From 54692ae570e3aa7fa456d875dc1ac5eb016979f7 Mon Sep 17 00:00:00 2001 From: Matthew Creal Morgan Date: Tue, 13 Jan 2026 10:09:42 -0800 Subject: [PATCH] Add EKS addons to deprecate tg modules (#46) - now uses aws provider 6.x - eks module updated to 21.6.1 - k8s version 1.34 support - added ingress route for metrics-server - added ingress route for cert-manager - tags on resources removed as they should be handled at provider (also provider throws on dupe tags) - added cert-manager as eks-addon - added metrics-server as eks-addon - added eks-node-monitoring-agent as eks-addon - added before_compute = true to vpc-cni and ebs-pod-identity addons - updated node-pool label for karpenter.sh/controller = true --- README.md | 26 ++------- access_entries.tf => access-entries.tf | 7 ++- additional-sg-rules.tf | 68 ++++++++++++++++++++++++ additional_sg_rules.tf | 21 -------- aws_data.tf => aws-data.tf | 2 - cluster-admin.tf => cluster-admin.tf.off | 13 ++--- cluster-role.tf => cluster-role.tf.off | 5 +- irsa_roles.tf => irsa-roles.tf | 4 -- main.tf | 59 ++++++++++---------- requirements.tf | 2 +- securitygroup.ports.tf | 51 ++++++------------ security_groups.tf => securitygroups.tf | 33 +++--------- variables.tf | 16 +----- 13 files changed, 144 insertions(+), 163 deletions(-) rename access_entries.tf => access-entries.tf (87%) create mode 100644 additional-sg-rules.tf delete mode 100644 additional_sg_rules.tf rename aws_data.tf => aws-data.tf (95%) rename cluster-admin.tf => cluster-admin.tf.off (93%) rename cluster-role.tf => cluster-role.tf.off (94%) rename irsa_roles.tf => irsa-roles.tf (96%) rename security_groups.tf => securitygroups.tf (79%) diff --git a/README.md b/README.md index 6109608..70396bf 100644 --- a/README.md +++ b/README.md 
@@ -97,14 +97,14 @@ efs-csi-controller 0 5m | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | ~> 5.0 | +| [aws](#requirement\_aws) | ~> 6.0 | | [null](#requirement\_null) | ~> 3.2 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.100.0 | +| [aws](#provider\_aws) | 6.27.0 | | [null](#provider\_null) | 3.2.4 | | [terraform](#provider\_terraform) | n/a | @@ -113,7 +113,7 @@ efs-csi-controller 0 5m | Name | Source | Version | |------|--------|---------| | [cloudwatch\_observability\_irsa\_role](#module\_cloudwatch\_observability\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a | -| [cluster](#module\_cluster) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/ | v20.37.2 | +| [cluster](#module\_cluster) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/ | v21.11.0 | | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a | | [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a | | [vpc\_cni\_irsa\_role](#module\_vpc\_cni\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a | 
@@ -123,39 +123,23 @@ efs-csi-controller 0 5m | Name | Type | |------|------| | [aws_ec2_tag.container_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | -| [aws_iam_policy.cloudwatch-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.cluster-admin-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.nlb-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy_attachment.cluster-admin-attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | -| [aws_iam_role.role_cluster-admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role.role_eks-cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.eks-cluster-cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.eks-cluster-managed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.eks-cluster-nlb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_security_group.additional_eks_cluster_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group.all_worker_mgmt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | 
[aws_security_group.extra_cluster_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group_rule.allow_sidecar_injection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_vpc_security_group_egress_rule.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource | | [aws_vpc_security_group_ingress_rule.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource | -| [aws_vpc_security_group_ingress_rule.additional_ingress_rules_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource | | [null_resource.git_version](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [terraform_data.subnet_validation](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource | | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source | -| [aws_iam_policy.cluster_managed_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | -| [aws_iam_policy_document.allow_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.cloudwatch-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| 
[aws_iam_policy_document.cluster-admin-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.eks_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.nlb-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_roles.roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source | | [aws_iam_roles.sso_admins](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source | +| [aws_iam_roles.sso_devs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source | | [aws_iam_roles.sso_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source | | [aws_iam_session_context.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_session_context) | data source | | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | | [aws_subnet.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | | [aws_subnets.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | | [aws_vpc.eks_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | 
@@ -167,8 +151,6 @@ efs-csi-controller 0 5m | [access\_entries](#input\_access\_entries) | Map of access entries to add to the cluster | `any` | `{}` | no | | [census\_private\_cidr](#input\_census\_private\_cidr) | Census Private CIR Blocks | `list(string)` |
[
"148.129.0.0/16",
"172.16.0.0/12",
"192.168.0.0/16",
"10.0.0.0/16"
]
| no | | [cloudwatch\_retention\_days](#input\_cloudwatch\_retention\_days) | number of days to retain logs in cloudwatch | `string` | `"14"` | no | -| [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Whether the EKS cluster API server endpoint is privately accessible | `bool` | `true` | no | -| [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether the EKS cluster API server endpoint is publicly accessible | `bool` | `true` | no | | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes | | [cluster\_version](#input\_cluster\_version) | Kubernetes version to use for the EKS cluster | `string` | n/a | yes | | [eks\_instance\_disk\_size](#input\_eks\_instance\_disk\_size) | Size of the EKS node disk in GB | `number` | `80` | no | diff --git a/access_entries.tf b/access-entries.tf similarity index 87% rename from access_entries.tf rename to access-entries.tf index d206d07..5f9c6ea 100644 --- a/access_entries.tf +++ b/access-entries.tf @@ -10,6 +10,11 @@ data "aws_iam_roles" "sso_admins" { path_prefix = "/aws-reserved/sso.amazonaws.com/" } +data "aws_iam_roles" "sso_devs" { + name_regex = "AWSReservedSSO_sc-developer" + path_prefix = "/aws-reserved/sso.amazonaws.com/" +} + data "aws_iam_roles" "roles" { name_regex = "r-inf-terraform(-eks)" } @@ -38,7 +43,7 @@ locals { } } viewers = { - for arn in tolist(data.aws_iam_roles.sso_read.arns) : + for arn in concat(tolist(data.aws_iam_roles.sso_read.arns), tolist(data.aws_iam_roles.sso_devs.arns)) : arn => { principal_arn = arn kubernetes_groups = ["eks-console-dashboard-restricted-access-group"] diff --git a/additional-sg-rules.tf b/additional-sg-rules.tf new file mode 100644 index 0000000..f2b3c77 --- /dev/null +++ b/additional-sg-rules.tf 
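Review bot: The new `data "aws_iam_roles" "sso_devs"` filter `name_regex = "AWSReservedSSO_sc-developer"` is an unanchored substring match, so any permission set whose role name merely contains that text (a future `sc-developer-admin` or `sc-developer-ops` set, for example) is also folded into `viewers` by the concat in the second hunk and silently granted `eks-console-dashboard-restricted-access-group`. Anchoring the pattern to the SSO role naming scheme limits the grant to the one permission set: `name_regex = "^AWSReservedSSO_sc-developer_"`. The same check is worth applying to the existing `sso_admins` and `sso_read` filters, whose patterns are outside this hunk.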
@@ -0,0 +1,68 @@ +locals { + node_security_group_additional_rules = { + ingress_nodes_ephemeral = { + description = "Node to node ingress on ephemeral ports" + from_port = 80 + protocol = "tcp" + self = true + to_port = 65535 + type = "ingress" + } + # ALB controller, NGINX + ingress_cluster_9443_webhook = { + description = "Cluster API to node 9443/tcp webhook" + from_port = 9443 + protocol = "tcp" + source_cluster_security_group = true + to_port = 9443 + type = "ingress" + } + # no longer required as of k8s v1.34+ + # ingress_metrics_server = { + # description = "Metrics server" + # from_port = 10251 + # protocol = "tcp" + # source_cluster_security_group = true + # to_port = 10251 + # type = "ingress" + # } + ingress_cert_manager_webhook = { + description = "cert-manager webhook" + from_port = 10260 + protocol = "tcp" + source_cluster_security_group = true + to_port = 10260 + type = "ingress" + } + } + cluster_security_group_additional_rules = { + api_internal_148_129 = { + cidr_blocks = ["148.129.0.0/16"] + from_port = 443 + to_port = 443 + ip_protocol = "tcp" + description = "Census Internal 148.129/16" + }, + api_internal_192_168 = { + cidr_blocks = ["192.168.0.0/16"] + from_port = 443 + to_port = 443 + ip_protocol = "tcp" + description = "Census Internal 192.168/16" + }, + api_internal_172_16 = { + cidr_blocks = ["172.16.0.0/12"] + from_port = 443 + to_port = 443 + ip_protocol = "tcp" + description = "Census Internal 172.16/12" + }, + api_internal_10_0 = { + cidr_blocks = ["10.0.0.0/8"] + from_port = 443 + to_port = 443 + ip_protocol = "tcp" + description = "Census Internal 10/8" + } + } +} diff --git a/additional_sg_rules.tf b/additional_sg_rules.tf deleted file mode 100644 index ae2b6f1..0000000 --- a/additional_sg_rules.tf +++ /dev/null 
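Review bot: The four `cluster_security_group_additional_rules` entries hard-code the same networks that `var.census_private_cidr` already declares, and they disagree on the last one: this file opens the API server (443/tcp) to `10.0.0.0/8` while the variable default shown in the README hunk of this patch lists `10.0.0.0/16`, so either the allow-list is 256 times wider than documented or the variable default is stale. Deriving the rules from the variable removes the duplication and makes the intended scope a single decision; if /8 is really intended, change the variable default instead so the two cannot drift. These entries also mix `cidr_blocks` with `ip_protocol` and omit `type`, while the node rules at the top of the same file use `protocol`/`type`; confirm the shape matches the v21 module's `security_group_additional_rules` schema before merge, since an unexpected attribute fails at plan time.
```hcl
locals {
  # … unchanged: node_security_group_additional_rules …

  # One 443/tcp rule per trusted CIDR, sourced from the variable so the
  # API-server allow-list and var.census_private_cidr cannot drift apart.
  cluster_security_group_additional_rules = {
    for cidr in var.census_private_cidr :
    "api_internal_${replace(cidr, "/[./]/", "_")}" => {
      cidr_blocks = [cidr]
      from_port   = 443
      to_port     = 443
      ip_protocol = "tcp"
      description = "Census Internal ${cidr}"
    }
  }
}
```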
@@ -1,21 +0,0 @@ -locals { - node_security_group_additional_rules = { - ingress_nodes_ephemeral = { - description = "Node to node ingress on ephemeral ports" - from_port = 80 - protocol = "tcp" - self = true - to_port = 65535 - type = "ingress" - } - # ALB controller, NGINX - ingress_cluster_9443_webhook = { - description = "Cluster API to node 9443/tcp webhook" - from_port = 9443 - protocol = "tcp" - source_cluster_security_group = true - to_port = 9443 - type = "ingress" - } - } -} diff --git a/aws_data.tf b/aws-data.tf similarity index 95% rename from aws_data.tf rename to aws-data.tf index 4c35bb2..1402bc0 100644 --- a/aws_data.tf +++ b/aws-data.tf @@ -1,7 +1,5 @@ data "aws_caller_identity" "current" {} -data "aws_region" "current" {} - data "aws_arn" "current" { arn = data.aws_caller_identity.current.arn } diff --git a/cluster-admin.tf b/cluster-admin.tf.off similarity index 93% rename from cluster-admin.tf rename to cluster-admin.tf.off index 3f0efa5..fe06daf 100644 --- a/cluster-admin.tf +++ b/cluster-admin.tf.off @@ -1,9 +1,12 @@ #--- # cluster-admin +# This is deprecated by +# enable_cluster_creator_admin_permissions = var.enable_cluster_creator_admin_permissions +# in main.tf #--- locals { iam_arn = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) - common_arn = format("arn:%v:%%v:%v:%v:%%v", data.aws_arn.current.partition, data.aws_region.current.name, data.aws_caller_identity.current.account_id) + common_arn = format("arn:%v:%%v:%v:%v:%%v", data.aws_arn.current.partition, data.aws_region.current.id, data.aws_caller_identity.current.account_id) eks_resources = ["cluster", "addon", "nodegroup", "identityproviderconfig"] admin_policy_statements = { 
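Review bot: Removing `data "aws_region" "current"` from aws-data.tf while the same commit edits cluster-admin.tf.off to reference `data.aws_region.current.id` leaves the disabled file unable to be re-enabled by rename alone, which is presumably the reason it was kept as `.off` rather than deleted. Either delete the file (history keeps it) or add to its header `# requires data "aws_region" "current", removed from aws-data.tf` so the next maintainer is not surprised; cluster-role.tf.off is disabled the same way and deserves the same treatment. The replacement, `enable_cluster_creator_admin_permissions`, binds cluster-admin to whichever principal runs the apply rather than to the dedicated, separately assumable `role_cluster-admin`; that is a different trust boundary and deserves a sentence in the README so operators know who now holds admin.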
@@ -58,7 +61,7 @@ locals { "ssm:GetParameter", ] resources = [ - format("arn:%v:%v:%v:%v:%v", data.aws_arn.current.partition, "ssm", data.aws_region.current.name, "", "parameter/aws/service/eks/*") + format("arn:%v:%v:%v:%v:%v", data.aws_arn.current.partition, "ssm", data.aws_region.current.id, "", "parameter/aws/service/eks/*") ] } EKSReadMyClusters = { @@ -83,7 +86,6 @@ resource "aws_iam_role" "role_cluster-admin" { assume_role_policy = data.aws_iam_policy_document.allow_sts.json force_detach_policies = true - tags = var.tags } resource "aws_iam_policy_attachment" "cluster-admin-attach" { @@ -100,11 +102,6 @@ resource "aws_iam_policy" "cluster-admin-policy" { path = "/" description = "Allow for administration of the cluster ${var.cluster_name} using AWS resources" policy = data.aws_iam_policy_document.cluster-admin-policy.json - - tags = merge( - local.base_tags, - var.tags - ) } data "aws_iam_policy_document" "cluster-admin-policy" { diff --git a/cluster-role.tf b/cluster-role.tf.off similarity index 94% rename from cluster-role.tf rename to cluster-role.tf.off index 7347e64..be6d5a6 100644 --- a/cluster-role.tf +++ b/cluster-role.tf.off @@ -1,5 +1,8 @@ #--- -# cluster +# cluster role +# This is deprecated by +# enable_cluster_creator_admin_permissions = var.enable_cluster_creator_admin_permissions +# in main.tf #--- locals { cluster_managed_policy_list = [ diff --git a/irsa_roles.tf b/irsa-roles.tf similarity index 96% rename from irsa_roles.tf rename to irsa-roles.tf index 9d06500..f3e20b7 100644 --- a/irsa_roles.tf +++ b/irsa-roles.tf @@ -14,7 +14,6 @@ module "vpc_cni_irsa_role" { namespace_service_accounts = ["kube-system:aws-node"] } } - tags = local.tags } module "ebs_csi_irsa_role" { @@ -31,7 +30,6 @@ module "ebs_csi_irsa_role" { namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"] } } - tags = local.tags } module "efs_csi_irsa_role" { 
@@ -48,7 +46,6 @@ module "efs_csi_irsa_role" { namespace_service_accounts = ["kube-system:efs-csi-controller-sa"] } } - tags = local.tags } module "cloudwatch_observability_irsa_role" { @@ -67,5 +64,4 @@ module "cloudwatch_observability_irsa_role" { ] } } - tags = local.tags } diff --git a/main.tf b/main.tf index a3b1324..9c127fc 100644 --- a/main.tf +++ b/main.tf @@ -1,17 +1,10 @@ locals { additional_policies = {} - base_tags = { - "boc:eks_cluster_name" = var.cluster_name - "boc:tf_module_name" = local.module_name - "boc:tf_module_version" = local.module_version - "karpenter.sh/discovery" = var.cluster_name - } - max_tag_count = 45 - ng_name = format("%v%v-nodegroup", local.prefixes["eks"], var.cluster_name) - subnets = [for k, v in data.aws_subnet.subnets : v.id if length(regexall("us-east-1e", v.availability_zone)) == 0] - tags = merge(local.base_tags, var.tags) - vpc_cidr_block = data.aws_vpc.eks_vpc.cidr_block - vpc_id = data.aws_vpc.eks_vpc.id + max_tag_count = 45 + ng_name = format("%v%v-nodegroup", local.prefixes["eks"], var.cluster_name) + subnets = [for k, v in data.aws_subnet.subnets : v.id if length(regexall("us-east-1e", v.availability_zone)) == 0] + vpc_cidr_block = data.aws_vpc.eks_vpc.cidr_block + vpc_id = data.aws_vpc.eks_vpc.id } resource "terraform_data" "subnet_validation" { 
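Review bot: Dropping `base_tags` removes the only visible source of the `karpenter.sh/discovery = var.cluster_name` tag, and since `tags = local.tags` is also removed from `module "cluster"` further down main.tf, the node security group will no longer carry it unless the provider's `default_tags` supplies it. Karpenter selects security groups by that tag, so node launches could fail to find an SG; supplying it through `default_tags` instead marks every resource the provider creates as discoverable, which is broader than the cluster-scoped value removed here. If the v21 module still exposes `node_security_group_tags`, pass `node_security_group_tags = { "karpenter.sh/discovery" = var.cluster_name }` on the module so the tag stays scoped to the node SG.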
@@ -26,18 +19,18 @@ resource "terraform_data" "subnet_validation" { } module "cluster" { - source = "git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/?ref=v20.37.2" + source = "git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/?ref=v21.11.0" access_entries = local.access_entries cloudwatch_log_group_retention_in_days = var.cloudwatch_retention_days - cluster_endpoint_private_access = var.cluster_endpoint_private_access - cluster_endpoint_public_access = var.cluster_endpoint_public_access - cluster_name = var.cluster_name - cluster_upgrade_policy = { support_type = "STANDARD" } - cluster_version = var.cluster_version + endpoint_private_access = true + endpoint_public_access = false + name = var.cluster_name + upgrade_policy = { support_type = "STANDARD" } + kubernetes_version = var.cluster_version enable_cluster_creator_admin_permissions = var.enable_cluster_creator_admin_permissions - cluster_enabled_log_types = [ + enabled_log_types = [ "api", "audit", "authenticator", @@ -48,7 +41,7 @@ module "cluster" { vpc_id = local.vpc_id subnet_ids = local.subnets - cluster_addons = { + addons = { amazon-cloudwatch-observability = { most_recent = true service_account_role_arn = module.cloudwatch_observability_irsa_role.iam_role_arn 
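Review bot: The module pin `?ref=v21.11.0` does not match the commit message, which says the EKS module was updated to 21.6.1; please reconcile before merge so the history is reliable for audits (the README table in this patch also says v21.11.0). Hard-coding `endpoint_public_access = false` and `endpoint_private_access = true` is the right default for an internal cluster, but deleting the two `cluster_endpoint_*` variables is a breaking change for any caller that set them; call it out in the message and README. The private-only endpoint also makes the 443 rules in `cluster_security_group_additional_rules` the sole API path, so their CIDR scope deserves a second look in additional-sg-rules.tf.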
@@ -61,35 +54,48 @@ module "cluster" { most_recent = true service_account_role_arn = module.efs_csi_irsa_role.iam_role_arn } + cert-manager = { + most_recent = true + } coredns = { most_recent = true } - eks-pod-identity-agent = { + eks-node-monitoring-agent = { most_recent = true } + eks-pod-identity-agent = { + most_recent = true + before_compute = true + } kube-proxy = { most_recent = true } + # kube-state-metrics = { + # most_recent = true + # } + metrics-server = { + most_recent = true + } snapshot-controller = { most_recent = true } vpc-cni = { most_recent = true service_account_role_arn = module.vpc_cni_irsa_role.iam_role_arn + before_compute = true } } - eks_managed_node_group_defaults = { - ami_type = "BOTTLEROCKET_x86_64" - } - node_security_group_enable_recommended_rules = true node_security_group_additional_rules = local.node_security_group_additional_rules + security_group_additional_rules = local.cluster_security_group_additional_rules + eks_managed_node_groups = { karpenter_controllers = { name = local.ng_name + ami_type = "BOTTLEROCKET_x86_64" capacity_type = "ON_DEMAND" instance_types = var.eks_instance_types @@ -114,11 +120,10 @@ module "cluster" { } } labels = { - intent = "control-apps" + "karpenter.sh/controller" = "true" } } } - tags = local.tags } # Tag existing subnets for EKS diff --git a/requirements.tf b/requirements.tf index 970fa07..a1b6903 100644 --- a/requirements.tf +++ b/requirements.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 5.0" + version = "~> 6.0" } null = { source = "hashicorp/null" diff --git a/securitygroup.ports.tf b/securitygroup.ports.tf index 0535c58..288178a 100644 --- a/securitygroup.ports.tf +++ b/securitygroup.ports.tf 
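Review bot: The three new addons (`cert-manager`, `eks-node-monitoring-agent`, `metrics-server`) follow the existing `most_recent = true` pattern with no `addon_version`, so each `terraform apply` may silently upgrade them; for cert-manager in particular, which installs cluster-wide CRDs and a webhook, an unpinned upgrade is a change-control gap worth a pin or at least a comment stating that floating is deliberate. The commented-out `kube-state-metrics` block is dead configuration left in the addon map; either remove it or replace it with a one-line comment explaining why it is deferred. The relabel of the control node group to `"karpenter.sh/controller" = "true"` is fine, but any NodeSelector or affinity that still targets `intent = "control-apps"` must change in lockstep, which cannot be verified from this module.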
@@ -70,6 +70,12 @@ locals { from_port = 9443 to_port = 9443 }, + { + component = "metrics-server" + description = "metrics-server endpoint" + from_port = 10251 + to_port = 10251 + }, { component = "cert-manager" description = "cert-manager-webhook" @@ -78,21 +84,6 @@ locals { } ] - sg_additional_ports_2 = [ - { - component = "istio" - description = "XDS and CA services (TLS and mTLS)" - from_port = 15012 - to_port = 15012 - }, - { - component = "istio" - description = "Webhook container port, forwarded from 443" - from_port = 15017 - to_port = 15017 - } - ] - sg_additional_ingress_rules = { for ikey, ivalue in local.sg_additional_ports : "${ikey}_ingress" => { @@ -116,18 +107,6 @@ locals { self = true } } - - sg_additional_ingress_rules_2 = { - for ikey, ivalue in local.sg_additional_ports_2 : - "${ikey}_ingress" => { - description = ivalue.description - protocol = "tcp" - from_port = ivalue.from_port - to_port = ivalue.to_port - type = "ingress" - self = true - } - } } resource "aws_vpc_security_group_ingress_rule" "additional" { 
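Review bot: The new `metrics-server` entry in `sg_additional_ports` opens 10251/tcp within the additional security group, while additional-sg-rules.tf in this same commit comments out the equivalent node rule as "no longer required as of k8s v1.34+"; one of the two is wrong about whether the rule is needed, and the two files should agree. Please also confirm 10251 is the port the EKS metrics-server addon actually serves on, since the value is not derivable from anything in this module; if it is, a comment such as `# metrics-server addon port; see additional-sg-rules.tf` would tie the two files together.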
@@ -152,13 +131,13 @@ resource "aws_vpc_security_group_egress_rule" "additional" { referenced_security_group_id = each.value.self ? aws_security_group.additional_eks_cluster_sg.id : null } -resource "aws_vpc_security_group_ingress_rule" "additional_ingress_rules_2" { - for_each = { for k, v in local.sg_additional_ingress_rules_2 : v.from_port => v } - security_group_id = aws_security_group.extra_cluster_sg.id +# resource "aws_vpc_security_group_ingress_rule" "additional_ingress_rules_2" { +# for_each = { for k, v in local.sg_additional_ingress_rules_2 : v.from_port => v } +# security_group_id = aws_security_group.extra_cluster_sg.id - description = each.value.description - from_port = each.value.from_port - to_port = each.value.to_port - ip_protocol = each.value.protocol - referenced_security_group_id = aws_security_group.additional_eks_cluster_sg.id -} +# description = each.value.description +# from_port = each.value.from_port +# to_port = each.value.to_port +# ip_protocol = each.value.protocol +# referenced_security_group_id = aws_security_group.additional_eks_cluster_sg.id +# } diff --git a/security_groups.tf b/securitygroups.tf similarity index 79% rename from security_groups.tf rename to securitygroups.tf index 9712bda..a30f716 100644 --- a/security_groups.tf +++ b/securitygroups.tf @@ -5,15 +5,9 @@ locals { } resource "aws_security_group" "additional_eks_cluster_sg" { - name = local.additional_eks_cluster_sg_name - - tags = merge( - local.base_tags, - var.tags, - { "Name" = local.additional_eks_cluster_sg_name }, - ) - - vpc_id = data.aws_vpc.eks_vpc.id + name = local.additional_eks_cluster_sg_name + description = format("Security group for additional access for EKS cluster %v", var.cluster_name) + vpc_id = data.aws_vpc.eks_vpc.id ingress { from_port = 0 
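Review bot: The `additional_ingress_rules_2` resource is commented out rather than deleted, yet it still references `local.sg_additional_ingress_rules_2`, whose definition and its `sg_additional_ports_2` input the earlier hunks in this file remove, so uncommenting it would not plan. Dead configuration that cannot be re-enabled belongs in git history, not the working tree; delete the block, and if the istio ports are expected to return, say so in a one-line comment where `sg_additional_ports` is defined.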
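Review bot: Adding `description` to `aws_security_group.additional_eks_cluster_sg` (and to `all_worker_mgmt` in the next hunk) is a force-new attribute on the aws provider, so applying this to an existing cluster plans a destroy-and-recreate of security groups attached to running node ENIs and to the cluster; the destroy fails with a dependency violation, or with `create_before_destroy` leaves ENIs on the old group. The file's own comment on `all_worker_mgmt`, "once setup, you cannot change any ports here", already warns about this class of change. Either drop the descriptions for existing clusters or schedule the replacement in a maintenance window. Separately, the removed per-resource `Name` tags cannot be replaced by provider `default_tags`, so console names are lost unless `tags = { Name = local.additional_eks_cluster_sg_name }` is kept on each of the three groups.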
@@ -46,15 +40,9 @@ resource "aws_security_group" "additional_eks_cluster_sg" { # once setup, you cannot change any ports here resource "aws_security_group" "all_worker_mgmt" { - name = local.all_worker_mgmt_name - - tags = merge( - local.base_tags, - var.tags, - { "Name" = local.all_worker_mgmt_name }, - ) - - vpc_id = local.vpc_id + name = local.all_worker_mgmt_name + description = format("Security group for all worker management access for EKS cluster %v", var.cluster_name) + vpc_id = local.vpc_id ingress { from_port = 0 @@ -79,14 +67,7 @@ resource "aws_security_group" "all_worker_mgmt" { resource "aws_security_group" "extra_cluster_sg" { name = format("%v%v-extra", local.prefixes["eks-security-group"], var.cluster_name) description = format("Security group for additional access for EKS cluster %v", var.cluster_name) - - tags = merge( - local.base_tags, - var.tags, - { "Name" = format("%v%v-extra", local.prefixes["eks-security-group"], var.cluster_name) }, - ) - - vpc_id = data.aws_vpc.eks_vpc.id + vpc_id = data.aws_vpc.eks_vpc.id ingress { from_port = 0 diff --git a/variables.tf b/variables.tf index 9e86fcb..be02865 100644 --- a/variables.tf +++ b/variables.tf 
@@ -11,23 +11,11 @@ variable "cluster_version" { description = "Kubernetes version to use for the EKS cluster" type = string validation { - condition = can(regex("^[0-9]+\\.[0-9]+$", var.cluster_version)) && contains(["1.31", "1.32", "1.33"], var.cluster_version) - error_message = "Cluster version must be in the format 'x.y' (e.g., '1.33') and must be one of: 1.31, 1.32, 1.33" + condition = can(regex("^[0-9]+\\.[0-9]+$", var.cluster_version)) && contains(["1.31", "1.32", "1.33", "1.34"], var.cluster_version) + error_message = "Cluster version must be in the format 'x.y' (e.g., '1.33') and must be one of: 1.31, 1.32, 1.33, 1.34" } } -variable "cluster_endpoint_private_access" { - description = "Whether the EKS cluster API server endpoint is privately accessible" - type = bool - default = true -} - -variable "cluster_endpoint_public_access" { - description = "Whether the EKS cluster API server endpoint is publicly accessible" - type = bool - default = true -} - variable "enable_cluster_creator_admin_permissions" { description = "Grant admin permissions to the cluster creator" type = bool