diff --git a/terraform/layer1-aws/README.md b/terraform/layer1-aws/README.md index 6610f9af..7aa06968 100644 --- a/terraform/layer1-aws/README.md +++ b/terraform/layer1-aws/README.md 
@@ -118,3 +118,129 @@ | [vpc\_name](#output\_vpc\_name) | Name of infra VPC | | [vpc\_private\_subnets](#output\_vpc\_private\_subnets) | Private subnets of infra VPC | | [vpc\_public\_subnets](#output\_vpc\_public\_subnets) | Public subnets of infra VPC | + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | 1.1.8 | +| [aws](#requirement\_aws) | 4.10.0 | +| [kubectl](#requirement\_kubectl) | 1.14.0 | +| [kubernetes](#requirement\_kubernetes) | 2.10.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 4.10.0 | +| [kubectl](#provider\_kubectl) | 1.14.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [acm](#module\_acm) | terraform-aws-modules/acm/aws | 3.3.0 | +| [aws\_ebs\_csi\_driver](#module\_aws\_ebs\_csi\_driver) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 4.14.0 | +| [eks](#module\_eks) | terraform-aws-modules/eks/aws | 18.9.0 | +| [eventbridge](#module\_eventbridge) | terraform-aws-modules/eventbridge/aws | 1.14.0 | +| [pritunl](#module\_pritunl) | ../modules/aws-pritunl | n/a | +| [r53\_zone](#module\_r53\_zone) | terraform-aws-modules/route53/aws//modules/zones | 2.5.0 | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 3.12.0 | +| [vpc\_cni\_irsa](#module\_vpc\_cni\_irsa) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 4.14.0 | +| [vpc\_gateway\_endpoints](#module\_vpc\_gateway\_endpoints) | terraform-aws-modules/vpc/aws//modules/vpc-endpoints | 3.12.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudtrail.main](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/cloudtrail) | resource | +| [aws_ebs_encryption_by_default.default](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/ebs_encryption_by_default) | resource | +| 
[aws_iam_account_password_policy.default](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/iam_account_password_policy) | resource | +| [aws_kms_key.eks](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/kms_key) | resource | +| [aws_s3_bucket.cloudtrail](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_acl.cloudtrail](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket_acl) | resource | +| [aws_s3_bucket_lifecycle_configuration.cloudtrail](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket_lifecycle_configuration) | resource | +| [aws_s3_bucket_policy.cloudtrail](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket_policy) | resource | +| [aws_s3_bucket_public_access_block.cloudtrail](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.cloudtrail](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_sns_topic.security_alerts](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/sns_topic) | resource | +| [aws_sns_topic_policy.security_alerts](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/sns_topic_policy) | resource | +| [aws_sns_topic_subscription.security_alerts](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/sns_topic_subscription) | resource | +| [kubectl_manifest.aws_auth_configmap](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource | +| [aws_acm_certificate.main](https://registry.terraform.io/providers/aws/4.10.0/docs/data-sources/acm_certificate) | data source | +| [aws_ami.eks_default_bottlerocket](https://registry.terraform.io/providers/aws/4.10.0/docs/data-sources/ami) | data source | +| 
[aws_availability_zones.available](https://registry.terraform.io/providers/aws/4.10.0/docs/data-sources/availability_zones) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/aws/4.10.0/docs/data-sources/caller_identity) | data source | +| [aws_eks_addon_version.aws_ebs_csi_driver](https://registry.terraform.io/providers/aws/4.10.0/docs/data-sources/eks_addon_version) | data source | +| [aws_eks_addon_version.coredns](https://registry.terraform.io/providers/aws/4.10.0/docs/data-sources/eks_addon_version) | data source | +| [aws_eks_addon_version.kube_proxy](https://registry.terraform.io/providers/aws/4.10.0/docs/data-sources/eks_addon_version) | data source | +| [aws_eks_addon_version.vpc_cni](https://registry.terraform.io/providers/aws/4.10.0/docs/data-sources/eks_addon_version) | data source | +| [aws_eks_cluster.main](https://registry.terraform.io/providers/aws/4.10.0/docs/data-sources/eks_cluster) | data source | +| [aws_eks_cluster_auth.main](https://registry.terraform.io/providers/aws/4.10.0/docs/data-sources/eks_cluster_auth) | data source | +| [aws_route53_zone.main](https://registry.terraform.io/providers/aws/4.10.0/docs/data-sources/route53_zone) | data source | +| [aws_security_group.default](https://registry.terraform.io/providers/aws/4.10.0/docs/data-sources/security_group) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [allowed\_account\_ids](#input\_allowed\_account\_ids) | List of allowed AWS account IDs | `list` | `[]` | no | +| [allowed\_ips](#input\_allowed\_ips) | IP addresses allowed to connect to private resources | `list(any)` | `[]` | no | +| [aws\_account\_password\_policy](#input\_aws\_account\_password\_policy) | n/a | `any` |
{
"allow_users_to_change_password": true,
"create": true,
"hard_expiry": false,
"max_password_age": 90,
"minimum_password_length": 14,
"password_reuse_prevention": 10,
"require_lowercase_characters": true,
"require_numbers": true,
"require_symbols": true,
"require_uppercase_characters": true
}
| no | +| [aws\_cis\_benchmark\_alerts](#input\_aws\_cis\_benchmark\_alerts) | AWS CIS Benchmark alerts configuration | `any` |
{
"email": "demo@example.com",
"enabled": "false",
"rules": {
"aws_config_changes_enabled": true,
"cloudtrail_configuration_changes_enabled": true,
"console_login_failed_enabled": true,
"consolelogin_without_mfa_enabled": true,
"iam_policy_changes_enabled": true,
"kms_cmk_delete_or_disable_enabled": true,
"nacl_changes_enabled": true,
"network_gateway_changes_enabled": true,
"organization_changes_enabled": true,
"parameter_store_actions_enabled": true,
"route_table_changes_enabled": true,
"s3_bucket_policy_changes_enabled": true,
"secrets_manager_actions_enabled": true,
"security_group_changes_enabled": true,
"unauthorized_api_calls_enabled": true,
"usage_of_root_account_enabled": true,
"vpc_changes_enabled": true
}
}
| no | +| [az\_count](#input\_az\_count) | Count of avaiablity zones, min 2 | `number` | `3` | no | +| [cidr](#input\_cidr) | Default CIDR block for VPC | `string` | `"10.0.0.0/16"` | no | +| [cloudtrail\_logs\_s3\_expiration\_days](#input\_cloudtrail\_logs\_s3\_expiration\_days) | How many days keep cloudtrail logs on S3 | `string` | `180` | no | +| [create\_acm\_certificate](#input\_create\_acm\_certificate) | Whether to create acm certificate or use existing | `bool` | `false` | no | +| [create\_r53\_zone](#input\_create\_r53\_zone) | Create R53 zone for main public domain | `bool` | `false` | no | +| [domain\_name](#input\_domain\_name) | Main public domain name | `any` | n/a | yes | +| [eks\_cloudwatch\_log\_group\_retention\_in\_days](#input\_eks\_cloudwatch\_log\_group\_retention\_in\_days) | Number of days to retain log events. Default retention - 90 days. | `number` | `90` | no | +| [eks\_cluster\_enabled\_log\_types](#input\_eks\_cluster\_enabled\_log\_types) | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html). Possible values: api, audit, authenticator, controllerManager, scheduler | `list(string)` |
[
"audit"
]
| no | +| [eks\_cluster\_encryption\_config\_enable](#input\_eks\_cluster\_encryption\_config\_enable) | Enable or not encryption for k8s secrets with aws-kms | `bool` | `false` | no | +| [eks\_cluster\_endpoint\_only\_pritunl](#input\_eks\_cluster\_endpoint\_only\_pritunl) | Only Pritunl VPN server will have access to eks endpoint. | `bool` | `false` | no | +| [eks\_cluster\_endpoint\_private\_access](#input\_eks\_cluster\_endpoint\_private\_access) | Enable or not private access to cluster endpoint | `bool` | `false` | no | +| [eks\_cluster\_endpoint\_public\_access](#input\_eks\_cluster\_endpoint\_public\_access) | Enable or not public access to cluster endpoint | `bool` | `true` | no | +| [eks\_cluster\_version](#input\_eks\_cluster\_version) | Version of the EKS K8S cluster | `string` | `"1.25"` | no | +| [eks\_map\_roles](#input\_eks\_map\_roles) | Additional IAM roles to add to the aws-auth configmap. |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | +| [eks\_workers\_additional\_policies](#input\_eks\_workers\_additional\_policies) | Additional IAM policy attached to EKS worker nodes | `list(any)` |
[
"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
]
| no | +| [eks\_write\_kubeconfig](#input\_eks\_write\_kubeconfig) | Flag for eks module to write kubeconfig | `bool` | `false` | no | +| [environment](#input\_environment) | Env name in case workspace wasn't used | `string` | `"demo"` | no | +| [name](#input\_name) | Project name, required to create unique resource names | `any` | n/a | yes | +| [node\_group\_br](#input\_node\_group\_br) | Bottlerocket node group configuration |
object({
instance_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
capacity_rebalance = bool
use_mixed_instances_policy = bool
mixed_instances_policy = any
})
|
{
"capacity_rebalance": true,
"desired_capacity": 0,
"instance_type": "t3.medium",
"max_capacity": 5,
"min_capacity": 0,
"mixed_instances_policy": {
"instances_distribution": {
"on_demand_base_capacity": 0,
"on_demand_percentage_above_base_capacity": 0
},
"override": [
{
"instance_type": "t3.medium"
},
{
"instance_type": "t3a.medium"
}
]
},
"use_mixed_instances_policy": true
}
| no | +| [node\_group\_ci](#input\_node\_group\_ci) | CI node group configuration |
object({
instance_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
capacity_rebalance = bool
use_mixed_instances_policy = bool
mixed_instances_policy = any
})
|
{
"capacity_rebalance": false,
"desired_capacity": 0,
"instance_type": "t3.medium",
"max_capacity": 5,
"min_capacity": 0,
"mixed_instances_policy": {
"instances_distribution": {
"on_demand_base_capacity": 0,
"on_demand_percentage_above_base_capacity": 0
},
"override": [
{
"instance_type": "t3.medium"
},
{
"instance_type": "t3a.medium"
}
]
},
"use_mixed_instances_policy": true
}
| no | +| [node\_group\_ondemand](#input\_node\_group\_ondemand) | Default ondemand node group configuration |
object({
instance_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
capacity_rebalance = bool
use_mixed_instances_policy = bool
mixed_instances_policy = any
})
|
{
"capacity_rebalance": false,
"desired_capacity": 1,
"instance_type": "t3a.medium",
"max_capacity": 5,
"min_capacity": 1,
"mixed_instances_policy": null,
"use_mixed_instances_policy": false
}
| no | +| [node\_group\_spot](#input\_node\_group\_spot) | Spot node group configuration |
object({
instance_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
capacity_rebalance = bool
use_mixed_instances_policy = bool
mixed_instances_policy = any
})
|
{
"capacity_rebalance": true,
"desired_capacity": 1,
"instance_type": "t3.medium",
"max_capacity": 5,
"min_capacity": 0,
"mixed_instances_policy": {
"instances_distribution": {
"on_demand_base_capacity": 0,
"on_demand_percentage_above_base_capacity": 0
},
"override": [
{
"instance_type": "t3.medium"
},
{
"instance_type": "t3a.medium"
}
]
},
"use_mixed_instances_policy": true
}
| no | +| [pritunl\_vpn\_access\_cidr\_blocks](#input\_pritunl\_vpn\_access\_cidr\_blocks) | IP address that will have access to the web console | `string` | `"127.0.0.1/32"` | no | +| [pritunl\_vpn\_server\_enable](#input\_pritunl\_vpn\_server\_enable) | Indicates whether or not the Pritunl VPN server is deployed. | `bool` | `false` | no | +| [region](#input\_region) | Default infrastructure region | `string` | `"us-east-1"` | no | +| [short\_region](#input\_short\_region) | The abbreviated name of the region, required to form unique resource names | `map` |
{
"ap-east-1": "ape1",
"ap-northeast-1": "apn1",
"ap-northeast-2": "apn2",
"ap-south-1": "aps1",
"ap-southeast-1": "apse1",
"ap-southeast-2": "apse2",
"ca-central-1": "cac1",
"cn-north-1": "cnn1",
"cn-northwest-1": "cnnw1",
"eu-central-1": "euc1",
"eu-north-1": "eun1",
"eu-west-1": "euw1",
"eu-west-2": "euw2",
"eu-west-3": "euw3",
"sa-east-1": "sae1",
"us-east-1": "use1",
"us-east-2": "use2",
"us-gov-east-1": "usge1",
"us-gov-west-1": "usgw1",
"us-west-1": "usw1",
"us-west-2": "usw2"
}
| no | +| [single\_nat\_gateway](#input\_single\_nat\_gateway) | Flag to create single nat gateway for all AZs | `bool` | `true` | no | +| [zone\_id](#input\_zone\_id) | R53 zone id for public domain | `any` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [allowed\_ips](#output\_allowed\_ips) | List of allowed ip's, used for direct ssh access to instances. | +| [az\_count](#output\_az\_count) | Count of avaiablity zones, min 2 | +| [domain\_name](#output\_domain\_name) | Domain name | +| [eks\_cluster\_endpoint](#output\_eks\_cluster\_endpoint) | Endpoint for EKS control plane. | +| [eks\_cluster\_id](#output\_eks\_cluster\_id) | n/a | +| [eks\_cluster\_security\_group\_id](#output\_eks\_cluster\_security\_group\_id) | Security group ids attached to the cluster control plane. | +| [eks\_kubectl\_console\_config](#output\_eks\_kubectl\_console\_config) | description | +| [eks\_oidc\_provider\_arn](#output\_eks\_oidc\_provider\_arn) | ARN of EKS oidc provider | +| [env](#output\_env) | Suffix for the hostname depending on workspace | +| [name](#output\_name) | Project name, required to form unique resource names | +| [name\_wo\_region](#output\_name\_wo\_region) | Project name, required to form unique resource names without short region | +| [region](#output\_region) | Target region for all infrastructure resources | +| [route53\_zone\_id](#output\_route53\_zone\_id) | ID of domain zone | +| [short\_region](#output\_short\_region) | The abbreviated name of the region, required to form unique resource names | +| [ssl\_certificate\_arn](#output\_ssl\_certificate\_arn) | ARN of SSL certificate | +| [vpc\_cidr](#output\_vpc\_cidr) | CIDR block of infra VPC | +| [vpc\_database\_subnets](#output\_vpc\_database\_subnets) | Database subnets of infra VPC | +| [vpc\_id](#output\_vpc\_id) | ID of infra VPC | +| [vpc\_intra\_subnets](#output\_vpc\_intra\_subnets) | Private intra subnets | +| [vpc\_name](#output\_vpc\_name) | Name of infra VPC | 
+| [vpc\_private\_subnets](#output\_vpc\_private\_subnets) | Private subnets of infra VPC | +| [vpc\_public\_subnets](#output\_vpc\_public\_subnets) | Public subnets of infra VPC | diff --git a/terraform/layer1-aws/aws-cloudtrail.tf b/terraform/layer1-aws/aws-cloudtrail.tf index dbaa317d..85390dfc 100644 --- a/terraform/layer1-aws/aws-cloudtrail.tf +++ b/terraform/layer1-aws/aws-cloudtrail.tf @@ -8,6 +8,8 @@ resource "aws_cloudtrail" "main" { is_multi_region_trail = true tags = local.tags + + depends_on = [aws_s3_bucket_policy.cloudtrail] } #tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning tfsec:ignore:aws-cloudtrail-require-bucket-access-logging diff --git a/terraform/layer1-aws/aws-eks.tf b/terraform/layer1-aws/aws-eks.tf index 88609149..a88760cc 100644 --- a/terraform/layer1-aws/aws-eks.tf +++ b/terraform/layer1-aws/aws-eks.tf @@ -3,8 +3,27 @@ locals { "k8s.io/cluster-autoscaler/enabled" = "true" "k8s.io/cluster-autoscaler/${local.name}" = "owned" } - eks_addon_vpc_cni = merge(var.eks_addons.vpc-cni, { service_account_role_arn = module.vpc_cni_irsa.iam_role_arn }) - eks_addons = merge(var.eks_addons, { vpc-cni = local.eks_addon_vpc_cni }) + + eks_addons = merge({ + vpc-cni = { + resolve_conflicts = "OVERWRITE" + addon_version = data.aws_eks_addon_version.vpc_cni.version + service_account_role_arn = module.vpc_cni_irsa.iam_role_arn + }, + aws-ebs-csi-driver = { + resolve_conflicts = "OVERWRITE" + addon_version = data.aws_eks_addon_version.aws_ebs_csi_driver.version + service_account_role_arn = module.aws_ebs_csi_driver.iam_role_arn + }, + coredns = { + resolve_conflicts = "OVERWRITE" + addon_version = data.aws_eks_addon_version.coredns.version + }, + kube-proxy = { + resolve_conflicts = "OVERWRITE" + addon_version = data.aws_eks_addon_version.kube_proxy.version + } + }) eks_map_roles = [ { 
@@ -247,6 +266,23 @@ module "vpc_cni_irsa" { tags = local.tags } +module "aws_ebs_csi_driver" { + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" + version = "4.14.0" + + role_name = "${local.name}-aws-ebs-csi-driver" + attach_ebs_csi_policy = true + + oidc_providers = { + main = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"] + } + } + + tags = local.tags +} + resource "aws_kms_key" "eks" { count = var.eks_cluster_encryption_config_enable ? 1 : 0 description = "EKS Secret Encryption Key" @@ -255,3 +291,23 @@ resource "aws_kms_key" "eks" { resource "kubectl_manifest" "aws_auth_configmap" { yaml_body = local.aws_auth_configmap_yaml } + +data "aws_eks_addon_version" "aws_ebs_csi_driver" { + addon_name = "aws-ebs-csi-driver" + kubernetes_version = var.eks_cluster_version +} + +data "aws_eks_addon_version" "coredns" { + addon_name = "coredns" + kubernetes_version = var.eks_cluster_version +} + +data "aws_eks_addon_version" "kube_proxy" { + addon_name = "kube-proxy" + kubernetes_version = var.eks_cluster_version +} + +data "aws_eks_addon_version" "vpc_cni" { + addon_name = "vpc-cni" + kubernetes_version = var.eks_cluster_version +} diff --git a/terraform/layer1-aws/variables.tf b/terraform/layer1-aws/variables.tf index 00b2374c..994c05c3 100644 --- a/terraform/layer1-aws/variables.tf +++ b/terraform/layer1-aws/variables.tf 
@@ -108,28 +108,10 @@ variable "single_nat_gateway" { # EKS variable "eks_cluster_version" { - default = "1.22" + default = "1.25" description = "Version of the EKS K8S cluster" } -variable "eks_addons" { - default = { - coredns = { - resolve_conflicts = "OVERWRITE" - addon_version = "v1.8.7-eksbuild.1" - } - kube-proxy = { - resolve_conflicts = "OVERWRITE" - addon_version = "v1.22.6-eksbuild.1" - } - vpc-cni = { - resolve_conflicts = "OVERWRITE" - addon_version = "v1.11.0-eksbuild.1" - } - } - description = "A list of installed EKS add-ons" -} - variable "eks_workers_additional_policies" { type = list(any) default = ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"] diff --git a/terraform/layer2-k8s/README.md b/terraform/layer2-k8s/README.md index d788e020..1d831f39 100644 --- a/terraform/layer2-k8s/README.md +++ b/terraform/layer2-k8s/README.md 
@@ -148,3 +148,161 @@ | [victoria\_metrics\_k8s\_stack\_get\_grafana\_admin\_password](#output\_victoria\_metrics\_k8s\_stack\_get\_grafana\_admin\_password) | Command which gets admin password from kubernetes secret | | [victoria\_metrics\_k8s\_stack\_grafana\_admin\_password](#output\_victoria\_metrics\_k8s\_stack\_grafana\_admin\_password) | Grafana admin password | | [victoria\_metrics\_k8s\_stack\_grafana\_domain\_name](#output\_victoria\_metrics\_k8s\_stack\_grafana\_domain\_name) | Grafana dashboards address | + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | 1.1.8 | +| [aws](#requirement\_aws) | 4.10.0 | +| [helm](#requirement\_helm) | 2.5.1 | +| [http](#requirement\_http) | 2.1.0 | +| [kubectl](#requirement\_kubectl) | 1.14.0 | +| [kubernetes](#requirement\_kubernetes) | 2.10.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 4.10.0 | +| [helm](#provider\_helm) | 2.5.1 | +| [http](#provider\_http) | 2.1.0 | +| [kubectl](#provider\_kubectl) | 1.14.0 | +| [kubernetes](#provider\_kubernetes) | 2.10.0 | +| [random](#provider\_random) | n/a | +| [tls](#provider\_tls) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws\_iam\_autoscaler](#module\_aws\_iam\_autoscaler) | ../modules/aws-iam-eks-trusted | n/a | +| [aws\_iam\_aws\_loadbalancer\_controller](#module\_aws\_iam\_aws\_loadbalancer\_controller) | ../modules/aws-iam-eks-trusted | n/a | +| [aws\_iam\_cert\_manager](#module\_aws\_iam\_cert\_manager) | ../modules/aws-iam-eks-trusted | n/a | +| [aws\_iam\_elastic\_stack](#module\_aws\_iam\_elastic\_stack) | ../modules/aws-iam-user-with-policy | n/a | +| [aws\_iam\_external\_dns](#module\_aws\_iam\_external\_dns) | ../modules/aws-iam-eks-trusted | n/a | +| [aws\_iam\_gitlab\_runner](#module\_aws\_iam\_gitlab\_runner) | ../modules/aws-iam-eks-trusted | n/a | +| 
[aws\_iam\_kube\_prometheus\_stack\_grafana](#module\_aws\_iam\_kube\_prometheus\_stack\_grafana) | ../modules/aws-iam-eks-trusted | n/a | +| [aws\_iam\_victoria\_metrics\_k8s\_stack\_grafana](#module\_aws\_iam\_victoria\_metrics\_k8s\_stack\_grafana) | ../modules/aws-iam-eks-trusted | n/a | +| [aws\_load\_balancer\_controller\_namespace](#module\_aws\_load\_balancer\_controller\_namespace) | ../modules/eks-kubernetes-namespace | n/a | +| [aws\_node\_termination\_handler\_namespace](#module\_aws\_node\_termination\_handler\_namespace) | ../modules/eks-kubernetes-namespace | n/a | +| [certmanager\_namespace](#module\_certmanager\_namespace) | ../modules/eks-kubernetes-namespace | n/a | +| [cluster\_autoscaler\_namespace](#module\_cluster\_autoscaler\_namespace) | ../modules/eks-kubernetes-namespace | n/a | +| [elastic\_tls](#module\_elastic\_tls) | ../modules/self-signed-certificate | n/a | +| [elk\_namespace](#module\_elk\_namespace) | ../modules/eks-kubernetes-namespace | n/a | +| [external\_dns\_namespace](#module\_external\_dns\_namespace) | ../modules/eks-kubernetes-namespace | n/a | +| [external\_secrets\_namespace](#module\_external\_secrets\_namespace) | ../modules/eks-kubernetes-namespace | n/a | +| [fargate\_namespace](#module\_fargate\_namespace) | ../modules/eks-kubernetes-namespace | n/a | +| [gitlab\_runner\_namespace](#module\_gitlab\_runner\_namespace) | ../modules/eks-kubernetes-namespace | n/a | +| [ingress\_nginx\_namespace](#module\_ingress\_nginx\_namespace) | ../modules/eks-kubernetes-namespace | n/a | +| [istio\_system\_namespace](#module\_istio\_system\_namespace) | ../modules/eks-kubernetes-namespace | n/a | +| [keda\_namespace](#module\_keda\_namespace) | ../modules/eks-kubernetes-namespace | n/a | +| [kiali\_namespace](#module\_kiali\_namespace) | ../modules/eks-kubernetes-namespace | n/a | +| [kube\_prometheus\_stack\_namespace](#module\_kube\_prometheus\_stack\_namespace) | ../modules/eks-kubernetes-namespace | n/a | +| 
[loki\_namespace](#module\_loki\_namespace) | ../modules/eks-kubernetes-namespace | n/a | +| [reloader\_namespace](#module\_reloader\_namespace) | ../modules/eks-kubernetes-namespace | n/a | +| [tigera\_operator\_namespace](#module\_tigera\_operator\_namespace) | ../modules/eks-kubernetes-namespace | n/a | +| [victoria\_metrics\_k8s\_stack\_namespace](#module\_victoria\_metrics\_k8s\_stack\_namespace) | ../modules/eks-kubernetes-namespace | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_route53_record.default_ingress](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/route53_record) | resource | +| [aws_s3_bucket.elastic_stack](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket.gitlab_runner_cache](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_acl.elastic_stack_acl](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket_acl) | resource | +| [aws_s3_bucket_acl.gitlab_runner_acl](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket_acl) | resource | +| [aws_s3_bucket_lifecycle_configuration.gitlab_runner_lifecycle](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket_lifecycle_configuration) | resource | +| [aws_s3_bucket_public_access_block.elastic_stack_public_access_block](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_public_access_block.gitlab_runner_cache_public_access_block](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.elastic_stack_encryption](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| 
[aws_s3_bucket_server_side_encryption_configuration.gitlab_runner_encryption](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [helm_release.aws_loadbalancer_controller](https://registry.terraform.io/providers/helm/2.5.1/docs/resources/release) | resource | +| [helm_release.aws_node_termination_handler](https://registry.terraform.io/providers/helm/2.5.1/docs/resources/release) | resource | +| [helm_release.cert_manager](https://registry.terraform.io/providers/helm/2.5.1/docs/resources/release) | resource | +| [helm_release.certificate](https://registry.terraform.io/providers/helm/2.5.1/docs/resources/release) | resource | +| [helm_release.cluster_autoscaler](https://registry.terraform.io/providers/helm/2.5.1/docs/resources/release) | resource | +| [helm_release.cluster_issuer](https://registry.terraform.io/providers/helm/2.5.1/docs/resources/release) | resource | +| [helm_release.elk](https://registry.terraform.io/providers/helm/2.5.1/docs/resources/release) | resource | +| [helm_release.external_dns](https://registry.terraform.io/providers/helm/2.5.1/docs/resources/release) | resource | +| [helm_release.external_secrets](https://registry.terraform.io/providers/helm/2.5.1/docs/resources/release) | resource | +| [helm_release.gitlab_runner](https://registry.terraform.io/providers/helm/2.5.1/docs/resources/release) | resource | +| [helm_release.ingress_nginx](https://registry.terraform.io/providers/helm/2.5.1/docs/resources/release) | resource | +| [helm_release.istio_base](https://registry.terraform.io/providers/helm/2.5.1/docs/resources/release) | resource | +| [helm_release.istiod](https://registry.terraform.io/providers/helm/2.5.1/docs/resources/release) | resource | +| [helm_release.kedacore](https://registry.terraform.io/providers/helm/2.5.1/docs/resources/release) | resource | +| [helm_release.kiali](https://registry.terraform.io/providers/helm/2.5.1/docs/resources/release) | 
resource | +| [helm_release.loki_stack](https://registry.terraform.io/providers/helm/2.5.1/docs/resources/release) | resource | +| [helm_release.prometheus_operator](https://registry.terraform.io/providers/helm/2.5.1/docs/resources/release) | resource | +| [helm_release.reloader](https://registry.terraform.io/providers/helm/2.5.1/docs/resources/release) | resource | +| [helm_release.tigera_operator](https://registry.terraform.io/providers/helm/2.5.1/docs/resources/release) | resource | +| [helm_release.victoria_metrics_k8s_stack](https://registry.terraform.io/providers/helm/2.5.1/docs/resources/release) | resource | +| [kubectl_manifest.calico_felix](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource | +| [kubectl_manifest.istio_prometheus_service_monitor_cp](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource | +| [kubectl_manifest.istio_prometheus_service_monitor_dp](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource | +| [kubectl_manifest.kube_prometheus_stack_operator_crds](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource | +| [kubernetes_ingress_v1.default](https://registry.terraform.io/providers/kubernetes/2.10.0/docs/resources/ingress_v1) | resource | +| [kubernetes_secret.elasticsearch_certificates](https://registry.terraform.io/providers/kubernetes/2.10.0/docs/resources/secret) | resource | +| [kubernetes_secret.elasticsearch_credentials](https://registry.terraform.io/providers/kubernetes/2.10.0/docs/resources/secret) | resource | +| [kubernetes_secret.elasticsearch_s3_user_creds](https://registry.terraform.io/providers/kubernetes/2.10.0/docs/resources/secret) | resource | +| [kubernetes_secret.kibana_enc_key](https://registry.terraform.io/providers/kubernetes/2.10.0/docs/resources/secret) | resource | +| 
[kubernetes_storage_class.advanced](https://registry.terraform.io/providers/kubernetes/2.10.0/docs/resources/storage_class) | resource | +| [random_string.elasticsearch_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | +| [random_string.kibana_enc_key](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | +| [random_string.kibana_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | +| [random_string.kube_prometheus_stack_grafana_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | +| [random_string.victoria_metrics_k8s_stack_grafana_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | +| [tls_cert_request.aws_loadbalancer_controller_webhook](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource | +| [tls_locally_signed_cert.aws_loadbalancer_controller_webhook](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/locally_signed_cert) | resource | +| [tls_private_key.aws_loadbalancer_controller_webhook](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource | +| [tls_private_key.aws_loadbalancer_controller_webhook_ca](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource | +| [tls_self_signed_cert.aws_loadbalancer_controller_webhook_ca](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/aws/4.10.0/docs/data-sources/caller_identity) | data source | +| [aws_eks_cluster.main](https://registry.terraform.io/providers/aws/4.10.0/docs/data-sources/eks_cluster) | data source | +| 
[aws_eks_cluster_auth.main](https://registry.terraform.io/providers/aws/4.10.0/docs/data-sources/eks_cluster_auth) | data source | +| [aws_secretsmanager_secret.infra](https://registry.terraform.io/providers/aws/4.10.0/docs/data-sources/secretsmanager_secret) | data source | +| [aws_secretsmanager_secret_version.infra](https://registry.terraform.io/providers/aws/4.10.0/docs/data-sources/secretsmanager_secret_version) | data source | +| [http_http.kube_prometheus_stack_operator_crds](https://registry.terraform.io/providers/hashicorp/http/2.1.0/docs/data-sources/http) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [additional\_allowed\_ips](#input\_additional\_allowed\_ips) | IP addresses allowed to connect to private resources | `list(any)` | `[]` | no | +| [allowed\_account\_ids](#input\_allowed\_account\_ids) | List of allowed AWS account IDs | `list` | `[]` | no | +| [allowed\_ips](#input\_allowed\_ips) | IP addresses allowed to connect to private resources | `list(any)` | `[]` | no | +| [cluster\_autoscaler\_version](#input\_cluster\_autoscaler\_version) | Version of cluster autoscaler | `string` | `"v1.25.0"` | no | +| [domain\_name](#input\_domain\_name) | Main public domain name | `any` | n/a | yes | +| [eks\_cluster\_id](#input\_eks\_cluster\_id) | ID of the created EKS cluster. 
| `any` | n/a | yes | +| [eks\_oidc\_provider\_arn](#input\_eks\_oidc\_provider\_arn) | ARN of EKS oidc provider | `any` | n/a | yes | +| [environment](#input\_environment) | Env name | `string` | `"demo"` | no | +| [helm\_release\_history\_size](#input\_helm\_release\_history\_size) | How much helm releases to store | `number` | `5` | no | +| [name](#input\_name) | Project name, required to create unique resource names | `any` | n/a | yes | +| [nginx\_ingress\_ssl\_terminator](#input\_nginx\_ingress\_ssl\_terminator) | Select SSL termination type | `string` | `"lb"` | no | +| [region](#input\_region) | Default infrastructure region | `string` | `"us-east-1"` | no | +| [short\_region](#input\_short\_region) | The abbreviated name of the region, required to form unique resource names | `map` |
{
"ap-east-1": "ape1",
"ap-northeast-1": "apn1",
"ap-northeast-2": "apn2",
"ap-south-1": "aps1",
"ap-southeast-1": "apse1",
"ap-southeast-2": "apse2",
"ca-central-1": "cac1",
"cn-north-1": "cnn1",
"cn-northwest-1": "cnnw1",
"eu-central-1": "euc1",
"eu-north-1": "eun1",
"eu-west-1": "euw1",
"eu-west-2": "euw2",
"eu-west-3": "euw3",
"sa-east-1": "sae1",
"us-east-1": "use1",
"us-east-2": "use2",
"us-gov-east-1": "usge1",
"us-gov-west-1": "usgw1",
"us-west-1": "usw1",
"us-west-2": "usw2"
}
| no | +| [ssl\_certificate\_arn](#input\_ssl\_certificate\_arn) | ARN of ACM SSL certificate | `any` | n/a | yes | +| [vpc\_cidr](#input\_vpc\_cidr) | Default CIDR block for VPC | `string` | `"10.0.0.0/16"` | no | +| [vpc\_id](#input\_vpc\_id) | ID of infra VPC | `any` | n/a | yes | +| [zone\_id](#input\_zone\_id) | R53 zone id for public domain | `any` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [apm\_domain\_name](#output\_apm\_domain\_name) | APM domain name | +| [elastic\_stack\_bucket\_name](#output\_elastic\_stack\_bucket\_name) | Name of the bucket for ELKS snapshots | +| [elasticsearch\_elastic\_password](#output\_elasticsearch\_elastic\_password) | Password of the superuser 'elastic' | +| [gitlab\_runner\_cache\_bucket\_name](#output\_gitlab\_runner\_cache\_bucket\_name) | Name of the s3 bucket for gitlab-runner cache | +| [kibana\_domain\_name](#output\_kibana\_domain\_name) | Kibana dashboards address | +| [kube\_prometheus\_stack\_alertmanager\_domain\_name](#output\_kube\_prometheus\_stack\_alertmanager\_domain\_name) | Alertmanager ui address | +| [kube\_prometheus\_stack\_get\_grafana\_admin\_password](#output\_kube\_prometheus\_stack\_get\_grafana\_admin\_password) | Command which gets admin password from kubernetes secret | +| [kube\_prometheus\_stack\_grafana\_admin\_password](#output\_kube\_prometheus\_stack\_grafana\_admin\_password) | Grafana admin password | +| [kube\_prometheus\_stack\_grafana\_domain\_name](#output\_kube\_prometheus\_stack\_grafana\_domain\_name) | Grafana dashboards address | +| [kube\_prometheus\_stack\_prometheus\_domain\_name](#output\_kube\_prometheus\_stack\_prometheus\_domain\_name) | Prometheus ui address | +| [victoria\_metrics\_k8s\_stack\_get\_grafana\_admin\_password](#output\_victoria\_metrics\_k8s\_stack\_get\_grafana\_admin\_password) | Command which gets admin password from kubernetes secret | +| 
[victoria\_metrics\_k8s\_stack\_grafana\_admin\_password](#output\_victoria\_metrics\_k8s\_stack\_grafana\_admin\_password) | Grafana admin password | +| [victoria\_metrics\_k8s\_stack\_grafana\_domain\_name](#output\_victoria\_metrics\_k8s\_stack\_grafana\_domain\_name) | Grafana dashboards address | + \ No newline at end of file diff --git a/terraform/layer2-k8s/eks-aws-node-termination-handler.tf b/terraform/layer2-k8s/eks-aws-node-termination-handler.tf index 54e350a7..d7f62101 100644 --- a/terraform/layer2-k8s/eks-aws-node-termination-handler.tf +++ b/terraform/layer2-k8s/eks-aws-node-termination-handler.tf @@ -8,6 +8,10 @@ locals { namespace = local.helm_releases[index(local.helm_releases.*.id, "aws-node-termination-handler")].namespace } aws_node_termination_handler_values = <
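Review bot: the appended block in the `terraform/layer1-aws/README.md` hunk documents the wrong layer and duplicates sections the file already has. The hunk starts a second `## Requirements` immediately after the file's existing Outputs table (`vpc_name`, `vpc_private_subnets`, `vpc_public_subnets`), and everything it lists is layer2-k8s content, not layer1-aws: data sources `aws_eks_cluster.main` / `aws_eks_cluster_auth.main`, `kubernetes_storage_class.advanced`, the `tls_*.aws_loadbalancer_controller_webhook` resources, and required inputs `eks_cluster_id`, `eks_oidc_provider_arn`, `vpc_id` and `ssl_certificate_arn`, which are values layer1 produces rather than consumes. This looks like `terraform-docs` run from the layer2 directory with its output appended to the layer1 file; drop the appended block here and regenerate the layer2 README in place instead (and restore the trailing newline, per the `\ No newline at end of file` marker). Two smaller points once the tables land in the right file: the outputs `elasticsearch_elastic_password`, `kube_prometheus_stack_grafana_admin_password` and `victoria_metrics_k8s_stack_grafana_admin_password` expose credentials, and they are generated by `random_string.*` resources whose `result` is not flagged sensitive, so the values appear in plain text in `terraform plan`/`apply` output and CI logs; switching those resources to `random_password` and marking the outputs `sensitive = true` keeps them out of logs (state still holds them either way, so state encryption and access control remain the real boundary). Also, `http_http.kube_prometheus_stack_operator_crds` means CRD manifests are fetched from a URL at plan time; the README should say which URL is pulled and whether it is pinned to a version or checksum, since an unpinned fetch applies whatever the remote serves.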