Unify module design (#7)

Unify module design

Co-authored-by: Martin Dojcak <[email protected]>

Author: tomas-balaz

.github/workflows/main.yml

@@ -2,14 +2,14 @@ name: Terraform validation
 
 on:
   push:
-    branches: [ master ]
+    branches: [ main ]
   pull_request:
-    branches: [ master ]
+    branches: [ main ]
 
 env:
-  TERRAFORM_DOCS_VERSION: "v0.15.0"
-  TFLINT_VERSION: "v0.25.0"
-  TFSEC_VERSION: "v0.39.6"
+  TERRAFORM_DOCS_VERSION: "v0.16.0"
+  TFLINT_VERSION: "v0.35.0"
+  TFSEC_VERSION: "v1.6.2"
 
 jobs:
   terraform-validation:
@@ -71,6 +71,11 @@ jobs:
         run: |
           pip install detect-secrets
 
+      - shell: bash
+        name: "INSTALL: checkov"
+        run: |
+          pip install checkov
+
       - shell: bash
         name: "INSTALL: tflint"
         if: steps.cache-tflint.outputs.cache-hit != 'true'
@@ -84,6 +89,10 @@ jobs:
         name: "SETUP: tflint path"
         run: echo '~/tflint/bin/' >> $GITHUB_PATH
 
+      - shell: bash
+        name: "INIT: TFLint"
+        run: tflint --init
+
       - uses: actions/cache@v2
         id: cache-tfsec
         name: "CACHE: tfsec"

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.0.1
+    rev: v4.1.0
     hooks:
       - id: trailing-whitespace
       - id: check-merge-conflict
@@ -9,29 +9,25 @@ repos:
       - id: detect-private-key
       - id: end-of-file-fixer
 
-  - repo: https://github.com/gruntwork-io/pre-commit
-    rev: v0.1.12
-    hooks:
-      - id: tflint
-      - id: terraform-validate
-
-  - repo: git://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.50.0
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.64.1
     hooks:
     - id: terraform_fmt
     - id: terraform_tflint
-    #- id: terraform_tfsec
+    - id: terraform_validate
+    - id: checkov
     - id: terraform_docs
       args:
         - '--args=--hide providers --sort-by required'
 
-  - repo: git://github.com/pecigonzalo/pre-commit-terraform-vars
+  - repo: https://github.com/pecigonzalo/pre-commit-terraform-vars
     rev: v1.0.0
     hooks:
     - id: terraform-vars
 
   - repo: https://github.com/Yelp/detect-secrets
-    rev: v1.1.0
+    rev: v1.2.0
     hooks:
       - id: detect-secrets
         args: ['--baseline', '.secrets.baseline']
+        exclude: terraform.tfstate

.tflint.hcl

@@ -0,0 +1,5 @@
+plugin "aws" {
+  enabled = true
+  version = "0.13.2"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}

README.md

@@ -1,4 +1,9 @@
 locals {
+  argo_application_metadata = {
+    "labels" : try(var.argo_metadata.labels, {}),
+    "annotations" : try(var.argo_metadata.annotations, {}),
+    "finalizers" : try(var.argo_metadata.finalizers, [])
+  }
   argo_application_values = {
     "project" : var.argo_project
     "source" : {
@@ -8,48 +13,73 @@ locals {
       "helm" : {
         "releaseName" : var.helm_release_name
         "parameters" : [for k, v in var.settings : tomap({ "forceString" : true, "name" : k, "value" : v })]
-        "values" : data.utils_deep_merge_yaml.values[0].output
+        "values" : var.enabled ? data.utils_deep_merge_yaml.values[0].output : ""
       }
     }
     "destination" : {
       "server" : var.argo_destionation_server
-      "namespace" : var.k8s_namespace
+      "namespace" : var.namespace
     }
     "syncPolicy" : var.argo_sync_policy
     "info" : var.argo_info
   }
 }
 
-data "utils_deep_merge_yaml" "argo_application_values" {
-  count = var.enabled && var.argo_application_enabled && var.argo_application_use_helm ? 1 : 0
+data "utils_deep_merge_yaml" "argo_helm_values" {
+  count = var.enabled && var.argo_enabled && var.argo_helm_enabled ? 1 : 0
   input = compact([
-    yamlencode(local.argo_application_values),
-    var.argo_application_values
+    yamlencode({
+      "apiVersion" : var.argo_apiversion
+    }),
+    yamlencode({
+      "spec" : local.argo_application_values
+    }),
+    yamlencode({
+      "spec" : var.argo_spec
+    }),
+    yamlencode(
+      local.argo_application_metadata
+    )
   ])
 }
 
