Lab environment testing and updates to module to accomidate

examples/simple/eks.tf

@@ -1,5 +1,5 @@
 module "eks" {
-  source = "git@github.it.census.gov:SOA/tfmod-eks.git//"
+  source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git//"
   #source = "git@github.it.census.gov:SOA/tfmod-eks.git//?ref=v1.0.0"
 
   vpc_name = var.vpc_name

examples/testing/eks.tf

@@ -0,0 +1,18 @@
+module "eks" {
+  # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git//"
+  source = "../.."
+
+  vpc_name                                 = var.vpc_name
+  cluster_name                             = var.cluster_name
+  cluster_version                          = var.cluster_version
+  domain                                   = var.domain
+  eks_instance_disk_size                   = var.eks_instance_disk_size
+  eks_instance_types                       = var.eks_instance_types
+  eks_ng_desired_size                      = var.eks_ng_desired_size
+  eks_ng_max_size                          = var.eks_ng_max_size
+  eks_ng_min_size                          = var.eks_ng_min_size
+  cluster_endpoint_public_access           = var.cluster_endpoint_public_access
+  access_entries                           = var.access_entries
+  enable_cluster_creator_admin_permissions = var.enable_cluster_creator_admin_permissions
+  tags                                     = var.tags
+}

examples/testing/providers.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_version = ">= 1.5.0"
+}
+
+provider "aws" {
+  profile = var.profile
+  region  = var.region
+}

examples/testing/variables.tf

@@ -0,0 +1,81 @@
+variable "region" {
+  description = "AWS region"
+  type        = string
+}
+
+variable "profile" {
+  description = "AWS config profile"
+  type        = string
+}
+
+variable "cluster_name" {
+  description = "EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev)"
+  type        = string
+}
+
+variable "cluster_version" {
+  description = "The Kubernetes version number to use for this EKS cluster. See https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html"
+  type        = string
+  default     = "1.27"
+}
+
+variable "vpc_name" {
+  description = "AWS vpc in which the cluster will reside"
+  type        = string
+}
+
+variable "cluster_endpoint_public_access" {
+  type = bool
+}
+
+variable "enable_cluster_creator_admin_permissions" {
+  description = "Indicates whether or not to add the cluster creator (the identity used by Terraform) as an administrator via access entry"
+  type        = bool
+  default     = true
+}
+
+variable "domain" {
+  description = "The DNS domain name of the cluster."
+  type        = string
+}
+
+variable "eks_instance_disk_size" {
+  description = "The size of the disk of the worker nodes in gigabytes. 40 is the approximate minimum.  Needs to hold the all of the normal operating system files plus every image that will be used in the cluster."
+  type        = number
+  default     = 40
+}
+
+variable "eks_instance_types" {
+  description = "EKS worker node instance types"
+  type        = list(string)
+  default = [
+    "t3.xlarge"
+  ]
+}
+
+variable "access_entries" {
+  description = "Map of access entries to add to the cluster"
+  type        = any
+  default     = {}
+}
+
+variable "eks_ng_min_size" {
+  description = "Node Group minimum size"
+  type        = number
+  default     = 4
+}
+variable "eks_ng_desired_size" {
+  description = "Node Group desired size"
+  type        = number
+  default     = 4
+}
+variable "eks_ng_max_size" {
+  description = "Node Group maximum size"
+  type        = number
+  default     = 15
+}
+variable "tags" {
+  description = "AWS Tags to apply to appropriate resources"
+  type        = map(string)
+  default     = {}
+}

main.tf

@@ -47,16 +47,39 @@ locals {
   ng_name = format("%v%v-nodegroup", local._prefixes["eks"], var.cluster_name)
 
