[
  {
    "path": ".github/CONTRIBUTING.md",
    "content": "# Contributing\n\nWhen contributing to this repository, please first discuss the change you wish to make via issue,\nemail, or any other method with the owners of this repository before making a change.\n\nPlease note we have a code of conduct; please follow it in all your interactions with the project.\n\n## Pull Request Process\n\n1. Ensure any install or build dependencies are removed before the end of the layer when doing a build.\n2. Update the README.md with details of changes to the interface; this includes new environment variables, exposed ports, useful file locations, and container parameters.\n3. Once all outstanding comments and checklist items have been addressed, your contribution will be merged! Merged PRs will trigger a new release.\n\n## Checklists for contributions\n\n- [ ] Add a [semantic prefix](#semantic-pull-requests) to your PR or commits (at least one of your commit groups)\n- [ ] CI tests are passing\n- [ ] README.md has been updated after any changes to variables and outputs. See https://github.com/terraform-aws-modules/terraform-aws-eks/#doc-generation\n\n## Semantic Pull Requests\n\nTo generate the changelog, Pull Requests or commits must carry a semantic prefix and must follow the conventional specs below:\n\n- `feat:` for new features\n- `fix:` for bug fixes\n- `improvement:` for enhancements\n- `docs:` for documentation and examples\n- `refactor:` for code refactoring\n- `test:` for tests\n- `ci:` for CI purposes\n- `chore:` for chores\n\nThe `chore` prefix is skipped during changelog generation. It can be used, for example, for a `chore: update changelog` commit message.\n"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/bug_report.md",
    "content": "---\nname: Bug report\nabout: Create a report to help us improve\ntitle: \"[bug]\"\nlabels: bug\nassignees: ArchiFleKs\n\n---\n\n## Describe the bug\n\nA clear and concise description of what the bug is.\n\n## What is the current behavior?\n\n\n## How to reproduce? Please include a code sample if relevant.\n\n\n## What's the expected behavior?\n\n\n## Are you able to fix this problem and submit a PR? Link here if you have already.\n\n\n## Environment details\n\n* Affected module version:\n* OS:\n* Terraform version:\n* Kubernetes version:\n\n## Any other relevant info\n"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/feature_request.md",
    "content": "---\nname: Feature request\nabout: Suggest an idea for this project\ntitle: \"[enhancement]\"\nlabels: enhancement\nassignees: ArchiFleKs\n\n---\n\n**Is your feature request related to a problem? Please describe.**\nA clear and concise description of what the problem is. Ex. I'm always frustrated when [...]\n\n**Describe the solution you'd like**\nA clear and concise description of what you want to happen.\n\n**Describe alternatives you've considered**\nA clear and concise description of any alternative solutions or features you've considered.\n\n**Additional context**\nAdd any other context or screenshots about the feature request here.\n"
  },
  {
    "path": ".github/PULL_REQUEST_TEMPLATE.md",
    "content": "# Pull request title\n\n## Description\n\nPlease explain the changes you made here and link to any relevant issues.\n\n### Checklist\n\n- [ ] CI tests are passing\n- [ ] README.md has been updated after any changes to variables and outputs. See https://github.com/particuleio/terraform-kubernetes-addons/#doc-generation\n"
  },
  {
    "path": ".github/renovate.json",
    "content": "{\n  \"extends\": [\n    \":separateMajorReleases\",\n    \":ignoreUnstable\",\n    \":prImmediately\",\n    \":updateNotScheduled\",\n    \":disableRateLimiting\",\n    \":ignoreModulesAndTests\",\n    \":gitSignOff\",\n    \"group:monorepos\",\n    \"group:recommended\",\n    \"helpers:disableTypesNodeMajor\",\n    \"workarounds:all\",\n    \":automergeDigest\",\n    \":automergeMinor\",\n    \":dependencyDashboard\"\n  ],\n  \"baseBranchPatterns\": [\n    \"main\"\n  ],\n  \"enabledManagers\": [\n    \"helmv3\",\n    \"github-actions\",\n    \"pre-commit\",\n    \"terraform\"\n  ],\n  \"semanticCommits\": \"enabled\",\n  \"platformAutomerge\": false,\n  \"helmv3\": {\n    \"enabled\": true,\n    \"managerFilePatterns\": [\n      \"/(^|/)helm-dependencies.yaml$/\"\n    ]\n  },\n  \"commitMessageExtra\": \"to {{newVersion}} (was {{currentVersion}})\",\n  \"prHourlyLimit\": 0,\n  \"packageRules\": [\n    {\n      \"matchManagers\": [\n        \"github-actions\"\n      ],\n      \"semanticCommitScope\": \"ci\",\n      \"semanticCommitType\": \"chore\"\n    },\n    {\n      \"matchManagers\": [\n        \"pre-commit\"\n      ],\n      \"semanticCommitScope\": \"ci\",\n      \"semanticCommitType\": \"chore\"\n    },\n    {\n      \"matchManagers\": [\n        \"helmv3\"\n      ],\n      \"semanticCommitScope\": \"charts\",\n      \"semanticCommitType\": \"fix\",\n      \"matchUpdateTypes\": [\n        \"patch\",\n        \"digest\"\n      ]\n    },\n    {\n      \"matchManagers\": [\n        \"helmv3\"\n      ],\n      \"semanticCommitScope\": \"charts\",\n      \"semanticCommitType\": \"feat\",\n      \"matchUpdateTypes\": [\n        \"major\",\n        \"minor\"\n      ]\n    },\n    {\n      \"matchManagers\": [\n        \"helmv3\",\n        \"github-actions\",\n        \"pre-commit\"\n      ],\n      \"matchUpdateTypes\": [\n        \"minor\",\n        \"patch\",\n        \"digest\"\n      ],\n      \"addLabels\": [\n        \"automerge\"\n      
]\n    },\n    {\n      \"matchManagers\": [\n        \"terraform\"\n      ],\n      \"semanticCommitScope\": \"tf\",\n      \"semanticCommitType\": \"feat\",\n      \"automerge\": false\n    }\n  ]\n}\n"
  },
  {
    "path": ".github/workflows/pr-title.yml",
    "content": "name: 'Validate PR title'\n\non:\n  pull_request_target:\n    types:\n      - opened\n      - edited\n      - synchronize\n\njobs:\n  main:\n    name: Validate PR title\n    runs-on: ubuntu-latest\n    steps:\n      # Please look up the latest version from\n      # https://github.com/amannn/action-semantic-pull-request/releases\n      - uses: amannn/action-semantic-pull-request@v6.1.1\n        env:\n          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n        with:\n          # Configure which types are allowed.\n          # Default: https://github.com/commitizen/conventional-commit-types\n          types: |\n            fix\n            feat\n            docs\n            ci\n            chore\n          # Configure that a scope must always be provided.\n          requireScope: false\n          # Configure additional validation for the subject based on a regex.\n          # This example ensures the subject starts with an uppercase character.\n          # subjectPattern: ^[A-Z].+$\n          # If `subjectPattern` is configured, you can use this property to override\n          # the default error message that is shown when the pattern doesn't match.\n          # The variables `subject` and `title` can be used within the message.\n          # subjectPatternError: |\n          #   The subject \"{subject}\" found in the pull request title \"{title}\"\n          #   didn't match the configured pattern. Please ensure that the subject\n          #   starts with an uppercase character.\n          # For work-in-progress PRs you can typically use draft pull requests\n          # from Github. However, private repositories on the free plan don't have\n          # this option and therefore this action allows you to opt-in to using the\n          # special \"[WIP]\" prefix to indicate this state. 
This will avoid the\n          # validation of the PR title and the pull request checks remain pending.\n          # Note that a second check will be reported if this is enabled.\n          wip: true\n          # When using \"Squash and merge\" on a PR with only one commit, GitHub\n          # will suggest using that commit message instead of the PR title for the\n          # merge commit, and it's easy to commit this by mistake. Enable this option\n          # to also validate the commit message for one commit PRs.\n          validateSingleCommit: false\n"
  },
  {
    "path": ".github/workflows/pre-commit.yml",
    "content": "name: Pre-Commit\n\non:\n  pull_request:\n    branches:\n      - main\n      - master\n  workflow_dispatch:\n\nenv:\n  TERRAFORM_DOCS_VERSION: v0.21.0\n  TFLINT_VERSION: v0.61.0\n\njobs:\n  collectInputs:\n    name: Collect workflow inputs\n    runs-on: ubuntu-latest\n    outputs:\n      directories: ${{ steps.dirs.outputs.directories }}\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v6\n\n      - name: Get root directories\n        id: dirs\n        uses: clowdhaus/terraform-composite-actions/directories@v1.14.0\n\n  preCommitMinVersions:\n    name: Min TF pre-commit\n    needs: collectInputs\n    runs-on: ubuntu-latest\n    strategy:\n      matrix:\n        directory: ${{ fromJson(needs.collectInputs.outputs.directories) }}\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v6\n\n      - name: Terraform min/max versions\n        id: minMax\n        uses: clowdhaus/terraform-min-max@v3.0.1\n        with:\n          directory: ${{ matrix.directory }}\n\n      - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}\n        # Run only validate pre-commit check on min version supported\n        if: ${{ matrix.directory !=  '.' }}\n        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0\n        with:\n          terraform-version: ${{ steps.minMax.outputs.minVersion }}\n          terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }}\n          tflint-version: ${{ env.TFLINT_VERSION }}\n          args: \"terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*\"\n\n      - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}\n        # Run only validate pre-commit check on min version supported\n        if: ${{ matrix.directory ==  '.' 
}}\n        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0\n        with:\n          terraform-version: ${{ steps.minMax.outputs.minVersion }}\n          terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }}\n          tflint-version: ${{ env.TFLINT_VERSION }}\n          args: \"terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)\"\n\n  preCommitMaxVersion:\n    name: Max TF pre-commit\n    runs-on: ubuntu-latest\n    needs: collectInputs\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v6\n        with:\n          ref: ${{ github.event.pull_request.head.ref }}\n          repository: ${{github.event.pull_request.head.repo.full_name}}\n\n      - name: Terraform min/max versions\n        id: minMax\n        uses: clowdhaus/terraform-min-max@v3.0.1\n\n      - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}\n        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0\n        with:\n          terraform-version: ${{ steps.minMax.outputs.maxVersion }}\n          terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }}\n          tflint-version: ${{ env.TFLINT_VERSION }}\n"
  },
  {
    "path": ".github/workflows/release.yml",
    "content": "name: Release\n\non:\n  push:\n    branches:\n    - release\n\njobs:\n  terraform-release:\n    if: github.ref == 'refs/heads/release'\n    name: 'terraform:release'\n    runs-on: ubuntu-latest\n    steps:\n    - name: Checkout\n      uses: actions/checkout@v6\n\n    - name: Semantic Release\n      uses: cycjimmy/semantic-release-action@v3\n      with:\n        branches: |\n          [\n            'release'\n          ]\n      env:\n        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n"
  },
  {
    "path": ".github/workflows/stale-actions.yaml",
    "content": "name: 'Mark or close stale issues and PRs'\non:\n  schedule:\n    - cron: '0 0 * * *'\n\njobs:\n  stale:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/stale@v10\n        with:\n          repo-token: ${{ secrets.GITHUB_TOKEN }}\n          # Marking issues and PRs as stale\n          days-before-stale: 30\n          stale-issue-label: stale\n          stale-pr-label: stale\n          stale-issue-message: |\n            This issue has been automatically marked as stale because it has been open 30 days\n            with no activity. Remove the stale label or comment, or this issue will be closed in 10 days\n          stale-pr-message: |\n            This PR has been automatically marked as stale because it has been open 30 days\n            with no activity. Remove the stale label or comment, or this PR will be closed in 10 days\n          # Not marked stale if they carry one of these labels or belong to a milestone\n          exempt-issue-labels: bug,wip,on-hold\n          exempt-pr-labels: bug,wip,on-hold\n          exempt-all-milestones: true\n          # Close operations\n          # The label will be automatically removed if the issues are no longer closed nor locked.\n          days-before-close: 10\n          delete-branch: true\n          close-issue-message: This issue was automatically closed because it had been stale for 10 days\n          close-pr-message: This PR was automatically closed because it had been stale for 10 days\n"
  },
  {
    "path": ".gitignore",
    "content": ".terragrunt-cache\n.terraform\n.terraform.lock.hcl\n.idea\n.sisyphus\n"
  },
  {
    "path": ".mergify.yml",
    "content": "pull_request_rules:\n  - name: Automatic approve Renovate PRs (patch/minor)\n    conditions:\n      - author=renovate[bot]\n      - label=automerge\n    actions:\n      review:\n        type: APPROVE\n\n  - name: Automatic merge Renovate PRs (patch/minor)\n    conditions:\n      - author=renovate[bot]\n      - base=main\n      - label=automerge\n      - \"#approved-reviews-by>=1\"\n      - check-success=Max TF pre-commit\n      - check-success=Validate PR title\n    actions:\n      merge:\n        method: squash\n\n  - name: Automatic merge on approval\n    conditions:\n      - base=main\n      - \"#approved-reviews-by>=1\"\n    actions:\n      merge:\n        method: squash\n\n  - name: Automatic merge on approval release\n    conditions:\n      - base=release\n      - \"#approved-reviews-by>=1\"\n    actions:\n      merge:\n        method: merge\n"
  },
  {
    "path": ".pre-commit-config.yaml",
    "content": "repos:\n- repo: https://github.com/antonbabenko/pre-commit-terraform\n  rev: v1.105.0\n  hooks:\n    - id: terraform_fmt\n    - id: terraform_validate\n      args:\n        - --hook-config=--retry-once-with-cleanup=true\n        - --tf-init-args=-upgrade\n    - id: terraform_docs\n- repo: https://github.com/pre-commit/pre-commit-hooks\n  rev: v6.0.0\n  hooks:\n    - id: check-merge-conflict\n    - id: end-of-file-fixer\n- repo: https://github.com/renovatebot/pre-commit-hooks\n  rev: 43.110.9\n  hooks:\n    - id: renovate-config-validator\n"
  },
  {
    "path": ".python-version",
    "content": "3.x\n"
  },
  {
    "path": ".releaserc.json",
    "content": "{\n  \"plugins\": [\n    \"@semantic-release/commit-analyzer\",\n    \"@semantic-release/release-notes-generator\",\n    \"@semantic-release/github\"\n  ]\n}\n"
  },
  {
    "path": ".terraform-docs.yml",
    "content": "settings:\n  lockfile: false\n"
  },
  {
    "path": "CODEOWNERS",
    "content": "# This is a comment.\n# Each line is a file pattern followed by one or more owners.\n\n# These owners will be the default owners for everything in\n# the repo. Unless a later match takes precedence,\n# @global-owner1 and @global-owner2 will be requested for\n# review when someone opens a pull request.\n*       @particuleio/team\n"
  },
  {
    "path": "LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "README.md",
    "content": "# terraform-kubernetes-addons\n\n[![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/terraform-kubernetes-addons)\n[![terraform-kubernetes-addons](https://github.com/particuleio/terraform-kubernetes-addons/workflows/terraform-kubernetes-addons/badge.svg)](https://github.com/particuleio/terraform-kubernetes-addons/actions?query=workflow%3Aterraform-kubernetes-addons)\n\n## Main components\n\n| Name                                                                                                                          | Description                                                                                      | Generic             | AWS                 | Scaleway            | GCP                 | Azure               |\n|------|-------------|:-------:|:---:|:--------:|:---:|:-----:|\n| [admiralty](https://admiralty.io/)                                                                                            | A system of Kubernetes controllers that intelligently schedules workloads across clusters        | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  |\n| [aws-ebs-csi-driver](https://github.com/kubernetes-sigs/aws-ebs-csi-driver)                                                   | Enable new feature and the use of `gp3` volumes                                                  | N/A                 | :heavy_check_mark:  | N/A                 | N/A                 | N/A                 |\n| [aws-efs-csi-driver](https://github.com/kubernetes-sigs/aws-efs-csi-driver)                                                   | Enable EFS Support                                                                               | N/A                 | :heavy_check_mark:  | N/A                 | N/A                 | N/A                 |\n| [aws-for-fluent-bit](https://github.com/aws/aws-for-fluent-bit)    
                                                            | CloudWatch logging with fluent bit instead of fluentd                                            | N/A                 | :heavy_check_mark:  | N/A                 | N/A                 | N/A                 |\n| [aws-load-balancer-controller](https://aws.amazon.com/about-aws/whats-new/2020/10/introducing-aws-load-balancer-controller/)  | Use AWS ALB/NLB for ingress and services                                                         | N/A                 | :heavy_check_mark:  | N/A                 | N/A                 | N/A                 |\n| [aws-node-termination-handler](https://github.com/aws/aws-node-termination-handler)                                           | Manage spot instance lifecycle                                                                   | N/A                 | :heavy_check_mark:  | N/A                 | N/A                 | N/A                 |\n| [aws-calico](https://github.com/aws/eks-charts/tree/master/stable/aws-calico)                                                 | Use calico for network policy                                                                    | N/A                 | :heavy_check_mark:  | N/A                 | N/A                 | N/A                 |\n| [secrets-store-csi-driver-provider-aws](https://github.com/aws/secrets-store-csi-driver-provider-aws) | AWS Secrets Manager and Parameter Store provider for the secrets store CSI driver | :heavy_check_mark:  | N/A  | N/A  | N/A  | N/A  |\n| [cert-manager](https://github.com/jetstack/cert-manager)                                                                      | Automatically generate TLS certificates, supports ACME v2                                        | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | N/A                 |\n| [cluster-autoscaler](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler)                                 | scale 
worker nodes based on workload                                                             | N/A                 | :heavy_check_mark:  | Included            | Included            | Included            |\n| [cni-metrics-helper](https://docs.aws.amazon.com/eks/latest/userguide/cni-metrics-helper.html)                                | Provides cloudwatch metrics for VPC CNI plugins                                                  | N/A                 | :heavy_check_mark:  | N/A                 | N/A                 | N/A                 |\n| [external-dns](https://github.com/kubernetes-incubator/external-dns)                                                          | sync ingress and service records in route53                                                      | :x:                 | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :x:                 |\n| [flux2](https://github.com/fluxcd/flux2)                                                                                      | Open and extensible continuous delivery solution for Kubernetes. 
Powered by GitOps Toolkit       | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  |\n| [ingress-nginx](https://github.com/kubernetes/ingress-nginx)                                                                  | processes `Ingress` objects and acts as an HTTP/HTTPS proxy (compatible with cert-manager)       | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :x:                 |\n| [k8gb](https://www.k8gb.io/)                                                                                                  | A cloud native Kubernetes Global Balancer                                                        | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  |\n| [karma](https://github.com/prymitive/karma)                                                                                   | An Alertmanager dashboard                                                                        | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  |\n| [keda](https://github.com/kedacore/keda)                                                                                      | Kubernetes Event-driven Autoscaling                                                              | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  |\n| [kong](https://konghq.com/kong)                                                                                               | API Gateway ingress controller                                                                   | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :x:                 | :x:                 |\n| [kube-prometheus-stack](https://github.com/prometheus-operator/kube-prometheus)                                               | Monitoring / Alerting / 
Dashboards                                                               | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :x:                 | :x:                 |\n| [loki-stack](https://grafana.com/oss/loki/)                                                                                   | Grafana Loki logging stack                                                                       | :heavy_check_mark:  | :heavy_check_mark:  | :construction:      | :x:                 | :x:                 |\n| [promtail](https://grafana.com/docs/loki/latest/clients/promtail/)                                                            | Ship logs to Loki from another cluster (e.g. over mTLS)                                          | :construction:      | :heavy_check_mark:  | :construction:      | :x:                 | :x:                 |\n| [prometheus-adapter](https://github.com/kubernetes-sigs/prometheus-adapter)                                                   | Prometheus metrics for use with the autoscaling/v2 Horizontal Pod Autoscaler in Kubernetes 1.6+  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  |\n| [prometheus-cloudwatch-exporter](https://github.com/prometheus/cloudwatch_exporter)                                           | An exporter for Amazon CloudWatch, for Prometheus.                                               | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  |\n| [prometheus-blackbox-exporter](https://github.com/prometheus/blackbox_exporter)                                               | The blackbox exporter allows blackbox probing of endpoints over HTTP, HTTPS, DNS, TCP and ICMP.  
| :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  |\n| [rabbitmq-cluster-operator](https://github.com/rabbitmq/cluster-operator)                                                     | The RabbitMQ Cluster Operator automates provisioning and management of RabbitMQ clusters.        | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  |\n| [metrics-server](https://github.com/kubernetes-sigs/metrics-server)                                                           | enables the metrics API and horizontal pod autoscaling (HPA)                                     | :heavy_check_mark:  | :heavy_check_mark:  | Included            | Included            | Included            |\n| [node-problem-detector](https://github.com/kubernetes/node-problem-detector)                                                  | Forwards node problems to Kubernetes events                                                      | :heavy_check_mark:  | :heavy_check_mark:  | Included            | Included            | Included            |\n| [secrets-store-csi-driver](https://github.com/kubernetes-sigs/secrets-store-csi-driver) | Secrets Store CSI driver for Kubernetes secrets - integrates external secrets stores with Kubernetes via a CSI volume. 
| :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  |\n| [sealed-secrets](https://github.com/bitnami-labs/sealed-secrets)                                                              | Technology agnostic, store encrypted secrets in git                                              | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  | :heavy_check_mark:  |\n| [thanos](https://thanos.io/)                                                                                                  | Open source, highly available Prometheus setup with long term storage capabilities               | :x:                 | :heavy_check_mark:  | :construction:      | :x:                 | :x:                 |\n| [thanos-memcached](https://thanos.io/tip/components/query-frontend.md/#memcached)                                             | Memcached cache for the Thanos query frontend                                                    | :x:                 | :heavy_check_mark:  | :construction:      | :x:                 | :x:                 |\n| [thanos-storegateway](https://thanos.io/)                                                                                     | Additional storegateway to query multiple object stores                                          | :x:                 | :heavy_check_mark:  | :construction:      | :x:                 | :x:                 |\n| [thanos-tls-querier](https://thanos.io/tip/operating/cross-cluster-tls-communication.md/)                                     | Thanos TLS querier for cross-cluster collection                                                  | :x:                 | :heavy_check_mark:  | :construction:      | :x:                 | :x:                 |\n\n## Submodules\n\nSubmodules are used for cloud-provider-specific configuration such as IAM roles for\nAWS. 
For a vanilla Kubernetes cluster, use the generic addons.\n\nAny contribution supporting a new cloud provider is welcome.\n\n* [AWS](./modules/aws)\n* [Scaleway](./modules/scaleway)\n* [GCP](./modules/google)\n* [Azure](./modules/azure)\n\n## Doc generation\n\nCode formatting and documentation for variables and outputs are generated using\n[pre-commit-terraform\nhooks](https://github.com/antonbabenko/pre-commit-terraform), which use\n[terraform-docs](https://github.com/terraform-docs/terraform-docs).\n\nFollow [these\ninstructions](https://github.com/antonbabenko/pre-commit-terraform#how-to-install)\nto install pre-commit locally.\n\nThen install `terraform-docs` with `go install github.com/terraform-docs/terraform-docs@latest`\nor `brew install terraform-docs`.\n\n## Contributing\n\nReport issues, questions and feature requests in the\n[issues](https://github.com/particuleio/terraform-kubernetes-addons/issues/new)\nsection.\n\nFull contributing [guidelines are covered\nhere](https://github.com/particuleio/terraform-kubernetes-addons/blob/master/.github/CONTRIBUTING.md).\n\n<!-- BEGIN_TF_DOCS -->\n## Requirements\n\n| Name | Version |\n| ---- | ------- |\n| <a name=\"requirement_terraform\"></a> [terraform](#requirement\\_terraform) | >= 1.5.7 |\n| <a name=\"requirement_flux\"></a> [flux](#requirement\\_flux) | ~> 1.0 |\n| <a name=\"requirement_github\"></a> [github](#requirement\\_github) | ~> 6.0 |\n| <a name=\"requirement_helm\"></a> [helm](#requirement\\_helm) | ~> 3.0 |\n| <a name=\"requirement_http\"></a> [http](#requirement\\_http) | >= 3 |\n| <a name=\"requirement_kubectl\"></a> [kubectl](#requirement\\_kubectl) | ~> 2.0 |\n| <a name=\"requirement_kubernetes\"></a> [kubernetes](#requirement\\_kubernetes) | ~> 2.0, != 2.12 |\n| <a name=\"requirement_tls\"></a> [tls](#requirement\\_tls) | ~> 4.0 |\n\n## Providers\n\n| Name | Version |\n| ---- | ------- |\n| <a name=\"provider_flux\"></a> [flux](#provider\\_flux) | ~> 1.0 |\n| <a name=\"provider_github\"></a> 
[github](#provider\\_github) | ~> 6.0 |\n| <a name=\"provider_helm\"></a> [helm](#provider\\_helm) | ~> 3.0 |\n| <a name=\"provider_http\"></a> [http](#provider\\_http) | >= 3 |\n| <a name=\"provider_kubectl\"></a> [kubectl](#provider\\_kubectl) | ~> 2.0 |\n| <a name=\"provider_kubernetes\"></a> [kubernetes](#provider\\_kubernetes) | ~> 2.0, != 2.12 |\n| <a name=\"provider_random\"></a> [random](#provider\\_random) | n/a |\n| <a name=\"provider_time\"></a> [time](#provider\\_time) | n/a |\n| <a name=\"provider_tls\"></a> [tls](#provider\\_tls) | ~> 4.0 |\n\n## Modules\n\nNo modules.\n\n## Resources\n\n| Name | Type |\n| ---- | ---- |\n| [flux_bootstrap_git.flux](https://registry.terraform.io/providers/fluxcd/flux/latest/docs/resources/bootstrap_git) | resource |\n| [github_branch_default.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_default) | resource |\n| [github_repository.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository) | resource |\n| [github_repository_deploy_key.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_deploy_key) | resource |\n| [helm_release.admiralty](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.cert-manager](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.cert-manager-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.grafana-mcp](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.ingress-nginx](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.k8gb](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| 
[helm_release.karma](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.keda](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.kong](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.linkerd-control-plane](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.linkerd-crds](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.linkerd-viz](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.loki-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.metrics-server](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.node-problem-detector](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.prometheus-blackbox-exporter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.promtail](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.reloader](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| 
[helm_release.sealed-secrets](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.secrets-store-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.tigera-operator](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.traefik](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.victoria-metrics-k8s-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [kubectl_manifest.calico_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.cert-manager_cluster_issuers](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.csi-external-snapshotter](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.kong_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.linkerd](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.linkerd-viz](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.prometheus-operator_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.tigera-operator_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubernetes_config_map.loki-stack_grafana_ds](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |\n| 
[kubernetes_namespace.admiralty](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.cert-manager](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.flux2](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.grafana-mcp](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.ingress-nginx](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.k8gb](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.karma](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.keda](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.kong](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.linkerd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.linkerd-viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.loki-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource 
|\n| [kubernetes_namespace.metrics-server](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.node-problem-detector](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.prometheus-blackbox-exporter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.promtail](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.reloader](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.sealed-secrets](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.secrets-store-csi-driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.tigera-operator](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.traefik](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.victoria-metrics-k8s-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_network_policy.admiralty_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.admiralty_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.cert-manager_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.cert-manager_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.cert-manager_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.cert-manager_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.flux2_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.flux2_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.grafana-mcp_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.grafana-mcp_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.ingress-nginx_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.ingress-nginx_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.ingress-nginx_allow_linkerd_viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.ingress-nginx_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.ingress-nginx_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.ingress-nginx_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.k8gb_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.k8gb_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.karma_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.karma_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.karma_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.keda_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.keda_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kong_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kong_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.kong_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kong_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kube-prometheus-stack_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kube-prometheus-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kube-prometheus-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kube-prometheus-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.linkerd-viz_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.linkerd-viz_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.linkerd-viz_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.linkerd-viz_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.linkerd2-cni_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.linkerd2-cni_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.loki-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.loki-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.loki-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.metrics-server_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.metrics-server_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.metrics-server_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.npd_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.npd_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.prometheus-adapter_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.prometheus-adapter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.prometheus-blackbox-exporter_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.prometheus-blackbox-exporter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.promtail_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.promtail_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.promtail_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.reloader_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.reloader_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.sealed-secrets_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.sealed-secrets_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.secrets-store-csi-driver_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.secrets-store-csi-driver_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.tigera-operator_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.tigera-operator_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.traefik_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.traefik_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.traefik_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.traefik_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.victoria-metrics-k8s-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_priority_class.kubernetes_addons](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/priority_class) | resource |\n| 
[kubernetes_priority_class.kubernetes_addons_ds](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/priority_class) | resource |\n| [kubernetes_secret.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |\n| [kubernetes_secret.loki-stack-ca](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |\n| [kubernetes_secret.promtail-tls](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |\n| [kubernetes_secret.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |\n| [random_string.grafana_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |\n| [time_sleep.cert-manager_sleep](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |\n| [tls_cert_request.promtail-csr](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource |\n| [tls_locally_signed_cert.promtail-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/locally_signed_cert) | resource |\n| [tls_private_key.identity](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_private_key.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_private_key.loki-stack-ca-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_private_key.promtail-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_private_key.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| 
[tls_self_signed_cert.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |\n| [tls_self_signed_cert.loki-stack-ca-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |\n| [tls_self_signed_cert.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |\n| [github_repository.main](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/repository) | data source |\n| [http_http.calico_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |\n| [http_http.csi-external-snapshotter](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |\n| [http_http.kong_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |\n| [http_http.prometheus-operator_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |\n| [http_http.prometheus-operator_version](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |\n| [http_http.tigera-operator_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |\n| [kubectl_file_documents.calico_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |\n| [kubectl_file_documents.csi-external-snapshotter](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |\n| [kubectl_file_documents.kong_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |\n| 
[kubectl_file_documents.tigera-operator_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |\n| [kubectl_path_documents.cert-manager_cluster_issuers](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/path_documents) | data source |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n| ---- | ----------- | ---- | ------- | :------: |\n| <a name=\"input_admiralty\"></a> [admiralty](#input\\_admiralty) | Customize admiralty chart, see `admiralty.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_cert-manager\"></a> [cert-manager](#input\\_cert-manager) | Customize cert-manager chart, see `cert-manager.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_cert-manager-csi-driver\"></a> [cert-manager-csi-driver](#input\\_cert-manager-csi-driver) | Customize cert-manager-csi-driver chart, see `cert-manager.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_cluster-autoscaler\"></a> [cluster-autoscaler](#input\\_cluster-autoscaler) | Customize cluster-autoscaler chart, see `cluster-autoscaler.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_cluster-name\"></a> [cluster-name](#input\\_cluster-name) | Name of the Kubernetes cluster | `string` | `\"sample-cluster\"` | no |\n| <a name=\"input_csi-external-snapshotter\"></a> [csi-external-snapshotter](#input\\_csi-external-snapshotter) | Customize csi-external-snapshotter, see `csi-external-snapshotter.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_external-dns\"></a> [external-dns](#input\\_external-dns) | Map of map for external-dns configuration: see `external_dns.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_flux2\"></a> [flux2](#input\\_flux2) | Customize Flux chart, see `flux2.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_grafana-mcp\"></a> [grafana-mcp](#input\\_grafana-mcp) | Customize 
grafana-mcp chart, see `grafana-mcp.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_helm_defaults\"></a> [helm\\_defaults](#input\\_helm\\_defaults) | Customize default Helm behavior | `any` | `{}` | no |\n| <a name=\"input_ingress-nginx\"></a> [ingress-nginx](#input\\_ingress-nginx) | Customize ingress-nginx chart, see `nginx-ingress.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_ip-masq-agent\"></a> [ip-masq-agent](#input\\_ip-masq-agent) | Configure ip masq agent chart, see `ip-masq-agent.tf` for supported values. This addon works only on GCP. | `any` | `{}` | no |\n| <a name=\"input_k8gb\"></a> [k8gb](#input\\_k8gb) | Customize k8gb chart, see `k8gb.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_karma\"></a> [karma](#input\\_karma) | Customize karma chart, see `karma.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_keda\"></a> [keda](#input\\_keda) | Customize keda chart, see `keda.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_kong\"></a> [kong](#input\\_kong) | Customize kong-ingress chart, see `kong.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_kube-prometheus-stack\"></a> [kube-prometheus-stack](#input\\_kube-prometheus-stack) | Customize kube-prometheus-stack chart, see `kube-prometheus-stack.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_labels_prefix\"></a> [labels\\_prefix](#input\\_labels\\_prefix) | Custom label prefix used for network policy namespace matching | `string` | `\"particule.io\"` | no |\n| <a name=\"input_linkerd\"></a> [linkerd](#input\\_linkerd) | Customize linkerd chart, see `linkerd.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_linkerd-viz\"></a> [linkerd-viz](#input\\_linkerd-viz) | Customize linkerd-viz chart, see `linkerd-viz.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_linkerd2\"></a> [linkerd2](#input\\_linkerd2) | Customize linkerd2 chart, see `linkerd2.tf` 
for supported values | `any` | `{}` | no |\n| <a name=\"input_linkerd2-cni\"></a> [linkerd2-cni](#input\\_linkerd2-cni) | Customize linkerd2-cni chart, see `linkerd2-cni.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_loki-stack\"></a> [loki-stack](#input\\_loki-stack) | Customize loki-stack chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_metrics-server\"></a> [metrics-server](#input\\_metrics-server) | Customize metrics-server chart, see `metrics_server.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_npd\"></a> [npd](#input\\_npd) | Customize node-problem-detector chart, see `npd.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_priority-class\"></a> [priority-class](#input\\_priority-class) | Customize a priority class for addons | `any` | `{}` | no |\n| <a name=\"input_priority-class-ds\"></a> [priority-class-ds](#input\\_priority-class-ds) | Customize a priority class for addons daemonsets | `any` | `{}` | no |\n| <a name=\"input_prometheus-adapter\"></a> [prometheus-adapter](#input\\_prometheus-adapter) | Customize prometheus-adapter chart, see `prometheus-adapter.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_prometheus-blackbox-exporter\"></a> [prometheus-blackbox-exporter](#input\\_prometheus-blackbox-exporter) | Customize prometheus-blackbox-exporter chart, see `prometheus-blackbox-exporter.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_promtail\"></a> [promtail](#input\\_promtail) | Customize promtail chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_reloader\"></a> [reloader](#input\\_reloader) | Customize reloader chart, see `reloader.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_sealed-secrets\"></a> [sealed-secrets](#input\\_sealed-secrets) | Customize sealed-secrets chart, see `sealed-secrets.tf` for supported values | `any` | `{}` | no |\n| <a 
name=\"input_secrets-store-csi-driver\"></a> [secrets-store-csi-driver](#input\\_secrets-store-csi-driver) | Customize secrets-store-csi-driver chart, see `secrets-store-csi-driver.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_thanos\"></a> [thanos](#input\\_thanos) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_thanos-memcached\"></a> [thanos-memcached](#input\\_thanos-memcached) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_thanos-receive\"></a> [thanos-receive](#input\\_thanos-receive) | Customize thanos chart, see `thanos-receive.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_thanos-storegateway\"></a> [thanos-storegateway](#input\\_thanos-storegateway) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_thanos-tls-querier\"></a> [thanos-tls-querier](#input\\_thanos-tls-querier) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_thanos-tls-querier-ca-cert\"></a> [thanos-tls-querier-ca-cert](#input\\_thanos-tls-querier-ca-cert) | TLS CA certificate, used to generate the client mTLS materials | `string` | `\"\"` | no |\n| <a name=\"input_thanos-tls-querier-ca-private-key\"></a> [thanos-tls-querier-ca-private-key](#input\\_thanos-tls-querier-ca-private-key) | TLS CA private key, used to generate the client mTLS materials | `string` | `\"\"` | no |\n| <a name=\"input_tigera-operator\"></a> [tigera-operator](#input\\_tigera-operator) | Customize tigera-operator chart, see `tigera-operator.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_traefik\"></a> [traefik](#input\\_traefik) | Customize traefik chart, see `traefik.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_velero\"></a> [velero](#input\\_velero) | Customize velero chart, see `velero.tf` for supported values | `any` | 
`{}` | no |\n| <a name=\"input_victoria-metrics-k8s-stack\"></a> [victoria-metrics-k8s-stack](#input\\_victoria-metrics-k8s-stack) | Customize Victoria Metrics chart, see `victoria-metrics-k8s-stack.tf` for supported values | `any` | `{}` | no |\n\n## Outputs\n\n| Name | Description |\n| ---- | ----------- |\n| <a name=\"output_grafana_password\"></a> [grafana\\_password](#output\\_grafana\\_password) | n/a |\n| <a name=\"output_loki-stack-ca\"></a> [loki-stack-ca](#output\\_loki-stack-ca) | n/a |\n| <a name=\"output_loki-stack-ca-key\"></a> [loki-stack-ca-key](#output\\_loki-stack-ca-key) | n/a |\n| <a name=\"output_promtail-cert\"></a> [promtail-cert](#output\\_promtail-cert) | n/a |\n| <a name=\"output_promtail-key\"></a> [promtail-key](#output\\_promtail-key) | n/a |\n<!-- END_TF_DOCS -->\n"
  },
  {
    "path": "admiralty.tf",
    "content": "locals {\n  admiralty = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"admiralty\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"admiralty\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"admiralty\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"admiralty\")].version\n      namespace              = \"admiralty\"\n      enabled                = false\n      create_ns              = true\n      default_network_policy = true\n    },\n    var.admiralty\n  )\n\n  values_admiralty = <<-VALUES\n    VALUES\n}\n\nresource \"kubernetes_namespace\" \"admiralty\" {\n  count = local.admiralty[\"enabled\"] && local.admiralty[\"create_ns\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name = local.admiralty[\"namespace\"]\n    }\n\n    name = local.admiralty[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"admiralty\" {\n  count                 = local.admiralty[\"enabled\"] ? 
1 : 0\n  repository            = local.admiralty[\"repository\"]\n  name                  = local.admiralty[\"name\"]\n  chart                 = local.admiralty[\"chart\"]\n  version               = local.admiralty[\"chart_version\"]\n  timeout               = local.admiralty[\"timeout\"]\n  force_update          = local.admiralty[\"force_update\"]\n  recreate_pods         = local.admiralty[\"recreate_pods\"]\n  wait                  = local.admiralty[\"wait\"]\n  atomic                = local.admiralty[\"atomic\"]\n  cleanup_on_fail       = local.admiralty[\"cleanup_on_fail\"]\n  dependency_update     = local.admiralty[\"dependency_update\"]\n  disable_crd_hooks     = local.admiralty[\"disable_crd_hooks\"]\n  disable_webhooks      = local.admiralty[\"disable_webhooks\"]\n  render_subchart_notes = local.admiralty[\"render_subchart_notes\"]\n  replace               = local.admiralty[\"replace\"]\n  reset_values          = local.admiralty[\"reset_values\"]\n  reuse_values          = local.admiralty[\"reuse_values\"]\n  skip_crds             = local.admiralty[\"skip_crds\"]\n  verify                = local.admiralty[\"verify\"]\n  values = [\n    local.values_admiralty,\n    local.admiralty[\"extra_values\"]\n  ]\n  namespace = local.admiralty[\"create_ns\"] ? kubernetes_namespace.admiralty.*.metadata.0.name[count.index] : local.admiralty[\"namespace\"]\n}\n\nresource \"kubernetes_network_policy\" \"admiralty_default_deny\" {\n  count = local.admiralty[\"enabled\"] && local.admiralty[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${local.admiralty[\"namespace\"]}-${local.admiralty[\"name\"]}-default-deny\"\n    namespace = local.admiralty[\"namespace\"]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"admiralty_allow_namespace\" {\n  count = local.admiralty[\"enabled\"] && local.admiralty[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${local.admiralty[\"namespace\"]}-${local.admiralty[\"name\"]}-default-namespace\"\n    namespace = local.admiralty[\"namespace\"]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = local.admiralty[\"namespace\"]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "cert-manager-csi-driver.tf",
    "content": "locals {\n\n  cert-manager-csi-driver = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"cert-manager-csi-driver\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"cert-manager-csi-driver\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"cert-manager-csi-driver\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"cert-manager-csi-driver\")].version\n      enabled                = local.cert-manager.csi_driver\n      default_network_policy = true\n      namespace              = local.cert-manager.namespace\n    },\n    var.cert-manager-csi-driver\n  )\n\n  values_cert-manager-csi-driver = <<VALUES\ntolerations:\n  - operator: \"Exists\"\nVALUES\n\n}\n\nresource \"helm_release\" \"cert-manager-csi-driver\" {\n  count                 = local.cert-manager-csi-driver[\"enabled\"] ? 
1 : 0\n  repository            = local.cert-manager-csi-driver[\"repository\"]\n  name                  = local.cert-manager-csi-driver[\"name\"]\n  chart                 = local.cert-manager-csi-driver[\"chart\"]\n  version               = local.cert-manager-csi-driver[\"chart_version\"]\n  timeout               = local.cert-manager-csi-driver[\"timeout\"]\n  force_update          = local.cert-manager-csi-driver[\"force_update\"]\n  recreate_pods         = local.cert-manager-csi-driver[\"recreate_pods\"]\n  wait                  = local.cert-manager-csi-driver[\"wait\"]\n  atomic                = local.cert-manager-csi-driver[\"atomic\"]\n  cleanup_on_fail       = local.cert-manager-csi-driver[\"cleanup_on_fail\"]\n  dependency_update     = local.cert-manager-csi-driver[\"dependency_update\"]\n  disable_crd_hooks     = local.cert-manager-csi-driver[\"disable_crd_hooks\"]\n  disable_webhooks      = local.cert-manager-csi-driver[\"disable_webhooks\"]\n  render_subchart_notes = local.cert-manager-csi-driver[\"render_subchart_notes\"]\n  replace               = local.cert-manager-csi-driver[\"replace\"]\n  reset_values          = local.cert-manager-csi-driver[\"reset_values\"]\n  reuse_values          = local.cert-manager-csi-driver[\"reuse_values\"]\n  skip_crds             = local.cert-manager-csi-driver[\"skip_crds\"]\n  verify                = local.cert-manager-csi-driver[\"verify\"]\n  values = [\n    local.values_cert-manager-csi-driver,\n    local.cert-manager-csi-driver[\"extra_values\"]\n  ]\n  namespace = local.cert-manager-csi-driver.namespace\n\n  depends_on = [\n    helm_release.cert-manager\n  ]\n}\n"
  },
  {
    "path": "cert-manager.tf",
    "content": "locals {\n\n  cert-manager = merge(\n    local.helm_defaults,\n    {\n      name                      = local.helm_dependencies[index(local.helm_dependencies.*.name, \"cert-manager\")].name\n      chart                     = local.helm_dependencies[index(local.helm_dependencies.*.name, \"cert-manager\")].name\n      repository                = local.helm_dependencies[index(local.helm_dependencies.*.name, \"cert-manager\")].repository\n      chart_version             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"cert-manager\")].version\n      namespace                 = \"cert-manager\"\n      service_account_name      = \"cert-manager\"\n      enabled                   = false\n      default_network_policy    = true\n      acme_email                = \"contact@acme.com\"\n      acme_http01_enabled       = false\n      acme_http01_ingress_class = \"\"\n      allowed_cidrs             = [\"0.0.0.0/0\"]\n      csi_driver                = false\n    },\n    var.cert-manager\n  )\n\n  values_cert-manager = <<VALUES\nglobal:\n  priorityClassName: ${local.priority-class[\"create\"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : \"\"}\nserviceAccount:\n  name: ${local.cert-manager[\"service_account_name\"]}\nprometheus:\n  servicemonitor:\n    enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\nsecurityContext:\n  fsGroup: 1001\ncrds:\n  enabled: true\nVALUES\n\n}\n\nresource \"kubernetes_namespace\" \"cert-manager\" {\n  count = local.cert-manager[\"enabled\"] ? 1 : 0\n\n  metadata {\n    annotations = {\n      \"certmanager.k8s.io/disable-validation\" = \"true\"\n    }\n\n    labels = {\n      name = local.cert-manager[\"namespace\"]\n    }\n\n    name = local.cert-manager[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"cert-manager\" {\n  count                 = local.cert-manager[\"enabled\"] ? 
1 : 0\n  repository            = local.cert-manager[\"repository\"]\n  name                  = local.cert-manager[\"name\"]\n  chart                 = local.cert-manager[\"chart\"]\n  version               = local.cert-manager[\"chart_version\"]\n  timeout               = local.cert-manager[\"timeout\"]\n  force_update          = local.cert-manager[\"force_update\"]\n  recreate_pods         = local.cert-manager[\"recreate_pods\"]\n  wait                  = local.cert-manager[\"wait\"]\n  atomic                = local.cert-manager[\"atomic\"]\n  cleanup_on_fail       = local.cert-manager[\"cleanup_on_fail\"]\n  dependency_update     = local.cert-manager[\"dependency_update\"]\n  disable_crd_hooks     = local.cert-manager[\"disable_crd_hooks\"]\n  disable_webhooks      = local.cert-manager[\"disable_webhooks\"]\n  render_subchart_notes = local.cert-manager[\"render_subchart_notes\"]\n  replace               = local.cert-manager[\"replace\"]\n  reset_values          = local.cert-manager[\"reset_values\"]\n  reuse_values          = local.cert-manager[\"reuse_values\"]\n  skip_crds             = local.cert-manager[\"skip_crds\"]\n  verify                = local.cert-manager[\"verify\"]\n  values = [\n    local.values_cert-manager,\n    local.cert-manager[\"extra_values\"]\n  ]\n  namespace = kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\ndata \"kubectl_path_documents\" \"cert-manager_cluster_issuers\" {\n  pattern = \"${path.module}/templates/cert-manager-cluster-issuers.yaml.tpl\"\n  vars = {\n    acme_email                = local.cert-manager[\"acme_email\"]\n    acme_http01_enabled       = local.cert-manager[\"acme_http01_enabled\"]\n    acme_http01_ingress_class = local.cert-manager[\"acme_http01_ingress_class\"]\n  }\n}\n\nresource \"time_sleep\" \"cert-manager_sleep\" {\n  count           = local.cert-manager[\"enabled\"] && local.cert-manager[\"acme_http01_enabled\"] ? 
length(data.kubectl_path_documents.cert-manager_cluster_issuers.documents) : 0\n  depends_on      = [helm_release.cert-manager]\n  create_duration = \"120s\"\n}\n\nresource \"kubectl_manifest\" \"cert-manager_cluster_issuers\" {\n  count     = local.cert-manager[\"enabled\"] && local.cert-manager[\"acme_http01_enabled\"] ? length(data.kubectl_path_documents.cert-manager_cluster_issuers.documents) : 0\n  yaml_body = element(data.kubectl_path_documents.cert-manager_cluster_issuers.documents, count.index)\n  depends_on = [\n    helm_release.cert-manager,\n    kubernetes_namespace.cert-manager,\n    time_sleep.cert-manager_sleep\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"cert-manager_default_deny\" {\n  count = local.cert-manager[\"enabled\"] && local.cert-manager[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"cert-manager_allow_namespace\" {\n  count = local.cert-manager[\"enabled\"] && local.cert-manager[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"cert-manager_allow_monitoring\" {\n  count = local.cert-manager[\"enabled\"] && local.cert-manager[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]}-allow-monitoring\"\n    namespace = kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      ports {\n        port     = \"9402\"\n        protocol = \"TCP\"\n      }\n\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"monitoring\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"cert-manager_allow_control_plane\" {\n  count = local.cert-manager[\"enabled\"] && local.cert-manager[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]}-allow-control-plane\"\n    namespace = kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n      match_expressions {\n        key      = \"app.kubernetes.io/name\"\n        operator = \"In\"\n        values   = [\"webhook\"]\n      }\n    }\n\n    ingress {\n      ports {\n        port     = \"10250\"\n        protocol = \"TCP\"\n      }\n\n      dynamic \"from\" {\n        for_each = local.cert-manager[\"allowed_cidrs\"]\n        content {\n          ip_block {\n            cidr = from.value\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "csi-external-snapshotter.tf",
    "content": "locals {\n\n  csi-external-snapshotter = merge(\n    {\n      enabled = false\n      version = \"v8.1.0\"\n    },\n    var.csi-external-snapshotter\n  )\n\n  csi-external-snapshotter_yaml_files = [\n    \"https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/${local.csi-external-snapshotter.version}/client/config/crd/snapshot.storage.k8s.io_volumesnapshotclasses.yaml\",\n    \"https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/${local.csi-external-snapshotter.version}/client/config/crd/snapshot.storage.k8s.io_volumesnapshotcontents.yaml\",\n    \"https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/${local.csi-external-snapshotter.version}/client/config/crd/snapshot.storage.k8s.io_volumesnapshots.yaml\",\n    \"https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/${local.csi-external-snapshotter.version}/deploy/kubernetes/snapshot-controller/setup-snapshot-controller.yaml\",\n    \"https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/${local.csi-external-snapshotter.version}/deploy/kubernetes/snapshot-controller/rbac-snapshot-controller.yaml\"\n  ]\n\n  csi-external-snapshotter_apply = local.csi-external-snapshotter[\"enabled\"] ? [for v in data.kubectl_file_documents.csi-external-snapshotter[0].documents : {\n    data : yamldecode(v)\n    content : v\n    }\n  ] : null\n\n}\n\ndata \"http\" \"csi-external-snapshotter\" {\n  for_each = local.csi-external-snapshotter.enabled ? toset(local.csi-external-snapshotter_yaml_files) : []\n  url      = each.key\n}\n\ndata \"kubectl_file_documents\" \"csi-external-snapshotter\" {\n  count   = local.csi-external-snapshotter.enabled ? 1 : 0\n  content = join(\"\\n---\\n\", [for k, v in data.http.csi-external-snapshotter : v.response_body])\n}\n\nresource \"kubectl_manifest\" \"csi-external-snapshotter\" {\n  for_each  = local.csi-external-snapshotter.enabled ? 
{ for v in local.csi-external-snapshotter_apply : lower(join(\"/\", compact([v.data.apiVersion, v.data.kind, lookup(v.data.metadata, \"namespace\", \"\"), v.data.metadata.name]))) => v.content } : {}\n  yaml_body = each.value\n}\n"
  },
  {
    "path": "flux2.tf",
    "content": "locals {\n\n  # GITHUB_TOKEN should be set for Github provider to work\n  # GITHUB_ORGANIZATION should be set if deploying in another ORG and not your\n  # github user\n\n  flux2 = merge(\n    {\n      enabled                  = false\n      create_ns                = true\n      namespace                = \"flux-system\"\n      path                     = \"gitops/clusters/${var.cluster-name}\"\n      version                  = \"v2.6.1\"\n      create_github_repository = false\n      repository               = \"gitops\"\n      repository_visibility    = \"public\"\n      branch                   = \"main\"\n      components_extra         = [\"image-reflector-controller\", \"image-automation-controller\"]\n      read_only                = false\n      default_network_policy   = true\n    },\n    var.flux2\n  )\n}\n\nresource \"kubernetes_namespace\" \"flux2\" {\n  count = local.flux2[\"enabled\"] && local.flux2[\"create_ns\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name = local.flux2[\"namespace\"]\n    }\n\n    name = local.flux2[\"namespace\"]\n  }\n  lifecycle {\n    ignore_changes = [\n      metadata[0].annotations,\n      metadata[0].labels,\n    ]\n  }\n}\n\nresource \"tls_private_key\" \"identity\" {\n  count       = local.flux2[\"enabled\"] ? 1 : 0\n  algorithm   = \"ECDSA\"\n  ecdsa_curve = \"P521\"\n}\n\ndata \"github_repository\" \"main\" {\n  count = local.flux2[\"enabled\"] && !local.flux2[\"create_github_repository\"] ? 1 : 0\n  name  = local.flux2[\"repository\"]\n}\n\nresource \"github_repository\" \"main\" {\n  count      = local.flux2[\"enabled\"] && local.flux2[\"create_github_repository\"] ? 1 : 0\n  name       = local.flux2[\"repository\"]\n  visibility = local.flux2[\"repository_visibility\"]\n  auto_init  = true\n}\n\nresource \"github_branch_default\" \"main\" {\n  count      = local.flux2[\"enabled\"] && local.flux2[\"create_github_repository\"] ? 1 : 0\n  repository = local.flux2[\"create_github_repository\"] ? 
github_repository.main[0].name : data.github_repository.main[0].name\n  branch     = local.flux2[\"branch\"]\n}\n\nresource \"github_repository_deploy_key\" \"main\" {\n  count      = local.flux2[\"enabled\"] ? 1 : 0\n  title      = \"flux-${local.flux2[\"create_github_repository\"] ? github_repository.main[0].name : local.flux2[\"repository\"]}-${local.flux2[\"branch\"]}\"\n  repository = local.flux2[\"create_github_repository\"] ? github_repository.main[0].name : data.github_repository.main[0].name\n  key        = tls_private_key.identity[0].public_key_openssh\n  read_only  = local.flux2[\"read_only\"]\n}\n\nresource \"flux_bootstrap_git\" \"flux\" {\n  count = local.flux2[\"enabled\"] ? 1 : 0\n\n  depends_on = [\n    github_repository_deploy_key.main,\n    kubernetes_namespace.flux2\n  ]\n\n  path                    = local.flux2[\"path\"]\n  version                 = local.flux2[\"version\"]\n  namespace               = local.flux2[\"namespace\"]\n  cluster_domain          = try(local.flux2[\"cluster_domain\"], null)\n  components              = try(local.flux2[\"components\"], null)\n  components_extra        = try(local.flux2[\"components_extra\"], null)\n  disable_secret_creation = try(local.flux2[\"disable_secret_creation\"], null)\n  image_pull_secret       = try(local.flux2[\"image_pull_secrets\"], null)\n  interval                = try(local.flux2[\"interval\"], null)\n  kustomization_override  = try(local.flux2[\"kustomization_override\"], null)\n  log_level               = try(local.flux2[\"log_level\"], null)\n  network_policy          = try(local.flux2[\"network_policy\"], null)\n  recurse_submodules      = try(local.flux2[\"recurse_submodules\"], null)\n  registry                = try(local.flux2[\"registry\"], null)\n  secret_name             = try(local.flux2[\"secret_name\"], null)\n  toleration_keys         = try(local.flux2[\"toleration_keys\"], null)\n  watch_all_namespaces    = try(local.flux2[\"watch_all_namespaces\"], null)\n\n}\n\nresource 
\"kubernetes_network_policy\" \"flux2_allow_monitoring\" {\n  count = local.flux2[\"enabled\"] && local.flux2[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${local.flux2[\"create_ns\"] ? kubernetes_namespace.flux2.*.metadata.0.name[count.index] : local.flux2[\"namespace\"]}-allow-monitoring\"\n    namespace = local.flux2[\"create_ns\"] ? kubernetes_namespace.flux2.*.metadata.0.name[count.index] : local.flux2[\"namespace\"]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      ports {\n        port     = \"8080\"\n        protocol = \"TCP\"\n      }\n\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"monitoring\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"flux2_allow_namespace\" {\n  count = local.flux2[\"enabled\"] && local.flux2[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${local.flux2[\"create_ns\"] ? kubernetes_namespace.flux2.*.metadata.0.name[count.index] : local.flux2[\"namespace\"]}-allow-namespace\"\n    namespace = local.flux2[\"create_ns\"] ? kubernetes_namespace.flux2.*.metadata.0.name[count.index] : local.flux2[\"namespace\"]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = local.flux2[\"create_ns\"] ? kubernetes_namespace.flux2.*.metadata.0.name[count.index] : local.flux2[\"namespace\"]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "grafana-mcp.tf",
    "content": "locals {\n  grafana-mcp = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"grafana-mcp\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"grafana-mcp\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"grafana-mcp\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"grafana-mcp\")].version\n      namespace              = \"telemetry\"\n      create_ns              = false\n      enabled                = false\n      default_network_policy = true\n    },\n    var.grafana-mcp\n  )\n\n  values_grafana-mcp = <<VALUES\n    VALUES\n}\n\nresource \"kubernetes_namespace\" \"grafana-mcp\" {\n  count = local.grafana-mcp[\"enabled\"] && local.grafana-mcp[\"create_ns\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name = local.grafana-mcp[\"namespace\"]\n    }\n\n    name = local.grafana-mcp[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"grafana-mcp\" {\n  count                 = local.grafana-mcp[\"enabled\"] ? 
1 : 0\n  repository            = local.grafana-mcp[\"repository\"]\n  name                  = local.grafana-mcp[\"name\"]\n  chart                 = local.grafana-mcp[\"chart\"]\n  version               = local.grafana-mcp[\"chart_version\"]\n  timeout               = local.grafana-mcp[\"timeout\"]\n  force_update          = local.grafana-mcp[\"force_update\"]\n  recreate_pods         = local.grafana-mcp[\"recreate_pods\"]\n  wait                  = local.grafana-mcp[\"wait\"]\n  atomic                = local.grafana-mcp[\"atomic\"]\n  cleanup_on_fail       = local.grafana-mcp[\"cleanup_on_fail\"]\n  dependency_update     = local.grafana-mcp[\"dependency_update\"]\n  disable_crd_hooks     = local.grafana-mcp[\"disable_crd_hooks\"]\n  disable_webhooks      = local.grafana-mcp[\"disable_webhooks\"]\n  render_subchart_notes = local.grafana-mcp[\"render_subchart_notes\"]\n  replace               = local.grafana-mcp[\"replace\"]\n  reset_values          = local.grafana-mcp[\"reset_values\"]\n  reuse_values          = local.grafana-mcp[\"reuse_values\"]\n  skip_crds             = local.grafana-mcp[\"skip_crds\"]\n  verify                = local.grafana-mcp[\"verify\"]\n  values = [\n    local.values_grafana-mcp,\n    local.grafana-mcp[\"extra_values\"]\n  ]\n  namespace = local.grafana-mcp[\"create_ns\"] ? kubernetes_namespace.grafana-mcp.*.metadata.0.name[count.index] : local.grafana-mcp[\"namespace\"]\n}\n\nresource \"kubernetes_network_policy\" \"grafana-mcp_default_deny\" {\n  count = local.grafana-mcp[\"create_ns\"] && local.grafana-mcp[\"enabled\"] && local.grafana-mcp[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.grafana-mcp.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.grafana-mcp.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"grafana-mcp_allow_namespace\" {\n  count = local.grafana-mcp[\"create_ns\"] && local.grafana-mcp[\"enabled\"] && local.grafana-mcp[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.grafana-mcp.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.grafana-mcp.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.grafana-mcp.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "helm-dependencies.yaml",
    "content": "apiVersion: v2\nname: Handle terraform-kubernetes-addons helm chart dependencies update\nversion: 1.0.0\ndependencies:\n  - name: admiralty\n    version: 0.13.2\n    repository: https://charts.admiralty.io\n  - name: secrets-store-csi-driver\n    version: 1.5.6\n    repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts\n  - name: aws-ebs-csi-driver\n    version: 2.58.0\n    repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver\n  - name: aws-efs-csi-driver\n    version: 4.0.0\n    repository: https://kubernetes-sigs.github.io/aws-efs-csi-driver\n  - name: aws-for-fluent-bit\n    version: 0.2.0\n    repository: https://aws.github.io/eks-charts\n  - name: aws-load-balancer-controller\n    version: 3.2.1\n    repository: https://aws.github.io/eks-charts\n  - name: aws-node-termination-handler\n    version: 0.21.0\n    repository: https://aws.github.io/eks-charts\n  - name: cert-manager\n    version: v1.20.1\n    repository: https://charts.jetstack.io\n  - name: cert-manager-csi-driver\n    version: v0.13.0\n    repository: https://charts.jetstack.io\n  - name: cluster-autoscaler\n    version: 9.56.0\n    repository: https://kubernetes.github.io/autoscaler\n  - name: external-dns\n    version: 1.20.0\n    repository: https://kubernetes-sigs.github.io/external-dns/\n  - name: flux\n    version: 1.13.3\n    repository: https://charts.fluxcd.io\n  - name: grafana-mcp\n    version: 0.3.1\n    repository: https://grafana.github.io/helm-charts\n  - name: ingress-nginx\n    version: 4.15.1\n    repository: https://kubernetes.github.io/ingress-nginx\n  - name: k8gb\n    version: v0.19.0\n    repository: https://www.k8gb.io\n  - name: karma\n    version: 1.7.2\n    repository: https://charts.helm.sh/stable\n  - name: karpenter\n    version: 1.11.0\n    repository: oci://public.ecr.aws/karpenter\n  - name: keda\n    version: 2.19.0\n    repository: https://kedacore.github.io/charts\n  - name: kong\n    version: 3.2.0\n    
repository: https://charts.konghq.com\n  - name: kube-prometheus-stack\n    version: 83.3.0\n    repository: https://prometheus-community.github.io/helm-charts\n  - name: linkerd2-cni\n    version: 30.12.2\n    repository: https://helm.linkerd.io/stable\n  - name: linkerd-control-plane\n    version: 1.16.11\n    repository: https://helm.linkerd.io/stable\n  - name: linkerd-crds\n    version: 1.8.0\n    repository: https://helm.linkerd.io/stable\n  - name: linkerd-viz\n    version: 30.12.11\n    repository: https://helm.linkerd.io/stable\n  - name: loki\n    version: 6.55.0\n    repository: https://grafana.github.io/helm-charts\n  - name: promtail\n    version: 6.17.1\n    repository: https://grafana.github.io/helm-charts\n  - name: metrics-server\n    version: 3.13.0\n    repository: https://kubernetes-sigs.github.io/metrics-server/\n  - name: node-problem-detector\n    version: 2.4.0\n    repository: oci://ghcr.io/deliveryhero/helm-charts\n  - name: prometheus-adapter\n    version: 5.3.0\n    repository: https://prometheus-community.github.io/helm-charts\n  - name: prometheus-cloudwatch-exporter\n    version: 0.28.1\n    repository: https://prometheus-community.github.io/helm-charts\n  - name: prometheus-blackbox-exporter\n    version: 11.9.1\n    repository: https://prometheus-community.github.io/helm-charts\n  - name: scaleway-webhook\n    version: v0.0.1\n    repository: https://particuleio.github.io/charts\n  - name: sealed-secrets\n    version: 2.18.4\n    repository: https://bitnami-labs.github.io/sealed-secrets\n  - name: oci://registry-1.docker.io/bitnamicharts/thanos\n    version: 15.9.2\n    repository: \"\"\n  - name: tigera-operator\n    version: v3.31.4\n    repository: https://docs.projectcalico.org/charts\n  - name: traefik\n    version: 39.0.7\n    repository: https://helm.traefik.io/traefik\n  - name: oci://registry-1.docker.io/bitnamicharts/memcached\n    version: 7.5.3\n    repository: \"\"\n  - name: velero\n    version: 12.0.0\n    repository: 
https://vmware-tanzu.github.io/helm-charts\n  - name: victoria-metrics-k8s-stack\n    version: 0.72.6\n    repository: https://victoriametrics.github.io/helm-charts/\n  - name: yet-another-cloudwatch-exporter\n    version: 0.14.0\n    repository: https://nerdswords.github.io/yet-another-cloudwatch-exporter\n  - name: reloader\n    version: 2.2.9\n    repository: https://stakater.github.io/stakater-charts\n"
  },
  {
    "path": "ingress-nginx.tf",
    "content": "locals {\n\n  ingress-nginx = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"ingress-nginx\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"ingress-nginx\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"ingress-nginx\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"ingress-nginx\")].version\n      namespace              = \"ingress-nginx\"\n      enabled                = false\n      default_network_policy = true\n      ingress_cidrs          = [\"0.0.0.0/0\"]\n      linkerd-viz-enabled    = false\n      linkerd-viz-namespace  = \"linkerd-viz\"\n      allowed_cidrs          = [\"0.0.0.0/0\"]\n      extra_ns_labels        = {}\n      extra_ns_annotations   = {}\n    },\n    var.ingress-nginx\n  )\n\n  values_ingress-nginx = <<VALUES\ncontroller:\n  allowSnippetAnnotations: true\n  metrics:\n    enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\n    serviceMonitor:\n      enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\n  updateStrategy:\n    type: RollingUpdate\n  kind: \"DaemonSet\"\n  publishService:\n    enabled: true\n  priorityClassName: ${local.priority-class-ds[\"create\"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : \"\"}\n  admissionWebhooks:\n    patch:\n      podAnnotations:\n        linkerd.io/inject: disabled\nVALUES\n\n}\n\nresource \"kubernetes_namespace\" \"ingress-nginx\" {\n  count = local.ingress-nginx[\"enabled\"] ? 
1 : 0\n\n  metadata {\n    labels = merge({\n      name                               = local.ingress-nginx[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"ingress\"\n      },\n    local.ingress-nginx[\"extra_ns_labels\"])\n\n    annotations = merge(\n      local.ingress-nginx[\"extra_ns_annotations\"]\n    )\n\n    name = local.ingress-nginx[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"ingress-nginx\" {\n  count                 = local.ingress-nginx[\"enabled\"] ? 1 : 0\n  repository            = local.ingress-nginx[\"repository\"]\n  name                  = local.ingress-nginx[\"name\"]\n  chart                 = local.ingress-nginx[\"chart\"]\n  version               = local.ingress-nginx[\"chart_version\"]\n  timeout               = local.ingress-nginx[\"timeout\"]\n  force_update          = local.ingress-nginx[\"force_update\"]\n  recreate_pods         = local.ingress-nginx[\"recreate_pods\"]\n  wait                  = local.ingress-nginx[\"wait\"]\n  atomic                = local.ingress-nginx[\"atomic\"]\n  cleanup_on_fail       = local.ingress-nginx[\"cleanup_on_fail\"]\n  dependency_update     = local.ingress-nginx[\"dependency_update\"]\n  disable_crd_hooks     = local.ingress-nginx[\"disable_crd_hooks\"]\n  disable_webhooks      = local.ingress-nginx[\"disable_webhooks\"]\n  render_subchart_notes = local.ingress-nginx[\"render_subchart_notes\"]\n  replace               = local.ingress-nginx[\"replace\"]\n  reset_values          = local.ingress-nginx[\"reset_values\"]\n  reuse_values          = local.ingress-nginx[\"reuse_values\"]\n  skip_crds             = local.ingress-nginx[\"skip_crds\"]\n  verify                = local.ingress-nginx[\"verify\"]\n  values = [\n    local.values_ingress-nginx,\n    local.ingress-nginx[\"extra_values\"],\n  ]\n  namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nresource 
\"kubernetes_network_policy\" \"ingress-nginx_default_deny\" {\n  count = local.ingress-nginx[\"enabled\"] && local.ingress-nginx[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"ingress-nginx_allow_namespace\" {\n  count = local.ingress-nginx[\"enabled\"] && local.ingress-nginx[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"ingress-nginx_allow_ingress\" {\n  count = local.ingress-nginx[\"enabled\"] && local.ingress-nginx[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-ingress\"\n    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n      match_expressions {\n        key      = \"app.kubernetes.io/name\"\n        operator = \"In\"\n        values   = [\"ingress-nginx\"]\n      }\n    }\n\n    ingress {\n      ports {\n        port     = \"http\"\n        protocol = \"TCP\"\n      }\n      ports {\n        port     = \"https\"\n        protocol = \"TCP\"\n      }\n\n      dynamic \"from\" {\n        for_each = local.ingress-nginx[\"ingress_cidrs\"]\n        content {\n          ip_block {\n            cidr = from.value\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"ingress-nginx_allow_monitoring\" {\n  count = local.ingress-nginx[\"enabled\"] && local.ingress-nginx[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-monitoring\"\n    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      ports {\n        port     = \"metrics\"\n        protocol = \"TCP\"\n      }\n\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"monitoring\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"ingress-nginx_allow_control_plane\" {\n  count = local.ingress-nginx[\"enabled\"] && local.ingress-nginx[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-control-plane\"\n    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n      match_expressions {\n        key      = \"app.kubernetes.io/name\"\n        operator = \"In\"\n        values   = [\"ingress-nginx\"]\n      }\n    }\n\n    ingress {\n      ports {\n        port     = \"webhook\"\n        protocol = \"TCP\"\n      }\n\n      dynamic \"from\" {\n        for_each = local.ingress-nginx[\"allowed_cidrs\"]\n        content {\n          ip_block {\n            cidr = from.value\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"ingress-nginx_allow_linkerd_viz\" {\n  count = local.ingress-nginx[\"enabled\"] && (local.linkerd-viz[\"enabled\"] || local.ingress-nginx[\"linkerd-viz-enabled\"]) && local.ingress-nginx[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-linkerd-viz\"\n    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = local.linkerd-viz[\"enabled\"] ? local.linkerd-viz[\"namespace\"] : local.ingress-nginx[\"linkerd-viz-namespace\"]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "k8gb.tf",
    "content": "locals {\n  k8gb = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"k8gb\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"k8gb\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"k8gb\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"k8gb\")].version\n      namespace              = \"k8gb\"\n      enabled                = false\n      create_ns              = true\n      default_network_policy = false\n    },\n    var.k8gb\n  )\n\n  values_k8gb = <<-VALUES\n    VALUES\n}\n\nresource \"kubernetes_namespace\" \"k8gb\" {\n  count = local.k8gb[\"enabled\"] && local.k8gb[\"create_ns\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name = local.k8gb[\"namespace\"]\n    }\n\n    name = local.k8gb[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"k8gb\" {\n  count                 = local.k8gb[\"enabled\"] ? 
1 : 0\n  repository            = local.k8gb[\"repository\"]\n  name                  = local.k8gb[\"name\"]\n  chart                 = local.k8gb[\"chart\"]\n  version               = local.k8gb[\"chart_version\"]\n  timeout               = local.k8gb[\"timeout\"]\n  force_update          = local.k8gb[\"force_update\"]\n  recreate_pods         = local.k8gb[\"recreate_pods\"]\n  wait                  = local.k8gb[\"wait\"]\n  atomic                = local.k8gb[\"atomic\"]\n  cleanup_on_fail       = local.k8gb[\"cleanup_on_fail\"]\n  dependency_update     = local.k8gb[\"dependency_update\"]\n  disable_crd_hooks     = local.k8gb[\"disable_crd_hooks\"]\n  disable_webhooks      = local.k8gb[\"disable_webhooks\"]\n  render_subchart_notes = local.k8gb[\"render_subchart_notes\"]\n  replace               = local.k8gb[\"replace\"]\n  reset_values          = local.k8gb[\"reset_values\"]\n  reuse_values          = local.k8gb[\"reuse_values\"]\n  skip_crds             = local.k8gb[\"skip_crds\"]\n  verify                = local.k8gb[\"verify\"]\n  values = [\n    local.values_k8gb,\n    local.k8gb[\"extra_values\"]\n  ]\n  namespace = local.k8gb[\"create_ns\"] ? kubernetes_namespace.k8gb.*.metadata.0.name[count.index] : local.k8gb[\"namespace\"]\n}\n\nresource \"kubernetes_network_policy\" \"k8gb_default_deny\" {\n  count = local.k8gb[\"enabled\"] && local.k8gb[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${local.k8gb[\"namespace\"]}-${local.k8gb[\"name\"]}-default-deny\"\n    namespace = local.k8gb[\"namespace\"]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"k8gb_allow_namespace\" {\n  count = local.k8gb[\"enabled\"] && local.k8gb[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${local.k8gb[\"namespace\"]}-${local.k8gb[\"name\"]}-default-namespace\"\n    namespace = local.k8gb[\"namespace\"]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = local.k8gb[\"namespace\"]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "karma.tf",
    "content": "locals {\n  karma = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"karma\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"karma\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"karma\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"karma\")].version\n      namespace              = \"monitoring\"\n      create_ns              = false\n      enabled                = false\n      default_network_policy = true\n    },\n    var.karma\n  )\n\n  values_karma = <<VALUES\nVALUES\n\n}\n\nresource \"kubernetes_namespace\" \"karma\" {\n  count = local.karma[\"enabled\"] && local.karma[\"create_ns\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.karma[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"monitoring\"\n    }\n\n    name = local.karma[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"karma\" {\n  count                 = local.karma[\"enabled\"] ? 
1 : 0\n  repository            = local.karma[\"repository\"]\n  name                  = local.karma[\"name\"]\n  chart                 = local.karma[\"chart\"]\n  version               = local.karma[\"chart_version\"]\n  timeout               = local.karma[\"timeout\"]\n  force_update          = local.karma[\"force_update\"]\n  recreate_pods         = local.karma[\"recreate_pods\"]\n  wait                  = local.karma[\"wait\"]\n  atomic                = local.karma[\"atomic\"]\n  cleanup_on_fail       = local.karma[\"cleanup_on_fail\"]\n  dependency_update     = local.karma[\"dependency_update\"]\n  disable_crd_hooks     = local.karma[\"disable_crd_hooks\"]\n  disable_webhooks      = local.karma[\"disable_webhooks\"]\n  render_subchart_notes = local.karma[\"render_subchart_notes\"]\n  replace               = local.karma[\"replace\"]\n  reset_values          = local.karma[\"reset_values\"]\n  reuse_values          = local.karma[\"reuse_values\"]\n  skip_crds             = local.karma[\"skip_crds\"]\n  verify                = local.karma[\"verify\"]\n  values = [\n    local.values_karma,\n    local.karma[\"extra_values\"]\n  ]\n  namespace = local.karma[\"create_ns\"] ? kubernetes_namespace.karma.*.metadata.0.name[count.index] : local.karma[\"namespace\"]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"karma_default_deny\" {\n  count = local.karma[\"create_ns\"] && local.karma[\"enabled\"] && local.karma[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.karma.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.karma.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"karma_allow_namespace\" {\n  count = local.karma[\"create_ns\"] && local.karma[\"enabled\"] && local.karma[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.karma.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.karma.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.karma.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"karma_allow_ingress\" {\n  count = local.karma[\"enabled\"] && local.karma[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${local.karma[\"create_ns\"] ? kubernetes_namespace.karma.*.metadata.0.name[count.index] : local.karma[\"namespace\"]}-allow-ingress-karma\"\n    namespace = local.karma[\"create_ns\"] ? kubernetes_namespace.karma.*.metadata.0.name[count.index] : local.karma[\"namespace\"]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"ingress\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "keda.tf",
    "content": "locals {\n  keda = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"keda\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"keda\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"keda\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"keda\")].version\n      namespace              = \"keda\"\n      create_ns              = false\n      enabled                = false\n      default_network_policy = true\n    },\n    var.keda\n  )\n\n  values_keda = <<VALUES\nVALUES\n}\n\nresource \"kubernetes_namespace\" \"keda\" {\n  count = local.keda[\"enabled\"] && local.keda[\"create_ns\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.keda[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"keda\"\n    }\n\n    name = local.keda[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"keda\" {\n  count                 = local.keda[\"enabled\"] ? 
1 : 0\n  repository            = local.keda[\"repository\"]\n  name                  = local.keda[\"name\"]\n  chart                 = local.keda[\"chart\"]\n  version               = local.keda[\"chart_version\"]\n  timeout               = local.keda[\"timeout\"]\n  force_update          = local.keda[\"force_update\"]\n  recreate_pods         = local.keda[\"recreate_pods\"]\n  wait                  = local.keda[\"wait\"]\n  atomic                = local.keda[\"atomic\"]\n  cleanup_on_fail       = local.keda[\"cleanup_on_fail\"]\n  dependency_update     = local.keda[\"dependency_update\"]\n  disable_crd_hooks     = local.keda[\"disable_crd_hooks\"]\n  disable_webhooks      = local.keda[\"disable_webhooks\"]\n  render_subchart_notes = local.keda[\"render_subchart_notes\"]\n  replace               = local.keda[\"replace\"]\n  reset_values          = local.keda[\"reset_values\"]\n  reuse_values          = local.keda[\"reuse_values\"]\n  skip_crds             = local.keda[\"skip_crds\"]\n  verify                = local.keda[\"verify\"]\n  values = [\n    local.values_keda,\n    local.keda[\"extra_values\"]\n  ]\n  namespace = local.keda[\"create_ns\"] ? kubernetes_namespace.keda.*.metadata.0.name[count.index] : local.keda[\"namespace\"]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"keda_default_deny\" {\n  count = local.keda[\"create_ns\"] && local.keda[\"enabled\"] && local.keda[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.keda.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.keda.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"keda_allow_namespace\" {\n  count = local.keda[\"create_ns\"] && local.keda[\"enabled\"] && local.keda[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.keda.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.keda.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.keda.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "kong-crds.tf",
    "content": "locals {\n\n  kong_crd_version = \"kong-${local.kong.chart_version}\"\n\n  kong_crds = \"https://raw.githubusercontent.com/Kong/charts/${local.kong_crd_version}/charts/kong/crds/custom-resource-definitions.yaml\"\n\n  kong_crds_apply = local.kong.enabled && local.kong.manage_crds ? [for v in data.kubectl_file_documents.kong_crds.0.documents : {\n    data : yamldecode(v)\n    content : v\n    }\n  ] : null\n}\n\ndata \"http\" \"kong_crds\" {\n  count = local.kong.enabled && local.kong.manage_crds ? 1 : 0\n  url   = local.kong_crds\n}\n\ndata \"kubectl_file_documents\" \"kong_crds\" {\n  count   = local.kong.enabled && local.kong.manage_crds ? 1 : 0\n  content = data.http.kong_crds[0].response_body\n}\n\nresource \"kubectl_manifest\" \"kong_crds\" {\n  for_each          = local.kong.enabled && local.kong.manage_crds ? { for v in local.kong_crds_apply : lower(join(\"/\", compact([v.data.apiVersion, v.data.kind, lookup(v.data.metadata, \"namespace\", \"\"), v.data.metadata.name]))) => v.content } : {}\n  yaml_body         = each.value\n  server_side_apply = true\n  force_conflicts   = true\n}\n"
  },
  {
    "path": "kong.tf",
    "content": "locals {\n\n  kong = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"kong\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"kong\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"kong\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"kong\")].version\n      namespace              = \"kong\"\n      enabled                = false\n      default_network_policy = true\n      ingress_cidrs          = [\"0.0.0.0/0\"]\n      manage_crds            = true\n    },\n    var.kong\n  )\n\n  values_kong = <<VALUES\ningressController:\n  enabled: true\n  installCRDs: false\n  resources:\n    requests:\n      cpu: 50m\n      memory: 64Mi\npostgresql:\n  enabled: false\nenv:\n  database: \"off\"\nadmin:\n  type: ClusterIP\nautoscaling:\n  enabled: true\nreplicaCount: 2\nserviceMonitor:\n  enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\nresources:\n  requests:\n    cpu: 100m\n    memory: 128Mi\nVALUES\n}\n\nresource \"kubernetes_namespace\" \"kong\" {\n  count = local.kong[\"enabled\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.kong[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"ingress\"\n    }\n\n    name = local.kong[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"kong\" {\n  count                 = local.kong[\"enabled\"] ? 
1 : 0\n  repository            = local.kong[\"repository\"]\n  name                  = local.kong[\"name\"]\n  chart                 = local.kong[\"chart\"]\n  version               = local.kong[\"chart_version\"]\n  timeout               = local.kong[\"timeout\"]\n  force_update          = local.kong[\"force_update\"]\n  recreate_pods         = local.kong[\"recreate_pods\"]\n  wait                  = local.kong[\"wait\"]\n  atomic                = local.kong[\"atomic\"]\n  cleanup_on_fail       = local.kong[\"cleanup_on_fail\"]\n  dependency_update     = local.kong[\"dependency_update\"]\n  disable_crd_hooks     = local.kong[\"disable_crd_hooks\"]\n  disable_webhooks      = local.kong[\"disable_webhooks\"]\n  render_subchart_notes = local.kong[\"render_subchart_notes\"]\n  replace               = local.kong[\"replace\"]\n  reset_values          = local.kong[\"reset_values\"]\n  reuse_values          = local.kong[\"reuse_values\"]\n  skip_crds             = local.kong[\"skip_crds\"]\n  verify                = local.kong[\"verify\"]\n  values = [\n    local.values_kong,\n    local.kong[\"extra_values\"]\n  ]\n  namespace = kubernetes_namespace.kong.*.metadata.0.name[count.index]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"kong_default_deny\" {\n  count = local.kong[\"enabled\"] && local.kong[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.kong.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.kong.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"kong_allow_namespace\" {\n  count = local.kong[\"enabled\"] && local.kong[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.kong.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.kong.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.kong.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"kong_allow_ingress\" {\n  count = local.kong[\"enabled\"] && local.kong[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.kong.*.metadata.0.name[count.index]}-allow-ingress\"\n    namespace = kubernetes_namespace.kong.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n      match_expressions {\n        key      = \"app.kubernetes.io/name\"\n        operator = \"In\"\n        values   = [\"kong\"]\n      }\n    }\n\n    ingress {\n      ports {\n        port     = \"8000\"\n        protocol = \"TCP\"\n      }\n      ports {\n        port     = \"8443\"\n        protocol = \"TCP\"\n      }\n\n      dynamic \"from\" {\n        for_each = local.kong[\"ingress_cidrs\"]\n        content {\n          ip_block {\n            cidr = from.value\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"kong_allow_monitoring\" {\n  count = local.kong[\"enabled\"] && local.kong[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.kong.*.metadata.0.name[count.index]}-allow-monitoring\"\n    namespace = kubernetes_namespace.kong.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      ports {\n        port     = \"metrics\"\n        protocol = \"TCP\"\n      }\n\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"monitoring\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "kube-prometheus-crd.tf",
    "content": "locals {\n\n  prometheus-operator_crd_version = (local.victoria-metrics-k8s-stack.enabled && local.victoria-metrics-k8s-stack.install_prometheus_operator_crds) || (local.kube-prometheus-stack.enabled && local.kube-prometheus-stack.manage_crds) ? yamldecode(data.http.prometheus-operator_version.0.response_body).appVersion : \"\"\n\n  prometheus-operator_crds = [\n    \"https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/${local.prometheus-operator_crd_version}/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml\",\n    \"https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/${local.prometheus-operator_crd_version}/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml\",\n    \"https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/${local.prometheus-operator_crd_version}/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml\",\n    \"https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/${local.prometheus-operator_crd_version}/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml\",\n    \"https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/${local.prometheus-operator_crd_version}/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml\",\n    \"https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/${local.prometheus-operator_crd_version}/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml\",\n    \"https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/${local.prometheus-operator_crd_version}/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml\",\n    \"https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/${local.prometheus-operator_crd_version}/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml\"\n  ]\n\n  prometheus-operator_chart = 
\"https://raw.githubusercontent.com/prometheus-community/helm-charts/kube-prometheus-stack-${local.kube-prometheus-stack.chart_version}/charts/kube-prometheus-stack/Chart.yaml\"\n\n  prometheus-operator_crds_apply = (local.victoria-metrics-k8s-stack.enabled && local.victoria-metrics-k8s-stack.install_prometheus_operator_crds) || (local.kube-prometheus-stack.enabled && local.kube-prometheus-stack.manage_crds) ? { for k, v in data.http.prometheus-operator_crds : lower(join(\"/\", compact([yamldecode(v.response_body).apiVersion, yamldecode(v.response_body).kind, lookup(yamldecode(v.response_body).metadata, \"namespace\", \"\"), yamldecode(v.response_body).metadata.name]))) => v.response_body\n  } : null\n\n}\n\ndata \"http\" \"prometheus-operator_version\" {\n  count = (local.victoria-metrics-k8s-stack.enabled && local.victoria-metrics-k8s-stack.install_prometheus_operator_crds) || (local.kube-prometheus-stack.enabled && local.kube-prometheus-stack.manage_crds) ? 1 : 0\n  url   = local.prometheus-operator_chart\n}\n\ndata \"http\" \"prometheus-operator_crds\" {\n  for_each = (local.victoria-metrics-k8s-stack.enabled && local.victoria-metrics-k8s-stack.install_prometheus_operator_crds) || (local.kube-prometheus-stack.enabled && local.kube-prometheus-stack.manage_crds) ? toset(local.prometheus-operator_crds) : []\n  url      = each.key\n}\n\nresource \"kubectl_manifest\" \"prometheus-operator_crds\" {\n  for_each          = (local.victoria-metrics-k8s-stack.enabled && local.victoria-metrics-k8s-stack.install_prometheus_operator_crds) || (local.kube-prometheus-stack.enabled && local.kube-prometheus-stack.manage_crds) ? local.prometheus-operator_crds_apply : {}\n  yaml_body         = each.value\n  server_side_apply = true\n  force_conflicts   = true\n}\n"
  },
  {
    "path": "kube-prometheus.tf",
    "content": "locals {\n\n  kube-prometheus-stack = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"kube-prometheus-stack\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"kube-prometheus-stack\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"kube-prometheus-stack\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"kube-prometheus-stack\")].version\n      namespace              = \"monitoring\"\n      enabled                = false\n      allowed_cidrs          = [\"0.0.0.0/0\"]\n      default_network_policy = true\n      manage_crds            = true\n    },\n    var.kube-prometheus-stack\n  )\n\n  values_kube-prometheus-stack = <<VALUES\ngrafana:\n  rbac:\n    pspEnabled: false\n  adminPassword: ${join(\",\", random_string.grafana_password.*.result)}\n  dashboardProviders:\n    dashboardproviders.yaml:\n      apiVersion: 1\n      providers:\n      - name: 'default'\n        orgId: 1\n        folder: ''\n        type: file\n        disableDeletion: false\n        editable: true\n        options:\n          path: /var/lib/grafana/dashboards/default\nprometheus-node-exporter:\n  priorityClassName: ${local.priority-class-ds[\"create\"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : \"\"}\nprometheus:\n  prometheusSpec:\n    priorityClassName: ${local.priority-class[\"create\"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : \"\"}\nalertmanager:\n  alertmanagerSpec:\n    priorityClassName: ${local.priority-class[\"create\"] ? 
kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : \"\"}\nprometheusOperator:\n  admissionWebhooks:\n    patch:\n      podAnnotations:\n        linkerd.io/inject: disabled\nVALUES\n\n  values_dashboard_kong = <<VALUES\ngrafana:\n  dashboards:\n    default:\n      kong-dash:\n        gnetId: 7424\n        revision: 6\n        datasource: ${local.kube-prometheus-stack.enabled ? \"Prometheus\" : local.victoria-metrics-k8s-stack.enabled ? \"VictoriaMetrics\" : \"\"}\nVALUES\n\n  values_dashboard_ingress-nginx = <<VALUES\ngrafana:\n  dashboards:\n    default:\n      nginx-ingress:\n        url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/nginx.json\nVALUES\n\n  values_dashboard_cert-manager = <<VALUES\ngrafana:\n  dashboards:\n    default:\n      cert-manager:\n        gnetId: 11001\n        revision: 1\n        datasource: ${local.kube-prometheus-stack.enabled ? \"Prometheus\" : local.victoria-metrics-k8s-stack.enabled ? \"VictoriaMetrics\" : \"\"}\nVALUES\n\n  values_dashboard_node_exporter = <<VALUES\ngrafana:\n  dashboards:\n    default:\n      node-exporter-full:\n        gnetId: 1860\n        revision: 21\n        datasource: ${local.kube-prometheus-stack.enabled ? \"Prometheus\" : local.victoria-metrics-k8s-stack.enabled ? \"VictoriaMetrics\" : \"\"}\n      node-exporter:\n        gnetId: 11074\n        revision: 9\n        datasource: ${local.kube-prometheus-stack.enabled ? \"Prometheus\" : local.victoria-metrics-k8s-stack.enabled ? \"VictoriaMetrics\" : \"\"}\nVALUES\n}\n\n\nresource \"kubernetes_namespace\" \"kube-prometheus-stack\" {\n  count = local.kube-prometheus-stack[\"enabled\"] ? 
1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.kube-prometheus-stack[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"monitoring\"\n    }\n\n    name = local.kube-prometheus-stack[\"namespace\"]\n  }\n\n  lifecycle {\n    ignore_changes = [\n      metadata[0].annotations,\n      metadata[0].labels,\n    ]\n  }\n}\n\nresource \"random_string\" \"grafana_password\" {\n  count   = local.kube-prometheus-stack[\"enabled\"] ? 1 : 0\n  length  = 16\n  special = false\n}\n\nresource \"helm_release\" \"kube-prometheus-stack\" {\n  count                 = local.kube-prometheus-stack[\"enabled\"] ? 1 : 0\n  repository            = local.kube-prometheus-stack[\"repository\"]\n  name                  = local.kube-prometheus-stack[\"name\"]\n  chart                 = local.kube-prometheus-stack[\"chart\"]\n  version               = local.kube-prometheus-stack[\"chart_version\"]\n  timeout               = local.kube-prometheus-stack[\"timeout\"]\n  force_update          = local.kube-prometheus-stack[\"force_update\"]\n  recreate_pods         = local.kube-prometheus-stack[\"recreate_pods\"]\n  wait                  = local.kube-prometheus-stack[\"wait\"]\n  atomic                = local.kube-prometheus-stack[\"atomic\"]\n  cleanup_on_fail       = local.kube-prometheus-stack[\"cleanup_on_fail\"]\n  dependency_update     = local.kube-prometheus-stack[\"dependency_update\"]\n  disable_crd_hooks     = local.kube-prometheus-stack[\"disable_crd_hooks\"]\n  disable_webhooks      = local.kube-prometheus-stack[\"disable_webhooks\"]\n  render_subchart_notes = local.kube-prometheus-stack[\"render_subchart_notes\"]\n  replace               = local.kube-prometheus-stack[\"replace\"]\n  reset_values          = local.kube-prometheus-stack[\"reset_values\"]\n  reuse_values          = local.kube-prometheus-stack[\"reuse_values\"]\n  skip_crds             = local.kube-prometheus-stack[\"skip_crds\"]\n  verify                = 
local.kube-prometheus-stack[\"verify\"]\n  values = compact([\n    local.values_kube-prometheus-stack,\n    local.kube-prometheus-stack[\"extra_values\"],\n    local.kong[\"enabled\"] ? local.values_dashboard_kong : null,\n    local.cert-manager[\"enabled\"] ? local.values_dashboard_cert-manager : null,\n    local.ingress-nginx[\"enabled\"] ? local.values_dashboard_ingress-nginx : null,\n    local.values_dashboard_node_exporter\n  ])\n  namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n\n  depends_on = [\n    helm_release.ingress-nginx,\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"kube-prometheus-stack_default_deny\" {\n  count = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"kube-prometheus-stack_allow_namespace\" {\n  count = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"kube-prometheus-stack_allow_ingress\" {\n  count = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]}-allow-ingress\"\n    namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"ingress\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"kube-prometheus-stack_allow_control_plane\" {\n  count = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]}-allow-control-plane\"\n    namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n      match_expressions {\n        key      = \"app\"\n        operator = \"In\"\n        values   = [\"${local.kube-prometheus-stack[\"name\"]}-operator\"]\n      }\n    }\n\n    ingress {\n      ports {\n        port     = \"10250\"\n        protocol = \"TCP\"\n      }\n\n      dynamic \"from\" {\n        for_each = local.kube-prometheus-stack[\"allowed_cidrs\"]\n        content {\n          ip_block {\n            cidr = from.value\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\noutput \"grafana_password\" {\n  value     = element(concat(random_string.grafana_password.*.result, [\"\"]), 0)\n  sensitive = true\n}\n"
  },
  {
    "path": "linkerd-viz.tf",
    "content": "locals {\n  linkerd-viz = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"linkerd-viz\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"linkerd-viz\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"linkerd-viz\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"linkerd-viz\")].version\n      namespace              = \"linkerd-viz\"\n      create_ns              = true\n      enabled                = local.linkerd.enabled\n      default_network_policy = true\n      allowed_cidrs          = [\"0.0.0.0/0\"]\n      ha                     = true\n    },\n    var.linkerd-viz\n  )\n\n  values_linkerd-viz = <<VALUES\n    linkerdNamespace: ${local.linkerd[\"namespace\"]}\n    VALUES\n\n  values_linkerd-viz_ha = <<VALUES\n    #\n    # The below is taken from: https://github.com/linkerd/linkerd2/blob/main/viz/charts/linkerd-viz/values-ha.yaml\n    #\n\n    # This values.yaml file contains the values needed to enable HA mode.\n    # Usage:\n    #   helm install -f values.yaml -f values-ha.yaml\n\n    enablePodAntiAffinity: true\n\n    # nodeAffinity:\n\n    resources: &ha_resources\n      cpu: &ha_resources_cpu\n        limit: \"\"\n        request: 100m\n      memory:\n        limit: 250Mi\n        request: 50Mi\n\n    # tap configuration\n    tap:\n      replicas: 3\n      resources: *ha_resources\n\n    # web configuration\n    dashboard:\n      resources: *ha_resources\n\n    # prometheus configuration\n    prometheus:\n      resources:\n        cpu:\n          limit: \"\"\n          request: 300m\n        memory:\n          limit: 8192Mi\n          request: 300Mi\n    VALUES\n\n  linkerd-viz_manifests = {\n    prometheus-servicemonitor         = <<-VALUES\n      apiVersion: monitoring.coreos.com/v1\n     
 kind: ServiceMonitor\n      metadata:\n        labels:\n          k8s-app: linkerd-prometheus\n          release: monitoring\n        name: linkerd-federate\n        namespace: ${local.linkerd-viz.namespace}\n      spec:\n        endpoints:\n        - interval: 30s\n          scrapeTimeout: 30s\n          params:\n            match[]:\n            - '{job=\"linkerd-proxy\"}'\n            - '{job=\"linkerd-controller\"}'\n          path: /federate\n          port: admin-http\n          honorLabels: true\n          relabelings:\n          - action: keep\n            regex: '^prometheus$'\n            sourceLabels:\n            - '__meta_kubernetes_pod_container_name'\n        jobLabel: app\n        namespaceSelector:\n          matchNames:\n          - ${local.linkerd-viz.namespace}\n        selector:\n          matchLabels:\n            component: prometheus\n      VALUES\n    allow-prometheus-admin-federation = <<-VALUES\n      apiVersion: policy.linkerd.io/v1beta1\n      kind: ServerAuthorization\n      metadata:\n        namespace: ${local.linkerd-viz.namespace}\n        name: prometheus-admin-federation\n      spec:\n        server:\n          name: prometheus-admin\n        client:\n          unauthenticated: true\n      VALUES\n  }\n}\n\nresource \"kubernetes_namespace\" \"linkerd-viz\" {\n  count = local.linkerd-viz[\"enabled\"] && local.linkerd-viz[\"create_ns\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                   = local.linkerd-viz[\"namespace\"]\n      \"linkerd.io/extension\" = \"viz\"\n    }\n\n    annotations = {\n      \"linkerd.io/inject\"             = \"enabled\"\n      \"config.linkerd.io/proxy-await\" = \"enabled\"\n    }\n\n    name = local.linkerd-viz[\"namespace\"]\n  }\n}\n\nresource \"kubectl_manifest\" \"linkerd-viz\" {\n  for_each  = local.linkerd-viz.enabled && local.kube-prometheus-stack.enabled ? 
local.linkerd-viz_manifests : {}\n  yaml_body = each.value\n}\n\nresource \"helm_release\" \"linkerd-viz\" {\n  count                 = local.linkerd-viz[\"enabled\"] ? 1 : 0\n  repository            = local.linkerd-viz[\"repository\"]\n  name                  = local.linkerd-viz[\"name\"]\n  chart                 = local.linkerd-viz[\"chart\"]\n  version               = local.linkerd-viz[\"chart_version\"]\n  timeout               = local.linkerd-viz[\"timeout\"]\n  force_update          = local.linkerd-viz[\"force_update\"]\n  recreate_pods         = local.linkerd-viz[\"recreate_pods\"]\n  wait                  = local.linkerd-viz[\"wait\"]\n  atomic                = local.linkerd-viz[\"atomic\"]\n  cleanup_on_fail       = local.linkerd-viz[\"cleanup_on_fail\"]\n  dependency_update     = local.linkerd-viz[\"dependency_update\"]\n  disable_crd_hooks     = local.linkerd-viz[\"disable_crd_hooks\"]\n  disable_webhooks      = local.linkerd-viz[\"disable_webhooks\"]\n  render_subchart_notes = local.linkerd-viz[\"render_subchart_notes\"]\n  replace               = local.linkerd-viz[\"replace\"]\n  reset_values          = local.linkerd-viz[\"reset_values\"]\n  reuse_values          = local.linkerd-viz[\"reuse_values\"]\n  skip_crds             = local.linkerd-viz[\"skip_crds\"]\n  verify                = local.linkerd-viz[\"verify\"]\n  values = compact([\n    local.values_linkerd-viz,\n    local.linkerd-viz[\"extra_values\"],\n    local.linkerd-viz.ha ? local.values_linkerd-viz_ha : null\n  ])\n  namespace = local.linkerd-viz[\"create_ns\"] ? kubernetes_namespace.linkerd-viz.*.metadata.0.name[count.index] : local.linkerd-viz[\"namespace\"]\n\n  depends_on = [helm_release.linkerd-control-plane]\n}\n\nresource \"kubernetes_network_policy\" \"linkerd-viz_default_deny\" {\n  count = local.linkerd-viz[\"create_ns\"] && local.linkerd-viz[\"enabled\"] && local.linkerd-viz[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.linkerd-viz.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.linkerd-viz.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"linkerd-viz_allow_namespace\" {\n  count = local.linkerd-viz[\"create_ns\"] && local.linkerd-viz[\"enabled\"] && local.linkerd-viz[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.linkerd-viz.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.linkerd-viz.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.linkerd-viz.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"linkerd-viz_allow_control_plane\" {\n  count = local.linkerd-viz[\"enabled\"] && local.linkerd-viz[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.linkerd-viz.*.metadata.0.name[count.index]}-allow-control-plane\"\n    namespace = kubernetes_namespace.linkerd-viz.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      ports {\n        port     = \"8089\"\n        protocol = \"TCP\"\n      }\n\n      dynamic \"from\" {\n        for_each = local.linkerd-viz[\"allowed_cidrs\"]\n        content {\n          ip_block {\n            cidr = from.value\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"linkerd-viz_allow_monitoring\" {\n  count = local.linkerd-viz[\"enabled\"] && local.linkerd-viz[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.linkerd-viz.*.metadata.0.name[count.index]}-allow-monitoring\"\n    namespace = kubernetes_namespace.linkerd-viz.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"monitoring\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "linkerd.tf",
    "content": "locals {\n  linkerd = merge(\n    local.helm_defaults,\n    {\n      name               = local.helm_dependencies[index(local.helm_dependencies.*.name, \"linkerd-control-plane\")].name\n      chart              = local.helm_dependencies[index(local.helm_dependencies.*.name, \"linkerd-control-plane\")].name\n      repository         = local.helm_dependencies[index(local.helm_dependencies.*.name, \"linkerd-control-plane\")].repository\n      chart_version      = local.helm_dependencies[index(local.helm_dependencies.*.name, \"linkerd-control-plane\")].version\n      namespace          = \"linkerd\"\n      create_ns          = true\n      enabled            = false\n      trust_anchor_pem   = null\n      cluster_dns_domain = \"cluster.local\"\n      ha                 = true\n    },\n    var.linkerd\n  )\n\n  values_linkerd = <<-VALUES\n    identity:\n      issuer:\n        scheme: kubernetes.io/tls\n    identityTrustAnchorsPEM: |\n      ${indent(2, local.linkerd.enabled ? local.linkerd[\"trust_anchor_pem\"] == null ? tls_self_signed_cert.linkerd_trust_anchor.0.cert_pem : local.linkerd[\"trust_anchor_pem\"] : \"\")}\n    policyValidator:\n      externalSecret: true\n      caBundle: |\n        ${indent(4, local.linkerd.enabled ? tls_self_signed_cert.webhook_issuer_tls.0.cert_pem : \"\")}\n    proxyInjector:\n      externalSecret: true\n      caBundle: |\n        ${indent(4, local.linkerd.enabled ? tls_self_signed_cert.webhook_issuer_tls.0.cert_pem : \"\")}\n    profileValidator:\n      externalSecret: true\n      caBundle: |\n        ${indent(4, local.linkerd.enabled ? 
tls_self_signed_cert.webhook_issuer_tls.0.cert_pem : \"\")}\n    VALUES\n\n  values_linkerd_ha = <<-VALUES\n    #\n    # The below is taken from: https://github.com/linkerd/linkerd/blob/main/charts/linkerd/values-ha.yaml\n    #\n\n    # This values.yaml file contains the values needed to enable HA mode.\n    # Usage:\n    #   helm install -f values-ha.yaml\n\n    # -- Create PodDisruptionBudget resources for each control plane workload\n    enablePodDisruptionBudget: true\n\n    # -- Specify a deployment strategy for each control plane workload\n    deploymentStrategy:\n      rollingUpdate:\n        maxUnavailable: 1\n        maxSurge: 25%\n\n    # -- add PodAntiAffinity to each control plane workload\n    enablePodAntiAffinity: true\n\n    # nodeAffinity:\n\n    # proxy configuration\n    proxy:\n      resources:\n        cpu:\n          request: 100m\n        memory:\n          limit: 250Mi\n          request: 20Mi\n\n    # controller configuration\n    controllerReplicas: 3\n    controllerResources: &controller_resources\n      cpu: &controller_resources_cpu\n        limit: \"\"\n        request: 100m\n      memory:\n        limit: 250Mi\n        request: 50Mi\n    destinationResources: *controller_resources\n\n    # identity configuration\n    identityResources:\n      cpu: *controller_resources_cpu\n      memory:\n        limit: 250Mi\n        request: 10Mi\n\n    # heartbeat configuration\n    heartbeatResources: *controller_resources\n\n    # proxy injector configuration\n    proxyInjectorResources: *controller_resources\n    webhookFailurePolicy: Fail\n\n    # service profile validator configuration\n    spValidatorResources: *controller_resources\n    VALUES\n\n  linkerd_manifests = {\n    linkerd-trust-anchor = <<-VALUES\n      apiVersion: cert-manager.io/v1\n      kind: Issuer\n      metadata:\n        name: linkerd-trust-anchor\n        namespace: ${local.linkerd.namespace}\n      spec:\n        ca:\n          secretName: linkerd-trust-anchor\n      
VALUES\n\n    linkerd-identity-issuer = <<-VALUES\n      apiVersion: cert-manager.io/v1\n      kind: Certificate\n      metadata:\n        name: linkerd-identity-issuer\n        namespace: ${local.linkerd.namespace}\n      spec:\n        secretName: linkerd-identity-issuer\n        revisionHistoryLimit: 3\n        duration: 48h\n        renewBefore: 25h\n        issuerRef:\n          name: linkerd-trust-anchor\n          kind: Issuer\n        commonName: identity.linkerd.${local.linkerd.cluster_dns_domain}\n        dnsNames:\n        - identity.linkerd.${local.linkerd.cluster_dns_domain}\n        isCA: true\n        privateKey:\n          algorithm: ECDSA\n        usages:\n        - cert sign\n        - crl sign\n        - server auth\n        - client auth\n      VALUES\n\n    webhook-issuer = <<-VALUES\n      apiVersion: cert-manager.io/v1\n      kind: Issuer\n      metadata:\n        name: webhook-issuer\n        namespace: ${local.linkerd.namespace}\n      spec:\n        ca:\n          secretName: webhook-issuer-tls\n      VALUES\n\n    linkerd-policy-validator = <<-VALUES\n      apiVersion: cert-manager.io/v1\n      kind: Certificate\n      metadata:\n        name: linkerd-policy-validator\n        namespace: ${local.linkerd.namespace}\n      spec:\n        secretName: linkerd-policy-validator-k8s-tls\n        duration: 24h\n        renewBefore: 1h\n        issuerRef:\n          name: webhook-issuer\n          kind: Issuer\n        commonName: linkerd-policy-validator.${local.linkerd.namespace}.svc\n        dnsNames:\n        - linkerd-policy-validator.${local.linkerd.namespace}.svc\n        isCA: false\n        privateKey:\n          algorithm: ECDSA\n          encoding: PKCS8\n        usages:\n        - server auth\n      VALUES\n\n    linkerd-proxy-injector = <<-VALUES\n      apiVersion: cert-manager.io/v1\n      kind: Certificate\n      metadata:\n        name: linkerd-proxy-injector\n        namespace: ${local.linkerd.namespace}\n      spec:\n        
secretName: linkerd-proxy-injector-k8s-tls\n        revisionHistoryLimit: 3\n        duration: 24h\n        renewBefore: 1h\n        issuerRef:\n          name: webhook-issuer\n          kind: Issuer\n        commonName: linkerd-proxy-injector.${local.linkerd.namespace}.svc\n        dnsNames:\n        - linkerd-proxy-injector.${local.linkerd.namespace}.svc\n        isCA: false\n        privateKey:\n          algorithm: ECDSA\n        usages:\n        - server auth\n      VALUES\n\n    linkerd-sp-validator = <<-VALUES\n      apiVersion: cert-manager.io/v1\n      kind: Certificate\n      metadata:\n        name: linkerd-sp-validator\n        namespace: ${local.linkerd.namespace}\n      spec:\n        secretName: linkerd-sp-validator-k8s-tls\n        revisionHistoryLimit: 3\n        duration: 24h\n        renewBefore: 1h\n        issuerRef:\n          name: webhook-issuer\n          kind: Issuer\n        commonName: linkerd-sp-validator.${local.linkerd.namespace}.svc\n        dnsNames:\n        - linkerd-sp-validator.${local.linkerd.namespace}.svc\n        isCA: false\n        privateKey:\n          algorithm: ECDSA\n        usages:\n        - server auth\n      VALUES\n  }\n\n  linkerd-crds = merge(\n    local.helm_defaults,\n    {\n      name          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"linkerd-crds\")].name\n      chart         = local.helm_dependencies[index(local.helm_dependencies.*.name, \"linkerd-crds\")].name\n      repository    = local.helm_dependencies[index(local.helm_dependencies.*.name, \"linkerd-crds\")].repository\n      chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, \"linkerd-crds\")].version\n      namespace     = \"linkerd\"\n      create_ns     = false\n      enabled       = local.linkerd[\"enabled\"] && !local.linkerd[\"skip_crds\"]\n    },\n  )\n}\n\nresource \"tls_private_key\" \"linkerd_trust_anchor\" {\n  count       = local.linkerd[\"enabled\"] && local.linkerd[\"trust_anchor_pem\"] 
== null ? 1 : 0\n  algorithm   = \"ECDSA\"\n  ecdsa_curve = \"P256\"\n}\n\nresource \"tls_self_signed_cert\" \"linkerd_trust_anchor\" {\n  count                 = local.linkerd[\"enabled\"] && local.linkerd[\"trust_anchor_pem\"] == null ? 1 : 0\n  private_key_pem       = tls_private_key.linkerd_trust_anchor.0.private_key_pem\n  validity_period_hours = 87600\n  early_renewal_hours   = 78840\n  is_ca_certificate     = true\n\n  subject {\n    common_name = \"root.linkerd.${local.linkerd.cluster_dns_domain}\"\n  }\n\n  allowed_uses = [\n    \"cert_signing\",\n    \"crl_signing\",\n  ]\n}\n\nresource \"kubernetes_secret\" \"linkerd_trust_anchor\" {\n  count = local.linkerd[\"enabled\"] && local.linkerd[\"trust_anchor_pem\"] == null ? 1 : 0\n  metadata {\n    name      = \"linkerd-trust-anchor\"\n    namespace = local.linkerd.create_ns ? kubernetes_namespace.linkerd.0.metadata[0].name : local.linkerd.namespace\n  }\n\n  data = {\n    \"tls.crt\" = tls_self_signed_cert.linkerd_trust_anchor.0.cert_pem\n    \"tls.key\" = tls_private_key.linkerd_trust_anchor.0.private_key_pem\n  }\n\n  type = \"kubernetes.io/tls\"\n}\n\nresource \"tls_private_key\" \"webhook_issuer_tls\" {\n  count       = local.linkerd[\"enabled\"] ? 1 : 0\n  algorithm   = \"ECDSA\"\n  ecdsa_curve = \"P256\"\n}\n\nresource \"tls_self_signed_cert\" \"webhook_issuer_tls\" {\n  count                 = local.linkerd[\"enabled\"] ? 1 : 0\n  private_key_pem       = tls_private_key.webhook_issuer_tls.0.private_key_pem\n  validity_period_hours = 87600\n  early_renewal_hours   = 78840\n  is_ca_certificate     = true\n\n  subject {\n    common_name = \"webhook.linkerd.${local.linkerd.cluster_dns_domain}\"\n  }\n\n  allowed_uses = [\n    \"cert_signing\",\n    \"crl_signing\",\n  ]\n}\n\nresource \"kubernetes_secret\" \"webhook_issuer_tls\" {\n  count = local.linkerd[\"enabled\"] ? 1 : 0\n  metadata {\n    name      = \"webhook-issuer-tls\"\n    namespace = local.linkerd.create_ns ? 
kubernetes_namespace.linkerd.0.metadata[0].name : local.linkerd.namespace\n  }\n\n  data = {\n    \"tls.crt\" = tls_self_signed_cert.webhook_issuer_tls.0.cert_pem\n    \"tls.key\" = tls_private_key.webhook_issuer_tls.0.private_key_pem\n  }\n\n  type = \"kubernetes.io/tls\"\n}\n\nresource \"kubernetes_namespace\" \"linkerd\" {\n  count = local.linkerd[\"enabled\"] && local.linkerd[\"create_ns\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                                  = local.linkerd[\"namespace\"]\n      \"linkerd.io/is-control-plane\"         = \"true\"\n      \"config.linkerd.io/admission-webhook\" = \"disabled\"\n      \"linkerd.io/control-plane-ns\"         = local.linkerd.namespace\n    }\n\n    annotations = {\n      \"linkerd.io/inject\" = \"disabled\"\n    }\n\n    name = local.linkerd[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"linkerd-control-plane\" {\n  count                 = local.linkerd[\"enabled\"] ? 1 : 0\n  repository            = local.linkerd[\"repository\"]\n  name                  = local.linkerd[\"name\"]\n  chart                 = local.linkerd[\"chart\"]\n  version               = local.linkerd[\"chart_version\"]\n  timeout               = local.linkerd[\"timeout\"]\n  force_update          = local.linkerd[\"force_update\"]\n  recreate_pods         = local.linkerd[\"recreate_pods\"]\n  wait                  = local.linkerd[\"wait\"]\n  atomic                = local.linkerd[\"atomic\"]\n  cleanup_on_fail       = local.linkerd[\"cleanup_on_fail\"]\n  dependency_update     = local.linkerd[\"dependency_update\"]\n  disable_crd_hooks     = local.linkerd[\"disable_crd_hooks\"]\n  disable_webhooks      = local.linkerd[\"disable_webhooks\"]\n  render_subchart_notes = local.linkerd[\"render_subchart_notes\"]\n  replace               = local.linkerd[\"replace\"]\n  reset_values          = local.linkerd[\"reset_values\"]\n  reuse_values          = local.linkerd[\"reuse_values\"]\n  skip_crds             = 
local.linkerd[\"skip_crds\"]\n  verify                = local.linkerd[\"verify\"]\n  values = compact([\n    local.values_linkerd,\n    local.linkerd[\"extra_values\"],\n    local.linkerd.ha ? local.values_linkerd_ha : null\n  ])\n  namespace = local.linkerd[\"create_ns\"] ? kubernetes_namespace.linkerd.*.metadata.0.name[count.index] : local.linkerd[\"namespace\"]\n\n  depends_on = [\n    helm_release.linkerd2-cni,\n    helm_release.linkerd-crds\n  ]\n}\n\nresource \"kubectl_manifest\" \"linkerd\" {\n  for_each  = local.linkerd.enabled ? local.linkerd_manifests : {}\n  yaml_body = each.value\n}\n\nresource \"helm_release\" \"linkerd-crds\" {\n  count                 = local.linkerd[\"enabled\"] && !local.linkerd[\"skip_crds\"] ? 1 : 0\n  repository            = local.linkerd[\"repository\"]\n  name                  = local.linkerd-crds[\"name\"]\n  chart                 = local.linkerd-crds[\"chart\"]\n  version               = local.linkerd-crds[\"chart_version\"]\n  timeout               = local.linkerd[\"timeout\"]\n  force_update          = local.linkerd[\"force_update\"]\n  recreate_pods         = local.linkerd[\"recreate_pods\"]\n  wait                  = local.linkerd[\"wait\"]\n  atomic                = local.linkerd[\"atomic\"]\n  cleanup_on_fail       = local.linkerd[\"cleanup_on_fail\"]\n  dependency_update     = local.linkerd[\"dependency_update\"]\n  disable_crd_hooks     = local.linkerd[\"disable_crd_hooks\"]\n  disable_webhooks      = local.linkerd[\"disable_webhooks\"]\n  render_subchart_notes = local.linkerd[\"render_subchart_notes\"]\n  replace               = local.linkerd[\"replace\"]\n  reset_values          = local.linkerd[\"reset_values\"]\n  reuse_values          = local.linkerd[\"reuse_values\"]\n  skip_crds             = local.linkerd[\"skip_crds\"]\n  verify                = local.linkerd[\"verify\"]\n  values                = []\n  namespace             = local.linkerd[\"create_ns\"] ? 
kubernetes_namespace.linkerd.*.metadata.0.name[count.index] : local.linkerd[\"namespace\"]\n}\n"
  },
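The linkerd.tf content above mints the mesh trust anchor itself when `trust_anchor_pem` is null (an ECDSA P-256 self-signed CA with `cert_signing` and `crl_signing`, valid for 87600h) and otherwise takes whatever PEM the operator passes in. In the generated case the anchor's private key lands in Terraform state and in the `linkerd-trust-anchor` Secret, so both need the protection any CA key does. An operator-supplied anchor should be checked for the same shape before it is handed to the module. The Go program below is an added example, not part of this module or of Linkerd: `NewTrustAnchor` reproduces what the `tls_self_signed_cert.linkerd_trust_anchor` resource produces, and `CheckTrustAnchor` is the pre-flight (CA with keyCertSign, ECDSA P-256, inside its validity window at a given instant). The function names and the `cluster.local` domain used in `main` are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a self-signed ECDSA P-256 certificate, the shape the module's
// tls_self_signed_cert resources produce. isCA and usage are parameters so the checker
// below can also be exercised against certificates it must reject.
func selfSigned(cn string, isCA bool, usage x509.KeyUsage, validity time.Duration) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(validity),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              usage,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// NewTrustAnchor mirrors tls_self_signed_cert.linkerd_trust_anchor: CA, cert_signing and
// crl_signing, 87600h validity, CN root.linkerd.<cluster_dns_domain>.
func NewTrustAnchor(clusterDNSDomain string) (certPEM, keyPEM []byte, err error) {
	return selfSigned("root.linkerd."+clusterDNSDomain, true,
		x509.KeyUsageCertSign|x509.KeyUsageCRLSign, 87600*time.Hour)
}

// CheckTrustAnchor is the pre-flight to run on a PEM before passing it as trust_anchor_pem:
// the first block is a certificate, it is a CA with keyCertSign, its key is ECDSA P-256,
// and it is inside its validity window at now.
func CheckTrustAnchor(pemBytes []byte, now time.Time) error {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse certificate: %w", err)
	}
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return errors.New("not a CA certificate (basicConstraints CA:TRUE missing)")
	}
	if cert.KeyUsage&x509.KeyUsageCertSign == 0 {
		return errors.New("keyUsage lacks keyCertSign")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("public key is not ECDSA")
	}
	if pub.Curve.Params().Name != "P-256" {
		return fmt.Errorf("curve is %s, want P-256", pub.Curve.Params().Name)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate is outside its validity window")
	}
	return nil
}

func main() {
	// cluster.local stands in for local.linkerd.cluster_dns_domain (assumption for the example).
	anchorPEM, _, err := NewTrustAnchor("cluster.local")
	if err != nil {
		panic(err)
	}
	fmt.Println("generated anchor:", CheckTrustAnchor(anchorPEM, time.Now()))
	leafPEM, _, _ := selfSigned("not-a-ca", false, x509.KeyUsageDigitalSignature, time.Hour)
	fmt.Println("leaf certificate:", CheckTrustAnchor(leafPEM, time.Now()))
}
```

Run it against a real anchor with `CheckTrustAnchor(os.ReadFile(path), time.Now())`; the same check applied at a date near the end of the validity window tells you how long the anchor will still be accepted, which matters because the module's webhook and identity certificates are rotated by cert-manager but the anchor itself is not.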
  {
    "path": "linkerd2-cni.tf",
    "content": "locals {\n  linkerd2-cni = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"linkerd2-cni\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"linkerd2-cni\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"linkerd2-cni\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"linkerd2-cni\")].version\n      namespace              = \"linkerd-cni\"\n      create_ns              = true\n      enabled                = local.linkerd.enabled\n      cni_conflist_filename  = \"10-calico.conflist\"\n      default_network_policy = true\n    },\n    var.linkerd2-cni\n  )\n\n  values_linkerd2-cni = <<VALUES\n    VALUES\n}\n\nresource \"kubernetes_namespace\" \"linkerd2-cni\" {\n  count = local.linkerd2-cni[\"enabled\"] && local.linkerd2-cni[\"create_ns\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                                  = local.linkerd2-cni[\"namespace\"]\n      \"config.linkerd.io/admission-webhook\" = \"disabled\"\n      \"linkerd.io/cni-resource\"             = \"true\"\n    }\n\n    annotations = {\n      \"linkerd.io/inject\" = \"disabled\"\n    }\n\n    name = local.linkerd2-cni[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"linkerd2-cni\" {\n  count                 = local.linkerd2-cni[\"enabled\"] ? 
1 : 0\n  repository            = local.linkerd2-cni[\"repository\"]\n  name                  = local.linkerd2-cni[\"name\"]\n  chart                 = local.linkerd2-cni[\"chart\"]\n  version               = local.linkerd2-cni[\"chart_version\"]\n  timeout               = local.linkerd2-cni[\"timeout\"]\n  force_update          = local.linkerd2-cni[\"force_update\"]\n  recreate_pods         = local.linkerd2-cni[\"recreate_pods\"]\n  wait                  = local.linkerd2-cni[\"wait\"]\n  atomic                = local.linkerd2-cni[\"atomic\"]\n  cleanup_on_fail       = local.linkerd2-cni[\"cleanup_on_fail\"]\n  dependency_update     = local.linkerd2-cni[\"dependency_update\"]\n  disable_crd_hooks     = local.linkerd2-cni[\"disable_crd_hooks\"]\n  disable_webhooks      = local.linkerd2-cni[\"disable_webhooks\"]\n  render_subchart_notes = local.linkerd2-cni[\"render_subchart_notes\"]\n  replace               = local.linkerd2-cni[\"replace\"]\n  reset_values          = local.linkerd2-cni[\"reset_values\"]\n  reuse_values          = local.linkerd2-cni[\"reuse_values\"]\n  skip_crds             = local.linkerd2-cni[\"skip_crds\"]\n  verify                = local.linkerd2-cni[\"verify\"]\n  values = [\n    local.values_linkerd2-cni,\n    local.linkerd2-cni[\"extra_values\"]\n  ]\n  namespace = local.linkerd2-cni[\"create_ns\"] ? kubernetes_namespace.linkerd2-cni.*.metadata.0.name[count.index] : local.linkerd2-cni[\"namespace\"]\n}\n\nresource \"kubernetes_network_policy\" \"linkerd2-cni_default_deny\" {\n  count = local.linkerd2-cni[\"create_ns\"] && local.linkerd2-cni[\"enabled\"] && local.linkerd2-cni[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.linkerd2-cni.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.linkerd2-cni.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"linkerd2-cni_allow_namespace\" {\n  count = local.linkerd2-cni[\"create_ns\"] && local.linkerd2-cni[\"enabled\"] && local.linkerd2-cni[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.linkerd2-cni.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.linkerd2-cni.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.linkerd2-cni.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "locals.tf",
    "content": "locals {\n\n  labels_prefix = var.labels_prefix != null ? var.labels_prefix : \"particule.io\"\n\n  helm_defaults_defaults = {\n    atomic                = false\n    cleanup_on_fail       = false\n    dependency_update     = false\n    disable_crd_hooks     = false\n    disable_webhooks      = false\n    force_update          = false\n    recreate_pods         = false\n    render_subchart_notes = true\n    replace               = false\n    reset_values          = false\n    reuse_values          = false\n    skip_crds             = false\n    timeout               = 3600\n    verify                = false\n    wait                  = true\n    extra_values          = \"\"\n  }\n\n  helm_defaults = merge(\n    local.helm_defaults_defaults,\n    var.helm_defaults\n  )\n\n  helm_dependencies = yamldecode(file(\"${path.module}/helm-dependencies.yaml\"))[\"dependencies\"]\n}\n"
  },
  {
    "path": "loki-stack.tf",
    "content": "locals {\n  loki-stack = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"loki\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"loki\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"loki\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"loki\")].version\n      namespace              = \"monitoring\"\n      create_ns              = false\n      enabled                = false\n      default_network_policy = true\n      generate_ca            = true\n      trusted_ca_content     = null\n      create_promtail_cert   = true\n      create_grafana_ds_cm   = true\n    },\n    var.loki-stack\n  )\n\n  values_loki-stack = <<VALUES\npriorityClassName: ${local.priority-class[\"create\"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : \"\"}\nserviceMonitor:\n  enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\ngateway:\n  service:\n    labels:\n      prometheus.io/service-monitor: \"false\"\nVALUES\n}\n\nresource \"kubernetes_namespace\" \"loki-stack\" {\n  count = local.loki-stack[\"enabled\"] && local.loki-stack[\"create_ns\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.loki-stack[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"monitoring\"\n    }\n\n    name = local.loki-stack[\"namespace\"]\n  }\n}\n\nresource \"kubernetes_config_map\" \"loki-stack_grafana_ds\" {\n  count = local.loki-stack[\"enabled\"] && local.loki-stack[\"create_grafana_ds_cm\"] ? 
1 : 0\n  metadata {\n    name      = \"${local.loki-stack[\"name\"]}-grafana-ds\"\n    namespace = local.loki-stack[\"namespace\"]\n    labels = {\n      grafana_datasource = \"1\"\n    }\n  }\n\n  data = {\n    \"datasource.yml\" = <<-VALUES\n      datasources:\n      - access: proxy\n        editable: true\n        isDefault: false\n        name: Loki\n        orgId: 1\n        type: loki\n        url: http://${local.loki-stack[\"name\"]}-gateway\n        version: 1\n      VALUES\n  }\n}\n\nresource \"helm_release\" \"loki-stack\" {\n  count                 = local.loki-stack[\"enabled\"] ? 1 : 0\n  repository            = local.loki-stack[\"repository\"]\n  name                  = local.loki-stack[\"name\"]\n  chart                 = local.loki-stack[\"chart\"]\n  version               = local.loki-stack[\"chart_version\"]\n  timeout               = local.loki-stack[\"timeout\"]\n  force_update          = local.loki-stack[\"force_update\"]\n  recreate_pods         = local.loki-stack[\"recreate_pods\"]\n  wait                  = local.loki-stack[\"wait\"]\n  atomic                = local.loki-stack[\"atomic\"]\n  cleanup_on_fail       = local.loki-stack[\"cleanup_on_fail\"]\n  dependency_update     = local.loki-stack[\"dependency_update\"]\n  disable_crd_hooks     = local.loki-stack[\"disable_crd_hooks\"]\n  disable_webhooks      = local.loki-stack[\"disable_webhooks\"]\n  render_subchart_notes = local.loki-stack[\"render_subchart_notes\"]\n  replace               = local.loki-stack[\"replace\"]\n  reset_values          = local.loki-stack[\"reset_values\"]\n  reuse_values          = local.loki-stack[\"reuse_values\"]\n  skip_crds             = local.loki-stack[\"skip_crds\"]\n  verify                = local.loki-stack[\"verify\"]\n  values = [\n    local.values_loki-stack,\n    local.loki-stack[\"extra_values\"]\n  ]\n  namespace = local.loki-stack[\"create_ns\"] ? 
kubernetes_namespace.loki-stack.*.metadata.0.name[count.index] : local.loki-stack[\"namespace\"]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nresource \"tls_private_key\" \"loki-stack-ca-key\" {\n  count       = local.loki-stack[\"enabled\"] && local.loki-stack[\"generate_ca\"] ? 1 : 0\n  algorithm   = \"ECDSA\"\n  ecdsa_curve = \"P384\"\n}\n\nresource \"tls_self_signed_cert\" \"loki-stack-ca-cert\" {\n  count             = local.loki-stack[\"enabled\"] && local.loki-stack[\"generate_ca\"] ? 1 : 0\n  private_key_pem   = tls_private_key.loki-stack-ca-key[0].private_key_pem\n  is_ca_certificate = true\n\n  subject {\n    common_name  = var.cluster-name\n    organization = var.cluster-name\n  }\n\n  validity_period_hours = 87600\n\n  allowed_uses = [\n    \"cert_signing\"\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"loki-stack_default_deny\" {\n  count = local.loki-stack[\"create_ns\"] && local.loki-stack[\"enabled\"] && local.loki-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"loki-stack_allow_namespace\" {\n  count = local.loki-stack[\"create_ns\"] && local.loki-stack[\"enabled\"] && local.loki-stack[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"loki-stack_allow_ingress\" {\n  count = local.loki-stack[\"create_ns\"] && local.loki-stack[\"enabled\"] && local.loki-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]}-allow-ingress\"\n    namespace = kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"ingress\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_secret\" \"loki-stack-ca\" {\n  count = local.loki-stack[\"enabled\"] && (local.loki-stack[\"generate_ca\"] || local.loki-stack[\"trusted_ca_content\"] != null) ? 1 : 0\n  metadata {\n    name      = \"${local.loki-stack[\"name\"]}-ca\"\n    namespace = local.loki-stack[\"create_ns\"] ? kubernetes_namespace.loki-stack.*.metadata.0.name[count.index] : local.loki-stack[\"namespace\"]\n  }\n\n  data = {\n    \"ca.crt\" = local.loki-stack[\"generate_ca\"] ? tls_self_signed_cert.loki-stack-ca-cert[count.index].cert_pem : local.loki-stack[\"trusted_ca_content\"]\n  }\n}\n\nresource \"tls_private_key\" \"promtail-key\" {\n  count       = local.loki-stack[\"enabled\"] && local.loki-stack[\"generate_ca\"] && local.loki-stack[\"create_promtail_cert\"] ? 
1 : 0\n  algorithm   = \"ECDSA\"\n  ecdsa_curve = \"P384\"\n}\n\nresource \"tls_cert_request\" \"promtail-csr\" {\n  count           = local.loki-stack[\"enabled\"] && local.loki-stack[\"generate_ca\"] && local.loki-stack[\"create_promtail_cert\"] ? 1 : 0\n  private_key_pem = tls_private_key.promtail-key[count.index].private_key_pem\n\n  subject {\n    common_name = \"promtail\"\n  }\n\n  dns_names = [\n    \"promtail\"\n  ]\n}\n\nresource \"tls_locally_signed_cert\" \"promtail-cert\" {\n  count              = local.loki-stack[\"enabled\"] && local.loki-stack[\"generate_ca\"] && local.loki-stack[\"create_promtail_cert\"] ? 1 : 0\n  cert_request_pem   = tls_cert_request.promtail-csr[count.index].cert_request_pem\n  ca_private_key_pem = tls_private_key.loki-stack-ca-key[count.index].private_key_pem\n  ca_cert_pem        = tls_self_signed_cert.loki-stack-ca-cert[count.index].cert_pem\n\n  validity_period_hours = 8760\n\n  allowed_uses = [\n    \"key_encipherment\",\n    \"digital_signature\",\n    \"client_auth\"\n  ]\n}\n\noutput \"loki-stack-ca\" {\n  value = element(concat(tls_self_signed_cert.loki-stack-ca-cert[*].cert_pem, [\"\"]), 0)\n}\n\noutput \"loki-stack-ca-key\" {\n  value     = element(concat(tls_private_key.loki-stack-ca-key[*].private_key_pem, [\"\"]), 0)\n  sensitive = true\n}\n\noutput \"promtail-key\" {\n  value     = element(concat(tls_private_key.promtail-key[*].private_key_pem, [\"\"]), 0)\n  sensitive = true\n}\n\noutput \"promtail-cert\" {\n  value     = element(concat(tls_locally_signed_cert.promtail-cert[*].cert_pem, [\"\"]), 0)\n  sensitive = true\n}\n"
  },
  {
    "path": "metrics-server.tf",
    "content": "locals {\n  metrics-server = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"metrics-server\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"metrics-server\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"metrics-server\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"metrics-server\")].version\n      namespace              = \"metrics-server\"\n      enabled                = false\n      default_network_policy = true\n      allowed_cidrs          = [\"0.0.0.0/0\"]\n    },\n    var.metrics-server\n  )\n\n  values_metrics-server = <<VALUES\napiService:\n  create: true\npriorityClassName: ${local.priority-class[\"create\"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : \"\"}\nVALUES\n\n}\n\nresource \"kubernetes_namespace\" \"metrics-server\" {\n  count = local.metrics-server[\"enabled\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name = local.metrics-server[\"namespace\"]\n    }\n\n    name = local.metrics-server[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"metrics-server\" {\n  count                 = local.metrics-server[\"enabled\"] ? 
1 : 0\n  repository            = local.metrics-server[\"repository\"]\n  name                  = local.metrics-server[\"name\"]\n  chart                 = local.metrics-server[\"chart\"]\n  version               = local.metrics-server[\"chart_version\"]\n  timeout               = local.metrics-server[\"timeout\"]\n  force_update          = local.metrics-server[\"force_update\"]\n  recreate_pods         = local.metrics-server[\"recreate_pods\"]\n  wait                  = local.metrics-server[\"wait\"]\n  atomic                = local.metrics-server[\"atomic\"]\n  cleanup_on_fail       = local.metrics-server[\"cleanup_on_fail\"]\n  dependency_update     = local.metrics-server[\"dependency_update\"]\n  disable_crd_hooks     = local.metrics-server[\"disable_crd_hooks\"]\n  disable_webhooks      = local.metrics-server[\"disable_webhooks\"]\n  render_subchart_notes = local.metrics-server[\"render_subchart_notes\"]\n  replace               = local.metrics-server[\"replace\"]\n  reset_values          = local.metrics-server[\"reset_values\"]\n  reuse_values          = local.metrics-server[\"reuse_values\"]\n  skip_crds             = local.metrics-server[\"skip_crds\"]\n  verify                = local.metrics-server[\"verify\"]\n  values = [\n    local.values_metrics-server,\n    local.metrics-server[\"extra_values\"]\n  ]\n  namespace = kubernetes_namespace.metrics-server.*.metadata.0.name[count.index]\n}\n\nresource \"kubernetes_network_policy\" \"metrics-server_default_deny\" {\n  count = local.metrics-server[\"enabled\"] && local.metrics-server[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.metrics-server.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.metrics-server.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"metrics-server_allow_namespace\" {\n  count = local.metrics-server[\"enabled\"] && local.metrics-server[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.metrics-server.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.metrics-server.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.metrics-server.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"metrics-server_allow_control_plane\" {\n  count = local.metrics-server[\"enabled\"] && local.metrics-server[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.metrics-server.*.metadata.0.name[count.index]}-allow-control-plane\"\n    namespace = kubernetes_namespace.metrics-server.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n      match_expressions {\n        key      = \"app.kubernetes.io/name\"\n        operator = \"In\"\n        values   = [\"metrics-server\"]\n      }\n    }\n\n    ingress {\n      ports {\n        port     = \"10250\"\n        protocol = \"TCP\"\n      }\n\n      dynamic \"from\" {\n        for_each = local.metrics-server[\"allowed_cidrs\"]\n        content {\n          ip_block {\n            cidr = from.value\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
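linkerd2-cni.tf, loki-stack.tf and metrics-server.tf above all follow one pattern: a default-deny policy with an empty `pod_selector` and `policy_types = ["Ingress"]`, plus additive allow policies keyed on the namespace `name` label, on the `<labels_prefix>/component = ingress` namespace label, or (metrics-server, port 10250) on `allowed_cidrs`, whose default is `0.0.0.0/0`. Two consequences are easy to miss when tuning these: a rule that lists `ports` but has no `from` entries matches every source on that port, so setting `allowed_cidrs` to an empty list widens the rule instead of closing it; and `name` is only a namespace label, so any namespace carrying `name=<ns>` is admitted, not just the namespace of that name. The Go program below is an added example, not the project's code: it implements the subset of NetworkPolicy ingress semantics these files use and reconstructs the loki-stack and metrics-server policies as data so that behaviour can be checked against constructed connections (the `203.0.113.7` address and the namespace labels used in `main` and in the checks are made up for the example).

```go
package main

import "net"

type Peer struct {
	NSLabels map[string]string // namespaceSelector.matchLabels; nil when unset
	CIDR     string            // ipBlock.cidr; empty when unset
}

type Rule struct {
	From []Peer // empty admits any source
	Port int    // 0 admits any port (the module's rules list at most one port)
}

type Policy struct {
	Namespace string
	PodLabels map[string]string // podSelector.matchLabels; empty selects every pod
	Ingress   []Rule            // empty with policyTypes [Ingress] is a default deny
}

// Conn is an inbound connection to a pod; SrcNSLabels is nil when the source is not a pod.
type Conn struct {
	Namespace, SrcIP       string
	PodLabels, SrcNSLabels map[string]string
	Port                   int
}

func selects(sel, have map[string]string) bool {
	for k, v := range sel {
		if have[k] != v {
			return false
		}
	}
	return true
}

func (p Peer) matches(c Conn) bool {
	if p.NSLabels != nil {
		return c.SrcNSLabels != nil && selects(p.NSLabels, c.SrcNSLabels)
	}
	_, block, err := net.ParseCIDR(p.CIDR)
	return err == nil && block.Contains(net.ParseIP(c.SrcIP))
}

func (r Rule) matches(c Conn) bool {
	if r.Port != 0 && r.Port != c.Port {
		return false
	}
	for _, peer := range r.From {
		if peer.matches(c) {
			return true
		}
	}
	return len(r.From) == 0
}

// IngressAllowed applies NetworkPolicy semantics: a pod no policy selects accepts everything; once any Ingress policy selects it, only traffic some rule of some selecting policy matches gets in.
func IngressAllowed(policies []Policy, c Conn) bool {
	selected := false
	for _, pol := range policies {
		if pol.Namespace != c.Namespace || !selects(pol.PodLabels, c.PodLabels) {
			continue
		}
		selected = true
		for _, rule := range pol.Ingress {
			if rule.matches(c) {
				return true
			}
		}
	}
	return !selected
}

// LokiStackPolicies is loki-stack.tf's default-deny, allow-namespace and allow-ingress as data.
func LokiStackPolicies(ns, labelsPrefix string) []Policy {
	return []Policy{
		{Namespace: ns},
		{Namespace: ns, Ingress: []Rule{{From: []Peer{{NSLabels: map[string]string{"name": ns}}}}}},
		{Namespace: ns, Ingress: []Rule{{From: []Peer{{NSLabels: map[string]string{labelsPrefix + "/component": "ingress"}}}}}},
	}
}

// MetricsServerPolicies is metrics-server.tf's three policies; allowedCIDRs is its allowed_cidrs.
func MetricsServerPolicies(ns string, allowedCIDRs []string) []Policy {
	var peers []Peer
	for _, cidr := range allowedCIDRs {
		peers = append(peers, Peer{CIDR: cidr})
	}
	return []Policy{
		{Namespace: ns},
		{Namespace: ns, Ingress: []Rule{{From: []Peer{{NSLabels: map[string]string{"name": ns}}}}}},
		{Namespace: ns, PodLabels: map[string]string{"app.kubernetes.io/name": "metrics-server"}, Ingress: []Rule{{Port: 10250, From: peers}}},
	}
}

func main() {
	ms := MetricsServerPolicies("metrics-server", []string{"0.0.0.0/0"})
	println(IngressAllowed(ms, Conn{Namespace: "metrics-server", PodLabels: map[string]string{"app.kubernetes.io/name": "metrics-server"}, SrcIP: "203.0.113.7", Port: 10250}))
}
```

The evaluator deliberately models only what these files emit (a bare `namespaceSelector` or a bare `ipBlock` per peer, one port per rule); a peer combining `namespaceSelector` with `podSelector`, or an `ipBlock` with `except`, would need the real API semantics and is outside this example.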
  {
    "path": "modules/aws/.terraform-docs.yml",
    "content": "settings:\n  lockfile: false\n"
  },
  {
    "path": "modules/aws/README.md",
    "content": "# terraform-kubernetes-addons:aws\n\n[![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/terraform-kubernetes-addons)\n[![terraform-kubernetes-addons](https://github.com/particuleio/terraform-kubernetes-addons/workflows/terraform-kubernetes-addons/badge.svg)](https://github.com/particuleio/terraform-kubernetes-addons/actions?query=workflow%3Aterraform-kubernetes-addons)\n\n## About\n\nProvides various Kubernetes addons that are often used on Kubernetes with AWS.\n\n## Documentation\n\nUser guides, feature documentation and examples are available [here](https://github.com/particuleio/teks/)\n\n## IAM permissions\n\nThis module can use [IRSA](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/).\n\n<!-- BEGIN_TF_DOCS -->\n## Requirements\n\n| Name | Version |\n| ---- | ------- |\n| <a name=\"requirement_terraform\"></a> [terraform](#requirement\\_terraform) | >= 1.5.7 |\n| <a name=\"requirement_aws\"></a> [aws](#requirement\\_aws) | >= 6.28 |\n| <a name=\"requirement_flux\"></a> [flux](#requirement\\_flux) | ~> 1.0 |\n| <a name=\"requirement_github\"></a> [github](#requirement\\_github) | ~> 6.0 |\n| <a name=\"requirement_helm\"></a> [helm](#requirement\\_helm) | ~> 3.0 |\n| <a name=\"requirement_http\"></a> [http](#requirement\\_http) | >= 3 |\n| <a name=\"requirement_kubectl\"></a> [kubectl](#requirement\\_kubectl) | ~> 2.0 |\n| <a name=\"requirement_kubernetes\"></a> [kubernetes](#requirement\\_kubernetes) | ~> 2.0, != 2.12 |\n| <a name=\"requirement_tls\"></a> [tls](#requirement\\_tls) | ~> 4.0 |\n\n## Providers\n\n| Name | Version |\n| ---- | ------- |\n| <a name=\"provider_aws\"></a> [aws](#provider\\_aws) | >= 6.28 |\n| <a name=\"provider_flux\"></a> [flux](#provider\\_flux) | ~> 1.0 |\n| <a name=\"provider_github\"></a> [github](#provider\\_github) | ~> 6.0 |\n| <a name=\"provider_helm\"></a> 
[helm](#provider\\_helm) | ~> 3.0 |\n| <a name=\"provider_http\"></a> [http](#provider\\_http) | >= 3 |\n| <a name=\"provider_kubectl\"></a> [kubectl](#provider\\_kubectl) | ~> 2.0 |\n| <a name=\"provider_kubernetes\"></a> [kubernetes](#provider\\_kubernetes) | ~> 2.0, != 2.12 |\n| <a name=\"provider_random\"></a> [random](#provider\\_random) | n/a |\n| <a name=\"provider_time\"></a> [time](#provider\\_time) | n/a |\n| <a name=\"provider_tls\"></a> [tls](#provider\\_tls) | ~> 4.0 |\n\n## Modules\n\n| Name | Source | Version |\n| ---- | ------ | ------- |\n| <a name=\"module_iam_assumable_role_aws-ebs-csi-driver\"></a> [iam\\_assumable\\_role\\_aws-ebs-csi-driver](#module\\_iam\\_assumable\\_role\\_aws-ebs-csi-driver) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |\n| <a name=\"module_iam_assumable_role_aws-efs-csi-driver\"></a> [iam\\_assumable\\_role\\_aws-efs-csi-driver](#module\\_iam\\_assumable\\_role\\_aws-efs-csi-driver) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |\n| <a name=\"module_iam_assumable_role_aws-for-fluent-bit\"></a> [iam\\_assumable\\_role\\_aws-for-fluent-bit](#module\\_iam\\_assumable\\_role\\_aws-for-fluent-bit) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |\n| <a name=\"module_iam_assumable_role_aws-load-balancer-controller\"></a> [iam\\_assumable\\_role\\_aws-load-balancer-controller](#module\\_iam\\_assumable\\_role\\_aws-load-balancer-controller) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |\n| <a name=\"module_iam_assumable_role_cert-manager\"></a> [iam\\_assumable\\_role\\_cert-manager](#module\\_iam\\_assumable\\_role\\_cert-manager) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |\n| <a name=\"module_iam_assumable_role_cluster-autoscaler\"></a> [iam\\_assumable\\_role\\_cluster-autoscaler](#module\\_iam\\_assumable\\_role\\_cluster-autoscaler) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |\n| <a name=\"module_iam_assumable_role_cni-metrics-helper\"></a> 
[iam\\_assumable\\_role\\_cni-metrics-helper](#module\\_iam\\_assumable\\_role\\_cni-metrics-helper) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |\n| <a name=\"module_iam_assumable_role_external-dns\"></a> [iam\\_assumable\\_role\\_external-dns](#module\\_iam\\_assumable\\_role\\_external-dns) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |\n| <a name=\"module_iam_assumable_role_kube-prometheus-stack_grafana\"></a> [iam\\_assumable\\_role\\_kube-prometheus-stack\\_grafana](#module\\_iam\\_assumable\\_role\\_kube-prometheus-stack\\_grafana) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |\n| <a name=\"module_iam_assumable_role_kube-prometheus-stack_thanos\"></a> [iam\\_assumable\\_role\\_kube-prometheus-stack\\_thanos](#module\\_iam\\_assumable\\_role\\_kube-prometheus-stack\\_thanos) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |\n| <a name=\"module_iam_assumable_role_loki-stack\"></a> [iam\\_assumable\\_role\\_loki-stack](#module\\_iam\\_assumable\\_role\\_loki-stack) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |\n| <a name=\"module_iam_assumable_role_prometheus-cloudwatch-exporter\"></a> [iam\\_assumable\\_role\\_prometheus-cloudwatch-exporter](#module\\_iam\\_assumable\\_role\\_prometheus-cloudwatch-exporter) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |\n| <a name=\"module_iam_assumable_role_thanos\"></a> [iam\\_assumable\\_role\\_thanos](#module\\_iam\\_assumable\\_role\\_thanos) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |\n| <a name=\"module_iam_assumable_role_thanos-storegateway\"></a> [iam\\_assumable\\_role\\_thanos-storegateway](#module\\_iam\\_assumable\\_role\\_thanos-storegateway) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |\n| <a name=\"module_iam_assumable_role_velero\"></a> [iam\\_assumable\\_role\\_velero](#module\\_iam\\_assumable\\_role\\_velero) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |\n| <a 
name=\"module_iam_assumable_role_yet-another-cloudwatch-exporter\"></a> [iam\\_assumable\\_role\\_yet-another-cloudwatch-exporter](#module\\_iam\\_assumable\\_role\\_yet-another-cloudwatch-exporter) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |\n| <a name=\"module_karpenter\"></a> [karpenter](#module\\_karpenter) | terraform-aws-modules/eks/aws//modules/karpenter | ~> 21.0 |\n| <a name=\"module_kube-prometheus-stack_thanos_bucket\"></a> [kube-prometheus-stack\\_thanos\\_bucket](#module\\_kube-prometheus-stack\\_thanos\\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 5.0 |\n| <a name=\"module_loki_bucket\"></a> [loki\\_bucket](#module\\_loki\\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 5.0 |\n| <a name=\"module_s3_logging_bucket\"></a> [s3\\_logging\\_bucket](#module\\_s3\\_logging\\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 5.0 |\n| <a name=\"module_security-group-efs-csi-driver\"></a> [security-group-efs-csi-driver](#module\\_security-group-efs-csi-driver) | terraform-aws-modules/security-group/aws//modules/nfs | ~> 5.0 |\n| <a name=\"module_thanos_bucket\"></a> [thanos\\_bucket](#module\\_thanos\\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 5.0 |\n| <a name=\"module_velero_thanos_bucket\"></a> [velero\\_thanos\\_bucket](#module\\_velero\\_thanos\\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 5.0 |\n\n## Resources\n\n| Name | Type |\n| ---- | ---- |\n| [aws_cloudwatch_log_group.aws-for-fluent-bit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |\n| [aws_efs_file_system.aws-efs-csi-driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system) | resource |\n| [aws_efs_mount_target.aws-efs-csi-driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_mount_target) | resource |\n| 
[aws_iam_policy.aws-ebs-csi-driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.aws-efs-csi-driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.aws-for-fluent-bit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.aws-load-balancer-controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.cert-manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.cluster-autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.cni-metrics-helper](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.external-dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.karpenter_additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.kube-prometheus-stack_grafana](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.kube-prometheus-stack_thanos](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.loki-stack](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.prometheus-cloudwatch-exporter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.thanos](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| 
[aws_iam_policy.thanos-storegateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.yet-another-cloudwatch-exporter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_kms_alias.aws-ebs-csi-driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |\n| [aws_kms_key.aws-ebs-csi-driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |\n| [flux_bootstrap_git.flux](https://registry.terraform.io/providers/fluxcd/flux/latest/docs/resources/bootstrap_git) | resource |\n| [github_branch_default.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_default) | resource |\n| [github_repository.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository) | resource |\n| [github_repository_deploy_key.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_deploy_key) | resource |\n| [helm_release.admiralty](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.aws-ebs-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.aws-efs-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.aws-for-fluent-bit](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.aws-load-balancer-controller](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| 
[helm_release.aws-node-termination-handler](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.cert-manager](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.cert-manager-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.cluster-autoscaler](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.external-dns](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.grafana-mcp](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.ingress-nginx](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.k8gb](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.karma](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.karpenter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.keda](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.kong](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.linkerd-control-plane](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.linkerd-crds](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| 
[helm_release.linkerd-viz](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.loki-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.metrics-server](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.node-problem-detector](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.prometheus-blackbox-exporter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.prometheus-cloudwatch-exporter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.promtail](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.reloader](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.sealed-secrets](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.secrets-store-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.thanos](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.thanos-memcached](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.thanos-storegateway](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | 
resource |\n| [helm_release.thanos-tls-querier](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.tigera-operator](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.traefik](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.velero](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.victoria-metrics-k8s-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.yet-another-cloudwatch-exporter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [kubectl_manifest.aws-ebs-csi-driver_vsc](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.calico_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.cert-manager_cluster_issuers](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.cni-metrics-helper](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.csi-external-snapshotter](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.kong_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.linkerd](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.linkerd-viz](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| 
[kubectl_manifest.prometheus-operator_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.secrets-store-csi-driver-provider-aws](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.tigera-operator_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubernetes_config_map.loki-stack_grafana_ds](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |\n| [kubernetes_namespace.admiralty](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.aws-ebs-csi-driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.aws-efs-csi-driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.aws-for-fluent-bit](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.aws-load-balancer-controller](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.aws-node-termination-handler](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.cert-manager](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.cluster-autoscaler](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.external-dns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| 
[kubernetes_namespace.flux2](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.grafana-mcp](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.ingress-nginx](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.k8gb](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.karma](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.karpenter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.keda](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.kong](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.linkerd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.linkerd-viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.loki-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.metrics-server](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | 
resource |\n| [kubernetes_namespace.node-problem-detector](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.prometheus-blackbox-exporter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.prometheus-cloudwatch-exporter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.promtail](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.reloader](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.sealed-secrets](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.secrets-store-csi-driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.thanos](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.tigera-operator](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.traefik](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.velero](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.victoria-metrics-k8s-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| 
[kubernetes_namespace.yet-another-cloudwatch-exporter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_network_policy.admiralty_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.admiralty_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.aws-ebs-csi-driver_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.aws-ebs-csi-driver_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.aws-efs-csi-driver_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.aws-efs-csi-driver_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.aws-for-fluent-bit_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.aws-for-fluent-bit_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.aws-load-balancer-controller_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.aws-load-balancer-controller_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.aws-load-balancer-controller_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.aws-node-termination-handler_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.aws-node-termination-handler_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.cert-manager_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.cert-manager_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.cert-manager_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.cert-manager_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.cluster-autoscaler_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.cluster-autoscaler_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.cluster-autoscaler_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.external-dns_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.external-dns_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.external-dns_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.flux2_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.flux2_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.grafana-mcp_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.grafana-mcp_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.ingress-nginx_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.ingress-nginx_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.ingress-nginx_allow_linkerd_viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.ingress-nginx_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.ingress-nginx_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.ingress-nginx_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.k8gb_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.k8gb_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.karma_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.karma_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.karma_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.karpenter_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.karpenter_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.karpenter_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.karpenter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.keda_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.keda_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.kong_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kong_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kong_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kong_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kube-prometheus-stack_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kube-prometheus-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kube-prometheus-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kube-prometheus-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.linkerd-viz_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.linkerd-viz_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.linkerd-viz_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.linkerd-viz_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.linkerd2-cni_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.linkerd2-cni_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.loki-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.loki-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.loki-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.metrics-server_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.metrics-server_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.metrics-server_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.npd_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.npd_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.prometheus-adapter_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.prometheus-adapter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.prometheus-blackbox-exporter_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.prometheus-blackbox-exporter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.prometheus-cloudwatch-exporter_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.prometheus-cloudwatch-exporter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.promtail_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.promtail_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.promtail_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.reloader_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.reloader_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.sealed-secrets_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.sealed-secrets_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.secrets-store-csi-driver_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.secrets-store-csi-driver_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.tigera-operator_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.tigera-operator_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.traefik_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.traefik_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.traefik_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.traefik_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.velero_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.velero_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.velero_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.victoria-metrics-k8s-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.yet-another-cloudwatch-exporter_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.yet-another-cloudwatch-exporter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_priority_class.kubernetes_addons](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/priority_class) | resource |\n| [kubernetes_priority_class.kubernetes_addons_ds](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/priority_class) | resource |\n| [kubernetes_secret.kube-prometheus-stack_thanos](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |\n| 
[kubernetes_secret.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |\n| [kubernetes_secret.loki-stack-ca](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |\n| [kubernetes_secret.promtail-tls](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |\n| [kubernetes_secret.thanos-ca](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |\n| [kubernetes_secret.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |\n| [kubernetes_storage_class.aws-ebs-csi-driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |\n| [kubernetes_storage_class.aws-efs-csi-driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |\n| [random_string.grafana_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |\n| [time_sleep.cert-manager_sleep](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |\n| [tls_cert_request.promtail-csr](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource |\n| [tls_cert_request.thanos-tls-querier-cert-csr](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource |\n| [tls_locally_signed_cert.promtail-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/locally_signed_cert) | resource |\n| [tls_locally_signed_cert.thanos-tls-querier-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/locally_signed_cert) | resource |\n| 
[tls_private_key.identity](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_private_key.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_private_key.loki-stack-ca-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_private_key.promtail-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_private_key.thanos-tls-querier-ca-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_private_key.thanos-tls-querier-cert-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_private_key.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_self_signed_cert.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |\n| [tls_self_signed_cert.loki-stack-ca-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |\n| [tls_self_signed_cert.thanos-tls-querier-ca-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |\n| [tls_self_signed_cert.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |\n| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |\n| [aws_iam_policy_document.aws-ebs-csi-driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| 
[aws_iam_policy_document.aws-ebs-csi-driver_default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.aws-ebs-csi-driver_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.aws-efs-csi-driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.aws-efs-csi-driver_default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.aws-for-fluent-bit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.aws-load-balancer-controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.cert-manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.cluster-autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.cni-metrics-helper](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.external-dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.karpenter_additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.kube-prometheus-stack_grafana](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| 
[aws_iam_policy_document.kube-prometheus-stack_thanos](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.loki-stack](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.prometheus-cloudwatch-exporter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.thanos](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.thanos-storegateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.velero_default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.velero_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.yet-another-cloudwatch-exporter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |\n| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |\n| [github_repository.main](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/repository) | data source |\n| [http_http.calico_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |\n| 
[http_http.csi-external-snapshotter](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |\n| [http_http.kong_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |\n| [http_http.prometheus-operator_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |\n| [http_http.prometheus-operator_version](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |\n| [http_http.secrets-store-csi-driver-provider-aws](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |\n| [http_http.tigera-operator_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |\n| [kubectl_file_documents.calico_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |\n| [kubectl_file_documents.csi-external-snapshotter](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |\n| [kubectl_file_documents.kong_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |\n| [kubectl_file_documents.secrets-store-csi-driver-provider-aws](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |\n| [kubectl_file_documents.tigera-operator_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |\n| [kubectl_path_documents.cert-manager_cluster_issuers](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/path_documents) | data source |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n| ---- | ----------- | ---- | ------- | :------: |\n| <a name=\"input_admiralty\"></a> 
[admiralty](#input\\_admiralty) | Customize admiralty chart, see `admiralty.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_arn-partition\"></a> [arn-partition](#input\\_arn-partition) | ARN partition | `string` | `\"\"` | no |\n| <a name=\"input_aws\"></a> [aws](#input\\_aws) | AWS provider customization | `any` | `{}` | no |\n| <a name=\"input_aws-ebs-csi-driver\"></a> [aws-ebs-csi-driver](#input\\_aws-ebs-csi-driver) | Customize aws-ebs-csi-driver helm chart, see `aws-ebs-csi-driver.tf` | `any` | `{}` | no |\n| <a name=\"input_aws-efs-csi-driver\"></a> [aws-efs-csi-driver](#input\\_aws-efs-csi-driver) | Customize aws-efs-csi-driver helm chart, see `aws-efs-csi-driver.tf` | `any` | `{}` | no |\n| <a name=\"input_aws-for-fluent-bit\"></a> [aws-for-fluent-bit](#input\\_aws-for-fluent-bit) | Customize aws-for-fluent-bit helm chart, see `aws-fluent-bit.tf` | `any` | `{}` | no |\n| <a name=\"input_aws-load-balancer-controller\"></a> [aws-load-balancer-controller](#input\\_aws-load-balancer-controller) | Customize aws-load-balancer-controller chart, see `aws-load-balancer-controller.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_aws-node-termination-handler\"></a> [aws-node-termination-handler](#input\\_aws-node-termination-handler) | Customize aws-node-termination-handler chart, see `aws-node-termination-handler.tf` | `any` | `{}` | no |\n| <a name=\"input_cert-manager\"></a> [cert-manager](#input\\_cert-manager) | Customize cert-manager chart, see `cert-manager.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_cert-manager-csi-driver\"></a> [cert-manager-csi-driver](#input\\_cert-manager-csi-driver) | Customize cert-manager-csi-driver chart, see `cert-manager.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_cluster-autoscaler\"></a> [cluster-autoscaler](#input\\_cluster-autoscaler) | Customize cluster-autoscaler chart, see `cluster-autoscaler.tf` for supported values | `any` | `{}` | no |\n| <a 
name=\"input_cluster-name\"></a> [cluster-name](#input\\_cluster-name) | Name of the Kubernetes cluster | `string` | `\"sample-cluster\"` | no |\n| <a name=\"input_cni-metrics-helper\"></a> [cni-metrics-helper](#input\\_cni-metrics-helper) | Customize cni-metrics-helper deployment, see `cni-metrics-helper.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_csi-external-snapshotter\"></a> [csi-external-snapshotter](#input\\_csi-external-snapshotter) | Customize csi-external-snapshotter, see `csi-external-snapshotter.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_eks\"></a> [eks](#input\\_eks) | EKS cluster inputs | `any` | `{}` | no |\n| <a name=\"input_external-dns\"></a> [external-dns](#input\\_external-dns) | Map of map for external-dns configuration: see `external_dns.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_flux2\"></a> [flux2](#input\\_flux2) | Customize Flux chart, see `flux2.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_grafana-mcp\"></a> [grafana-mcp](#input\\_grafana-mcp) | Customize grafana-mcp chart, see `grafana-mcp.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_helm_defaults\"></a> [helm\\_defaults](#input\\_helm\\_defaults) | Customize default Helm behavior | `any` | `{}` | no |\n| <a name=\"input_ingress-nginx\"></a> [ingress-nginx](#input\\_ingress-nginx) | Customize ingress-nginx chart, see `nginx-ingress.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_ip-masq-agent\"></a> [ip-masq-agent](#input\\_ip-masq-agent) | Configure ip masq agent chart, see `ip-masq-agent.tf` for supported values. This addon works only on GCP. 
| `any` | `{}` | no |\n| <a name=\"input_k8gb\"></a> [k8gb](#input\\_k8gb) | Customize k8gb chart, see `k8gb.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_karma\"></a> [karma](#input\\_karma) | Customize karma chart, see `karma.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_karpenter\"></a> [karpenter](#input\\_karpenter) | Customize karpenter chart, see `karpenter.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_keda\"></a> [keda](#input\\_keda) | Customize keda chart, see `keda.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_kong\"></a> [kong](#input\\_kong) | Customize kong-ingress chart, see `kong.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_kube-prometheus-stack\"></a> [kube-prometheus-stack](#input\\_kube-prometheus-stack) | Customize kube-prometheus-stack chart, see `kube-prometheus-stack.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_labels_prefix\"></a> [labels\\_prefix](#input\\_labels\\_prefix) | Custom label prefix used for network policy namespace matching | `string` | `\"particule.io\"` | no |\n| <a name=\"input_linkerd\"></a> [linkerd](#input\\_linkerd) | Customize linkerd chart, see `linkerd.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_linkerd-viz\"></a> [linkerd-viz](#input\\_linkerd-viz) | Customize linkerd-viz chart, see `linkerd-viz.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_linkerd2\"></a> [linkerd2](#input\\_linkerd2) | Customize linkerd2 chart, see `linkerd2.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_linkerd2-cni\"></a> [linkerd2-cni](#input\\_linkerd2-cni) | Customize linkerd2-cni chart, see `linkerd2-cni.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_loki-stack\"></a> [loki-stack](#input\\_loki-stack) | Customize loki-stack chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_metrics-server\"></a> 
[metrics-server](#input\\_metrics-server) | Customize metrics-server chart, see `metrics_server.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_npd\"></a> [npd](#input\\_npd) | Customize node-problem-detector chart, see `npd.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_priority-class\"></a> [priority-class](#input\\_priority-class) | Customize a priority class for addons | `any` | `{}` | no |\n| <a name=\"input_priority-class-ds\"></a> [priority-class-ds](#input\\_priority-class-ds) | Customize a priority class for addons daemonsets | `any` | `{}` | no |\n| <a name=\"input_prometheus-adapter\"></a> [prometheus-adapter](#input\\_prometheus-adapter) | Customize prometheus-adapter chart, see `prometheus-adapter.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_prometheus-blackbox-exporter\"></a> [prometheus-blackbox-exporter](#input\\_prometheus-blackbox-exporter) | Customize prometheus-blackbox-exporter chart, see `prometheus-blackbox-exporter.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_prometheus-cloudwatch-exporter\"></a> [prometheus-cloudwatch-exporter](#input\\_prometheus-cloudwatch-exporter) | Customize prometheus-cloudwatch-exporter chart, see `prometheus-cloudwatch-exporter.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_promtail\"></a> [promtail](#input\\_promtail) | Customize promtail chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_reloader\"></a> [reloader](#input\\_reloader) | Customize reloader chart, see `reloader.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_s3-logging\"></a> [s3-logging](#input\\_s3-logging) | Logging configuration for bucket created by this module | `any` | `{}` | no |\n| <a name=\"input_sealed-secrets\"></a> [sealed-secrets](#input\\_sealed-secrets) | Customize sealed-secrets chart, see `sealed-secrets.tf` for supported values | `any` | `{}` | no |\n| <a 
name=\"input_secrets-store-csi-driver\"></a> [secrets-store-csi-driver](#input\\_secrets-store-csi-driver) | Customize secrets-store-csi-driver chart, see `secrets-store-csi-driver.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_secrets-store-csi-driver-provider-aws\"></a> [secrets-store-csi-driver-provider-aws](#input\\_secrets-store-csi-driver-provider-aws) | Enable secrets-store-csi-driver-provider-aws | `any` | `{}` | no |\n| <a name=\"input_tags\"></a> [tags](#input\\_tags) | Map of tags for AWS resources | `map(any)` | `{}` | no |\n| <a name=\"input_thanos\"></a> [thanos](#input\\_thanos) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_thanos-memcached\"></a> [thanos-memcached](#input\\_thanos-memcached) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_thanos-receive\"></a> [thanos-receive](#input\\_thanos-receive) | Customize thanos chart, see `thanos-receive.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_thanos-storegateway\"></a> [thanos-storegateway](#input\\_thanos-storegateway) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_thanos-tls-querier\"></a> [thanos-tls-querier](#input\\_thanos-tls-querier) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_thanos-tls-querier-ca-cert\"></a> [thanos-tls-querier-ca-cert](#input\\_thanos-tls-querier-ca-cert) | TLS CA certificate, used to generate the client mTLS materials | `string` | `\"\"` | no |\n| <a name=\"input_thanos-tls-querier-ca-private-key\"></a> [thanos-tls-querier-ca-private-key](#input\\_thanos-tls-querier-ca-private-key) | TLS CA private key, used to generate the client mTLS materials | `string` | `\"\"` | no |\n| <a name=\"input_tigera-operator\"></a> [tigera-operator](#input\\_tigera-operator) | Customize tigera-operator chart, see 
`tigera-operator.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_traefik\"></a> [traefik](#input\\_traefik) | Customize traefik chart, see `traefik.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_velero\"></a> [velero](#input\\_velero) | Customize velero chart, see `velero.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_victoria-metrics-k8s-stack\"></a> [victoria-metrics-k8s-stack](#input\\_victoria-metrics-k8s-stack) | Customize Victoria Metrics chart, see `victoria-metrics-k8s-stack.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_yet-another-cloudwatch-exporter\"></a> [yet-another-cloudwatch-exporter](#input\\_yet-another-cloudwatch-exporter) | Customize yet-another-cloudwatch-exporter chart, see `yet-another-cloudwatch-exporter.tf` for supported values | `any` | `{}` | no |\n\n## Outputs\n\n| Name | Description |\n| ---- | ----------- |\n| <a name=\"output_karpenter_iam\"></a> [karpenter\\_iam](#output\\_karpenter\\_iam) | n/a |\n| <a name=\"output_kube-prometheus-stack\"></a> [kube-prometheus-stack](#output\\_kube-prometheus-stack) | n/a |\n| <a name=\"output_kube-prometheus-stack_sensitive\"></a> [kube-prometheus-stack\\_sensitive](#output\\_kube-prometheus-stack\\_sensitive) | n/a |\n| <a name=\"output_loki-stack-ca\"></a> [loki-stack-ca](#output\\_loki-stack-ca) | n/a |\n| <a name=\"output_promtail-cert\"></a> [promtail-cert](#output\\_promtail-cert) | n/a |\n| <a name=\"output_promtail-key\"></a> [promtail-key](#output\\_promtail-key) | n/a |\n| <a name=\"output_thanos_ca\"></a> [thanos\\_ca](#output\\_thanos\\_ca) | n/a |\n| <a name=\"output_thanos_ca_key\"></a> [thanos\\_ca\\_key](#output\\_thanos\\_ca\\_key) | n/a |\n<!-- END_TF_DOCS -->\n"
  },
  {
    "path": "modules/aws/aws-ebs-csi-driver.tf",
    "content": "locals {\n  aws-ebs-csi-driver = merge(\n    local.helm_defaults,\n    {\n      name          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"aws-ebs-csi-driver\")].name\n      chart         = local.helm_dependencies[index(local.helm_dependencies.*.name, \"aws-ebs-csi-driver\")].name\n      repository    = local.helm_dependencies[index(local.helm_dependencies.*.name, \"aws-ebs-csi-driver\")].repository\n      chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, \"aws-ebs-csi-driver\")].version\n      namespace     = \"kube-system\"\n      create_ns     = false\n      service_account_names = {\n        controller = \"ebs-csi-controller-sa\"\n        node       = \"ebs-csi-node-sa\"\n      }\n      create_iam_resources_irsa = true\n      create_storage_class      = true\n      storage_class_name        = \"ebs-sc\"\n      is_default_class          = false\n      enabled                   = false\n      iam_policy_override       = null\n      default_network_policy    = true\n      create_kms_key            = true\n      existing_kms_key_arn      = null\n      override_kms_alias        = null\n      use_kms                   = false\n      use_encryption            = false\n      extra_sc_parameters       = {}\n      kms_enable_key_rotation   = true\n      volume_snapshot_class     = <<-VOLUME_SNAPSHOT_CLASS\n           apiVersion: snapshot.storage.k8s.io/v1\n           kind: VolumeSnapshotClass\n           metadata:\n             name: csi-aws-vsc\n             labels:\n               velero.io/csi-volumesnapshot-class: \"true\"\n           driver: ebs.csi.aws.com\n           deletionPolicy: Retain\n         VOLUME_SNAPSHOT_CLASS\n      name_prefix               = \"${var.cluster-name}-aws-ebs-csi-driver\"\n      iam_use_name_prefix       = false\n    },\n    var.aws-ebs-csi-driver\n  )\n\n  values_aws-ebs-csi-driver = <<VALUES\ncontroller:\n  k8sTagClusterId: ${var.cluster-name}\n  extraCreateMetadata: 
true\n  priorityClassName: ${local.priority-class[\"create\"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : \"\"}\n  serviceAccount:\n    name: ${local.aws-ebs-csi-driver[\"service_account_names\"][\"controller\"]}\n    annotations:\n      eks.amazonaws.com/role-arn: \"${local.aws-ebs-csi-driver[\"enabled\"] && local.aws-ebs-csi-driver[\"create_iam_resources_irsa\"] ? module.iam_assumable_role_aws-ebs-csi-driver.arn : \"\"}\"\nnode:\n  tolerateAllTaints: true\n  priorityClassName: ${local.priority-class-ds[\"create\"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : \"\"}\nVALUES\n}\n\nmodule \"iam_assumable_role_aws-ebs-csi-driver\" {\n  source             = \"terraform-aws-modules/iam/aws//modules/iam-role\"\n  version            = \"~> 6.0\"\n  create             = local.aws-ebs-csi-driver[\"enabled\"] && local.aws-ebs-csi-driver[\"create_iam_resources_irsa\"]\n  name               = local.aws-ebs-csi-driver[\"name_prefix\"]\n  use_name_prefix    = local.aws-ebs-csi-driver[\"iam_use_name_prefix\"]\n  enable_oidc        = true\n  oidc_provider_urls = [replace(var.eks[\"cluster_oidc_issuer_url\"], \"https://\", \"\")]\n  policies           = local.aws-ebs-csi-driver[\"enabled\"] && local.aws-ebs-csi-driver[\"create_iam_resources_irsa\"] ? { aws-ebs-csi-driver = aws_iam_policy.aws-ebs-csi-driver[0].arn } : {}\n  oidc_subjects = [\n    \"system:serviceaccount:${local.aws-ebs-csi-driver[\"namespace\"]}:${local.aws-ebs-csi-driver[\"service_account_names\"][\"controller\"]}\",\n  ]\n  tags = local.tags\n}\n\ndata \"aws_iam_policy_document\" \"aws-ebs-csi-driver\" {\n  count = local.aws-ebs-csi-driver.enabled && local.aws-ebs-csi-driver.create_iam_resources_irsa ? 1 : 0\n  source_policy_documents = [\n    data.aws_iam_policy_document.aws-ebs-csi-driver_default.0.json,\n    local.aws-ebs-csi-driver.use_kms && local.aws-ebs-csi-driver.use_encryption ? 
data.aws_iam_policy_document.aws-ebs-csi-driver_kms.0.json : jsonencode({})\n  ]\n}\n\ndata \"aws_iam_policy_document\" \"aws-ebs-csi-driver_kms\" {\n  count = local.aws-ebs-csi-driver.enabled && local.aws-ebs-csi-driver.use_kms && local.aws-ebs-csi-driver.use_encryption ? 1 : 0\n  source_policy_documents = [\n    templatefile(\"${path.module}/iam/aws-ebs-csi-driver_kms.json\", { kmsKeyId = local.aws-ebs-csi-driver.create_kms_key ? aws_kms_key.aws-ebs-csi-driver.0.arn : local.aws-ebs-csi-driver.existing_kms_key_arn }),\n  ]\n}\n\ndata \"aws_iam_policy_document\" \"aws-ebs-csi-driver_default\" {\n  count = local.aws-ebs-csi-driver.enabled && local.aws-ebs-csi-driver.create_iam_resources_irsa ? 1 : 0\n  source_policy_documents = [\n    templatefile(\"${path.module}/iam/aws-ebs-csi-driver.json\", { arn-partition = local.arn-partition }),\n  ]\n}\n\nresource \"aws_iam_policy\" \"aws-ebs-csi-driver\" {\n  count  = local.aws-ebs-csi-driver[\"enabled\"] && local.aws-ebs-csi-driver[\"create_iam_resources_irsa\"] ? 1 : 0\n  name   = local.aws-ebs-csi-driver[\"name_prefix\"]\n  policy = local.aws-ebs-csi-driver[\"iam_policy_override\"] == null ? data.aws_iam_policy_document.aws-ebs-csi-driver.0.json : local.aws-ebs-csi-driver[\"iam_policy_override\"]\n  tags   = local.tags\n}\n\nresource \"kubernetes_namespace\" \"aws-ebs-csi-driver\" {\n  count = local.aws-ebs-csi-driver[\"enabled\"] && local.aws-ebs-csi-driver[\"create_ns\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name = local.aws-ebs-csi-driver[\"namespace\"]\n    }\n\n    name = local.aws-ebs-csi-driver[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"aws-ebs-csi-driver\" {\n  count                 = local.aws-ebs-csi-driver[\"enabled\"] ? 
1 : 0\n  repository            = local.aws-ebs-csi-driver[\"repository\"]\n  name                  = local.aws-ebs-csi-driver[\"name\"]\n  chart                 = local.aws-ebs-csi-driver[\"chart\"]\n  version               = local.aws-ebs-csi-driver[\"chart_version\"]\n  timeout               = local.aws-ebs-csi-driver[\"timeout\"]\n  force_update          = local.aws-ebs-csi-driver[\"force_update\"]\n  recreate_pods         = local.aws-ebs-csi-driver[\"recreate_pods\"]\n  wait                  = local.aws-ebs-csi-driver[\"wait\"]\n  atomic                = local.aws-ebs-csi-driver[\"atomic\"]\n  cleanup_on_fail       = local.aws-ebs-csi-driver[\"cleanup_on_fail\"]\n  dependency_update     = local.aws-ebs-csi-driver[\"dependency_update\"]\n  disable_crd_hooks     = local.aws-ebs-csi-driver[\"disable_crd_hooks\"]\n  disable_webhooks      = local.aws-ebs-csi-driver[\"disable_webhooks\"]\n  render_subchart_notes = local.aws-ebs-csi-driver[\"render_subchart_notes\"]\n  replace               = local.aws-ebs-csi-driver[\"replace\"]\n  reset_values          = local.aws-ebs-csi-driver[\"reset_values\"]\n  reuse_values          = local.aws-ebs-csi-driver[\"reuse_values\"]\n  skip_crds             = local.aws-ebs-csi-driver[\"skip_crds\"]\n  verify                = local.aws-ebs-csi-driver[\"verify\"]\n  values = [\n    local.values_aws-ebs-csi-driver,\n    local.aws-ebs-csi-driver[\"extra_values\"]\n  ]\n  namespace = local.aws-ebs-csi-driver[\"create_ns\"] ? kubernetes_namespace.aws-ebs-csi-driver.*.metadata.0.name[count.index] : local.aws-ebs-csi-driver[\"namespace\"]\n\n  depends_on = [\n    kubectl_manifest.csi-external-snapshotter\n  ]\n}\n\nresource \"kubernetes_storage_class\" \"aws-ebs-csi-driver\" {\n  count = local.aws-ebs-csi-driver[\"enabled\"] && local.aws-ebs-csi-driver[\"create_storage_class\"] ? 
1 : 0\n  metadata {\n    name = local.aws-ebs-csi-driver[\"storage_class_name\"]\n    annotations = {\n      \"storageclass.kubernetes.io/is-default-class\" = tostring(local.aws-ebs-csi-driver[\"is_default_class\"])\n    }\n  }\n  storage_provisioner    = \"ebs.csi.aws.com\"\n  volume_binding_mode    = \"WaitForFirstConsumer\"\n  allow_volume_expansion = true\n\n  parameters = merge(\n    {\n      encrypted = local.aws-ebs-csi-driver.use_encryption\n      kmsKeyId  = local.aws-ebs-csi-driver.use_encryption ? local.aws-ebs-csi-driver.use_kms ? local.aws-ebs-csi-driver.create_kms_key ? aws_kms_key.aws-ebs-csi-driver.0.arn : local.aws-ebs-csi-driver.existing_kms_key_arn : \"\" : \"\"\n    },\n    local.aws-ebs-csi-driver.extra_sc_parameters\n  )\n}\n\nresource \"kubernetes_network_policy\" \"aws-ebs-csi-driver_default_deny\" {\n  count = local.aws-ebs-csi-driver[\"create_ns\"] && local.aws-ebs-csi-driver[\"enabled\"] && local.aws-ebs-csi-driver[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.aws-ebs-csi-driver.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.aws-ebs-csi-driver.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"aws-ebs-csi-driver_allow_namespace\" {\n  count = local.aws-ebs-csi-driver[\"create_ns\"] && local.aws-ebs-csi-driver[\"enabled\"] && local.aws-ebs-csi-driver[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.aws-ebs-csi-driver.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.aws-ebs-csi-driver.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.aws-ebs-csi-driver.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"aws_kms_key\" \"aws-ebs-csi-driver\" {\n  count               = local.aws-ebs-csi-driver.enabled && local.aws-ebs-csi-driver.use_kms && local.aws-ebs-csi-driver.create_kms_key ? 1 : 0\n  tags                = local.tags\n  enable_key_rotation = local.aws-ebs-csi-driver.kms_enable_key_rotation\n}\n\nresource \"aws_kms_alias\" \"aws-ebs-csi-driver\" {\n  count         = local.aws-ebs-csi-driver.enabled && local.aws-ebs-csi-driver.use_kms && local.aws-ebs-csi-driver.create_kms_key ? 1 : 0\n  name          = \"alias/aws-ebs-csi-driver-${local.aws-ebs-csi-driver.override_kms_alias != null ? local.aws-ebs-csi-driver.override_kms_alias : var.cluster-name}\"\n  target_key_id = aws_kms_key.aws-ebs-csi-driver.0.id\n}\n\nresource \"kubectl_manifest\" \"aws-ebs-csi-driver_vsc\" {\n  count     = local.aws-ebs-csi-driver.enabled && local.aws-ebs-csi-driver.volume_snapshot_class != null ? 1 : 0\n  yaml_body = local.aws-ebs-csi-driver.volume_snapshot_class\n\n  depends_on = [\n    kubectl_manifest.csi-external-snapshotter,\n    helm_release.aws-ebs-csi-driver\n  ]\n  server_side_apply = true\n}\n"
  },
  {
    "path": "modules/aws/aws-efs-csi-driver.tf",
    "content": "locals {\n  aws-efs-csi-driver = merge(\n    local.helm_defaults,\n    {\n      name          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"aws-efs-csi-driver\")].name\n      chart         = local.helm_dependencies[index(local.helm_dependencies.*.name, \"aws-efs-csi-driver\")].name\n      repository    = local.helm_dependencies[index(local.helm_dependencies.*.name, \"aws-efs-csi-driver\")].repository\n      chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, \"aws-efs-csi-driver\")].version\n      namespace     = \"kube-system\"\n      create_ns     = false\n      service_account_names = {\n        controller = \"efs-csi-controller-sa\"\n        node       = \"efs-csi-node-sa\"\n      }\n      create_iam_resources_irsa                      = true\n      create_storage_class                           = true\n      storage_class_name                             = \"efs-sc\"\n      is_default_class                               = false\n      enabled                                        = false\n      iam_policy_override                            = null\n      default_network_policy                         = true\n      sg_vpc_ingress_cidrs                           = [\"0.0.0.0/0\"]\n      sg_vpc_id                                      = null\n      sg_ingress_cidr_blocks                         = null\n      sg_egress_ipv6_cidr_blocks                     = null\n      sg_auto_ingress_with_self                      = []\n      sg_input_ingress_with_source_security_group_id = []\n      subnets                                        = []\n      name_prefix                                    = \"${var.cluster-name}-aws-efs-csi-driver\"\n      iam_use_name_prefix                            = false\n    },\n    var.aws-efs-csi-driver\n  )\n\n  values_aws-efs-csi-driver = <<-VALUES\n    controller:\n      serviceAccount:\n        annotations:\n          eks.amazonaws.com/role-arn: \"${local.aws-efs-csi-driver[\"enabled\"] && local.aws-efs-csi-driver[\"create_iam_resources_irsa\"] ? module.iam_assumable_role_aws-efs-csi-driver.arn : \"\"}\"\n    VALUES\n\n}\n\nmodule \"iam_assumable_role_aws-efs-csi-driver\" {\n  source             = \"terraform-aws-modules/iam/aws//modules/iam-role\"\n  version            = \"~> 6.0\"\n  create             = local.aws-efs-csi-driver[\"enabled\"] && local.aws-efs-csi-driver[\"create_iam_resources_irsa\"]\n  name               = local.aws-efs-csi-driver[\"name_prefix\"]\n  use_name_prefix    = local.aws-efs-csi-driver[\"iam_use_name_prefix\"]\n  enable_oidc        = true\n  oidc_provider_urls = [replace(var.eks[\"cluster_oidc_issuer_url\"], \"https://\", \"\")]\n  policies           = local.aws-efs-csi-driver[\"enabled\"] && local.aws-efs-csi-driver[\"create_iam_resources_irsa\"] ? { aws-efs-csi-driver = aws_iam_policy.aws-efs-csi-driver[0].arn } : {}\n  oidc_subjects = [\n    \"system:serviceaccount:${local.aws-efs-csi-driver[\"namespace\"]}:${local.aws-efs-csi-driver[\"service_account_names\"][\"controller\"]}\",\n  ]\n  tags = local.tags\n}\n\ndata \"aws_iam_policy_document\" \"aws-efs-csi-driver\" {\n  count = local.aws-efs-csi-driver.enabled && local.aws-efs-csi-driver.create_iam_resources_irsa ? 1 : 0\n  source_policy_documents = [\n    data.aws_iam_policy_document.aws-efs-csi-driver_default.0.json\n  ]\n}\n\ndata \"aws_iam_policy_document\" \"aws-efs-csi-driver_default\" {\n  count = local.aws-efs-csi-driver.enabled && local.aws-efs-csi-driver.create_iam_resources_irsa ? 1 : 0\n  source_policy_documents = [\n    templatefile(\"${path.module}/iam/aws-efs-csi-driver.json\", { arn-partition = local.arn-partition }),\n  ]\n}\n\nresource \"aws_iam_policy\" \"aws-efs-csi-driver\" {\n  count  = local.aws-efs-csi-driver[\"enabled\"] && local.aws-efs-csi-driver[\"create_iam_resources_irsa\"] ? 1 : 0\n  name   = local.aws-efs-csi-driver[\"name_prefix\"]\n  policy = local.aws-efs-csi-driver[\"iam_policy_override\"] == null ? data.aws_iam_policy_document.aws-efs-csi-driver.0.json : local.aws-efs-csi-driver[\"iam_policy_override\"]\n  tags   = local.tags\n}\n\nresource \"kubernetes_namespace\" \"aws-efs-csi-driver\" {\n  count = local.aws-efs-csi-driver[\"enabled\"] && local.aws-efs-csi-driver[\"create_ns\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name = local.aws-efs-csi-driver[\"namespace\"]\n    }\n\n    name = local.aws-efs-csi-driver[\"namespace\"]\n  }\n}\n\nresource \"aws_efs_file_system\" \"aws-efs-csi-driver\" {\n  count                           = local.aws-efs-csi-driver[\"enabled\"] && lookup(local.aws-efs-csi-driver, \"file_system_id\", null) == null ? 1 : 0\n  creation_token                  = local.aws-efs-csi-driver[\"name_prefix\"]\n  encrypted                       = lookup(local.aws-efs-csi-driver, \"encrypted\", \"true\")\n  performance_mode                = lookup(local.aws-efs-csi-driver, \"performance_mode\", \"generalPurpose\")\n  provisioned_throughput_in_mibps = lookup(local.aws-efs-csi-driver, \"provisioned_throughput_in_mibps\", 0)\n  throughput_mode                 = lookup(local.aws-efs-csi-driver, \"throughput_mode\", \"bursting\")\n  dynamic \"lifecycle_policy\" {\n    for_each = lookup(local.aws-efs-csi-driver, \"lifecycle_policy\", [])\n    content {\n      transition_to_ia = lookup(lifecycle_policy.value, \"transition_to_ia\", null)\n    }\n  }\n  tags = merge(local.tags, { \"Name\" : local.aws-efs-csi-driver[\"name_prefix\"] })\n}\n\n\nresource \"aws_efs_mount_target\" \"aws-efs-csi-driver\" {\n  count           = local.aws-efs-csi-driver[\"enabled\"] ? length(local.aws-efs-csi-driver[\"subnets\"]) : 0\n  file_system_id  = lookup(local.aws-efs-csi-driver, \"file_system_id\", null) == null ? aws_efs_file_system.aws-efs-csi-driver.0.id : local.aws-efs-csi-driver[\"file_system_id\"]\n  subnet_id       = element(local.aws-efs-csi-driver[\"subnets\"], count.index)\n  security_groups = [module.security-group-efs-csi-driver.0.security_group_id]\n}\n\nmodule \"security-group-efs-csi-driver\" {\n  count                                 = local.aws-efs-csi-driver[\"enabled\"] ? 1 : 0\n  source                                = \"terraform-aws-modules/security-group/aws//modules/nfs\"\n  version                               = \"~> 5.0\"\n  name                                  = local.aws-efs-csi-driver[\"name_prefix\"]\n  description                           = \"NFS access to ${local.aws-efs-csi-driver[\"name_prefix\"]}\"\n  vpc_id                                = local.aws-efs-csi-driver[\"sg_vpc_id\"]\n  ingress_cidr_blocks                   = local.aws-efs-csi-driver[\"sg_vpc_ingress_cidrs\"]\n  egress_ipv6_cidr_blocks               = local.aws-efs-csi-driver[\"sg_egress_ipv6_cidr_blocks\"]\n  auto_ingress_with_self                = local.aws-efs-csi-driver[\"sg_auto_ingress_with_self\"]\n  ingress_with_source_security_group_id = local.aws-efs-csi-driver[\"sg_input_ingress_with_source_security_group_id\"]\n  tags                                  = local.tags\n}\n\nresource \"helm_release\" \"aws-efs-csi-driver\" {\n  count                 = local.aws-efs-csi-driver[\"enabled\"] ? 1 : 0\n  repository            = local.aws-efs-csi-driver[\"repository\"]\n  name                  = local.aws-efs-csi-driver[\"name\"]\n  chart                 = local.aws-efs-csi-driver[\"chart\"]\n  version               = local.aws-efs-csi-driver[\"chart_version\"]\n  timeout               = local.aws-efs-csi-driver[\"timeout\"]\n  force_update          = local.aws-efs-csi-driver[\"force_update\"]\n  recreate_pods         = local.aws-efs-csi-driver[\"recreate_pods\"]\n  wait                  = local.aws-efs-csi-driver[\"wait\"]\n  atomic                = local.aws-efs-csi-driver[\"atomic\"]\n  cleanup_on_fail       = local.aws-efs-csi-driver[\"cleanup_on_fail\"]\n  dependency_update     = local.aws-efs-csi-driver[\"dependency_update\"]\n  disable_crd_hooks     = local.aws-efs-csi-driver[\"disable_crd_hooks\"]\n  disable_webhooks      = local.aws-efs-csi-driver[\"disable_webhooks\"]\n  render_subchart_notes = local.aws-efs-csi-driver[\"render_subchart_notes\"]\n  replace               = local.aws-efs-csi-driver[\"replace\"]\n  reset_values          = local.aws-efs-csi-driver[\"reset_values\"]\n  reuse_values          = local.aws-efs-csi-driver[\"reuse_values\"]\n  skip_crds             = local.aws-efs-csi-driver[\"skip_crds\"]\n  verify                = local.aws-efs-csi-driver[\"verify\"]\n  values = [\n    local.values_aws-efs-csi-driver,\n    local.aws-efs-csi-driver[\"extra_values\"]\n  ]\n  namespace = local.aws-efs-csi-driver[\"create_ns\"] ? kubernetes_namespace.aws-efs-csi-driver.*.metadata.0.name[count.index] : local.aws-efs-csi-driver[\"namespace\"]\n}\n\nresource \"kubernetes_storage_class\" \"aws-efs-csi-driver\" {\n  count = local.aws-efs-csi-driver[\"enabled\"] && local.aws-efs-csi-driver[\"create_storage_class\"] ? 1 : 0\n  metadata {\n    name = local.aws-efs-csi-driver[\"storage_class_name\"]\n    annotations = {\n      \"storageclass.kubernetes.io/is-default-class\" = tostring(local.aws-efs-csi-driver[\"is_default_class\"])\n    }\n  }\n  storage_provisioner = \"efs.csi.aws.com\"\n  parameters = {\n    provisioningMode : \"efs-ap\"\n    fileSystemId : lookup(local.aws-efs-csi-driver, \"file_system_id\", null) == null ? aws_efs_file_system.aws-efs-csi-driver.0.id : local.aws-efs-csi-driver[\"file_system_id\"]\n    directoryPerms : \"700\"\n  }\n}\n\nresource \"kubernetes_network_policy\" \"aws-efs-csi-driver_default_deny\" {\n  count = local.aws-efs-csi-driver[\"create_ns\"] && local.aws-efs-csi-driver[\"enabled\"] && local.aws-efs-csi-driver[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.aws-efs-csi-driver.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.aws-efs-csi-driver.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"aws-efs-csi-driver_allow_namespace\" {\n  count = local.aws-efs-csi-driver[\"create_ns\"] && local.aws-efs-csi-driver[\"enabled\"] && local.aws-efs-csi-driver[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.aws-efs-csi-driver.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.aws-efs-csi-driver.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.aws-efs-csi-driver.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "modules/aws/aws-for-fluent-bit.tf",
    "content": "locals {\n\n  aws-for-fluent-bit = merge(\n    local.helm_defaults,\n    {\n      name                             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"aws-for-fluent-bit\")].name\n      chart                            = local.helm_dependencies[index(local.helm_dependencies.*.name, \"aws-for-fluent-bit\")].name\n      repository                       = local.helm_dependencies[index(local.helm_dependencies.*.name, \"aws-for-fluent-bit\")].repository\n      chart_version                    = local.helm_dependencies[index(local.helm_dependencies.*.name, \"aws-for-fluent-bit\")].version\n      namespace                        = \"aws-for-fluent-bit\"\n      service_account_name             = \"aws-for-fluent-bit\"\n      create_iam_resources_irsa        = true\n      enabled                          = false\n      iam_policy_override              = null\n      default_network_policy           = true\n      containers_log_retention_in_days = 180\n      kms_key_id                       = null\n      name_prefix                      = \"${var.cluster-name}-aws-for-fluent-bit\"\n      iam_use_name_prefix              = false\n    },\n    var.aws-for-fluent-bit\n  )\n\n  values_aws-for-fluent-bit = <<VALUES\nfirehose:\n  enabled: false\nkinesis:\n  enabled: false\nelasticsearch:\n  enabled: false\ncloudWatch:\n  enabled: true\n  region: \"${data.aws_region.current.name}\"\n  logGroupName: \"${local.aws-for-fluent-bit[\"enabled\"] ? aws_cloudwatch_log_group.aws-for-fluent-bit[0].name : \"\"}\"\n  autoCreateGroup: false\nserviceAccount:\n  name: ${local.aws-for-fluent-bit[\"service_account_name\"]}\n  annotations:\n    eks.amazonaws.com/role-arn: \"${local.aws-for-fluent-bit[\"enabled\"] && local.aws-for-fluent-bit[\"create_iam_resources_irsa\"] ? module.iam_assumable_role_aws-for-fluent-bit.arn : \"\"}\"\ntolerations:\n- operator: Exists\npriorityClassName: \"${local.priority-class-ds[\"create\"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : \"\"}\"\nVALUES\n}\n\nmodule \"iam_assumable_role_aws-for-fluent-bit\" {\n  source             = \"terraform-aws-modules/iam/aws//modules/iam-role\"\n  version            = \"~> 6.0\"\n  create             = local.aws-for-fluent-bit[\"enabled\"] && local.aws-for-fluent-bit[\"create_iam_resources_irsa\"]\n  name               = local.aws-for-fluent-bit[\"name_prefix\"]\n  use_name_prefix    = local.aws-for-fluent-bit[\"iam_use_name_prefix\"]\n  enable_oidc        = true\n  oidc_provider_urls = [replace(var.eks[\"cluster_oidc_issuer_url\"], \"https://\", \"\")]\n  policies           = local.aws-for-fluent-bit[\"enabled\"] && local.aws-for-fluent-bit[\"create_iam_resources_irsa\"] ? { aws-for-fluent-bit = aws_iam_policy.aws-for-fluent-bit[0].arn } : {}\n  oidc_subjects      = [\"system:serviceaccount:${local.aws-for-fluent-bit[\"namespace\"]}:${local.aws-for-fluent-bit[\"service_account_name\"]}\"]\n  tags               = local.tags\n}\n\nresource \"aws_iam_policy\" \"aws-for-fluent-bit\" {\n  count  = local.aws-for-fluent-bit[\"enabled\"] && local.aws-for-fluent-bit[\"create_iam_resources_irsa\"] ? 1 : 0\n  name   = local.aws-for-fluent-bit[\"name_prefix\"]\n  policy = local.aws-for-fluent-bit[\"iam_policy_override\"] == null ? data.aws_iam_policy_document.aws-for-fluent-bit.json : local.aws-for-fluent-bit[\"iam_policy_override\"]\n  tags   = local.tags\n}\n\ndata \"aws_iam_policy_document\" \"aws-for-fluent-bit\" {\n  statement {\n    effect = \"Allow\"\n\n    actions = [\n      \"logs:DescribeLogGroups\",\n      \"logs:DescribeLogStreams\",\n      \"logs:CreateLogGroup\",\n      \"logs:CreateLogStream\",\n      \"logs:PutLogEvents\"\n    ]\n\n    resources = [\"*\"]\n  }\n}\n\nresource \"aws_cloudwatch_log_group\" \"aws-for-fluent-bit\" {\n  count             = local.aws-for-fluent-bit[\"enabled\"] ? 1 : 0\n  name              = \"/aws/eks/${var.cluster-name}/containers\"\n  retention_in_days = local.aws-for-fluent-bit[\"containers_log_retention_in_days\"]\n  kms_key_id        = local.aws-for-fluent-bit[\"kms_key_id\"]\n}\n\nresource \"kubernetes_namespace\" \"aws-for-fluent-bit\" {\n  count = local.aws-for-fluent-bit[\"enabled\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name = local.aws-for-fluent-bit[\"namespace\"]\n    }\n\n    name = local.aws-for-fluent-bit[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"aws-for-fluent-bit\" {\n  count                 = local.aws-for-fluent-bit[\"enabled\"] ? 1 : 0\n  repository            = local.aws-for-fluent-bit[\"repository\"]\n  name                  = local.aws-for-fluent-bit[\"name\"]\n  chart                 = local.aws-for-fluent-bit[\"chart\"]\n  version               = local.aws-for-fluent-bit[\"chart_version\"]\n  timeout               = local.aws-for-fluent-bit[\"timeout\"]\n  force_update          = local.aws-for-fluent-bit[\"force_update\"]\n  recreate_pods         = local.aws-for-fluent-bit[\"recreate_pods\"]\n  wait                  = local.aws-for-fluent-bit[\"wait\"]\n  atomic                = local.aws-for-fluent-bit[\"atomic\"]\n  cleanup_on_fail       = local.aws-for-fluent-bit[\"cleanup_on_fail\"]\n  dependency_update     = local.aws-for-fluent-bit[\"dependency_update\"]\n  disable_crd_hooks     = local.aws-for-fluent-bit[\"disable_crd_hooks\"]\n  disable_webhooks      = local.aws-for-fluent-bit[\"disable_webhooks\"]\n  render_subchart_notes = local.aws-for-fluent-bit[\"render_subchart_notes\"]\n  replace               = local.aws-for-fluent-bit[\"replace\"]\n  reset_values          = local.aws-for-fluent-bit[\"reset_values\"]\n  reuse_values          = local.aws-for-fluent-bit[\"reuse_values\"]\n  skip_crds             = local.aws-for-fluent-bit[\"skip_crds\"]\n  verify                = local.aws-for-fluent-bit[\"verify\"]\n  values = [\n    local.values_aws-for-fluent-bit,\n    local.aws-for-fluent-bit[\"extra_values\"]\n  ]\n  namespace = kubernetes_namespace.aws-for-fluent-bit.*.metadata.0.name[count.index]\n}\n\nresource \"kubernetes_network_policy\" \"aws-for-fluent-bit_default_deny\" {\n  count = local.aws-for-fluent-bit[\"enabled\"] && local.aws-for-fluent-bit[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.aws-for-fluent-bit.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.aws-for-fluent-bit.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"aws-for-fluent-bit_allow_namespace\" {\n  count = local.aws-for-fluent-bit[\"enabled\"] && local.aws-for-fluent-bit[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.aws-for-fluent-bit.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.aws-for-fluent-bit.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.aws-for-fluent-bit.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "modules/aws/aws-load-balancer-controller.tf",
    "content": "locals {\n  aws-load-balancer-controller = merge(\n    local.helm_defaults,\n    {\n      name                      = local.helm_dependencies[index(local.helm_dependencies.*.name, \"aws-load-balancer-controller\")].name\n      chart                     = local.helm_dependencies[index(local.helm_dependencies.*.name, \"aws-load-balancer-controller\")].name\n      repository                = local.helm_dependencies[index(local.helm_dependencies.*.name, \"aws-load-balancer-controller\")].repository\n      chart_version             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"aws-load-balancer-controller\")].version\n      namespace                 = \"aws-load-balancer-controller\"\n      service_account_name      = \"aws-load-balancer-controller\"\n      create_iam_resources_irsa = true\n      enabled                   = false\n      additional_iam_statements = null\n      iam_policy_override       = null\n      default_network_policy    = true\n      allowed_cidrs             = [\"0.0.0.0/0\"]\n      name_prefix               = \"${var.cluster-name}-awslbc\"\n      iam_use_name_prefix       = false\n    },\n    var.aws-load-balancer-controller\n  )\n\n  values_aws-load-balancer-controller = <<VALUES\nclusterName: ${var.cluster-name}\nregion: ${data.aws_region.current.name}\nserviceAccount:\n  name: \"${local.aws-load-balancer-controller[\"service_account_name\"]}\"\n  annotations:\n    eks.amazonaws.com/role-arn: \"${local.aws-load-balancer-controller[\"enabled\"] && local.aws-load-balancer-controller[\"create_iam_resources_irsa\"] ? module.iam_assumable_role_aws-load-balancer-controller.arn : \"\"}\"\nVALUES\n}\n\nmodule \"iam_assumable_role_aws-load-balancer-controller\" {\n  source             = \"terraform-aws-modules/iam/aws//modules/iam-role\"\n  version            = \"~> 6.0\"\n  create             = local.aws-load-balancer-controller[\"enabled\"] && local.aws-load-balancer-controller[\"create_iam_resources_irsa\"]\n  name               = local.aws-load-balancer-controller[\"name_prefix\"]\n  use_name_prefix    = local.aws-load-balancer-controller[\"iam_use_name_prefix\"]\n  enable_oidc        = true\n  oidc_provider_urls = [replace(var.eks[\"cluster_oidc_issuer_url\"], \"https://\", \"\")]\n  policies           = local.aws-load-balancer-controller[\"enabled\"] && local.aws-load-balancer-controller[\"create_iam_resources_irsa\"] ? { aws-load-balancer-controller = aws_iam_policy.aws-load-balancer-controller[0].arn } : {}\n  oidc_subjects      = [\"system:serviceaccount:${local.aws-load-balancer-controller[\"namespace\"]}:${local.aws-load-balancer-controller[\"service_account_name\"]}\"]\n  tags               = local.tags\n}\n\nresource \"aws_iam_policy\" \"aws-load-balancer-controller\" {\n  count  = local.aws-load-balancer-controller[\"enabled\"] && local.aws-load-balancer-controller[\"create_iam_resources_irsa\"] ? 1 : 0\n  name   = local.aws-load-balancer-controller[\"name_prefix\"]\n  policy = local.aws-load-balancer-controller[\"iam_policy_override\"] == null ? data.aws_iam_policy_document.aws-load-balancer-controller[0].json : local.aws-load-balancer-controller[\"iam_policy_override\"]\n  tags   = local.tags\n}\n\ndata \"aws_iam_policy_document\" \"aws-load-balancer-controller\" {\n  count = local.aws-load-balancer-controller.enabled && local.aws-load-balancer-controller.create_iam_resources_irsa ? 1 : 0\n  source_policy_documents = compact([\n    templatefile(\"${path.module}/iam/aws-load-balancer-controller.json\", { arn-partition = local.arn-partition }),\n    try(local.aws-load-balancer-controller.additional_iam_statements, \"\")\n  ])\n}\n\nresource \"kubernetes_namespace\" \"aws-load-balancer-controller\" {\n  count = local.aws-load-balancer-controller[\"enabled\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name = local.aws-load-balancer-controller[\"namespace\"]\n    }\n\n    name = local.aws-load-balancer-controller[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"aws-load-balancer-controller\" {\n  count                 = local.aws-load-balancer-controller[\"enabled\"] ? 1 : 0\n  repository            = local.aws-load-balancer-controller[\"repository\"]\n  name                  = local.aws-load-balancer-controller[\"name\"]\n  chart                 = local.aws-load-balancer-controller[\"chart\"]\n  version               = local.aws-load-balancer-controller[\"chart_version\"]\n  timeout               = local.aws-load-balancer-controller[\"timeout\"]\n  force_update          = local.aws-load-balancer-controller[\"force_update\"]\n  recreate_pods         = local.aws-load-balancer-controller[\"recreate_pods\"]\n  wait                  = local.aws-load-balancer-controller[\"wait\"]\n  atomic                = local.aws-load-balancer-controller[\"atomic\"]\n  cleanup_on_fail       = local.aws-load-balancer-controller[\"cleanup_on_fail\"]\n  dependency_update     = local.aws-load-balancer-controller[\"dependency_update\"]\n  disable_crd_hooks     = local.aws-load-balancer-controller[\"disable_crd_hooks\"]\n  disable_webhooks      = local.aws-load-balancer-controller[\"disable_webhooks\"]\n  render_subchart_notes = local.aws-load-balancer-controller[\"render_subchart_notes\"]\n  replace               = local.aws-load-balancer-controller[\"replace\"]\n  reset_values          = local.aws-load-balancer-controller[\"reset_values\"]\n  reuse_values          = local.aws-load-balancer-controller[\"reuse_values\"]\n  skip_crds             = local.aws-load-balancer-controller[\"skip_crds\"]\n  verify                = local.aws-load-balancer-controller[\"verify\"]\n  values = [\n    local.values_aws-load-balancer-controller,\n    local.aws-load-balancer-controller[\"extra_values\"]\n  ]\n  namespace = kubernetes_namespace.aws-load-balancer-controller.*.metadata.0.name[count.index]\n}\n\nresource \"kubernetes_network_policy\" \"aws-load-balancer-controller_default_deny\" {\n  count = local.aws-load-balancer-controller[\"enabled\"] && local.aws-load-balancer-controller[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.aws-load-balancer-controller.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.aws-load-balancer-controller.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"aws-load-balancer-controller_allow_namespace\" {\n  count = local.aws-load-balancer-controller[\"enabled\"] && local.aws-load-balancer-controller[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.aws-load-balancer-controller.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.aws-load-balancer-controller.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.aws-load-balancer-controller.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"aws-load-balancer-controller_allow_control_plane\" {\n  count = local.aws-load-balancer-controller[\"enabled\"] && local.aws-load-balancer-controller[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.aws-load-balancer-controller.*.metadata.0.name[count.index]}-allow-control-plane\"\n    namespace = kubernetes_namespace.aws-load-balancer-controller.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n      match_expressions {\n        key      = \"app.kubernetes.io/name\"\n        operator = \"In\"\n        values   = [\"aws-load-balancer-controller\"]\n      }\n    }\n\n    ingress {\n      ports {\n        port     = \"9443\"\n        protocol = \"TCP\"\n      }\n\n      dynamic \"from\" {\n        for_each = local.aws-load-balancer-controller[\"allowed_cidrs\"]\n        content {\n          ip_block {\n            cidr = from.value\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "modules/aws/aws-node-termination-handler.tf",
    "content": "locals {\n  aws-node-termination-handler = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"aws-node-termination-handler\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"aws-node-termination-handler\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"aws-node-termination-handler\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"aws-node-termination-handler\")].version\n      namespace              = \"aws-node-termination-handler\"\n      enabled                = false\n      default_network_policy = true\n    },\n    var.aws-node-termination-handler\n  )\n\n  values_aws-node-termination-handler = <<VALUES\npriorityClassName: ${local.priority-class-ds[\"create\"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : \"\"}\ndeleteLocalData: true\nVALUES\n\n}\n\nresource \"kubernetes_namespace\" \"aws-node-termination-handler\" {\n  count = local.aws-node-termination-handler[\"enabled\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name = local.aws-node-termination-handler[\"namespace\"]\n    }\n\n    name = local.aws-node-termination-handler[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"aws-node-termination-handler\" {\n  count                 = local.aws-node-termination-handler[\"enabled\"] ? 1 : 0\n  repository            = local.aws-node-termination-handler[\"repository\"]\n  name                  = local.aws-node-termination-handler[\"name\"]\n  chart                 = local.aws-node-termination-handler[\"chart\"]\n  version               = local.aws-node-termination-handler[\"chart_version\"]\n  timeout               = local.aws-node-termination-handler[\"timeout\"]\n  force_update          = local.aws-node-termination-handler[\"force_update\"]\n  recreate_pods         = local.aws-node-termination-handler[\"recreate_pods\"]\n  wait                  = local.aws-node-termination-handler[\"wait\"]\n  atomic                = local.aws-node-termination-handler[\"atomic\"]\n  cleanup_on_fail       = local.aws-node-termination-handler[\"cleanup_on_fail\"]\n  dependency_update     = local.aws-node-termination-handler[\"dependency_update\"]\n  disable_crd_hooks     = local.aws-node-termination-handler[\"disable_crd_hooks\"]\n  disable_webhooks      = local.aws-node-termination-handler[\"disable_webhooks\"]\n  render_subchart_notes = local.aws-node-termination-handler[\"render_subchart_notes\"]\n  replace               = local.aws-node-termination-handler[\"replace\"]\n  reset_values          = local.aws-node-termination-handler[\"reset_values\"]\n  reuse_values          = local.aws-node-termination-handler[\"reuse_values\"]\n  skip_crds             = local.aws-node-termination-handler[\"skip_crds\"]\n  verify                = local.aws-node-termination-handler[\"verify\"]\n  values = [\n    local.values_aws-node-termination-handler,\n    local.aws-node-termination-handler[\"extra_values\"]\n  ]\n  namespace = local.aws-node-termination-handler[\"namespace\"]\n}\n\nresource \"kubernetes_network_policy\" \"aws-node-termination-handler_default_deny\" {\n  count = local.aws-node-termination-handler[\"enabled\"] && local.aws-node-termination-handler[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.aws-node-termination-handler.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.aws-node-termination-handler.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"aws-node-termination-handler_allow_namespace\" {\n  count = local.aws-node-termination-handler[\"enabled\"] && local.aws-node-termination-handler[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.aws-node-termination-handler.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.aws-node-termination-handler.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.aws-node-termination-handler.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "modules/aws/cert-manager.tf",
    "content": "locals {\n\n  cert-manager = merge(\n    local.helm_defaults,\n    {\n      name                           = local.helm_dependencies[index(local.helm_dependencies.*.name, \"cert-manager\")].name\n      chart                          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"cert-manager\")].name\n      repository                     = local.helm_dependencies[index(local.helm_dependencies.*.name, \"cert-manager\")].repository\n      chart_version                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"cert-manager\")].version\n      namespace                      = \"cert-manager\"\n      service_account_name           = \"cert-manager\"\n      create_iam_resources_irsa      = true\n      enabled                        = false\n      iam_policy_override            = null\n      default_network_policy         = true\n      acme_email                     = \"contact@acme.com\"\n      acme_http01_enabled            = true\n      acme_http01_ingress_class      = \"nginx\"\n      acme_dns01_enabled             = true\n      cluster_issuer_assume_role_arn = \"\"\n      allowed_cidrs                  = [\"0.0.0.0/0\"]\n      csi_driver                     = false\n      name_prefix                    = \"${var.cluster-name}-cert-manager\"\n      iam_use_name_prefix            = false\n    },\n    var.cert-manager\n  )\n\n  values_cert-manager = <<VALUES\nglobal:\n  priorityClassName: ${local.priority-class[\"create\"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : \"\"}\nserviceAccount:\n  name: ${local.cert-manager[\"service_account_name\"]}\n  annotations:\n    eks.amazonaws.com/role-arn: \"${local.cert-manager[\"enabled\"] && local.cert-manager[\"create_iam_resources_irsa\"] ? module.iam_assumable_role_cert-manager.arn : \"\"}\"\nprometheus:\n  servicemonitor:\n    enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\nsecurityContext:\n  fsGroup: 1001\ncrds:\n  enabled: true\nVALUES\n\n}\n\nmodule \"iam_assumable_role_cert-manager\" {\n  source             = \"terraform-aws-modules/iam/aws//modules/iam-role\"\n  version            = \"~> 6.0\"\n  create             = local.cert-manager[\"enabled\"] && local.cert-manager[\"create_iam_resources_irsa\"]\n  name               = local.cert-manager[\"name_prefix\"]\n  use_name_prefix    = local.cert-manager[\"iam_use_name_prefix\"]\n  enable_oidc        = true\n  oidc_provider_urls = [replace(var.eks[\"cluster_oidc_issuer_url\"], \"https://\", \"\")]\n  policies           = local.cert-manager[\"enabled\"] && local.cert-manager[\"create_iam_resources_irsa\"] ? { cert-manager = aws_iam_policy.cert-manager[0].arn } : {}\n  oidc_subjects      = [\"system:serviceaccount:${local.cert-manager[\"namespace\"]}:${local.cert-manager[\"service_account_name\"]}\"]\n  tags               = local.tags\n}\n\nresource \"aws_iam_policy\" \"cert-manager\" {\n  count  = local.cert-manager[\"enabled\"] && local.cert-manager[\"create_iam_resources_irsa\"] ? 1 : 0\n  name   = local.cert-manager[\"name_prefix\"]\n  policy = local.cert-manager[\"iam_policy_override\"] == null ? data.aws_iam_policy_document.cert-manager.json : local.cert-manager[\"iam_policy_override\"]\n  tags   = local.tags\n}\n\ndata \"aws_iam_policy_document\" \"cert-manager\" {\n  statement {\n    effect = \"Allow\"\n\n    actions = [\n      \"route53:GetChange\"\n    ]\n\n    resources = [\"arn:${local.arn-partition}:route53:::change/*\"]\n  }\n\n  statement {\n    effect = \"Allow\"\n\n    actions = [\n      \"route53:ChangeResourceRecordSets\",\n      \"route53:ListResourceRecordSets\"\n    ]\n\n    resources = [\"arn:${local.arn-partition}:route53:::hostedzone/*\"]\n\n  }\n\n  statement {\n    effect = \"Allow\"\n\n    actions = [\n      \"route53:ListHostedZonesByName\"\n    ]\n\n    resources = [\"*\"]\n\n  }\n}\n\nresource \"kubernetes_namespace\" \"cert-manager\" {\n  count = local.cert-manager[\"enabled\"] ? 1 : 0\n\n  metadata {\n    annotations = {\n      \"certmanager.k8s.io/disable-validation\" = \"true\"\n    }\n\n    labels = {\n      name = local.cert-manager[\"namespace\"]\n    }\n\n    name = local.cert-manager[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"cert-manager\" {\n  count                 = local.cert-manager[\"enabled\"] ? 1 : 0\n  repository            = local.cert-manager[\"repository\"]\n  name                  = local.cert-manager[\"name\"]\n  chart                 = local.cert-manager[\"chart\"]\n  version               = local.cert-manager[\"chart_version\"]\n  timeout               = local.cert-manager[\"timeout\"]\n  force_update          = local.cert-manager[\"force_update\"]\n  recreate_pods         = local.cert-manager[\"recreate_pods\"]\n  wait                  = local.cert-manager[\"wait\"]\n  atomic                = local.cert-manager[\"atomic\"]\n  cleanup_on_fail       = local.cert-manager[\"cleanup_on_fail\"]\n  dependency_update     = local.cert-manager[\"dependency_update\"]\n  disable_crd_hooks     = local.cert-manager[\"disable_crd_hooks\"]\n  disable_webhooks      = local.cert-manager[\"disable_webhooks\"]\n  render_subchart_notes = local.cert-manager[\"render_subchart_notes\"]\n  replace               = local.cert-manager[\"replace\"]\n  reset_values          = local.cert-manager[\"reset_values\"]\n  reuse_values          = local.cert-manager[\"reuse_values\"]\n  skip_crds             = local.cert-manager[\"skip_crds\"]\n  verify                = local.cert-manager[\"verify\"]\n  values = [\n    local.values_cert-manager,\n    local.cert-manager[\"extra_values\"]\n  ]\n  namespace = kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\ndata \"kubectl_path_documents\" \"cert-manager_cluster_issuers\" {\n  pattern = \"${path.module}/templates/cert-manager-cluster-issuers.yaml.tpl\"\n  vars = {\n    aws_region                = data.aws_region.current.name\n    acme_email                = local.cert-manager[\"acme_email\"]\n    acme_http01_enabled       = local.cert-manager[\"acme_http01_enabled\"]\n    acme_http01_ingress_class = local.cert-manager[\"acme_http01_ingress_class\"]\n    acme_dns01_enabled        = local.cert-manager[\"acme_dns01_enabled\"]\n    role_arn           
       = local.cert-manager[\"cluster_issuer_assume_role_arn\"]\n  }\n}\n\nresource \"time_sleep\" \"cert-manager_sleep\" {\n  count           = local.cert-manager[\"enabled\"] && (local.cert-manager[\"acme_http01_enabled\"] || local.cert-manager[\"acme_dns01_enabled\"]) ? 1 : 0\n  depends_on      = [helm_release.cert-manager]\n  create_duration = \"120s\"\n}\n\nresource \"kubectl_manifest\" \"cert-manager_cluster_issuers\" {\n  count     = local.cert-manager[\"enabled\"] && (local.cert-manager[\"acme_http01_enabled\"] || local.cert-manager[\"acme_dns01_enabled\"]) ? length(data.kubectl_path_documents.cert-manager_cluster_issuers.documents) : 0\n  yaml_body = element(data.kubectl_path_documents.cert-manager_cluster_issuers.documents, count.index)\n  depends_on = [\n    helm_release.cert-manager,\n    kubernetes_namespace.cert-manager,\n    time_sleep.cert-manager_sleep\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"cert-manager_default_deny\" {\n  count = local.cert-manager[\"enabled\"] && local.cert-manager[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"cert-manager_allow_namespace\" {\n  count = local.cert-manager[\"enabled\"] && local.cert-manager[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"cert-manager_allow_monitoring\" {\n  count = local.cert-manager[\"enabled\"] && local.cert-manager[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]}-allow-monitoring\"\n    namespace = kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      ports {\n        port     = \"9402\"\n        protocol = \"TCP\"\n      }\n\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"monitoring\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"cert-manager_allow_control_plane\" {\n  count = local.cert-manager[\"enabled\"] && local.cert-manager[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]}-allow-control-plane\"\n    namespace = kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n      match_expressions {\n        key      = \"app.kubernetes.io/name\"\n        operator = \"In\"\n        values   = [\"webhook\"]\n      }\n    }\n\n    ingress {\n      ports {\n        port     = \"10250\"\n        protocol = \"TCP\"\n      }\n\n      dynamic \"from\" {\n        for_each = local.cert-manager[\"allowed_cidrs\"]\n        content {\n          ip_block {\n            cidr = from.value\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "modules/aws/cluster-autoscaler.tf",
    "content": "locals {\n  cluster-autoscaler = merge(\n    local.helm_defaults,\n    {\n      name                      = local.helm_dependencies[index(local.helm_dependencies.*.name, \"cluster-autoscaler\")].name\n      chart                     = local.helm_dependencies[index(local.helm_dependencies.*.name, \"cluster-autoscaler\")].name\n      repository                = local.helm_dependencies[index(local.helm_dependencies.*.name, \"cluster-autoscaler\")].repository\n      chart_version             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"cluster-autoscaler\")].version\n      namespace                 = \"cluster-autoscaler\"\n      service_account_name      = \"cluster-autoscaler\"\n      create_iam_resources_irsa = true\n      enabled                   = false\n      version                   = \"v1.28.0\"\n      iam_policy_override       = null\n      default_network_policy    = true\n      name_prefix               = \"${var.cluster-name}-cluster-autoscaler\"\n      iam_use_name_prefix       = false\n    },\n    var.cluster-autoscaler\n  )\n\n  values_cluster-autoscaler = <<VALUES\nnameOverride: \"${local.cluster-autoscaler[\"name\"]}\"\nautoDiscovery:\n  clusterName: ${var.cluster-name}\nawsRegion: ${data.aws_region.current.name}\nrbac:\n  create: true\n  serviceAccount:\n    name: ${local.cluster-autoscaler[\"service_account_name\"]}\n    annotations:\n      eks.amazonaws.com/role-arn: \"${local.cluster-autoscaler[\"enabled\"] && local.cluster-autoscaler[\"create_iam_resources_irsa\"] ? 
module.iam_assumable_role_cluster-autoscaler.arn : \"\"}\"\nimage:\n  tag: ${local.cluster-autoscaler[\"version\"]}\nextraArgs:\n  balance-similar-node-groups: true\n  skip-nodes-with-local-storage: false\n  balancing-ignore-label_1: topology.ebs.csi.aws.com/zone\n  balancing-ignore-label_2: eks.amazonaws.com/nodegroup\n  balancing-ignore-label_3: eks.amazonaws.com/nodegroup-image\n  balancing-ignore-label_4: eks.amazonaws.com/sourceLaunchTemplateId\n  balancing-ignore-label_5: eks.amazonaws.com/sourceLaunchTemplateVersion\n\nserviceMonitor:\n  enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\n  namespace: ${local.cluster-autoscaler[\"namespace\"]}\npriorityClassName: ${local.priority-class[\"create\"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : \"\"}\nVALUES\n}\n\nmodule \"iam_assumable_role_cluster-autoscaler\" {\n  source             = \"terraform-aws-modules/iam/aws//modules/iam-role\"\n  version            = \"~> 6.0\"\n  create             = local.cluster-autoscaler[\"enabled\"] && local.cluster-autoscaler[\"create_iam_resources_irsa\"]\n  name               = local.cluster-autoscaler[\"name_prefix\"]\n  use_name_prefix    = local.cluster-autoscaler[\"iam_use_name_prefix\"]\n  enable_oidc        = true\n  oidc_provider_urls = [replace(var.eks[\"cluster_oidc_issuer_url\"], \"https://\", \"\")]\n  policies           = local.cluster-autoscaler[\"enabled\"] && local.cluster-autoscaler[\"create_iam_resources_irsa\"] ? { cluster-autoscaler = aws_iam_policy.cluster-autoscaler[0].arn } : {}\n  oidc_subjects      = [\"system:serviceaccount:${local.cluster-autoscaler[\"namespace\"]}:${local.cluster-autoscaler[\"service_account_name\"]}\"]\n  tags               = local.tags\n}\n\nresource \"aws_iam_policy\" \"cluster-autoscaler\" {\n  count  = local.cluster-autoscaler[\"enabled\"] && local.cluster-autoscaler[\"create_iam_resources_irsa\"] ? 
1 : 0\n  name   = local.cluster-autoscaler[\"name_prefix\"]\n  policy = local.cluster-autoscaler[\"iam_policy_override\"] == null ? data.aws_iam_policy_document.cluster-autoscaler.json : local.cluster-autoscaler[\"iam_policy_override\"]\n  tags   = local.tags\n}\n\ndata \"aws_iam_policy_document\" \"cluster-autoscaler\" {\n  statement {\n    sid    = \"clusterAutoscalerAll\"\n    effect = \"Allow\"\n\n    actions = [\n      \"autoscaling:DescribeAutoScalingGroups\",\n      \"autoscaling:DescribeAutoScalingInstances\",\n      \"autoscaling:DescribeLaunchConfigurations\",\n      \"autoscaling:DescribeScalingActivities\",\n      \"autoscaling:DescribeTags\",\n      \"ec2:DescribeInstanceTypes\",\n      \"ec2:DescribeLaunchTemplateVersions\",\n      \"ec2:DescribeImages\",\n      \"ec2:GetInstanceTypesFromInstanceRequirements\",\n      \"eks:DescribeNodegroup\"\n    ]\n\n    resources = [\"*\"]\n  }\n\n  statement {\n    sid    = \"clusterAutoscalerOwn\"\n    effect = \"Allow\"\n\n    actions = [\n      \"autoscaling:SetDesiredCapacity\",\n      \"autoscaling:TerminateInstanceInAutoScalingGroup\",\n    ]\n\n    resources = [\"*\"]\n\n    condition {\n      test     = \"StringEquals\"\n      variable = \"autoscaling:ResourceTag/kubernetes.io/cluster/${var.cluster-name}\"\n      values   = [\"owned\"]\n    }\n\n    condition {\n      test     = \"StringEquals\"\n      variable = \"autoscaling:ResourceTag/k8s.io/cluster-autoscaler/enabled\"\n      values   = [\"true\"]\n    }\n  }\n}\n\nresource \"kubernetes_namespace\" \"cluster-autoscaler\" {\n  count = local.cluster-autoscaler[\"enabled\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name = local.cluster-autoscaler[\"namespace\"]\n    }\n\n    name = local.cluster-autoscaler[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"cluster-autoscaler\" {\n  count                 = local.cluster-autoscaler[\"enabled\"] ? 
1 : 0\n  repository            = local.cluster-autoscaler[\"repository\"]\n  name                  = local.cluster-autoscaler[\"name\"]\n  chart                 = local.cluster-autoscaler[\"chart\"]\n  version               = local.cluster-autoscaler[\"chart_version\"]\n  timeout               = local.cluster-autoscaler[\"timeout\"]\n  force_update          = local.cluster-autoscaler[\"force_update\"]\n  recreate_pods         = local.cluster-autoscaler[\"recreate_pods\"]\n  wait                  = local.cluster-autoscaler[\"wait\"]\n  atomic                = local.cluster-autoscaler[\"atomic\"]\n  cleanup_on_fail       = local.cluster-autoscaler[\"cleanup_on_fail\"]\n  dependency_update     = local.cluster-autoscaler[\"dependency_update\"]\n  disable_crd_hooks     = local.cluster-autoscaler[\"disable_crd_hooks\"]\n  disable_webhooks      = local.cluster-autoscaler[\"disable_webhooks\"]\n  render_subchart_notes = local.cluster-autoscaler[\"render_subchart_notes\"]\n  replace               = local.cluster-autoscaler[\"replace\"]\n  reset_values          = local.cluster-autoscaler[\"reset_values\"]\n  reuse_values          = local.cluster-autoscaler[\"reuse_values\"]\n  skip_crds             = local.cluster-autoscaler[\"skip_crds\"]\n  verify                = local.cluster-autoscaler[\"verify\"]\n  values = [\n    local.values_cluster-autoscaler,\n    local.cluster-autoscaler[\"extra_values\"]\n  ]\n  namespace = kubernetes_namespace.cluster-autoscaler.*.metadata.0.name[count.index]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"cluster-autoscaler_default_deny\" {\n  count = local.cluster-autoscaler[\"enabled\"] && local.cluster-autoscaler[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.cluster-autoscaler.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.cluster-autoscaler.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"cluster-autoscaler_allow_namespace\" {\n  count = local.cluster-autoscaler[\"enabled\"] && local.cluster-autoscaler[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.cluster-autoscaler.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.cluster-autoscaler.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.cluster-autoscaler.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"cluster-autoscaler_allow_monitoring\" {\n  count = local.cluster-autoscaler[\"enabled\"] && local.cluster-autoscaler[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.cluster-autoscaler.*.metadata.0.name[count.index]}-allow-monitoring\"\n    namespace = kubernetes_namespace.cluster-autoscaler.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      ports {\n        port     = \"8085\"\n        protocol = \"TCP\"\n      }\n\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"monitoring\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "modules/aws/cni-metrics-helper.tf",
    "content": "locals {\n  cni-metrics-helper = merge(\n    {\n      create_iam_resources_irsa = true\n      enabled                   = false\n      version                   = \"v1.9.0\"\n      iam_policy_override       = null\n      name_prefix               = \"${var.cluster-name}-cni-metrics-helper\"\n      iam_use_name_prefix       = false\n    },\n    var.cni-metrics-helper\n  )\n}\n\nmodule \"iam_assumable_role_cni-metrics-helper\" {\n  source             = \"terraform-aws-modules/iam/aws//modules/iam-role\"\n  version            = \"~> 6.0\"\n  create             = local.cni-metrics-helper[\"enabled\"] && local.cni-metrics-helper[\"create_iam_resources_irsa\"]\n  name               = local.cni-metrics-helper[\"name_prefix\"]\n  use_name_prefix    = local.cni-metrics-helper[\"iam_use_name_prefix\"]\n  enable_oidc        = true\n  oidc_provider_urls = [replace(var.eks[\"cluster_oidc_issuer_url\"], \"https://\", \"\")]\n  policies           = local.cni-metrics-helper[\"enabled\"] && local.cni-metrics-helper[\"create_iam_resources_irsa\"] ? { cni-metrics-helper = aws_iam_policy.cni-metrics-helper[0].arn } : {}\n  oidc_subjects      = [\"system:serviceaccount:kube-system:cni-metrics-helper\"]\n  tags               = local.tags\n}\n\nresource \"aws_iam_policy\" \"cni-metrics-helper\" {\n  count  = local.cni-metrics-helper[\"enabled\"] && local.cni-metrics-helper[\"create_iam_resources_irsa\"] ? 1 : 0\n  name   = local.cni-metrics-helper[\"name_prefix\"]\n  policy = local.cni-metrics-helper[\"iam_policy_override\"] == null ? data.aws_iam_policy_document.cni-metrics-helper.json : local.cni-metrics-helper[\"iam_policy_override\"]\n}\n\ndata \"aws_iam_policy_document\" \"cni-metrics-helper\" {\n  statement {\n    effect = \"Allow\"\n\n    actions = [\n      \"cloudwatch:PutMetricData\",\n      \"ec2:DescribeTags\"\n    ]\n    resources = [\"*\"]\n  }\n}\n\nresource \"kubectl_manifest\" \"cni-metrics-helper\" {\n  count = local.cni-metrics-helper[\"enabled\"] ? 
1 : 0\n  yaml_body = templatefile(\"${path.module}/templates/cni-metrics-helper.yaml.tpl\", {\n    cni-metrics-helper_role_arn_irsa = local.cni-metrics-helper[\"create_iam_resources_irsa\"] ? module.iam_assumable_role_cni-metrics-helper.arn : \"\"\n    cni-metrics-helper_version       = local.cni-metrics-helper[\"version\"]\n  })\n}\n"
  },
  {
    "path": "modules/aws/data.tf",
    "content": "data \"aws_region\" \"current\" {}\n\ndata \"aws_caller_identity\" \"current\" {}\n\ndata \"aws_partition\" \"current\" {}\n"
  },
  {
    "path": "modules/aws/examples/README.md",
    "content": "## Examples\n\nExamples are located in [teks](https://github.com/particuleio/teks) repository.\n"
  },
  {
    "path": "modules/aws/external-dns.tf",
    "content": "locals {\n\n  external-dns = { for k, v in var.external-dns : k => merge(\n    local.helm_defaults,\n    {\n      chart                     = local.helm_dependencies[index(local.helm_dependencies.*.name, \"external-dns\")].name\n      repository                = local.helm_dependencies[index(local.helm_dependencies.*.name, \"external-dns\")].repository\n      chart_version             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"external-dns\")].version\n      name                      = k\n      namespace                 = k\n      service_account_name      = \"external-dns\"\n      enabled                   = false\n      create_iam_resources_irsa = true\n      iam_policy_override       = null\n      default_network_policy    = true\n      name_prefix               = \"${var.cluster-name}\"\n      iam_use_name_prefix       = false\n    },\n    v,\n  ) }\n\n  values_external-dns = { for k, v in local.external-dns : k => merge(\n    {\n      values = <<-VALUES\n        provider: aws\n        txtPrefix: \"ext-dns-\"\n        txtOwnerId: ${var.cluster-name}\n        logFormat: json\n        policy: sync\n        serviceAccount:\n          name: ${v[\"service_account_name\"]}\n          annotations:\n            eks.amazonaws.com/role-arn: \"${v[\"create_iam_resources_irsa\"] ? module.iam_assumable_role_external-dns[k].arn : \"\"}\"\n        serviceMonitor:\n          enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\n        priorityClassName: ${local.priority-class[\"create\"] ? 
kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : \"\"}\n        VALUES\n    },\n    v,\n  ) }\n}\n\nmodule \"iam_assumable_role_external-dns\" {\n  for_each           = local.external-dns\n  source             = \"terraform-aws-modules/iam/aws//modules/iam-role\"\n  version            = \"~> 6.0\"\n  create             = each.value[\"enabled\"] && each.value[\"create_iam_resources_irsa\"]\n  name               = \"${each.value.name_prefix}-${each.key}\"\n  use_name_prefix    = each.value[\"iam_use_name_prefix\"]\n  enable_oidc        = true\n  oidc_provider_urls = [replace(var.eks[\"cluster_oidc_issuer_url\"], \"https://\", \"\")]\n  policies           = each.value[\"enabled\"] && each.value[\"create_iam_resources_irsa\"] ? { external-dns = aws_iam_policy.external-dns[each.key].arn } : {}\n  oidc_subjects      = [\"system:serviceaccount:${each.value[\"namespace\"]}:${each.value[\"service_account_name\"]}\"]\n  tags               = local.tags\n}\n\nresource \"aws_iam_policy\" \"external-dns\" {\n  for_each = { for k, v in local.external-dns : k => v if v[\"enabled\"] && v[\"create_iam_resources_irsa\"] }\n  name     = \"${each.value.name_prefix}-${each.key}\"\n  policy   = each.value[\"iam_policy_override\"] == null ? 
data.aws_iam_policy_document.external-dns.json : each.value[\"iam_policy_override\"]\n  tags     = local.tags\n}\n\ndata \"aws_iam_policy_document\" \"external-dns\" {\n  statement {\n    effect = \"Allow\"\n\n    actions = [\n      \"route53:ChangeResourceRecordSets\"\n    ]\n\n    resources = [\"arn:${local.arn-partition}:route53:::hostedzone/*\"]\n  }\n\n  statement {\n    effect = \"Allow\"\n\n    actions = [\n      \"route53:ListHostedZones\",\n      \"route53:ListResourceRecordSets\"\n    ]\n\n    resources = [\"*\"]\n\n  }\n}\n\nresource \"kubernetes_namespace\" \"external-dns\" {\n  for_each = { for k, v in local.external-dns : k => v if v[\"enabled\"] }\n\n  metadata {\n    labels = {\n      name = each.value[\"namespace\"]\n    }\n\n    name = each.value[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"external-dns\" {\n  for_each              = { for k, v in local.external-dns : k => v if v[\"enabled\"] }\n  repository            = each.value[\"repository\"]\n  name                  = each.value[\"name\"]\n  chart                 = each.value[\"chart\"]\n  version               = each.value[\"chart_version\"]\n  timeout               = each.value[\"timeout\"]\n  force_update          = each.value[\"force_update\"]\n  recreate_pods         = each.value[\"recreate_pods\"]\n  wait                  = each.value[\"wait\"]\n  atomic                = each.value[\"atomic\"]\n  cleanup_on_fail       = each.value[\"cleanup_on_fail\"]\n  dependency_update     = each.value[\"dependency_update\"]\n  disable_crd_hooks     = each.value[\"disable_crd_hooks\"]\n  disable_webhooks      = each.value[\"disable_webhooks\"]\n  render_subchart_notes = each.value[\"render_subchart_notes\"]\n  replace               = each.value[\"replace\"]\n  reset_values          = each.value[\"reset_values\"]\n  reuse_values          = each.value[\"reuse_values\"]\n  skip_crds             = each.value[\"skip_crds\"]\n  verify                = each.value[\"verify\"]\n  values = [\n    
local.values_external-dns[each.key][\"values\"],\n    each.value[\"extra_values\"]\n  ]\n  namespace = kubernetes_namespace.external-dns[each.key].metadata.0.name\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"external-dns_default_deny\" {\n  for_each = { for k, v in local.external-dns : k => v if v[\"enabled\"] && v[\"default_network_policy\"] }\n\n  metadata {\n    name      = \"${kubernetes_namespace.external-dns[each.key].metadata.0.name}-default-deny\"\n    namespace = kubernetes_namespace.external-dns[each.key].metadata.0.name\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"external-dns_allow_namespace\" {\n  for_each = { for k, v in local.external-dns : k => v if v[\"enabled\"] && v[\"default_network_policy\"] }\n\n  metadata {\n    name      = \"${kubernetes_namespace.external-dns[each.key].metadata.0.name}-allow-namespace\"\n    namespace = kubernetes_namespace.external-dns[each.key].metadata.0.name\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.external-dns[each.key].metadata.0.name\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"external-dns_allow_monitoring\" {\n  for_each = { for k, v in local.external-dns : k => v if v[\"enabled\"] && v[\"default_network_policy\"] }\n\n  metadata {\n    name      = \"${kubernetes_namespace.external-dns[each.key].metadata.0.name}-allow-monitoring\"\n    namespace = kubernetes_namespace.external-dns[each.key].metadata.0.name\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      ports {\n        port     = \"http\"\n        protocol = \"TCP\"\n      }\n\n      from {\n        namespace_selector {\n          match_labels = {\n            
\"${local.labels_prefix}/component\" = \"monitoring\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "modules/aws/iam/aws-ebs-csi-driver.json",
    "content": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"ec2:CreateSnapshot\",\n        \"ec2:AttachVolume\",\n        \"ec2:DetachVolume\",\n        \"ec2:ModifyVolume\",\n        \"ec2:DescribeAvailabilityZones\",\n        \"ec2:DescribeInstances\",\n        \"ec2:DescribeSnapshots\",\n        \"ec2:DescribeTags\",\n        \"ec2:DescribeVolumes\",\n        \"ec2:DescribeVolumesModifications\"\n      ],\n      \"Resource\": \"*\"\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"ec2:CreateTags\"\n      ],\n      \"Resource\": [\n        \"arn:${arn-partition}:ec2:*:*:volume/*\",\n        \"arn:${arn-partition}:ec2:*:*:snapshot/*\"\n      ],\n      \"Condition\": {\n        \"StringEquals\": {\n          \"ec2:CreateAction\": [\n            \"CreateVolume\",\n            \"CreateSnapshot\"\n          ]\n        }\n      }\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"ec2:DeleteTags\"\n      ],\n      \"Resource\": [\n        \"arn:${arn-partition}:ec2:*:*:volume/*\",\n        \"arn:${arn-partition}:ec2:*:*:snapshot/*\"\n      ]\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"ec2:CreateVolume\"\n      ],\n      \"Resource\": \"*\",\n      \"Condition\": {\n        \"StringLike\": {\n          \"aws:RequestTag/ebs.csi.aws.com/cluster\": \"true\"\n        }\n      }\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"ec2:CreateVolume\"\n      ],\n      \"Resource\": \"*\",\n      \"Condition\": {\n        \"StringLike\": {\n          \"aws:RequestTag/CSIVolumeName\": \"*\"\n        }\n      }\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"ec2:DeleteVolume\"\n      ],\n      \"Resource\": \"*\",\n      \"Condition\": {\n        \"StringLike\": {\n          \"ec2:ResourceTag/ebs.csi.aws.com/cluster\": \"true\"\n        }\n      }\n    },\n    {\n    
  \"Effect\": \"Allow\",\n      \"Action\": [\n        \"ec2:DeleteVolume\"\n      ],\n      \"Resource\": \"*\",\n      \"Condition\": {\n        \"StringLike\": {\n          \"ec2:ResourceTag/CSIVolumeName\": \"*\"\n        }\n      }\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"ec2:DeleteVolume\"\n      ],\n      \"Resource\": \"*\",\n      \"Condition\": {\n        \"StringLike\": {\n          \"ec2:ResourceTag/kubernetes.io/created-for/pvc/name\": \"*\"\n        }\n      }\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"ec2:DeleteSnapshot\"\n      ],\n      \"Resource\": \"*\",\n      \"Condition\": {\n        \"StringLike\": {\n          \"ec2:ResourceTag/CSIVolumeSnapshotName\": \"*\"\n        }\n      }\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"ec2:DeleteSnapshot\"\n      ],\n      \"Resource\": \"*\",\n      \"Condition\": {\n        \"StringLike\": {\n          \"ec2:ResourceTag/ebs.csi.aws.com/cluster\": \"true\"\n        }\n      }\n    }\n  ]\n}\n"
  },
  {
    "path": "modules/aws/iam/aws-ebs-csi-driver_kms.json",
    "content": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"kms:CreateGrant\",\n        \"kms:ListGrants\",\n        \"kms:RevokeGrant\"\n      ],\n      \"Resource\": [\n        \"${kmsKeyId}\"\n      ],\n      \"Condition\": {\n        \"Bool\": {\n          \"kms:GrantIsForAWSResource\": \"true\"\n        }\n      }\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"kms:Encrypt\",\n        \"kms:Decrypt\",\n        \"kms:ReEncrypt*\",\n        \"kms:GenerateDataKey*\",\n        \"kms:DescribeKey\"\n      ],\n      \"Resource\": [\n        \"${kmsKeyId}\"\n      ]\n    }\n  ]\n}\n"
  },
  {
    "path": "modules/aws/iam/aws-efs-csi-driver.json",
    "content": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"elasticfilesystem:DescribeAccessPoints\",\n        \"elasticfilesystem:DescribeFileSystems\",\n        \"elasticfilesystem:DescribeMountTargets\",\n        \"ec2:DescribeAvailabilityZones\"\n      ],\n      \"Resource\": \"*\"\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"elasticfilesystem:CreateAccessPoint\"\n      ],\n      \"Resource\": \"*\",\n      \"Condition\": {\n        \"StringLike\": {\n          \"aws:RequestTag/efs.csi.aws.com/cluster\": \"true\"\n        }\n      }\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"elasticfilesystem:TagResource\"\n      ],\n      \"Resource\": \"*\",\n      \"Condition\": {\n        \"StringLike\": {\n          \"aws:ResourceTag/efs.csi.aws.com/cluster\": \"true\"\n        }\n      }\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": \"elasticfilesystem:DeleteAccessPoint\",\n      \"Resource\": \"*\",\n      \"Condition\": {\n        \"StringEquals\": {\n          \"aws:ResourceTag/efs.csi.aws.com/cluster\": \"true\"\n        }\n      }\n    }\n  ]\n}\n"
  },
  {
    "path": "modules/aws/iam/aws-load-balancer-controller.json",
    "content": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"iam:CreateServiceLinkedRole\"\n      ],\n      \"Resource\": \"*\",\n      \"Condition\": {\n        \"StringEquals\": {\n          \"iam:AWSServiceName\": \"elasticloadbalancing.amazonaws.com\"\n        }\n      }\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"ec2:DescribeAccountAttributes\",\n        \"ec2:DescribeAddresses\",\n        \"ec2:DescribeAvailabilityZones\",\n        \"ec2:DescribeInternetGateways\",\n        \"ec2:DescribeVpcs\",\n        \"ec2:DescribeVpcPeeringConnections\",\n        \"ec2:DescribeSubnets\",\n        \"ec2:DescribeSecurityGroups\",\n        \"ec2:DescribeInstances\",\n        \"ec2:DescribeNetworkInterfaces\",\n        \"ec2:DescribeTags\",\n        \"ec2:GetCoipPoolUsage\",\n        \"ec2:DescribeCoipPools\",\n        \"ec2:GetSecurityGroupsForVpc\",\n        \"elasticloadbalancing:DescribeLoadBalancers\",\n        \"elasticloadbalancing:DescribeLoadBalancerAttributes\",\n        \"elasticloadbalancing:DescribeListeners\",\n        \"elasticloadbalancing:DescribeListenerCertificates\",\n        \"elasticloadbalancing:DescribeSSLPolicies\",\n        \"elasticloadbalancing:DescribeRules\",\n        \"elasticloadbalancing:DescribeTargetGroups\",\n        \"elasticloadbalancing:DescribeTargetGroupAttributes\",\n        \"elasticloadbalancing:DescribeTargetHealth\",\n        \"elasticloadbalancing:DescribeTags\",\n        \"elasticloadbalancing:DescribeTrustStores\",\n        \"elasticloadbalancing:DescribeListenerAttributes\"\n      ],\n      \"Resource\": \"*\"\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"cognito-idp:DescribeUserPoolClient\",\n        \"acm:ListCertificates\",\n        \"acm:DescribeCertificate\",\n        \"iam:ListServerCertificates\",\n        \"iam:GetServerCertificate\",\n        \"waf-regional:GetWebACL\",\n       
 \"waf-regional:GetWebACLForResource\",\n        \"waf-regional:AssociateWebACL\",\n        \"waf-regional:DisassociateWebACL\",\n        \"wafv2:GetWebACL\",\n        \"wafv2:GetWebACLForResource\",\n        \"wafv2:AssociateWebACL\",\n        \"wafv2:DisassociateWebACL\",\n        \"shield:GetSubscriptionState\",\n        \"shield:DescribeProtection\",\n        \"shield:CreateProtection\",\n        \"shield:DeleteProtection\"\n      ],\n      \"Resource\": \"*\"\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"ec2:AuthorizeSecurityGroupIngress\",\n        \"ec2:RevokeSecurityGroupIngress\"\n      ],\n      \"Resource\": \"*\"\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"ec2:CreateSecurityGroup\"\n      ],\n      \"Resource\": \"*\"\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"ec2:CreateTags\"\n      ],\n      \"Resource\": \"arn:${arn-partition}:ec2:*:*:security-group/*\",\n      \"Condition\": {\n        \"StringEquals\": {\n          \"ec2:CreateAction\": \"CreateSecurityGroup\"\n        },\n        \"Null\": {\n          \"aws:RequestTag/elbv2.k8s.aws/cluster\": \"false\"\n        }\n      }\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"ec2:CreateTags\",\n        \"ec2:DeleteTags\"\n      ],\n      \"Resource\": \"arn:${arn-partition}:ec2:*:*:security-group/*\",\n      \"Condition\": {\n        \"Null\": {\n          \"aws:RequestTag/elbv2.k8s.aws/cluster\": \"true\",\n          \"aws:ResourceTag/elbv2.k8s.aws/cluster\": \"false\"\n        }\n      }\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"ec2:AuthorizeSecurityGroupIngress\",\n        \"ec2:RevokeSecurityGroupIngress\",\n        \"ec2:DeleteSecurityGroup\"\n      ],\n      \"Resource\": \"*\",\n      \"Condition\": {\n        \"Null\": {\n          \"aws:ResourceTag/elbv2.k8s.aws/cluster\": \"false\"\n        }\n      }\n    },\n    {\n      \"Effect\": 
\"Allow\",\n      \"Action\": [\n        \"elasticloadbalancing:CreateLoadBalancer\",\n        \"elasticloadbalancing:CreateTargetGroup\"\n      ],\n      \"Resource\": \"*\",\n      \"Condition\": {\n        \"Null\": {\n          \"aws:RequestTag/elbv2.k8s.aws/cluster\": \"false\"\n        }\n      }\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"elasticloadbalancing:CreateListener\",\n        \"elasticloadbalancing:DeleteListener\",\n        \"elasticloadbalancing:CreateRule\",\n        \"elasticloadbalancing:DeleteRule\"\n      ],\n      \"Resource\": \"*\"\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"elasticloadbalancing:AddTags\",\n        \"elasticloadbalancing:RemoveTags\"\n      ],\n      \"Resource\": [\n        \"arn:${arn-partition}:elasticloadbalancing:*:*:targetgroup/*/*\",\n        \"arn:${arn-partition}:elasticloadbalancing:*:*:loadbalancer/net/*/*\",\n        \"arn:${arn-partition}:elasticloadbalancing:*:*:loadbalancer/app/*/*\"\n      ],\n      \"Condition\": {\n        \"Null\": {\n          \"aws:RequestTag/elbv2.k8s.aws/cluster\": \"true\",\n          \"aws:ResourceTag/elbv2.k8s.aws/cluster\": \"false\"\n        }\n      }\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"elasticloadbalancing:AddTags\",\n        \"elasticloadbalancing:RemoveTags\"\n      ],\n      \"Resource\": [\n        \"arn:${arn-partition}:elasticloadbalancing:*:*:listener/net/*/*/*\",\n        \"arn:${arn-partition}:elasticloadbalancing:*:*:listener/app/*/*/*\",\n        \"arn:${arn-partition}:elasticloadbalancing:*:*:listener-rule/net/*/*/*\",\n        \"arn:${arn-partition}:elasticloadbalancing:*:*:listener-rule/app/*/*/*\"\n      ]\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"elasticloadbalancing:ModifyLoadBalancerAttributes\",\n        \"elasticloadbalancing:SetIpAddressType\",\n        \"elasticloadbalancing:SetSecurityGroups\",\n        
\"elasticloadbalancing:SetSubnets\",\n        \"elasticloadbalancing:DeleteLoadBalancer\",\n        \"elasticloadbalancing:ModifyTargetGroup\",\n        \"elasticloadbalancing:ModifyTargetGroupAttributes\",\n        \"elasticloadbalancing:DeleteTargetGroup\"\n      ],\n      \"Resource\": \"*\",\n      \"Condition\": {\n        \"Null\": {\n          \"aws:ResourceTag/elbv2.k8s.aws/cluster\": \"false\"\n        }\n      }\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"elasticloadbalancing:AddTags\"\n      ],\n      \"Resource\": [\n        \"arn:${arn-partition}:elasticloadbalancing:*:*:targetgroup/*/*\",\n        \"arn:${arn-partition}:elasticloadbalancing:*:*:loadbalancer/net/*/*\",\n        \"arn:${arn-partition}:elasticloadbalancing:*:*:loadbalancer/app/*/*\"\n      ],\n      \"Condition\": {\n        \"StringEquals\": {\n          \"elasticloadbalancing:CreateAction\": [\n            \"CreateTargetGroup\",\n            \"CreateLoadBalancer\"\n          ]\n        },\n        \"Null\": {\n          \"aws:RequestTag/elbv2.k8s.aws/cluster\": \"false\"\n        }\n      }\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"elasticloadbalancing:RegisterTargets\",\n        \"elasticloadbalancing:DeregisterTargets\"\n      ],\n      \"Resource\": \"arn:${arn-partition}:elasticloadbalancing:*:*:targetgroup/*/*\"\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"elasticloadbalancing:SetWebAcl\",\n        \"elasticloadbalancing:ModifyListener\",\n        \"elasticloadbalancing:AddListenerCertificates\",\n        \"elasticloadbalancing:RemoveListenerCertificates\",\n        \"elasticloadbalancing:ModifyRule\"\n      ],\n      \"Resource\": \"*\"\n    }\n  ]\n}\n"
  },
  {
    "path": "modules/aws/ingress-nginx.tf",
    "content": "locals {\n\n  ingress-nginx = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"ingress-nginx\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"ingress-nginx\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"ingress-nginx\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"ingress-nginx\")].version\n      namespace              = \"ingress-nginx\"\n      use_nlb                = false\n      use_nlb_ip             = false\n      use_l7                 = false\n      enabled                = false\n      default_network_policy = true\n      linkerd-viz-enabled    = false\n      linkerd-viz-namespace  = \"linkerd-viz\"\n      ingress_cidrs          = [\"0.0.0.0/0\"]\n      allowed_cidrs          = [\"0.0.0.0/0\"]\n      extra_ns_labels        = {}\n      extra_ns_annotations   = {}\n    },\n    var.ingress-nginx\n  )\n\n  values_ingress-nginx_l4 = <<VALUES\ncontroller:\n  allowSnippetAnnotations: true\n  metrics:\n    enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\n    serviceMonitor:\n      enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\n  updateStrategy:\n    type: RollingUpdate\n  kind: \"DaemonSet\"\n  service:\n    annotations:\n      service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: \"*\"\n      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: \"3600\"\n  publishService:\n    enabled: true\n  config:\n    use-proxy-protocol: \"true\"\n  priorityClassName: ${local.priority-class-ds[\"create\"] ? 
kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : \"\"}\n  admissionWebhooks:\n    patch:\n      podAnnotations:\n        linkerd.io/inject: disabled\nVALUES\n\n  values_ingress-nginx_nlb = <<VALUES\ncontroller:\n  allowSnippetAnnotations: true\n  metrics:\n    enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\n    serviceMonitor:\n      enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\n  updateStrategy:\n    type: RollingUpdate\n  kind: \"DaemonSet\"\n  service:\n    annotations:\n      service.beta.kubernetes.io/aws-load-balancer-attributes: load_balancing.cross_zone.enabled=true\n      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp\n      service.beta.kubernetes.io/aws-load-balancer-type: nlb\n    externalTrafficPolicy: \"Local\"\n  publishService:\n    enabled: true\n  priorityClassName: ${local.priority-class-ds[\"create\"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : \"\"}\n  admissionWebhooks:\n    patch:\n      podAnnotations:\n        linkerd.io/inject: disabled\nVALUES\n\n  values_ingress-nginx_nlb_ip = <<VALUES\ncontroller:\n  allowSnippetAnnotations: true\n  metrics:\n    enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\n    serviceMonitor:\n      enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\n  updateStrategy:\n    type: RollingUpdate\n  kind: \"DaemonSet\"\n  service:\n    annotations:\n      service.beta.kubernetes.io/aws-load-balancer-attributes: load_balancing.cross_zone.enabled=true\n      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp\n      service.beta.kubernetes.io/aws-load-balancer-type: \"nlb-ip\"\n      service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing\n  publishService:\n    enabled: true\n  priorityClassName: 
${local.priority-class-ds[\"create\"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : \"\"}\n  admissionWebhooks:\n    patch:\n      podAnnotations:\n        linkerd.io/inject: disabled\nVALUES\n\n  values_ingress-nginx_l7 = <<VALUES\ncontroller:\n  allowSnippetAnnotations: true\n  metrics:\n    enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\n    serviceMonitor:\n      enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\n  updateStrategy:\n    type: RollingUpdate\n  kind: \"DaemonSet\"\n  service:\n    targetPorts:\n      http: http\n      https: http\n    annotations:\n      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: \"http\"\n      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: \"https\"\n      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: \"3600\"\n    externalTrafficPolicy: \"Cluster\"\n  publishService:\n    enabled: true\n  config:\n    use-proxy-protocol: \"false\"\n    use-forwarded-headers: \"true\"\n    proxy-real-ip-cidr: \"0.0.0.0/0\"\n  priorityClassName: ${local.priority-class-ds[\"create\"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : \"\"}\n  admissionWebhooks:\n    patch:\n      podAnnotations:\n        linkerd.io/inject: disabled\nVALUES\n\n}\n\nresource \"kubernetes_namespace\" \"ingress-nginx\" {\n  count = local.ingress-nginx[\"enabled\"] ? 1 : 0\n\n  metadata {\n    labels = merge({\n      name                               = local.ingress-nginx[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"ingress\"\n      },\n    local.ingress-nginx[\"extra_ns_labels\"])\n\n    annotations = merge(\n      local.ingress-nginx[\"extra_ns_annotations\"]\n    )\n\n    name = local.ingress-nginx[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"ingress-nginx\" {\n  count                 = local.ingress-nginx[\"enabled\"] ? 
1 : 0\n  repository            = local.ingress-nginx[\"repository\"]\n  name                  = local.ingress-nginx[\"name\"]\n  chart                 = local.ingress-nginx[\"chart\"]\n  version               = local.ingress-nginx[\"chart_version\"]\n  timeout               = local.ingress-nginx[\"timeout\"]\n  force_update          = local.ingress-nginx[\"force_update\"]\n  recreate_pods         = local.ingress-nginx[\"recreate_pods\"]\n  wait                  = local.ingress-nginx[\"wait\"]\n  atomic                = local.ingress-nginx[\"atomic\"]\n  cleanup_on_fail       = local.ingress-nginx[\"cleanup_on_fail\"]\n  dependency_update     = local.ingress-nginx[\"dependency_update\"]\n  disable_crd_hooks     = local.ingress-nginx[\"disable_crd_hooks\"]\n  disable_webhooks      = local.ingress-nginx[\"disable_webhooks\"]\n  render_subchart_notes = local.ingress-nginx[\"render_subchart_notes\"]\n  replace               = local.ingress-nginx[\"replace\"]\n  reset_values          = local.ingress-nginx[\"reset_values\"]\n  reuse_values          = local.ingress-nginx[\"reuse_values\"]\n  skip_crds             = local.ingress-nginx[\"skip_crds\"]\n  verify                = local.ingress-nginx[\"verify\"]\n  values = [\n    local.ingress-nginx[\"use_nlb_ip\"] ? local.values_ingress-nginx_nlb_ip : local.ingress-nginx[\"use_nlb\"] ? local.values_ingress-nginx_nlb : local.ingress-nginx[\"use_l7\"] ? local.values_ingress-nginx_l7 : local.values_ingress-nginx_l4,\n    local.ingress-nginx[\"extra_values\"],\n  ]\n  namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"ingress-nginx_default_deny\" {\n  count = local.ingress-nginx[\"enabled\"] && local.ingress-nginx[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"ingress-nginx_allow_namespace\" {\n  count = local.ingress-nginx[\"enabled\"] && local.ingress-nginx[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"ingress-nginx_allow_ingress\" {\n  count = local.ingress-nginx[\"enabled\"] && local.ingress-nginx[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-ingress\"\n    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n      match_expressions {\n        key      = \"app.kubernetes.io/name\"\n        operator = \"In\"\n        values   = [\"ingress-nginx\"]\n      }\n    }\n\n    ingress {\n      ports {\n        port     = \"80\"\n        protocol = \"TCP\"\n      }\n      ports {\n        port     = \"443\"\n        protocol = \"TCP\"\n      }\n\n      dynamic \"from\" {\n        for_each = local.ingress-nginx[\"ingress_cidrs\"]\n        content {\n          ip_block {\n            cidr = from.value\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"ingress-nginx_allow_monitoring\" {\n  count = local.ingress-nginx[\"enabled\"] && local.ingress-nginx[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-monitoring\"\n    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      ports {\n        port     = \"metrics\"\n        protocol = \"TCP\"\n      }\n\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"monitoring\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"ingress-nginx_allow_control_plane\" {\n  count = local.ingress-nginx[\"enabled\"] && local.ingress-nginx[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-control-plane\"\n    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n      match_expressions {\n        key      = \"app.kubernetes.io/name\"\n        operator = \"In\"\n        values   = [\"ingress-nginx\"]\n      }\n    }\n\n    ingress {\n      ports {\n        port     = \"8443\"\n        protocol = \"TCP\"\n      }\n\n      dynamic \"from\" {\n        for_each = local.ingress-nginx[\"allowed_cidrs\"]\n        content {\n          ip_block {\n            cidr = from.value\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"ingress-nginx_allow_linkerd_viz\" {\n  count = local.ingress-nginx[\"enabled\"] && (local.linkerd-viz[\"enabled\"] || local.ingress-nginx[\"linkerd-viz-enabled\"]) && local.ingress-nginx[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-linkerd-viz\"\n    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = local.linkerd-viz[\"enabled\"] ? local.linkerd-viz[\"namespace\"] : local.ingress-nginx[\"linkerd-viz-namespace\"]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "modules/aws/karpenter.tf",
    "content": "locals {\n\n  karpenter = merge(\n    local.helm_defaults,\n    {\n      name                            = local.helm_dependencies[index(local.helm_dependencies.*.name, \"karpenter\")].name\n      chart                           = local.helm_dependencies[index(local.helm_dependencies.*.name, \"karpenter\")].name\n      repository                      = local.helm_dependencies[index(local.helm_dependencies.*.name, \"karpenter\")].repository\n      chart_version                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"karpenter\")].version\n      namespace                       = \"karpenter\"\n      enabled                         = false\n      create_ns                       = true\n      default_network_policy          = true\n      irsa_oidc_provider_arn          = var.eks[\"oidc_provider_arn\"]\n      irsa_namespace_service_accounts = [\"karpenter:karpenter\"]\n      allowed_cidrs                   = [\"0.0.0.0/0\"]\n      iam_role_name                   = \"\"\n      repository_username             = \"\"\n      repository_password             = \"\"\n\n    },\n    var.karpenter\n  )\n\n  values_karpenter = <<-VALUES\n    settings:\n      aws:\n        enablePodENI: true\n    controller:\n      resources:\n        requests:\n          cpu: 1\n          memory: 1Gi\n    serviceMonitor:\n      enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\n    VALUES\n\n}\n\ndata \"aws_iam_policy_document\" \"karpenter_additional\" {\n  count = local.karpenter[\"enabled\"] ? 
1 : 0\n\n  statement {\n    sid    = \"Karpenter\"\n    effect = \"Allow\"\n    actions = [\n      \"kms:Decrypt\",\n      \"kms:Encrypt\",\n      \"kms:GenerateDataKey*\",\n      \"kms:ReEncrypt*\",\n      \"kms:DescribeKey\",\n      \"kms:CreateGrant\",\n      \"kms:Describe\",\n      \"kms:Get*\",\n      \"kms:List*\",\n      \"kms:RevokeGrant\"\n    ]\n    resources = [\"*\"]\n  }\n}\n\nresource \"aws_iam_policy\" \"karpenter_additional\" {\n  count       = local.karpenter[\"enabled\"] ? 1 : 0\n  name        = \"${var.cluster-name}-karpenter-additional\"\n  description = \"Karpenter additional policy for KMS\"\n  policy      = data.aws_iam_policy_document.karpenter_additional[0].json\n}\n\nmodule \"karpenter\" {\n  source  = \"terraform-aws-modules/eks/aws//modules/karpenter\"\n  version = \"~> 21.0\"\n\n  create = local.karpenter[\"enabled\"]\n\n  cluster_name = var.cluster-name\n\n  node_iam_role_additional_policies = {\n    AmazonSSMManagedInstanceCore = \"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore\",\n    KarpeneterAdditional         = local.karpenter[\"enabled\"] ? aws_iam_policy.karpenter_additional[0].arn : \"\"\n  }\n\n  iam_role_use_name_prefix = false\n\n  create_iam_role = false\n  iam_role_name   = local.karpenter[\"iam_role_name\"]\n\n  tags = local.tags\n}\n\nresource \"kubernetes_namespace\" \"karpenter\" {\n  count = local.karpenter[\"enabled\"] && local.karpenter[\"create_ns\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name = local.karpenter[\"namespace\"]\n    }\n\n    name = local.karpenter[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"karpenter\" {\n  count                 = local.karpenter[\"enabled\"] ? 
1 : 0\n  repository            = local.karpenter[\"repository\"]\n  repository_username   = local.karpenter[\"repository_username\"]\n  repository_password   = local.karpenter[\"repository_password\"]\n  name                  = local.karpenter[\"name\"]\n  chart                 = local.karpenter[\"chart\"]\n  version               = local.karpenter[\"chart_version\"]\n  timeout               = local.karpenter[\"timeout\"]\n  force_update          = local.karpenter[\"force_update\"]\n  recreate_pods         = local.karpenter[\"recreate_pods\"]\n  wait                  = local.karpenter[\"wait\"]\n  atomic                = local.karpenter[\"atomic\"]\n  cleanup_on_fail       = local.karpenter[\"cleanup_on_fail\"]\n  dependency_update     = local.karpenter[\"dependency_update\"]\n  disable_crd_hooks     = local.karpenter[\"disable_crd_hooks\"]\n  disable_webhooks      = local.karpenter[\"disable_webhooks\"]\n  render_subchart_notes = local.karpenter[\"render_subchart_notes\"]\n  replace               = local.karpenter[\"replace\"]\n  reset_values          = local.karpenter[\"reset_values\"]\n  reuse_values          = local.karpenter[\"reuse_values\"]\n  skip_crds             = local.karpenter[\"skip_crds\"]\n  verify                = local.karpenter[\"verify\"]\n  values = [\n    local.values_karpenter,\n    local.karpenter[\"extra_values\"]\n  ]\n  namespace = local.karpenter[\"create_ns\"] ? 
kubernetes_namespace.karpenter.*.metadata.0.name[count.index] : local.karpenter[\"namespace\"]\n\n  set = [\n    {\n      name  = \"settings.aws.clusterName\"\n      value = var.cluster-name\n    },\n    {\n      name  = \"serviceAccount.annotations.eks\\\\.amazonaws\\\\.com/role-arn\"\n      value = module.karpenter.iam_role_arn\n    },\n    {\n      name  = \"settings.aws.defaultInstanceProfile\"\n      value = module.karpenter.instance_profile_name\n    },\n    {\n      name  = \"settings.aws.interruptionQueueName\"\n      value = module.karpenter.queue_name\n    }\n  ]\n\n}\n\nresource \"kubernetes_network_policy\" \"karpenter_default_deny\" {\n  count = local.karpenter[\"create_ns\"] && local.karpenter[\"enabled\"] && local.karpenter[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.karpenter.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.karpenter.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"karpenter_allow_namespace\" {\n  count = local.karpenter[\"create_ns\"] && local.karpenter[\"enabled\"] && local.karpenter[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.karpenter.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.karpenter.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.karpenter.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"karpenter_allow_monitoring\" {\n  count = local.karpenter[\"create_ns\"] && local.karpenter[\"enabled\"] && local.karpenter[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.karpenter.*.metadata.0.name[count.index]}-allow-monitoring\"\n    namespace = kubernetes_namespace.karpenter.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      ports {\n        port     = \"8080\"\n        protocol = \"TCP\"\n      }\n\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"monitoring\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"karpenter_allow_control_plane\" {\n  count = local.karpenter[\"create_ns\"] && local.karpenter[\"enabled\"] && local.karpenter[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.karpenter.*.metadata.0.name[count.index]}-allow-control-plane\"\n    namespace = kubernetes_namespace.karpenter.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n      match_expressions {\n        key      = \"app.kubernetes.io/name\"\n        operator = \"In\"\n        values   = [\"karpenter\"]\n      }\n    }\n\n    ingress {\n      ports {\n        port     = \"8443\"\n        protocol = \"TCP\"\n      }\n\n      dynamic \"from\" {\n        for_each = local.karpenter[\"allowed_cidrs\"]\n        content {\n          ip_block {\n            cidr = from.value\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\noutput \"karpenter_iam\" {\n  value = module.karpenter\n}\n"
  },
  {
    "path": "modules/aws/kube-prometheus.tf",
    "content": "locals {\n  kube-prometheus-stack = merge(\n    local.helm_defaults,\n    {\n      name                              = local.helm_dependencies[index(local.helm_dependencies.*.name, \"kube-prometheus-stack\")].name\n      chart                             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"kube-prometheus-stack\")].name\n      repository                        = local.helm_dependencies[index(local.helm_dependencies.*.name, \"kube-prometheus-stack\")].repository\n      chart_version                     = local.helm_dependencies[index(local.helm_dependencies.*.name, \"kube-prometheus-stack\")].version\n      namespace                         = \"monitoring\"\n      grafana_service_account_name      = \"kube-prometheus-stack-grafana\"\n      prometheus_service_account_name   = \"kube-prometheus-stack-prometheus\"\n      grafana_create_iam_resources_irsa = false\n      grafana_iam_policy_override       = null\n      thanos_create_iam_resources_irsa  = true\n      thanos_iam_policy_override        = null\n      thanos_sidecar_enabled            = false\n      thanos_dashboard_enabled          = true\n      thanos_create_bucket              = true\n      thanos_bucket                     = \"thanos-store-${var.cluster-name}\"\n      thanos_bucket_force_destroy       = false\n      thanos_bucket_enforce_tls         = false\n      thanos_store_config               = null\n      thanos_version                    = \"v0.38.0\"\n      enabled                           = false\n      allowed_cidrs                     = [\"0.0.0.0/0\"]\n      default_network_policy            = true\n      default_global_requests           = false\n      default_global_limits             = false\n      manage_crds                       = true\n      name_prefix                       = \"${var.cluster-name}-kps\"\n      iam_use_name_prefix               = false\n    },\n    var.kube-prometheus-stack\n  )\n\n  values_kube-prometheus-stack = 
<<VALUES\nkubeScheduler:\n  enabled: false\nkubeControllerManager:\n  enabled: false\nkubeEtcd:\n  enabled: false\ngrafana:\n  sidecar:\n    dashboards:\n      multicluster:\n        global:\n          enabled: ${local.kube-prometheus-stack[\"thanos_sidecar_enabled\"] ? \"true\" : \"false\"}\n  rbac:\n    pspEnabled: false\n  serviceAccount:\n    create: true\n    name: ${local.kube-prometheus-stack[\"grafana_service_account_name\"]}\n    nameTest: ${local.kube-prometheus-stack[\"grafana_service_account_name\"]}-test\n    annotations:\n      eks.amazonaws.com/role-arn: \"${local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"grafana_create_iam_resources_irsa\"] ? module.iam_assumable_role_kube-prometheus-stack_grafana.arn : \"\"}\"\n  adminPassword: ${join(\",\", random_string.grafana_password.*.result)}\n  dashboardProviders:\n    dashboardproviders.yaml:\n      apiVersion: 1\n      providers:\n      - name: 'default'\n        orgId: 1\n        folder: ''\n        type: file\n        disableDeletion: false\n        editable: true\n        options:\n          path: /var/lib/grafana/dashboards/default\nprometheus-node-exporter:\n  priorityClassName: ${local.priority-class-ds[\"create\"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : \"\"}\nprometheus:\n  thanosService:\n    enabled: ${local.thanos[\"enabled\"]}\n  serviceAccount:\n    create: true\n    name: ${local.kube-prometheus-stack[\"prometheus_service_account_name\"]}\n    annotations:\n      eks.amazonaws.com/role-arn: \"${local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"thanos_create_iam_resources_irsa\"] ? module.iam_assumable_role_kube-prometheus-stack_thanos.arn : \"\"}\"\n  prometheusSpec:\n    priorityClassName: ${local.priority-class[\"create\"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : \"\"}\nalertmanager:\n  alertmanagerSpec:\n    priorityClassName: ${local.priority-class[\"create\"] ? 
kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : \"\"}\nprometheusOperator:\n  admissionWebhooks:\n    patch:\n      podAnnotations:\n        linkerd.io/inject: disabled\nVALUES\n\n  values_kps_global_requests = <<VALUES\ngrafana:\n  resources:\n    requests:\n      cpu: 100m\n      memory: 200Mi\nprometheus:\n  prometheusSpec:\n    resources:\n      requests:\n        cpu: 50m\n        memory: 1300Mi\nalertmanager:\n  alertmanagerSpec:\n    resources:\n      requests:\n        cpu: 10m\n        memory: 20Mi\nprometheusOperator:\n  resources:\n    requests:\n      cpu: 50m\n      memory: 64Mi\nprometheus-node-exporter:\n  resources:\n    requests:\n      cpu: 10m\n      memory: 20Mi\nkube-state-metrics:\n  resources:\n    requests:\n      cpu: 10m\n      memory: 50Mi\nVALUES\n\n  values_kps_global_limits = <<VALUES\ngrafana:\n  resources:\n    limits:\n      cpu: 500m\n      memory: 500Mi\nalertmanager:\n  alertmanagerSpec:\n    resources:\n      limits:\n        cpu: 100m\n        memory: 200Mi\nprometheusOperator:\n  resources:\n    limits:\n      cpu: 200m\n      memory: 256Mi\nprometheus-node-exporter:\n  resources:\n    limits:\n      cpu: 100m\n      memory: 200Mi\nkube-state-metrics:\n  resources:\n    limits:\n      cpu: 100m\n      memory: 200Mi\nVALUES\n\n  values_dashboard_kong = <<VALUES\ngrafana:\n  dashboards:\n    default:\n      kong-dash:\n        gnetId: 7424\n        revision: 6\n        datasource: ${local.kube-prometheus-stack.enabled ? \"Prometheus\" : local.victoria-metrics-k8s-stack.enabled ? 
\"VictoriaMetrics\" : \"\"}\nVALUES\n\n  values_dashboard_ingress-nginx = <<VALUES\ngrafana:\n  dashboards:\n    default:\n      nginx-ingress:\n        url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/nginx.json\nVALUES\n\n  values_dashboard_cluster-autoscaler = <<VALUES\ngrafana:\n  dashboards:\n    default:\n      cluster-autoscaler:\n        gnetId: 3831\n        revision: 1\n        datasource: ${local.kube-prometheus-stack.enabled ? \"Prometheus\" : local.victoria-metrics-k8s-stack.enabled ? \"VictoriaMetrics\" : \"\"}\nVALUES\n\n  values_dashboard_cert-manager = <<VALUES\ngrafana:\n  dashboards:\n    default:\n      cert-manager:\n        gnetId: 11001\n        revision: 1\n        datasource: ${local.kube-prometheus-stack.enabled ? \"Prometheus\" : local.victoria-metrics-k8s-stack.enabled ? \"VictoriaMetrics\" : \"\"}\nVALUES\n\n  values_dashboard_node_exporter = <<VALUES\ngrafana:\n  dashboards:\n    default:\n      node-exporter-full:\n        gnetId: 1860\n        revision: 21\n        datasource: ${local.kube-prometheus-stack.enabled ? \"Prometheus\" : local.victoria-metrics-k8s-stack.enabled ? \"VictoriaMetrics\" : \"\"}\n      node-exporter:\n        gnetId: 11074\n        revision: 9\n        datasource: ${local.kube-prometheus-stack.enabled ? \"Prometheus\" : local.victoria-metrics-k8s-stack.enabled ? 
\"VictoriaMetrics\" : \"\"}\nVALUES\n\n  values_thanos_sidecar = <<VALUES\nprometheusOperator:\n  thanosImage:\n    tag: \"${local.kube-prometheus-stack[\"thanos_version\"]}\"\nprometheus:\n  prometheusSpec:\n    externalLabels:\n      cluster: ${var.cluster-name}\n    thanos:\n      objectStorageConfig:\n        existingSecret:\n          key: thanos.yaml\n          name: \"${local.kube-prometheus-stack[\"thanos_bucket\"]}-config\"\nVALUES\n\n  values_grafana_ds = <<VALUES\ngrafana:\n  sidecar:\n    datasources:\n      defaultDatasourceEnabled: false\n  additionalDataSources:\n  - name: Prometheus\n    access: proxy\n    editable: false\n    orgId: 1\n    type: prometheus\n    url: http://${local.thanos[\"enabled\"] ? \"${local.thanos[\"name\"]}-query-frontend:9090\" : \"${local.kube-prometheus-stack[\"name\"]}-prometheus:9090\"}\n    version: 1\n    isDefault: true\nVALUES\n\n  values_dashboard_thanos = <<VALUES\ngrafana:\n  dashboards:\n    default:\n      thanos-overview:\n        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/overview.json\n      thanos-compact:\n        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/compact.json\n      thanos-query:\n        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/query.json\n      thanos-store:\n        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/store.json\n      thanos-receiver:\n        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/receive.json\n      thanos-sidecar:\n        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/sidecar.json\n      thanos-rule:\n        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/rule.json\n      thanos-replicate:\n        url: 
https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/bucket-replicate.json\nVALUES\n\n  thanos_store_config_default = <<VALUES\ntype: S3\nconfig:\n  bucket: ${local.kube-prometheus-stack[\"thanos_bucket\"]}\n  region: ${data.aws_region.current.name}\n  endpoint: s3.${data.aws_region.current.name}.amazonaws.com\n  sse_config:\n    type: \"SSE-S3\"\nVALUES\n\n  thanos_store_config_computed = local.kube-prometheus-stack[\"thanos_store_config\"] == null ? local.thanos_store_config_default : local.kube-prometheus-stack[\"thanos_store_config\"]\n\n}\n\nmodule \"iam_assumable_role_kube-prometheus-stack_grafana\" {\n  source             = \"terraform-aws-modules/iam/aws//modules/iam-role\"\n  version            = \"~> 6.0\"\n  create             = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"grafana_create_iam_resources_irsa\"]\n  name               = \"${local.kube-prometheus-stack[\"name_prefix\"]}-grafana\"\n  use_name_prefix    = local.kube-prometheus-stack[\"iam_use_name_prefix\"]\n  enable_oidc        = true\n  oidc_provider_urls = [replace(var.eks[\"cluster_oidc_issuer_url\"], \"https://\", \"\")]\n  policies           = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"grafana_create_iam_resources_irsa\"] ? 
{ \"kube-prometheus-stack-grafana\" = aws_iam_policy.kube-prometheus-stack_grafana[0].arn } : {}\n  oidc_subjects      = [\"system:serviceaccount:${local.kube-prometheus-stack[\"namespace\"]}:${local.kube-prometheus-stack[\"grafana_service_account_name\"]}\"]\n  tags               = local.tags\n}\n\nmodule \"iam_assumable_role_kube-prometheus-stack_thanos\" {\n  source             = \"terraform-aws-modules/iam/aws//modules/iam-role\"\n  version            = \"~> 6.0\"\n  create             = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"thanos_create_iam_resources_irsa\"] && local.kube-prometheus-stack[\"thanos_sidecar_enabled\"]\n  name               = \"${local.kube-prometheus-stack[\"name_prefix\"]}-thanos\"\n  use_name_prefix    = local.kube-prometheus-stack[\"iam_use_name_prefix\"]\n  enable_oidc        = true\n  oidc_provider_urls = [replace(var.eks[\"cluster_oidc_issuer_url\"], \"https://\", \"\")]\n  policies           = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"thanos_create_iam_resources_irsa\"] ? { \"kube-prometheus-stack-thanos\" = aws_iam_policy.kube-prometheus-stack_thanos[0].arn } : {}\n  oidc_subjects      = [\"system:serviceaccount:${local.kube-prometheus-stack[\"namespace\"]}:${local.kube-prometheus-stack[\"prometheus_service_account_name\"]}\"]\n  tags               = local.tags\n}\n\nresource \"aws_iam_policy\" \"kube-prometheus-stack_grafana\" {\n  count  = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"grafana_create_iam_resources_irsa\"] ? 1 : 0\n  name   = \"${local.kube-prometheus-stack[\"name_prefix\"]}-grafana\"\n  policy = local.kube-prometheus-stack[\"grafana_iam_policy_override\"] == null ? 
data.aws_iam_policy_document.kube-prometheus-stack_grafana.json : local.kube-prometheus-stack[\"grafana_iam_policy_override\"]\n  tags   = local.tags\n}\n\nresource \"aws_iam_policy\" \"kube-prometheus-stack_thanos\" {\n  count  = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"thanos_create_iam_resources_irsa\"] && local.kube-prometheus-stack[\"thanos_sidecar_enabled\"] ? 1 : 0\n  name   = \"${local.kube-prometheus-stack[\"name_prefix\"]}-thanos\"\n  policy = local.kube-prometheus-stack[\"thanos_iam_policy_override\"] == null ? data.aws_iam_policy_document.kube-prometheus-stack_thanos.json : local.kube-prometheus-stack[\"thanos_iam_policy_override\"]\n  tags   = local.tags\n}\n\nresource \"kubernetes_secret\" \"kube-prometheus-stack_thanos\" {\n  count = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"thanos_sidecar_enabled\"] ? 1 : 0\n  metadata {\n    name      = \"${local.kube-prometheus-stack[\"thanos_bucket\"]}-config\"\n    namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n  }\n\n  data = {\n    \"thanos.yaml\" = local.thanos_store_config_computed\n  }\n}\n\ndata \"aws_iam_policy_document\" \"kube-prometheus-stack_grafana\" {\n  statement {\n    effect = \"Allow\"\n\n    actions = [\n      \"cloudwatch:DescribeAlarmsForMetric\",\n      \"cloudwatch:DescribeAlarmHistory\",\n      \"cloudwatch:DescribeAlarms\",\n      \"cloudwatch:ListMetrics\",\n      \"cloudwatch:GetMetricStatistics\",\n      \"cloudwatch:GetMetricData\"\n    ]\n\n    resources = [\"*\"]\n  }\n\n  statement {\n    effect = \"Allow\"\n\n    actions = [\n      \"logs:DescribeLogGroups\",\n      \"logs:GetLogGroupFields\",\n      \"logs:StartQuery\",\n      \"logs:StopQuery\",\n      \"logs:GetQueryResults\",\n      \"logs:GetLogEvents\"\n    ]\n\n    resources = [\"*\"]\n\n  }\n\n  statement {\n    effect = \"Allow\"\n\n    actions = [\n      \"ec2:DescribeTags\",\n      \"ec2:DescribeInstances\",\n      
\"ec2:DescribeRegions\"\n    ]\n\n    resources = [\"*\"]\n  }\n}\n\ndata \"aws_iam_policy_document\" \"kube-prometheus-stack_thanos\" {\n  statement {\n    effect = \"Allow\"\n\n    actions = [\n      \"s3:ListBucket\"\n    ]\n\n    resources = [\"arn:${local.arn-partition}:s3:::${local.kube-prometheus-stack[\"thanos_bucket\"]}\"]\n  }\n\n  statement {\n    effect = \"Allow\"\n\n    actions = [\n      \"s3:*Object\"\n    ]\n\n    resources = [\"arn:${local.arn-partition}:s3:::${local.kube-prometheus-stack[\"thanos_bucket\"]}/*\"]\n  }\n}\n\nmodule \"kube-prometheus-stack_thanos_bucket\" {\n  create_bucket = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"thanos_sidecar_enabled\"] && local.kube-prometheus-stack[\"thanos_create_bucket\"]\n\n  source  = \"terraform-aws-modules/s3-bucket/aws\"\n  version = \"~> 5.0\"\n\n  control_object_ownership = true\n  object_ownership         = \"ObjectWriter\"\n\n  force_destroy = local.kube-prometheus-stack[\"thanos_bucket_force_destroy\"]\n\n  bucket = local.kube-prometheus-stack[\"thanos_bucket\"]\n  acl    = \"private\"\n\n  versioning = {\n    status = true\n  }\n\n  server_side_encryption_configuration = {\n    rule = {\n      apply_server_side_encryption_by_default = {\n        sse_algorithm = \"AES256\"\n      }\n    }\n  }\n\n  logging = local.s3-logging.enabled ? {\n    target_bucket = local.s3-logging.create_bucket ? module.s3_logging_bucket.s3_bucket_id : local.s3-logging.custom_bucket_id\n    target_prefix = \"${var.cluster-name}/${local.kube-prometheus-stack.name}/\"\n  } : {}\n\n  attach_deny_insecure_transport_policy = local.kube-prometheus-stack[\"thanos_bucket_enforce_tls\"]\n\n  tags = local.tags\n}\n\nresource \"kubernetes_namespace\" \"kube-prometheus-stack\" {\n  count = local.kube-prometheus-stack[\"enabled\"] ? 
1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.kube-prometheus-stack[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"monitoring\"\n    }\n\n    name = local.kube-prometheus-stack[\"namespace\"]\n  }\n\n  lifecycle {\n    ignore_changes = [\n      metadata[0].annotations,\n      metadata[0].labels,\n    ]\n  }\n}\n\nresource \"random_string\" \"grafana_password\" {\n  count   = local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"] ? 1 : 0\n  length  = 16\n  special = false\n}\n\nresource \"helm_release\" \"kube-prometheus-stack\" {\n  count                 = local.kube-prometheus-stack[\"enabled\"] ? 1 : 0\n  repository            = local.kube-prometheus-stack[\"repository\"]\n  name                  = local.kube-prometheus-stack[\"name\"]\n  chart                 = local.kube-prometheus-stack[\"chart\"]\n  version               = local.kube-prometheus-stack[\"chart_version\"]\n  timeout               = local.kube-prometheus-stack[\"timeout\"]\n  force_update          = local.kube-prometheus-stack[\"force_update\"]\n  recreate_pods         = local.kube-prometheus-stack[\"recreate_pods\"]\n  wait                  = local.kube-prometheus-stack[\"wait\"]\n  atomic                = local.kube-prometheus-stack[\"atomic\"]\n  cleanup_on_fail       = local.kube-prometheus-stack[\"cleanup_on_fail\"]\n  dependency_update     = local.kube-prometheus-stack[\"dependency_update\"]\n  disable_crd_hooks     = local.kube-prometheus-stack[\"disable_crd_hooks\"]\n  disable_webhooks      = local.kube-prometheus-stack[\"disable_webhooks\"]\n  render_subchart_notes = local.kube-prometheus-stack[\"render_subchart_notes\"]\n  replace               = local.kube-prometheus-stack[\"replace\"]\n  reset_values          = local.kube-prometheus-stack[\"reset_values\"]\n  reuse_values          = local.kube-prometheus-stack[\"reuse_values\"]\n  skip_crds             = 
local.kube-prometheus-stack[\"skip_crds\"]\n  verify                = local.kube-prometheus-stack[\"verify\"]\n  values = compact([\n    local.values_kube-prometheus-stack,\n    local.kong[\"enabled\"] ? local.values_dashboard_kong : null,\n    local.cert-manager[\"enabled\"] ? local.values_dashboard_cert-manager : null,\n    local.cluster-autoscaler[\"enabled\"] ? local.values_dashboard_cluster-autoscaler : null,\n    local.ingress-nginx[\"enabled\"] ? local.values_dashboard_ingress-nginx : null,\n    local.thanos[\"enabled\"] && local.kube-prometheus-stack[\"thanos_dashboard_enabled\"] ? local.values_dashboard_thanos : null,\n    local.values_dashboard_node_exporter,\n    local.kube-prometheus-stack[\"thanos_sidecar_enabled\"] ? local.values_thanos_sidecar : null,\n    local.kube-prometheus-stack[\"thanos_sidecar_enabled\"] ? local.values_grafana_ds : null,\n    local.kube-prometheus-stack[\"default_global_requests\"] ? local.values_kps_global_requests : null,\n    local.kube-prometheus-stack[\"default_global_limits\"] ? local.values_kps_global_limits : null,\n    local.kube-prometheus-stack[\"extra_values\"]\n  ])\n  namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n\n  depends_on = [\n    helm_release.ingress-nginx,\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"kube-prometheus-stack_default_deny\" {\n  count = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"kube-prometheus-stack_allow_namespace\" {\n  count = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"kube-prometheus-stack_allow_ingress\" {\n  count = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]}-allow-ingress\"\n    namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"ingress\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"kube-prometheus-stack_allow_control_plane\" {\n  count = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]}-allow-control-plane\"\n    namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n      match_expressions {\n        key      = \"app\"\n        operator = \"In\"\n        values   = [\"${local.kube-prometheus-stack[\"name\"]}-operator\"]\n      }\n    }\n\n    ingress {\n      ports {\n        port     = \"10250\"\n        protocol = \"TCP\"\n      }\n\n      dynamic \"from\" {\n        for_each = local.kube-prometheus-stack[\"allowed_cidrs\"]\n        content {\n          ip_block {\n            cidr = from.value\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\noutput \"kube-prometheus-stack\" {\n  value = {\n    iam_assumable_role_kube-prometheus-stack_grafana = module.iam_assumable_role_kube-prometheus-stack_grafana\n    iam_assumable_role_kube-prometheus-stack_thanos  = module.iam_assumable_role_kube-prometheus-stack_thanos\n  }\n}\n\noutput \"kube-prometheus-stack_sensitive\" {\n  value = {\n    grafana_password = element(concat(random_string.grafana_password.*.result, [\"\"]), 0)\n  }\n  sensitive = true\n}\n"
  },
  {
    "path": "modules/aws/locals-aws.tf",
    "content": "locals {\n  tags          = var.tags\n  arn-partition = var.arn-partition != \"\" ? var.arn-partition : data.aws_partition.current.partition\n}\n"
  },
  {
    "path": "modules/aws/loki-stack.tf",
    "content": "locals {\n  loki-stack = merge(\n    local.helm_defaults,\n    {\n      name                      = local.helm_dependencies[index(local.helm_dependencies.*.name, \"loki\")].name\n      chart                     = local.helm_dependencies[index(local.helm_dependencies.*.name, \"loki\")].name\n      repository                = local.helm_dependencies[index(local.helm_dependencies.*.name, \"loki\")].repository\n      chart_version             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"loki\")].version\n      namespace                 = \"monitoring\"\n      create_iam_resources_irsa = true\n      iam_policy_override       = null\n      create_ns                 = false\n      enabled                   = false\n      default_network_policy    = true\n      create_bucket             = true\n      bucket                    = \"loki-store-${var.cluster-name}\"\n      bucket_lifecycle_rule     = []\n      bucket_force_destroy      = false\n      bucket_enforce_tls        = false\n      generate_ca               = true\n      trusted_ca_content        = null\n      create_promtail_cert      = true\n      create_grafana_ds_cm      = true\n      name_prefix               = \"${var.cluster-name}-loki\"\n      iam_use_name_prefix       = false\n    },\n    var.loki-stack\n  )\n\n  values_loki-stack = <<-VALUES\n    test:\n      enabled: false\n    serviceMonitor:\n      enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\n    gateway:\n      service:\n        labels:\n          prometheus.io/service-monitor: \"false\"\n    priorityClassName: ${local.priority-class[\"create\"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : \"\"}\n    serviceAccount:\n      name: ${local.loki-stack[\"name\"]}\n      annotations:\n        eks.amazonaws.com/role-arn: \"${local.loki-stack[\"enabled\"] && local.loki-stack[\"create_iam_resources_irsa\"] ? 
module.iam_assumable_role_loki-stack.arn : \"\"}\"\n    persistence:\n      enabled: true\n    loki:\n      auth_enabled: false\n      storage:\n        bucketNames:\n          chunks: \"${local.loki-stack[\"bucket\"]}\"\n          ruler: \"${local.loki-stack[\"bucket\"]}\"\n          admin: \"${local.loki-stack[\"bucket\"]}\"\n        s3:\n          region: eu-west-1\n      schemaConfig:\n        configs:\n        - from: 2020-10-24\n          store: boltdb-shipper\n          object_store: aws\n          schema: v12\n          index:\n            prefix: loki_index_\n            period: 24h\n      storage_config:\n        aws:\n          s3: \"s3://${data.aws_region.current.name}/${local.loki-stack[\"bucket\"]}\"\n    VALUES\n}\n\nmodule \"iam_assumable_role_loki-stack\" {\n  source                 = \"terraform-aws-modules/iam/aws//modules/iam-role\"\n  version                = \"~> 6.0\"\n  create                 = local.loki-stack[\"enabled\"] && local.loki-stack[\"create_iam_resources_irsa\"]\n  name                   = local.loki-stack[\"name_prefix\"]\n  use_name_prefix        = local.loki-stack[\"iam_use_name_prefix\"]\n  enable_oidc            = true\n  oidc_provider_urls     = [replace(var.eks[\"cluster_oidc_issuer_url\"], \"https://\", \"\")]\n  policies               = local.loki-stack[\"enabled\"] && local.loki-stack[\"create_iam_resources_irsa\"] ? { loki-stack = aws_iam_policy.loki-stack[0].arn } : {}\n  oidc_wildcard_subjects = [\"system:serviceaccount:${local.loki-stack[\"namespace\"]}:${local.loki-stack[\"name\"]}\"]\n  tags                   = local.tags\n}\n\nresource \"aws_iam_policy\" \"loki-stack\" {\n  count  = local.loki-stack[\"enabled\"] && local.loki-stack[\"create_iam_resources_irsa\"] ? 1 : 0\n  name   = local.loki-stack[\"name_prefix\"]\n  policy = local.loki-stack[\"iam_policy_override\"] == null ? 
data.aws_iam_policy_document.loki-stack.json : local.loki-stack[\"iam_policy_override\"]\n}\n\ndata \"aws_iam_policy_document\" \"loki-stack\" {\n  statement {\n    effect = \"Allow\"\n\n    actions = [\n      \"s3:ListBucket\"\n    ]\n\n    resources = [\"arn:${local.arn-partition}:s3:::${local.loki-stack[\"bucket\"]}\"]\n  }\n\n  statement {\n    effect = \"Allow\"\n\n    actions = [\n      \"s3:*Object\"\n    ]\n\n    resources = [\"arn:${local.arn-partition}:s3:::${local.loki-stack[\"bucket\"]}/*\"]\n  }\n}\n\nresource \"kubernetes_namespace\" \"loki-stack\" {\n  count = local.loki-stack[\"enabled\"] && local.loki-stack[\"create_ns\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.loki-stack[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"monitoring\"\n    }\n\n    name = local.loki-stack[\"namespace\"]\n  }\n}\n\nresource \"kubernetes_config_map\" \"loki-stack_grafana_ds\" {\n  count = local.loki-stack[\"enabled\"] && local.loki-stack[\"create_grafana_ds_cm\"] ? 1 : 0\n  metadata {\n    name      = \"${local.loki-stack[\"name\"]}-grafana-ds\"\n    namespace = local.loki-stack[\"namespace\"]\n    labels = {\n      grafana_datasource = \"1\"\n    }\n  }\n\n  data = {\n    \"datasource.yml\" = <<-VALUES\n      datasources:\n      - access: proxy\n        editable: true\n        isDefault: false\n        name: Loki\n        orgId: 1\n        type: loki\n        url: http://${local.loki-stack[\"name\"]}-gateway\n        version: 1\n      VALUES\n  }\n}\n\nresource \"helm_release\" \"loki-stack\" {\n  count                 = local.loki-stack[\"enabled\"] ? 
1 : 0\n  repository            = local.loki-stack[\"repository\"]\n  name                  = local.loki-stack[\"name\"]\n  chart                 = local.loki-stack[\"chart\"]\n  version               = local.loki-stack[\"chart_version\"]\n  timeout               = local.loki-stack[\"timeout\"]\n  force_update          = local.loki-stack[\"force_update\"]\n  recreate_pods         = local.loki-stack[\"recreate_pods\"]\n  wait                  = local.loki-stack[\"wait\"]\n  atomic                = local.loki-stack[\"atomic\"]\n  cleanup_on_fail       = local.loki-stack[\"cleanup_on_fail\"]\n  dependency_update     = local.loki-stack[\"dependency_update\"]\n  disable_crd_hooks     = local.loki-stack[\"disable_crd_hooks\"]\n  disable_webhooks      = local.loki-stack[\"disable_webhooks\"]\n  render_subchart_notes = local.loki-stack[\"render_subchart_notes\"]\n  replace               = local.loki-stack[\"replace\"]\n  reset_values          = local.loki-stack[\"reset_values\"]\n  reuse_values          = local.loki-stack[\"reuse_values\"]\n  skip_crds             = local.loki-stack[\"skip_crds\"]\n  verify                = local.loki-stack[\"verify\"]\n  values = [\n    local.values_loki-stack,\n    local.loki-stack[\"extra_values\"]\n  ]\n  namespace = local.loki-stack[\"create_ns\"] ? 
kubernetes_namespace.loki-stack.*.metadata.0.name[count.index] : local.loki-stack[\"namespace\"]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nmodule \"loki_bucket\" {\n  create_bucket = local.loki-stack[\"enabled\"] && local.loki-stack[\"create_bucket\"]\n\n  source  = \"terraform-aws-modules/s3-bucket/aws\"\n  version = \"~> 5.0\"\n\n  control_object_ownership = true\n  object_ownership         = \"ObjectWriter\"\n\n  force_destroy = local.loki-stack[\"bucket_force_destroy\"]\n\n  bucket = local.loki-stack[\"bucket\"]\n  acl    = \"private\"\n\n  versioning = {\n    status = true\n  }\n\n  server_side_encryption_configuration = {\n    rule = {\n      apply_server_side_encryption_by_default = {\n        sse_algorithm = \"AES256\"\n      }\n    }\n  }\n\n  logging = local.s3-logging.enabled ? {\n    target_bucket = local.s3-logging.create_bucket ? module.s3_logging_bucket.s3_bucket_id : local.s3-logging.custom_bucket_id\n    target_prefix = \"${var.cluster-name}/${local.loki-stack.name}/\"\n  } : {}\n\n  attach_deny_insecure_transport_policy = local.loki-stack[\"bucket_enforce_tls\"]\n\n  tags = local.tags\n\n  lifecycle_rule = local.loki-stack[\"bucket_lifecycle_rule\"]\n}\n\nresource \"tls_private_key\" \"loki-stack-ca-key\" {\n  count       = local.loki-stack[\"enabled\"] && local.loki-stack[\"generate_ca\"] ? 1 : 0\n  algorithm   = \"ECDSA\"\n  ecdsa_curve = \"P384\"\n}\n\nresource \"tls_self_signed_cert\" \"loki-stack-ca-cert\" {\n  count             = local.loki-stack[\"enabled\"] && local.loki-stack[\"generate_ca\"] ? 
1 : 0\n  private_key_pem   = tls_private_key.loki-stack-ca-key[0].private_key_pem\n  is_ca_certificate = true\n\n  subject {\n    common_name  = var.cluster-name\n    organization = var.cluster-name\n  }\n\n  validity_period_hours = 87600\n  early_renewal_hours   = 720\n\n  allowed_uses = [\n    \"cert_signing\"\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"loki-stack_default_deny\" {\n  count = local.loki-stack[\"create_ns\"] && local.loki-stack[\"enabled\"] && local.loki-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"loki-stack_allow_namespace\" {\n  count = local.loki-stack[\"create_ns\"] && local.loki-stack[\"enabled\"] && local.loki-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"loki-stack_allow_ingress\" {\n  count = local.loki-stack[\"create_ns\"] && local.loki-stack[\"enabled\"] && local.loki-stack[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]}-allow-ingress\"\n    namespace = kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"ingress\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_secret\" \"loki-stack-ca\" {\n  count = local.loki-stack[\"enabled\"] && (local.loki-stack[\"generate_ca\"] || local.loki-stack[\"trusted_ca_content\"] != null) ? 1 : 0\n  metadata {\n    name      = \"${local.loki-stack[\"name\"]}-ca\"\n    namespace = local.loki-stack[\"create_ns\"] ? kubernetes_namespace.loki-stack.*.metadata.0.name[count.index] : local.loki-stack[\"namespace\"]\n  }\n\n  data = {\n    \"ca.crt\" = local.loki-stack[\"generate_ca\"] ? tls_self_signed_cert.loki-stack-ca-cert[count.index].cert_pem : local.loki-stack[\"trusted_ca_content\"]\n  }\n}\n\nresource \"tls_private_key\" \"promtail-key\" {\n  count       = local.loki-stack[\"enabled\"] && local.loki-stack[\"generate_ca\"] && local.loki-stack[\"create_promtail_cert\"] ? 1 : 0\n  algorithm   = \"ECDSA\"\n  ecdsa_curve = \"P384\"\n}\n\nresource \"tls_cert_request\" \"promtail-csr\" {\n  count           = local.loki-stack[\"enabled\"] && local.loki-stack[\"generate_ca\"] && local.loki-stack[\"create_promtail_cert\"] ? 1 : 0\n  private_key_pem = tls_private_key.promtail-key[count.index].private_key_pem\n\n  subject {\n    common_name = \"promtail\"\n  }\n\n  dns_names = [\n    \"promtail\"\n  ]\n}\n\nresource \"tls_locally_signed_cert\" \"promtail-cert\" {\n  count              = local.loki-stack[\"enabled\"] && local.loki-stack[\"generate_ca\"] && local.loki-stack[\"create_promtail_cert\"] ? 
1 : 0\n  cert_request_pem   = tls_cert_request.promtail-csr[count.index].cert_request_pem\n  ca_private_key_pem = tls_private_key.loki-stack-ca-key[count.index].private_key_pem\n  ca_cert_pem        = tls_self_signed_cert.loki-stack-ca-cert[count.index].cert_pem\n\n  validity_period_hours = 8760\n  early_renewal_hours   = 720\n\n  allowed_uses = [\n    \"key_encipherment\",\n    \"digital_signature\",\n    \"client_auth\"\n  ]\n}\n\noutput \"loki-stack-ca\" {\n  value = element(concat(tls_self_signed_cert.loki-stack-ca-cert[*].cert_pem, [\"\"]), 0)\n}\n\noutput \"promtail-key\" {\n  value     = element(concat(tls_private_key.promtail-key[*].private_key_pem, [\"\"]), 0)\n  sensitive = true\n}\n\noutput \"promtail-cert\" {\n  value     = element(concat(tls_locally_signed_cert.promtail-cert[*].cert_pem, [\"\"]), 0)\n  sensitive = true\n}\n"
  },
  {
    "path": "modules/aws/prometheus-cloudwatch-exporter.tf",
    "content": "locals {\n  prometheus-cloudwatch-exporter = merge(\n    local.helm_defaults,\n    {\n      name                      = local.helm_dependencies[index(local.helm_dependencies.*.name, \"prometheus-cloudwatch-exporter\")].name\n      chart                     = local.helm_dependencies[index(local.helm_dependencies.*.name, \"prometheus-cloudwatch-exporter\")].name\n      repository                = local.helm_dependencies[index(local.helm_dependencies.*.name, \"prometheus-cloudwatch-exporter\")].repository\n      chart_version             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"prometheus-cloudwatch-exporter\")].version\n      namespace                 = \"monitoring\"\n      create_ns                 = false\n      enabled                   = false\n      default_network_policy    = true\n      service_account_name      = \"prometheus-cloudwatch-exporter\"\n      create_iam_resources_irsa = true\n      iam_policy_override       = null\n      name_prefix               = \"${var.cluster-name}-prom-cw-exporter\"\n      iam_use_name_prefix       = false\n    },\n    var.prometheus-cloudwatch-exporter\n  )\n\n  values_prometheus-cloudwatch-exporter = <<-VALUES\n    serviceMonitor:\n      enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\n    aws:\n      role: \"${local.prometheus-cloudwatch-exporter[\"enabled\"] && local.prometheus-cloudwatch-exporter[\"create_iam_resources_irsa\"] ? module.iam_assumable_role_prometheus-cloudwatch-exporter.arn : \"\"}\"\n    serviceAccount:\n      name: ${local.prometheus-cloudwatch-exporter[\"service_account_name\"]}\n      annotations:\n        eks.amazonaws.com/role-arn: \"${local.prometheus-cloudwatch-exporter[\"enabled\"] && local.prometheus-cloudwatch-exporter[\"create_iam_resources_irsa\"] ? 
module.iam_assumable_role_prometheus-cloudwatch-exporter.arn : \"\"}\"\n    VALUES\n}\n\nmodule \"iam_assumable_role_prometheus-cloudwatch-exporter\" {\n  source             = \"terraform-aws-modules/iam/aws//modules/iam-role\"\n  version            = \"~> 6.0\"\n  create             = local.prometheus-cloudwatch-exporter[\"enabled\"] && local.prometheus-cloudwatch-exporter[\"create_iam_resources_irsa\"]\n  name               = local.prometheus-cloudwatch-exporter[\"name_prefix\"]\n  use_name_prefix    = local.prometheus-cloudwatch-exporter[\"iam_use_name_prefix\"]\n  enable_oidc        = true\n  oidc_provider_urls = [replace(var.eks[\"cluster_oidc_issuer_url\"], \"https://\", \"\")]\n  policies           = local.prometheus-cloudwatch-exporter[\"enabled\"] && local.prometheus-cloudwatch-exporter[\"create_iam_resources_irsa\"] ? { prometheus-cloudwatch-exporter = aws_iam_policy.prometheus-cloudwatch-exporter[0].arn } : {}\n  oidc_subjects      = [\"system:serviceaccount:${local.prometheus-cloudwatch-exporter[\"namespace\"]}:${local.prometheus-cloudwatch-exporter[\"service_account_name\"]}\"]\n  tags               = local.tags\n}\n\nresource \"aws_iam_policy\" \"prometheus-cloudwatch-exporter\" {\n  count  = local.prometheus-cloudwatch-exporter[\"enabled\"] && local.prometheus-cloudwatch-exporter[\"create_iam_resources_irsa\"] ? 1 : 0\n  name   = local.prometheus-cloudwatch-exporter[\"name_prefix\"]\n  policy = local.prometheus-cloudwatch-exporter[\"iam_policy_override\"] == null ? 
data.aws_iam_policy_document.prometheus-cloudwatch-exporter.json : local.prometheus-cloudwatch-exporter[\"iam_policy_override\"]\n  tags   = local.tags\n}\n\ndata \"aws_iam_policy_document\" \"prometheus-cloudwatch-exporter\" {\n  statement {\n    effect = \"Allow\"\n\n    actions = [\n      \"cloudwatch:ListMetrics\",\n      \"cloudwatch:GetMetricStatistics\",\n      \"tag:GetResources\"\n    ]\n\n    resources = [\"*\"]\n  }\n}\n\nresource \"kubernetes_namespace\" \"prometheus-cloudwatch-exporter\" {\n  count = local.prometheus-cloudwatch-exporter[\"enabled\"] && local.prometheus-cloudwatch-exporter[\"create_ns\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.prometheus-cloudwatch-exporter[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"monitoring\"\n    }\n\n    name = local.prometheus-cloudwatch-exporter[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"prometheus-cloudwatch-exporter\" {\n  count                 = local.prometheus-cloudwatch-exporter[\"enabled\"] ? 
1 : 0\n  repository            = local.prometheus-cloudwatch-exporter[\"repository\"]\n  name                  = local.prometheus-cloudwatch-exporter[\"name\"]\n  chart                 = local.prometheus-cloudwatch-exporter[\"chart\"]\n  version               = local.prometheus-cloudwatch-exporter[\"chart_version\"]\n  timeout               = local.prometheus-cloudwatch-exporter[\"timeout\"]\n  force_update          = local.prometheus-cloudwatch-exporter[\"force_update\"]\n  recreate_pods         = local.prometheus-cloudwatch-exporter[\"recreate_pods\"]\n  wait                  = local.prometheus-cloudwatch-exporter[\"wait\"]\n  atomic                = local.prometheus-cloudwatch-exporter[\"atomic\"]\n  cleanup_on_fail       = local.prometheus-cloudwatch-exporter[\"cleanup_on_fail\"]\n  dependency_update     = local.prometheus-cloudwatch-exporter[\"dependency_update\"]\n  disable_crd_hooks     = local.prometheus-cloudwatch-exporter[\"disable_crd_hooks\"]\n  disable_webhooks      = local.prometheus-cloudwatch-exporter[\"disable_webhooks\"]\n  render_subchart_notes = local.prometheus-cloudwatch-exporter[\"render_subchart_notes\"]\n  replace               = local.prometheus-cloudwatch-exporter[\"replace\"]\n  reset_values          = local.prometheus-cloudwatch-exporter[\"reset_values\"]\n  reuse_values          = local.prometheus-cloudwatch-exporter[\"reuse_values\"]\n  skip_crds             = local.prometheus-cloudwatch-exporter[\"skip_crds\"]\n  verify                = local.prometheus-cloudwatch-exporter[\"verify\"]\n  values = [\n    local.values_prometheus-cloudwatch-exporter,\n    local.prometheus-cloudwatch-exporter[\"extra_values\"]\n  ]\n  namespace = local.prometheus-cloudwatch-exporter[\"create_ns\"] ? 
kubernetes_namespace.prometheus-cloudwatch-exporter.*.metadata.0.name[count.index] : local.prometheus-cloudwatch-exporter[\"namespace\"]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"prometheus-cloudwatch-exporter_default_deny\" {\n  count = local.prometheus-cloudwatch-exporter[\"create_ns\"] && local.prometheus-cloudwatch-exporter[\"enabled\"] && local.prometheus-cloudwatch-exporter[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.prometheus-cloudwatch-exporter.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.prometheus-cloudwatch-exporter.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"prometheus-cloudwatch-exporter_allow_namespace\" {\n  count = local.prometheus-cloudwatch-exporter[\"create_ns\"] && local.prometheus-cloudwatch-exporter[\"enabled\"] && local.prometheus-cloudwatch-exporter[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.prometheus-cloudwatch-exporter.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.prometheus-cloudwatch-exporter.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.prometheus-cloudwatch-exporter.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "modules/aws/s3-logging.tf",
    "content": "locals {\n  s3-logging = merge(\n    {\n      enabled          = false\n      create_bucket    = true\n      custom_bucket_id = null\n    },\n    var.s3-logging\n  )\n}\n\nmodule \"s3_logging_bucket\" {\n  create_bucket = local.s3-logging.enabled && local.s3-logging.create_bucket\n\n  source  = \"terraform-aws-modules/s3-bucket/aws\"\n  version = \"~> 5.0\"\n\n  control_object_ownership = true\n  object_ownership         = \"ObjectWriter\"\n\n  bucket = \"${var.cluster-name}-eks-addons-s3-logging\"\n  acl    = \"private\"\n\n  versioning = {\n    status = true\n  }\n\n  server_side_encryption_configuration = {\n    rule = {\n      apply_server_side_encryption_by_default = {\n        sse_algorithm = \"AES256\"\n      }\n    }\n  }\n\n  tags = local.tags\n}\n"
  },
  {
    "path": "modules/aws/secrets-store-csi-driver-provider-aws.tf",
    "content": "locals {\n\n  secrets-store-csi-driver-provider-aws = merge(\n    {\n      enabled = local.secrets-store-csi-driver.enabled\n      url     = \"https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/deployment/aws-provider-installer.yaml\"\n    },\n    var.secrets-store-csi-driver-provider-aws\n  )\n\n  secrets-store-csi-driver-provider-aws_apply = local.secrets-store-csi-driver-provider-aws.enabled ? [for v in data.kubectl_file_documents.secrets-store-csi-driver-provider-aws.0.documents : {\n    data : yamldecode(v)\n    content : v\n    }\n  ] : null\n}\n\ndata \"http\" \"secrets-store-csi-driver-provider-aws\" {\n  count = local.secrets-store-csi-driver-provider-aws.enabled ? 1 : 0\n  url   = local.secrets-store-csi-driver-provider-aws.url\n}\n\ndata \"kubectl_file_documents\" \"secrets-store-csi-driver-provider-aws\" {\n  count   = local.secrets-store-csi-driver-provider-aws.enabled ? 1 : 0\n  content = data.http.secrets-store-csi-driver-provider-aws[0].response_body\n}\n\nresource \"kubectl_manifest\" \"secrets-store-csi-driver-provider-aws\" {\n  for_each  = local.secrets-store-csi-driver-provider-aws.enabled ? { for v in local.secrets-store-csi-driver-provider-aws_apply : lower(join(\"/\", compact([v.data.apiVersion, v.data.kind, lookup(v.data.metadata, \"namespace\", \"\"), v.data.metadata.name]))) => v.content } : {}\n  yaml_body = each.value\n}\n"
  },
  {
    "path": "modules/aws/templates/cert-manager-cluster-issuers.yaml.tpl",
    "content": "---\napiVersion: cert-manager.io/v1\nkind: ClusterIssuer\nmetadata:\n  name: letsencrypt-staging\nspec:\n  acme:\n    server: https://acme-staging-v02.api.letsencrypt.org/directory\n    email: '${acme_email}'\n    privateKeySecretRef:\n      name: letsencrypt-staging\n    solvers:\n    %{ if acme_dns01_enabled }\n    - dns01:\n        route53:\n          region: '${aws_region}'\n          %{ if role_arn != \"\" }\n          role: '${role_arn}'\n          %{ endif }\n    %{ endif }\n    %{ if acme_http01_enabled }\n    - http01:\n        ingress:\n          class: '${acme_http01_ingress_class}'\n      %{ if acme_dns01_enabled }\n      selector:\n        matchLabels:\n          \"use-http01-solver\": \"true\"\n      %{ endif }\n    %{ endif }\n---\napiVersion: cert-manager.io/v1\nkind: ClusterIssuer\nmetadata:\n  name: letsencrypt\nspec:\n  acme:\n    server: https://acme-v02.api.letsencrypt.org/directory\n    email: '${acme_email}'\n    privateKeySecretRef:\n      name: letsencrypt\n    solvers:\n    %{ if acme_dns01_enabled }\n    - dns01:\n        route53:\n          region: '${aws_region}'\n          %{ if role_arn != \"\" }\n          role: '${role_arn}'\n          %{ endif }\n    %{ endif }\n    %{ if acme_http01_enabled }\n    - http01:\n        ingress:\n          class: '${acme_http01_ingress_class}'\n      %{ if acme_dns01_enabled }\n      selector:\n        matchLabels:\n          \"use-http01-solver\": \"true\"\n      %{ endif }\n    %{ endif }\n"
  },
  {
    "path": "modules/aws/templates/cni-metrics-helper.yaml.tpl",
    "content": "---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: cni-metrics-helper\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: cni-metrics-helper\nsubjects:\n  - kind: ServiceAccount\n    name: cni-metrics-helper\n    namespace: kube-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n  name: cni-metrics-helper\nrules:\n  - apiGroups: [\"\"]\n    resources:\n      - nodes\n      - pods\n      - pods/proxy\n      - services\n      - resourcequotas\n      - replicationcontrollers\n      - limitranges\n      - persistentvolumeclaims\n      - persistentvolumes\n      - namespaces\n      - endpoints\n    verbs: [\"list\", \"watch\", \"get\"]\n  - apiGroups: [\"extensions\"]\n    resources:\n      - daemonsets\n      - deployments\n      - replicasets\n    verbs: [\"list\", \"watch\"]\n  - apiGroups: [\"apps\"]\n    resources:\n      - statefulsets\n    verbs: [\"list\", \"watch\"]\n  - apiGroups: [\"batch\"]\n    resources:\n      - cronjobs\n      - jobs\n    verbs: [\"list\", \"watch\"]\n  - apiGroups: [\"autoscaling\"]\n    resources:\n      - horizontalpodautoscalers\n    verbs: [\"list\", \"watch\"]\n---\nkind: Deployment\napiVersion: apps/v1\nmetadata:\n  name: cni-metrics-helper\n  namespace: kube-system\n  labels:\n    k8s-app: cni-metrics-helper\nspec:\n  selector:\n    matchLabels:\n      k8s-app: cni-metrics-helper\n  template:\n    metadata:\n      labels:\n        k8s-app: cni-metrics-helper\n    spec:\n      serviceAccountName: cni-metrics-helper\n      containers:\n      - image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/cni-metrics-helper:${cni-metrics-helper_version}\n        imagePullPolicy: Always\n        name: cni-metrics-helper\n        env:\n          - name: USE_CLOUDWATCH\n            value: \"true\"\n      priorityClassName: \"system-cluster-critical\"\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: 
cni-metrics-helper\n  namespace: kube-system\n  annotations:\n    eks.amazonaws.com/role-arn: \"${cni-metrics-helper_role_arn_irsa}\"\n"
  },
  {
    "path": "modules/aws/thanos-memcached.tf",
    "content": "locals {\n\n  thanos-memcached = merge(\n    local.helm_defaults,\n    {\n      chart         = local.helm_dependencies[index(local.helm_dependencies.*.name, \"oci://registry-1.docker.io/bitnamicharts/memcached\")].name\n      repository    = \"\"\n      chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, \"oci://registry-1.docker.io/bitnamicharts/memcached\")].version\n      name          = \"thanos-memcached\"\n      namespace     = local.thanos[\"namespace\"]\n      enabled       = false\n    },\n    var.thanos-memcached\n  )\n\n  values_thanos-memcached = <<-VALUES\n    architecture: \"high-availability\"\n    replicaCount: 2\n    podAntiAffinityPreset: hard\n    metrics:\n      enabled: ${local.kube-prometheus-stack[\"enabled\"]}\n      serviceMonitor:\n        enabled: ${local.kube-prometheus-stack[\"enabled\"]}\n    VALUES\n}\n\nresource \"helm_release\" \"thanos-memcached\" {\n  count                 = local.thanos-memcached[\"enabled\"] ? 
1 : 0\n  repository            = local.thanos-memcached[\"repository\"]\n  name                  = local.thanos-memcached[\"name\"]\n  chart                 = local.thanos-memcached[\"chart\"]\n  version               = local.thanos-memcached[\"chart_version\"]\n  timeout               = local.thanos-memcached[\"timeout\"]\n  force_update          = local.thanos-memcached[\"force_update\"]\n  recreate_pods         = local.thanos-memcached[\"recreate_pods\"]\n  wait                  = local.thanos-memcached[\"wait\"]\n  atomic                = local.thanos-memcached[\"atomic\"]\n  cleanup_on_fail       = local.thanos-memcached[\"cleanup_on_fail\"]\n  dependency_update     = local.thanos-memcached[\"dependency_update\"]\n  disable_crd_hooks     = local.thanos-memcached[\"disable_crd_hooks\"]\n  disable_webhooks      = local.thanos-memcached[\"disable_webhooks\"]\n  render_subchart_notes = local.thanos-memcached[\"render_subchart_notes\"]\n  replace               = local.thanos-memcached[\"replace\"]\n  reset_values          = local.thanos-memcached[\"reset_values\"]\n  reuse_values          = local.thanos-memcached[\"reuse_values\"]\n  skip_crds             = local.thanos-memcached[\"skip_crds\"]\n  verify                = local.thanos-memcached[\"verify\"]\n  values = compact([\n    local.values_thanos-memcached,\n    local.thanos-memcached[\"extra_values\"]\n  ])\n  namespace = local.thanos-memcached[\"namespace\"]\n\n  depends_on = [\n    helm_release.kube-prometheus-stack,\n  ]\n}\n"
  },
  {
    "path": "modules/aws/thanos-storegateway.tf",
    "content": "locals {\n\n  thanos-storegateway = { for k, v in var.thanos-storegateway : k => merge(\n    local.helm_defaults,\n    {\n      chart                     = local.helm_dependencies[index(local.helm_dependencies.*.name, \"oci://registry-1.docker.io/bitnamicharts/thanos\")].name\n      repository                = local.helm_dependencies[index(local.helm_dependencies.*.name, \"oci://registry-1.docker.io/bitnamicharts/thanos\")].repository\n      chart_version             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"oci://registry-1.docker.io/bitnamicharts/thanos\")].version\n      name                      = \"${local.thanos[\"name\"]}-storegateway-${k}\"\n      create_iam_resources_irsa = true\n      iam_policy_override       = null\n      enabled                   = false\n      default_global_requests   = false\n      default_global_limits     = false\n      bucket                    = null\n      region                    = null\n      name_prefix               = \"${var.cluster-name}-thanos-sg\"\n      iam_use_name_prefix       = false\n    },\n    v,\n  ) }\n\n  values_thanos-storegateway = { for k, v in local.thanos-storegateway : k => merge(\n    {\n      values = <<-VALUES\n        global:\n          security:\n            allowInsecureImages: true\n        image:\n          registry: quay.io\n          repository: thanos/thanos\n          tag: v0.37.2\n        objstoreConfig:\n          type: S3\n          config:\n            bucket: ${v[\"bucket\"]}\n            region: ${v[\"region\"] == null ? data.aws_region.current.region : v[\"region\"]}\n            endpoint: s3.${v[\"region\"] == null ? data.aws_region.current.region : v[\"region\"]}.amazonaws.com\n            sse_config:\n              type: \"SSE-S3\"\n        metrics:\n          enabled: true\n          serviceMonitor:\n            enabled: ${local.kube-prometheus-stack[\"enabled\"] ? 
\"true\" : \"false\"}\n        query:\n          enabled: false\n        queryFrontend:\n          enabled: false\n        compactor:\n          enabled: false\n        storegateway:\n          replicaCount: 2\n          extraFlags:\n            - --ignore-deletion-marks-delay=24h\n          enabled: true\n          serviceAccount:\n            annotations:\n              eks.amazonaws.com/role-arn: \"${v[\"enabled\"] && v[\"create_iam_resources_irsa\"] ? module.iam_assumable_role_thanos-storegateway[k].arn : \"\"}\"\n          pdb:\n            create: true\n            minAvailable: 1\n        VALUES\n    },\n    v,\n  ) }\n}\n\nmodule \"iam_assumable_role_thanos-storegateway\" {\n  for_each               = local.thanos-storegateway\n  source                 = \"terraform-aws-modules/iam/aws//modules/iam-role\"\n  version                = \"~> 6.0\"\n  create                 = each.value[\"enabled\"] && each.value[\"create_iam_resources_irsa\"]\n  name                   = \"${each.value.name_prefix}-${each.key}\"\n  use_name_prefix        = each.value[\"iam_use_name_prefix\"]\n  enable_oidc            = true\n  oidc_provider_urls     = [replace(var.eks[\"cluster_oidc_issuer_url\"], \"https://\", \"\")]\n  policies               = each.value[\"enabled\"] && each.value[\"create_iam_resources_irsa\"] ? { thanos-storegateway = aws_iam_policy.thanos-storegateway[each.key].arn } : {}\n  oidc_wildcard_subjects = [\"system:serviceaccount:${local.thanos[\"namespace\"]}:${each.value[\"name\"]}-storegateway\"]\n  tags                   = local.tags\n}\n\nresource \"aws_iam_policy\" \"thanos-storegateway\" {\n  for_each = { for k, v in local.thanos-storegateway : k => v if v[\"enabled\"] && v[\"create_iam_resources_irsa\"] }\n  name     = \"${each.value.name_prefix}-${each.key}\"\n  policy   = each.value[\"iam_policy_override\"] == null ? 
data.aws_iam_policy_document.thanos-storegateway[each.key].json : each.value[\"iam_policy_override\"]\n  tags     = local.tags\n}\n\ndata \"aws_iam_policy_document\" \"thanos-storegateway\" {\n\n  for_each = { for k, v in local.thanos-storegateway : k => v if v[\"enabled\"] && v[\"create_iam_resources_irsa\"] }\n\n  statement {\n    effect = \"Allow\"\n\n    actions = [\n      \"s3:ListBucket\"\n    ]\n\n    resources = [\"arn:${local.arn-partition}:s3:::${each.value[\"bucket\"]}\"]\n  }\n\n  statement {\n    effect = \"Allow\"\n\n    actions = [\n      \"s3:*Object\"\n    ]\n\n    resources = [\"arn:${local.arn-partition}:s3:::${each.value[\"bucket\"]}/*\"]\n  }\n}\n\nresource \"helm_release\" \"thanos-storegateway\" {\n  for_each              = { for k, v in local.thanos-storegateway : k => v if v[\"enabled\"] }\n  repository            = each.value[\"repository\"]\n  name                  = each.value[\"name\"]\n  chart                 = each.value[\"chart\"]\n  version               = each.value[\"chart_version\"]\n  timeout               = each.value[\"timeout\"]\n  force_update          = each.value[\"force_update\"]\n  recreate_pods         = each.value[\"recreate_pods\"]\n  wait                  = each.value[\"wait\"]\n  atomic                = each.value[\"atomic\"]\n  cleanup_on_fail       = each.value[\"cleanup_on_fail\"]\n  dependency_update     = each.value[\"dependency_update\"]\n  disable_crd_hooks     = each.value[\"disable_crd_hooks\"]\n  disable_webhooks      = each.value[\"disable_webhooks\"]\n  render_subchart_notes = each.value[\"render_subchart_notes\"]\n  replace               = each.value[\"replace\"]\n  reset_values          = each.value[\"reset_values\"]\n  reuse_values          = each.value[\"reuse_values\"]\n  skip_crds             = each.value[\"skip_crds\"]\n  verify                = each.value[\"verify\"]\n  values = compact([\n    local.values_thanos-storegateway[each.key][\"values\"],\n    each.value[\"default_global_requests\"] ? 
local.values_thanos_global_requests : null,\n    each.value[\"default_global_limits\"] ? local.values_thanos_global_limits : null,\n    each.value[\"extra_values\"]\n  ])\n  namespace = local.thanos[\"create_ns\"] ? kubernetes_namespace.thanos.*.metadata.0.name[0] : local.thanos[\"namespace\"]\n\n  depends_on = [\n    helm_release.kube-prometheus-stack,\n  ]\n}\n"
  },
  {
    "path": "modules/aws/thanos-tls-querier.tf",
    "content": "locals {\n\n  thanos-ca-key  = local.thanos[\"generate_ca\"] ? (var.thanos-tls-querier-ca-private-key != \"\" ? var.thanos-tls-querier-ca-private-key : tls_private_key.thanos-tls-querier-ca-key[0].private_key_pem) : \"\"\n  thanos-ca-cert = local.thanos[\"generate_ca\"] ? (var.thanos-tls-querier-ca-cert != \"\" ? var.thanos-tls-querier-ca-cert : tls_self_signed_cert.thanos-tls-querier-ca-cert[0].cert_pem) : \"\"\n\n  thanos-tls-querier = { for k, v in var.thanos-tls-querier : k => merge(\n    local.helm_defaults,\n    {\n      chart              = local.helm_dependencies[index(local.helm_dependencies.*.name, \"oci://registry-1.docker.io/bitnamicharts/thanos\")].name\n      repository         = local.helm_dependencies[index(local.helm_dependencies.*.name, \"oci://registry-1.docker.io/bitnamicharts/thanos\")].repository\n      chart_version      = local.helm_dependencies[index(local.helm_dependencies.*.name, \"oci://registry-1.docker.io/bitnamicharts/thanos\")].version\n      name               = \"${local.thanos[\"name\"]}-tls-querier-${k}\"\n      enabled            = false\n      generate_cert      = local.thanos[\"generate_ca\"]\n      client_server_name = \"\"\n      ## This default to Let's encrypt X1 root CA\n      grpc_client_tls_ca_pem  = <<-EOV\n        -----BEGIN CERTIFICATE-----\n        MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw\n        TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n        cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4\n        WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu\n        ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY\n        MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc\n        h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+\n        0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U\n        A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW\n       
 T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH\n        B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC\n        B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv\n        KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn\n        OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn\n        jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw\n        qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI\n        rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV\n        HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq\n        hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL\n        ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ\n        3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK\n        NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5\n        ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur\n        TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC\n        jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc\n        oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq\n        4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA\n        mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d\n        emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=\n        -----END CERTIFICATE-----\n        EOV\n      stores                  = []\n      default_global_requests = false\n      default_global_limits   = false\n    },\n    v,\n  ) }\n\n  values_thanos-tls-querier = { for k, v in local.thanos-tls-querier : k => merge(\n    {\n      values = <<-VALUES\n        global:\n          security:\n            allowInsecureImages: true\n        image:\n          registry: quay.io\n          repository: thanos/thanos\n          tag: v0.37.2\n        metrics:\n          enabled: 
true\n          serviceMonitor:\n            enabled: ${local.kube-prometheus-stack[\"enabled\"] ? \"true\" : \"false\"}\n        query:\n          replicaCount: 2\n          extraFlags:\n            - --query.timeout=5m\n            - --query.lookback-delta=15m\n            - --query.replica-label=rule_replica\n          enabled: true\n          dnsDiscovery:\n            enabled: false\n          pdb:\n            create: true\n            minAvailable: 1\n          grpc:\n            client:\n              servername: ${v[\"client_server_name\"]}\n              tls:\n                enabled: ${v[\"generate_cert\"]}\n                key: |\n                  ${indent(10, v[\"generate_cert\"] ? tls_private_key.thanos-tls-querier-cert-key[k].private_key_pem : \"\")}\n                cert: |\n                  ${indent(10, v[\"generate_cert\"] ? tls_locally_signed_cert.thanos-tls-querier-cert[k].cert_pem : \"\")}\n                ca: |\n                  ${indent(10, v[\"generate_cert\"] ? 
v[\"grpc_client_tls_ca_pem\"] : \"\")}\n          stores: ${jsonencode(v[\"stores\"])}\n        queryFrontend:\n          enabled: false\n        compactor:\n          enabled: false\n        storegateway:\n          enabled: false\n        VALUES\n    },\n    v,\n  ) }\n}\n\nresource \"helm_release\" \"thanos-tls-querier\" {\n  for_each              = { for k, v in local.thanos-tls-querier : k => v if v[\"enabled\"] }\n  repository            = each.value[\"repository\"]\n  name                  = each.value[\"name\"]\n  chart                 = each.value[\"chart\"]\n  version               = each.value[\"chart_version\"]\n  timeout               = each.value[\"timeout\"]\n  force_update          = each.value[\"force_update\"]\n  recreate_pods         = each.value[\"recreate_pods\"]\n  wait                  = each.value[\"wait\"]\n  atomic                = each.value[\"atomic\"]\n  cleanup_on_fail       = each.value[\"cleanup_on_fail\"]\n  dependency_update     = each.value[\"dependency_update\"]\n  disable_crd_hooks     = each.value[\"disable_crd_hooks\"]\n  disable_webhooks      = each.value[\"disable_webhooks\"]\n  render_subchart_notes = each.value[\"render_subchart_notes\"]\n  replace               = each.value[\"replace\"]\n  reset_values          = each.value[\"reset_values\"]\n  reuse_values          = each.value[\"reuse_values\"]\n  skip_crds             = each.value[\"skip_crds\"]\n  verify                = each.value[\"verify\"]\n  values = compact([\n    local.values_thanos-tls-querier[each.key][\"values\"],\n    each.value[\"default_global_requests\"] ? local.values_thanos_global_requests : null,\n    each.value[\"default_global_limits\"] ? local.values_thanos_global_limits : null,\n    each.value[\"extra_values\"]\n  ])\n  namespace = local.thanos[\"create_ns\"] ? 
kubernetes_namespace.thanos.*.metadata.0.name[0] : local.thanos[\"namespace\"]\n\n  depends_on = [\n    helm_release.kube-prometheus-stack,\n  ]\n}\n\nresource \"tls_private_key\" \"thanos-tls-querier-cert-key\" {\n  for_each    = { for k, v in local.thanos-tls-querier : k => v if v[\"enabled\"] && v[\"generate_cert\"] }\n  algorithm   = \"ECDSA\"\n  ecdsa_curve = \"P384\"\n}\n\nresource \"tls_cert_request\" \"thanos-tls-querier-cert-csr\" {\n  for_each        = { for k, v in local.thanos-tls-querier : k => v if v[\"enabled\"] && v[\"generate_cert\"] }\n  private_key_pem = tls_private_key.thanos-tls-querier-cert-key[each.key].private_key_pem\n\n  subject {\n    common_name = each.key\n  }\n\n  dns_names = [\n    each.key\n  ]\n}\n\nresource \"tls_locally_signed_cert\" \"thanos-tls-querier-cert\" {\n  for_each           = { for k, v in local.thanos-tls-querier : k => v if v[\"enabled\"] && v[\"generate_cert\"] }\n  cert_request_pem   = tls_cert_request.thanos-tls-querier-cert-csr[each.key].cert_request_pem\n  ca_private_key_pem = local.thanos-ca-key\n  ca_cert_pem        = local.thanos-ca-cert\n\n  validity_period_hours = 8760\n  early_renewal_hours   = 720\n\n  allowed_uses = [\n    \"key_encipherment\",\n    \"digital_signature\",\n    \"client_auth\"\n  ]\n}\n"
  },
  {
    "path": "modules/aws/thanos.tf",
    "content": "locals {\n\n  thanos = merge(\n    local.helm_defaults,\n    {\n      name                      = \"thanos\"\n      chart                     = local.helm_dependencies[index(local.helm_dependencies.*.name, \"oci://registry-1.docker.io/bitnamicharts/thanos\")].name\n      repository                = \"\"\n      chart_version             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"oci://registry-1.docker.io/bitnamicharts/thanos\")].version\n      namespace                 = \"monitoring\"\n      create_iam_resources_irsa = true\n      iam_policy_override       = null\n      create_ns                 = false\n      enabled                   = false\n      default_network_policy    = true\n      default_global_requests   = false\n      default_global_limits     = false\n      create_bucket             = false\n      bucket                    = \"thanos-store-${var.cluster-name}\"\n      bucket_force_destroy      = false\n      bucket_enforce_tls        = false\n      generate_ca               = false\n      trusted_ca_content        = null\n      name_prefix               = \"${var.cluster-name}-thanos\"\n      iam_use_name_prefix       = false\n    },\n    var.thanos\n  )\n\n  values_thanos = <<-VALUES\n    global:\n      security:\n        allowInsecureImages: true\n    image:\n      registry: quay.io\n      repository: thanos/thanos\n      tag: v0.37.2\n    receive:\n      enabled: false\n      pdb:\n        create: true\n        minAvailable: 1\n      serviceAccount:\n        annotations:\n          eks.amazonaws.com/role-arn: \"${local.thanos[\"enabled\"] && local.thanos[\"create_iam_resources_irsa\"] ? module.iam_assumable_role_thanos.arn : \"\"}\"\n    metrics:\n      enabled: true\n      serviceMonitor:\n        enabled: ${local.kube-prometheus-stack[\"enabled\"] ? 
\"true\" : \"false\"}\n    query:\n      extraFlags:\n        - --query.timeout=5m\n        - --query.lookback-delta=15m\n        - --query.replica-label=rule_replica\n      replicaCount: 2\n      replicaLabel:\n        - prometheus_replica\n      enabled: true\n      dnsDiscovery:\n        enabled: true\n        sidecarsService: ${local.kube-prometheus-stack[\"name\"]}-thanos-discovery\n        sidecarsNamespace: \"${local.kube-prometheus-stack[\"namespace\"]}\"\n      pdb:\n        create: true\n        minAvailable: 1\n      stores: ${jsonencode(concat([for k, v in local.thanos-tls-querier : \"dnssrv+_grpc._tcp.${v[\"name\"]}-query-grpc.${local.thanos[\"namespace\"]}.svc.cluster.local\"], [for k, v in local.thanos-storegateway : \"dnssrv+_grpc._tcp.${v[\"name\"]}-storegateway.${local.thanos[\"namespace\"]}.svc.cluster.local\"]))}\n    queryFrontend:\n      extraFlags:\n        - --query-frontend.compress-responses\n        - --query-range.split-interval=12h\n        - --labels.split-interval=12h\n        - --query-range.max-retries-per-request=10\n        - --labels.max-retries-per-request=10\n        - --query-frontend.log-queries-longer-than=10s\n      replicaCount: 2\n      enabled: true\n      pdb:\n        create: true\n        minAvailable: 1\n    compactor:\n      extraFlags:\n        - --deduplication.replica-label=prometheus_replica\n        - --deduplication.replica-label=rule_replica\n      strategyType: Recreate\n      enabled: true\n      serviceAccount:\n        annotations:\n          eks.amazonaws.com/role-arn: \"${local.thanos[\"enabled\"] && local.thanos[\"create_iam_resources_irsa\"] ? module.iam_assumable_role_thanos.arn : \"\"}\"\n    storegateway:\n      extraFlags:\n        - --ignore-deletion-marks-delay=24h\n      replicaCount: 2\n      enabled: true\n      serviceAccount:\n        annotations:\n          eks.amazonaws.com/role-arn: \"${local.thanos[\"enabled\"] && local.thanos[\"create_iam_resources_irsa\"] ? 
module.iam_assumable_role_thanos.arn : \"\"}\"\n      pdb:\n        create: true\n        minAvailable: 1\n    VALUES\n\n\n  values_thanos_caching = <<-VALUES\n    queryFrontend:\n      extraFlags:\n        - --query-frontend.compress-responses\n        - --query-range.split-interval=12h\n        - --labels.split-interval=12h\n        - --query-range.max-retries-per-request=10\n        - --labels.max-retries-per-request=10\n        - --query-frontend.log-queries-longer-than=10s\n        - |-\n          --query-range.response-cache-config=\"config\":\n            \"addresses\":\n            - \"dnssrv+_memcache._tcp.${local.thanos-memcached[\"name\"]}.${local.thanos-memcached[\"namespace\"]}.svc.cluster.local\"\n            \"dns_provider_update_interval\": \"10s\"\n            \"max_async_buffer_size\": 10000\n            \"max_async_concurrency\": 20\n            \"max_get_multi_batch_size\": 0\n            \"max_get_multi_concurrency\": 100\n            \"max_idle_connections\": 100\n            \"timeout\": \"500ms\"\n          \"type\": \"memcached\"\n        - |-\n          --labels.response-cache-config=\"config\":\n            \"addresses\":\n            - \"dnssrv+_memcache._tcp.${local.thanos-memcached[\"name\"]}.${local.thanos-memcached[\"namespace\"]}.svc.cluster.local\"\n            \"dns_provider_update_interval\": \"10s\"\n            \"max_async_buffer_size\": 10000\n            \"max_async_concurrency\": 20\n            \"max_get_multi_batch_size\": 0\n            \"max_get_multi_concurrency\": 100\n            \"max_idle_connections\": 100\n            \"timeout\": \"500ms\"\n          \"type\": \"memcached\"\n    storegateway:\n      extraFlags:\n        - --ignore-deletion-marks-delay=24h\n        - |-\n          --index-cache.config=\"config\":\n            \"addresses\":\n            - \"dnssrv+_memcache._tcp.${local.thanos-memcached[\"name\"]}.${local.thanos-memcached[\"namespace\"]}.svc.cluster.local\"\n            
\"dns_provider_update_interval\": \"10s\"\n            \"max_async_buffer_size\": 10000\n            \"max_async_concurrency\": 20\n            \"max_get_multi_batch_size\": 0\n            \"max_get_multi_concurrency\": 100\n            \"max_idle_connections\": 100\n            \"max_item_size\": \"1MiB\"\n            \"timeout\": \"500ms\"\n          \"type\": \"memcached\"\n        - |-\n          --store.caching-bucket.config=\"blocks_iter_ttl\": \"5m\"\n          \"chunk_object_attrs_ttl\": \"24h\"\n          \"chunk_subrange_size\": 16000\n          \"chunk_subrange_ttl\": \"24h\"\n          \"config\":\n            \"addresses\":\n            - \"dnssrv+_memcache._tcp.${local.thanos-memcached[\"name\"]}.${local.thanos-memcached[\"namespace\"]}.svc.cluster.local\"\n            \"dns_provider_update_interval\": \"10s\"\n            \"max_async_buffer_size\": 10000\n            \"max_async_concurrency\": 20\n            \"max_get_multi_batch_size\": 0\n            \"max_get_multi_concurrency\": 100\n            \"max_idle_connections\": 100\n            \"max_item_size\": \"1MiB\"\n            \"timeout\": \"500ms\"\n          \"max_chunks_get_range_requests\": 3\n          \"metafile_content_ttl\": \"24h\"\n          \"metafile_doesnt_exist_ttl\": \"15m\"\n          \"metafile_exists_ttl\": \"2h\"\n          \"metafile_max_size\": \"1MiB\"\n          \"type\": \"memcached\"\n    VALUES\n\n\n  values_store_config = <<-VALUES\n    objstoreConfig:\n      type: S3\n      config:\n        bucket: ${local.thanos[\"bucket\"]}\n        region: ${data.aws_region.current.region}\n        endpoint: s3.${data.aws_region.current.region}.amazonaws.com\n        sse_config:\n          type: \"SSE-S3\"\n    VALUES\n\n  values_thanos_global_requests = <<-VALUES\n    query:\n      resources:\n        requests:\n          cpu: 25m\n          memory: 32Mi\n    queryFrontend:\n      resources:\n        requests:\n          cpu: 25m\n          memory: 32Mi\n    compactor:\n      
resources:\n        requests:\n          cpu: 50m\n          memory: 258Mi\n    storegateway:\n      resources:\n        requests:\n          cpu: 25m\n          memory: 64Mi\n    VALUES\n\n  values_thanos_global_limits = <<-VALUES\n    query:\n      resources:\n        limits:\n          memory: 128Mi\n    queryFrontend:\n      resources:\n        limits:\n          memory: 64Mi\n    compactor:\n      resources:\n        limits:\n          memory: 2Gi\n    storegateway:\n      resources:\n        limits:\n          memory: 1Gi\n    VALUES\n}\n\nmodule \"iam_assumable_role_thanos\" {\n  source                 = \"terraform-aws-modules/iam/aws//modules/iam-role\"\n  version                = \"~> 6.0\"\n  create                 = local.thanos[\"enabled\"] && local.thanos[\"create_iam_resources_irsa\"]\n  name                   = local.thanos[\"name_prefix\"]\n  use_name_prefix        = local.thanos[\"iam_use_name_prefix\"]\n  enable_oidc            = true\n  oidc_provider_urls     = [replace(var.eks[\"cluster_oidc_issuer_url\"], \"https://\", \"\")]\n  policies               = local.thanos[\"enabled\"] && local.thanos[\"create_iam_resources_irsa\"] ? { thanos = aws_iam_policy.thanos[0].arn } : {}\n  oidc_wildcard_subjects = [\"system:serviceaccount:${local.thanos[\"namespace\"]}:${local.thanos[\"name\"]}-*\"]\n  tags                   = local.tags\n}\n\n\nresource \"aws_iam_policy\" \"thanos\" {\n  count  = local.thanos[\"enabled\"] && local.thanos[\"create_iam_resources_irsa\"] ? 1 : 0\n  name   = local.thanos[\"name_prefix\"]\n  policy = local.thanos[\"iam_policy_override\"] == null ? 
data.aws_iam_policy_document.thanos.json : local.thanos[\"iam_policy_override\"]\n  tags   = local.tags\n}\n\n\ndata \"aws_iam_policy_document\" \"thanos\" {\n  statement {\n    effect = \"Allow\"\n\n    actions = [\n      \"s3:ListBucket\"\n    ]\n\n    resources = [\"arn:${local.arn-partition}:s3:::${local.thanos[\"bucket\"]}\"]\n  }\n\n  statement {\n    effect = \"Allow\"\n\n    actions = [\n      \"s3:*Object\"\n    ]\n\n    resources = [\"arn:${local.arn-partition}:s3:::${local.thanos[\"bucket\"]}/*\"]\n  }\n}\n\n\nmodule \"thanos_bucket\" {\n  create_bucket = local.thanos[\"enabled\"] && local.thanos[\"create_bucket\"]\n\n  source  = \"terraform-aws-modules/s3-bucket/aws\"\n  version = \"~> 5.0\"\n\n  control_object_ownership = true\n  object_ownership         = \"ObjectWriter\"\n\n  force_destroy = local.thanos[\"bucket_force_destroy\"]\n\n  bucket = local.thanos[\"bucket\"]\n  acl    = \"private\"\n\n  versioning = {\n    status = true\n  }\n\n  server_side_encryption_configuration = {\n    rule = {\n      apply_server_side_encryption_by_default = {\n        sse_algorithm = \"AES256\"\n      }\n    }\n  }\n\n  logging = local.s3-logging.enabled ? {\n    target_bucket = local.s3-logging.create_bucket ? module.s3_logging_bucket.s3_bucket_id : local.s3-logging.custom_bucket_id\n    target_prefix = \"${var.cluster-name}/${local.thanos.name}/\"\n  } : {}\n\n  attach_deny_insecure_transport_policy = local.thanos[\"bucket_enforce_tls\"]\n\n  tags = local.tags\n}\n\nresource \"kubernetes_namespace\" \"thanos\" {\n  count = local.thanos[\"enabled\"] && local.thanos[\"create_ns\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.thanos[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"monitoring\"\n    }\n\n    name = local.thanos[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"thanos\" {\n  count                 = local.thanos[\"enabled\"] ? 
1 : 0\n  repository            = local.thanos[\"repository\"]\n  name                  = local.thanos[\"name\"]\n  chart                 = local.thanos[\"chart\"]\n  version               = local.thanos[\"chart_version\"]\n  timeout               = local.thanos[\"timeout\"]\n  force_update          = local.thanos[\"force_update\"]\n  recreate_pods         = local.thanos[\"recreate_pods\"]\n  wait                  = local.thanos[\"wait\"]\n  atomic                = local.thanos[\"atomic\"]\n  cleanup_on_fail       = local.thanos[\"cleanup_on_fail\"]\n  dependency_update     = local.thanos[\"dependency_update\"]\n  disable_crd_hooks     = local.thanos[\"disable_crd_hooks\"]\n  disable_webhooks      = local.thanos[\"disable_webhooks\"]\n  render_subchart_notes = local.thanos[\"render_subchart_notes\"]\n  replace               = local.thanos[\"replace\"]\n  reset_values          = local.thanos[\"reset_values\"]\n  reuse_values          = local.thanos[\"reuse_values\"]\n  skip_crds             = local.thanos[\"skip_crds\"]\n  verify                = local.thanos[\"verify\"]\n  values = compact([\n    local.values_thanos,\n    local.values_store_config,\n    local.thanos[\"default_global_requests\"] ? local.values_thanos_global_requests : null,\n    local.thanos[\"default_global_limits\"] ? local.values_thanos_global_limits : null,\n    local.thanos-memcached[\"enabled\"] ? local.values_thanos_caching : null,\n    local.thanos[\"extra_values\"]\n  ])\n  namespace = local.thanos[\"create_ns\"] ? kubernetes_namespace.thanos.*.metadata.0.name[count.index] : local.thanos[\"namespace\"]\n\n  depends_on = [\n    helm_release.kube-prometheus-stack,\n    helm_release.thanos-memcached\n  ]\n}\n\nresource \"tls_private_key\" \"thanos-tls-querier-ca-key\" {\n  count       = local.thanos[\"generate_ca\"] ? 
1 : 0\n  algorithm   = \"ECDSA\"\n  ecdsa_curve = \"P384\"\n}\n\nresource \"tls_self_signed_cert\" \"thanos-tls-querier-ca-cert\" {\n  count             = local.thanos[\"generate_ca\"] ? 1 : 0\n  private_key_pem   = tls_private_key.thanos-tls-querier-ca-key[0].private_key_pem\n  is_ca_certificate = true\n\n  subject {\n    common_name  = var.cluster-name\n    organization = var.cluster-name\n  }\n\n  validity_period_hours = 87600\n  early_renewal_hours   = 720\n\n  allowed_uses = [\n    \"cert_signing\"\n  ]\n}\n\nresource \"kubernetes_secret\" \"thanos-ca\" {\n  count = local.thanos[\"enabled\"] && (local.thanos[\"generate_ca\"] || local.thanos[\"trusted_ca_content\"] != null) ? 1 : 0\n  metadata {\n    name      = \"${local.thanos[\"name\"]}-ca\"\n    namespace = local.thanos[\"create_ns\"] ? kubernetes_namespace.thanos.*.metadata.0.name[count.index] : local.thanos[\"namespace\"]\n  }\n\n  data = {\n    \"ca.crt\" = local.thanos[\"generate_ca\"] ? tls_self_signed_cert.thanos-tls-querier-ca-cert[count.index].cert_pem : local.thanos[\"trusted_ca_content\"]\n  }\n}\n\noutput \"thanos_ca\" {\n  value = element(concat(tls_self_signed_cert.thanos-tls-querier-ca-cert[*].cert_pem, [\"\"]), 0)\n}\n\noutput \"thanos_ca_key\" {\n  value     = element(concat(tls_private_key.thanos-tls-querier-ca-key[*].private_key_pem, [\"\"]), 0)\n  sensitive = true\n}\n"
  },
  {
    "path": "modules/aws/tigera-operator.tf",
    "content": "locals {\n  tigera-operator = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"tigera-operator\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"tigera-operator\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"tigera-operator\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"tigera-operator\")].version\n      namespace              = \"tigera-operator\"\n      create_ns              = true\n      manage_crds            = true\n      enabled                = false\n      default_network_policy = true\n    },\n    var.tigera-operator\n  )\n\n  tigera-operator_crds = \"https://raw.githubusercontent.com/projectcalico/calico/${local.tigera-operator.chart_version}/manifests/operator-crds.yaml\"\n\n  calico_crds = \"https://raw.githubusercontent.com/projectcalico/calico/${local.tigera-operator.chart_version}/manifests/crds.yaml\"\n\n  tigera-operator_crds_apply = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? [for v in data.kubectl_file_documents.tigera-operator_crds.0.documents : {\n    data : yamldecode(v)\n    content : v\n    }\n  ] : null\n\n  # Split the Calico CRD manifest (not the operator CRD manifest) into per-document entries.\n  calico_crds_apply = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? [for v in data.kubectl_file_documents.calico_crds.0.documents : {\n    data : yamldecode(v)\n    content : v\n    }\n  ] : null\n\n  values_tigera-operator = <<-VALUES\n    installation:\n      kubernetesProvider: EKS\n    VALUES\n}\n\ndata \"http\" \"tigera-operator_crds\" {\n  count = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? 1 : 0\n  url   = local.tigera-operator_crds\n}\n\ndata \"http\" \"calico_crds\" {\n  count = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? 
1 : 0\n  url   = local.calico_crds\n}\n\ndata \"kubectl_file_documents\" \"tigera-operator_crds\" {\n  count   = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? 1 : 0\n  content = data.http.tigera-operator_crds[0].response_body\n}\n\ndata \"kubectl_file_documents\" \"calico_crds\" {\n  count   = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? 1 : 0\n  content = data.http.calico_crds[0].response_body\n}\n\nresource \"kubectl_manifest\" \"tigera-operator_crds\" {\n  for_each          = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? { for v in local.tigera-operator_crds_apply : lower(join(\"/\", compact([v.data.apiVersion, v.data.kind, lookup(v.data.metadata, \"namespace\", \"\"), v.data.metadata.name]))) => v.content } : {}\n  yaml_body         = each.value\n  server_side_apply = true\n  force_conflicts   = true\n}\n\nresource \"kubectl_manifest\" \"calico_crds\" {\n  for_each          = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? { for v in local.calico_crds_apply : lower(join(\"/\", compact([v.data.apiVersion, v.data.kind, lookup(v.data.metadata, \"namespace\", \"\"), v.data.metadata.name]))) => v.content } : {}\n  yaml_body         = each.value\n  server_side_apply = true\n  force_conflicts   = true\n}\n\nresource \"kubernetes_namespace\" \"tigera-operator\" {\n  count = local.tigera-operator[\"enabled\"] && local.tigera-operator[\"create_ns\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.tigera-operator[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"tigera-operator\"\n    }\n\n    name = local.tigera-operator[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"tigera-operator\" {\n  count                 = local.tigera-operator[\"enabled\"] ? 
1 : 0\n  repository            = local.tigera-operator[\"repository\"]\n  name                  = local.tigera-operator[\"name\"]\n  chart                 = local.tigera-operator[\"chart\"]\n  version               = local.tigera-operator[\"chart_version\"]\n  timeout               = local.tigera-operator[\"timeout\"]\n  force_update          = local.tigera-operator[\"force_update\"]\n  recreate_pods         = local.tigera-operator[\"recreate_pods\"]\n  wait                  = local.tigera-operator[\"wait\"]\n  atomic                = local.tigera-operator[\"atomic\"]\n  cleanup_on_fail       = local.tigera-operator[\"cleanup_on_fail\"]\n  dependency_update     = local.tigera-operator[\"dependency_update\"]\n  disable_crd_hooks     = local.tigera-operator[\"disable_crd_hooks\"]\n  disable_webhooks      = local.tigera-operator[\"disable_webhooks\"]\n  render_subchart_notes = local.tigera-operator[\"render_subchart_notes\"]\n  replace               = local.tigera-operator[\"replace\"]\n  reset_values          = local.tigera-operator[\"reset_values\"]\n  reuse_values          = local.tigera-operator[\"reuse_values\"]\n  skip_crds             = local.tigera-operator[\"skip_crds\"]\n  verify                = local.tigera-operator[\"verify\"]\n  values = [\n    local.values_tigera-operator,\n    local.tigera-operator[\"extra_values\"]\n  ]\n  namespace = local.tigera-operator[\"create_ns\"] ? kubernetes_namespace.tigera-operator.*.metadata.0.name[count.index] : local.tigera-operator[\"namespace\"]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"tigera-operator_default_deny\" {\n  count = local.tigera-operator[\"create_ns\"] && local.tigera-operator[\"enabled\"] && local.tigera-operator[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.tigera-operator.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.tigera-operator.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"tigera-operator_allow_namespace\" {\n  count = local.tigera-operator[\"create_ns\"] && local.tigera-operator[\"enabled\"] && local.tigera-operator[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.tigera-operator.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.tigera-operator.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.tigera-operator.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "modules/aws/variables-aws.tf",
    "content": "variable \"arn-partition\" {\n  description = \"ARN partition\"\n  default     = \"\"\n  type        = string\n}\n\nvariable \"aws\" {\n  description = \"AWS provider customization\"\n  type        = any\n  default     = {}\n}\n\nvariable \"aws-ebs-csi-driver\" {\n  description = \"Customize aws-ebs-csi-driver helm chart, see `aws-ebs-csi-driver.tf`\"\n  type        = any\n  default     = {}\n}\n\nvariable \"aws-efs-csi-driver\" {\n  description = \"Customize aws-efs-csi-driver helm chart, see `aws-efs-csi-driver.tf`\"\n  type        = any\n  default     = {}\n}\n\nvariable \"aws-for-fluent-bit\" {\n  description = \"Customize aws-for-fluent-bit helm chart, see `aws-fluent-bit.tf`\"\n  type        = any\n  default     = {}\n}\n\nvariable \"aws-load-balancer-controller\" {\n  description = \"Customize aws-load-balancer-controller chart, see `aws-load-balancer-controller.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"aws-node-termination-handler\" {\n  description = \"Customize aws-node-termination-handler chart, see `aws-node-termination-handler.tf`\"\n  type        = any\n  default     = {}\n}\n\nvariable \"cni-metrics-helper\" {\n  description = \"Customize cni-metrics-helper deployment, see `cni-metrics-helper.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"eks\" {\n  description = \"EKS cluster inputs\"\n  type        = any\n  default     = {}\n}\n\nvariable \"karpenter\" {\n  description = \"Customize karpenter chart, see `karpenter.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"prometheus-cloudwatch-exporter\" {\n  description = \"Customize prometheus-cloudwatch-exporter chart, see `prometheus-cloudwatch-exporter.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"s3-logging\" {\n  description = \"Logging configuration for bucket created by this module\"\n  type        = any\n  default     = 
{}\n}\n\nvariable \"secrets-store-csi-driver-provider-aws\" {\n  description = \"Enable secrets-store-csi-driver-provider-aws\"\n  type        = any\n  default     = {}\n}\n\nvariable \"tags\" {\n  description = \"Map of tags for AWS resources\"\n  type        = map(any)\n  default     = {}\n}\n\nvariable \"yet-another-cloudwatch-exporter\" {\n  description = \"Customize yet-another-cloudwatch-exporter chart, see `yet-another-cloudwatch-exporter.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n"
  },
  {
    "path": "modules/aws/velero.tf",
    "content": "locals {\n  velero = merge(\n    local.helm_defaults,\n    {\n      name                      = local.helm_dependencies[index(local.helm_dependencies.*.name, \"velero\")].name\n      chart                     = local.helm_dependencies[index(local.helm_dependencies.*.name, \"velero\")].name\n      repository                = local.helm_dependencies[index(local.helm_dependencies.*.name, \"velero\")].repository\n      chart_version             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"velero\")].version\n      namespace                 = \"velero\"\n      service_account_name      = \"velero\"\n      enabled                   = false\n      create_iam_resources_irsa = true\n      iam_policy_override       = null\n      create_bucket             = true\n      bucket                    = \"${var.cluster-name}-velero\"\n      bucket_force_destroy      = false\n      bucket_enforce_tls        = false\n      allowed_cidrs             = [\"0.0.0.0/0\"]\n      default_network_policy    = true\n      kms_key_arn_access_list   = []\n      name_prefix               = \"${var.cluster-name}-velero\"\n      iam_use_name_prefix       = false\n    },\n    var.velero\n  )\n\n  values_velero = <<VALUES\nmetrics:\n  serviceMonitor:\n    enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\nconfiguration:\n  namespace: ${local.velero.namespace}\n  features: EnableCSI\n  backupStorageLocation:\n    - name: aws\n      provider: aws\n      bucket: ${local.velero.bucket}\n      default: true\n      config:\n        region: ${data.aws_region.current.name}\n  volumeSnapshotLocation:\n    - name: aws\n      provider: aws\n      config:\n        region: ${data.aws_region.current.name}\nserviceAccount:\n  server:\n    name: ${local.velero[\"service_account_name\"]}\n    annotations:\n      eks.amazonaws.com/role-arn: \"${local.velero[\"enabled\"] && local.velero[\"create_iam_resources_irsa\"] ? 
module.iam_assumable_role_velero.arn : \"\"}\"\npriorityClassName: ${local.priority-class-ds[\"create\"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : \"\"}\ncredentials:\n  useSecret: false\ninitContainers:\n   - name: velero-plugin-for-aws\n     image: velero/velero-plugin-for-aws:v1.9.2\n     imagePullPolicy: IfNotPresent\n     volumeMounts:\n       - mountPath: /target\n         name: plugins\nVALUES\n\n}\n\nmodule \"iam_assumable_role_velero\" {\n  source             = \"terraform-aws-modules/iam/aws//modules/iam-role\"\n  version            = \"~> 6.0\"\n  create             = local.velero[\"enabled\"] && local.velero[\"create_iam_resources_irsa\"]\n  name               = local.velero[\"name_prefix\"]\n  use_name_prefix    = local.velero[\"iam_use_name_prefix\"]\n  enable_oidc        = true\n  oidc_provider_urls = [replace(var.eks[\"cluster_oidc_issuer_url\"], \"https://\", \"\")]\n  policies           = local.velero[\"enabled\"] && local.velero[\"create_iam_resources_irsa\"] ? { velero = aws_iam_policy.velero[0].arn } : {}\n  oidc_subjects      = [\"system:serviceaccount:${local.velero[\"namespace\"]}:${local.velero[\"service_account_name\"]}\"]\n  tags               = local.tags\n}\n\nresource \"aws_iam_policy\" \"velero\" {\n  count  = local.velero[\"enabled\"] && local.velero[\"create_iam_resources_irsa\"] ? 1 : 0\n  name   = local.velero[\"name_prefix\"]\n  policy = local.velero[\"iam_policy_override\"] == null ? data.aws_iam_policy_document.velero.0.json : local.velero[\"iam_policy_override\"]\n  tags   = local.tags\n}\n\ndata \"aws_iam_policy_document\" \"velero\" {\n  count = local.velero.enabled && local.velero.create_iam_resources_irsa ? 1 : 0\n  source_policy_documents = [\n    data.aws_iam_policy_document.velero_default.0.json,\n    local.velero.kms_key_arn_access_list != [] ? 
data.aws_iam_policy_document.velero_kms.0.json : jsonencode({})\n  ]\n}\n\ndata \"aws_iam_policy_document\" \"velero_default\" {\n  count = local.velero.enabled && local.velero.create_iam_resources_irsa ? 1 : 0\n  statement {\n    effect = \"Allow\"\n    actions = [\n      \"ec2:DescribeVolumes\",\n      \"ec2:DescribeSnapshots\",\n      \"ec2:CreateTags\",\n      \"ec2:CreateVolume\",\n      \"ec2:CreateSnapshot\",\n      \"ec2:DeleteSnapshot\"\n    ]\n    resources = [\"*\"]\n  }\n\n  statement {\n    effect = \"Allow\"\n    actions = [\n      \"s3:GetObject\",\n      \"s3:DeleteObject\",\n      \"s3:PutObject\",\n      \"s3:AbortMultipartUpload\",\n      \"s3:ListMultipartUploadParts\"\n    ]\n    resources = [\"arn:aws:s3:::${local.velero.bucket}/*\"]\n  }\n\n  statement {\n    effect = \"Allow\"\n\n    actions = [\n      \"s3:ListBucket\"\n    ]\n    resources = [\"arn:aws:s3:::${local.velero.bucket}\"]\n  }\n}\n\ndata \"aws_iam_policy_document\" \"velero_kms\" {\n  count = local.velero.enabled && local.velero.create_iam_resources_irsa && local.velero.kms_key_arn_access_list != [] ? 
1 : 0\n\n  statement {\n    effect = \"Allow\"\n    actions = [\n      \"kms:CreateGrant\",\n      \"kms:ListGrants\",\n      \"kms:RevokeGrant\"\n    ]\n    resources = local.velero.kms_key_arn_access_list\n    condition {\n      test     = \"Bool\"\n      variable = \"kms:GrantIsForAWSResource\"\n      values   = [\"true\"]\n    }\n  }\n\n  statement {\n    effect = \"Allow\"\n    actions = [\n      \"kms:Encrypt\",\n      \"kms:Decrypt\",\n      \"kms:ReEncrypt*\",\n      \"kms:GenerateDataKey*\",\n      \"kms:DescribeKey\"\n    ]\n    resources = local.velero.kms_key_arn_access_list\n  }\n}\n\nmodule \"velero_thanos_bucket\" {\n  create_bucket = local.velero.enabled && local.velero.create_bucket\n\n  source  = \"terraform-aws-modules/s3-bucket/aws\"\n  version = \"~> 5.0\"\n\n  control_object_ownership = true\n  object_ownership         = \"ObjectWriter\"\n\n  force_destroy = local.velero.bucket_force_destroy\n\n  bucket = local.velero.bucket\n  acl    = \"private\"\n\n  versioning = {\n    status = true\n  }\n\n  server_side_encryption_configuration = {\n    rule = {\n      apply_server_side_encryption_by_default = {\n        sse_algorithm = \"AES256\"\n      }\n    }\n  }\n\n  logging = local.s3-logging.enabled ? {\n    target_bucket = local.s3-logging.create_bucket ? module.s3_logging_bucket.s3_bucket_id : local.s3-logging.custom_bucket_id\n    target_prefix = \"${var.cluster-name}/${local.velero.name}/\"\n  } : {}\n\n  attach_deny_insecure_transport_policy = local.velero.bucket_enforce_tls\n\n  tags = local.tags\n}\n\nresource \"kubernetes_namespace\" \"velero\" {\n  count = local.velero[\"enabled\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name = local.velero[\"namespace\"]\n    }\n\n    name = local.velero[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"velero\" {\n  count                 = local.velero[\"enabled\"] ? 
1 : 0\n  repository            = local.velero[\"repository\"]\n  name                  = local.velero[\"name\"]\n  chart                 = local.velero[\"chart\"]\n  version               = local.velero[\"chart_version\"]\n  timeout               = local.velero[\"timeout\"]\n  force_update          = local.velero[\"force_update\"]\n  recreate_pods         = local.velero[\"recreate_pods\"]\n  wait                  = local.velero[\"wait\"]\n  atomic                = local.velero[\"atomic\"]\n  cleanup_on_fail       = local.velero[\"cleanup_on_fail\"]\n  dependency_update     = local.velero[\"dependency_update\"]\n  disable_crd_hooks     = local.velero[\"disable_crd_hooks\"]\n  disable_webhooks      = local.velero[\"disable_webhooks\"]\n  render_subchart_notes = local.velero[\"render_subchart_notes\"]\n  replace               = local.velero[\"replace\"]\n  reset_values          = local.velero[\"reset_values\"]\n  reuse_values          = local.velero[\"reuse_values\"]\n  skip_crds             = local.velero[\"skip_crds\"]\n  verify                = local.velero[\"verify\"]\n  values = compact([\n    local.values_velero,\n    local.velero[\"extra_values\"]\n  ])\n  namespace = kubernetes_namespace.velero.*.metadata.0.name[count.index]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"velero_default_deny\" {\n  count = local.velero[\"enabled\"] && local.velero[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.velero.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.velero.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"velero_allow_namespace\" {\n  count = local.velero[\"enabled\"] && local.velero[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.velero.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.velero.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.velero.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"velero_allow_monitoring\" {\n  count = local.velero[\"enabled\"] && local.velero[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.velero.*.metadata.0.name[count.index]}-allow-monitoring\"\n    namespace = kubernetes_namespace.velero.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      ports {\n        port     = \"8085\"\n        protocol = \"TCP\"\n      }\n\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"monitoring\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "modules/aws/versions.tf",
    "content": "terraform {\n  required_version = \">= 1.5.7\"\n  required_providers {\n    aws = {\n      source  = \"hashicorp/aws\"\n      version = \">= 6.28\"\n    }\n    helm = {\n      source  = \"hashicorp/helm\"\n      version = \"~> 3.0\"\n    }\n    kubernetes = {\n      source  = \"hashicorp/kubernetes\"\n      version = \"~> 2.0, != 2.12\"\n    }\n    kubectl = {\n      source  = \"alekc/kubectl\"\n      version = \"~> 2.0\"\n    }\n    flux = {\n      source  = \"fluxcd/flux\"\n      version = \"~> 1.0\"\n    }\n    github = {\n      source  = \"integrations/github\"\n      version = \"~> 6.0\"\n    }\n    tls = {\n      source  = \"hashicorp/tls\"\n      version = \"~> 4.0\"\n    }\n    http = {\n      source  = \"hashicorp/http\"\n      version = \">= 3\"\n    }\n  }\n}\n"
  },
  {
    "path": "modules/aws/victoria-metrics-k8s-stack.tf",
    "content": "locals {\n  victoria-metrics-k8s-stack = merge(\n    local.helm_defaults,\n    {\n      name                             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"victoria-metrics-k8s-stack\")].name\n      chart                            = local.helm_dependencies[index(local.helm_dependencies.*.name, \"victoria-metrics-k8s-stack\")].name\n      repository                       = local.helm_dependencies[index(local.helm_dependencies.*.name, \"victoria-metrics-k8s-stack\")].repository\n      chart_version                    = local.helm_dependencies[index(local.helm_dependencies.*.name, \"victoria-metrics-k8s-stack\")].version\n      namespace                        = \"monitoring\"\n      enabled                          = false\n      allowed_cidrs                    = [\"0.0.0.0/0\"]\n      default_network_policy           = true\n      install_prometheus_operator_crds = true\n    },\n    var.victoria-metrics-k8s-stack\n  )\n\n  values_victoria-metrics-k8s-stack = <<VALUES\nkubeScheduler:\n  enabled: false\nkubeControllerManager:\n  enabled: false\nkubeEtcd:\n  enabled: false\nkubeProxy:\n  enabled: false\ngrafana:\n  adminPassword: ${join(\",\", random_string.grafana_password.*.result)}\nprometheus-node-exporter:\n  priorityClassName: ${local.priority-class-ds[\"create\"] ? 
kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : \"\"}\nvictoria-metrics-operator:\n  createCRD: false\n  operator:\n    disable_prometheus_converter: false\n    enable_converter_ownership: true\n    useCustomConfigReloader: true\nvmsingle:\n  spec:\n    extraArgs:\n      maxLabelsPerTimeseries: \"50\"\nvmagent:\n  spec:\n    externalLabels:\n      cluster: ${var.cluster-name}\n    serviceScrapeNamespaceSelector: {}\n    podScrapeNamespaceSelector: {}\n    podScrapeSelector: {}\n    serviceScrapeSelector: {}\n    nodeScrapeSelector: {}\n    nodeScrapeNamespaceSelector: {}\n    staticScrapeSelector: {}\n    staticScrapeNamespaceSelector: {}\nVALUES\n\n}\n\nresource \"kubernetes_namespace\" \"victoria-metrics-k8s-stack\" {\n  count = local.victoria-metrics-k8s-stack[\"enabled\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.victoria-metrics-k8s-stack[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"monitoring\"\n    }\n\n    name = local.victoria-metrics-k8s-stack[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"victoria-metrics-k8s-stack\" {\n  count                 = local.victoria-metrics-k8s-stack[\"enabled\"] ? 
1 : 0\n  repository            = local.victoria-metrics-k8s-stack[\"repository\"]\n  name                  = local.victoria-metrics-k8s-stack[\"name\"]\n  chart                 = local.victoria-metrics-k8s-stack[\"chart\"]\n  version               = local.victoria-metrics-k8s-stack[\"chart_version\"]\n  timeout               = local.victoria-metrics-k8s-stack[\"timeout\"]\n  force_update          = local.victoria-metrics-k8s-stack[\"force_update\"]\n  recreate_pods         = local.victoria-metrics-k8s-stack[\"recreate_pods\"]\n  wait                  = local.victoria-metrics-k8s-stack[\"wait\"]\n  atomic                = local.victoria-metrics-k8s-stack[\"atomic\"]\n  cleanup_on_fail       = local.victoria-metrics-k8s-stack[\"cleanup_on_fail\"]\n  dependency_update     = local.victoria-metrics-k8s-stack[\"dependency_update\"]\n  disable_crd_hooks     = local.victoria-metrics-k8s-stack[\"disable_crd_hooks\"]\n  disable_webhooks      = local.victoria-metrics-k8s-stack[\"disable_webhooks\"]\n  render_subchart_notes = local.victoria-metrics-k8s-stack[\"render_subchart_notes\"]\n  replace               = local.victoria-metrics-k8s-stack[\"replace\"]\n  reset_values          = local.victoria-metrics-k8s-stack[\"reset_values\"]\n  reuse_values          = local.victoria-metrics-k8s-stack[\"reuse_values\"]\n  skip_crds             = local.victoria-metrics-k8s-stack[\"skip_crds\"]\n  verify                = local.victoria-metrics-k8s-stack[\"verify\"]\n  values = compact([\n    local.values_victoria-metrics-k8s-stack,\n    local.kong[\"enabled\"] ? local.values_dashboard_kong : null,\n    local.cert-manager[\"enabled\"] ? local.values_dashboard_cert-manager : null,\n    local.cluster-autoscaler[\"enabled\"] ? local.values_dashboard_cluster-autoscaler : null,\n    local.ingress-nginx[\"enabled\"] ? 
local.values_dashboard_ingress-nginx : null,\n    local.values_dashboard_node_exporter,\n    local.victoria-metrics-k8s-stack[\"extra_values\"]\n  ])\n  namespace = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]\n\n  depends_on = [\n    helm_release.ingress-nginx,\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"victoria-metrics-k8s-stack_default_deny\" {\n  count = local.victoria-metrics-k8s-stack[\"enabled\"] && local.victoria-metrics-k8s-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"victoria-metrics-k8s-stack_allow_namespace\" {\n  count = local.victoria-metrics-k8s-stack[\"enabled\"] && local.victoria-metrics-k8s-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"victoria-metrics-k8s-stack_allow_ingress\" {\n  count = local.victoria-metrics-k8s-stack[\"enabled\"] && local.victoria-metrics-k8s-stack[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]}-allow-ingress\"\n    namespace = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"ingress\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"victoria-metrics-k8s-stack_allow_control_plane\" {\n  count = local.victoria-metrics-k8s-stack[\"enabled\"] && local.victoria-metrics-k8s-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]}-allow-control-plane\"\n    namespace = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n      match_expressions {\n        key      = \"app\"\n        operator = \"In\"\n        values   = [\"${local.victoria-metrics-k8s-stack[\"name\"]}-operator\"]\n      }\n    }\n\n    ingress {\n      ports {\n        port     = \"10250\"\n        protocol = \"TCP\"\n      }\n\n      dynamic \"from\" {\n        for_each = local.victoria-metrics-k8s-stack[\"allowed_cidrs\"]\n        content {\n          ip_block {\n            cidr = from.value\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
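The four `kubernetes_network_policy` resources in `victoria-metrics-k8s-stack.tf` only make sense together: `default-deny` selects every pod and admits nothing, the `allow-namespace` and `allow-ingress` policies re-open intra-namespace traffic and traffic from namespaces labelled `<labels_prefix>/component=ingress`, and `allow-control-plane` opens TCP 10250 on the operator pods to `allowed_cidrs`. Because Kubernetes evaluates policies additively and treats an ingress rule with ports but no `from` peers as "any source", the last policy quietly becomes world-reachable on 10250 if `allowed_cidrs` is ever empty. The simulator below is an added example, not part of the module; it re-expresses those four resources as Python objects with assumed values for `labels_prefix` (`k8s.example.com`), the release name and the namespace, and checks who can reach which pod.

```python
"""Simulate the ingress NetworkPolicies created by victoria-metrics-k8s-stack.tf.

Added example, not module code. Policies are hand-written equivalents of the
four kubernetes_network_policy resources; NS, PREFIX and RELEASE are assumed
values standing in for the module's locals.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

NS = "monitoring"                       # assumed local.victoria-metrics-k8s-stack["namespace"]
PREFIX = "k8s.example.com"              # assumed local.labels_prefix
RELEASE = "victoria-metrics-k8s-stack"  # assumed local.victoria-metrics-k8s-stack["name"]


@dataclass
class Source:
    """Origin of a connection: a pod (with its namespace labels) or a bare IP."""
    ip: str
    ns_labels: dict = field(default_factory=dict)  # empty for non-pod sources


@dataclass
class Rule:
    """One ingress rule: peers (any may match) and optional TCP port list."""
    peers: list                      # ("ns", {labels}) or ("cidr", "a.b.c.d/n")
    ports: Optional[list] = None     # None means any port

    def matches(self, src: Source, port: int) -> bool:
        if self.ports is not None and port not in self.ports:
            return False
        if not self.peers:
            # Kubernetes semantics: an empty or missing "from" matches ALL sources.
            return True
        for kind, sel in self.peers:
            if kind == "ns" and src.ns_labels and all(
                src.ns_labels.get(k) == v for k, v in sel.items()
            ):
                return True
            if kind == "cidr" and ipaddress.ip_address(src.ip) in ipaddress.ip_network(sel):
                return True
        return False


@dataclass
class Policy:
    name: str
    pod_selector: dict  # {} selects every pod in the namespace
    rules: list         # [] means the policy admits nothing (pure deny)

    def selects(self, pod_labels: dict) -> bool:
        return all(pod_labels.get(k) == v for k, v in self.pod_selector.items())


def build_policies(allowed_cidrs):
    """The module's four resources, in the order they appear in the .tf file."""
    return [
        Policy(f"{NS}-default-deny", {}, []),
        Policy(f"{NS}-allow-namespace", {}, [Rule([("ns", {"name": NS})])]),
        Policy(f"{NS}-allow-ingress", {},
               [Rule([("ns", {f"{PREFIX}/component": "ingress"})])]),
        # match_expressions app In [<release>-operator] is equivalent to this match_labels
        Policy(f"{NS}-allow-control-plane", {"app": f"{RELEASE}-operator"},
               [Rule([("cidr", c) for c in allowed_cidrs], ports=[10250])]),
    ]


def is_allowed(policies, pod_labels, src, port):
    """Additive evaluation: a pod selected by at least one policy is isolated and
    accepts only connections some selecting policy's rule matches; a pod no
    policy selects stays open."""
    selected = [p for p in policies if p.selects(pod_labels)]
    if not selected:
        return True
    return any(r.matches(src, port) for p in selected for r in p.rules)


if __name__ == "__main__":
    pols = build_policies(["10.0.0.0/16"])
    operator = {"app": f"{RELEASE}-operator"}
    print(is_allowed(pols, operator, Source("10.0.5.5"), 10250))      # True
    print(is_allowed(build_policies([]), operator, Source("203.0.113.9"), 10250))  # True: open!
```

Run with an empty `allowed_cidrs` list and the last check shows the failure mode: the operator's port 10250 becomes reachable from any address, which is the case to guard against when overriding that variable.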
  {
    "path": "modules/aws/yet-another-cloudwatch-exporter.tf",
    "content": "locals {\n  yet-another-cloudwatch-exporter = merge(\n    local.helm_defaults,\n    {\n      name                      = local.helm_dependencies[index(local.helm_dependencies.*.name, \"yet-another-cloudwatch-exporter\")].name\n      chart                     = local.helm_dependencies[index(local.helm_dependencies.*.name, \"yet-another-cloudwatch-exporter\")].name\n      repository                = local.helm_dependencies[index(local.helm_dependencies.*.name, \"yet-another-cloudwatch-exporter\")].repository\n      chart_version             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"yet-another-cloudwatch-exporter\")].version\n      namespace                 = \"monitoring\"\n      create_ns                 = false\n      enabled                   = false\n      default_network_policy    = true\n      service_account_name      = \"yace\"\n      create_iam_resources_irsa = true\n      iam_policy_override       = null\n      name_prefix               = \"${var.cluster-name}-yace\"\n      iam_use_name_prefix       = false\n    },\n    var.yet-another-cloudwatch-exporter\n  )\n\n  values_yet-another-cloudwatch-exporter = <<-VALUES\n    serviceMonitor:\n      enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\n    serviceAccount:\n      name: ${local.yet-another-cloudwatch-exporter[\"service_account_name\"]}\n      annotations:\n        eks.amazonaws.com/role-arn: \"${local.yet-another-cloudwatch-exporter[\"enabled\"] && local.yet-another-cloudwatch-exporter[\"create_iam_resources_irsa\"] ? 
module.iam_assumable_role_yet-another-cloudwatch-exporter.arn : \"\"}\"\n    VALUES\n}\n\nmodule \"iam_assumable_role_yet-another-cloudwatch-exporter\" {\n  source             = \"terraform-aws-modules/iam/aws//modules/iam-role\"\n  version            = \"~> 6.0\"\n  create             = local.yet-another-cloudwatch-exporter[\"enabled\"] && local.yet-another-cloudwatch-exporter[\"create_iam_resources_irsa\"]\n  name               = local.yet-another-cloudwatch-exporter[\"name_prefix\"]\n  use_name_prefix    = local.yet-another-cloudwatch-exporter[\"iam_use_name_prefix\"]\n  enable_oidc        = true\n  oidc_provider_urls = [replace(var.eks[\"cluster_oidc_issuer_url\"], \"https://\", \"\")]\n  policies           = local.yet-another-cloudwatch-exporter[\"enabled\"] && local.yet-another-cloudwatch-exporter[\"create_iam_resources_irsa\"] ? { yet-another-cloudwatch-exporter = aws_iam_policy.yet-another-cloudwatch-exporter[0].arn } : {}\n  oidc_subjects      = [\"system:serviceaccount:${local.yet-another-cloudwatch-exporter[\"namespace\"]}:${local.yet-another-cloudwatch-exporter[\"service_account_name\"]}\"]\n  tags               = local.tags\n}\n\nresource \"aws_iam_policy\" \"yet-another-cloudwatch-exporter\" {\n  count  = local.yet-another-cloudwatch-exporter[\"enabled\"] && local.yet-another-cloudwatch-exporter[\"create_iam_resources_irsa\"] ? 1 : 0\n  name   = local.yet-another-cloudwatch-exporter[\"name_prefix\"]\n  policy = local.yet-another-cloudwatch-exporter[\"iam_policy_override\"] == null ? 
data.aws_iam_policy_document.yet-another-cloudwatch-exporter.json : local.yet-another-cloudwatch-exporter[\"iam_policy_override\"]\n  tags   = local.tags\n}\n\ndata \"aws_iam_policy_document\" \"yet-another-cloudwatch-exporter\" {\n  statement {\n    effect = \"Allow\"\n\n    actions = [\n      \"tag:GetResources\",\n      \"cloudwatch:GetMetricData\",\n      \"cloudwatch:GetMetricStatistics\",\n      \"cloudwatch:ListMetrics\",\n      \"ec2:DescribeTags\",\n      \"ec2:DescribeInstances\",\n      \"ec2:DescribeRegions\",\n      \"ec2:DescribeTransitGateway*\",\n      \"apigateway:GET\",\n      \"dms:DescribeReplicationInstances\",\n      \"dms:DescribeReplicationTasks\"\n    ]\n\n    resources = [\"*\"]\n  }\n}\n\nresource \"kubernetes_namespace\" \"yet-another-cloudwatch-exporter\" {\n  count = local.yet-another-cloudwatch-exporter[\"enabled\"] && local.yet-another-cloudwatch-exporter[\"create_ns\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.yet-another-cloudwatch-exporter[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"monitoring\"\n    }\n\n    name = local.yet-another-cloudwatch-exporter[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"yet-another-cloudwatch-exporter\" {\n  count                 = local.yet-another-cloudwatch-exporter[\"enabled\"] ? 
1 : 0\n  repository            = local.yet-another-cloudwatch-exporter[\"repository\"]\n  name                  = local.yet-another-cloudwatch-exporter[\"name\"]\n  chart                 = local.yet-another-cloudwatch-exporter[\"chart\"]\n  version               = local.yet-another-cloudwatch-exporter[\"chart_version\"]\n  timeout               = local.yet-another-cloudwatch-exporter[\"timeout\"]\n  force_update          = local.yet-another-cloudwatch-exporter[\"force_update\"]\n  recreate_pods         = local.yet-another-cloudwatch-exporter[\"recreate_pods\"]\n  wait                  = local.yet-another-cloudwatch-exporter[\"wait\"]\n  atomic                = local.yet-another-cloudwatch-exporter[\"atomic\"]\n  cleanup_on_fail       = local.yet-another-cloudwatch-exporter[\"cleanup_on_fail\"]\n  dependency_update     = local.yet-another-cloudwatch-exporter[\"dependency_update\"]\n  disable_crd_hooks     = local.yet-another-cloudwatch-exporter[\"disable_crd_hooks\"]\n  disable_webhooks      = local.yet-another-cloudwatch-exporter[\"disable_webhooks\"]\n  render_subchart_notes = local.yet-another-cloudwatch-exporter[\"render_subchart_notes\"]\n  replace               = local.yet-another-cloudwatch-exporter[\"replace\"]\n  reset_values          = local.yet-another-cloudwatch-exporter[\"reset_values\"]\n  reuse_values          = local.yet-another-cloudwatch-exporter[\"reuse_values\"]\n  skip_crds             = local.yet-another-cloudwatch-exporter[\"skip_crds\"]\n  verify                = local.yet-another-cloudwatch-exporter[\"verify\"]\n  values = [\n    local.values_yet-another-cloudwatch-exporter,\n    local.yet-another-cloudwatch-exporter[\"extra_values\"]\n  ]\n  namespace = local.yet-another-cloudwatch-exporter[\"create_ns\"] ? 
kubernetes_namespace.yet-another-cloudwatch-exporter.*.metadata.0.name[count.index] : local.yet-another-cloudwatch-exporter[\"namespace\"]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"yet-another-cloudwatch-exporter_default_deny\" {\n  count = local.yet-another-cloudwatch-exporter[\"create_ns\"] && local.yet-another-cloudwatch-exporter[\"enabled\"] && local.yet-another-cloudwatch-exporter[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.yet-another-cloudwatch-exporter.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.yet-another-cloudwatch-exporter.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"yet-another-cloudwatch-exporter_allow_namespace\" {\n  count = local.yet-another-cloudwatch-exporter[\"create_ns\"] && local.yet-another-cloudwatch-exporter[\"enabled\"] && local.yet-another-cloudwatch-exporter[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.yet-another-cloudwatch-exporter.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.yet-another-cloudwatch-exporter.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.yet-another-cloudwatch-exporter.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
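The IRSA wiring in `yet-another-cloudwatch-exporter.tf` has two halves worth verifying after an apply: the role's trust policy must accept exactly the `system:serviceaccount:<namespace>:<service_account_name>` subject passed in `oidc_subjects`, and the attached permissions policy should stay read-only, since `resources = ["*"]` is only defensible for Describe/List/Get style calls. The script below is an added example, not module code: it builds the trust document an IRSA role of this shape carries (account id and OIDC issuer host are assumed values), extracts the subjects it trusts, and audits the `aws_iam_policy_document` statement from the file for any action that is not read-only.

```python
"""Audit the IRSA role and policy wired up by yet-another-cloudwatch-exporter.tf.

Added example, not module code. ACCOUNT and ISSUER are assumed values; the
namespace and service account name are the module defaults; YACE_POLICY is
the statement from data.aws_iam_policy_document.yet-another-cloudwatch-exporter.
"""
import json
import re

ACCOUNT = "123456789012"                                            # assumed
ISSUER = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEDEADBEEF"      # assumed, https:// already stripped
NAMESPACE = "monitoring"   # local.yet-another-cloudwatch-exporter["namespace"]
SERVICE_ACCOUNT = "yace"   # local.yet-another-cloudwatch-exporter["service_account_name"]

YACE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "tag:GetResources",
            "cloudwatch:GetMetricData",
            "cloudwatch:GetMetricStatistics",
            "cloudwatch:ListMetrics",
            "ec2:DescribeTags",
            "ec2:DescribeInstances",
            "ec2:DescribeRegions",
            "ec2:DescribeTransitGateway*",
            "apigateway:GET",
            "dms:DescribeReplicationInstances",
            "dms:DescribeReplicationTasks",
        ],
        "Resource": "*",
    }],
}

# API verbs that only read; anything else (Put*, Create*, Delete*, "*") is flagged.
READ_ONLY_VERBS = re.compile(r"^(Get|List|Describe|GET)")


def irsa_trust_policy(account, issuer, namespace, service_account):
    """Trust policy letting only one Kubernetes service account assume the role:
    the web-identity token's sub and aud claims must both match exactly."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account}:oidc-provider/{issuer}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                f"{issuer}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def trust_policy_subjects(policy):
    """Return (exact, wildcard) :sub values a trust policy accepts. Anything under
    StringLike is reported separately because '*' there widens who may assume."""
    exact, like = [], []
    for st in policy["Statement"]:
        cond = st.get("Condition", {})
        for op, bucket in (("StringEquals", exact), ("StringLike", like)):
            for key, val in cond.get(op, {}).items():
                if key.endswith(":sub"):
                    bucket.extend(val if isinstance(val, list) else [val])
    return exact, like


def non_read_only_actions(policy):
    """Actions in Allow statements whose verb is not Get/List/Describe, including
    service-wide wildcards such as 'ec2:*' that could expand to write calls."""
    flagged = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        for action in actions if isinstance(actions, list) else [actions]:
            _service, _, verb = action.partition(":")
            if not verb or verb == "*" or not READ_ONLY_VERBS.match(verb):
                flagged.append(action)
    return flagged


if __name__ == "__main__":
    trust = irsa_trust_policy(ACCOUNT, ISSUER, NAMESPACE, SERVICE_ACCOUNT)
    print(json.dumps(trust, indent=2))
    print("trusted subjects:", trust_policy_subjects(trust))
    print("non read-only actions:", non_read_only_actions(YACE_POLICY))
```

`non_read_only_actions` is meant for the `iam_policy_override` path as well: feed it the override document before applying, since that variable replaces the read-only statement wholesale and nothing in the module re-checks it.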
  {
    "path": "modules/azure/.terraform-docs.yml",
    "content": "settings:\n  lockfile: false\n"
  },
  {
    "path": "modules/azure/README.md",
    "content": "## About\n\nProvides various Kubernetes addons that are often used on Kubernetes with Azure\n\n<!-- BEGIN_TF_DOCS -->\n## Requirements\n\n| Name | Version |\n| ---- | ------- |\n| <a name=\"requirement_terraform\"></a> [terraform](#requirement\\_terraform) | >= 1.5.7 |\n| <a name=\"requirement_azurerm\"></a> [azurerm](#requirement\\_azurerm) | ~> 4.0 |\n| <a name=\"requirement_flux\"></a> [flux](#requirement\\_flux) | ~> 1.0 |\n| <a name=\"requirement_github\"></a> [github](#requirement\\_github) | ~> 6.0 |\n| <a name=\"requirement_helm\"></a> [helm](#requirement\\_helm) | ~> 3.0 |\n| <a name=\"requirement_http\"></a> [http](#requirement\\_http) | >= 3 |\n| <a name=\"requirement_kubectl\"></a> [kubectl](#requirement\\_kubectl) | ~> 2.0 |\n| <a name=\"requirement_kubernetes\"></a> [kubernetes](#requirement\\_kubernetes) | ~> 2.0, != 2.12 |\n| <a name=\"requirement_tls\"></a> [tls](#requirement\\_tls) | ~> 4.0 |\n\n## Providers\n\n| Name | Version |\n| ---- | ------- |\n| <a name=\"provider_flux\"></a> [flux](#provider\\_flux) | ~> 1.0 |\n| <a name=\"provider_github\"></a> [github](#provider\\_github) | ~> 6.0 |\n| <a name=\"provider_helm\"></a> [helm](#provider\\_helm) | ~> 3.0 |\n| <a name=\"provider_http\"></a> [http](#provider\\_http) | >= 3 |\n| <a name=\"provider_kubectl\"></a> [kubectl](#provider\\_kubectl) | ~> 2.0 |\n| <a name=\"provider_kubernetes\"></a> [kubernetes](#provider\\_kubernetes) | ~> 2.0, != 2.12 |\n| <a name=\"provider_random\"></a> [random](#provider\\_random) | n/a |\n| <a name=\"provider_time\"></a> [time](#provider\\_time) | n/a |\n| <a name=\"provider_tls\"></a> [tls](#provider\\_tls) | ~> 4.0 |\n\n## Modules\n\nNo modules.\n\n## Resources\n\n| Name | Type |\n| ---- | ---- |\n| [flux_bootstrap_git.flux](https://registry.terraform.io/providers/fluxcd/flux/latest/docs/resources/bootstrap_git) | resource |\n| 
[github_branch_default.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_default) | resource |\n| [github_repository.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository) | resource |\n| [github_repository_deploy_key.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_deploy_key) | resource |\n| [helm_release.admiralty](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.cert-manager](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.cert-manager-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.grafana-mcp](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.ingress-nginx](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.k8gb](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.karma](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.keda](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.kong](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.linkerd-control-plane](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.linkerd-crds](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| 
[helm_release.linkerd-viz](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.loki-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.node-problem-detector](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.prometheus-blackbox-exporter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.reloader](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.sealed-secrets](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.secrets-store-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.tigera-operator](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.traefik](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.victoria-metrics-k8s-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [kubectl_manifest.calico_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.cert-manager_cluster_issuers](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| 
[kubectl_manifest.csi-external-snapshotter](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.kong_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.linkerd](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.linkerd-viz](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.prometheus-operator_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.tigera-operator_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubernetes_config_map.loki-stack_grafana_ds](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |\n| [kubernetes_namespace.admiralty](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.cert-manager](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.flux2](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.grafana-mcp](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.ingress-nginx](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.k8gb](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.karma](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| 
[kubernetes_namespace.keda](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.kong](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.linkerd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.linkerd-viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.loki-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.node-problem-detector](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.prometheus-blackbox-exporter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.reloader](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.sealed-secrets](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.secrets-store-csi-driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| 
[kubernetes_namespace.tigera-operator](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.traefik](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.victoria-metrics-k8s-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_network_policy.admiralty_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.admiralty_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.cert-manager_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.cert-manager_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.cert-manager_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.cert-manager_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.flux2_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.flux2_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.grafana-mcp_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.grafana-mcp_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.k8gb_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.k8gb_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.karma_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.karma_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.karma_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.keda_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.keda_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kong_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kong_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kong_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kong_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.kube-prometheus-stack_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kube-prometheus-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kube-prometheus-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kube-prometheus-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.linkerd-viz_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.linkerd-viz_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.linkerd-viz_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.linkerd-viz_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.linkerd2-cni_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.linkerd2-cni_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.loki-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.loki-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.loki-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.npd_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.npd_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.prometheus-adapter_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.prometheus-adapter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.prometheus-blackbox-exporter_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.prometheus-blackbox-exporter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.reloader_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.reloader_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.sealed-secrets_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.sealed-secrets_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.secrets-store-csi-driver_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.secrets-store-csi-driver_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.tigera-operator_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.tigera-operator_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.traefik_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.traefik_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.traefik_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.traefik_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.victoria-metrics-k8s-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.victoria-metrics-k8s-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_priority_class.kubernetes_addons](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/priority_class) | resource |\n| [kubernetes_priority_class.kubernetes_addons_ds](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/priority_class) | resource |\n| [kubernetes_secret.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |\n| [kubernetes_secret.loki-stack-ca](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |\n| [kubernetes_secret.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |\n| [random_string.grafana_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |\n| [time_sleep.cert-manager_sleep](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |\n| [tls_cert_request.promtail-csr](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource |\n| [tls_locally_signed_cert.promtail-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/locally_signed_cert) | resource |\n| [tls_private_key.identity](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_private_key.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| 
[tls_private_key.loki-stack-ca-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_private_key.promtail-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_private_key.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_self_signed_cert.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |\n| [tls_self_signed_cert.loki-stack-ca-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |\n| [tls_self_signed_cert.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |\n| [github_repository.main](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/repository) | data source |\n| [http_http.calico_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |\n| [http_http.csi-external-snapshotter](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |\n| [http_http.kong_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |\n| [http_http.prometheus-operator_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |\n| [http_http.prometheus-operator_version](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |\n| [http_http.tigera-operator_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |\n| [kubectl_file_documents.calico_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |\n| 
[kubectl_file_documents.csi-external-snapshotter](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |\n| [kubectl_file_documents.kong_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |\n| [kubectl_file_documents.tigera-operator_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |\n| [kubectl_path_documents.cert-manager_cluster_issuers](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/path_documents) | data source |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n| ---- | ----------- | ---- | ------- | :------: |\n| <a name=\"input_admiralty\"></a> [admiralty](#input\\_admiralty) | Customize admiralty chart, see `admiralty.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_cert-manager\"></a> [cert-manager](#input\\_cert-manager) | Customize cert-manager chart, see `cert-manager.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_cert-manager-csi-driver\"></a> [cert-manager-csi-driver](#input\\_cert-manager-csi-driver) | Customize cert-manager-csi-driver chart, see `cert-manager.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_cluster-autoscaler\"></a> [cluster-autoscaler](#input\\_cluster-autoscaler) | Customize cluster-autoscaler chart, see `cluster-autoscaler.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_cluster-name\"></a> [cluster-name](#input\\_cluster-name) | Name of the Kubernetes cluster | `string` | `\"sample-cluster\"` | no |\n| <a name=\"input_csi-external-snapshotter\"></a> [csi-external-snapshotter](#input\\_csi-external-snapshotter) | Customize csi-external-snapshotter, see `csi-external-snapshotter.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_external-dns\"></a> [external-dns](#input\\_external-dns) | Map of map for external-dns 
configuration: see `external_dns.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_flux2\"></a> [flux2](#input\\_flux2) | Customize Flux chart, see `flux2.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_grafana-mcp\"></a> [grafana-mcp](#input\\_grafana-mcp) | Customize grafana-mcp chart, see `grafana-mcp.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_helm_defaults\"></a> [helm\\_defaults](#input\\_helm\\_defaults) | Customize default Helm behavior | `any` | `{}` | no |\n| <a name=\"input_ingress-nginx\"></a> [ingress-nginx](#input\\_ingress-nginx) | Customize ingress-nginx chart, see `nginx-ingress.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_ip-masq-agent\"></a> [ip-masq-agent](#input\\_ip-masq-agent) | Configure ip masq agent chart, see `ip-masq-agent.tf` for supported values. This addon works only on GCP. | `any` | `{}` | no |\n| <a name=\"input_k8gb\"></a> [k8gb](#input\\_k8gb) | Customize k8gb chart, see `k8gb.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_karma\"></a> [karma](#input\\_karma) | Customize karma chart, see `karma.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_keda\"></a> [keda](#input\\_keda) | Customize keda chart, see `keda.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_kong\"></a> [kong](#input\\_kong) | Customize kong-ingress chart, see `kong.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_kube-prometheus-stack\"></a> [kube-prometheus-stack](#input\\_kube-prometheus-stack) | Customize kube-prometheus-stack chart, see `kube-prometheus-stack.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_labels_prefix\"></a> [labels\\_prefix](#input\\_labels\\_prefix) | Custom label prefix used for network policy namespace matching | `string` | `\"particule.io\"` | no |\n| <a name=\"input_linkerd\"></a> [linkerd](#input\\_linkerd) | Customize linkerd chart, see `linkerd.tf` for supported values 
| `any` | `{}` | no |\n| <a name=\"input_linkerd-viz\"></a> [linkerd-viz](#input\\_linkerd-viz) | Customize linkerd-viz chart, see `linkerd-viz.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_linkerd2\"></a> [linkerd2](#input\\_linkerd2) | Customize linkerd2 chart, see `linkerd2.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_linkerd2-cni\"></a> [linkerd2-cni](#input\\_linkerd2-cni) | Customize linkerd2-cni chart, see `linkerd2-cni.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_loki-stack\"></a> [loki-stack](#input\\_loki-stack) | Customize loki-stack chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_metrics-server\"></a> [metrics-server](#input\\_metrics-server) | Customize metrics-server chart, see `metrics_server.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_npd\"></a> [npd](#input\\_npd) | Customize node-problem-detector chart, see `npd.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_priority-class\"></a> [priority-class](#input\\_priority-class) | Customize a priority class for addons | `any` | `{}` | no |\n| <a name=\"input_priority-class-ds\"></a> [priority-class-ds](#input\\_priority-class-ds) | Customize a priority class for addons daemonsets | `any` | `{}` | no |\n| <a name=\"input_prometheus-adapter\"></a> [prometheus-adapter](#input\\_prometheus-adapter) | Customize prometheus-adapter chart, see `prometheus-adapter.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_prometheus-blackbox-exporter\"></a> [prometheus-blackbox-exporter](#input\\_prometheus-blackbox-exporter) | Customize prometheus-blackbox-exporter chart, see `prometheus-blackbox-exporter.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_promtail\"></a> [promtail](#input\\_promtail) | Customize promtail chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_reloader\"></a> 
[reloader](#input\\_reloader) | Customize reloader chart, see `reloader.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_sealed-secrets\"></a> [sealed-secrets](#input\\_sealed-secrets) | Customize sealed-secrets chart, see `sealed-secrets.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_secrets-store-csi-driver\"></a> [secrets-store-csi-driver](#input\\_secrets-store-csi-driver) | Customize secrets-store-csi-driver chart, see `secrets-store-csi-driver.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_thanos\"></a> [thanos](#input\\_thanos) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_thanos-memcached\"></a> [thanos-memcached](#input\\_thanos-memcached) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_thanos-receive\"></a> [thanos-receive](#input\\_thanos-receive) | Customize thanos chart, see `thanos-receive.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_thanos-storegateway\"></a> [thanos-storegateway](#input\\_thanos-storegateway) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_thanos-tls-querier\"></a> [thanos-tls-querier](#input\\_thanos-tls-querier) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_thanos-tls-querier-ca-cert\"></a> [thanos-tls-querier-ca-cert](#input\\_thanos-tls-querier-ca-cert) | TLS CA certificate, used to generate the client mTLS materials | `string` | `\"\"` | no |\n| <a name=\"input_thanos-tls-querier-ca-private-key\"></a> [thanos-tls-querier-ca-private-key](#input\\_thanos-tls-querier-ca-private-key) | TLS CA private key, used to generate the client mTLS materials | `string` | `\"\"` | no |\n| <a name=\"input_tigera-operator\"></a> [tigera-operator](#input\\_tigera-operator) | Customize tigera-operator chart, see `tigera-operator.tf` for supported 
values | `any` | `{}` | no |\n| <a name=\"input_traefik\"></a> [traefik](#input\\_traefik) | Customize traefik chart, see `traefik.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_velero\"></a> [velero](#input\\_velero) | Customize velero chart, see `velero.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_victoria-metrics-k8s-stack\"></a> [victoria-metrics-k8s-stack](#input\\_victoria-metrics-k8s-stack) | Customize Victoria Metrics chart, see `victoria-metrics-k8s-stack.tf` for supported values | `any` | `{}` | no |\n\n## Outputs\n\n| Name | Description |\n| ---- | ----------- |\n| <a name=\"output_grafana_password\"></a> [grafana\\_password](#output\\_grafana\\_password) | n/a |\n| <a name=\"output_loki-stack-ca\"></a> [loki-stack-ca](#output\\_loki-stack-ca) | n/a |\n| <a name=\"output_loki-stack-ca-key\"></a> [loki-stack-ca-key](#output\\_loki-stack-ca-key) | n/a |\n| <a name=\"output_promtail-cert\"></a> [promtail-cert](#output\\_promtail-cert) | n/a |\n| <a name=\"output_promtail-key\"></a> [promtail-key](#output\\_promtail-key) | n/a |\n<!-- END_TF_DOCS -->\n"
  },
  {
    "path": "modules/azure/ingress-nginx.tf",
    "content": "locals {\n\n  ingress-nginx = merge(\n    local.helm_defaults,\n    {\n      name          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"ingress-nginx\")].name\n      chart         = local.helm_dependencies[index(local.helm_dependencies.*.name, \"ingress-nginx\")].name\n      repository    = local.helm_dependencies[index(local.helm_dependencies.*.name, \"ingress-nginx\")].repository\n      chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, \"ingress-nginx\")].version\n      namespace     = \"ingress-nginx\"\n    },\n    var.ingress-nginx\n  )\n}\n\nresource \"kubernetes_namespace\" \"ingress-nginx\" {\n  count = local.ingress-nginx[\"enabled\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.ingress-nginx[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"ingress\"\n    }\n\n    name = \"nginx-ingress\"\n  }\n}\n\nresource \"helm_release\" \"ingress-nginx\" {\n  count                 = local.ingress-nginx[\"enabled\"] ? 
1 : 0\n  repository            = local.ingress-nginx[\"repository\"]\n  name                  = local.ingress-nginx[\"name\"]\n  chart                 = local.ingress-nginx[\"chart\"]\n  version               = local.ingress-nginx[\"chart_version\"]\n  timeout               = local.ingress-nginx[\"timeout\"]\n  force_update          = local.ingress-nginx[\"force_update\"]\n  recreate_pods         = local.ingress-nginx[\"recreate_pods\"]\n  wait                  = local.ingress-nginx[\"wait\"]\n  atomic                = local.ingress-nginx[\"atomic\"]\n  cleanup_on_fail       = local.ingress-nginx[\"cleanup_on_fail\"]\n  dependency_update     = local.ingress-nginx[\"dependency_update\"]\n  disable_crd_hooks     = local.ingress-nginx[\"disable_crd_hooks\"]\n  disable_webhooks      = local.ingress-nginx[\"disable_webhooks\"]\n  render_subchart_notes = local.ingress-nginx[\"render_subchart_notes\"]\n  replace               = local.ingress-nginx[\"replace\"]\n  reset_values          = local.ingress-nginx[\"reset_values\"]\n  reuse_values          = local.ingress-nginx[\"reuse_values\"]\n  skip_crds             = local.ingress-nginx[\"skip_crds\"]\n  verify                = local.ingress-nginx[\"verify\"]\n  values = [\n    local.ingress-nginx[\"extra_values\"],\n  ]\n  namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n\n  #The ingress controller needs to be scheduled on a Linux node. Windows Server nodes shouldn't run the ingress controller\n  set = [{\n    name  = \"defaultBackend.nodeSelector.kubernetes\\\\.io/os\"\n    value = \"linux\"\n  }]\n\n}\n"
  },
  {
    "path": "modules/azure/version.tf",
    "content": "terraform {\n  required_version = \">= 1.5.7\"\n  required_providers {\n    azurerm = {\n      source  = \"hashicorp/azurerm\"\n      version = \"~> 4.0\"\n    }\n    helm = {\n      source  = \"hashicorp/helm\"\n      version = \"~> 3.0\"\n    }\n    kubernetes = {\n      source  = \"hashicorp/kubernetes\"\n      version = \"~> 2.0, != 2.12\"\n    }\n    kubectl = {\n      source  = \"alekc/kubectl\"\n      version = \"~> 2.0\"\n    }\n    flux = {\n      source  = \"fluxcd/flux\"\n      version = \"~> 1.0\"\n    }\n    github = {\n      source  = \"integrations/github\"\n      version = \"~> 6.0\"\n    }\n    tls = {\n      source  = \"hashicorp/tls\"\n      version = \"~> 4.0\"\n    }\n    http = {\n      source  = \"hashicorp/http\"\n      version = \">= 3\"\n    }\n  }\n}\n"
  },
  {
    "path": "modules/google/.terraform-docs.yml",
    "content": "settings:\n  lockfile: false\n"
  },
  {
    "path": "modules/google/README.md",
    "content": "# terraform-kubernetes-addons:google\n\n[![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/terraform-kubernetes-addons)\n[![terraform-kubernetes-addons](https://github.com/particuleio/terraform-kubernetes-addons/workflows/terraform-kubernetes-addons/badge.svg)](https://github.com/particuleio/terraform-kubernetes-addons/actions?query=workflow%3Aterraform-kubernetes-addons)\n\n## About\n\nProvides various addons that are often used on Kubernetes with Google and GKE.\n\n## Terraform docs\n\nProvides various Kubernetes addons that are often used on Kubernetes with GCP\n\n<!-- BEGIN_TF_DOCS -->\n## Requirements\n\n| Name | Version |\n| ---- | ------- |\n| <a name=\"requirement_terraform\"></a> [terraform](#requirement\\_terraform) | >= 1.3 |\n| <a name=\"requirement_flux\"></a> [flux](#requirement\\_flux) | ~> 1.0 |\n| <a name=\"requirement_github\"></a> [github](#requirement\\_github) | ~> 6.0 |\n| <a name=\"requirement_google\"></a> [google](#requirement\\_google) | >= 4.69 |\n| <a name=\"requirement_google-beta\"></a> [google-beta](#requirement\\_google-beta) | >= 4.69 |\n| <a name=\"requirement_helm\"></a> [helm](#requirement\\_helm) | ~> 3.0 |\n| <a name=\"requirement_http\"></a> [http](#requirement\\_http) | >= 3 |\n| <a name=\"requirement_jinja\"></a> [jinja](#requirement\\_jinja) | ~> 2.0 |\n| <a name=\"requirement_kubectl\"></a> [kubectl](#requirement\\_kubectl) | ~> 2.0 |\n| <a name=\"requirement_kubernetes\"></a> [kubernetes](#requirement\\_kubernetes) | ~> 2.0, != 2.12 |\n| <a name=\"requirement_tls\"></a> [tls](#requirement\\_tls) | ~> 4.0 |\n\n## Providers\n\n| Name | Version |\n| ---- | ------- |\n| <a name=\"provider_flux\"></a> [flux](#provider\\_flux) | ~> 1.0 |\n| <a name=\"provider_github\"></a> [github](#provider\\_github) | ~> 6.0 |\n| <a name=\"provider_google\"></a> [google](#provider\\_google) | >= 4.69 |\n| <a 
name=\"provider_helm\"></a> [helm](#provider\\_helm) | ~> 3.0 |\n| <a name=\"provider_http\"></a> [http](#provider\\_http) | >= 3 |\n| <a name=\"provider_jinja\"></a> [jinja](#provider\\_jinja) | ~> 2.0 |\n| <a name=\"provider_kubectl\"></a> [kubectl](#provider\\_kubectl) | ~> 2.0 |\n| <a name=\"provider_kubernetes\"></a> [kubernetes](#provider\\_kubernetes) | ~> 2.0, != 2.12 |\n| <a name=\"provider_random\"></a> [random](#provider\\_random) | n/a |\n| <a name=\"provider_time\"></a> [time](#provider\\_time) | n/a |\n| <a name=\"provider_tls\"></a> [tls](#provider\\_tls) | ~> 4.0 |\n\n## Modules\n\n| Name | Source | Version |\n| ---- | ------ | ------- |\n| <a name=\"module_cert_manager_workload_identity\"></a> [cert\\_manager\\_workload\\_identity](#module\\_cert\\_manager\\_workload\\_identity) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 44.0.0 |\n| <a name=\"module_external_dns_workload_identity\"></a> [external\\_dns\\_workload\\_identity](#module\\_external\\_dns\\_workload\\_identity) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 44.0.0 |\n| <a name=\"module_iam_assumable_sa_kube-prometheus-stack_grafana\"></a> [iam\\_assumable\\_sa\\_kube-prometheus-stack\\_grafana](#module\\_iam\\_assumable\\_sa\\_kube-prometheus-stack\\_grafana) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 44.0 |\n| <a name=\"module_iam_assumable_sa_kube-prometheus-stack_thanos\"></a> [iam\\_assumable\\_sa\\_kube-prometheus-stack\\_thanos](#module\\_iam\\_assumable\\_sa\\_kube-prometheus-stack\\_thanos) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 44.0 |\n| <a name=\"module_iam_assumable_sa_loki-stack\"></a> [iam\\_assumable\\_sa\\_loki-stack](#module\\_iam\\_assumable\\_sa\\_loki-stack) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 44.0 |\n| <a name=\"module_iam_assumable_sa_thanos-compactor\"></a> 
[iam\\_assumable\\_sa\\_thanos-compactor](#module\\_iam\\_assumable\\_sa\\_thanos-compactor) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 44.0 |\n| <a name=\"module_iam_assumable_sa_thanos-receive\"></a> [iam\\_assumable\\_sa\\_thanos-receive](#module\\_iam\\_assumable\\_sa\\_thanos-receive) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 44.0 |\n| <a name=\"module_iam_assumable_sa_thanos-receive-compactor\"></a> [iam\\_assumable\\_sa\\_thanos-receive-compactor](#module\\_iam\\_assumable\\_sa\\_thanos-receive-compactor) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 44.0 |\n| <a name=\"module_iam_assumable_sa_thanos-receive-receive\"></a> [iam\\_assumable\\_sa\\_thanos-receive-receive](#module\\_iam\\_assumable\\_sa\\_thanos-receive-receive) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 44.0 |\n| <a name=\"module_iam_assumable_sa_thanos-receive-sg\"></a> [iam\\_assumable\\_sa\\_thanos-receive-sg](#module\\_iam\\_assumable\\_sa\\_thanos-receive-sg) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 44.0 |\n| <a name=\"module_iam_assumable_sa_thanos-sg\"></a> [iam\\_assumable\\_sa\\_thanos-sg](#module\\_iam\\_assumable\\_sa\\_thanos-sg) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 44.0 |\n| <a name=\"module_iam_assumable_sa_thanos-storegateway\"></a> [iam\\_assumable\\_sa\\_thanos-storegateway](#module\\_iam\\_assumable\\_sa\\_thanos-storegateway) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 44.0 |\n| <a name=\"module_iam_assumable_sa_velero\"></a> [iam\\_assumable\\_sa\\_velero](#module\\_iam\\_assumable\\_sa\\_velero) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 44.0 |\n| <a name=\"module_kube-prometheus-stack_grafana-iam-member\"></a> 
[kube-prometheus-stack\\_grafana-iam-member](#module\\_kube-prometheus-stack\\_grafana-iam-member) | terraform-google-modules/iam/google//modules/member_iam | ~> 8.0 |\n| <a name=\"module_kube-prometheus-stack_kube-prometheus-stack_bucket\"></a> [kube-prometheus-stack\\_kube-prometheus-stack\\_bucket](#module\\_kube-prometheus-stack\\_kube-prometheus-stack\\_bucket) | terraform-google-modules/cloud-storage/google//modules/simple_bucket | ~> 12.0 |\n| <a name=\"module_kube-prometheus-stack_thanos_kms_bucket\"></a> [kube-prometheus-stack\\_thanos\\_kms\\_bucket](#module\\_kube-prometheus-stack\\_thanos\\_kms\\_bucket) | terraform-google-modules/kms/google | ~> 4.0 |\n| <a name=\"module_loki-stack_bucket\"></a> [loki-stack\\_bucket](#module\\_loki-stack\\_bucket) | terraform-google-modules/cloud-storage/google//modules/simple_bucket | ~> 12.0 |\n| <a name=\"module_loki-stack_kms_bucket\"></a> [loki-stack\\_kms\\_bucket](#module\\_loki-stack\\_kms\\_bucket) | terraform-google-modules/kms/google | ~> 4.0 |\n| <a name=\"module_thanos-receive_bucket\"></a> [thanos-receive\\_bucket](#module\\_thanos-receive\\_bucket) | terraform-google-modules/cloud-storage/google | ~> 12.0 |\n| <a name=\"module_thanos-receive_kms_bucket\"></a> [thanos-receive\\_kms\\_bucket](#module\\_thanos-receive\\_kms\\_bucket) | terraform-google-modules/kms/google | ~> 4.0 |\n| <a name=\"module_thanos-storegateway_bucket_iam\"></a> [thanos-storegateway\\_bucket\\_iam](#module\\_thanos-storegateway\\_bucket\\_iam) | terraform-google-modules/iam/google//modules/storage_buckets_iam | ~> 8.0 |\n| <a name=\"module_thanos_bucket\"></a> [thanos\\_bucket](#module\\_thanos\\_bucket) | terraform-google-modules/cloud-storage/google//modules/simple_bucket | ~> 12.0 |\n| <a name=\"module_thanos_kms_bucket\"></a> [thanos\\_kms\\_bucket](#module\\_thanos\\_kms\\_bucket) | terraform-google-modules/kms/google | ~> 4.0 |\n| <a name=\"module_velero_bucket\"></a> [velero\\_bucket](#module\\_velero\\_bucket) | 
github.com/terraform-google-modules/terraform-google-cloud-storage//modules/simple_bucket | v12.3.0 |\n\n## Resources\n\n| Name | Type |\n| ---- | ---- |\n| [flux_bootstrap_git.flux](https://registry.terraform.io/providers/fluxcd/flux/latest/docs/resources/bootstrap_git) | resource |\n| [github_branch_default.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_default) | resource |\n| [github_repository.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository) | resource |\n| [github_repository_deploy_key.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_deploy_key) | resource |\n| [google_dns_managed_zone_iam_member.cert_manager_cloud_dns_iam_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone_iam_member) | resource |\n| [google_dns_managed_zone_iam_member.external_dns_cloud_dns_iam_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone_iam_member) | resource |\n| [google_project_iam_custom_role.velero](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_custom_role) | resource |\n| [google_project_iam_member.velero](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |\n| [google_storage_bucket_iam_member.kube_prometheus_stack_thanos_bucket_objectAdmin_iam_permission](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |\n| [google_storage_bucket_iam_member.kube_prometheus_stack_thanos_bucket_objectViewer_iam_permission](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |\n| 
[google_storage_bucket_iam_member.loki-stack_gcs_iam_objectCreator_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |\n| [google_storage_bucket_iam_member.loki-stack_gcs_iam_objectUser_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |\n| [google_storage_bucket_iam_member.thanos-receive-receive_gcs_iam_objectViewer_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |\n| [google_storage_bucket_iam_member.thanos-receive_compactor_gcs_iam_legacyBucketWriter_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |\n| [google_storage_bucket_iam_member.thanos-receive_compactor_gcs_iam_objectCreator_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |\n| [google_storage_bucket_iam_member.thanos-receive_compactor_gcs_iam_objectViewer_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |\n| [google_storage_bucket_iam_member.thanos-receive_receive_gcs_iam_objectCreator_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |\n| [google_storage_bucket_iam_member.thanos-receive_sg_gcs_iam_objectCreator_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |\n| [google_storage_bucket_iam_member.thanos-receive_sg_gcs_iam_objectViewer_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |\n| 
[google_storage_bucket_iam_member.thanos_compactor_gcs_iam_legacyBucketWriter_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |\n| [google_storage_bucket_iam_member.thanos_compactor_gcs_iam_objectCreator_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |\n| [google_storage_bucket_iam_member.thanos_compactor_gcs_iam_objectViewer_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |\n| [google_storage_bucket_iam_member.thanos_receive_gcs_iam_objectCreator_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |\n| [google_storage_bucket_iam_member.thanos_receive_gcs_iam_objectViewer_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |\n| [google_storage_bucket_iam_member.thanos_sg_gcs_iam_objectCreator_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |\n| [google_storage_bucket_iam_member.thanos_sg_gcs_iam_objectViewer_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |\n| [google_storage_bucket_iam_member.velero_gcs_iam_objectUser_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |\n| [google_storage_bucket_iam_member.velero_gcs_iam_objectViewer_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |\n| [helm_release.admiralty](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| 
[helm_release.cert-manager](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.cert-manager-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.external-dns](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.grafana-mcp](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.ingress-nginx](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.k8gb](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.karma](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.keda](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.linkerd-control-plane](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.linkerd-crds](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.linkerd-viz](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.loki-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.node-problem-detector](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| 
[helm_release.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.promtail](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.reloader](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.sealed-secrets](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.secrets-store-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.thanos](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.thanos-memcached](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.thanos-receive](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.thanos-storegateway](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.thanos-tls-querier](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.traefik](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.velero](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.victoria-metrics-k8s-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [kubectl_manifest.cert-manager_cluster_issuers](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.ip_masq_agent](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource 
|\n| [kubectl_manifest.linkerd](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.linkerd-viz](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.prometheus-operator_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubernetes_config_map.loki-stack_grafana_ds](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |\n| [kubernetes_manifest.velero_snapshot_class](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |\n| [kubernetes_namespace.admiralty](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.cert-manager](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.external-dns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.flux2](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.grafana-mcp](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.ingress-nginx](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.k8gb](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.karma](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.keda](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource 
|\n| [kubernetes_namespace.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.linkerd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.linkerd-viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.loki-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.node-problem-detector](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.promtail](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.reloader](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.sealed-secrets](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.secrets-store-csi-driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.thanos](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.thanos-receive](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| 
[kubernetes_namespace.traefik](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.velero](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.victoria-metrics-k8s-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_network_policy.admiralty_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.admiralty_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.cert-manager_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.cert-manager_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.cert-manager_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.cert-manager_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.external-dns_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.external-dns_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.external-dns_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.flux2_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.flux2_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.grafana-mcp_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.grafana-mcp_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.ingress-nginx_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.ingress-nginx_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.ingress-nginx_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.ingress-nginx_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.ingress-nginx_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.k8gb_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.k8gb_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.karma_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.karma_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.karma_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.keda_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.keda_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kube-prometheus-stack_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kube-prometheus-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kube-prometheus-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kube-prometheus-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.linkerd-viz_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.linkerd-viz_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.linkerd-viz_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.linkerd-viz_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.linkerd2-cni_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.linkerd2-cni_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.loki-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.loki-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.loki-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.npd_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.npd_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.prometheus-adapter_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.prometheus-adapter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.promtail_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.promtail_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.promtail_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.reloader_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.reloader_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.sealed-secrets_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.sealed-secrets_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.secrets-store-csi-driver_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.secrets-store-csi-driver_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.traefik_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.traefik_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.traefik_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.traefik_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.velero_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.velero_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.velero_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.victoria-metrics-k8s-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_priority_class.kubernetes_addons](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/priority_class) | resource |\n| [kubernetes_priority_class.kubernetes_addons_ds](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/priority_class) | resource |\n| 
[kubernetes_secret.kube-prometheus-stack_thanos](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |\n| [kubernetes_secret.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |\n| [kubernetes_secret.loki-stack-ca](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |\n| [kubernetes_secret.promtail-tls](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |\n| [kubernetes_secret.thanos-ca](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |\n| [kubernetes_secret.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |\n| [random_string.grafana_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |\n| [time_sleep.cert-manager_sleep](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |\n| [tls_cert_request.promtail-csr](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource |\n| [tls_cert_request.thanos-tls-querier-cert-csr](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource |\n| [tls_locally_signed_cert.promtail-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/locally_signed_cert) | resource |\n| [tls_locally_signed_cert.thanos-tls-querier-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/locally_signed_cert) | resource |\n| [tls_private_key.identity](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| 
[tls_private_key.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_private_key.loki-stack-ca-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_private_key.promtail-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_private_key.thanos-tls-querier-ca-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_private_key.thanos-tls-querier-cert-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_private_key.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_self_signed_cert.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |\n| [tls_self_signed_cert.loki-stack-ca-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |\n| [tls_self_signed_cert.thanos-tls-querier-ca-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |\n| [tls_self_signed_cert.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |\n| [github_repository.main](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/repository) | data source |\n| [google_client_config.current](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_config) | data source |\n| [google_project.current](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |\n| 
[http_http.prometheus-operator_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |\n| [http_http.prometheus-operator_version](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |\n| [jinja_template.cert-manager_cluster_issuers](https://registry.terraform.io/providers/NikolaLohinski/jinja/latest/docs/data-sources/template) | data source |\n| [kubectl_file_documents.cert-manager_cluster_issuers](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |\n| [kubectl_filename_list.ip_masq_agent_manifests](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/filename_list) | data source |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n| ---- | ----------- | ---- | ------- | :------: |\n| <a name=\"input_admiralty\"></a> [admiralty](#input\\_admiralty) | Customize admiralty chart, see `admiralty.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_cert-manager\"></a> [cert-manager](#input\\_cert-manager) | Customize cert-manager chart, see `cert-manager.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_cert-manager-csi-driver\"></a> [cert-manager-csi-driver](#input\\_cert-manager-csi-driver) | Customize cert-manager-csi-driver chart, see `cert-manager.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_cluster-autoscaler\"></a> [cluster-autoscaler](#input\\_cluster-autoscaler) | Customize cluster-autoscaler chart, see `cluster-autoscaler.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_cluster-name\"></a> [cluster-name](#input\\_cluster-name) | Name of the Kubernetes cluster | `string` | `\"sample-cluster\"` | no |\n| <a name=\"input_cni-metrics-helper\"></a> [cni-metrics-helper](#input\\_cni-metrics-helper) | Customize cni-metrics-helper deployment, see `cni-metrics-helper.tf` for supported values | `any` | 
`{}` | no |\n| <a name=\"input_csi-external-snapshotter\"></a> [csi-external-snapshotter](#input\\_csi-external-snapshotter) | Customize csi-external-snapshotter, see `csi-external-snapshotter.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_external-dns\"></a> [external-dns](#input\\_external-dns) | Map of map for external-dns configuration: see `external_dns.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_flux2\"></a> [flux2](#input\\_flux2) | Customize Flux chart, see `flux2.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_gke\"></a> [gke](#input\\_gke) | GKE cluster inputs | `any` | `{}` | no |\n| <a name=\"input_google\"></a> [google](#input\\_google) | GCP provider customization | `any` | `{}` | no |\n| <a name=\"input_grafana-mcp\"></a> [grafana-mcp](#input\\_grafana-mcp) | Customize grafana-mcp chart, see `grafana-mcp.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_helm_defaults\"></a> [helm\\_defaults](#input\\_helm\\_defaults) | Customize default Helm behavior | `any` | `{}` | no |\n| <a name=\"input_ingress-nginx\"></a> [ingress-nginx](#input\\_ingress-nginx) | Customize ingress-nginx chart, see `nginx-ingress.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_ip-masq-agent\"></a> [ip-masq-agent](#input\\_ip-masq-agent) | Configure ip masq agent chart, see `ip-masq-agent.tf` for supported values. This addon works only on GCP. 
| `any` | `{}` | no |\n| <a name=\"input_k8gb\"></a> [k8gb](#input\\_k8gb) | Customize k8gb chart, see `k8gb.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_karma\"></a> [karma](#input\\_karma) | Customize karma chart, see `karma.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_keda\"></a> [keda](#input\\_keda) | Customize keda chart, see `keda.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_kong\"></a> [kong](#input\\_kong) | Customize kong-ingress chart, see `kong.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_kube-prometheus-stack\"></a> [kube-prometheus-stack](#input\\_kube-prometheus-stack) | Customize kube-prometheus-stack chart, see `kube-prometheus-stack.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_labels_prefix\"></a> [labels\\_prefix](#input\\_labels\\_prefix) | Custom label prefix used for network policy namespace matching | `string` | `\"particule.io\"` | no |\n| <a name=\"input_linkerd\"></a> [linkerd](#input\\_linkerd) | Customize linkerd chart, see `linkerd.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_linkerd-viz\"></a> [linkerd-viz](#input\\_linkerd-viz) | Customize linkerd-viz chart, see `linkerd-viz.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_linkerd2\"></a> [linkerd2](#input\\_linkerd2) | Customize linkerd2 chart, see `linkerd2.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_linkerd2-cni\"></a> [linkerd2-cni](#input\\_linkerd2-cni) | Customize linkerd2-cni chart, see `linkerd2-cni.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_loki-stack\"></a> [loki-stack](#input\\_loki-stack) | Customize loki-stack chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_metrics-server\"></a> [metrics-server](#input\\_metrics-server) | Customize metrics-server chart, see `metrics_server.tf` for supported values | `any` | `{}` | no |\n| <a 
name=\"input_npd\"></a> [npd](#input\\_npd) | Customize node-problem-detector chart, see `npd.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_priority-class\"></a> [priority-class](#input\\_priority-class) | Customize a priority class for addons | `any` | `{}` | no |\n| <a name=\"input_priority-class-ds\"></a> [priority-class-ds](#input\\_priority-class-ds) | Customize a priority class for addons daemonsets | `any` | `{}` | no |\n| <a name=\"input_project_id\"></a> [project\\_id](#input\\_project\\_id) | GCP project id | `string` | `\"\"` | no |\n| <a name=\"input_prometheus-adapter\"></a> [prometheus-adapter](#input\\_prometheus-adapter) | Customize prometheus-adapter chart, see `prometheus-adapter.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_prometheus-blackbox-exporter\"></a> [prometheus-blackbox-exporter](#input\\_prometheus-blackbox-exporter) | Customize prometheus-blackbox-exporter chart, see `prometheus-blackbox-exporter.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_prometheus-cloudwatch-exporter\"></a> [prometheus-cloudwatch-exporter](#input\\_prometheus-cloudwatch-exporter) | Customize prometheus-cloudwatch-exporter chart, see `prometheus-cloudwatch-exporter.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_promtail\"></a> [promtail](#input\\_promtail) | Customize promtail chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_reloader\"></a> [reloader](#input\\_reloader) | Customize reloader chart, see `reloader.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_sealed-secrets\"></a> [sealed-secrets](#input\\_sealed-secrets) | Customize sealed-secrets chart, see `sealed-secrets.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_secrets-store-csi-driver\"></a> [secrets-store-csi-driver](#input\\_secrets-store-csi-driver) | Customize secrets-store-csi-driver chart, see `secrets-store-csi-driver.tf` for supported values | 
`any` | `{}` | no |\n| <a name=\"input_tags\"></a> [tags](#input\\_tags) | Map of tags for Google resources | `map(any)` | `{}` | no |\n| <a name=\"input_thanos\"></a> [thanos](#input\\_thanos) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_thanos-memcached\"></a> [thanos-memcached](#input\\_thanos-memcached) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_thanos-receive\"></a> [thanos-receive](#input\\_thanos-receive) | Customize thanos chart, see `thanos-receive.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_thanos-storegateway\"></a> [thanos-storegateway](#input\\_thanos-storegateway) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_thanos-tls-querier\"></a> [thanos-tls-querier](#input\\_thanos-tls-querier) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_thanos-tls-querier-ca-cert\"></a> [thanos-tls-querier-ca-cert](#input\\_thanos-tls-querier-ca-cert) | TLS CA certificate, used to generate the client mTLS materials | `string` | `\"\"` | no |\n| <a name=\"input_thanos-tls-querier-ca-private-key\"></a> [thanos-tls-querier-ca-private-key](#input\\_thanos-tls-querier-ca-private-key) | TLS CA private key, used to generate the client mTLS materials | `string` | `\"\"` | no |\n| <a name=\"input_tigera-operator\"></a> [tigera-operator](#input\\_tigera-operator) | Customize tigera-operator chart, see `tigera-operator.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_traefik\"></a> [traefik](#input\\_traefik) | Customize traefik chart, see `traefik.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_velero\"></a> [velero](#input\\_velero) | Customize velero chart, see `velero.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_victoria-metrics-k8s-stack\"></a> 
[victoria-metrics-k8s-stack](#input\\_victoria-metrics-k8s-stack) | Customize Victoria Metrics chart, see `victoria-metrics-k8s-stack.tf` for supported values | `any` | `{}` | no |\n\n## Outputs\n\n| Name | Description |\n| ---- | ----------- |\n| <a name=\"output_kube-prometheus-stack\"></a> [kube-prometheus-stack](#output\\_kube-prometheus-stack) | n/a |\n| <a name=\"output_kube-prometheus-stack_sensitive\"></a> [kube-prometheus-stack\\_sensitive](#output\\_kube-prometheus-stack\\_sensitive) | n/a |\n| <a name=\"output_loki-stack-ca\"></a> [loki-stack-ca](#output\\_loki-stack-ca) | n/a |\n| <a name=\"output_promtail-cert\"></a> [promtail-cert](#output\\_promtail-cert) | n/a |\n| <a name=\"output_promtail-key\"></a> [promtail-key](#output\\_promtail-key) | n/a |\n| <a name=\"output_thanos_ca\"></a> [thanos\\_ca](#output\\_thanos\\_ca) | n/a |\n<!-- END_TF_DOCS -->\n"
  },
  {
    "path": "modules/google/cert-manager.tf",
    "content": "locals {\n  cert-manager = merge(\n    local.helm_defaults,\n    {\n      name                      = local.helm_dependencies[index(local.helm_dependencies.*.name, \"cert-manager\")].name\n      chart                     = local.helm_dependencies[index(local.helm_dependencies.*.name, \"cert-manager\")].name\n      repository                = local.helm_dependencies[index(local.helm_dependencies.*.name, \"cert-manager\")].repository\n      chart_version             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"cert-manager\")].version\n      namespace                 = \"cert-manager\"\n      service_account_name      = local.helm_dependencies[index(local.helm_dependencies.*.name, \"cert-manager\")].name\n      project_id                = \"default-0\"\n      create_iam_resources      = true\n      enable_monitoring         = false\n      enabled                   = false\n      iam_policy_override       = null\n      default_network_policy    = true\n      managed_zone              = \"default\"\n      acme_email                = \"contact@acme.com\"\n      acme_http01_enabled       = true\n      acme_http01_ingress_class = \"nginx\"\n      acme_dns01_enabled        = false\n      acme_dns01_provider       = \"clouddns\"\n      acme_dns01_provider_clouddns = {\n        project_id    = \"default-0\"\n        dns_zone_name = \"default\"\n      }\n      acme_dns01_provider_route53 = {\n        aws_region = \"eu-west1\"\n      }\n      allowed_cidrs = [\"0.0.0.0/0\"]\n      csi_driver    = false\n      name_prefix   = \"${var.cluster-name}-cert-manager\"\n    },\n    var.cert-manager\n  )\n\n\n  values_cert-manager = <<VALUES\nglobal:\n  priorityClassName: ${local.priority-class.create ? 
kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : \"\"}\nserviceAccount:\n  name: ${local.cert-manager.service_account_name}\n  annotations:\n    iam.gke.io/gcp-service-account: \"${local.cert-manager.create_iam_resources && local.cert-manager.enabled ? module.cert_manager_workload_identity[0].gcp_service_account_email : \"\"}\"\nprometheus:\n  servicemonitor:\n    enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"] || local.cert-manager.enable_monitoring}\n    honorLabels: true\nsecurityContext:\n  fsGroup: 1001\ncrds:\n  enabled: true\nVALUES\n}\n\n# This module will create a Google Service account and configure the right permissions\n# to be allowed to use the workload identity on GKE.\nmodule \"cert_manager_workload_identity\" {\n  count               = local.cert-manager.create_iam_resources && local.cert-manager.enabled ? 1 : 0\n  source              = \"terraform-google-modules/kubernetes-engine/google//modules/workload-identity\"\n  version             = \"~> 44.0.0\"\n  name                = local.cert-manager.service_account_name\n  namespace           = local.cert-manager.namespace\n  project_id          = local.cert-manager.project_id\n  roles               = []\n  use_existing_k8s_sa = true\n  annotate_k8s_sa     = false\n}\n\n# This resource will configure the required IAM permissions for the cert-manager service account\n# to deal with Cloud DNS. The IAM permissions will be set at the resource level (DNS zone) and not at the project\n# level.\nresource \"google_dns_managed_zone_iam_member\" \"cert_manager_cloud_dns_iam_permissions\" {\n  count        = local.cert-manager.acme_dns01_enabled && local.cert-manager.create_iam_resources && local.cert-manager.enabled ? 
1 : 0\n  project      = local.cert-manager.project_id\n  managed_zone = local.cert-manager.managed_zone\n  role         = \"roles/dns.admin\"\n  member       = \"serviceAccount:${module.cert_manager_workload_identity.0.gcp_service_account_email}\"\n}\n\n# This resource will create a dedicated Kubernetes namespace for cert-manager.\nresource \"kubernetes_namespace\" \"cert-manager\" {\n  count = local.cert-manager.enabled ? 1 : 0\n\n  metadata {\n    annotations = {\n      \"certmanager.k8s.io/disable-validation\" = \"true\"\n    }\n\n    labels = {\n      name = local.cert-manager[\"namespace\"]\n    }\n\n    name = local.cert-manager[\"namespace\"]\n  }\n}\n\n# This resource will deploy the official cert-manager Helm chart on the cluster\n# as a Helm release (via the helm provider).\nresource \"helm_release\" \"cert-manager\" {\n  count                 = local.cert-manager.enabled ? 1 : 0\n  repository            = local.cert-manager.repository\n  name                  = local.cert-manager.name\n  chart                 = local.cert-manager.chart\n  version               = local.cert-manager.chart_version\n  timeout               = local.cert-manager.timeout\n  force_update          = local.cert-manager.force_update\n  recreate_pods         = local.cert-manager.recreate_pods\n  wait                  = local.cert-manager.wait\n  atomic                = local.cert-manager.atomic\n  cleanup_on_fail       = local.cert-manager.cleanup_on_fail\n  dependency_update     = local.cert-manager.dependency_update\n  disable_crd_hooks     = local.cert-manager.disable_crd_hooks\n  disable_webhooks      = local.cert-manager.disable_webhooks\n  render_subchart_notes = local.cert-manager.render_subchart_notes\n  replace               = local.cert-manager.replace\n  reset_values          = local.cert-manager.reset_values\n  reuse_values          = local.cert-manager.reuse_values\n  skip_crds             = local.cert-manager.skip_crds\n  verify                = local.cert-manager.verify\n  values = 
[\n    local.values_cert-manager,\n    local.cert-manager[\"extra_values\"]\n  ]\n  namespace = kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]\n}\n\n# This data source will render the Jinja template for the cluster issuers.\ndata \"jinja_template\" \"cert-manager_cluster_issuers\" {\n  template = \"./templates/cert-manager-cluster-issuers.yaml.j2\"\n  context {\n    type = \"yaml\"\n    data = yamlencode({\n      acme_email                   = local.cert-manager.acme_email\n      acme_http01_enabled          = local.cert-manager.acme_http01_enabled\n      acme_http01_ingress_class    = local.cert-manager.acme_http01_ingress_class\n      acme_dns01_enabled           = local.cert-manager.acme_dns01_enabled\n      acme_dns01_provider          = local.cert-manager.acme_dns01_provider\n      acme_dns01_provider_clouddns = local.cert-manager.acme_dns01_provider_clouddns\n      acme_dns01_provider_route53  = local.cert-manager.acme_dns01_provider_route53\n    })\n  }\n  strict_undefined = false\n}\n\n# This data source will split the rendered cluster issuers manifest into a list of individual documents.\ndata \"kubectl_file_documents\" \"cert-manager_cluster_issuers\" {\n  content = data.jinja_template.cert-manager_cluster_issuers.result\n}\n\n# This resource waits for cert-manager to be deployed before the certificate issuers are created.\nresource \"time_sleep\" \"cert-manager_sleep\" {\n  count           = local.cert-manager.enabled && (local.cert-manager.acme_http01_enabled || local.cert-manager.acme_dns01_enabled) ? 1 : 0\n  depends_on      = [helm_release.cert-manager]\n  create_duration = \"120s\"\n}\n\n# This resource will deploy the certificate issuers on the cluster.\nresource \"kubectl_manifest\" \"cert-manager_cluster_issuers\" {\n  count     = local.cert-manager.enabled && (local.cert-manager.acme_http01_enabled || local.cert-manager.acme_dns01_enabled) ? 
length(data.kubectl_file_documents.cert-manager_cluster_issuers.documents) : 0\n  yaml_body = element(data.kubectl_file_documents.cert-manager_cluster_issuers.documents, count.index)\n  depends_on = [\n    helm_release.cert-manager,\n    kubernetes_namespace.cert-manager,\n    time_sleep.cert-manager_sleep\n  ]\n}\n\n# This resource will create a network policy which denies all ingress traffic to the cert-manager\n# namespace by default.\nresource \"kubernetes_network_policy\" \"cert-manager_default_deny\" {\n  count = local.cert-manager.enabled && local.cert-manager.default_network_policy ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\n# This resource will create a network policy which allows the workloads in the cert-manager\n# namespace to communicate with each other.\nresource \"kubernetes_network_policy\" \"cert-manager_allow_namespace\" {\n  count = local.cert-manager.enabled && local.cert-manager.default_network_policy ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\n# This resource will create a network policy to allow the monitoring agent to collect\n# metrics.\nresource \"kubernetes_network_policy\" \"cert-manager_allow_monitoring\" {\n  count = local.cert-manager.enabled && local.cert-manager.default_network_policy ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]}-allow-monitoring\"\n    namespace = kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      ports {\n        port     = \"9402\"\n        protocol = \"TCP\"\n      }\n\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"monitoring\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\n# This resource will create a network policy which will allow control plane to reach\n# cert-manager webhook on port 10250.\nresource \"kubernetes_network_policy\" \"cert-manager_allow_control_plane\" {\n  count = local.cert-manager.enabled && local.cert-manager.default_network_policy ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]}-allow-control-plane\"\n    namespace = kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n      match_expressions {\n        key      = \"app.kubernetes.io/name\"\n        operator = \"In\"\n        values   = [\"webhook\"]\n      }\n    }\n\n    ingress {\n      ports {\n        port     = \"10250\"\n        protocol = \"TCP\"\n      }\n\n      dynamic \"from\" {\n        for_each = local.cert-manager.allowed_cidrs\n        content {\n          ip_block {\n            cidr = from.value\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "modules/google/data.tf",
    "content": "data \"google_project\" \"current\" {}\n\ndata \"google_client_config\" \"current\" {}\n"
  },
  {
    "path": "modules/google/external-dns.tf",
    "content": "locals {\n\n  external-dns = { for k, v in var.external-dns : k => merge(\n    local.helm_defaults,\n    {\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"external-dns\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"external-dns\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"external-dns\")].version\n      project_id             = \"default-0\"\n      name                   = k\n      namespace              = k\n      service_account_name   = \"external-dns\"\n      enable_monitoring      = false\n      enabled                = false\n      managed_zones          = []\n      create_iam_resources   = true\n      iam_policy_override    = null\n      default_network_policy = true\n      name_prefix            = \"${var.cluster-name}\"\n    },\n    v,\n  ) }\n\n  values_external-dns = { for k, v in local.external-dns : k => merge(\n    {\n      values = <<-VALUES\n        provider: google\n        txtPrefix: \"ext-dns-\"\n        txtOwnerId: ${var.cluster-name}\n        logFormat: json\n        policy: sync\n        serviceAccount:\n          name: ${v.service_account_name}\n          annotations:\n            iam.gke.io/gcp-service-account: '${module.external_dns_workload_identity[k].gcp_service_account_email}'\n        serviceMonitor:\n          enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"] || v.enable_monitoring}\n        priorityClassName: ${local.priority-class[\"create\"] ? 
kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : \"\"}\n        VALUES\n    },\n    v,\n  ) if v.enabled }\n\n  managed_zones_by_instance = flatten([\n    for k, v in local.external-dns : [\n      for idx, zone in lookup(v, \"managed_zones\", []) : {\n        zone_name  = zone\n        instance   = k\n        project_id = v.project_id\n      }\n  ] if v.enabled && v.create_iam_resources])\n}\n\n# This module will create a Google Service account and configure the right permissions\n# to be allowed to use the workload identity on GKE.\nmodule \"external_dns_workload_identity\" {\n  source  = \"terraform-google-modules/kubernetes-engine/google//modules/workload-identity\"\n  version = \"~> 44.0.0\"\n\n  for_each = { for k, v in local.external-dns : k => v if v.enabled && v.create_iam_resources }\n\n  name                = each.value.service_account_name\n  namespace           = each.value.namespace\n  project_id          = each.value.project_id\n  roles               = [\"roles/dns.reader\"]\n  use_existing_k8s_sa = true\n  annotate_k8s_sa     = false\n}\n\n# This module will configure the required IAM permissions for external-dns service account\n# to deal with Cloud DNS. 
The IAM permissions will be set at the resource level (DNS zone) and not at the project\n# level.\nresource \"google_dns_managed_zone_iam_member\" \"external_dns_cloud_dns_iam_permissions\" {\n  for_each     = { for idx, item in local.managed_zones_by_instance : \"${item.instance}-${item.zone_name}\" => item }\n  project      = each.value.project_id\n  managed_zone = each.value.zone_name\n  role         = \"roles/dns.admin\"\n  member       = \"serviceAccount:${module.external_dns_workload_identity[each.value.instance].gcp_service_account_email}\"\n}\n\n\n# This resource will create a dedicated namespace for each external-dns instance.\nresource \"kubernetes_namespace\" \"external-dns\" {\n  for_each = { for k, v in local.external-dns : k => v if v.enabled }\n\n  metadata {\n    labels = {\n      name = each.value.namespace\n    }\n\n    name = each.value.namespace\n  }\n}\n\n# This resource will create a helm release for each external-dns instance.\nresource \"helm_release\" \"external-dns\" {\n  for_each              = { for k, v in local.external-dns : k => v if v.enabled }\n  repository            = each.value.repository\n  name                  = each.value.name\n  chart                 = each.value.chart\n  version               = each.value.chart_version\n  timeout               = each.value.timeout\n  force_update          = each.value.force_update\n  recreate_pods         = each.value.recreate_pods\n  wait                  = each.value.wait\n  atomic                = each.value.atomic\n  cleanup_on_fail       = each.value.cleanup_on_fail\n  dependency_update     = each.value.dependency_update\n  disable_crd_hooks     = each.value.disable_crd_hooks\n  disable_webhooks      = each.value.disable_webhooks\n  render_subchart_notes = each.value.render_subchart_notes\n  replace               = each.value.replace\n  reset_values          = each.value.reset_values\n  reuse_values          = each.value.reuse_values\n  skip_crds             = each.value.skip_crds\n  
verify                = each.value.verify\n  values = [\n    local.values_external-dns[each.key].values,\n    each.value.extra_values\n  ]\n  namespace = kubernetes_namespace.external-dns[each.key].metadata.0.name\n}\n\n# This resource will create for each external-dns instance a network policy to deny all ingress traffic\n# by default in the namespace.\nresource \"kubernetes_network_policy\" \"external-dns_default_deny\" {\n  for_each = { for k, v in local.external-dns : k => v if v.enabled && v.default_network_policy }\n\n  metadata {\n    name      = \"${kubernetes_namespace.external-dns[each.key].metadata.0.name}-default-deny\"\n    namespace = kubernetes_namespace.external-dns[each.key].metadata.0.name\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\n# This resource will create for each external-dns instance a network policy to allow the\n# workloads to communicate with each other inside the external-dns namespace.\nresource \"kubernetes_network_policy\" \"external-dns_allow_namespace\" {\n  for_each = { for k, v in local.external-dns : k => v if v.enabled && v.default_network_policy }\n\n  metadata {\n    name      = \"${kubernetes_namespace.external-dns[each.key].metadata.0.name}-allow-namespace\"\n    namespace = kubernetes_namespace.external-dns[each.key].metadata.0.name\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.external-dns[each.key].metadata.0.name\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\n# This resource will create for each external-dns instance a network policy to allow the\n# monitoring agent to collect metrics.\nresource \"kubernetes_network_policy\" \"external-dns_allow_monitoring\" {\n  for_each = { for k, v in local.external-dns : k => v if v.enabled && v.default_network_policy }\n\n  metadata {\n    name      = 
\"${kubernetes_namespace.external-dns[each.key].metadata.0.name}-allow-monitoring\"\n    namespace = kubernetes_namespace.external-dns[each.key].metadata.0.name\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      ports {\n        port     = \"http\"\n        protocol = \"TCP\"\n      }\n\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"monitoring\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "modules/google/ingress-nginx.tf",
    "content": "locals {\n\n  ingress-nginx = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"ingress-nginx\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"ingress-nginx\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"ingress-nginx\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"ingress-nginx\")].version\n      namespace              = \"ingress-nginx\"\n      use_nlb                = false\n      enabled                = false\n      default_network_policy = true\n      ingress_cidrs          = [\"0.0.0.0/0\"]\n      allowed_cidrs          = [\"0.0.0.0/0\"]\n      extra_ns_labels        = {}\n      extra_ns_annotations   = {}\n    },\n    var.ingress-nginx\n  )\n\n  values_ingress-nginx_l4 = <<VALUES\ncontroller:\n  allowSnippetAnnotations: true\n  metrics:\n    enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\n    serviceMonitor:\n      enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\n  updateStrategy:\n    type: RollingUpdate\n  kind: \"DaemonSet\"\n  service:\n    annotations:\n      networking.gke.io/load-balancer-type: \"Internal\"\n    externalTrafficPolicy: \"Cluster\"\n  publishService:\n    enabled: true\n  config:\n    use-proxy-protocol: \"true\"\n  priorityClassName: ${local.priority-class-ds[\"create\"] ? 
kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : \"\"}\n  admissionWebhooks:\n    patch:\n      podAnnotations:\n        linkerd.io/inject: disabled\nVALUES\n\n  values_ingress-nginx_nlb = <<VALUES\ncontroller:\n  allowSnippetAnnotations: true\n  metrics:\n    enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\n    serviceMonitor:\n      enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\n  updateStrategy:\n    type: RollingUpdate\n  kind: \"DaemonSet\"\n  service:\n    annotations:\n      cloud.google.com/l4-rbs: \"enabled\"\n    externalTrafficPolicy: \"Local\"\n  publishService:\n    enabled: true\n  priorityClassName: ${local.priority-class-ds[\"create\"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : \"\"}\n  admissionWebhooks:\n    patch:\n      podAnnotations:\n        linkerd.io/inject: disabled\nVALUES\n\n}\n\nresource \"kubernetes_namespace\" \"ingress-nginx\" {\n  count = local.ingress-nginx[\"enabled\"] ? 1 : 0\n\n  metadata {\n    labels = merge({\n      name                               = local.ingress-nginx[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"ingress\"\n      },\n    local.ingress-nginx[\"extra_ns_labels\"])\n\n    annotations = merge(\n      local.ingress-nginx[\"extra_ns_annotations\"]\n    )\n\n    name = local.ingress-nginx[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"ingress-nginx\" {\n  count                 = local.ingress-nginx[\"enabled\"] ? 
1 : 0\n  repository            = local.ingress-nginx[\"repository\"]\n  name                  = local.ingress-nginx[\"name\"]\n  chart                 = local.ingress-nginx[\"chart\"]\n  version               = local.ingress-nginx[\"chart_version\"]\n  timeout               = local.ingress-nginx[\"timeout\"]\n  force_update          = local.ingress-nginx[\"force_update\"]\n  recreate_pods         = local.ingress-nginx[\"recreate_pods\"]\n  wait                  = local.ingress-nginx[\"wait\"]\n  atomic                = local.ingress-nginx[\"atomic\"]\n  cleanup_on_fail       = local.ingress-nginx[\"cleanup_on_fail\"]\n  dependency_update     = local.ingress-nginx[\"dependency_update\"]\n  disable_crd_hooks     = local.ingress-nginx[\"disable_crd_hooks\"]\n  disable_webhooks      = local.ingress-nginx[\"disable_webhooks\"]\n  render_subchart_notes = local.ingress-nginx[\"render_subchart_notes\"]\n  replace               = local.ingress-nginx[\"replace\"]\n  reset_values          = local.ingress-nginx[\"reset_values\"]\n  reuse_values          = local.ingress-nginx[\"reuse_values\"]\n  skip_crds             = local.ingress-nginx[\"skip_crds\"]\n  verify                = local.ingress-nginx[\"verify\"]\n  values = [\n    local.ingress-nginx[\"use_nlb\"] ? local.values_ingress-nginx_nlb : local.values_ingress-nginx_l4,\n    local.ingress-nginx[\"extra_values\"],\n  ]\n  namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"ingress-nginx_default_deny\" {\n  count = local.ingress-nginx[\"enabled\"] && local.ingress-nginx[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"ingress-nginx_allow_namespace\" {\n  count = local.ingress-nginx[\"enabled\"] && local.ingress-nginx[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"ingress-nginx_allow_ingress\" {\n  count = local.ingress-nginx[\"enabled\"] && local.ingress-nginx[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-ingress\"\n    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n      match_expressions {\n        key      = \"app.kubernetes.io/name\"\n        operator = \"In\"\n        values   = [\"ingress-nginx\"]\n      }\n    }\n\n    ingress {\n      ports {\n        port     = \"80\"\n        protocol = \"TCP\"\n      }\n      ports {\n        port     = \"443\"\n        protocol = \"TCP\"\n      }\n\n      dynamic \"from\" {\n        for_each = local.ingress-nginx[\"ingress_cidrs\"]\n        content {\n          ip_block {\n            cidr = from.value\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"ingress-nginx_allow_monitoring\" {\n  count = local.ingress-nginx[\"enabled\"] && local.ingress-nginx[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-monitoring\"\n    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      ports {\n        port     = \"metrics\"\n        protocol = \"TCP\"\n      }\n\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"monitoring\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"ingress-nginx_allow_control_plane\" {\n  count = local.ingress-nginx[\"enabled\"] && local.ingress-nginx[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-control-plane\"\n    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n      match_expressions {\n        key      = \"app.kubernetes.io/name\"\n        operator = \"In\"\n        values   = [\"ingress-nginx\"]\n      }\n    }\n\n    ingress {\n      ports {\n        port     = \"8443\"\n        protocol = \"TCP\"\n      }\n\n      dynamic \"from\" {\n        for_each = local.ingress-nginx[\"allowed_cidrs\"]\n        content {\n          ip_block {\n            cidr = from.value\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "modules/google/ip-masq-agent.tf",
    "content": "locals {\n  ip-masq-agent = merge(\n    {\n      enabled = false\n    },\n    var.ip-masq-agent\n  )\n}\n\ndata \"kubectl_filename_list\" \"ip_masq_agent_manifests\" {\n  pattern = \"./manifests/gke-ip-masq/*.yaml\"\n}\n\nresource \"kubectl_manifest\" \"ip_masq_agent\" {\n  count     = local.ip-masq-agent.enabled ? length(data.kubectl_filename_list.ip_masq_agent_manifests.matches) : 0\n  yaml_body = file(element(data.kubectl_filename_list.ip_masq_agent_manifests.matches, count.index))\n}\n"
  },
  {
    "path": "modules/google/kube-prometheus.tf",
    "content": "locals {\n  kube-prometheus-stack = merge(\n    local.helm_defaults,\n    {\n      name                                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"kube-prometheus-stack\")].name\n      chart                                 = local.helm_dependencies[index(local.helm_dependencies.*.name, \"kube-prometheus-stack\")].name\n      repository                            = local.helm_dependencies[index(local.helm_dependencies.*.name, \"kube-prometheus-stack\")].repository\n      chart_version                         = local.helm_dependencies[index(local.helm_dependencies.*.name, \"kube-prometheus-stack\")].version\n      namespace                             = \"monitoring\"\n      grafana_service_account_name          = \"kube-prometheus-stack-grafana\"\n      prometheus_service_account_name       = \"kube-prometheus-stack-prometheus\"\n      workload_identity_use_existing_k8s_sa = true\n      grafana_create_iam_resources          = false\n      grafana_iam_policy_override           = null\n      thanos_create_iam_resources           = true\n      thanos_iam_policy_override            = null\n      thanos_sidecar_enabled                = false\n      thanos_receive_enabled                = false\n      thanos_dashboard_enabled              = true\n      thanos_create_bucket                  = true\n      thanos_bucket                         = \"thanos-store-${var.cluster-name}\"\n      thanos_bucket_force_destroy           = false\n      thanos_store_config                   = null\n      thanos_version                        = \"v0.38.0\"\n      thanos_service_account                = \"\"\n      enabled                               = false\n      allowed_cidrs                         = [\"0.0.0.0/0\"]\n      default_network_policy                = true\n      default_global_requests               = false\n      default_global_limits                 = false\n      manage_crds                           = true\n      
name_prefix                           = \"kube-prometheus-stack\"\n    },\n    var.kube-prometheus-stack\n  )\n\n  values_kube-prometheus-stack = <<VALUES\nkubeScheduler:\n  enabled: false\nkubeControllerManager:\n  enabled: false\nkubeEtcd:\n  enabled: false\ncoreDns:\n  enabled: false\ngrafana:\n  sidecar:\n    dashboards:\n      multicluster:\n        global:\n          enabled: ${local.kube-prometheus-stack[\"thanos_sidecar_enabled\"] || local.thanos-receive[\"enabled\"] ? \"true\" : \"false\"}\n  rbac:\n    pspEnabled: false\n  serviceAccount:\n    create: true\n    name: ${local.kube-prometheus-stack[\"grafana_service_account_name\"]}\n    nameTest: ${local.kube-prometheus-stack[\"grafana_service_account_name\"]}-test\n    annotations:\n      iam.gke.io/gcp-service-account: ${local.kube-prometheus-stack[\"enabled\"] ? module.iam_assumable_sa_kube-prometheus-stack_grafana[0].gcp_service_account_email : \"\"}\n  adminPassword: ${join(\",\", random_string.grafana_password.*.result)}\n  dashboardProviders:\n    dashboardproviders.yaml:\n      apiVersion: 1\n      providers:\n      - name: 'default'\n        orgId: 1\n        folder: ''\n        type: file\n        disableDeletion: false\n        editable: true\n        options:\n          path: /var/lib/grafana/dashboards/default\nprometheus-node-exporter:\n  priorityClassName: ${local.priority-class-ds[\"create\"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : \"\"}\nprometheus:\n  thanosService:\n    enabled: ${local.thanos[\"enabled\"]}\n  serviceAccount:\n    create: true\n    name: ${local.kube-prometheus-stack[\"prometheus_service_account_name\"]}\n    annotations:\n      iam.gke.io/gcp-service-account: ${local.kube-prometheus-stack[\"thanos_sidecar_enabled\"] ? module.iam_assumable_sa_kube-prometheus-stack_thanos[0].gcp_service_account_email : \"\"}\n  prometheusSpec:\n    priorityClassName: ${local.priority-class[\"create\"] ? 
kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : \"\"}\nalertmanager:\n  alertmanagerSpec:\n    priorityClassName: ${local.priority-class[\"create\"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : \"\"}\nprometheusOperator:\n  admissionWebhooks:\n    patch:\n      podAnnotations:\n        linkerd.io/inject: disabled\nVALUES\n\n  values_kps_global_requests = <<VALUES\ngrafana:\n  resources:\n    requests:\n      cpu: 100m\n      memory: 200Mi\nprometheus:\n  prometheusSpec:\n    resources:\n      requests:\n        cpu: 50m\n        memory: 1300Mi\nalertmanager:\n  alertmanagerSpec:\n    resources:\n      requests:\n        cpu: 10m\n        memory: 20Mi\nprometheusOperator:\n  resources:\n    requests:\n      cpu: 50m\n      memory: 64Mi\nprometheus-node-exporter:\n  resources:\n    requests:\n      cpu: 10m\n      memory: 20Mi\nkube-state-metrics:\n  resources:\n    requests:\n      cpu: 10m\n      memory: 50Mi\nVALUES\n\n  values_kps_global_limits = <<VALUES\ngrafana:\n  resources:\n    limits:\n      cpu: 500m\n      memory: 500Mi\nalertmanager:\n  alertmanagerSpec:\n    resources:\n      limits:\n        cpu: 100m\n        memory: 200Mi\nprometheusOperator:\n  resources:\n    limits:\n      cpu: 200m\n      memory: 256Mi\nprometheus-node-exporter:\n  resources:\n    limits:\n      cpu: 100m\n      memory: 200Mi\nkube-state-metrics:\n  resources:\n    limits:\n      cpu: 100m\n      memory: 200Mi\nVALUES\n\n  values_dashboard_ingress-nginx = <<VALUES\ngrafana:\n  dashboards:\n    default:\n      nginx-ingress:\n        url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/nginx.json\nVALUES\n  values_dashboard_cert-manager  = <<VALUES\ngrafana:\n  dashboards:\n    default:\n      cert-manager:\n        gnetId: 11001\n        revision: 1\n        datasource: ${local.kube-prometheus-stack.enabled ? \"Prometheus\" : local.victoria-metrics-k8s-stack.enabled ? 
\"VictoriaMetrics\" : \"\"}\nVALUES\n\n  values_dashboard_node_exporter = <<VALUES\ngrafana:\n  dashboards:\n    default:\n      node-exporter-full:\n        gnetId: 1860\n        revision: 21\n        datasource: ${local.kube-prometheus-stack.enabled ? \"Prometheus\" : local.victoria-metrics-k8s-stack.enabled ? \"VictoriaMetrics\" : \"\"}\n      node-exporter:\n        gnetId: 11074\n        revision: 9\n        datasource: ${local.kube-prometheus-stack.enabled ? \"Prometheus\" : local.victoria-metrics-k8s-stack.enabled ? \"VictoriaMetrics\" : \"\"}\nVALUES\n\n  values_thanos_sidecar = <<VALUES\nprometheusOperator:\n  thanosImage:\n    tag: \"${local.kube-prometheus-stack[\"thanos_version\"]}\"\nprometheus:\n  prometheusSpec:\n    externalLabels:\n      cluster: ${var.cluster-name}\n    thanos:\n      objectStorageConfig:\n        existingSecret:\n          key: thanos.yaml\n          name: \"${local.kube-prometheus-stack[\"thanos_bucket\"]}-config\"\nVALUES\n\n  values_thanos_receive = <<VALUES\nprometheus:\n  prometheusSpec:\n    externalLabels:\n      cluster: ${var.cluster-name}\n    remoteWrite:\n    - url: \"http://thanos-receive:19291/api/v1/receive\"\n      name: \"thanos-receive\"\nVALUES\n\n  values_grafana_ds_default = <<VALUES\ngrafana:\n  sidecar:\n    datasources:\n      defaultDatasourceEnabled: false\n  additionalDataSources:\n  - name: Prometheus\n    access: proxy\n    editable: false\n    orgId: 1\n    type: prometheus\n    url: http://${local.kube-prometheus-stack[\"name\"]}-prometheus:9090\n    version: 1\n    isDefault: true\nVALUES\n\n  values_grafana_ds_thanos = <<VALUES\ngrafana:\n  sidecar:\n    datasources:\n      defaultDatasourceEnabled: false\n  additionalDataSources:\n  - name: Prometheus\n    access: proxy\n    editable: false\n    orgId: 1\n    type: prometheus\n    url: http://${local.thanos[\"name\"]}-query-frontend:9090\n    version: 1\n    isDefault: true\n    jsonData:\n      prometheusType: Thanos\n      thanosVersion: 
\">0.31.x\"\nVALUES\n\n  values_dashboard_thanos = <<VALUES\ngrafana:\n  dashboards:\n    default:\n      thanos-overview:\n        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/overview.json\n      thanos-compact:\n        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/compact.json\n      thanos-query:\n        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/query.json\n      thanos-store:\n        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/store.json\n      thanos-receive:\n        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/receive.json\n      thanos-sidecar:\n        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/sidecar.json\n      thanos-rule:\n        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/rule.json\n      thanos-replicate:\n        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/bucket-replicate.json\nVALUES\n\n  thanos_store_config_default = <<VALUES\ntype: GCS\nconfig:\n  bucket: ${local.kube-prometheus-stack[\"thanos_bucket\"]}\nVALUES\n\n  thanos_store_config_computed = local.kube-prometheus-stack[\"thanos_store_config\"] == null ? local.thanos_store_config_default : local.kube-prometheus-stack[\"thanos_store_config\"]\n\n}\n\nmodule \"iam_assumable_sa_kube-prometheus-stack_grafana\" {\n  count               = local.kube-prometheus-stack[\"enabled\"] ? 
1 : 0\n  source              = \"terraform-google-modules/kubernetes-engine/google//modules/workload-identity\"\n  version             = \"~> 44.0\"\n  namespace           = local.kube-prometheus-stack[\"namespace\"]\n  project_id          = var.project_id\n  name                = local.kube-prometheus-stack[\"grafana_service_account_name\"]\n  use_existing_k8s_sa = true\n  annotate_k8s_sa     = false\n}\n\nmodule \"iam_assumable_sa_kube-prometheus-stack_thanos\" {\n  count               = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"thanos_sidecar_enabled\"] ? 1 : 0\n  source              = \"terraform-google-modules/kubernetes-engine/google//modules/workload-identity\"\n  version             = \"~> 44.0\"\n  namespace           = local.kube-prometheus-stack[\"namespace\"]\n  project_id          = var.project_id\n  name                = local.kube-prometheus-stack[\"prometheus_service_account_name\"]\n  use_existing_k8s_sa = true\n  annotate_k8s_sa     = false\n}\n\nresource \"kubernetes_secret\" \"kube-prometheus-stack_thanos\" {\n  count = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"thanos_sidecar_enabled\"] ? 1 : 0\n  metadata {\n    name      = \"${local.kube-prometheus-stack[\"thanos_bucket\"]}-config\"\n    namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n  }\n\n  data = {\n    \"thanos.yaml\" = local.thanos_store_config_computed\n  }\n}\n\nresource \"google_storage_bucket_iam_member\" \"kube_prometheus_stack_thanos_bucket_objectViewer_iam_permission\" {\n  count  = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"thanos_create_bucket\"] && local.kube-prometheus-stack[\"thanos_sidecar_enabled\"] ? 
1 : 0\n  bucket = module.kube-prometheus-stack_kube-prometheus-stack_bucket[0].name\n  role   = \"roles/storage.objectViewer\"\n  member = \"serviceAccount:${module.iam_assumable_sa_kube-prometheus-stack_thanos[0].gcp_service_account_email}\"\n}\n\nresource \"google_storage_bucket_iam_member\" \"kube_prometheus_stack_thanos_bucket_objectAdmin_iam_permission\" {\n  count  = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"thanos_create_bucket\"] && local.kube-prometheus-stack[\"thanos_sidecar_enabled\"] ? 1 : 0\n  bucket = module.kube-prometheus-stack_kube-prometheus-stack_bucket[0].name\n  role   = \"roles/storage.objectAdmin\"\n  member = \"serviceAccount:${module.iam_assumable_sa_kube-prometheus-stack_thanos[0].gcp_service_account_email}\"\n}\n\nmodule \"kube-prometheus-stack_grafana-iam-member\" {\n  count   = local.kube-prometheus-stack[\"enabled\"] ? 1 : 0\n  source  = \"terraform-google-modules/iam/google//modules/member_iam\"\n  version = \"~> 8.0\"\n\n  service_account_address = module.iam_assumable_sa_kube-prometheus-stack_grafana[0].gcp_service_account_email\n  project_id              = var.project_id\n  project_roles = [\n    \"roles/monitoring.viewer\",\n    \"roles/logging.viewer\",\n    \"roles/compute.viewer\"\n  ]\n}\n\nmodule \"kube-prometheus-stack_thanos_kms_bucket\" {\n  count   = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"thanos_create_bucket\"] && local.kube-prometheus-stack[\"thanos_sidecar_enabled\"] ? 
1 : 0\n  source  = \"terraform-google-modules/kms/google\"\n  version = \"~> 4.0\"\n\n  project_id = var.project_id\n  location   = data.google_client_config.current.region\n  keyring    = \"thanos\"\n  keys       = [\"thanos\"]\n  owners = [\n    \"serviceAccount:service-${data.google_project.current.number}@gs-project-accounts.iam.gserviceaccount.com\"\n  ]\n  set_owners_for = [\n    \"thanos\"\n  ]\n}\n\nmodule \"kube-prometheus-stack_kube-prometheus-stack_bucket\" {\n  count = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"thanos_create_bucket\"] && local.kube-prometheus-stack[\"thanos_sidecar_enabled\"] ? 1 : 0\n\n  source     = \"terraform-google-modules/cloud-storage/google//modules/simple_bucket\"\n  version    = \"~> 12.0\"\n  project_id = var.project_id\n  location   = data.google_client_config.current.region\n\n  name = local.kube-prometheus-stack[\"thanos_bucket\"]\n\n  encryption = {\n    default_kms_key_name = module.kube-prometheus-stack_thanos_kms_bucket[0].keys.thanos\n  }\n}\n\nresource \"kubernetes_namespace\" \"kube-prometheus-stack\" {\n  count = local.kube-prometheus-stack[\"enabled\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.kube-prometheus-stack[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"monitoring\"\n    }\n\n    name = local.kube-prometheus-stack[\"namespace\"]\n  }\n}\n\nresource \"random_string\" \"grafana_password\" {\n  count   = local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"] ? 1 : 0\n  length  = 16\n  special = false\n}\n\nresource \"helm_release\" \"kube-prometheus-stack\" {\n  count                 = local.kube-prometheus-stack[\"enabled\"] ? 
1 : 0\n  repository            = local.kube-prometheus-stack[\"repository\"]\n  name                  = local.kube-prometheus-stack[\"name\"]\n  chart                 = local.kube-prometheus-stack[\"chart\"]\n  version               = local.kube-prometheus-stack[\"chart_version\"]\n  timeout               = local.kube-prometheus-stack[\"timeout\"]\n  force_update          = local.kube-prometheus-stack[\"force_update\"]\n  recreate_pods         = local.kube-prometheus-stack[\"recreate_pods\"]\n  wait                  = local.kube-prometheus-stack[\"wait\"]\n  atomic                = local.kube-prometheus-stack[\"atomic\"]\n  cleanup_on_fail       = local.kube-prometheus-stack[\"cleanup_on_fail\"]\n  dependency_update     = local.kube-prometheus-stack[\"dependency_update\"]\n  disable_crd_hooks     = local.kube-prometheus-stack[\"disable_crd_hooks\"]\n  disable_webhooks      = local.kube-prometheus-stack[\"disable_webhooks\"]\n  render_subchart_notes = local.kube-prometheus-stack[\"render_subchart_notes\"]\n  replace               = local.kube-prometheus-stack[\"replace\"]\n  reset_values          = local.kube-prometheus-stack[\"reset_values\"]\n  reuse_values          = local.kube-prometheus-stack[\"reuse_values\"]\n  skip_crds             = local.kube-prometheus-stack[\"skip_crds\"]\n  verify                = local.kube-prometheus-stack[\"verify\"]\n  values = compact([\n    local.values_kube-prometheus-stack,\n    local.ingress-nginx[\"enabled\"] ? local.values_dashboard_ingress-nginx : null,\n    ((local.thanos[\"enabled\"] && local.kube-prometheus-stack[\"thanos_dashboard_enabled\"]) || local.thanos-receive[\"enabled\"]) ? local.values_dashboard_thanos : null,\n    local.values_dashboard_node_exporter,\n    local.kube-prometheus-stack[\"thanos_sidecar_enabled\"] ? local.values_thanos_sidecar : null,\n    local.thanos-receive[\"enabled\"] ? 
local.values_thanos_receive : null,\n    ((local.kube-prometheus-stack[\"thanos_sidecar_enabled\"] && local.thanos[\"enabled\"]) || local.thanos-receive[\"enabled\"]) ? local.values_grafana_ds_thanos : local.values_grafana_ds_default,\n    local.kube-prometheus-stack[\"default_global_requests\"] ? local.values_kps_global_requests : null,\n    local.kube-prometheus-stack[\"default_global_limits\"] ? local.values_kps_global_limits : null,\n    local.kube-prometheus-stack[\"extra_values\"]\n  ])\n  namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n\n  depends_on = [\n    helm_release.ingress-nginx,\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"kube-prometheus-stack_default_deny\" {\n  count = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"kube-prometheus-stack_allow_namespace\" {\n  count = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"kube-prometheus-stack_allow_ingress\" {\n  count = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]}-allow-ingress\"\n    namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"ingress\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"kube-prometheus-stack_allow_control_plane\" {\n  count = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]}-allow-control-plane\"\n    namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n      match_expressions {\n        key      = \"app\"\n        operator = \"In\"\n        values   = [\"${local.kube-prometheus-stack[\"name\"]}-operator\"]\n      }\n    }\n\n    ingress {\n      ports {\n        port     = \"10250\"\n        protocol = \"TCP\"\n      }\n\n      dynamic \"from\" {\n        for_each = local.kube-prometheus-stack[\"allowed_cidrs\"]\n        content {\n          ip_block {\n            cidr = from.value\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\noutput \"kube-prometheus-stack\" {\n  value = {\n    iam_assumable_sa_kube-prometheus-stack_grafana = module.iam_assumable_sa_kube-prometheus-stack_grafana[*]\n    iam_assumable_sa_kube-prometheus-stack_thanos  = module.iam_assumable_sa_kube-prometheus-stack_thanos[*]\n  }\n}\n\noutput \"kube-prometheus-stack_sensitive\" {\n  value = {\n    grafana_password = element(concat(random_string.grafana_password.*.result, [\"\"]), 0)\n  }\n  sensitive = true\n}\n"
  },
  {
    "path": "modules/google/loki-stack.tf",
    "content": "locals {\n  loki-stack = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"loki\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"loki\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"loki\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"loki\")].version\n      service_account_name   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"loki\")].name\n      namespace              = \"monitoring\"\n      create_iam_resources   = true\n      iam_policy_override    = null\n      create_ns              = false\n      enabled                = false\n      default_network_policy = true\n      create_bucket          = true\n      bucket                 = \"loki-store-${var.cluster-name}\"\n      bucket_lifecycle_rule  = []\n      bucket_force_destroy   = false\n      bucket_location        = \"europe-west1\"\n      kms_bucket_location    = \"europe-west1\"\n      generate_ca            = true\n      trusted_ca_content     = null\n      create_promtail_cert   = true\n      create_grafana_ds_cm   = true\n      name_prefix            = \"${var.cluster-name}-loki\"\n    },\n    var.loki-stack\n  )\n\n  values_loki-stack = <<-VALUES\n    lokiCanary:\n      enabled: false\n    test:\n      enabled: false\n    serviceMonitor:\n      enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\n    gateway:\n      service:\n        labels:\n          prometheus.io/service-monitor: \"false\"\n    priorityClassName: ${local.priority-class[\"create\"] ? 
kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : \"\"}\n    serviceAccount:\n      annotations:\n        iam.gke.io/gcp-service-account: \"${local.loki-stack.create_iam_resources && local.loki-stack.enabled ? module.iam_assumable_sa_loki-stack[0].gcp_service_account_email : \"\"}\"\n    persistence:\n      enabled: true\n    loki:\n      auth_enabled: false\n      storage:\n        bucketNames:\n          chunks: \"${local.loki-stack[\"bucket\"]}\"\n          ruler: \"${local.loki-stack[\"bucket\"]}\"\n          admin: \"${local.loki-stack[\"bucket\"]}\"\n      schemaConfig:\n        configs:\n        - from: 2020-10-24\n          store: boltdb-shipper\n          object_store: gcs\n          schema: v12\n          index:\n            prefix: loki_index_\n            period: 24h\n        - from: 2024-12-20\n          store: tsdb\n          object_store: gcs\n          schema: v13\n          index:\n            prefix: loki_index_\n            period: 24h\n      storage_config:\n        gcs:\n          bucket_name: \"${local.loki-stack[\"bucket\"]}\"\n    VALUES\n}\n\nmodule \"iam_assumable_sa_loki-stack\" {\n  count               = local.loki-stack[\"enabled\"] ? 1 : 0\n  source              = \"terraform-google-modules/kubernetes-engine/google//modules/workload-identity\"\n  version             = \"~> 44.0\"\n  namespace           = local.loki-stack[\"namespace\"]\n  project_id          = var.project_id\n  name                = local.loki-stack.service_account_name\n  gcp_sa_name         = \"${local.loki-stack.service_account_name}-stack\"\n  use_existing_k8s_sa = true\n  annotate_k8s_sa     = false\n}\n\nresource \"kubernetes_namespace\" \"loki-stack\" {\n  count = local.loki-stack[\"enabled\"] && local.loki-stack[\"create_ns\"] ? 
1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.loki-stack[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"monitoring\"\n    }\n\n    name = local.loki-stack[\"namespace\"]\n  }\n}\n\nresource \"kubernetes_config_map\" \"loki-stack_grafana_ds\" {\n  count = local.loki-stack[\"enabled\"] && local.loki-stack[\"create_grafana_ds_cm\"] ? 1 : 0\n  metadata {\n    name      = \"${local.loki-stack[\"name\"]}-grafana-ds\"\n    namespace = local.loki-stack[\"namespace\"]\n    labels = {\n      grafana_datasource = \"1\"\n    }\n  }\n\n  data = {\n    \"datasource.yml\" = <<-VALUES\n      datasources:\n      - access: proxy\n        editable: true\n        isDefault: false\n        name: Loki\n        orgId: 1\n        type: loki\n        url: http://${local.loki-stack[\"name\"]}-gateway\n        version: 1\n      VALUES\n  }\n}\n\nresource \"helm_release\" \"loki-stack\" {\n  count                 = local.loki-stack[\"enabled\"] ? 1 : 0\n  repository            = local.loki-stack[\"repository\"]\n  name                  = local.loki-stack[\"name\"]\n  chart                 = local.loki-stack[\"chart\"]\n  version               = local.loki-stack[\"chart_version\"]\n  timeout               = local.loki-stack[\"timeout\"]\n  force_update          = local.loki-stack[\"force_update\"]\n  recreate_pods         = local.loki-stack[\"recreate_pods\"]\n  wait                  = local.loki-stack[\"wait\"]\n  atomic                = local.loki-stack[\"atomic\"]\n  cleanup_on_fail       = local.loki-stack[\"cleanup_on_fail\"]\n  dependency_update     = local.loki-stack[\"dependency_update\"]\n  disable_crd_hooks     = local.loki-stack[\"disable_crd_hooks\"]\n  disable_webhooks      = local.loki-stack[\"disable_webhooks\"]\n  render_subchart_notes = local.loki-stack[\"render_subchart_notes\"]\n  replace               = local.loki-stack[\"replace\"]\n  reset_values          = local.loki-stack[\"reset_values\"]\n  reuse_values         
 = local.loki-stack[\"reuse_values\"]\n  skip_crds             = local.loki-stack[\"skip_crds\"]\n  verify                = local.loki-stack[\"verify\"]\n  values = [\n    local.values_loki-stack,\n    local.loki-stack[\"extra_values\"]\n  ]\n  namespace = local.loki-stack[\"create_ns\"] ? kubernetes_namespace.loki-stack.*.metadata.0.name[count.index] : local.loki-stack[\"namespace\"]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nmodule \"loki-stack_kms_bucket\" {\n  count   = local.loki-stack[\"enabled\"] && local.loki-stack[\"create_bucket\"] ? 1 : 0\n  source  = \"terraform-google-modules/kms/google\"\n  version = \"~> 4.0\"\n\n  project_id = var.project_id\n  location   = local.loki-stack[\"kms_bucket_location\"]\n  keyring    = \"loki-stack\"\n  keys       = [\"loki-stack\"]\n  owners = [\n    \"serviceAccount:service-${data.google_project.current.number}@gs-project-accounts.iam.gserviceaccount.com\"\n  ]\n  set_owners_for = [\n    \"loki-stack\"\n  ]\n}\n\nmodule \"loki-stack_bucket\" {\n  count = local.loki-stack[\"enabled\"] && local.loki-stack[\"create_bucket\"] ? 1 : 0\n\n  source     = \"terraform-google-modules/cloud-storage/google//modules/simple_bucket\"\n  version    = \"~> 12.0\"\n  project_id = var.project_id\n  location   = local.loki-stack[\"bucket_location\"]\n\n  name = local.loki-stack[\"bucket\"]\n\n  encryption = {\n    default_kms_key_name = module.loki-stack_kms_bucket[0].keys.loki-stack\n  }\n}\n\nresource \"google_storage_bucket_iam_member\" \"loki-stack_gcs_iam_objectCreator_permissions\" {\n  count  = local.loki-stack[\"enabled\"] ? 
1 : 0\n  bucket = local.loki-stack[\"bucket\"]\n  role   = \"roles/storage.objectCreator\"\n  member = \"serviceAccount:${module.iam_assumable_sa_loki-stack[0].gcp_service_account_email}\"\n  depends_on = [\n    module.loki-stack_bucket\n  ]\n}\n\nresource \"google_storage_bucket_iam_member\" \"loki-stack_gcs_iam_objectUser_permissions\" {\n  count  = local.loki-stack[\"enabled\"] ? 1 : 0\n  bucket = local.loki-stack[\"bucket\"]\n  role   = \"roles/storage.objectUser\"\n  member = \"serviceAccount:${module.iam_assumable_sa_loki-stack[0].gcp_service_account_email}\"\n  depends_on = [\n    module.loki-stack_bucket\n  ]\n}\n\nresource \"tls_private_key\" \"loki-stack-ca-key\" {\n  count       = local.loki-stack[\"enabled\"] && local.loki-stack[\"generate_ca\"] ? 1 : 0\n  algorithm   = \"ECDSA\"\n  ecdsa_curve = \"P384\"\n}\n\nresource \"tls_self_signed_cert\" \"loki-stack-ca-cert\" {\n  count             = local.loki-stack[\"enabled\"] && local.loki-stack[\"generate_ca\"] ? 1 : 0\n  private_key_pem   = tls_private_key.loki-stack-ca-key[0].private_key_pem\n  is_ca_certificate = true\n\n  subject {\n    common_name  = var.cluster-name\n    organization = var.cluster-name\n  }\n\n  validity_period_hours = 87600\n  early_renewal_hours   = 720\n\n  allowed_uses = [\n    \"cert_signing\"\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"loki-stack_default_deny\" {\n  count = local.loki-stack[\"create_ns\"] && local.loki-stack[\"enabled\"] && local.loki-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"loki-stack_allow_namespace\" {\n  count = local.loki-stack[\"create_ns\"] && local.loki-stack[\"enabled\"] && local.loki-stack[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"loki-stack_allow_ingress\" {\n  count = local.loki-stack[\"create_ns\"] && local.loki-stack[\"enabled\"] && local.loki-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]}-allow-ingress\"\n    namespace = kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"ingress\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_secret\" \"loki-stack-ca\" {\n  count = local.loki-stack[\"enabled\"] && (local.loki-stack[\"generate_ca\"] || local.loki-stack[\"trusted_ca_content\"] != null) ? 1 : 0\n  metadata {\n    name      = \"${local.loki-stack[\"name\"]}-ca\"\n    namespace = local.loki-stack[\"create_ns\"] ? kubernetes_namespace.loki-stack.*.metadata.0.name[count.index] : local.loki-stack[\"namespace\"]\n  }\n\n  data = {\n    \"ca.crt\" = local.loki-stack[\"generate_ca\"] ? tls_self_signed_cert.loki-stack-ca-cert[count.index].cert_pem : local.loki-stack[\"trusted_ca_content\"]\n  }\n}\n\nresource \"tls_private_key\" \"promtail-key\" {\n  count       = local.loki-stack[\"enabled\"] && local.loki-stack[\"generate_ca\"] && local.loki-stack[\"create_promtail_cert\"] ? 
1 : 0\n  algorithm   = \"ECDSA\"\n  ecdsa_curve = \"P384\"\n}\n\nresource \"tls_cert_request\" \"promtail-csr\" {\n  count           = local.loki-stack[\"enabled\"] && local.loki-stack[\"generate_ca\"] && local.loki-stack[\"create_promtail_cert\"] ? 1 : 0\n  private_key_pem = tls_private_key.promtail-key[count.index].private_key_pem\n\n  subject {\n    common_name = \"promtail\"\n  }\n\n  dns_names = [\n    \"promtail\"\n  ]\n}\n\nresource \"tls_locally_signed_cert\" \"promtail-cert\" {\n  count              = local.loki-stack[\"enabled\"] && local.loki-stack[\"generate_ca\"] && local.loki-stack[\"create_promtail_cert\"] ? 1 : 0\n  cert_request_pem   = tls_cert_request.promtail-csr[count.index].cert_request_pem\n  ca_private_key_pem = tls_private_key.loki-stack-ca-key[count.index].private_key_pem\n  ca_cert_pem        = tls_self_signed_cert.loki-stack-ca-cert[count.index].cert_pem\n\n  validity_period_hours = 8760\n  early_renewal_hours   = 720\n\n  allowed_uses = [\n    \"key_encipherment\",\n    \"digital_signature\",\n    \"client_auth\"\n  ]\n}\n\noutput \"loki-stack-ca\" {\n  value = element(concat(tls_self_signed_cert.loki-stack-ca-cert[*].cert_pem, [\"\"]), 0)\n}\n\noutput \"promtail-key\" {\n  value     = element(concat(tls_private_key.promtail-key[*].private_key_pem, [\"\"]), 0)\n  sensitive = true\n}\n\noutput \"promtail-cert\" {\n  value     = element(concat(tls_locally_signed_cert.promtail-cert[*].cert_pem, [\"\"]), 0)\n  sensitive = true\n}\n"
  },
  {
    "path": "modules/google/manifests/gke-ip-masq/ip-masq-agent-configmap.yaml",
    "content": "---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: ip-masq-agent\n  namespace: kube-system\ndata:\n  config: |\n    nonMasqueradeCIDRs:\n    - 10.0.0.0/8\n    - 172.16.0.0/12\n    - 192.168.0.0/16\n    resyncInterval: 60s\n    masqLinkLocal: false\n"
  },
  {
    "path": "modules/google/manifests/gke-ip-masq/ip-masq-agent-daemonset.yaml",
    "content": "---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n  name: ip-masq-agent\n  namespace: kube-system\nspec:\n  selector:\n    matchLabels:\n      k8s-app: ip-masq-agent\n  template:\n    metadata:\n      labels:\n        k8s-app: ip-masq-agent\n    spec:\n      hostNetwork: true\n      containers:\n      - name: ip-masq-agent\n        image: gke.gcr.io/ip-masq-agent:v2.9.3-v0.2.4-gke.5\n        args:\n            # The masq-chain must be IP-MASQ\n            - --masq-chain=IP-MASQ\n            # To non-masquerade reserved IP ranges by default,\n            # uncomment the following line.\n            # - --nomasq-all-reserved-ranges\n        securityContext:\n          privileged: true\n        volumeMounts:\n          - name: config-volume\n            mountPath: /etc/config\n      volumes:\n        - name: config-volume\n          configMap:\n            name: ip-masq-agent\n            optional: true\n            items:\n              - key: config\n                path: ip-masq-agent\n      tolerations:\n      - effect: NoSchedule\n        operator: Exists\n      - effect: NoExecute\n        operator: Exists\n      - key: \"CriticalAddonsOnly\"\n        operator: \"Exists\"\n"
  },
  {
    "path": "modules/google/templates/cert-manager-cluster-issuers.yaml.j2",
    "content": "---\napiVersion: cert-manager.io/v1\nkind: ClusterIssuer\nmetadata:\n  name: letsencrypt-staging\nspec:\n  acme:\n    server: https://acme-staging-v02.api.letsencrypt.org/directory\n    email: {{ acme_email }}\n    privateKeySecretRef:\n      name: letsencrypt-staging\n    solvers:\n    {%- if acme_dns01_enabled and acme_dns01_provider == \"route53\" %}\n    - dns01:\n        route53:\n          region: \"{{ acme_dns01_provider_route53.aws_region }}\"\n    {%- endif -%}\n    {%- if acme_dns01_enabled and acme_dns01_provider == \"clouddns\" %}\n    - dns01:\n        cloudDNS:\n          project: {{ acme_dns01_provider_clouddns.project_id }}\n          hostedZoneName: {{ acme_dns01_provider_clouddns.dns_zone_name }}\n    {%- endif -%}\n    {%- if acme_http01_enabled %}\n    - http01:\n        ingress:\n          class: {{ acme_http01_ingress_class }}\n      {%- if acme_dns01_enabled %}\n      selector:\n        matchLabels:\n          \"use-http01-solver\": \"true\"\n      {%- endif %}\n    {%- endif %}\n---\napiVersion: cert-manager.io/v1\nkind: ClusterIssuer\nmetadata:\n  name: letsencrypt\nspec:\n  acme:\n    server: https://acme-v02.api.letsencrypt.org/directory\n    email: {{ acme_email }}\n    privateKeySecretRef:\n      name: letsencrypt\n    solvers:\n    {%- if acme_dns01_enabled and acme_dns01_provider == \"route53\" %}\n    - dns01:\n        route53:\n          region: \"{{ acme_dns01_provider_route53.aws_region }}\"\n    {%- endif -%}\n    {%- if acme_dns01_enabled and acme_dns01_provider == \"clouddns\" %}\n    - dns01:\n        cloudDNS:\n          project: {{ acme_dns01_provider_clouddns.project_id }}\n          hostedZoneName: {{ acme_dns01_provider_clouddns.dns_zone_name }}\n    {%- endif -%}\n    {%- if acme_http01_enabled %}\n    - http01:\n        ingress:\n          class: {{ acme_http01_ingress_class }}\n      {%- if acme_dns01_enabled %}\n      selector:\n        matchLabels:\n          \"use-http01-solver\": \"true\"\n      {%- 
endif %}\n    {%- endif %}\n"
  },
  {
    "path": "modules/google/templates/cert-manager-cluster-issuers.yaml.tpl",
    "content": "---\napiVersion: cert-manager.io/v1\nkind: ClusterIssuer\nmetadata:\n  name: letsencrypt-staging\nspec:\n  acme:\n    server: https://acme-staging-v02.api.letsencrypt.org/directory\n    email: '${acme_email}'\n    privateKeySecretRef:\n      name: letsencrypt-staging\n    solvers:\n    %{ if acme_dns01_enabled }\n    - dns01:\n        route53:\n          region: '${aws_region}'\n    %{ endif }\n    %{ if acme_http01_enabled }\n    - http01:\n        ingress:\n          class: '${acme_http01_ingress_class}'\n      %{ if acme_dns01_enabled }\n      selector:\n        matchLabels:\n          \"use-http01-solver\": \"true\"\n      %{ endif }\n    %{ endif }\n---\napiVersion: cert-manager.io/v1\nkind: ClusterIssuer\nmetadata:\n  name: letsencrypt\nspec:\n  acme:\n    server: https://acme-v02.api.letsencrypt.org/directory\n    email: '${acme_email}'\n    privateKeySecretRef:\n      name: letsencrypt\n    solvers:\n    %{ if acme_dns01_enabled }\n    - dns01:\n        route53:\n          region: '${aws_region}'\n    %{ endif }\n    %{ if acme_http01_enabled }\n    - http01:\n        ingress:\n          class: '${acme_http01_ingress_class}'\n      %{ if acme_dns01_enabled }\n      selector:\n        matchLabels:\n          \"use-http01-solver\": \"true\"\n      %{ endif }\n    %{ endif }\n"
  },
  {
    "path": "modules/google/templates/cni-metrics-helper.yaml.tpl",
    "content": "---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: cni-metrics-helper\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: cni-metrics-helper\nsubjects:\n  - kind: ServiceAccount\n    name: cni-metrics-helper\n    namespace: kube-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n  name: cni-metrics-helper\nrules:\n  - apiGroups: [\"\"]\n    resources:\n      - nodes\n      - pods\n      - pods/proxy\n      - services\n      - resourcequotas\n      - replicationcontrollers\n      - limitranges\n      - persistentvolumeclaims\n      - persistentvolumes\n      - namespaces\n      - endpoints\n    verbs: [\"list\", \"watch\", \"get\"]\n  - apiGroups: [\"extensions\"]\n    resources:\n      - daemonsets\n      - deployments\n      - replicasets\n    verbs: [\"list\", \"watch\"]\n  - apiGroups: [\"apps\"]\n    resources:\n      - statefulsets\n    verbs: [\"list\", \"watch\"]\n  - apiGroups: [\"batch\"]\n    resources:\n      - cronjobs\n      - jobs\n    verbs: [\"list\", \"watch\"]\n  - apiGroups: [\"autoscaling\"]\n    resources:\n      - horizontalpodautoscalers\n    verbs: [\"list\", \"watch\"]\n---\nkind: Deployment\napiVersion: apps/v1\nmetadata:\n  name: cni-metrics-helper\n  namespace: kube-system\n  labels:\n    k8s-app: cni-metrics-helper\nspec:\n  selector:\n    matchLabels:\n      k8s-app: cni-metrics-helper\n  template:\n    metadata:\n      labels:\n        k8s-app: cni-metrics-helper\n    spec:\n      serviceAccountName: cni-metrics-helper\n      containers:\n      - image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/cni-metrics-helper:${cni-metrics-helper_version}\n        imagePullPolicy: Always\n        name: cni-metrics-helper\n        env:\n          - name: USE_CLOUDWATCH\n            value: \"true\"\n      priorityClassName: \"system-cluster-critical\"\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: 
cni-metrics-helper\n  namespace: kube-system\n  annotations:\n    eks.amazonaws.com/role-arn: \"${cni-metrics-helper_role_arn_irsa}\"\n"
  },
  {
    "path": "modules/google/thanos-memcached.tf",
    "content": "locals {\n\n  thanos-memcached = merge(\n    local.helm_defaults,\n    {\n      chart         = local.helm_dependencies[index(local.helm_dependencies.*.name, \"oci://registry-1.docker.io/bitnamicharts/memcached\")].name\n      repository    = \"\"\n      chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, \"oci://registry-1.docker.io/bitnamicharts/memcached\")].version\n      name          = \"thanos-memcached\"\n      namespace     = local.thanos[\"namespace\"]\n      enabled       = false\n    },\n    var.thanos-memcached\n  )\n\n  values_thanos-memcached = <<-VALUES\n    architecture: \"high-availability\"\n    replicaCount: 2\n    podAntiAffinityPreset: hard\n    metrics:\n      enabled: ${local.kube-prometheus-stack[\"enabled\"]}\n      serviceMonitor:\n        enabled: ${local.kube-prometheus-stack[\"enabled\"]}\n    VALUES\n}\n\nresource \"helm_release\" \"thanos-memcached\" {\n  count                 = local.thanos-memcached[\"enabled\"] ? 
1 : 0\n  repository            = local.thanos-memcached[\"repository\"]\n  name                  = local.thanos-memcached[\"name\"]\n  chart                 = local.thanos-memcached[\"chart\"]\n  version               = local.thanos-memcached[\"chart_version\"]\n  timeout               = local.thanos-memcached[\"timeout\"]\n  force_update          = local.thanos-memcached[\"force_update\"]\n  recreate_pods         = local.thanos-memcached[\"recreate_pods\"]\n  wait                  = local.thanos-memcached[\"wait\"]\n  atomic                = local.thanos-memcached[\"atomic\"]\n  cleanup_on_fail       = local.thanos-memcached[\"cleanup_on_fail\"]\n  dependency_update     = local.thanos-memcached[\"dependency_update\"]\n  disable_crd_hooks     = local.thanos-memcached[\"disable_crd_hooks\"]\n  disable_webhooks      = local.thanos-memcached[\"disable_webhooks\"]\n  render_subchart_notes = local.thanos-memcached[\"render_subchart_notes\"]\n  replace               = local.thanos-memcached[\"replace\"]\n  reset_values          = local.thanos-memcached[\"reset_values\"]\n  reuse_values          = local.thanos-memcached[\"reuse_values\"]\n  skip_crds             = local.thanos-memcached[\"skip_crds\"]\n  verify                = local.thanos-memcached[\"verify\"]\n  values = compact([\n    local.values_thanos-memcached,\n    local.thanos-memcached[\"extra_values\"]\n  ])\n  namespace = local.thanos-memcached[\"namespace\"]\n\n  depends_on = [\n    helm_release.kube-prometheus-stack,\n  ]\n}\n"
  },
  {
    "path": "modules/google/thanos-receive.tf",
    "content": "locals {\n\n  thanos-receive = merge(\n    local.helm_defaults,\n    {\n      name                    = \"thanos\"\n      chart                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"oci://registry-1.docker.io/bitnamicharts/thanos\")].name\n      repository              = \"\"\n      chart_version           = local.helm_dependencies[index(local.helm_dependencies.*.name, \"oci://registry-1.docker.io/bitnamicharts/thanos\")].version\n      namespace               = \"monitoring\"\n      create_iam_resources    = true\n      iam_policy_override     = null\n      create_ns               = false\n      enabled                 = false\n      default_network_policy  = true\n      default_global_requests = false\n      default_global_limits   = false\n      create_bucket           = true\n      bucket                  = \"thanos-receive-store-${var.cluster-name}\"\n      bucket_force_destroy    = false\n    },\n    var.thanos-receive\n  )\n\n  values_thanos-receive = <<-VALUES\n    global:\n      security:\n        allowInsecureImages: true\n    image:\n      registry: quay.io\n      repository: thanos/thanos\n      tag: v0.37.2\n    receive:\n      extraFlags:\n        - --receive.hashrings-algorithm=ketama\n      enabled: true\n      replicaCount: 3\n      replicationFactor: 2\n      pdb:\n        create: true\n        minAvailable: 1\n      service:\n        additionalHeadless: true\n      serviceAccount:\n        annotations:\n          iam.gke.io/gcp-service-account: \"${local.thanos-receive[\"enabled\"] && local.thanos-receive[\"create_iam_resources\"] ? module.iam_assumable_sa_thanos-receive-receive[0].gcp_service_account_email : \"\"}\"\n    metrics:\n      enabled: true\n      serviceMonitor:\n        enabled: ${local.kube-prometheus-stack[\"enabled\"] ? 
\"true\" : \"false\"}\n    compactor:\n      strategyType: Recreate\n      enabled: true\n      serviceAccount:\n        annotations:\n          iam.gke.io/gcp-service-account: \"${local.thanos-receive[\"enabled\"] && local.thanos-receive[\"create_iam_resources\"] ? module.iam_assumable_sa_thanos-receive-compactor[0].gcp_service_account_email : \"\"}\"\n    storegateway:\n      replicaCount: 2\n      enabled: true\n      serviceAccount:\n        annotations:\n          iam.gke.io/gcp-service-account: \"${local.thanos-receive[\"enabled\"] && local.thanos-receive[\"create_iam_resources\"] ? module.iam_assumable_sa_thanos-receive-sg[0].gcp_service_account_email : \"\"}\"\n      pdb:\n        create: true\n        minAvailable: 1\n    VALUES\n\n  values_thanos-receive_store_config = <<-VALUES\n    objstoreConfig:\n      type: GCS\n      config:\n        bucket: ${local.thanos-receive[\"bucket\"]}\n    VALUES\n\n  values_thanos-receive_global_requests = <<-VALUES\n    query:\n      resources:\n        requests:\n          cpu: 25m\n          memory: 32Mi\n    queryFrontend:\n      resources:\n        requests:\n          cpu: 25m\n          memory: 32Mi\n    compactor:\n      resources:\n        requests:\n          cpu: 50m\n          memory: 258Mi\n    storegateway:\n      resources:\n        requests:\n          cpu: 25m\n          memory: 64Mi\n    receive:\n      resources:\n        requests:\n          cpu: 200m\n          memory: 512Mi\n    VALUES\n\n  values_thanos-receive_global_limits = <<-VALUES\n    query:\n      resources:\n        limits:\n          memory: 128Mi\n    queryFrontend:\n      resources:\n        limits:\n          memory: 64Mi\n    compactor:\n      resources:\n        limits:\n          memory: 2Gi\n    storegateway:\n      resources:\n        limits:\n          memory: 1Gi\n    receive:\n      resources:\n        limits:\n          memory: 1Gi\n    VALUES\n}\n\nmodule \"iam_assumable_sa_thanos-receive-receive\" {\n  count               = 
local.thanos-receive[\"enabled\"] ? 1 : 0\n  source              = \"terraform-google-modules/kubernetes-engine/google//modules/workload-identity\"\n  version             = \"~> 44.0\"\n  namespace           = local.thanos-receive[\"namespace\"]\n  project_id          = var.project_id\n  name                = \"${local.thanos-receive[\"name\"]}-receive\"\n  use_existing_k8s_sa = true\n  annotate_k8s_sa     = false\n}\n\nmodule \"iam_assumable_sa_thanos-receive-compactor\" {\n  count               = local.thanos-receive[\"enabled\"] ? 1 : 0\n  source              = \"terraform-google-modules/kubernetes-engine/google//modules/workload-identity\"\n  version             = \"~> 44.0\"\n  namespace           = local.thanos-receive[\"namespace\"]\n  project_id          = var.project_id\n  name                = \"${local.thanos-receive[\"name\"]}-compactor\"\n  use_existing_k8s_sa = true\n  annotate_k8s_sa     = false\n}\n\nmodule \"iam_assumable_sa_thanos-receive-sg\" {\n  count               = local.thanos-receive[\"enabled\"] ? 1 : 0\n  source              = \"terraform-google-modules/kubernetes-engine/google//modules/workload-identity\"\n  version             = \"~> 44.0\"\n  namespace           = local.thanos-receive[\"namespace\"]\n  project_id          = var.project_id\n  name                = \"${local.thanos-receive[\"name\"]}-storegateway\"\n  use_existing_k8s_sa = true\n  annotate_k8s_sa     = false\n}\n\nmodule \"thanos-receive_bucket\" {\n  count = local.thanos-receive[\"enabled\"] && local.thanos-receive[\"create_bucket\"] ? 
1 : 0\n\n  source     = \"terraform-google-modules/cloud-storage/google\"\n  version    = \"~> 12.0\"\n  project_id = var.project_id\n  location   = data.google_client_config.current.region\n\n  names = [local.thanos-receive[\"bucket\"]]\n  encryption_key_names = {\n    \"${local.thanos-receive[\"bucket\"]}\" = module.thanos-receive_kms_bucket[0].keys.thanos-receive\n  }\n}\n\nmodule \"thanos-receive_kms_bucket\" {\n  count   = local.thanos-receive[\"enabled\"] && local.thanos-receive[\"create_bucket\"] ? 1 : 0\n  source  = \"terraform-google-modules/kms/google\"\n  version = \"~> 4.0\"\n\n  project_id = var.project_id\n  location   = data.google_client_config.current.region\n  keyring    = \"thanos-receive\"\n  keys       = [\"thanos-receive\"]\n  owners = [\n    \"serviceAccount:service-${data.google_project.current.number}@gs-project-accounts.iam.gserviceaccount.com\"\n  ]\n  set_owners_for = [\n    \"thanos-receive\"\n  ]\n}\n\n# GCS permissions for thanos-receive service account\nresource \"google_storage_bucket_iam_member\" \"thanos-receive-receive_gcs_iam_objectViewer_permissions\" {\n  count  = local.thanos-receive[\"enabled\"] ? 1 : 0\n  bucket = local.thanos-receive[\"bucket\"]\n  role   = \"roles/storage.objectViewer\"\n  member = \"serviceAccount:${module.iam_assumable_sa_thanos-receive-receive[0].gcp_service_account_email}\"\n  depends_on = [\n    module.thanos-receive_bucket\n  ]\n}\n\nresource \"google_storage_bucket_iam_member\" \"thanos-receive_receive_gcs_iam_objectCreator_permissions\" {\n  count  = local.thanos-receive[\"enabled\"] ? 
1 : 0\n  bucket = local.thanos-receive[\"bucket\"]\n  role   = \"roles/storage.objectCreator\"\n  member = \"serviceAccount:${module.iam_assumable_sa_thanos-receive-receive[0].gcp_service_account_email}\"\n  depends_on = [\n    module.thanos-receive_bucket\n  ]\n}\n\n# GCS permissions for thanos-receive compactor service account\nresource \"google_storage_bucket_iam_member\" \"thanos-receive_compactor_gcs_iam_objectViewer_permissions\" {\n  count  = local.thanos-receive[\"enabled\"] ? 1 : 0\n  bucket = local.thanos-receive[\"bucket\"]\n  role   = \"roles/storage.objectViewer\"\n  member = \"serviceAccount:${module.iam_assumable_sa_thanos-receive-compactor[0].gcp_service_account_email}\"\n  depends_on = [\n    module.thanos-receive_bucket\n  ]\n}\n\nresource \"google_storage_bucket_iam_member\" \"thanos-receive_compactor_gcs_iam_objectCreator_permissions\" {\n  count  = local.thanos-receive[\"enabled\"] ? 1 : 0\n  bucket = local.thanos-receive[\"bucket\"]\n  role   = \"roles/storage.objectCreator\"\n  member = \"serviceAccount:${module.iam_assumable_sa_thanos-receive-compactor[0].gcp_service_account_email}\"\n  depends_on = [\n    module.thanos-receive_bucket\n  ]\n}\n\nresource \"google_storage_bucket_iam_member\" \"thanos-receive_compactor_gcs_iam_legacyBucketWriter_permissions\" {\n  count  = local.thanos-receive[\"enabled\"] ? 1 : 0\n  bucket = local.thanos-receive[\"bucket\"]\n  role   = \"roles/storage.legacyBucketWriter\"\n  member = \"serviceAccount:${module.iam_assumable_sa_thanos-receive-compactor[0].gcp_service_account_email}\"\n  depends_on = [\n    module.thanos-receive_bucket\n  ]\n}\n\n# GCS permissions for thanos-receive storage gateway service account\nresource \"google_storage_bucket_iam_member\" \"thanos-receive_sg_gcs_iam_objectViewer_permissions\" {\n  count  = local.thanos-receive[\"enabled\"] ? 
1 : 0\n  bucket = local.thanos-receive[\"bucket\"]\n  role   = \"roles/storage.objectViewer\"\n  member = \"serviceAccount:${module.iam_assumable_sa_thanos-receive-sg[0].gcp_service_account_email}\"\n  depends_on = [\n    module.thanos-receive_bucket\n  ]\n}\n\nresource \"google_storage_bucket_iam_member\" \"thanos-receive_sg_gcs_iam_objectCreator_permissions\" {\n  count  = local.thanos-receive[\"enabled\"] ? 1 : 0\n  bucket = local.thanos-receive[\"bucket\"]\n  role   = \"roles/storage.objectCreator\"\n  member = \"serviceAccount:${module.iam_assumable_sa_thanos-receive-sg[0].gcp_service_account_email}\"\n  depends_on = [\n    module.thanos-receive_bucket\n  ]\n}\n\nresource \"kubernetes_namespace\" \"thanos-receive\" {\n  count = local.thanos-receive[\"enabled\"] && local.thanos-receive[\"create_ns\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.thanos-receive[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"monitoring\"\n    }\n\n    name = local.thanos-receive[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"thanos-receive\" {\n  count                 = local.thanos-receive[\"enabled\"] ? 
1 : 0\n  repository            = local.thanos-receive[\"repository\"]\n  name                  = local.thanos-receive[\"name\"]\n  chart                 = local.thanos-receive[\"chart\"]\n  version               = local.thanos-receive[\"chart_version\"]\n  timeout               = local.thanos-receive[\"timeout\"]\n  force_update          = local.thanos-receive[\"force_update\"]\n  recreate_pods         = local.thanos-receive[\"recreate_pods\"]\n  wait                  = local.thanos-receive[\"wait\"]\n  atomic                = local.thanos-receive[\"atomic\"]\n  cleanup_on_fail       = local.thanos-receive[\"cleanup_on_fail\"]\n  dependency_update     = local.thanos-receive[\"dependency_update\"]\n  disable_crd_hooks     = local.thanos-receive[\"disable_crd_hooks\"]\n  disable_webhooks      = local.thanos-receive[\"disable_webhooks\"]\n  render_subchart_notes = local.thanos-receive[\"render_subchart_notes\"]\n  replace               = local.thanos-receive[\"replace\"]\n  reset_values          = local.thanos-receive[\"reset_values\"]\n  reuse_values          = local.thanos-receive[\"reuse_values\"]\n  skip_crds             = local.thanos-receive[\"skip_crds\"]\n  verify                = local.thanos-receive[\"verify\"]\n  values = compact([\n    local.values_thanos-receive,\n    local.values_thanos-receive_store_config,\n    local.thanos-receive[\"default_global_requests\"] ? local.values_thanos-receive_global_requests : null,\n    local.thanos-receive[\"default_global_limits\"] ? local.values_thanos-receive_global_limits : null,\n    local.thanos-receive[\"extra_values\"]\n  ])\n  namespace = local.thanos-receive[\"create_ns\"] ? kubernetes_namespace.thanos-receive.*.metadata.0.name[count.index] : local.thanos-receive[\"namespace\"]\n\n  depends_on = [\n    helm_release.kube-prometheus-stack,\n  ]\n}\n"
  },
  {
    "path": "modules/google/thanos-storegateway.tf",
    "content": "locals {\n\n  thanos-storegateway = { for k, v in var.thanos-storegateway : k => merge(\n    local.helm_defaults,\n    {\n      chart                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"thanos\")].name\n      repository              = local.helm_dependencies[index(local.helm_dependencies.*.name, \"thanos\")].repository\n      chart_version           = local.helm_dependencies[index(local.helm_dependencies.*.name, \"thanos\")].version\n      name                    = \"${local.thanos[\"name\"]}-storegateway-${k}\"\n      create_iam_resources    = true\n      iam_policy_override     = null\n      enabled                 = false\n      default_global_requests = false\n      default_global_limits   = false\n      bucket                  = null\n      region                  = null\n      name_prefix             = \"${var.cluster-name}-thanos-sg\"\n    },\n    v,\n  ) }\n\n  values_thanos-storegateway = { for k, v in local.thanos-storegateway : k => merge(\n    {\n      values = <<-VALUES\n        global:\n          security:\n            allowInsecureImages: true\n        image:\n          registry: quay.io\n          repository: thanos/thanos\n          tag: v0.37.2\n        # GCS credentials come from Workload Identity via the service account\n        # annotation below; no service account key is embedded in the objstore config.\n        objstoreConfig:\n          type: GCS\n          config:\n            bucket: ${v[\"bucket\"]}\n        metrics:\n          enabled: true\n          serviceMonitor:\n            enabled: ${local.kube-prometheus-stack[\"enabled\"] ? \"true\" : \"false\"}\n        query:\n          enabled: false\n        queryFrontend:\n          enabled: false\n        compactor:\n          enabled: false\n        storegateway:\n          replicaCount: 2\n          extraFlags:\n            - --ignore-deletion-marks-delay=24h\n          enabled: true\n          serviceAccount:\n            annotations:\n              iam.gke.io/gcp-service-account: \"${v[\"enabled\"] && v[\"create_iam_resources\"] ? module.iam_assumable_sa_thanos-storegateway[k].gcp_service_account_email : \"\"}\"\n          pdb:\n            create: true\n            minAvailable: 1\n        VALUES\n    },\n    v,\n  ) }\n}\n\n# One GCP service account per enabled store gateway, bound through Workload Identity\n# to the Kubernetes service account the chart creates in the Thanos namespace.\nmodule \"iam_assumable_sa_thanos-storegateway\" {\n  for_each   = { for k, v in local.thanos-storegateway : k => v if v[\"enabled\"] }\n  source     = \"terraform-google-modules/kubernetes-engine/google//modules/workload-identity\"\n  version    = \"~> 44.0\"\n  namespace  = local.thanos[\"namespace\"]\n  project_id = var.project_id\n  name       = \"${each.value[\"name_prefix\"]}-${each.key}\"\n}\n\n# A store gateway only reads blocks, so it gets objectViewer on its bucket and nothing more.\nmodule \"thanos-storegateway_bucket_iam\" {\n  for_each = { for k, v in local.thanos-storegateway : k => v if v[\"enabled\"] }\n  source   = \"terraform-google-modules/iam/google//modules/storage_buckets_iam\"\n  version  = \"~> 8.0\"\n\n  mode            = \"additive\"\n  storage_buckets = [each.value[\"bucket\"]]\n  bindings = {\n    \"roles/storage.objectViewer\" = [\n      \"serviceAccount:${module.iam_assumable_sa_thanos-storegateway[\"${each.key}\"].gcp_service_account_email}\"\n    ]\n  }\n}\n\nresource \"helm_release\" \"thanos-storegateway\" {\n  for_each              = { for k, v in local.thanos-storegateway : k => v if v[\"enabled\"] }\n  repository            = each.value[\"repository\"]\n  name                  = each.value[\"name\"]\n  chart                 = each.value[\"chart\"]\n  version               = each.value[\"chart_version\"]\n  timeout               = each.value[\"timeout\"]\n  force_update          = each.value[\"force_update\"]\n  recreate_pods         = each.value[\"recreate_pods\"]\n  wait                  = each.value[\"wait\"]\n  atomic                = each.value[\"atomic\"]\n  cleanup_on_fail       = each.value[\"cleanup_on_fail\"]\n  dependency_update     = each.value[\"dependency_update\"]\n  disable_crd_hooks     = 
each.value[\"disable_crd_hooks\"]\n  disable_webhooks      = each.value[\"disable_webhooks\"]\n  render_subchart_notes = each.value[\"render_subchart_notes\"]\n  replace               = each.value[\"replace\"]\n  reset_values          = each.value[\"reset_values\"]\n  reuse_values          = each.value[\"reuse_values\"]\n  skip_crds             = each.value[\"skip_crds\"]\n  verify                = each.value[\"verify\"]\n  values = compact([\n    local.values_thanos-storegateway[each.key][\"values\"],\n    each.value[\"default_global_requests\"] ? local.values_thanos_global_requests : null,\n    each.value[\"default_global_limits\"] ? local.values_thanos_global_limits : null,\n    each.value[\"extra_values\"]\n  ])\n  namespace = local.thanos[\"create_ns\"] ? kubernetes_namespace.thanos.*.metadata.0.name[0] : local.thanos[\"namespace\"]\n\n  depends_on = [\n    helm_release.kube-prometheus-stack,\n  ]\n}\n"
  },
  {
    "path": "modules/google/thanos-tls-querier.tf",
    "content": "locals {\n\n  thanos-tls-querier = { for k, v in var.thanos-tls-querier : k => merge(\n    local.helm_defaults,\n    {\n      chart              = local.helm_dependencies[index(local.helm_dependencies.*.name, \"thanos\")].name\n      repository         = local.helm_dependencies[index(local.helm_dependencies.*.name, \"thanos\")].repository\n      chart_version      = local.helm_dependencies[index(local.helm_dependencies.*.name, \"thanos\")].version\n      name               = \"${local.thanos[\"name\"]}-tls-querier-${k}\"\n      enabled            = false\n      generate_cert      = local.thanos[\"generate_ca\"]\n      client_server_name = \"\"\n      ## This default to Let's encrypt X1 root CA\n      grpc_client_tls_ca_pem  = <<-EOV\n        -----BEGIN CERTIFICATE-----\n        MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw\n        TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n        cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4\n        WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu\n        ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY\n        MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc\n        h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+\n        0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U\n        A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW\n        T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH\n        B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC\n        B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv\n        KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn\n        OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn\n        jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw\n        qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI\n        
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV\n        HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq\n        hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL\n        ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ\n        3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK\n        NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5\n        ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur\n        TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC\n        jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc\n        oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq\n        4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA\n        mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d\n        emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=\n        -----END CERTIFICATE-----\n        EOV\n      stores                  = []\n      default_global_requests = false\n      default_global_limits   = false\n    },\n    v,\n  ) }\n\n  values_thanos-tls-querier = { for k, v in local.thanos-tls-querier : k => merge(\n    {\n      values = <<-VALUES\n        global:\n          security:\n            allowInsecureImages: true\n        image:\n          registry: quay.io\n          repository: thanos/thanos\n          tag: v0.37.2\n        metrics:\n          enabled: true\n          serviceMonitor:\n            enabled: ${local.kube-prometheus-stack[\"enabled\"] ? 
\"true\" : \"false\"}\n        query:\n          replicaCount: 2\n          extraFlags:\n            - --query.timeout=5m\n            - --query.lookback-delta=15m\n            - --query.replica-label=rule_replica\n          enabled: true\n          dnsDiscovery:\n            enabled: false\n          pdb:\n            create: true\n            minAvailable: 1\n          grpc:\n            client:\n              servername: ${v[\"client_server_name\"]}\n              tls:\n                enabled: ${v[\"generate_cert\"]}\n                key: |\n                  ${indent(10, v[\"generate_cert\"] ? tls_private_key.thanos-tls-querier-cert-key[k].private_key_pem : \"\")}\n                cert: |\n                  ${indent(10, v[\"generate_cert\"] ? tls_locally_signed_cert.thanos-tls-querier-cert[k].cert_pem : \"\")}\n                ca: |\n                  ${indent(10, v[\"generate_cert\"] ? v[\"grpc_client_tls_ca_pem\"] : \"\")}\n          stores: ${jsonencode(v[\"stores\"])}\n        queryFrontend:\n          enabled: false\n        compactor:\n          enabled: false\n        storegateway:\n          enabled: false\n        VALUES\n    },\n    v,\n  ) }\n}\n\nresource \"helm_release\" \"thanos-tls-querier\" {\n  for_each              = { for k, v in local.thanos-tls-querier : k => v if v[\"enabled\"] }\n  repository            = each.value[\"repository\"]\n  name                  = each.value[\"name\"]\n  chart                 = each.value[\"chart\"]\n  version               = each.value[\"chart_version\"]\n  timeout               = each.value[\"timeout\"]\n  force_update          = each.value[\"force_update\"]\n  recreate_pods         = each.value[\"recreate_pods\"]\n  wait                  = each.value[\"wait\"]\n  atomic                = each.value[\"atomic\"]\n  cleanup_on_fail       = each.value[\"cleanup_on_fail\"]\n  dependency_update     = each.value[\"dependency_update\"]\n  disable_crd_hooks     = each.value[\"disable_crd_hooks\"]\n  disable_webhooks  
    = each.value[\"disable_webhooks\"]\n  render_subchart_notes = each.value[\"render_subchart_notes\"]\n  replace               = each.value[\"replace\"]\n  reset_values          = each.value[\"reset_values\"]\n  reuse_values          = each.value[\"reuse_values\"]\n  skip_crds             = each.value[\"skip_crds\"]\n  verify                = each.value[\"verify\"]\n  values = compact([\n    local.values_thanos-tls-querier[each.key][\"values\"],\n    each.value[\"default_global_requests\"] ? local.values_thanos_global_requests : null,\n    each.value[\"default_global_limits\"] ? local.values_thanos_global_limits : null,\n    each.value[\"extra_values\"]\n  ])\n  namespace = local.thanos[\"create_ns\"] ? kubernetes_namespace.thanos.*.metadata.0.name[0] : local.thanos[\"namespace\"]\n\n  depends_on = [\n    helm_release.kube-prometheus-stack,\n  ]\n}\n\nresource \"tls_private_key\" \"thanos-tls-querier-cert-key\" {\n  for_each    = { for k, v in local.thanos-tls-querier : k => v if v[\"enabled\"] && v[\"generate_cert\"] }\n  algorithm   = \"ECDSA\"\n  ecdsa_curve = \"P384\"\n}\n\nresource \"tls_cert_request\" \"thanos-tls-querier-cert-csr\" {\n  for_each        = { for k, v in local.thanos-tls-querier : k => v if v[\"enabled\"] && v[\"generate_cert\"] }\n  private_key_pem = tls_private_key.thanos-tls-querier-cert-key[each.key].private_key_pem\n\n  subject {\n    common_name = each.key\n  }\n\n  dns_names = [\n    each.key\n  ]\n}\n\nresource \"tls_locally_signed_cert\" \"thanos-tls-querier-cert\" {\n  for_each           = { for k, v in local.thanos-tls-querier : k => v if v[\"enabled\"] && v[\"generate_cert\"] }\n  cert_request_pem   = tls_cert_request.thanos-tls-querier-cert-csr[each.key].cert_request_pem\n  ca_private_key_pem = tls_private_key.thanos-tls-querier-ca-key[0].private_key_pem\n  ca_cert_pem        = tls_self_signed_cert.thanos-tls-querier-ca-cert[0].cert_pem\n\n  validity_period_hours = 8760\n\n  allowed_uses = [\n    \"key_encipherment\",\n    
\"digital_signature\",\n    \"client_auth\"\n  ]\n}\n"
  },
  {
    "path": "modules/google/thanos.tf",
    "content": "locals {\n\n  thanos = merge(\n    local.helm_defaults,\n    {\n      name                            = \"thanos\"\n      chart                           = local.helm_dependencies[index(local.helm_dependencies.*.name, \"oci://registry-1.docker.io/bitnamicharts/thanos\")].name\n      repository                      = \"\"\n      chart_version                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"oci://registry-1.docker.io/bitnamicharts/thanos\")].version\n      namespace                       = \"monitoring\"\n      create_iam_resources            = true\n      iam_policy_override             = null\n      create_ns                       = false\n      enabled                         = false\n      default_network_policy          = true\n      default_global_requests         = false\n      default_global_limits           = false\n      create_bucket                   = false\n      bucket                          = \"thanos-store-${var.cluster-name}\"\n      bucket_force_destroy            = false\n      bucket_location                 = \"europe-west1\"\n      bucket_public_access_prevention = \"enforced\"\n      kms_bucket_location             = \"europe-west1\"\n      generate_ca                     = false\n      trusted_ca_content              = null\n      name_prefix                     = \"gke-thanos\"\n    },\n    var.thanos\n  )\n\n  thanos_bucket = (\n    local.thanos[\"enabled\"] && local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"thanos_create_bucket\"] ? module.kube-prometheus-stack_kube-prometheus-stack_bucket[0].name :\n    local.thanos[\"enabled\"] && local.thanos[\"create_bucket\"] ? 
module.thanos_bucket[0].name : local.thanos[\"bucket\"]\n  )\n\n  values_thanos = <<-VALUES\n    global:\n      security:\n        allowInsecureImages: true\n    image:\n      registry: quay.io\n      repository: thanos/thanos\n      tag: v0.37.2\n    receive:\n      enabled: false\n      pdb:\n        create: true\n        minAvailable: 1\n      serviceAccount:\n        annotations:\n          iam.gke.io/gcp-service-account: \"${local.thanos[\"enabled\"] && local.thanos[\"create_iam_resources\"] ? module.iam_assumable_sa_thanos-receive[0].gcp_service_account_email : \"\"}\"\n    metrics:\n      enabled: true\n      serviceMonitor:\n        enabled: ${local.kube-prometheus-stack[\"enabled\"] ? \"true\" : \"false\"}\n    query:\n      extraFlags:\n        - --query.timeout=5m\n        - --query.lookback-delta=15m\n        - --query.replica-label=rule_replica\n      replicaCount: 2\n      replicaLabel:\n        - prometheus_replica\n      enabled: true\n      dnsDiscovery:\n        enabled: true\n        sidecarsService: ${local.kube-prometheus-stack[\"name\"]}-thanos-discovery\n        sidecarsNamespace: \"${local.kube-prometheus-stack[\"namespace\"]}\"\n      pdb:\n        create: true\n        minAvailable: 1\n      stores: ${jsonencode(concat([for k, v in local.thanos-tls-querier : \"dnssrv+_grpc._tcp.${v[\"name\"]}-query-grpc.${local.thanos[\"namespace\"]}.svc.cluster.local\"], [for k, v in local.thanos-storegateway : \"dnssrv+_grpc._tcp.${v[\"name\"]}-storegateway.${local.thanos[\"namespace\"]}.svc.cluster.local\"]))}\n    queryFrontend:\n      extraFlags:\n        - --query-frontend.compress-responses\n        - --query-range.split-interval=12h\n        - --labels.split-interval=12h\n        - --query-range.max-retries-per-request=10\n        - --labels.max-retries-per-request=10\n        - --query-frontend.log-queries-longer-than=10s\n      replicaCount: 2\n      enabled: true\n      pdb:\n        create: true\n        minAvailable: 1\n    compactor:\n      
extraFlags:\n        - --deduplication.replica-label=prometheus_replica\n        - --deduplication.replica-label=rule_replica\n      strategyType: Recreate\n      enabled: true\n      serviceAccount:\n        annotations:\n          iam.gke.io/gcp-service-account: \"${local.thanos[\"enabled\"] && local.thanos[\"create_iam_resources\"] ? module.iam_assumable_sa_thanos-compactor[0].gcp_service_account_email : \"\"}\"\n    storegateway:\n      extraFlags:\n        - --ignore-deletion-marks-delay=24h\n      replicaCount: 2\n      enabled: true\n      serviceAccount:\n        annotations:\n          iam.gke.io/gcp-service-account: \"${local.thanos[\"enabled\"] && local.thanos[\"create_iam_resources\"] ? module.iam_assumable_sa_thanos-sg[0].gcp_service_account_email : \"\"}\"\n      pdb:\n        create: true\n        minAvailable: 1\n    VALUES\n\n  values_thanos_caching = <<-VALUES\n    queryFrontend:\n      extraFlags:\n        - --query-frontend.compress-responses\n        - --query-range.split-interval=12h\n        - --labels.split-interval=12h\n        - --query-range.max-retries-per-request=10\n        - --labels.max-retries-per-request=10\n        - --query-frontend.log-queries-longer-than=10s\n        - |-\n          --query-range.response-cache-config=\"config\":\n            \"addresses\":\n            - \"dnssrv+_memcache._tcp.${local.thanos-memcached[\"name\"]}.${local.thanos-memcached[\"namespace\"]}.svc.cluster.local\"\n            \"dns_provider_update_interval\": \"10s\"\n            \"max_async_buffer_size\": 10000\n            \"max_async_concurrency\": 20\n            \"max_get_multi_batch_size\": 0\n            \"max_get_multi_concurrency\": 100\n            \"max_idle_connections\": 100\n            \"timeout\": \"500ms\"\n          \"type\": \"memcached\"\n        - |-\n          --labels.response-cache-config=\"config\":\n            \"addresses\":\n            - 
\"dnssrv+_memcache._tcp.${local.thanos-memcached[\"name\"]}.${local.thanos-memcached[\"namespace\"]}.svc.cluster.local\"\n            \"dns_provider_update_interval\": \"10s\"\n            \"max_async_buffer_size\": 10000\n            \"max_async_concurrency\": 20\n            \"max_get_multi_batch_size\": 0\n            \"max_get_multi_concurrency\": 100\n            \"max_idle_connections\": 100\n            \"timeout\": \"500ms\"\n          \"type\": \"memcached\"\n    storegateway:\n      extraFlags:\n        - --ignore-deletion-marks-delay=24h\n        - |-\n          --index-cache.config=\"config\":\n            \"addresses\":\n            - \"dnssrv+_memcache._tcp.${local.thanos-memcached[\"name\"]}.${local.thanos-memcached[\"namespace\"]}.svc.cluster.local\"\n            \"dns_provider_update_interval\": \"10s\"\n            \"max_async_buffer_size\": 10000\n            \"max_async_concurrency\": 20\n            \"max_get_multi_batch_size\": 0\n            \"max_get_multi_concurrency\": 100\n            \"max_idle_connections\": 100\n            \"max_item_size\": \"1MiB\"\n            \"timeout\": \"500ms\"\n          \"type\": \"memcached\"\n        - |-\n          --store.caching-bucket.config=\"blocks_iter_ttl\": \"5m\"\n          \"chunk_object_attrs_ttl\": \"24h\"\n          \"chunk_subrange_size\": 16000\n          \"chunk_subrange_ttl\": \"24h\"\n          \"config\":\n            \"addresses\":\n            - \"dnssrv+_memcache._tcp.${local.thanos-memcached[\"name\"]}.${local.thanos-memcached[\"namespace\"]}.svc.cluster.local\"\n            \"dns_provider_update_interval\": \"10s\"\n            \"max_async_buffer_size\": 10000\n            \"max_async_concurrency\": 20\n            \"max_get_multi_batch_size\": 0\n            \"max_get_multi_concurrency\": 100\n            \"max_idle_connections\": 100\n            \"max_item_size\": \"1MiB\"\n            \"timeout\": \"500ms\"\n          \"max_chunks_get_range_requests\": 3\n          
\"metafile_content_ttl\": \"24h\"\n          \"metafile_doesnt_exist_ttl\": \"15m\"\n          \"metafile_exists_ttl\": \"2h\"\n          \"metafile_max_size\": \"1MiB\"\n          \"type\": \"memcached\"\n    VALUES\n\n\n  values_store_config = <<-VALUES\n    objstoreConfig:\n      type: GCS\n      config:\n        bucket: ${local.thanos_bucket}\n    VALUES\n\n  values_thanos_global_requests = <<-VALUES\n    query:\n      resources:\n        requests:\n          cpu: 25m\n          memory: 32Mi\n    queryFrontend:\n      resources:\n        requests:\n          cpu: 25m\n          memory: 32Mi\n    compactor:\n      resources:\n        requests:\n          cpu: 50m\n          memory: 258Mi\n    storegateway:\n      resources:\n        requests:\n          cpu: 25m\n          memory: 64Mi\n    VALUES\n\n  values_thanos_global_limits = <<-VALUES\n    query:\n      resources:\n        limits:\n          memory: 128Mi\n    queryFrontend:\n      resources:\n        limits:\n          memory: 64Mi\n    compactor:\n      resources:\n        limits:\n          memory: 2Gi\n    storegateway:\n      resources:\n        limits:\n          memory: 1Gi\n    VALUES\n}\n\nmodule \"iam_assumable_sa_thanos-receive\" {\n  count               = local.thanos[\"enabled\"] ? 1 : 0\n  source              = \"terraform-google-modules/kubernetes-engine/google//modules/workload-identity\"\n  version             = \"~> 44.0\"\n  namespace           = local.thanos[\"namespace\"]\n  project_id          = var.project_id\n  name                = \"${local.thanos[\"name\"]}-receive\"\n  use_existing_k8s_sa = true\n  annotate_k8s_sa     = false\n}\n\nmodule \"iam_assumable_sa_thanos-compactor\" {\n  count               = local.thanos[\"enabled\"] ? 
1 : 0\n  source              = \"terraform-google-modules/kubernetes-engine/google//modules/workload-identity\"\n  version             = \"~> 44.0\"\n  namespace           = local.thanos[\"namespace\"]\n  project_id          = var.project_id\n  name                = \"${local.thanos[\"name\"]}-compactor\"\n  use_existing_k8s_sa = true\n  annotate_k8s_sa     = false\n}\n\nmodule \"iam_assumable_sa_thanos-sg\" {\n  count               = local.thanos[\"enabled\"] ? 1 : 0\n  source              = \"terraform-google-modules/kubernetes-engine/google//modules/workload-identity\"\n  version             = \"~> 44.0\"\n  namespace           = local.thanos[\"namespace\"]\n  project_id          = var.project_id\n  name                = \"${local.thanos[\"name\"]}-storegateway\"\n  use_existing_k8s_sa = true\n  annotate_k8s_sa     = false\n}\n\nmodule \"thanos_bucket\" {\n  count = local.thanos[\"enabled\"] && local.thanos[\"create_bucket\"] ? 1 : 0\n\n  source     = \"terraform-google-modules/cloud-storage/google//modules/simple_bucket\"\n  version    = \"~> 12.0\"\n  project_id = var.project_id\n  location   = local.thanos[\"bucket_location\"]\n\n  name = local.thanos[\"bucket\"]\n\n  encryption = {\n    default_kms_key_name = module.thanos_kms_bucket[0].keys.thanos\n  }\n\n  public_access_prevention = local.thanos[\"bucket_public_access_prevention\"]\n}\n\nmodule \"thanos_kms_bucket\" {\n  count   = local.thanos[\"enabled\"] && local.thanos[\"create_bucket\"] ? 
1 : 0\n  source  = \"terraform-google-modules/kms/google\"\n  version = \"~> 4.0\"\n\n  project_id = var.project_id\n  location   = local.thanos[\"kms_bucket_location\"]\n  keyring    = \"thanos\"\n  keys       = [\"thanos\"]\n  owners = [\n    \"serviceAccount:service-${data.google_project.current.number}@gs-project-accounts.iam.gserviceaccount.com\"\n  ]\n  set_owners_for = [\n    \"thanos\"\n  ]\n}\n\n# GCS permissions for thanos service account\nresource \"google_storage_bucket_iam_member\" \"thanos_receive_gcs_iam_objectViewer_permissions\" {\n  count  = local.thanos[\"enabled\"] ? 1 : 0\n  bucket = local.thanos_bucket\n  role   = \"roles/storage.objectViewer\"\n  member = \"serviceAccount:${module.iam_assumable_sa_thanos-receive[0].gcp_service_account_email}\"\n}\n\nresource \"google_storage_bucket_iam_member\" \"thanos_receive_gcs_iam_objectCreator_permissions\" {\n  count  = local.thanos[\"enabled\"] ? 1 : 0\n  bucket = local.thanos_bucket\n  role   = \"roles/storage.objectCreator\"\n  member = \"serviceAccount:${module.iam_assumable_sa_thanos-receive[0].gcp_service_account_email}\"\n}\n\n# GCS permissions for thanos compactor service account\nresource \"google_storage_bucket_iam_member\" \"thanos_compactor_gcs_iam_objectViewer_permissions\" {\n  count  = local.thanos[\"enabled\"] ? 1 : 0\n  bucket = local.thanos_bucket\n  role   = \"roles/storage.objectViewer\"\n  member = \"serviceAccount:${module.iam_assumable_sa_thanos-compactor[0].gcp_service_account_email}\"\n}\n\nresource \"google_storage_bucket_iam_member\" \"thanos_compactor_gcs_iam_objectCreator_permissions\" {\n  count  = local.thanos[\"enabled\"] ? 1 : 0\n  bucket = local.thanos_bucket\n  role   = \"roles/storage.objectCreator\"\n  member = \"serviceAccount:${module.iam_assumable_sa_thanos-compactor[0].gcp_service_account_email}\"\n}\n\nresource \"google_storage_bucket_iam_member\" \"thanos_compactor_gcs_iam_legacyBucketWriter_permissions\" {\n  count  = local.thanos[\"enabled\"] ? 
1 : 0\n  bucket = local.thanos_bucket\n  role   = \"roles/storage.legacyBucketWriter\"\n  member = \"serviceAccount:${module.iam_assumable_sa_thanos-compactor[0].gcp_service_account_email}\"\n}\n\n# GCS permissions for thanos storage gateway service account\nresource \"google_storage_bucket_iam_member\" \"thanos_sg_gcs_iam_objectViewer_permissions\" {\n  count  = local.thanos[\"enabled\"] ? 1 : 0\n  bucket = local.thanos_bucket\n  role   = \"roles/storage.objectViewer\"\n  member = \"serviceAccount:${module.iam_assumable_sa_thanos-sg[0].gcp_service_account_email}\"\n}\n\nresource \"google_storage_bucket_iam_member\" \"thanos_sg_gcs_iam_objectCreator_permissions\" {\n  count  = local.thanos[\"enabled\"] ? 1 : 0\n  bucket = local.thanos_bucket\n  role   = \"roles/storage.objectCreator\"\n  member = \"serviceAccount:${module.iam_assumable_sa_thanos-sg[0].gcp_service_account_email}\"\n}\n\nresource \"kubernetes_namespace\" \"thanos\" {\n  count = local.thanos[\"enabled\"] && local.thanos[\"create_ns\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.thanos[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"monitoring\"\n    }\n\n    name = local.thanos[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"thanos\" {\n  count                 = local.thanos[\"enabled\"] ? 
1 : 0\n  repository            = local.thanos[\"repository\"]\n  name                  = local.thanos[\"name\"]\n  chart                 = local.thanos[\"chart\"]\n  version               = local.thanos[\"chart_version\"]\n  timeout               = local.thanos[\"timeout\"]\n  force_update          = local.thanos[\"force_update\"]\n  recreate_pods         = local.thanos[\"recreate_pods\"]\n  wait                  = local.thanos[\"wait\"]\n  atomic                = local.thanos[\"atomic\"]\n  cleanup_on_fail       = local.thanos[\"cleanup_on_fail\"]\n  dependency_update     = local.thanos[\"dependency_update\"]\n  disable_crd_hooks     = local.thanos[\"disable_crd_hooks\"]\n  disable_webhooks      = local.thanos[\"disable_webhooks\"]\n  render_subchart_notes = local.thanos[\"render_subchart_notes\"]\n  replace               = local.thanos[\"replace\"]\n  reset_values          = local.thanos[\"reset_values\"]\n  reuse_values          = local.thanos[\"reuse_values\"]\n  skip_crds             = local.thanos[\"skip_crds\"]\n  verify                = local.thanos[\"verify\"]\n  values = compact([\n    local.values_thanos,\n    local.values_store_config,\n    local.thanos[\"default_global_requests\"] ? local.values_thanos_global_requests : null,\n    local.thanos[\"default_global_limits\"] ? local.values_thanos_global_limits : null,\n    local.thanos-memcached[\"enabled\"] ? local.values_thanos_caching : null,\n    local.thanos[\"extra_values\"]\n  ])\n  namespace = local.thanos[\"create_ns\"] ? kubernetes_namespace.thanos.*.metadata.0.name[count.index] : local.thanos[\"namespace\"]\n\n  depends_on = [\n    helm_release.kube-prometheus-stack,\n    helm_release.thanos-memcached\n  ]\n}\n\nresource \"tls_private_key\" \"thanos-tls-querier-ca-key\" {\n  count       = local.thanos[\"enabled\"] && local.thanos[\"generate_ca\"] ? 
1 : 0\n  algorithm   = \"ECDSA\"\n  ecdsa_curve = \"P384\"\n}\n\nresource \"tls_self_signed_cert\" \"thanos-tls-querier-ca-cert\" {\n  count             = local.thanos[\"enabled\"] && local.thanos[\"generate_ca\"] ? 1 : 0\n  private_key_pem   = tls_private_key.thanos-tls-querier-ca-key[0].private_key_pem\n  is_ca_certificate = true\n\n  subject {\n    common_name  = var.cluster-name\n    organization = var.cluster-name\n  }\n\n  validity_period_hours = 87600\n\n  allowed_uses = [\n    \"cert_signing\"\n  ]\n}\n\nresource \"kubernetes_secret\" \"thanos-ca\" {\n  count = local.thanos[\"enabled\"] && (local.thanos[\"generate_ca\"] || local.thanos[\"trusted_ca_content\"] != null) ? 1 : 0\n  metadata {\n    name      = \"${local.thanos[\"name\"]}-ca\"\n    namespace = local.thanos[\"create_ns\"] ? kubernetes_namespace.thanos.*.metadata.0.name[count.index] : local.thanos[\"namespace\"]\n  }\n\n  data = {\n    \"ca.crt\" = local.thanos[\"generate_ca\"] ? tls_self_signed_cert.thanos-tls-querier-ca-cert[count.index].cert_pem : local.thanos[\"trusted_ca_content\"]\n  }\n}\n\noutput \"thanos_ca\" {\n  value = element(concat(tls_self_signed_cert.thanos-tls-querier-ca-cert[*].cert_pem, [\"\"]), 0)\n}\n"
  },
  {
    "path": "modules/google/variables-google.tf",
    "content": "variable \"google\" {\n  description = \"GCP provider customization\"\n  type        = any\n  default     = {}\n}\n\nvariable \"project_id\" {\n  description = \"GCP project id\"\n  type        = string\n  default     = \"\"\n}\n\nvariable \"cni-metrics-helper\" {\n  description = \"Customize cni-metrics-helper deployment, see `cni-metrics-helper.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"gke\" {\n  description = \"GKE cluster inputs\"\n  type        = any\n  default     = {}\n}\n\nvariable \"prometheus-cloudwatch-exporter\" {\n  description = \"Customize prometheus-cloudwatch-exporter chart, see `prometheus-cloudwatch-exporter.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"tags\" {\n  description = \"Map of tags for Google resources\"\n  type        = map(any)\n  default     = {}\n}\n"
  },
  {
    "path": "modules/google/velero.tf",
    "content": "locals {\n  velero = merge(\n    local.helm_defaults,\n    {\n      name                    = local.helm_dependencies[index(local.helm_dependencies.*.name, \"velero\")].name\n      chart                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"velero\")].name\n      repository              = local.helm_dependencies[index(local.helm_dependencies.*.name, \"velero\")].repository\n      chart_version           = local.helm_dependencies[index(local.helm_dependencies.*.name, \"velero\")].version\n      namespace               = \"velero\"\n      service_account_name    = local.helm_dependencies[index(local.helm_dependencies.*.name, \"velero\")].name\n      enabled                 = false\n      create_iam_resources    = true\n      create_bucket           = true\n      bucket                  = \"${var.cluster-name}-velero\"\n      bucket_location         = \"eu\"\n      bucket_force_destroy    = false\n      bucket_versioning       = false\n      allowed_cidrs           = [\"0.0.0.0/0\"]\n      default_network_policy  = true\n      kms_key_arn_access_list = []\n      name_prefix             = \"${var.cluster-name}-velero\"\n      snapshot_location       = \"eu\"\n      create_snapshot_class   = true\n    },\n    var.velero\n  )\n\n  values_velero = <<VALUES\nmetrics:\n  serviceMonitor:\n    enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\nconfiguration:\n  namespace: ${local.velero[\"namespace\"]}\n  features: EnableCSI\n  backupStorageLocation:\n    - name: gcp\n      provider: velero.io/gcp\n      bucket: ${local.velero[\"bucket\"]}\n      default: true\n      config:\n        serviceAccount: ${local.velero.create_iam_resources && local.velero.enabled ? 
module.iam_assumable_sa_velero[0].gcp_service_account_email : \"@@SETTHIS@@\"}\n  volumeSnapshotLocation:\n    - name: gcp\n      provider: velero.io/gcp\n      snapshotLocation: ${local.velero[\"snapshot_location\"]}\nserviceAccount:\n  server:\n    name: ${local.velero[\"service_account_name\"]}\n    create: true\n    annotations:\n       ${local.velero[\"enabled\"] && local.velero[\"create_iam_resources\"] ? \"iam.gke.io/gcp-service-account: ${module.iam_assumable_sa_velero[0].gcp_service_account_email}\" : \"\"}\npriorityClassName: ${local.priority-class-ds[\"create\"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : \"\"}\ncredentials:\n  useSecret: false\ninitContainers:\n  - name: velero-plugin-for-gcp\n    image: velero/velero-plugin-for-gcp:v1.10.1\n    imagePullPolicy: IfNotPresent\n    volumeMounts:\n      - mountPath: /target\n        name: plugins\nVALUES\n\n}\n\nresource \"google_project_iam_custom_role\" \"velero\" {\n  count       = (local.velero[\"enabled\"] && local.velero[\"create_iam_resources\"]) ? 
1 : 0\n  role_id     = replace(local.velero[\"service_account_name\"], \"-\", \"_\")\n  title       = \"${var.cluster-name} - velero\"\n  description = \"IAM role used by velero on ${var.cluster-name} to perform backup operations\"\n  permissions = [\n    # https://github.com/vmware-tanzu/velero-plugin-for-gcp/blob/main/README.md#create-custom-role-with-permissions-for-the-velero-gsa\n    \"compute.disks.get\",\n    \"compute.disks.create\",\n    \"compute.disks.createSnapshot\",\n    \"compute.projects.get\",\n    \"compute.snapshots.get\",\n    \"compute.snapshots.create\",\n    \"compute.snapshots.useReadOnly\",\n    \"compute.snapshots.delete\",\n    \"compute.zones.get\",\n    # We set these privileges on the bucket directly\n    # \"storage.objects.create\",\n    # \"storage.objects.delete\",\n    # \"storage.objects.get\",\n    # \"storage.objects.list\",\n    \"iam.serviceAccounts.signBlob\",\n  ]\n}\n\nresource \"google_project_iam_member\" \"velero\" {\n  count   = (local.velero[\"enabled\"] && local.velero[\"create_iam_resources\"]) ? 1 : 0\n  project = data.google_project.current.project_id\n  role    = google_project_iam_custom_role.velero[0].id\n  member  = \"serviceAccount:${module.iam_assumable_sa_velero[0].gcp_service_account_email}\"\n}\n\nmodule \"iam_assumable_sa_velero\" {\n  count               = local.velero[\"enabled\"] && local.velero.create_iam_resources ? 1 : 0\n  source              = \"terraform-google-modules/kubernetes-engine/google//modules/workload-identity\"\n  version             = \"~> 44.0\"\n  namespace           = local.velero[\"namespace\"]\n  project_id          = var.project_id\n  name                = local.velero.service_account_name\n  use_existing_k8s_sa = true\n  annotate_k8s_sa     = false\n}\n\n\nmodule \"velero_bucket\" {\n  count  = (local.velero[\"enabled\"] && local.velero[\"create_bucket\"]) ? 
1 : 0\n  source = \"github.com/terraform-google-modules/terraform-google-cloud-storage//modules/simple_bucket?ref=v12.3.0\"\n\n  name       = local.velero[\"name_prefix\"]\n  project_id = data.google_project.current.project_id\n\n  versioning = local.velero[\"bucket_versioning\"]\n  location   = local.velero[\"bucket_location\"]\n\n  force_destroy = local.velero[\"bucket_force_destroy\"]\n}\n\nresource \"google_storage_bucket_iam_member\" \"velero_gcs_iam_objectUser_permissions\" {\n  count  = local.velero[\"enabled\"] ? 1 : 0\n  bucket = local.velero[\"bucket\"]\n  role   = \"roles/storage.objectUser\"\n  member = \"serviceAccount:${module.iam_assumable_sa_velero[0].gcp_service_account_email}\"\n  depends_on = [\n    module.velero_bucket\n  ]\n}\n\nresource \"google_storage_bucket_iam_member\" \"velero_gcs_iam_objectViewer_permissions\" {\n  count  = local.velero[\"enabled\"] ? 1 : 0\n  bucket = local.velero[\"bucket\"]\n  role   = \"roles/storage.objectViewer\"\n  member = \"serviceAccount:${module.iam_assumable_sa_velero[0].gcp_service_account_email}\"\n  depends_on = [\n    module.velero_bucket\n  ]\n}\n\nresource \"kubernetes_namespace\" \"velero\" {\n  count = local.velero[\"enabled\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name = local.velero[\"namespace\"]\n    }\n\n    name = local.velero[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"velero\" {\n  count                 = local.velero[\"enabled\"] ? 
1 : 0\n  repository            = local.velero[\"repository\"]\n  name                  = local.velero[\"name\"]\n  chart                 = local.velero[\"chart\"]\n  version               = local.velero[\"chart_version\"]\n  timeout               = local.velero[\"timeout\"]\n  force_update          = local.velero[\"force_update\"]\n  recreate_pods         = local.velero[\"recreate_pods\"]\n  wait                  = local.velero[\"wait\"]\n  atomic                = local.velero[\"atomic\"]\n  cleanup_on_fail       = local.velero[\"cleanup_on_fail\"]\n  dependency_update     = local.velero[\"dependency_update\"]\n  disable_crd_hooks     = local.velero[\"disable_crd_hooks\"]\n  disable_webhooks      = local.velero[\"disable_webhooks\"]\n  render_subchart_notes = local.velero[\"render_subchart_notes\"]\n  replace               = local.velero[\"replace\"]\n  reset_values          = local.velero[\"reset_values\"]\n  reuse_values          = local.velero[\"reuse_values\"]\n  skip_crds             = local.velero[\"skip_crds\"]\n  verify                = local.velero[\"verify\"]\n  values = compact([\n    local.values_velero,\n    local.velero[\"extra_values\"]\n  ])\n  namespace = kubernetes_namespace.velero.*.metadata.0.name[count.index]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"velero_default_deny\" {\n  count = local.velero[\"enabled\"] && local.velero[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.velero.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.velero.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"velero_allow_namespace\" {\n  count = local.velero[\"enabled\"] && local.velero[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.velero.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.velero.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.velero.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"velero_allow_monitoring\" {\n  count = local.velero[\"enabled\"] && local.velero[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.velero.*.metadata.0.name[count.index]}-allow-monitoring\"\n    namespace = kubernetes_namespace.velero.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      ports {\n        port     = \"8085\"\n        protocol = \"TCP\"\n      }\n\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"monitoring\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_manifest\" \"velero_snapshot_class\" {\n  count = (local.velero[\"enabled\"] && local.velero[\"create_snapshot_class\"]) ? 1 : 0\n  manifest = {\n    apiVersion = \"snapshot.storage.k8s.io/v1\"\n    kind       = \"VolumeSnapshotClass\"\n    metadata = {\n      name = \"default\"\n      labels = {\n        \"velero.io/csi-volumesnapshot-class\" = \"true\"\n      }\n    }\n    driver         = \"pd.csi.storage.gke.io\"\n    deletionPolicy = \"Delete\"\n  }\n}\n"
  },
  {
    "path": "modules/google/versions.tf",
    "content": "terraform {\n  required_version = \">= 1.3\"\n  required_providers {\n    google      = \">= 4.69\"\n    google-beta = \">= 4.69\"\n    helm        = \"~> 3.0\"\n    kubernetes  = \"~> 2.0, != 2.12\"\n    kubectl = {\n      source  = \"alekc/kubectl\"\n      version = \"~> 2.0\"\n    }\n    jinja = {\n      source  = \"NikolaLohinski/jinja\"\n      version = \"~> 2.0\"\n    }\n    flux = {\n      source  = \"fluxcd/flux\"\n      version = \"~> 1.0\"\n    }\n    github = {\n      source  = \"integrations/github\"\n      version = \"~> 6.0\"\n    }\n    tls = {\n      source  = \"hashicorp/tls\"\n      version = \"~> 4.0\"\n    }\n    http = {\n      source  = \"hashicorp/http\"\n      version = \">= 3\"\n    }\n  }\n}\n"
  },
  {
    "path": "modules/google/victoria-metrics-k8s-stack.tf",
    "content": "locals {\n  victoria-metrics-k8s-stack = merge(\n    local.helm_defaults,\n    {\n      name                             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"victoria-metrics-k8s-stack\")].name\n      chart                            = local.helm_dependencies[index(local.helm_dependencies.*.name, \"victoria-metrics-k8s-stack\")].name\n      repository                       = local.helm_dependencies[index(local.helm_dependencies.*.name, \"victoria-metrics-k8s-stack\")].repository\n      chart_version                    = local.helm_dependencies[index(local.helm_dependencies.*.name, \"victoria-metrics-k8s-stack\")].version\n      namespace                        = \"monitoring\"\n      enabled                          = false\n      allowed_cidrs                    = [\"0.0.0.0/0\"]\n      default_network_policy           = true\n      install_prometheus_operator_crds = true\n    },\n    var.victoria-metrics-k8s-stack\n  )\n\n  values_victoria-metrics-k8s-stack = <<VALUES\nkubeScheduler:\n  enabled: false\nkubeControllerManager:\n  enabled: false\nkubeEtcd:\n  enabled: false\nkubeProxy:\n  enabled: false\ngrafana:\n  adminPassword: ${join(\",\", random_string.grafana_password.*.result)}\nprometheus-node-exporter:\n  priorityClassName: ${local.priority-class-ds[\"create\"] ? 
kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : \"\"}\nvictoria-metrics-operator:\n  createCRD: false\n  operator:\n    disable_prometheus_converter: false\n    enable_converter_ownership: true\n    useCustomConfigReloader: true\nvmsingle:\n  spec:\n    extraArgs:\n      maxLabelsPerTimeseries: \"50\"\nvmagent:\n  spec:\n    externalLabels:\n      cluster: ${var.cluster-name}\n    serviceScrapeNamespaceSelector: {}\n    podScrapeNamespaceSelector: {}\n    podScrapeSelector: {}\n    serviceScrapeSelector: {}\n    nodeScrapeSelector: {}\n    nodeScrapeNamespaceSelector: {}\n    staticScrapeSelector: {}\n    staticScrapeNamespaceSelector: {}\nVALUES\n\n}\n\nresource \"kubernetes_namespace\" \"victoria-metrics-k8s-stack\" {\n  count = local.victoria-metrics-k8s-stack[\"enabled\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.victoria-metrics-k8s-stack[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"monitoring\"\n    }\n\n    name = local.victoria-metrics-k8s-stack[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"victoria-metrics-k8s-stack\" {\n  count                 = local.victoria-metrics-k8s-stack[\"enabled\"] ? 
1 : 0\n  repository            = local.victoria-metrics-k8s-stack[\"repository\"]\n  name                  = local.victoria-metrics-k8s-stack[\"name\"]\n  chart                 = local.victoria-metrics-k8s-stack[\"chart\"]\n  version               = local.victoria-metrics-k8s-stack[\"chart_version\"]\n  timeout               = local.victoria-metrics-k8s-stack[\"timeout\"]\n  force_update          = local.victoria-metrics-k8s-stack[\"force_update\"]\n  recreate_pods         = local.victoria-metrics-k8s-stack[\"recreate_pods\"]\n  wait                  = local.victoria-metrics-k8s-stack[\"wait\"]\n  atomic                = local.victoria-metrics-k8s-stack[\"atomic\"]\n  cleanup_on_fail       = local.victoria-metrics-k8s-stack[\"cleanup_on_fail\"]\n  dependency_update     = local.victoria-metrics-k8s-stack[\"dependency_update\"]\n  disable_crd_hooks     = local.victoria-metrics-k8s-stack[\"disable_crd_hooks\"]\n  disable_webhooks      = local.victoria-metrics-k8s-stack[\"disable_webhooks\"]\n  render_subchart_notes = local.victoria-metrics-k8s-stack[\"render_subchart_notes\"]\n  replace               = local.victoria-metrics-k8s-stack[\"replace\"]\n  reset_values          = local.victoria-metrics-k8s-stack[\"reset_values\"]\n  reuse_values          = local.victoria-metrics-k8s-stack[\"reuse_values\"]\n  skip_crds             = local.victoria-metrics-k8s-stack[\"skip_crds\"]\n  verify                = local.victoria-metrics-k8s-stack[\"verify\"]\n  values = compact([\n    local.values_victoria-metrics-k8s-stack,\n    local.cert-manager[\"enabled\"] ? local.values_dashboard_cert-manager : null,\n    local.ingress-nginx[\"enabled\"] ? 
local.values_dashboard_ingress-nginx : null,\n    local.values_dashboard_node_exporter,\n    local.victoria-metrics-k8s-stack[\"extra_values\"]\n  ])\n  namespace = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]\n\n  depends_on = [\n    helm_release.ingress-nginx,\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"victoria-metrics-k8s-stack_default_deny\" {\n  count = local.victoria-metrics-k8s-stack[\"enabled\"] && local.victoria-metrics-k8s-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"victoria-metrics-k8s-stack_allow_namespace\" {\n  count = local.victoria-metrics-k8s-stack[\"enabled\"] && local.victoria-metrics-k8s-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"victoria-metrics-k8s-stack_allow_ingress\" {\n  count = local.victoria-metrics-k8s-stack[\"enabled\"] && local.victoria-metrics-k8s-stack[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]}-allow-ingress\"\n    namespace = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"ingress\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"victoria-metrics-k8s-stack_allow_control_plane\" {\n  count = local.victoria-metrics-k8s-stack[\"enabled\"] && local.victoria-metrics-k8s-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]}-allow-control-plane\"\n    namespace = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n      match_expressions {\n        key      = \"app\"\n        operator = \"In\"\n        values   = [\"${local.victoria-metrics-k8s-stack[\"name\"]}-operator\"]\n      }\n    }\n\n    ingress {\n      ports {\n        port     = \"10250\"\n        protocol = \"TCP\"\n      }\n\n      dynamic \"from\" {\n        for_each = local.victoria-metrics-k8s-stack[\"allowed_cidrs\"]\n        content {\n          ip_block {\n            cidr = from.value\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "modules/scaleway/.terraform-docs.yml",
    "content": "settings:\n  lockfile: false\n"
  },
  {
    "path": "modules/scaleway/README.md",
    "content": "# terraform-kubernetes-addons:scaleway\n\n[![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/terraform-kubernetes-addons)\n[![terraform-kubernetes-addons](https://github.com/particuleio/terraform-kubernetes-addons/workflows/terraform-kubernetes-addons/badge.svg)](https://github.com/particuleio/terraform-kubernetes-addons/actions?query=workflow%3Aterraform-kubernetes-addons)\n\n## About\n\nProvides various addons that are often used on Kubernetes Kapsule with\nScaleway.\n\n## Documentation\n\nUser guides, feature documentation and examples are available [here](https://github.com/particuleio/tkap/)\n\n## Terraform docs\n\n<!-- BEGIN_TF_DOCS -->\n## Requirements\n\n| Name | Version |\n| ---- | ------- |\n| <a name=\"requirement_terraform\"></a> [terraform](#requirement\\_terraform) | >= 1.5.7 |\n| <a name=\"requirement_flux\"></a> [flux](#requirement\\_flux) | ~> 1.0 |\n| <a name=\"requirement_github\"></a> [github](#requirement\\_github) | ~> 6.0 |\n| <a name=\"requirement_helm\"></a> [helm](#requirement\\_helm) | ~> 3.0 |\n| <a name=\"requirement_http\"></a> [http](#requirement\\_http) | >= 3 |\n| <a name=\"requirement_kubectl\"></a> [kubectl](#requirement\\_kubectl) | ~> 2.0 |\n| <a name=\"requirement_kubernetes\"></a> [kubernetes](#requirement\\_kubernetes) | ~> 2.0, != 2.12 |\n| <a name=\"requirement_scaleway\"></a> [scaleway](#requirement\\_scaleway) | >= 2.2.0 |\n| <a name=\"requirement_tls\"></a> [tls](#requirement\\_tls) | ~> 4.0 |\n\n## Providers\n\n| Name | Version |\n| ---- | ------- |\n| <a name=\"provider_flux\"></a> [flux](#provider\\_flux) | ~> 1.0 |\n| <a name=\"provider_github\"></a> [github](#provider\\_github) | ~> 6.0 |\n| <a name=\"provider_helm\"></a> [helm](#provider\\_helm) | ~> 3.0 |\n| <a name=\"provider_http\"></a> [http](#provider\\_http) | >= 3 |\n| <a name=\"provider_kubectl\"></a> [kubectl](#provider\\_kubectl) | ~> 2.0 |\n| 
<a name=\"provider_kubernetes\"></a> [kubernetes](#provider\\_kubernetes) | ~> 2.0, != 2.12 |\n| <a name=\"provider_random\"></a> [random](#provider\\_random) | n/a |\n| <a name=\"provider_scaleway\"></a> [scaleway](#provider\\_scaleway) | >= 2.2.0 |\n| <a name=\"provider_time\"></a> [time](#provider\\_time) | n/a |\n| <a name=\"provider_tls\"></a> [tls](#provider\\_tls) | ~> 4.0 |\n\n## Modules\n\nNo modules.\n\n## Resources\n\n| Name | Type |\n| ---- | ---- |\n| [flux_bootstrap_git.flux](https://registry.terraform.io/providers/fluxcd/flux/latest/docs/resources/bootstrap_git) | resource |\n| [github_branch_default.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_default) | resource |\n| [github_repository.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository) | resource |\n| [github_repository_deploy_key.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_deploy_key) | resource |\n| [helm_release.admiralty](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.cert-manager](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.cert-manager-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.external-dns](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.grafana-mcp](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.ingress-nginx](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.k8gb](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| 
[helm_release.karma](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.keda](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.kong](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.linkerd-control-plane](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.linkerd-crds](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.linkerd-viz](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.loki-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.prometheus-blackbox-exporter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.promtail](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.reloader](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.scaleway-webhook-dns](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.sealed-secrets](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| 
[helm_release.thanos](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.thanos-memcached](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.thanos-storegateway](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.thanos-tls-querier](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.traefik](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.velero](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.victoria-metrics-k8s-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [kubectl_manifest.cert-manager_cluster_issuers](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.csi-external-snapshotter](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.kong_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.linkerd](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.linkerd-viz](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubectl_manifest.prometheus-operator_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |\n| [kubernetes_config_map.loki-stack_grafana_ds](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |\n| 
[kubernetes_namespace.admiralty](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.cert-manager](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.external-dns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.flux2](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.grafana-mcp](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.ingress-nginx](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.k8gb](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.karma](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.keda](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.kong](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.linkerd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.linkerd-viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | 
resource |\n| [kubernetes_namespace.loki-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.prometheus-blackbox-exporter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.promtail](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.reloader](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.sealed-secrets](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.thanos](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.traefik](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.velero](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_namespace.victoria-metrics-k8s-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |\n| [kubernetes_network_policy.admiralty_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.admiralty_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.cert-manager_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.cert-manager_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.cert-manager_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.cert-manager_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.external-dns_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.external-dns_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.external-dns_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.flux2_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.flux2_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.grafana-mcp_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.grafana-mcp_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.ingress-nginx_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.ingress-nginx_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.ingress-nginx_allow_linkerd_viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.ingress-nginx_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.ingress-nginx_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.ingress-nginx_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.k8gb_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.k8gb_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.karma_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.karma_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.karma_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.keda_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.keda_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource 
|\n| [kubernetes_network_policy.kong_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kong_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kong_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kong_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kube-prometheus-stack_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kube-prometheus-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kube-prometheus-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.kube-prometheus-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.linkerd-viz_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.linkerd-viz_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.linkerd-viz_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.linkerd-viz_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.linkerd2-cni_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.linkerd2-cni_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.loki-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.loki-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.loki-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.prometheus-adapter_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.prometheus-adapter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.prometheus-blackbox-exporter_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.prometheus-blackbox-exporter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.promtail_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| 
[kubernetes_network_policy.promtail_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.promtail_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.reloader_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.reloader_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.sealed-secrets_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.sealed-secrets_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.traefik_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.traefik_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.traefik_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.traefik_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.velero_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.velero_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | 
resource |\n| [kubernetes_network_policy.velero_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_network_policy.victoria-metrics-k8s-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |\n| [kubernetes_priority_class.kubernetes_addons](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/priority_class) | resource |\n| [kubernetes_priority_class.kubernetes_addons_ds](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/priority_class) | resource |\n| [kubernetes_secret.cert-manager_scaleway_credentials](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |\n| [kubernetes_secret.external-dns_scaleway_credentials](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |\n| [kubernetes_secret.kube-prometheus-stack_thanos](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |\n| [kubernetes_secret.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |\n| [kubernetes_secret.loki-stack-ca](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | 
resource |\n| [kubernetes_secret.promtail-tls](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |\n| [kubernetes_secret.thanos-ca](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |\n| [kubernetes_secret.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |\n| [random_string.grafana_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |\n| [scaleway_object_bucket.kube-prometheus-stack_thanos_bucket](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/object_bucket) | resource |\n| [scaleway_object_bucket.loki_bucket](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/object_bucket) | resource |\n| [scaleway_object_bucket.thanos_bucket](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/object_bucket) | resource |\n| [scaleway_object_bucket.velero_bucket](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/object_bucket) | resource |\n| [scaleway_object_bucket_acl.kube-prometheus-stack_bucket_acl](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/object_bucket_acl) | resource |\n| [scaleway_object_bucket_acl.loki_bucket_acl](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/object_bucket_acl) | resource |\n| [scaleway_object_bucket_acl.thanos_bucket_acl](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/object_bucket_acl) | resource |\n| [scaleway_object_bucket_acl.velero_bucket_acl](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/object_bucket_acl) | resource |\n| [time_sleep.cert-manager_sleep](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |\n| 
[tls_cert_request.promtail-csr](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource |\n| [tls_cert_request.thanos-tls-querier-cert-csr](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource |\n| [tls_locally_signed_cert.promtail-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/locally_signed_cert) | resource |\n| [tls_locally_signed_cert.thanos-tls-querier-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/locally_signed_cert) | resource |\n| [tls_private_key.identity](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_private_key.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_private_key.loki-stack-ca-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_private_key.promtail-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_private_key.thanos-tls-querier-ca-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_private_key.thanos-tls-querier-cert-key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_private_key.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [tls_self_signed_cert.linkerd_trust_anchor](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |\n| [tls_self_signed_cert.loki-stack-ca-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |\n| 
[tls_self_signed_cert.thanos-tls-querier-ca-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |\n| [tls_self_signed_cert.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |\n| [github_repository.main](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/repository) | data source |\n| [http_http.csi-external-snapshotter](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |\n| [http_http.kong_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |\n| [http_http.prometheus-operator_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |\n| [http_http.prometheus-operator_version](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |\n| [kubectl_file_documents.csi-external-snapshotter](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |\n| [kubectl_file_documents.kong_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/file_documents) | data source |\n| [kubectl_path_documents.cert-manager_cluster_issuers](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/data-sources/path_documents) | data source |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n| ---- | ----------- | ---- | ------- | :------: |\n| <a name=\"input_admiralty\"></a> [admiralty](#input\\_admiralty) | Customize admiralty chart, see `admiralty.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_cert-manager\"></a> [cert-manager](#input\\_cert-manager) | Customize cert-manager chart, see `cert-manager.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_cert-manager-csi-driver\"></a> 
[cert-manager-csi-driver](#input\\_cert-manager-csi-driver) | Customize cert-manager-csi-driver chart, see `cert-manager.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_cert-manager_scaleway_webhook_dns\"></a> [cert-manager\\_scaleway\\_webhook\\_dns](#input\\_cert-manager\\_scaleway\\_webhook\\_dns) | Scaleway webhook dns customization | `any` | `{}` | no |\n| <a name=\"input_cluster-autoscaler\"></a> [cluster-autoscaler](#input\\_cluster-autoscaler) | Customize cluster-autoscaler chart, see `cluster-autoscaler.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_cluster-name\"></a> [cluster-name](#input\\_cluster-name) | Name of the Kubernetes cluster | `string` | `\"sample-cluster\"` | no |\n| <a name=\"input_csi-external-snapshotter\"></a> [csi-external-snapshotter](#input\\_csi-external-snapshotter) | Customize csi-external-snapshotter, see `csi-external-snapshotter.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_external-dns\"></a> [external-dns](#input\\_external-dns) | Map of map for external-dns configuration: see `external_dns.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_flux2\"></a> [flux2](#input\\_flux2) | Customize Flux chart, see `flux2.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_grafana-mcp\"></a> [grafana-mcp](#input\\_grafana-mcp) | Customize grafana-mcp chart, see `grafana-mcp.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_helm_defaults\"></a> [helm\\_defaults](#input\\_helm\\_defaults) | Customize default Helm behavior | `any` | `{}` | no |\n| <a name=\"input_ingress-nginx\"></a> [ingress-nginx](#input\\_ingress-nginx) | Customize ingress-nginx chart, see `nginx-ingress.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_ip-masq-agent\"></a> [ip-masq-agent](#input\\_ip-masq-agent) | Configure ip masq agent chart, see `ip-masq-agent.tf` for supported values. This addon works only on GCP. 
| `any` | `{}` | no |\n| <a name=\"input_k8gb\"></a> [k8gb](#input\\_k8gb) | Customize k8gb chart, see `k8gb.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_kapsule\"></a> [kapsule](#input\\_kapsule) | Kapsule cluster inputs | `any` | `{}` | no |\n| <a name=\"input_karma\"></a> [karma](#input\\_karma) | Customize karma chart, see `karma.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_keda\"></a> [keda](#input\\_keda) | Customize keda chart, see `keda.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_kong\"></a> [kong](#input\\_kong) | Customize kong-ingress chart, see `kong.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_kube-prometheus-stack\"></a> [kube-prometheus-stack](#input\\_kube-prometheus-stack) | Customize kube-prometheus-stack chart, see `kube-prometheus-stack.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_labels_prefix\"></a> [labels\\_prefix](#input\\_labels\\_prefix) | Custom label prefix used for network policy namespace matching | `string` | `\"particule.io\"` | no |\n| <a name=\"input_linkerd\"></a> [linkerd](#input\\_linkerd) | Customize linkerd chart, see `linkerd.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_linkerd-viz\"></a> [linkerd-viz](#input\\_linkerd-viz) | Customize linkerd-viz chart, see `linkerd-viz.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_linkerd2\"></a> [linkerd2](#input\\_linkerd2) | Customize linkerd2 chart, see `linkerd2.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_linkerd2-cni\"></a> [linkerd2-cni](#input\\_linkerd2-cni) | Customize linkerd2-cni chart, see `linkerd2-cni.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_loki-stack\"></a> [loki-stack](#input\\_loki-stack) | Customize loki-stack chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_metrics-server\"></a> [metrics-server](#input\\_metrics-server) | Customize 
metrics-server chart, see `metrics_server.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_npd\"></a> [npd](#input\\_npd) | Customize node-problem-detector chart, see `npd.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_priority-class\"></a> [priority-class](#input\\_priority-class) | Customize a priority class for addons | `any` | `{}` | no |\n| <a name=\"input_priority-class-ds\"></a> [priority-class-ds](#input\\_priority-class-ds) | Customize a priority class for addons daemonsets | `any` | `{}` | no |\n| <a name=\"input_prometheus-adapter\"></a> [prometheus-adapter](#input\\_prometheus-adapter) | Customize prometheus-adapter chart, see `prometheus-adapter.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_prometheus-blackbox-exporter\"></a> [prometheus-blackbox-exporter](#input\\_prometheus-blackbox-exporter) | Customize prometheus-blackbox-exporter chart, see `prometheus-blackbox-exporter.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_promtail\"></a> [promtail](#input\\_promtail) | Customize promtail chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_reloader\"></a> [reloader](#input\\_reloader) | Customize reloader chart, see `reloader.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_scaleway\"></a> [scaleway](#input\\_scaleway) | Scaleway provider customization | `any` | `{}` | no |\n| <a name=\"input_sealed-secrets\"></a> [sealed-secrets](#input\\_sealed-secrets) | Customize sealed-secrets chart, see `sealed-secrets.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_secrets-store-csi-driver\"></a> [secrets-store-csi-driver](#input\\_secrets-store-csi-driver) | Customize secrets-store-csi-driver chart, see `secrets-store-csi-driver.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_tags\"></a> [tags](#input\\_tags) | Map of tags for Scaleway resources | `map(any)` | `{}` | no |\n| <a 
name=\"input_thanos\"></a> [thanos](#input\\_thanos) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_thanos-memcached\"></a> [thanos-memcached](#input\\_thanos-memcached) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_thanos-receive\"></a> [thanos-receive](#input\\_thanos-receive) | Customize thanos chart, see `thanos-receive.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_thanos-storegateway\"></a> [thanos-storegateway](#input\\_thanos-storegateway) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_thanos-tls-querier\"></a> [thanos-tls-querier](#input\\_thanos-tls-querier) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_thanos-tls-querier-ca-cert\"></a> [thanos-tls-querier-ca-cert](#input\\_thanos-tls-querier-ca-cert) | TLS CA certificate, used to generate the client mTLS materials | `string` | `\"\"` | no |\n| <a name=\"input_thanos-tls-querier-ca-private-key\"></a> [thanos-tls-querier-ca-private-key](#input\\_thanos-tls-querier-ca-private-key) | TLS CA private key, used to generate the client mTLS materials | `string` | `\"\"` | no |\n| <a name=\"input_tigera-operator\"></a> [tigera-operator](#input\\_tigera-operator) | Customize tigera-operator chart, see `tigera-operator.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_traefik\"></a> [traefik](#input\\_traefik) | Customize traefik chart, see `traefik.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_velero\"></a> [velero](#input\\_velero) | Customize velero chart, see `velero.tf` for supported values | `any` | `{}` | no |\n| <a name=\"input_victoria-metrics-k8s-stack\"></a> [victoria-metrics-k8s-stack](#input\\_victoria-metrics-k8s-stack) | Customize Victoria Metrics chart, see `victoria-metrics-k8s-stack.tf` for supported values | `any` | 
`{}` | no |\n\n## Outputs\n\n| Name | Description |\n| ---- | ----------- |\n| <a name=\"output_grafana_password\"></a> [grafana\\_password](#output\\_grafana\\_password) | n/a |\n| <a name=\"output_loki-stack-ca\"></a> [loki-stack-ca](#output\\_loki-stack-ca) | n/a |\n| <a name=\"output_promtail-cert\"></a> [promtail-cert](#output\\_promtail-cert) | n/a |\n| <a name=\"output_promtail-key\"></a> [promtail-key](#output\\_promtail-key) | n/a |\n| <a name=\"output_thanos_ca\"></a> [thanos\\_ca](#output\\_thanos\\_ca) | n/a |\n<!-- END_TF_DOCS -->\n"
  },
  {
    "path": "modules/scaleway/cert-manager.tf",
    "content": "locals {\n\n  cert-manager = merge(\n    local.helm_defaults,\n    {\n      name                                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"cert-manager\")].name\n      chart                                 = local.helm_dependencies[index(local.helm_dependencies.*.name, \"cert-manager\")].name\n      repository                            = local.helm_dependencies[index(local.helm_dependencies.*.name, \"cert-manager\")].repository\n      chart_version                         = local.helm_dependencies[index(local.helm_dependencies.*.name, \"cert-manager\")].version\n      namespace                             = \"cert-manager\"\n      service_account_name                  = \"cert-manager\"\n      enabled                               = false\n      default_network_policy                = true\n      acme_email                            = \"contact@acme.com\"\n      acme_http01_enabled                   = false\n      acme_http01_ingress_class             = \"nginx\"\n      acme_dns01_enabled                    = false\n      acme_dns01_provider                   = \"\"\n      acme_dns01_hosted_zone_id             = \"\"\n      acme_dns01_aws_secret                 = \"\"\n      acme_dns01_aws_access_key_id          = \"\"\n      acme_dns01_aws_access_key_secret      = \"\"\n      acme_dns01_region                     = \"\"\n      acme_dns01_google_project             = \"\"\n      acme_dns01_google_secret              = \"\"\n      acme_dns01_google_service_account_key = \"\"\n      allowed_cidrs                         = [\"0.0.0.0/0\"]\n      csi_driver                            = false\n    },\n    var.cert-manager\n  )\n\n  cert-manager_scaleway_webhook_dns = merge(\n    local.helm_defaults,\n    {\n      name          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"scaleway-webhook\")].name\n      chart         = local.helm_dependencies[index(local.helm_dependencies.*.name, 
\"scaleway-webhook\")].name\n      repository    = local.helm_dependencies[index(local.helm_dependencies.*.name, \"scaleway-webhook\")].repository\n      chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, \"scaleway-webhook\")].version\n      enabled       = local.cert-manager[\"acme_dns01_enabled\"] && local.cert-manager[\"enabled\"]\n      secret_name   = \"scaleway-credentials\"\n    },\n    var.cert-manager_scaleway_webhook_dns\n  )\n\n  values_cert-manager = <<VALUES\nglobal:\n  priorityClassName: ${local.priority-class[\"create\"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : \"\"}\nserviceAccount:\n  name: ${local.cert-manager[\"service_account_name\"]}\nprometheus:\n  servicemonitor:\n    enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\nsecurityContext:\n  fsGroup: 1001\ncrds:\n  enabled: true\nVALUES\n\n}\n\nresource \"kubernetes_namespace\" \"cert-manager\" {\n  count = local.cert-manager[\"enabled\"] ? 1 : 0\n\n  metadata {\n    annotations = {\n      \"certmanager.k8s.io/disable-validation\" = \"true\"\n    }\n\n    labels = {\n      name = local.cert-manager[\"namespace\"]\n    }\n\n    name = local.cert-manager[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"cert-manager\" {\n  count                 = local.cert-manager[\"enabled\"] ? 
1 : 0\n  repository            = local.cert-manager[\"repository\"]\n  name                  = local.cert-manager[\"name\"]\n  chart                 = local.cert-manager[\"chart\"]\n  version               = local.cert-manager[\"chart_version\"]\n  timeout               = local.cert-manager[\"timeout\"]\n  force_update          = local.cert-manager[\"force_update\"]\n  recreate_pods         = local.cert-manager[\"recreate_pods\"]\n  wait                  = local.cert-manager[\"wait\"]\n  atomic                = local.cert-manager[\"atomic\"]\n  cleanup_on_fail       = local.cert-manager[\"cleanup_on_fail\"]\n  dependency_update     = local.cert-manager[\"dependency_update\"]\n  disable_crd_hooks     = local.cert-manager[\"disable_crd_hooks\"]\n  disable_webhooks      = local.cert-manager[\"disable_webhooks\"]\n  render_subchart_notes = local.cert-manager[\"render_subchart_notes\"]\n  replace               = local.cert-manager[\"replace\"]\n  reset_values          = local.cert-manager[\"reset_values\"]\n  reuse_values          = local.cert-manager[\"reuse_values\"]\n  skip_crds             = local.cert-manager[\"skip_crds\"]\n  verify                = local.cert-manager[\"verify\"]\n  values = [\n    local.values_cert-manager,\n    local.cert-manager[\"extra_values\"]\n  ]\n  namespace = kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nresource \"helm_release\" \"scaleway-webhook-dns\" {\n  count                 = local.cert-manager_scaleway_webhook_dns[\"enabled\"] ? 
1 : 0\n  repository            = local.cert-manager_scaleway_webhook_dns[\"repository\"]\n  name                  = local.cert-manager_scaleway_webhook_dns[\"name\"]\n  chart                 = local.cert-manager_scaleway_webhook_dns[\"chart\"]\n  version               = local.cert-manager_scaleway_webhook_dns[\"chart_version\"]\n  timeout               = local.cert-manager_scaleway_webhook_dns[\"timeout\"]\n  force_update          = local.cert-manager_scaleway_webhook_dns[\"force_update\"]\n  recreate_pods         = local.cert-manager_scaleway_webhook_dns[\"recreate_pods\"]\n  wait                  = local.cert-manager_scaleway_webhook_dns[\"wait\"]\n  atomic                = local.cert-manager_scaleway_webhook_dns[\"atomic\"]\n  cleanup_on_fail       = local.cert-manager_scaleway_webhook_dns[\"cleanup_on_fail\"]\n  dependency_update     = local.cert-manager_scaleway_webhook_dns[\"dependency_update\"]\n  disable_crd_hooks     = local.cert-manager_scaleway_webhook_dns[\"disable_crd_hooks\"]\n  disable_webhooks      = local.cert-manager_scaleway_webhook_dns[\"disable_webhooks\"]\n  render_subchart_notes = local.cert-manager_scaleway_webhook_dns[\"render_subchart_notes\"]\n  replace               = local.cert-manager_scaleway_webhook_dns[\"replace\"]\n  reset_values          = local.cert-manager_scaleway_webhook_dns[\"reset_values\"]\n  reuse_values          = local.cert-manager_scaleway_webhook_dns[\"reuse_values\"]\n  skip_crds             = local.cert-manager_scaleway_webhook_dns[\"skip_crds\"]\n  verify                = local.cert-manager_scaleway_webhook_dns[\"verify\"]\n  values                = []\n  namespace             = kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds,\n    helm_release.cert-manager,\n    time_sleep.cert-manager_sleep\n  ]\n}\n\nresource \"kubernetes_secret\" \"cert-manager_scaleway_credentials\" {\n  count = 
local.cert-manager_scaleway_webhook_dns[\"enabled\"] ? 1 : 0\n  metadata {\n    name      = local.cert-manager_scaleway_webhook_dns[\"secret_name\"]\n    namespace = local.cert-manager[\"namespace\"]\n  }\n  data = {\n    SCW_ACCESS_KEY              = local.scaleway[\"scw_access_key\"]\n    SCW_SECRET_KEY              = local.scaleway[\"scw_secret_key\"]\n    SCW_DEFAULT_ORGANIZATION_ID = local.scaleway[\"scw_default_organization_id\"]\n  }\n}\n\ndata \"kubectl_path_documents\" \"cert-manager_cluster_issuers\" {\n  pattern = \"${path.module}/templates/cert-manager-cluster-issuers.yaml.tpl\"\n  vars = {\n    acme_email                            = local.cert-manager[\"acme_email\"]\n    acme_http01_enabled                   = local.cert-manager[\"acme_http01_enabled\"]\n    acme_http01_ingress_class             = local.cert-manager[\"acme_http01_ingress_class\"]\n    acme_dns01_enabled                    = local.cert-manager[\"acme_dns01_enabled\"]\n    acme_dns01_provider                   = local.cert-manager[\"acme_dns01_provider\"]\n    acme_dns01_hosted_zone_id             = local.cert-manager[\"acme_dns01_hosted_zone_id\"]\n    acme_dns01_aws_secret                 = local.cert-manager[\"acme_dns01_aws_secret\"]\n    acme_dns01_aws_access_key_id          = local.cert-manager[\"acme_dns01_aws_access_key_id\"]\n    acme_dns01_aws_access_key_secret      = local.cert-manager[\"acme_dns01_aws_access_key_secret\"]\n    acme_dns01_region                     = local.cert-manager[\"acme_dns01_region\"]\n    acme_dns01_google_project             = local.cert-manager[\"acme_dns01_google_project\"]\n    acme_dns01_google_secret              = local.cert-manager[\"acme_dns01_google_secret\"]\n    acme_dns01_google_service_account_key = local.cert-manager[\"acme_dns01_google_service_account_key\"]\n    secret_name                           = local.cert-manager_scaleway_webhook_dns[\"secret_name\"]\n  }\n}\n\nresource \"time_sleep\" \"cert-manager_sleep\" {\n  count          
 = local.cert-manager[\"enabled\"] && (local.cert-manager[\"acme_http01_enabled\"] || local.cert-manager[\"acme_dns01_enabled\"]) ? 1 : 0\n  depends_on      = [helm_release.cert-manager]\n  create_duration = \"120s\"\n}\n\nresource \"kubectl_manifest\" \"cert-manager_cluster_issuers\" {\n  count     = local.cert-manager[\"enabled\"] && (local.cert-manager[\"acme_http01_enabled\"] || local.cert-manager[\"acme_dns01_enabled\"]) ? length(data.kubectl_path_documents.cert-manager_cluster_issuers.documents) : 0\n  yaml_body = element(data.kubectl_path_documents.cert-manager_cluster_issuers.documents, count.index)\n  depends_on = [\n    helm_release.cert-manager,\n    kubernetes_namespace.cert-manager,\n    time_sleep.cert-manager_sleep\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"cert-manager_default_deny\" {\n  count = local.cert-manager[\"enabled\"] && local.cert-manager[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"cert-manager_allow_namespace\" {\n  count = local.cert-manager[\"enabled\"] && local.cert-manager[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"cert-manager_allow_monitoring\" {\n  count = local.cert-manager[\"enabled\"] && local.cert-manager[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]}-allow-monitoring\"\n    namespace = kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      ports {\n        port     = \"9402\"\n        protocol = \"TCP\"\n      }\n\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"monitoring\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"cert-manager_allow_control_plane\" {\n  count = local.cert-manager[\"enabled\"] && local.cert-manager[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]}-allow-control-plane\"\n    namespace = kubernetes_namespace.cert-manager.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n      match_expressions {\n        key      = \"app.kubernetes.io/name\"\n        operator = \"In\"\n        values   = [\"webhook\"]\n      }\n    }\n\n    ingress {\n      ports {\n        port     = \"10250\"\n        protocol = \"TCP\"\n      }\n\n      dynamic \"from\" {\n        for_each = local.cert-manager[\"allowed_cidrs\"]\n        content {\n          ip_block {\n            cidr = from.value\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "modules/scaleway/examples/README.md",
    "content": "## Examples\n\nExamples are located in [tkap](https://github.com/particuleio/tkap) repository.\n"
  },
  {
    "path": "modules/scaleway/external-dns.tf",
    "content": "locals {\n\n  external-dns = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"external-dns\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"external-dns\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"external-dns\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"external-dns\")].version\n      namespace              = \"external-dns\"\n      service_account_name   = \"external-dns\"\n      enabled                = false\n      default_network_policy = true\n      secret_name            = \"scaleway-credentials\"\n    },\n    var.external-dns\n  )\n\n  values_external-dns = <<-VALUES\n    provider: scaleway\n    txtPrefix: \"ext-dns-\"\n    txtOwnerId: ${var.cluster-name}\n    logFormat: json\n    policy: sync\n    serviceMonitor:\n      enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\n    priorityClassName: ${local.priority-class[\"create\"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : \"\"}\n    env:\n    - name: SCW_ACCESS_KEY\n      valueFrom:\n        secretKeyRef:\n          name: ${local.external-dns[\"secret_name\"]}\n          key: SCW_ACCESS_KEY\n    - name: SCW_SECRET_KEY\n      valueFrom:\n        secretKeyRef:\n          name: ${local.external-dns[\"secret_name\"]}\n          key: SCW_SECRET_KEY\n    - name: SCW_DEFAULT_ORGANIZATION_ID\n      valueFrom:\n        secretKeyRef:\n          name: ${local.external-dns[\"secret_name\"]}\n          key: SCW_DEFAULT_ORGANIZATION_ID\n    VALUES\n}\n\nresource \"kubernetes_namespace\" \"external-dns\" {\n  count = local.external-dns[\"enabled\"] ? 
1 : 0\n\n  metadata {\n    labels = {\n      name = local.external-dns[\"namespace\"]\n    }\n\n    name = local.external-dns[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"external-dns\" {\n  count                 = local.external-dns[\"enabled\"] ? 1 : 0\n  repository            = local.external-dns[\"repository\"]\n  name                  = local.external-dns[\"name\"]\n  chart                 = local.external-dns[\"chart\"]\n  version               = local.external-dns[\"chart_version\"]\n  timeout               = local.external-dns[\"timeout\"]\n  force_update          = local.external-dns[\"force_update\"]\n  recreate_pods         = local.external-dns[\"recreate_pods\"]\n  wait                  = local.external-dns[\"wait\"]\n  atomic                = local.external-dns[\"atomic\"]\n  cleanup_on_fail       = local.external-dns[\"cleanup_on_fail\"]\n  dependency_update     = local.external-dns[\"dependency_update\"]\n  disable_crd_hooks     = local.external-dns[\"disable_crd_hooks\"]\n  disable_webhooks      = local.external-dns[\"disable_webhooks\"]\n  render_subchart_notes = local.external-dns[\"render_subchart_notes\"]\n  replace               = local.external-dns[\"replace\"]\n  reset_values          = local.external-dns[\"reset_values\"]\n  reuse_values          = local.external-dns[\"reuse_values\"]\n  skip_crds             = local.external-dns[\"skip_crds\"]\n  verify                = local.external-dns[\"verify\"]\n  values = [\n    local.values_external-dns,\n    local.external-dns[\"extra_values\"]\n  ]\n  namespace = kubernetes_namespace.external-dns.*.metadata.0.name[count.index]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nresource \"kubernetes_secret\" \"external-dns_scaleway_credentials\" {\n  count = local.external-dns[\"enabled\"] ? 
1 : 0\n  metadata {\n    name      = local.external-dns[\"secret_name\"]\n    namespace = local.external-dns[\"namespace\"]\n  }\n  data = {\n    SCW_ACCESS_KEY              = local.scaleway[\"scw_access_key\"]\n    SCW_SECRET_KEY              = local.scaleway[\"scw_secret_key\"]\n    SCW_DEFAULT_ORGANIZATION_ID = local.scaleway[\"scw_default_organization_id\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"external-dns_default_deny\" {\n  count = local.external-dns[\"enabled\"] && local.external-dns[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.external-dns.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.external-dns.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"external-dns_allow_namespace\" {\n  count = local.external-dns[\"enabled\"] && local.external-dns[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.external-dns.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.external-dns.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.external-dns.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"external-dns_allow_monitoring\" {\n  count = local.external-dns[\"enabled\"] && local.external-dns[\"default_network_policy\"] && local.kube-prometheus-stack[\"enabled\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.external-dns.*.metadata.0.name[count.index]}-allow-monitoring\"\n    namespace = kubernetes_namespace.external-dns.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      ports {\n        port     = \"http\"\n        protocol = \"TCP\"\n      }\n\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "modules/scaleway/ingress-nginx.tf",
    "content": "locals {\n\n  ingress-nginx = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"ingress-nginx\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"ingress-nginx\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"ingress-nginx\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"ingress-nginx\")].version\n      namespace              = \"ingress-nginx\"\n      enabled                = false\n      default_network_policy = true\n      linkerd-viz-enabled    = false\n      linkerd-viz-namespace  = \"linkerd-viz\"\n      ingress_cidrs          = [\"0.0.0.0/0\"]\n      allowed_cidrs          = [\"0.0.0.0/0\"]\n      extra_ns_labels        = {}\n      extra_ns_annotations   = {}\n    },\n    var.ingress-nginx\n  )\n\n  values_ingress-nginx_l4 = <<VALUES\ncontroller:\n  allowSnippetAnnotations: true\n  metrics:\n    enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\n    serviceMonitor:\n      enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\n  updateStrategy:\n    type: RollingUpdate\n  kind: \"DaemonSet\"\n  service:\n    annotations:\n      service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: 'true'\n      service.beta.kubernetes.io/scw-loadbalancer-use-hostname: 'true'\n  publishService:\n    enabled: true\n  config:\n    use-proxy-protocol: \"true\"\n  priorityClassName: ${local.priority-class-ds[\"create\"] ? 
kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : \"\"}\n  admissionWebhooks:\n    patch:\n      podAnnotations:\n        linkerd.io/inject: disabled\ndefaultBackend:\n  replicaCount: 2\nVALUES\n\n}\n\nresource \"kubernetes_namespace\" \"ingress-nginx\" {\n  count = local.ingress-nginx[\"enabled\"] ? 1 : 0\n\n  metadata {\n    labels = merge({\n      name                               = local.ingress-nginx[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"ingress\"\n      },\n    local.ingress-nginx[\"extra_ns_labels\"])\n\n    annotations = merge(\n      local.ingress-nginx[\"extra_ns_annotations\"]\n    )\n\n    name = local.ingress-nginx[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"ingress-nginx\" {\n  count                 = local.ingress-nginx[\"enabled\"] ? 1 : 0\n  repository            = local.ingress-nginx[\"repository\"]\n  name                  = local.ingress-nginx[\"name\"]\n  chart                 = local.ingress-nginx[\"chart\"]\n  version               = local.ingress-nginx[\"chart_version\"]\n  timeout               = local.ingress-nginx[\"timeout\"]\n  force_update          = local.ingress-nginx[\"force_update\"]\n  recreate_pods         = local.ingress-nginx[\"recreate_pods\"]\n  wait                  = local.ingress-nginx[\"wait\"]\n  atomic                = local.ingress-nginx[\"atomic\"]\n  cleanup_on_fail       = local.ingress-nginx[\"cleanup_on_fail\"]\n  dependency_update     = local.ingress-nginx[\"dependency_update\"]\n  disable_crd_hooks     = local.ingress-nginx[\"disable_crd_hooks\"]\n  disable_webhooks      = local.ingress-nginx[\"disable_webhooks\"]\n  render_subchart_notes = local.ingress-nginx[\"render_subchart_notes\"]\n  replace               = local.ingress-nginx[\"replace\"]\n  reset_values          = local.ingress-nginx[\"reset_values\"]\n  reuse_values          = local.ingress-nginx[\"reuse_values\"]\n  skip_crds             = local.ingress-nginx[\"skip_crds\"]\n  verify                
= local.ingress-nginx[\"verify\"]\n  values = [\n    local.values_ingress-nginx_l4,\n    local.ingress-nginx[\"extra_values\"],\n  ]\n  namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"ingress-nginx_default_deny\" {\n  count = local.ingress-nginx[\"enabled\"] && local.ingress-nginx[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"ingress-nginx_allow_namespace\" {\n  count = local.ingress-nginx[\"enabled\"] && local.ingress-nginx[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"ingress-nginx_allow_ingress\" {\n  count = local.ingress-nginx[\"enabled\"] && local.ingress-nginx[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-ingress\"\n    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n      match_expressions {\n        key      = \"app.kubernetes.io/name\"\n        operator = \"In\"\n        values   = [\"ingress-nginx\"]\n      }\n    }\n\n    ingress {\n      ports {\n        port     = \"80\"\n        protocol = \"TCP\"\n      }\n      ports {\n        port     = \"443\"\n        protocol = \"TCP\"\n      }\n\n      dynamic \"from\" {\n        for_each = local.ingress-nginx[\"ingress_cidrs\"]\n        content {\n          ip_block {\n            cidr = from.value\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"ingress-nginx_allow_monitoring\" {\n  count = local.ingress-nginx[\"enabled\"] && local.ingress-nginx[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-monitoring\"\n    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      ports {\n        port     = \"metrics\"\n        protocol = \"TCP\"\n      }\n\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"monitoring\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"ingress-nginx_allow_control_plane\" {\n  count = local.ingress-nginx[\"enabled\"] && local.ingress-nginx[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-control-plane\"\n    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n      match_expressions {\n        key      = \"app.kubernetes.io/name\"\n        operator = \"In\"\n        values   = [\"ingress-nginx\"]\n      }\n    }\n\n    ingress {\n      ports {\n        port     = \"8443\"\n        protocol = \"TCP\"\n      }\n\n      dynamic \"from\" {\n        for_each = local.ingress-nginx[\"allowed_cidrs\"]\n        content {\n          ip_block {\n            cidr = from.value\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"ingress-nginx_allow_linkerd_viz\" {\n  count = local.ingress-nginx[\"enabled\"] && (local.linkerd-viz[\"enabled\"] || local.ingress-nginx[\"linkerd-viz-enabled\"]) && local.ingress-nginx[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-linkerd-viz\"\n    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = local.linkerd-viz[\"enabled\"] ? local.linkerd-viz[\"namespace\"] : local.ingress-nginx[\"linkerd-viz-namespace\"]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "modules/scaleway/kube-prometheus.tf",
    "content": "locals {\n  kube-prometheus-stack = merge(\n    local.helm_defaults,\n    {\n      name                     = local.helm_dependencies[index(local.helm_dependencies.*.name, \"kube-prometheus-stack\")].name\n      chart                    = local.helm_dependencies[index(local.helm_dependencies.*.name, \"kube-prometheus-stack\")].name\n      repository               = local.helm_dependencies[index(local.helm_dependencies.*.name, \"kube-prometheus-stack\")].repository\n      chart_version            = local.helm_dependencies[index(local.helm_dependencies.*.name, \"kube-prometheus-stack\")].version\n      namespace                = \"monitoring\"\n      thanos_sidecar_enabled   = false\n      thanos_dashboard_enabled = true\n      thanos_create_bucket     = true\n      thanos_bucket            = \"thanos-store-${var.cluster-name}\"\n      thanos_bucket_region     = local.scaleway[\"region\"]\n      thanos_store_config      = null\n      thanos_version           = \"v0.38.0\"\n      enabled                  = false\n      allowed_cidrs            = [\"0.0.0.0/0\"]\n      default_network_policy   = true\n      default_global_requests  = false\n      default_global_limits    = false\n      manage_crds              = true\n    },\n    var.kube-prometheus-stack\n  )\n\n  values_kube-prometheus-stack = <<VALUES\nkubeScheduler:\n  enabled: false\nkubeControllerManager:\n  enabled: false\nkubeEtcd:\n  enabled: false\ngrafana:\n  sidecar:\n    dashboards:\n      multicluster:\n        global:\n          enabled: ${local.kube-prometheus-stack[\"thanos_sidecar_enabled\"] ? 
\"true\" : \"false\"}\n  rbac:\n    pspEnabled: false\n  adminPassword: ${join(\",\", random_string.grafana_password.*.result)}\n  dashboardProviders:\n    dashboardproviders.yaml:\n      apiVersion: 1\n      providers:\n      - name: 'default'\n        orgId: 1\n        folder: ''\n        type: file\n        disableDeletion: false\n        editable: true\n        options:\n          path: /var/lib/grafana/dashboards/default\nprometheus-node-exporter:\n  priorityClassName: ${local.priority-class-ds[\"create\"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : \"\"}\nprometheus:\n  thanosService:\n    enabled: ${local.thanos[\"enabled\"]}\n  prometheusSpec:\n    priorityClassName: ${local.priority-class[\"create\"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : \"\"}\nalertmanager:\n  alertmanagerSpec:\n    priorityClassName: ${local.priority-class[\"create\"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : \"\"}\nprometheusOperator:\n  admissionWebhooks:\n    patch:\n      podAnnotations:\n        linkerd.io/inject: disabled\nVALUES\n\n  values_kps_global_requests = <<VALUES\ngrafana:\n  resources:\n    requests:\n      cpu: 100m\n      memory: 200Mi\nprometheus:\n  prometheusSpec:\n    resources:\n      requests:\n        cpu: 50m\n        memory: 1300Mi\nalertmanager:\n  alertmanagerSpec:\n    resources:\n      requests:\n        cpu: 10m\n        memory: 20Mi\nprometheusOperator:\n  resources:\n    requests:\n      cpu: 50m\n      memory: 64Mi\nprometheus-node-exporter:\n  resources:\n    requests:\n      cpu: 10m\n      memory: 20Mi\nkube-state-metrics:\n  resources:\n    requests:\n      cpu: 10m\n      memory: 50Mi\nVALUES\n\n  values_kps_global_limits = <<VALUES\ngrafana:\n  resources:\n    limits:\n      cpu: 500m\n      memory: 500Mi\nalertmanager:\n  alertmanagerSpec:\n    resources:\n      limits:\n        cpu: 100m\n        memory: 200Mi\nprometheusOperator:\n  resources:\n    limits:\n      
cpu: 200m\n      memory: 256Mi\nprometheus-node-exporter:\n  resources:\n    limits:\n      cpu: 100m\n      memory: 200Mi\nkube-state-metrics:\n  resources:\n    limits:\n      cpu: 100m\n      memory: 200Mi\nVALUES\n\n  values_dashboard_kong = <<VALUES\ngrafana:\n  dashboards:\n    default:\n      kong-dash:\n        gnetId: 7424\n        revision: 6\n        datasource: Prometheus\nVALUES\n\n  values_dashboard_ingress-nginx = <<VALUES\ngrafana:\n  dashboards:\n    default:\n      nginx-ingress:\n        url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/nginx.json\nVALUES\n\n  values_dashboard_cluster-autoscaler = <<VALUES\ngrafana:\n  dashboards:\n    default:\n      cluster-autoscaler:\n        gnetId: 3831\n        revision: 1\n        datasource: Prometheus\nVALUES\n\n  values_dashboard_cert-manager = <<VALUES\ngrafana:\n  dashboards:\n    default:\n      cert-manager:\n        gnetId: 11001\n        revision: 1\n        datasource: Prometheus\nVALUES\n\n  values_dashboard_node_exporter = <<VALUES\ngrafana:\n  dashboards:\n    default:\n      node-exporter-full:\n        gnetId: 1860\n        revision: 21\n        datasource: Prometheus\n      node-exporter:\n        gnetId: 11074\n        revision: 9\n        datasource: Prometheus\nVALUES\n\n  values_thanos_sidecar = <<VALUES\nprometheusOperator:\n  thanosImage:\n    tag: \"${local.kube-prometheus-stack[\"thanos_version\"]}\"\nprometheus:\n  prometheusSpec:\n    externalLabels:\n      cluster: ${var.cluster-name}\n    thanos:\n      objectStorageConfig:\n        existingSecret:\n          key: thanos.yaml\n          name: \"${local.kube-prometheus-stack[\"thanos_bucket\"]}-config\"\nVALUES\n\n  values_grafana_ds = <<VALUES\ngrafana:\n  sidecar:\n    datasources:\n      defaultDatasourceEnabled: false\n  additionalDataSources:\n  - name: Prometheus\n    access: proxy\n    editable: false\n    orgId: 1\n    type: prometheus\n    url: http://${local.thanos[\"enabled\"] ? \"${local.thanos[\"name\"]}-query-frontend:9090\" : \"${local.kube-prometheus-stack[\"name\"]}-prometheus:9090\"}\n    version: 1\n    isDefault: true\nVALUES\n\n  values_dashboard_thanos = <<VALUES\ngrafana:\n  dashboards:\n    default:\n      thanos-overview:\n        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/overview.json\n      thanos-compact:\n        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/compact.json\n      thanos-query:\n        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/query.json\n      thanos-store:\n        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/store.json\n      thanos-receiver:\n        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/receive.json\n      thanos-sidecar:\n        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/sidecar.json\n      thanos-rule:\n        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/rule.json\n      thanos-replicate:\n        url: https://raw.githubusercontent.com/thanos-io/thanos/master/examples/dashboards/bucket-replicate.json\nVALUES\n\n  thanos_store_config_default = <<VALUES\ntype: S3\nconfig:\n  bucket: ${local.kube-prometheus-stack[\"thanos_bucket\"]}\n  region: ${local.kube-prometheus-stack[\"thanos_bucket_region\"]}\n  endpoint: s3.${local.kube-prometheus-stack[\"thanos_bucket_region\"]}.scw.cloud\n  access_key: ${local.scaleway[\"scw_access_key\"]}\n  secret_key: ${local.scaleway[\"scw_secret_key\"]}\n  signature_version2: false\nVALUES\n\n  thanos_store_config_computed = local.kube-prometheus-stack[\"thanos_store_config\"] == null ? local.thanos_store_config_default : local.kube-prometheus-stack[\"thanos_store_config\"]\n\n}\n\nresource \"kubernetes_secret\" \"kube-prometheus-stack_thanos\" {\n  count = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"thanos_sidecar_enabled\"] ? 1 : 0\n  metadata {\n    name      = \"${local.kube-prometheus-stack[\"thanos_bucket\"]}-config\"\n    namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n  }\n\n  data = {\n    \"thanos.yaml\" = local.thanos_store_config_computed\n  }\n}\n\nresource \"kubernetes_namespace\" \"kube-prometheus-stack\" {\n  count = local.kube-prometheus-stack[\"enabled\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.kube-prometheus-stack[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"monitoring\"\n    }\n\n    name = local.kube-prometheus-stack[\"namespace\"]\n  }\n\n  lifecycle {\n    ignore_changes = [\n      metadata[0].annotations,\n      metadata[0].labels,\n    ]\n  }\n}\n\nresource \"scaleway_object_bucket\" \"kube-prometheus-stack_thanos_bucket\" {\n  count = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"thanos_sidecar_enabled\"] && local.kube-prometheus-stack[\"thanos_create_bucket\"] ? 1 : 0\n  name  = local.kube-prometheus-stack[\"thanos_bucket\"]\n}\n\nresource \"scaleway_object_bucket_acl\" \"kube-prometheus-stack_bucket_acl\" {\n  count  = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"thanos_sidecar_enabled\"] && local.kube-prometheus-stack[\"thanos_create_bucket\"] ? 1 : 0\n  bucket = scaleway_object_bucket.kube-prometheus-stack_thanos_bucket.0.id\n  acl    = \"private\"\n}\n\nresource \"random_string\" \"grafana_password\" {\n  count   = local.kube-prometheus-stack[\"enabled\"] ? 1 : 0\n  length  = 16\n  special = false\n}\n\nresource \"helm_release\" \"kube-prometheus-stack\" {\n  count                 = local.kube-prometheus-stack[\"enabled\"] ? 1 : 0\n  repository            = local.kube-prometheus-stack[\"repository\"]\n  name                  = local.kube-prometheus-stack[\"name\"]\n  chart                 = local.kube-prometheus-stack[\"chart\"]\n  version               = local.kube-prometheus-stack[\"chart_version\"]\n  timeout               = local.kube-prometheus-stack[\"timeout\"]\n  force_update          = local.kube-prometheus-stack[\"force_update\"]\n  recreate_pods         = local.kube-prometheus-stack[\"recreate_pods\"]\n  wait                  = local.kube-prometheus-stack[\"wait\"]\n  atomic                = local.kube-prometheus-stack[\"atomic\"]\n  cleanup_on_fail       = local.kube-prometheus-stack[\"cleanup_on_fail\"]\n  dependency_update     = local.kube-prometheus-stack[\"dependency_update\"]\n  disable_crd_hooks     = local.kube-prometheus-stack[\"disable_crd_hooks\"]\n  disable_webhooks      = local.kube-prometheus-stack[\"disable_webhooks\"]\n  render_subchart_notes = local.kube-prometheus-stack[\"render_subchart_notes\"]\n  replace               = local.kube-prometheus-stack[\"replace\"]\n  reset_values          = local.kube-prometheus-stack[\"reset_values\"]\n  reuse_values          = local.kube-prometheus-stack[\"reuse_values\"]\n  skip_crds             = local.kube-prometheus-stack[\"skip_crds\"]\n  verify                = local.kube-prometheus-stack[\"verify\"]\n  values = compact([\n    local.values_kube-prometheus-stack,\n    local.kong[\"enabled\"] ? local.values_dashboard_kong : null,\n    local.cert-manager[\"enabled\"] ? local.values_dashboard_cert-manager : null,\n    local.values_dashboard_cluster-autoscaler,\n    local.ingress-nginx[\"enabled\"] ? local.values_dashboard_ingress-nginx : null,\n    local.thanos[\"enabled\"] && local.kube-prometheus-stack[\"thanos_dashboard_enabled\"] ? local.values_dashboard_thanos : null,\n    local.values_dashboard_node_exporter,\n    local.kube-prometheus-stack[\"thanos_sidecar_enabled\"] ? local.values_thanos_sidecar : null,\n    local.kube-prometheus-stack[\"thanos_sidecar_enabled\"] ? local.values_grafana_ds : null,\n    local.kube-prometheus-stack[\"default_global_requests\"] ? local.values_kps_global_requests : null,\n    local.kube-prometheus-stack[\"default_global_limits\"] ? local.values_kps_global_limits : null,\n    local.kube-prometheus-stack[\"extra_values\"]\n  ])\n  namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n\n  depends_on = [\n    helm_release.ingress-nginx,\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"kube-prometheus-stack_default_deny\" {\n  count = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"kube-prometheus-stack_allow_namespace\" {\n  count = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"kube-prometheus-stack_allow_ingress\" {\n  count = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]}-allow-ingress\"\n    namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"ingress\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"kube-prometheus-stack_allow_control_plane\" {\n  count = local.kube-prometheus-stack[\"enabled\"] && local.kube-prometheus-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]}-allow-control-plane\"\n    namespace = kubernetes_namespace.kube-prometheus-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n      match_expressions {\n        key      = \"app\"\n        operator = \"In\"\n        values   = [\"${local.kube-prometheus-stack[\"name\"]}-operator\"]\n      }\n    }\n\n    ingress {\n      ports {\n        port     = \"10250\"\n        protocol = \"TCP\"\n      }\n\n      dynamic \"from\" {\n        for_each = local.kube-prometheus-stack[\"allowed_cidrs\"]\n        content {\n          ip_block {\n            cidr = from.value\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\noutput \"grafana_password\" {\n  value     = element(concat(random_string.grafana_password.*.result, [\"\"]), 0)\n  sensitive = true\n}\n"
  },
  {
    "path": "modules/scaleway/locals-scaleway.tf",
    "content": "locals {\n\n  scaleway_defaults = {\n    scw_access_key              = \"\"\n    scw_secret_key              = \"\"\n    scw_default_organization_id = \"\"\n    region                      = \"\"\n  }\n\n  scaleway = merge(\n    local.scaleway_defaults,\n    var.scaleway\n  )\n\n  tags = var.tags\n\n\n}\n"
  },
  {
    "path": "modules/scaleway/loki-stack.tf",
    "content": "locals {\n  loki-stack = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"loki\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"loki\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"loki\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"loki\")].version\n      namespace              = \"monitoring\"\n      create_ns              = false\n      enabled                = false\n      default_network_policy = true\n      create_bucket          = true\n      bucket                 = \"loki-store-${var.cluster-name}\"\n      bucket_region          = local.scaleway[\"region\"]\n      generate_ca            = true\n      trusted_ca_content     = null\n      create_promtail_cert   = true\n      create_grafana_ds_cm   = true\n    },\n    var.loki-stack\n  )\n\n  values_loki-stack = <<-VALUES\n    global\n      dnsService: coredns\n    serviceMonitor:\n      enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\n    gateway:\n      service:\n        labels:\n          prometheus.io/service-monitor: \"false\"\n    priorityClassName: ${local.priority-class[\"create\"] ? 
kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : \"\"}\n    persistence:\n      enabled: true\n    loki:\n      auth_enabled: false\n      storage:\n        bucketNames:\n          chunks: \"${local.loki-stack[\"bucket\"]}\"\n          ruler: \"${local.loki-stack[\"bucket\"]}\"\n          admin: \"${local.loki-stack[\"bucket\"]}\"\n        s3:\n          region: eu-west-1\n      schemaConfig:\n        configs:\n        - from: 2020-10-24\n          store: boltdb-shipper\n          object_store: aws\n          schema: v12\n          index:\n            prefix: loki_index_\n            period: 24h\n      storage_config:\n        aws:\n          bucketnames: ${local.loki-stack[\"bucket\"]}\n          endpoint: s3.${local.loki-stack[\"bucket_region\"]}.scw.cloud\n          region: ${local.loki-stack[\"bucket_region\"]}\n          access_key_id: ${local.scaleway[\"scw_access_key\"]}\n          secret_access_key: ${local.scaleway[\"scw_secret_key\"]}\n    VALUES\n}\n\nresource \"kubernetes_namespace\" \"loki-stack\" {\n  count = local.loki-stack[\"enabled\"] && local.loki-stack[\"create_ns\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.loki-stack[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"monitoring\"\n    }\n\n    name = local.loki-stack[\"namespace\"]\n  }\n}\n\nresource \"kubernetes_config_map\" \"loki-stack_grafana_ds\" {\n  count = local.loki-stack[\"enabled\"] && local.loki-stack[\"create_grafana_ds_cm\"] ? 
1 : 0\n  metadata {\n    name      = \"${local.loki-stack[\"name\"]}-grafana-ds\"\n    namespace = local.loki-stack[\"namespace\"]\n    labels = {\n      grafana_datasource = \"1\"\n    }\n  }\n\n  data = {\n    \"datasource.yml\" = <<-VALUES\n      datasources:\n      - access: proxy\n        editable: true\n        isDefault: false\n        name: Loki\n        orgId: 1\n        type: loki\n        url: http://${local.loki-stack[\"name\"]}-gateway\n        version: 1\n      VALUES\n  }\n}\n\n\nresource \"helm_release\" \"loki-stack\" {\n  count                 = local.loki-stack[\"enabled\"] ? 1 : 0\n  repository            = local.loki-stack[\"repository\"]\n  name                  = local.loki-stack[\"name\"]\n  chart                 = local.loki-stack[\"chart\"]\n  version               = local.loki-stack[\"chart_version\"]\n  timeout               = local.loki-stack[\"timeout\"]\n  force_update          = local.loki-stack[\"force_update\"]\n  recreate_pods         = local.loki-stack[\"recreate_pods\"]\n  wait                  = local.loki-stack[\"wait\"]\n  atomic                = local.loki-stack[\"atomic\"]\n  cleanup_on_fail       = local.loki-stack[\"cleanup_on_fail\"]\n  dependency_update     = local.loki-stack[\"dependency_update\"]\n  disable_crd_hooks     = local.loki-stack[\"disable_crd_hooks\"]\n  disable_webhooks      = local.loki-stack[\"disable_webhooks\"]\n  render_subchart_notes = local.loki-stack[\"render_subchart_notes\"]\n  replace               = local.loki-stack[\"replace\"]\n  reset_values          = local.loki-stack[\"reset_values\"]\n  reuse_values          = local.loki-stack[\"reuse_values\"]\n  skip_crds             = local.loki-stack[\"skip_crds\"]\n  verify                = local.loki-stack[\"verify\"]\n  values = [\n    local.values_loki-stack,\n    local.loki-stack[\"extra_values\"]\n  ]\n  namespace = local.loki-stack[\"create_ns\"] ? kubernetes_namespace.loki-stack.*.metadata.0.name[count.index] : local.loki-stack[\"namespace\"]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nresource \"tls_private_key\" \"loki-stack-ca-key\" {\n  count       = local.loki-stack[\"enabled\"] && local.loki-stack[\"generate_ca\"] ? 1 : 0\n  algorithm   = \"ECDSA\"\n  ecdsa_curve = \"P384\"\n}\n\nresource \"tls_self_signed_cert\" \"loki-stack-ca-cert\" {\n  count             = local.loki-stack[\"enabled\"] && local.loki-stack[\"generate_ca\"] ? 1 : 0\n  private_key_pem   = tls_private_key.loki-stack-ca-key[0].private_key_pem\n  is_ca_certificate = true\n\n  subject {\n    common_name  = var.cluster-name\n    organization = var.cluster-name\n  }\n\n  validity_period_hours = 87600\n\n  allowed_uses = [\n    \"cert_signing\"\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"loki-stack_default_deny\" {\n  count = local.loki-stack[\"create_ns\"] && local.loki-stack[\"enabled\"] && local.loki-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"loki-stack_allow_namespace\" {\n  count = local.loki-stack[\"create_ns\"] && local.loki-stack[\"enabled\"] && local.loki-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"loki-stack_allow_ingress\" {\n  count = local.loki-stack[\"create_ns\"] && local.loki-stack[\"enabled\"] && local.loki-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]}-allow-ingress\"\n    namespace = kubernetes_namespace.loki-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"ingress\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_secret\" \"loki-stack-ca\" {\n  count = local.loki-stack[\"enabled\"] && (local.loki-stack[\"generate_ca\"] || local.loki-stack[\"trusted_ca_content\"] != null) ? 1 : 0\n  metadata {\n    name      = \"${local.loki-stack[\"name\"]}-ca\"\n    namespace = local.loki-stack[\"create_ns\"] ? kubernetes_namespace.loki-stack.*.metadata.0.name[count.index] : local.loki-stack[\"namespace\"]\n  }\n\n  data = {\n    \"ca.crt\" = local.loki-stack[\"generate_ca\"] ? tls_self_signed_cert.loki-stack-ca-cert[count.index].cert_pem : local.loki-stack[\"trusted_ca_content\"]\n  }\n}\n\nresource \"scaleway_object_bucket\" \"loki_bucket\" {\n  count = local.loki-stack[\"enabled\"] && local.loki-stack[\"create_bucket\"] ? 1 : 0\n  name  = local.loki-stack[\"bucket\"]\n}\n\nresource \"scaleway_object_bucket_acl\" \"loki_bucket_acl\" {\n  count  = local.loki-stack[\"enabled\"] && local.loki-stack[\"create_bucket\"] ? 1 : 0\n  bucket = scaleway_object_bucket.loki_bucket.0.id\n  acl    = \"private\"\n}\n\nresource \"tls_private_key\" \"promtail-key\" {\n  count       = local.loki-stack[\"enabled\"] && local.loki-stack[\"generate_ca\"] && local.loki-stack[\"create_promtail_cert\"] ? 1 : 0\n  algorithm   = \"ECDSA\"\n  ecdsa_curve = \"P384\"\n}\n\nresource \"tls_cert_request\" \"promtail-csr\" {\n  count           = local.loki-stack[\"enabled\"] && local.loki-stack[\"generate_ca\"] && local.loki-stack[\"create_promtail_cert\"] ? 1 : 0\n  private_key_pem = tls_private_key.promtail-key[count.index].private_key_pem\n\n  subject {\n    common_name = \"promtail\"\n  }\n\n  dns_names = [\n    \"promtail\"\n  ]\n}\n\nresource \"tls_locally_signed_cert\" \"promtail-cert\" {\n  count              = local.loki-stack[\"enabled\"] && local.loki-stack[\"generate_ca\"] && local.loki-stack[\"create_promtail_cert\"] ? 1 : 0\n  cert_request_pem   = tls_cert_request.promtail-csr[count.index].cert_request_pem\n  ca_private_key_pem = tls_private_key.loki-stack-ca-key[count.index].private_key_pem\n  ca_cert_pem        = tls_self_signed_cert.loki-stack-ca-cert[count.index].cert_pem\n\n  validity_period_hours = 8760\n\n  allowed_uses = [\n    \"key_encipherment\",\n    \"digital_signature\",\n    \"client_auth\"\n  ]\n}\n\noutput \"loki-stack-ca\" {\n  value = element(concat(tls_self_signed_cert.loki-stack-ca-cert[*].cert_pem, [\"\"]), 0)\n}\n\noutput \"promtail-key\" {\n  value     = element(concat(tls_private_key.promtail-key[*].private_key_pem, [\"\"]), 0)\n  sensitive = true\n}\n\noutput \"promtail-cert\" {\n  value     = element(concat(tls_locally_signed_cert.promtail-cert[*].cert_pem, [\"\"]), 0)\n  sensitive = true\n}\n"
  },
  {
    "path": "modules/scaleway/templates/cert-manager-cluster-issuers.yaml.tpl",
    "content": "---\napiVersion: cert-manager.io/v1\nkind: ClusterIssuer\nmetadata:\n  name: letsencrypt-staging\nspec:\n  acme:\n    server: https://acme-staging-v02.api.letsencrypt.org/directory\n    email: '${acme_email}'\n    privateKeySecretRef:\n      name: letsencrypt-staging\n    solvers:\n    %{ if acme_dns01_enabled }\n    %{ if acme_dns01_provider == \"route53\" }\n    - dns01:\n        route53:\n          hostedZoneID: ${acme_dns01_hosted_zone_id}\n          %{ if acme_dns01_region != \"\"  }\n          region: '${acme_dns01_region}'\n          %{ endif }\n          accessKeyIDSecretRef:\n            name: ${acme_dns01_aws_secret}\n            key: ${acme_dns01_aws_access_key_id}\n          secretAccessKeySecretRef:\n            name: ${acme_dns01_aws_secret}\n            key: ${acme_dns01_aws_access_key_secret}\n    %{ else }\n    %{if acme_dns01_provider == \"google\" }\n    - dns01:\n        clouddns:\n          project: '${acme_dns01_google_project}'\n          serviceAccountSecretRef:\n            name: '${acme_dns01_google_secret}'\n            key: '${acme_dns01_google_service_account_key}'\n    %{ else }\n    - dns01:\n        webhook:\n          groupName: acme.scaleway.com\n          solverName: scaleway\n          config:\n            accessKeySecretRef:\n              key: SCW_ACCESS_KEY\n              name: '${secret_name}'\n            secretKeySecretRef:\n              key: SCW_SECRET_KEY\n              name: '${secret_name}'\n    %{ endif }\n    %{ endif }\n    %{ endif }\n    %{ if acme_http01_enabled }\n    - http01:\n        ingress:\n          class: '${acme_http01_ingress_class}'\n      %{ if acme_dns01_enabled }\n      selector:\n        matchLabels:\n          \"use-http01-solver\": \"true\"\n      %{ endif }\n    %{ endif }\n---\napiVersion: cert-manager.io/v1\nkind: ClusterIssuer\nmetadata:\n  name: letsencrypt\nspec:\n  acme:\n    server: https://acme-v02.api.letsencrypt.org/directory\n    email: '${acme_email}'\n    
privateKeySecretRef:\n      name: letsencrypt\n    solvers:\n    %{ if acme_dns01_enabled }\n    %{ if acme_dns01_provider == \"route53\" }\n    - dns01:\n        route53:\n          hostedZoneID: ${acme_dns01_hosted_zone_id}\n          %{ if acme_dns01_region != \"\"  }\n          region: '${acme_dns01_region}'\n          %{ endif }\n          accessKeyIDSecretRef:\n            name: ${acme_dns01_aws_secret}\n            key: ${acme_dns01_aws_access_key_id}\n          secretAccessKeySecretRef:\n            name: ${acme_dns01_aws_secret}\n            key: ${acme_dns01_aws_access_key_secret}\n    %{ else }\n    %{if acme_dns01_provider == \"google\" }\n    - dns01:\n        clouddns:\n          project: '${acme_dns01_google_project}'\n          serviceAccountSecretRef:\n            name: '${acme_dns01_google_secret}'\n            key: '${acme_dns01_google_service_account_key}'\n    %{ else }\n    - dns01:\n        webhook:\n          groupName: acme.scaleway.com\n          solverName: scaleway\n          config:\n            accessKeySecretRef:\n              key: SCW_ACCESS_KEY\n              name: '${secret_name}'\n            secretKeySecretRef:\n              key: SCW_SECRET_KEY\n              name: '${secret_name}'\n    %{ endif }\n    %{ endif }\n    %{ endif }\n    %{ if acme_http01_enabled }\n    - http01:\n        ingress:\n          class: '${acme_http01_ingress_class}'\n      %{ if acme_dns01_enabled }\n      selector:\n        matchLabels:\n          \"use-http01-solver\": \"true\"\n      %{ endif }\n    %{ endif }\n"
  },
  {
    "path": "modules/scaleway/thanos-memcached.tf",
    "content": "locals {\n\n  thanos-memcached = merge(\n    local.helm_defaults,\n    {\n      chart         = local.helm_dependencies[index(local.helm_dependencies.*.name, \"oci://registry-1.docker.io/bitnamicharts/memcached\")].name\n      repository    = \"\"\n      chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, \"oci://registry-1.docker.io/bitnamicharts/memcached\")].version\n      name          = \"thanos-memcached\"\n      namespace     = local.thanos[\"namespace\"]\n      enabled       = false\n    },\n    var.thanos-memcached\n  )\n\n  values_thanos-memcached = <<-VALUES\n    architecture: \"high-availability\"\n    replicaCount: 2\n    podAntiAffinityPreset: hard\n    metrics:\n      enabled: ${local.kube-prometheus-stack[\"enabled\"]}\n      serviceMonitor:\n        enabled: ${local.kube-prometheus-stack[\"enabled\"]}\n    VALUES\n}\n\nresource \"helm_release\" \"thanos-memcached\" {\n  count                 = local.thanos-memcached[\"enabled\"] ? 
1 : 0\n  repository            = local.thanos-memcached[\"repository\"]\n  name                  = local.thanos-memcached[\"name\"]\n  chart                 = local.thanos-memcached[\"chart\"]\n  version               = local.thanos-memcached[\"chart_version\"]\n  timeout               = local.thanos-memcached[\"timeout\"]\n  force_update          = local.thanos-memcached[\"force_update\"]\n  recreate_pods         = local.thanos-memcached[\"recreate_pods\"]\n  wait                  = local.thanos-memcached[\"wait\"]\n  atomic                = local.thanos-memcached[\"atomic\"]\n  cleanup_on_fail       = local.thanos-memcached[\"cleanup_on_fail\"]\n  dependency_update     = local.thanos-memcached[\"dependency_update\"]\n  disable_crd_hooks     = local.thanos-memcached[\"disable_crd_hooks\"]\n  disable_webhooks      = local.thanos-memcached[\"disable_webhooks\"]\n  render_subchart_notes = local.thanos-memcached[\"render_subchart_notes\"]\n  replace               = local.thanos-memcached[\"replace\"]\n  reset_values          = local.thanos-memcached[\"reset_values\"]\n  reuse_values          = local.thanos-memcached[\"reuse_values\"]\n  skip_crds             = local.thanos-memcached[\"skip_crds\"]\n  verify                = local.thanos-memcached[\"verify\"]\n  values = compact([\n    local.values_thanos-memcached,\n    local.thanos-memcached[\"extra_values\"]\n  ])\n  namespace = local.thanos-memcached[\"namespace\"]\n\n  depends_on = [\n    helm_release.kube-prometheus-stack,\n  ]\n}\n"
  },
  {
    "path": "modules/scaleway/thanos-storegateway.tf",
    "content": "locals {\n\n  thanos-storegateway = { for k, v in var.thanos-storegateway : k => merge(\n    local.helm_defaults,\n    {\n      chart                     = local.helm_dependencies[index(local.helm_dependencies.*.name, \"thanos\")].name\n      repository                = local.helm_dependencies[index(local.helm_dependencies.*.name, \"thanos\")].repository\n      chart_version             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"thanos\")].version\n      name                      = \"${local.thanos[\"name\"]}-storegateway-${k}\"\n      create_iam_resources_irsa = true\n      iam_policy_override       = null\n      enabled                   = false\n      default_global_requests   = false\n      default_global_limits     = false\n      bucket                    = null\n      region                    = null\n    },\n    v,\n  ) }\n\n  values_thanos-storegateway = { for k, v in local.thanos-storegateway : k => merge(\n    {\n      values = <<-VALUES\n        global:\n          security:\n            allowInsecureImages: true\n        image:\n          registry: quay.io\n          repository: thanos/thanos\n          tag: v0.37.2\n        objstoreConfig:\n          type: S3\n          config:\n            bucket: ${v[\"bucket\"]}\n            region: ${v[\"region\"] == null ? local.scaleway[\"region\"] : v[\"region\"]}\n            endpoint: s3.${v[\"region\"] == null ? local.scaleway[\"region\"] : v[\"region\"]}.scw.cloud\n            signature_version2: false\n            access_key: ${local.scaleway[\"scw_access_key\"]}\n            secret_key: ${local.scaleway[\"scw_secret_key\"]}\n        metrics:\n          enabled: true\n          serviceMonitor:\n            enabled: ${local.kube-prometheus-stack[\"enabled\"] ? \"true\" : \"false\"}\n        query:\n          enabled: false\n        queryFrontend:\n          enabled: false\n        compactor:\n          enabled: false\n        storegateway:\n          replicaCount: 2\n          extraFlags:\n            - --ignore-deletion-marks-delay=24h\n          enabled: true\n          pdb:\n            create: true\n            minAvailable: 1\n        VALUES\n    },\n    v,\n  ) }\n}\n\nresource \"helm_release\" \"thanos-storegateway\" {\n  for_each              = { for k, v in local.thanos-storegateway : k => v if v[\"enabled\"] }\n  repository            = each.value[\"repository\"]\n  name                  = each.value[\"name\"]\n  chart                 = each.value[\"chart\"]\n  version               = each.value[\"chart_version\"]\n  timeout               = each.value[\"timeout\"]\n  force_update          = each.value[\"force_update\"]\n  recreate_pods         = each.value[\"recreate_pods\"]\n  wait                  = each.value[\"wait\"]\n  atomic                = each.value[\"atomic\"]\n  cleanup_on_fail       = each.value[\"cleanup_on_fail\"]\n  dependency_update     = each.value[\"dependency_update\"]\n  disable_crd_hooks     = each.value[\"disable_crd_hooks\"]\n  disable_webhooks      = each.value[\"disable_webhooks\"]\n  render_subchart_notes = each.value[\"render_subchart_notes\"]\n  replace               = each.value[\"replace\"]\n  reset_values          = each.value[\"reset_values\"]\n  reuse_values          = each.value[\"reuse_values\"]\n  skip_crds             = each.value[\"skip_crds\"]\n  verify                = each.value[\"verify\"]\n  values = compact([\n    local.values_thanos-storegateway[each.key][\"values\"],\n    each.value[\"default_global_requests\"] ? local.values_thanos_global_requests : null,\n    each.value[\"default_global_limits\"] ? local.values_thanos_global_limits : null,\n    each.value[\"extra_values\"]\n  ])\n  namespace = local.thanos[\"create_ns\"] ? kubernetes_namespace.thanos.*.metadata.0.name[0] : local.thanos[\"namespace\"]\n\n  depends_on = [\n    helm_release.kube-prometheus-stack,\n  ]\n}\n"
  },
  {
    "path": "modules/scaleway/thanos-tls-querier.tf",
    "content": "locals {\n\n  thanos-tls-querier = { for k, v in var.thanos-tls-querier : k => merge(\n    local.helm_defaults,\n    {\n      chart              = local.helm_dependencies[index(local.helm_dependencies.*.name, \"thanos\")].name\n      repository         = local.helm_dependencies[index(local.helm_dependencies.*.name, \"thanos\")].repository\n      chart_version      = local.helm_dependencies[index(local.helm_dependencies.*.name, \"thanos\")].version\n      name               = \"${local.thanos[\"name\"]}-tls-querier-${k}\"\n      enabled            = false\n      generate_cert      = local.thanos[\"generate_ca\"]\n      client_server_name = \"\"\n      ## This defaults to the Let's Encrypt ISRG Root X1 CA\n      grpc_client_tls_ca_pem  = <<-EOV\n        -----BEGIN CERTIFICATE-----\n        MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw\n        TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n        cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4\n        WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu\n        ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY\n        MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc\n        h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+\n        0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U\n        A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW\n        T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH\n        B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC\n        B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv\n        KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn\n        OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn\n        jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw\n        qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI\n        rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV\n        HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq\n        hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL\n        ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ\n        3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK\n        NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5\n        ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur\n        TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC\n        jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc\n        oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq\n        4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA\n        mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d\n        emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=\n        -----END CERTIFICATE-----\n        EOV\n      stores                  = []\n      default_global_requests = false\n      default_global_limits   = false\n    },\n    v,\n  ) }\n\n  values_thanos-tls-querier = { for k, v in local.thanos-tls-querier : k => merge(\n    {\n      values = <<-VALUES\n        global:\n          security:\n            allowInsecureImages: true\n        image:\n          registry: quay.io\n          repository: thanos/thanos\n          tag: v0.37.2\n        metrics:\n          enabled: true\n          serviceMonitor:\n            enabled: ${local.kube-prometheus-stack[\"enabled\"] ? \"true\" : \"false\"}\n        query:\n          replicaCount: 2\n          extraFlags:\n            - --query.timeout=5m\n            - --query.lookback-delta=15m\n            - --query.replica-label=rule_replica\n          enabled: true\n          dnsDiscovery:\n            enabled: false\n          pdb:\n            create: true\n            minAvailable: 1\n          grpc:\n            client:\n              servername: ${v[\"client_server_name\"]}\n              tls:\n                enabled: ${v[\"generate_cert\"]}\n                key: |\n                  ${indent(10, v[\"generate_cert\"] ? tls_private_key.thanos-tls-querier-cert-key[k].private_key_pem : \"\")}\n                cert: |\n                  ${indent(10, v[\"generate_cert\"] ? tls_locally_signed_cert.thanos-tls-querier-cert[k].cert_pem : \"\")}\n                ca: |\n                  ${indent(10, v[\"generate_cert\"] ? v[\"grpc_client_tls_ca_pem\"] : \"\")}\n          stores: ${jsonencode(v[\"stores\"])}\n        queryFrontend:\n          enabled: false\n        compactor:\n          enabled: false\n        storegateway:\n          enabled: false\n        VALUES\n    },\n    v,\n  ) }\n}\n\nresource \"helm_release\" \"thanos-tls-querier\" {\n  for_each              = { for k, v in local.thanos-tls-querier : k => v if v[\"enabled\"] }\n  repository            = each.value[\"repository\"]\n  name                  = each.value[\"name\"]\n  chart                 = each.value[\"chart\"]\n  version               = each.value[\"chart_version\"]\n  timeout               = each.value[\"timeout\"]\n  force_update          = each.value[\"force_update\"]\n  recreate_pods         = each.value[\"recreate_pods\"]\n  wait                  = each.value[\"wait\"]\n  atomic                = each.value[\"atomic\"]\n  cleanup_on_fail       = each.value[\"cleanup_on_fail\"]\n  dependency_update     = each.value[\"dependency_update\"]\n  disable_crd_hooks     = each.value[\"disable_crd_hooks\"]\n  disable_webhooks      = each.value[\"disable_webhooks\"]\n  render_subchart_notes = each.value[\"render_subchart_notes\"]\n  replace               = each.value[\"replace\"]\n  reset_values          = each.value[\"reset_values\"]\n  reuse_values          = each.value[\"reuse_values\"]\n  skip_crds             = each.value[\"skip_crds\"]\n  verify                = each.value[\"verify\"]\n  values = compact([\n    local.values_thanos-tls-querier[each.key][\"values\"],\n    each.value[\"default_global_requests\"] ? local.values_thanos_global_requests : null,\n    each.value[\"default_global_limits\"] ? local.values_thanos_global_limits : null,\n    each.value[\"extra_values\"]\n  ])\n  namespace = local.thanos[\"create_ns\"] ? kubernetes_namespace.thanos.*.metadata.0.name[0] : local.thanos[\"namespace\"]\n\n  depends_on = [\n    helm_release.kube-prometheus-stack,\n  ]\n}\n\nresource \"tls_private_key\" \"thanos-tls-querier-cert-key\" {\n  for_each    = { for k, v in local.thanos-tls-querier : k => v if v[\"enabled\"] && v[\"generate_cert\"] }\n  algorithm   = \"ECDSA\"\n  ecdsa_curve = \"P384\"\n}\n\nresource \"tls_cert_request\" \"thanos-tls-querier-cert-csr\" {\n  for_each        = { for k, v in local.thanos-tls-querier : k => v if v[\"enabled\"] && v[\"generate_cert\"] }\n  private_key_pem = tls_private_key.thanos-tls-querier-cert-key[each.key].private_key_pem\n\n  subject {\n    common_name = each.key\n  }\n\n  dns_names = [\n    each.key\n  ]\n}\n\nresource \"tls_locally_signed_cert\" \"thanos-tls-querier-cert\" {\n  for_each           = { for k, v in local.thanos-tls-querier : k => v if v[\"enabled\"] && v[\"generate_cert\"] }\n  cert_request_pem   = tls_cert_request.thanos-tls-querier-cert-csr[each.key].cert_request_pem\n  ca_private_key_pem = tls_private_key.thanos-tls-querier-ca-key[0].private_key_pem\n  ca_cert_pem        = tls_self_signed_cert.thanos-tls-querier-ca-cert[0].cert_pem\n\n  validity_period_hours = 8760\n\n  allowed_uses = [\n    \"key_encipherment\",\n    \"digital_signature\",\n    \"client_auth\"\n  ]\n}\n"
  },
  {
    "path": "modules/scaleway/thanos.tf",
    "content": "locals {\n\n  thanos = merge(\n    local.helm_defaults,\n    {\n      name                    = \"thanos\"\n      chart                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"oci://registry-1.docker.io/bitnamicharts/thanos\")].name\n      repository              = \"\"\n      chart_version           = local.helm_dependencies[index(local.helm_dependencies.*.name, \"oci://registry-1.docker.io/bitnamicharts/thanos\")].version\n      namespace               = \"monitoring\"\n      iam_policy_override     = null\n      create_ns               = false\n      enabled                 = false\n      default_network_policy  = true\n      default_global_requests = false\n      default_global_limits   = false\n      create_bucket           = false\n      bucket                  = \"thanos-store-${var.cluster-name}\"\n      generate_ca             = false\n      trusted_ca_content      = null\n    },\n    var.thanos\n  )\n\n  values_thanos = <<-VALUES\n    global:\n      security:\n        allowInsecureImages: true\n    image:\n      registry: quay.io\n      repository: thanos/thanos\n      tag: v0.37.2\n    receive:\n      enabled: false\n      pdb:\n        create: true\n        minAvailable: 1\n    metrics:\n      enabled: true\n      serviceMonitor:\n        enabled: ${local.kube-prometheus-stack[\"enabled\"] ? \"true\" : \"false\"}\n    query:\n      extraFlags:\n        - --query.timeout=5m\n        - --query.lookback-delta=15m\n        - --query.replica-label=rule_replica\n      replicaCount: 2\n      replicaLabel:\n        - prometheus_replica\n      enabled: true\n      dnsDiscovery:\n        enabled: true\n        sidecarsService: ${local.kube-prometheus-stack[\"name\"]}-thanos-discovery\n        sidecarsNamespace: \"${local.kube-prometheus-stack[\"namespace\"]}\"\n      pdb:\n        create: true\n        minAvailable: 1\n      stores: ${jsonencode(concat([for k, v in local.thanos-tls-querier : \"dnssrv+_grpc._tcp.${v[\"name\"]}-query-grpc.${local.thanos[\"namespace\"]}.svc.cluster.local\"], [for k, v in local.thanos-storegateway : \"dnssrv+_grpc._tcp.${v[\"name\"]}-storegateway.${local.thanos[\"namespace\"]}.svc.cluster.local\"]))}\n    queryFrontend:\n      extraFlags:\n        - --query-frontend.compress-responses\n        - --query-range.split-interval=12h\n        - --labels.split-interval=12h\n        - --query-range.max-retries-per-request=10\n        - --labels.max-retries-per-request=10\n        - --query-frontend.log-queries-longer-than=10s\n      replicaCount: 2\n      enabled: true\n      pdb:\n        create: true\n        minAvailable: 1\n    compactor:\n      extraFlags:\n        - --deduplication.replica-label=prometheus_replica\n        - --deduplication.replica-label=rule_replica\n      strategyType: Recreate\n      enabled: true\n    storegateway:\n      extraFlags:\n        - --ignore-deletion-marks-delay=24h\n      replicaCount: 2\n      enabled: true\n      pdb:\n        create: true\n        minAvailable: 1\n    VALUES\n\n\n  values_thanos_caching = <<-VALUES\n    queryFrontend:\n      extraFlags:\n        - --query-frontend.compress-responses\n        - --query-range.split-interval=12h\n        - --labels.split-interval=12h\n        - --query-range.max-retries-per-request=10\n        - --labels.max-retries-per-request=10\n        - --query-frontend.log-queries-longer-than=10s\n        - |-\n          --query-range.response-cache-config=\"config\":\n            \"addresses\":\n            - \"dnssrv+_memcache._tcp.${local.thanos-memcached[\"name\"]}.${local.thanos-memcached[\"namespace\"]}.svc.cluster.local\"\n            \"dns_provider_update_interval\": \"10s\"\n            \"max_async_buffer_size\": 10000\n            \"max_async_concurrency\": 20\n            \"max_get_multi_batch_size\": 0\n            \"max_get_multi_concurrency\": 100\n            \"max_idle_connections\": 100\n            \"timeout\": \"500ms\"\n          \"type\": \"memcached\"\n        - |-\n          --labels.response-cache-config=\"config\":\n            \"addresses\":\n            - \"dnssrv+_memcache._tcp.${local.thanos-memcached[\"name\"]}.${local.thanos-memcached[\"namespace\"]}.svc.cluster.local\"\n            \"dns_provider_update_interval\": \"10s\"\n            \"max_async_buffer_size\": 10000\n            \"max_async_concurrency\": 20\n            \"max_get_multi_batch_size\": 0\n            \"max_get_multi_concurrency\": 100\n            \"max_idle_connections\": 100\n            \"timeout\": \"500ms\"\n          \"type\": \"memcached\"\n    storegateway:\n      extraFlags:\n        - --ignore-deletion-marks-delay=24h\n        - |-\n          --index-cache.config=\"config\":\n            \"addresses\":\n            - \"dnssrv+_memcache._tcp.${local.thanos-memcached[\"name\"]}.${local.thanos-memcached[\"namespace\"]}.svc.cluster.local\"\n            \"dns_provider_update_interval\": \"10s\"\n            \"max_async_buffer_size\": 10000\n            \"max_async_concurrency\": 20\n            \"max_get_multi_batch_size\": 0\n            \"max_get_multi_concurrency\": 100\n            \"max_idle_connections\": 100\n            \"max_item_size\": \"1MiB\"\n            \"timeout\": \"500ms\"\n          \"type\": \"memcached\"\n        - |-\n          --store.caching-bucket.config=\"blocks_iter_ttl\": \"5m\"\n          \"chunk_object_attrs_ttl\": \"24h\"\n          \"chunk_subrange_size\": 16000\n          \"chunk_subrange_ttl\": \"24h\"\n          \"config\":\n            \"addresses\":\n            - \"dnssrv+_memcache._tcp.${local.thanos-memcached[\"name\"]}.${local.thanos-memcached[\"namespace\"]}.svc.cluster.local\"\n            \"dns_provider_update_interval\": \"10s\"\n            \"max_async_buffer_size\": 10000\n            \"max_async_concurrency\": 20\n            \"max_get_multi_batch_size\": 0\n            \"max_get_multi_concurrency\": 100\n            \"max_idle_connections\": 100\n            \"max_item_size\": \"1MiB\"\n            \"timeout\": \"500ms\"\n          \"max_chunks_get_range_requests\": 3\n          \"metafile_content_ttl\": \"24h\"\n          \"metafile_doesnt_exist_ttl\": \"15m\"\n          \"metafile_exists_ttl\": \"2h\"\n          \"metafile_max_size\": \"1MiB\"\n          \"type\": \"memcached\"\n    VALUES\n\n\n  values_store_config = <<-VALUES\n    objstoreConfig:\n      type: S3\n      config:\n        bucket: ${local.kube-prometheus-stack[\"thanos_bucket\"]}\n        region: ${local.kube-prometheus-stack[\"thanos_bucket_region\"]}\n        endpoint: s3.${local.kube-prometheus-stack[\"thanos_bucket_region\"]}.scw.cloud\n        access_key: ${local.scaleway[\"scw_access_key\"]}\n        secret_key: ${local.scaleway[\"scw_secret_key\"]}\n        signature_version2: false\n    VALUES\n\n  values_thanos_global_requests = <<-VALUES\n    query:\n      resources:\n        requests:\n          cpu: 25m\n          memory: 32Mi\n    queryFrontend:\n      resources:\n        requests:\n          cpu: 25m\n          memory: 32Mi\n    compactor:\n      resources:\n        requests:\n          cpu: 50m\n          memory: 258Mi\n    storegateway:\n      resources:\n        requests:\n          cpu: 25m\n          memory: 64Mi\n    VALUES\n\n  values_thanos_global_limits = <<-VALUES\n    query:\n      resources:\n        limits:\n          memory: 128Mi\n    queryFrontend:\n      resources:\n        limits:\n          memory: 64Mi\n    compactor:\n      resources:\n        limits:\n          memory: 2Gi\n    storegateway:\n      resources:\n        limits:\n          memory: 1Gi\n    VALUES\n}\n\nresource \"scaleway_object_bucket\" \"thanos_bucket\" {\n  count = local.thanos[\"enabled\"] && local.thanos[\"create_bucket\"] ? 1 : 0\n  name  = local.thanos[\"bucket\"]\n}\n\nresource \"scaleway_object_bucket_acl\" \"thanos_bucket_acl\" {\n  count  = local.thanos[\"enabled\"] && local.thanos[\"create_bucket\"] ? 1 : 0\n  bucket = scaleway_object_bucket.thanos_bucket.0.id\n  acl    = \"private\"\n}\n\nresource \"kubernetes_namespace\" \"thanos\" {\n  count = local.thanos[\"enabled\"] && local.thanos[\"create_ns\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.thanos[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"monitoring\"\n    }\n\n    name = local.thanos[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"thanos\" {\n  count                 = local.thanos[\"enabled\"] ? 1 : 0\n  repository            = local.thanos[\"repository\"]\n  name                  = local.thanos[\"name\"]\n  chart                 = local.thanos[\"chart\"]\n  version               = local.thanos[\"chart_version\"]\n  timeout               = local.thanos[\"timeout\"]\n  force_update          = local.thanos[\"force_update\"]\n  recreate_pods         = local.thanos[\"recreate_pods\"]\n  wait                  = local.thanos[\"wait\"]\n  atomic                = local.thanos[\"atomic\"]\n  cleanup_on_fail       = local.thanos[\"cleanup_on_fail\"]\n  dependency_update     = local.thanos[\"dependency_update\"]\n  disable_crd_hooks     = local.thanos[\"disable_crd_hooks\"]\n  disable_webhooks      = local.thanos[\"disable_webhooks\"]\n  render_subchart_notes = local.thanos[\"render_subchart_notes\"]\n  replace               = local.thanos[\"replace\"]\n  reset_values          = local.thanos[\"reset_values\"]\n  reuse_values          = local.thanos[\"reuse_values\"]\n  skip_crds             = local.thanos[\"skip_crds\"]\n  verify                = local.thanos[\"verify\"]\n  values = compact([\n    local.values_thanos,\n    local.values_store_config,\n    local.thanos[\"default_global_requests\"] ? local.values_thanos_global_requests : null,\n    local.thanos[\"default_global_limits\"] ? local.values_thanos_global_limits : null,\n    local.thanos-memcached[\"enabled\"] ? local.values_thanos_caching : null,\n    local.thanos[\"extra_values\"]\n  ])\n  namespace = local.thanos[\"create_ns\"] ? kubernetes_namespace.thanos.*.metadata.0.name[count.index] : local.thanos[\"namespace\"]\n\n  depends_on = [\n    helm_release.kube-prometheus-stack,\n    helm_release.thanos-memcached\n  ]\n}\n\nresource \"tls_private_key\" \"thanos-tls-querier-ca-key\" {\n  count       = local.thanos[\"generate_ca\"] ? 1 : 0\n  algorithm   = \"ECDSA\"\n  ecdsa_curve = \"P384\"\n}\n\nresource \"tls_self_signed_cert\" \"thanos-tls-querier-ca-cert\" {\n  count             = local.thanos[\"generate_ca\"] ? 1 : 0\n  private_key_pem   = tls_private_key.thanos-tls-querier-ca-key[0].private_key_pem\n  is_ca_certificate = true\n\n  subject {\n    common_name  = var.cluster-name\n    organization = var.cluster-name\n  }\n\n  validity_period_hours = 87600\n\n  allowed_uses = [\n    \"cert_signing\"\n  ]\n}\n\nresource \"kubernetes_secret\" \"thanos-ca\" {\n  count = local.thanos[\"enabled\"] && (local.thanos[\"generate_ca\"] || local.thanos[\"trusted_ca_content\"] != null) ? 1 : 0\n  metadata {\n    name      = \"${local.thanos[\"name\"]}-ca\"\n    namespace = local.thanos[\"create_ns\"] ? kubernetes_namespace.thanos.*.metadata.0.name[count.index] : local.thanos[\"namespace\"]\n  }\n\n  data = {\n    \"ca.crt\" = local.thanos[\"generate_ca\"] ? tls_self_signed_cert.thanos-tls-querier-ca-cert[count.index].cert_pem : local.thanos[\"trusted_ca_content\"]\n  }\n}\n\noutput \"thanos_ca\" {\n  value = element(concat(tls_self_signed_cert.thanos-tls-querier-ca-cert[*].cert_pem, [\"\"]), 0)\n}\n"
  },
  {
    "path": "modules/scaleway/variables-scaleway.tf",
    "content": "variable \"scaleway\" {\n  description = \"Scaleway provider customization\"\n  type        = any\n  default     = {}\n}\n\nvariable \"kapsule\" {\n  description = \"Kapsule cluster inputs\"\n  type        = any\n  default     = {}\n}\n\nvariable \"cert-manager_scaleway_webhook_dns\" {\n  description = \"Scaleway webhook dns customization\"\n  type        = any\n  default     = {}\n}\n\nvariable \"tags\" {\n  description = \"Map of tags for Scaleway resources\"\n  type        = map(any)\n  default     = {}\n}\n"
  },
  {
    "path": "modules/scaleway/velero.tf",
    "content": "locals {\n  velero = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"velero\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"velero\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"velero\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"velero\")].version\n      namespace              = \"velero\"\n      service_account_name   = \"velero\"\n      enabled                = false\n      create_bucket          = true\n      bucket                 = \"${var.cluster-name}-velero\"\n      bucket_force_destroy   = false\n      default_network_policy = true\n      name_prefix            = \"${var.cluster-name}-velero\"\n      secret_name            = \"velero-scaleway-credentials\"\n    },\n    var.velero\n  )\n\n  values_velero = <<VALUES\nmetrics:\n  serviceMonitor:\n    enabled: ${local.kube-prometheus-stack.enabled || local.victoria-metrics-k8s-stack.enabled}\nconfiguration:\n  namespace: ${local.velero.namespace}\n  backupStorageLocation:\n    - name: aws\n      provider: aws\n      bucket: ${local.velero.bucket}\n      default: true\ndeployNodeAgent: true\nnodeAgent:\n  tolerations:\n    - effect: NoSchedule\n      operator: Exists\n    - key: CriticalAddonsOnly\n      operator: Exists\n    - effect: NoExecute\n      operator: Exists\nsnapshotsEnabled: false\nserviceAccount:\n  server:\n    name: ${local.velero.service_account_name}\npriorityClassName: ${local.priority-class-ds.create ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : \"\"}\ncredentials:\n  useSecret: true\n  existingSecret: ${local.velero.secret_name}\ninitContainers:\n   - name: velero-plugin-for-aws\n     image: velero/velero-plugin-for-aws:v1.10.1\n     imagePullPolicy: IfNotPresent\n     volumeMounts:\n       - mountPath: /target\n         name: plugins\nVALUES\n}\n\nresource \"scaleway_object_bucket\" \"velero_bucket\" {\n  count = local.velero.enabled && local.velero.create_bucket ? 1 : 0\n  name  = local.velero.bucket\n\n  versioning {\n    enabled = true\n  }\n\n  force_destroy = local.velero.bucket_force_destroy\n\n  tags = local.tags\n}\n\nresource \"scaleway_object_bucket_acl\" \"velero_bucket_acl\" {\n  count  = local.velero.enabled && local.velero.create_bucket ? 1 : 0\n  bucket = scaleway_object_bucket.velero_bucket.0.id\n  acl    = \"private\"\n}\n\nresource \"kubernetes_namespace\" \"velero\" {\n  count = local.velero.enabled ? 1 : 0\n\n  metadata {\n    labels = {\n      name = local.velero.namespace\n    }\n\n    name = local.velero.namespace\n  }\n}\n\nresource \"helm_release\" \"velero\" {\n  count                 = local.velero.enabled ? 1 : 0\n  repository            = local.velero.repository\n  name                  = local.velero.name\n  chart                 = local.velero.chart\n  version               = local.velero.chart_version\n  timeout               = local.velero.timeout\n  force_update          = local.velero.force_update\n  recreate_pods         = local.velero.recreate_pods\n  wait                  = local.velero.wait\n  atomic                = local.velero.atomic\n  cleanup_on_fail       = local.velero.cleanup_on_fail\n  dependency_update     = local.velero.dependency_update\n  disable_crd_hooks     = local.velero.disable_crd_hooks\n  disable_webhooks      = local.velero.disable_webhooks\n  render_subchart_notes = local.velero.render_subchart_notes\n  replace               = local.velero.replace\n  reset_values          = local.velero.reset_values\n  reuse_values          = local.velero.reuse_values\n  skip_crds             = local.velero.skip_crds\n  verify                = local.velero.verify\n  values = compact([\n    local.values_velero,\n    local.velero.extra_values\n  ])\n  namespace = kubernetes_namespace.velero.*.metadata.0.name[count.index]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"velero_default_deny\" {\n  count = local.velero.enabled && local.velero.default_network_policy ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.velero.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.velero.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"velero_allow_namespace\" {\n  count = local.velero.enabled && local.velero.default_network_policy ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.velero.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.velero.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.velero.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"velero_allow_monitoring\" {\n  count = local.velero.enabled && local.velero.default_network_policy ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.velero.*.metadata.0.name[count.index]}-allow-monitoring\"\n    namespace = kubernetes_namespace.velero.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      ports {\n        port     = \"8085\"\n        protocol = \"TCP\"\n      }\n\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"monitoring\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "modules/scaleway/versions.tf",
    "content": "terraform {\n  required_version = \">= 1.5.7\"\n  required_providers {\n    helm = {\n      source  = \"hashicorp/helm\"\n      version = \"~> 3.0\"\n    }\n    kubernetes = {\n      source  = \"hashicorp/kubernetes\"\n      version = \"~> 2.0, != 2.12\"\n    }\n    kubectl = {\n      source  = \"alekc/kubectl\"\n      version = \"~> 2.0\"\n    }\n    flux = {\n      source  = \"fluxcd/flux\"\n      version = \"~> 1.0\"\n    }\n    github = {\n      source  = \"integrations/github\"\n      version = \"~> 6.0\"\n    }\n    scaleway = {\n      source  = \"scaleway/scaleway\"\n      version = \">= 2.2.0\"\n    }\n    tls = {\n      source  = \"hashicorp/tls\"\n      version = \"~> 4.0\"\n    }\n    http = {\n      source  = \"hashicorp/http\"\n      version = \">= 3\"\n    }\n  }\n}\n"
  },
  {
    "path": "modules/scaleway/victoria-metrics-k8s-stack.tf",
    "content": "locals {\n  victoria-metrics-k8s-stack = merge(\n    local.helm_defaults,\n    {\n      name                             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"victoria-metrics-k8s-stack\")].name\n      chart                            = local.helm_dependencies[index(local.helm_dependencies.*.name, \"victoria-metrics-k8s-stack\")].name\n      repository                       = local.helm_dependencies[index(local.helm_dependencies.*.name, \"victoria-metrics-k8s-stack\")].repository\n      chart_version                    = local.helm_dependencies[index(local.helm_dependencies.*.name, \"victoria-metrics-k8s-stack\")].version\n      namespace                        = \"monitoring\"\n      enabled                          = false\n      allowed_cidrs                    = [\"0.0.0.0/0\"]\n      default_network_policy           = true\n      install_prometheus_operator_crds = true\n    },\n    var.victoria-metrics-k8s-stack\n  )\n\n  values_victoria-metrics-k8s-stack = <<VALUES\nkubeScheduler:\n  enabled: false\nkubeControllerManager:\n  enabled: false\nkubeEtcd:\n  enabled: false\nkubeProxy:\n  enabled: false\ngrafana:\n  adminPassword: ${join(\",\", random_string.grafana_password.*.result)}\nprometheus-node-exporter:\n  priorityClassName: ${local.priority-class-ds[\"create\"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : \"\"}\nvictoria-metrics-operator:\n  createCRD: false\n  operator:\n    disable_prometheus_converter: false\n    enable_converter_ownership: true\n    useCustomConfigReloader: true\nvmsingle:\n  spec:\n    extraArgs:\n      maxLabelsPerTimeseries: \"50\"\nvmagent:\n  spec:\n    externalLabels:\n      cluster: ${var.cluster-name}\n    serviceScrapeNamespaceSelector: {}\n    podScrapeNamespaceSelector: {}\n    podScrapeSelector: {}\n    serviceScrapeSelector: {}\n    nodeScrapeSelector: {}\n    nodeScrapeNamespaceSelector: {}\n    staticScrapeSelector: {}\n    staticScrapeNamespaceSelector: {}\nVALUES\n\n}\n\nresource \"kubernetes_namespace\" \"victoria-metrics-k8s-stack\" {\n  count = local.victoria-metrics-k8s-stack[\"enabled\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.victoria-metrics-k8s-stack[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"monitoring\"\n    }\n\n    name = local.victoria-metrics-k8s-stack[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"victoria-metrics-k8s-stack\" {\n  count                 = local.victoria-metrics-k8s-stack[\"enabled\"] ? 1 : 0\n  repository            = local.victoria-metrics-k8s-stack[\"repository\"]\n  name                  = local.victoria-metrics-k8s-stack[\"name\"]\n  chart                 = local.victoria-metrics-k8s-stack[\"chart\"]\n  version               = local.victoria-metrics-k8s-stack[\"chart_version\"]\n  timeout               = local.victoria-metrics-k8s-stack[\"timeout\"]\n  force_update          = local.victoria-metrics-k8s-stack[\"force_update\"]\n  recreate_pods         = local.victoria-metrics-k8s-stack[\"recreate_pods\"]\n  wait                  = local.victoria-metrics-k8s-stack[\"wait\"]\n  atomic                = local.victoria-metrics-k8s-stack[\"atomic\"]\n  cleanup_on_fail       = local.victoria-metrics-k8s-stack[\"cleanup_on_fail\"]\n  dependency_update     = local.victoria-metrics-k8s-stack[\"dependency_update\"]\n  disable_crd_hooks     = local.victoria-metrics-k8s-stack[\"disable_crd_hooks\"]\n  disable_webhooks      = local.victoria-metrics-k8s-stack[\"disable_webhooks\"]\n  render_subchart_notes = local.victoria-metrics-k8s-stack[\"render_subchart_notes\"]\n  replace               = local.victoria-metrics-k8s-stack[\"replace\"]\n  reset_values          = local.victoria-metrics-k8s-stack[\"reset_values\"]\n  reuse_values          = local.victoria-metrics-k8s-stack[\"reuse_values\"]\n  skip_crds             = local.victoria-metrics-k8s-stack[\"skip_crds\"]\n  verify                = local.victoria-metrics-k8s-stack[\"verify\"]\n  values = compact([\n    local.values_victoria-metrics-k8s-stack,\n    local.kong[\"enabled\"] ? local.values_dashboard_kong : null,\n    local.cert-manager[\"enabled\"] ? local.values_dashboard_cert-manager : null,\n    local.ingress-nginx[\"enabled\"] ? local.values_dashboard_ingress-nginx : null,\n    local.values_dashboard_node_exporter,\n    local.victoria-metrics-k8s-stack[\"extra_values\"]\n  ])\n  namespace = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]\n\n  depends_on = [\n    helm_release.ingress-nginx,\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"victoria-metrics-k8s-stack_default_deny\" {\n  count = local.victoria-metrics-k8s-stack[\"enabled\"] && local.victoria-metrics-k8s-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"victoria-metrics-k8s-stack_allow_namespace\" {\n  count = local.victoria-metrics-k8s-stack[\"enabled\"] && local.victoria-metrics-k8s-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"victoria-metrics-k8s-stack_allow_ingress\" {\n  count = local.victoria-metrics-k8s-stack[\"enabled\"] && local.victoria-metrics-k8s-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]}-allow-ingress\"\n    namespace = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"ingress\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"victoria-metrics-k8s-stack_allow_control_plane\" {\n  count = local.victoria-metrics-k8s-stack[\"enabled\"] && local.victoria-metrics-k8s-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]}-allow-control-plane\"\n    namespace = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n      match_expressions {\n        key      = \"app\"\n        operator = \"In\"\n        values   = [\"${local.victoria-metrics-k8s-stack[\"name\"]}-operator\"]\n      }\n    }\n\n    ingress {\n      ports {\n        port     = \"10250\"\n        protocol = \"TCP\"\n      }\n\n      dynamic \"from\" {\n        for_each = local.victoria-metrics-k8s-stack[\"allowed_cidrs\"]\n        content {\n          ip_block {\n            cidr = from.value\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "node-problem-detector.tf",
    "content": "locals {\n  npd = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"node-problem-detector\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"node-problem-detector\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"node-problem-detector\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"node-problem-detector\")].version\n      namespace              = \"node-problem-detector\"\n      enabled                = false\n      default_network_policy = true\n    },\n    var.npd\n  )\n\n  values_npd = <<VALUES\npriorityClassName: ${local.priority-class-ds[\"create\"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : \"\"}\nVALUES\n\n}\n\nresource \"kubernetes_namespace\" \"node-problem-detector\" {\n  count = local.npd[\"enabled\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name = local.npd[\"namespace\"]\n    }\n\n    name = local.npd[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"node-problem-detector\" {\n  count                 = local.npd[\"enabled\"] ? 
1 : 0\n  repository            = local.npd[\"repository\"]\n  name                  = local.npd[\"name\"]\n  chart                 = local.npd[\"chart\"]\n  version               = local.npd[\"chart_version\"]\n  timeout               = local.npd[\"timeout\"]\n  force_update          = local.npd[\"force_update\"]\n  recreate_pods         = local.npd[\"recreate_pods\"]\n  wait                  = local.npd[\"wait\"]\n  atomic                = local.npd[\"atomic\"]\n  cleanup_on_fail       = local.npd[\"cleanup_on_fail\"]\n  dependency_update     = local.npd[\"dependency_update\"]\n  disable_crd_hooks     = local.npd[\"disable_crd_hooks\"]\n  disable_webhooks      = local.npd[\"disable_webhooks\"]\n  render_subchart_notes = local.npd[\"render_subchart_notes\"]\n  replace               = local.npd[\"replace\"]\n  reset_values          = local.npd[\"reset_values\"]\n  reuse_values          = local.npd[\"reuse_values\"]\n  skip_crds             = local.npd[\"skip_crds\"]\n  verify                = local.npd[\"verify\"]\n  values = [\n    local.values_npd,\n    local.npd[\"extra_values\"]\n  ]\n  namespace = kubernetes_namespace.node-problem-detector.*.metadata.0.name[count.index]\n}\n\nresource \"kubernetes_network_policy\" \"npd_default_deny\" {\n  count = local.npd[\"enabled\"] && local.npd[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.node-problem-detector.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.node-problem-detector.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"npd_allow_namespace\" {\n  count = local.npd[\"enabled\"] && local.npd[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.node-problem-detector.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.node-problem-detector.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.node-problem-detector.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "priority-class.tf",
    "content": "locals {\n  priority-class-ds = merge(\n    {\n      create = true\n      name   = \"kubernetes-addons-ds\"\n      value  = \"10000\"\n\n    },\n    var.priority-class-ds\n  )\n  priority-class = merge(\n    {\n      create = true\n      name   = \"kubernetes-addons\"\n      value  = \"9000\"\n\n    },\n    var.priority-class\n  )\n}\n\nresource \"kubernetes_priority_class\" \"kubernetes_addons_ds\" {\n  count = local.priority-class-ds[\"create\"] ? 1 : 0\n  metadata {\n    name = local.priority-class-ds[\"name\"]\n  }\n\n  value = local.priority-class-ds[\"value\"]\n}\n\nresource \"kubernetes_priority_class\" \"kubernetes_addons\" {\n  count = local.priority-class[\"create\"] ? 1 : 0\n  metadata {\n    name = local.priority-class[\"name\"]\n  }\n\n  value = local.priority-class[\"value\"]\n}\n"
  },
  {
    "path": "prometheus-adapter.tf",
    "content": "locals {\n  prometheus-adapter = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"prometheus-adapter\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"prometheus-adapter\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"prometheus-adapter\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"prometheus-adapter\")].version\n      namespace              = \"monitoring\"\n      create_ns              = false\n      enabled                = false\n      default_network_policy = true\n    },\n    var.prometheus-adapter\n  )\n\n  values_prometheus-adapter = <<VALUES\nprometheus:\n  url: http://${local.kube-prometheus-stack[\"name\"]}-prometheus.${local.kube-prometheus-stack[\"namespace\"]}.svc\nVALUES\n\n}\n\nresource \"kubernetes_namespace\" \"prometheus-adapter\" {\n  count = local.prometheus-adapter[\"enabled\"] && local.prometheus-adapter[\"create_ns\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.prometheus-adapter[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"monitoring\"\n    }\n\n    name = local.prometheus-adapter[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"prometheus-adapter\" {\n  count                 = local.prometheus-adapter[\"enabled\"] ? 
1 : 0\n  repository            = local.prometheus-adapter[\"repository\"]\n  name                  = local.prometheus-adapter[\"name\"]\n  chart                 = local.prometheus-adapter[\"chart\"]\n  version               = local.prometheus-adapter[\"chart_version\"]\n  timeout               = local.prometheus-adapter[\"timeout\"]\n  force_update          = local.prometheus-adapter[\"force_update\"]\n  recreate_pods         = local.prometheus-adapter[\"recreate_pods\"]\n  wait                  = local.prometheus-adapter[\"wait\"]\n  atomic                = local.prometheus-adapter[\"atomic\"]\n  cleanup_on_fail       = local.prometheus-adapter[\"cleanup_on_fail\"]\n  dependency_update     = local.prometheus-adapter[\"dependency_update\"]\n  disable_crd_hooks     = local.prometheus-adapter[\"disable_crd_hooks\"]\n  disable_webhooks      = local.prometheus-adapter[\"disable_webhooks\"]\n  render_subchart_notes = local.prometheus-adapter[\"render_subchart_notes\"]\n  replace               = local.prometheus-adapter[\"replace\"]\n  reset_values          = local.prometheus-adapter[\"reset_values\"]\n  reuse_values          = local.prometheus-adapter[\"reuse_values\"]\n  skip_crds             = local.prometheus-adapter[\"skip_crds\"]\n  verify                = local.prometheus-adapter[\"verify\"]\n  values = [\n    local.values_prometheus-adapter,\n    local.prometheus-adapter[\"extra_values\"]\n  ]\n  namespace = local.prometheus-adapter[\"create_ns\"] ? kubernetes_namespace.prometheus-adapter.*.metadata.0.name[count.index] : local.prometheus-adapter[\"namespace\"]\n\n  depends_on = [\n    helm_release.kube-prometheus-stack\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"prometheus-adapter_default_deny\" {\n  count = local.prometheus-adapter[\"create_ns\"] && local.prometheus-adapter[\"enabled\"] && local.prometheus-adapter[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.prometheus-adapter.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.prometheus-adapter.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"prometheus-adapter_allow_namespace\" {\n  count = local.prometheus-adapter[\"create_ns\"] && local.prometheus-adapter[\"enabled\"] && local.prometheus-adapter[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.prometheus-adapter.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.prometheus-adapter.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.prometheus-adapter.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "prometheus-blackbox-exporter.tf",
    "content": "locals {\n  prometheus-blackbox-exporter = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"prometheus-blackbox-exporter\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"prometheus-blackbox-exporter\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"prometheus-blackbox-exporter\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"prometheus-blackbox-exporter\")].version\n      namespace              = \"monitoring\"\n      create_ns              = false\n      enabled                = false\n      default_network_policy = true\n    },\n    var.prometheus-blackbox-exporter\n  )\n\n  values_prometheus-blackbox-exporter = <<VALUES\nserviceMonitor:\n  enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\nVALUES\n\n}\n\nresource \"kubernetes_namespace\" \"prometheus-blackbox-exporter\" {\n  count = local.prometheus-blackbox-exporter[\"enabled\"] && local.prometheus-blackbox-exporter[\"create_ns\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.prometheus-blackbox-exporter[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"monitoring\"\n    }\n\n    name = local.prometheus-blackbox-exporter[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"prometheus-blackbox-exporter\" {\n  count                 = local.prometheus-blackbox-exporter[\"enabled\"] ? 
1 : 0\n  repository            = local.prometheus-blackbox-exporter[\"repository\"]\n  name                  = local.prometheus-blackbox-exporter[\"name\"]\n  chart                 = local.prometheus-blackbox-exporter[\"chart\"]\n  version               = local.prometheus-blackbox-exporter[\"chart_version\"]\n  timeout               = local.prometheus-blackbox-exporter[\"timeout\"]\n  force_update          = local.prometheus-blackbox-exporter[\"force_update\"]\n  recreate_pods         = local.prometheus-blackbox-exporter[\"recreate_pods\"]\n  wait                  = local.prometheus-blackbox-exporter[\"wait\"]\n  atomic                = local.prometheus-blackbox-exporter[\"atomic\"]\n  cleanup_on_fail       = local.prometheus-blackbox-exporter[\"cleanup_on_fail\"]\n  dependency_update     = local.prometheus-blackbox-exporter[\"dependency_update\"]\n  disable_crd_hooks     = local.prometheus-blackbox-exporter[\"disable_crd_hooks\"]\n  disable_webhooks      = local.prometheus-blackbox-exporter[\"disable_webhooks\"]\n  render_subchart_notes = local.prometheus-blackbox-exporter[\"render_subchart_notes\"]\n  replace               = local.prometheus-blackbox-exporter[\"replace\"]\n  reset_values          = local.prometheus-blackbox-exporter[\"reset_values\"]\n  reuse_values          = local.prometheus-blackbox-exporter[\"reuse_values\"]\n  skip_crds             = local.prometheus-blackbox-exporter[\"skip_crds\"]\n  verify                = local.prometheus-blackbox-exporter[\"verify\"]\n  values = [\n    local.values_prometheus-blackbox-exporter,\n    local.prometheus-blackbox-exporter[\"extra_values\"]\n  ]\n  namespace = local.prometheus-blackbox-exporter[\"create_ns\"] ? 
kubernetes_namespace.prometheus-blackbox-exporter.*.metadata.0.name[count.index] : local.prometheus-blackbox-exporter[\"namespace\"]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"prometheus-blackbox-exporter_default_deny\" {\n  count = local.prometheus-blackbox-exporter[\"create_ns\"] && local.prometheus-blackbox-exporter[\"enabled\"] && local.prometheus-blackbox-exporter[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.prometheus-blackbox-exporter.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.prometheus-blackbox-exporter.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"prometheus-blackbox-exporter_allow_namespace\" {\n  count = local.prometheus-blackbox-exporter[\"create_ns\"] && local.prometheus-blackbox-exporter[\"enabled\"] && local.prometheus-blackbox-exporter[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.prometheus-blackbox-exporter.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.prometheus-blackbox-exporter.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.prometheus-blackbox-exporter.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "promtail.tf",
    "content": "locals {\n\n  promtail = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"promtail\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"promtail\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"promtail\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"promtail\")].version\n      namespace              = \"monitoring\"\n      create_ns              = false\n      enabled                = false\n      loki_address           = \"http://${local.loki-stack[\"name\"]}-write:3100/loki/api/v1/push\"\n      use_tls                = false\n      tls_crt                = null\n      tls_key                = null\n      default_network_policy = false\n    },\n    var.promtail\n  )\n\n  values_promtail = <<-VALUES\n    priorityClassName: ${local.priority-class-ds[\"create\"] ? 
kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : \"\"}\n    extraArgs:\n      - -client.external-labels=cluster=${var.cluster-name}\n    serviceMonitor:\n      enabled: ${local.kube-prometheus-stack[\"enabled\"] || local.victoria-metrics-k8s-stack[\"enabled\"]}\n    config:\n      clients:\n        - url: ${local.promtail[\"loki_address\"]}\n    tolerations:\n      - effect: NoSchedule\n        operator: Exists\n      - key: CriticalAddonsOnly\n        operator: Exists\n      - effect: NoExecute\n        operator: Exists\n    VALUES\n\n  values_promtail_tls = <<-VALUES\n    defaultVolumes:\n      - name: run\n        hostPath:\n          path: /run/promtail\n      - name: containers\n        hostPath:\n          path: /var/lib/docker/containers\n      - name: pods\n        hostPath:\n          path: /var/log/pods\n      - name: tls\n        secret:\n          secretName: ${local.promtail[\"name\"]}-tls\n    defaultVolumeMounts:\n      - name: run\n        mountPath: /run/promtail\n      - name: containers\n        mountPath: /var/lib/docker/containers\n        readOnly: true\n      - name: pods\n        mountPath: /var/log/pods\n        readOnly: true\n      - name: tls\n        mountPath: /tls\n        readOnly: true\n    config:\n      clients:\n        - url: ${local.promtail[\"loki_address\"]}\n          tls_config:\n            cert_file: /tls/tls.crt\n            key_file: /tls/tls.key\n    VALUES\n}\n\nresource \"kubernetes_namespace\" \"promtail\" {\n  count = local.promtail[\"enabled\"] && local.promtail[\"create_ns\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.promtail[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"monitoring\"\n    }\n\n    name = local.promtail[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"promtail\" {\n  count                 = local.promtail[\"enabled\"] ? 
1 : 0\n  repository            = local.promtail[\"repository\"]\n  name                  = local.promtail[\"name\"]\n  chart                 = local.promtail[\"chart\"]\n  version               = local.promtail[\"chart_version\"]\n  timeout               = local.promtail[\"timeout\"]\n  force_update          = local.promtail[\"force_update\"]\n  recreate_pods         = local.promtail[\"recreate_pods\"]\n  wait                  = local.promtail[\"wait\"]\n  atomic                = local.promtail[\"atomic\"]\n  cleanup_on_fail       = local.promtail[\"cleanup_on_fail\"]\n  dependency_update     = local.promtail[\"dependency_update\"]\n  disable_crd_hooks     = local.promtail[\"disable_crd_hooks\"]\n  disable_webhooks      = local.promtail[\"disable_webhooks\"]\n  render_subchart_notes = local.promtail[\"render_subchart_notes\"]\n  replace               = local.promtail[\"replace\"]\n  reset_values          = local.promtail[\"reset_values\"]\n  reuse_values          = local.promtail[\"reuse_values\"]\n  skip_crds             = local.promtail[\"skip_crds\"]\n  verify                = local.promtail[\"verify\"]\n  values = compact([\n    local.values_promtail,\n    local.promtail[\"use_tls\"] ? local.values_promtail_tls : \"\",\n    local.promtail[\"extra_values\"]\n  ])\n  namespace = local.promtail[\"namespace\"]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds,\n    helm_release.loki-stack,\n    kubernetes_secret.loki-stack-ca,\n    kubernetes_secret.promtail-tls\n  ]\n}\n\nresource \"kubernetes_secret\" \"promtail-tls\" {\n  count = local.promtail[\"enabled\"] && local.promtail[\"use_tls\"] ? 
1 : 0\n  metadata {\n    name      = \"${local.promtail[\"name\"]}-tls\"\n    namespace = local.promtail[\"namespace\"]\n  }\n\n  type = \"kubernetes.io/tls\"\n\n  data = {\n    \"tls.crt\" = local.promtail[\"tls_crt\"]\n    \"tls.key\" = local.promtail[\"tls_key\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"promtail_default_deny\" {\n  count = local.promtail[\"create_ns\"] && local.promtail[\"enabled\"] && local.promtail[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.promtail.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.promtail.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"promtail_allow_namespace\" {\n  count = local.promtail[\"create_ns\"] && local.promtail[\"enabled\"] && local.promtail[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.promtail.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.promtail.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.promtail.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"promtail_allow_ingress\" {\n  count = local.promtail[\"create_ns\"] && local.promtail[\"enabled\"] && local.promtail[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.promtail.*.metadata.0.name[count.index]}-allow-ingress\"\n    namespace = kubernetes_namespace.promtail.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"ingress\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "reloader.tf",
    "content": "locals {\n\n  reloader = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"reloader\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"reloader\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"reloader\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"reloader\")].version\n      namespace              = \"reloader\"\n      service_account_name   = \"reloader\"\n      enabled                = false\n      default_network_policy = true\n    },\n    var.reloader\n  )\n\n  values_reloader = <<-VALUES\n    VALUES\n}\n\nresource \"kubernetes_namespace\" \"reloader\" {\n  count = local.reloader[\"enabled\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name = local.reloader[\"namespace\"]\n    }\n\n    name = local.reloader[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"reloader\" {\n  count                 = local.reloader[\"enabled\"] ? 
1 : 0\n  repository            = local.reloader[\"repository\"]\n  name                  = local.reloader[\"name\"]\n  chart                 = local.reloader[\"chart\"]\n  version               = local.reloader[\"chart_version\"]\n  timeout               = local.reloader[\"timeout\"]\n  force_update          = local.reloader[\"force_update\"]\n  recreate_pods         = local.reloader[\"recreate_pods\"]\n  wait                  = local.reloader[\"wait\"]\n  atomic                = local.reloader[\"atomic\"]\n  cleanup_on_fail       = local.reloader[\"cleanup_on_fail\"]\n  dependency_update     = local.reloader[\"dependency_update\"]\n  disable_crd_hooks     = local.reloader[\"disable_crd_hooks\"]\n  disable_webhooks      = local.reloader[\"disable_webhooks\"]\n  render_subchart_notes = local.reloader[\"render_subchart_notes\"]\n  replace               = local.reloader[\"replace\"]\n  reset_values          = local.reloader[\"reset_values\"]\n  reuse_values          = local.reloader[\"reuse_values\"]\n  skip_crds             = local.reloader[\"skip_crds\"]\n  verify                = local.reloader[\"verify\"]\n  values = [\n    local.values_reloader,\n    local.reloader[\"extra_values\"]\n  ]\n  namespace = kubernetes_namespace.reloader.*.metadata.0.name[count.index]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\n\nresource \"kubernetes_network_policy\" \"reloader_default_deny\" {\n  count = local.reloader[\"enabled\"] && local.reloader[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.reloader.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.reloader.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"reloader_allow_namespace\" {\n  count = local.reloader[\"enabled\"] && local.reloader[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.reloader.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.reloader.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.reloader.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "sealed-secrets.tf",
    "content": "locals {\n\n  sealed-secrets = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"sealed-secrets\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"sealed-secrets\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"sealed-secrets\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"sealed-secrets\")].version\n      namespace              = \"sealed-secrets\"\n      enabled                = false\n      default_network_policy = true\n    },\n    var.sealed-secrets\n  )\n\n  values_sealed-secrets = <<VALUES\npriorityClassName: ${local.priority-class[\"create\"] ? kubernetes_priority_class.kubernetes_addons[0].metadata[0].name : \"\"}\nVALUES\n\n}\n\nresource \"kubernetes_namespace\" \"sealed-secrets\" {\n  count = local.sealed-secrets[\"enabled\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name = local.sealed-secrets[\"namespace\"]\n    }\n\n    name = local.sealed-secrets[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"sealed-secrets\" {\n  count                 = local.sealed-secrets[\"enabled\"] ? 
1 : 0\n  repository            = local.sealed-secrets[\"repository\"]\n  name                  = local.sealed-secrets[\"name\"]\n  chart                 = local.sealed-secrets[\"chart\"]\n  version               = local.sealed-secrets[\"chart_version\"]\n  timeout               = local.sealed-secrets[\"timeout\"]\n  force_update          = local.sealed-secrets[\"force_update\"]\n  recreate_pods         = local.sealed-secrets[\"recreate_pods\"]\n  wait                  = local.sealed-secrets[\"wait\"]\n  atomic                = local.sealed-secrets[\"atomic\"]\n  cleanup_on_fail       = local.sealed-secrets[\"cleanup_on_fail\"]\n  dependency_update     = local.sealed-secrets[\"dependency_update\"]\n  disable_crd_hooks     = local.sealed-secrets[\"disable_crd_hooks\"]\n  disable_webhooks      = local.sealed-secrets[\"disable_webhooks\"]\n  render_subchart_notes = local.sealed-secrets[\"render_subchart_notes\"]\n  replace               = local.sealed-secrets[\"replace\"]\n  reset_values          = local.sealed-secrets[\"reset_values\"]\n  reuse_values          = local.sealed-secrets[\"reuse_values\"]\n  skip_crds             = local.sealed-secrets[\"skip_crds\"]\n  verify                = local.sealed-secrets[\"verify\"]\n  values = [\n    local.values_sealed-secrets,\n    local.sealed-secrets[\"extra_values\"]\n  ]\n  namespace = kubernetes_namespace.sealed-secrets.*.metadata.0.name[count.index]\n}\n\nresource \"kubernetes_network_policy\" \"sealed-secrets_default_deny\" {\n  count = local.sealed-secrets[\"enabled\"] && local.sealed-secrets[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.sealed-secrets.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.sealed-secrets.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"sealed-secrets_allow_namespace\" {\n  count = local.sealed-secrets[\"enabled\"] && local.sealed-secrets[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.sealed-secrets.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.sealed-secrets.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.sealed-secrets.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "secrets-store-csi-driver.tf",
    "content": "locals {\n  secrets-store-csi-driver = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"secrets-store-csi-driver\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"secrets-store-csi-driver\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"secrets-store-csi-driver\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"secrets-store-csi-driver\")].version\n      namespace              = \"kube-system\"\n      enabled                = false\n      create_ns              = false\n      default_network_policy = true\n    },\n    var.secrets-store-csi-driver\n  )\n\n  values_secrets-store-csi-driver = <<VALUES\nsyncSecret:\n  enabled: true\nenableSecretRotation: true\nVALUES\n}\n\nresource \"kubernetes_namespace\" \"secrets-store-csi-driver\" {\n  count = local.secrets-store-csi-driver[\"enabled\"] && local.secrets-store-csi-driver[\"create_ns\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name = local.secrets-store-csi-driver[\"namespace\"]\n    }\n\n    name = local.secrets-store-csi-driver[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"secrets-store-csi-driver\" {\n  count                 = local.secrets-store-csi-driver[\"enabled\"] ? 
1 : 0\n  repository            = local.secrets-store-csi-driver[\"repository\"]\n  name                  = local.secrets-store-csi-driver[\"name\"]\n  chart                 = local.secrets-store-csi-driver[\"chart\"]\n  version               = local.secrets-store-csi-driver[\"chart_version\"]\n  timeout               = local.secrets-store-csi-driver[\"timeout\"]\n  force_update          = local.secrets-store-csi-driver[\"force_update\"]\n  recreate_pods         = local.secrets-store-csi-driver[\"recreate_pods\"]\n  wait                  = local.secrets-store-csi-driver[\"wait\"]\n  atomic                = local.secrets-store-csi-driver[\"atomic\"]\n  cleanup_on_fail       = local.secrets-store-csi-driver[\"cleanup_on_fail\"]\n  dependency_update     = local.secrets-store-csi-driver[\"dependency_update\"]\n  disable_crd_hooks     = local.secrets-store-csi-driver[\"disable_crd_hooks\"]\n  disable_webhooks      = local.secrets-store-csi-driver[\"disable_webhooks\"]\n  render_subchart_notes = local.secrets-store-csi-driver[\"render_subchart_notes\"]\n  replace               = local.secrets-store-csi-driver[\"replace\"]\n  reset_values          = local.secrets-store-csi-driver[\"reset_values\"]\n  reuse_values          = local.secrets-store-csi-driver[\"reuse_values\"]\n  skip_crds             = local.secrets-store-csi-driver[\"skip_crds\"]\n  verify                = local.secrets-store-csi-driver[\"verify\"]\n  values = [\n    local.values_secrets-store-csi-driver,\n    local.secrets-store-csi-driver[\"extra_values\"]\n  ]\n  namespace = local.secrets-store-csi-driver[\"create_ns\"] ? kubernetes_namespace.secrets-store-csi-driver.*.metadata.0.name[count.index] : local.secrets-store-csi-driver[\"namespace\"]\n}\n\nresource \"kubernetes_network_policy\" \"secrets-store-csi-driver_default_deny\" {\n  count = local.secrets-store-csi-driver[\"create_ns\"] && local.secrets-store-csi-driver[\"enabled\"] && local.secrets-store-csi-driver[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.secrets-store-csi-driver.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.secrets-store-csi-driver.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"secrets-store-csi-driver_allow_namespace\" {\n  count = local.secrets-store-csi-driver[\"create_ns\"] && local.secrets-store-csi-driver[\"enabled\"] && local.secrets-store-csi-driver[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.secrets-store-csi-driver.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.secrets-store-csi-driver.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.secrets-store-csi-driver.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "templates/cert-manager-cluster-issuers.yaml.tpl",
    "content": "---\napiVersion: cert-manager.io/v1\nkind: ClusterIssuer\nmetadata:\n  name: letsencrypt-staging\nspec:\n  acme:\n    server: https://acme-staging-v02.api.letsencrypt.org/directory\n    email: '${acme_email}'\n    privateKeySecretRef:\n      name: letsencrypt-staging\n    solvers:\n    %{ if acme_http01_enabled }\n    - http01:\n        ingress:\n          class: '${acme_http01_ingress_class}'\n    %{ endif }\n---\napiVersion: cert-manager.io/v1\nkind: ClusterIssuer\nmetadata:\n  name: letsencrypt\nspec:\n  acme:\n    server: https://acme-v02.api.letsencrypt.org/directory\n    email: '${acme_email}'\n    privateKeySecretRef:\n      name: letsencrypt\n    solvers:\n    %{ if acme_http01_enabled }\n    - http01:\n        ingress:\n          class: '${acme_http01_ingress_class}'\n    %{ endif }\n"
  },
  {
    "path": "templates/cert-manager-csi-driver.yaml.tpl",
    "content": "apiVersion: storage.k8s.io/v1beta1\nkind: CSIDriver\nmetadata:\n  name: csi.cert-manager.io\nspec:\n  podInfoOnMount: true\n  volumeLifecycleModes:\n  - Ephemeral\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: cert-manager-csi\n  namespace: ${namespace}\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n  name: cert-manager-csi\nrules:\n- apiGroups: [\"cert-manager.io\"]\n  resources: [\"certificaterequests\"]\n  verbs: [\"get\", \"create\", \"delete\", \"update\"]\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: cert-manager-csi\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: cert-manager-csi\nsubjects:\n# ServiceAccount subjects take no apiGroup; the namespace must match the one the ServiceAccount above is created in\n- kind: ServiceAccount\n  name: cert-manager-csi\n  namespace: ${namespace}\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n  name: cert-manager-csi\n  namespace: ${namespace}\nspec:\n  selector:\n    matchLabels:\n      app: cert-manager-csi\n  template:\n    metadata:\n      labels:\n        app: cert-manager-csi\n    spec:\n      serviceAccount: cert-manager-csi\n      priorityClassName: ${priority_class}\n      containers:\n        - name: node-driver-registrar\n          image: quay.io/k8scsi/csi-node-driver-registrar:v1.2.0\n          lifecycle:\n            preStop:\n              exec:\n                command: [\"/bin/sh\", \"-c\", \"rm -rf /registration/cert-manager-csi /registration/cert-manager-csi-reg.sock\"]\n          args:\n            - --v=5\n            - --csi-address=/plugin/csi.sock\n            - --kubelet-registration-path=/var/lib/kubelet/plugins/cert-manager-csi/csi.sock\n          env:\n            - name: KUBE_NODE_NAME\n              valueFrom:\n                fieldRef:\n                  fieldPath: spec.nodeName\n          volumeMounts:\n            - name: plugin-dir\n              mountPath: /plugin\n            - name: registration-dir\n              mountPath: /registration\n        - name: cert-manager-csi\n          securityContext:\n            privileged: true\n            capabilities:\n              add: [\"SYS_ADMIN\"]\n            allowPrivilegeEscalation: true\n          image: gcr.io/jetstack-josh/cert-manager-csi:v0.1.0-alpha.1\n          imagePullPolicy: \"IfNotPresent\"\n          args:\n            - --node-id=$(NODE_ID)\n            - --endpoint=$(CSI_ENDPOINT)\n            - --data-root=/csi-data-dir\n          env:\n            - name: NODE_ID\n              valueFrom:\n                fieldRef:\n                  fieldPath: spec.nodeName\n            - name: CSI_ENDPOINT\n              value: unix://plugin/csi.sock\n          volumeMounts:\n            - name: plugin-dir\n              mountPath: /plugin\n            - name: pods-mount-dir\n              mountPath: /var/lib/kubelet/pods\n              mountPropagation: \"Bidirectional\"\n            - name: csi-data-dir\n              mountPath: /csi-data-dir\n      volumes:\n        - name: plugin-dir\n          hostPath:\n            path: /var/lib/kubelet/plugins/cert-manager-csi\n            type: DirectoryOrCreate\n        - name: pods-mount-dir\n          hostPath:\n            path: /var/lib/kubelet/pods\n            type: Directory\n        - hostPath:\n            path: /var/lib/kubelet/plugins_registry\n            type: Directory\n          name: registration-dir\n        - hostPath:\n            path: /tmp/cert-manager-csi\n            type: DirectoryOrCreate\n          name: csi-data-dir\n"
  },
  {
    "path": "tigera-operator.tf",
    "content": "locals {\n  tigera-operator = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"tigera-operator\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"tigera-operator\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"tigera-operator\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"tigera-operator\")].version\n      namespace              = \"tigera-operator\"\n      create_ns              = true\n      manage_crds            = false\n      enabled                = false\n      default_network_policy = true\n    },\n    var.tigera-operator\n  )\n\n  # Managing CRDs manually should not be needed anymore since https://github.com/projectcalico/calico/pull/7216\n\n  tigera-operator_crds = \"https://raw.githubusercontent.com/projectcalico/calico/${local.tigera-operator.chart_version}/manifests/operator-crds.yaml\"\n\n  calico_crds = \"https://raw.githubusercontent.com/projectcalico/calico/${local.tigera-operator.chart_version}/manifests/crds.yaml\"\n\n  tigera-operator_crds_apply = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? [for v in data.kubectl_file_documents.tigera-operator_crds.0.documents : {\n    data : yamldecode(v)\n    content : v\n    }\n  ] : null\n\n  # Iterate over the Calico CRD documents, not the operator CRD documents fetched above\n  calico_crds_apply = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? [for v in data.kubectl_file_documents.calico_crds.0.documents : {\n    data : yamldecode(v)\n    content : v\n    }\n  ] : null\n\n  values_tigera-operator = <<-VALUES\n    VALUES\n}\n\ndata \"http\" \"tigera-operator_crds\" {\n  count = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? 
1 : 0\n  url   = local.tigera-operator_crds\n}\n\ndata \"http\" \"calico_crds\" {\n  count = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? 1 : 0\n  url   = local.calico_crds\n}\n\ndata \"kubectl_file_documents\" \"tigera-operator_crds\" {\n  count   = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? 1 : 0\n  content = data.http.tigera-operator_crds[0].response_body\n}\n\ndata \"kubectl_file_documents\" \"calico_crds\" {\n  count   = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? 1 : 0\n  content = data.http.calico_crds[0].response_body\n}\n\nresource \"kubectl_manifest\" \"tigera-operator_crds\" {\n  for_each          = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? { for v in local.tigera-operator_crds_apply : lower(join(\"/\", compact([v.data.apiVersion, v.data.kind, lookup(v.data.metadata, \"namespace\", \"\"), v.data.metadata.name]))) => v.content } : {}\n  yaml_body         = each.value\n  server_side_apply = true\n  force_conflicts   = true\n}\n\nresource \"kubectl_manifest\" \"calico_crds\" {\n  for_each          = local.tigera-operator.enabled && local.tigera-operator.manage_crds ? { for v in local.calico_crds_apply : lower(join(\"/\", compact([v.data.apiVersion, v.data.kind, lookup(v.data.metadata, \"namespace\", \"\"), v.data.metadata.name]))) => v.content } : {}\n  yaml_body         = each.value\n  server_side_apply = true\n  force_conflicts   = true\n}\n\nresource \"kubernetes_namespace\" \"tigera-operator\" {\n  count = local.tigera-operator[\"enabled\"] && local.tigera-operator[\"create_ns\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.tigera-operator[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"tigera-operator\"\n    }\n\n    name = local.tigera-operator[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"tigera-operator\" {\n  count                 = local.tigera-operator[\"enabled\"] ? 
1 : 0\n  repository            = local.tigera-operator[\"repository\"]\n  name                  = local.tigera-operator[\"name\"]\n  chart                 = local.tigera-operator[\"chart\"]\n  version               = local.tigera-operator[\"chart_version\"]\n  timeout               = local.tigera-operator[\"timeout\"]\n  force_update          = local.tigera-operator[\"force_update\"]\n  recreate_pods         = local.tigera-operator[\"recreate_pods\"]\n  wait                  = local.tigera-operator[\"wait\"]\n  atomic                = local.tigera-operator[\"atomic\"]\n  cleanup_on_fail       = local.tigera-operator[\"cleanup_on_fail\"]\n  dependency_update     = local.tigera-operator[\"dependency_update\"]\n  disable_crd_hooks     = local.tigera-operator[\"disable_crd_hooks\"]\n  disable_webhooks      = local.tigera-operator[\"disable_webhooks\"]\n  render_subchart_notes = local.tigera-operator[\"render_subchart_notes\"]\n  replace               = local.tigera-operator[\"replace\"]\n  reset_values          = local.tigera-operator[\"reset_values\"]\n  reuse_values          = local.tigera-operator[\"reuse_values\"]\n  skip_crds             = local.tigera-operator[\"skip_crds\"]\n  verify                = local.tigera-operator[\"verify\"]\n  values = [\n    local.values_tigera-operator,\n    local.tigera-operator[\"extra_values\"]\n  ]\n  namespace = local.tigera-operator[\"create_ns\"] ? kubernetes_namespace.tigera-operator.*.metadata.0.name[count.index] : local.tigera-operator[\"namespace\"]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"tigera-operator_default_deny\" {\n  count = local.tigera-operator[\"create_ns\"] && local.tigera-operator[\"enabled\"] && local.tigera-operator[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.tigera-operator.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.tigera-operator.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"tigera-operator_allow_namespace\" {\n  count = local.tigera-operator[\"create_ns\"] && local.tigera-operator[\"enabled\"] && local.tigera-operator[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.tigera-operator.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.tigera-operator.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.tigera-operator.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "traefik.tf",
    "content": "locals {\n\n  traefik = merge(\n    local.helm_defaults,\n    {\n      name                   = local.helm_dependencies[index(local.helm_dependencies.*.name, \"traefik\")].name\n      chart                  = local.helm_dependencies[index(local.helm_dependencies.*.name, \"traefik\")].name\n      repository             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"traefik\")].repository\n      chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, \"traefik\")].version\n      namespace              = \"traefik\"\n      enabled                = false\n      ingress_cidrs          = [\"0.0.0.0/0\"]\n      default_network_policy = true\n      manage_crds            = true\n    },\n    var.traefik\n  )\n\n  values_traefik = <<VALUES\nVALUES\n}\n\n\nresource \"kubernetes_namespace\" \"traefik\" {\n  count = local.traefik[\"enabled\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.traefik[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"ingress\"\n    }\n\n    name = local.traefik[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"traefik\" {\n  count                 = local.traefik[\"enabled\"] ? 
1 : 0\n  repository            = local.traefik[\"repository\"]\n  name                  = local.traefik[\"name\"]\n  chart                 = local.traefik[\"chart\"]\n  version               = local.traefik[\"chart_version\"]\n  timeout               = local.traefik[\"timeout\"]\n  force_update          = local.traefik[\"force_update\"]\n  recreate_pods         = local.traefik[\"recreate_pods\"]\n  wait                  = local.traefik[\"wait\"]\n  atomic                = local.traefik[\"atomic\"]\n  cleanup_on_fail       = local.traefik[\"cleanup_on_fail\"]\n  dependency_update     = local.traefik[\"dependency_update\"]\n  disable_crd_hooks     = local.traefik[\"disable_crd_hooks\"]\n  disable_webhooks      = local.traefik[\"disable_webhooks\"]\n  render_subchart_notes = local.traefik[\"render_subchart_notes\"]\n  replace               = local.traefik[\"replace\"]\n  reset_values          = local.traefik[\"reset_values\"]\n  reuse_values          = local.traefik[\"reuse_values\"]\n  skip_crds             = local.traefik[\"skip_crds\"]\n  verify                = local.traefik[\"verify\"]\n  values = compact([\n    local.values_traefik,\n    local.traefik[\"extra_values\"],\n  ])\n  namespace = kubernetes_namespace.traefik.*.metadata.0.name[count.index]\n\n  depends_on = [\n    kubectl_manifest.prometheus-operator_crds\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"traefik_default_deny\" {\n  count = local.traefik[\"enabled\"] && local.traefik[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.traefik.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.traefik.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"traefik_allow_namespace\" {\n  count = local.traefik[\"enabled\"] && local.traefik[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.traefik.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.traefik.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.traefik.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"traefik_allow_monitoring\" {\n  count = local.traefik[\"enabled\"] && local.traefik[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.traefik.*.metadata.0.name[count.index]}-allow-monitoring\"\n    namespace = kubernetes_namespace.traefik.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"monitoring\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"traefik_allow_ingress\" {\n  count = local.traefik[\"enabled\"] && local.traefik[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.traefik.*.metadata.0.name[count.index]}-allow-ingress\"\n    namespace = kubernetes_namespace.traefik.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n      match_expressions {\n        key      = \"app.kubernetes.io/name\"\n        operator = \"In\"\n        values   = [\"traefik\"]\n      }\n    }\n\n    ingress {\n      ports {\n        port     = \"http\"\n        protocol = \"TCP\"\n      }\n      ports {\n        port     = \"https\"\n        protocol = \"TCP\"\n      }\n\n      dynamic \"from\" {\n        for_each = local.traefik[\"ingress_cidrs\"]\n        content {\n          ip_block {\n            cidr = from.value\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  },
  {
    "path": "variables.tf",
    "content": "variable \"admiralty\" {\n  description = \"Customize admiralty chart, see `admiralty.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"cert-manager\" {\n  description = \"Customize cert-manager chart, see `cert-manager.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"cert-manager-csi-driver\" {\n  description = \"Customize cert-manager-csi-driver chart, see `cert-manager.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"cluster-autoscaler\" {\n  description = \"Customize cluster-autoscaler chart, see `cluster-autoscaler.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"cluster-name\" {\n  description = \"Name of the Kubernetes cluster\"\n  default     = \"sample-cluster\"\n  type        = string\n}\n\nvariable \"csi-external-snapshotter\" {\n  description = \"Customize csi-external-snapshotter, see `csi-external-snapshotter.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"external-dns\" {\n  description = \"Map of map for external-dns configuration: see `external_dns.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"flux2\" {\n  description = \"Customize Flux chart, see `flux2.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"grafana-mcp\" {\n  description = \"Customize grafana-mcp chart, see `grafana-mcp.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"helm_defaults\" {\n  description = \"Customize default Helm behavior\"\n  type        = any\n  default     = {}\n}\n\nvariable \"k8gb\" {\n  description = \"Customize k8gb chart, see `k8gb.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"karma\" {\n  description = \"Customize karma chart, see `karma.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable 
\"keda\" {\n  description = \"Customize keda chart, see `keda.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"kong\" {\n  description = \"Customize kong-ingress chart, see `kong.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"kube-prometheus-stack\" {\n  description = \"Customize kube-prometheus-stack chart, see `kube-prometheus-stack.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"labels_prefix\" {\n  description = \"Custom label prefix used for network policy namespace matching\"\n  type        = string\n  default     = \"particule.io\"\n}\n\nvariable \"linkerd2\" {\n  description = \"Customize linkerd2 chart, see `linkerd2.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"linkerd2-cni\" {\n  description = \"Customize linkerd2-cni chart, see `linkerd2-cni.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"linkerd-viz\" {\n  description = \"Customize linkerd-viz chart, see `linkerd-viz.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"linkerd\" {\n  description = \"Customize linkerd chart, see `linkerd.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"loki-stack\" {\n  description = \"Customize loki-stack chart, see `loki-stack.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"metrics-server\" {\n  description = \"Customize metrics-server chart, see `metrics_server.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"ingress-nginx\" {\n  description = \"Customize ingress-nginx chart, see `nginx-ingress.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"npd\" {\n  description = \"Customize node-problem-detector chart, see `npd.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable 
\"priority-class\" {\n  description = \"Customize a priority class for addons\"\n  type        = any\n  default     = {}\n}\n\nvariable \"priority-class-ds\" {\n  description = \"Customize a priority class for addons daemonsets\"\n  type        = any\n  default     = {}\n}\n\nvariable \"prometheus-blackbox-exporter\" {\n  description = \"Customize prometheus-blackbox-exporter chart, see `prometheus-blackbox-exporter.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"prometheus-adapter\" {\n  description = \"Customize prometheus-adapter chart, see `prometheus-adapter.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"promtail\" {\n  description = \"Customize promtail chart, see `loki-stack.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"sealed-secrets\" {\n  description = \"Customize sealed-secrets chart, see `sealed-secrets.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"secrets-store-csi-driver\" {\n  description = \"Customize secrets-store-csi-driver chart, see `secrets-store-csi-driver.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"thanos\" {\n  description = \"Customize thanos chart, see `thanos.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"thanos-tls-querier\" {\n  description = \"Customize thanos chart, see `thanos.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"thanos-tls-querier-ca-cert\" {\n  description = \"TLS CA certificate, used to generate the client mTLS materials\"\n  type        = string\n  default     = \"\"\n  sensitive   = true\n\n}\n\nvariable \"thanos-tls-querier-ca-private-key\" {\n  description = \"TLS CA private key, used to generate the client mTLS materials\"\n  type        = string\n  default     = \"\"\n  sensitive   = true\n}\n\nvariable \"thanos-storegateway\" {\n  description = 
\"Customize thanos chart, see `thanos.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"thanos-memcached\" {\n  description = \"Customize thanos chart, see `thanos.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"thanos-receive\" {\n  description = \"Customize thanos chart, see `thanos-receive.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"tigera-operator\" {\n  description = \"Customize tigera-operator chart, see `tigera-operator.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"traefik\" {\n  description = \"Customize traefik chart, see `traefik.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"victoria-metrics-k8s-stack\" {\n  description = \"Customize Victoria Metrics chart, see `victoria-metrics-k8s-stack.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"ip-masq-agent\" {\n  description = \"Configure ip masq agent chart, see `ip-masq-agent.tf` for supported values. This addon works only on GCP.\"\n  type        = any\n  default     = {}\n}\n\nvariable \"reloader\" {\n  description = \"Customize reloader chart, see `reloader.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n\nvariable \"velero\" {\n  description = \"Customize velero chart, see `velero.tf` for supported values\"\n  type        = any\n  default     = {}\n}\n"
  },
  {
    "path": "versions.tf",
    "content": "terraform {\n  required_version = \">= 1.5.7\"\n  required_providers {\n    helm = {\n      source  = \"hashicorp/helm\"\n      version = \"~> 3.0\"\n    }\n    kubernetes = {\n      source  = \"hashicorp/kubernetes\"\n      version = \"~> 2.0, != 2.12\"\n    }\n    kubectl = {\n      source  = \"alekc/kubectl\"\n      version = \"~> 2.0\"\n    }\n    flux = {\n      source  = \"fluxcd/flux\"\n      version = \"~> 1.0\"\n    }\n    github = {\n      source  = \"integrations/github\"\n      version = \"~> 6.0\"\n    }\n    tls = {\n      source  = \"hashicorp/tls\"\n      version = \"~> 4.0\"\n    }\n    http = {\n      source  = \"hashicorp/http\"\n      version = \">= 3\"\n    }\n  }\n}\n"
  },
  {
    "path": "victoria-metrics-k8s-stack.tf",
    "content": "locals {\n  victoria-metrics-k8s-stack = merge(\n    local.helm_defaults,\n    {\n      name                             = local.helm_dependencies[index(local.helm_dependencies.*.name, \"victoria-metrics-k8s-stack\")].name\n      chart                            = local.helm_dependencies[index(local.helm_dependencies.*.name, \"victoria-metrics-k8s-stack\")].name\n      repository                       = local.helm_dependencies[index(local.helm_dependencies.*.name, \"victoria-metrics-k8s-stack\")].repository\n      chart_version                    = local.helm_dependencies[index(local.helm_dependencies.*.name, \"victoria-metrics-k8s-stack\")].version\n      namespace                        = \"monitoring\"\n      enabled                          = false\n      allowed_cidrs                    = [\"0.0.0.0/0\"]\n      default_network_policy           = true\n      install_prometheus_operator_crds = true\n    },\n    var.victoria-metrics-k8s-stack\n  )\n\n  values_victoria-metrics-k8s-stack = <<VALUES\ngrafana:\n  adminPassword: ${join(\",\", random_string.grafana_password.*.result)}\nprometheus-node-exporter:\n  priorityClassName: ${local.priority-class-ds[\"create\"] ? 
kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : \"\"}\nvictoria-metrics-operator:\n  createCRD: false\n  operator:\n    disable_prometheus_converter: false\n    enable_converter_ownership: true\n    useCustomConfigReloader: true\nvmsingle:\n  spec:\n    extraArgs:\n      maxLabelsPerTimeseries: \"50\"\nvmagent:\n  spec:\n    externalLabels:\n      cluster: ${var.cluster-name}\n    serviceScrapeNamespaceSelector: {}\n    podScrapeNamespaceSelector: {}\n    podScrapeSelector: {}\n    serviceScrapeSelector: {}\n    nodeScrapeSelector: {}\n    nodeScrapeNamespaceSelector: {}\n    staticScrapeSelector: {}\n    staticScrapeNamespaceSelector: {}\nVALUES\n\n}\n\nresource \"kubernetes_namespace\" \"victoria-metrics-k8s-stack\" {\n  count = local.victoria-metrics-k8s-stack[\"enabled\"] ? 1 : 0\n\n  metadata {\n    labels = {\n      name                               = local.victoria-metrics-k8s-stack[\"namespace\"]\n      \"${local.labels_prefix}/component\" = \"monitoring\"\n    }\n\n    name = local.victoria-metrics-k8s-stack[\"namespace\"]\n  }\n}\n\nresource \"helm_release\" \"victoria-metrics-k8s-stack\" {\n  count                 = local.victoria-metrics-k8s-stack[\"enabled\"] ? 
1 : 0\n  repository            = local.victoria-metrics-k8s-stack[\"repository\"]\n  name                  = local.victoria-metrics-k8s-stack[\"name\"]\n  chart                 = local.victoria-metrics-k8s-stack[\"chart\"]\n  version               = local.victoria-metrics-k8s-stack[\"chart_version\"]\n  timeout               = local.victoria-metrics-k8s-stack[\"timeout\"]\n  force_update          = local.victoria-metrics-k8s-stack[\"force_update\"]\n  recreate_pods         = local.victoria-metrics-k8s-stack[\"recreate_pods\"]\n  wait                  = local.victoria-metrics-k8s-stack[\"wait\"]\n  atomic                = local.victoria-metrics-k8s-stack[\"atomic\"]\n  cleanup_on_fail       = local.victoria-metrics-k8s-stack[\"cleanup_on_fail\"]\n  dependency_update     = local.victoria-metrics-k8s-stack[\"dependency_update\"]\n  disable_crd_hooks     = local.victoria-metrics-k8s-stack[\"disable_crd_hooks\"]\n  disable_webhooks      = local.victoria-metrics-k8s-stack[\"disable_webhooks\"]\n  render_subchart_notes = local.victoria-metrics-k8s-stack[\"render_subchart_notes\"]\n  replace               = local.victoria-metrics-k8s-stack[\"replace\"]\n  reset_values          = local.victoria-metrics-k8s-stack[\"reset_values\"]\n  reuse_values          = local.victoria-metrics-k8s-stack[\"reuse_values\"]\n  skip_crds             = local.victoria-metrics-k8s-stack[\"skip_crds\"]\n  verify                = local.victoria-metrics-k8s-stack[\"verify\"]\n  values = compact([\n    local.values_victoria-metrics-k8s-stack,\n    local.kong[\"enabled\"] ? local.values_dashboard_kong : null,\n    local.cert-manager[\"enabled\"] ? local.values_dashboard_cert-manager : null,\n    local.ingress-nginx[\"enabled\"] ? 
local.values_dashboard_ingress-nginx : null,\n    local.values_dashboard_node_exporter,\n    local.victoria-metrics-k8s-stack[\"extra_values\"]\n  ])\n  namespace = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]\n\n  depends_on = [\n    helm_release.ingress-nginx,\n  ]\n}\n\nresource \"kubernetes_network_policy\" \"victoria-metrics-k8s-stack_default_deny\" {\n  count = local.victoria-metrics-k8s-stack[\"enabled\"] && local.victoria-metrics-k8s-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]}-default-deny\"\n    namespace = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"victoria-metrics-k8s-stack_allow_namespace\" {\n  count = local.victoria-metrics-k8s-stack[\"enabled\"] && local.victoria-metrics-k8s-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]}-allow-namespace\"\n    namespace = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            name = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"victoria-metrics-k8s-stack_allow_ingress\" {\n  count = local.victoria-metrics-k8s-stack[\"enabled\"] && local.victoria-metrics-k8s-stack[\"default_network_policy\"] ? 
1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]}-allow-ingress\"\n    namespace = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n    }\n\n    ingress {\n      from {\n        namespace_selector {\n          match_labels = {\n            \"${local.labels_prefix}/component\" = \"ingress\"\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n\nresource \"kubernetes_network_policy\" \"victoria-metrics-k8s-stack_allow_control_plane\" {\n  count = local.victoria-metrics-k8s-stack[\"enabled\"] && local.victoria-metrics-k8s-stack[\"default_network_policy\"] ? 1 : 0\n\n  metadata {\n    name      = \"${kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]}-allow-control-plane\"\n    namespace = kubernetes_namespace.victoria-metrics-k8s-stack.*.metadata.0.name[count.index]\n  }\n\n  spec {\n    pod_selector {\n      match_expressions {\n        key      = \"app\"\n        operator = \"In\"\n        values   = [\"${local.victoria-metrics-k8s-stack[\"name\"]}-operator\"]\n      }\n    }\n\n    ingress {\n      ports {\n        port     = \"10250\"\n        protocol = \"TCP\"\n      }\n\n      dynamic \"from\" {\n        for_each = local.victoria-metrics-k8s-stack[\"allowed_cidrs\"]\n        content {\n          ip_block {\n            cidr = from.value\n          }\n        }\n      }\n    }\n\n    policy_types = [\"Ingress\"]\n  }\n}\n"
  }
]