lints

SCT-Engineering · Aug 1, 2024 · f2b7943 · f2b7943
1 parent 3e42428
commit f2b7943
Show file tree

Hide file tree

Showing 20 changed files with 238 additions and 164 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+.terraform/
+.terraform.lock.hcl
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -30,7 +30,7 @@ repos:
 
 # JSON5 Linter
 - repo: https://github.com/pre-commit/mirrors-prettier
-  rev: v3.1.0
+  rev: v4.0.0-alpha.8
   hooks:
   - id: prettier
     # https://prettier.io/docs/en/options.html#parser
@@ -41,4 +41,54 @@ repos:
   rev: v1.92.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
   hooks:
     - id: terraform_fmt
+      args:
+        - --hook-config=--parallelism-ci-cpu-cores=2
     - id: terraform_docs
+      args:
+        - --hook-config=--parallelism-ci-cpu-cores=2
+    - id: terraform_tflint
+      name: Terraform validate with tflint
+      description: Validates all Terraform configuration files with TFLint.
+      require_serial: true
+      entry: hooks/terraform_tflint.sh
+      language: script
+      files: (\.tf|\.tfvars)$
+      exclude: \.(terraform/.*|terragrunt-cache)$
+      args:
+        - --hook-config=--parallelism-ci-cpu-cores=2
+    - id: terragrunt_fmt
+      name: Terragrunt fmt
+      description: Rewrites all Terragrunt configuration files to a canonical format.
+      entry: hooks/terragrunt_fmt.sh
+      language: script
+      files: (\.hcl)$
+      exclude: \.(terraform/.*|terragrunt-cache)$
+      args:
+        - --hook-config=--parallelism-ci-cpu-cores=2
+    - id: terragrunt_validate
+      name: Terragrunt validate
+      description: Validates all Terragrunt configuration files.
+      entry: hooks/terragrunt_validate.sh
+      language: script
+      files: (\.hcl)$
+      exclude: \.(terraform/.*|terragrunt-cache)$
+      args:
+        - --hook-config=--parallelism-ci-cpu-cores=2
+    - id: terragrunt_validate_inputs
+      name: Terragrunt validate inputs
+      description: Validates Terragrunt unused and undefined inputs.
+      entry: hooks/terragrunt_validate_inputs.sh
+      language: script
+      files: (\.hcl)$
+      exclude: \.(terraform/.*|terragrunt-cache)$
+      args:
+        - --hook-config=--parallelism-ci-cpu-cores=2
+    - id: terragrunt_providers_lock
+      name: Terragrunt providers lock
+      description: Updates provider signatures in dependency lock files using terragrunt.
+      entry: hooks/terragrunt_providers_lock.sh
+      language: script
+      files: (terragrunt|\.terraform\.lock)\.hcl$
+      exclude: \.(terraform/.*|terragrunt-cache)$
+      args:
+        - --hook-config=--parallelism-ci-cpu-cores=2
diff --git a/.tflint.hcl b/.tflint.hcl
@@ -18,4 +18,12 @@ rule "aws_instance_invalid_type" {
 
 plugin "aws" {
   enabled = true
+  version = "0.32.0"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}
+
+plugin "terraform" {
+  enabled = true
+  version = "0.9.0"
+  source  = "github.com/terraform-linters/tflint-ruleset-terraform"
 }
diff --git a/README.md b/README.md
@@ -33,11 +33,8 @@ kube-proxy
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.14.0 |
-| <a name="requirement_cloudinit"></a> [cloudinit](#requirement\_cloudinit) | >= 2.3.2 |
-| <a name="requirement_http"></a> [http](#requirement\_http) | >= 3.4.0 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.31.0 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.2.1 |
-| <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.9.1 |
-| <a name="requirement_tls"></a> [tls](#requirement\_tls) | >= 4.0.4 |
 
