Parameterize host name

wso2 · Aug 26, 2024 · 7fbe2b1 · 7fbe2b1
1 parent 808f4b9
commit 7fbe2b1
Show file tree

Hide file tree

Showing 6 changed files with 75 additions and 27 deletions.
diff --git a/modules/aws/EKS-Cluster/iam_role.tf b/modules/aws/EKS-Cluster/iam_role.tf
@@ -10,7 +10,8 @@
 # --------------------------------------------------------------------------------------
 
 resource "aws_iam_role" "iam_role" {
-  name = join("-", [var.project, var.application, var.environment, var.region, "eks-iam-role"])
+  count = var.cluster_iam_role_arn != null ? 0 : 1
+  name  = join("-", [var.project, var.application, var.environment, var.region, "eks-iam-role"])
 
   assume_role_policy = <<POLICY
 {
@@ -30,8 +31,9 @@ POLICY
 }
 
 resource "aws_iam_role_policy_attachment" "amazon_eks_cluster_policy" {
+  count      = var.cluster_iam_role_arn != null ? 0 : 1
+  role       = aws_iam_role[0].iam_role.name
   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
-  role       = aws_iam_role.iam_role.name
 
   depends_on = [
     aws_iam_role.iam_role
@@ -41,8 +43,9 @@ resource "aws_iam_role_policy_attachment" "amazon_eks_cluster_policy" {
 # Optionally, enable Security Groups for Pods
 # Reference: https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html
 resource "aws_iam_role_policy_attachment" "amazon_eks_pc_resource_controller" {
+  count      = var.cluster_iam_role_arn != null ? 0 : 1
+  role       = aws_iam_role[0].iam_role.name
   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
-  role       = aws_iam_role.iam_role.name
 
   depends_on = [
     aws_iam_role.iam_role
@@ -70,6 +73,7 @@ resource "aws_iam_openid_connect_provider" "eks_ca_oidc_provider" {
 
 # IAM Role for IAM Cluster Autoscaler
 resource "aws_iam_role" "cluster_autoscaler_role" {
+  count              = var.enable_autoscaler == false ? 0 : 1
   assume_role_policy = data.aws_iam_policy_document.cluster_autoscaler_sts_policy.json
   name               = join("-", [var.project, var.application, var.environment, var.region, "eks-cluster-autoscaler-iam-role"])
 
@@ -83,7 +87,8 @@ resource "aws_iam_role" "cluster_autoscaler_role" {
 # AWS Documentation: https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md#full-cluster-autoscaler-features-policy-recommended
 # trivy:ignore:AVD-AWS-0057
 resource "aws_iam_policy" "cluster_autoscaler_policy" {
-  name = join("-", [var.project, var.application, var.environment, var.region, "eks-cluster-autoscaler-iam-policy"])
+  count = var.enable_autoscaler == false ? 0 : 1
+  name  = join("-", [var.project, var.application, var.environment, var.region, "eks-cluster-autoscaler-iam-policy"])
   policy = jsonencode({
     Statement = [{
       Action = [
@@ -104,8 +109,9 @@ resource "aws_iam_policy" "cluster_autoscaler_policy" {
 }
 
 resource "aws_iam_role_policy_attachment" "eks_ca_iam_policy_attach" {
-  role       = aws_iam_role.cluster_autoscaler_role.name
-  policy_arn = aws_iam_policy.cluster_autoscaler_policy.arn
+  count      = var.enable_autoscaler == false ? 0 : 1
+  role       = aws_iam_role.cluster_autoscaler_role[0].name
+  policy_arn = aws_iam_policy.cluster_autoscaler_policy[0].arn
 
   depends_on = [
     aws_iam_role.cluster_autoscaler_role,
@@ -115,6 +121,7 @@ resource "aws_iam_role_policy_attachment" "eks_ca_iam_policy_attach" {
 
