dfds · avnes · Sep 24, 2024 · Sep 20, 2024 · Sep 23, 2024 · Sep 23, 2024
@@ -35,6 +35,7 @@ resource "flux_bootstrap_git" "this" {
 # --------------------------------------------------
 
 resource "github_repository_file" "flux_monitoring_config_path" {
+ count = var.enable_monitoring ? 1 : 0
  repository = var.repository_name
  branch = data.github_branch.flux_branch.branch
  file = "${local.cluster_target_path}/${local.app_install_name}.yaml"
@@ -69,4 +70,4 @@ resource "github_repository_file" "custom_folder" {
  file = "platform-apps/${var.cluster_name}/custom/README.md"
  content = local.custom_folder_readme
  overwrite_on_create = var.overwrite_on_create
-}
+}
@@ -62,3 +62,9 @@ variable "token" {
 variable "cluster_ca_certificate" {
  type = string
 }
+
+variable "enable_monitoring" {
+ type = bool
+ default = false
+ description = "Enable monitoring for Flux"
+}
@@ -0,0 +1,29 @@
+# --------------------------------------------------
+# Flux CD in a shared responsibility model with
+# other platform teams
+# --------------------------------------------------
+
+data "github_repository" "main" {
+ full_name = "${var.repo_owner}/${var.repo_name}"
+}
+
+locals {
+ default_repo_branch = data.github_repository.main.default_branch
+ repo_branch = length(var.repo_branch) > 0 ? var.repo_branch : local.default_repo_branch
+ cluster_repo_path = "clusters/${var.cluster_name}"
+}
+
+resource "github_repository_file" "shared_manifests" {
+ repository = var.repo_name
+ branch = local.repo_branch
+ file = "${local.cluster_repo_path}/shared-manifests.yaml"
+ content = templatefile("${path.module}/values/shared-manifests.yaml", {
+ shared_manifests_repo_url = var.shared_manifests_repo_url
+ shared_manifests_repo_branch = var.shared_manifests_repo_branch
+ overlay_folder = var.overlay_folder
+ account_id = var.account_id
+ role_name = var.role_name
+ prune = var.prune
+ })
+ overwrite_on_create = var.overwrite_on_create
+}
@@ -0,0 +1,73 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: ssm-secrets
+ namespace: flux-system
+ annotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::${account_id}:role/${role_name}
+ eks.amazonaws.com/sts-regional-endpoints: "true"
+---
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+ name: shared-manifests-git
+ namespace: flux-system
+spec:
+ provider:
+ aws:
+ service: ParameterStore
+ region: eu-west-1
+ auth:
+ jwt:
+ serviceAccountRef:
+ name: ssm-secrets
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: shared-manifests-git
+ namespace: flux-system
+spec:
+ refreshInterval: 1m
+ secretStoreRef:
+ kind: SecretStore
+ name: shared-manifests-git
+ target:
+ name: shared-manifests-git
+ creationPolicy: Owner
+ data:
+ - secretKey: username
+ remoteRef:
+ key: /github/shared-manifests/owner
+ - secretKey: password
+ remoteRef:
+ key: /github/shared-manifests/token
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+ name: shared-manifests-git
+ namespace: flux-system
+spec:
+ interval: 1m0s
+ secretRef:
+ name: shared-manifests-git
+ ref:
+ branch: ${shared_manifests_repo_branch}
+ url: ${shared_manifests_repo_url}
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: shared-manifests
+ namespace: flux-system
+spec:
+ interval: 1m0s
+ dependsOn:
+ - name: flux-system
+ sourceRef:
+ kind: GitRepository
+ name: shared-manifests-git
+ path: ./infrastructure/${overlay_folder}
+ prune: ${prune}
@@ -0,0 +1,56 @@
+variable "cluster_name" {
+ type = string
+}
+
+variable "overlay_folder" {
+ type = string
+}
+
+variable "repo_owner" {
+ type = string
+ description = "Name of the repo owner (previously: organization)"
+ sensitive = true
+}
+
+variable "repo_name" {
+ type = string
+ description = "Name of the Github repo to store the manifests in"
+}
+
+variable "repo_branch" {
+ type = string
+ description = "Override the default branch of the repo (optional)"
+ default = "main"
+}
+
+variable "overwrite_on_create" {
+ type = bool
+ default = true
+ description = "Enable overwriting existing files"
+}
+
+variable "shared_manifests_repo_url" {
+ type = string
+ default = ""
+ description = "The https url for your GitOps manifests"
+}
+
+variable "shared_manifests_repo_branch" {
+ type = string
+ default = "main"
+ description = "The default branch for your GitOps manifests"
+}
+
+variable "prune" {
+ type = bool
+ default = true
+ description = "Enable Garbage collection"
+}
+
+variable "account_id" {
+ type = string
+}
+
+variable "role_name" {
+ type = string
+}
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.3.0, < 1.6.0"
+
+ required_providers {
+ github = {
+ source = "integrations/github"
+ version = "~> 6.3.0"
+ }
+ }
+}
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.8.0"
+
+ required_providers {
+ github = {
+ source = "integrations/github"
+ version = "~> 6.3.0"
+ }
+ }
+}
@@ -260,7 +260,8 @@ locals {
 # --------------------------------------------------
 
 locals {
- fluxcd_apps_repo_url = "${var.fluxcd_apps_git_provider_url}${var.fluxcd_apps_repo_owner}/${var.fluxcd_apps_repo_name}"
+ fluxcd_apps_repo_url = "${var.fluxcd_apps_git_provider_url}${var.fluxcd_apps_repo_owner}/${var.fluxcd_apps_repo_name}"
+ shared_manifests_repo_url = "${var.fluxcd_apps_git_provider_url}${var.shared_manifests_repo_owner}/${var.shared_manifests_repo_name}"
 }
 
