start re-working for example to work into module

examples/efk/copy_images.tf

@@ -0,0 +1,43 @@
+data "aws_ecr_authorization_token" "token" {}
+
+locals {
+  account_id       = data.aws_caller_identity.current.account_id
+  repo_parent_name = format("eks/%v", var.cluster_name)
+
+  account_ecr = format("%v.dkr.ecr.%v.amazonaws.com/%v", local.account_id, var.region, local.repo_parent_name)
+
+  images = [
+    # logging stack related images:
+    {
+      name  = "elastic/elasticsearch"
+      image = "docker.elastic.co/elasticsearch/elasticsearch"
+      tag   = var.elasticsearch_tag
+    },
+    {
+      name  = "elastic/kibana"
+      image = "docker.elastic.co/kibana/kibana"
+      tag   = var.kibana_tag
+    },
+    {
+      name  = "fluent/fluentd-kubernetes-daemonset"
+      image = "docker.io/fluent/fluentd-kubernetes-daemonset"
+      tag   = var.fluentd_tag
+    },
+  ]
+  image_repos = { for image in local.images : image.name => format("%v/%v", local.account_ecr, image.name) }
+}
+
+resource "null_resource" "copy_images" {
+  for_each = { for image in local.images : image.name => image }
+
+  provisioner "local-exec" {
+    command = "${path.module}/copy_image.sh"
+    environment = {
+      SOURCE_IMAGE         = format("%v:%v", each.value.image, each.value.tag)
+      DESTINATION_IMAGE    = format("%v/%v:%v", local.account_ecr, each.value.name, each.value.tag)
+      DESTINATION_USERNAME = data.aws_ecr_authorization_token.token.user_name
+      DESTINATION_PASSWORD = data.aws_ecr_authorization_token.token.password
+    }
+  }
+}
+

examples/efk/expose-kibana.yaml

@@ -0,0 +1,72 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: kibana-cert
+  namespace: istio-system
+spec:
+  secretName: 'kibana-cert'
+  subject:
+    organizations:
+      - census.gov
+  dnsNames:
+  - 'kibana.test4.sandbox.csp2.census.gov'
+  issuerRef:
+    kind: 'ClusterIssuer'
+    name: 'clusterissuer'
+
+---
+
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+  name: kibana
+  namespace: istio-system
+spec:
+  selector:
+    istio: ingressgateway
+  servers:
+    - port:
+        number: 80
+        name: http
+        protocol: HTTP
+      tls:
+        httpsRedirect: true
+      hosts:
+        - 'kibana.test4.sandbox.csp2.census.gov'
+    - port:
+        number: 443
+        name: https
+        protocol: HTTPS
+      tls:
+        mode: SIMPLE
+        credentialName: "kibana-cert"
+      hosts:
+        - 'kibana.test4.sandbox.csp2.census.gov'
+
+---
+
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: kibana-routes
+  namespace: istio-system
+spec:
+  gateways:
+    - 'kibana'
+  hosts:
+    - 'kibana.test4.sandbox.csp2.census.gov'
+  http:
+    - name: "kibana-route"
+      match:
+        - uri:
+            prefix: "/"
+      headers:
+        request:
+          set:
+            X-Forwarded-Port: "443"
+      route:
+        - destination:
+            host: kibana-kibana.logging.svc.cluster.local
+            port: 
+              number: 5601
+

