mathod/crossplane
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

* scheme update

Browse Source
This commit is contained in:
Mathod
2025-11-26 06:47:28 +01:00
parent 8cfdb02186
commit 49f0002fc6
52 changed files with 186 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
providers/provider-argocd/README.md Normal file
View File

@@ -0,0 +1,2 @@
- https://marketplace.upbound.io/providers/crossplane-contrib/provider-argocd/latest
- https://github.com/crossplane-contrib/provider-argocd

0
providers/provider-argocd.yaml → providers/provider-argocd/provider-argocd.yaml
View File

16
providers/provider-family-aws/README.md Normal file
View File

@@ -0,0 +1,16 @@
- https://marketplace.upbound.io/providers/upbound/provider-family-aws/latest
- https://github.com/crossplane-contrib/provider-upjet-aws
- https://marketplace.upbound.io/providers/upbound/provider-aws-account/latest
- https://marketplace.upbound.io/providers/upbound/provider-aws-acm/latest
- https://marketplace.upbound.io/providers/upbound/provider-aws-budgets/latest
- https://marketplace.upbound.io/providers/upbound/provider-aws-ec2/latest
- https://marketplace.upbound.io/providers/upbound/provider-aws-eks/latest
- https://marketplace.upbound.io/providers/upbound/provider-aws-elbv2/latest
- https://marketplace.upbound.io/providers/upbound/provider-aws-iam/latest
- https://marketplace.upbound.io/providers/upbound/provider-aws-organizations/latest
- https://marketplace.upbound.io/providers/upbound/provider-aws-rds/latest
- https://marketplace.upbound.io/providers/upbound/provider-aws-redshift/latest
- https://marketplace.upbound.io/providers/upbound/provider-aws-route53/latest
- https://marketplace.upbound.io/providers/upbound/provider-aws-s3/
- https://marketplace.upbound.io/providers/upbound/provider-aws-vpc/latest

0
providers/provider-aws-account.yaml → providers/provider-family-aws/provider-aws-account.yaml
View File

0
providers/provider-aws-acm.yaml → providers/provider-family-aws/provider-aws-acm.yaml
View File

0
providers/provider-aws-budgets.yaml → providers/provider-family-aws/provider-aws-budgets.yaml
View File

0
providers/provider-aws-ec2.yaml → providers/provider-family-aws/provider-aws-ec2.yaml
View File

0
providers/provider-aws-eks.yaml → providers/provider-family-aws/provider-aws-eks.yaml
View File

0
providers/provider-aws-elbv2.yaml → providers/provider-family-aws/provider-aws-elbv2.yaml
View File

0
providers/provider-aws-iam.yaml → providers/provider-family-aws/provider-aws-iam.yaml
View File

0
providers/provider-aws-organizations.yaml → providers/provider-family-aws/provider-aws-organizations.yaml
View File

0
providers/provider-aws-rds.yaml → providers/provider-family-aws/provider-aws-rds.yaml
View File

0
providers/provider-aws-redshift.yaml → providers/provider-family-aws/provider-aws-redshift.yaml
View File

0
providers/provider-aws-route53.yaml → providers/provider-family-aws/provider-aws-route53.yaml
View File

0
providers/provider-aws-s3.yaml → providers/provider-family-aws/provider-aws-s3.yaml
View File

0
providers/provider-aws-vpc.yaml → providers/provider-family-aws/provider-aws-vpc.yaml
View File

0
providers/provider-aws-config.yaml → providers/provider-family-aws/provider-config.yaml
View File

82
providers/provider-family-aws/resources/objects/acm/certaws-composition.yaml Normal file
View File

@@ -0,0 +1,82 @@
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
name: awscert-composition
labels:
crossplane/provider: default
crossplane/xrd: xawscerts.crossplane.evina
spec:
compositeTypeRef:
apiVersion: crossplane.evina/v1alpha1
kind: XAWSCert
patchSets:
- name: region
patches:
- type: FromCompositeFieldPath
fromFieldPath: spec.parameters.region
toFieldPath: spec.forProvider.region
- name: providerConfigRef
patches:
- type: FromCompositeFieldPath
fromFieldPath: spec.parameters.providerConfigRef
toFieldPath: spec.providerConfigRef.name
writeConnectionSecretsToNamespace: crossplane
resources:
- name: Certificate
base:
apiVersion: acm.aws.upbound.io/v1beta1
kind: Certificate
metadata:
labels:
resource: Certificate
spec:
forProvider:
validationMethod: DNS
tags:
Environment: #Environment
Project: #NomDuProject
CreatedBy: Crossplane
Team: infra
Region: eu-west-1
Service: ACM
patches:
- type: PatchSet
patchSetName: region
- type: PatchSet
patchSetName: providerConfigRef
- type: FromCompositeFieldPath
fromFieldPath: spec.parameters.domainName
toFieldPath: spec.forProvider.domainName
- type: ToCompositeFieldPath
fromFieldPath: status.atProvider.arn
toFieldPath: status.certificate.arn
- type: ToCompositeFieldPath
fromFieldPath: status.atProvider.domainValidationOptions
toFieldPath: status.certificate.domainValidationOptions
- name: Record
base:
apiVersion: route53.aws.upbound.io/v1beta1
kind: Record
metadata:
labels:
resource: Record
spec:
forProvider:
ttl: 300
patches:
- type: PatchSet
patchSetName: region
- type: FromCompositeFieldPath
fromFieldPath: spec.parameters.zoneId
toFieldPath: spec.forProvider.zoneId
- type: FromCompositeFieldPath
fromFieldPath: status.certificate.domainValidationOptions[0].resourceRecordName
toFieldPath: spec.forProvider.name
- type: FromCompositeFieldPath
fromFieldPath: status.certificate.domainValidationOptions[0].resourceRecordValue
toFieldPath: spec.forProvider.records[0]
- type: FromCompositeFieldPath
fromFieldPath: status.certificate.domainValidationOptions[0].resourceRecordType
toFieldPath: spec.forProvider.type
policy:
fromFieldPath: Required

