Update dependencies, add testing

.github/workflows/release-branch.yml

@@ -10,6 +10,7 @@ on:
  - 'docs/**'
  - 'examples/**'
  - 'test/**'
+ - 'README.*'
 
 permissions:
  contents: write

README.md

@@ -281,7 +281,7 @@ Available targets:
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_eks_iam_policy"></a> [eks\_iam\_policy](#module\_eks\_iam\_policy) | cloudposse/iam-policy/aws | 0.4.0 |
-| <a name="module_eks_iam_role"></a> [eks\_iam\_role](#module\_eks\_iam\_role) | cloudposse/eks-iam-role/aws | 1.1.0 |
+| <a name="module_eks_iam_role"></a> [eks\_iam\_role](#module\_eks\_iam\_role) | cloudposse/eks-iam-role/aws | 2.0.0 |
 | <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
 
 ## Resources
@@ -317,10 +317,10 @@ Available targets:
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
 | <a name="input_force_update"></a> [force\_update](#input\_force\_update) | Force resource update through delete/recreate if needed. Defaults to `false`. | `bool` | `null` | no |
-| <a name="input_iam_policy_statements"></a> [iam\_policy\_statements](#input\_iam\_policy\_statements) | IAM policy for the service account. Required if `var.iam_role_enabled` is `true`. This will not do variable replacements. Please see `var.iam_policy_statements_template_path`. | `any` | `{}` | no |
+| <a name="input_iam_policy_statements"></a> [iam\_policy\_statements](#input\_iam\_policy\_statements) | DEPRECATED, use `iam_source_policy_documents` instead: IAM policy (as `map(string)`)for the service account. | `any` | `{}` | no |
 | <a name="input_iam_role_enabled"></a> [iam\_role\_enabled](#input\_iam\_role\_enabled) | Whether to create an IAM role. Setting this to `true` will also replace any occurrences of `{service_account_role_arn}` in `var.values_template_path` with the ARN of the IAM role created by this module. | `bool` | `false` | no |
-| <a name="input_iam_source_json_url"></a> [iam\_source\_json\_url](#input\_iam\_source\_json\_url) | IAM source json policy to download. This will be used as the `source_json` meaning the `var.iam_policy_statements` and `var.iam_policy_statements_template_path` can override it. | `string` | `null` | no |
-| <a name="input_iam_source_policy_documents"></a> [iam\_source\_policy\_documents](#input\_iam\_source\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. Statements defined in `source_policy_documents` or `source_json` must have unique sids. Statements with the same sid from documents assigned to the `override_json` and `override_policy_documents` arguments will override source statements. | `list(string)` | `null` | no |
+| <a name="input_iam_source_json_url"></a> [iam\_source\_json\_url](#input\_iam\_source\_json\_url) | IAM source json policy to download. The downloaded policy will be combined with `iam_source_policy_statements`. | `string` | `null` | no |
+| <a name="input_iam_source_policy_documents"></a> [iam\_source\_policy\_documents](#input\_iam\_source\_policy\_documents) | List of JSON IAM policy documents that are merged together into role's policy. Statements defined in `source_policy_documents` or `source_json` must have unique sids. | `list(string)` | `null` | no |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
 | <a name="input_keyring"></a> [keyring](#input\_keyring) | Location of public keys used for verification. Used only if `verify` is true. Defaults to `/.gnupg/pubring.gpg` in the location set by `home`. | `string` | `null` | no |
 | <a name="input_kubernetes_namespace"></a> [kubernetes\_namespace](#input\_kubernetes\_namespace) | The namespace to install the release into. Defaults to `default`. | `string` | `null` | no |

docs/terraform.md

@@ -19,7 +19,7 @@
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_eks_iam_policy"></a> [eks\_iam\_policy](#module\_eks\_iam\_policy) | cloudposse/iam-policy/aws | 0.4.0 |
-| <a name="module_eks_iam_role"></a> [eks\_iam\_role](#module\_eks\_iam\_role) | cloudposse/eks-iam-role/aws | 1.1.0 |
+| <a name="module_eks_iam_role"></a> [eks\_iam\_role](#module\_eks\_iam\_role) | cloudposse/eks-iam-role/aws | 2.0.0 |
 | <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
 
