Adding documentation.

README.md

@@ -183,6 +183,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 | <a name="input_argocd_applications"></a> [argocd\_applications](#input\_argocd\_applications) | ARGO CD Applications config to bootstrap the cluster | `any` | `{}` | no |
 | <a name="input_argocd_enable"></a> [argocd\_enable](#input\_argocd\_enable) | Enable ARGO CD Kubernetes Addon | `bool` | `false` | no |
 | <a name="input_argocd_helm_chart"></a> [argocd\_helm\_chart](#input\_argocd\_helm\_chart) | ARGO CD Kubernetes Addon Configuration | `any` | `{}` | no |
+| <a name="input_argocd_manage_add_ons"></a> [argocd\_manage\_add\_ons](#input\_argocd\_manage\_add\_ons) | Enables managing add-on configuration via ArgoCD | `bool` | `false` | no |
 | <a name="input_aws_auth_additional_labels"></a> [aws\_auth\_additional\_labels](#input\_aws\_auth\_additional\_labels) | Additional kubernetes labels applied on aws-auth ConfigMap | `map(string)` | `{}` | no |
 | <a name="input_aws_for_fluentbit_enable"></a> [aws\_for\_fluentbit\_enable](#input\_aws\_for\_fluentbit\_enable) | Enabling FluentBit Addon on EKS Worker Nodes | `bool` | `false` | no |
 | <a name="input_aws_for_fluentbit_helm_chart"></a> [aws\_for\_fluentbit\_helm\_chart](#input\_aws\_for\_fluentbit\_helm\_chart) | Helm chart definition for aws\_for\_fluent\_bit | `any` | `{}` | no |

docs/add-ons/argocd.md

@@ -49,3 +49,30 @@ argocd_applications = {
   }
 }
 ```
+
+### Add-ons 
+
+A common operational pattern is to leverage Infrastructure as Code for provisioning EKS clusters (in addition to other AWS resources) and GitOps for managing cluster configuration. The framework provides support for this approach by leveraging the ArgoCD [App of Apps](https://argo-cd.readthedocs.io/en/stable/operator-manual/cluster-bootstrapping/) pattern. 
+
+To configure the framework to leverage ArgoCD for managing add-ons, you must pass configuration for a root ArgoCD Application that points to your desired add-ons. You can specify the root application by setting the `add_on_application` value to true in your application configuration.  
+
+Additionally, you must set the `argocd_manage_add_ons` property to true. When this flag is set, the framework will still provision all AWS resources necessary to support add-on functionality, but it will not apply Helm charts directly via Terraform. Instead, the framework will pass AWS resource values needed for each add-on to ArgoCD via the values map of the root add-on Application. For specific values passed for each add-on, see the individual add-on documentation. 
+
+Sample configuration can be found below: 
+
+```
+argocd_enable           = true
+argocd_manage_add_ons   = true
+argocd_applications     = {
+  infra = {
+    namespace             = "argocd"
+    path                  = "<path>"
+    repo_url              = "<repo_url>"
+    target_revision       = "HEAD"
+    destination           = "https://kubernetes.default.svc"
+    project               = "default"
+    values                = {}
+    add_on_application    = true # Indicates the root add-on application. 