55
providers/provider-family-aws/resources/objects/acm/certaws.yaml Normal file
View File

@@ -0,0 +1,55 @@
apiVersion: apiextensions.crossplane.io/v1
kind: CompositeResourceDefinition
metadata:
name: xawscerts.crossplane.evina
spec:
group: crossplane.evina
names:
kind: XAWSCert
plural: xawscerts
claimNames:
kind: AWSCert
plural: awscerts
defaultCompositionRef:
name: awscert-composition
versions:
- name: v1alpha1
served: true
referenceable: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
parameters:
type: object
properties:
region:
description: Region where you want to deploy your serviceLoadBalancer
type: string
domainName:
description: Name of the domain to use
type: string
zoneId:
description: Name of the hosted zone to use
type: string
providerConfigRef:
description: Name of the Kubernetes provider config
type: string
required:
- region
- domainName
- zoneId
- providerConfigRef
status:
type: object
properties:
name:
description: name managed
type: string
certificate:
description: Values generated from the ACM API.
type: object
x-kubernetes-preserve-unknown-fields: true

13
providers/provider-family-aws/resources/objects/ec2/imported-ec2.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: ec2.aws.m.upbound.io/v1beta1
kind: Instance
metadata:
name: imported-ec2-instance
annotations:
crossplane.io/external-name: i-037556a7512bd1f4b
spec:
managementPolicies: ["Observe"]
forProvider:
region: eu-west-3
providerConfigRef:
name: default
kind: ProviderConfig

17
providers/provider-family-aws/resources/objects/ec2/test.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: ec2.aws.m.upbound.io/v1beta1
kind: Instance
metadata:
name: imported-ec2-instance
annotations:
crossplane.io/external-name: i-037556a7512bd1f4b
spec:
managementPolicies: ["*"]
forProvider:
region: eu-west-3
tags:
company: mathod
project: app1
environment: production
providerConfigRef:
name: default
kind: ProviderConfig

12
providers/provider-family-aws/resources/objects/iam/user.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: iam.aws.m.upbound.io/v1beta1
kind: User
metadata:
name: ksa
namespace: crossplane-system
labels:
testing.upbound.io/example-name: user
spec:
forProvider: {}
providerConfigRef:
name: default
kind: ProviderConfig

12
providers/provider-family-aws/resources/objects/iam/user2.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: iam.aws.m.upbound.io/v1beta1
kind: User
metadata:
name: hmi
namespace: crossplane-system
labels:
testing.upbound.io/example-name: user
spec:
forProvider: {}
providerConfigRef:
name: default
kind: ProviderConfig

197
providers/provider-family-aws/resources/objects/organization/README.md Normal file
View File

@@ -0,0 +1,197 @@
# AWS Organization with Crossplane - File Structure
## Directory Structure
```
aws-crossplane-infrastructure/
├── 01-prerequisites/
│ ├── namespace.yaml
│ ├── secret.yaml
│ └── provider-config.yaml
├── 02-organization/
│ ├── organization.yaml
│ ├── organizational-units.yaml
│ └── accounts.yaml
├── 03-policies/
│ ├── scp-deny-leave-org.yaml
│ ├── scp-restrict-regions.yaml
│ └── policy-attachments.yaml
├── 04-self-service/
│ ├── xrd-aws-account.yaml
│ ├── composition-aws-account.yaml
│ └── README.md
├── 05-rbac/
│ ├── role-account-claim-creator.yaml
│ └── rolebindings.yaml
└── 06-examples/
├── claim-frontend-dev.yaml
├── claim-backend-prod.yaml
└── claim-data-qa.yaml
```
## File Descriptions
### 01-prerequisites/
**namespace.yaml**
- Creates the `aws-organization` namespace
- Where all organization infrastructure lives
**secret.yaml**
- Stores AWS credentials
- Used by ProviderConfig
**provider-config.yaml**
- Configures the AWS provider
- References the credentials secret
### 02-organization/
**organization.yaml**
- Creates the AWS Organization
- Enables necessary AWS services
- Configures policy types
**organizational-units.yaml**
- Creates Production OU
- Creates Non-Production OU
- Creates Management OU
**accounts.yaml**
- Creates aws-prod account
- Creates aws-dev account
- Creates aws-qa account
### 03-policies/
**scp-deny-leave-org.yaml**
- Service Control Policy
- Prevents accounts from leaving organization
**scp-restrict-regions.yaml**
- Service Control Policy
- Restricts allowed AWS regions
**policy-attachments.yaml**
- Attaches SCPs to Organizational Units
- Links policies to accounts/OUs
### 04-self-service/
**xrd-aws-account.yaml**
- Composite Resource Definition
- Defines the API for account claims
- Specifies available fields
**composition-aws-account.yaml**
- Composition logic
- Maps claim fields to AWS resources
- Handles account creation automation
**README.md**
- Documentation for teams
- How to request an account
- Examples and usage
### 05-rbac/
**role-account-claim-creator.yaml**
- Kubernetes Role
- Permissions to create claims
**rolebindings.yaml**
- Binds roles to teams
- Per-namespace access control
### 06-examples/
**claim-frontend-dev.yaml**
- Example claim for frontend team
- Development environment
**claim-backend-prod.yaml**
- Example claim for backend team
- Production environment
**claim-data-qa.yaml**
- Example claim for data team
- QA environment
## Installation Order
Apply files in this order:
```bash
# 1. Install provider first (do this manually)
kubectl crossplane install provider \
xpkg.upbound.io/upbound/provider-aws-organizations:v2.2.0
# 2. Apply prerequisites
kubectl apply -f 01-prerequisites/
# 3. Wait for provider to be ready
kubectl wait --for=condition=healthy provider.pkg.crossplane.io/provider-aws-organizations
# 4. Create organization structure
kubectl apply -f 02-organization/organization.yaml
# Wait for organization to be created
kubectl wait --for=condition=ready organization.organizations.aws.m.upbound.io/my-organization -n aws-organization
# 5. Get root ID and update OUs
ROOT_ID=$(kubectl get organization my-organization -n aws-organization -o jsonpath='{.status.atProvider.roots[0].id}')
# Update the parentId in organizational-units.yaml with this ROOT_ID
# 6. Create OUs
kubectl apply -f 02-organization/organizational-units.yaml
# 7. Create accounts
kubectl apply -f 02-organization/accounts.yaml
# 8. Apply policies
kubectl apply -f 03-policies/
# 9. Set up self-service
kubectl apply -f 04-self-service/
# 10. Set up RBAC
kubectl apply -f 05-rbac/
# 11. Teams can now create claims!
kubectl apply -f 06-examples/
```
## Monitoring Commands
```bash
# Check all resources
kubectl get managed -n aws-organization
# Check specific resources
kubectl get organization -n aws-organization
kubectl get organizationalunit -n aws-organization
kubectl get account -n aws-organization
kubectl get policy -n aws-organization
# Check claims (in team namespaces)
kubectl get awsaccountclaim -A
# Debug a specific resource
kubectl describe account aws-prod -n aws-organization
```
## GitOps Structure (Optional)
If using ArgoCD/Flux:
```
├── base/
│ ├── 01-prerequisites/
│ ├── 02-organization/
│ ├── 03-policies/
│ └── 04-self-service/
└── overlays/
├── dev/
│ └── kustomization.yaml
└── prod/
└── kustomization.yaml
```

