feat(DMVP-4690): Add nginx ingress controller support

README.md

@@ -213,6 +213,7 @@ worker_groups = {
 | <a name="module_external-secrets"></a> [external-secrets](#module\_external-secrets) | ./modules/external-secrets | n/a |
 | <a name="module_fluent-bit"></a> [fluent-bit](#module\_fluent-bit) | ./modules/fluent-bit | n/a |
 | <a name="module_metrics-server"></a> [metrics-server](#module\_metrics-server) | ./modules/metrics-server | n/a |
+| <a name="module_nginx-ingress-controller"></a> [nginx-ingress-controller](#module\_nginx-ingress-controller) | ./modules/nginx-ingress-controller/ | n/a |
 | <a name="module_node-problem-detector"></a> [node-problem-detector](#module\_node-problem-detector) | ./modules/node-problem-detector | n/a |
 | <a name="module_olm"></a> [olm](#module\_olm) | ./modules/olm | n/a |
 | <a name="module_portainer"></a> [portainer](#module\_portainer) | ./modules/portainer | n/a |
@@ -271,6 +272,7 @@ worker_groups = {
 | <a name="input_map_roles"></a> [map\_roles](#input\_map\_roles) | Additional IAM roles to add to the aws-auth configmap. | <pre>list(object({<br>    rolearn  = string<br>    username = string<br>    groups   = list(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_metrics_exporter"></a> [metrics\_exporter](#input\_metrics\_exporter) | Metrics Exporter, can use cloudwatch or adot | `string` | `"adot"` | no |
 | <a name="input_metrics_server_name"></a> [metrics\_server\_name](#input\_metrics\_server\_name) | n/a | `string` | `"metrics-server"` | no |
+| <a name="input_nginx_ingress_controller_config"></a> [nginx\_ingress\_controller\_config](#input\_nginx\_ingress\_controller\_config) | Nginx ingress controller configs | <pre>object({<br>    enabled          = optional(bool, false)<br>    name             = optional(string, "nginx")<br>    create_namespace = optional(bool, true)<br>    namespace        = optional(string, "ingress-nginx")<br>    replicacount     = optional(number, 3)<br>    metrics_enabled  = optional(bool, true)<br>  })</pre> | <pre>{<br>  "create_namespace": true,<br>  "enabled": false,<br>  "metrics_enabled": true,<br>  "name": "nginx",<br>  "namespace": "ingress-nginx",<br>  "replicacount": 3<br>}</pre> | no |
 | <a name="input_node_groups"></a> [node\_groups](#input\_node\_groups) | Map of EKS managed node group definitions to create | `any` | <pre>{<br>  "default": {<br>    "desired_size": 2,<br>    "iam_role_additional_policies": [<br>      "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"<br>    ],<br>    "instance_types": [<br>      "t3.large"<br>    ],<br>    "max_size": 4,<br>    "min_size": 2<br>  }<br>}</pre> | no |
 | <a name="input_node_groups_default"></a> [node\_groups\_default](#input\_node\_groups\_default) | Map of EKS managed node group default configurations | `any` | <pre>{<br>  "disk_size": 50,<br>  "iam_role_additional_policies": [<br>    "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"<br>  ],<br>  "instance_types": [<br>    "t3.large"<br>  ]<br>}</pre> | no |
 | <a name="input_node_security_group_additional_rules"></a> [node\_security\_group\_additional\_rules](#input\_node\_security\_group\_additional\_rules) | n/a | `any` | <pre>{<br>  "ingress_cluster_10250": {<br>    "description": "Metric server to node groups",<br>    "from_port": 10250,<br>    "protocol": "tcp",<br>    "self": true,<br>    "to_port": 10250,<br>    "type": "ingress"<br>  },<br>  "ingress_cluster_8443": {<br>    "description": "Metric server to node groups",<br>    "from_port": 8443,<br>    "protocol": "tcp",<br>    "source_cluster_security_group": true,<br>    "to_port": 8443,<br>    "type": "ingress"<br>  }<br>}</pre> | no |

