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> 5.11 |
+| <a name="module_iam_assumable_role_efs"></a> [iam\_assumable\_role\_efs](#module\_iam\_assumable\_role\_efs) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> v5.11 |
+| <a name="module_iam_assumable_role_external_secrets"></a> [iam\_assumable\_role\_external\_secrets](#module\_iam\_assumable\_role\_external\_secrets) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> v5.11 |
+| <a name="module_iam_assumable_role_route53"></a> [iam\_assumable\_role\_route53](#module\_iam\_assumable\_role\_route53) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> 5.11 |
+| <a name="module_iam_policy_autoscaler"></a> [iam\_policy\_autoscaler](#module\_iam\_policy\_autoscaler) | terraform-aws-modules/iam/aws//modules/iam-policy | ~> 5.11 |
+| <a name="module_iam_policy_route53"></a> [iam\_policy\_route53](#module\_iam\_policy\_route53) | terraform-aws-modules/iam/aws//modules/iam-policy | ~> 5.11 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.efs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.external_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [helm_release.argocd](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.aws_lb_controller](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.cert_manager](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.efs](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.external_dns](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.external_secrets](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.ingress_nginx](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.kubernetes_metrics_server](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.reloader](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [null_resource.cluster_issuers](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [null_resource.lb_delete_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [random_id.id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [aws_eks_cluster.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
+| [aws_eks_cluster_auth.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| argocd\_chart\_version | Argocd helm chart version | `string` | `"3.29.5"` | no |
-| argocd\_image\_tag | Argocd docker image version | `string` | `"v2.2.2"` | no |
-| argocd\_password\_bcrypted | Bctypted password (hash) for argocd web ui | `string` | `""` | no |
-| cert\_manager\_version | Cert manager helm chart version | `string` | `"v1.5.4"` | no |
-| cluster\_autoscaler\_version | Cluster utoscaler helm chart version | `string` | `"9.27.0"` | no |
-| cluster\_name | EKS cluster name | `string` | n/a | yes |
-| cluster\_oidc\_issuer\_url | The URL on the EKS cluster for the OpenID Connect identity provider | `string` | n/a | yes |
-| cluster\_oidc\_provider\_arn | The ARN of the OIDC Provider if enable\_irsa = true | `string` | n/a | yes |
-| cluster\_subnets | Subnets where EKS worker nodes are spawned. Required for ingress controller. | `list(any)` | `[]` | no |
-| efs\_id | EFD FileSystem ID to use in efs drivers dynamyc storage class | `string` | `""` | no |
-| email | Organization email for LE issuers | `string` | `""` | no |
-| enable\_argocd | Disable/enable ArgoCD addon | `bool` | `false` | no |
-| enable\_aws\_lb\_controller | Disable/enable AWS LB controller | `bool` | `true` | no |
-| enable\_cert\_manager | Disable/enable cert manager | `bool` | `false` | no |
-| enable\_cert\_manager\_http\_issuers | Disable/enable cert manager http issuers | `bool` | `false` | no |
-| enable\_cluster\_autoscaler | Disable/enable AWS cluster autoscaler | `bool` | `true` | no |
-| enable\_efs | Disable/enable AWS EFS driver | `bool` | `false` | no |
-| enable\_external\_dns | Disable/enable external dns | `bool` | `true` | no |
-| enable\_external\_secrets | Disable/enable kubernetes external secrets addon | `bool` | `false` | no |
-| enable\_metrics\_server | Disable/enable Metric Server | `bool` | `false` | no |
-| enable\_nginx | Disable/enable Nginx Ingress | `bool` | `false` | no |
-| enable\_reloader | Disable/enable reloader | `bool` | `false` | no |
-| external\_dns\_version | External dns helm chart version | `string` | `"6.5.6"` | no |
-| external\_secrets\_version | External secrets helm chart version | `string` | `"0.7.2"` | no |
-| ingress\_nginx\_version | Ingress nginx helm chart version | `string` | `"4.2.5"` | no |
-| metrics\_server\_version | Metrics Server helm chart version | `string` | `"6.0.8"` | no |
-| nginx\_default\_cert | Define default ingress nginx cert in format namespace/certname, required for wildcard domains setup. | `string` | `"ingress-nginx/default"` | no |
-| region | EKS cluster region | `string` | n/a | yes |
-| reloader\_version | Reloader chart version | `string` | `"v0.0.118"` | no |
-| route53\_domain | DNS domain to create apps DNS records for applications | `string` | n/a | yes |
-| route53\_zone\_id | The id of the route53 to create apps DNS records (for external dns) | `string` | n/a | yes |