 ## Providers
 
@@ -55,7 +52,6 @@ kube-proxy
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_cluster"></a> [cluster](#module\_cluster) | git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git | v20.20.0 |
-| <a name="module_cluster_autoscaler_irsa_role"></a> [cluster\_autoscaler\_irsa\_role](#module\_cluster\_autoscaler\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_ebs_csi_irsa_role"></a> [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_efs_csi_irsa_role"></a> [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_vpc_cni_irsa_role"></a> [vpc\_cni\_irsa\_role](#module\_vpc\_cni\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
@@ -64,8 +60,8 @@ kube-proxy
 
 | Name | Type |
 |------|------|
-| [aws_ec2_tag.container-subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
-| [aws_ec2_tag.lb-subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
+| [aws_ec2_tag.container_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
+| [aws_ec2_tag.lb_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
 | [aws_route53_vpc_association_authorization.self_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
 | [aws_route53_vpc_association_authorization.self_zone_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
 | [aws_route53_zone.cluster_domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
@@ -82,10 +78,9 @@ kube-proxy
 | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
 | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
-| [aws_route53_zone.zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
 | [aws_subnet.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
-| [aws_subnets.container-subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
-| [aws_subnets.lb-subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
+| [aws_subnets.container_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
+| [aws_subnets.lb_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
 | [aws_subnets.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
 | [aws_vpc.dummy_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
 | [aws_vpc.eks_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
@@ -94,9 +89,6 @@ kube-proxy
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_access_entries"></a> [access\_entries](#input\_access\_entries) | Map of access entries to add to the cluster | `any` | `{}` | no |
-| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS account id | `string` | `""` | no |
-| <a name="input_aws_environment"></a> [aws\_environment](#input\_aws\_environment) | AWS Environment (govcloud \| east-west) | `string` | `""` | no |
 | <a name="input_census_private_cidr"></a> [census\_private\_cidr](#input\_census\_private\_cidr) | Census Private CIR Blocks | `list(string)` | <pre>[<br>  "148.129.0.0/16",<br>  "172.16.0.0/12",<br>  "192.168.0.0/16"<br>]</pre> | no |
 | <a name="input_cluster_endpoint_public_access"></a> [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | This allows to access the cluster from IEB cloud host | `bool` | `false` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes |
@@ -108,8 +100,6 @@ kube-proxy
 | <a name="input_eks_ng_min_size"></a> [eks\_ng\_min\_size](#input\_eks\_ng\_min\_size) | Node Group minimum size | `number` | `4` | no |
 | <a name="input_enable_cluster_creator_admin_permissions"></a> [enable\_cluster\_creator\_admin\_permissions](#input\_enable\_cluster\_creator\_admin\_permissions) | Indicates whether or not to add the cluster creator (the identity used by Terraform) as an administrator via access entry | `bool` | `false` | no |
 | <a name="input_lb_subnets_name"></a> [lb\_subnets\_name](#input\_lb\_subnets\_name) | Define the name of the subnets to be used by this cluster | `string` | `"*-private-lb-*"` | no |
-| <a name="input_main_dns_profile"></a> [main\_dns\_profile](#input\_main\_dns\_profile) | Profile name for AWS for the main DNS central account | `string` | `"269244441389-lab-gov-network-nonprod"` | no |
-| <a name="input_main_dns_vpcs"></a> [main\_dns\_vpcs](#input\_main\_dns\_vpcs) | Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS | `map(string)` | <pre>{<br>  "us-gov-east-1": "vpc-070595c5b133243dd",<br>  "us-gov-west-1": "vpc-08b7b4db6a5ddf9c1"<br>}</pre> | no |
 | <a name="input_operators_ns"></a> [operators\_ns](#input\_operators\_ns) | Namespace to create where operators will be installed. | `string` | `"operators"` | no |
 | <a name="input_os_username"></a> [os\_username](#input\_os\_username) | OS username from environment variable, ideally as $USER | `string` | `null` | no |
 | <a name="input_profile"></a> [profile](#input\_profile) | AWS config profile | `string` | `""` | no |
@@ -157,7 +147,7 @@ kube-proxy
 | <a name="output_kms_key_policy"></a> [kms\_key\_policy](#output\_kms\_key\_policy) | The IAM resource policy set on the key |
 | <a name="output_module_name"></a> [module\_name](#output\_module\_name) | The name of this module. |
 | <a name="output_module_version"></a> [module\_version](#output\_module\_version) | The version of this module. |
-| <a name="output_node_group_name"></a> [node\_group\_name](#output\_node\_group\_name) | ############################################################################### Additional ############################################################################### output "cluster\_autoscaler\_role\_name" { value = module.cluster\_autoscaler\_irsa\_role.iam\_role\_name } |
+| <a name="output_node_group_name"></a> [node\_group\_name](#output\_node\_group\_name) | name of the node group created for use by karpenter |
 | <a name="output_node_security_group_arn"></a> [node\_security\_group\_arn](#output\_node\_security\_group\_arn) | Amazon Resource Name (ARN) of the node shared security group |
 | <a name="output_node_security_group_id"></a> [node\_security\_group\_id](#output\_node\_security\_group\_id) | ID of the node shared security group |
 | <a name="output_oidc_provider"></a> [oidc\_provider](#output\_oidc\_provider) | The OpenID Connect identity provider (issuer URL without leading `https://`) |

