terraform-aws-catalyst-platform

This module provisions the Catalyst Platform in AWS. The Catalyst Platform is a simple end-to-end implementation of Kubernetes in AWS, so that you can get to what matters most as fast as possible, deploying your code to deliver value. It includes deployment of:

• An AWS VPC with private and public subnets with appropriate tagging required to operate EKS.
• An EKS cluster with default node groups.
• Management of the aws-auth configmap for authorization via AWS IAM into the cluster.
• IAM dependencies for the cluster autoscaler.
• S3 and IAM dependencies for operating Velero, Cortex, and Loki in AWS EKS via IRSA.

Example Implementations

Basic

The most basic implementation requires only specifying names and availability zone configurations:

provider "aws" {
  region = "us-east-1"
}

module "platform" {
  source = "catalystcommunity/catalyst-platform/aws"

  vpc_name = "dev"
  vpc_cidr = "10.1.0.0/16"

  availability_zones = [
    {
      az_name             = "us-east-1a"
      private_subnet_cidr = "10.1.0.0/18"
      public_subnet_cidr  = "10.1.128.0/23"
    },
    {
      az_name             = "us-east-1b"
      private_subnet_cidr = "10.1.64.0/18"
      public_subnet_cidr  = "10.1.130.0/23"
    }
  ]

  eks_cluster_name = "dev"
}

aws-auth configmap management

For management of the AWS auth configmap, a kubernetes provider is required and must depend on the output of the EKS cluster:

provider "aws" {
  region = "us-east-1"
}

provider "kubernetes" {
  # overwrite config_path to ensure existing kubeconfig does not get used
  config_path = ""

  # build kube config based on output of platform module to ensure that it
  # speaks to the new cluster when creating the aws-auth configmap
  host                   = module.platform.eks_cluster_endpoint
  cluster_ca_certificate = base64decode(module.platform.eks_cluster_certificate_authority_data)

  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    args        = [
      "eks", "get-token", "--cluster-name", module.platform.eks_cluster_id,
      # Any additional aws provider configuration should be specified via
      # command line args or environment variables, so that the kubernetes
      # provider can retrieve a token via the AWS CLI. This approach requires
      # the AWS CLI to be installed locally.
      "--region", "us-east-1",
      # "--profile", "my-profile-name", 
    ]
  }
}

module "platform" {
  source = "catalystcommunity/catalyst-platform/aws"

  vpc_name = "dev"
  vpc_cidr = "10.1.0.0/16"

  availability_zones = [
    {
      az_name             = "us-east-1a"
      private_subnet_cidr = "10.1.0.0/18"
      public_subnet_cidr  = "10.1.128.0/23"
    },
    {
      az_name             = "us-east-1b"
      private_subnet_cidr = "10.1.64.0/18"
      public_subnet_cidr  = "10.1.130.0/23"
    }
  ]

  eks_cluster_name          = "dev"
  manage_aws_auth_configmap = true
  aws_auth_sso_roles = [
    {
      sso_role_name = "admin"
      username      = "admin"
      groups        = ["system:masters"]
    }
  ]
}

Requirements

Name	Version
terraform	>= 0.13.1
archive	~> 2.0
aws	~> 5.0
kubernetes	~> 2.0
tls	~> 3.0

