aws-samples · niallthomson · Aug 9, 2025 · Aug 9, 2025 · Aug 9, 2025 · Aug 9, 2025
diff --git a/hack/validate-terraform.sh b/hack/validate-terraform.sh
@@ -36,4 +36,8 @@ done
 
 terraform -chdir="${conf_dir}" init -backend=false
 
+echo ""
+echo "Validating ${conf_dir}"
+echo ""
+
 terraform -chdir="${conf_dir}" validate
diff --git a/manifests/modules/fastpath/developers/.workshop/cleanup.sh b/manifests/modules/fastpath/developers/.workshop/cleanup.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+
+set -e
+
+# Common
+kubectl delete namespace ui --ignore-not-found
+kubectl delete namespace catalog --ignore-not-found
+kubectl delete namespace carts --ignore-not-found
+
+# Autoscaling
+kubectl delete pod load-generator --ignore-not-found
+
+uninstall-helm-chart keda keda
+kubectl delete ns keda --ignore-not-found
+
+# Identity
+POD_ASSOCIATION_ID=$(aws eks list-pod-identity-associations --region $AWS_REGION --cluster-name $EKS_CLUSTER_NAME --service-account carts --namespace carts --output text --query 'associations[0].associationId')
+
+if [ "$POD_ASSOCIATION_ID" != "None" ]; then
+  logmessage "Deleting EKS Pod Identity Association..."
+
+  aws eks delete-pod-identity-association --region $AWS_REGION --association-id $POD_ASSOCIATION_ID --cluster-name $EKS_CLUSTER_NAME
+
+fi
+
+pod_identity_check=$(aws eks list-addons --cluster-name $EKS_CLUSTER_NAME --region $AWS_REGION --query "addons[? @ == 'eks-pod-identity-agent']" --output text)
+
+if [ ! -z "$pod_identity_check" ]; then
+  logmessage "Deleting EKS Pod Identity Agent addon..."
+
+  aws eks delete-addon --cluster-name $EKS_CLUSTER_NAME --addon-name eks-pod-identity-agent --region $AWS_REGION
+
+  aws eks wait addon-deleted --cluster-name $EKS_CLUSTER_NAME --addon-name eks-pod-identity-agent --region $AWS_REGION
+fi
+
+# Storage
+csi_check=$(aws eks list-addons --cluster-name $EKS_CLUSTER_NAME --query "addons[? @ == 'aws-efs-csi-driver']" --output text)
+
+logmessage "Deleting EFS storage class..."
+
+kubectl delete storageclass efs-sc --ignore-not-found
+
+if [ ! -z "$csi_check" ]; then
+  logmessage "Deleting EFS CSI driver addon..."
+
+  aws eks delete-addon --cluster-name $EKS_CLUSTER_NAME --addon-name aws-efs-csi-driver
+
+  aws eks wait addon-deleted --cluster-name $EKS_CLUSTER_NAME --addon-name aws-efs-csi-driver
+fi
+
+# Ingress
+uninstall-helm-chart external-dns external-dns
+
+uninstall-helm-chart aws-load-balancer-controller kube-system
diff --git a/manifests/modules/fastpath/developers/.workshop/terraform/autoscaling.tf b/manifests/modules/fastpath/developers/.workshop/terraform/autoscaling.tf
@@ -0,0 +1,11 @@
+module "iam_assumable_role_keda" {
+  source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+  version                       = "5.59.0"
+  create_role                   = true
+  role_name                     = "${var.addon_context.eks_cluster_id}-keda"
+  provider_url                  = var.addon_context.eks_oidc_issuer_url
+  role_policy_arns              = ["arn:${data.aws_partition.current.partition}:iam::aws:policy/CloudWatchReadOnlyAccess"]
+  oidc_fully_qualified_subjects = ["system:serviceaccount:keda:keda-operator"]
+
+  tags = var.tags
+}
diff --git a/manifests/modules/fastpath/developers/.workshop/terraform/exposing.tf b/manifests/modules/fastpath/developers/.workshop/terraform/exposing.tf