-resource "helm_release" "argocd_application" {
-  count = var.enabled && var.argo_application_enabled && var.argo_application_use_helm ? 1 : 0
+resource "helm_release" "argo_application" {
+  count = var.enabled && var.argo_enabled && var.argo_helm_enabled ? 1 : 0
 
   chart     = "${path.module}/helm/argocd-application"
   name      = var.helm_release_name
   namespace = var.argo_namespace
 
   values = [
-    data.utils_deep_merge_yaml.argo_application_values[0].output
+    data.utils_deep_merge_yaml.argo_helm_values[0].output,
+    var.argo_helm_values
   ]
 }
 
-
-resource "kubernetes_manifest" "self" {
-  count = var.enabled && var.argo_application_enabled && !var.argo_application_use_helm ? 1 : 0
+resource "kubernetes_manifest" "this" {
+  count = var.enabled && var.argo_enabled && !var.argo_helm_enabled ? 1 : 0
   manifest = {
-    "apiVersion" = "argoproj.io/v1alpha1"
+    "apiVersion" = var.argo_apiversion
     "kind"       = "Application"
-    "metadata" = {
-      "name"      = var.helm_release_name
-      "namespace" = var.argo_namespace
-    }
-    "spec" = local.argo_application_values
+    "metadata" = merge(
+      local.argo_application_metadata,
+      { "name" = var.helm_release_name },
+      { "namespace" = var.argo_namespace },
+    )
+    "spec" = merge(
+      local.argo_application_values,
+      var.argo_spec
+    )
+  }
+
+  computed_fields = var.argo_kubernetes_manifest_computed_fields
+
+  field_manager {
+    name            = var.argo_kubernetes_manifest_field_manager_name
+    force_conflicts = var.argo_kubernetes_manifest_field_manager_force_conflicts
+  }
+
+  wait_for = {
+    fields = var.argo_kubernetes_manifest_wait_for_fields
   }
 }

argo.tf

@@ -2,6 +2,22 @@
 
 The code in this example shows how to use the module with basic configuration and minimal set of other resources.
 
+## Deployment methods
+
+### Helm
+Deploy helm chart by helm (default method, set `enabled = true`)
+
+### Argo kubernetes
+Deploy helm chart as argo application by kubernetes manifest (set `enabled = true` and `argo_enabled = true`)
+
+### Argo helm
+Create helm release resource and deploy it as argo application (set `enabled = true`, `argo_enabled = true` and `argo_helm_enabled = true`)
+
+## AWS IAM resources
+
+To disable of creation IRSA role and IRSA policy, set `irsa_role_create = false` and `irsa_policy_enabled = false`, respectively
+
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
@@ -11,10 +27,15 @@ No requirements.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_eks_cluster"></a> [eks\_cluster](#module\_eks\_cluster) | cloudposse/eks-cluster/aws | 0.43.2 |
-| <a name="module_eks_node_group"></a> [eks\_node\_group](#module\_eks\_node\_group) | cloudposse/eks-node-group/aws | 0.25.0 |
-| <a name="module_lb_controller"></a> [lb\_controller](#module\_lb\_controller) | ../../ | n/a |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 3.6.0 |
+| <a name="module_eks_cluster"></a> [eks\_cluster](#module\_eks\_cluster) | cloudposse/eks-cluster/aws | 0.45.0 |
+| <a name="module_eks_node_group"></a> [eks\_node\_group](#module\_eks\_node\_group) | cloudposse/eks-node-group/aws | 0.28.0 |
+| <a name="module_lb_controller_argo_helm"></a> [lb\_controller\_argo\_helm](#module\_lb\_controller\_argo\_helm) | ../../ | n/a |
+| <a name="module_lb_controller_argo_kubernetes"></a> [lb\_controller\_argo\_kubernetes](#module\_lb\_controller\_argo\_kubernetes) | ../../ | n/a |
+| <a name="module_lb_controller_helm"></a> [lb\_controller\_helm](#module\_lb\_controller\_helm) | ../../ | n/a |
+| <a name="module_lbc_disabled"></a> [lbc\_disabled](#module\_lbc\_disabled) | ../../ | n/a |
+| <a name="module_lbc_without_irsa_policy"></a> [lbc\_without\_irsa\_policy](#module\_lbc\_without\_irsa\_policy) | ../../ | n/a |
+| <a name="module_lbc_without_irsa_role"></a> [lbc\_without\_irsa\_role](#module\_lbc\_without\_irsa\_role) | ../../ | n/a |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 3.13.0 |
 