70
providers/provider-family-aws/resources/objects/organization/accounts.yaml Normal file
View File

@@ -0,0 +1,70 @@
apiVersion: organizations.aws.m.upbound.io/v1beta1
kind: Account
metadata:
name: aws-prod
namespace: aws-organization
labels:
environment: production
managed-by: crossplane
spec:
forProvider:
name: aws-prod
# IMPORTANT: Must be a unique email address
email: aws-prod@yourdomain.com
parentIdRef:
name: production-ou
roleName: OrganizationAccountAccessRole
tags:
Environment: Production
ManagedBy: Crossplane
CostCenter: Production
providerConfigRef:
name: org-config
---
apiVersion: organizations.aws.m.upbound.io/v1beta1
kind: Account
metadata:
name: aws-dev
namespace: aws-organization
labels:
environment: development
managed-by: crossplane
spec:
forProvider:
name: aws-dev
email: aws-dev@yourdomain.com # Must be unique
parentIdRef:
name: non-production-ou
roleName: OrganizationAccountAccessRole
tags:
Environment: Development
ManagedBy: Crossplane
CostCenter: NonProduction
providerConfigRef:
name: org-config
---
apiVersion: organizations.aws.m.upbound.io/v1beta1
kind: Account
metadata:
name: aws-qa
namespace: aws-organization
labels:
environment: qa
managed-by: crossplane
spec:
forProvider:
name: aws-qa
email: aws-qa@yourdomain.com # Must be unique
parentIdRef:
name: non-production-ou
roleName: OrganizationAccountAccessRole
tags:
Environment: QA
ManagedBy: Crossplane
CostCenter: NonProduction
providerConfigRef:
name: org-config
---

7
providers/provider-family-aws/resources/objects/organization/namespace.yaml Normal file
View File

@@ -0,0 +1,7 @@
apiVersion: v1
kind: Namespace
metadata:
name: aws-organization
labels:
managed-by: crossplane
purpose: aws-organization-management

21
providers/provider-family-aws/resources/objects/organization/oragnization.yaml Normal file
View File

@@ -0,0 +1,21 @@
apiVersion: organizations.aws.m.upbound.io/v1beta1
kind: Organization
metadata:
name: my-organization
namespace: aws-organization
labels:
managed-by: crossplane
spec:
forProvider:
awsServiceAccessPrincipals:
- cloudtrail.amazonaws.com
- config.amazonaws.com
- sso.amazonaws.com
- account.amazonaws.com
- ram.amazonaws.com
enabledPolicyTypes:
- SERVICE_CONTROL_POLICY
- TAG_POLICY
featureSet: ALL
providerConfigRef:
name: org-config

48
providers/provider-family-aws/resources/objects/organization/organizational-unites.yaml Normal file
View File

@@ -0,0 +1,48 @@
apiVersion: organizations.aws.m.upbound.io/v1beta1
kind: OrganizationalUnit
metadata:
name: production-ou
namespace: aws-organization
labels:
environment: production
managed-by: crossplane
spec:
forProvider:
name: Production
# IMPORTANT: Replace r-xxxx with your actual root ID
# Get it with: kubectl get organization my-organization -n aws-organization -o jsonpath='{.status.atProvider.roots[0].id}'
parentId: "r-xxxx"
providerConfigRef:
name: org-config
---
apiVersion: organizations.aws.m.upbound.io/v1beta1
kind: OrganizationalUnit
metadata:
name: non-production-ou
namespace: aws-organization
labels:
environment: non-production
managed-by: crossplane
spec:
forProvider:
name: NonProduction
parentId: "r-xxxx" # Replace with your root ID
providerConfigRef:
name: org-config
---
apiVersion: organizations.aws.m.upbound.io/v1beta1
kind: OrganizationalUnit
metadata:
name: management-ou
namespace: aws-organization
labels:
environment: management
managed-by: crossplane
spec:
forProvider:
name: Management
parentId: "r-xxxx" # Replace with your root ID
providerConfigRef:
name: org-config