diff --git a/aws_data.tf b/aws_data.tf
@@ -5,34 +5,3 @@ data "aws_region" "current" {}
 data "aws_arn" "current" {
   arn = data.aws_caller_identity.current.arn
 }
-data "aws_subnets" "container-subnets" {
-  filter {
-    name   = "tag:Name"
-    values = [local.container_subnets_name]
-  }
-  filter {
-    name   = "vpc-id"
-    values = [data.aws_vpc.eks_vpc.id]
-  }
-}
-data "aws_subnets" "lb-subnets" {
-  filter {
-    name   = "tag:Name"
-    values = [local.lb_subnets_name]
-  }
-  filter {
-    name   = "vpc-id"
-    values = [data.aws_vpc.eks_vpc.id]
-  }
-}
-locals {
-  container_subnets_name = var.subnets_name
-  lb_subnets_name        = var.lb_subnets_name
-  base_arn               = format("arn:%v:%%v:%v:%v:%%v:%%v", data.aws_arn.current.partition, data.aws_region.current.name, data.aws_caller_identity.current.account_id)
-  iam_arn                = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id)
-  common_arn = format("arn:%v:%%v:%v:%v:%%v",
-    data.aws_arn.current.partition,
-    data.aws_region.current.name,
-  data.aws_caller_identity.current.account_id)
-
-}
diff --git a/dns_zones.tf b/dns_zones.tf
@@ -1,11 +1,35 @@
 #-------------------------------------------------
 # DNS Zone for EKS
 #-------------------------------------------------
+
+#-------------------------------------------------
+# Locals
+#-------------------------------------------------
+data "aws_subnets" "container_subnets" {
+  filter {
+    name   = "tag:Name"
+    values = [local.container_subnets_name]
+  }
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.eks_vpc.id]
+  }
+}
+data "aws_subnets" "lb_subnets" {
+  filter {
+    name   = "tag:Name"
+    values = [local.lb_subnets_name]
+  }
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.eks_vpc.id]
+  }
+}
 locals {
+  container_subnets_name     = var.subnets_name
+  lb_subnets_name            = var.lb_subnets_name
   cluster_domain_name        = format("%v.%v", var.cluster_name, var.vpc_domain_name)
   cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name)
-  account_environment        = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
-  region_short               = join("", [for c in split("-", var.region) : substr(c, 0, 1)])
   zone_ids                   = compact(var.zone_ids)
 }
 #-------------------------------------------------
@@ -31,6 +55,7 @@ provider "aws" {
 
 provider "aws" {
   alias = "self"
+  # Commented as in testing we are assuming this role already
   # assume_role {
   #   role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id)
   #   session_name = var.os_username
@@ -77,16 +102,6 @@ resource "aws_route53_zone_association" "self_zone_east" {
   depends_on = [aws_route53_vpc_association_authorization.self_zone]
 }
 
-#---
-# zone list
-#---
-data "aws_route53_zone" "zones" {
-  provider     = aws.self
-  for_each     = toset(local.zone_ids)
-  zone_id      = each.key
-  private_zone = true
-}
-
 resource "aws_route53_zone" "cluster_domain" {
   name          = local.cluster_domain_name
   comment       = local.cluster_domain_description
@@ -121,10 +136,6 @@ data "aws_vpc" "dummy_vpc" {
     name   = "tag:Name"
     values = ["vpc0-dummy"]
   }
-  # filter {
-  #   name   = "tag:eks-cluster-name"
-  #   values = [var.cluster_name]
-  # }
 }
 
 resource "aws_vpc" "vpc" {
@@ -136,18 +147,19 @@ resource "aws_vpc" "vpc" {
     { "Name" = "vpc0-dummy" },
   )
 }
+
 # Tag existing subnets for EKS
 # Container subnets under data.aws_subnets.container-subnets
 # Load Balance subnets under data.aws_subnets.lb-subnets
-resource "aws_ec2_tag" "container-subnets" {
-  for_each    = toset(data.aws_subnets.container-subnets.ids)
+resource "aws_ec2_tag" "container_subnets" {
+  for_each    = toset(data.aws_subnets.container_subnets.ids)
   resource_id = each.value
   key         = "kubernetes.io/cluster/${var.cluster_name}"
   value       = "shared"
 }
 
