This repository contains opinionated Terraform modules used to deploy and configure an AWS EKS cluster for the StreamNative Platform. It is currently underpinned by the terraform-aws-eks module.

The working result is a Kubernetes cluster sized to your specifications, bootstrapped with StreamNative's Platform configuration, ready to receive a deployment of Apache Pulsar.

For more information on StreamNative Platform, head on over to our official documentation.

The Terraform command line tool is required and must be installed. It's what we're using to manage the creation of a Kubernetes cluster and its bootstrap configuration, along with the necessary cloud provider infrastructure.

We use Helm for deploying the StreamNative Platform charts on the cluster, and while not necessary, it's recommended to have it installed for debugging purposes.

Your caller identity must also have the necessary AWS IAM permissions to create and work with EC2 (EKS, VPCs, etc.) and Route53.

• aws command-line tool
• aws-iam-authenticator command line tool

EKS has multiple modes of network configuration for how you access the EKS cluster endpoint, as well as how the node groups communicate with the EKS control plane.

This Terraform module supports the following:

• Public (EKS) / Private (Node Groups): The EKS cluster API server is accessible from the internet, and node groups use a private VPC endpoint to communicate with the cluster's controle plane (default configuration)
• Public (EKS) / Public (Node Groups): The EKS cluster API server is accessible from the internet, and node groups use a public EKS endpoint to communicate with the cluster's control plane. This mode can be enabled by setting the input enable_node_group_private_networking = false in the module.

Note: Currently we do not support fully private EKS clusters with this module (i.e. all network traffic remains internal to the AWS VPC)

For your VPC configuration we require sets of public and private subnets (minimum of two each, one per AWS AZ). Both groups of subnets must have an outbound configuration to the internet. We also recommend using a seperate VPC reserved for the EKS cluster, with a minimum CIDR block per subnet of /24.

A Terraform sub-module is available that manages the VPC configuration to our specifications. It can be used in composition to the root module in this repo (see this example).

For more information on how EKS networking can be configured, refer to the following AWS guides:

• Networking in EKS
• Amazon EKS cluster endpoint access control
• De-mystifying cluster networking for Amazon EKS worker nodes

A bare minimum configuration to execute the module:

data "aws_eks_cluster" "cluster" {
  name = module.eks_cluster.eks_cluster_id
}

data "aws_eks_cluster_auth" "cluster" {
  name = module.eks_cluster.eks_cluster_id
}

provider "aws" {
  region = var.region
}

provider "helm" {
  kubernetes {
    host                   = data.aws_eks_cluster.cluster.endpoint
    cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
    token                  = data.aws_eks_cluster_auth.cluster.token
  }
}

provider "kubernetes" {
  host                   = data.aws_eks_cluster.cluster.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
  token                  = data.aws_eks_cluster_auth.cluster.token
  insecure               = false
}

variable "region" {
  default = "us-east-1"
}

module "sn_cluster" {
  source = "streamnative/cloud/aws"

  cluster_name                   = "sn-cluster-${var.region}"
  cluster_version                = "1.20"
  hosted_zone_id                 = "Z04554535IN8Z31SKDVQ2" # Change this to your hosted zone ID
  node_pool_instance_types       = ["c6i.xlarge"]
  extra_node_pool_instance_types = ["c6i.2xlarge"] # Defaults to empty list. Means don't create extra node pool
  node_pool_desired_size         = 2
  node_pool_min_size             = 1
  node_pool_max_size             = 6

  ## Note: EKS requires two subnets, each in their own availability zone
  public_subnet_ids  = ["subnet-abcde012", "subnet-bcde012a"]
  private_subnet_ids = ["subnet-vwxyz123", "subnet-efgh242a"]
  region             = var.region
  vpc_id             = "vpc-1234556abcdef"
}

In the example main.tf above, we create a StreamNative Platform EKS cluster using Kubernetes version 1.20, with two node groups (one per subnet¹), each group being set with a desired capacity of two and a maximum scaling of six, meaning four c6i.xlarge worker nodes in total will initially be created, but depending on cluster usage it can autoscale up to twelve.

Note: If you are creating more than one EKS cluster in an AWS account, it is necessary to set the input create_iam_policies_for_cluster_addon_services = false. Otherwise Terraform will error stating that resources already exist with the desired name. This is a temporary workaround and will be improved in later versions of the module.