examples/efk/main.tf

@@ -0,0 +1,241 @@
+resource "kubernetes_namespace" "logging" {
+  depends_on = [null_resource.copy_images]
+
+  metadata {
+    name = "logging"
+    labels = {
+      istio-injection = "enabled"
+    }
+  }
+}
+
+resource "helm_release" "elasticsearch" {
+  chart      = "elasticsearch"
+  version    = var.elasticsearch_chart_version
+  name       = "elasticsearch"
+  namespace  = kubernetes_namespace.logging.metadata[0].name
+  repository = "https://helm.elastic.co"
+
+  set {
+    name  = "image"
+    value = local.image_repos["elastic/elasticsearch"]
+  }
+  set {
+    name  = "imageTag"
+    value = var.elasticsearch_tag
+  }
+
+  #  set {
+  #    name  = "master.livenessProbe.enabled"
+  #    value = "false"
+  #  }
+  #  set {
+  #    name  = "master.readinessProbe.enabled"
+  #    value = "false"
+  #  }
+  #  set {
+  #    name  = "coordinating.livenessProbe.enabled"
+  #    value = "false"
+  #  }
+  #  set {
+  #    name  = "coordinating.readinessProbe.enabled"
+  #    value = "false"
+  #  }
+  #  set {
+  #    name  = "data.livenessProbe.enabled"
+  #    value = "false"
+  #  }
+  #  set {
+  #    name  = "data.readinessProbe.enabled"
+  #    value = "false"
+  #  }
+
+  timeout = 300
+}
+
+resource "helm_release" "kibana" {
+  chart      = "kibana"
+  version    = var.kibana_chart_version
+  name       = "kibana"
+  namespace  = kubernetes_namespace.logging.metadata[0].name
+  repository = "https://helm.elastic.co"
+
+  depends_on = [helm_release.elasticsearch]
+
+  set {
+    name  = "image"
+    value = local.image_repos["elastic/kibana"]
+  }
+  set {
+    name  = "imageTag"
+    value = var.kibana_tag
+  }
+
+  set {
+    name  = "persistence.storageClass"
+    value = "efs"
+  }
+
+  set {
+    name  = "elasticsearch.enabled"
+    value = "false"
+  }
+  set {
+    name  = "elasticsearch.external.hosts[0]"
+    value = "elasticsearch-coordinating-only.logging.svc.cluster.local"
+  }
+  set {
+    name  = "elasticsearch.external.port"
+    value = "9200"
+  }
+  set {
+    name  = "elasticsearch.hosts[0]"
+    value = "elasticsearch-coordinating-only.logging.svc.cluster.local"
+  }
+  set {
+    name  = "elasticsearch.port"
+    value = "9200"
+  }
+
+  #  set {
+  #    name  = "livenessProbe.enabled"
+  #    value = "false"
+  #  }
+  #  set {
+  #    name  = "readinessProbe.enabled"
+  #    value = "false"
+  #  }
+
+  timeout = 180
+}
+
+resource "kubernetes_config_map" "elasticsearch-output" {
+  metadata {
+    name      = "elasticsearch-output"
+    namespace = kubernetes_namespace.logging.metadata[0].name
+  }
+
+  data = {
+    "fluentd.conf" = <<EOF
+    # Ignore fluentd own events
+    <match fluent.**>
+      @type null
+    </match>
+
+    # TCP input to receive logs from the forwarders
+    <source>
+      @type forward
+      bind 0.0.0.0
+      port 24224
+    </source>
+
+    # HTTP input for the liveness and readiness probes
+    <source>
+      @type http
+      bind 0.0.0.0
+      port 9880
+    </source>
+
+    # Throw the healthcheck to the standard output instead of forwarding it
+    <match fluentd.healthcheck>
+      @type stdout
+    </match>
+
+    # Send the logs to the standard output
+    <match **>
+      @type elasticsearch
+      include_tag_key true
+      host "#{ENV['ELASTICSEARCH_HOST']}"
+      port "#{ENV['ELASTICSEARCH_PORT']}"
+      logstash_format true
+      <buffer>
+        @type file
+        path /opt/bitnami/fluentd/logs/buffers/logs.buffer
+        flush_thread_count 2
+        flush_interval 5s
+      </buffer>
+    </match>
+EOF
+  }
+}
+
+resource "kubernetes_config_map" "apache-log-parser" {
+  metadata {
+    name      = "apache-log-parser"
+    namespace = kubernetes_namespace.logging.metadata[0].name
+  }
+
+  data = {
+    "fluentd.conf" = <<EOF
+    # Ignore fluentd own events
+    <match fluent.**>
+      @type null
+    </match>
+
+    # HTTP input for the liveness and readiness probes
+    <source>
+      @type http
+      port 9880
+    </source>
+
+    # Throw the healthcheck to the standard output instead of forwarding it
+    <match fluentd.healthcheck>
+      @type stdout
+    </match>
+
+    # Get the logs from the containers running in the cluster
+    # This block parses logs using an expression valid for the Apache log format
+    # Update this depending on your application log format
+    <source>
+      @type tail
+      path /var/log/containers/*.log
+      pos_file /opt/bitnami/fluentd/logs/buffers/fluentd-docker.pos
+      tag www.log
+      <parse>
+        @type regexp
+        expression /^(?<host>[^ ]*) [^ ]* (?<user>[^ ]*) \[(?<time>[^\]]*)\] \\"(?<method>\S+)(?: +(?<path>[^ ]*) +\S*)?\\" (?<code>[^ ]*) (?<size>[^ ]*)(?: "(?<referer>[^\"]*)" "(?<agent>[^\"]*)")?$/
+        time_format %d/%b/%Y:%H:%M:%S %z
+      </parse>
+    </source>
+
+    # Forward all logs to the aggregators
+    <match **>
+      @type forward
+      <server>
+        host fluentd-0.fluentd-headless.logging.svc.cluster.local
+        port 24224
+      </server>
+
+      <buffer>
+        @type file
+        path /opt/bitnami/fluentd/logs/buffers/logs.buffer
+        flush_thread_count 2
+        flush_interval 5s
+      </buffer>
+    </match>
+EOF
+  }
+}
+
+resource "helm_release" "fluentd" {
+  chart      = "fluentd"
+  version    = var.fluentd_chart_version
+  name       = "fluentd"
+  namespace  = kubernetes_namespace.logging.metadata[0].name
+  repository = "https://fluent.github.io/helm-charts"
+
+  depends_on = [helm_release.elasticsearch]
+
+  set {
+    name  = "image.repository"
+    value = local.image_repos["fluent/fluentd-kubernetes-daemonset"]
+  }
+  set {
+    name  = "image.tag"
+    value = var.fluentd_tag
+  }
+
+  timeout = 180
+}
+
+

examples/efk/providers.tf

@@ -0,0 +1,34 @@
+terraform {
+  required_version = ">= 0.12.31"
+}
+
+data "aws_caller_identity" "current" {}
+
+data "aws_eks_cluster" "cluster" {
+  name = var.cluster_name
+}
+
+data "aws_eks_cluster_auth" "cluster" {
+  name = var.cluster_name
+}
+
+provider "aws" {
+  region  = var.region
+  profile = var.profile
+}
+
+provider "kubernetes" {
+  host = data.aws_eks_cluster.cluster.endpoint
+
+  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
+  token                  = data.aws_eks_cluster_auth.cluster.token
+}
+
+provider "helm" {
+  kubernetes {
+    host = data.aws_eks_cluster.cluster.endpoint
+
+    cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
+    token                  = data.aws_eks_cluster_auth.cluster.token
+  }
+}