+  }
+}
+```

docs/add-ons/aws-for-fluent-bit.md

@@ -13,3 +13,15 @@ AWS provides a Fluent Bit image with plugins for both CloudWatch Logs and Kinesi
 ```hcl
 aws_for_fluentbit_enable = true
 ```
+
+### GitOps Configuration 
+
+The following properties are made available for use when managing the add-on via GitOps 
+
+```
+awsForFluentBit = {
+  enable       = true
+  logGroupName = "<log_group_name>"
+  logGroupArn  = "<log_group_arn>"
+}
+```
\ No newline at end of file

kubernetes-addons.tf

@@ -51,9 +51,8 @@ module "prometheus" {
   amp_workspace_id                = var.aws_managed_prometheus_enable ? module.aws_managed_prometheus[0].amp_workspace_id : ""
   amp_ingest_role_arn             = var.aws_managed_prometheus_enable ? module.aws_managed_prometheus[0].service_account_amp_ingest_role_arn : ""
   service_account_amp_ingest_name = local.service_account_amp_ingest_name
-  manage_via_gitops               = var.argocd_manage_add_ons
 
-  depends_on                      = [module.aws_eks]
+  depends_on = [module.aws_eks]
 }
 
 module "aws_load_balancer_controller" {
@@ -63,9 +62,8 @@ module "aws_load_balancer_controller" {
   lb_ingress_controller_helm_app = var.aws_lb_ingress_controller_helm_app
   eks_oidc_issuer_url            = module.aws_eks.cluster_oidc_issuer_url
   eks_oidc_provider_arn          = module.aws_eks.oidc_provider_arn
-  manage_via_gitops              = var.argocd_manage_add_ons
-  
-  depends_on                     = [module.aws_eks]
+
+  depends_on = [module.aws_eks]
 }
 
 module "nginx_ingress" {

kubernetes-addons/argocd/README.md

@@ -56,6 +56,7 @@ No modules.
 | <a name="input_argocd_applications"></a> [argocd\_applications](#input\_argocd\_applications) | ARGO CD Applications config to bootstrap the cluster | `any` | `{}` | no |
 | <a name="input_argocd_helm_chart"></a> [argocd\_helm\_chart](#input\_argocd\_helm\_chart) | ArgoCD Helm Chart Config values | `any` | `{}` | no |
 | <a name="input_eks_cluster_name"></a> [eks\_cluster\_name](#input\_eks\_cluster\_name) | Name for the EKS Cluster | `string` | n/a | yes |
+| <a name="input_gitops_add_on_config"></a> [gitops\_add\_on\_config](#input\_gitops\_add\_on\_config) | Configuration for managing add-ons via ArgoCD | `any` | `{}` | no |
 
 ## Outputs
 

kubernetes-addons/argocd/locals.tf

@@ -45,10 +45,10 @@ locals {
     var.argocd_helm_chart
   )
 
-	# Global Application Values
-	global_argo_values = {
-		region : data.aws_region.current.id
+  # Global Application Values
+  global_application_values = {
+    region : data.aws_region.current.id
     account : data.aws_caller_identity.current.account_id
     clusterName : var.eks_cluster_name
-	}
+  }
 }

kubernetes-addons/argocd/main.tf

@@ -100,7 +100,7 @@ resource "kubernetes_manifest" "argocd_application" {
           releaseName = each.key
           values : yamlencode(merge(
             each.value.values,
-            local.global_argo_values,
+            local.global_application_values,
             each.value.add_on_application ? var.gitops_add_on_config : {}
           ))
         }
@@ -132,4 +132,4 @@ resource "kubernetes_manifest" "argocd_application" {
     }
   }
   depends_on = [helm_release.argocd]
-}
\ No newline at end of file
+}

kubernetes-addons/argocd/variables.tf

@@ -36,5 +36,5 @@ variable "eks_cluster_name" {
 variable "gitops_add_on_config" {
   type        = any
   default     = {}
-  description = "Add-on configuration"
+  description = "Configuration for managing add-ons via ArgoCD"
 }

kubernetes-addons/aws-for-fluentbit/README.md

@@ -46,11 +46,13 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_aws_for_fluentbit_helm_chart"></a> [aws\_for\_fluentbit\_helm\_chart](#input\_aws\_for\_fluentbit\_helm\_chart) | Helm chart definition for aws\_for\_fluent\_bit. | `any` | `{}` | no |
 | <a name="input_eks_cluster_id"></a> [eks\_cluster\_id](#input\_eks\_cluster\_id) | EKS cluster Id | `string` | n/a | yes |
