From f01a7281ac0a3e0dbb352a077738b3816f287240 Mon Sep 17 00:00:00 2001
From: Anthony Zawacki
Date: Fri, 1 Sep 2023 15:51:05 -0400
Subject: [PATCH] initial commit

---
 .gitignore | 38 +++++++++++++++++
 README.md | 1 +
 main.tf | 111 ++++++++++++++++++++++++++++++++++++++++++++++++
 outputs.tf | 27 ++++++++++++
 requirements.tf | 14 ++++++
 variables.tf | 33 ++++++++++++++
 version.tf | 4 ++
 7 files changed, 228 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 README.md
 create mode 100644 main.tf
 create mode 100644 outputs.tf
 create mode 100644 requirements.tf
 create mode 100644 variables.tf
 create mode 100644 version.tf

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..7c1cae9
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,38 @@
+# Local .terraform directories
+**/.terraform/*
+
+# terraform lock file.
+**/.terraform.lock.hcl
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data,
+# such as password, private keys, and other secrets. These should not be
+# part of version control as they are data points which are potentially
+# sensitive and subject to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources
+# locally and so are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..255b3a7
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+# tfmod-eks-storage-classes
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..39b20a2
--- /dev/null
+++ b/main.tf
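Review bot: The `**/.terraform.lock.hcl` entry discards the dependency lock file, which is the only artefact that records the exact provider versions and checksums used on a given run; with the open-ended `>=` provider constraints added in requirements.tf in this same patch, each `terraform init` is then free to fetch a different, unverified provider build. HashiCorp's guidance is to commit `.terraform.lock.hcl`, at least for any root module that is applied from this repository. I would remove the two lines `# terraform lock file.` and `**/.terraform.lock.hcl`, or, if this is strictly a child module that is never initialised on its own, replace the comment with one stating that explicitly so the omission reads as intentional.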
@@ -0,0 +1,111 @@
+data "aws_vpc" "eks_vpc" {
+ filter {
+ name = "tag:Name"
+ values = [var.vpc_name]
+ }
+}
+
+data "aws_subnets" "subnets" {
+ filter {
+ name = "tag:Name"
+ values = [var.subnets_name]
+ }
+ filter {
+ name = "vpc-id"
+ values = [data.aws_vpc.eks_vpc.id]
+ }
+}
+
+data "aws_subnet" "subnets" {
+ for_each = toset(data.aws_subnets.subnets.ids)
+ id = each.key
+}
+
+data "aws_ebs_default_kms_key" "current" {}
+
+data "aws_kms_key" "ebs_key" {
+ key_id = data.aws_ebs_default_kms_key.current.key_arn
+}
+
+locals {
+ vpc_id = data.aws_vpc.eks_vpc.id
+ vpc_cidr_block = data.aws_vpc.eks_vpc.cidr_block
+ subnets = [for k, v in data.aws_subnet.subnets : v.id if length(regexall("us-east-1e", v.availability_zone)) == 0]
+
+ base_tags = {
+ "eks-cluster-name" = var.cluster_name
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ CostAllocation = var.tag_costallocation
+ }
+}
+
+resource "kubernetes_storage_class" "gp3_encrypted" {
+ metadata {
+ name = "gp3-encrypted"
+ annotations = {
+ "storageclass.kubernetes.io/is-default-class" = "true"
+ }
+ }
+ parameters = {
+ fsType = "ext4"
+ type = "gp3"
+ encrypted = "true"
+ # kms_key_id = data.aws_kms_key.ebs_key.arn
+ kmsKeyId = data.aws_kms_key.ebs_key.arn
+ }
+ storage_provisioner = "ebs.csi.aws.com"
+ reclaim_policy = "Delete"
+ volume_binding_mode = "Immediate"
+ allow_volume_expansion = "true"
+}
+
+resource "kubernetes_storage_class" "ebs_encrypted" {
+ metadata {
+ name = "gp2-encrypted"
+ annotations = {
+ "storageclass.kubernetes.io/is-default-class" = "false"
+ }
+ }
+ parameters = {
+ fsType = "ext4"
+ type = "gp2"
+ encrypted = "true"
+ # kms_key_id = data.aws_kms_key.ebs_key.arn
+ kmsKeyId = data.aws_kms_key.ebs_key.arn
+ }
+ storage_provisioner = "kubernetes.io/aws-ebs"
+ reclaim_policy = "Delete"
+ volume_binding_mode = "Immediate"
+ allow_volume_expansion = "true"
+}
+
+module "efs" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-efs.git"
+
+ name = var.cluster_name
+ vpc_id = local.vpc_id
+ subnet_ids = local.subnets
+ security_groups = [var.security_group_all_worker_mgmt_id]
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ tomap({ "efs.csi.aws.com/cluster" = "true" }),
+ )
+}
+
+resource "kubernetes_storage_class" "efs-sc" {
+ depends_on = [module.efs]
+
+ metadata {
+ name = "efs"
+ }
+ storage_provisioner = "efs.csi.aws.com"
+ parameters = {
+ provisioningMode = "efs-ap"
+ fileSystemId = module.efs.id
+ directoryPerms = "700"
+ }
+ mount_options = ["tls"]
+}
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..5e56618
--- /dev/null
+++ b/outputs.tf
@@ -0,0 +1,27 @@
+################################################################################
+# Module information
+################################################################################
+
+output "module_name" {
+ description = "The name of this module."
+ value = local._module_name
+}
+
+output "module_version" {
+ description = "The version of this module."
+ value = local._module_version
+}
+
+################################################################################
+# Storage classes
+################################################################################
+
+output "rwo_storage_class" {
+ description = "Kubernetes storage class that supports read/write once."
+ value = kubernetes_storage_class.gp3_encrypted.metadata[0].name
+}
+
+output "rwx_storage_class" {
+ description = "Kubernetes storage class that supports read/write many."
+ value = kubernetes_storage_class.efs-sc.metadata[0].name
+}
diff --git a/requirements.tf b/requirements.tf
new file mode 100644
index 0000000..677f4fd
--- /dev/null
+++ b/requirements.tf
@@ -0,0 +1,14 @@
+terraform {
+ required_version = ">= 0.13"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.14.0"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.23.0"
+ }
+ }
+}
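Review bot: The `module "efs"` source `git@github.e.it.census.gov:terraform-modules/aws-efs.git` carries no `?ref=` selector, so every `terraform init` fetches the default branch head of that repository and any push there silently changes the EFS file system this module creates; the dependency lock file does not cover module sources, so nothing else pins it. Pin to a tag or commit that repo actually publishes, e.g. `source = "git@github.e.it.census.gov:terraform-modules/aws-efs.git?ref=v1.2.3"`. Two smaller points in the same hunk: `storage_provisioner = "kubernetes.io/aws-ebs"` on `gp2-encrypted` is the in-tree provisioner, which recent Kubernetes releases have removed, so confirm the target EKS version still serves it or provision gp2 through `ebs.csi.aws.com` as well; and `kmsKeyId` resolves to the account's default EBS key, which is presumably the AWS-managed `aws/ebs` key, whose policy cannot be tightened and whose volumes cannot be shared cross-account, so a comment stating that this is intended (or a variable for a customer-managed key ARN) would help. The two commented-out `# kms_key_id = data.aws_kms_key.ebs_key.arn` lines are dead and should be dropped.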
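Review bot: Both provider constraints in requirements.tf are open-ended (`version = ">= 5.14.0"` and `version = ">= 2.23.0"`), so a future major release of either provider is accepted automatically, and because the lock file is gitignored in this same patch the repository records nothing about which provider build was actually used. A pessimistic constraint, `version = "~> 5.14"` for aws and `version = "~> 2.23"` for kubernetes, keeps minor and patch updates while excluding breaking majors. `required_version = ">= 0.13"` is also looser than the rest of the tooling assumes (the dependency lock file only exists from 0.14), so a `>= 1.0` floor would better reflect what this module is actually tested with.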
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..d73a8db
--- /dev/null
+++ b/variables.tf
@@ -0,0 +1,33 @@
+variable "cluster_name" {
+ description = "EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev)"
+ type = string
+}
+
+variable "vpc_name" {
+ description = "Define the VPC name that will be used by this cluster"
+ type = string
+}
+
+variable "subnets_name" {
+ description = "Define the name of the subnets to be used by this cluster"
+ type = string
+ default = "*-container-*"
+}
+
+variable "security_group_all_worker_mgmt_id" {
+ description = "The security group representing all of the worker nodes in the cluster."
+ type = string
+}
+
+variable "tag_costallocation" {
+ description = "Tag CostAllocation (default)"
+ type = string
+ default = "csvd:infrastructure"
+}
+
+variable "tags" {
+ description = "AWS Tags to apply to appropriate resources"
+ type = map(string)
+ default = {}
+}
+
diff --git a/version.tf b/version.tf
new file mode 100644
index 0000000..e233d91
--- /dev/null
+++ b/version.tf
@@ -0,0 +1,4 @@
+locals {
+ _module_name = "tfmod-eks-storage-classes"
+ _module_version = "unknown"
+}
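Review bot: `security_group_all_worker_mgmt_id` is accepted without a `validation` block, so an empty string or a non-security-group ID is only rejected by the AWS API during apply, after the EFS module has started creating resources; a plan-time guard with the condition `can(regex("^sg-[0-9a-f]+$", var.security_group_all_worker_mgmt_id))` and an error message naming the variable would catch it early. The `cluster_name` description has a doubled word (`name name`) and `through out` should be `throughout`. The `subnets_name` default `"*-container-*"` is presumably relying on EC2 filter wildcard matching against the subnet `Name` tag, and the description should say so, since a caller passing an exact name will otherwise expect exact matching.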