@@ -0,0 +1,42 @@
+resource "aws_route53_zone" "private_zone" {
+  name    = "retailstore.com"
+  comment = "Private hosted zone for EKS Workshop use"
+  vpc {
+    vpc_id = data.aws_vpc.this.id
+  }
+
+  force_destroy = true
+
+  tags = {
+    created-by = "eks-workshop-v2"
+    env        = var.addon_context.eks_cluster_id
+  }
+}
+
+module "eks_blueprints_addons" {
+  source  = "aws-ia/eks-blueprints-addons/aws"
+  version = "1.21.1"
+
+  cluster_name      = var.addon_context.eks_cluster_id
+  cluster_endpoint  = var.addon_context.aws_eks_cluster_endpoint
+  cluster_version   = var.eks_cluster_version
+  oidc_provider_arn = var.addon_context.eks_oidc_provider_arn
+
+  enable_external_dns            = true
+  external_dns_route53_zone_arns = [aws_route53_zone.private_zone.arn]
+  external_dns = {
+    create_role = true
+    role_name   = "${var.addon_context.eks_cluster_id}-external-dns"
+    policy_name = "${var.addon_context.eks_cluster_id}-external-dns"
+  }
+
+  enable_aws_load_balancer_controller = true
+  aws_load_balancer_controller = {
+    role_name   = "${var.addon_context.eks_cluster_id}-alb-controller"
+    policy_name = "${var.addon_context.eks_cluster_id}-alb-controller"
+  }
+
+  create_kubernetes_resources = false
+
+  observability_tag = null
+}
diff --git a/manifests/modules/fastpath/developers/.workshop/terraform/main.tf b/manifests/modules/fastpath/developers/.workshop/terraform/main.tf
@@ -0,0 +1,10 @@
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+data "aws_partition" "current" {}
+
+data "aws_vpc" "this" {
+  tags = {
+    created-by = "eks-workshop-v2"
+    env        = var.addon_context.eks_cluster_id
+  }
+}
diff --git a/manifests/modules/fastpath/developers/.workshop/terraform/outputs.tf b/manifests/modules/fastpath/developers/.workshop/terraform/outputs.tf
@@ -0,0 +1,17 @@
+output "environment_variables" {
+  description = "Environment variables to be added to the IDE shell"
+  value = {
+    LBC_CHART_VERSION = var.load_balancer_controller_chart_version
+    LBC_ROLE_ARN      = module.eks_blueprints_addons.aws_load_balancer_controller.iam_role_arn
+    DNS_CHART_VERSION = var.external_dns_chart_version
+    DNS_ROLE_ARN      = module.eks_blueprints_addons.external_dns.iam_role_arn
+
+    EFS_CSI_ADDON_ROLE = module.efs_csi_driver_irsa.iam_role_arn
+
+    CARTS_DYNAMODB_TABLENAME = aws_dynamodb_table.carts.name
+    CARTS_IAM_ROLE           = module.iam_assumable_role_carts.iam_role_arn
+
+    KEDA_ROLE_ARN      = module.iam_assumable_role_keda.iam_role_arn
+    KEDA_CHART_VERSION = var.keda_chart_version
+  }
+}
diff --git a/manifests/modules/fastpath/developers/.workshop/terraform/pod_identity.tf b/manifests/modules/fastpath/developers/.workshop/terraform/pod_identity.tf
@@ -0,0 +1,166 @@
+resource "aws_dynamodb_table" "carts" {
+  #checkov:skip=CKV2_AWS_28:Point in time backup not required for workshop
+  name             = "${var.addon_context.eks_cluster_id}-carts"
+  hash_key         = "id"
+  billing_mode     = "PAY_PER_REQUEST"
+  stream_enabled   = true
+  stream_view_type = "NEW_AND_OLD_IMAGES"
+
+  server_side_encryption {
+    enabled     = true
+    kms_key_arn = aws_kms_key.cmk_dynamodb.arn
+  }
+
+  attribute {
+    name = "id"
+    type = "S"
+  }
+
+  attribute {
+    name = "customerId"
+    type = "S"
+  }
+
+  global_secondary_index {