alb-ingress-controller.tf

@@ -0,0 +1,23 @@
+module "alb-ingress-controller" {
+  source = "./modules/aws-load-balancer-controller"
+
+  count = var.create ? 1 : 0
+
+  account_id = local.account_id
+  region     = local.region
+
+  cluster_name                = module.eks-cluster[0].cluster_id
+  eks_oidc_root_ca_thumbprint = local.eks_oidc_root_ca_thumbprint
+  oidc_provider_arn           = module.eks-cluster[0].oidc_provider_arn
+  enable_waf                  = var.enable_waf_for_alb
+
+  ## the load balancer access logs sync to s3=>lambda=>cloudwatch was disabled/commented-out so this params also need/can be commented,
+  ## after then the fix be applied for enabling this functionality we can uncomment them
+  # create_alb_log_bucket       = true
+  # alb_log_bucket_name = var.alb_log_bucket_name != "" ? var.alb_log_bucket_name : "${module.eks-cluster[0].cluster_id}-ingress-controller-log-bucket"
+  # alb_log_bucket_path = var.alb_log_bucket_path != "" ? var.alb_log_bucket_path : module.eks-cluster[0].cluster_id
+
+  depends_on = [
+    module.eks-cluster
+  ]
+}

main.tf

@@ -232,30 +232,6 @@ module "cloudwatch-metrics" {
   cluster_name                = module.eks-cluster[0].cluster_id
 }
 
-module "alb-ingress-controller" {
-  source = "./modules/aws-load-balancer-controller"
-
-  count = var.create ? 1 : 0
-
-  account_id = local.account_id
-  region     = local.region
-
-  cluster_name                = module.eks-cluster[0].cluster_id
-  eks_oidc_root_ca_thumbprint = local.eks_oidc_root_ca_thumbprint
-  oidc_provider_arn           = module.eks-cluster[0].oidc_provider_arn
-  enable_waf                  = var.enable_waf_for_alb
-
-  ## the load balancer access logs sync to s3=>lambda=>cloudwatch was disabled/commented-out so this params also need/can be commented,
-  ## after then the fix be applied for enabling this functionality we can uncomment them
-  # create_alb_log_bucket       = true
-  # alb_log_bucket_name = var.alb_log_bucket_name != "" ? var.alb_log_bucket_name : "${module.eks-cluster[0].cluster_id}-ingress-controller-log-bucket"
-  # alb_log_bucket_path = var.alb_log_bucket_path != "" ? var.alb_log_bucket_path : module.eks-cluster[0].cluster_id
-
-  depends_on = [
-    module.eks-cluster
-  ]
-}
-
 module "metrics-server" {
   source = "./modules/metrics-server"
 

modules/nginx-ingress-controller/README.md

@@ -0,0 +1,39 @@
+# nginx-ingress-controller
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_helm"></a> [helm](#provider\_helm) | >= 2.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [helm_release.ingress-nginx](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_create_namespace"></a> [create\_namespace](#input\_create\_namespace) | Create namespace or use existing one | `bool` | `true` | no |
+| <a name="input_metrics_enabled"></a> [metrics\_enabled](#input\_metrics\_enabled) | Enable metric export | `bool` | `true` | no |
+| <a name="input_name"></a> [name](#input\_name) | Name | `string` | `"nginx"` | no |
+| <a name="input_namespace"></a> [namespace](#input\_namespace) | Namespace name | `string` | `"ingress-nginx"` | no |
+| <a name="input_replicacount"></a> [replicacount](#input\_replicacount) | Nginx Ingress controller replica count | `number` | `3` | no |
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/nginx-ingress-controller/main.tf

@@ -0,0 +1,13 @@
+resource "helm_release" "ingress-nginx" {
+  name       = var.name
+  repository = "https://kubernetes.github.io/ingress-nginx"
+  values = [
+    templatefile("${path.module}/values.yaml.tpl", {
+      replicacount    = var.replicacount
+      metrics_enabled = var.metrics_enabled
+    })
+  ]
+  chart            = "ingress-nginx"
+  namespace        = var.namespace
+  create_namespace = true
+}

modules/nginx-ingress-controller/tests/basic/README.md

@@ -0,0 +1,29 @@
+# basic
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_this"></a> [this](#module\_this) | ../../ | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/nginx-ingress-controller/tests/basic/main.tf

