From 01fe1111d00783b527440fee56551533353ea359 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 31 Jul 2024 18:04:52 -0400 Subject: [PATCH] add operators_ns --- README.md | 38 +++++++++++++++++++++++++++++++++++--- main.tf | 9 +++++++++ version.tf | 2 +- 3 files changed, 45 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 47d7d46..4a9a60b 100644 --- a/README.md +++ b/README.md @@ -13,6 +13,8 @@ coredns kube-proxy # CHANGELOG +* 0.0.4 -- 2024-07-31 + - add operators_ns * 0.0.3 -- 2024-07-30 - updated to use karpenter - misc cleanup @@ -24,6 +26,9 @@ kube-proxy - update upstream cluster module to 20.20.0 - created changelog + +## Requirements + | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13 | @@ -39,13 +44,17 @@ kube-proxy | Name | Version | |------|---------| | [aws](#provider\_aws) | >= 5.14.0 | +| [aws.route53\_main\_east](#provider\_aws.route53\_main\_east) | >= 5.14.0 | +| [aws.route53\_main\_west](#provider\_aws.route53\_main\_west) | >= 5.14.0 | +| [aws.self](#provider\_aws.self) | >= 5.14.0 | +| [kubernetes](#provider\_kubernetes) | n/a | | [null](#provider\_null) | >= 3.2.1 | ## Modules | Name | Source | Version | |------|--------|---------| -| [cluster](#module\_cluster) | git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git | v20.8.5 | +| [cluster](#module\_cluster) | git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git | v20.20.0 | | [cluster\_autoscaler\_irsa\_role](#module\_cluster\_autoscaler\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | | [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | @@ -55,17 +64,30 @@ kube-proxy | Name | Type | |------|------| +| [aws_ec2_tag.container-subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | +| [aws_ec2_tag.lb-subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | +| [aws_route53_vpc_association_authorization.self_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource | +| [aws_route53_vpc_association_authorization.self_zone_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource | +| [aws_route53_zone.cluster_domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource | +| [aws_route53_zone_association.self_zone_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource | +| [aws_route53_zone_association.self_zone_west](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource | | [aws_security_group.additional_eks_cluster_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group.all_worker_mgmt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group_rule.allow_sidecar_injection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource | +| [kubernetes_namespace.operators](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | | [null_resource.kube_config_create](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source | | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_route53_zone.zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source | | [aws_subnet.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | +| [aws_subnets.container-subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | +| [aws_subnets.lb-subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | | [aws_subnets.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | +| [aws_vpc.dummy_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | | [aws_vpc.eks_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | ## Inputs @@ -73,24 +95,34 @@ kube-proxy | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [access\_entries](#input\_access\_entries) | Map of access entries to add to the cluster | `any` | `{}` | no | +| [account\_id](#input\_account\_id) | AWS account id | `string` | `""` | no | | [aws\_environment](#input\_aws\_environment) | AWS Environment (govcloud \| east-west) | `string` | `""` | no | | [census\_private\_cidr](#input\_census\_private\_cidr) | Census Private CIR Blocks | `list(string)` | 
[
  "148.129.0.0/16",
  "172.16.0.0/12",
  "192.168.0.0/16"
]
| no | | [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | This allows to access the cluster from IEB cloud host | `bool` | `false` | no | | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes | | [cluster\_version](#input\_cluster\_version) | The Kubernetes version number to use for this EKS cluster. See https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html | `string` | `"1.27"` | no | -| [domain](#input\_domain) | The DNS domain name of the cluster. | `string` | n/a | yes | | [eks\_instance\_disk\_size](#input\_eks\_instance\_disk\_size) | The size of the disk of the worker nodes in gigabytes. 40 is the approximate minimum. Needs to hold the all of the normal operating system files plus every image that will be used in the cluster. | `number` | `80` | no | | [eks\_instance\_types](#input\_eks\_instance\_types) | EKS worker node instance types | `list(string)` | 
[
  "t3.xlarge"
]
