From d5e4a0693680d2d487d7d4c0e1bf23d4331f4476 Mon Sep 17 00:00:00 2001 From: Xavier Mortelette Date: Mon, 15 Jan 2024 09:30:00 +0100 Subject: [PATCH] Improve modules --- ingress/ingress.tf | 40 ++++++++++++++++++++++++++------------ ingress/variables.tf | 16 +++++++++++++-- service/svc.tf | 38 ++++++++++++++++++++++++++---------- service/variables.tf | 46 +++++++++++++++++++++++++++++++++----------- 4 files changed, 105 insertions(+), 35 deletions(-) diff --git a/ingress/ingress.tf b/ingress/ingress.tf index 9b54ce3..c4472eb 100644 --- a/ingress/ingress.tf +++ b/ingress/ingress.tf @@ -1,17 +1,36 @@ locals { + name = "${var.instance}${var.component == "" ? "" : "-"}${var.component}" rules = [for v in var.dns_names : { "host" = "${v}" "http" = { "paths" = [for idx, svc in var.services : { + "path" = "/${var.sub_paths[idx]}" + "pathType" = "Prefix" "backend" = { "service" = svc } - "path" = "/${var.sub_paths[idx]}" - "pathType" = "Prefix" }] } }] + tls = var.enforce_tls ? [ + { + secretName = var.cert_name != "" ? var.cert_name : "${local.name}-cert" + hosts = var.dns_names + } + ] : [] + middlewares = concat( + var.create_redirect ? ["${local.name}-https"] : [], + var.middlewares + ) + annotations = merge( + var.entrypoint != "" ? { + "traefik.ingress.kubernetes.io/router.entrypoints" = var.entrypoint + } : {}, + length(local.middlewares) > 0 ? { + "traefik.ingress.kubernetes.io/router.middlewares" : "${join(",", [for m in local.middlewares : format("%s-%s@kubernetescrd", var.namespace, m)])}" + } : {}, + ) } resource "kubectl_manifest" "prj_certificate" { 
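Review bot: The new `tls` local lets `var.cert_name` override the TLS secret name, but the Certificate rendered in the next hunk (`prj_certificate`, `@@ -20,15 +39,15`) still hard-codes `secretName: "${local.name}-cert"`, so when `cert_name` is set while the Certificate is still created the Ingress references a Secret that cert-manager never produces and Traefik falls back to its default certificate without any plan-time error. Hoist the choice into one local and use it in both places: `cert_secret = var.cert_name != "" ? var.cert_name : "${local.name}-cert"`, then `secretName = local.cert_secret` inside `tls` and `secretName: "${local.cert_secret}"` in the Certificate heredoc. Whether `prj_certificate` is gated on `create_cert` is not visible in this hunk; if `cert_name` is meant only for externally managed secrets, the variable's `description` should say so. As a point of style, the `router.middlewares` entry uses `:` while the `router.entrypoints` entry uses `=`; both are valid HCL, but one form should be used throughout `annotations`.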
@@ -20,15 +39,15 @@ resource "kubectl_manifest" "prj_certificate" { apiVersion: "cert-manager.io/v1" kind: "Certificate" metadata: - name: "${var.instance}${var.component == "" ? "" : "-"}${var.component}" + name: "${local.name}" namespace: "${var.namespace}" labels: ${jsonencode(var.labels)} spec: - secretName: "${var.instance}${var.component == "" ? "" : "-"}${var.component}-cert" + secretName: "${local.name}-cert" dnsNames: ${jsonencode(var.dns_names)} issuerRef: - name: "${var.issuer}" kind: "ClusterIssuer" + name: "${var.issuer}" group: "cert-manager.io" EOF } @@ -39,7 +58,7 @@ resource "kubectl_manifest" "prj_https_redirect" { apiVersion: "traefik.containo.us/v1alpha1" kind: "Middleware" metadata: - name: "${var.instance}-https" + name: "${local.name}-https" namespace: "${var.namespace}" labels: ${jsonencode(var.labels)} spec: @@ -55,16 +74,13 @@ resource "kubectl_manifest" "prj_ingress" { apiVersion: "networking.k8s.io/v1" kind: "Ingress" metadata: - name: "${var.instance}${var.component == "" ? "" : "-${var.component}"}" + name: "${local.name}" namespace: "${var.namespace}" labels: ${jsonencode(var.labels)} - annotations: - "traefik.ingress.kubernetes.io/router.middlewares": "${join(",", [for m in concat(["${var.instance}-https"], var.middlewares) : format("%s-%s@kubernetescrd", var.namespace, m)])}" + annotations: ${jsonencode(local.annotations)} spec: ingressClassName: "${var.ingress_class}" rules: ${jsonencode(local.rules)} - tls: - - hosts: ${jsonencode(var.dns_names)} - secretName: "${var.instance}${var.secret_component != "" ? "-${var.secret_component}" : var.component == "" ? "" : "-${var.component}"}-cert" + tls: ${jsonencode(local.tls)} EOF } diff --git a/ingress/variables.tf b/ingress/variables.tf index b1f21b1..6f760d8 100644 --- a/ingress/variables.tf +++ b/ingress/variables.tf 
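Review bot: The Ingress (`@@ -55,16 +74,13`) now takes its TLS secret name from `cert_name` instead of the removed `secret_component`, and the redirect Middleware it references is renamed from `${var.instance}-https` to `${local.name}-https` (`prj_https_redirect`, `@@ -39,7 +58,7`), so an existing deployment with a non-empty `component` or `secret_component` will, after this apply, point at a Secret and a Middleware name that no longer match what is in the cluster; Traefik is then likely to serve its default certificate for those hosts and to reject the router until the renamed Middleware exists. Neither rename is mentioned in the commit message; a short migration note (set `cert_name` to the previous `${var.instance}-${var.secret_component}-cert` value, and expect the Middleware object to be replaced rather than updated) would make the change safe to roll out. Since a renamed `kubectl_manifest` is presumably deleted and recreated rather than patched in place, the window in which the Ingress references a missing Middleware is at least one apply long; ordering the resources with `depends_on` does not remove it but keeps it short.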
@@ -30,17 +30,29 @@ variable "services" { variable "create_redirect" { type = bool - default = false + default = true } variable "create_cert" { type = bool default = true } +variable "enforce_tls" { + type = bool + default = true +} variable "sub_paths" { type = list(string) default = [""] } -variable "secret_component" { +variable "cert_name" { type = string default = "" } +variable "entrypoint" { + type = string + default = "" + validation { + condition = contains(["", "web", "websecure"], var.entrypoint) + error_message = "Only empty \"\", web or websecure is allowed" + } +} diff --git a/service/svc.tf b/service/svc.tf index 563208d..4bddf77 100644 --- a/service/svc.tf +++ b/service/svc.tf @@ -1,22 +1,40 @@ locals { - ports = [ for idx, target in var.targets : { - "name" = target - "port"= var.ports[idx] - "protocol"= var.protocols[idx] + cluster_ports = var.svc_type == "ClusterIP" ? [for idx, target in var.targets : { + "name" = target + "port" = var.ports[idx] + "protocol" = var.protocols[idx] "targetPort" = target - }] + }] : [] + node_ports = var.svc_type == "NodePort" ? [for idx, port in var.ports : { + "port" = port + "targetPort" = port + "nodePort" = var.node_ports[idx] + }] : [] + spec = { + "ClusterIP" = { + type = "ClusterIP" + ports = local.cluster_ports + selector = var.labels + }, + "ExternalName" = { + type = "ExternalName" + externalName = var.target_host + }, + "NodePort" = { + type = "NodePort" + selector = var.labels + ports = local.node_ports + } + } } resource "kubectl_manifest" "service" { - yaml_body = <<-EOF + yaml_body = <<-EOF apiVersion: v1 kind: Service metadata: name: "${var.instance}-${var.component}" namespace: "${var.namespace}" labels: ${jsonencode(var.labels)} - spec: - type: ClusterIP - ports: ${jsonencode(local.ports)} - selector: ${jsonencode(var.labels)} + spec: ${jsonencode(local.spec[var.svc_type])} EOF } diff --git a/service/variables.tf b/service/variables.tf index 689d49b..e6eff23 100644 --- a/service/variables.tf 
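Review bot: `create_redirect` flips its default from `false` to `true`, which silently changes the manifests existing callers get, and `enforce_tls`, `cert_name` and `entrypoint` are added without a `description`. With `enforce_tls = false` and the new `create_redirect = true` default the module attaches an HTTP-to-HTTPS redirect Middleware to an Ingress that has no `tls` entry, so clients are bounced to a listener that has no certificate for the host; a `description` on both variables stating that `create_redirect` only makes sense together with `enforce_tls = true` (or a `validation` once the project's Terraform version allows referencing other variables in a condition) would make the combination explicit. The `entrypoint` validation is a good addition; its message would read better if it matched the condition literally, e.g. `error_message = "entrypoint must be \"\", \"web\" or \"websecure\""`.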
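Review bot: The NodePort branch in `node_ports` sets `targetPort = port` and drops `name` and `protocol`, which is inconsistent with `cluster_ports` (where the target port is the named `target`) and, with more than one entry in `ports`, yields a Service the API server rejects because multiple ports must each carry a unique `name`; it also indexes `var.node_ports[idx]` by position in `ports`, so a `ports` list longer than `node_ports` (default `[30080]`) fails at plan time. Building both lists from the same shape fixes all three, assuming the containers expose named ports as the ClusterIP branch already requires. The ExternalName branch has no guard that `var.target_host` is non-empty (an empty `externalName` is rejected at apply time), while the `local.spec[var.svc_type]` lookup itself is safe because `svc_type` is validated. The cleaner `<<-EOF` indentation is welcome; the same could be done for the `prj_*` heredocs in ingress.tf.

```hcl
  node_ports = var.svc_type == "NodePort" ? [for idx, target in var.targets : {
    "name"       = target
    "port"       = var.ports[idx]
    "protocol"   = var.protocols[idx]
    "targetPort" = target
    "nodePort"   = var.node_ports[idx]
  }] : []
  # … unchanged: spec map keyed by service type …
```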
+++ b/service/variables.tf @@ -1,24 +1,48 @@ variable "component" { - type = string + type = string } variable "instance" { - type = string + type = string } variable "namespace" { - type = string + type = string } variable "labels" { - type = map(string) + type = map(string) +} +variable "svc_type" { + type = string + default = "ClusterIP" + validation { + condition = contains(["ClusterIP", "ExternalName", "NodePort"], var.svc_type) + error_message = "Only ClusterIP or ExternalName is allowed" + } } variable "ports" { - type = list - default = [80] + type = list(number) + default = [80] } variable "targets" { - type = list - default = ["http"] + type = list(string) + default = ["http"] } variable "protocols" { - type = list - default = ["TCP"] -} \ No newline at end of file + type = list(any) + default = ["TCP"] + validation { + condition = alltrue([for proto in var.protocols : contains(["TCP", "UDP"], proto)]) + error_message = "Only TCP or UDP is allowed" + } +} +variable "target_host" { + type = string + default = "" +} +variable "node_ports" { + type = list(number) + default = [30080] + validation { + condition = alltrue([for port in var.node_ports : port >= 30000 && port <= 32767]) + error_message = "The range of valid ports is 30000-32767" + } +}
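Review bot: The `svc_type` error message says `Only ClusterIP or ExternalName is allowed` while the condition on the line above also accepts `NodePort`, so a user who mistypes the value is shown a list that is itself wrong; change it to `error_message = "Only ClusterIP, ExternalName or NodePort is allowed"`. `protocols` becomes `list(any)` although its validation only passes strings and the sibling lists are now `list(number)`/`list(string)`; `list(string)` states the actual contract and lets Terraform report a type error before the validation runs. `target_host` gets no validation at all even though the ExternalName branch in svc.tf renders it straight into `externalName`; if the project's Terraform version allows other variables in a condition, `condition = var.svc_type != "ExternalName" || var.target_host != ""` closes the gap, otherwise a hostname-shaped regex check on `target_host` alone is still better than nothing. The `node_ports` range 30000-32767 is the kube-apiserver default and can be reconfigured per cluster; a `description` saying the check mirrors the default `--service-node-port-range` would tell operators why it may need adjusting.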