@@ -0,0 +1,4 @@
+module "this" {
+  source = "../../"
+
+}

modules/nginx-ingress-controller/values.yaml.tpl

@@ -0,0 +1,8 @@
+controller:
+  config:
+    use-forwarded-headers: "true"
+    enable-underscores-in-headers: 'true'
+  replicaCount: ${replicacount}
+
+  metrics:
+    enabled: ${metrics_enabled}

modules/nginx-ingress-controller/variables.tf

@@ -0,0 +1,29 @@
+variable "name" {
+  type        = string
+  default     = "nginx"
+  description = "Name"
+}
+
+variable "namespace" {
+  type        = string
+  default     = "ingress-nginx"
+  description = "Namespace name"
+}
+
+variable "create_namespace" {
+  type        = bool
+  default     = true
+  description = "Create namespace or use existing one"
+}
+
+variable "replicacount" {
+  type        = number
+  default     = 3
+  description = "Nginx Ingress controller replica count"
+}
+
+variable "metrics_enabled" {
+  type        = bool
+  default     = true
+  description = "Enable metric export"
+}

modules/nginx-ingress-controller/version.tf

@@ -0,0 +1,5 @@
+terraform {
+  required_providers {
+    helm = ">= 2.0"
+  }
+}

nginx-ingress-controller.tf

@@ -0,0 +1,11 @@
+module "nginx-ingress-controller" {
+  source = "./modules/nginx-ingress-controller/"
+
+  count = var.nginx_ingress_controller_config.enabled ? 1 : 0
+
+  name             = var.nginx_ingress_controller_config.name
+  create_namespace = var.nginx_ingress_controller_config.create_namespace
+  namespace        = var.nginx_ingress_controller_config.namespace
+  replicacount     = var.nginx_ingress_controller_config.replicacount
+  metrics_enabled  = var.nginx_ingress_controller_config.metrics_enabled
+}

tests/basic/README.md

@@ -9,7 +9,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.67.0 |
 
 ## Modules
 

tests/eks-nginx-ingress-controller/0-setup.tf

@@ -0,0 +1,3 @@
+provider "aws" {
+  region = "eu-central-1"
+}

tests/eks-nginx-ingress-controller/1-example.tf

@@ -0,0 +1,38 @@
+# Prepare for test
+data "aws_availability_zones" "available" {}
+data "aws_vpcs" "ids" {
+  tags = {
+    Name = "default"
+  }
+}
+data "aws_subnet_ids" "subnets" {
+  vpc_id = data.aws_vpcs.ids.ids[0]
+}
+
+# test
+module "basic" {
+  source = "../.."
+
+  cluster_name = "test-cluster-345678"
+
+  vpc = {
+    link = {
+      id                 = data.aws_vpcs.ids.ids[0]
+      private_subnet_ids = data.aws_subnet_ids.subnets.ids
+    }
+  }
+
+  alarms = {
+    enabled   = false
+    sns_topic = ""
+  }
+
+  nginx_ingress_controller_config = {
+    enabled          = true
+    name             = "nginx"
+    create_namespace = true
+    namespace        = "ingress-nginx"
+    replicacount     = 3
+    metrics_enabled  = true
+  }
+}

tests/eks-nginx-ingress-controller/README.md

@@ -0,0 +1,35 @@
+# eks-nginx-ingress-controller
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.67.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_basic"></a> [basic](#module\_basic) | ../.. | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
+| [aws_subnet_ids.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source |
+| [aws_vpcs.ids](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpcs) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

variables.tf

@@ -310,6 +310,28 @@ variable "metrics_exporter" {
   description = "Metrics Exporter, can use cloudwatch or adot"
 }
 
+variable "nginx_ingress_controller_config" {
+  type = object({
+    enabled          = optional(bool, false)
+    name             = optional(string, "nginx")
+    create_namespace = optional(bool, true)
+    namespace        = optional(string, "ingress-nginx")
+    replicacount     = optional(number, 3)
+    metrics_enabled  = optional(bool, true)
+  })
+
+  default = {
+    enabled          = false
+    name             = "nginx"
+    create_namespace = true
+    namespace        = "ingress-nginx"
+    replicacount     = 3
+    metrics_enabled  = true
+  }
+
+  description = "Nginx ingress controller configs"
+}
+
 variable "adot_config" {
   description = "accept_namespace_regex defines the list of namespaces from which metrics will be exported, and additional_metrics defines additional metrics to export."
   type = object({