feat: add possibility to use ACM certificates (#7)

* feat: add possibility to use ACM certificates

Author: Dariocent

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+# v0.13.0
+
+- Add possibility to use existing ACM certificates instead of Lets Encrypt
+
 # v0.12.0
 
 - Upgrade EKS node groups to Amazon Linux 2023 (AL2023). \

README.md

@@ -233,6 +233,7 @@ You can find examples of code that uses this Terraform module in the [examples](
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_acm_certificate_arn"></a> [acm\_certificate\_arn](#input\_acm\_certificate\_arn) | If set, use AWS NLB TLS termination with this ACM cert ARN | `string` | `null` | no |
 | <a name="input_allowed_inbound_cidr_blocks"></a> [allowed\_inbound\_cidr\_blocks](#input\_allowed\_inbound\_cidr\_blocks) | The CIDR blocks from which inbound connections will be accepted. Use 0.0.0.0/0 for allowing all inbound traffic | `map(string)` | n/a | yes |
 | <a name="input_create_security_group_rules"></a> [create\_security\_group\_rules](#input\_create\_security\_group\_rules) | If True, add to the specified security group the rules required for allowing connectivity between the provisioned services among all the specified subnets. | `bool` | `false` | no |
 | <a name="input_eks_cloudwatch_observability_enabled"></a> [eks\_cloudwatch\_observability\_enabled](#input\_eks\_cloudwatch\_observability\_enabled) | If true, install the CloudWatch Observability add-on.<br/>  The add-on installs the CloudWatch agent to send infrastructure metrics from the cluster, <br/>  installs Fluent Bit to send container logs, and also enables CloudWatch Application Signals <br/>  to send application performance telemetry. | `bool` | `false` | no |
@@ -276,37 +277,37 @@ You can find examples of code that uses this Terraform module in the [examples](
 ## Resources
 
