From 7f2b283ef5de11f7f893108d3aa83160d44bdf2b Mon Sep 17 00:00:00 2001 
From: Valentin Widmer Date: Tue, 3 Oct 2023 16:43:20 +0700 Subject: [PATCH 1/5] Add pattern for native network policy integration --- patterns/aws-vpc-cni-network-policy/README.md | 46 +++ .../charts/backend/.helmignore | 23 ++ .../charts/backend/Chart.yaml | 5 + .../charts/backend/templates/deploy.yaml | 25 ++ .../charts/backend/templates/ns.yaml | 4 + .../charts/backend/templates/svc.yaml | 11 + .../charts/client/.helmignore | 23 ++ .../demo-application/charts/client/Chart.yaml | 5 + .../charts/client/templates/deploy.yaml | 11 + .../charts/client/templates/ns.yaml | 6 + .../charts/client/templates/svc.yaml | 11 + .../charts/frontend/.helmignore | 23 ++ .../charts/frontend/Chart.yaml | 5 + .../charts/frontend/templates/deploy.yaml | 25 ++ .../charts/frontend/templates/ns.yaml | 4 + .../charts/frontend/templates/svc.yaml | 11 + .../charts/management-ui/.helmignore | 23 ++ .../charts/management-ui/Chart.yaml | 5 + .../management-ui/templates/deploy.yaml | 21 ++ .../charts/management-ui/templates/ns.yaml | 6 + .../charts/management-ui/templates/svc.yaml | 12 + patterns/aws-vpc-cni-network-policy/main.tf | 283 ++++++++++++++++++ .../aws-vpc-cni-network-policy/outputs.tf | 4 + .../aws-vpc-cni-network-policy/variables.tf | 0 .../aws-vpc-cni-network-policy/versions.tf | 18 ++ 25 files changed, 610 insertions(+) create mode 100644 patterns/aws-vpc-cni-network-policy/README.md create mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/.helmignore create mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/Chart.yaml create mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/templates/deploy.yaml create mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/templates/ns.yaml create mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/templates/svc.yaml create mode 100644 
patterns/aws-vpc-cni-network-policy/demo-application/charts/client/.helmignore create mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/client/Chart.yaml create mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/client/templates/deploy.yaml create mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/client/templates/ns.yaml create mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/client/templates/svc.yaml create mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/.helmignore create mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/Chart.yaml create mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/templates/deploy.yaml create mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/templates/ns.yaml create mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/templates/svc.yaml create mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/.helmignore create mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/Chart.yaml create mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/templates/deploy.yaml create mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/templates/ns.yaml create mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/templates/svc.yaml create mode 100644 patterns/aws-vpc-cni-network-policy/main.tf create mode 100644 patterns/aws-vpc-cni-network-policy/outputs.tf create mode 100644 patterns/aws-vpc-cni-network-policy/variables.tf create mode 100644 patterns/aws-vpc-cni-network-policy/versions.tf diff --git a/patterns/aws-vpc-cni-network-policy/README.md b/patterns/aws-vpc-cni-network-policy/README.md new file mode 100644 index 0000000000..efbf362326 --- /dev/null 
+++ b/patterns/aws-vpc-cni-network-policy/README.md @@ -0,0 +1,46 @@ +# Amazon EKS Cluster w/ ArgoCD + +This pattern demonstrates an EKS cluster that uses the native Network Policy support provided by the AWS VPC CNI (v1.14.0 or higher). + +- [Documentation](https://argo-cd.readthedocs.io/en/stable/) +- [EKS Blueprints Add-ons Repo](https://github.com/aws-samples/eks-blueprints-add-ons) +- [EKS Blueprints Workloads Repo](https://github.com/aws-samples/eks-blueprints-workloads) + +## Deploy + +See [here](https://aws-ia.github.io/terraform-aws-eks-blueprints/getting-started/#prerequisites) for the prerequisites and steps to deploy this pattern. + +## Validate + +1. List out the pods running currently: + + ```sh + kubectl get pods -A + ``` + + ```text + NAMESPACE NAME READY STATUS RESTARTS AGE + [...] + client client-xlffc 1/1 Running 0 5m19s + [...] + management-ui management-ui-qrb2g 1/1 Running 0 5m24s + stars backend-sz87q 1/1 Running 0 5m23s + stars frontend-cscnf 1/1 Running 0 5m21s + [...] + ``` + + In your output, you should see pods in the namespaces shown in the following output. The NAMES of your pods and the number of pods in the READY column are different than those in the following output. Don't continue until you see pods with similar names and they all have Running in the STATUS column. + +2. Connect to the management user interface using the EXTERNAL IP of the running service and observe the traffic flow and restrictions based on the Network Policies deployed: + + ```sh + kubectl get service/management-ui -n management-ui + ``` + + Open the browser based on the URL obtained from the previous step to see the connection map. + +## Destroy + +{% + include-markdown "../../docs/_partials/destroy.md" +%} diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/.helmignore b/patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null 
+++ b/patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/Chart.yaml b/patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/Chart.yaml
new file mode 100644
index 0000000000..9bb1dfbeef
--- /dev/null
+++ b/patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+name: backend
+description: A Helm chart to deploy the backend
+type: application
+version: 1.0.0
\ No newline at end of file
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/templates/deploy.yaml b/patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/templates/deploy.yaml
new file mode 100644
index 0000000000..e3c3c1d465
--- /dev/null
+++ b/patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/templates/deploy.yaml
@@ -0,0 +1,25 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: backend
+ namespace: stars
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ role: backend
+ template:
+ metadata:
+ labels:
+ role: backend
+ spec:
+ containers:
+ - name: backend
+ image: calico/star-probe:v0.1.0
+ imagePullPolicy: Always
+ command:
+ - probe
+ - --http-port=6379
+ - --urls=http://frontend.stars:80/status,http://backend.stars:6379/status,http://client.client:9000/status
+ ports:
+ - containerPort: 6379
\ No newline at end of file
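Review bot: The backend container spec carries no securityContext and no resources block, so the probe runs with the runtime's default capability set, may escalate privileges, and has no CPU or memory bound; the same gap is in the frontend and management-ui Deployments of this patch and in the client Deployment of patch 2/5, and this note covers those as well. For a pattern that is meant to be copied, a hardened container section is cheap; `runAsNonRoot` is left out below because the image's user is not visible here, and the frontend binds port 80, which needs `NET_BIND_SERVICE` added back (or a non-privileged port) unless the runtime lowers `ip_unprivileged_port_start`. The image is pinned by tag with `imagePullPolicy: Always`, so pinning by digest (`calico/star-probe@sha256:<digest>`) would make every pull reproducible. The request and limit values below are constructed placeholders to be sized for the probe.
```yaml
      containers:
        - name: backend
          # … unchanged: image, imagePullPolicy, command, ports …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          resources:  # constructed placeholder values; size for the probe
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              memory: 128Mi
```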
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/templates/ns.yaml b/patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/templates/ns.yaml
new file mode 100644
index 0000000000..2920a0c838
--- /dev/null
+++ b/patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/templates/ns.yaml
@@ -0,0 +1,4 @@
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: stars
\ No newline at end of file
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/templates/svc.yaml b/patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/templates/svc.yaml
new file mode 100644
index 0000000000..5a579569ad
--- /dev/null
+++ b/patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/templates/svc.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: backend
+ namespace: stars
+spec:
+ ports:
+ - port: 6379
+ targetPort: 6379
+ selector:
+ role: backend
\ No newline at end of file
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/.helmignore b/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/.helmignore
new file mode 100644
index 0000000000..0e8a0eb36f
--- /dev/null
+++ b/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/Chart.yaml b/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/Chart.yaml
new file mode 100644
index 0000000000..f608dbf0c4
--- /dev/null
+++ b/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+name: client
+description: A Helm chart to deploy the client
+type: application
+version: 1.0.0
\ No newline at end of file
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/templates/deploy.yaml b/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/templates/deploy.yaml
new file mode 100644
index 0000000000..00c8dca7fe
--- /dev/null
+++ b/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/templates/deploy.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: client
+ namespace: client
+spec:
+ ports:
+ - port: 9000
+ targetPort: 9000
+ selector:
+ role: client
\ No newline at end of file
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/templates/ns.yaml b/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/templates/ns.yaml
new file mode 100644
index 0000000000..2bded998f5
--- /dev/null
+++ b/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/templates/ns.yaml
@@ -0,0 +1,6 @@
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: client
+ labels:
+ role: client
\ No newline at end of file
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/templates/svc.yaml b/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/templates/svc.yaml
new file mode 100644
index 0000000000..cfd20be303
--- /dev/null
+++ b/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/templates/svc.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: client
+ namespace: client
+spec:
+ ports:
+ - port: 9000
+ targetPort: 9000
+ selector:
+ role: client
\ No newline at end of file
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/.helmignore b/patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/.helmignore
new file mode 100644
index 0000000000..0e8a0eb36f
--- /dev/null
+++ b/patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/Chart.yaml b/patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/Chart.yaml
new file mode 100644
index 0000000000..2fa4184aec
--- /dev/null
+++ b/patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+name: frontend
+description: A Helm chart to deploy the frontend
+type: application
+version: 1.0.0
\ No newline at end of file
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/templates/deploy.yaml b/patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/templates/deploy.yaml
new file mode 100644
index 0000000000..c1b0762c32
--- /dev/null
+++ b/patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/templates/deploy.yaml
@@ -0,0 +1,25 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: frontend
+ namespace: stars
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ role: frontend
+ template:
+ metadata:
+ labels:
+ role: frontend
+ spec:
+ containers:
+ - name: frontend
+ image: calico/star-probe:v0.1.0
+ imagePullPolicy: Always
+ command:
+ - probe
+ - --http-port=80
+ - --urls=http://frontend.stars:80/status,http://backend.stars:6379/status,http://client.client:9000/status
+ ports:
+ - containerPort: 80
\ No newline at end of file
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/templates/ns.yaml b/patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/templates/ns.yaml
new file mode 100644
index 0000000000..2920a0c838
--- /dev/null
+++ b/patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/templates/ns.yaml
@@ -0,0 +1,4 @@
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: stars
\ No newline at end of file
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/templates/svc.yaml b/patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/templates/svc.yaml
new file mode 100644
index 0000000000..08fafd487b
--- /dev/null
+++ b/patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/templates/svc.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: frontend
+ namespace: stars
+spec:
+ ports:
+ - port: 80
+ targetPort: 80
+ selector:
+ role: frontend
\ No newline at end of file
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/.helmignore b/patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/.helmignore
new file mode 100644
index 0000000000..0e8a0eb36f
--- /dev/null
+++ b/patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/Chart.yaml b/patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/Chart.yaml
new file mode 100644
index 0000000000..93253b567b
--- /dev/null
+++ b/patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+name: management-ui
+description: A Helm chart to deploy the management-ui
+type: application
+version: 1.0.0
\ No newline at end of file
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/templates/deploy.yaml b/patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/templates/deploy.yaml
new file mode 100644
index 0000000000..555f338290
--- /dev/null
+++ b/patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/templates/deploy.yaml
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: management-ui
+ namespace: management-ui
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ role: management-ui
+ template:
+ metadata:
+ labels:
+ role: management-ui
+ spec:
+ containers:
+ - name: management-ui
+ image: calico/star-collect:v0.1.0
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 9001
\ No newline at end of file
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/templates/ns.yaml b/patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/templates/ns.yaml
new file mode 100644
index 0000000000..ef0a8ec158
--- /dev/null
+++ b/patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/templates/ns.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: management-ui
+ labels:
+ role: management-ui
\ No newline at end of file
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/templates/svc.yaml b/patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/templates/svc.yaml
new file mode 100644
index 0000000000..09b850d8d2
--- /dev/null
+++ b/patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/templates/svc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: management-ui
+ namespace: management-ui
+spec:
+ type: LoadBalancer
+ ports:
+ - port: 80
+ targetPort: 9001
+ selector:
+ role: management-ui
\ No newline at end of file
diff --git a/patterns/aws-vpc-cni-network-policy/main.tf b/patterns/aws-vpc-cni-network-policy/main.tf
new file mode 100644
index 0000000000..13323fb51e
--- /dev/null
+++ b/patterns/aws-vpc-cni-network-policy/main.tf
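Review bot: `type: LoadBalancer` on the management-ui Service provisions an internet-facing load balancer (the VPC module in this patch tags the public subnets with `kubernetes.io/role/elb`) that serves the demo UI on port 80 to any source address, and the README then directs the user to open its EXTERNAL IP, so the connection map is reachable by anyone who finds the hostname. Restrict it to the operator's address with `loadBalancerSourceRanges: ["<your-ip>/32"]`, or keep it private with the `service.beta.kubernetes.io/aws-load-balancer-internal: "true"` annotation and reach it through a port-forward. Whichever is chosen, a comment on the Service stating that the exposure is intentional for the demo would make it a conscious choice rather than a default that gets copied into other patterns.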
@@ -0,0 +1,283 @@ +provider "aws" { + region = local.region +} + +provider "kubernetes" { + host = module.eks.cluster_endpoint + cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) + + exec { + api_version = "client.authentication.k8s.io/v1beta1" + command = "aws" + # This requires the awscli to be installed locally where Terraform is executed + args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name] + } +} + +provider "helm" { + kubernetes { + host = module.eks.cluster_endpoint + cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) + + exec { + api_version = "client.authentication.k8s.io/v1beta1" + command = "aws" + # This requires the awscli to be installed locally where Terraform is executed + args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name] + } + } +} + +data "aws_availability_zones" "available" {} + +locals { + name = basename(path.cwd) + region = "us-west-2" + + vpc_cidr = "10.0.0.0/16" + azs = slice(data.aws_availability_zones.available.names, 0, 3) + + tags = { + Blueprint = local.name + GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints" + } +} + +################################################################################ +# Cluster +################################################################################ + +module "eks" { + source = "terraform-aws-modules/eks/aws" + version = "~> 19.16" + + cluster_name = local.name + cluster_version = "1.27" # Must be 1.25 or higher + cluster_endpoint_public_access = true + cluster_ip_family = "ipv4" # Must be ipv4 or ipv6 + + # EKS Addons + cluster_addons = { + coredns = {} + kube-proxy = {} + vpc-cni = { + preserve = true + most_recent = true + + timeouts = { + create = "25m" + delete = "10m" + } + + configuration_values = jsonencode({ + enableNetworkPolicy : "true", + }) + } + } + + vpc_id = module.vpc.vpc_id + subnet_ids = module.vpc.private_subnets + + eks_managed_node_groups = { + initial = { 
+ instance_types = ["m5.large"] + + min_size = 3 + max_size = 10 + desired_size = 5 + } + } + + tags = local.tags +} + +################################################################################ +# Supporting Resources +################################################################################ + +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "~> 5.0" + + name = local.name + cidr = local.vpc_cidr + + azs = local.azs + private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)] + public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)] + + enable_nat_gateway = true + single_nat_gateway = true + + public_subnet_tags = { + "kubernetes.io/role/elb" = 1 + } + + private_subnet_tags = { + "kubernetes.io/role/internal-elb" = 1 + } + + tags = local.tags +} + +################################################################################ +# Demo application +################################################################################ + +resource "helm_release" "management_ui" { + name = "management-ui" + chart = "./demo-application/charts/management-ui" + namespace = "management-ui" + create_namespace = true + + depends_on = [module.eks] +} + +resource "helm_release" "backend" { + name = "backend" + chart = "./demo-application/charts/backend" + namespace = "stars" + create_namespace = true + + depends_on = [module.eks] +} + +resource "helm_release" "frontend" { + name = "backend" + chart = "./demo-application/charts/frontend" + namespace = "stars" + create_namespace = true + + depends_on = [module.eks] +} + +resource "helm_release" "client" { + name = "backend" + chart = "./demo-application/charts/client" + namespace = "client" + create_namespace = true + + depends_on = [module.eks] +} + +################################################################################ +# Restrict access using K8S Network Policies +################################################################################ 
+ +resource "kubectl_manifest" "default_deny_stars" { + yaml_body = < Date: Tue, 3 Oct 2023 21:56:34 +0700 Subject: [PATCH 2/5] Fix conflicting namespaces --- .../charts/backend/templates/ns.yaml | 4 -- .../charts/client/templates/deploy.yaml | 27 ++++++++--- .../charts/client/templates/ns.yaml | 6 --- .../charts/frontend/templates/ns.yaml | 4 -- .../charts/management-ui/templates/ns.yaml | 6 --- patterns/aws-vpc-cni-network-policy/main.tf | 48 +++++++++++++++++-- .../aws-vpc-cni-network-policy/versions.tf | 4 ++ 7 files changed, 67 insertions(+), 32 deletions(-) delete mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/templates/ns.yaml delete mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/client/templates/ns.yaml delete mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/templates/ns.yaml delete mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/templates/ns.yaml diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/templates/ns.yaml b/patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/templates/ns.yaml deleted file mode 100644 index 2920a0c838..0000000000 --- a/patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/templates/ns.yaml +++ /dev/null @@ -1,4 +0,0 @@ -kind: Namespace -apiVersion: v1 -metadata: - name: stars \ No newline at end of file diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/templates/deploy.yaml b/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/templates/deploy.yaml index 00c8dca7fe..8d763dcede 100644 --- a/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/templates/deploy.yaml +++ b/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/templates/deploy.yaml 
@@ -1,11 +1,24 @@ -apiVersion: v1 -kind: Service +apiVersion: apps/v1 +kind: Deployment metadata: - name: client + name: client namespace: client spec: - ports: - - port: 9000 - targetPort: 9000 + replicas: 1 selector: - role: client \ No newline at end of file + matchLabels: + role: client + template: + metadata: + labels: + role: client + spec: + containers: + - name: client + image: calico/star-probe:v0.1.0 + imagePullPolicy: Always + command: + - probe + - --urls=http://frontend.stars:80/status,http://backend.stars:6379/status + ports: + - containerPort: 9000 \ No newline at end of file diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/templates/ns.yaml b/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/templates/ns.yaml deleted file mode 100644 index 2bded998f5..0000000000 --- a/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/templates/ns.yaml +++ /dev/null @@ -1,6 +0,0 @@ -kind: Namespace -apiVersion: v1 -metadata: - name: client - labels: - role: client \ No newline at end of file diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/templates/ns.yaml b/patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/templates/ns.yaml deleted file mode 100644 index 2920a0c838..0000000000 --- a/patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/templates/ns.yaml +++ /dev/null @@ -1,4 +0,0 @@ -kind: Namespace -apiVersion: v1 -metadata: - name: stars \ No newline at end of file diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/templates/ns.yaml b/patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/templates/ns.yaml deleted file mode 100644 index ef0a8ec158..0000000000 --- a/patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/templates/ns.yaml +++ /dev/null 
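Review bot: The client probe is started without `--http-port`, yet the container declares `containerPort: 9000` and the client Service from patch 1/5 targets 9000, while the backend and frontend Deployments pass `--http-port=6379` and `--http-port=80` explicitly. If probe's built-in default is not 9000 the Service will never reach the container, and the UI would show the client as unreachable in a way that looks like a policy effect rather than a configuration gap; passing `- --http-port=9000` as the other two Deployments do removes the dependence on the default. The file also still ends without a trailing newline, as the `\ No newline at end of file` marker shows.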
@@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: management-ui - labels: - role: management-ui \ No newline at end of file diff --git a/patterns/aws-vpc-cni-network-policy/main.tf b/patterns/aws-vpc-cni-network-policy/main.tf index 13323fb51e..28cbb42d12 100644 --- a/patterns/aws-vpc-cni-network-policy/main.tf +++ b/patterns/aws-vpc-cni-network-policy/main.tf @@ -28,6 +28,20 @@ provider "helm" { } } +provider "kubectl" { + apply_retry_count = 5 + host = module.eks.cluster_endpoint + cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) + load_config_file = false + + exec { + api_version = "client.authentication.k8s.io/v1beta1" + command = "aws" + # This requires the awscli to be installed locally where Terraform is executed + args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name] + } +} + data "aws_availability_zones" "available" {} locals { 
@@ -124,13 +138,37 @@ module "vpc" { # Demo application ################################################################################ +resource "kubectl_manifest" "management_ui_namespace" { + yaml_body = < Date: Wed, 4 Oct 2023 15:28:22 +0700 Subject: [PATCH 3/5] Refactor helm_release to addons repository --- patterns/aws-vpc-cni-network-policy/README.md | 17 ++- .../demo-application}/.helmignore | 0 .../charts/demo-application/Chart.yaml | 5 + .../templates/backend-deploy.yaml} | 0 .../templates/backend-svc.yaml} | 0 .../templates/client-deploy.yaml} | 0 .../demo-application/templates/client-ns.yaml | 6 + .../templates/client-svc.yaml} | 0 .../templates/frontend-deploy.yaml} | 0 .../templates/frontend-svc.yaml} | 0 .../templates/management-ui-deploy.yaml} | 0 .../templates/management-ui-ns.yaml | 6 + .../templates/management-ui-svc.yaml} | 0 .../demo-application/templates/stars-ns.yaml | 4 + .../charts/backend/Chart.yaml | 5 - .../charts/client/.helmignore | 23 --- .../demo-application/charts/client/Chart.yaml | 5 - .../charts/frontend/.helmignore | 23 --- .../charts/frontend/Chart.yaml | 5 - .../charts/management-ui/.helmignore | 23 --- .../charts/management-ui/Chart.yaml | 5 - patterns/aws-vpc-cni-network-policy/main.tf | 132 +++++++----------- .../aws-vpc-cni-network-policy/outputs.tf | 2 +- 23 files changed, 80 insertions(+), 181 deletions(-) rename patterns/aws-vpc-cni-network-policy/{demo-application/charts/backend => charts/demo-application}/.helmignore (100%) create mode 100644 patterns/aws-vpc-cni-network-policy/charts/demo-application/Chart.yaml rename patterns/aws-vpc-cni-network-policy/{demo-application/charts/backend/templates/deploy.yaml => charts/demo-application/templates/backend-deploy.yaml} (100%) rename patterns/aws-vpc-cni-network-policy/{demo-application/charts/backend/templates/svc.yaml => charts/demo-application/templates/backend-svc.yaml} (100%) rename 
patterns/aws-vpc-cni-network-policy/{demo-application/charts/client/templates/deploy.yaml => charts/demo-application/templates/client-deploy.yaml} (100%) create mode 100644 patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/client-ns.yaml rename patterns/aws-vpc-cni-network-policy/{demo-application/charts/client/templates/svc.yaml => charts/demo-application/templates/client-svc.yaml} (100%) rename patterns/aws-vpc-cni-network-policy/{demo-application/charts/frontend/templates/deploy.yaml => charts/demo-application/templates/frontend-deploy.yaml} (100%) rename patterns/aws-vpc-cni-network-policy/{demo-application/charts/frontend/templates/svc.yaml => charts/demo-application/templates/frontend-svc.yaml} (100%) rename patterns/aws-vpc-cni-network-policy/{demo-application/charts/management-ui/templates/deploy.yaml => charts/demo-application/templates/management-ui-deploy.yaml} (100%) create mode 100644 patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/management-ui-ns.yaml rename patterns/aws-vpc-cni-network-policy/{demo-application/charts/management-ui/templates/svc.yaml => charts/demo-application/templates/management-ui-svc.yaml} (100%) create mode 100644 patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/stars-ns.yaml delete mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/Chart.yaml delete mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/client/.helmignore delete mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/client/Chart.yaml delete mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/.helmignore delete mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/Chart.yaml delete mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/.helmignore delete mode 100644 patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/Chart.yaml 
diff --git a/patterns/aws-vpc-cni-network-policy/README.md b/patterns/aws-vpc-cni-network-policy/README.md index efbf362326..1a41550939 100644 --- a/patterns/aws-vpc-cni-network-policy/README.md +++ b/patterns/aws-vpc-cni-network-policy/README.md @@ -1,10 +1,15 @@ -# Amazon EKS Cluster w/ ArgoCD +# Amazon EKS Cluster w/ Network Policies -This pattern demonstrates an EKS cluster that uses the native Network Policy support provided by the AWS VPC CNI (v1.14.0 or higher). +This pattern demonstrates an EKS cluster that uses the native Network Policy support provided by the Amazon VPC CNI (1.14.0 or higher). -- [Documentation](https://argo-cd.readthedocs.io/en/stable/) -- [EKS Blueprints Add-ons Repo](https://github.com/aws-samples/eks-blueprints-add-ons) -- [EKS Blueprints Workloads Repo](https://github.com/aws-samples/eks-blueprints-workloads) +- [Documentation](https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy.html) +- [Launch Blog](https://aws.amazon.com/blogs/containers/amazon-vpc-cni-now-supports-kubernetes-network-policies/) + +## Scenario + +This pattern deploys an Amazon EKS Cluster with Network Policies support implemented by the Amazon VPC CNI. Further it deploys a simple demo application (distributed as a Helm Chart) and some sample Network Policies to restrict the traffic between different components of the application. + +For a detailed description of the demo application and the Network Policies, please refer to the Stars demo of network policy section in the official [Documentation](https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy.html). ## Deploy 
@@ -37,7 +42,7 @@ See [here](https://aws-ia.github.io/terraform-aws-eks-blueprints/getting-started kubectl get service/management-ui -n management-ui ``` - Open the browser based on the URL obtained from the previous step to see the connection map. + Open the browser based on the URL obtained from the previous step to see the connection map and restrictions put in place by the Network Policies deployed. ## Destroy diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/.helmignore b/patterns/aws-vpc-cni-network-policy/charts/demo-application/.helmignore similarity index 100% rename from patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/.helmignore rename to patterns/aws-vpc-cni-network-policy/charts/demo-application/.helmignore diff --git a/patterns/aws-vpc-cni-network-policy/charts/demo-application/Chart.yaml b/patterns/aws-vpc-cni-network-policy/charts/demo-application/Chart.yaml new file mode 100644 index 0000000000..7a8d00dd4e --- /dev/null +++ b/patterns/aws-vpc-cni-network-policy/charts/demo-application/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v2 +name: demo-application +description: A Helm chart to deploy the demo-application +type: application +version: 1.0.0 \ No newline at end of file diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/templates/deploy.yaml b/patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/backend-deploy.yaml similarity index 100% rename from patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/templates/deploy.yaml rename to patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/backend-deploy.yaml 
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/templates/svc.yaml b/patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/backend-svc.yaml
similarity index 100%
rename from patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/templates/svc.yaml
rename to patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/backend-svc.yaml
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/templates/deploy.yaml b/patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/client-deploy.yaml
similarity index 100%
rename from patterns/aws-vpc-cni-network-policy/demo-application/charts/client/templates/deploy.yaml
rename to patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/client-deploy.yaml
diff --git a/patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/client-ns.yaml b/patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/client-ns.yaml
new file mode 100644
index 0000000000..91f714e9cb
--- /dev/null
+++ b/patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/client-ns.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: client
+ labels:
+ role: client
\ No newline at end of file
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/templates/svc.yaml b/patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/client-svc.yaml
similarity index 100%
rename from patterns/aws-vpc-cni-network-policy/demo-application/charts/client/templates/svc.yaml
rename to patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/client-svc.yaml
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/templates/deploy.yaml b/patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/frontend-deploy.yaml
similarity index 100%
rename from patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/templates/deploy.yaml
rename to patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/frontend-deploy.yaml
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/templates/svc.yaml b/patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/frontend-svc.yaml
similarity index 100%
rename from patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/templates/svc.yaml
rename to patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/frontend-svc.yaml
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/templates/deploy.yaml b/patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/management-ui-deploy.yaml
similarity index 100%
rename from patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/templates/deploy.yaml
rename to patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/management-ui-deploy.yaml
diff --git a/patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/management-ui-ns.yaml b/patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/management-ui-ns.yaml
new file mode 100644
index 0000000000..ef0a8ec158
--- /dev/null
+++ b/patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/management-ui-ns.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: management-ui
+ labels:
+ role: management-ui
\ No newline at end of file
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/templates/svc.yaml b/patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/management-ui-svc.yaml
similarity index 100%
rename from patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/templates/svc.yaml
rename to patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/management-ui-svc.yaml
diff --git a/patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/stars-ns.yaml b/patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/stars-ns.yaml
new file mode 100644
index 0000000000..de71efa857
--- /dev/null
+++ b/patterns/aws-vpc-cni-network-policy/charts/demo-application/templates/stars-ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: stars
\ No newline at end of file
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/Chart.yaml b/patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/Chart.yaml
deleted file mode 100644
index 9bb1dfbeef..0000000000
--- a/patterns/aws-vpc-cni-network-policy/demo-application/charts/backend/Chart.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v2
-name: backend
-description: A Helm chart to deploy the backend
-type: application
-version: 1.0.0
\ No newline at end of file
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/.helmignore b/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/.helmignore
deleted file mode 100644
index 0e8a0eb36f..0000000000
--- a/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/.helmignore
+++ /dev/null
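Review bot: `stars-ns.yaml` creates its namespace with no labels, while the sibling `client-ns.yaml` and `management-ui-ns.yaml` templates in this same commit both carry a `role: <name>` label; if the network policies in main.tf (not visible in this hunk) select peers with `namespaceSelector.matchLabels.role`, the `stars` namespace is the one that cannot be matched that way. If the asymmetry is deliberate because the policies live in `stars` and only need to select the other two namespaces, a short comment in the template saying so would stop a reader from "fixing" it; otherwise add `labels:` / `role: stars` for consistency. Note also that `name: stars` is hard-coded rather than taken from chart values, which is fine for a demo but pins the chart to fixed namespace names.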
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/Chart.yaml b/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/Chart.yaml
deleted file mode 100644
index f608dbf0c4..0000000000
--- a/patterns/aws-vpc-cni-network-policy/demo-application/charts/client/Chart.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v2
-name: client
-description: A Helm chart to deploy the client
-type: application
-version: 1.0.0
\ No newline at end of file
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/.helmignore b/patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/.helmignore
deleted file mode 100644
index 0e8a0eb36f..0000000000
--- a/patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/Chart.yaml b/patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/Chart.yaml
deleted file mode 100644
index 2fa4184aec..0000000000
--- a/patterns/aws-vpc-cni-network-policy/demo-application/charts/frontend/Chart.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v2
-name: frontend
-description: A Helm chart to deploy the frontend
-type: application
-version: 1.0.0
\ No newline at end of file
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/.helmignore b/patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/.helmignore
deleted file mode 100644
index 0e8a0eb36f..0000000000
--- a/patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/Chart.yaml b/patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/Chart.yaml
deleted file mode 100644
index 93253b567b..0000000000
--- a/patterns/aws-vpc-cni-network-policy/demo-application/charts/management-ui/Chart.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v2
-name: management-ui
-description: A Helm chart to deploy the management-ui
-type: application
-version: 1.0.0
\ No newline at end of file
diff --git a/patterns/aws-vpc-cni-network-policy/main.tf b/patterns/aws-vpc-cni-network-policy/main.tf
index 28cbb42d12..3d7dc2e321 100644
--- a/patterns/aws-vpc-cni-network-policy/main.tf
+++ b/patterns/aws-vpc-cni-network-policy/main.tf
@@ -68,26 +68,6 @@ module "eks" { cluster_name = local.name cluster_version = "1.27" # Must be 1.25 or higher cluster_endpoint_public_access = true - cluster_ip_family = "ipv4" # Must be ipv4 or ipv6 - - # EKS Addons - cluster_addons = { - coredns = {} - kube-proxy = {} - vpc-cni = { - preserve = true - most_recent = true - - timeouts = { - create = "25m" - delete = "10m" - } - - configuration_values = jsonencode({ - enableNetworkPolicy : "true", - }) - } - } vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.private_subnets @@ -135,73 +115,55 @@ module "vpc" { } ################################################################################ -# Demo application +# EKS Addons (demo application) ################################################################################ -resource "kubectl_manifest" "management_ui_namespace" { - yaml_body = < Date: Mon, 9 Oct 2023 15:14:56 +0700 Subject: [PATCH 4/5] Migrate network policies from kubectl to kubernetes provider --- patterns/aws-vpc-cni-network-policy/main.tf | 224 +++++++++--------- .../aws-vpc-cni-network-policy/versions.tf | 4 - 2 files changed, 115 insertions(+), 113 deletions(-) diff --git a/patterns/aws-vpc-cni-network-policy/main.tf b/patterns/aws-vpc-cni-network-policy/main.tf index 3d7dc2e321..2f1d6d3966 100644 --- a/patterns/aws-vpc-cni-network-policy/main.tf +++ b/patterns/aws-vpc-cni-network-policy/main.tf @@ -28,20 +28,6 @@ provider "helm" { } } -provider "kubectl" { - apply_retry_count = 5 - host = module.eks.cluster_endpoint - cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) - load_config_file = false - - exec { - api_version = "client.authentication.k8s.io/v1beta1" - command = "aws" - # This requires the awscli to be installed locally where Terraform is executed - args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name] - } -} - data "aws_availability_zones" "available" {} locals { 
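Review bot: Dropping the `vpc-cni` add-on entry with `enableNetworkPolicy : "true"` from `cluster_addons` leaves nothing in this hunk that turns on policy enforcement in the CNI, and the API server accepts NetworkPolicy objects whether or not any agent enforces them, so if the flag is not re-applied elsewhere the demo's policies become silent no-ops and every pod stays reachable. The next hunk's heading ("EKS Addons (demo application)") and the later `depends_on = [module.addons]` suggest the add-on moved into `module.addons`, but that part of the diff is not visible here, so please confirm `configuration_values = jsonencode({ enableNetworkPolicy : "true" })` survives the move together with `most_recent = true` or an explicit version pin, since the README in this same series requires VPC CNI 1.14.0 or higher. A one-line comment where the add-on now lives, e.g. `# Policy enforcement is done by the VPC CNI add-on; without enableNetworkPolicy the NetworkPolicy resources below are inert`, would keep the next maintainer from removing it again. The `module "eks"` block continues outside the hunk.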
@@ -164,120 +150,140 @@ module "addons" { ################################################################################ # Block all ingress and egress traffic within the stars namespace -resource "kubectl_manifest" "default_deny_stars" { - yaml_body = < Date: Tue, 10 Oct 2023 13:34:02 +0700 Subject: [PATCH 5/5] Add docs and run pre-commit scripts --- docs/patterns/aws-vpc-cni-network-policy.md | 7 +++++++ patterns/aws-vpc-cni-network-policy/main.tf | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 docs/patterns/aws-vpc-cni-network-policy.md diff --git a/docs/patterns/aws-vpc-cni-network-policy.md b/docs/patterns/aws-vpc-cni-network-policy.md new file mode 100644 index 0000000000..4ea881ace2 --- /dev/null +++ b/docs/patterns/aws-vpc-cni-network-policy.md @@ -0,0 +1,7 @@ +--- +title: AWS VPC CNI Network Policy +--- + +{% + include-markdown "../../patterns/aws-vpc-cni-network-policy/README.md" +%} diff --git a/patterns/aws-vpc-cni-network-policy/main.tf b/patterns/aws-vpc-cni-network-policy/main.tf index 2f1d6d3966..204407c62f 100644 --- a/patterns/aws-vpc-cni-network-policy/main.tf +++ b/patterns/aws-vpc-cni-network-policy/main.tf @@ -286,4 +286,4 @@ resource "kubernetes_network_policy_v1" "allow_client_to_backend" { } } depends_on = [module.addons] -} \ No newline at end of file +}