+| <a name="input_argocd_chart_version"></a> [argocd\_chart\_version](#input\_argocd\_chart\_version) | Argocd helm chart version | `string` | `"3.29.5"` | no |
+| <a name="input_argocd_image_tag"></a> [argocd\_image\_tag](#input\_argocd\_image\_tag) | Argocd docker image version | `string` | `"v2.2.2"` | no |
+| <a name="input_argocd_password_bcrypted"></a> [argocd\_password\_bcrypted](#input\_argocd\_password\_bcrypted) | Bctypted password (hash) for argocd web ui | `string` | `""` | no |
+| <a name="input_cert_manager_version"></a> [cert\_manager\_version](#input\_cert\_manager\_version) | Cert manager helm chart version | `string` | `"v1.5.4"` | no |
+| <a name="input_cluster_autoscaler_version"></a> [cluster\_autoscaler\_version](#input\_cluster\_autoscaler\_version) | Cluster utoscaler helm chart version | `string` | `"9.27.0"` | no |
+| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | EKS cluster name | `string` | n/a | yes |
+| <a name="input_cluster_oidc_issuer_url"></a> [cluster\_oidc\_issuer\_url](#input\_cluster\_oidc\_issuer\_url) | The URL on the EKS cluster for the OpenID Connect identity provider | `string` | n/a | yes |
+| <a name="input_cluster_oidc_provider_arn"></a> [cluster\_oidc\_provider\_arn](#input\_cluster\_oidc\_provider\_arn) | The ARN of the OIDC Provider if enable\_irsa = true | `string` | n/a | yes |
+| <a name="input_cluster_subnets"></a> [cluster\_subnets](#input\_cluster\_subnets) | Subnets where EKS worker nodes are spawned. Required for ingress controller. | `list(any)` | `[]` | no |
+| <a name="input_efs_id"></a> [efs\_id](#input\_efs\_id) | EFD FileSystem ID to use in efs drivers dynamyc storage class | `string` | `""` | no |
+| <a name="input_email"></a> [email](#input\_email) | Organization email for LE issuers | `string` | `""` | no |
+| <a name="input_enable_argocd"></a> [enable\_argocd](#input\_enable\_argocd) | Disable/enable ArgoCD addon | `bool` | `false` | no |
+| <a name="input_enable_aws_lb_controller"></a> [enable\_aws\_lb\_controller](#input\_enable\_aws\_lb\_controller) | Disable/enable AWS LB controller | `bool` | `true` | no |
+| <a name="input_enable_cert_manager"></a> [enable\_cert\_manager](#input\_enable\_cert\_manager) | Disable/enable cert manager | `bool` | `false` | no |
+| <a name="input_enable_cert_manager_http_issuers"></a> [enable\_cert\_manager\_http\_issuers](#input\_enable\_cert\_manager\_http\_issuers) | Disable/enable cert manager http issuers | `bool` | `false` | no |
+| <a name="input_enable_cluster_autoscaler"></a> [enable\_cluster\_autoscaler](#input\_enable\_cluster\_autoscaler) | Disable/enable AWS cluster autoscaler | `bool` | `true` | no |
+| <a name="input_enable_efs"></a> [enable\_efs](#input\_enable\_efs) | Disable/enable AWS EFS driver | `bool` | `false` | no |
+| <a name="input_enable_external_dns"></a> [enable\_external\_dns](#input\_enable\_external\_dns) | Disable/enable external dns | `bool` | `true` | no |
+| <a name="input_enable_external_secrets"></a> [enable\_external\_secrets](#input\_enable\_external\_secrets) | Disable/enable kubernetes external secrets addon | `bool` | `false` | no |
+| <a name="input_enable_metrics_server"></a> [enable\_metrics\_server](#input\_enable\_metrics\_server) | Disable/enable Metric Server | `bool` | `false` | no |
+| <a name="input_enable_nginx"></a> [enable\_nginx](#input\_enable\_nginx) | Disable/enable Nginx Ingress | `bool` | `false` | no |
+| <a name="input_enable_reloader"></a> [enable\_reloader](#input\_enable\_reloader) | Disable/enable reloader | `bool` | `false` | no |
+| <a name="input_external_dns_version"></a> [external\_dns\_version](#input\_external\_dns\_version) | External dns helm chart version | `string` | `"6.5.6"` | no |
+| <a name="input_external_secrets_version"></a> [external\_secrets\_version](#input\_external\_secrets\_version) | External secrets helm chart version | `string` | `"0.7.2"` | no |
+| <a name="input_ingress_nginx_version"></a> [ingress\_nginx\_version](#input\_ingress\_nginx\_version) | Ingress nginx helm chart version | `string` | `"4.2.5"` | no |
+| <a name="input_metrics_server_version"></a> [metrics\_server\_version](#input\_metrics\_server\_version) | Metrics Server helm chart version | `string` | `"6.0.8"` | no |
+| <a name="input_nginx_default_cert"></a> [nginx\_default\_cert](#input\_nginx\_default\_cert) | Define default ingress nginx cert in format namespace/certname, required for wildcard domains setup. | `string` | `"ingress-nginx/default"` | no |
+| <a name="input_region"></a> [region](#input\_region) | EKS cluster region | `string` | n/a | yes |
+| <a name="input_reloader_version"></a> [reloader\_version](#input\_reloader\_version) | Reloader chart version | `string` | `"v0.0.118"` | no |
+| <a name="input_route53_domain"></a> [route53\_domain](#input\_route53\_domain) | DNS domain to create apps DNS records for applications | `string` | n/a | yes |
+| <a name="input_route53_zone_id"></a> [route53\_zone\_id](#input\_route53\_zone\_id) | The id of the route53 to create apps DNS records (for external dns) | `string` | n/a | yes |
 
