# Platform for AWS

Deploys the Flightdeck Platform to an EKS cluster on AWS.

The following components are included:

Appropriate IAM roles for service accounts are configured for Prometheus, Cluster Autoscaler, Cert Manager, External DNS, and Fluent Bit.

## Deployment

You need a compatible EKS cluster to deploy the platform for AWS. You can use the cluster module to create compatible EKS clusters.

```hcl
module "workload_platform" {
  source = "github.com/thoughtbot/flightdeck//aws/workload-platform?ref=v0.5.0"

  # Name of the EKS cluster to which the platform will be deployed
  cluster_name = "example-production-v1"

  # These roles will be added to the `aws-auth` ConfigMap as admins.
  # See the [EKS IAM documentation] for more information.
  admin_roles = ["arn:aws:iam::123456789012:role/devops"]

  # An Istio ingress gateway is created as part of the platform. Domains listed
  # here will be added to the gateway and certificate.
  domain_names = ["example.com", "www.example.com"]

  # Any tags you want to add to created resources like IAM roles.
  aws_tags = { Module = "platform/production-v1" }
}

# The Helm and Kubernetes providers must be set up to connect to your cluster.

provider "helm" {
  kubernetes {
    host                   = data.aws_eks_cluster.this.endpoint
    cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority[0].data)
    token                  = data.aws_eks_cluster_auth.kubernetes.token
  }
}

provider "kubernetes" {
  host                   = data.aws_eks_cluster.this.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority[0].data)
  token                  = data.aws_eks_cluster_auth.kubernetes.token
}

data "aws_eks_cluster_auth" "kubernetes" {
  name = data.aws_eks_cluster.this.name
}

data "aws_eks_cluster" "this" {
  name = "example-production-v1"
}
```

## Preventing Cluster Lockout

You are required to pass at least one role to be designated as a cluster administrator role. However, in case this role somehow loses admin privileges in the cluster, Flightdeck creates a special "breakglass" role you can use to regain access. This role is disabled by default and is always added as an admin regardless of what other roles you provide.

If you have the following cluster:

```hcl
module "workload_platform" {
  source = "github.com/thoughtbot/flightdeck//aws/platform?ref=v0.6.0"

  # Name of the EKS cluster to which the platform will be deployed
  cluster_name = "example-production-v1"
}
```

The role will be named "example-production-v1-breakglass" and is disabled by default. To enable it, change the "Enabled" tag on the role to "True":

```shell
aws iam tag-role \
  --role-name example-production-v1-breakglass \
  --tags Key=Enabled,Value=True
```

You can then use it to manually edit the aws-auth ConfigMap:

```shell
% aws eks update-kubeconfig \
  --name example-production-v1 \
  --alias breakglass \
  --role-arn arn:aws:iam::ACCOUNT_ID:role/example-production-v1-breakglass
% kubectl edit -n kube-system configmap aws-auth
```
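Because the breakglass role is switched on by a single `TagRole` call, the event that enables it is worth alerting on. The following Python is an added detection example, not Flightdeck code: it scans CloudTrail records for `TagRole` calls that set `Enabled=True` on a role named `<cluster_name>-breakglass`. The record layout is assumed to follow CloudTrail's logging of the IAM TagRole API (`roleName`, `tags[{key,value}]`), and the sample records are constructed.

```python
"""Alert when a Flightdeck breakglass IAM role is switched on via its tag.

Added example, not Flightdeck code. Record shape follows the IAM TagRole API as
CloudTrail logs it (roleName, tags[{key,value}]); sample records are constructed."""
from typing import Iterable, List

BREAKGLASS_SUFFIX = "-breakglass"  # Flightdeck names the role <cluster_name>-breakglass


def is_breakglass_role(role_name: str) -> bool:
    return role_name.endswith(BREAKGLASS_SUFFIX)


def breakglass_enabled(tags: Iterable[dict]) -> bool:
    """True when the tag set turns the role on (Enabled=True). Accepts IAM API
    casing (Key/Value) and CloudTrail casing (key/value); value match is case-insensitive."""
    for tag in tags:
        t = {k.lower(): v for k, v in tag.items()}
        if t.get("key") == "Enabled" and str(t.get("value")).lower() == "true":
            return True
    return False


def find_breakglass_enables(records: Iterable[dict]) -> List[dict]:
    """Return TagRole records that enable a breakglass role, with actor and time."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com" or rec.get("eventName") != "TagRole":
            continue
        params = rec.get("requestParameters") or {}
        role = params.get("roleName", "")
        if is_breakglass_role(role) and breakglass_enabled(params.get("tags", [])):
            hits.append({"role": role, "time": rec.get("eventTime"),
                         "principal": (rec.get("userIdentity") or {}).get("arn")})
    return hits


# Constructed sample: a routine tag on another role, then the breakglass enable.
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "TagRole", "eventTime": "2024-01-01T09:00:00Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/devops"},
     "requestParameters": {"roleName": "devops", "tags": [{"key": "Module", "value": "platform"}]}},
    {"eventSource": "iam.amazonaws.com", "eventName": "TagRole", "eventTime": "2024-01-01T09:05:00Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/devops"},
     "requestParameters": {"roleName": "example-production-v1-breakglass",
                           "tags": [{"key": "Enabled", "value": "True"}]}},
]

if __name__ == "__main__":
    print(find_breakglass_enables(SAMPLE_RECORDS))
```

The same `breakglass_enabled` check, run against the tags returned by `aws iam list-role-tags`, tells you whether a role was left enabled after an incident.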

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.14.8 |
| aws | ~> 5.0 |

## Providers

| Name | Version |
|------|---------|
| aws | ~> 5.0 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| auth_config_map | ./modules/auth-config-map | n/a |
| aws_ebs_csi_driver | ./modules/aws-ebs-csi-driver | n/a |
| aws_load_balancer_controller | ./modules/load-balancer-controller | n/a |
| cloudwatch_logs | ./modules/cloudwatch-logs | n/a |
| cluster_autoscaler_service_account_role | ./modules/cluster-autoscaler-service-account-role | n/a |
| cluster_name | ../cluster-name | n/a |
| common_platform | ../../platform | n/a |
| dns_service_account_role | ./modules/dns-service-account-role | n/a |
| ebs_csi_driver_service_account_role | ./modules/ebs-csi-driver-service-account-role | n/a |
| network | ../network-data | n/a |
| prometheus_service_account_role | ./modules/prometheus-service-account-role | n/a |
| secrets_store_provider | ./modules/secrets-store-provider | n/a |

## Resources

| Name | Type |
|------|------|
| aws_caller_identity.this | data source |
| aws_region.current | data source |
| aws_route53_zone.managed | data source |
| aws_ssm_parameter.node_role_arn | data source |
| aws_ssm_parameter.oidc_issuer | data source |
| aws_ssm_parameter.opsgenie_api_key | data source |
| aws_ssm_parameter.pagerduty_routing_key | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| admin_roles | Additional IAM roles which have admin cluster privileges | list(string) | n/a | yes |
| aws_ebs_csi_driver_values | Overrides to pass to the Helm chart | list(string) | [] | no |
| aws_ebs_csi_driver_version | Version of the EBS CSI driver to install | string | null | no |
| aws_load_balancer_controller_values | Overrides to pass to the Helm chart | list(string) | [] | no |
| aws_load_balancer_controller_version | Version of aws-load-balancer-controller to install | string | null | no |
| aws_namespace | Prefix to be applied to created AWS resources | list(string) | [] | no |
| aws_tags | Tags to be applied to created AWS resources | map(string) | {} | no |
| cert_manager_values | Overrides to pass to the Helm chart | list(string) | [] | no |
| certificate_issuer | YAML spec for certificate issuer; defaults to self-signed | string | null | no |
| cluster_autoscaler_values | Overrides to pass to the Helm chart | list(string) | [] | no |
| cluster_name | Name of the EKS cluster | string | n/a | yes |
| custom_groups | List of custom RBAC groups to be assigned to an IAM role for custom cluster privileges | map(list(string)) | {} | no |
| custom_roles | Additional IAM roles which have custom cluster privileges | map(string) | {} | no |
| domain_names | Domains which are allowed in this cluster | list(string) | [] | no |
| external_dns_enabled | Set to true to enable External DNS | bool | false | no |
| external_dns_values | Overrides to pass to the Helm chart | list(string) | [] | no |
| federated_prometheus_values | Overrides to pass to the Helm chart | list(string) | [] | no |
| flightdeck_prometheus_values | Overrides to pass to the Helm chart | list(string) | [] | no |
| fluent_bit_enable_kubernetes_annotations | Set to true to add Kubernetes annotations to log output | bool | false | no |
| fluent_bit_enable_kubernetes_labels | Set to true to add Kubernetes labels to log output | bool | false | no |
| fluent_bit_values | Overrides to pass to the Helm chart | list(string) | [] | no |
| hosted_zones | Hosted zones this cluster is allowed to update | list(string) | [] | no |
| istio_base_values | Overrides to pass to the Helm chart | list(string) | [] | no |
| istio_ingress_values | Overrides to pass to the Helm chart | list(string) | [] | no |
| istiod_values | Overrides to pass to the Helm chart | list(string) | [] | no |
| k8s_namespace | Kubernetes namespace in which resources should be created | string | "flightdeck" | no |
| logs_prefix | Prefix for CloudWatch log groups | string | "/flightdeck" | no |
| logs_retention_in_days | Number of days for which logs should be retained | number | 30 | no |
| logs_skip_destroy | Set to false to destroy the log group with the platform | bool | true | no |
| metrics_server_values | Overrides to pass to the Helm chart | list(string) | [] | no |
| metrics_server_version | Version of the Metrics Server to install | string | null | no |
| monitoring_account_id | ID of the account in which monitoring resources are found | string | null | no |
| node_roles | Additional node roles which can join the cluster | list(string) | [] | no |
| opsgenie_parameter | SSM parameter containing the OpsGenie API key | string | null | no |
| pagerduty_parameter | SSM parameter containing the PagerDuty routing key | string | null | no |
| prometheus_adapter_values | Overrides to pass to the Helm chart | list(string) | [] | no |
| prometheus_data_source | Prometheus datasource object with the details required to connect to the Prometheus workspace for centralized ingestion | `object({...})` (attributes listed below) | `{"host": null, "name": null, "query_path": null, "region": null, "role_arn": null, "url": null, "write_path": null}` | no |
| prometheus_operator_values | Overrides to pass to the Helm chart | list(string) | [] | no |
| reloader_values | Overrides to pass to the Helm chart | list(string) | [] | no |
| reloader_version | Version of external-dns to install | string | null | no |
| secret_store_driver_values | Overrides to pass to the Helm chart | list(string) | [] | no |
| secret_store_driver_version | Version of the secret store driver to install | string | null | no |
| secret_store_provider_values | Overrides to pass to the Helm chart | list(string) | [] | no |
| vertical_pod_autoscaler_values | Overrides to pass to the Helm chart | list(string) | [] | no |

The `prometheus_data_source` object type:

```hcl
object({
  # The name of the Prometheus workspace for centralized ingestion
  name = string

  # The Prometheus workspace host.
  # A sample value for AWS managed Prometheus will be aps-workspaces.us-east-1.amazonaws.com
  host = string

  # The Prometheus workspace query path.
  # A sample value for AWS managed Prometheus will be workspaces/ws-xxxxx-xxx-xxx-xxx-xxxxxxx/api/v1/query
  query_path = string

  # The region for the Prometheus workspace created for the centralized ingestion path.
  region = string

  # The ARN of the AWS IAM role enabling this cluster to use the Prometheus workspace for centralized ingestion
  role_arn = string

  # The write path for the Prometheus workspace.
  # A sample value for AWS managed Prometheus will be workspaces/ws-xxxxx-xxx-xxx-xxx-xxxxxxx/api/v1/remote_write
  write_path = string

  # The URL for the Prometheus workspace.
  # A sample value for AWS managed Prometheus will be https://aps-workspaces.us-east-1.amazonaws.com/workspaces/ws-xxxxx-xxx-xxx-xxx-xxxxxxx
  url = string
})
```

## Outputs

| Name | Description |
|------|-------------|
| breakglass_role_arn | ARN for a breakglass role in case of cluster lockout |