diff --git a/CHANGELOG.md b/CHANGELOG.md
index d15e3e4..9de84c8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,3 +14,7 @@
### fix
- **main.tf**: add operators ns here
+
+
+
+- change to trigger action
diff --git a/README.md b/README.md
index 791afd8..1997042 100644
--- a/README.md
+++ b/README.md
@@ -32,7 +32,7 @@ sys 0m2.015s
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 0.13 |
-| [aws](#requirement\_aws) | >= 5.14.0 |
+| [aws](#requirement\_aws) | ~> 6.0 |
| [helm](#requirement\_helm) | >= 2.11.0 |
| [kubernetes](#requirement\_kubernetes) | >= 2.23.0 |
| [null](#requirement\_null) | >= 3.2.1 |
@@ -41,9 +41,9 @@ sys 0m2.015s
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 6.0.0 |
-| [helm](#provider\_helm) | 3.0.1 |
-| [kubernetes](#provider\_kubernetes) | 2.37.1 |
+| [aws](#provider\_aws) | 6.8.0 |
+| [helm](#provider\_helm) | 3.0.2 |
+| [kubernetes](#provider\_kubernetes) | 2.38.0 |
| [null](#provider\_null) | 3.2.4 |
## Modules
@@ -51,14 +51,17 @@ sys 0m2.015s
| Name | Source | Version |
|------|--------|---------|
| [efs](#module\_efs) | git::https://github.e.it.census.gov/terraform-modules/aws-efs.git/ | master |
+| [subordinate\_ca](#module\_subordinate\_ca) | git::https://github.e.it.census.gov/terraform-modules/aws-certificates//acmpca-eks-cert-manager | n/a |
## Resources
| Name | Type |
|------|------|
| [helm_release.console_access](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [kubernetes_manifest.cluster_issuer](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
| [kubernetes_namespace.operators](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.telemetry](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_secret.ca_key_pair](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_storage_class.ebs_encrypted](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
| [kubernetes_storage_class.efs_sc](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
| [kubernetes_storage_class.gp3_encrypted](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
@@ -70,12 +73,14 @@ sys 0m2.015s
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
+| [cluster\_mailing\_list](#input\_cluster\_mailing\_list) | The mailing list for cluster notifications | `string` | `"cluster@example.com"` | no |
| [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes |
+| [namespace](#input\_namespace) | The namespace to deploy cert-manager resources into | `string` | `"cert-manager"` | no |
| [operators\_ns](#input\_operators\_ns) | Namespace to create where operators will be installed. | `string` | `"operators"` | no |
+| [profile](#input\_profile) | AWS config profile | `string` | n/a | yes |
| [region](#input\_region) | AWS region | `string` | n/a | yes |
| [security\_group\_all\_worker\_mgmt\_id](#input\_security\_group\_all\_worker\_mgmt\_id) | The security group representing all of the worker nodes in the cluster. | `string` | n/a | yes |
| [subnets](#input\_subnets) | Specify the subnets used by this cluster | `list(string)` | n/a | yes |
-| [tag\_costallocation](#input\_tag\_costallocation) | Tag CostAllocation (default) | `string` | `"csvd:infrastructure"` | no |
| [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
| [telemetry\_ns](#input\_telemetry\_ns) | Namespace to create where telemetry will be installed. | `string` | `"telemetry"` | no |
| [vpc\_id](#input\_vpc\_id) | Specify the VPC id that is used by this cluster | `string` | n/a | yes |
diff --git a/aws_data.tf b/aws-data.tf
similarity index 100%
rename from aws_data.tf
rename to aws-data.tf
diff --git a/cert-mgr-cluster-issuer.tf b/cert-mgr-cluster-issuer.tf
new file mode 100644
index 0000000..cc2729f
--- /dev/null
+++ b/cert-mgr-cluster-issuer.tf
@@ -0,0 +1,36 @@
+# Create a subordinate cert for the cert-manager clusterissuer.
+module "subordinate_ca" {
+ # tflint-ignore: terraform_module_pinned_source
+ source = "git::https://github.e.it.census.gov/terraform-modules/aws-certificates//acmpca-eks-cert-manager"
+
+ cluster_name = var.cluster_name
+ contact_email = var.cluster_mailing_list
+ validity_days = 365
+}
+
+resource "kubernetes_secret" "ca_key_pair" {
+ metadata {
+ name = "ca-key-pair"
+ namespace = var.namespace
+ }
+
+ binary_data = {
+ "tls.key" = module.subordinate_ca.certificate_tls_key
+ "tls.crt" = module.subordinate_ca.certificate_tls_crt
+ }
+}
+
+resource "kubernetes_manifest" "cluster_issuer" {
+ manifest = {
+ "apiVersion" = "cert-manager.io/v1"
+ "kind" = "ClusterIssuer"
+ "metadata" = {
+ "name" = "clusterissuer"
+ }
+ "spec" = {
+ "ca" = {
+ "secretName" = kubernetes_secret.ca_key_pair.metadata[0].name
+ }
+ }
+ }
+}
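Review bot: The subordinate CA signing key flows from a module output into `kubernetes_secret.ca_key_pair`, so it is stored in plaintext in Terraform state as well as in the cluster, and anyone who can `terraform state pull` can mint certificates the whole cluster trusts via this ClusterIssuer. Confirm the state backend is encrypted and tightly scoped, and mark the values as sensitive where the provider allows (wrap the outputs in `sensitive()` or declare them `sensitive = true` in the module) so they are at least not printed in plan output. The module source on line 80 is explicitly unpinned (`# tflint-ignore: terraform_module_pinned_source`) even though it produces the CA material; pin it, e.g. `source = "git::https://github.e.it.census.gov/terraform-modules/aws-certificates//acmpca-eks-cert-manager?ref=<tag-or-sha>"`. Two things to verify that this diff does not show: `binary_data` expects base64-encoded values, so `certificate_tls_key`/`certificate_tls_crt` must already be base64 (otherwise use `data`), and a CA ClusterIssuer only reads its secret from cert-manager's cluster-resource namespace, so `var.namespace` must match where cert-manager is installed.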
diff --git a/dba-clusterrole.tf.off b/dba-clusterrole.tf.off
new file mode 100644
index 0000000..e60e7b5
--- /dev/null
+++ b/dba-clusterrole.tf.off
@@ -0,0 +1,24 @@
+resource "kubernetes_cluster_role" "dba_administrator_cluster_role" {
+ metadata {
+ name = var.dba_administrator_role_name
+ }
+ aggregation_rule {
+ cluster_role_selectors {
+ match_labels = {
+ "rbac.authorization.k8s.io/aggregate-to-admin" = "true"
+ }
+ }
+ }
+
+ rule {
+ api_groups = ["cert-manager.io", "acme.cert-manager.io"]
+ resources = ["certificates", "challenges", "orders", "certificaterequests", "issuers"]
+ verbs = ["get", "list", "watch", "create", "update", "patch"]
+ }
+
+ rule {
+ verbs = ["get", "list", "watch", "create", "update", "patch"]
+ api_groups = ["networking.istio.io", "security.istio.io"]
+ resources = ["virtualservices", "authorizationpolicies", "destinationrules", "peerauthentications", "requestauthentications"]
+ }
+}
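Review bot: The explicit `rule` blocks on lines 131-141 do not survive next to `aggregation_rule`: once a ClusterRole carries an aggregation rule, the API server's aggregation controller owns its `rules` and overwrites them with the union of the selected ClusterRoles, so the cert-manager and Istio grants are dropped and Terraform will show drift on every plan. Either remove the `aggregation_rule` and keep the explicit rules, or move the explicit rules into a second ClusterRole labelled `"rbac.authorization.k8s.io/aggregate-to-admin" = "true"` so aggregation picks them up. Selecting `aggregate-to-admin` also makes this role equivalent to the built-in `admin` role, which is broader than a DBA persona suggests. The file is disabled (`.off`) and references `var.dba_administrator_role_name`, which is commented out in variables.tf, so it will not plan if simply renamed back.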
diff --git a/dba-rolebinding.tf.off b/dba-rolebinding.tf.off
new file mode 100644
index 0000000..1a5fb54
--- /dev/null
+++ b/dba-rolebinding.tf.off
@@ -0,0 +1,40 @@
+locals {
+ dba_managed_namespaces = formatlist("%v-%v", var.cluster_name, var.dba_managed_namespaces)
+ dba_k8s_group_name = format("%v%v-%v", local.prefixes["eks-user"], var.cluster_name, var.dba_k8s_group_name)
+}
+
+resource "kubernetes_namespace" "dba_managed_namespaces" {
+ for_each = toset(local.dba_managed_namespaces)
+ metadata {
+ name = each.key
+ labels = {
+ istio-injection = "enabled"
+ }
+ }
+}
+
+resource "kubernetes_role_binding" "dba_admin_rolebinding" {
+ # for_each = toset(local.dba_managed_namespaces)
+ for_each = kubernetes_namespace.dba_managed_namespaces
+
+ metadata {
+ name = var.dba_admin_rolebinding_name
+ namespace = each.key
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = var.dba_administrator_role_name
+ }
+ subject {
+ kind = "User"
+ name = var.dba_k8s_user_name
+ api_group = "rbac.authorization.k8s.io"
+ }
+ subject {
+ kind = "Group"
+ name = local.dba_k8s_group_name
+ api_group = "rbac.authorization.k8s.io"
+ }
+ # depends_on = [kubernetes_namespace.dba_managed_namespaces]
+}
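Review bot: Each binding grants the DBA subjects an `aggregate-to-admin` ClusterRole in every `dba_managed_namespaces` namespace, i.e. full namespace admin (including creating further RoleBindings), which is wider than the cert-manager/Istio verbs listed on the sibling ClusterRole imply; if the goal is scoped database administration, bind a purpose-built Role instead. The Group subject `local.dba_k8s_group_name` does line up with the (commented-out) aws-auth mapping in main.tf, but the file also depends on `var.dba_managed_namespaces`, `var.dba_k8s_user_name`, `var.dba_k8s_group_name`, `var.dba_admin_rolebinding_name` and `local.prefixes`, and all of those variables are commented out in variables.tf, so re-enabling it needs them restored first. The `depends_on` comment on line 187 is redundant because `for_each = kubernetes_namespace.dba_managed_namespaces` already orders the resources; drop it rather than leave it as dead text.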
diff --git a/dba.iam.tf.off b/dba.iam.tf.off
new file mode 100644
index 0000000..740664e
--- /dev/null
+++ b/dba.iam.tf.off
@@ -0,0 +1,109 @@
+locals {
+ policy_dba_k8s_group_name = replace(local.dba_k8s_group_name, local.prefixes["eks-user"], local.prefixes["eks-policy"])
+ role_dba_k8s_group_name = format("%v%v-%v", local.prefixes["eks"], var.cluster_name, var.dba_k8s_group_name)
+}
+
+module "role_dba_administrator" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git?ref=tf-upgrade"
+
+ role_name = local.role_dba_k8s_group_name
+ role_description = "Role for EKS cluster ${var.cluster_name} for access by ${var.dba_k8s_group_name}"
+ enable_ldap_creation = false
+ assume_policy_document = data.aws_iam_policy_document.dba_administrator_allow_sts.json
+ attached_policies = [aws_iam_policy.dba_administrator.arn]
+
+}
+
+resource "aws_iam_policy" "dba_administrator" {
+ name = local.policy_dba_k8s_group_name
+ path = "/"
+ description = "Policy for EKS ${var.cluster_name} IAM access ${var.dba_k8s_group_name}"
+ policy = data.aws_iam_policy_document.dba_administrator.json
+}
+
+locals {
+ dba_administrator_policy_statements = {
+ ECRRead = {
+ actions = [
+ "ecr:Describe*",
+ "ecr:Get*",
+ "ecr:ListImages",
+ "ecr:BatchGetImage",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:GetDownloadUrlForLayer",
+ ]
+ resources = ["*"]
+ }
+ EKSRead = {
+ actions = [
+ "eks:ListClusters",
+ ]
+ resources = ["*"]
+ }
+ EKSReadMyClusters = {
+ actions = [
+ "eks:DescribeCluster",
+ "eks:AccessKubernetesApi",
+ ]
+ resources = [format(local.common_arn, "eks", format("%v/%v", "cluster", var.cluster_name))]
+ }
+ STSAssumeRole = {
+ actions = ["sts:AssumeRole"]
+ resources = [module.role_dba_administrator.role_arn]
+ }
+ }
+}
+
+data "aws_iam_policy_document" "dba_administrator" {
+ dynamic "statement" {
+ for_each = local.dba_administrator_policy_statements
+ iterator = s
+ content {
+ sid = format("%v%vAccess", lookup(s.value, "effect", "Allow"), s.key)
+ effect = lookup(s.value, "effect", "Allow")
+ actions = lookup(s.value, "actions", [])
+ resources = lookup(s.value, "resources", [])
+ not_resources = lookup(s.value, "not_resources", [])
+ }
+ }
+}
+
+# allow anyone in this account to assume the role, if they have the permission to do so
+data "aws_iam_policy_document" "dba_administrator_allow_sts" {
+ statement {
+ sid = "AllowSTSAssume"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = "AWS"
+ identifiers = [
+ format(local.iam_arn, "root"),
+ ]
+ }
+ }
+}
+
+output "role_dba_administrator_arn" {
+ description = "DBA Adminstrator role ARN"
+ value = module.role_dba_administrator.role_arn
+}
+
+module "group_dba_administrator" {
+ # tflint-ignore: terraform_module_version
+ # tflint-ignore: terraform_module_pinned_source
+ source = "git@github.e.it.census.gov:terraform-modules/aws-iam-group.git"
+
+ group_name = local.role_dba_k8s_group_name
+ attached_policies = [aws_iam_policy.dba_administrator.arn]
+
+}
+
+output "info_dba_administrator" {
+ description = "DBA Adminstrator IAM details"
+ value = {
+ role_name = module.role_dba_administrator.role_name
+ role_arn = module.role_dba_administrator.role_arn
+ group_name = module.group_dba_administrator.group_name
+ group_arn = module.group_dba_administrator.group_arn
+ }
+}
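Review bot: This looks like a reference cycle: `data.aws_iam_policy_document.dba_administrator` embeds `module.role_dba_administrator.role_arn` (line 246), `aws_iam_policy.dba_administrator` consumes that document, and the module in turn attaches `aws_iam_policy.dba_administrator.arn` (line 207), so Terraform should refuse to plan this once the file is enabled. Split the `STSAssumeRole` statement into its own policy attached only to `group_dba_administrator` — the role has no reason to be allowed to assume itself — or derive the ARN from the name, `format(local.iam_arn, "role/${local.role_dba_k8s_group_name}")`, assuming `local.iam_arn` is the `arn:aws:iam::<account>:%s` pattern its use on line 274 suggests. The trust policy on lines 266-278 delegates to the account root, so any principal in the account with `sts:AssumeRole` on this ARN becomes the DBA administrator; if the group is the only intended caller, narrow the trust with a condition (e.g. `aws:PrincipalTag` or an explicit principal list) rather than relying on the account-wide grant.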
diff --git a/deployer-clusterrole.tf.off b/deployer-clusterrole.tf.off
new file mode 100644
index 0000000..7cede6e
--- /dev/null
+++ b/deployer-clusterrole.tf.off
@@ -0,0 +1,67 @@
+resource "kubernetes_cluster_role" "cicd_deployer_istiosystem_cluster_role" {
+ metadata {
+ name = var.deployer_istiosystem_role_name
+ }
+
+ rule {
+ api_groups = ["acme.cert-manager.io"]
+ resources = ["challenges", "orders", "certificaterequests"]
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+ }
+
+ rule {
+ api_groups = ["cert-manager.io"]
+ resources = ["certificates"]
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+ }
+
+
+ rule {
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+ api_groups = ["networking.istio.io"]
+ resources = ["gateways"]
+ }
+}
+
+resource "kubernetes_cluster_role" "cicd_deployer_istio_cluster_role" {
+ metadata {
+ name = var.deployer_application_istio_role_name
+ }
+ rule {
+ api_groups = ["security.istio.io"]
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+ resources = ["requestauthentications", "authorizationpolicies", "peerauthentications"]
+ }
+
+ rule {
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+ api_groups = ["networking.istio.io"]
+ resources = ["virtualservices", "destinationrules", "gateways"]
+ }
+}
+
+resource "kubernetes_cluster_role" "cicd_deployer_application_cluster_role" {
+ metadata {
+ name = var.deployer_application_role_name
+ }
+ aggregation_rule {
+ cluster_role_selectors {
+ match_labels = {
+ "rbac.authorization.k8s.io/aggregate-to-edit" = "true"
+ }
+ }
+ }
+
+ rule {
+ api_groups = ["acme.cert-manager.io"]
+ resources = ["challenges", "orders", "certificaterequests"]
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+ }
+
+ rule {
+ api_groups = ["cert-manager.io"]
+ resources = ["certificates"]
+ verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+ }
+
+}
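Review bot: `certificaterequests` is listed under `acme.cert-manager.io` on lines 316-317 and 365-366, but CertificateRequest is in the `cert-manager.io` API group (only `challenges` and `orders` are ACME resources), so that grant is a no-op and the deployer cannot manage CertificateRequests at all; move it to the `cert-manager.io` rule, `resources = ["certificates", "certificaterequests"]`. Every verbs list repeats `"patch"`; harmless, but drop the duplicate. As with the DBA role, `cicd_deployer_application_cluster_role` combines `aggregation_rule` with explicit `rule` blocks, and the aggregation controller will overwrite those rules on reconcile, so the explicit cert-manager grants need to live in a separately labelled ClusterRole to take effect.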
diff --git a/deployer-rolebinding.tf.off b/deployer-rolebinding.tf.off
new file mode 100644
index 0000000..c4c0e14
--- /dev/null
+++ b/deployer-rolebinding.tf.off
@@ -0,0 +1,91 @@
+resource "kubernetes_role_binding" "deployer_istio_role_binding" {
+ metadata {
+ name = "deployer_istiosystem_role_binding"
+ namespace = var.istio_installed_namespace
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = var.deployer_istiosystem_role_name
+ }
+ subject {
+ kind = "User"
+ name = var.cicd_k8s_user_name
+ api_group = "rbac.authorization.k8s.io"
+ }
+ subject {
+ kind = "Group"
+ # name = format("%v%v-%v", local.prefixes["eks-user"], var.cluster_name, var.cicd_k8s_group_name)
+ name = local.cicd_k8s_iam_username
+ api_group = "rbac.authorization.k8s.io"
+ }
+}
+
+locals {
+ cicd_managed_namespaces = formatlist("%v-%v", var.cluster_name, var.cicd_managed_namespaces)
+ cicd_k8s_iam_username = format("%v%v-%v", local.prefixes["eks-user"], var.cluster_name, var.cicd_k8s_group_name)
+ cicd_k8s_group_name = format("%v%v-%v", local.prefixes["eks"], var.cluster_name, var.cicd_k8s_group_name)
+}
+
+resource "kubernetes_namespace" "cicd_managed_namespaces" {
+ for_each = toset(local.cicd_managed_namespaces)
+ metadata {
+ name = each.key
+ labels = {
+ istio-injection = "enabled"
+ }
+ }
+}
+
+
+resource "kubernetes_role_binding" "deployer_application_istio_rolebinding" {
+ # for_each = toset(local.cicd_managed_namespaces)
+ for_each = kubernetes_namespace.cicd_managed_namespaces
+
+ metadata {
+ name = var.deployer_application_istio_rolebinding_name
+ namespace = each.key
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = var.deployer_application_istio_role_name
+ }
+ subject {
+ kind = "User"
+ name = var.cicd_k8s_user_name
+ api_group = "rbac.authorization.k8s.io"
+ }
+ subject {
+ kind = "Group"
+ name = local.cicd_k8s_iam_username
+ api_group = "rbac.authorization.k8s.io"
+ }
+ # depends_on = [kubernetes_namespace.cicd_managed_namespaces]
+}
+
+resource "kubernetes_role_binding" "deployer_application_rolebinding" {
+ # for_each = toset(local.cicd_managed_namespaces)
+ for_each = kubernetes_namespace.cicd_managed_namespaces
+
+ metadata {
+ name = var.deployer_application_rolebinding_name
+ namespace = each.key
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = var.deployer_application_role_name
+ }
+ subject {
+ kind = "User"
+ name = var.cicd_k8s_user_name
+ api_group = "rbac.authorization.k8s.io"
+ }
+ subject {
+ kind = "Group"
+ name = local.cicd_k8s_iam_username
+ api_group = "rbac.authorization.k8s.io"
+ }
+ # depends_on = [kubernetes_namespace.cicd_managed_namespaces]
+}
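Review bot: The Group subject in all three bindings is `local.cicd_k8s_iam_username` (the `eks-user`-prefixed IAM user name, line 408) rather than a Kubernetes group, whereas the commented-out aws-auth mapping in main.tf (line 671) places the deployer in `local.cicd_k8s_group_name` (the `eks`-prefixed name, line 409); if that mapping is what gets enabled, the Group subject never matches and only the `User` subject actually authorizes anything. Pick one name for both sides, e.g. `name = local.cicd_k8s_group_name` here, so the group grant is not dead. The file also relies on `var.cicd_managed_namespaces`, `var.cicd_k8s_user_name`, the rolebinding-name variables and `local.prefixes`, and those variables are all commented out in variables.tf, so re-enabling it requires restoring them.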
diff --git a/deployer.iam.tf.off b/deployer.iam.tf.off
new file mode 100644
index 0000000..962d525
--- /dev/null
+++ b/deployer.iam.tf.off
@@ -0,0 +1,154 @@
+locals {
+ policy_cicd_k8s_group_name = replace(local.cicd_k8s_iam_username, local.prefixes["eks-user"], local.prefixes["eks-policy"])
+ role_cicd_k8s_group_name = replace(local.cicd_k8s_iam_username, local.prefixes["eks-user"], "")
+ iam_policies_cicd = ["p-inf-manage-access-keys"]
+}
+
+data "aws_iam_policy" "cicd_deployer_policies" {
+ for_each = toset(local.iam_policies_cicd)
+ name = each.key
+}
+
+module "service_cicd_deployer" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-iam-user.git?ref=tf-upgrade"
+
+ iam_username = local.cicd_k8s_iam_username
+ username = ""
+ email_address = ""
+ groups = ["g-inf-ip-restriction"]
+ generate_password = false
+ service_account = true
+ enable_sending_mail = false
+ create_access_keys = false
+ profile = var.profile
+ pgp_key_file = "./init/tf-gpg-key.b64"
+
+ attached_policies = flatten(concat([for k, v in data.aws_iam_policy.cicd_deployer_policies : v.arn], [aws_iam_policy.cicd_deployer.arn]))
+
+}
+module "role_cicd_deployer" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git?ref=tf-upgrade"
+
+ role_name = local.role_cicd_k8s_group_name
+ role_description = "Role for EKS cluster ${var.cluster_name} for access by ${var.cicd_k8s_group_name}"
+ enable_ldap_creation = false
+ assume_policy_document = data.aws_iam_policy_document.cicd_deployer_allow_sts.json
+ # attached_policies = flatten(concat([for k, v in data.aws_iam_policy.cicd_deployer_policies : v.arn], [aws_iam_policy.cicd_deployer.arn]))
+ attached_policies = [aws_iam_policy.cicd_deployer.arn]
+
+}
+
+resource "aws_iam_policy" "cicd_deployer" {
+ name = local.policy_cicd_k8s_group_name
+ path = "/"
+ description = "Policy for EKS ${var.cluster_name} IAM access ${var.cicd_k8s_group_name}"
+ policy = data.aws_iam_policy_document.cicd_deployer.json
+}
+
+locals {
+ cicd_deployer_policy_statements = {
+ ECRRead = {
+ actions = [
+ "ecr:Describe*",
+ "ecr:Get*",
+ "ecr:ListImages",
+ "ecr:BatchGetImage",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:GetDownloadUrlForLayer",
+ ]
+ resources = ["*"]
+ }
+ ECRWrite = {
+ # effect = "Deny"
+ actions = [
+ "ecr:BatchDeleteImage",
+ "ecr:CompleteLayerUpload",
+ "ecr:CreateRepository",
+ "ecr:DeleteRepository",
+ "ecr:InitiateLayerUpload",
+ "ecr:PutImage",
+ "ecr:UploadLayerPart"
+ ]
+ # not_resources = [format(local.common_arn, "ecr", format("repository/eks/%v/*", var.cluster_name))]
+ not_resources = [format(local.common_arn, "ecr", "repository/eks/*")]
+ }
+ EKSRead = {
+ actions = [
+ "eks:ListClusters",
+ ]
+ resources = ["*"]
+ }
+ EKSReadMyClusters = {
+ actions = [
+ "eks:AccessKubernetesApi",
+ "eks:DescribeCluster",
+ ]
+ resources = [format(local.common_arn, "eks", format("%v/%v", "cluster", var.cluster_name))]
+ }
+ # IAMRead = {
+ # actions = [
+ # "iam:ListRoles",
+ # ]
+ # resources = ["*"]
+ # }
+ }
+}
+
+data "aws_iam_policy_document" "cicd_deployer" {
+ dynamic "statement" {
+ for_each = local.cicd_deployer_policy_statements
+ iterator = s
+ content {
+ sid = format("%v%vAccess", lookup(s.value, "effect", "Allow"), s.key)
+ effect = lookup(s.value, "effect", "Allow")
+ actions = lookup(s.value, "actions", [])
+ resources = lookup(s.value, "resources", [])
+ not_resources = lookup(s.value, "not_resources", [])
+ }
+ }
+}
+
+# allow anyone in this account to assume the role, if they have the permission to do so
+data "aws_iam_policy_document" "cicd_deployer_allow_sts" {
+ statement {
+ sid = "AllowSTSAssume"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = "AWS"
+ identifiers = [
+ format(local.iam_arn, "root"),
+ ]
+ }
+ }
+}
+
+output "service_cicd_deployer_arn" {
+ description = "CICD Deployer user ARN"
+ value = module.service_cicd_deployer.user_arn
+}
+
+output "service_cicd_deployer_username" {
+ description = "CICD Deployer username"
+ value = module.service_cicd_deployer.user_name
+}
+
+module "group_cicd_deployer" {
+ # tflint-ignore: terraform_module_version
+ # tflint-ignore: terraform_module_pinned_source
+ source = "git@github.e.it.census.gov:terraform-modules/aws-iam-group.git"
+
+ group_name = local.cicd_k8s_group_name
+ attached_policies = flatten(concat([for k, v in data.aws_iam_policy.cicd_deployer_policies : v.arn], [aws_iam_policy.cicd_deployer.arn]))
+
+}
+
+output "info_cicd_deployer" {
+ description = "CID Deployer IAM details"
+ value = {
+ user_name = module.service_cicd_deployer.user_name
+ user_arn = module.service_cicd_deployer.user_arn
+ group_name = module.group_cicd_deployer.group_name
+ group_arn = module.group_cicd_deployer.group_arn
+ }
+}
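Review bot: The `ECRWrite` statement (lines 540-553) is an `Allow` with only `not_resources`, so it grants `ecr:PutImage`, `ecr:CreateRepository` and `ecr:DeleteRepository` on every repository in the account except `repository/eks/*`; the commented `# effect = "Deny"` suggests the intent was the inverse (write only to the cluster's own repositories), and as written the CI user can delete any non-EKS repository. Replace `not_resources` with a positive scope, `resources = [format(local.common_arn, "ecr", "repository/eks/*")]` (or the cluster-specific pattern from the commented line 551), or restore `effect = "Deny"` if it was meant as a guard. The trust policy on lines 591-603 again trusts the account root; for a CI role it is worth limiting to the deployer user's ARN. The user is created with `create_access_keys = false` but attached `p-inf-manage-access-keys`, presumably so it can mint its own long-lived keys — prefer having CI assume `role_cicd_deployer` with short-lived credentials and not issue keys at all.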
diff --git a/eks_console_access.tf b/eks-console-access.tf
similarity index 100%
rename from eks_console_access.tf
rename to eks-console-access.tf
diff --git a/main.tf b/main.tf
index 2dc98d4..a56d603 100644
--- a/main.tf
+++ b/main.tf
@@ -1,9 +1,7 @@
locals {
base_tags = {
- "eks-cluster-name" = var.cluster_name
"boc:tf_module_version" = local.module_version
"boc:created_by" = "terraform"
- CostAllocation = var.tag_costallocation
}
tags = merge(local.base_tags, var.tags)
@@ -81,6 +79,9 @@ resource "kubernetes_storage_class" "efs_sc" {
resource "kubernetes_namespace" "operators" {
metadata {
name = var.operators_ns
+ labels = {
+ istio-injection = "enabled"
+ }
}
}
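Review bot: Labelling the `operators` namespace with `istio-injection = "enabled"` means every operator pod deployed there gets an Envoy sidecar, including any admission/conversion webhooks or controllers that talk to the API server before the proxy is ready; confirm the operators installed here tolerate that, or annotate their pods `sidecar.istio.io/inject: "false"`, since controllers are a common place for the sidecar to break start-up ordering or mTLS to non-mesh endpoints. The `telemetry` namespace in the same file does not get the label, so add a one-line reason above the `labels` block, e.g. `# sidecar injection on so operator-to-service traffic is covered by mesh mTLS`, to document why the two differ.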
@@ -92,3 +93,34 @@ resource "kubernetes_namespace" "telemetry" {
}
}
}
+
+# locals {
+# aws_auth_users = [
+# {
+# userarn = module.service_cicd_deployer.user_arn
+# aws_username = ""
+# username = var.cicd_k8s_user_name
+# groups = [local.cicd_k8s_group_name]
+# },
+# ]
+# aws_auth_roles = [
+# {
+# rolearn : module.role_dba_administrator.role_arn
+# aws_rolename : ""
+# username : var.dba_k8s_user_name
+# groups = [local.dba_k8s_group_name]
+# },
+# ]
+# }
+
+# module "awsauth_cluster-roles" {
+# source = "git@github.e.it.census.gov:terraform-modules/aws-eks.git//patch-aws-auth?ref=tf-upgrade"
+
+# region = var.region
+# profile = var.profile
+# cluster_name = var.cluster_name
+# aws_auth_users = local.aws_auth_users
+# aws_auth_roles = local.aws_auth_roles
+
+# keep_temporary_files = false
+# }
diff --git a/requirements.tf b/requirements.tf
index 32e5c6f..23f9f8e 100644
--- a/requirements.tf
+++ b/requirements.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.14.0"
+ version = "~> 6.0"
}
helm = {
source = "hashicorp/helm"
diff --git a/variables.tf b/variables.tf
index b755841..6b74bc4 100644
--- a/variables.tf
+++ b/variables.tf
@@ -9,6 +9,12 @@ variable "region" {
type = string
}
+# tflint-ignore: terraform_unused_declarations
+variable "profile" {
+ description = "AWS config profile"
+ type = string
+}
+
variable "vpc_id" {
description = "Specify the VPC id that is used by this cluster"
type = string
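Review bot: `profile` is added as a required input, yet the `tflint-ignore: terraform_unused_declarations` on line 715 concedes nothing in the live configuration reads it — its only consumers are in the `.off` files and the commented-out aws-auth module — so every caller must now supply a value that has no effect. Either give it a default (`default = null`) or hold it back until the consumers are re-enabled.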
@@ -36,14 +42,102 @@ variable "telemetry_ns" {
default = "telemetry"
}
-variable "tag_costallocation" {
- description = "Tag CostAllocation (default)"
- type = string
- default = "csvd:infrastructure"
-}
-
variable "tags" {
description = "AWS Tags to apply to appropriate resources"
type = map(string)
default = {}
}
+
+# variable "deployer_istiosystem_role_name" {
+# description = "The kubernetes cluster role name of CIDR Deployer"
+# type = string
+# default = "deployer-istiosystem-role"
+# }
+
+# variable "deployer_application_role_name" {
+# description = "The kubernetes cluster role name of CICD Deployer"
+# type = string
+# default = "deployer-application-role"
+# }
+
+# variable "deployer_application_istio_role_name" {
+# description = "The kubernetes cluster role name of CICD Deployer"
+# type = string
+# default = "deployer-application-istio-role"
+# }
+
+# variable "dba_administrator_role_name" {
+# description = "The kubernetes cluster role name of DBA Administrator"
+# type = string
+# default = "dba-admin-role"
+# }
+
+# variable "istio_installed_namespace" {
+# description = "Namespace that Istio installed"
+# type = string
+# default = "istio-system"
+# }
+
+# variable "cicd_k8s_user_name" {
+# description = "The user name of CICD Deployer"
+# type = string
+# default = "cicd-deployer"
+# }
+# variable "cicd_k8s_group_name" {
+# description = "The Group name of CICD Deployer belongs to (excluding prefix for service account and cluster)"
+# type = string
+# default = "cicd-deployer"
+# }
+
+# variable "dba_k8s_user_name" {
+# description = "the user name of DBA Administrator"
+# type = string
+# default = "dba-admin"
+# }
+# variable "dba_k8s_group_name" {
+# description = "The Group name of dba-admin belongs to (excluding prefix for service account and cluster)"
+# type = string
+# default = "dba-admin"
+# }
+
+# variable "deployer_application_rolebinding_name" {
+# description = "Role binding name of deployer that binding to role deployer_application_cluster_role"
+# type = string
+# default = "deployer-application-rolebinding"
+# }
+
+# variable "deployer_application_istio_rolebinding_name" {
+# description = "Role binding name of deployer that binding to role deployer_application_cluster_role"
+# type = string
+# default = "deployer-application-istio-rolebinding"
+# }
+
+# variable "dba_admin_rolebinding_name" {
+# description = "Role binding name of deployer that binding to role deployer_application_cluster_role"
+# type = string
+# default = "dba-admin-rolebinding"
+# }
+
+# variable "cicd_managed_namespaces" {
+# description = "Deployer managed namespaces that deploy can create resources in (excluding cluster name prefix)"
+# type = list(any)
+# default = []
+# }
+
+# variable "dba_managed_namespaces" {
+# description = "DBA admin managed namespaces (excluding cluster name prefix)"
+# type = list(any)
+# default = []
+# }
+
+variable "namespace" {
+ description = "The namespace to deploy cert-manager resources into"
+ type = string
+ default = "cert-manager"
+}
+
+variable "cluster_mailing_list" {
+ description = "The mailing list for cluster notifications"
+ type = string
+ default = "cluster@example.com"
+}
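Review bot: `cluster_mailing_list` defaults to the placeholder `"cluster@example.com"`, and cert-mgr-cluster-issuer.tf passes it as `contact_email` to the CA module, so an operator who omits the variable gets a subordinate CA issued with a bogus contact baked in. Drop the default (make it required like `region`) or add a `validation` block, e.g. `condition = !can(regex("@example\\.com$", var.cluster_mailing_list))`. The new `namespace` variable is described as "the namespace to deploy cert-manager resources into" but is only used for the `ca-key-pair` secret; nothing in this diff creates that namespace or installs cert-manager, so the description should state that it must already exist and match cert-manager's cluster-resource namespace. The ~80 lines of commented-out variables duplicate what the `.off` files need; keeping them in one place would be clearer than dead text.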