terraform-aws-eks-ack-addons's Introduction

AWS EKS ACK Addons Terraform module

Terraform module which provisions AWS controllers for Kubernetes on EKS.

Usage

module "eks_ack_addons" {
  source = "aws-ia/eks-ack-addons/aws"

  # Cluster Info
  cluster_name      = "<cluster name>"
  cluster_endpoint  = "<cluster endpoint>"
  oidc_provider_arn = "<oidc provider arn>"

  # ECR Credentials
  ecrpublic_username = "<ecr user name>"
  ecrpublic_token    = "<ecr token>"

  # Controllers to enable
  enable_networkfirewall        = true
  enable_cloudwatchlogs         = true
  enable_kinesis                = true
  enable_secretsmanager         = true
  enable_route53resolver        = true
  enable_route53                = true
  enable_organizations          = true
  enable_mq                     = true
  enable_cloudwatch             = true
  enable_keyspaces              = true
  enable_kafka                  = true
  enable_efs                    = true
  enable_ecs                    = true
  enable_cloudtrail             = true
  enable_cloudfront             = true
  enable_applicationautoscaling = true
  enable_sagemaker              = true
  enable_memorydb               = true
  enable_opensearchservice      = true
  enable_ecr                    = true
  enable_sns                    = true
  enable_sqs                    = true
  enable_lambda                 = true
  enable_iam                    = true
  enable_ec2                    = true
  enable_eks                    = true
  enable_kms                    = true
  enable_acm                    = true
  enable_apigatewayv2           = true
  enable_dynamodb               = true
  enable_s3                     = true
  enable_elasticache            = true
  enable_rds                    = true
  enable_prometheusservice      = true
  enable_emrcontainers          = true
  enable_sfn                    = true
  enable_eventbridge            = true

  tags = {
    Environment = "dev"
  }
}
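A complete wiring of the module to an existing cluster, added here as an example and not taken from the module's README. It assumes the cluster was created with terraform-aws-modules/eks/aws (whose cluster_name, cluster_endpoint and oidc_provider_arn outputs are referenced) and that a managed node group keyed "default" exists; the region values are constructed placeholders, and every module input used is one listed in the Inputs table below.

```hcl
# Added example (not from the module's README): wire the module to an
# existing EKS cluster. Assumptions are marked in the comments.

provider "aws" {
  region = "eu-west-1" # constructed placeholder: the region the cluster lives in
}

# ECR Public only issues authorization tokens from us-east-1, so a second
# provider alias is needed even when the cluster runs in another region.
provider "aws" {
  alias  = "virginia"
  region = "us-east-1"
}

data "aws_ecrpublic_authorization_token" "token" {
  provider = aws.virginia
}

module "eks_ack_addons" {
  source  = "aws-ia/eks-ack-addons/aws"
  version = "2.2.0" # pin the version you have validated; 2.2.0 is the one reported in the issues below

  # Assumption: module.eks is terraform-aws-modules/eks/aws, which exposes these outputs
  cluster_name      = module.eks.cluster_name
  cluster_endpoint  = module.eks.cluster_endpoint
  oidc_provider_arn = module.eks.oidc_provider_arn

  # Short-lived token read from the data source at plan time; never a hard-coded literal
  ecrpublic_username = data.aws_ecrpublic_authorization_token.token.user_name
  ecrpublic_token    = data.aws_ecrpublic_authorization_token.token.password

  # Hold back resource creation until the node group exists so controller pods can schedule
  # (assumption: a managed node group keyed "default" in the eks module's outputs)
  create_delay_dependencies = [module.eks.eks_managed_node_groups["default"].node_group_arn]
  create_delay_duration     = "30s"

  # Every enable_* input defaults to false; enable only the controllers this
  # cluster needs, since each one gets an IRSA role with AWS API permissions.
  enable_s3  = true
  enable_sqs = true

  tags = {
    Environment = "dev"
  }
}
```

Each enabled controller is a privileged identity in the account: its IRSA role carries the module's default policies unless overridden through the per-controller config input, so the list of enable_* flags is also the list of AWS services the cluster can mutate.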

Tests

Tests codified under the tests directory are intended to give users references for how to use the module as well as to test and validate changes to the module's source code. If contributing to the project, please be sure to make any appropriate updates to the relevant tests to allow maintainers to test your changes and to keep the tests up to date for users. Thank you!

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0 |
| aws | >= 5.0 |
| time | >= 0.9 |

Providers

| Name | Version |
|------|---------|
| aws | >= 5.0 |
| time | >= 0.9 |

Modules

| Name | Source | Version |
|------|--------|---------|
| acm | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| apigatewayv2 | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| applicationautoscaling | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| cloudfront | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| cloudtrail | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| cloudwatch | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| cloudwatchlogs | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| dynamodb | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| ec2 | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| ecr | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| ecs | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| efs | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| eks | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| elasticache | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| emrcontainers | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| eventbridge | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| iam | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| kafka | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| keyspaces | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| kinesis | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| kms | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| lambda | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| memorydb | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| mq | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| networkfirewall | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| opensearchservice | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| organizations | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| prometheusservice | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| rds | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| route53 | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| route53resolver | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| s3 | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| sagemaker | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| secretsmanager | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| sfn | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| sns | aws-ia/eks-blueprints-addon/aws | 1.1.1 |
| sqs | aws-ia/eks-blueprints-addon/aws | 1.1.1 |

Resources

| Name | Type |
|------|------|
| time_sleep.this | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.acm | data source |
| aws_iam_policy_document.cloudwatchlogs | data source |
| aws_iam_policy_document.eks | data source |
| aws_iam_policy_document.emrcontainers | data source |
| aws_iam_policy_document.iam | data source |
| aws_iam_policy_document.kinesis | data source |
| aws_iam_policy_document.kms | data source |
| aws_iam_policy_document.lambda | data source |
| aws_iam_policy_document.networkfirewall | data source |
| aws_iam_policy_document.prometheusservice | data source |
| aws_iam_policy_document.sfn | data source |
| aws_partition.current | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| acm | ACK acm Helm Chart config | any | {} | no |
| apigatewayv2 | ACK API gateway v2 Helm Chart config | any | {} | no |
| applicationautoscaling | ACK Application Autoscaling Helm Chart config | any | {} | no |
| cloudfront | ACK cloudfront Helm Chart config | any | {} | no |
| cloudtrail | ACK Cloudtrail Helm Chart config | any | {} | no |
| cloudwatch | ACK CloudWatch Helm Chart config | any | {} | no |
| cloudwatchlogs | ACK CloudWatch Logs Helm Chart config | any | {} | no |
| cluster_endpoint | Endpoint for your Kubernetes API server | string | n/a | yes |
| cluster_name | Name of the EKS cluster | string | n/a | yes |
| create_delay_dependencies | Dependency attribute which must be resolved before starting the create_delay_duration | list(string) | [] | no |
| create_delay_duration | The duration to wait before creating resources | string | "30s" | no |
| create_kubernetes_resources | Create Kubernetes resource with Helm or Kubernetes provider | bool | true | no |
| dynamodb | ACK dynamodb Helm Chart config | any | {} | no |
| ec2 | ACK ec2 Helm Chart config | any | {} | no |
| ecr | ACK ECR Helm Chart config | any | {} | no |
| ecrpublic_token | Password decoded from the authorization token for accessing public ECR | string | "" | no |
| ecrpublic_username | User name decoded from the authorization token for accessing public ECR | string | "" | no |
| ecs | ACK ECS Helm Chart config | any | {} | no |
| efs | ACK EFS Helm Chart config | any | {} | no |
| eks | ACK eks Helm Chart config | any | {} | no |
| elasticache | ACK elasticache Helm Chart config | any | {} | no |
| emrcontainers | ACK EMR container Helm Chart config | any | {} | no |
| enable_acm | Enable ACK acm add-on | bool | false | no |
| enable_apigatewayv2 | Enable ACK API gateway v2 add-on | bool | false | no |
| enable_applicationautoscaling | Enable ACK Application Autoscaling add-on | bool | false | no |
| enable_cloudfront | Enable ACK Cloudfront add-on | bool | false | no |
| enable_cloudtrail | Enable ACK Cloudtrail add-on | bool | false | no |
| enable_cloudwatch | Enable ACK CloudWatch add-on | bool | false | no |
| enable_cloudwatchlogs | Enable ACK CloudWatch Logs add-on | bool | false | no |
| enable_dynamodb | Enable ACK dynamodb add-on | bool | false | no |
| enable_ec2 | Enable ACK ec2 add-on | bool | false | no |
| enable_ecr | Enable ACK ECR add-on | bool | false | no |
| enable_ecs | Enable ACK ECS add-on | bool | false | no |
| enable_efs | Enable ACK EFS add-on | bool | false | no |
| enable_eks | Enable ACK eks add-on | bool | false | no |
| enable_elasticache | Enable ACK elasticache add-on | bool | false | no |
| enable_emrcontainers | Enable ACK EMR container add-on | bool | false | no |
| enable_eventbridge | Enable ACK EventBridge add-on | bool | false | no |
| enable_iam | Enable ACK iam add-on | bool | false | no |
| enable_kafka | Enable ACK Kafka add-on | bool | false | no |
| enable_keyspaces | Enable ACK Keyspaces add-on | bool | false | no |
| enable_kinesis | Enable ACK Kinesis add-on | bool | false | no |
| enable_kms | Enable ACK kms add-on | bool | false | no |
| enable_lambda | Enable ACK Lambda add-on | bool | false | no |
| enable_memorydb | Enable ACK MemoryDB add-on | bool | false | no |
| enable_mq | Enable ACK MQ add-on | bool | false | no |
| enable_networkfirewall | Enable ACK Network Firewall add-on | bool | false | no |
| enable_opensearchservice | Enable ACK Opensearch Service add-on | bool | false | no |
| enable_organizations | Enable ACK Organizations add-on | bool | false | no |
| enable_prometheusservice | Enable ACK prometheusservice add-on | bool | false | no |
| enable_rds | Enable ACK rds add-on | bool | false | no |
| enable_route53 | Enable ACK Route 53 add-on | bool | false | no |
| enable_route53resolver | Enable ACK Route 53 Resolver add-on | bool | false | no |
| enable_s3 | Enable ACK s3 add-on | bool | false | no |
| enable_sagemaker | Enable ACK Sagemaker add-on | bool | false | no |
| enable_secretsmanager | Enable ACK Secrets Manager add-on | bool | false | no |
| enable_sfn | Enable ACK step functions add-on | bool | false | no |
| enable_sns | Enable ACK SNS add-on | bool | false | no |
| enable_sqs | Enable ACK SQS add-on | bool | false | no |
| eventbridge | ACK EventBridge Helm Chart config | any | {} | no |
| iam | ACK iam Helm Chart config | any | {} | no |
| kafka | ACK Kafka Helm Chart config | any | {} | no |
| keyspaces | ACK Keyspaces Helm Chart config | any | {} | no |
| kinesis | ACK Kinesis Helm Chart config | any | {} | no |
| kms | ACK kms Helm Chart config | any | {} | no |
| lambda | ACK Lambda Helm Chart config | any | {} | no |
| memorydb | ACK MemoryDB Helm Chart config | any | {} | no |
| mq | ACK MQ Helm Chart config | any | {} | no |
| networkfirewall | ACK Network Firewall Helm Chart config | any | {} | no |
| oidc_provider_arn | The ARN of the cluster OIDC Provider | string | n/a | yes |
| opensearchservice | ACK Opensearch Service Helm Chart config | any | {} | no |
| organizations | ACK Organizations Helm Chart config | any | {} | no |
| prometheusservice | ACK prometheusservice Helm Chart config | any | {} | no |
| rds | ACK rds Helm Chart config | any | {} | no |
| route53 | ACK Route 53 Helm Chart config | any | {} | no |
| route53resolver | ACK Route 53 Resolver Helm Chart config | any | {} | no |
| s3 | ACK s3 Helm Chart config | any | {} | no |
| sagemaker | ACK Sagemaker Helm Chart config | any | {} | no |
| secretsmanager | ACK Secrets Manager Helm Chart config | any | {} | no |
| sfn | ACK step functions Helm Chart config | any | {} | no |
| sns | ACK SNS Helm Chart config | any | {} | no |
| sqs | ACK SQS Helm Chart config | any | {} | no |
| tags | Additional tags (e.g. map('BusinessUnit','XYZ')) | map(string) | {} | no |

Outputs

| Name | Description |
|------|-------------|
| gitops_metadata | GitOps Bridge metadata |

Community

License

Apache-2.0 Licensed. See LICENSE.

terraform-aws-eks-ack-addons's People

Contributors

allamand, askulkarni2, bdellegrazie, bryantbiggs, candonov, csantanapr, edgarsilva948, luong-komorebi, pdemagny, tonynv, victorgu-github

terraform-aws-eks-ack-addons's Issues

Add Gatekeeper as an Addon in the Cluster

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

What is the outcome that you are trying to reach?

The goal is to integrate Gatekeeper as an addon in the cluster to enhance policy enforcement and ensure compliance with organizational policies.

Describe the solution you would like

  1. Add Gatekeeper as an addon in the cluster to leverage its policy enforcement capabilities.
  2. Provide examples and documentation on how to create and manage policies using Gatekeeper.

Describe alternatives you have considered

  • Continuing without Gatekeeper, which limits the ability to enforce policies and ensure compliance.

Additional context

Integrating Gatekeeper as an addon will enhance the cluster's security and compliance posture by enforcing policies at the Kubernetes API level.

Add ACK ec2 controller

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

Ability to install the ACK ec2 controller

This will allow creating resources

Describe the solution you would like

Follow the same pattern as the other controllers

ACK RDS IRSA role requires access to `alias/secretsmanager` KMS key or fails to create DB.

Description

When using the ACK Controller for RDS, I encountered a problem using the Secrets Manager feature of RDS.

In my circumstance, I was using a custom KMS key and gave, to the IRSA role, permission to create the secret,
access the KMS key and allow the associated grants as documented in AWS documentation.

However, the controller still failed, citing insufficient permissions on the KMS key.

Upon using CloudTrail I discovered the controller was still performing kms:DescribeKey on the default KMS key (alias/secretsmanager), even though I had supplied a specific one for secret in the resource.

Once I permitted kms:DescribeKey on the default KMS key for secrets manager, everything started working properly.

I have three questions:

  1. Can we please update the documentation to ensure that this is reflected in the required IAM permissions for the controller, to avoid others having the same issues when using the Secrets Manager facility?
  2. Is this a bug in the controller? Should it only perform kms:DescribeKey on the key supplied in the CRD? If so, where should I report this?
  3. Should an additional policy be created as an example of one that can be attached to the IAM IRSA role to fix this?

Versions

  • Module version 2.0.1

Steps to reproduce the behavior:

Expected behavior

CRD for dummy single instance small RDS:

---
apiVersion: rds.services.k8s.aws/v1alpha1
kind: DBInstance
metadata:
  name: testdb
spec:
  allocatedStorage: 10
  autoMinorVersionUpgrade: true
  backupRetentionPeriod: 1
  dbInstanceClass: db.t4g.micro
  dbInstanceIdentifier: testdb
  dbSubnetGroupName: <pre-existing-group>
  deletionProtection: false
  engine: postgres
  engineVersion: "14"
  kmsKeyID: <alias or ARN of pre-existing KMS key>
  manageMasterUserPassword: true
  masterUserSecretKMSKeyID: <alias or ARN of pre-existing KMS key>
  masterUsername: "postgres"
  multiAZ: false
  networkType: IPV4
  publiclyAccessible: false
  storageEncrypted: true
  storageType: gp2
  vpcSecurityGroupIDs:
    - <pre-existing security group ID>

Extra IAM policy added to IRSA role:

data "aws_iam_policy_document" "this" {
  statement {
    sid = "AllowKMSUseByRDS"
    actions = [
      "kms:CreateGrant",
      "kms:DescribeKey",
      "kms:ListGrants",
      "kms:RevokeGrant",
    ]

    resources = local.kms_keys  # array of both custom KMS keys for EBS and secrets manager

    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = local.rds_services
    }
  }

  statement {
    sid = "AllowKMSUseForSMByIRSA"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:DescribeKey",
      "kms:GenerateDataKey",
      "kms:CreateGrant",
    ]

    resources = var.secretsmanager_kms_keys
  }

  statement {
    sid = "AllowSMUseByIRSA"
    actions = [
      "secretsmanager:CreateSecret",
      "secretsmanager:DeleteSecret",
      "secretsmanager:RotateSecret",
      "secretsmanager:TagResource",
    ]
    resources = [local.account_sm_arn]
  }
}

Expects to create DB and create a secret with the postgres randomly generated password.

Actual behavior

Fails with insufficient permissions for KMS key (KMS key ARN for custom secrets manager KMS key)

Additional context

Further examination in CloudTrail shows a failure on kms:DescribeKey, but for the default KMS key alias for Secrets Manager (alias/secretsmanager).

Modifying the policy to allow access (full or just kms:DescribeKey) to the default KMS key results in success; an example of such a statement is below:

  # Must grant DescribeKey to all KMS keys or ACK controller fails, even if the default KMS key is not used
  statement {
    sid = "AllowKMSDescribeKeyForRDS"
    actions = [
      "kms:DescribeKey",
    ]

    resources = ["arn:${local.partition}:kms:*:${local.account_id}:key/*"]

    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = local.rds_services
    }
  }

Note 1: I tried using ResourceAliases condition to limit the kms:DescribeKey permission to just the default secretsmanager KMS key but that, surprisingly, didn't work.
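An additional policy for the RDS controller's IRSA role that combines the statements from the issue above, added here as an example and not part of the issue or the module. It keeps the broad grant read-only (kms:DescribeKey only, and only when KMS is called via RDS) and scopes the Secrets Manager actions to the rds!-prefixed secrets that RDS creates for managed master passwords. It assumes the module's rds config input accepts a role_policies map in the same way main.tf reads one for apigatewayv2 (the lookup shown in a later issue), and that the default managed policy for this controller is AmazonRDSFullAccess; the key id, policy name and cluster placeholders are constructed.

```hcl
# Added example (not the issue author's or the module's code): least-privilege
# extras for the ACK RDS controller when manageMasterUserPassword is used
# with a customer-managed key. Assumptions are marked in the comments.

data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}
data "aws_region" "current" {}

locals {
  partition    = data.aws_partition.current.partition
  account_id   = data.aws_caller_identity.current.account_id
  region       = data.aws_region.current.name
  rds_services = ["rds.${local.region}.amazonaws.com"]

  # Constructed placeholder: the customer-managed key used for master user secrets
  secretsmanager_kms_keys = ["arn:${local.partition}:kms:${local.region}:${local.account_id}:key/REPLACE-WITH-KEY-ID"]
}

data "aws_iam_policy_document" "ack_rds_extra" {
  # Full use of the customer-managed key by the IRSA role itself
  statement {
    sid       = "AllowKMSUseForSMByIRSA"
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey", "kms:CreateGrant"]
    resources = local.secretsmanager_kms_keys
  }

  # Grant management on the same key, only when the call comes through RDS
  statement {
    sid       = "AllowKMSUseByRDS"
    actions   = ["kms:CreateGrant", "kms:DescribeKey", "kms:ListGrants", "kms:RevokeGrant"]
    resources = local.secretsmanager_kms_keys
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = local.rds_services
    }
  }

  # The controller describes alias/secretsmanager even when it is not used, so
  # read-only key metadata is allowed account-wide, but still only via RDS.
  statement {
    sid       = "AllowKMSDescribeKeyForRDS"
    actions   = ["kms:DescribeKey"]
    resources = ["arn:${local.partition}:kms:*:${local.account_id}:key/*"]
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = local.rds_services
    }
  }

  # RDS names managed master user secrets rds!db-... / rds!cluster-..., so the
  # resource ARN is narrowed to that prefix instead of every secret in the account.
  statement {
    sid       = "AllowSMUseByIRSA"
    actions   = ["secretsmanager:CreateSecret", "secretsmanager:DeleteSecret", "secretsmanager:RotateSecret", "secretsmanager:TagResource"]
    resources = ["arn:${local.partition}:secretsmanager:${local.region}:${local.account_id}:secret:rds!*"]
  }
}

resource "aws_iam_policy" "ack_rds_extra" {
  name   = "ack-rds-extra" # constructed name
  policy = data.aws_iam_policy_document.ack_rds_extra.json
}

module "eks_ack_addons" {
  source = "aws-ia/eks-ack-addons/aws"

  cluster_name      = "<cluster name>"
  cluster_endpoint  = "<cluster endpoint>"
  oidc_provider_arn = "<oidc provider arn>"

  ecrpublic_username = "<ecr user name>"
  ecrpublic_token    = "<ecr token>"

  enable_rds = true
  rds = {
    # Assumption: role_policies replaces the module default, as lookup() does for
    # apigatewayv2, so the default managed policy must be listed again here.
    role_policies = {
      AmazonRDSFullAccess = "arn:${local.partition}:iam::aws:policy/AmazonRDSFullAccess"
      ACKRDSExtra         = aws_iam_policy.ack_rds_extra.arn
    }
  }
}
```

Because role_policies overrides rather than extends the defaults, dropping the managed policy from the map would silently strip the controller of its RDS permissions; a failed kms:DescribeKey in CloudTrail, as the issue describes, is the signal that the account-wide read-only statement is missing.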

Standardize IAM Policies to Use aws_iam_policy_document Format

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

To ensure consistency and maintainability, I suggest having all IAM policies within the module use the data "aws_iam_policy_document" format instead of directly embedding the JSON policy within the aws_iam_policy resource.

Describe the solution you would like

Adjust the policies from this to this format and then pass it to the source_policy_documents parameter like this.

Describe alternatives you have considered

N/A

Additional context

Support ElastiCache Controller

What is the outcome that you are trying to reach?

Add ElastiCache and an enablement variable similar to other controllers e.g.

enable_rds = true

Describe the solution you would like

Same behavior as the other controllers.

Describe alternatives you have considered

I can probably do this on my own using aws-ia/eks-blueprints-addon/aws, but it'd be nice if it supported it already. 👯

Add ACK Amazon Managed service for Prometheus controller

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

Hi, I'd like to add the ability to install the ACK Amazon Managed service for Prometheus controller.
This would allow users to create Amazon Managed service for Prometheus resources (AlertManagerDefinition, RuleGroupsNamespace, Workspace) with ACK.

Describe the solution you would like

Nothing fancy, following the same pattern as the other controllers is the way.

Add ACK mq controller

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

Ability to install the ACK mq controller

This will allow creating Amazon MQ brokers (RabbitMQ or ActiveMQ)

Describe the solution you would like

Follow the same pattern as the other controllers

Add Argo CD as an Addon in the Cluster

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

What is the outcome that you are trying to reach?

The goal is to integrate Argo CD as an addon in the cluster, with specific adjustments to ensure it works effectively with ACK related objects and to enhance its overall functionality and performance.

Describe the solution you would like

  1. Adjust Argo CD to correctly track Application resources that contain ACK related objects. docs
  2. Adjust Argo CD built-in health assessment for Kubernetes resources to ensure resources that don't have status don't fail. docs
  3. Adjust Argo CD K8s Client QPS for CRDs growth. post
  4. Enable Argo CD and Redis in high availability (HA) mode.
  5. Add ingress to Argo CD to avoid using network load balancer services.

Describe alternatives you have considered

  • Continuing without Argo CD integration, which limits the cluster's GitOps capabilities and management.

Additional context

Integrating Argo CD as an addon will enhance the cluster's GitOps capabilities, allowing management and deployment of applications. The specific adjustments will ensure compatibility with ACK related objects, improve health assessments, and provide high availability and scalable performance. Adding ingress will simplify access and reduce the dependency on network load balancer services.

Add Application Autoscaling, Cloudfront, Cloudtrail, ECS, EFS, and Kafka controllers

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

Add Application Autoscaling, Cloudfront, Cloudtrail, ECS, EFS, and Kafka controllers.

Describe the solution you would like

Add Application Autoscaling, Cloudfront, Cloudtrail, ECS, EFS, and Kafka controllers.
Each controller should be installed with the latest current version of the helm chart.
Each controller's IRSA permissions should be set to the recommended permissions under config/iam.
Test each controller by deploying one of the resources in test/e2e/resources and post the results in the PR.

Describe alternatives you have considered

N/A

Additional context

This is part of the effort to add all the 42 ACK controllers.

Add IAM, KMS, EC2, ACM, and EKS controllers

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

Add IAM, KMS, EC2, ACM, and EKS controllers.

Describe the solution you would like

Add IAM, KMS, EC2, ACM, and EKS controllers.

Describe alternatives you have considered

None.

Additional context

This is part of the effort to add all the 42 ACK controllers.

Dummy issue

Description

Please provide a clear and concise description of the issue you are encountering, and a reproduction of your configuration (see the examples/* directory for references that you can copy+paste and tailor to match your configs if you are unable to copy your exact configuration). The reproduction MUST be executable by running terraform init && terraform apply without any further changes.

If your request is for a new feature, please use the Feature request template.

  • ✋ I have searched the open/closed issues and my issue is not listed.

โš ๏ธ Note

Before you submit an issue, please perform the following first:

  1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
  2. Re-initialize the project root to pull down modules: terraform init
  3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

  • Module version [Required]:

  • Terraform version:

  • Provider version(s):

Reproduction Code [Required]

Steps to reproduce the behavior:

Expected behavior

Actual behavior

Terminal Output Screenshot(s)

Additional context

Add ECR controller support

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

Hi, I'd like to add the ability to install the ACK Amazon EC2 Container Registry controller.
This would allow users to create Amazon EC2 Container Registry resources (Repository, PullThroughCacheRule) with ACK.

Describe the solution you would like

Nothing fancy, following the same pattern as the other controllers is the way.

ack apigateway role_policies default

Description

Trying to customize the apigatewayv2 Helm installation and IRSA role creation with a minimal configuration fails on the IRSA role_policies, as the lookup default value does not match the key type.

role_policies = lookup(var.apigatewayv2, "role_policies", {
    AmazonAPIGatewayInvokeFullAccess = "${local.iam_role_policy_prefix}/AmazonAPIGatewayInvokeFullAccess"
    AmazonAPIGatewayAdministrator    = "${local.iam_role_policy_prefix}/AmazonAPIGatewayAdministrator"
  })

The default is an object {} while the map element role_policies is not defined afaik.

Versions

  • Module version: 2.2.0

  • Terraform version: 1.6.6

  • Provider version(s):

  • provider registry.terraform.io/gavinbunney/kubectl v1.14.0
  • provider registry.terraform.io/hashicorp/aws v5.8.0
  • provider registry.terraform.io/hashicorp/helm v2.13.1
  • provider registry.terraform.io/hashicorp/kubernetes v2.29.0
  • provider registry.terraform.io/hashicorp/random v3.4.3
  • provider registry.terraform.io/hashicorp/time v0.11.1
  • provider registry.terraform.io/viktorradnai/bcrypt v0.1.2

Reproduction Code [Required]

main.tf:

module "eks_ack_addons" {
  count              = var.enable_eks_ack_addons ? 1 : 0
  source             = "aws-ia/eks-ack-addons/aws"
  version            = "2.2.0"

  # Cluster Info
  cluster_name       = var.eks_cluster_name
  cluster_endpoint = data.aws_eks_cluster.cluster.endpoint
  oidc_provider_arn = var.eks_oidc_provider_arn

  # ECR Credentials
  ecrpublic_username = data.aws_ecrpublic_authorization_token.token.user_name
  ecrpublic_token    = data.aws_ecrpublic_authorization_token.token.password


  enable_apigatewayv2 = var.enable_ack_api_gatewayv2_controller

  apigatewayv2 = var.apigatewayv2

  tags = var.tags
}

apigatewayv2 variable:

apigatewayv2 = {
    chart_version = "1.1.0"
    skip_crds = false
  }

Steps to reproduce the behavior:

terraform plan (with valid variables for eks cluster required vars)

Expected behavior

Helm chart is installed using chart_version, and IRSA role is created with default policies

Actual behavior

Terraform plan fails as the lookup for role policies for apigatewayv2 default return does not match the role_policies key type

Terminal Output Screenshot(s)

╷
│ Error: Invalid function argument
│ 
│   on .terraform/modules/eks_ack_addons/main.tf line 118, in module "apigatewayv2":
│  118:   role_policies = lookup(var.apigatewayv2, "role_policies", {
│  119:     AmazonAPIGatewayInvokeFullAccess = "${local.iam_role_policy_prefix}/AmazonAPIGatewayInvokeFullAccess"
│  120:     AmazonAPIGatewayAdministrator    = "${local.iam_role_policy_prefix}/AmazonAPIGatewayAdministrator"
│  121:   })
│     ├────────────────
│     │ while calling lookup(inputMap, key, default...)
│     │ local.iam_role_policy_prefix is "arn:aws:iam::aws:policy"
│ 
│ Invalid value for "default" parameter: the default value must have the same
│ type as the map elements.

Additional context
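A self-contained reproduction of the type error above together with the usual alternative, added here as an example and not code from the module or the issue author. lookup() converts its first argument to a map and then requires the default to match the element type; when the config object holds scalars such as chart_version and skip_crds, the element type is a string and a map default cannot match. try() on an attribute reference has no such constraint and simply falls back when the attribute is absent. The variable declaration is constructed for the example; the prefix value is the one shown in the issue's error output.

```hcl
# Added example (not the module's code): why lookup() rejects the default,
# and a try()-based fallback that accepts a minimal config object.

variable "apigatewayv2" {
  description = "ACK API gateway v2 Helm Chart config"
  type        = any
  # Constructed input matching the issue: no role_policies key, mixed scalar types
  default = {
    chart_version = "1.1.0"
    skip_crds     = false
  }
}

locals {
  iam_role_policy_prefix = "arn:aws:iam::aws:policy" # value reported in the issue's error output

  default_role_policies = {
    AmazonAPIGatewayInvokeFullAccess = "${local.iam_role_policy_prefix}/AmazonAPIGatewayInvokeFullAccess"
    AmazonAPIGatewayAdministrator    = "${local.iam_role_policy_prefix}/AmazonAPIGatewayAdministrator"
  }

  # Fails to plan with the error quoted above: the object is converted to a map
  # whose elements are strings, and the map default has a different type.
  # role_policies_broken = lookup(var.apigatewayv2, "role_policies", local.default_role_policies)

  # Plans: the attribute reference errors when role_policies is absent and
  # try() returns the default map; when the caller supplies role_policies,
  # that map is used as-is and the default is not merged in.
  role_policies = try(var.apigatewayv2.role_policies, local.default_role_policies)
}

output "role_policies" {
  value = local.role_policies
}
```

Running terraform plan with the constructed default yields the two-entry default map; passing a config with role_policies set (for example to a single customer-managed policy ARN) yields exactly that map, which is the behaviour a caller relies on when scoping a controller's permissions.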

Housekeeping and General Updates

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

What is the outcome that you are trying to reach?

Keep the repo up to date and follow recommendations for installing the ACK controllers in the ack-system namespace.

Describe the solution you would like

  1. Update all the modules used in the ACK deployment.
  2. Update all the providers to their latest versions.
  3. Update the EKS version to the latest supported release.
  4. Add aliases in the output command for better clarity and usability.
  5. Controllers should install in ack-system namespace by default, update main.tf defaults from local.<controller_name> to "ack-system"

Describe alternatives you have considered

No alternatives have been considered.

Additional context

These changes will keep the repository updated.

Add EKS controller support

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

Hi, I'd like to add the ability to install the ACK Amazon Elastic Kubernetes Service controller.
This would allow users to create Amazon Elastic Kubernetes Service resources (Cluster, Addon, NodeGroup, FargateProfile) with ACK.

Describe the solution you would like

Nothing fancy, following the same pattern as the other controllers is the way.

Additional context

I'm using my fork of terraform-aws-eks-ack-addons with the terraform-aws-eks-blueprints.
You can see its changes here, but I'll outline them in this issue too.

module "eks_blueprints_ack_addons" {
  source = "github.com/pdemagny/terraform-aws-eks-ack-addons?ref=feat-eks-support"

  cluster_id = module.eks_blueprints.eks_cluster_id
  # Wait for data plane to be ready
  data_plane_wait_arn = module.eks_blueprints.managed_node_group_arn[0]

  enable_api_gatewayv2 = false
  enable_dynamodb      = false
  enable_s3            = false
  enable_rds           = false
  enable_amp           = false
  enable_eks           = true

  tags = local.tags
}

This controller requires paying more attention to the IRSA settings, as no single pre-existing IAM policy covers the permissions needed to create all its resources.

The recommended inline policy from ACK is not enough either ... If you want to create NodeGroups or FargateProfiles, you need more permissions.
Hence the addition of the inline policies.

Here is what I've come up with after testing every resource:

################################################################################
# Elastic Kubernetes Service
################################################################################

locals {
  eks_name = "ack-eks"
}

module "eks" {
  source = "github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons/helm-addon?ref=v4.12.2"

  count = var.enable_eks ? 1 : 0

  helm_config = merge(
    {
      name             = local.eks_name
      chart            = "eks-chart"
      repository       = "oci://public.ecr.aws/aws-controllers-k8s"
      version          = "v0.1.7"
      namespace        = local.eks_name
      create_namespace = true
      description      = "ACK eks Controller v2 Helm chart deployment configuration"
      values = [
        # shortens pod name from `ack-eks-eks-chart-xxxxxxxxxxxxx` to `ack-eks-xxxxxxxxxxxxx`
        <<-EOT
          nameOverride: ack-eks
        EOT
      ]
    },
    var.eks_helm_config
  )

  set_values = [
    {
      name  = "serviceAccount.name"
      value = local.eks_name
    },
    {
      name  = "serviceAccount.create"
      value = false
    },
    {
      name  = "aws.region"
      value = local.region
    }
  ]

  irsa_config = {
    create_kubernetes_namespace = true
    kubernetes_namespace        = try(var.eks_helm_config.namespace, local.eks_name)

    create_kubernetes_service_account = true
    kubernetes_service_account        = local.eks_name

    irsa_iam_policies = [aws_iam_policy.ack_eks_policy[0].arn, data.aws_iam_policy.eks[0].arn]
  }

  addon_context = local.addon_context
}

resource "aws_iam_policy" "ack_eks_policy" {
  count = var.enable_eks ? 1 : 0

  name        = "${local.cluster_id}-ack-eks-sa-policy"
  description = "IAM policy for ${local.eks_name} Service Account"
  path        = "/"
  policy      = data.aws_iam_policy_document.ack_eks_policy_document[0].json

  tags = local.tags
}

data "aws_iam_policy_document" "ack_eks_policy_document" {
  count = var.enable_eks ? 1 : 0

  statement {
    sid       = "ACKEKSPolicy1" # Recommended ACK inline Policy, see https://github.com/aws-controllers-k8s/eks-controller/blob/main/config/iam/recommended-inline-policy
    effect    = "Allow"
    actions   = ["eks:*"]
    resources = ["*"]
  }

  statement {
    sid    = "ACKEKSPolicy2" # iam:GetRole is required to create NodeGroups and iam:CreateServiceLinkedRole is required to create FargateProfiles
    effect = "Allow"
    actions = [
      "iam:GetRole",
      "iam:CreateServiceLinkedRole"
    ]
    resources = ["*"]
  }

  statement {
    sid       = "ACKEKSPolicy3" # Required to create NodeGroups
    effect    = "Allow"
    actions   = ["iam:PassRole"]
    resources = ["*"]

    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["eks.amazonaws.com"]
    }
  }
}

data "aws_iam_policy" "eks" {
  count = var.enable_eks ? 1 : 0

  name = "AmazonEKSServicePolicy"
}

Here are my test results:

EKS

Cluster

apiVersion: eks.services.k8s.aws/v1alpha1
kind: Cluster
metadata:
  name: my-ack-test-cluster
spec:
  name: my-ack-test-cluster
  roleARN: arn:aws:iam::<REDACTED>:role/crossplane-ack-meetup-cluster-role
  resourcesVPCConfig:
    endpointPrivateAccess: true
    endpointPublicAccess: true
    subnetIDs:
      - "subnet-02421b2bc404c9324"
      - "subnet-0604d52bdcb46e8b6"

2022-12-01T13:37:10.936Z INFO ackrt created new resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Cluster", "namespace": "default", "name": "my-ack-test-cluster", "is_adopted": false, "generation": 1}

Addon

apiVersion: eks.services.k8s.aws/v1alpha1
kind: Addon
metadata:
  name: vpc-cni
spec:
  name: vpc-cni
  addonVersion: "v1.12.0-eksbuild.1"
  clusterName: my-ack-test-cluster
  resolveConflicts: "OVERWRITE"
---
apiVersion: eks.services.k8s.aws/v1alpha1
kind: Addon
metadata:
  name: coredns
spec:
  name: coredns
  addonVersion: "v1.8.7-eksbuild.3"
  clusterName: my-ack-test-cluster
  resolveConflicts: "OVERWRITE"
---
apiVersion: eks.services.k8s.aws/v1alpha1
kind: Addon
metadata:
  name: kube-proxy
spec:
  name: kube-proxy
  addonVersion: "v1.23.13-eksbuild.2"
  clusterName: my-ack-test-cluster
  resolveConflicts: "OVERWRITE"

2022-12-01T15:16:11.236Z INFO ackrt created new resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Addon", "namespace": "default", "name": "vpc-cni", "is_adopted": false, "generation": 1}
2022-12-01T15:16:11.950Z INFO ackrt created new resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Addon", "namespace": "default", "name": "coredns", "is_adopted": false, "generation": 1}
2022-12-01T15:16:12.802Z INFO ackrt created new resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Addon", "namespace": "default", "name": "kube-proxy", "is_adopted": false, "generation": 1}

NodeGroup

apiVersion: eks.services.k8s.aws/v1alpha1
kind: Nodegroup
metadata:
  name: my-ack-test-ng
spec:
  name: my-ack-test-ng
  clusterName: my-ack-test-cluster
  subnets:
    - "subnet-02421b2bc404c9324"
    - "subnet-0604d52bdcb46e8b6"
  nodeRole: arn:aws:iam::<REDACTED>:role/crossplane-ack-meetup-cluster-role
  scalingConfig:
    minSize: 1
    maxSize: 1
    desiredSize: 1

2022-12-01T15:23:06.006Z INFO ackrt created new resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Nodegroup", "namespace": "default", "name": "my-ack-test-ng", "is_adopted": false, "generation": 1}
2022-12-01T15:51:13.894Z INFO ackrt deleted resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Nodegroup", "namespace": "default", "name": "my-ack-test-ng", "generation": 3}

FargateProfile

โฏ cat pod-execution-role-trust-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:eks:eu-west-1:<REDACTED>:fargateprofile/my-ack-test-cluster/*"
        }
      },
      "Principal": {
        "Service": "eks-fargate-pods.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
โฏ aws iam create-role \       
  --role-name AmazonEKSFargatePodExecutionRole \
  --assume-role-policy-document file://"pod-execution-role-trust-policy.json"
โฏ aws iam attach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy \
  --role-name AmazonEKSFargatePodExecutionRole
apiVersion: eks.services.k8s.aws/v1alpha1
kind: FargateProfile
metadata:
  name: my-ack-test-profile
spec:
  name: my-ack-test-profile
  clusterName: my-ack-test-cluster
  podExecutionRoleARN: arn:aws:iam::<REDACTED>:role/AmazonEKSFargatePodExecutionRole
  subnets:
    - "subnet-087c10af4f1bc624b"
    - "subnet-0f29941bb08e3c58a"
  selectors:
    - namespace: default

2022-12-01T21:07:24.631Z INFO ackrt created new resource {"account": "", "role": "", "region": "eu-west-1", "kind": "FargateProfile", "namespace": "default", "name": "my-ack-test-profile", "is_adopted": false, "generation": 1}
2022-12-01T21:11:29.696Z INFO ackrt deleted resource {"account": "", "role": "", "region": "eu-west-1", "kind": "FargateProfile", "namespace": "default", "name": "my-ack-test-profile", "generation": 2}

In the end, the created NodeGroup can't join the created Cluster because the aws-auth ConfigMap, and thus the RBAC mapping, is missing, and because the security group rules are missing too.
But strictly on the controller side, the create & delete actions are allowed with this set of IAM permissions.

I'm proposing these changes in #34

I'm also going to propose the change in recommended iam policy upstream.

Add Kinesis, CloudWatch Logs and Network Firewall controllers

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

Add Kinesis, CloudWatch Logs and Network Firewall controllers.

Describe the solution you would like

Add Kinesis, CloudWatch Logs and Network Firewall controllers.
Each controller should be installed with the latest current version of the Helm chart.
Each controller's IRSA permissions should be set to the recommended permissions under config/iam.
Test each controller by deploying one of the resources under test/e2e/resources and post the results in the PR.

Describe alternatives you have considered

N/A

Additional context

This is part of the effort to add all the 42 ACK controllers.

Add Fully Private Deployment Pattern

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

What is the outcome that you are trying to reach?

Many customers require a fully private deployment for security reasons. The goal is to provide a pattern that supports this need by including examples and configurations for a fully private ACK deployment using Terraform.

Describe the solution you would like

This issue aims to add a fully private pattern to the existing examples. The pattern would include:

  • An EKS cluster with a private endpoint example (doc).
  • Additional cluster security group rules allowing private communication.
  • ECR pull through cache to ensure images come from a private ECR instead of the internet (example).
  • Addons with private images and proxy examples.
  • VPC endpoints to ensure ACK can communicate with AWS services that have endpoints available (example).
  • Documentation on how to communicate with services that do not provide endpoints, such as IAM.

Describe alternatives you have considered

  • Continuing with the current public deployment patterns, which do not meet the security requirements of many customers.

Additional context

This new pattern will help address the security concerns of customers who require fully private deployments. It will provide comprehensive examples and configurations to ensure all components can operate within a private network environment, aligning with best practices for security and compliance.

Add Lambda, SQS, and SNS controllers

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

Add Lambda, SQS, and SNS controllers.

Describe the solution you would like

Add Lambda, SQS, and SNS controllers.

Describe alternatives you have considered

None.

Additional context

This is part of the effort to add all the 42 ACK controllers.

Add Keyspaces, CloudWatch, MQ, Organizations, Route 53, Route 53 Resolver and Secrets Manager Controllers

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

Add Keyspaces, CloudWatch, MQ, Organizations, Route 53, Route 53 Resolver and Secrets Manager controllers.

Describe the solution you would like

Add Keyspaces, CloudWatch, MQ, Organizations, Route 53, Route 53 Resolver and Secrets Manager controllers.
Each controller should be installed with the latest current version of the Helm chart.
Each controller's IRSA permissions should be set to the recommended permissions under config/iam.
Test each controller by deploying one of the resources under test/e2e/resources and post the results in the PR.

Describe alternatives you have considered

N/A

Additional context

This is part of the effort to add all the 42 ACK controllers.

sample app doesn't have health endpoint

Description

When inspecting the target group for the load balancer, I noticed that the pod is unhealthy.

[image: screenshot of the target group health status]

If your request is for a new feature, please use the Feature request template.

  • ✋ I have searched the open/closed issues and my issue is not listed.

Add SageMaker, ECR, MemoryDB, and OpenSearch controllers

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

Add SageMaker, ECR, MemoryDB, and OpenSearch controllers.

Describe the solution you would like

Add SageMaker, ECR, MemoryDB, and OpenSearch controllers.
Each controller should be installed with the latest current version of the Helm chart.
Each controller's IRSA permissions should be set to the recommended permissions under config/iam.
Test each controller by deploying one of the resources under test/e2e/resources and post the results in the PR.

Describe alternatives you have considered

None.

Additional context

This is part of the effort to add all the 42 ACK controllers.

`Invalid index` error when emrcontainers or step functions (sfn) are not enabled

Description

If, using the existing example, you disable the emrcontainers and/or step functions as follows:

# Controllers to enable
# ... other parts elided
enable_emrcontainers = false
enable_sfn = false

Then Terraform responds with the following output:

│ Error: Invalid index
│ 
│   on .terraform/modules/eks_ack_addons/main.tf line 592, in module "emrcontainers":
│  592:     AmazonEmrContainers = aws_iam_policy.emrcontainers[0].arn
│     ├────────────────
│     │ aws_iam_policy.emrcontainers is empty tuple
│ 
│ The given key does not identify an element in this collection value: the collection has no elements.
╵
╷
│ Error: Invalid index
│ 
│   on .terraform/modules/eks_ack_addons/main.tf line 773, in module "sfn":
│  773:     AWSStepFunctionsIamPassRole = aws_iam_policy.sfnpasspolicy[0].arn
│     ├────────────────
│     │ aws_iam_policy.sfnpasspolicy is empty tuple
│ 
│ The given key does not identify an element in this collection value: the collection has no elements.

This is always reproducible with v2.0.0 of the provider (latest at time of writing).

  • ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version: v2.0.0

  • Terraform version: 1.5.2

  • Provider version(s):

Terraform v1.5.2
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v5.6.2
+ provider registry.terraform.io/hashicorp/helm v2.10.1
+ provider registry.terraform.io/hashicorp/kubernetes v2.21.1

Reproduction Code

See example above in the description.
This is verifiable with the example code in this repository.

Expected behavior

Resources to be provisioned

Actual behavior

Error reported as above.

Terminal Output Screenshot(s)

Error reported as above.

Additional context

I believe this can easily be solved either by a conditional assignment, e.g.

AmazonEmrContainers = var.enable_emrcontainers ? aws_iam_policy.emrcontainers[0].arn : null

or by the use of try():

AmazonEmrContainers = try(aws_iam_policy.emrcontainers[0].arn, null)

Rename examples folder to test to match addons repo

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

Rename examples folder to test to match addons repo

Describe the solution you would like

Describe alternatives you have considered

Additional context

Add support for GitOps-Bridge

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

Ability to include ACK Addons when using the EKS Blueprints GitOps-Bridge

Describe the solution you would like

Implement similar support as the EKS Blueprints GitOps-Bridge like aws-ia/terraform-aws-eks-blueprints-addons#209

Describe alternatives you have considered

N/A

Additional context

This has been implemented in the ArgoCD on Amazon EKS Workshop here: https://github.com/aws-samples/argocd-on-amazon-eks-workshop/blob/riv23/terraform/spokes/main.tf#L229-L254

The integration will look like this with the new variable create_kubernetes_resources = false:

################################################################################
# EKS ACK Addons
################################################################################
module "eks_ack_addons" {
  source = "github.com/csantanapr/terraform-aws-eks-ack-addons?ref=gitops-bridge"

  cluster_name      = module.eks.cluster_name
  cluster_endpoint  = module.eks.cluster_endpoint
  oidc_provider_arn = module.eks.oidc_provider_arn

  # Using GitOps Bridge
  create_kubernetes_resources = false

  # ACK Controllers to enable
  enable_apigatewayv2      = try(local.aws_addons.enable_ack_apigatewayv2, false)
  enable_dynamodb          = try(local.aws_addons.enable_ack_dynamodb, false)
  enable_s3                = try(local.aws_addons.enable_ack_s3, false)
  enable_rds               = try(local.aws_addons.enable_ack_rds, false)
  enable_prometheusservice = try(local.aws_addons.enable_ack_prometheusservice, false)
  enable_emrcontainers     = try(local.aws_addons.enable_ack_emrcontainers, false)
  enable_sfn               = try(local.aws_addons.enable_ack_sfn, false)
  enable_eventbridge       = try(local.aws_addons.enable_ack_eventbridge, false)

  tags = local.tags
}

Add KMS controller support

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

Hi, I'd like to add the ability to install the ACK AWS Key Management Service (KMS) controller.
This would allow users to create AWS Key Management Service (KMS) resources (Key, Alias, Grant) with ACK.

Describe the solution you would like

Nothing fancy, following the same pattern as the other controllers is the way.

Additional context

I'm using my fork of terraform-aws-eks-ack-addons with the terraform-aws-eks-blueprints.
You can see its changes here, but I'll outline them in this issue too.

module "eks_blueprints_ack_addons" {
  source = "github.com/pdemagny/terraform-aws-eks-ack-addons?ref=feat-kms-support"

  cluster_id = module.eks_blueprints.eks_cluster_id
  # Wait for data plane to be ready
  data_plane_wait_arn = module.eks_blueprints.managed_node_group_arn[0]

  enable_api_gatewayv2 = false
  enable_dynamodb      = false
  enable_s3            = false
  enable_rds           = false
  enable_amp           = false
  enable_kms           = true

  tags = local.tags
}

This controller requires paying more attention to the IRSA settings, as no single pre-existing IAM policy covers the permissions needed to create all its resources.

The recommended inline policy from ACK is not enough ... If you want to delete or rotate keys, or create and revoke grants, you need more permissions.
Hence the addition of the inline policies.

Here is what I've come up with after testing every resource:

################################################################################
# Key Management Service
################################################################################

locals {
  kms_name = "ack-kms"
}

module "kms" {
  source = "github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons/helm-addon?ref=v4.12.2"

  count = var.enable_kms ? 1 : 0

  helm_config = merge(
    {
      name             = local.kms_name
      chart            = "kms-chart"
      repository       = "oci://public.ecr.aws/aws-controllers-k8s"
      version          = "v0.1.3"
      namespace        = local.kms_name
      create_namespace = true
      description      = "ACK kms Controller v2 Helm chart deployment configuration"
      values = [
        # shortens pod name from `ack-kms-kms-chart-xxxxxxxxxxxxx` to `ack-kms-xxxxxxxxxxxxx`
        <<-EOT
          nameOverride: ack-kms
        EOT
      ]
    },
    var.kms_helm_config
  )

  set_values = [
    {
      name  = "serviceAccount.name"
      value = local.kms_name
    },
    {
      name  = "serviceAccount.create"
      value = false
    },
    {
      name  = "aws.region"
      value = local.region
    }
  ]

  irsa_config = {
    create_kubernetes_namespace = true
    kubernetes_namespace        = try(var.kms_helm_config.namespace, local.kms_name)

    create_kubernetes_service_account = true
    kubernetes_service_account        = local.kms_name

    irsa_iam_policies = [aws_iam_policy.ack_kms_policy[0].arn, data.aws_iam_policy.kms[0].arn]
  }

  addon_context = local.addon_context
}

resource "aws_iam_policy" "ack_kms_policy" {
  count = var.enable_kms ? 1 : 0

  name        = "${local.cluster_id}-ack-kms-sa-policy"
  description = "IAM policy for ${local.kms_name} Service Account"
  path        = "/"
  policy      = data.aws_iam_policy_document.ack_kms_policy_document[0].json

  tags = local.tags
}

data "aws_iam_policy_document" "ack_kms_policy_document" {
  count = var.enable_kms ? 1 : 0

  statement {
    sid    = "ACKKMSPolicy"
    effect = "Allow"
    actions = [
      "kms:ScheduleKeyDeletion",
      "kms:EnableKeyRotation",
      "kms:CreateGrant",
      "kms:RevokeGrant"
    ]
    resources = ["*"]
  }
}

data "aws_iam_policy" "kms" {
  count = var.enable_kms ? 1 : 0

  name = "AWSKeyManagementServicePowerUser"
}

Here are my test results:

KMS

Key

apiVersion: kms.services.k8s.aws/v1alpha1
kind: Key
metadata:
  name: my-ack-test-key
spec:
  description: a kms key
  enableKeyRotation: true

2022-12-09T13:40:03.389Z INFO ackrt created new resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Key", "namespace": "default", "name": "my-ack-test-key", "is_adopted": false, "generation": 1}
2022-12-09T14:22:03.949Z INFO ackrt deleted resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Key", "namespace": "default", "name": "my-ack-test-key", "generation": 3}

Alias

---
apiVersion: kms.services.k8s.aws/v1alpha1
kind: Alias
metadata:
  name: my-ack-test-key-alias
spec:
  name: alias/my-ack-test-key-alias
  targetKeyRef:
    from:
      name: my-ack-test-key

2022-12-09T13:40:03.547Z INFO ackrt created new resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Alias", "namespace": "default", "name": "my-ack-test-key-alias", "is_adopted": false, "generation": 1}
2022-12-09T14:22:03.936Z INFO ackrt deleted resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Alias", "namespace": "default", "name": "my-ack-test-key-alias", "generation": 2}

Grant

apiVersion: kms.services.k8s.aws/v1alpha1
kind: Grant
metadata:
  name: my-ack-test-grant
spec:
  granteePrincipal: arn:aws:iam::<REDACTED>:user/<REDACTED>
  keyID: <REDACTED>
  name: my-ack-test-grant
  operations:
    - Encrypt
  retiringPrincipal: arn:aws:iam::<REDACTED>:user/<REDACTED>

2022-12-09T14:05:21.758Z INFO ackrt created new resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Grant", "namespace": "default", "name": "my-ack-test-grant", "is_adopted": false, "generation": 1}
2022-12-09T14:11:07.860Z INFO ackrt deleted resource {"account": "", "role": "", "region": "eu-west-1", "kind": "Grant", "namespace": "default", "name": "my-ack-test-grant", "generation": 3}

I'm proposing this change in #35

I'm also going to propose the change in recommended iam policy upstream.
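Both this KMS issue and the EKS controller issue above extend the ACK recommended inline policy with statements that allow actions on Resource "*". The following Python lint is an added example, not code from this module or from the ACK project; it takes IAM policy documents as Python dicts and flags the patterns a reviewer checks before attaching such a policy to a controller's service account: iam:PassRole on "*" without an iam:PassedToService condition, service-wide wildcard actions such as eks:*, and a few high-impact KMS actions allowed on every key without any Condition. The two policy dicts are constructed to mirror the statements shown in the two issues, and the set of high-impact actions is an assumption made for this example.

```python
"""Lint IAM policy documents for the patterns discussed in the EKS and KMS
controller issues.  Added example; the policies below are constructed to
mirror those issues and HIGH_IMPACT_ACTIONS is an assumed list."""
import copy

# KMS actions that are irreversible or hand access to other principals;
# flagged when allowed on Resource "*" with no Condition at all (assumed list).
HIGH_IMPACT_ACTIONS = {"kms:ScheduleKeyDeletion", "kms:CreateGrant", "kms:RevokeGrant"}


def _as_list(value):
    """IAM accepts either a string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (sid, code, detail) findings for one IAM policy document (dict)."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        sid = stmt.get("Sid", "<no sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        condition = stmt.get("Condition") or {}
        on_everything = "*" in resources
        # The condition key may sit under StringEquals, StringLike, ... so look
        # through every operator block for iam:PassedToService.
        scoped_to_service = any("iam:PassedToService" in keys for keys in condition.values())
        for action in actions:
            if action == "iam:PassRole":
                # Unscoped PassRole lets the controller hand any role in the
                # account to any service; the EKS issue scopes it to EKS.
                if on_everything and not scoped_to_service:
                    findings.append((sid, "passrole-unscoped",
                                     "iam:PassRole on * without an iam:PassedToService condition"))
            elif action == "*" or action.endswith(":*"):
                if on_everything:
                    findings.append((sid, "wildcard-action", f"{action} allowed on *"))
            elif action in HIGH_IMPACT_ACTIONS and on_everything and not condition:
                findings.append((sid, "high-impact-wildcard",
                                 f"{action} allowed on * without a Condition"))
    return findings


def strip_conditions(policy):
    """Copy of the policy with every Condition removed (models a careless edit)."""
    clone = copy.deepcopy(policy)
    for stmt in _as_list(clone.get("Statement")):
        stmt.pop("Condition", None)
    return clone


# Constructed to mirror the three statements in the EKS controller issue.
ACK_EKS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ACKEKSPolicy1", "Effect": "Allow", "Action": ["eks:*"], "Resource": "*"},
        {"Sid": "ACKEKSPolicy2", "Effect": "Allow",
         "Action": ["iam:GetRole", "iam:CreateServiceLinkedRole"], "Resource": "*"},
        {"Sid": "ACKEKSPolicy3", "Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*",
         "Condition": {"StringEquals": {"iam:PassedToService": "eks.amazonaws.com"}}},
    ],
}

# Constructed to mirror the single statement in the KMS controller issue.
ACK_KMS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ACKKMSPolicy", "Effect": "Allow",
         "Action": ["kms:ScheduleKeyDeletion", "kms:EnableKeyRotation",
                    "kms:CreateGrant", "kms:RevokeGrant"],
         "Resource": "*"},
    ],
}


if __name__ == "__main__":
    cases = [
        ("ack-eks", ACK_EKS_POLICY),
        ("ack-eks (conditions stripped)", strip_conditions(ACK_EKS_POLICY)),
        ("ack-kms", ACK_KMS_POLICY),
    ]
    for name, pol in cases:
        print(f"== {name}")
        for sid, code, detail in lint_policy(pol):
            print(f"  {sid:<14} {code:<22} {detail}")
```

Run as a script it reports one finding for the EKS policy (the eks:* statement), a second one once the PassedToService condition is dropped, and three for the KMS policy. The findings are review prompts rather than verdicts: the eks:* grant is what ACK documents as its recommended inline policy, and the KMS actions are exactly the ones the issue found necessary, so the decision is whether to accept them on "*" or narrow the Resource to specific key or cluster ARNs.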

Add link to source code of sample application container

Description

Document the location of the source code for the sample application.
There is a container victorgucanada/new-dynamo-nodejs:latest being referenced, but no link to a GitHub repo that contains the code.
If the code is only a couple of lines, I would just embed it into the deployment YAML.

  • ✋ I have searched the open/closed issues and my issue is not listed.

Add Option to Deploy Addons with IRSA or Pod Identity Association

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

What is the outcome that you are trying to reach?

The goal is to provide users with the flexibility to choose between deploying addons with IRSA (IAM Roles for Service Accounts) or EKS Pod Identity Association. Currently, each addon has its own IRSA, which is the expected behavior.

Describe the solution you would like

Implement a logic that by default deploys the addons using IRSA. However, if a variable like create_pod_identity_association is set to true, the addons should be deployed using Pod Identity Association instead. This would give users the option to choose the method that best suits their needs.

Here is a fully working example that demonstrates this implementation.

Describe alternatives you have considered

  • Creating separate configurations for IRSA and Pod Identity, but this could lead to redundancy and complexity in managing the configurations.

Additional context

This new logic will help users who prefer to use EKS Pod Identity for their addons, offering a more flexible and customizable deployment approach. It will ensure that the default behavior remains consistent with current expectations while providing an easy way to switch to Pod Identity if desired.