 ## Resources
@@ -55,10 +55,10 @@
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
 | <a name="input_force_update"></a> [force\_update](#input\_force\_update) | Force resource update through delete/recreate if needed. Defaults to `false`. | `bool` | `null` | no |
-| <a name="input_iam_policy_statements"></a> [iam\_policy\_statements](#input\_iam\_policy\_statements) | IAM policy for the service account. Required if `var.iam_role_enabled` is `true`. This will not do variable replacements. Please see `var.iam_policy_statements_template_path`. | `any` | `{}` | no |
+| <a name="input_iam_policy_statements"></a> [iam\_policy\_statements](#input\_iam\_policy\_statements) | DEPRECATED, use `iam_source_policy_documents` instead: IAM policy (as `map(string)`)for the service account. | `any` | `{}` | no |
 | <a name="input_iam_role_enabled"></a> [iam\_role\_enabled](#input\_iam\_role\_enabled) | Whether to create an IAM role. Setting this to `true` will also replace any occurrences of `{service_account_role_arn}` in `var.values_template_path` with the ARN of the IAM role created by this module. | `bool` | `false` | no |
-| <a name="input_iam_source_json_url"></a> [iam\_source\_json\_url](#input\_iam\_source\_json\_url) | IAM source json policy to download. This will be used as the `source_json` meaning the `var.iam_policy_statements` and `var.iam_policy_statements_template_path` can override it. | `string` | `null` | no |
-| <a name="input_iam_source_policy_documents"></a> [iam\_source\_policy\_documents](#input\_iam\_source\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. Statements defined in `source_policy_documents` or `source_json` must have unique sids. Statements with the same sid from documents assigned to the `override_json` and `override_policy_documents` arguments will override source statements. | `list(string)` | `null` | no |
+| <a name="input_iam_source_json_url"></a> [iam\_source\_json\_url](#input\_iam\_source\_json\_url) | IAM source json policy to download. The downloaded policy will be combined with `iam_source_policy_statements`. | `string` | `null` | no |
+| <a name="input_iam_source_policy_documents"></a> [iam\_source\_policy\_documents](#input\_iam\_source\_policy\_documents) | List of JSON IAM policy documents that are merged together into role's policy. Statements defined in `source_policy_documents` or `source_json` must have unique sids. | `list(string)` | `null` | no |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
 | <a name="input_keyring"></a> [keyring](#input\_keyring) | Location of public keys used for verification. Used only if `verify` is true. Defaults to `/.gnupg/pubring.gpg` in the location set by `home`. | `string` | `null` | no |
 | <a name="input_kubernetes_namespace"></a> [kubernetes\_namespace](#input\_kubernetes\_namespace) | The namespace to install the release into. Defaults to `default`. | `string` | `null` | no |

examples/complete/fixtures.us-east-2.tfvars

@@ -12,7 +12,30 @@ name = "helm"
 
 availability_zones = ["us-east-2a", "us-east-2b"]
 
-kubernetes_version = "1.19"
+kubernetes_version = "1.26"
+addons = [
+ // https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html#vpc-cni-latest-available-version
+ {
+ addon_name = "vpc-cni"
+ addon_version = null
+ resolve_conflicts = "NONE"
+ service_account_role_arn = null
+ },
+ // https://docs.aws.amazon.com/eks/latest/userguide/managing-kube-proxy.html
+ {
+ addon_name = "kube-proxy"
+ addon_version = null
+ resolve_conflicts = "NONE"
+ service_account_role_arn = null
+ },
+ // https://docs.aws.amazon.com/eks/latest/userguide/managing-coredns.html
+ {
+ addon_name = "coredns"
+ addon_version = null
+ resolve_conflicts = "NONE"
+ service_account_role_arn = null
+ },
+]
 
 oidc_provider_enabled = true
 
@@ -36,15 +59,15 @@ cluster_encryption_config_enabled = true
 
 ## helm related
 
-repository = "https://charts.helm.sh/incubator"
+repository = "https://aws.github.io/eks-charts/"
 
-chart = "raw"
+chart = "aws-node-termination-handler"
 
-chart_version = "0.2.5"
+chart_version = "0.21.0"
 
 create_namespace = true
 
-kubernetes_namespace = "echo"
+kubernetes_namespace = "test"
 
 atomic = true
 

examples/complete/main-eks.tf

@@ -34,7 +34,7 @@ locals {
 
 module "vpc" {
  source = "cloudposse/vpc/aws"
- version = "1.1.1"
+ version = "2.1.0"
 
  ipv4_primary_cidr_block = "172.16.0.0/16"
 
@@ -45,7 +45,7 @@ module "vpc" {
 
 module "subnets" {
  source = "cloudposse/dynamic-subnets/aws"
- version = "2.0.3"
+ version = "2.3.0"
 
  availability_zones = var.availability_zones
  vpc_id = module.vpc.vpc_id
@@ -58,11 +58,13 @@ module "subnets" {
  private_subnets_additional_tags = local.private_subnets_additional_tags
 
  context = module.this.context
+
+ depends_on = [module.vpc]
 }
 
 module "eks_cluster" {
  source = "cloudposse/eks-cluster/aws"
- version = "2.4.0"
+ version = "2.8.0"
 
  region = var.region
  vpc_id = module.vpc.vpc_id
@@ -81,26 +83,18 @@ module "eks_cluster" {
  cluster_encryption_config_resources = var.cluster_encryption_config_resources
 
  context = module.this.context
-}
 
-# Ensure ordering of resource creation to eliminate the race conditions when applying the Kubernetes Auth ConfigMap.
-# Do not create Node Group before the EKS cluster is created and the `aws-auth` Kubernetes ConfigMap is applied.
-# Otherwise, EKS will create the ConfigMap first and add the managed node role ARNs to it,
-# and the kubernetes provider will throw an error that the ConfigMap already exists (because it can't update the map, only create it).
-# If we create the ConfigMap first (to add additional roles/users/accounts), EKS will just update it by adding the managed node role ARNs.
-data "null_data_source" "wait_for_cluster_and_kubernetes_configmap" {
- inputs = {
- cluster_name = module.eks_cluster.eks_cluster_id
- kubernetes_config_map_id = module.eks_cluster.kubernetes_config_map_id
- }
+ addons = var.addons
+ addons_depends_on = [module.eks_node_group]
+ cluster_depends_on = [module.subnets]
 }
 