 ## Resources
 

examples/basic/README.md

@@ -1,6 +1,6 @@
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "3.6.0"
+  version = "3.13.0"
 
   name               = "lb_controller-vpc"
   cidr               = "10.0.0.0/16"
@@ -11,7 +11,7 @@ module "vpc" {
 
 module "eks_cluster" {
   source  = "cloudposse/eks-cluster/aws"
-  version = "0.43.2"
+  version = "0.45.0"
 
   region     = "eu-central-1"
   subnet_ids = module.vpc.public_subnets
@@ -21,7 +21,7 @@ module "eks_cluster" {
 
 module "eks_node_group" {
   source  = "cloudposse/eks-node-group/aws"
-  version = "0.25.0"
+  version = "0.28.0"
 
   cluster_name   = "lb_controller"
   instance_types = ["t3.medium"]
@@ -32,10 +32,98 @@ module "eks_node_group" {
   depends_on     = [module.eks_cluster.kubernetes_config_map_id]
 }
 
-module "lb_controller" {
+module "lbc_disabled" {
   source = "../../"
 
+  enabled = false
+
   cluster_name                     = module.eks_cluster.eks_cluster_id
   cluster_identity_oidc_issuer     = module.eks_cluster.eks_cluster_identity_oidc_issuer
   cluster_identity_oidc_issuer_arn = module.eks_cluster.eks_cluster_identity_oidc_issuer_arn
+
+}
+
+module "lbc_without_irsa_role" {
+  source = "../../"
+
+  irsa_role_create                 = false
+  cluster_name                     = module.eks_cluster.eks_cluster_id
+  cluster_identity_oidc_issuer     = module.eks_cluster.eks_cluster_identity_oidc_issuer
+  cluster_identity_oidc_issuer_arn = module.eks_cluster.eks_cluster_identity_oidc_issuer_arn
+
+}
+
+module "lbc_without_irsa_policy" {
+  source = "../../"
+
+  irsa_policy_enabled              = false
+  cluster_name                     = module.eks_cluster.eks_cluster_id
+  cluster_identity_oidc_issuer     = module.eks_cluster.eks_cluster_identity_oidc_issuer
+  cluster_identity_oidc_issuer_arn = module.eks_cluster.eks_cluster_identity_oidc_issuer_arn
+}
+
+
+module "lb_controller_helm" {
+  source = "../../"
+
+  enabled           = true
+  argo_enabled      = false
+  argo_helm_enabled = false
+
+  cluster_name                     = module.eks_cluster.eks_cluster_id
+  cluster_identity_oidc_issuer     = module.eks_cluster.eks_cluster_identity_oidc_issuer
+  cluster_identity_oidc_issuer_arn = module.eks_cluster.eks_cluster_identity_oidc_issuer_arn
+
+  helm_release_name = "aws-lbc-helm"
+  namespace         = "aws-lb-controller-helm"
+
+  values = yamlencode({
+    "podLabels" : {
+      "app" : "aws-lbc-helm"
+    }
+  })
+
+  helm_timeout = 240
+  helm_wait    = true
+}
+
+module "lb_controller_argo_kubernetes" {
+  source = "../../"
+
+  enabled           = true
+  argo_enabled      = true
+  argo_helm_enabled = false
+
+  cluster_name                     = module.eks_cluster.eks_cluster_id
+  cluster_identity_oidc_issuer     = module.eks_cluster.eks_cluster_identity_oidc_issuer
+  cluster_identity_oidc_issuer_arn = module.eks_cluster.eks_cluster_identity_oidc_issuer_arn
+
+  helm_release_name = "aws-lbc-argo-kubernetes"
+  namespace         = "aws-lb-controller-argo-kubernetes"
+
+  argo_sync_policy = {
+    "automated" : {}
+    "syncOptions" = ["CreateNamespace=true"]
+  }
+}
+
+module "lb_controller_argo_helm" {
+  source = "../../"
+
+  enabled           = true
+  argo_enabled      = true
+  argo_helm_enabled = true
+
+  cluster_name                     = module.eks_cluster.eks_cluster_id
+  cluster_identity_oidc_issuer     = module.eks_cluster.eks_cluster_identity_oidc_issuer
+  cluster_identity_oidc_issuer_arn = module.eks_cluster.eks_cluster_identity_oidc_issuer_arn
+
+  helm_release_name = "aws-lbc-argo-helm"
+  namespace         = "aws-lb-controller-argo-helm"
+
+  argo_namespace = "argo"
+  argo_sync_policy = {
+    "automated" : {}
+    "syncOptions" = ["CreateNamespace=true"]
+  }
 }