From 48d67b9204b0b0c0bfdd5cc1eaab9a8109d27b47 Mon Sep 17 00:00:00 2001 From: Garland Kan Date: Fri, 11 Feb 2022 18:07:20 +0000 Subject: [PATCH 1/7] Adding creation of the ACM --- .../dev/helm/istio/istio_ingress_values.yaml | 9 +++++++ terraform-modules/aws/istio/main.tf | 12 ++++++++++ terraform-modules/aws/istio/variables.tf | 24 +++++++++++++++++++ 3 files changed, 45 insertions(+) diff --git a/terraform-environments/aws/dev/helm/istio/istio_ingress_values.yaml b/terraform-environments/aws/dev/helm/istio/istio_ingress_values.yaml index 70223a28b..53df3691e 100644 --- a/terraform-environments/aws/dev/helm/istio/istio_ingress_values.yaml +++ b/terraform-environments/aws/dev/helm/istio/istio_ingress_values.yaml @@ -4,3 +4,12 @@ # # Setting to an internal load balancer # # https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer # service.beta.kubernetes.io/aws-load-balancer-internal: "true" + + external-dns.alpha.kubernetes.io/hostname: app1.example.com,app2.example.com + service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:354114410416:certificate/cab4cc86-e94a-4dec-afc2-579114208350 + service.beta.kubernetes.io/aws-load-balancer-access-log-enabled: true + service.beta.kubernetes.io/aws-load-balancer-access-log-emit-interval: 5 + service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name: "expanse-elb-logs-dev" + # https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html + # service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS-1-2-2017-01" + # Setting this with Terraform since we need a custom TLS policy: https://github.q-internal.tech/qadium/shared-infra-automation/tree/master/aws-ent/qadium-dev/load-balancer/tls-policy diff --git a/terraform-modules/aws/istio/main.tf b/terraform-modules/aws/istio/main.tf index a35632dfd..8b0c94222 100644 --- a/terraform-modules/aws/istio/main.tf +++ b/terraform-modules/aws/istio/main.tf 
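Review bot: The new access-log annotations carry YAML bool/int values (`aws-load-balancer-access-log-enabled: true`, `aws-load-balancer-access-log-emit-interval: 5`), but Kubernetes annotation values must be strings, so the rendered Service is likely to be rejected at apply time; quote them, `service.beta.kubernetes.io/aws-load-balancer-access-log-enabled: "true"` and `service.beta.kubernetes.io/aws-load-balancer-access-log-emit-interval: "5"`. The `aws-load-balancer-ssl-cert` line hard-codes a certificate ARN, account id included, into a committed environment file; the next patches in this series source the ARN from Terraform and the value stays in history regardless, so leaving it out here is cleaner than editing it later. Keeping `aws-load-balancer-ssl-negotiation-policy` commented means the listener runs on the ELB default policy until the out-of-band Terraform named in the trailing comment is applied, which that comment should state; the comment also links an internal host, which may not belong in this file. The parent keys (`gateways`/`istio-ingressgateway`/`serviceAnnotations`) sit above the shown context.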
@@ -76,3 +76,15 @@ resource "helm_release" "helm_chart_istio_egress" { helm_release.helm_chart_istio_base ] } + +module "acm_request_certificate" { + source = "cloudposse/acm-request-certificate/aws" + version = "0.16.0" + + count = var.create_acm_cert ? 1 : 0 + + domain_name = var.acm_domain_name + process_domain_validation_options = true + ttl = var.acm_ttl + subject_alternative_names = var.subject_alternative_names +} diff --git a/terraform-modules/aws/istio/variables.tf b/terraform-modules/aws/istio/variables.tf index 77703930a..8ed68ccc1 100644 --- a/terraform-modules/aws/istio/variables.tf +++ b/terraform-modules/aws/istio/variables.tf @@ -113,3 +113,27 @@ variable "helm_values_istio_egress" { default = "" description = "Additional helm values to pass in. These values would override the default in this module." } + +variable "create_acm_cert" { + type = bool + default = false + description = "Creates an ACM cert and applied to the istio ingress" +} + +variable "acm_domain_name" { + type = string + default = "example.com" + description = "The domain name to create a certificate for" +} + +variable "acm_ttl" { + type = string + default = "300" + description = "The certifcate TTL" +} + +variable acm_subject_alternative_names { + type = list(string) + default = ["*.example.com"] + description = "Subject alternative names for the cert (SAN)" +} From 462c97e7b01b377d0598b337994155a5e5137659 Mon Sep 17 00:00:00 2001 From: Garland Kan Date: Fri, 11 Feb 2022 19:07:33 +0000 Subject: [PATCH 2/7] Adding templated istio ingress file --- terraform-modules/aws/istio/main.tf | 9 +++++++++ .../aws/istio/values/istio_ingress_values.tpl.yaml | 14 ++++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 terraform-modules/aws/istio/values/istio_ingress_values.tpl.yaml diff --git a/terraform-modules/aws/istio/main.tf b/terraform-modules/aws/istio/main.tf index 8b0c94222..654d3c21b 100644 --- a/terraform-modules/aws/istio/main.tf +++ b/terraform-modules/aws/istio/main.tf 
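Review bot: `module "acm_request_certificate"` sets `process_domain_validation_options = true` but passes no hosted zone, so when `var.create_acm_cert` is true the module has nowhere to write the DNS validation records and the apply cannot finish; patch 6 of this series adds `zone_id`, and that change belongs in this commit (the same goes for the `var.subject_alternative_names` name that patch 5 corrects). Pinning the registry module to `version = "0.16.0"` is right for a third-party source; a one-line comment saying what the certificate is for would help the next reader, `# DNS-validated ACM certificate whose ARN is attached to the istio-ingressgateway ELB`.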
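Review bot: `acm_subject_alternative_names` defaults to `["*.example.com"]`, so a caller who sets `create_acm_cert = true` and `acm_domain_name` but forgets the SANs requests a wildcard for a domain they do not control and validation stalls; `default = []` keeps the certificate scoped to `acm_domain_name` unless wider coverage is asked for explicitly. `acm_domain_name` defaulting to `"example.com"` has the same shape and would be safer as `""`, since a plausible-looking placeholder is easy to ship by accident. The `acm_ttl` description misspells "certificate" and, if this maps to the module's validation-record TTL as its name suggests, describes the wrong thing, `description = "TTL in seconds of the DNS validation records"`.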
@@ -43,6 +43,14 @@ resource "helm_release" "helm_chart_istio_discovery" { ] } +data "template_file" "helm_chart_istio_ingress" { + template = file("${path.module}/values/istio_ingress_values.tpl.yaml") + + vars = { + acmARN = module.acm_request_certificate[0].arn + } +} + resource "helm_release" "helm_chart_istio_ingress" { count = var.install_helm_chart_istio_ingress chart = "${path.module}/istio-${var.istio_version}/manifests/charts/gateways/istio-ingress" @@ -52,6 +60,7 @@ resource "helm_release" "helm_chart_istio_ingress" { verify = var.verify values = [ + data.template_file.helm_chart_istio_ingress.rendered, var.helm_values_istio_ingress, ] diff --git a/terraform-modules/aws/istio/values/istio_ingress_values.tpl.yaml b/terraform-modules/aws/istio/values/istio_ingress_values.tpl.yaml new file mode 100644 index 000000000..d651a363a --- /dev/null +++ b/terraform-modules/aws/istio/values/istio_ingress_values.tpl.yaml @@ -0,0 +1,14 @@ +# gateways: +# istio-ingressgateway: +# serviceAnnotations: +# # Setting to an internal load balancer +# # https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer +# service.beta.kubernetes.io/aws-load-balancer-internal: "true" + + # external-dns.alpha.kubernetes.io/hostname: app1.example.com,app2.example.com + service.beta.kubernetes.io/aws-load-balancer-ssl-cert: ${acmARN} + # service.beta.kubernetes.io/aws-load-balancer-access-log-enabled: true + # service.beta.kubernetes.io/aws-load-balancer-access-log-emit-interval: 5 + # service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name: "elb-logs-dev" + # https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html + # service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS-1-2-2017-01" From 6385801ca3b615c4e38cba92355891b3f2fe8555 Mon Sep 17 00:00:00 2001 
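Review bot: `acmARN = module.acm_request_certificate[0].arn` is evaluated unconditionally, but the module is declared with `count = var.create_acm_cert ? 1 : 0` and that variable defaults to `false`, so with default inputs the index is invalid and the plan fails; guard it, `acmARN = var.create_acm_cert ? module.acm_request_certificate[0].arn : ""` (or `one(module.acm_request_certificate[*].arn)` if the Terraform version permits), and either drop the annotation when the value is empty or document that `create_acm_cert` is effectively required. The `template_file` data source comes from the deprecated template provider; the built-in `templatefile()` function covers this use. In the second hunk of this file the rendered template precedes `var.helm_values_istio_ingress`, so caller values silently override the module's `aws-load-balancer-ssl-cert` annotation; a comment stating that precedence, `# later entries win: caller-supplied values override the module template`, makes it deliberate.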
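Review bot: The only live line in the new template, `service.beta.kubernetes.io/aws-load-balancer-ssl-cert: ${acmARN}`, sits under parent keys that are commented out (`# gateways:`, `#   istio-ingressgateway:`, `#     serviceAnnotations:`), so the rendered YAML carries the annotation as an unrelated top-level key and the chart never attaches the certificate to the Service. Uncomment the three parent keys so the annotation lands at `gateways.istio-ingressgateway.serviceAnnotations`, and quote the value, `service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "${acmARN}"`, so an empty ARN renders as a string rather than a null. Because this file is a Terraform template, any literal `${` or `%{` in it has to be written `$${` / `%%{`, which is worth a header comment.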
From: Garland Kan Date: Fri, 11 Feb 2022 19:13:35 +0000 Subject: [PATCH 3/7] Adding templated istio ingress file --- .../aws/dev/helm/istio/istio_ingress_values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform-environments/aws/dev/helm/istio/istio_ingress_values.yaml b/terraform-environments/aws/dev/helm/istio/istio_ingress_values.yaml index 53df3691e..e8120904e 100644 --- a/terraform-environments/aws/dev/helm/istio/istio_ingress_values.yaml +++ b/terraform-environments/aws/dev/helm/istio/istio_ingress_values.yaml @@ -9,7 +9,7 @@ service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:354114410416:certificate/cab4cc86-e94a-4dec-afc2-579114208350 service.beta.kubernetes.io/aws-load-balancer-access-log-enabled: true service.beta.kubernetes.io/aws-load-balancer-access-log-emit-interval: 5 - service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name: "expanse-elb-logs-dev" + service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name: "elb-logs-dev" # https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html # service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS-1-2-2017-01" # Setting this with Terraform since we need a custom TLS policy: https://github.q-internal.tech/qadium/shared-infra-automation/tree/master/aws-ent/qadium-dev/load-balancer/tls-policy From 934c67ca9854d559b0e8e8309db946e065c235e5 Mon Sep 17 00:00:00 2001 From: Garland Kan Date: Fri, 11 Feb 2022 19:13:57 +0000 Subject: [PATCH 4/7] Adding templated istio ingress file --- .../aws/dev/helm/istio/istio_ingress_values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform-environments/aws/dev/helm/istio/istio_ingress_values.yaml b/terraform-environments/aws/dev/helm/istio/istio_ingress_values.yaml index e8120904e..a44864365 100644 --- a/terraform-environments/aws/dev/helm/istio/istio_ingress_values.yaml 
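Review bot: `"elb-logs-dev"` is a global S3 name, so unless this account already owns a bucket by that name with a policy limited to the ELB log-delivery principal, the access logs (client addresses, request paths) either fail to deliver or, if someone else holds the name with a permissive policy, land outside the account; a comment naming where the bucket is provisioned would tie the two together, `# bucket and its ELB log-delivery policy are managed in <TERRAFORM_MODULE_PATH>`. An account-qualified or clearly unique name also avoids the ambiguity.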
+++ b/terraform-environments/aws/dev/helm/istio/istio_ingress_values.yaml @@ -6,7 +6,7 @@ # service.beta.kubernetes.io/aws-load-balancer-internal: "true" external-dns.alpha.kubernetes.io/hostname: app1.example.com,app2.example.com - service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:354114410416:certificate/cab4cc86-e94a-4dec-afc2-579114208350 + service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:11114410111:certificate/cab4cc86-e94a-4dec-afc2-579114208350 service.beta.kubernetes.io/aws-load-balancer-access-log-enabled: true service.beta.kubernetes.io/aws-load-balancer-access-log-emit-interval: 5 service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name: "elb-logs-dev" From a177af871fba416c9e7172cf71150160a8c7b0ca Mon Sep 17 00:00:00 2001 From: Garland Kan Date: Fri, 11 Feb 2022 19:24:54 +0000 Subject: [PATCH 5/7] Fixing var name --- terraform-modules/aws/istio/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform-modules/aws/istio/main.tf b/terraform-modules/aws/istio/main.tf index 654d3c21b..fb3028cb1 100644 --- a/terraform-modules/aws/istio/main.tf +++ b/terraform-modules/aws/istio/main.tf @@ -95,5 +95,5 @@ module "acm_request_certificate" { domain_name = var.acm_domain_name process_domain_validation_options = true ttl = var.acm_ttl - subject_alternative_names = var.subject_alternative_names + subject_alternative_names = var.acm_subject_alternative_names } From a9cc83d695283bb22b9850c20a53a47c6a641bce Mon Sep 17 00:00:00 2001 From: Garland Kan Date: Fri, 11 Feb 2022 19:32:54 +0000 Subject: [PATCH 6/7] Adding route53 zone --- terraform-modules/aws/istio/main.tf | 1 + terraform-modules/aws/istio/variables.tf | 8 +++++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/terraform-modules/aws/istio/main.tf b/terraform-modules/aws/istio/main.tf index fb3028cb1..867961320 100644 --- a/terraform-modules/aws/istio/main.tf +++ b/terraform-modules/aws/istio/main.tf 
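Review bot: The replacement account id in the `aws-load-balancer-ssl-cert` ARN, `11114410111`, has eleven digits where an AWS account id has twelve, so the ARN is malformed and no listener can be built from it; if a placeholder is intended, make it unmistakable, `service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:<REGION>:<ACCOUNT_ID>:certificate/<CERT_ID>`, and say so in the adjacent comment. Rewriting the value in a follow-up commit also leaves the original ARN in history (patches 1 and 3 of this series); since patch 2 already sources the ARN from Terraform, removing the hard-coded annotation from this environment file is cleaner than editing it.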
@@ -96,4 +96,5 @@ module "acm_request_certificate" { process_domain_validation_options = true ttl = var.acm_ttl subject_alternative_names = var.acm_subject_alternative_names + zone_id = var.acm_route53_zone_id } diff --git a/terraform-modules/aws/istio/variables.tf b/terraform-modules/aws/istio/variables.tf index 8ed68ccc1..e1278550b 100644 --- a/terraform-modules/aws/istio/variables.tf +++ b/terraform-modules/aws/istio/variables.tf @@ -132,8 +132,14 @@ variable "acm_ttl" { description = "The certifcate TTL" } -variable acm_subject_alternative_names { +variable "acm_subject_alternative_names" { type = list(string) default = ["*.example.com"] description = "Subject alternative names for the cert (SAN)" } + +variable "acm_route53_zone_id" { + type = string + default = "" + description = "The route53 zone ID to perform DNS validation on the ACM cert" +} From a689fd03b5a7f1c559605da00fa3733f000d3794 Mon Sep 17 00:00:00 2001 From: Garland Kan Date: Fri, 11 Feb 2022 19:42:24 +0000 Subject: [PATCH 7/7] Templating input var --- terraform-modules/aws/istio/main.tf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/terraform-modules/aws/istio/main.tf b/terraform-modules/aws/istio/main.tf index 867961320..eaf02196e 100644 --- a/terraform-modules/aws/istio/main.tf +++ b/terraform-modules/aws/istio/main.tf @@ -44,7 +44,8 @@ resource "helm_release" "helm_chart_istio_discovery" { } data "template_file" "helm_chart_istio_ingress" { - template = file("${path.module}/values/istio_ingress_values.tpl.yaml") + template = var.helm_values_istio_ingress + #file("${path.module}/values/istio_ingress_values.tpl.yaml") vars = { acmARN = module.acm_request_certificate[0].arn @@ -61,7 +62,7 @@ resource "helm_release" "helm_chart_istio_ingress" { values = [ data.template_file.helm_chart_istio_ingress.rendered, - var.helm_values_istio_ingress, + # var.helm_values_istio_ingress, ] depends_on = [
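Review bot: `acm_route53_zone_id` defaults to `""` while the module keeps `process_domain_validation_options = true`, so a caller who enables `create_acm_cert` without setting the zone gets validation records with nowhere to go (or, if the module falls back to a zone-name lookup, records in whichever zone matches, which should be confirmed against the module docs). Dropping the default makes the zone a required input whenever the certificate is created, and the description in the variables.tf hunk should state the constraint, `description = "Route53 hosted zone authoritative for acm_domain_name and every SAN; DNS validation records are written here"`. The identity running the apply needs write access to that zone, which the same description can mention.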
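Review bot: `template = var.helm_values_istio_ingress` now runs caller-supplied YAML through the Terraform template engine, so any `${` or `%{` sequence in those values is interpreted as a directive and either fails the plan or is substituted; the variable's description should state that callers must escape such sequences as `$${`, and a comment on this line should say why the values are templated rather than passed through, `# rendered as a template so callers can reference ${acmARN}; literal "${" must be written "$${"`. The `#file(...)` line here and the `# var.helm_values_istio_ingress,` line in the second hunk are dead code and should be removed rather than commented. If the ingress variable defaults to `""` like the egress one shown in patch 1, the rendered document is empty and the ACM annotation is never applied, which is worth a sentence in the variable description.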