feat: initialize Terraform sources (#1)

Add 05_eks_cluster layer to create the AWS EKS cluster and its base resources.
Add 10_eks_resources layer to deploy Kubernetes addons or Kubernetes resources in general and their IAM IRSA associated resources.
Update README.md.
Add linter.yml GitHub Actions workflows.

.github/workflows/linter.yml

@@ -0,0 +1,26 @@
+---
+
+name: Lint Code Base
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  build:
+    name: Lint Code Base
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Lint Code Base
+        uses: github/super-linter/slim@v4
+        env:
+          VALIDATE_ALL_CODEBASE: false
+          DEFAULT_BRANCH: main
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -0,0 +1,33 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version 
+# control as they are data points which are potentially sensitive and subject 
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc

README.md

@@ -1,2 +1,55 @@
 # aws-eks-irsa
+
+[![GitHub Super-Linter](https://github.com/taufort/aws-eks-irsa/actions/workflows/linter.yml/badge.svg)](https://github.com/marketplace/actions/super-linter)
+
 This project is a configuration example on how to setup IRSA on AWS EKS.
+
+## Prerequisites
+
+You need several tools to be able to interact with the infrastructure of this project:
+- Terraform
+- Terragrunt
+- aws CLI v2
+- kubectl
+
+You can install those tools on your computer thanks to [tfswitch](https://github.com/warrensbox/terraform-switcher) and
+to [tgswitch](https://github.com/warrensbox/tgswitch).
+
+## How to initialize the infrastructure on an AWS account?
+
+You first need to update the content of the local Terragrunt variable called `aws_profile` in file named
+[terragrunt-global-config.hcl](terraform/terragrunt-global-config.hcl) to point to your AWS profile and not mine ;).
+
+Once this is done, you can apply infrastructure with Terragrunt as such:
+```bash
+cd terraform
+terragrunt run-all init
+terragrunt run-all apply
+```
+The first Terragrunt command will run `terraform init` in every Terraform layer in the `terraform` folder. The second
+Terragrunt command will run `terraform apply` in each layer.
+
+> On the first apply, Terragrunt will ask you if you want to create the Terraform states S3 bucket if it does not exist
+on your AWS account. It will also create a DynamoDB table for state locking.
+
+## How is the AWS IAM OIDC provider created?
+
+By default, the IAM OIDC provider is created by the
+[AWS EKS blueprints for Terraform](https://github.com/aws-ia/terraform-aws-eks-blueprints/)
+with the input `enable_irsa` which is set to `true` by default.
+
+To show you how it works, I decided to set that input to `false` and create the OIDC provider with the AWS
+provider resources myself (you can find those resources in the file named [irsa.tf](terraform/05_eks_cluster/irsa.tf)).
+
+## How to access the EKS cluster?
+
+`~/.kube/config` file gets updated with the EKS cluster details and certificate thanks to the below command:
+
+```bash
+aws eks --region eu-west-3 update-kubeconfig --name aws-eks-irsa --profile <YOUR_AWS_PROFILE>
+```
+
+Then, you can interact with the Kubernetes cluster with `kubectl` commands:
+```bash
+kubectl get pods -n kube-system
+```

terraform/05_eks_cluster/backend.tf

@@ -0,0 +1,11 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+terraform {
+  backend "s3" {
+    bucket         = "taufort-aws-eks-irsa-tf-states"
+    dynamodb_table = "taufort-aws-eks-irsa-tf-states"
+    encrypt        = true
+    key            = "05_eks_cluster/terraform.tfstate"
+    profile        = "ippon-sandbox"
+    region         = "eu-west-3"
+  }
+}

terraform/05_eks_cluster/cloudwatch.tf

@@ -0,0 +1,45 @@
+module "cloudwatch_kms" {
+  source  = "terraform-aws-modules/kms/aws"
+  version = "~> 1.2"
+
+  description = "CloudWatch logs usage"
+  key_usage   = "ENCRYPT_DECRYPT"
+
+  # Policy
+  key_administrators = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+  key_statements = [
+    {
+      sid = "CloudWatchLogs"
+      actions = [
+        "kms:Encrypt*",
+        "kms:Decrypt*",
+        "kms:ReEncrypt*",
+        "kms:GenerateDataKey*",
+        "kms:Describe*"
+      ]
+      resources = ["*"]
+
+      principals = [
+        {
+          type        = "Service"
+          identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
+        }
+      ]
+
+      conditions = [
+        {
+          test     = "ArnLike"
+          variable = "kms:EncryptionContext:aws:logs:arn"
+          values = [
+            "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:*",
+          ]
+        }
+      ]
+    }
+  ]
+
+  # Aliases
+  aliases = ["${var.project}/cloudwatch"]
+
+  tags = local.tags
+}

terraform/05_eks_cluster/data.tf

@@ -0,0 +1,5 @@
+data "aws_caller_identity" "current" {
+}
+
+data "aws_region" "current" {
+}