From 2ee0b0866b69697a40b32ed472f4e0b14181abcc Mon Sep 17 00:00:00 2001 From: Matthew Creal Morgan Date: Tue, 6 Aug 2024 11:32:37 -0700 Subject: [PATCH] pre-commit + commitizen + lint fixes (#11) --- .cz.yaml | 8 ++ .github/dependabot.yml | 11 +++ .gitignore | 3 + .pre-commit-config.yaml | 99 +++++++++++++++++++++++ .releaserc.json | 36 +++++++++ .terraform-docs.yml | 44 ++++++++++ .tflint.hcl | 21 +++++ CHANGELOG.md | 34 ++++++++ README.md | 89 ++++++++++++++------- aws_data.tf | 31 ------- cluster_admin_group.tf.disable | 12 --- cluster_admin_policies.tf.disable | 129 ------------------------------ cluster_admin_roles.tf.disable | 26 ------ dns_zones.tf | 61 +++++++++----- examples/simple/eks.tf | 3 +- examples/simple/providers.tf | 8 ++ examples/terragrunt.hcl | 51 ++++++++++++ examples/testing/eks.tf | 1 - examples/testing/providers.tf | 7 ++ examples/testing/variables.tf | 2 +- irsa_roles.tf | 19 +++-- istio_ports.tf.disable | 84 ------------------- main.tf | 21 +++-- node_ports.tf.disable | 45 ----------- outputs.tf | 7 +- prefixes.tf | 2 +- requirements.tf | 16 ---- security_groups.tf | 5 +- sg_ports.tf | 36 ++++----- variables.tf | 33 +------- version.tf | 4 +- 31 files changed, 476 insertions(+), 472 deletions(-) create mode 100644 .cz.yaml create mode 100644 .github/dependabot.yml create mode 100644 .gitignore create mode 100644 .pre-commit-config.yaml create mode 100644 .releaserc.json create mode 100644 .terraform-docs.yml create mode 100644 .tflint.hcl create mode 100644 CHANGELOG.md delete mode 100644 cluster_admin_group.tf.disable delete mode 100644 cluster_admin_policies.tf.disable delete mode 100644 cluster_admin_roles.tf.disable create mode 100644 examples/terragrunt.hcl delete mode 100644 istio_ports.tf.disable delete mode 100644 node_ports.tf.disable diff --git a/.cz.yaml b/.cz.yaml new file mode 100644 index 0000000..b1981ec --- /dev/null +++ b/.cz.yaml 
@@ -0,0 +1,8 @@ +--- +commitizen: + major_version_zero: true + name: cz_gitmoji + tag_format: $version + update_changelog_on_bump: true + version_provider: scm + version_scheme: semver2 diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..867570d --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,11 @@ +# To get started with Dependabot version updates, you'll need to specify which +# package ecosystems to update and where the package manifests are located. +# Please see the documentation for all configuration options: +# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates + +version: 2 +updates: + - package-ecosystem: "terraform" # See documentation for possible values + directory: "/" # Location of package manifests + schedule: + interval: "daily" diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..7103c45 --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +.terraform/ +.terraform.lock.hcl +.terragrunt-cache/ diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..3d8476f --- /dev/null +++ b/.pre-commit-config.yaml 
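Review bot: Ignoring `.terraform.lock.hcl` in the new .gitignore discards the provider version and hash pins that `terraform init` records, so every fresh checkout re-resolves providers within the `>=` constraints the examples declare, and since the `terragrunt_providers_lock` hook in the new pre-commit config is commented out nothing else records provider hashes. HashiCorp's guidance is to commit the lock file for root modules, which is what `examples/simple` and `examples/testing` are, and a committed lock file is also, I believe, what lets the Dependabot terraform updates added in this same commit propose reviewable provider bumps. Suggest dropping the `.terraform.lock.hcl` line, or if the reusable module itself must stay lock-free, anchoring the pattern to the repo root (`/.terraform.lock.hcl`) so the examples' lock files are still tracked.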
@@ -0,0 +1,99 @@ +repos: +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.6.0 + hooks: + # Git style + - id: check-added-large-files + - id: check-merge-conflict + - id: check-vcs-permalinks + - id: forbid-new-submodules + - id: no-commit-to-branch + + # Common errors + - id: end-of-file-fixer + - id: trailing-whitespace + args: [--markdown-linebreak-ext=md] + exclude: CHANGELOG.md + - id: check-yaml + - id: check-merge-conflict + - id: check-executables-have-shebangs + + # Cross platform + - id: check-case-conflict + - id: mixed-line-ending + args: [--fix=lf] + + # Security + - id: detect-aws-credentials + args: ['--allow-missing-credentials'] + - id: detect-private-key + +# JSON5 Linter +- repo: https://github.com/pre-commit/mirrors-prettier + rev: v4.0.0-alpha.8 + hooks: + - id: prettier + files: '.json5$' + +# Terraform Hooks +- repo: https://github.com/antonbabenko/pre-commit-terraform + rev: v1.92.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases + hooks: + - id: terraform_fmt + args: + - --hook-config=--parallelism-ci-cpu-cores=2 + - id: terraform_docs + args: + - --hook-config=--parallelism-ci-cpu-cores=2 + - id: terraform_tflint + name: Terraform validate with tflint + description: Validates all Terraform configuration files with TFLint. + require_serial: true + entry: hooks/terraform_tflint.sh + language: script + files: (\.tf|\.tfvars)$ + exclude: \.(terraform/.*|terragrunt-cache)$ + args: + - --hook-config=--parallelism-ci-cpu-cores=2 + - id: terragrunt_fmt + name: Terragrunt fmt + description: Rewrites all Terragrunt configuration files to a canonical format. 
+ entry: hooks/terragrunt_fmt.sh + language: script + files: (\.hcl)$ + exclude: \.(terraform/.*|terragrunt-cache)$ + args: + - --hook-config=--parallelism-ci-cpu-cores=2 + ### DISABLED UNTIL MINIFIED TERRAGRUNT.HCL IS CREATED + # - id: terragrunt_validate + # name: Terragrunt validate + # description: Validates all Terragrunt configuration files. + # entry: hooks/terragrunt_validate.sh + # language: script + # files: (\.hcl)$ + # exclude: \.(terraform/.*|terragrunt-cache)$ + # args: + # - --hook-config=--parallelism-ci-cpu-cores=2 + # - id: terragrunt_validate_inputs + # name: Terragrunt validate inputs + # description: Validates Terragrunt unused and undefined inputs. + # entry: hooks/terragrunt_validate_inputs.sh + # language: script + # files: (\.hcl)$ + # exclude: \.(terraform/.*|terragrunt-cache)$ + # args: + # - --hook-config=--parallelism-ci-cpu-cores=2 + # - id: terragrunt_providers_lock + # name: Terragrunt providers lock + # description: Updates provider signatures in dependency lock files using terragrunt. + # entry: hooks/terragrunt_providers_lock.sh + # language: script + # files: (terragrunt|\.terraform\.lock)\.hcl$ + # exclude: \.(terraform/.*|terragrunt-cache)$ + # args: + # - --hook-config=--parallelism-ci-cpu-cores=2 + +- repo: https://github.com/ljnsn/cz-conventional-gitmoji + rev: v0.3.2 + hooks: + - id: conventional-gitmoji diff --git a/.releaserc.json b/.releaserc.json new file mode 100644 index 0000000..6e39031 --- /dev/null +++ b/.releaserc.json 
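Review bot: `check-merge-conflict` is listed twice in the pre-commit-hooks entry (once under "Git style", again under "Common errors"), so it runs twice per commit; drop one. Worth a caveat next to the "Security" hooks too: `detect-aws-credentials` only flags secrets that already exist in the local `~/.aws/credentials` file (and `--allow-missing-credentials` makes it a no-op when that file is absent), and `detect-private-key` only looks for PEM headers, so neither catches an access key or token pasted into a `.tfvars` or `terragrunt.hcl`; a generic secret scanner such as gitleaks or detect-secrets would close that gap, and a one-line comment saying so would keep the next maintainer from assuming the repo is covered. Separately, `rev: v4.0.0-alpha.8` pins `mirrors-prettier` to a prerelease, and the `files: '.json5$'` pattern has an unescaped dot; `files: '\.json5$'` is what was meant.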
@@ -0,0 +1,36 @@ +{ + "branches": [ + "main", + "master" + ], + "ci": false, + "plugins": [ + "@semantic-release/commit-analyzer", + "@semantic-release/release-notes-generator", + [ + "@semantic-release/github", + { + "successComment": + "This ${issue.pull_request ? 'PR is included' : 'issue has been resolved'} in version ${nextRelease.version} :tada:", + "labels": false, + "releasedLabels": false + } + ], + [ + "@semantic-release/changelog", + { + "changelogFile": "CHANGELOG.md", + "changelogTitle": "# Changelog\n\nAll notable changes to this project will be documented in this file." + } + ], + [ + "@semantic-release/git", + { + "assets": [ + "CHANGELOG.md" + ], + "message": "chore(release): version ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}" + } + ] + ] +} diff --git a/.terraform-docs.yml b/.terraform-docs.yml new file mode 100644 index 0000000..fabfb8d --- /dev/null +++ b/.terraform-docs.yml @@ -0,0 +1,44 @@ +formatter: markdown table + +header-from: main.tf +footer-from: "" + +sections: +## hide: [] + show: + - data-sources + - header + - footer + - inputs + - modules + - outputs + - providers + - requirements + - resources + +output: + file: README.md + mode: inject + template: |- + + {{ .Content }} + + +output-values: + enabled: false + from: "" + +sort: + enabled: true + by: name + +settings: + anchor: true + color: true + default: true + description: true + escape: true + indent: 2 + required: true + sensitive: true + type: true diff --git a/.tflint.hcl b/.tflint.hcl new file mode 100644 index 0000000..684d807 --- /dev/null +++ b/.tflint.hcl @@ -0,0 +1,21 @@ +config { + module = true + force = false + disabled_by_default = false +} + +rule "aws_instance_invalid_type" { + enabled = true +} + +plugin "aws" { + enabled = true + version = "0.32.0" + source = "github.com/terraform-linters/tflint-ruleset-aws" +} + +plugin "terraform" { + enabled = true + version = "0.9.0" + source = "github.com/terraform-linters/tflint-ruleset-terraform" +} 
diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..7dd3b19 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,34 @@ +## 0.1.0 (2024-08-02) + +### ✨ Features + +- **main.tf**: added adot, snapshot-controller, and updated docs +- **amazon-cloudwatch-observability**: add cloudwatch addon instead of cloudwatch module + +### 🐛🚑️ Fixes + +- **main.tf**: no adot avail for 1.30 +- **main.tf**: remove operators due to timing issues +- **main.tf**: add time_sleep before operators create +- **main.tf**: removed invalied property >>> ⏰ 1m +- **main.tf**: add short sleep after kube update +- **main.tf**: update depends_on +- **main.tf**: fix irsa_role ref from update >>> ⏰ 5m +- **irsa_roles.tf**: use cannonical module ref +- **irsa_roles.tf**: update vars from module +- **dns_zones.tf**: added cluster name tag to vpc +- **dummy-vpc**: add filter and tag for dummy-vpc + +### 💚👷 CI & Build + +- **.cz.yaml**: update commitizen to use scm for version +- **cz**: update cz to use scm for version +- **test.yml**: added test.yml to demonstrate how commitizen and pre-commit-hooks work >>> ⏰ 15m +- **.github/dependabot.yml**: add dependabot for terraform +- **.cz.yaml**: add commitizen config file >>> ⏰ 2h + +### 📝💡 Documentation + +- update resource counts on apply/destroy +- **changelog**: moved old changelog to changelog.md +- **CHANGELOG.md**: added a changelog by running cz ch >>> ⏰ 15m diff --git a/README.md b/README.md index 47d7d46..f023066 100644 --- a/README.md +++ b/README.md 
@@ -5,48 +5,65 @@ The module creates an EKS cluster named cluster_name in the region using kuberen The cluster is configured with an oidc provider allowing service accounts to be configured with IRSA roles as needed. +## Addons Addons installed: -aws-efs-csi-driver -aws-ebs-csi-driver -coredns -kube-proxy - -# CHANGELOG -* 0.0.3 -- 2024-07-30 - - updated to use karpenter - - misc cleanup - - add hack dns for today until modules work -* 0.0.2 -- 2024-07-22 - - updated version.tf to 0.0.2 - - add kube.config update after cluster create - - update ami_type to AL2023 - - update upstream cluster module to 20.20.0 - - created changelog +* amazon-cloudwatch-observability +* aws-ebs-csi-driver +* aws-efs-csi-driver +* coredns +* kube-proxy +* snapshot-controller + +### Apply +Successful completion should show: +```terraform +Apply complete! Resources: 74 added, 0 changed, 0 destroyed. + +And should take around: +real 11m32.883s +user 0m18.010s +sys 0m2.131s +``` + +### Destroy +Successful destroy should show: +```terraform +Destroy complete! Resources: 74 destroyed. +real 11m22.795s +user 0m18.300s +sys 0m2.160s +``` +#### Changelog +Change logs are auto-generated with commitizen. 
+ +[CHANGELOG.md](CHANGELOG.md) + + +## Requirements | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13 | | [aws](#requirement\_aws) | >= 5.14.0 | -| [cloudinit](#requirement\_cloudinit) | >= 2.3.2 | -| [http](#requirement\_http) | >= 3.4.0 | | [null](#requirement\_null) | >= 3.2.1 | -| [time](#requirement\_time) | >= 0.9.1 | -| [tls](#requirement\_tls) | >= 4.0.4 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.14.0 | -| [null](#provider\_null) | >= 3.2.1 | +| [aws](#provider\_aws) | 5.61.0 | +| [aws.route53\_main\_east](#provider\_aws.route53\_main\_east) | 5.61.0 | +| [aws.route53\_main\_west](#provider\_aws.route53\_main\_west) | 5.61.0 | +| [aws.self](#provider\_aws.self) | 5.61.0 | +| [null](#provider\_null) | 3.2.2 | ## Modules | Name | Source | Version | |------|--------|---------| -| [cluster](#module\_cluster) | git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git | v20.8.5 | -| [cluster\_autoscaler\_irsa\_role](#module\_cluster\_autoscaler\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | +| [cloudwatch\_observability\_irsa\_role](#module\_cloudwatch\_observability\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | +| [cluster](#module\_cluster) | git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git | v20.20.0 | | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | | [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | | [vpc\_cni\_irsa\_role](#module\_vpc\_cni\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | 
@@ -55,9 +72,17 @@ kube-proxy | Name | Type | |------|------| +| [aws_ec2_tag.container_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | +| [aws_ec2_tag.lb_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | +| [aws_route53_vpc_association_authorization.self_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource | +| [aws_route53_vpc_association_authorization.self_zone_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource | +| [aws_route53_zone.cluster_domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource | +| [aws_route53_zone_association.self_zone_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource | +| [aws_route53_zone_association.self_zone_west](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource | | [aws_security_group.additional_eks_cluster_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group.all_worker_mgmt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group_rule.allow_sidecar_injection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource | | [null_resource.kube_config_create](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | | 
[aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | @@ -65,7 +90,10 @@ kube-proxy | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | | [aws_subnet.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | +| [aws_subnets.container_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | +| [aws_subnets.lb_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | | [aws_subnets.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | +| [aws_vpc.dummy_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | | [aws_vpc.eks_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | ## Inputs @@ -73,24 +101,29 @@ kube-proxy | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [access\_entries](#input\_access\_entries) | Map of access entries to add to the cluster | `any` | `{}` | no | -| [aws\_environment](#input\_aws\_environment) | AWS Environment (govcloud \| east-west) | `string` | `""` | no | | [census\_private\_cidr](#input\_census\_private\_cidr) | Census Private CIR Blocks | `list(string)` |
[
"148.129.0.0/16",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | | [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | This allows to access the cluster from IEB cloud host | `bool` | `false` | no | | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes | | [cluster\_version](#input\_cluster\_version) | The Kubernetes version number to use for this EKS cluster. See https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html | `string` | `"1.27"` | no | -| [domain](#input\_domain) | The DNS domain name of the cluster. | `string` | n/a | yes | | [eks\_instance\_disk\_size](#input\_eks\_instance\_disk\_size) | The size of the disk of the worker nodes in gigabytes. 40 is the approximate minimum. Needs to hold the all of the normal operating system files plus every image that will be used in the cluster. | `number` | `80` | no | | [eks\_instance\_types](#input\_eks\_instance\_types) | EKS worker node instance types | `list(string)` |
[
"t3.xlarge"
]
| no | | [eks\_ng\_desired\_size](#input\_eks\_ng\_desired\_size) | Node Group desired size | `number` | `4` | no | | [eks\_ng\_max\_size](#input\_eks\_ng\_max\_size) | Node Group maximum size | `number` | `15` | no | | [eks\_ng\_min\_size](#input\_eks\_ng\_min\_size) | Node Group minimum size | `number` | `4` | no | | [enable\_cluster\_creator\_admin\_permissions](#input\_enable\_cluster\_creator\_admin\_permissions) | Indicates whether or not to add the cluster creator (the identity used by Terraform) as an administrator via access entry | `bool` | `false` | no | -| [operators\_ns](#input\_operators\_ns) | Namespace to create where operators will be installed. | `string` | `"operators"` | no | +| [lb\_subnets\_name](#input\_lb\_subnets\_name) | Define the name of the subnets to be used by this cluster | `string` | `"*-private-lb-*"` | no | +| [os\_username](#input\_os\_username) | OS username from environment variable, ideally as $USER | `string` | `null` | no | | [profile](#input\_profile) | AWS config profile | `string` | `""` | no | +| [region](#input\_region) | AWS config region | `string` | `""` | no | +| [region\_map](#input\_region\_map) | AWS region map | `map(string)` |
{
"east": "us-gov-east-1",
"west": "us-gov-west-1"
}
| no | +| [route53\_endpoints](#input\_route53\_endpoints) | Map of target route53 endpoints (for inbound) central VPCs | `map(map(string))` |
{
"route53_main": {
"account_id": "269244441389",
"alias": "lab-gov-network-nonprod",
"us-gov-east-1": "vpc-070595c5b133243dd",
"us-gov-west-1": "vpc-08b7b4db6a5ddf9c1"
}
}
| no | +| [shared\_vpc\_label](#input\_shared\_vpc\_label) | Label to use for shared VPC for flowlogs and other things | `string` | `null` | no | | [subnets\_name](#input\_subnets\_name) | Define the name of the subnets to be used by this cluster | `string` | `"*-container-*"` | no | | [tag\_costallocation](#input\_tag\_costallocation) | Tag CostAllocation (default) | `string` | `"csvd:infrastructure"` | no | | [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no | +| [vpc\_domain\_name](#input\_vpc\_domain\_name) | The DNS domain name of the vpc the cluster is in. | `string` | n/a | yes | | [vpc\_name](#input\_vpc\_name) | Define the VPC name that will be used by this cluster | `string` | n/a | yes | +| [zone\_ids](#input\_zone\_ids) | List of Route53 PHZ IDs to associate with a (local/remote) VPC | `list(string)` | `[]` | no | ## Outputs @@ -100,7 +133,6 @@ kube-proxy | [cloudwatch\_log\_group\_name](#output\_cloudwatch\_log\_group\_name) | Name of cloudwatch log group created | | [cluster\_addons](#output\_cluster\_addons) | Map of attribute maps for all EKS cluster addons enabled | | [cluster\_arn](#output\_cluster\_arn) | The Amazon Resource Name (ARN) of the cluster | -| [cluster\_autoscaler\_role\_name](#output\_cluster\_autoscaler\_role\_name) | | | [cluster\_certificate\_authority\_data](#output\_cluster\_certificate\_authority\_data) | Base64 encoded certificate data required to communicate with the cluster | | [cluster\_endpoint](#output\_cluster\_endpoint) | Endpoint for your Kubernetes API server | | [cluster\_fqdn](#output\_cluster\_fqdn) | The cluster\_name.domain | 
@@ -126,6 +158,7 @@ kube-proxy | [kms\_key\_policy](#output\_kms\_key\_policy) | The IAM resource policy set on the key | | [module\_name](#output\_module\_name) | The name of this module. | | [module\_version](#output\_module\_version) | The version of this module. | +| [node\_group\_name](#output\_node\_group\_name) | name of the node group created for use by karpenter | | [node\_security\_group\_arn](#output\_node\_security\_group\_arn) | Amazon Resource Name (ARN) of the node shared security group | | [node\_security\_group\_id](#output\_node\_security\_group\_id) | ID of the node shared security group | | [oidc\_provider](#output\_oidc\_provider) | The OpenID Connect identity provider (issuer URL without leading `https://`) | diff --git a/aws_data.tf b/aws_data.tf index 7dead47..fb1697a 100644 --- a/aws_data.tf +++ b/aws_data.tf @@ -5,34 +5,3 @@ data "aws_region" "current" {} data "aws_arn" "current" { arn = data.aws_caller_identity.current.arn } -data "aws_subnets" "container-subnets" { - filter { - name = "tag:Name" - values = [local.container_subnets_name] - } - filter { - name = "vpc-id" - values = [data.aws_vpc.eks_vpc.id] - } -} -data "aws_subnets" "lb-subnets" { - filter { - name = "tag:Name" - values = [local.lb_subnets_name] - } - filter { - name = "vpc-id" - values = [data.aws_vpc.eks_vpc.id] - } -} -locals { - container_subnets_name = var.subnets_name - lb_subnets_name = var.lb_subnets_name - base_arn = format("arn:%v:%%v:%v:%v:%%v:%%v", data.aws_arn.current.partition, data.aws_region.current.name, data.aws_caller_identity.current.account_id) - iam_arn = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) - common_arn = format("arn:%v:%%v:%v:%v:%%v", - data.aws_arn.current.partition, - data.aws_region.current.name, - data.aws_caller_identity.current.account_id) - -} diff --git a/cluster_admin_group.tf.disable b/cluster_admin_group.tf.disable deleted file mode 100644 index 5ee158f..0000000 
--- a/cluster_admin_group.tf.disable +++ /dev/null @@ -1,12 +0,0 @@ -module "group_cluster-admin" { - source = "git@github.e.it.census.gov:terraform-modules/aws-iam-group.git" - - group_name = format("%v%v-cluster-admin", local._prefixes["eks"], var.cluster_name) - attached_policies = [aws_iam_policy.cluster-admin-policy.arn, aws_iam_policy.cluster-admin_assume_policy.arn] - - tags = merge( - local.base_tags, - var.tags, - ) -} - diff --git a/cluster_admin_policies.tf.disable b/cluster_admin_policies.tf.disable deleted file mode 100644 index ea3f658..0000000 --- a/cluster_admin_policies.tf.disable +++ /dev/null 
@@ -1,129 +0,0 @@ -#--- -# cluster admin policy -#--- -locals { - eks_resources = ["cluster", "addon", "nodegroup", "identityproviderconfig"] - - admin_policy_statements = { - ECRRead = { - actions = [ - "ecr:Describe*", - "ecr:Get*", - "ecr:ListImages", - "ecr:BatchGetImage", - "ecr:BatchCheckLayerAvailability", - "ecr:GetDownloadUrlForLayer", - ] - resources = ["*"] - } - ECRWrite = { - actions = [ - "ecr:BatchDeleteImage", - "ecr:CompleteLayerUpload", - "ecr:CreateRepository", - "ecr:DeleteRepository", - "ecr:InitiateLayerUpload", - "ecr:PutImage", - "ecr:UploadLayerPart" - ] - resources = [format(local.common_arn, "ecr", format("repository/eks/%v/* ", var.cluster_name))] - } - EKSRead = { - actions = [ - "eks:ListClusters", - "eks:ListAddons", - "eks:ListNodegroups", - "eks:DescribeCluster", - "eks:DescribeAddon*", - "eks:DescribeNodegroup", - ] - resources = [ - format(local.common_arn, "eks", "cluster/*"), - format(local.common_arn, "eks", "addon/*"), - format(local.common_arn, "eks", "addons/*"), - format(local.common_arn, "eks", "/addons/*"), - format(local.common_arn, "eks", "nodegroup/*"), - ] - } - IAMRead = { - actions = [ - "iam:ListRoles", - ] - resources = ["*"] - } - SSMGet = { - actions = [ - "ssm:GetParameter", - ] - resources = [ - format("arn:%v:%v:%v:%v:%v", data.aws_arn.current.partition, "ssm", data.aws_region.current.name, "", "parameter/aws/service/eks/*") - ] - } - EKSReadMyClusters = { - actions = [ - "eks:List*", - "eks:Read*", - "eks:Describe*", - "eks:AccessKubernetesApi", - ] - resources = flatten(concat( - tolist([format(local.common_arn, "eks", format("/clusters/%v/addons", var.cluster_name))]), - [for r in local.eks_resources : tolist([ - format(local.common_arn, "eks", format("%v/%v", r, var.cluster_name)), - format(local.common_arn, "eks", format("%v/%v/*", r, var.cluster_name)) - ])])) - } - } -} - -data "aws_iam_policy_document" "cluster-admin-policy" { - dynamic "statement" { - for_each = local.admin_policy_statements - 
iterator = s - content { - sid = format("%v%vAccess", lookup(s.value, "effect", "Allow"), s.key) - effect = lookup(s.value, "effect", "Allow") - actions = lookup(s.value, "actions", []) - resources = lookup(s.value, "resources", []) - } - } -} - -resource "aws_iam_policy" "cluster-admin-policy" { - name = format("%v%v-cluster-admin", local._prefixes["eks-policy"], var.cluster_name) - path = "/" - description = "Allow for administration of the cluster ${var.cluster_name} using AWS resources" - policy = data.aws_iam_policy_document.cluster-admin-policy.json - - tags = merge( - local.base_tags, - var.tags, - ) -} - -#--- -# cluster admin assume policy -#--- -resource "aws_iam_policy" "cluster-admin_assume_policy" { - name = format("%v%v-cluster-admin-assume", local._prefixes["eks-policy"], var.cluster_name) - path = "/" - description = "Allow for assume role to the cluster-admin role for ${var.cluster_name}" - policy = data.aws_iam_policy_document.cluster-admin_assume_policy.json - - tags = merge( - local.base_tags, - var.tags, - var.application_tags, - tomap({ "Name" = format("%v%v-cluster-admin-assume", local._prefixes["eks-policy"], var.cluster_name) }), - ) -} - -data "aws_iam_policy_document" "cluster-admin_assume_policy" { - statement { - sid = "AllowSTSAssumeClusterAdminRole" - effect = "Allow" - actions = ["sts:AssumeRole"] - resources = [module.role_cluster-admin.role_arn] - } -} - diff --git a/cluster_admin_roles.tf.disable b/cluster_admin_roles.tf.disable deleted file mode 100644 index 0c2a97c..0000000 --- a/cluster_admin_roles.tf.disable +++ /dev/null 
@@ -1,26 +0,0 @@ -#--- -# cluster-admin -#--- -module "role_cluster-admin" { - source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git" - - role_name = format("%v%v-cluster-admin", local._prefixes["eks"], var.cluster_name) - role_description = "SAML EKS cluster admin Role for ${var.cluster_name}" - enable_ldap_creation = false - assume_policy_document = data.aws_iam_policy_document.allow_sts.json - # assume_policy_document = data.aws_iam_policy_document.cluster-admin_combined.json - attached_policies = [aws_iam_policy.cluster-admin-policy.arn] - - tags = merge( - local.base_tags, - local.common_tags, - var.tags, - var.application_tags, - ) -} - -output "role_cluster-admin-role_arn" { - description = "Role ARN for EKS Cluster Admin Role" - value = module.role_cluster-admin.role_arn -} - diff --git a/dns_zones.tf b/dns_zones.tf index c54d080..af4f1fd 100644 --- a/dns_zones.tf +++ b/dns_zones.tf 
@@ -1,15 +1,39 @@ #------------------------------------------------- -# DNS Zone for EKS +# DNS Zone for EKS #------------------------------------------------- + +#------------------------------------------------- +# Locals +#------------------------------------------------- +data "aws_subnets" "container_subnets" { + filter { + name = "tag:Name" + values = [local.container_subnets_name] + } + filter { + name = "vpc-id" + values = [data.aws_vpc.eks_vpc.id] + } +} +data "aws_subnets" "lb_subnets" { + filter { + name = "tag:Name" + values = [local.lb_subnets_name] + } + filter { + name = "vpc-id" + values = [data.aws_vpc.eks_vpc.id] + } +} locals { + container_subnets_name = var.subnets_name + lb_subnets_name = var.lb_subnets_name cluster_domain_name = format("%v.%v", var.cluster_name, var.vpc_domain_name) cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) - account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew" - region_short = join("", [for c in split("-", var.region) : substr(c, 0, 1)]) zone_ids = compact(var.zone_ids) } #------------------------------------------------- -# Providers for Cross Account DNS Action +# Providers for Cross Account DNS Action #------------------------------------------------- provider "aws" { alias = "route53_main_east" @@ -31,6 +55,7 @@ provider "aws" { provider "aws" { alias = "self" + # Commented as in testing we are assuming this role already # assume_role { # role_arn = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) # session_name = var.os_username 
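Review bot: The new comment on the `aws.self` provider records that `assume_role` is commented out because "in testing we are assuming this role already", which leaves a testing shortcut baked into the module: with the block disabled, `aws.self` is just the default credential chain, so any resource that selects `provider = aws.self` runs as whatever identity invoked Terraform rather than the `r-inf-terraform` role the commented code names. If that role is required outside of tests, gate it rather than deleting it, e.g. a `variable "assume_self_role"` defaulting to `true` that drives a `dynamic "assume_role"` block; at minimum reword the comment so the intent is unambiguous: `# TODO(review): assume_role disabled for local testing only; restore (or gate on a variable) before applying with production credentials`. The provider block continues outside the hunk, so I cannot see whether anything else constrains it.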
@@ -77,16 +102,6 @@ resource "aws_route53_zone_association" "self_zone_east" { depends_on = [aws_route53_vpc_association_authorization.self_zone] } -#--- -# zone list -#--- -data "aws_route53_zone" "zones" { - provider = aws.self - for_each = toset(local.zone_ids) - zone_id = each.key - private_zone = true -} - resource "aws_route53_zone" "cluster_domain" { name = local.cluster_domain_name comment = local.cluster_domain_description @@ -121,10 +136,10 @@ data "aws_vpc" "dummy_vpc" { name = "tag:Name" values = ["vpc0-dummy"] } - # filter { - # name = "tag:eks-cluster-name" - # values = [var.cluster_name] - # } + filter { + name = "tag:eks-cluster-name" + values = [var.cluster_name] + } } resource "aws_vpc" "vpc" { @@ -134,20 +149,22 @@ resource "aws_vpc" "vpc" { tags = merge( var.tags, { "Name" = "vpc0-dummy" }, + { "eks-cluster-name" = var.cluster_name } ) } + # Tag existing subnets for EKS # Container subnets under data.aws_subnets.container-subnets # Load Balance subnets under data.aws_subnets.lb-subnets -resource "aws_ec2_tag" "container-subnets" { - for_each = toset(data.aws_subnets.container-subnets.ids) +resource "aws_ec2_tag" "container_subnets" { + for_each = toset(data.aws_subnets.container_subnets.ids) resource_id = each.value key = "kubernetes.io/cluster/${var.cluster_name}" value = "shared" } -resource "aws_ec2_tag" "lb-subnets" { - for_each = toset(data.aws_subnets.lb-subnets.ids) +resource "aws_ec2_tag" "lb_subnets" { + for_each = toset(data.aws_subnets.lb_subnets.ids) resource_id = each.value key = "kubernetes.io/role/internal-nlb" value = "1" diff --git a/examples/simple/eks.tf b/examples/simple/eks.tf index 5a851d1..48b55c5 100644 --- a/examples/simple/eks.tf +++ b/examples/simple/eks.tf 
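Review bot: Enabling the `tag:eks-cluster-name` filter on `data.aws_vpc.dummy_vpc` makes it match only a VPC carrying the tag that `aws_vpc.vpc` in the same file now adds; if the data source is meant to resolve that resource's VPC, the lookup will fail on a first apply (no VPC yet matches both filters) unless the data block carries `depends_on = [aws_vpc.vpc]` or callers reference `aws_vpc.vpc.id` directly, and the top of the data block is outside the hunk so I cannot see whether that dependency exists. Worth confirming with a clean apply of `examples/testing`, and documenting the relationship above the data source, e.g. `# Looks up the per-cluster dummy VPC created by aws_vpc.vpc below; ordering is enforced via depends_on`. Separately, unchanged here but on the new side: the tag written to the LB subnets is `kubernetes.io/role/internal-nlb`, whereas the AWS Load Balancer Controller auto-discovers internal subnets via `kubernetes.io/role/internal-elb`; if nothing else consumes the `internal-nlb` key, subnet discovery for internal load balancers will not work.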
@@ -1,6 +1,5 @@ module "eks" { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git//" - #source = "git@github.it.census.gov:SOA/tfmod-eks.git//?ref=v1.0.0" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=1.0.1" vpc_name = var.vpc_name diff --git a/examples/simple/providers.tf b/examples/simple/providers.tf index ce03e7a..c4b7c92 100644 --- a/examples/simple/providers.tf +++ b/examples/simple/providers.tf @@ -1,7 +1,15 @@ terraform { required_version = ">= 1.5.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 5.14.0" + } + } } + provider "aws" { profile = var.profile region = var.region diff --git a/examples/terragrunt.hcl b/examples/terragrunt.hcl new file mode 100644 index 0000000..3181d3e --- /dev/null +++ b/examples/terragrunt.hcl 
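Review bot: The simple example now pins the module to `?ref=1.0.1`, but the CHANGELOG added in this same commit lists `0.1.0 (2024-08-02)` as the only release and `.cz.yaml` derives versions from SCM tags with `tag_format: $version`, so it is not clear a `1.0.1` tag exists; confirm the tag, or use the relative `source = "../.."` that `examples/testing` uses so the example tracks the code it ships with. Pinning to a tag is the right direction, though a tag is mutable; a comment such as `# pin to a release tag (or an immutable commit SHA via ?ref=<sha>) — never an unpinned branch` would make the expectation explicit for people copying the example.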
@@ -0,0 +1,51 @@ +locals { + account_id = 123456789012 + region = "us-gov-east-1" + vpc_name = "vpc3-lab-dev" + cluster_name = "example-cluster" + cluster_version = "1.30" + vpc_domain_name = "dev.lab.csp2.census.gov" + eks_instance_disk_size = 100 + eks_vpc_name = "vpc3-lab-dev" + eks_ng_desired_size = 1 + eks_ng_max_size = 10 + eks_ng_min_size = 1 + operators_ns = "operators" + enable_cluster_creator_admin_permissions = true + cluster_endpoint_public_access = true + profile = "224384469011-lab-dev-gov" + cluster_mailing_list = "csvd@census.gov" + + # Tags applied to AWS objects created + tags = { + "Environment" = "dev" + "slim:schedule" = "8:00-17:00" + "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}" + } +} + +terraform { + source = "../../tfmod-eks" + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20m"] + } +} + +inputs = { + profile = local.profile + vpc_name = local.eks_vpc_name + cluster_name = local.cluster_name + cluster_version = local.cluster_version + eks_instance_disk_size = local.eks_instance_disk_size + eks_ng_desired_size = local.eks_ng_desired_size + eks_ng_max_size = local.eks_ng_max_size + eks_ng_min_size = local.eks_ng_min_size + enable_cluster_creator_admin_permissions = local.enable_cluster_creator_admin_permissions + cluster_endpoint_public_access = local.cluster_endpoint_public_access + tags = local.tags + vpc_domain_name = local.vpc_domain_name + region = local.region + os_username = local.cluster_mailing_list + shared_vpc_label = "dev" +} diff --git a/examples/testing/eks.tf b/examples/testing/eks.tf index 5c958ce..f5c3f2f 100644 --- a/examples/testing/eks.tf +++ b/examples/testing/eks.tf @@ -1,5 +1,4 @@ module "eks" { - # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git//" source = "../.." vpc_name = var.vpc_name 
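Review bot: The terragrunt example hard-codes environment-specific identifiers — `profile = "224384469011-lab-dev-gov"` carries an account-id-like prefix, and `vpc_domain_name` and `cluster_mailing_list` name a specific internal environment; examples are copied as-is, so placeholder values such as `profile = "<aws-profile>"` keep real account references out of the history. `account_id` and `operators_ns` are defined in `locals` but never passed in `inputs` (and the `operators_ns` variable is removed in variables.tf in this commit), so both are dead. `os_username = local.cluster_mailing_list` feeds a mailing-list address into a variable that variables.tf describes as "OS username from environment variable, ideally as $USER" — either the description or the example is wrong. `cluster_endpoint_public_access = true` is set without a note; a comment marking it as a lab-only setting would keep it from being copied into non-lab environments.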
diff --git a/examples/testing/providers.tf b/examples/testing/providers.tf index ce03e7a..d88db95 100644 --- a/examples/testing/providers.tf +++ b/examples/testing/providers.tf @@ -1,5 +1,12 @@ terraform { required_version = ">= 1.5.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 5.14.0" + } + } } provider "aws" { diff --git a/examples/testing/variables.tf b/examples/testing/variables.tf index 6369824..2e107e9 100644 --- a/examples/testing/variables.tf +++ b/examples/testing/variables.tf @@ -78,4 +78,4 @@ variable "tags" { description = "AWS Tags to apply to appropriate resources" type = map(string) default = {} -} \ No newline at end of file +} diff --git a/irsa_roles.tf b/irsa_roles.tf index db5a487..a1129b5 100644 --- a/irsa_roles.tf +++ b/irsa_roles.tf @@ -1,3 +1,4 @@ +# tflint-ignore: terraform_module_version module "vpc_cni_irsa_role" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" @@ -15,6 +16,7 @@ module "vpc_cni_irsa_role" { tags = local.tags } +# tflint-ignore: terraform_module_version module "ebs_csi_irsa_role" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" @@ -30,6 +32,7 @@ module "ebs_csi_irsa_role" { tags = local.tags } +# tflint-ignore: terraform_module_version module "efs_csi_irsa_role" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" 
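Review bot: Each `# tflint-ignore: terraform_module_version` silences the warning instead of fixing it — the `terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks` sources in the vpc_cni, ebs_csi and efs_csi blocks (and the cloudwatch block in the next hunk) carry no `version` argument, and module versions are not recorded in the dependency lock file, so each `terraform init` resolves the newest registry release and the IAM trust and permission policies these roles receive can change without a commit. Pin them with `version = "<pinned module version>"` under each `source` and drop the ignore comments. If the rule is disabled because the registry is unreachable from the target environment, a comment saying so would explain the suppression.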
@@ -45,19 +48,19 @@ module "efs_csi_irsa_role" { tags = local.tags } -module "cluster_autoscaler_irsa_role" { +# tflint-ignore: terraform_module_version +module "cloudwatch_observability_irsa_role" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - role_name = "${var.cluster_name}-cluster-autoscaler" - - attach_cluster_autoscaler_policy = true - - cluster_autoscaler_cluster_names = [module.cluster.cluster_name] + role_name = "${var.cluster_name}-cloudwatch-observability" + attach_cloudwatch_observability_policy = true oidc_providers = { main = { - provider_arn = module.cluster.oidc_provider_arn - namespace_service_accounts = ["kube-system:cluster-autoscaler"] + provider_arn = module.cluster.oidc_provider_arn + namespace_service_accounts = [ + "amazon-cloudwatch:cloudwatch-agent" + ] } } tags = local.tags diff --git a/istio_ports.tf.disable b/istio_ports.tf.disable deleted file mode 100644 index 7351588..0000000 --- a/istio_ports.tf.disable +++ /dev/null 
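Review bot: Replacing `module "cluster_autoscaler_irsa_role"` with `module "cloudwatch_observability_irsa_role"` is a functional change — the next apply destroys the `${var.cluster_name}-cluster-autoscaler` IAM role and creates the CloudWatch one — inside a commit described as lint fixes, so it deserves its own changelog entry and a check that no cluster-autoscaler deployment still assumes the old role (the matching output in outputs.tf is already commented out, which suggests the removal is intended). The new role's trust is scoped to `amazon-cloudwatch:cloudwatch-agent`, which is appropriately narrow; a one-line comment above the module naming the add-on it serves, `# role for the amazon-cloudwatch-observability add-on (see main.tf cluster_addons)`, would tie the two together. This block also lacks a `version` pin, as noted on the earlier irsa_roles.tf hunks.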
@@ -1,84 +0,0 @@ -locals { - istio_ports = [ - { - description = "Envoy admin port / outbound" - from_port = 15000 - to_port = 15001 - }, - { - description = "Debug port" - from_port = 15004 - to_port = 15004 - }, - { - description = "Envoy inbound" - from_port = 15006 - to_port = 15006 - }, - { - description = "HBONE mTLS tunnel port / secure networks XDS and CA services (Plaintext)" - from_port = 15008 - to_port = 15010 - }, - { - description = "XDS and CA services (TLS and mTLS)" - from_port = 15012 - to_port = 15012 - }, - { - description = "Control plane monitoring" - from_port = 15014 - to_port = 15014 - }, - { - description = "Control plane monitoring" - from_port = 15017 - to_port = 15017 - }, - { - description = "Merged Prometheus telemetry data from Istio agent, Envoy, and application, Health checks" - from_port = 15020 - to_port = 15021 - }, - { - description = "DNS port" - from_port = 15053 - to_port = 15053 - }, - { - description = "Envoy Prometheus telemetry" - from_port = 15090 - to_port = 15090 - }, - { - description = "aws-load-balancer-controller" - from_port = 9443 - to_port = 9443 - }, - ] - - ingress_rules = { - for ikey, ivalue in local.istio_ports : - "${ikey}_ingress" => { - description = ivalue.description - protocol = "tcp" - from_port = ivalue.from_port - to_port = ivalue.to_port - type = "ingress" - self = true - } - } - - egress_rules = { - for ekey, evalue in local.istio_ports : - "${ekey}_egress" => { - description = evalue.description - protocol = "tcp" - from_port = evalue.from_port - to_port = evalue.to_port - type = "egress" - self = true - } - } - -} diff --git a/main.tf b/main.tf index 60f4400..f444ab0 100644 --- a/main.tf +++ b/main.tf 
@@ -34,17 +34,16 @@ locals { base_tags = { "eks-cluster-name" = var.cluster_name - "boc:tf_module_version" = local._module_version + "boc:tf_module_name" = local.module_name + "boc:tf_module_version" = local.module_version "boc:created_by" = "terraform" CostAllocation = var.tag_costallocation } - # TBD - Why do we need nlb-policy additional_policies = { - # 'nlb-policy' = aws_iam_policy.nlb-policy.arn } - ng_name = format("%v%v-nodegroup", local._prefixes["eks"], var.cluster_name) + ng_name = format("%v%v-nodegroup", local.prefixes["eks"], var.cluster_name) tags = merge(local.base_tags, var.tags) @@ -53,7 +52,7 @@ locals { # This is done especially since access entries are fairly course grained, especially given the granularity we can achieve via EKS native # RBAC constructs in Roles and ClusterRoles and bindings. # This below is just an example, in practice we'd notionally be creating a role (or multiple) specific to the cluster and setting policy - # to allow the cluster users to assume said role; but we need to spend some time parsing what exactly are the permissions we plan to hand + # to allow the cluster users to assume said role; but we need to spend some time parsing what exactly are the permissions we plan to hand # out to these clusters. access_entries = { inf-admin-t2 = { @@ -73,7 +72,6 @@ locals { module "cluster" { source = "git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git?ref=v20.20.0" - #version = "19.16.0" cluster_name = var.cluster_name cluster_version = var.cluster_version @@ -82,8 +80,8 @@ module "cluster" { access_entries = local.access_entries cluster_enabled_log_types = [ - "audit", "api", + "audit", "authenticator", "controllerManager", "scheduler", 
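Review bot: `additional_policies = {}` is left behind as an empty map with the `TBD` comment about nlb-policy removed, so the open question it recorded is lost rather than answered; either delete the local if nothing reads it, or keep a one-line comment such as `# intentionally empty; extra node-role policies would be attached here`. The `locals` block starts outside the hunk, so whether `additional_policies` is still referenced cannot be confirmed from here.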
@@ -111,6 +109,13 @@ module "cluster" { most_recent = true service_account_role_arn = module.efs_csi_irsa_role.iam_role_arn } + amazon-cloudwatch-observability = { + most_recent = true + service_account_role_arn = module.cloudwatch_observability_irsa_role.iam_role_arn + } + snapshot-controller = { + most_recent = true + } } eks_managed_node_group_defaults = { @@ -170,7 +175,7 @@ resource "aws_security_group_rule" "allow_sidecar_injection" { # Update KubeConfig after cluster complete ################################################################ resource "null_resource" "kube_config_create" { - depends_on = [module.cluster.cluster_name] + depends_on = [module.cluster.time_sleep] provisioner "local-exec" { interpreter = ["/bin/bash", "-c"] command = "aws eks --region ${data.aws_region.current.name} update-kubeconfig --name ${module.cluster.cluster_name} --profile=${var.profile} && export KUBE_CONFIG_PATH=~/.kube/config && export KUBERNETES_MASTER=~/.kube/config" diff --git a/node_ports.tf.disable b/node_ports.tf.disable deleted file mode 100644 index 403a3d6..0000000 --- a/node_ports.tf.disable +++ /dev/null 
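Review bot: The new `amazon-cloudwatch-observability` and `snapshot-controller` add-ons use `most_recent = true` with no `addon_version`, so each apply may silently upgrade them to whatever AWS publishes next (the surrounding add-ons already follow the same pattern). For a module that consumers pin by tag, consider `addon_version = "<pinned addon version>"` alongside `most_recent`, or a comment stating that floating add-on versions are accepted for this cluster. The `cluster_addons` map and the `module "cluster"` block start outside the hunk.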
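Review bot: `depends_on = [module.cluster.time_sleep]` only works if the fork of terraform-aws-eks pinned at `v20.20.0` defines an output named `time_sleep`; confirm that against the fork rather than relying on init to catch it. While this resource is being touched, the `export KUBE_CONFIG_PATH=...` and `export KUBERNETES_MASTER=...` in the `local-exec` command only affect the provisioner's own bash process and are lost when it exits, so they suggest a persistence that does not exist; either drop them or document that the operator must set them. `--profile=${var.profile}` also passes `--profile=` when `profile` keeps its default `""` (variables.tf), which the AWS CLI is likely to reject; `%{ if var.profile != "" }--profile=${var.profile}%{ endif }` keeps the default usable.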
@@ -1,45 +0,0 @@ -locals { - ingress_rules { - ingress_nodes_ephemeral = { - "description" = "Node to node ingress on ephemeral ports" - "protocol" = -1 - "from_port" = 0 - "to_port" = 0 - "type" = "ingress" - "self" = true - } - } -# ingress_nodes_ephemeral = { -# "description": "Node to node ingress on ephemeral ports custom", -# "protocol": -1, -# "from_port": 0, -# "to_port": 0, -# "type": "ingress", -# "self": true -# } -} - - - # { - # "cidr_blocks": [], - # "description": "Envoy inbound", - # "from_port": 15006, - # "ipv6_cidr_blocks": [], - # "prefix_list_ids": [], - # "protocol": "tcp", - # "security_groups": [], - # "self": true, - # "to_port": 15006 - # }, - -# ingress_rules = { -# for ikey, ivalue in local.istio_ports : -# "${ikey}_ingress" => { -# description = ivalue.description -# protocol = "tcp" -# from_port = ivalue.from_port -# to_port = ivalue.to_port -# type = "ingress" -# self = true -# } -# } \ No newline at end of file diff --git a/outputs.tf b/outputs.tf index 5db8b1a..15bc115 100644 --- a/outputs.tf +++ b/outputs.tf @@ -8,12 +8,12 @@ output "module_name" { description = "The name of this module." - value = local._module_name + value = local.module_name } output "module_version" { description = "The version of this module." - value = local._module_version + value = local.module_version } ################################################################################ @@ -281,5 +281,6 @@ output "self_managed_node_groups_autoscaling_group_names" { # value = module.cluster_autoscaler_irsa_role.iam_role_name # } output "node_group_name" { - value = local.ng_name + description = "name of the node group created for use by karpenter" + value = local.ng_name } diff --git a/prefixes.tf b/prefixes.tf index 03303f1..f677e0a 100644 --- a/prefixes.tf +++ b/prefixes.tf @@ -1,5 +1,5 @@ locals { - _prefixes = { + prefixes = { "efs" = "v-efs-" "s3" = "v-s3-" "ebs" = "v-ebs-" diff --git a/requirements.tf b/requirements.tf index 1bc9dda..2f6cccc 100644 
--- a/requirements.tf +++ b/requirements.tf @@ -6,25 +6,9 @@ terraform { source = "hashicorp/aws" version = ">= 5.14.0" } - cloudinit = { - source = "hashicorp/cloudinit" - version = ">= 2.3.2" - } - http = { - source = "hashicorp/http" - version = ">= 3.4.0" - } null = { source = "hashicorp/null" version = ">= 3.2.1" } - time = { - source = "hashicorp/time" - version = ">= 0.9.1" - } - tls = { - source = "hashicorp/tls" - version = ">= 4.0.4" - } } } diff --git a/security_groups.tf b/security_groups.tf index 2a46467..6683944 100644 --- a/security_groups.tf +++ b/security_groups.tf @@ -1,7 +1,7 @@ locals { - all_worker_mgmt_name = format("%v%v-all-worker-mgmt", local._prefixes["eks-security-group"], var.cluster_name) - additional_eks_cluster_sg_name = format("%v%v-cluster", local._prefixes["eks-security-group"], var.cluster_name) + all_worker_mgmt_name = format("%v%v-all-worker-mgmt", local.prefixes["eks-security-group"], var.cluster_name) + additional_eks_cluster_sg_name = format("%v%v-cluster", local.prefixes["eks-security-group"], var.cluster_name) } resource "aws_security_group" "all_worker_mgmt" { @@ -69,4 +69,3 @@ resource "aws_security_group" "additional_eks_cluster_sg" { cidr_blocks = ["0.0.0.0/0"] } } - diff --git a/sg_ports.tf b/sg_ports.tf index b93db24..8f9201c 100644 --- a/sg_ports.tf +++ b/sg_ports.tf 
@@ -1,57 +1,57 @@ locals { node_security_group_additional_rules = { - "ingress_nodes_ephemeral" = { - "description" = "Node to node ingress on ephemeral ports" - "from_port" = 80 - "protocol" = "tcp" - "self" = true - "to_port" = 65535 - "type" = "ingress" + ingress_nodes_ephemeral = { + description = "Node to node ingress on ephemeral ports" + from_port = 80 + protocol = "tcp" + self = true + to_port = 65535 + type = "ingress" } # metrics-server ingress_cluster_4443_webhook = { description = "Cluster API to node 4443/tcp webhook" - protocol = "tcp" from_port = 4443 + protocol = "tcp" + source_cluster_security_group = true to_port = 4443 type = "ingress" - source_cluster_security_group = true } # prometheus-adapter ingress_cluster_6443_webhook = { description = "Cluster API to node 6443/tcp webhook" - protocol = "tcp" from_port = 6443 + protocol = "tcp" + source_cluster_security_group = true to_port = 6443 type = "ingress" - source_cluster_security_group = true } # Karpenter ingress_cluster_8443_webhook = { description = "Cluster API to node 8443/tcp webhook" - protocol = "tcp" from_port = 8443 + protocol = "tcp" + source_cluster_security_group = true to_port = 8443 type = "ingress" - source_cluster_security_group = true } # ALB controller, NGINX ingress_cluster_9443_webhook = { description = "Cluster API to node 9443/tcp webhook" - protocol = "tcp" from_port = 9443 + protocol = "tcp" + source_cluster_security_group = true to_port = 9443 type = "ingress" - source_cluster_security_group = true } egress_all = { + cidr_blocks = ["0.0.0.0/0"] description = "Allow all egress" - protocol = "-1" from_port = 0 + protocol = "-1" to_port = 0 type = "egress" - cidr_blocks = ["0.0.0.0/0"] # ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? ["::/0"] : null } } -} \ No newline at end of file +} diff --git a/variables.tf b/variables.tf index 2481239..e83369e 100644 --- a/variables.tf +++ b/variables.tf 
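Review bot: `ingress_nodes_ephemeral` is described as "Node to node ingress on ephemeral ports" but opens `from_port = 80` through `to_port = 65535`, far wider than any ephemeral range (Linux defaults to 32768–60999, the IANA range starts at 49152) and including 80, 443 and every registered port; with `self = true` the exposure is limited to members of the node security group, but the mismatch hides the real rule from anyone reading descriptions in the console. Either raise `from_port` to the intended floor, e.g. `from_port = 1025`, or reword the description to say all TCP ports from 80 upward. The commented `ipv6_cidr_blocks` line references `var.cluster_ip_family`, which does not appear among the variables visible in this diff; if it does not exist, the comment is misleading and should go.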
@@ -73,12 +73,7 @@ variable "eks_ng_max_size" { default = 15 } -variable "operators_ns" { - description = "Namespace to create where operators will be installed." - type = string - default = "operators" -} - +# tflint-ignore: terraform_unused_declarations variable "access_entries" { description = "Map of access entries to add to the cluster" type = any @@ -113,24 +108,12 @@ variable "profile" { default = "" } -variable "account_id" { - description = "AWS account id" - type = string - default = "" -} - variable "region" { description = "AWS config region" type = string default = "" } -variable "aws_environment" { - description = "AWS Environment (govcloud | east-west)" - type = string - default = "" -} - variable "os_username" { description = "OS username from environment variable, ideally as $USER" type = string @@ -141,20 +124,6 @@ variable "os_username" { # DNS variables ################################################################### -variable "main_dns_vpcs" { - description = "Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS" - type = map(string) - default = { - "us-gov-east-1" = "vpc-070595c5b133243dd" - "us-gov-west-1" = "vpc-08b7b4db6a5ddf9c1" - } -} - -variable "main_dns_profile" { - description = "Profile name for AWS for the main DNS central account" - type = string - default = "269244441389-lab-gov-network-nonprod" -} variable "shared_vpc_label" { description = "Label to use for shared VPC for flowlogs and other things" diff --git a/version.tf b/version.tf index 04110bc..ae23120 100644 --- a/version.tf +++ b/version.tf @@ -1,4 +1,4 @@ locals { - _module_name = "tfmod-eks" - _module_version = "0.0.3" + module_name = "tfmod-eks" + module_version = "0.1.0" }
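Review bot: `# tflint-ignore: terraform_unused_declarations` on `variable "access_entries"` confirms the variable is never read — main.tf passes `access_entries = local.access_entries`, a hard-coded map — so a caller setting `access_entries` to grant cluster access silently gets nothing, which is a misleading access-control surface. Either wire it in with `access_entries = merge(local.access_entries, var.access_entries)` in main.tf or remove the variable; if it is intentionally reserved, say so in `description`. `type = any` also forgoes the shape check that `map(any)` would give. The variables.tf hunk continues below the `access_entries` declaration, outside this hunk.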