| no | | [eks\_ng\_desired\_size](#input\_eks\_ng\_desired\_size) | Node Group desired size | `number` | `4` | no | | [eks\_ng\_max\_size](#input\_eks\_ng\_max\_size) | Node Group maximum size | `number` | `15` | no | | [eks\_ng\_min\_size](#input\_eks\_ng\_min\_size) | Node Group minimum size | `number` | `4` | no | | [enable\_cluster\_creator\_admin\_permissions](#input\_enable\_cluster\_creator\_admin\_permissions) | Indicates whether or not to add the cluster creator (the identity used by Terraform) as an administrator via access entry | `bool` | `false` | no | +| [lb\_subnets\_name](#input\_lb\_subnets\_name) | Define the name of the subnets to be used by this cluster | `string` | `"*-private-lb-*"` | no | +| [main\_dns\_profile](#input\_main\_dns\_profile) | Profile name for AWS for the main DNS central account | `string` | `"269244441389-lab-gov-network-nonprod"` | no | +| [main\_dns\_vpcs](#input\_main\_dns\_vpcs) | Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS | `map(string)` | 
{
  "us-gov-east-1": "vpc-070595c5b133243dd",
  "us-gov-west-1": "vpc-08b7b4db6a5ddf9c1"
}
| no | | [operators\_ns](#input\_operators\_ns) | Namespace to create where operators will be installed. | `string` | `"operators"` | no | +| [os\_username](#input\_os\_username) | OS username from environment variable, ideally as $USER | `string` | `null` | no | | [profile](#input\_profile) | AWS config profile | `string` | `""` | no | +| [region](#input\_region) | AWS config region | `string` | `""` | no | +| [region\_map](#input\_region\_map) | AWS region map | `map(string)` | 
{
  "east": "us-gov-east-1",
  "west": "us-gov-west-1"
}
| no | +| [route53\_endpoints](#input\_route53\_endpoints) | Map of target route53 endpoints (for inbound) central VPCs | `map(map(string))` | 
{
  "route53_main": {
    "account_id": "269244441389",
    "alias": "lab-gov-network-nonprod",
    "us-gov-east-1": "vpc-070595c5b133243dd",
    "us-gov-west-1": "vpc-08b7b4db6a5ddf9c1"
  }
}
| no | +| [shared\_vpc\_label](#input\_shared\_vpc\_label) | Label to use for shared VPC for flowlogs and other things | `string` | `null` | no | | [subnets\_name](#input\_subnets\_name) | Define the name of the subnets to be used by this cluster | `string` | `"*-container-*"` | no | | [tag\_costallocation](#input\_tag\_costallocation) | Tag CostAllocation (default) | `string` | `"csvd:infrastructure"` | no | | [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no | +| [vpc\_domain\_name](#input\_vpc\_domain\_name) | The DNS domain name of the vpc the cluster is in. | `string` | n/a | yes | | [vpc\_name](#input\_vpc\_name) | Define the VPC name that will be used by this cluster | `string` | n/a | yes | +| [zone\_ids](#input\_zone\_ids) | List of Route53 PHZ IDs to associate with a (local/remote) VPC | `list(string)` | `[]` | no | ## Outputs @@ -100,7 +132,6 @@ kube-proxy | [cloudwatch\_log\_group\_name](#output\_cloudwatch\_log\_group\_name) | Name of cloudwatch log group created | | [cluster\_addons](#output\_cluster\_addons) | Map of attribute maps for all EKS cluster addons enabled | | [cluster\_arn](#output\_cluster\_arn) | The Amazon Resource Name (ARN) of the cluster | -| [cluster\_autoscaler\_role\_name](#output\_cluster\_autoscaler\_role\_name) | | | [cluster\_certificate\_authority\_data](#output\_cluster\_certificate\_authority\_data) | Base64 encoded certificate data required to communicate with the cluster | | [cluster\_endpoint](#output\_cluster\_endpoint) | Endpoint for your Kubernetes API server | | [cluster\_fqdn](#output\_cluster\_fqdn) | The cluster\_name.domain | @@ -126,6 +157,7 @@ kube-proxy | [kms\_key\_policy](#output\_kms\_key\_policy) | The IAM resource policy set on the key | | [module\_name](#output\_module\_name) | The name of this module. | | [module\_version](#output\_module\_version) | The version of this module. | +| [node\_group\_name](#output\_node\_group\_name) | ############################################################################### Additional ############################################################################### output "cluster\_autoscaler\_role\_name" { value = module.cluster\_autoscaler\_irsa\_role.iam\_role\_name } | | [node\_security\_group\_arn](#output\_node\_security\_group\_arn) | Amazon Resource Name (ARN) of the node shared security group | | [node\_security\_group\_id](#output\_node\_security\_group\_id) | ID of the node shared security group | | [oidc\_provider](#output\_oidc\_provider) | The OpenID Connect identity provider (issuer URL without leading `https://`) | diff --git a/main.tf b/main.tf index 60f4400..3a03cd2 100644 --- a/main.tf +++ b/main.tf @@ -176,3 +176,12 @@ resource "null_resource" "kube_config_create" { command = "aws eks --region ${data.aws_region.current.name} update-kubeconfig --name ${module.cluster.cluster_name} --profile=${var.profile} && export KUBE_CONFIG_PATH=~/.kube/config && export KUBERNETES_MASTER=~/.kube/config" } } + +#### NEED TO MOVE THIS TO A PROPER PLACE - Added to tfmod-eks to validate kube_config_create +#### 07-31-2024 - mcm (remove this if group decides on putting in config) +resource "kubernetes_namespace" "operators" { + depends_on = [null_resource.kube_config_create] + metadata { + name = var.operators_ns + } +} diff --git a/version.tf b/version.tf index 04110bc..96080a9 100644 --- a/version.tf +++ b/version.tf @@ -1,4 +1,4 @@ locals { _module_name = "tfmod-eks" - _module_version = "0.0.3" + _module_version = "0.0.4" }