 
-- resource.aws_iam_role.ebs_csi (/terraform-docs/main.tf#552)
-- resource.aws_iam_role_policy_attachment.ai_models__eks_access (/terraform-docs/main.tf#575)
-- resource.aws_iam_role_policy_attachment.backups__eks_access (/terraform-docs/main.tf#583)
-- resource.aws_iam_role_policy_attachment.ebs_csi_attach (/terraform-docs/main.tf#565)
-- resource.aws_s3_bucket.ai_models (/terraform-docs/main.tf#571)
-- resource.aws_s3_bucket.backups (/terraform-docs/main.tf#579)
-- resource.aws_secretsmanager_secret.admin_user_password (/terraform-docs/main.tf#402)
-- resource.aws_secretsmanager_secret.auth_jwt_key (/terraform-docs/main.tf#385)
-- resource.aws_secretsmanager_secret.google_sso_credentials (/terraform-docs/main.tf#529)
-- resource.aws_secretsmanager_secret.nebuly_credentials (/terraform-docs/main.tf#493)
-- resource.aws_secretsmanager_secret.okta_sso_credentials (/terraform-docs/main.tf#509)
-- resource.aws_secretsmanager_secret.openai_api_key (/terraform-docs/main.tf#482)
-- resource.aws_secretsmanager_secret.rds_analytics_credentials (/terraform-docs/main.tf#139)
-- resource.aws_secretsmanager_secret.rds_auth_credentials (/terraform-docs/main.tf#228)
-- resource.aws_secretsmanager_secret_version.admin_user_password (/terraform-docs/main.tf#410)
-- resource.aws_secretsmanager_secret_version.auth_jwt_key (/terraform-docs/main.tf#393)
-- resource.aws_secretsmanager_secret_version.google_sso_credentials (/terraform-docs/main.tf#538)
-- resource.aws_secretsmanager_secret_version.nebuly_credentials (/terraform-docs/main.tf#500)
-- resource.aws_secretsmanager_secret_version.okta_sso_credentials (/terraform-docs/main.tf#518)
-- resource.aws_secretsmanager_secret_version.openai_api_key (/terraform-docs/main.tf#489)
-- resource.aws_secretsmanager_secret_version.rds_analytics_password (/terraform-docs/main.tf#146)
-- resource.aws_secretsmanager_secret_version.rds_auth_password (/terraform-docs/main.tf#235)
-- resource.aws_security_group.eks_load_balancer (/terraform-docs/main.tf#418)
-- resource.aws_security_group_rule.allow_all_inbound_within_vpc (/terraform-docs/main.tf#456)
-- resource.aws_security_group_rule.allow_all_outbound_within_vpc (/terraform-docs/main.tf#467)
-- resource.aws_vpc_security_group_ingress_rule.eks_load_balancer_allow_http (/terraform-docs/main.tf#445)
-- resource.aws_vpc_security_group_ingress_rule.eks_load_balancer_allow_https (/terraform-docs/main.tf#436)
-- resource.random_password.admin_user_password (/terraform-docs/main.tf#398)
-- resource.random_password.rds_analytics (/terraform-docs/main.tf#134)
-- resource.random_password.rds_auth (/terraform-docs/main.tf#223)
+- resource.aws_iam_role.ebs_csi (/terraform-docs/main.tf#554)
+- resource.aws_iam_role_policy_attachment.ai_models__eks_access (/terraform-docs/main.tf#577)
+- resource.aws_iam_role_policy_attachment.backups__eks_access (/terraform-docs/main.tf#585)
+- resource.aws_iam_role_policy_attachment.ebs_csi_attach (/terraform-docs/main.tf#567)
+- resource.aws_s3_bucket.ai_models (/terraform-docs/main.tf#573)
+- resource.aws_s3_bucket.backups (/terraform-docs/main.tf#581)
+- resource.aws_secretsmanager_secret.admin_user_password (/terraform-docs/main.tf#404)
+- resource.aws_secretsmanager_secret.auth_jwt_key (/terraform-docs/main.tf#387)
+- resource.aws_secretsmanager_secret.google_sso_credentials (/terraform-docs/main.tf#531)
+- resource.aws_secretsmanager_secret.nebuly_credentials (/terraform-docs/main.tf#495)
+- resource.aws_secretsmanager_secret.okta_sso_credentials (/terraform-docs/main.tf#511)
+- resource.aws_secretsmanager_secret.openai_api_key (/terraform-docs/main.tf#484)
+- resource.aws_secretsmanager_secret.rds_analytics_credentials (/terraform-docs/main.tf#141)
+- resource.aws_secretsmanager_secret.rds_auth_credentials (/terraform-docs/main.tf#230)
+- resource.aws_secretsmanager_secret_version.admin_user_password (/terraform-docs/main.tf#412)
+- resource.aws_secretsmanager_secret_version.auth_jwt_key (/terraform-docs/main.tf#395)
+- resource.aws_secretsmanager_secret_version.google_sso_credentials (/terraform-docs/main.tf#540)
+- resource.aws_secretsmanager_secret_version.nebuly_credentials (/terraform-docs/main.tf#502)
+- resource.aws_secretsmanager_secret_version.okta_sso_credentials (/terraform-docs/main.tf#520)
+- resource.aws_secretsmanager_secret_version.openai_api_key (/terraform-docs/main.tf#491)
+- resource.aws_secretsmanager_secret_version.rds_analytics_password (/terraform-docs/main.tf#148)
+- resource.aws_secretsmanager_secret_version.rds_auth_password (/terraform-docs/main.tf#237)
+- resource.aws_security_group.eks_load_balancer (/terraform-docs/main.tf#420)
+- resource.aws_security_group_rule.allow_all_inbound_within_vpc (/terraform-docs/main.tf#458)
+- resource.aws_security_group_rule.allow_all_outbound_within_vpc (/terraform-docs/main.tf#469)
+- resource.aws_vpc_security_group_ingress_rule.eks_load_balancer_allow_http (/terraform-docs/main.tf#447)
+- resource.aws_vpc_security_group_ingress_rule.eks_load_balancer_allow_https (/terraform-docs/main.tf#438)
+- resource.random_password.admin_user_password (/terraform-docs/main.tf#400)
+- resource.random_password.rds_analytics (/terraform-docs/main.tf#136)
+- resource.random_password.rds_auth (/terraform-docs/main.tf#225)
 - resource.random_string.secrets_suffix (/terraform-docs/main.tf#26)
-- resource.tls_private_key.auth_jwt (/terraform-docs/main.tf#381)
+- resource.tls_private_key.auth_jwt (/terraform-docs/main.tf#383)
 - data source.aws_partition.current (/terraform-docs/main.tf#19)
 - data source.aws_subnet.subnets (/terraform-docs/main.tf#20)

