diff --git a/README.md b/README.md
index 5fff599..4de0870 100644
--- a/README.md
+++ b/README.md
@@ -255,7 +255,9 @@ boot_secrets = [
 ``` - follow the Jenkins X documentation around the installation of an [external Vault](https://jenkins-x.io/v3/admin/setup/secrets/vault/#external-vault) instance. 
-To use AWS Secrets Manager instead of vault, set `use_vault` variable to false, and `use_asm` variable to true. You will also need a role that grants access to AWS Secrets Manager, this will be created for you by setting `create_asm_role` variable to true. 
+To use AWS Secrets Manager instead of vault, set `use_vault` variable to false, and `use_asm` variable to true. 
+You will also need a role that grants access to AWS Secrets Manager, this will be created for you by setting `create_asm_role` variable to true. 
+Setting the above variables will add the asm role arn to the boot job service account, which is required for the boot job to interact with AWS secrets manager to populate secrets. 
 ### NGINX 
@@ -661,173 +663,168 @@ Each example generates a valid _jx-requirements.yml_ file that can be used to bo
 ### Module configuration 
-
 #### Providers 
-| Name | Version | 
-| --------------------------------------------------------- | ------- | 
-| [aws](#provider_aws) | 3.64.2 | 
-| [random](#provider_random) | 3.1.0 | 
- 
+| Name | Version | 
+|------|---------| 
+| [aws](#provider\_aws) | 3.64.2 | 
+| [random](#provider\_random) | 3.1.0 |
 #### Modules 
-| Name | Source | Version | 
-| -------------------------------------------------------- | ----------------- | ------- | 
-| [backup](#module_backup) | ./modules/backup | n/a | 
-| [cluster](#module_cluster) | ./modules/cluster | n/a | 
-| [dns](#module_dns) | ./modules/dns | n/a | 
-| [health](#module_health) | ./modules/health | n/a | 
-| [nginx](#module_nginx) | ./modules/nginx | n/a | 
-| [vault](#module_vault) | ./modules/vault | n/a | 
- 
+| Name | Source | Version | 
+|------|--------|---------| 
+| [backup](#module\_backup) | ./modules/backup | n/a | 
+| [cluster](#module\_cluster) | ./modules/cluster | n/a | 
+| [dns](#module\_dns) | ./modules/dns | n/a | 
+| [health](#module\_health) | ./modules/health | n/a | 
+| [nginx](#module\_nginx) | ./modules/nginx | n/a | 
+| [vault](#module\_vault) | ./modules/vault | n/a |
 #### Requirements 
-| Name | Version | 
-| --------------------------------------------------------------------------- | ------------------- | 
-| [terraform](#requirement_terraform) | >= 0.12.17, < 2.0.0 | 
-| [aws](#requirement_aws) | >= 2.53.0, < 4.0 | 
-| [helm](#requirement_helm) | ~> 2.0 | 
-| [kubernetes](#requirement_kubernetes) | ~> 2.0 | 
-| [local](#requirement_local) | ~> 2.0 | 
-| [null](#requirement_null) | ~> 3.0 | 
-| [random](#requirement_random) | ~> 3.0 | 
-| [template](#requirement_template) | ~> 2.0 | 
- 
+| Name | Version | 
+|------|---------| 
+| [terraform](#requirement\_terraform) | >= 0.12.17, < 2.0.0 | 
+| [aws](#requirement\_aws) | >= 2.53.0, < 4.0 | 
+| [helm](#requirement\_helm) | ~> 2.0 | 
+| 
[kubernetes](#requirement\_kubernetes) | ~> 2.0 | +| [local](#requirement\_local) | ~> 2.0 | +| [null](#requirement\_null) | ~> 3.0 | +| [random](#requirement\_random) | ~> 3.0 | +| [template](#requirement\_template) | ~> 2.0 | #### Inputs -| Name | Description | Type | Default | Required | -| ------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------- | :------: | -| [additional_tekton_role_policy_arns](#input_additional_tekton_role_policy_arns) | Additional Policy ARNs to attach to Tekton IRSA Role | `list(string)` | `[]` | no | -| [allowed_spot_instance_types](#input_allowed_spot_instance_types) | Allowed machine types for spot instances (must be same size) | `any` | `[]` | no | -| [apex_domain](#input_apex_domain) | The main domain to either use directly or to configure a subdomain from | `string` | `""` | no | -| [boot_secrets](#input_boot_secrets) | n/a |
list(object({
name = string
value = string
type = string
}))
| `[]` | no | -| [cluster_encryption_config](#input_cluster_encryption_config) | Configuration block with encryption configuration for the cluster. |
list(object({
provider_key_arn = string
resources = list(string)
}))
| `[]` | no | -| [cluster_endpoint_private_access](#input_cluster_endpoint_private_access) | Indicates whether or not the Amazon EKS private API server endpoint is enabled. | `bool` | `false` | no | -| [cluster_endpoint_private_access_cidrs](#input_cluster_endpoint_private_access_cidrs) | List of CIDR blocks which can access the Amazon EKS private API server endpoint, when public access is disabled. | `list(string)` |
[
"0.0.0.0/0"
]
| no | -| [cluster_endpoint_public_access](#input_cluster_endpoint_public_access) | Indicates whether or not the Amazon EKS public API server endpoint is enabled. | `bool` | `true` | no | -| [cluster_endpoint_public_access_cidrs](#input_cluster_endpoint_public_access_cidrs) | List of CIDR blocks which can access the Amazon EKS public API server endpoint. | `list(string)` |
[
"0.0.0.0/0"
]
| no | -| [cluster_in_private_subnet](#input_cluster_in_private_subnet) | Flag to enable installation of cluster on private subnets | `bool` | `false` | no | -| [cluster_name](#input_cluster_name) | Variable to provide your desired name for the cluster. The script will create a random name if this is empty | `string` | `""` | no | -| [cluster_version](#input_cluster_version) | Kubernetes version to use for the EKS cluster. | `string` | n/a | yes | -| [create_and_configure_subdomain](#input_create_and_configure_subdomain) | Flag to create an NS record set for the subdomain in the apex domain's Hosted Zone | `bool` | `false` | no | -| [create_asm_role](#input_create_asm_role) | Flag to control AWS Secrets Manager iam roles creation | `bool` | `false` | no | -| [create_autoscaler_role](#input_create_autoscaler_role) | Flag to control cluster autoscaler iam role creation | `bool` | `true` | no | -| [create_bucketrepo_role](#input_create_bucketrepo_role) | Flag to control bucketrepo role | `bool` | `true` | no | -| [create_cm_role](#input_create_cm_role) | Flag to control cert manager iam role creation | `bool` | `true` | no | -| [create_cmcainjector_role](#input_create_cmcainjector_role) | Flag to control cert manager ca-injector iam role creation | `bool` | `true` | no | -| [create_ctrlb_role](#input_create_ctrlb_role) | Flag to control controller build iam role creation | `bool` | `true` | no | -| [create_eks](#input_create_eks) | Controls if EKS cluster and associated resources should be created or not. 
If you have an existing eks cluster for jx, set it to false | `bool` | `true` | no | -| [create_exdns_role](#input_create_exdns_role) | Flag to control external dns iam role creation | `bool` | `true` | no | -| [create_nginx](#input_create_nginx) | Decides whether we want to create nginx resources using terraform or not | `bool` | `false` | no | -| [create_nginx_namespace](#input_create_nginx_namespace) | Boolean to control nginx namespace creation | `bool` | `true` | no | -| [create_pipeline_vis_role](#input_create_pipeline_vis_role) | Flag to control pipeline visualizer role | `bool` | `true` | no | -| [create_ssm_role](#input_create_ssm_role) | Flag to control AWS Parameter Store iam roles creation | `bool` | `false` | no | -| [create_tekton_role](#input_create_tekton_role) | Flag to control tekton iam role creation | `bool` | `true` | no | -| [create_velero_role](#input_create_velero_role) | Flag to control velero iam role creation | `bool` | `true` | no | -| [create_vpc](#input_create_vpc) | Controls if VPC and related resources should be created. 
If you have an existing vpc for jx, set it to false | `bool` | `true` | no | -| [desired_node_count](#input_desired_node_count) | The number of worker nodes to use for the cluster | `number` | `3` | no | -| [enable_backup](#input_enable_backup) | Whether or not Velero backups should be enabled | `bool` | `false` | no | -| [enable_external_dns](#input_enable_external_dns) | Flag to enable or disable External DNS in the final `jx-requirements.yml` file | `bool` | `false` | no | -| [enable_key_name](#input_enable_key_name) | Flag to enable ssh key pair name | `bool` | `false` | no | -| [enable_key_rotation](#input_enable_key_rotation) | Flag to enable kms key rotation | `bool` | `true` | no | -| [enable_logs_storage](#input_enable_logs_storage) | Flag to enable or disable long term storage for logs | `bool` | `true` | no | -| [enable_nat_gateway](#input_enable_nat_gateway) | Should be true if you want to provision NAT Gateways for each of your private networks | `bool` | `false` | no | -| [enable_reports_storage](#input_enable_reports_storage) | Flag to enable or disable long term storage for reports | `bool` | `true` | no | -| [enable_repository_storage](#input_enable_repository_storage) | Flag to enable or disable the repository bucket storage | `bool` | `true` | no | -| [enable_spot_instances](#input_enable_spot_instances) | Flag to enable spot instances | `bool` | `false` | no | -| [enable_tls](#input_enable_tls) | Flag to enable TLS in the final `jx-requirements.yml` file | `bool` | `false` | no | -| [enable_worker_group](#input_enable_worker_group) | Flag to enable worker group. Setting this to false will provision a node group instead | `bool` | `true` | no | -| [enable_worker_groups_launch_template](#input_enable_worker_groups_launch_template) | Flag to enable Worker Group Launch Templates | `bool` | `false` | no | -| [encrypt_volume_self](#input_encrypt_volume_self) | Encrypt the ebs and root volume for the self managed worker nodes. 
This is only valid for the worker group launch template | `bool` | `false` | no | -| [force_destroy](#input_force_destroy) | Flag to determine whether storage buckets get forcefully destroyed. If set to false, empty the bucket first in the aws s3 console, else terraform destroy will fail with BucketNotEmpty error | `bool` | `false` | no | -| [force_destroy_subdomain](#input_force_destroy_subdomain) | Flag to determine whether subdomain zone get forcefully destroyed. If set to false, empty the sub domain first in the aws Route 53 console, else terraform destroy will fail with HostedZoneNotEmpty error | `bool` | `false` | no | -| [ignoreLoadBalancer](#input_ignoreLoadBalancer) | Flag to specify if jx boot will ignore loadbalancer DNS to resolve to an IP | `bool` | `false` | no | -| [install_kuberhealthy](#input_install_kuberhealthy) | Flag to specify if kuberhealthy operator should be installed | `bool` | `true` | no | -| [iops](#input_iops) | The IOPS value | `number` | `0` | no | -| [is_jx2](#input_is_jx2) | Flag to specify if jx2 related resources need to be created | `bool` | `true` | no | -| [jx_bot_token](#input_jx_bot_token) | Bot token used to interact with the Jenkins X cluster git repository | `string` | `""` | no | -| [jx_bot_username](#input_jx_bot_username) | Bot username used to interact with the Jenkins X cluster git repository | `string` | `""` | no | -| [jx_git_operator_values](#input_jx_git_operator_values) | Extra values for jx-git-operator chart as a list of yaml formated strings | `list(string)` | `[]` | no | -| [jx_git_url](#input_jx_git_url) | URL for the Jenkins X cluster git repository | `string` | `""` | no | -| [key_name](#input_key_name) | The ssh key pair name | `string` | `""` | no | -| [local-exec-interpreter](#input_local-exec-interpreter) | If provided, this is a list of interpreter arguments used to execute the command | `list(string)` |
[
"/bin/bash",
"-c"
]
| no | -| [lt_desired_nodes_per_subnet](#input_lt_desired_nodes_per_subnet) | The number of worker nodes in each Subnet (AZ) if using Launch Templates | `number` | `1` | no | -| [lt_max_nodes_per_subnet](#input_lt_max_nodes_per_subnet) | The maximum number of worker nodes in each Subnet (AZ) if using Launch Templates | `number` | `2` | no | -| [lt_min_nodes_per_subnet](#input_lt_min_nodes_per_subnet) | The minimum number of worker nodes in each Subnet (AZ) if using Launch Templates | `number` | `1` | no | -| [manage_apex_domain](#input_manage_apex_domain) | Flag to control if apex domain should be managed/updated by this module. Set this to false,if your apex domain is managed in a different AWS account or different provider | `bool` | `true` | no | -| [manage_subdomain](#input_manage_subdomain) | Flag to control subdomain creation/management | `bool` | `true` | no | -| [map_accounts](#input_map_accounts) | Additional AWS account numbers to add to the aws-auth configmap. | `list(string)` | `[]` | no | -| [map_roles](#input_map_roles) | Additional IAM roles to add to the aws-auth configmap. |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | -| [map_users](#input_map_users) | Additional IAM users to add to the aws-auth configmap. |
list(object({
userarn = string
username = string
groups = list(string)
}))
| `[]` | no | -| [max_node_count](#input_max_node_count) | The maximum number of worker nodes to use for the cluster | `number` | `5` | no | -| [min_node_count](#input_min_node_count) | The minimum number of worker nodes to use for the cluster | `number` | `3` | no | -| [nginx_chart_version](#input_nginx_chart_version) | nginx chart version | `string` | n/a | yes | -| [nginx_namespace](#input_nginx_namespace) | Name of the nginx namespace | `string` | `"nginx"` | no | -| [nginx_release_name](#input_nginx_release_name) | Name of the nginx release name | `string` | `"nginx-ingress"` | no | -| [nginx_values_file](#input_nginx_values_file) | Name of the values file which holds the helm chart values | `string` | `"nginx_values.yaml"` | no | -| [node_group_ami](#input_node_group_ami) | ami type for the node group worker intances | `string` | `"AL2_x86_64"` | no | -| [node_group_disk_size](#input_node_group_disk_size) | node group worker disk size | `string` | `"50"` | no | -| [node_groups_managed](#input_node_groups_managed) | List of managed node groups to be created and their respective settings | `any` |
{
"eks-jx-node-group": {}
}
| no | -| [node_machine_type](#input_node_machine_type) | The instance type to use for the cluster's worker nodes | `string` | `"m5.large"` | no | -| [private_subnets](#input_private_subnets) | The private subnet CIDR block to use in the created VPC | `list(string)` |
[
"10.0.4.0/24",
"10.0.5.0/24",
"10.0.6.0/24"
]
| no | -| [production_letsencrypt](#input_production_letsencrypt) | Flag to use the production environment of letsencrypt in the `jx-requirements.yml` file | `bool` | `false` | no | -| [profile](#input_profile) | The AWS Profile used to provision the EKS Cluster | `string` | `null` | no | -| [public_subnets](#input_public_subnets) | The public subnet CIDR block to use in the created VPC | `list(string)` |
[
"10.0.1.0/24",
"10.0.2.0/24",
"10.0.3.0/24"
]
| no | -| [region](#input_region) | The region to create the resources into | `string` | `"us-east-1"` | no | -| [registry](#input_registry) | Registry used to store images | `string` | `""` | no | -| [s3_kms_arn](#input_s3_kms_arn) | ARN of the kms key used for encrypting s3 buckets | `string` | `""` | no | -| [single_nat_gateway](#input_single_nat_gateway) | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | `bool` | `false` | no | -| [spot_price](#input_spot_price) | The spot price ceiling for spot instances | `string` | `"0.1"` | no | -| [subdomain](#input_subdomain) | The subdomain to be added to the apex domain. If subdomain is set, it will be appended to the apex domain in `jx-requirements-eks.yml` file | `string` | `""` | no | -| [subnets](#input_subnets) | The subnet ids to create EKS cluster in if create_vpc is false | `list(string)` | `[]` | no | -| [tls_cert](#input_tls_cert) | TLS certificate encrypted with Base64 | `string` | `""` | no | -| [tls_email](#input_tls_email) | The email to register the LetsEncrypt certificate with. 
Added to the `jx-requirements.yml` file | `string` | `""` | no | -| [tls_key](#input_tls_key) | TLS key encrypted with Base64 | `string` | `""` | no | -| [use_asm](#input_use_asm) | Flag to specify if AWS Secrets manager is being used | `bool` | `false` | no | -| [use_kms_s3](#input_use_kms_s3) | Flag to determine whether kms should be used for encrypting s3 buckets | `bool` | `false` | no | -| [use_vault](#input_use_vault) | Flag to control vault resource creation | `bool` | `true` | no | -| [vault_url](#input_vault_url) | URL to an external Vault instance in case Jenkins X does not create its own system Vault | `string` | `""` | no | -| [vault_user](#input_vault_user) | The AWS IAM Username whose credentials will be used to authenticate the Vault pods against AWS | `string` | `""` | no | -| [velero_namespace](#input_velero_namespace) | Kubernetes namespace for Velero | `string` | `"velero"` | no | -| [velero_schedule](#input_velero_schedule) | The Velero backup schedule in cron notation to be set in the Velero Schedule CRD (see [default-backup.yaml](https://github.com/jenkins-x/jenkins-x-boot-config/blob/master/systems/velero-backups/templates/default-backup.yaml)) | `string` | `"0 * * * *"` | no | -| [velero_ttl](#input_velero_ttl) | The the lifetime of a velero backup to be set in the Velero Schedule CRD (see [default-backup.yaml](https://github.com/jenkins-x/jenkins-x-boot-config/blob/master/systems/velero-backups/templates/default-backup)) | `string` | `"720h0m0s"` | no | -| [velero_username](#input_velero_username) | The username to be assigned to the Velero IAM user | `string` | `"velero"` | no | -| [volume_size](#input_volume_size) | The volume size in GB | `number` | `50` | no | -| [volume_type](#input_volume_type) | The volume type to use. 
Can be standard, gp2 or io1 | `string` | `"gp2"` | no | -| [vpc_cidr_block](#input_vpc_cidr_block) | The vpc CIDR block | `string` | `"10.0.0.0/16"` | no | -| [vpc_id](#input_vpc_id) | The VPC to create EKS cluster in if create_vpc is false | `string` | `""` | no | -| [vpc_name](#input_vpc_name) | The name of the VPC to be created for the cluster | `string` | `"tf-vpc-eks"` | no | - +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [additional\_tekton\_role\_policy\_arns](#input\_additional\_tekton\_role\_policy\_arns) | Additional Policy ARNs to attach to Tekton IRSA Role | `list(string)` | `[]` | no | +| [allowed\_spot\_instance\_types](#input\_allowed\_spot\_instance\_types) | Allowed machine types for spot instances (must be same size) | `any` | `[]` | no | +| [apex\_domain](#input\_apex\_domain) | The main domain to either use directly or to configure a subdomain from | `string` | `""` | no | +| [asm\_role](#input\_asm\_role) | Specify arn of the ASM role (custom not created by the module) | `string` | `""` | no | +| [boot\_secrets](#input\_boot\_secrets) | n/a |
list(object({
name = string
value = string
type = string
}))
| `[]` | no | +| [cluster\_encryption\_config](#input\_cluster\_encryption\_config) | Configuration block with encryption configuration for the cluster. |
list(object({
provider_key_arn = string
resources = list(string)
}))
| `[]` | no | +| [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Indicates whether or not the Amazon EKS private API server endpoint is enabled. | `bool` | `false` | no | +| [cluster\_endpoint\_private\_access\_cidrs](#input\_cluster\_endpoint\_private\_access\_cidrs) | List of CIDR blocks which can access the Amazon EKS private API server endpoint, when public access is disabled. | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Indicates whether or not the Amazon EKS public API server endpoint is enabled. | `bool` | `true` | no | +| [cluster\_endpoint\_public\_access\_cidrs](#input\_cluster\_endpoint\_public\_access\_cidrs) | List of CIDR blocks which can access the Amazon EKS public API server endpoint. | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [cluster\_in\_private\_subnet](#input\_cluster\_in\_private\_subnet) | Flag to enable installation of cluster on private subnets | `bool` | `false` | no | +| [cluster\_name](#input\_cluster\_name) | Variable to provide your desired name for the cluster. The script will create a random name if this is empty | `string` | `""` | no | +| [cluster\_version](#input\_cluster\_version) | Kubernetes version to use for the EKS cluster. | `string` | n/a | yes | +| [create\_and\_configure\_subdomain](#input\_create\_and\_configure\_subdomain) | Flag to create an NS record set for the subdomain in the apex domain's Hosted Zone | `bool` | `false` | no | +| [create\_asm\_role](#input\_create\_asm\_role) | Flag to control AWS Secrets Manager iam roles creation | `bool` | `false` | no | +| [create\_autoscaler\_role](#input\_create\_autoscaler\_role) | Flag to control cluster autoscaler iam role creation | `bool` | `true` | no | +| [create\_bucketrepo\_role](#input\_create\_bucketrepo\_role) | Flag to control bucketrepo role | `bool` | `true` | no | +| [create\_cm\_role](#input\_create\_cm\_role) | Flag to control cert manager iam role creation | `bool` | `true` | no | +| [create\_cmcainjector\_role](#input\_create\_cmcainjector\_role) | Flag to control cert manager ca-injector iam role creation | `bool` | `true` | no | +| [create\_ctrlb\_role](#input\_create\_ctrlb\_role) | Flag to control controller build iam role creation | `bool` | `true` | no | +| [create\_eks](#input\_create\_eks) | Controls if EKS cluster and associated resources should be created or not. 
If you have an existing eks cluster for jx, set it to false | `bool` | `true` | no | +| [create\_exdns\_role](#input\_create\_exdns\_role) | Flag to control external dns iam role creation | `bool` | `true` | no | +| [create\_nginx](#input\_create\_nginx) | Decides whether we want to create nginx resources using terraform or not | `bool` | `false` | no | +| [create\_nginx\_namespace](#input\_create\_nginx\_namespace) | Boolean to control nginx namespace creation | `bool` | `true` | no | +| [create\_pipeline\_vis\_role](#input\_create\_pipeline\_vis\_role) | Flag to control pipeline visualizer role | `bool` | `true` | no | +| [create\_ssm\_role](#input\_create\_ssm\_role) | Flag to control AWS Parameter Store iam roles creation | `bool` | `false` | no | +| [create\_tekton\_role](#input\_create\_tekton\_role) | Flag to control tekton iam role creation | `bool` | `true` | no | +| [create\_velero\_role](#input\_create\_velero\_role) | Flag to control velero iam role creation | `bool` | `true` | no | +| [create\_vpc](#input\_create\_vpc) | Controls if VPC and related resources should be created. 
If you have an existing vpc for jx, set it to false | `bool` | `true` | no | +| [desired\_node\_count](#input\_desired\_node\_count) | The number of worker nodes to use for the cluster | `number` | `3` | no | +| [enable\_backup](#input\_enable\_backup) | Whether or not Velero backups should be enabled | `bool` | `false` | no | +| [enable\_external\_dns](#input\_enable\_external\_dns) | Flag to enable or disable External DNS in the final `jx-requirements.yml` file | `bool` | `false` | no | +| [enable\_key\_name](#input\_enable\_key\_name) | Flag to enable ssh key pair name | `bool` | `false` | no | +| [enable\_key\_rotation](#input\_enable\_key\_rotation) | Flag to enable kms key rotation | `bool` | `true` | no | +| [enable\_logs\_storage](#input\_enable\_logs\_storage) | Flag to enable or disable long term storage for logs | `bool` | `true` | no | +| [enable\_nat\_gateway](#input\_enable\_nat\_gateway) | Should be true if you want to provision NAT Gateways for each of your private networks | `bool` | `false` | no | +| [enable\_reports\_storage](#input\_enable\_reports\_storage) | Flag to enable or disable long term storage for reports | `bool` | `true` | no | +| [enable\_repository\_storage](#input\_enable\_repository\_storage) | Flag to enable or disable the repository bucket storage | `bool` | `true` | no | +| [enable\_spot\_instances](#input\_enable\_spot\_instances) | Flag to enable spot instances | `bool` | `false` | no | +| [enable\_tls](#input\_enable\_tls) | Flag to enable TLS in the final `jx-requirements.yml` file | `bool` | `false` | no | +| [enable\_worker\_group](#input\_enable\_worker\_group) | Flag to enable worker group. 
Setting this to false will provision a node group instead | `bool` | `true` | no | +| [enable\_worker\_groups\_launch\_template](#input\_enable\_worker\_groups\_launch\_template) | Flag to enable Worker Group Launch Templates | `bool` | `false` | no | +| [encrypt\_volume\_self](#input\_encrypt\_volume\_self) | Encrypt the ebs and root volume for the self managed worker nodes. This is only valid for the worker group launch template | `bool` | `false` | no | +| [force\_destroy](#input\_force\_destroy) | Flag to determine whether storage buckets get forcefully destroyed. If set to false, empty the bucket first in the aws s3 console, else terraform destroy will fail with BucketNotEmpty error | `bool` | `false` | no | +| [force\_destroy\_subdomain](#input\_force\_destroy\_subdomain) | Flag to determine whether subdomain zone get forcefully destroyed. If set to false, empty the sub domain first in the aws Route 53 console, else terraform destroy will fail with HostedZoneNotEmpty error | `bool` | `false` | no | +| [ignoreLoadBalancer](#input\_ignoreLoadBalancer) | Flag to specify if jx boot will ignore loadbalancer DNS to resolve to an IP | `bool` | `false` | no | +| [install\_kuberhealthy](#input\_install\_kuberhealthy) | Flag to specify if kuberhealthy operator should be installed | `bool` | `true` | no | +| [iops](#input\_iops) | The IOPS value | `number` | `0` | no | +| [is\_jx2](#input\_is\_jx2) | Flag to specify if jx2 related resources need to be created | `bool` | `true` | no | +| [jx\_bot\_token](#input\_jx\_bot\_token) | Bot token used to interact with the Jenkins X cluster git repository | `string` | `""` | no | +| [jx\_bot\_username](#input\_jx\_bot\_username) | Bot username used to interact with the Jenkins X cluster git repository | `string` | `""` | no | +| [jx\_git\_operator\_values](#input\_jx\_git\_operator\_values) | Extra values for jx-git-operator chart as a list of yaml formated strings | `list(string)` | `[]` | no | +| 
[jx\_git\_url](#input\_jx\_git\_url) | URL for the Jenkins X cluster git repository | `string` | `""` | no | +| [key\_name](#input\_key\_name) | The ssh key pair name | `string` | `""` | no | +| [local-exec-interpreter](#input\_local-exec-interpreter) | If provided, this is a list of interpreter arguments used to execute the command | `list(string)` |
[
"/bin/bash",
"-c"
]
| no | +| [lt\_desired\_nodes\_per\_subnet](#input\_lt\_desired\_nodes\_per\_subnet) | The number of worker nodes in each Subnet (AZ) if using Launch Templates | `number` | `1` | no | +| [lt\_max\_nodes\_per\_subnet](#input\_lt\_max\_nodes\_per\_subnet) | The maximum number of worker nodes in each Subnet (AZ) if using Launch Templates | `number` | `2` | no | +| [lt\_min\_nodes\_per\_subnet](#input\_lt\_min\_nodes\_per\_subnet) | The minimum number of worker nodes in each Subnet (AZ) if using Launch Templates | `number` | `1` | no | +| [manage\_apex\_domain](#input\_manage\_apex\_domain) | Flag to control if apex domain should be managed/updated by this module. Set this to false,if your apex domain is managed in a different AWS account or different provider | `bool` | `true` | no | +| [manage\_subdomain](#input\_manage\_subdomain) | Flag to control subdomain creation/management | `bool` | `true` | no | +| [map\_accounts](#input\_map\_accounts) | Additional AWS account numbers to add to the aws-auth configmap. | `list(string)` | `[]` | no | +| [map\_roles](#input\_map\_roles) | Additional IAM roles to add to the aws-auth configmap. |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | +| [map\_users](#input\_map\_users) | Additional IAM users to add to the aws-auth configmap. |
list(object({
userarn = string
username = string
groups = list(string)
}))
| `[]` | no | +| [max\_node\_count](#input\_max\_node\_count) | The maximum number of worker nodes to use for the cluster | `number` | `5` | no | +| [min\_node\_count](#input\_min\_node\_count) | The minimum number of worker nodes to use for the cluster | `number` | `3` | no | +| [nginx\_chart\_version](#input\_nginx\_chart\_version) | nginx chart version | `string` | n/a | yes | +| [nginx\_namespace](#input\_nginx\_namespace) | Name of the nginx namespace | `string` | `"nginx"` | no | +| [nginx\_release\_name](#input\_nginx\_release\_name) | Name of the nginx release name | `string` | `"nginx-ingress"` | no | +| [nginx\_values\_file](#input\_nginx\_values\_file) | Name of the values file which holds the helm chart values | `string` | `"nginx_values.yaml"` | no | +| [node\_group\_ami](#input\_node\_group\_ami) | ami type for the node group worker intances | `string` | `"AL2_x86_64"` | no | +| [node\_group\_disk\_size](#input\_node\_group\_disk\_size) | node group worker disk size | `string` | `"50"` | no | +| [node\_groups\_managed](#input\_node\_groups\_managed) | List of managed node groups to be created and their respective settings | `any` |
{
"eks-jx-node-group": {}
}
| no | +| [node\_machine\_type](#input\_node\_machine\_type) | The instance type to use for the cluster's worker nodes | `string` | `"m5.large"` | no | +| [private\_subnets](#input\_private\_subnets) | The private subnet CIDR block to use in the created VPC | `list(string)` |
[
"10.0.4.0/24",
"10.0.5.0/24",
"10.0.6.0/24"
]
| no | +| [production\_letsencrypt](#input\_production\_letsencrypt) | Flag to use the production environment of letsencrypt in the `jx-requirements.yml` file | `bool` | `false` | no | +| [profile](#input\_profile) | The AWS Profile used to provision the EKS Cluster | `string` | `null` | no | +| [public\_subnets](#input\_public\_subnets) | The public subnet CIDR block to use in the created VPC | `list(string)` |
[
"10.0.1.0/24",
"10.0.2.0/24",
"10.0.3.0/24"
]
| no | +| [region](#input\_region) | The region to create the resources into | `string` | `"us-east-1"` | no | +| [registry](#input\_registry) | Registry used to store images | `string` | `""` | no | +| [s3\_kms\_arn](#input\_s3\_kms\_arn) | ARN of the kms key used for encrypting s3 buckets | `string` | `""` | no | +| [single\_nat\_gateway](#input\_single\_nat\_gateway) | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | `bool` | `false` | no | +| [spot\_price](#input\_spot\_price) | The spot price ceiling for spot instances | `string` | `"0.1"` | no | +| [subdomain](#input\_subdomain) | The subdomain to be added to the apex domain. If subdomain is set, it will be appended to the apex domain in `jx-requirements-eks.yml` file | `string` | `""` | no | +| [subnets](#input\_subnets) | The subnet ids to create EKS cluster in if create\_vpc is false | `list(string)` | `[]` | no | +| [tls\_cert](#input\_tls\_cert) | TLS certificate encrypted with Base64 | `string` | `""` | no | +| [tls\_email](#input\_tls\_email) | The email to register the LetsEncrypt certificate with. 
Added to the `jx-requirements.yml` file | `string` | `""` | no | +| [tls\_key](#input\_tls\_key) | TLS key encrypted with Base64 | `string` | `""` | no | +| [use\_asm](#input\_use\_asm) | Flag to specify if AWS Secrets manager is being used | `bool` | `false` | no | +| [use\_kms\_s3](#input\_use\_kms\_s3) | Flag to determine whether kms should be used for encrypting s3 buckets | `bool` | `false` | no | +| [use\_vault](#input\_use\_vault) | Flag to control vault resource creation | `bool` | `true` | no | +| [vault\_url](#input\_vault\_url) | URL to an external Vault instance in case Jenkins X does not create its own system Vault | `string` | `""` | no | +| [vault\_user](#input\_vault\_user) | The AWS IAM Username whose credentials will be used to authenticate the Vault pods against AWS | `string` | `""` | no | +| [velero\_namespace](#input\_velero\_namespace) | Kubernetes namespace for Velero | `string` | `"velero"` | no | +| [velero\_schedule](#input\_velero\_schedule) | The Velero backup schedule in cron notation to be set in the Velero Schedule CRD (see [default-backup.yaml](https://github.com/jenkins-x/jenkins-x-boot-config/blob/master/systems/velero-backups/templates/default-backup.yaml)) | `string` | `"0 * * * *"` | no | +| [velero\_ttl](#input\_velero\_ttl) | The the lifetime of a velero backup to be set in the Velero Schedule CRD (see [default-backup.yaml](https://github.com/jenkins-x/jenkins-x-boot-config/blob/master/systems/velero-backups/templates/default-backup)) | `string` | `"720h0m0s"` | no | +| [velero\_username](#input\_velero\_username) | The username to be assigned to the Velero IAM user | `string` | `"velero"` | no | +| [volume\_size](#input\_volume\_size) | The volume size in GB | `number` | `50` | no | +| [volume\_type](#input\_volume\_type) | The volume type to use. 
Can be standard, gp2 or io1 | `string` | `"gp2"` | no | +| [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | The vpc CIDR block | `string` | `"10.0.0.0/16"` | no | +| [vpc\_id](#input\_vpc\_id) | The VPC to create EKS cluster in if create\_vpc is false | `string` | `""` | no | +| [vpc\_name](#input\_vpc\_name) | The name of the VPC to be created for the cluster | `string` | `"tf-vpc-eks"` | no | #### Outputs -| Name | Description | -| -------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [backup_bucket_url](#output_backup_bucket_url) | The bucket where backups from velero will be stored | -| [cert_manager_iam_role](#output_cert_manager_iam_role) | The IAM Role that the Cert Manager pod will assume to authenticate | -| [cluster_asm_iam_role](#output_cluster_asm_iam_role) | The IAM Role that the External Secrets pod will assume to authenticate (Secrets Manager) | -| [cluster_autoscaler_iam_role](#output_cluster_autoscaler_iam_role) | The IAM Role that the Jenkins X UI pod will assume to authenticate | -| [cluster_name](#output_cluster_name) | The name of the created cluster | -| [cluster_oidc_issuer_url](#output_cluster_oidc_issuer_url) | The Cluster OIDC Issuer URL | -| [cluster_ssm_iam_role](#output_cluster_ssm_iam_role) | The IAM Role that the External Secrets pod will assume to authenticate (Parameter Store) | -| [cm_cainjector_iam_role](#output_cm_cainjector_iam_role) | The IAM Role that the CM CA Injector pod will assume to authenticate | -| [connect](#output_connect) | "The cluster connection string to use once Terraform apply finishes,
this command is already executed as part of the apply, you may have to provide the region and
profile as environment variables " | -| [controllerbuild_iam_role](#output_controllerbuild_iam_role) | The IAM Role that the ControllerBuild pod will assume to authenticate | -| [eks_module](#output_eks_module) | The output of the terraform-aws-modules/eks/aws module for use in terraform | -| [external_dns_iam_role](#output_external_dns_iam_role) | The IAM Role that the External DNS pod will assume to authenticate | -| [jx_requirements](#output_jx_requirements) | The jx-requirements rendered output | -| [lts_logs_bucket](#output_lts_logs_bucket) | The bucket where logs from builds will be stored | -| [lts_reports_bucket](#output_lts_reports_bucket) | The bucket where test reports will be stored | -| [lts_repository_bucket](#output_lts_repository_bucket) | The bucket that will serve as artifacts repository | -| [pipeline_viz_iam_role](#output_pipeline_viz_iam_role) | The IAM Role that the pipeline visualizer pod will assume to authenticate | -| [subdomain_nameservers](#output_subdomain_nameservers) | ---------------------------------------------------------------------------- DNS ---------------------------------------------------------------------------- | -| [tekton_bot_iam_role](#output_tekton_bot_iam_role) | The IAM Role that the build pods will assume to authenticate | -| [vault_dynamodb_table](#output_vault_dynamodb_table) | The Vault DynamoDB table | -| [vault_kms_unseal](#output_vault_kms_unseal) | The Vault KMS Key for encryption | -| [vault_unseal_bucket](#output_vault_unseal_bucket) | The Vault storage bucket | -| [vault_user_id](#output_vault_user_id) | The Vault IAM user id | -| [vault_user_secret](#output_vault_user_secret) | The Vault IAM user secret | -| [vpc_id](#output_vpc_id) | The ID of the VPC | - +| Name | Description | +|------|-------------| +| [backup\_bucket\_url](#output\_backup\_bucket\_url) | The bucket where backups from velero will be stored | +| [cert\_manager\_iam\_role](#output\_cert\_manager\_iam\_role) | The IAM Role that the Cert 
Manager pod will assume to authenticate | +| [cluster\_asm\_iam\_role](#output\_cluster\_asm\_iam\_role) | The IAM Role that the External Secrets pod will assume to authenticate (Secrets Manager) | +| [cluster\_autoscaler\_iam\_role](#output\_cluster\_autoscaler\_iam\_role) | The IAM Role that the Jenkins X UI pod will assume to authenticate | +| [cluster\_name](#output\_cluster\_name) | The name of the created cluster | +| [cluster\_oidc\_issuer\_url](#output\_cluster\_oidc\_issuer\_url) | The Cluster OIDC Issuer URL | +| [cluster\_ssm\_iam\_role](#output\_cluster\_ssm\_iam\_role) | The IAM Role that the External Secrets pod will assume to authenticate (Parameter Store) | +| [cm\_cainjector\_iam\_role](#output\_cm\_cainjector\_iam\_role) | The IAM Role that the CM CA Injector pod will assume to authenticate | +| [connect](#output\_connect) | "The cluster connection string to use once Terraform apply finishes,
this command is already executed as part of the apply, you may have to provide the region and
profile as environment variables " | +| [controllerbuild\_iam\_role](#output\_controllerbuild\_iam\_role) | The IAM Role that the ControllerBuild pod will assume to authenticate | +| [eks\_module](#output\_eks\_module) | The output of the terraform-aws-modules/eks/aws module for use in terraform | +| [external\_dns\_iam\_role](#output\_external\_dns\_iam\_role) | The IAM Role that the External DNS pod will assume to authenticate | +| [jx\_requirements](#output\_jx\_requirements) | The jx-requirements rendered output | +| [lts\_logs\_bucket](#output\_lts\_logs\_bucket) | The bucket where logs from builds will be stored | +| [lts\_reports\_bucket](#output\_lts\_reports\_bucket) | The bucket where test reports will be stored | +| [lts\_repository\_bucket](#output\_lts\_repository\_bucket) | The bucket that will serve as artifacts repository | +| [pipeline\_viz\_iam\_role](#output\_pipeline\_viz\_iam\_role) | The IAM Role that the pipeline visualizer pod will assume to authenticate | +| [subdomain\_nameservers](#output\_subdomain\_nameservers) | ---------------------------------------------------------------------------- DNS ---------------------------------------------------------------------------- | +| [tekton\_bot\_iam\_role](#output\_tekton\_bot\_iam\_role) | The IAM Role that the build pods will assume to authenticate | +| [vault\_dynamodb\_table](#output\_vault\_dynamodb\_table) | The Vault DynamoDB table | +| [vault\_kms\_unseal](#output\_vault\_kms\_unseal) | The Vault KMS Key for encryption | +| [vault\_unseal\_bucket](#output\_vault\_unseal\_bucket) | The Vault storage bucket | +| [vault\_user\_id](#output\_vault\_user\_id) | The Vault IAM user id | +| [vault\_user\_secret](#output\_vault\_user\_secret) | The Vault IAM user secret | +| [vpc\_id](#output\_vpc\_id) | The ID of the VPC | ## FAQ: Frequently Asked Questions diff --git a/main.tf b/main.tf index 83ba2de..f796f92 100644 --- a/main.tf +++ b/main.tf 
@@ -102,6 +102,7 @@ module "cluster" { enable_reports_storage = var.enable_reports_storage enable_repository_storage = var.enable_repository_storage boot_secrets = var.boot_secrets + use_asm = var.use_asm } // ---------------------------------------------------------------------------- diff --git a/modules/cluster/charts.tf b/modules/cluster/charts.tf index 40868ac..b6c147d 100644 --- a/modules/cluster/charts.tf +++ b/modules/cluster/charts.tf @@ -25,6 +25,12 @@ resource "helm_release" "jx-git-operator" { name = "username" value = var.jx_bot_username } + + set { + name = "bootServiceAccount.annotations.eks\\.amazonaws\\.com/role-arn" + value = local.boot_iam_role + } + set_sensitive { name = "password" value = var.jx_bot_token diff --git a/modules/cluster/irsa.tf b/modules/cluster/irsa.tf index 8d23cb4..896d027 100644 --- a/modules/cluster/irsa.tf +++ b/modules/cluster/irsa.tf @@ -396,9 +396,7 @@ data "aws_iam_policy_document" "secrets-manager-policy" { "secretsmanager:UpdateSecret", ] resources = [ - "arn:${data.aws_partition.current.partition}:secretsmanager:${var.region}:${local.project}:secret:secret/data/lighthouse/*", - "arn:${data.aws_partition.current.partition}:secretsmanager:${var.region}:${local.project}:secret:secret/data/jx/*", - "arn:${data.aws_partition.current.partition}:secretsmanager:${var.region}:${local.project}:secret:secret/data/nexus/*" + "arn:${data.aws_partition.current.partition}:secretsmanager:${var.region}:${local.project}:secret:*" ] } statement { 
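Review bot: Only `use_asm` is forwarded to `module "cluster"` here; the root-level `asm_role` variable this commit declares in variables.tf is never passed through, so inside the module `var.asm_role` keeps its default `""` and a user-supplied role ARN never reaches `local.boot_iam_role` — unless it is wired in a part of main.tf this diff does not show. Add `asm_role = var.asm_role` beside the new `use_asm` line. The README paragraph on ASM should also state that `asm_role` must be set whenever `use_asm = true` and `create_asm_role = false`, since nothing currently enforces it.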
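Review bot: The `eks.amazonaws.com/role-arn` annotation on the boot service account is rendered unconditionally, and `local.boot_iam_role` evaluates to `""` whenever `use_asm` is false (or is true but no role was created or supplied), so every non-ASM install ships an empty IRSA annotation. Whether the pod identity webhook treats an empty value as absent is not visible here; rendering nothing in that case is the safe choice. Replace the new `set` with a `dynamic "set"` that is emitted only when a role ARN exists. The enclosing `resource "helm_release" "jx-git-operator"` starts and ends outside this hunk.
```hcl
  dynamic "set" {
    for_each = local.boot_iam_role != "" ? [1] : []
    content {
      name  = "bootServiceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
      value = local.boot_iam_role
    }
  }
  // … unchanged: set_sensitive "password" …
```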
@@ -424,7 +422,7 @@ module "iam_assumable_role_secrets-secrets-manager" { role_name = "${local.cluster_trunc}-external-secrets-secrets-manager" provider_url = local.oidc_provider_url role_policy_arns = [var.create_asm_role ? aws_iam_policy.secrets-manager[0].arn : ""] - oidc_fully_qualified_subjects = ["system:serviceaccount:${local.secret-infra-namespace}:kubernetes-external-secrets"] + oidc_fully_qualified_subjects = ["system:serviceaccount:${local.secret-infra-namespace}:kubernetes-external-secrets", "system:serviceaccount:${local.git-operator-namespace}:jx-boot-job"] } // ---------------------------------------------------------------------------- // External Secrets - Parameter Store diff --git a/modules/cluster/local.tf b/modules/cluster/local.tf index 10a5e5b..6c6e87a 100644 --- a/modules/cluster/local.tf +++ b/modules/cluster/local.tf @@ -13,7 +13,9 @@ locals { cluster_trunc = substr(var.cluster_name, 0, 35) cert-manager-namespace = "cert-manager" secret-infra-namespace = "secret-infra" + git-operator-namespace = "jx-git-operator" project = data.aws_caller_identity.current.account_id + boot_iam_role = var.use_asm ? (var.create_asm_role ? module.iam_assumable_role_secrets-secrets-manager.this_iam_role_arn : var.asm_role) : "" node_group_defaults = { ami_type = var.node_group_ami diff --git a/modules/cluster/variables.tf b/modules/cluster/variables.tf index ffeb239..53c4839 100644 --- a/modules/cluster/variables.tf +++ b/modules/cluster/variables.tf @@ -429,3 +429,15 @@ variable "boot_secrets" { })) default = [] } + +variable "use_asm" { + description = "Flag to specify if AWS Secrets manager is being used" + type = bool + default = false +} + +variable "asm_role" { + description = "Specify arn of the ASM role (custom not created by the module)" + type = string + default = "" +} diff --git a/variables.tf b/variables.tf index 4630990..e359196 100644 --- a/variables.tf +++ b/variables.tf 
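Review bot: The Secrets Manager policy statement now applies its actions (at least `secretsmanager:UpdateSecret`; the rest of the action list is above this hunk) to `secret:*`, i.e. every secret in the account and region, where it was previously confined to three `secret/data/...` prefixes. Because this same role is also made assumable by the boot job in the next hunk, anything that can run as `kubernetes-external-secrets` or `jx-boot-job` can read or overwrite secrets that have nothing to do with Jenkins X. If the boot job genuinely needs paths outside `lighthouse`, `jx` and `nexus`, scope the resource to the shared tree instead, e.g. `"arn:${data.aws_partition.current.partition}:secretsmanager:${var.region}:${local.project}:secret:secret/data/*"`, or expose the prefix list as a variable with that default and record the trade-off in the README. The `data "aws_iam_policy_document" "secrets-manager-policy"` block starts and ends outside this hunk.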
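Review bot: Adding `jx-boot-job` as a second trusted subject makes one IAM role serve both the external-secrets reader and the boot job writer, so the reader inherits `UpdateSecret` rights it does not need and the writer inherits whatever read scope the reader has. Least privilege would be a separate `iam_assumable_role` for the boot job with its own write-scoped policy, leaving `kubernetes-external-secrets` read-only. The new subject also hard-codes the `jx-git-operator` namespace through `local.git-operator-namespace`; if the `helm_release "jx-git-operator"` in charts.tf is installed into a different namespace (its `namespace` argument is not visible in this diff), the OIDC subject will not match and `AssumeRoleWithWebIdentity` fails at boot with no plan-time warning. Make the helm release consume the same local for its namespace so the two cannot drift.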
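Review bot: `boot_iam_role` silently resolves to `""` when `use_asm` is true, `create_asm_role` is false and `asm_role` is left at its default, which is precisely the misconfiguration a user is most likely to hit; the empty string then flows into the boot service account annotation and the boot job fails at runtime with an opaque AWS credentials error instead of at plan time. Fail early instead: add a `validation` block on `asm_role` requiring a non-empty ARN when it is used (note this needs Terraform 0.13, above the module's declared `>= 0.12.17` floor), or at minimum document the requirement and add `# "" means: no IRSA annotation is rendered for the boot job` next to the final `: ""` branch so the fall-through is visibly intentional.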
@@ -466,6 +466,12 @@ variable "use_asm" { default = false } +variable "asm_role" { + description = "Specify arn of the ASM role (custom not created by the module)" + type = string + default = "" +} + variable "install_kuberhealthy" { description = "Flag to specify if kuberhealthy operator should be installed" type = bool