diff --git a/README.md b/README.md
index af3d848..94811c1 100644
--- a/README.md
+++ b/README.md
@@ -32,9 +32,9 @@ sys 0m2.015s
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 0.13 |
-| [aws](#requirement\_aws) | >= 5.14.0 |
-| [helm](#requirement\_helm) | >= 2.11.0 |
-| [kubernetes](#requirement\_kubernetes) | >= 2.23.0 |
+| [aws](#requirement\_aws) | ~> 5.14 |
+| [helm](#requirement\_helm) | ~> 2.11 |
+| [kubernetes](#requirement\_kubernetes) | ~> 2.23 |
## Providers
diff --git a/eks_console_access.tf b/eks_console_access.tf
index d93964b..403c170 100644
--- a/eks_console_access.tf
+++ b/eks_console_access.tf
@@ -12,26 +12,41 @@
# ```
locals {
+ helm_chart_urls = {
+ full = "https://s3.us-west-2.amazonaws.com/amazon-eks/docs/eks-console-full-access.yaml"
+ restricted = "https://s3.us-west-2.amazonaws.com/amazon-eks/docs/eks-console-restricted-access.yaml"
+ }
+
cluster_roles = [
{
name = "eks-console-full-access"
- url = "https://s3.us-west-2.amazonaws.com/amazon-eks/docs/eks-console-full-access.yaml"
+ url = local.helm_chart_urls.full
enabled = true
},
{
name = "eks-console-restricted-access"
- url = "https://s3.us-west-2.amazonaws.com/amazon-eks/docs/eks-console-restricted-access.yaml"
+ url = local.helm_chart_urls.restricted
enabled = true
- },
+ }
]
cluster_roles_map = { for cr in local.cluster_roles : cr.name => cr if cr.enabled }
}
resource "helm_release" "console_access" {
- for_each = local.cluster_roles_map
- chart = each.key
+ for_each = local.cluster_roles_map
+
name = each.key
+ chart = each.key
namespace = "default"
version = var.release_version
repository = "./"
+
+ timeout = 300
+ wait = true
+
+ lifecycle {
+ ignore_changes = [
+ version,
+ ]
+ }
}
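Review bot: The new `lifecycle { ignore_changes = [version] }` at the end of `helm_release.console_access` means `var.release_version` is honored only on the first apply; any later change to the variable produces no plan diff, so updates to the releases that carry the console-access RBAC manifests are silently never rolled out. If that is intended, say so right above the block with `# version is applied at create time only; upgrades are handled outside Terraform`, otherwise drop the block so the variable keeps driving upgrades. Separately, `helm_chart_urls` is a misleading name for what are raw YAML manifest URLs; `console_access_manifest_urls` would match the values. Within this hunk the resource reads only `each.key`, so whether anything consumes the `url` attribute kept in `cluster_roles_map` is not visible here.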
diff --git a/main.tf b/main.tf
index dfa9dc5..cf838c3 100644
--- a/main.tf
+++ b/main.tf
@@ -5,7 +5,6 @@ locals {
"boc:created_by" = "terraform"
CostAllocation = var.tag_costallocation
}
-
tags = merge(local.base_tags, var.tags)
}
@@ -24,8 +23,12 @@ resource "kubernetes_storage_class" "gp3_encrypted" {
}
storage_provisioner = "ebs.csi.aws.com"
reclaim_policy = "Delete"
- volume_binding_mode = "Immediate"
+ volume_binding_mode = "WaitForFirstConsumer" # Changed from Immediate for better scheduling
allow_volume_expansion = "true"
+
+ # lifecycle {
+ # prevent_destroy = true # Protect storage class from accidental deletion
+ # }
}
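Review bot: The commented-out `lifecycle { prevent_destroy = true }` block added at the end of `kubernetes_storage_class.gp3_encrypted` gives no protection while commented out yet reads like a safeguard; either enable it or remove it rather than leave dead configuration behind. The inline comment on `volume_binding_mode` records history rather than intent; `# WaitForFirstConsumer: the EBS volume is created in the AZ where the consuming pod is scheduled` is what a later reader needs. The resource's opening lines lie outside this hunk.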
resource "kubernetes_storage_class" "ebs_encrypted" {
@@ -48,7 +51,6 @@ resource "kubernetes_storage_class" "ebs_encrypted" {
}
module "efs" {
- # tflint-ignore: terraform_module_version
# tflint-ignore: terraform_module_pinned_source
source = "git@github.e.it.census.gov:terraform-modules/aws-efs.git?ref=master"
@@ -57,9 +59,16 @@ module "efs" {
subnet_ids = var.subnets
security_groups = [var.security_group_all_worker_mgmt_id]
+ lifecycle_policy = {
+ transition_to_ia = "AFTER_30_DAYS"
+ }
+
tags = merge(
local.tags,
- tomap({ "efs.csi.aws.com/cluster" = "true" }),
+ {
+ "efs.csi.aws.com/cluster" = "true"
+ "kubernetes.io/cluster" = var.cluster_name
+ }
)
}
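Review bot: The new tag key `"kubernetes.io/cluster"` with `var.cluster_name` as its value does not follow the cluster-ownership tag convention that AWS Kubernetes integrations look up, which is the key `kubernetes.io/cluster/<cluster-name>` with value `owned` or `shared`; if that lookup is the intent, write it as `"kubernetes.io/cluster/${var.cluster_name}" = "owned"`, and if it is informational only, a short comment saying so would stop the next reader from "fixing" it. `lifecycle_policy` is passed into a module whose variables are not visible here, so I cannot confirm it accepts a map with `transition_to_ia`; since the module source on the context line above is `ref=master`, that interface can change underneath this call. The `module "efs"` block starts before this hunk.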
diff --git a/requirements.tf b/requirements.tf
index ae62e15..93e8cbd 100644
--- a/requirements.tf
+++ b/requirements.tf
@@ -4,15 +4,15 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.14.0"
+ version = "~> 5.14"
}
helm = {
source = "hashicorp/helm"
- version = ">= 2.11.0"
+ version = "~> 2.11"
}
kubernetes = {
source = "hashicorp/kubernetes"
- version = ">= 2.23.0"
+ version = "~> 2.23"
}
}
}
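Review bot: The new `~> 5.14`, `~> 2.11` and `~> 2.23` constraints still admit every later minor release of each provider, so the constraint alone does not make runs reproducible; that depends on a committed `.terraform.lock.hcl`, which this diff does not show. If the lock file is not tracked, add it, and a comment on the `aws` entry such as `# ~> pins the major version; exact versions are held in .terraform.lock.hcl` would make the intent of the constraint clear.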