+| <a name="input_manage_via_gitops"></a> [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps. | `bool` | `false` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
+| <a name="output_argocd_gitops_config"></a> [argocd\_gitops\_config](#output\_argocd\_gitops\_config) | Configuration used for managing the add-on with GitOps |
 | <a name="output_aws_fluent_bit_cw_log_group_arn"></a> [aws\_fluent\_bit\_cw\_log\_group\_arn](#output\_aws\_fluent\_bit\_cw\_log\_group\_arn) | AWS Fluent Bit CloudWatch Log Group ARN |
 | <a name="output_aws_fluent_bit_cw_log_group_name"></a> [aws\_fluent\_bit\_cw\_log\_group\_name](#output\_aws\_fluent\_bit\_cw\_log\_group\_name) | AWS Fluent Bit CloudWatch Log Group Name |
 

kubernetes-addons/aws-for-fluentbit/outputs.tf

@@ -16,18 +16,18 @@
  * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  */
 
-output "log_group_name" {
+output "aws_fluent_bit_cw_log_group_name" {
   description = "AWS Fluent Bit CloudWatch Log Group Name"
   value       = aws_cloudwatch_log_group.eks_worker_logs.name
 }
 
-output "log_group_arn" {
+output "aws_fluent_bit_cw_log_group_arn" {
   description = "AWS Fluent Bit CloudWatch Log Group ARN"
   value       = aws_cloudwatch_log_group.eks_worker_logs.arn
 }
 
 output "argocd_gitops_config" {
-  description = "Configuration needed for GitOps"
+  description = "Configuration used for managing the add-on with GitOps"
   value = var.manage_via_gitops ? {
     enable       = true
     logGroupName = aws_cloudwatch_log_group.eks_worker_logs.name

kubernetes-addons/aws-load-balancer-controller/README.md

@@ -110,11 +110,13 @@ No modules.
 | <a name="input_eks_oidc_issuer_url"></a> [eks\_oidc\_issuer\_url](#input\_eks\_oidc\_issuer\_url) | The URL on the EKS cluster OIDC Issuer | `string` | n/a | yes |
 | <a name="input_eks_oidc_provider_arn"></a> [eks\_oidc\_provider\_arn](#input\_eks\_oidc\_provider\_arn) | The ARN of the OIDC Provider if `enable_irsa = true`. | `string` | n/a | yes |
 | <a name="input_lb_ingress_controller_helm_app"></a> [lb\_ingress\_controller\_helm\_app](#input\_lb\_ingress\_controller\_helm\_app) | Helm chart definition for lb\_ingress\_controller. | `any` | `{}` | no |
+| <a name="input_manage_via_gitops"></a> [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps. | `bool` | `false` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
+| <a name="output_gitops_config"></a> [gitops\_config](#output\_gitops\_config) | Configuration used for managing the add-on with GitOps |
 | <a name="output_ingress_name"></a> [ingress\_name](#output\_ingress\_name) | n/a |
 | <a name="output_ingress_namespace"></a> [ingress\_namespace](#output\_ingress\_namespace) | n/a |
 

kubernetes-addons/aws-load-balancer-controller/main.tf

@@ -17,7 +17,6 @@
  */
 
 resource "helm_release" "lb_ingress" {
-  count                      = var.manage_via_gitops ? 0 : 1
   name                       = local.lb_ingress_controller_helm_app["name"]
   repository                 = local.lb_ingress_controller_helm_app["repository"]
   chart                      = local.lb_ingress_controller_helm_app["chart"]

kubernetes-addons/aws-load-balancer-controller/outputs.tf

@@ -22,9 +22,4 @@ output "ingress_namespace" {
 
 output "ingress_name" {
   value = local.lb_ingress_controller_helm_app["name"]
-}
-
-output "gitops_config" {
-  description = "Configuration needed for GitOps"
-  value       = var.manage_via_gitops ? { enable = true } : null
 }
\ No newline at end of file

kubernetes-addons/aws-load-balancer-controller/variables.tf

@@ -36,10 +36,3 @@ variable "eks_oidc_provider_arn" {
   type        = string
   description = "The ARN of the OIDC Provider if `enable_irsa = true`."
 }
-
-variable "manage_via_gitops" {
-  type        = bool
-  default     = false
-  description = "Determines if the add-on should be managed via GitOps."
