aws-samples · athavr · Oct 16, 2025 · Oct 16, 2025 · Oct 27, 2025 · Oct 28, 2025
diff --git a/manifests/modules/automation/controlplanes/kro/.workshop/cleanup.sh b/manifests/modules/automation/controlplanes/kro/.workshop/cleanup.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+logmessage "Deleting resources created by kro..."
+
+kubectl delete webapplicationdynamodbs.kro.run/carts -n carts --ignore-not-found
+
+kubectl delete rgd/web-application-ddb --ignore-not-found
+
+kubectl delete rgd/web-application --ignore-not-found
+
+kubectl delete crd/webapplicationdynamodbs.kro.run --ignore-not-found
+
+kubectl delete crd/webapplications.kro.run --ignore-not-found
+
+uninstall-helm-chart kro kro-system
+
+set -e
+
+POD_ASSOCIATION_ID=$(aws eks list-pod-identity-associations --region $AWS_REGION --cluster-name $EKS_CLUSTER_NAME --service-account carts --namespace carts --output text --query 'associations[0].associationId')
+
+if [ "$POD_ASSOCIATION_ID" != "None" ]; then
+  logmessage "Deleting EKS Pod Identity Association..."
+
+  aws eks delete-pod-identity-association --region $AWS_REGION --association-id $POD_ASSOCIATION_ID --cluster-name $EKS_CLUSTER_NAME
+
+fi
+
+check=$(aws eks list-addons --cluster-name $EKS_CLUSTER_NAME --region $AWS_REGION --query "addons[? @ == 'eks-pod-identity-agent']" --output text)
+
+if [ ! -z "$check" ]; then
+  logmessage "Deleting EKS Pod Identity Agent addon..."
+
+  aws eks delete-addon --cluster-name $EKS_CLUSTER_NAME --addon-name eks-pod-identity-agent --region $AWS_REGION
+
+  aws eks wait addon-deleted --cluster-name $EKS_CLUSTER_NAME --addon-name eks-pod-identity-agent --region $AWS_REGION
+fi
diff --git a/manifests/modules/automation/controlplanes/kro/.workshop/manifests/kustomization.yaml b/manifests/modules/automation/controlplanes/kro/.workshop/manifests/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - nlb.yaml
diff --git a/manifests/modules/automation/controlplanes/kro/.workshop/manifests/nlb.yaml b/manifests/modules/automation/controlplanes/kro/.workshop/manifests/nlb.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ui-nlb
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-type: external
+    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
+    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
+  namespace: ui
+spec:
+  type: LoadBalancer
+  ports:
+    - port: 80
+      targetPort: 8080
+      name: http
+  selector:
+    app.kubernetes.io/name: ui
+    app.kubernetes.io/instance: ui
+    app.kubernetes.io/component: service
diff --git a/manifests/modules/automation/controlplanes/kro/.workshop/terraform/main.tf b/manifests/modules/automation/controlplanes/kro/.workshop/terraform/main.tf
@@ -0,0 +1,103 @@
+terraform {
+  required_providers {
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = ">= 1.14"
+    }
+  }
+}
+
+provider "aws" {
+  region = "us-east-1"
+  alias  = "virginia"
+}
+
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
+data "aws_ecrpublic_authorization_token" "token" {
+  provider = aws.virginia
+}
+
+
+module "eks_blueprints_addons" {
+  source  = "aws-ia/eks-blueprints-addons/aws"
+  version = "1.22.0"
+
+  enable_aws_load_balancer_controller = true
+  aws_load_balancer_controller = {
+    wait        = true
+    role_name   = "${var.addon_context.eks_cluster_id}-alb-controller"
+    policy_name = "${var.addon_context.eks_cluster_id}-alb-controller"
+  }
+
+  cluster_name      = var.addon_context.eks_cluster_id
+  cluster_endpoint  = var.addon_context.aws_eks_cluster_endpoint
+  cluster_version   = var.eks_cluster_version
+  oidc_provider_arn = var.addon_context.eks_oidc_provider_arn
+
+  eks_addons = {
+    eks-pod-identity-agent = {
+      addon_version = "v1.1.0-eksbuild.1"
+    }
+  }
+
+  observability_tag = null
+}
+
+resource "time_sleep" "blueprints_addons_sleep" {
+  depends_on = [
+    module.eks_blueprints_addons
+  ]
+
+  create_duration  = "15s"
+  destroy_duration = "15s"
+}
+
+resource "kubectl_manifest" "nlb" {
+  yaml_body = templatefile("${path.module}/templates/nlb.yaml", {
+
+  })
+
+  wait = true
+
+  depends_on = [time_sleep.blueprints_addons_sleep]
+}
+
+module "eks_ack_addons" {
+  source = "aws-ia/eks-ack-addons/aws"
+
+  # Cluster Info
+  cluster_name      = var.addon_context.eks_cluster_id
+  cluster_endpoint  = var.addon_context.aws_eks_cluster_endpoint
+  oidc_provider_arn = var.addon_context.eks_oidc_provider_arn
+
+  # ECR Credentials
+  ecrpublic_username = data.aws_ecrpublic_authorization_token.token.user_name
+  ecrpublic_token    = data.aws_ecrpublic_authorization_token.token.password
+
+  # Controllers to enable
+  enable_dynamodb               = true
+  enable_iam                    = true
+  enable_eks                    = true