 # IAM Role for IAM Cluster LoadBalancer
 resource "aws_iam_role" "cluster_loadbalancer_role" {
+  count              = var.enable_cluster_loadbalancer == false ? 0 : 1
   assume_role_policy = data.aws_iam_policy_document.cluster_lb_sts_policy.json
   name               = join("-", [var.project, var.application, var.environment, var.region, "eks-cluster-lb-iam-role"])
 
@@ -127,7 +134,8 @@ resource "aws_iam_role" "cluster_loadbalancer_role" {
 # AWS Documentation: https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html
 # trivy:ignore:AVD-AWS-0057
 resource "aws_iam_policy" "cluster_loadbalancer_policy" {
-  name = join("-", [var.project, var.application, var.environment, var.region, "eks-cluster-lb-iam-policy"])
+  count = var.enable_cluster_loadbalancer == false ? 0 : 1
+  name  = join("-", [var.project, var.application, var.environment, var.region, "eks-cluster-lb-iam-policy"])
   policy = jsonencode({
     Statement : [
       {
@@ -372,8 +380,9 @@ resource "aws_iam_policy" "cluster_loadbalancer_policy" {
 }
 
 resource "aws_iam_role_policy_attachment" "cluster_loadbalancer_policy_attach" {
-  role       = aws_iam_role.cluster_loadbalancer_role.name
-  policy_arn = aws_iam_policy.cluster_loadbalancer_policy.arn
+  count      = var.enable_cluster_loadbalancer == false ? 0 : 1
+  role       = aws_iam_role.cluster_loadbalancer_role[0].name
+  policy_arn = aws_iam_policy.cluster_loadbalancer_policy[0].arn
 
   depends_on = [
     aws_iam_role.cluster_loadbalancer_role,
@@ -383,6 +392,7 @@ resource "aws_iam_role_policy_attachment" "cluster_loadbalancer_policy_attach" {
 
 # IAM Role for CloudWatch Agents
 resource "aws_iam_role" "cluster_container_cloudwatch_fluent_bit_agent_role" {
+  count              = var.enable_fluent_bit == false ? 0 : 1
   assume_role_policy = data.aws_iam_policy_document.cluster_container_cloudwatch_fluent_bit_agent_sts_policy.json
   name               = join("-", [var.project, var.application, var.environment, var.region, "eks-cluster-ccw-iam-role"])
 
@@ -392,7 +402,8 @@ resource "aws_iam_role" "cluster_container_cloudwatch_fluent_bit_agent_role" {
 }
 
 resource "aws_iam_role_policy_attachment" "cluster_container_cloudwatch_fluent_bit_agent_policy_attach" {
-  role       = aws_iam_role.cluster_container_cloudwatch_fluent_bit_agent_role.name
+  count      = var.enable_fluent_bit == false ? 0 : 1
+  role       = aws_iam_role.cluster_container_cloudwatch_fluent_bit_agent_role[0].name
   policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
 
   depends_on = [
@@ -444,6 +455,7 @@ resource "aws_iam_role_policy_attachment" "cluster_efs_csi_driver_role_policy_at
 
 # CloudWatch Agent Policy
 resource "aws_iam_role" "cluster_cloudwatch_agent_role" {
+  count              = var.enable_cloudwatch_agent == false ? 0 : 1
   assume_role_policy = data.aws_iam_policy_document.cluster_cloudwatch_agent_sts_policy.json
   name               = join("-", [var.project, var.application, var.environment, var.region, "eks-cluster-cw-iam-role"])
 