This creates an EKS cluster to your specifications, along with the following addons (and required IAM resources), which are enabled by default:

• AWS CSI Driver
• AWS Load Balancer Controller
• AWS Node Terminiation Handler
• cert-manager
• cluster-autoscaler
• external-dns
• external-secrets

When deploying StreamNative Platform, there are additional resources to be created alongside (and inside!) the EKS cluster:

• StreamNative operators for Pulsar
• Vault Operator
• Vault Resources
• Tiered Storage Resources (optional)

We have made this easy by creating additional Terraform modules that can be included alongside your EKS module composition. Consider adding the following to the example main.tf file above:

#######
### This module creates resources used for tiered storage offloading in Pulsar
#######
module "sn_tiered_storage_resources" {
  source = "streamnative/cloud/aws//modules/tiered-storage-resources"

  cluster_name         = module.sn_cluster.eks_cluster_id
  oidc_issuer          = module.sn_cluster.eks_cluster_oidc_issuer_string
  pulsar_namespace     = "my-pulsar-namespace"
  service_account_name = "pulsar"

  tags = {
    Project     = "StreamNative Platform"
    Environment = var.environment
  }

  depends_on = [
    module.sn_cluster
  ]
}

#######
### This module creates resources used by Vault for storing and retrieving secrets related to the Pulsar cluster
#######
module "sn_tiered_storage_vault_resources" {
  source = "streamnative/cloud/aws//modules/vault-resources"

  cluster_name         = module.sn_cluster.eks_cluster_id
  oidc_issuer          = module.sn_cluster.eks_cluster_oidc_issuer_string
  pulsar_namespace     = "my-pulsar-namespace" # The namespace where you will be installing Pulsar
  service_account_name = "vault"               # The name of the service account used by Vault in the Pulsar namespace

  tags = {
    Project     = "StreamNative Platform"
    Environment = var.environment
  }

  depends_on = [
    module.sn_cluster
  ]
}

#######
### This module installs the necessary operators for StreamNative Platform
### See: https://registry.terraform.io/modules/streamnative/charts/helm/latest
#######
module "sn_bootstrap" {
  source = "streamnative/charts/helm"

  enable_function_mesh_operator = true
  enable_vault_operator         = true
  enable_pulsar_operator        = true

  depends_on = [
    module.sn_cluster,
  ]
}

To apply the configuration initialize the Terraform module in the directory containing your own version of the main.tf from the examples above:

terraform init

Validate and apply the configuration:

terraform apply

We use a Helm chart to deploy StreamNative Platform on the receiving Kubernetes cluster. Refer to our official documentation for more info.

Note: Since this module manages all of the Kubernetes addon dependencies required by StreamNative Platform, it is not necessary to perform all of the steps outlined in the Helm chart's README.. Please reach out to your customer representative if you have questions.

By default, kubernetes-external-secrets is enabled on the EKS cluster and the corresponding IRSA has access to retrieve all secrets created in the cluster's region. To clamp down access, you can specify the ARNs for just the secrets needed by passing a list to the input asm_secret_arns in your composition:

module "sn_cluster" {
  source = "streamnative/cloud/aws"

  asm_secret_arns = [
    "arn:aws:secretsmanager:us-west-2:111122223333:secret:aes128-1a2b3c",
    "arn:aws:secretsmanager:us-west-2:111122223333:secret:aes192-4D5e6F",
    "arn:aws:secretsmanager:us-west-2:111122223333:secret:aes256-7g8H9i",
  ]
}

You can also use secret prefixes and wildcards to scope access a bit more granularly, i.e. "arn:aws:secretsmanager:Region:AccountId:secret:TestEnv/*" and pass that to the module. Refer to the Secrets Manager docs for examples.

To get an ASM secret on the cluster, create an ExternalSecret manifiest yml file:

apiVersion: 'kubernetes-client.io/v1'
kind: ExternalSecret
metadata:
  name: my-cluster-secret
spec:
  backendType: secretsManager
  data:
    - key: secret-prefix/secret-id
      name: my-cluster-secret

Refer to the official docs for more details.

You can also disable kubernetes-external-secrets by setting the input enable-external-secret = false in your composition of the terraform-aws-cloud (this) module.

[
  "0.0.0.0/0"
]

[
  "api",
  "audit",
  "authenticator",
  "controllerManager",
  "scheduler"
]

[
  "c6i.large"
]

list(object({
    rolearn  = string
    username = string
    groups   = list(string)
  }))

list(object({
    userarn  = string
    username = string
    groups   = list(string)
  }))

[
  "c6i.large"
]

[]