main.tf

@@ -59,6 +59,8 @@ locals {
 
   rds_instance_name_analytics = "${var.resource_prefix}platformanalytics"
   rds_instance_name_auth      = "${var.resource_prefix}platformauth"
+
+  acm_certificate_arn = var.acm_certificate_arn == null ? "" : trimspace(var.acm_certificate_arn)
 }
 
 
@@ -586,7 +588,6 @@ resource "aws_iam_role_policy_attachment" "backups__eks_access" {
 }
 
 
-
 # ------ Post provisioning ------ #
 locals {
   secret_provider_class_name        = "nebuly-platform"
@@ -609,9 +610,10 @@ locals {
   bootstrap_helm_values = templatefile(
     "${path.module}/templates/helm-values-bootstrap.tpl.yaml",
     {
-      eks_region       = var.region
-      eks_cluster_name = local.eks_cluster_name
-      eks_iam_role_arn = module.eks_iam_role.iam_role_arn
+      eks_region          = var.region
+      eks_cluster_name    = local.eks_cluster_name
+      eks_iam_role_arn    = module.eks_iam_role.iam_role_arn
+      acm_certificate_arn = local.acm_certificate_arn
     }
   )
   helm_values = templatefile(
@@ -655,6 +657,8 @@ locals {
       auth_postgres_server_url      = module.rds_postgres_auth.db_instance_address
       auth_postgres_db_name         = "auth"
       eks_iam_role_arn              = module.eks_iam_role.iam_role_arn
+
+      acm_certificate_arn = local.acm_certificate_arn
     },
   )
   secret_provider_class = templatefile(

templates/helm-values-bootstrap.tpl.yaml

@@ -8,3 +8,16 @@ cluster-autoscaler:
       name: cluster-autoscaler
       annotations:
         eks.amazonaws.com/role-arn: ${eks_iam_role_arn}
+%{ if length(trimspace(acm_certificate_arn)) > 0 }
+ingress-nginx:
+  controller:
+    service:
+      annotations:
+        service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
+        service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
+        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "${acm_certificate_arn}"
+        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
+        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
+      targetPorts:
+        https: http
+%{ endif }

templates/helm-values.tpl.yaml

@@ -10,35 +10,41 @@ serviceAccount:
   annotations:
     eks.amazonaws.com/role-arn: ${eks_iam_role_arn}
 
+%{ if length(trimspace(acm_certificate_arn)) == 0 }
 # Cert-manager issuer.
 # Remove this section if you're not using cert-manager for SSL certificates.
 clusterIssuer:
   enabled: true
   name: letsencrypt
   email: support@nebuly.ai
+%{ endif }
 
 backend:
   image:
     repository: "ghcr.io/nebuly-ai/nebuly-backend"
   ingress:
     annotations:
       nginx.ingress.kubernetes.io/rewrite-target: "/$2"
+      %{ if length(trimspace(acm_certificate_arn)) == 0 }
       # ------------
       # Cert-manager issuer.
       # Remove this section if you're not using cert-manager for SSL certificates.
       cert-manager.io/cluster-issuer: letsencrypt
       # ------------
+      %{ endif }
     enabled: true
     className: "nginx"
     hosts:
       - host: ${platform_domain}
         paths:
           - path: /backend(/|$)(.*)
             pathType: ImplementationSpecific
+    %{ if length(trimspace(acm_certificate_arn)) == 0 }
     tls:
       - secretName: nebuly-tls
         hosts:
           - ${platform_domain}
+    %{ endif }
 
