From f2b794346be0092ebef2f385929197d520e4b622 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 31 Jul 2024 22:49:00 -0400 Subject: [PATCH] lints --- .gitignore | 2 + .pre-commit-config.yaml | 52 ++++++++++++++++++++- .tflint.hcl | 8 ++++ README.md | 22 +++------ aws_data.tf | 31 ------------ dns_zones.tf | 52 +++++++++++++-------- examples/simple/eks.tf | 3 +- examples/simple/providers.tf | 8 ++++ examples/testing/eks.tf | 1 - examples/testing/providers.tf | 7 +++ irsa_roles.tf | 21 ++------- main.tf | 6 +-- outputs.tf | 7 +-- prefixes.tf | 2 +- requirements.tf | 18 ++----- security_groups.tf | 4 +- sg_ports.tf | 34 +++++++------- terragrunt.hcl | 88 +++++++++++++++++++++++++++++++++++ variables.tf | 32 ------------- version.tf | 4 +- 20 files changed, 238 insertions(+), 164 deletions(-) create mode 100644 .gitignore create mode 100644 terragrunt.hcl diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..cc5778c --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +.terraform/ +.terraform.lock.hcl diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 7edd3aa..3fc319d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -30,7 +30,7 @@ repos: # JSON5 Linter - repo: https://github.com/pre-commit/mirrors-prettier - rev: v3.1.0 + rev: v4.0.0-alpha.8 hooks: - id: prettier # https://prettier.io/docs/en/options.html#parser 
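Review bot: Ignoring `.terraform.lock.hcl` drops the provider checksum pin for every root in this repository, including `examples/simple` and `examples/testing`, whose new `required_providers` blocks only set a lower bound (`>= 5.14.0`), so each `terraform init` resolves to the newest matching provider build with nothing recording its hash. The same commit adds a `terragrunt_providers_lock` hook whose only output is that lock file, so its work can never be committed. Leaving the lock out of a reusable module root is defensible, but the example roots should keep theirs; anchoring the pattern, `/.terraform.lock.hcl`, ignores only the module root's lock.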
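Review bot: `rev: v4.0.0-alpha.8` pins the prettier mirror to a pre-release tag, and pre-release tags on third-party hook repositories are the ones most likely to be moved or deleted, which would break every contributor's `pre-commit install` at once. Unless a v4-only feature is needed, the latest stable tag (the previous `v3.1.0` line or its successor) is the safer pin, or pin `rev` to the commit SHA behind the tag, which pre-commit accepts.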
@@ -41,4 +41,54 @@ repos: rev: v1.92.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases hooks: - id: terraform_fmt + args: + - --hook-config=--parallelism-ci-cpu-cores=2 - id: terraform_docs + args: + - --hook-config=--parallelism-ci-cpu-cores=2 + - id: terraform_tflint + name: Terraform validate with tflint + description: Validates all Terraform configuration files with TFLint. + require_serial: true + entry: hooks/terraform_tflint.sh + language: script + files: (\.tf|\.tfvars)$ + exclude: \.(terraform/.*|terragrunt-cache)$ + args: + - --hook-config=--parallelism-ci-cpu-cores=2 + - id: terragrunt_fmt + name: Terragrunt fmt + description: Rewrites all Terragrunt configuration files to a canonical format. + entry: hooks/terragrunt_fmt.sh + language: script + files: (\.hcl)$ + exclude: \.(terraform/.*|terragrunt-cache)$ + args: + - --hook-config=--parallelism-ci-cpu-cores=2 + - id: terragrunt_validate + name: Terragrunt validate + description: Validates all Terragrunt configuration files. + entry: hooks/terragrunt_validate.sh + language: script + files: (\.hcl)$ + exclude: \.(terraform/.*|terragrunt-cache)$ + args: + - --hook-config=--parallelism-ci-cpu-cores=2 + - id: terragrunt_validate_inputs + name: Terragrunt validate inputs + description: Validates Terragrunt unused and undefined inputs. + entry: hooks/terragrunt_validate_inputs.sh + language: script + files: (\.hcl)$ + exclude: \.(terraform/.*|terragrunt-cache)$ + args: + - --hook-config=--parallelism-ci-cpu-cores=2 + - id: terragrunt_providers_lock + name: Terragrunt providers lock + description: Updates provider signatures in dependency lock files using terragrunt. + entry: hooks/terragrunt_providers_lock.sh + language: script + files: (terragrunt|\.terraform\.lock)\.hcl$ + exclude: \.(terraform/.*|terragrunt-cache)$ + args: + - --hook-config=--parallelism-ci-cpu-cores=2 diff --git a/.tflint.hcl b/.tflint.hcl index a4029d7..30b0d2c 100644 --- a/.tflint.hcl 
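Review bot: The five new hook entries re-declare `name`, `description`, `entry: hooks/*.sh`, `language: script`, `files` and `exclude` for hook ids that the remote repo already defines at `rev: v1.92.0`, whereas `terraform_fmt` and `terraform_docs` in the same hunk correctly carry only `id` and `args`; the copied fields freeze upstream's current script paths and regexes so that a later `rev` bump silently keeps running the old entry points. Trim each new entry to `- id: terraform_tflint` plus its `args` block (and likewise for the four terragrunt hooks). Since these hooks execute shell scripts fetched from that repository on every commit, also consider pinning `rev` to the commit SHA behind `v1.92.0` rather than the mutable tag.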
+++ b/.tflint.hcl @@ -18,4 +18,12 @@ rule "aws_instance_invalid_type" { plugin "aws" { enabled = true + version = "0.32.0" + source = "github.com/terraform-linters/tflint-ruleset-aws" +} + +plugin "terraform" { + enabled = true + version = "0.9.0" + source = "github.com/terraform-linters/tflint-ruleset-terraform" } diff --git a/README.md b/README.md index 4acdc5f..14d8883 100644 --- a/README.md +++ b/README.md @@ -33,11 +33,8 @@ kube-proxy |------|---------| | [terraform](#requirement\_terraform) | >= 0.13 | | [aws](#requirement\_aws) | >= 5.14.0 | -| [cloudinit](#requirement\_cloudinit) | >= 2.3.2 | -| [http](#requirement\_http) | >= 3.4.0 | +| [kubernetes](#requirement\_kubernetes) | >= 2.31.0 | | [null](#requirement\_null) | >= 3.2.1 | -| [time](#requirement\_time) | >= 0.9.1 | -| [tls](#requirement\_tls) | >= 4.0.4 | ## Providers @@ -55,7 +52,6 @@ kube-proxy | Name | Source | Version | |------|--------|---------| | [cluster](#module\_cluster) | git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git | v20.20.0 | -| [cluster\_autoscaler\_irsa\_role](#module\_cluster\_autoscaler\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | | [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | | [vpc\_cni\_irsa\_role](#module\_vpc\_cni\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | 
@@ -64,8 +60,8 @@ kube-proxy | Name | Type | |------|------| -| [aws_ec2_tag.container-subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | -| [aws_ec2_tag.lb-subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | +| [aws_ec2_tag.container_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | +| [aws_ec2_tag.lb_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | | [aws_route53_vpc_association_authorization.self_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource | | [aws_route53_vpc_association_authorization.self_zone_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource | | [aws_route53_zone.cluster_domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource | 
@@ -82,10 +78,9 @@ kube-proxy | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source | | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | -| [aws_route53_zone.zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source | | [aws_subnet.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | -| [aws_subnets.container-subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | -| [aws_subnets.lb-subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | +| [aws_subnets.container_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | +| [aws_subnets.lb_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | | [aws_subnets.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | | [aws_vpc.dummy_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | | [aws_vpc.eks_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | 
@@ -94,9 +89,6 @@ kube-proxy | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [access\_entries](#input\_access\_entries) | Map of access entries to add to the cluster | `any` | `{}` | no | -| [account\_id](#input\_account\_id) | AWS account id | `string` | `""` | no | -| [aws\_environment](#input\_aws\_environment) | AWS Environment (govcloud \| east-west) | `string` | `""` | no | | [census\_private\_cidr](#input\_census\_private\_cidr) | Census Private CIR Blocks | `list(string)` |
[
"148.129.0.0/16",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | | [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | This allows to access the cluster from IEB cloud host | `bool` | `false` | no | | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes | @@ -108,8 +100,6 @@ kube-proxy | [eks\_ng\_min\_size](#input\_eks\_ng\_min\_size) | Node Group minimum size | `number` | `4` | no | | [enable\_cluster\_creator\_admin\_permissions](#input\_enable\_cluster\_creator\_admin\_permissions) | Indicates whether or not to add the cluster creator (the identity used by Terraform) as an administrator via access entry | `bool` | `false` | no | | [lb\_subnets\_name](#input\_lb\_subnets\_name) | Define the name of the subnets to be used by this cluster | `string` | `"*-private-lb-*"` | no | -| [main\_dns\_profile](#input\_main\_dns\_profile) | Profile name for AWS for the main DNS central account | `string` | `"269244441389-lab-gov-network-nonprod"` | no | -| [main\_dns\_vpcs](#input\_main\_dns\_vpcs) | Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS | `map(string)` |
{
"us-gov-east-1": "vpc-070595c5b133243dd",
"us-gov-west-1": "vpc-08b7b4db6a5ddf9c1"
}
| no | | [operators\_ns](#input\_operators\_ns) | Namespace to create where operators will be installed. | `string` | `"operators"` | no | | [os\_username](#input\_os\_username) | OS username from environment variable, ideally as $USER | `string` | `null` | no | | [profile](#input\_profile) | AWS config profile | `string` | `""` | no | @@ -157,7 +147,7 @@ kube-proxy | [kms\_key\_policy](#output\_kms\_key\_policy) | The IAM resource policy set on the key | | [module\_name](#output\_module\_name) | The name of this module. | | [module\_version](#output\_module\_version) | The version of this module. | -| [node\_group\_name](#output\_node\_group\_name) | ############################################################################### Additional ############################################################################### output "cluster\_autoscaler\_role\_name" { value = module.cluster\_autoscaler\_irsa\_role.iam\_role\_name } | +| [node\_group\_name](#output\_node\_group\_name) | name of the node group created for use by karpenter | | [node\_security\_group\_arn](#output\_node\_security\_group\_arn) | Amazon Resource Name (ARN) of the node shared security group | | [node\_security\_group\_id](#output\_node\_security\_group\_id) | ID of the node shared security group | | [oidc\_provider](#output\_oidc\_provider) | The OpenID Connect identity provider (issuer URL without leading `https://`) | diff --git a/aws_data.tf b/aws_data.tf index 7dead47..fb1697a 100644 --- a/aws_data.tf +++ b/aws_data.tf 
@@ -5,34 +5,3 @@ data "aws_region" "current" {} data "aws_arn" "current" { arn = data.aws_caller_identity.current.arn } -data "aws_subnets" "container-subnets" { - filter { - name = "tag:Name" - values = [local.container_subnets_name] - } - filter { - name = "vpc-id" - values = [data.aws_vpc.eks_vpc.id] - } -} -data "aws_subnets" "lb-subnets" { - filter { - name = "tag:Name" - values = [local.lb_subnets_name] - } - filter { - name = "vpc-id" - values = [data.aws_vpc.eks_vpc.id] - } -} -locals { - container_subnets_name = var.subnets_name - lb_subnets_name = var.lb_subnets_name - base_arn = format("arn:%v:%%v:%v:%v:%%v:%%v", data.aws_arn.current.partition, data.aws_region.current.name, data.aws_caller_identity.current.account_id) - iam_arn = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) - common_arn = format("arn:%v:%%v:%v:%v:%%v", - data.aws_arn.current.partition, - data.aws_region.current.name, - data.aws_caller_identity.current.account_id) - -} diff --git a/dns_zones.tf b/dns_zones.tf index 34f087a..195e03a 100644 --- a/dns_zones.tf +++ b/dns_zones.tf 
@@ -1,11 +1,35 @@ #------------------------------------------------- # DNS Zone for EKS #------------------------------------------------- + +#------------------------------------------------- +# Locals +#------------------------------------------------- +data "aws_subnets" "container_subnets" { + filter { + name = "tag:Name" + values = [local.container_subnets_name] + } + filter { + name = "vpc-id" + values = [data.aws_vpc.eks_vpc.id] + } +} +data "aws_subnets" "lb_subnets" { + filter { + name = "tag:Name" + values = [local.lb_subnets_name] + } + filter { + name = "vpc-id" + values = [data.aws_vpc.eks_vpc.id] + } +} locals { + container_subnets_name = var.subnets_name + lb_subnets_name = var.lb_subnets_name cluster_domain_name = format("%v.%v", var.cluster_name, var.vpc_domain_name) cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) - account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew" - region_short = join("", [for c in split("-", var.region) : substr(c, 0, 1)]) zone_ids = compact(var.zone_ids) } #------------------------------------------------- @@ -31,6 +55,7 @@ provider "aws" { provider "aws" { alias = "self" + # Commented as in testing we are assuming this role already # assume_role { # role_arn = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) # session_name = var.os_username @@ -77,16 +102,6 @@ resource "aws_route53_zone_association" "self_zone_east" { depends_on = [aws_route53_vpc_association_authorization.self_zone] } -#--- -# zone list -#--- -data "aws_route53_zone" "zones" { - provider = aws.self - for_each = toset(local.zone_ids) - zone_id = each.key - private_zone = true -} - resource "aws_route53_zone" "cluster_domain" { name = local.cluster_domain_name comment = local.cluster_domain_description 
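Review bot: The new `# Locals` banner sits directly above two `data "aws_subnets"` blocks, so the section header no longer describes what follows, and the blocks themselves (moved here from `aws_data.tf`) have nothing to do with the DNS zones this file is named for. Either keep the lookups in `aws_data.tf` or retitle the banner, e.g. `# Subnet lookups for the EKS VPC (container and load-balancer subnets)`, with the `locals` block getting its own header below. Separately, `zone_ids = compact(var.zone_ids)` survives although its only visible consumer, `data.aws_route53_zone.zones`, is removed in the third hunk; if nothing else in the module reads `local.zone_ids`, the `terraform` tflint ruleset added in this commit will report it as an unused declaration.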
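Review bot: The added comment says `assume_role` is commented out because tests already run as the role, but the block stays disabled for every caller, so outside tests the `aws.self` provider never assumes `r-inf-terraform` and never sets `session_name = var.os_username`, losing the per-operator CloudTrail attribution that variable exists for (its description says "ideally as $USER"). Rather than a permanent comment-out, gate the block on an optional variable so test runs pass `null` and real runs assume the role; `dynamic` blocks are supported inside `provider` blocks. The `provider "aws"` block continues past the end of this hunk.
```hcl
provider "aws" {
  alias = "self"
  # Assumed only when a role ARN is supplied; tests that already run as the
  # role pass null and use the ambient credentials directly.
  dynamic "assume_role" {
    for_each = var.self_assume_role_arn == null ? [] : [var.self_assume_role_arn]
    content {
      role_arn     = assume_role.value
      session_name = var.os_username
    }
  }
  # … unchanged: remaining provider arguments …
```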
@@ -121,10 +136,6 @@ data "aws_vpc" "dummy_vpc" { name = "tag:Name" values = ["vpc0-dummy"] } - # filter { - # name = "tag:eks-cluster-name" - # values = [var.cluster_name] - # } } resource "aws_vpc" "vpc" { @@ -136,18 +147,19 @@ resource "aws_vpc" "vpc" { { "Name" = "vpc0-dummy" }, ) } + # Tag existing subnets for EKS # Container subnets under data.aws_subnets.container-subnets # Load Balance subnets under data.aws_subnets.lb-subnets -resource "aws_ec2_tag" "container-subnets" { - for_each = toset(data.aws_subnets.container-subnets.ids) +resource "aws_ec2_tag" "container_subnets" { + for_each = toset(data.aws_subnets.container_subnets.ids) resource_id = each.value key = "kubernetes.io/cluster/${var.cluster_name}" value = "shared" } -resource "aws_ec2_tag" "lb-subnets" { - for_each = toset(data.aws_subnets.lb-subnets.ids) +resource "aws_ec2_tag" "lb_subnets" { + for_each = toset(data.aws_subnets.lb_subnets.ids) resource_id = each.value key = "kubernetes.io/role/internal-nlb" value = "1" diff --git a/examples/simple/eks.tf b/examples/simple/eks.tf index 5a851d1..48b55c5 100644 --- a/examples/simple/eks.tf +++ b/examples/simple/eks.tf @@ -1,6 +1,5 @@ module "eks" { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git//" - #source = "git@github.it.census.gov:SOA/tfmod-eks.git//?ref=v1.0.0" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=1.0.1" vpc_name = var.vpc_name diff --git a/examples/simple/providers.tf b/examples/simple/providers.tf index ce03e7a..c4b7c92 100644 --- a/examples/simple/providers.tf +++ b/examples/simple/providers.tf @@ -1,7 +1,15 @@ terraform { required_version = ">= 1.5.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 5.14.0" + } + } } + provider "aws" { profile = var.profile region = var.region diff --git a/examples/testing/eks.tf b/examples/testing/eks.tf index 5c958ce..f5c3f2f 100644 --- a/examples/testing/eks.tf +++ b/examples/testing/eks.tf 
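Review bot: Renaming `aws_ec2_tag.container-subnets`/`lb-subnets` to the underscore form changes their resource addresses, so against an existing state Terraform will plan to destroy the old tag resources and create new ones, briefly stripping `kubernetes.io/cluster/<name>=shared` and `kubernetes.io/role/internal-nlb=1` from subnets a running cluster's load-balancer controller depends on. Add `moved` blocks so the rename becomes a state move (the examples require Terraform `>= 1.5.0`; the README's `>= 0.13` claim for the module would need raising to 1.1 or later). The two comment lines above the resources also still cite the old `data.aws_subnets.container-subnets` / `lb-subnets` addresses and should read `container_subnets` / `lb_subnets`.
```hcl
moved {
  from = aws_ec2_tag.container-subnets
  to   = aws_ec2_tag.container_subnets
}

moved {
  from = aws_ec2_tag.lb-subnets
  to   = aws_ec2_tag.lb_subnets
}
```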
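Review bot: `?ref=1.0.1` pins the example by tag while `version.tf` in this same commit still reports `module_version = "0.0.4"`, and that local is written into every resource as the `boc:tf_module_version` tag, so one of the two appears stale and worth reconciling. A tag on an SSH git source is also mutable; for a supply-chain pin the commit SHA is the stable reference, e.g. `source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=<sha>" # 1.0.1`.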
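Review bot: For an example root, `version = ">= 5.14.0"` with no upper bound means a future major release of the AWS provider is accepted automatically, and because this commit also gitignores `.terraform.lock.hcl` nothing records which build was actually used. A pessimistic constraint such as `version = "~> 5.14"` keeps the example on the provider major the module was written against; the same applies to the identical hunk in `examples/testing/providers.tf`.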
@@ -1,5 +1,4 @@ module "eks" { - # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git//" source = "../.." vpc_name = var.vpc_name diff --git a/examples/testing/providers.tf b/examples/testing/providers.tf index ce03e7a..d88db95 100644 --- a/examples/testing/providers.tf +++ b/examples/testing/providers.tf @@ -1,5 +1,12 @@ terraform { required_version = ">= 1.5.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 5.14.0" + } + } } provider "aws" { diff --git a/irsa_roles.tf b/irsa_roles.tf index db5a487..52754d7 100644 --- a/irsa_roles.tf +++ b/irsa_roles.tf @@ -1,3 +1,4 @@ +# tflint-ignore: terraform_module_version module "vpc_cni_irsa_role" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" @@ -15,6 +16,7 @@ module "vpc_cni_irsa_role" { tags = local.tags } +# tflint-ignore: terraform_module_version module "ebs_csi_irsa_role" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" @@ -30,6 +32,7 @@ module "ebs_csi_irsa_role" { tags = local.tags } +# tflint-ignore: terraform_module_version module "efs_csi_irsa_role" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" @@ -44,21 +47,3 @@ module "efs_csi_irsa_role" { } tags = local.tags } - -module "cluster_autoscaler_irsa_role" { - source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - - role_name = "${var.cluster_name}-cluster-autoscaler" - - attach_cluster_autoscaler_policy = true - - cluster_autoscaler_cluster_names = [module.cluster.cluster_name] - - oidc_providers = { - main = { - provider_arn = module.cluster.oidc_provider_arn - namespace_service_accounts = ["kube-system:cluster-autoscaler"] - } - } - tags = local.tags -} diff --git a/main.tf b/main.tf index 7e80e18..fead34b 100644 --- a/main.tf +++ b/main.tf 
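Review bot: `# tflint-ignore: terraform_module_version` silences the warning instead of fixing it: `terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks` still carries no `version` argument, so every `terraform init` resolves the module that creates the cluster's IRSA roles and their IAM policy attachments to whatever the public registry serves that day (the README table already lists these as `n/a`). Add a `version` constraint to this block and drop the ignore comment, and do the same in the `ebs_csi_irsa_role` and `efs_csi_irsa_role` hunks below, which add the identical suppression.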
@@ -34,7 +34,8 @@ locals { base_tags = { "eks-cluster-name" = var.cluster_name - "boc:tf_module_version" = local._module_version + "boc:tf_module_name" = local.module_name + "boc:tf_module_version" = local.module_version "boc:created_by" = "terraform" CostAllocation = var.tag_costallocation } @@ -44,7 +45,7 @@ locals { # 'nlb-policy' = aws_iam_policy.nlb-policy.arn } - ng_name = format("%v%v-nodegroup", local._prefixes["eks"], var.cluster_name) + ng_name = format("%v%v-nodegroup", local.prefixes["eks"], var.cluster_name) tags = merge(local.base_tags, var.tags) @@ -73,7 +74,6 @@ locals { module "cluster" { source = "git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git?ref=v20.20.0" - #version = "19.16.0" cluster_name = var.cluster_name cluster_version = var.cluster_version diff --git a/outputs.tf b/outputs.tf index 5db8b1a..15bc115 100644 --- a/outputs.tf +++ b/outputs.tf @@ -8,12 +8,12 @@ output "module_name" { description = "The name of this module." - value = local._module_name + value = local.module_name } output "module_version" { description = "The version of this module." - value = local._module_version + value = local.module_version } ################################################################################ @@ -281,5 +281,6 @@ output "self_managed_node_groups_autoscaling_group_names" { # value = module.cluster_autoscaler_irsa_role.iam_role_name # } output "node_group_name" { - value = local.ng_name + description = "name of the node group created for use by karpenter" + value = local.ng_name } diff --git a/prefixes.tf b/prefixes.tf index 03303f1..f677e0a 100644 --- a/prefixes.tf +++ b/prefixes.tf @@ -1,5 +1,5 @@ locals { - _prefixes = { + prefixes = { "efs" = "v-efs-" "s3" = "v-s3-" "ebs" = "v-ebs-" diff --git a/requirements.tf b/requirements.tf index 1bc9dda..958be0a 100644 --- a/requirements.tf +++ b/requirements.tf 
@@ -6,25 +6,13 @@ terraform {
 source = "hashicorp/aws"
 version = ">= 5.14.0"
 }
- cloudinit = {
- source = "hashicorp/cloudinit"
- version = ">= 2.3.2"
- }
- http = {
- source = "hashicorp/http"
- version = ">= 3.4.0"
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.31.0"
 }
 null = {
 source = "hashicorp/null"
 version = ">= 3.2.1"
 }
- time = {
- source = "hashicorp/time"
- version = ">= 0.9.1"
- }
- tls = {
- source = "hashicorp/tls"
- version = ">= 4.0.4"
- }
 }
 }
diff --git a/security_groups.tf b/security_groups.tf
index 0dc3ded..6683944 100644
--- a/security_groups.tf
+++ b/security_groups.tf
@@ -1,7 +1,7 @@
 locals {
- all_worker_mgmt_name = format("%v%v-all-worker-mgmt", local._prefixes["eks-security-group"], var.cluster_name)
- additional_eks_cluster_sg_name = format("%v%v-cluster", local._prefixes["eks-security-group"], var.cluster_name)
+ all_worker_mgmt_name = format("%v%v-all-worker-mgmt", local.prefixes["eks-security-group"], var.cluster_name)
+ additional_eks_cluster_sg_name = format("%v%v-cluster", local.prefixes["eks-security-group"], var.cluster_name)
 }
 resource "aws_security_group" "all_worker_mgmt" {
diff --git a/sg_ports.tf b/sg_ports.tf
index 22ccfeb..8f9201c 100644
--- a/sg_ports.tf
+++ b/sg_ports.tf
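Review bot: Declaring `hashicorp/kubernetes` in `required_providers` without a `provider "kubernetes"` block in the module means callers must supply a configured default kubernetes provider, yet the `examples/simple` and `examples/testing` roots updated in this commit add only the AWS provider. If the module now uses kubernetes resources (the `operators_ns` input suggests a namespace may be created), the examples need a kubernetes provider wired to `module.eks` outputs, or the README should document that requirement; if nothing uses it yet, the declaration is premature. This is inferred from the visible hunks, so confirm against the module's resource files.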
@@ -1,56 +1,56 @@
 locals {
 node_security_group_additional_rules = {
- "ingress_nodes_ephemeral" = {
- "description" = "Node to node ingress on ephemeral ports"
- "from_port" = 80
- "protocol" = "tcp"
- "self" = true
- "to_port" = 65535
- "type" = "ingress"
+ ingress_nodes_ephemeral = {
+ description = "Node to node ingress on ephemeral ports"
+ from_port = 80
+ protocol = "tcp"
+ self = true
+ to_port = 65535
+ type = "ingress"
 } # metrics-server
 ingress_cluster_4443_webhook = {
 description = "Cluster API to node 4443/tcp webhook"
- protocol = "tcp"
 from_port = 4443
+ protocol = "tcp"
+ source_cluster_security_group = true
 to_port = 4443
 type = "ingress"
- source_cluster_security_group = true
 } # prometheus-adapter
 ingress_cluster_6443_webhook = {
 description = "Cluster API to node 6443/tcp webhook"
- protocol = "tcp"
 from_port = 6443
+ protocol = "tcp"
+ source_cluster_security_group = true
 to_port = 6443
 type = "ingress"
- source_cluster_security_group = true
 } # Karpenter
 ingress_cluster_8443_webhook = {
 description = "Cluster API to node 8443/tcp webhook"
- protocol = "tcp"
 from_port = 8443
+ protocol = "tcp"
+ source_cluster_security_group = true
 to_port = 8443
 type = "ingress"
- source_cluster_security_group = true
 } # ALB controller, NGINX
 ingress_cluster_9443_webhook = {
 description = "Cluster API to node 9443/tcp webhook"
- protocol = "tcp"
 from_port = 9443
+ protocol = "tcp"
+ source_cluster_security_group = true
 to_port = 9443
 type = "ingress"
- source_cluster_security_group = true
 }
 egress_all = {
+ cidr_blocks = ["0.0.0.0/0"]
 description = "Allow all egress"
- protocol = "-1"
 from_port = 0
+ protocol = "-1"
 to_port = 0
 type = "egress"
- cidr_blocks = ["0.0.0.0/0"] # ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? ["::/0"] : null
 }
 }
diff --git a/terragrunt.hcl b/terragrunt.hcl
new file mode 100644
index 0000000..676bf73
--- /dev/null
+++ b/terragrunt.hcl
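Review bot: `ingress_nodes_ephemeral` is described as node-to-node ingress on ephemeral ports but, on the new side of this hunk, opens `from_port = 80` through `to_port = 65535` with `self = true`; ephemeral ranges conventionally start at 1025, so this rule also admits 80, 443 and the four webhook ports below from any node to any node. If the wide range is intentional, the description should say so; otherwise the fix is `from_port = 1025`. The rule set is only reformatted here, so the range predates this commit, but it is worth settling while the block is being touched.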
@@ -0,0 +1,88 @@ +# include "root" { +# path = find_in_parent_folders() +# expose = true +# } + +locals { + # account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl")) + # region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl")) + # In which AWS region are operations being performed + # account_id = local.account_vars.locals.aws_account_id + account_id = 123456789012 + # region = local.region_vars.locals.aws_region + region = "us-gov-east-1" + vpc_name = "vpc3-lab-dev" + cluster_name = "example-cluster" + cluster_version = "1.30" + vpc_domain_name = "dev.lab.csp2.census.gov" + eks_instance_disk_size = 100 + eks_vpc_name = "vpc3-lab-dev" + eks_ng_desired_size = 1 + eks_ng_max_size = 10 + eks_ng_min_size = 1 + operators_ns = "operators" + enable_cluster_creator_admin_permissions = true + cluster_endpoint_public_access = true + profile = "224384469011-lab-dev-gov" + cluster_mailing_list = "csvd@census.gov" + + # Tags applied to AWS objects created + tags = { + "Environment" = "dev" + "slim:schedule" = "8:00-17:00" + "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}" + } + + # aws_auth_roles = [ + # { + # rolearn : "arn:aws-us-gov:iam::224384469011:role/AWSReservedSSO_inf-admin-t3_b200ae7af469cdc8" + # aws_rolename : "" + # username : "admin" + # groups = ["system:masters"] + # }, + # { + # rolearn : "arn:aws-us-gov:iam::224384469011:role/r-inf-terraform" + # aws_rolename : "" + # username : "admin" + # groups = ["system:masters"] + # }, + # { + # rolearn : "arn:aws-us-gov:iam::224384469011:role/AWSReservedSSO_inf-admin-t2_f3912d726991bbfa" + # aws_rolename : "" + # username : "admin" + # groups = ["system:masters"] + # } + # ] +} + +terraform { + source = "../tfmod-eks" + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20m"] + } +} + +inputs = { + # aws_account_id = local.account_id + profile = 
local.profile + vpc_name = local.eks_vpc_name + cluster_name = local.cluster_name + cluster_version = local.cluster_version + eks_instance_disk_size = local.eks_instance_disk_size + # eks_vpc_name = local.eks_vpc_name + # eks_instance_types = local.eks_instance_types + eks_ng_desired_size = local.eks_ng_desired_size + eks_ng_max_size = local.eks_ng_max_size + eks_ng_min_size = local.eks_ng_min_size + operators_ns = local.operators_ns + enable_cluster_creator_admin_permissions = local.enable_cluster_creator_admin_permissions + cluster_endpoint_public_access = local.cluster_endpoint_public_access + tags = local.tags + # aws_auth_roles = local.aws_auth_roles + vpc_domain_name = local.vpc_domain_name + region = local.region + # creator = local.cluster_mailing_list + os_username = local.cluster_mailing_list + shared_vpc_label = "dev" +} diff --git a/variables.tf b/variables.tf index 2481239..c23678d 100644 --- a/variables.tf +++ b/variables.tf @@ -79,12 +79,6 @@ variable "operators_ns" { default = "operators" } -variable "access_entries" { - description = "Map of access entries to add to the cluster" - type = any - default = {} -} - ################################################################### # Common variables ################################################################### @@ -113,24 +107,12 @@ variable "profile" { default = "" } -variable "account_id" { - description = "AWS account id" - type = string - default = "" -} - variable "region" { description = "AWS config region" type = string default = "" } -variable "aws_environment" { - description = "AWS Environment (govcloud | east-west)" - type = string - default = "" -} - variable "os_username" { description = "OS username from environment variable, ideally as $USER" type = string 
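Review bot: This root-level `terragrunt.hcl` hard-codes `enable_cluster_creator_admin_permissions = true` and `cluster_endpoint_public_access = true`, overriding the module defaults of `false` shown in the README, and passes `os_username = local.cluster_mailing_list` (a shared mailbox) into the input the module's `assume_role` uses as `session_name`, so CloudTrail would attribute changes to a mailing list rather than the operator; `os_username = get_env("USER", local.cluster_mailing_list)` keeps the intent of the variable's description. If this file is a sample, say so in a header comment and default the two flags to `false`; if it is meant to run, `source = "../tfmod-eks"` from inside the module repository and the placeholder `account_id = 123456789012` next to a `profile` naming `224384469011` suggest it has not been exercised. Note also that `account_id` feeds nothing in `inputs` because the module's `account_id` variable is deleted in this same commit.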
@@ -141,20 +123,6 @@ variable "os_username" { # DNS variables ################################################################### -variable "main_dns_vpcs" { - description = "Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS" - type = map(string) - default = { - "us-gov-east-1" = "vpc-070595c5b133243dd" - "us-gov-west-1" = "vpc-08b7b4db6a5ddf9c1" - } -} - -variable "main_dns_profile" { - description = "Profile name for AWS for the main DNS central account" - type = string - default = "269244441389-lab-gov-network-nonprod" -} variable "shared_vpc_label" { description = "Label to use for shared VPC for flowlogs and other things" diff --git a/version.tf b/version.tf index 96080a9..932356f 100644 --- a/version.tf +++ b/version.tf @@ -1,4 +1,4 @@ locals { - _module_name = "tfmod-eks" - _module_version = "0.0.4" + module_name = "tfmod-eks" + module_version = "0.0.4" }