   tags = merge(local.base_tags, var.tags)
+
+  # Access entries are the latest AWS model for managing cluster access: https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html
+  # They make reference to depricating the aws-auth ConfigMap, but this baseline enables access management with both EKS API and ConfigMap
+  # This is done especially since access entries are fairly course grained, especially given the granularity we can achieve via EKS native
+  # RBAC constructs in Roles and ClusterRoles and bindings.
+  # This below is just an example, in practice we'd notionally be creating a role (or multiple) specific to the cluster and setting policy
+  # to allow the cluster users to assume said role; but we need to spend some time parsing what exactly are the permissions we plan to hand 
+  # out to these clusters.
+  # access_entries = {
+  #   inf-admin-t2 = {
+  #     principal_arn     = "arn:aws-us-gov:iam::224384469011:role/aws-reserved/sso.amazonaws.com/us-gov-east-1/AWSReservedSSO_inf-admin-t2_f3912d726991bbfa"
+  #     kubernetes_groups = []
+  #     policy_associations = {
+  #       admin = {
+  #         policy_arn = "arn:aws-us-gov:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+  #         access_scope = {
+  #           type = "cluster"
+  #         }
+  #       }
+  #     }
+  #   }
+  # }
 }
 
 module "cluster" {
-  source  = "git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git?ref=v20.8.5"
+  source = "git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git?ref=v20.8.5"
   #version = "19.16.0"
 
-  cluster_name    = var.cluster_name
-  cluster_version = var.cluster_version
-  cluster_endpoint_public_access = var.cluster_endpoint_public_access
+  cluster_name                             = var.cluster_name
+  cluster_version                          = var.cluster_version
+  cluster_endpoint_public_access           = var.cluster_endpoint_public_access
   enable_cluster_creator_admin_permissions = var.enable_cluster_creator_admin_permissions
+  # access_entries                           = local.access_entries
 
   cluster_enabled_log_types = [
     "audit",
@@ -71,10 +94,10 @@ module "cluster" {
 
   cluster_addons = {
     coredns = {
-      most_recent = false
+      most_recent = true
     }
     kube-proxy = {
-      most_recent = false
+      most_recent = true
     }
     vpc-cni = {
       most_recent              = false
@@ -94,10 +117,14 @@ module "cluster" {
     ami_type = "AL2_x86_64"
   }
 
-  node_security_group_additional_rules = merge(
-    local.ingress_rules,
-    local.egress_rules,
-  )
+  node_security_group_enable_recommended_rules = false
+
+  # node_security_group_additional_rules = merge(
+  #   local.ingress_rules,
+  #   local.egress_rules,
+  # )
+
+  node_security_group_additional_rules = local.node_security_group_additional_rules
 
   eks_managed_node_groups = {
     node_group = {

node_ports.tf.disable

@@ -0,0 +1,45 @@
+locals {
+  ingress_rules {
+    ingress_nodes_ephemeral = {
+      "description" = "Node to node ingress on ephemeral ports"
+      "protocol"    = -1
+      "from_port"   = 0
+      "to_port"     = 0
+      "type"        = "ingress"
+      "self"        = true
+    }
+  }
+#   ingress_nodes_ephemeral = {
+#     "description": "Node to node ingress on ephemeral ports custom",
+#     "protocol": -1,
+#     "from_port": 0,
+#     "to_port": 0,
+#     "type": "ingress",
+#     "self": true
+#   }
+}
+
+
+        #  {
+        #         "cidr_blocks": [],
+        #         "description": "Envoy inbound",
+        #         "from_port": 15006,
+        #         "ipv6_cidr_blocks": [],
+        #         "prefix_list_ids": [],
+        #         "protocol": "tcp",
+        #         "security_groups": [],
+        #         "self": true,
+        #         "to_port": 15006
+        #       },
+
+#   ingress_rules = {
+#     for ikey, ivalue in local.istio_ports :
+#     "${ikey}_ingress" => {
+#       description = ivalue.description
+#       protocol    = "tcp"
+#       from_port   = ivalue.from_port
+#       to_port     = ivalue.to_port
+#       type        = "ingress"
+#       self        = true
+#     }
+#   }