@@ -453,7 +465,8 @@ resource "aws_iam_role" "cluster_cloudwatch_agent_role" {
 }
 
 resource "aws_iam_role_policy_attachment" "cluster_cloudwatch_agent_role_policy_attach" {
-  role       = aws_iam_role.cluster_cloudwatch_agent_role.name
+  count      = var.enable_cloudwatch_agent == false ? 0 : 1
+  role       = aws_iam_role.cluster_cloudwatch_agent_role[0].name
   policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
 
   depends_on = [

diff --git a/modules/aws/EKS-Cluster/outputs.tf b/modules/aws/EKS-Cluster/outputs.tf
@@ -22,20 +22,20 @@ output "eks_security_group_rule_id" {
   depends_on = [aws_subnet.eks_subnet]
 }
 output "autoscaler_role_arn" {
-  value      = aws_iam_role.cluster_autoscaler_role.arn
-  depends_on = [aws_iam_role.cluster_autoscaler_role]
+  value      = aws_iam_role.cluster_autoscaler_role[0].arn
+  depends_on = [aws_iam_role.cluster_autoscaler_role[0]]
 }
 output "lb_role_arn" {
-  value      = aws_iam_role.cluster_loadbalancer_role.arn
-  depends_on = [aws_iam_role.cluster_loadbalancer_role]
+  value      = aws_iam_role.cluster_loadbalancer_role[0].arn
+  depends_on = [aws_iam_role.cluster_loadbalancer_role[0]]
 }
 output "cloudwatch_fluent_bit_agent_role_arn" {
-  value      = aws_iam_role.cluster_container_cloudwatch_fluent_bit_agent_role.arn
-  depends_on = [aws_iam_role.cluster_container_cloudwatch_fluent_bit_agent_role]
+  value      = aws_iam_role.cluster_container_cloudwatch_fluent_bit_agent_role[0].arn
+  depends_on = [aws_iam_role.cluster_container_cloudwatch_fluent_bit_agent_role[0]]
 }
 output "cloudwatch_agent_role_arn" {
-  value      = aws_iam_role.cluster_cloudwatch_agent_role.arn
-  depends_on = [aws_iam_role.cluster_cloudwatch_agent_role]
+  value      = aws_iam_role.cluster_cloudwatch_agent_role[0].arn
+  depends_on = [aws_iam_role.cluster_cloudwatch_agent_role[0]]
 }
 output "ebs_csi_driver_role_arn" {
   value      = var.enable_ebs_csi_driver ? aws_iam_role.cluster_ebs_csi_driver_role[0].arn : null

diff --git a/modules/aws/EKS-Cluster/variables.tf b/modules/aws/EKS-Cluster/variables.tf
@@ -89,3 +89,27 @@ variable "enable_efs_csi_driver" {
   description = "Enable EFS CSI Driver"
   default     = false
 }
+variable "enable_autoscaler" {
+  type        = bool
+  description = "Enable Cluster Autoscaler"
+  default     = false
+}
+variable "enable_cluster_loadbalancer" {
+  type        = bool
+  description = "Enable Cluster Load Balancer"
+  default     = false
+}
+variable "enable_fluent_bit" {
+  type        = bool
+  description = "Enable Fluent Bit"
+  default     = false
+}
+variable "enable_cloudwatch_agent" {
+  type        = bool
+  description = "Enable CloudWatch Agent"
+  default     = false
+}
+variable "cluster_iam_role_arn" {
+  type        = string
+  description = "IAM Role ARN for the EKS Cluster"
+}
diff --git a/modules/aws/EKS-Node-Group/eks_node_group.tf b/modules/aws/EKS-Node-Group/eks_node_group.tf
@@ -12,7 +12,7 @@
 resource "aws_eks_node_group" "eks_node_group" {
   cluster_name    = var.eks_cluster_name
   node_group_name = join("-", [var.eks_cluster_name, var.node_group_name, "node-group"])
-  node_role_arn   = aws_iam_role.iam_role.arn
+  node_role_arn   = var.node_iam_role_arn == null ? aws_iam_role.iam_role.arn : var.node_iam_role_arn
   subnet_ids      = var.subnet_ids
   version         = var.k8s_version
   labels          = var.labels