 module "eks_node_group" {
  source = "cloudposse/eks-node-group/aws"
- version = "2.4.0"
+ version = "2.10.0"
 
  subnet_ids = module.subnets.private_subnet_ids
- cluster_name = data.null_data_source.wait_for_cluster_and_kubernetes_configmap.outputs["cluster_name"]
+ cluster_name = module.eks_cluster.eks_cluster_id
  instance_types = var.instance_types
  desired_size = var.desired_size
  min_size = var.min_size

examples/complete/main.tf

@@ -10,6 +10,13 @@ provider "helm" {
  }
 }
 
+provider "kubernetes" {
+ host = module.eks_cluster.eks_cluster_endpoint
+ token = data.aws_eks_cluster_auth.kubernetes.token
+ cluster_ca_certificate = base64decode(module.eks_cluster.eks_cluster_certificate_authority_data)
+}
+
+
 module "helm_release" {
  source = "../../"
 
@@ -21,8 +28,12 @@ module "helm_release" {
  chart = var.chart
  chart_version = var.chart_version
 
- create_namespace = var.create_namespace
- kubernetes_namespace = var.kubernetes_namespace
+ create_namespace_with_kubernetes = var.create_namespace
+ kubernetes_namespace = var.kubernetes_namespace
+ service_account_namespace = var.kubernetes_namespace
+ service_account_name = "aws-node-termination-handler"
+ iam_role_enabled = true
+ iam_source_policy_documents = [one(data.aws_iam_policy_document.node_termination_handler[*].json)]
 
  eks_cluster_oidc_issuer_url = module.eks_cluster.eks_cluster_identity_oidc_issuer
 
@@ -34,4 +45,29 @@ module "helm_release" {
  values = [
  file("${path.module}/values.yaml")
  ]
+
+ context = module.this.context
+
+ depends_on = [
+ module.eks_cluster,
+ module.eks_node_group,
+ ]
+}
+
+data "aws_iam_policy_document" "node_termination_handler" {
+ #bridgecrew:skip=BC_AWS_IAM_57:Skipping `Ensure IAM policies does not allow write access without constraint` because this is a test case
+ statement {
+ sid = ""
+ effect = "Allow"
+ resources = ["*"]
+
+ actions = [
+ "autoscaling:CompleteLifecycleAction",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeTags",
+ "ec2:DescribeInstances",
+ "sqs:DeleteMessage",
+ "sqs:ReceiveMessage",
+ ]
+ }
 }

examples/complete/outputs.tf

@@ -46,3 +46,10 @@ output "metadata" {
  description = "Block status of the deployed release."
  value = module.helm_release.metadata
 }
+
+## EKS cluster
+
+output "eks_cluster_id" {
+ description = "The name of the cluster"
+ value = module.eks_cluster.eks_cluster_id
+}

examples/complete/values.yaml

@@ -1,6 +1,6 @@
 image:
  repository: "amazon/aws-node-termination-handler"
- tag: "v1.13.1"
+ tag: "v1.13.3"
  pullPolicy: IfNotPresent
 
 podMonitor:

examples/complete/variables.tf

@@ -270,3 +270,15 @@ variable "postrender_binary_path" {
  description = "Relative or full path to command binary."
  default = null
 }
+
+### EKS Addons
+variable "addons" {
+ type = list(object({
+ addon_name = string
+ addon_version = string
+ resolve_conflicts = string
+ service_account_role_arn = string
+ }))
+ description = "Manages [`aws_eks_addon`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) resources"
+ default = []
+}

examples/complete/versions.tf

@@ -2,9 +2,17 @@ terraform {
  required_version = ">= 1.0"
 
  required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.9.0"
+ }
  helm = {
  source = "hashicorp/helm"
  version = ">= 2.2"
  }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.7.1"
+ }
  }
 }

main.tf

@@ -25,7 +25,7 @@ module "eks_iam_policy" {
 
 module "eks_iam_role" {
  source = "cloudposse/eks-iam-role/aws"
- version = "1.1.0"
+ version = "2.0.0"
 
  enabled = local.iam_role_enabled
 
@@ -38,6 +38,8 @@ module "eks_iam_role" {
  permissions_boundary = var.permissions_boundary
 
  context = module.this.context
+
+ depends_on = [module.eks_iam_policy]
 }
 
 resource "kubernetes_namespace" "default" {

test/src/Makefile

@@ -13,11 +13,7 @@ init:
 
 .PHONY : test
 ## Run tests
-test:
- @echo Terratest not implemented in this project
- @exit 1
-
-real_test: init
+test: init
  go mod download
  go test -v -timeout 60m