+  dynamodb = {
+    wait        = true
+    role_name   = "${var.addon_context.eks_cluster_id}-ack-dynamo"
+    policy_name = "${var.addon_context.eks_cluster_id}-ack-dynamo"
+  }
+
+  iam = {
+    wait        = true
+    role_name   = "${var.addon_context.eks_cluster_id}-ack-iam"
+    policy_name = "${var.addon_context.eks_cluster_id}-ack-iam"
+  }
+
+  eks = {
+    wait        = true
+    role_name   = "${var.addon_context.eks_cluster_id}-ack-eks"
+    policy_name = "${var.addon_context.eks_cluster_id}-ack-eks"
+  }
+
+  tags = var.tags
+
+}
diff --git a/manifests/modules/automation/controlplanes/kro/.workshop/terraform/outputs.tf b/manifests/modules/automation/controlplanes/kro/.workshop/terraform/outputs.tf
@@ -0,0 +1,8 @@
+output "environment_variables" {
+  description = "Environment variables to be added to the IDE shell"
+  value = {
+    DYNAMO_ACK_VERSION  = var.dynamo_ack_version,
+    KRO_VERSION         = var.kro_version,
+    ACCOUNT_ID          = data.aws_caller_identity.current.account_id
+  }
+}
diff --git a/manifests/modules/automation/controlplanes/kro/.workshop/terraform/templates/nlb.yaml b/manifests/modules/automation/controlplanes/kro/.workshop/terraform/templates/nlb.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ui-nlb
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-type: external
+    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
+    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
+  namespace: ui
+spec:
+  type: LoadBalancer
+  ports:
+    - port: 80
+      targetPort: 8080
+      name: http
+  selector:
+    app.kubernetes.io/name: ui
+    app.kubernetes.io/instance: ui
+    app.kubernetes.io/component: service
diff --git a/manifests/modules/automation/controlplanes/kro/.workshop/terraform/vars.tf b/manifests/modules/automation/controlplanes/kro/.workshop/terraform/vars.tf
@@ -0,0 +1,49 @@
+# tflint-ignore: terraform_unused_declarations
+variable "eks_cluster_id" {
+  description = "EKS cluster name"
+  type        = string
+}
+
+# tflint-ignore: terraform_unused_declarations
+variable "eks_cluster_version" {
+  description = "EKS cluster version"
+  type        = string
+}
+
+# tflint-ignore: terraform_unused_declarations
+variable "cluster_security_group_id" {
+  description = "EKS cluster security group ID"
+  type        = any
+}
+
+# tflint-ignore: terraform_unused_declarations
+variable "addon_context" {
+  description = "Addon context that can be passed directly to blueprints addon modules"
+  type        = any
+}
+
+# tflint-ignore: terraform_unused_declarations
+variable "tags" {
+  description = "Tags to apply to AWS resources"
+  type        = any
+}
+
+# tflint-ignore: terraform_unused_declarations
+variable "resources_precreated" {
+  description = "Have expensive resources been created already"
+  type        = bool
+}
+
+variable "dynamo_ack_version" {
+  description = "The version of Dynamo ACK to use"
+  type        = string
+  # renovate: datasource=github-releases depName=aws-controllers-k8s/dynamodb-controller
+  default = "1.5.2"
+}
+
+variable "kro_version" {
+  description = "The version of Kro to use"
+  type        = string
+  # renovate: datasource=github-releases depName=kro-run/kro
+  default = "0.4.1"
+}
diff --git a/manifests/modules/automation/controlplanes/kro/app/carts-ddb.yaml b/manifests/modules/automation/controlplanes/kro/app/carts-ddb.yaml
@@ -0,0 +1,22 @@
+apiVersion: kro.run/v1alpha1
+kind: WebApplicationDynamoDB
+metadata:
+  name: carts
+  namespace: carts
+spec:
+  # Basic types
+  appName: carts
+  replicas: 1
+  image: "public.ecr.aws/aws-containers/retail-store-sample-cart:1.2.1"
+  port: 8080
+
+  dynamodb:
+    tableName: "eks-workshop-carts-kro"
+
+  env:
+    RETAIL_CART_PERSISTENCE_PROVIDER: "dynamodb"
+    RETAIL_CART_PERSISTENCE_DYNAMODB_TABLE_NAME: "eks-workshop-carts-kro"
+
+  aws:
+    accountID: ${AWS_ACCOUNT_ID}
+    region: ${AWS_REGION}
diff --git a/manifests/modules/automation/controlplanes/kro/app/carts.yaml b/manifests/modules/automation/controlplanes/kro/app/carts.yaml
@@ -0,0 +1,18 @@
+apiVersion: kro.run/v1alpha1
+kind: WebApplication
+metadata:
+  name: carts
+  namespace: carts
+spec:
+  # Basic types
+  appName: carts
+  replicas: 1
+  image: "public.ecr.aws/aws-containers/retail-store-sample-cart:1.2.1"
+  port: 8080
+  env:
+    RETAIL_CART_PERSISTENCE_PROVIDER: "in-memory"
+    RETAIL_CART_PERSISTENCE_DYNAMODB_TABLE_NAME: "Items"
+    RETAIL_CART_PERSISTENCE_DYNAMODB_CREATE_TABLE: "false"
+
+  service:
+    enabled: true
diff --git a/manifests/modules/automation/controlplanes/kro/app/kustomization.yaml b/manifests/modules/automation/controlplanes/kro/app/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- carts-ddb.yaml