 ## Outputs
 
-No output.
-
+| Name | Description |
+|------|-------------|
+| <a name="output_cluster_certificate_authority_data_raw"></a> [cluster\_certificate\_authority\_data\_raw](#output\_cluster\_certificate\_authority\_data\_raw) | Base64 encoded certificate data required to communicate with the cluster |
+| <a name="output_kubeconfig"></a> [kubeconfig](#output\_kubeconfig) | The kubeconfig to use to authenticate with the cluster |
+| <a name="output_kubeconfig_raw"></a> [kubeconfig\_raw](#output\_kubeconfig\_raw) | The kubeconfig to use to authenticate with the cluster |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/argocd.tf b/argocd.tf
@@ -10,7 +10,7 @@ resource "helm_release" "argocd" {
     null_resource.cluster_issuers
   ]
   values = [
-    "${file("${path.module}/values/argocd.yaml")}"
+    file("${path.module}/values/argocd.yaml")
   ]
   set {
     name  = "server.config.url"

diff --git a/aws-lb-controller.tf b/aws-lb-controller.tf
@@ -21,7 +21,7 @@ module "attach_load_balancer_controller_policy" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
   version = "~> v5.11"
 
-  role_name = "aws-load-balancer-controller-${var.cluster_name}"
+  role_name = "aws-load-balancer-controller-${random_id.id.hex}-${var.cluster_name}"
 
   attach_load_balancer_controller_policy = true
   oidc_providers = {

diff --git a/cert-manager.tf b/cert-manager.tf
@@ -7,7 +7,7 @@ resource "helm_release" "cert_manager" {
   chart            = "cert-manager"
   version          = var.cert_manager_version # "v1.5.4"
   values = [
-    "${file("${path.module}/values/cert-manager.yaml")}"
+    file("${path.module}/values/cert-manager.yaml")
   ]
   set {
     name  = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
@@ -27,24 +27,21 @@ resource "null_resource" "cluster_issuers" {
       enable_http       = var.enable_cert_manager_http_issuers,
       main_route53_zone = var.route53_domain,
     })
+    kubeconfig = local.kubeconfig_base64
   }
   provisioner "local-exec" {
     interpreter = ["/bin/bash", "-c"]
     environment = {
-      KUBE_HOST      = data.aws_eks_cluster.cluster.endpoint
-      CA_CERTIFICATE = data.aws_eks_cluster.cluster.certificate_authority[0].data
-      TOKEN          = data.aws_eks_cluster_auth.cluster.token
+      KUBECONFIG = self.triggers.kubeconfig
     }
-    command = "echo \"${self.triggers.manifest}\" | kubectl apply -s $KUBE_HOST --token $TOKEN --certificate-authority $(echo $CA_CERTIFICATE | base64 -d > /tmp/ca0011; echo /tmp/ca0011) -f -"
+    command = "echo \"${self.triggers.manifest}\" | kubectl apply --kubeconfig <(echo $KUBECONFIG | base64 -d) -f -"
+  }
+  provisioner "local-exec" {
+    when        = destroy
+    interpreter = ["/bin/bash", "-c"]
+    environment = {
+      KUBECONFIG = self.triggers.kubeconfig
+    }
+    command = "echo \"${self.triggers.manifest}\" | kubectl delete --kubeconfig <(echo $KUBECONFIG | base64 -d) -f -"
   }
-  # provisioner "local-exec" {
-  #   when        = destroy
-  #   interpreter = ["/bin/bash", "-c"]
-  #   environment = {
-  #     KUBE_HOST      = data.aws_eks_cluster.cluster.endpoint
-  #     CA_CERTIFICATE = data.aws_eks_cluster.cluster.certificate_authority[0].data
-  #     TOKEN          = data.aws_eks_cluster_auth.cluster.token
-  #   }
-  #   command = "echo \"${self.triggers.manifest}\" | kubectl delete -s $KUBE_HOST --token $TOKEN --certificate-authority $(echo $CA_CERTIFICATE | base64 -d > /tmp/ca0011; echo /tmp/ca0011) -f -"
-  # }
 }
diff --git a/cluster-autoscaler.tf b/cluster-autoscaler.tf
@@ -6,7 +6,7 @@ resource "helm_release" "cluster_autoscaler" {
   chart      = "cluster-autoscaler"
   version    = var.cluster_autoscaler_version
   values = [
-    "${file("${path.module}/values/cluster-autoscaler.yaml")}"
+    file("${path.module}/values/cluster-autoscaler.yaml")
   ]
 
