Merge pull request #65 from dasmeta/DMVP-2544-api-gw-controller

DMVP-2544: Add API-Gateway submodule
dasmeta · Jul 19, 2023 · 53a6ddd · 53a6ddd
2 parents 9554151 + 6d38ef7
commit 53a6ddd
Show file tree

Hide file tree

Showing 11 changed files with 226 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -201,6 +201,7 @@ worker_groups = {
 |------|--------|---------|
 | <a name="module_adot"></a> [adot](#module\_adot) | ./modules/adot | n/a |
 | <a name="module_alb-ingress-controller"></a> [alb-ingress-controller](#module\_alb-ingress-controller) | ./modules/aws-load-balancer-controller | n/a |
+| <a name="module_api-gw-controller"></a> [api-gw-controller](#module\_api-gw-controller) | ./modules/api-gw | n/a |
 | <a name="module_autoscaler"></a> [autoscaler](#module\_autoscaler) | ./modules/autoscaler | n/a |
 | <a name="module_cloudwatch-metrics"></a> [cloudwatch-metrics](#module\_cloudwatch-metrics) | ./modules/cloudwatch-metrics | n/a |
 | <a name="module_ebs-csi"></a> [ebs-csi](#module\_ebs-csi) | ./modules/ebs-csi | n/a |
@@ -230,6 +231,7 @@ worker_groups = {
 | <a name="input_adot_config"></a> [adot\_config](#input\_adot\_config) | n/a | `any` | <pre>{<br>  "accepte_namespace_regex": "(default|kube-system)",<br>  "additional_metrics": {}<br>}</pre> | no |
 | <a name="input_alb_log_bucket_name"></a> [alb\_log\_bucket\_name](#input\_alb\_log\_bucket\_name) | n/a | `string` | `""` | no |
 | <a name="input_alb_log_bucket_path"></a> [alb\_log\_bucket\_path](#input\_alb\_log\_bucket\_path) | ALB-INGRESS-CONTROLLER | `string` | `""` | no |
+| <a name="input_api_gw_deploy_region"></a> [api\_gw\_deploy\_region](#input\_api\_gw\_deploy\_region) | Region in which API gatewat will be configured | `string` | `""` | no |
 | <a name="input_autoscaler_image_patch"></a> [autoscaler\_image\_patch](#input\_autoscaler\_image\_patch) | The patch number of autoscaler image | `number` | `0` | no |
 | <a name="input_autoscaler_limits"></a> [autoscaler\_limits](#input\_autoscaler\_limits) | n/a | <pre>object({<br>    cpu    = string<br>    memory = string<br>  })</pre> | <pre>{<br>  "cpu": "100m",<br>  "memory": "600Mi"<br>}</pre> | no |
 | <a name="input_autoscaler_requests"></a> [autoscaler\_requests](#input\_autoscaler\_requests) | n/a | <pre>object({<br>    cpu    = string<br>    memory = string<br>  })</pre> | <pre>{<br>  "cpu": "100m",<br>  "memory": "600Mi"<br>}</pre> | no |
@@ -243,6 +245,7 @@ worker_groups = {
 | <a name="input_create_cert_manager"></a> [create\_cert\_manager](#input\_create\_cert\_manager) | If enabled it always gets deployed to the cert-manager namespace. | `bool` | `false` | no |
 | <a name="input_ebs_csi_version"></a> [ebs\_csi\_version](#input\_ebs\_csi\_version) | EBS CSI driver addon version | `string` | `"v1.15.0-eksbuild.1"` | no |
 | <a name="input_efs_id"></a> [efs\_id](#input\_efs\_id) | EFS filesystem id in AWS | `string` | `null` | no |
+| <a name="input_enable_api_gw_controller"></a> [enable\_api\_gw\_controller](#input\_enable\_api\_gw\_controller) | Weather enable API-GW controller or not | `bool` | `false` | no |
 | <a name="input_enable_ebs_driver"></a> [enable\_ebs\_driver](#input\_enable\_ebs\_driver) | Weather enable EBS-CSI driver or not | `bool` | `true` | no |
 | <a name="input_enable_efs_driver"></a> [enable\_efs\_driver](#input\_enable\_efs\_driver) | Weather install EFS driver or not in EKS | `bool` | `false` | no |
 | <a name="input_enable_kube_state_metrics"></a> [enable\_kube\_state\_metrics](#input\_enable\_kube\_state\_metrics) | Enable kube-state-metrics | `bool` | `false` | no |