diff --git a/modules/aws/EKS-Node-Group/iam_role.tf b/modules/aws/EKS-Node-Group/iam_role.tf
@@ -10,7 +10,8 @@
 # --------------------------------------------------------------------------------------
 
 resource "aws_iam_role" "iam_role" {
-  name = join("-", [var.eks_cluster_name, var.node_group_name, "eks-node-group-iam-role"])
+  count = var.node_iam_role_arn != null ? 0 : 1
+  name  = join("-", [var.eks_cluster_name, var.node_group_name, "eks-node-group-iam-role"])
 
   assume_role_policy = jsonencode({
     Statement = [{
@@ -27,8 +28,9 @@ resource "aws_iam_role" "iam_role" {
 
 # Required as per https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html
 resource "aws_iam_role_policy_attachment" "amazon_eks_worker_node_policy" {
+  count      = var.node_iam_role_arn != null ? 0 : 1
   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
-  role       = aws_iam_role.iam_role.name
+  role       = aws_iam_role[0].iam_role.name
 
   depends_on = [
     aws_iam_role.iam_role
@@ -37,8 +39,9 @@ resource "aws_iam_role_policy_attachment" "amazon_eks_worker_node_policy" {
 
 # Required as per https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html
 resource "aws_iam_role_policy_attachment" "amazon_eks_cni_policy" {
+  count      = var.node_iam_role_arn != null ? 0 : 1
   policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
-  role       = aws_iam_role.iam_role.name
+  role       = aws_iam_role[0].iam_role.name
 
   depends_on = [
     aws_iam_role.iam_role
@@ -48,7 +51,8 @@ resource "aws_iam_role_policy_attachment" "amazon_eks_cni_policy" {
 # Required as per https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html
 resource "aws_iam_role_policy_attachment" "amazon_ec2_container_registry_read_only" {
   policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
-  role       = aws_iam_role.iam_role.name
+  count      = var.node_iam_role_arn != null ? 0 : 1
+  role       = aws_iam_role[0].iam_role.name
 
   depends_on = [
     aws_iam_role.iam_role
@@ -108,7 +112,8 @@ resource "aws_iam_role_policy_attachment" "eks_ca_iam_policy_attach" {
 # AWS Documentation: https://docs.aws.amazon.com/AmazonECR/latest/userguide/pull-through-cache.html
 # trivy:ignore:AVD-AWS-0057
 resource "aws_iam_policy" "amazon_ec2_cache_policy" {
-  name = join("-", [var.eks_cluster_name, var.node_group_name, "eks-cluster-ecr-pull-cache-policy"])
+  count = var.node_iam_role_arn != null ? 0 : 1
+  name  = join("-", [var.eks_cluster_name, var.node_group_name, "eks-cluster-ecr-pull-cache-policy"])
   policy = jsonencode({
     Statement = [{
       Action = [
@@ -125,8 +130,9 @@ resource "aws_iam_policy" "amazon_ec2_cache_policy" {
 }
 
 resource "aws_iam_role_policy_attachment" "amazon_ec2_cache_policy_attachment" {
-  policy_arn = aws_iam_policy.amazon_ec2_cache_policy.arn
-  role       = aws_iam_role.iam_role.name
+  count      = var.node_iam_role_arn != null ? 0 : 1
+  policy_arn = aws_iam_policy[0].amazon_ec2_cache_policy.arn
+  role       = aws_iam_role[0].iam_role.name
 
   depends_on = [
     aws_iam_role.iam_role

diff --git a/modules/aws/EKS-Node-Group/variables.tf b/modules/aws/EKS-Node-Group/variables.tf
@@ -9,6 +9,11 @@
 #
 # --------------------------------------------------------------------------------------
 
+variable "node_iam_role_arn" {
+  type        = string
+  description = "IAM role ARN to be associated with the node group"
+  default     = null
+}
 variable "eks_cluster_name" {
   description = "Name of the EKS cluster"
   type        = string