43
providers/provider-family-aws/resources/objects/organization/policy-attachments.yaml Normal file
View File

@@ -0,0 +1,43 @@
apiVersion: organizations.aws.m.upbound.io/v1beta1
kind: PolicyAttachment
metadata:
name: leave-org-policy-prod
namespace: aws-organization
spec:
forProvider:
policyIdRef:
name: deny-leave-organization
targetIdRef:
name: production-ou
providerConfigRef:
name: org-config
---
apiVersion: organizations.aws.m.upbound.io/v1beta1
kind: PolicyAttachment
metadata:
name: leave-org-policy-nonprod
namespace: aws-organization
spec:
forProvider:
policyIdRef:
name: deny-leave-organization
targetIdRef:
name: non-production-ou
providerConfigRef:
name: org-config
---
apiVersion: organizations.aws.m.upbound.io/v1beta1
kind: PolicyAttachment
metadata:
name: region-policy-nonprod
namespace: aws-organization
spec:
forProvider:
policyIdRef:
name: deny-non-approved-regions
targetIdRef:
name: non-production-ou
providerConfigRef:
name: org-config

27
providers/provider-family-aws/resources/objects/organization/scp-deny-leave-org.yaml Normal file
View File

@@ -0,0 +1,27 @@
apiVersion: organizations.aws.m.upbound.io/v1beta1
kind: Policy
metadata:
name: deny-leave-organization
namespace: aws-organization
labels:
policy-type: scp
purpose: security
spec:
forProvider:
name: DenyLeaveOrganization
description: Prevent accounts from leaving the organization
type: SERVICE_CONTROL_POLICY
content: |
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyLeaveOrg",
"Effect": "Deny",
"Action": "organizations:LeaveOrganization",
"Resource": "*"
}
]
}
providerConfigRef:
name: org-config

42
providers/provider-family-aws/resources/objects/organization/scp-restrict-regions.yaml Normal file
View File

@@ -0,0 +1,42 @@
apiVersion: organizations.aws.m.upbound.io/v1beta1
kind: Policy
metadata:
name: deny-non-approved-regions
namespace: aws-organization
labels:
policy-type: scp
purpose: compliance
spec:
forProvider:
name: DenyNonApprovedRegions
description: Only allow specific AWS regions for compliance
type: SERVICE_CONTROL_POLICY
content: |
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyNonApprovedRegions",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"eu-west-1",
"us-east-1",
"us-west-2"
]
},
"ArnNotLike": {
"aws:PrincipalArn": [
"arn:aws:iam::*:role/OrganizationAccountAccessRole",
"arn:aws:iam::*:role/Admin*"
]
}
}
}
]
}
providerConfigRef:
name: org-config

13
providers/provider-family-aws/resources/objects/organization/secret.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: Secret
metadata:
name: aws-credentials
namespace: aws-organization
type: Opaque
stringData:
credentials: |
[default]
aws_access_key_id = YOUR_ACCESS_KEY_HERE
aws_secret_access_key = YOUR_SECRET_KEY_HERE
# Optional: Add region if needed
# region = us-east-1

90
providers/provider-family-aws/resources/objects/rds/README.md Normal file
View File