diff --git a/main.tf b/main.tf
@@ -375,3 +375,13 @@ module "ebs-csi" {
   cluster_oidc_arn = module.eks-cluster[0].oidc_provider_arn
   addon_version    = var.ebs_csi_version
 }
+
+module "api-gw-controller" {
+  source = "./modules/api-gw"
+
+  count = var.enable_api_gw_controller ? 1 : 0
+
+  cluster_name     = var.cluster_name
+  cluster_oidc_arn = module.eks-cluster[0].oidc_provider_arn
+  deploy_region    = var.api_gw_deploy_region
+}
diff --git a/modules/api-gw/README.md b/modules/api-gw/README.md
@@ -0,0 +1,63 @@
+# API Gateway controller
+
+To enable API-Gateway controller in EKS cluster you need to set
+```terraform
+module "eks" {
+
+...
+enable_api_gw_controller = true
+...
+
+}
+```
+
+## How to deploy API from EKS using controller
+API, and its dependent parts (integrations, routes, ...) are deployed with CRDs
+which you can find [here](https://aws-controllers-k8s.github.io/community/docs/tutorials/apigatewayv2-reference-example/)
+
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.3 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.31 |
+| <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.4.1 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.31 |
+| <a name="provider_helm"></a> [helm](#provider\_helm) | >= 2.4.1 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [helm_release.api-gw-release](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [kubernetes_service_account.servciceaccount](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |
+| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_chart_version"></a> [chart\_version](#input\_chart\_version) | Chart version of api-gw | `string` | `"0.0.17"` | no |
+| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Cluster name to pass to role | `string` | n/a | yes |
+| <a name="input_cluster_oidc_arn"></a> [cluster\_oidc\_arn](#input\_cluster\_oidc\_arn) | Cluster OIDC arn to pass to policy | `string` | n/a | yes |
+| <a name="input_deploy_region"></a> [deploy\_region](#input\_deploy\_region) | Region in which API gatewat will be configured | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/api-gw/iam.tf b/modules/api-gw/iam.tf
@@ -0,0 +1,26 @@
+locals {
+  oidc_id = split("/", var.cluster_oidc_arn)[3]
+}
+
+data "aws_region" "current" {}
+
+data "aws_caller_identity" "this" {}
+
+resource "aws_iam_policy" "policy" {
+  name        = "AmazonEKSClusterApiGateway-${var.cluster_name}-${data.aws_region.current.name}"
+  path        = "/"
+  description = "Amazon EKS API gateway Policy"
+
+  policy = templatefile("${path.module}/policies/api-gw-policy.json", {
+    cluster_name = var.cluster_name
+  })
+}
+
+resource "aws_iam_role" "role" {
+  name = "api-gw-${var.cluster_name}-${data.aws_region.current.name}"
+  assume_role_policy = templatefile("${path.module}/policies/trusted-policy.json", {
+    oidc           = var.cluster_oidc_arn,
+    current_region = data.aws_region.current.name,
+  oidc_id = local.oidc_id })
+  managed_policy_arns = [aws_iam_policy.policy.arn]
+}
diff --git a/modules/api-gw/main.tf b/modules/api-gw/main.tf
@@ -0,0 +1,19 @@
+resource "helm_release" "api-gw-release" {
+  depends_on = [kubernetes_service_account.servciceaccount]
+
+  name       = "api-gateway-controller"
+  repository = "oci://public.ecr.aws/aws-controllers-k8s"
+  chart      = "apigatewayv2-chart"
+  version    = var.chart_version
+  namespace  = "kube-system"
+
+  set {
+    name  = "serviceAccount.create"
+    value = "false"
+  }
+
+  set {
+    name  = "aws.region"
+    value = var.deploy_region == "" ? data.aws_region.current.name : var.deploy_region
+  }
+}
diff --git a/modules/api-gw/policies/api-gw-policy.json b/modules/api-gw/policies/api-gw-policy.json
@@ -0,0 +1,32 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "autoscaling:SetDesiredCapacity",
+                "autoscaling:TerminateInstanceInAutoScalingGroup"
+            ],
+            "Resource": "*",
+            "Condition": {
+                "StringEquals": {
+                    "aws:ResourceTag/k8s.io/cluster-autoscaler/${cluster_name}": "owned"
+                }
+            }
+        },
+        {
+            "Sid": "VisualEditor1",
+            "Effect": "Allow",
+            "Action": [
+                "autoscaling:DescribeAutoScalingInstances",
+                "autoscaling:DescribeAutoScalingGroups",
+                "ec2:DescribeLaunchTemplateVersions",
+                "autoscaling:DescribeTags",
+                "autoscaling:DescribeLaunchConfigurations",
+                "ec2:DescribeInstanceTypes"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
diff --git a/modules/api-gw/policies/trusted-policy.json b/modules/api-gw/policies/trusted-policy.json
@@ -0,0 +1,17 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "${oidc}"
+      },
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "StringEquals": {
+          "oidc.eks.${current_region}.amazonaws.com/id/${oidc_id}:sub": "system:serviceaccount:kube-system:ack-apigatewayv2-controller"
+        }
+      }
+    }
+  ]
+}
diff --git a/modules/api-gw/sa.tf b/modules/api-gw/sa.tf
@@ -0,0 +1,9 @@
+resource "kubernetes_service_account" "servciceaccount" {
+  metadata {
+    name      = "api-gateway-controller"
+    namespace = "kube-system"
+    annotations = {
+      "eks.amazonaws.com/role-arn" = aws_iam_role.role.arn
+    }
+  }
+}
diff --git a/modules/api-gw/variables.tf b/modules/api-gw/variables.tf
@@ -0,0 +1,20 @@
+variable "cluster_oidc_arn" {
+  type        = string
+  description = "Cluster OIDC arn to pass to policy"
+}
+
+variable "cluster_name" {
+  type        = string
+  description = "Cluster name to pass to role"
+}
+
+variable "chart_version" {
+  description = "Chart version of api-gw"
+  type        = string
+  default     = "0.0.17"
+}
+
+variable "deploy_region" {
+  description = "Region in which API gatewat will be configured"
+  type        = string
+}
diff --git a/modules/api-gw/versions.tf b/modules/api-gw/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+  required_version = "~> 1.3"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.31"
+    }
+
+    helm = {
+      source  = "hashicorp/helm"
+      version = ">= 2.4.1"
+    }
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -348,3 +348,15 @@ variable "autoscaler_requests" {
     memory = "600Mi"
   }
 }
+
+variable "enable_api_gw_controller" {
+  description = "Weather enable API-GW controller or not"
+  type        = bool
+  default     = false
+}
+
+variable "api_gw_deploy_region" {
+  description = "Region in which API gatewat will be configured"
+  type        = string
+  default     = ""
+}