Inputs

Name	Description	Type	Default	Required
eks_cluster_name	Name of EKS cluster. Used in naming of many EKS resources, including cluster, IAM roles and policies, S3 buckets for Velero, Cortex, Loki, etc.	string	n/a	yes
vpc_name	Name of the VPC to create. Used in VPC resource tags for naming.	string	n/a	yes
alarm_lambda_settings	Alarm lambda function settings. Default settings are provided for slack and teams, but can be overridden here.	map(object({ source_code_path = string zip_source_filename = string handler = string runtime = string }))	{}	no
alarm_sns_topics	List of SNS topics to create for alerting on CloudWatch Synthetics Canaries. All created SNS topics will be supplied to the Synthetics Canary alarms. publish_target_type should specify one of the supported targets, currently slack and teams.	list(object({ name = string publish_target_type = string webhook_url = string }))	[]	no
availability_zones	List of Availability zones with corresponding public and private subnet CIDRs to create subnets in each. Default EKS node groups get created for each availability zone specified.	list(object({ az_name = string private_subnet_cidr = string public_subnet_cidr = string }))	[]	no
aws_auth_roles	Extra roles to add to the mapRoles field in the aws_auth configmap, for granting access via IAM roles	list(object({ rolearn = string username = string groups = list(string) }))	[]	no
aws_auth_sso_roles	Extra SSO roles to add to the mapRoles field. Auto discovers SSO role ARNs based on regex.	list(object({ sso_role_name = string username = string groups = list(string) }))	[]	no
aws_auth_users	Extra users to add to the mapUsers field in the aws_auth configmap, for granting access via IAM users	list(object({ userarn = string username = string groups = list(string) }))	[]	no
aws_ebs_csi_driver_namespace	AWS EBS CSI driver namespace, for configuring IRSA.	string	"kube-system"	no
aws_ebs_csi_driver_service_account_name	AWS EBS CSI driver service account name, for configuring IRSA.	string	"ebs-csi-controller-sa"	no
cloudwatch_synthetics_bucket_name_override	Override the CloudWatch Synthetics bucket name.	string	""	no
cloudwatch_synthetics_canaries	List of CloudWatch Synthetic Canaries to create. Name is required, all other fields will inherit defaults if set to null.	list(object({ name = string artifact_s3_location = string handler = string runtime_version = string source_code_path = string environment_variables = map(string) delete_lambda = bool timeout_in_seconds = number schedule_expression = string create_alarm = bool alarm_config = object({ comparison_operator = string evaluation_periods = number period = number statistic = string threshold = number alarm_description = string }) }))	[]	no
cluster_autoscaler_namespace	Cluster autoscaler namespace, for configuring IRSA.	string	"cluster-autoscaler"	no
cluster_autoscaler_service_account_name	Cluster autoscaler service account name, for configuring IRSA.	string	"cluster-autoscaler"	no
cortex_bucket_name_override	Override the Cortex bucket name	string	""	no
cortex_namespace	Cortex namespace, for configuring IRSA.	string	"cortex"	no
cortex_service_account_name	Cortex service account name, for configuring IRSA.	string	"cortex"	no
create_cloudwatch_synthetics_bucket	Whether to create an S3 bucket for CloudWatch Synthetics.	bool	false	no
create_cortex_bucket	Whether to create the Cortex bucket when Cortex dependencies are enabled. Allows for disabling the bucket and still creating the IAM dependencies, for scenarios where the bucket is not managed by terraform such as disaster recovery	bool	true	no
create_loki_bucket	Whether to create the Loki bucket when Loki dependencies are enabled. Allows for disabling the bucket and still creating the IAM dependencies, for scenarios where the bucket is not managed by terraform such as disaster recovery	bool	true	no
create_velero_bucket	Whether to create the Velero bucket when Velero dependencies are enabled. Allows for disabling the bucket and still creating the IAM dependencies, for scenarios where the bucket is not managed by terraform such as disaster recovery	bool	true	no
eks_cluster_enabled_log_types	List of EKS log types to enable.	list(string)	[]	no
eks_cluster_endpoint_private_access	Whether to enable private VPC access to the k8s API.	bool	false	no
eks_cluster_endpoint_public_access	Whether to enable public internet access to the k8s API.	bool	true	no
eks_cluster_endpoint_public_access_cidrs	What CIDRs to allow public access from to the k8s API.	list(string)	[ "0.0.0.0/0" ]	no
eks_cluster_version	Kubernetes version of the EKS cluster.	string	"1.22"	no
eks_default_node_groups_initial_desired_size	Default node groups' initial desired size. Changes to this field are ignored to prevent downscaling during terraform updates.	number	1	no
eks_default_node_groups_instance_types	EC2 instance types to configure the default node groups with.	list(string)	[ "t3.medium" ]	no
eks_default_node_groups_max_size	Default node groups' maximum size.	number	3	no
eks_default_node_groups_min_size	Default node groups' minimum size	number	1	no
eks_default_node_groups_version	Kubernetes version of the EKS cluster's default node groups, allows for upgrading the kubernetes control plane first, then upgrading the node groups separately afterwards. Defaults to the specified eks_cluster_version variable.	string	""	no
enable_aws_ebs_csi_driver_irsa	Whether to enable the AWS EBS CSI driver IAM role with IRSA.	bool	false	no
enable_cortex_dependencies	Whether to enable Cortex S3 bucket and IAM role with IRSA.	bool	false	no
enable_eks_default_node_groups	Enables creation of a default set of node groups, one per availability zone defined by the availability_zones variable	bool	true	no
enable_eks_subnet_tags	Whether to enable addition of EKS tags to subnet resources.	bool	true	no
enable_loki_dependencies	Whether to enable Loki S3 bucket and IAM role with IRSA.	bool	false	no
enable_velero_dependencies	Whether to enable Velero S3 bucket and IAM role with IRSA.	bool	true	no
loki_bucket_name_override	Override the Loki bucket name	string	""	no
loki_namespace	Loki namespace, for configuring IRSA.	string	"loki"	no
loki_service_account_name	Loki service account name, for configuring IRSA.	string	"loki"	no
manage_aws_auth_configmap	Whether to manage the aws-auth configmap. Requires configuration of a Kubernetes provider.	bool	false	no
tags	n/a	map(string)	{}	no
velero_bucket_name_override	Override the Velero bucket name	string	""	no
velero_namespace	Velero namespace, for configuring IRSA.	string	"velero"	no
velero_service_account_name	Velero service account name, for configuring IRSA.	string	"velero"	no
vpc_cidr	VPC CIDR.	string	"10.0.0.0/16"	no