@@ -0,0 +1,90 @@
# Best Practices
1) Name scheming
Nom des resources = <kind>-<app>-<environment>
2) Tagging
# Providers
| Name | Version |
|---|---|
| [provider-aws-rds](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1) | 1.2.1 |
| [provider-aws-iam](https://marketplace.upbound.io/providers/upbound/provider-aws-iam/v1.2.1) | 1.2.1 |
| [provider-aws-ec2](https://marketplace.upbound.io/providers/upbound/provider-aws-ec2/v1.2.1) | 1.2.1 |
# CompositeResources
| Provider | Kind |
|---|---|
| [IAM](https://marketplace.upbound.io/providers/upbound/provider-aws-iam/v1.2.1) | [Role](https://marketplace.upbound.io/providers/upbound/provider-aws-iam/v1.2.1/resources/iam.aws.upbound.io/Role/v1beta1) |
| [RDS](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1) | [Cluster](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1/resources/rds.aws.upbound.io/Cluster/v1beta1) |
| [RDS](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1) | [ClusterRoleAssociation](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1/resources/rds.aws.upbound.io/ClusterRoleAssociation/v1beta1) |
| [RDS](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1) | [SubnetGroup](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1/resources/rds.aws.upbound.io/SubnetGroup/v1beta1) |
| [RDS](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1) | [ClusterInstance](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1/resources/rds.aws.upbound.io/ClusterInstance/v1beta1) |
| [RDS](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1) | [Instance](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1/resources/rds.aws.upbound.io/Instance/v1beta2) |
| [RDS](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1) | [ClusterParameterGroup](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1/resources/rds.aws.upbound.io/ClusterParameterGroup/v1beta1) |
| [RDS](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1) | [ParameterGroup](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1/resources/rds.aws.upbound.io/ParameterGroup/v1beta1) |
| [EC2](https://marketplace.upbound.io/providers/upbound/provider-aws-ec2/v1.2.1) | [SecurityGroup](https://marketplace.upbound.io/providers/upbound/provider-aws-ec2/v1.2.1/resources/ec2.aws.upbound.io/SecurityGroup/v1beta1) |
| [EC2](https://marketplace.upbound.io/providers/upbound/provider-aws-ec2/v1.2.1) | [SecurityGroupRule](https://marketplace.upbound.io/providers/upbound/provider-aws-ec2/v1.2.1/resources/ec2.aws.upbound.io/SecurityGroupRule/v1beta1) |
| [EC2](https://marketplace.upbound.io/providers/upbound/provider-aws-ec2/v1.2.1) | [SecurityGroupIngressRule](https://marketplace.upbound.io/providers/upbound/provider-aws-ec2/v1.2.1/resources/ec2.aws.upbound.io/SecurityGroupIngressRule/v1beta1) |
| [EC2](https://marketplace.upbound.io/providers/upbound/provider-aws-ec2/v1.2.1) | [SecurityGroupEgressRule](https://marketplace.upbound.io/providers/upbound/provider-aws-ec2/v1.2.1/resources/ec2.aws.upbound.io/SecurityGroupEgressRule/v1beta1) |
# Claim example
```yaml
apiVersion: crossplane.evina/v1alpha1
kind: RDS
metadata:
namespace: crossplane-system
name: claimed-
spec:
compositionRef:
name: rds-composition
parameters:
region:
app:
environment:
engine:
```
## Inputs
| Name | Description | Value |Required |
|---|---|---|---|
| region | AWS Region where the provider will operate | eu-west-1 | Required |
| app | Name of the app (Used for Tagging/Naming) | dcbprotect / karpenter / brandprotect / grafana | Required |
| environment | Environment where the claim will operate (Used for Tag/Naming) | dev / staging / production | Required |
| account | Environment where the claim will operate (Used for Tagging) | 169590266381 | Recommended |
| engineVersion | The engine version to use | 5.7.mysql_aurora.2.11.2 | Required |
| providerConfigRef | Target a specific account | provider-aws-config.yaml | Required |
| instanceClass | Instance used to host the database | db.t3.medium | Required |
# Outputs
# TODO
- [x] Import and observe all resources from terraform
- [ ] Create a managed resources with crossplane
- [x] IAM
- [x] Role
- [x] RDS
- [ ] Cluster
- [x] SubnetGroup
- [ ] ClusterInstance
- [x] Instance
- [x] ClusterParameterGroup
- [x] ParameterGroup
- [x] EC2
- [x] SecurityGroup
- [ ] SecurityGroupRule (Générer une managedResources pour faire le lien entre une compo RDS et APP)
- [ ] SecurityGroupIngressRule (Générer une managedResources pour faire le lien entre une compo RDS et APP)
- [x] SecurityGroupEgressRule
- [ ] Check Tags
- [ ] Check when to use Refs
- [ ] How to create more instances from claim
- [ ] Create a certIdentifier ?
- [ ] Ajouter une resource roleAssociation for RDS and IAM role created
- [ ] Ajoute automatiquement la description "Managed by terraform" SubnetGroup ??
- [ ] Create composition and definition

289
providers/provider-family-aws/resources/objects/rds/composition.yaml.stop Normal file
View File