 # --------------------------------------------------

@@ -458,6 +458,7 @@ module "platform_fluxcd" {
  endpoint = data.aws_eks_cluster.eks.endpoint
  token = data.aws_eks_cluster_auth.eks.token
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.eks.certificate_authority[0].data)
+ enable_monitoring = var.monitoring_kube_prometheus_stack_deploy || var.grafana_deploy ? true : false
 
  providers = {
  github = github.fluxcd
@@ -995,3 +996,51 @@ module "github_arc_runners" {
 
  depends_on = [module.platform_fluxcd, module.github_arc_ss_controller]
 }
+
+# --------------------------------------------------
+# Flux CD in a shared responsibility model with
+# other platform teams
+# --------------------------------------------------
+
+module "shared_manifests_git_owner" {
+ source = "../../_sub/security/ssm-parameter-store"
+ count = var.shared_manifests_deploy ? 1 : 0
+ key_name = "/github/shared-manifests/owner"
+ key_description = "Git owner for the shared Flux manifests"
+ key_value = var.fluxcd_bootstrap_repo_owner
+ tag_createdby = var.ssm_param_createdby != null ? var.ssm_param_createdby : "k8s-services"
+}
+
+module "shared_manifests_git_token" {
+ source = "../../_sub/security/ssm-parameter-store"
+ count = var.shared_manifests_deploy ? 1 : 0
+ key_name = "/github/shared-manifests/token"
+ key_description = "Git owner's token for the shared Flux manifests"
+ key_value = var.fluxcd_bootstrap_repo_owner_token
+ tag_createdby = var.ssm_param_createdby != null ? var.ssm_param_createdby : "k8s-services"
+}
+
+module "shared_manifests" {
+ source = "../../_sub/compute/k8s-shared-manifests"
+ count = var.shared_manifests_deploy ? 1 : 0
+ cluster_name = var.eks_cluster_name
+ overlay_folder = var.shared_manifests_overlay_folder
+ repo_owner = var.fluxcd_bootstrap_repo_owner
+ repo_name = var.fluxcd_bootstrap_repo_name
+ repo_branch = var.fluxcd_bootstrap_repo_branch
+ overwrite_on_create = var.fluxcd_bootstrap_overwrite_on_create
+ shared_manifests_repo_url = local.shared_manifests_repo_url
+ shared_manifests_repo_branch = var.shared_manifests_repo_branch
+ account_id = var.aws_workload_account_id
+ role_name = var.external_secrets_ssm_iam_role_name
+
+ providers = {
+ github = github.fluxcd
+ }
+
+ depends_on = [
+ module.shared_manifests_git_owner,
+ module.shared_manifests_git_token,
+ module.external_secrets_ssm
+ ]
+}
@@ -468,7 +468,6 @@ variable "fluxcd_bootstrap_overwrite_on_create" {
  description = "Enable overwriting existing files"
 }
 
-
 # --------------------------------------------------
 # GitOps apps used by Flux CD
 # --------------------------------------------------
@@ -1613,3 +1612,48 @@ variable "github_arc_runners_memory_limit" {
  description = "Memory request for the runner pods"
  default = "8Gi"
 }
+
+# --------------------------------------------------
+# Optional
+# --------------------------------------------------
+
+variable "ssm_param_createdby" {
+ type = string
+ description = "The value that will be used for the createdBy key when tagging any SSM parameters"
+ default = null
+}
+
+# --------------------------------------------------
+# Flux CD in a shared responsibility model with
+# other platform teams
+# --------------------------------------------------
+
+variable "shared_manifests_repo_name" {
+ type = string
+ default = ""
+ description = "The repo name for your GitOps manifests"
+}
+
+variable "shared_manifests_repo_branch" {
+ type = string
+ default = "main"
+ description = "The default branch for your GitOps manifests"
+}
+
+variable "shared_manifests_repo_owner" {
+ type = string
+ default = "main"
+ description = "The repo owner for your GitOps manifests"
+}
+
+variable "shared_manifests_deploy" {
+ type = bool
+ description = "Deploy Flux manifests from a shared responsibily repo"
+ default = false
+}
+
+variable "shared_manifests_overlay_folder" {
+ type = string
+ description = "Which overlay folder to deploy"
+ default = "production"
+}
@@ -291,8 +291,20 @@ inputs = {
  # --------------------------------------------------
  # Github ARC SS Controller
  # --------------------------------------------------
- 
+
  github_arc_ss_controller_deploy = true
  github_arc_ss_controller_helm_chart_version = "0.9.3"
 
+ # --------------------------------------------------
+ # Flux CD in a shared responsibility model with
+ # other platform teams
+ # --------------------------------------------------
+
+ shared_manifests_repo_name = "shared-manifests"
+ shared_manifests_repo_branch = "main"
+ shared_manifests_repo_owner = "dfds"
+
+ shared_manifests_deploy = true
+ shared_manifests_overlay_folder = "qa"
+
 }