-resource "aws_ec2_tag" "lb-subnets" {
-  for_each    = toset(data.aws_subnets.lb-subnets.ids)
+resource "aws_ec2_tag" "lb_subnets" {
+  for_each    = toset(data.aws_subnets.lb_subnets.ids)
   resource_id = each.value
   key         = "kubernetes.io/role/internal-nlb"
   value       = "1"

diff --git a/examples/simple/eks.tf b/examples/simple/eks.tf
@@ -1,6 +1,5 @@
 module "eks" {
-  source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git//"
-  #source = "git@github.it.census.gov:SOA/tfmod-eks.git//?ref=v1.0.0"
+  source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=1.0.1"
 
   vpc_name = var.vpc_name
 

diff --git a/examples/simple/providers.tf b/examples/simple/providers.tf
@@ -1,7 +1,15 @@
 terraform {
   required_version = ">= 1.5.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.14.0"
+    }
+  }
 }
 
+
 provider "aws" {
   profile = var.profile
   region  = var.region

diff --git a/examples/testing/eks.tf b/examples/testing/eks.tf
@@ -1,5 +1,4 @@
 module "eks" {
-  # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git//"
   source = "../.."
 
   vpc_name                                 = var.vpc_name

diff --git a/examples/testing/providers.tf b/examples/testing/providers.tf
@@ -1,5 +1,12 @@
 terraform {
   required_version = ">= 1.5.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.14.0"
+    }
+  }
 }
 
 provider "aws" {

diff --git a/irsa_roles.tf b/irsa_roles.tf
@@ -1,3 +1,4 @@
+# tflint-ignore: terraform_module_version
 module "vpc_cni_irsa_role" {
   source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
 
@@ -15,6 +16,7 @@ module "vpc_cni_irsa_role" {
   tags = local.tags
 }
 
+# tflint-ignore: terraform_module_version
 module "ebs_csi_irsa_role" {
   source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
 
@@ -30,6 +32,7 @@ module "ebs_csi_irsa_role" {
   tags = local.tags
 }
 
+# tflint-ignore: terraform_module_version
 module "efs_csi_irsa_role" {
   source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
 
@@ -44,21 +47,3 @@ module "efs_csi_irsa_role" {
   }
   tags = local.tags
 }
-
-module "cluster_autoscaler_irsa_role" {
-  source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-
-  role_name = "${var.cluster_name}-cluster-autoscaler"
-
-  attach_cluster_autoscaler_policy = true
-
-  cluster_autoscaler_cluster_names = [module.cluster.cluster_name]
-
-  oidc_providers = {
-    main = {
-      provider_arn               = module.cluster.oidc_provider_arn
-      namespace_service_accounts = ["kube-system:cluster-autoscaler"]
-    }
-  }
-  tags = local.tags
-}
diff --git a/main.tf b/main.tf
@@ -34,7 +34,8 @@ locals {
 
   base_tags = {
     "eks-cluster-name"      = var.cluster_name
-    "boc:tf_module_version" = local._module_version
+    "boc:tf_module_name"    = local.module_name
+    "boc:tf_module_version" = local.module_version
     "boc:created_by"        = "terraform"
     CostAllocation          = var.tag_costallocation
   }
@@ -44,7 +45,7 @@ locals {
     #  'nlb-policy' = aws_iam_policy.nlb-policy.arn
   }
 
-  ng_name = format("%v%v-nodegroup", local._prefixes["eks"], var.cluster_name)
+  ng_name = format("%v%v-nodegroup", local.prefixes["eks"], var.cluster_name)
 
   tags = merge(local.base_tags, var.tags)
 
@@ -73,7 +74,6 @@ locals {
 
 module "cluster" {
   source = "git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git?ref=v20.20.0"
-  #version = "19.16.0"
 
   cluster_name                             = var.cluster_name
   cluster_version                          = var.cluster_version