   set {
@@ -27,7 +27,7 @@ module "iam_policy_autoscaler" {
   count   = var.enable_cluster_autoscaler ? 1 : 0
   source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
   version = "~> 5.11"
-  name    = "ClusterAutoScaler-${var.cluster_name}"
+  name    = "ClusterAutoScaler-${random_id.id.hex}-${var.cluster_name}"
   policy  = <<-EOT
   {
     "Version": "2012-10-17",
@@ -62,5 +62,5 @@ module "iam_assumable_role_autoscaler" {
   ]
   oidc_fully_qualified_subjects = ["system:serviceaccount:kube-system:cluster-autoscaler-aws-cluster-autoscaler"]
   provider_url                  = var.cluster_oidc_issuer_url
-  role_name                     = "eks-autoscaler-${var.cluster_name}"
+  role_name                     = "eks-autoscaler-${random_id.id.hex}-${var.cluster_name}"
 }
diff --git a/efs-driver.tf b/efs-driver.tf
@@ -27,7 +27,7 @@ module "iam_assumable_role_efs" {
   source       = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
   version      = "~> v5.11"
   create_role  = true
-  role_name    = "eks-efs-${var.cluster_name}"
+  role_name    = "eks-efs-${random_id.id.hex}-${var.cluster_name}"
   provider_url = var.cluster_oidc_issuer_url
   role_policy_arns = [
     aws_iam_policy.efs[0].arn
@@ -37,7 +37,7 @@ module "iam_assumable_role_efs" {
 
 resource "aws_iam_policy" "efs" {
   count  = var.enable_efs ? 1 : 0
-  name   = "AllowEFS-${var.cluster_name}"
+  name   = "AllowEFS-${random_id.id.hex}-${var.cluster_name}"
   policy = <<-EOF
 {
   "Version": "2012-10-17",

diff --git a/external-dns.tf b/external-dns.tf
@@ -7,7 +7,7 @@ resource "helm_release" "external_dns" {
   chart            = "external-dns"
   version          = var.external_dns_version
   values = [
-    "${file("${path.module}/values/external-dns.yaml")}"
+    file("${path.module}/values/external-dns.yaml")
   ]
   set {
     name  = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
@@ -30,7 +30,7 @@ resource "helm_release" "external_dns" {
 module "iam_policy_route53" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
   version = "~> 5.11"
-  name    = "AllowExternalDNSUpdates-${var.cluster_name}"
+  name    = "AllowExternalDNSUpdates-${random_id.id.hex}-${var.cluster_name}"
   policy  = <<-EOT
   {
     "Version": "2012-10-17",
@@ -74,5 +74,5 @@ module "iam_assumable_role_route53" {
     "system:serviceaccount:cert-manager:cert-manager"
   ]
   provider_url = var.cluster_oidc_issuer_url
-  role_name    = "eks-route53-${var.cluster_name}"
+  role_name    = "eks-route53-${random_id.id.hex}-${var.cluster_name}"
 }
diff --git a/external-secrets.tf b/external-secrets.tf
@@ -16,7 +16,7 @@ module "iam_assumable_role_external_secrets" {
   source       = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
   version      = "~> v5.11"
   create_role  = true
-  role_name    = "eks-external-secrets-${var.cluster_name}"
+  role_name    = "eks-external-secrets-${random_id.id.hex}-${var.cluster_name}"
   provider_url = var.cluster_oidc_issuer_url
   role_policy_arns = [
     aws_iam_policy.external_secrets[0].arn
@@ -26,7 +26,7 @@ module "iam_assumable_role_external_secrets" {
 
 resource "aws_iam_policy" "external_secrets" {
   count  = var.enable_external_secrets ? 1 : 0
-  name   = "AllowExternalSecrets-${var.cluster_name}"
+  name   = "AllowExternalSecrets-${random_id.id.hex}-${var.cluster_name}"
   policy = <<-EOF
 {
   "Version": "2012-10-17",