@@ -0,0 +1,289 @@
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
name: rds-composition
labels:
crossplane/provider: default
crossplane/xrd: xrdss.crossplane.evina
spec:
compositeTypeRef:
apiVersion: crossplane.evina/v1alpha1
kind: XRDS
patchSets:
- name: region
patches:
- type: FromCompositeFieldPath
fromFieldPath: spec.parameters.region
toFieldPath: spec.forProvider.region
- name: providerConfigRef
patches:
- type: FromCompositeFieldPath
fromFieldPath: spec.parameters.providerConfigRef
toFieldPath: spec.providerConfigRef.name
writeConnectionSecretsToNamespace: crossplane
resources:
###################################################################################################
- name: Role
base:
apiVersion: iam.aws.upbound.io/v1beta1
kind: Role
metadata:
labels:
claim: rds
provider: iam
kind: role
app: mathodprotect
environment: dev
spec:
forProvider:
assumeRolePolicy: |
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "rds.amazonaws.com"
}
}
]
}
tags:
region: eu-west-1
app: mathodprotect
environment: dev
account: "169590266381"
composition: rds
managedResources: role
patches:
- type: PatchSet
patchSetName: providerConfigRef
- type: CombineFromComposite
combine:
variables:
- fromFieldPath: spec.parameters.app
- fromFieldPath: spec.parameters.environment
strategy: string
string:
fmt: "rds-iam-role-%s-%s"
toFieldPath: "metadata.annotations[crossplane.io/external-name]"
###################################################################################################
# - name: Cluster
# base:
# apiVersion: rds.aws.upbound.io/v1beta1
# kind: Cluster
# metadata:
# name: cluster-mathodprotect-dev
# labels:
# resources: Cluster
# spec:
# forProvider:
# availabilityZones:
# - eu-west-1a
# - eu-west-1b
# - eu-west-1c
# engine: aurora-mysql
# engineMode: provisioned
# engineVersion: 5.7.mysql_aurora.2.11.2
# databaseName: mathodProtect
# autoGeneratePassword: true
# masterPasswordSecretRef:
# key: tropsecure
# name: cluster-mathodprotect-dev-password
# namespace: crossplane-system
# port: 3306
# dbClusterParameterGroupName: clusterparametergroup-mathodprotect-dev
# # iamRoles:
# # - arn:aws:iam::453702081005:role/IAM-Role-Aurora
# # vpcSecurityGroupIds:
# # - sg-0292740ac642cbce9
# vpcSecurityGroupIdRefs:
# - name: securitygroup-mathodprotect-dev
# masterUsername: mathod
# copyTagsToSnapshot: true
# finalSnapshotIdentifier: test-final
# dbSubnetGroupName: subnetgroup-mathodprotect-dev
# # dbSubnetGroupNameRef:
# backupRetentionPeriod: 1
# preferredBackupWindow: 23:48-00:18
# preferredMaintenanceWindow: tue:22:51-tue:23:21
# tags:
# region: eu-west-1
# project: mathodprotect
# environment: dev
# account: "169590266381"
# composition: rds
# managedResources: cluster
# writeConnectionSecretToRef:
# name: rds-mathod-protect-password
# namespace: crossplane-system
# patches:
# - type: PatchSet
# patchSetName: region
# - type: PatchSet
# patchSetName: providerConfigRef
###################################################################################################
# - name: SubnetGroup
# base:
# apiVersion: rds.aws.upbound.io/v1beta1
# kind: SubnetGroup
# metadata:
# name: subnetgroup-mathodprotect-dev
# labels:
# resource: SubnetGroup
# spec:
# forProvider:
# subnetIds: # Replace to use subnetIdRefs
# - subnet-0c0a38354f2a028c8
# - subnet-06dc47da5b4eae974
# - subnet-0f3ee2a757ce85ad1
# # subnetIdRefs:
# tags:
# region: eu-west-1
# project: mathodprotect
# environment: dev
# account: "169590266381"
# composition: rds
# managedResources: subnetgroup
# patches:
# - type: PatchSet
# patchSetName: region
# - type: PatchSet
# patchSetName: providerConfigRef
###################################################################################################
# - name: ClusterInstance
# base:
# apiVersion: rds.aws.upbound.io/v1beta1
# kind: ClusterInstance
# metadata:
# name: clusterinstance-mathodprotect-dev
# labels:
# resources: ClusterInstance
# spec:
# forProvider:
# # clusterIdentifier: cluster-mathodprotect-dev
# # id: backoffice-staging-eu-west-1-aurora-cluster-instance-0
# clusterIdentifierRef:
# name: cluster-mathodprotect-dev
# engine: aurora-mysql
# instanceClass: db.t3.medium
# publiclyAccessible: false
# caCertIdentifier: rds-ca-2019
# # dbParameterGroupName:
# dbParameterGroupNameRef:
# name: parametergroup-mathodprotect-dev
# # dbSubnetGroupName:
# dbSubnetGroupNameRef:
# name: subnetgroup-mathodprotect-dev
# patches:
# - type: PatchSet
# patchSetName: region
# - type: PatchSet
# patchSetName: providerConfigRef
###################################################################################################
# - name: ClusterParameterGroup
# base:
# apiVersion: rds.aws.upbound.io/v1beta1
# kind: ClusterParameterGroup
# metadata:
# name: clusterparametergroup-mathodprotect-dev
# labels:
# resources: ClusterParameterGroup
# spec:
# forProvider:
# family: aurora-mysql5.7
# parameter:
# - applyMethod: immediate
# name: aurora_load_from_s3_role
# value: arn:aws:iam::169590266381:role/role-mathodprotect-dev
# - applyMethod: immediate
# name: aurora_select_into_s3_role
# value: arn:aws:iam::169590266381:role/role-mathodprotect-dev
# - applyMethod: immediate
# name: aws_default_s3_role
# value: arn:aws:iam::169590266381:role/role-mathodprotect-dev
# - applyMethod: immediate
# name: innodb_online_alter_log_max_size
# value: "21474836480"
# - applyMethod: immediate
# name: slow_query_log
# value: "1"
# tags:
# region: eu-west-1
# app: mathodprotect
# environment: dev
# account: "169590266381"
# composition: rds
# managedResources: clusterparametergroup
# patches:
# - type: PatchSet
# patchSetName: region
# - type: PatchSet
# patchSetName: providerConfigRef
###################################################################################################
# - name: ParameterGroup
# base:
# apiVersion: rds.aws.upbound.io/v1beta1
# kind: ParameterGroup
# metadata:
# name: parametergroup-mathodprotect-dev
# labels:
# resources: ParameterGroup
# spec:
# forProvider:
# family: aurora-mysql5.7
# tags:
# region: eu-west-1
# app: mathodprotect
# environment: dev
# account: "169590266381"
# composition: rds
# managedResources: parametergroup
# patches:
# - type: PatchSet
# patchSetName: region
# - type: PatchSet
# patchSetName: providerConfigRef
###################################################################################################
# - name: SecurityGroup
# base:
# apiVersion: ec2.aws.upbound.io/v1beta1
# kind: SecurityGroup
# metadata:
# name: securitygroup-mathodprotect-dev
# spec:
# forProvider:
# name: securitygroup-mathodprotect-dev
# vpcId: vpc-029aa16a171ccb018
# # vpcIdRef:
# tags:
# region: eu-west-1
# app: mathodprotect
# environment: dev
# account: "169590266381"
# composition: rds
# managedResources: securitygroup
# patches:
# - type: PatchSet
# patchSetName: region
# - type: PatchSet
# patchSetName: providerConfigRef
###################################################################################################
# - name: SecurityGroupEgressRule
# base:
# apiVersion: ec2.aws.upbound.io/v1beta1
# kind: SecurityGroupEgressRule
# metadata:
# name: securitygroupegressrule-mathodprotect-dev
# spec:
# forProvider:
# cidrIpv4: 0.0.0.0/0
# ipProtocol: "-1"
# securityGroupIdRef:
# name: securitygroup-mathodprotect-dev
# patches:
# - type: PatchSet
# patchSetName: region
# - type: PatchSet
# patchSetName: providerConfigRef

49
providers/provider-family-aws/resources/objects/rds/definition.yaml.stop Normal file
View File