+    name            = "idx_global_customerId"
+    hash_key        = "customerId"
+    projection_type = "ALL"
+  }
+
+  tags = var.tags
+}
+
+module "iam_assumable_role_carts" {
+  source                  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+  version                 = "5.59.0"
+  create_role             = true
+  role_requires_mfa       = false
+  role_name               = "${var.addon_context.eks_cluster_id}-carts-dynamo"
+  trusted_role_services   = ["pods.eks.amazonaws.com"]
+  custom_role_policy_arns = [aws_iam_policy.carts_dynamo.arn]
+  trusted_role_actions    = ["sts:AssumeRole", "sts:TagSession"]
+
+  tags = var.tags
+}
+
+resource "aws_iam_policy" "carts_dynamo" {
+  name        = "${var.addon_context.eks_cluster_id}-carts-dynamo"
+  path        = "/"
+  description = "Dynamo policy for carts application"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AllAPIActionsOnCart",
+      "Effect": "Allow",
+      "Action": "dynamodb:*",
+      "Resource": [
+        "arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${aws_dynamodb_table.carts.name}",
+        "arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${aws_dynamodb_table.carts.name}/index/*"
+      ]
+    }
+  ]
+}
+EOF
+  tags   = var.tags
+}
+
+resource "aws_kms_key" "cmk_dynamodb" {
+  description             = "KMS CMK for DynamoDB"
+  deletion_window_in_days = 10
+  enable_key_rotation     = true
+  policy                  = data.aws_iam_policy_document.cmk_dynamodb.json
+}
+
+resource "aws_kms_alias" "cmk" {
+  name          = "alias/${var.addon_context.eks_cluster_id}-cmk-dynamodb"
+  target_key_id = aws_kms_key.cmk_dynamodb.key_id
+}
+
+data "aws_iam_policy_document" "cmk_dynamodb" {
+  statement {
+    sid = "Enable IAM User Permissions"
+    actions = [
+      "kms:*",
+    ]
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [
+        format(
+          "arn:%s:iam::%s:root",
+          data.aws_partition.current.partition,
+          data.aws_caller_identity.current.account_id
+        )
+      ]
+    }
+    resources = ["*"]
+  }
+  statement {
+    sid = "Allow DynamoDB to get information about the CMK"
+    actions = [
+      "kms:Describe*",
+      "kms:Get*",
+      "kms:List*"
+    ]
+    effect = "Allow"
+    principals {
+      type = "Service"
+      identifiers = [
+        "dynamodb.amazonaws.com"
+      ]
+    }
+    resources = ["*"]
+  }
+  statement {
+    sid = "Allow principals to encrypt."
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    resources = ["*"]
+    condition {
+      test     = "StringLike"
+      variable = "kms:ViaService"
+      values   = ["dynamodb.*.amazonaws.com"]
+    }
+    condition {
+      test     = "StringLike"
+      variable = "kms:CallerAccount"
+      values   = [data.aws_caller_identity.current.account_id]
+    }
+  }
+  statement {
+    sid = "Allow principals to decrypt."
+    actions = [
+      "kms:Decrypt",
+      "kms:DescribeKey"
+    ]
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    resources = ["*"]
+    condition {
+      test     = "StringLike"
+      variable = "kms:ViaService"
+      values   = ["dynamodb.*.amazonaws.com"]
+    }
+    condition {
+      test     = "StringLike"
+      variable = "kms:CallerAccount"
+      values   = [data.aws_caller_identity.current.account_id]
+    }
+  }
+}