Outputs

Name	Description
cluster_autoscaler_irsa_role_arn	n/a
cortex_irsa_role_arn	n/a
cortex_s3_bucket_id	n/a
eks_cluster_arn	n/a
eks_cluster_certificate_authority_data	n/a
eks_cluster_endpoint	n/a
eks_cluster_id	n/a
eks_identity_oidc_url	n/a
eks_irsa_provider_arn	n/a
loki_irsa_role_arn	n/a
loki_s3_bucket_id	n/a
private_subnet_ids	n/a
public_subnet_ids	n/a
velero_irsa_role_arn	n/a
velero_s3_bucket_id	n/a
vpc_id	n/a

Resources

Name	Type
aws_cloudwatch_metric_alarm.canary_alarm	resource
aws_eip.ngw	resource
aws_eks_cluster.cluster	resource
aws_eks_node_group.default	resource
aws_iam_openid_connect_provider.irsa_provider	resource
aws_iam_policy.alarm_lambda_access	resource
aws_iam_policy.cloudwatch_synthetics_access	resource
aws_iam_role.alarm_lambda_execution_role	resource
aws_iam_role.cloudwatch_synthetics_execution_role	resource
aws_iam_role.cluster_role	resource
aws_iam_role.default_node_group_role	resource
aws_iam_role_policy_attachment.alarm_lambda_access	resource
aws_iam_role_policy_attachment.aws_ebs_csi_driver	resource
aws_iam_role_policy_attachment.cloudwatch_synthetics_access	resource
aws_iam_role_policy_attachment.cluster_role_policy	resource
aws_iam_role_policy_attachment.node_group_policy	resource
aws_internet_gateway.igw	resource
aws_lambda_function.alarm	resource
aws_lambda_permission.alarm_sns_access	resource
aws_nat_gateway.ngw	resource
aws_route.private-ngw	resource
aws_route.public-igw	resource
aws_route_table.private	resource
aws_route_table.public	resource
aws_route_table_association.private	resource
aws_route_table_association.public	resource
aws_s3_bucket.cloudwatch_synthetics_artifacts	resource
aws_s3_bucket.cortex	resource
aws_s3_bucket.loki	resource
aws_s3_bucket.velero	resource
aws_s3_bucket_acl.cloudwatch_synthetics_artifacts	resource
aws_s3_bucket_acl.cortex	resource
aws_s3_bucket_acl.loki	resource
aws_s3_bucket_acl.velero	resource
aws_s3_bucket_server_side_encryption_configuration.cloudwatch_synthetics_artifacts	resource
aws_s3_bucket_server_side_encryption_configuration.cortex	resource
aws_s3_bucket_server_side_encryption_configuration.loki	resource
aws_s3_bucket_server_side_encryption_configuration.velero	resource
aws_sns_topic.alarms	resource
aws_sns_topic_subscription.alarm_lambda	resource
aws_subnet.private	resource
aws_subnet.public	resource
aws_synthetics_canary.canary	resource
aws_vpc.vpc	resource
kubernetes_config_map_v1_data.aws_auth	resource
archive_file.alarm_lambda_code	data source
archive_file.synthetic_canary_lambda_code	data source
aws_caller_identity.current	data source
aws_iam_policy_document.alarm_lambda_access	data source
aws_iam_policy_document.alarm_lambda_assume_role	data source
aws_iam_policy_document.cloudwatch_synthetics_access	data source
aws_iam_policy_document.cloudwatch_synthetics_assume_role	data source
aws_iam_policy_document.cluster_assume_role_policy	data source
aws_iam_policy_document.cluster_autoscaler	data source
aws_iam_policy_document.cortex	data source
aws_iam_policy_document.loki	data source
aws_iam_policy_document.node_group_assume_role_policy	data source
aws_iam_policy_document.velero	data source
aws_iam_roles.sso_auto_discover	data source
aws_region.current	data source
tls_certificate.irsa	data source

Modules

Name	Source	Version
aws_ebs_csi_irsa_role	./modules/eks-irsa-role	n/a
cluster_autoscaler_irsa_role	./modules/eks-irsa-role	n/a
cortex_irsa_role	./modules/eks-irsa-role	n/a
loki_irsa_role	./modules/eks-irsa-role	n/a
velero_irsa_role	./modules/eks-irsa-role	n/a