   volumeMounts:
     - name: secrets-store
@@ -61,22 +67,26 @@ eventIngestion:
   ingress:
     annotations:
       nginx.ingress.kubernetes.io/rewrite-target: "/$2"
+      %{ if length(trimspace(acm_certificate_arn)) == 0 }
       # ------------
       # Cert-manager issuer.
       # Remove this section if you're not using cert-manager for SSL certificates.
       cert-manager.io/cluster-issuer: letsencrypt
       # ------------
+      %{ endif }
     enabled: true
     className: "nginx"
     hosts:
       - host: ${platform_domain}
         paths:
           - path: /event-ingestion(/|$)(.*)
             pathType: ImplementationSpecific
+    %{ if length(trimspace(acm_certificate_arn)) == 0 }
     tls:
       - secretName: nebuly-tls
         hosts:
           - ${platform_domain}
+    %{ endif }
 
 aiModels:
   registry: aws_s3
@@ -209,8 +219,8 @@ auth:
   microsoft:
     enabled: false
 
-  # Optional Okta SSO
   %{ if okta_sso_enabled }
+  # Optional Okta SSO
   okta:
     enabled: ${okta_sso_enabled}
     issuer: ${okta_sso_issuer}
@@ -248,22 +258,26 @@ auth:
     annotations:
       nginx.ingress.kubernetes.io/rewrite-target: "/auth/$2"
       nginx.ingress.kubernetes.io/use-regex: "true"
+      %{ if length(trimspace(acm_certificate_arn)) == 0 }
       # ------------
       # Cert-manager issuer.
       # Remove this section if you're not using cert-manager for SSL certificates.
       cert-manager.io/cluster-issuer: letsencrypt
       # ------------
+      %{ endif }
     enabled: true
     className: "nginx"
     hosts:
       - host: ${platform_domain}
         paths:
           - path: "/backend/auth(/|$)(.*)"
             pathType: ImplementationSpecific
+    %{ if length(trimspace(acm_certificate_arn)) == 0 }
     tls:
       - secretName: nebuly-tls
         hosts:
           - ${platform_domain}
+    %{ endif }
 
 frontend:
   image:
@@ -275,21 +289,25 @@ frontend:
   ingress:
     enabled: true
     annotations:
+      %{ if length(trimspace(acm_certificate_arn)) == 0 }
       # ------------
       # Cert-manager issuer.
       # Remove this section if you're not using cert-manager for SSL certificates.
       cert-manager.io/cluster-issuer: letsencrypt
       # ------------
+      %{ endif }
     className: "nginx"
     hosts:
       - host: ${platform_domain}
         paths:
           - path: /
             pathType: Prefix
+    %{ if length(trimspace(acm_certificate_arn)) == 0 }
     tls:
       - secretName: nebuly-tls
         hosts:
           - ${platform_domain}
+    %{ endif }
 
 openAi:
   enabled: true

variables.tf

@@ -414,3 +414,20 @@ variable "eks_enable_prefix_delegation" {
   type        = bool
   default     = false
 }
+
+### Certificates ###
+variable "acm_certificate_arn" {
+  type        = string
+  default     = null
+  description = "If set, use AWS NLB TLS termination with this ACM cert ARN"
+
+  validation {
+    condition = (
+      var.acm_certificate_arn == null
+      || length(trimspace(var.acm_certificate_arn)) == 0
+      || can(regex("^arn:aws:acm:[a-z0-9-]+:\\d{12}:certificate\\/[0-9a-f-]+$", trimspace(var.acm_certificate_arn)))
+    )
+    error_message = "acm_certificate_arn must be a valid ACM certificate ARN, e.g. arn:aws:acm:eu-west-1:123456789012:certificate/<uuid>."
+  }
+}
+