@@ -0,0 +1,49 @@
apiVersion: apiextensions.crossplane.io/v1
kind: CompositeResourceDefinition
metadata:
name: xrdss.crossplane.evina
spec:
group: crossplane.evina
names:
kind: XRDS
plural: xrdss
claimNames:
kind: RDS
plural: rdss
defaultCompositionRef:
name: rds-composition
versions:
- name: v1alpha1
served: true
referenceable: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
parameters:
type: object
properties:
region:
description: AWS Region where the provider will operate
type: string
app:
description:
type: string
environment:
description:
type: string
engineVersion:
description:
type: string
providerConfigRef:
description: Name of the Kubernetes provider config
type: string
required:
- region
- app
- environment
# - engineVersion
- providerConfigRef

221
providers/provider-family-aws/resources/objects/rds/managedResources.yaml.stop Normal file
View File

@@ -0,0 +1,221 @@
apiVersion: iam.aws.upbound.io/v1beta1
kind: Role
metadata:
name: role-mathodprotect-dev
labels:
resource: Role
spec:
forProvider:
assumeRolePolicy: |
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "rds.amazonaws.com"
}
}
]
}
tags:
region: eu-west-1
app: mathodprotect
environment: dev
account: "169590266381"
composition: rds
managedResources: role
providerConfigRef:
name: dev
---
apiVersion: rds.aws.upbound.io/v1beta1
kind: SubnetGroup
metadata:
name: subnetgroup-mathodprotect-dev
labels:
resource: SubnetGroup
spec:
forProvider:
region: eu-west-1
subnetIds: # Replace to use subnetIdRefs
- subnet-0c0a38354f2a028c8
- subnet-06dc47da5b4eae974
- subnet-0f3ee2a757ce85ad1
# subnetIdRefs:
tags:
region: eu-west-1
project: mathodprotect
environment: dev
account: "169590266381"
composition: rds
managedResources: subnetgroup
providerConfigRef:
name: dev
---
apiVersion: rds.aws.upbound.io/v1beta1
kind: Cluster
metadata:
name: cluster-mathodprotect-dev
labels:
resources: Cluster
spec:
forProvider:
region: eu-west-1
availabilityZones:
- eu-west-1a
- eu-west-1b
- eu-west-1c
engine: aurora-mysql
engineMode: provisioned
engineVersion: 5.7.mysql_aurora.2.11.2
databaseName: mathodProtect
autoGeneratePassword: true
masterPasswordSecretRef:
key: tropsecure
name: cluster-mathodprotect-dev-password
namespace: crossplane-system
port: 3306
dbClusterParameterGroupName: clusterparametergroup-mathodprotect-dev
# iamRoles:
# - arn:aws:iam::453702081005:role/IAM-Role-Aurora
# vpcSecurityGroupIds:
# - sg-0292740ac642cbce9
vpcSecurityGroupIdRefs:
- name: securitygroup-mathodprotect-dev
masterUsername: mathod
copyTagsToSnapshot: true
finalSnapshotIdentifier: test-final
dbSubnetGroupName: subnetgroup-mathodprotect-dev
# dbSubnetGroupNameRef:
backupRetentionPeriod: 1
preferredBackupWindow: 23:48-00:18
preferredMaintenanceWindow: tue:22:51-tue:23:21
tags:
region: eu-west-1
project: mathodprotect
environment: dev
account: "169590266381"
composition: rds
managedResources: cluster
writeConnectionSecretToRef:
name: rds-mathod-protect-password
namespace: crossplane-system
providerConfigRef:
name: dev
---
apiVersion: rds.aws.upbound.io/v1beta1
kind: ClusterInstance
metadata:
name: clusterinstance-mathodprotect-dev
labels:
resources: ClusterInstance
spec:
forProvider:
region: eu-west-1
# clusterIdentifier: cluster-mathodprotect-dev
# id: backoffice-staging-eu-west-1-aurora-cluster-instance-0
clusterIdentifierRef:
name: cluster-mathodprotect-dev
engine: aurora-mysql
instanceClass: db.t3.medium
publiclyAccessible: false
caCertIdentifier: rds-ca-2019
# dbParameterGroupName:
dbParameterGroupNameRef:
name: parametergroup-mathodprotect-dev
# dbSubnetGroupName:
dbSubnetGroupNameRef:
name: subnetgroup-mathodprotect-dev
providerConfigRef:
name: dev
---
apiVersion: rds.aws.upbound.io/v1beta1
kind: ClusterParameterGroup
metadata:
name: clusterparametergroup-mathodprotect-dev
labels:
resources: ClusterParameterGroup
spec:
forProvider:
region: eu-west-1
family: aurora-mysql5.7
parameter:
- applyMethod: immediate
name: aurora_load_from_s3_role
value: arn:aws:iam::169590266381:role/role-mathodprotect-dev
- applyMethod: immediate
name: aurora_select_into_s3_role
value: arn:aws:iam::169590266381:role/role-mathodprotect-dev
- applyMethod: immediate
name: aws_default_s3_role
value: arn:aws:iam::169590266381:role/role-mathodprotect-dev
- applyMethod: immediate
name: innodb_online_alter_log_max_size
value: "21474836480"
- applyMethod: immediate
name: slow_query_log
value: "1"
tags:
region: eu-west-1
app: mathodprotect
environment: dev
account: "169590266381"
composition: rds
managedResources: clusterparametergroup
providerConfigRef:
name: dev
---
apiVersion: rds.aws.upbound.io/v1beta1
kind: ParameterGroup
metadata:
name: parametergroup-mathodprotect-dev
labels:
resources: ParameterGroup
spec:
forProvider:
region: eu-west-1
family: aurora-mysql5.7
tags:
region: eu-west-1
app: mathodprotect
environment: dev
account: "169590266381"
composition: rds
managedResources: parametergroup
providerConfigRef:
name: dev
---
apiVersion: ec2.aws.upbound.io/v1beta1
kind: SecurityGroup
metadata:
name: securitygroup-mathodprotect-dev
spec:
forProvider:
region: eu-west-1
name: securitygroup-mathodprotect-dev
vpcId: vpc-029aa16a171ccb018
# vpcIdRef:
tags:
region: eu-west-1
app: mathodprotect
environment: dev
account: "169590266381"
composition: rds
managedResources: securitygroup
providerConfigRef:
name: dev
---
apiVersion: ec2.aws.upbound.io/v1beta1
kind: SecurityGroupEgressRule
metadata:
name: securitygroupegressrule-mathodprotect-dev
spec:
forProvider:
region: eu-west-1
cidrIpv4: 0.0.0.0/0
ipProtocol: "-1"
securityGroupIdRef:
name: securitygroup-mathodprotect-dev
providerConfigRef:
name: dev

