From f3dbb69cec9d7929881b35fa1b4d6d27a64ab398 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Wed, 4 Dec 2024 21:48:59 -0500
Subject: [PATCH 1/4] feature(output): add outputs for providers

---
 README.md | 3 +++
 aws_data.tf | 6 ++++++
 outputs.tf | 13 ++++++++++---
 3 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index d493a1f..826fd4f 100644
--- a/README.md
+++ b/README.md
@@ -110,6 +110,8 @@ Change logs are auto-generated with commitizen.
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
+| [aws_eks_cluster.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
+| [aws_eks_cluster_auth.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source |
 | [aws_iam_roles.roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
 | [aws_iam_roles.sso_admins](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
 | [aws_iam_roles.sso_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
@@ -178,6 +180,7 @@ Change logs are auto-generated with commitizen.
 | [node\_security\_group\_id](#output\_node\_security\_group\_id) | ID of the node shared security group |
 | [oidc\_provider](#output\_oidc\_provider) | The OpenID Connect identity provider (issuer URL without leading `https://`) |
 | [oidc\_provider\_arn](#output\_oidc\_provider\_arn) | The ARN of the OIDC Provider if `enable_irsa = true` |
+| [provider\_kubernetes\_config](#output\_provider\_kubernetes\_config) | the values for configuring kube provider |
 | [security\_group\_all\_worker\_mgmt\_id](#output\_security\_group\_all\_worker\_mgmt\_id) | The security group to manage all of the worker nodes. |
 | [self\_managed\_node\_groups](#output\_self\_managed\_node\_groups) | Map of attribute maps for all self managed node groups created |
 | [self\_managed\_node\_groups\_autoscaling\_group\_names](#output\_self\_managed\_node\_groups\_autoscaling\_group\_names) | List of the autoscaling group names created by self-managed node groups |
diff --git a/aws_data.tf b/aws_data.tf
index fb1697a..27b9124 100644
--- a/aws_data.tf
+++ b/aws_data.tf
@@ -5,3 +5,9 @@ data "aws_region" "current" {}
 data "aws_arn" "current" {
   arn = data.aws_caller_identity.current.arn
 }
+data "aws_eks_cluster" "eks" {
+  name = module.cluster.cluster_id
+}
+data "aws_eks_cluster_auth" "eks" {
+  name = module.cluster.cluster_id
+}
diff --git a/outputs.tf b/outputs.tf
index 66a9aaa..3ce8c6e 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -277,10 +277,17 @@ output "self_managed_node_groups_autoscaling_group_names" {
 ################################################################################
 # Additional
 ################################################################################
-# output "cluster_autoscaler_role_name" {
-#   value = module.cluster_autoscaler_irsa_role.iam_role_name
-# }
 output "node_group_name" {
   description = "name of the node group created for use by karpenter"
   value = local.ng_name
 }
+
+output "provider_kubernetes_config" {
+  description = "the values for configuring kube provider"
+  value = {
+    host = data.aws_eks_cluster.eks.endpoint
+    cluster_ca_certificate = base64decode(data.aws_eks_cluster.eks.certificate_authority[0].data)
+    token = data.aws_eks_cluster_auth.eks.token
+  }
+  sensitive = true
+}

From 257014f7800f7512ac2d84a5473bc091756cbc9d Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Fri, 6 Dec 2024 15:14:50 -0500
Subject: [PATCH 2/4] export auth from cluster

---
 README.md | 3 +--
 aws_data.tf | 6 ++----
 outputs.tf | 8 +++-----
 3 files changed, 6 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index 826fd4f..e9482bb 100644
--- a/README.md
+++ b/README.md
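Review bot: `sensitive = true` on the new `provider_kubernetes_config` output only redacts the value in CLI output; the `token` taken from `data.aws_eks_cluster_auth.eks` is still written in plaintext to the Terraform state, so anyone who can read the state backend holds a usable cluster credential. The `aws_eks_cluster_auth` token is also short-lived and is only re-issued when this root module is planned or applied, so a consumer that reads it through remote state will usually hold an expired value. The lower-risk shape is to export only the endpoint and CA data, which are not secrets, and let the consuming configuration obtain its own token (its own `aws_eks_cluster_auth` data source, or the kubernetes provider's `exec` block), e.g. `value = { host = data.aws_eks_cluster.eks.endpoint, cluster_ca_certificate = base64decode(data.aws_eks_cluster.eks.certificate_authority[0].data) }` without `token`. The same concern applies to the `cluster_token` output introduced in the second commit's outputs.tf hunk.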
@@ -110,7 +110,6 @@ Change logs are auto-generated with commitizen.
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
-| [aws_eks_cluster.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
 | [aws_eks_cluster_auth.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source |
 | [aws_iam_roles.roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
 | [aws_iam_roles.sso_admins](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
@@ -164,6 +163,7 @@ Change logs are auto-generated with commitizen.
 | [cluster\_security\_group\_id](#output\_cluster\_security\_group\_id) | ID of the cluster security group |
 | [cluster\_status](#output\_cluster\_status) | Status of the EKS cluster. One of `CREATING`, `ACTIVE`, `DELETING`, `FAILED` |
 | [cluster\_tls\_certificate\_sha1\_fingerprint](#output\_cluster\_tls\_certificate\_sha1\_fingerprint) | The SHA1 fingerprint of the public key of the cluster's certificate |
+| [cluster\_token](#output\_cluster\_token) | the token for kube config to access the cluster |
 | [cluster\_version](#output\_cluster\_version) | The Kubernetes version for the cluster |
 | [ebs\_csi\_irsa\_role](#output\_ebs\_csi\_irsa\_role) | The arn/name/unique\_id of the irsa role for the ebs-csi-driver addon |
 | [efs\_csi\_irsa\_role](#output\_efs\_csi\_irsa\_role) | The arn/name/unique\_id of the irsa role for the efs-csi-driver addon |
@@ -180,7 +180,6 @@ Change logs are auto-generated with commitizen.
 | [node\_security\_group\_id](#output\_node\_security\_group\_id) | ID of the node shared security group |
 | [oidc\_provider](#output\_oidc\_provider) | The OpenID Connect identity provider (issuer URL without leading `https://`) |
 | [oidc\_provider\_arn](#output\_oidc\_provider\_arn) | The ARN of the OIDC Provider if `enable_irsa = true` |
-| [provider\_kubernetes\_config](#output\_provider\_kubernetes\_config) | the values for configuring kube provider |
 | [security\_group\_all\_worker\_mgmt\_id](#output\_security\_group\_all\_worker\_mgmt\_id) | The security group to manage all of the worker nodes. |
 | [self\_managed\_node\_groups](#output\_self\_managed\_node\_groups) | Map of attribute maps for all self managed node groups created |
 | [self\_managed\_node\_groups\_autoscaling\_group\_names](#output\_self\_managed\_node\_groups\_autoscaling\_group\_names) | List of the autoscaling group names created by self-managed node groups |
diff --git a/aws_data.tf b/aws_data.tf
index 27b9124..ce3cba6 100644
--- a/aws_data.tf
+++ b/aws_data.tf
@@ -5,9 +5,7 @@ data "aws_region" "current" {}
 data "aws_arn" "current" {
   arn = data.aws_caller_identity.current.arn
 }
-data "aws_eks_cluster" "eks" {
-  name = module.cluster.cluster_id
-}
+
 data "aws_eks_cluster_auth" "eks" {
-  name = module.cluster.cluster_id
+  name = module.cluster.cluster_name
 }
diff --git a/outputs.tf b/outputs.tf
index 3ce8c6e..37f647d 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -282,12 +282,10 @@ output "node_group_name" {
   value = local.ng_name
 }
 
-output "provider_kubernetes_config" {
-  description = "the values for configuring kube provider"
+output "cluster_token" {
+  description = "the token for kube config to access the cluster"
   value = {
-    host = data.aws_eks_cluster.eks.endpoint
-    cluster_ca_certificate = base64decode(data.aws_eks_cluster.eks.certificate_authority[0].data)
-    token = data.aws_eks_cluster_auth.eks.token
+    token = data.aws_eks_cluster_auth.eks.token
   }
   sensitive = true
 }

From a0c196f982294201ee87432cef4662c2318dce08 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Wed, 18 Dec 2024 15:12:22 -0500
Subject: [PATCH 3/4] remove the write to kubeconfig

---
 README.md | 9 ++------
 aws_data.tf | 2 --
 main.tf | 11 -----------
 requirements.tf | 4 ----
 variables.tf | 6 ------
 5 files changed, 2 insertions(+), 30 deletions(-)

diff --git a/README.md b/README.md
index e9482bb..fac1e90 100644
--- a/README.md
+++ b/README.md
@@ -79,14 +79,12 @@ Change logs are auto-generated with commitizen.
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 0.13 |
 | [aws](#requirement\_aws) | >= 5.14.0 |
-| [null](#requirement\_null) | >= 3.2.1 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | [aws](#provider\_aws) | 5.73.0 |
-| [null](#provider\_null) | 3.2.3 |
 
 ## Modules
 
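Review bot: The new `cluster_token` output wraps a single string in a one-key object, so every consumer has to write `.cluster_token.token` to get at it; since the object carries nothing else, `value = data.aws_eks_cluster_auth.eks.token` is the simpler form and gives the output a plain string type. The description says "the token for kube config" but does not say that the token is short-lived and is only re-issued on plan/apply, which is the property a consumer most needs to know; suggest `description = "short-lived token from aws_eks_cluster_auth; re-issued only when this module is planned or applied"`. The state-plaintext caveat from the previous commit's `provider_kubernetes_config` output applies unchanged here: `sensitive = true` redacts CLI output but the token is still stored unencrypted in the state file.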
@@ -106,7 +104,6 @@ Change logs are auto-generated with commitizen.
 | [aws_security_group.additional_eks_cluster_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group.all_worker_mgmt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group_rule.allow_sidecar_injection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
-| [null_resource.kube_config_create](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
@@ -116,7 +113,6 @@ Change logs are auto-generated with commitizen. | [aws_iam_roles.sso_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source | | [aws_iam_session_context.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_session_context) | data source | | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | | [aws_subnet.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | | [aws_subnets.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | | [aws_vpc.eks_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | @@ -126,17 +122,16 @@ Change logs are auto-generated with commitizen. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [access\_entries](#input\_access\_entries) | Map of access entries to add to the cluster | `any` | `{}` | no | -| [census\_private\_cidr](#input\_census\_private\_cidr) | Census Private CIR Blocks | `list(string)` |
[
"148.129.0.0/16",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | +| [census\_private\_cidr](#input\_census\_private\_cidr) | Census Private CIR Blocks | `list(string)` |
[
"148.129.0.0/16",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | | [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | This allows to access the cluster from IEB cloud host | `bool` | `false` | no | | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes | | [cluster\_version](#input\_cluster\_version) | The Kubernetes version number to use for this EKS cluster. See https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html | `string` | `"1.27"` | no | | [eks\_instance\_disk\_size](#input\_eks\_instance\_disk\_size) | The size of the disk of the worker nodes in gigabytes. 40 is the approximate minimum. Needs to hold the all of the normal operating system files plus every image that will be used in the cluster. | `number` | `80` | no | -| [eks\_instance\_types](#input\_eks\_instance\_types) | EKS worker node instance types | `list(string)` |
[
"t3a.large"
]
| no | +| [eks\_instance\_types](#input\_eks\_instance\_types) | EKS worker node instance types | `list(string)` |
[
"t3a.large"
]
| no | | [eks\_ng\_desired\_size](#input\_eks\_ng\_desired\_size) | Node Group desired size | `number` | `4` | no | | [eks\_ng\_max\_size](#input\_eks\_ng\_max\_size) | Node Group maximum size | `number` | `15` | no | | [eks\_ng\_min\_size](#input\_eks\_ng\_min\_size) | Node Group minimum size | `number` | `4` | no | | [enable\_cluster\_creator\_admin\_permissions](#input\_enable\_cluster\_creator\_admin\_permissions) | Indicates whether or not to add the cluster creator (the identity used by Terraform) as an administrator via access entry | `bool` | `false` | no | -| [profile](#input\_profile) | AWS config profile | `string` | `""` | no | | [subnets\_name](#input\_subnets\_name) | Define the name of the subnets to be used by this cluster | `string` | `"*-container-*"` | no | | [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no | | [vpc\_name](#input\_vpc\_name) | Define the VPC name that will be used by this cluster | `string` | n/a | yes | diff --git a/aws_data.tf b/aws_data.tf index ce3cba6..25318f8 100644 --- a/aws_data.tf +++ b/aws_data.tf @@ -1,7 +1,5 @@ data "aws_caller_identity" "current" {} -data "aws_region" "current" {} - data "aws_arn" "current" { arn = data.aws_caller_identity.current.arn } diff --git a/main.tf b/main.tf index efab014..ecfed95 100644 --- a/main.tf +++ b/main.tf 
@@ -161,14 +161,3 @@ resource "aws_security_group_rule" "allow_sidecar_injection" {
   security_group_id = module.cluster.node_security_group_id
   source_security_group_id = module.cluster.cluster_primary_security_group_id
 }
-
-#################################################################
-# Update KubeConfig after cluster complete
-################################################################
-resource "null_resource" "kube_config_create" {
-  depends_on = [module.cluster.time_sleep]
-  provisioner "local-exec" {
-    interpreter = ["/bin/bash", "-c"]
-    command = "aws eks --region ${data.aws_region.current.name} update-kubeconfig --name ${module.cluster.cluster_name} --profile=${var.profile} && export KUBE_CONFIG_PATH=~/.kube/config && export KUBERNETES_MASTER=~/.kube/config"
-  }
-}
diff --git a/requirements.tf b/requirements.tf
index 2f6cccc..1c41a9b 100644
--- a/requirements.tf
+++ b/requirements.tf
@@ -6,9 +6,5 @@ terraform {
       source = "hashicorp/aws"
       version = ">= 5.14.0"
     }
-    null = {
-      source = "hashicorp/null"
-      version = ">= 3.2.1"
-    }
   }
 }
diff --git a/variables.tf b/variables.tf
index 9b19197..2aac95c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -86,9 +86,3 @@ variable "tags" {
   type = map(string)
   default = {}
 }
-
-variable "profile" {
-  description = "AWS config profile"
-  type = string
-  default = ""
-}

From 423585a27c0bdb40c9fd669d4b6ef27d4c478eef Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Wed, 18 Dec 2024 15:15:26 -0500
Subject: [PATCH 4/4] remove failed experiments

---
 README.md | 2 --
 aws_data.tf | 4 ----
 outputs.tf | 8 --------
 3 files changed, 14 deletions(-)

diff --git a/README.md b/README.md
index fac1e90..7cd8bb7 100644
--- a/README.md
+++ b/README.md
@@ -107,7 +107,6 @@ Change logs are auto-generated with commitizen.
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
-| [aws_eks_cluster_auth.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source |
 | [aws_iam_roles.roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
 | [aws_iam_roles.sso_admins](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
 | [aws_iam_roles.sso_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
@@ -158,7 +157,6 @@ Change logs are auto-generated with commitizen.
 | [cluster\_security\_group\_id](#output\_cluster\_security\_group\_id) | ID of the cluster security group |
 | [cluster\_status](#output\_cluster\_status) | Status of the EKS cluster. One of `CREATING`, `ACTIVE`, `DELETING`, `FAILED` |
 | [cluster\_tls\_certificate\_sha1\_fingerprint](#output\_cluster\_tls\_certificate\_sha1\_fingerprint) | The SHA1 fingerprint of the public key of the cluster's certificate |
-| [cluster\_token](#output\_cluster\_token) | the token for kube config to access the cluster |
 | [cluster\_version](#output\_cluster\_version) | The Kubernetes version for the cluster |
 | [ebs\_csi\_irsa\_role](#output\_ebs\_csi\_irsa\_role) | The arn/name/unique\_id of the irsa role for the ebs-csi-driver addon |
 | [efs\_csi\_irsa\_role](#output\_efs\_csi\_irsa\_role) | The arn/name/unique\_id of the irsa role for the efs-csi-driver addon |
diff --git a/aws_data.tf b/aws_data.tf
index 25318f8..2c6aade 100644
--- a/aws_data.tf
+++ b/aws_data.tf
@@ -3,7 +3,3 @@ data "aws_caller_identity" "current" {}
 data "aws_arn" "current" {
   arn = data.aws_caller_identity.current.arn
 }
-
-data "aws_eks_cluster_auth" "eks" {
-  name = module.cluster.cluster_name
-}
diff --git a/outputs.tf b/outputs.tf
index 37f647d..3c868cb 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -281,11 +281,3 @@ output "node_group_name" {
   description = "name of the node group created for use by karpenter"
   value = local.ng_name
 }
-
-output "cluster_token" {
-  description = "the token for kube config to access the cluster"
-  value = {
-    token = data.aws_eks_cluster_auth.eks.token
-  }
-  sensitive = true
-}