-}
-

kubernetes-addons/prometheus/README.md

@@ -92,11 +92,14 @@ No modules.
 | <a name="input_amp_ingest_role_arn"></a> [amp\_ingest\_role\_arn](#input\_amp\_ingest\_role\_arn) | n/a | `string` | `""` | no |
 | <a name="input_amp_workspace_id"></a> [amp\_workspace\_id](#input\_amp\_workspace\_id) | n/a | `string` | `""` | no |
 | <a name="input_aws_managed_prometheus_enable"></a> [aws\_managed\_prometheus\_enable](#input\_aws\_managed\_prometheus\_enable) | n/a | `bool` | `false` | no |
+| <a name="input_manage_via_gitops"></a> [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps. | `bool` | `false` | no |
 | <a name="input_prometheus_helm_chart"></a> [prometheus\_helm\_chart](#input\_prometheus\_helm\_chart) | n/a | `any` | `{}` | no |
 | <a name="input_service_account_amp_ingest_name"></a> [service\_account\_amp\_ingest\_name](#input\_service\_account\_amp\_ingest\_name) | n/a | `string` | `""` | no |
 
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_gitops_config"></a> [gitops\_config](#output\_gitops\_config) | Configuration needed for managing the add-on with GitOps |
 
 <!--- END_TF_DOCS --->

kubernetes-addons/prometheus/main.tf

@@ -17,7 +17,6 @@
  */
 
 resource "helm_release" "prometheus" {
-  count                      = var.manage_via_gitops ? 0 : 1
   name                       = local.prometheus_helm_app["name"]
   repository                 = local.prometheus_helm_app["repository"]
   chart                      = local.prometheus_helm_app["chart"]

kubernetes-addons/prometheus/outputs.tf

-/*
- * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
- * SPDX-License-Identifier: MIT-0
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy of this
- * software and associated documentation files (the "Software"), to deal in the Software
- * without restriction, including without limitation the rights to use, copy, modify,
- * merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
- * permit persons to whom the Software is furnished to do so.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
- * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
- * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
- * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
- * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
- * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
- */
-
-output "amp_ingest_role_arn" {
-  value = var.amp_ingest_role_arn
-}
-
-output "amp_workspace_url" {
-  value = local.amp_workspace_url
-}
-
-output "gitops_config" {
-  description = "Configuration needed for GitOps"
-  value = var.manage_via_gitops ? {
-    enable           = true
-    ampIngestRoleArn = var.amp_ingest_role_arn
-    ampWorkspaceUrl  = local.amp_workspace_url
-  } : null
-}

kubernetes-addons/prometheus/variables.tf

@@ -40,9 +40,3 @@ variable "prometheus_helm_chart" {
   type    = any
   default = {}
 }
-
-variable "manage_via_gitops" {
-  type        = bool
-  default     = false
-  description = "Determines if the add-on should be managed via GitOps."
-}
\ No newline at end of file

locals.tf

@@ -84,13 +84,8 @@ locals {
   service_account_amp_ingest_name = format("%s-%s", module.aws_eks.cluster_id, "amp-ingest")
   service_account_amp_query_name  = format("%s-%s", module.aws_eks.cluster_id, "amp-query")
 
-  # Indicates if add-on modules should deploy Helm charts or not. 
-  deploy_helm_chart = !var.argocd_manage_add_ons
-
   # Configuration for managing add-ons via GitOps.
   gitops_add_on_config = {
     awsForFluentBit           = var.aws_for_fluentbit_enable ? module.aws_for_fluent_bit[0].gitops_config : null
-    awsLoadBalancerController = var.aws_load_balancer_controller_enable ? module.aws_load_balancer_controller[0].gitops_config : null
-    prometheus                = var.prometheus_enable ? module.prometheus[0].gitops_config : null
   }
 }

main.tf

@@ -107,5 +107,4 @@ module "emr_on_eks" {
   zone           = var.zone
 
   depends_on = [module.aws_eks, kubernetes_config_map.aws_auth]
-
-}
\ No newline at end of file
+}