16
providers/provider-family-aws/resources/objects/s3/bucket-generate.yaml Normal file
View File

@@ -0,0 +1,16 @@
---
apiVersion: s3.aws.m.upbound.io/v1beta1
kind: Bucket
metadata:
generateName: app1-bucket-mathod-
namespace: crossplane-system
spec:
forProvider:
region: eu-west-3
tags:
company: mathod
project: app1
environment: production
providerConfigRef:
name: default
kind: ProviderConfig

16
providers/provider-family-aws/resources/objects/s3/bucket.yaml Normal file
View File

@@ -0,0 +1,16 @@
---
apiVersion: s3.aws.m.upbound.io/v1beta1
kind: Bucket
metadata:
name: app1-bucket-mathod
namespace: crossplane-system
spec:
forProvider:
region: eu-west-3
tags:
company: mathod
project: app1
environment: production
providerConfigRef:
name: default
kind: ProviderConfig

2
providers/provider-gitlab/README.md Normal file
View File

@@ -0,0 +1,2 @@
- https://marketplace.upbound.io/providers/crossplane-contrib/provider-gitlab/latest
- https://github.com/crossplane-contrib/provider-gitlab

6
providers/provider-gitlab/provider-gitlab.yaml Normal file
View File

@@ -0,0 +1,6 @@
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
name: crossplane-contrib-provider-gitlab
spec:
package: xpkg.upbound.io/crossplane-contrib/provider-gitlab:v0.14.0

2
providers/provider-helm/README.md Normal file
View File

@@ -0,0 +1,2 @@
- https://marketplace.upbound.io/providers/upbound/provider-helm/latest
- https://github.com/crossplane-contrib/provider-helm

0
providers/provider-helm.yaml → providers/provider-helm/provider-helm.yaml
View File

2
providers/provider-kubernetes/README.md Normal file
View File

@@ -0,0 +1,2 @@
- https://marketplace.upbound.io/providers/upbound/provider-kubernetes/latest
- https://github.com/crossplane-contrib/provider-kubernetes

0
providers/provider-kubernetes.yaml → providers/provider-kubernetes/provider-kubernetes.yaml
View File

2
providers/provider-opentofu/README.md Normal file
View File

@@ -0,0 +1,2 @@
- https://marketplace.upbound.io/providers/upbound/provider-opentofu/latest
- https://github.com/upbound/provider-opentofu

0
providers/provider-opentofu.yaml → providers/provider-opentofu/provider-opentofu.yaml
View File

11
providers/provider-opentofu/resources/objects/test/02-secret-gitea-credentials.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v1
kind: Secret
metadata:
name: gitea-credentials
namespace: crossplane-system
type: Opaque
stringData:
credentials: |
credentials "gitea.mathod.fr" {
token = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}

44
providers/provider-opentofu/resources/objects/test/03-providerconfig.yaml Normal file
View File

@@ -0,0 +1,44 @@
apiVersion: opentofu.m.upbound.io/v1beta1
kind: ProviderConfig
metadata:
name: gitea-tofu-config
namespace: crossplane-system
spec:
configuration: |
terraform {
required_providers {
gitea = {
source = "go-gitea/gitea"
version = "~> 0.20.0"
}
}
// Modules _must_ use remote state. The provider does not persist state.
backend "kubernetes" {
secret_suffix = "providerconfig-gitea"
namespace = "crossplane-system"
in_cluster_config = true
}
}
provider "gitea" {
base_url = var.gitea_url
token = var.gitea_token
}
variable "gitea_url" {
type = string
}
variable "gitea_token" {
type = string
sensitive = true
}
pluginCache: true
credentials:
- filename: .tofurc
source: Secret
secretRef:
name: gitea-provider-creds
namespace: crossplane-system
key: credentials

68
providers/provider-opentofu/resources/objects/test/04-workspace-user.yaml Normal file
View File

@@ -0,0 +1,68 @@
apiVersion: opentofu.m.upbound.io/v1beta1
kind: Workspace
metadata:
name: gitea-user
namespace: crossplane-system
spec:
forProvider:
source: Inline
module: |
resource "gitea_user" "developer" {
username = var.username
login_name = var.login_name
email = var.email
password = var.password
must_change_password = var.must_change_password
admin = var.admin
}
output "user_id" {
value = gitea_user.developer.id
}
output "username" {
value = gitea_user.developer.username
}
variable "username" {
type = string
}
variable "login_name" {
type = string
}
variable "email" {
type = string
}
variable "password" {
type = string
sensitive = true
}
variable "must_change_password" {
type = bool
default = true
}
variable "admin" {
type = bool
default = false
}
vars:
- key: username
value: "dev-user"
- key: login_name
value: "dev-user"
- key: email
value: "dev@example.com"
- key: password
value: "ChangeMe123!"
- key: must_change_password
value: "true"
- key: admin
value: "false"
providerConfigRef:
kind: ProviderConfig
name: gitea-tofu-config

0
providers/provider-opentofu/resources/objects/test/05-workspace-repo.yaml Normal file
View File