catalystcommunity/terraform-aws-catalyst-platform

terraform-aws-catalyst-platform

This module provisions the Catalyst Platform in AWS. The Catalyst Platform is a simple end-to-end implementation of Kubernetes in AWS, intended to get you to what matters most, deploying your code, as fast as possible. It includes deployment of:

  • An AWS VPC with private and public subnets, tagged as required to operate EKS.
  • An EKS cluster with default node groups.
  • Management of the aws-auth configmap for authorization via AWS IAM into the cluster.
  • IAM dependencies for the cluster autoscaler.
  • S3 and IAM dependencies for operating Velero, Cortex, and Loki in AWS EKS via IRSA.

Example Implementations

Basic

The most basic implementation requires only specifying names and availability zone configurations:

provider "aws" {
  region = "us-east-1"
}

module "platform" {
  source = "catalystcommunity/catalyst-platform/aws"

  vpc_name = "dev"
  vpc_cidr = "10.1.0.0/16"

  availability_zones = [
    {
      az_name             = "us-east-1a"
      private_subnet_cidr = "10.1.0.0/18"
      public_subnet_cidr  = "10.1.128.0/23"
    },
    {
      az_name             = "us-east-1b"
      private_subnet_cidr = "10.1.64.0/18"
      public_subnet_cidr  = "10.1.130.0/23"
    }
  ]

  eks_cluster_name = "dev"
}

aws-auth configmap management

To manage the aws-auth configmap, a Kubernetes provider is required, and it must be configured from the outputs of the EKS cluster so that it talks to the newly created cluster:

provider "aws" {
  region = "us-east-1"
}

provider "kubernetes" {
  # overwrite config_path to ensure existing kubeconfig does not get used
  config_path = ""

  # build kube config based on output of platform module to ensure that it
  # speaks to the new cluster when creating the aws-auth configmap
  host                   = module.platform.eks_cluster_endpoint
  cluster_ca_certificate = base64decode(module.platform.eks_cluster_certificate_authority_data)

  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    args        = [
      "eks", "get-token", "--cluster-name", module.platform.eks_cluster_id,
      # Any additional aws provider configuration should be specified via
      # command line args or environment variables, so that the kubernetes
      # provider can retrieve a token via the AWS CLI. This approach requires
      # the AWS CLI to be installed locally.
      "--region", "us-east-1",
      # "--profile", "my-profile-name", 
    ]
  }
}

module "platform" {
  source = "catalystcommunity/catalyst-platform/aws"

  vpc_name = "dev"
  vpc_cidr = "10.1.0.0/16"

  availability_zones = [
    {
      az_name             = "us-east-1a"
      private_subnet_cidr = "10.1.0.0/18"
      public_subnet_cidr  = "10.1.128.0/23"
    },
    {
      az_name             = "us-east-1b"
      private_subnet_cidr = "10.1.64.0/18"
      public_subnet_cidr  = "10.1.130.0/23"
    }
  ]

  eks_cluster_name          = "dev"
  manage_aws_auth_configmap = true
  aws_auth_sso_roles = [
    {
      sso_role_name = "admin"
      username      = "admin"
      groups        = ["system:masters"]
    }
  ]
}

Requirements

| Name | Version |
|---|---|
| terraform | >= 0.13.1 |
| archive | ~> 2.0 |
| aws | ~> 5.0 |
| kubernetes | ~> 2.0 |
| tls | ~> 3.0 |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| eks_cluster_name | Name of the EKS cluster. Used in the naming of many EKS resources, including the cluster, IAM roles and policies, and the S3 buckets for Velero, Cortex, Loki, etc. | string | n/a | yes |
| vpc_name | Name of the VPC to create. Used in VPC resource tags for naming. | string | n/a | yes |
| alarm_lambda_settings | Alarm Lambda function settings. Default settings are provided for Slack and Teams, but can be overridden here. | map(object({ source_code_path = string, zip_source_filename = string, handler = string, runtime = string })) | {} | no |
| alarm_sns_topics | List of SNS topics to create for alerting on CloudWatch Synthetics canaries. All created SNS topics are supplied to the Synthetics canary alarms. publish_target_type must be one of the supported targets, currently slack and teams. | list(object({ name = string, publish_target_type = string, webhook_url = string })) | [] | no |
| availability_zones | List of availability zones with corresponding public and private subnet CIDRs; a subnet pair is created in each. Default EKS node groups are created for each availability zone specified. | list(object({ az_name = string, private_subnet_cidr = string, public_subnet_cidr = string })) | [] | no |
| aws_auth_roles | Extra roles to add to the mapRoles field of the aws-auth configmap, for granting access via IAM roles. | list(object({ rolearn = string, username = string, groups = list(string) })) | [] | no |
| aws_auth_sso_roles | Extra SSO roles to add to the mapRoles field. SSO role ARNs are auto-discovered by regex. | list(object({ sso_role_name = string, username = string, groups = list(string) })) | [] | no |
| aws_auth_users | Extra users to add to the mapUsers field of the aws-auth configmap, for granting access via IAM users. | list(object({ userarn = string, username = string, groups = list(string) })) | [] | no |
| aws_ebs_csi_driver_namespace | AWS EBS CSI driver namespace, for configuring IRSA. | string | "kube-system" | no |
| aws_ebs_csi_driver_service_account_name | AWS EBS CSI driver service account name, for configuring IRSA. | string | "ebs-csi-controller-sa" | no |
| cloudwatch_synthetics_bucket_name_override | Override the CloudWatch Synthetics bucket name. | string | "" | no |
| cloudwatch_synthetics_canaries | List of CloudWatch Synthetics canaries to create. name is required; all other fields inherit defaults when set to null. | list(object({ name = string, artifact_s3_location = string, handler = string, runtime_version = string, source_code_path = string, environment_variables = map(string), delete_lambda = bool, timeout_in_seconds = number, schedule_expression = string, create_alarm = bool, alarm_config = object({ comparison_operator = string, evaluation_periods = number, period = number, statistic = string, threshold = number, alarm_description = string }) })) | [] | no |
| cluster_autoscaler_namespace | Cluster autoscaler namespace, for configuring IRSA. | string | "cluster-autoscaler" | no |
| cluster_autoscaler_service_account_name | Cluster autoscaler service account name, for configuring IRSA. | string | "cluster-autoscaler" | no |
| cortex_bucket_name_override | Override the Cortex bucket name. | string | "" | no |
| cortex_namespace | Cortex namespace, for configuring IRSA. | string | "cortex" | no |
| cortex_service_account_name | Cortex service account name, for configuring IRSA. | string | "cortex" | no |
| create_cloudwatch_synthetics_bucket | Whether to create an S3 bucket for CloudWatch Synthetics. | bool | false | no |
| create_cortex_bucket | Whether to create the Cortex bucket when Cortex dependencies are enabled. Allows disabling the bucket while still creating the IAM dependencies, for scenarios where the bucket is not managed by Terraform, such as disaster recovery. | bool | true | no |
| create_loki_bucket | Whether to create the Loki bucket when Loki dependencies are enabled. Allows disabling the bucket while still creating the IAM dependencies, for scenarios where the bucket is not managed by Terraform, such as disaster recovery. | bool | true | no |
| create_velero_bucket | Whether to create the Velero bucket when Velero dependencies are enabled. Allows disabling the bucket while still creating the IAM dependencies, for scenarios where the bucket is not managed by Terraform, such as disaster recovery. | bool | true | no |
| eks_cluster_enabled_log_types | List of EKS control plane log types to enable. | list(string) | [] | no |
| eks_cluster_endpoint_private_access | Whether to enable private VPC access to the Kubernetes API. | bool | false | no |
| eks_cluster_endpoint_public_access | Whether to enable public internet access to the Kubernetes API. | bool | true | no |
| eks_cluster_endpoint_public_access_cidrs | CIDRs from which public access to the Kubernetes API is allowed. | list(string) | ["0.0.0.0/0"] | no |
| eks_cluster_version | Kubernetes version of the EKS cluster. | string | "1.22" | no |
| eks_default_node_groups_initial_desired_size | Default node groups' initial desired size. Changes to this field are ignored to prevent downscaling during Terraform updates. | number | 1 | no |
| eks_default_node_groups_instance_types | EC2 instance types to configure the default node groups with. | list(string) | ["t3.medium"] | no |
| eks_default_node_groups_max_size | Default node groups' maximum size. | number | 3 | no |
| eks_default_node_groups_min_size | Default node groups' minimum size. | number | 1 | no |
| eks_default_node_groups_version | Kubernetes version of the EKS cluster's default node groups. Allows upgrading the Kubernetes control plane first, then upgrading the node groups separately afterwards. Defaults to the value of eks_cluster_version. | string | "" | no |
| enable_aws_ebs_csi_driver_irsa | Whether to create the AWS EBS CSI driver IAM role with IRSA. | bool | false | no |
| enable_cortex_dependencies | Whether to create the Cortex S3 bucket and IAM role with IRSA. | bool | false | no |
| enable_eks_default_node_groups | Whether to create a default set of node groups, one per availability zone defined in the availability_zones variable. | bool | true | no |
| enable_eks_subnet_tags | Whether to add EKS tags to the subnet resources. | bool | true | no |
| enable_loki_dependencies | Whether to create the Loki S3 bucket and IAM role with IRSA. | bool | false | no |
| enable_velero_dependencies | Whether to create the Velero S3 bucket and IAM role with IRSA. | bool | true | no |
| loki_bucket_name_override | Override the Loki bucket name. | string | "" | no |
| loki_namespace | Loki namespace, for configuring IRSA. | string | "loki" | no |
| loki_service_account_name | Loki service account name, for configuring IRSA. | string | "loki" | no |
| manage_aws_auth_configmap | Whether to manage the aws-auth configmap. Requires configuration of a Kubernetes provider. | bool | false | no |
| tags | n/a | map(string) | {} | no |
| velero_bucket_name_override | Override the Velero bucket name. | string | "" | no |
| velero_namespace | Velero namespace, for configuring IRSA. | string | "velero" | no |
| velero_service_account_name | Velero service account name, for configuring IRSA. | string | "velero" | no |
| vpc_cidr | VPC CIDR. | string | "10.0.0.0/16" | no |
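The defaults in the table above leave the Kubernetes API reachable from 0.0.0.0/0, private endpoint access off and control plane logging empty. The following is an added example, not from the module's own documentation, that sets those inputs explicitly; it assumes the Kubernetes provider is configured as in the aws-auth section above, and the CIDR, account id and role name are placeholders.

```hcl
# Added example, not from the module's documentation. The CIDR, account id
# and role ARN are placeholders; replace them with your own values.
module "platform" {
  source = "catalystcommunity/catalyst-platform/aws"

  vpc_name = "prod"
  vpc_cidr = "10.1.0.0/16"

  availability_zones = [
    {
      az_name             = "us-east-1a"
      private_subnet_cidr = "10.1.0.0/18"
      public_subnet_cidr  = "10.1.128.0/23"
    },
    {
      az_name             = "us-east-1b"
      private_subnet_cidr = "10.1.64.0/18"
      public_subnet_cidr  = "10.1.130.0/23"
    }
  ]

  eks_cluster_name = "prod"

  # Defaults expose the API server to 0.0.0.0/0 with no private access.
  # Keep the public endpoint but restrict it to a known egress range, and
  # enable the private endpoint so in-VPC clients never leave the VPC.
  eks_cluster_endpoint_public_access       = true
  eks_cluster_endpoint_public_access_cidrs = ["203.0.113.0/24"] # placeholder CI/office egress
  eks_cluster_endpoint_private_access      = true

  # Default is []: no control plane logs. Audit and authenticator logs are
  # what an investigation of aws-auth or RBAC changes will need.
  eks_cluster_enabled_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]

  # Map an IAM role into the cluster without system:masters; the group must
  # be bound to a ClusterRole in-cluster (RBAC, outside this module).
  manage_aws_auth_configmap = true
  aws_auth_roles = [
    {
      rolearn  = "arn:aws:iam::111111111111:role/eks-readonly" # placeholder
      username = "readonly:{{SessionName}}"
      groups   = ["catalyst:readonly"]
    }
  ]

  tags = { environment = "prod", owner = "platform-team" }
}
```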

Outputs

| Name | Description |
|---|---|
| cluster_autoscaler_irsa_role_arn | n/a |
| cortex_irsa_role_arn | n/a |
| cortex_s3_bucket_id | n/a |
| eks_cluster_arn | n/a |
| eks_cluster_certificate_authority_data | n/a |
| eks_cluster_endpoint | n/a |
| eks_cluster_id | n/a |
| eks_identity_oidc_url | n/a |
| eks_irsa_provider_arn | n/a |
| loki_irsa_role_arn | n/a |
| loki_s3_bucket_id | n/a |
| private_subnet_ids | n/a |
| public_subnet_ids | n/a |
| velero_irsa_role_arn | n/a |
| velero_s3_bucket_id | n/a |
| vpc_id | n/a |
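The IRSA role outputs are consumed by annotating the workload's service account. As an added example, not part of the module, this wires velero_irsa_role_arn to the Velero service account; it assumes the Kubernetes provider from the aws-auth section above and that Velero itself is installed separately (for example via Helm) reusing this account. IRSA's trust policy is scoped to the exact namespace and service account name passed to the module, so the names here must match velero_namespace and velero_service_account_name.

```hcl
# Added example, not from the module. Namespace and service account names
# must equal the module's velero_namespace and velero_service_account_name
# inputs (both default to "velero"); otherwise the IRSA trust policy rejects
# the pod's token and the pod runs without AWS credentials.
resource "kubernetes_namespace" "velero" {
  metadata {
    name = "velero"
  }
}

resource "kubernetes_service_account" "velero" {
  metadata {
    name      = "velero"
    namespace = kubernetes_namespace.velero.metadata[0].name
    annotations = {
      # Read by the EKS pod identity webhook, which injects the web identity
      # token and AWS_ROLE_ARN for this role into pods using this account.
      "eks.amazonaws.com/role-arn" = module.platform.velero_irsa_role_arn
    }
  }
}

# Surface the module-created bucket so the Velero install can point its
# backup storage location at it instead of creating a second bucket.
output "velero_bucket" {
  value = module.platform.velero_s3_bucket_id
}
```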

Resources

| Name | Type |
|---|---|
| aws_cloudwatch_metric_alarm.canary_alarm | resource |
| aws_eip.ngw | resource |
| aws_eks_cluster.cluster | resource |
| aws_eks_node_group.default | resource |
| aws_iam_openid_connect_provider.irsa_provider | resource |
| aws_iam_policy.alarm_lambda_access | resource |
| aws_iam_policy.cloudwatch_synthetics_access | resource |
| aws_iam_role.alarm_lambda_execution_role | resource |
| aws_iam_role.cloudwatch_synthetics_execution_role | resource |
| aws_iam_role.cluster_role | resource |
| aws_iam_role.default_node_group_role | resource |
| aws_iam_role_policy_attachment.alarm_lambda_access | resource |
| aws_iam_role_policy_attachment.aws_ebs_csi_driver | resource |
| aws_iam_role_policy_attachment.cloudwatch_synthetics_access | resource |
| aws_iam_role_policy_attachment.cluster_role_policy | resource |
| aws_iam_role_policy_attachment.node_group_policy | resource |
| aws_internet_gateway.igw | resource |
| aws_lambda_function.alarm | resource |
| aws_lambda_permission.alarm_sns_access | resource |
| aws_nat_gateway.ngw | resource |
| aws_route.private-ngw | resource |
| aws_route.public-igw | resource |
| aws_route_table.private | resource |
| aws_route_table.public | resource |
| aws_route_table_association.private | resource |
| aws_route_table_association.public | resource |
| aws_s3_bucket.cloudwatch_synthetics_artifacts | resource |
| aws_s3_bucket.cortex | resource |
| aws_s3_bucket.loki | resource |
| aws_s3_bucket.velero | resource |
| aws_s3_bucket_acl.cloudwatch_synthetics_artifacts | resource |
| aws_s3_bucket_acl.cortex | resource |
| aws_s3_bucket_acl.loki | resource |
| aws_s3_bucket_acl.velero | resource |
| aws_s3_bucket_server_side_encryption_configuration.cloudwatch_synthetics_artifacts | resource |
| aws_s3_bucket_server_side_encryption_configuration.cortex | resource |
| aws_s3_bucket_server_side_encryption_configuration.loki | resource |
| aws_s3_bucket_server_side_encryption_configuration.velero | resource |
| aws_sns_topic.alarms | resource |
| aws_sns_topic_subscription.alarm_lambda | resource |
| aws_subnet.private | resource |
| aws_subnet.public | resource |
| aws_synthetics_canary.canary | resource |
| aws_vpc.vpc | resource |
| kubernetes_config_map_v1_data.aws_auth | resource |
| archive_file.alarm_lambda_code | data source |
| archive_file.synthetic_canary_lambda_code | data source |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.alarm_lambda_access | data source |
| aws_iam_policy_document.alarm_lambda_assume_role | data source |
| aws_iam_policy_document.cloudwatch_synthetics_access | data source |
| aws_iam_policy_document.cloudwatch_synthetics_assume_role | data source |
| aws_iam_policy_document.cluster_assume_role_policy | data source |
| aws_iam_policy_document.cluster_autoscaler | data source |
| aws_iam_policy_document.cortex | data source |
| aws_iam_policy_document.loki | data source |
| aws_iam_policy_document.node_group_assume_role_policy | data source |
| aws_iam_policy_document.velero | data source |
| aws_iam_roles.sso_auto_discover | data source |
| aws_region.current | data source |
| tls_certificate.irsa | data source |

Modules

| Name | Source | Version |
|---|---|---|
| aws_ebs_csi_irsa_role | ./modules/eks-irsa-role | n/a |
| cluster_autoscaler_irsa_role | ./modules/eks-irsa-role | n/a |
| cortex_irsa_role | ./modules/eks-irsa-role | n/a |
| loki_irsa_role | ./modules/eks-irsa-role | n/a |
| velero_irsa_role | ./modules/eks-irsa-role | n/a |
