From 1f8393f5e68dbba49dcc98abf1bc178a21c7bda8 Mon Sep 17 00:00:00 2001
From: badra001
Date: Mon, 5 Feb 2024 12:33:18 -0500
Subject: [PATCH] add conversion doc for eks

---
 conversion/eks/README.md | 56 +++++++++++++++++++++++++++
 conversion/eks/cert-manager-issuer.tf | 14 +++++++
 conversion/eks/main.tf.diffs | 25 ++++++++++++
 conversion/eks/test-cert.tf | 38 ++++++++++++++++++
 4 files changed, 133 insertions(+)
 create mode 100644 conversion/eks/README.md
 create mode 100644 conversion/eks/cert-manager-issuer.tf
 create mode 100644 conversion/eks/main.tf.diffs
 create mode 100644 conversion/eks/test-cert.tf

diff --git a/conversion/eks/README.md b/conversion/eks/README.md
new file mode 100644
index 0000000..316417e
--- /dev/null
+++ b/conversion/eks/README.md
@@ -0,0 +1,56 @@
+# Convert
+
+Work in a git branch.
+
+* copy new file
+
+Copy `cert-manager-issuer.tf` from [here](cert-manager-issuer.tf) or [here](https://github.e.it.census.gov/raw/terraform-modules/aws-eks/tf-upgrade/examples/cert-manager-issuer/cert-manager-issuer.tf) to `common-services/`.
+
+* comment old cert
+
+Comment out `module "cert"` from `cert.tf.
+
+* update `main.tf`
+
+Update `main.tf` helm settings for the intermediate-certificate-issuer
+
+Change the `tls.crt` and `tls.key` settings to the module output values listed below.
+
+```hcl
+ set {
+ name = "tls.crt"
++# value = local.tls_crt_b64
+ value = module.subordinate_ca.certificate_tls_crt
+ }
+ set {
+ name = "tls.key"
++# value = local.tls_key_b64
+ value = module.subordinate_ca.certificate_tls_key
+ }
+ }
+```
+
+* apply
+
+`tf-apply`. As there is no ACM certificate here, you should be able to apply without using `-target`.
+
+* remove old key
+
+```script
+git-secret remove -c certs/pki*key
+```
+
+* remove rest of certs/
+
+```script
+git rm -r certs/
+```
+
+* commit -a, push and PR
+
+```script
+git commit -a
+git push
+# do PR
+```
+
diff --git a/conversion/eks/cert-manager-issuer.tf b/conversion/eks/cert-manager-issuer.tf
new file mode 100644
index 0000000..65d1abd
--- /dev/null
+++ b/conversion/eks/cert-manager-issuer.tf
@@ -0,0 +1,14 @@
+module "subordinate_ca" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca-eks-cert-manager"
+
+ cluster_name = var.cluster_name
+ contact_email = var.contact_email
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.account_tags,
+ var.infrastructure_tags,
+ var.application_tags,
+ )
+}
diff --git a/conversion/eks/main.tf.diffs b/conversion/eks/main.tf.diffs
new file mode 100644
index 0000000..967af59
--- /dev/null
+++ b/conversion/eks/main.tf.diffs
@@ -0,0 +1,25 @@
+diff --git a/vpc/east/vpc2/apps/eks-csvd-datadog-poc/common-services/main.tf b/vpc/east/vpc2/apps/eks-csvd-datadog-poc/common-services/main.tf
+index 29efe14..9f6efc7 100644
+--- a/vpc/east/vpc2/apps/eks-csvd-datadog-poc/common-services/main.tf
++++ b/vpc/east/vpc2/apps/eks-csvd-datadog-poc/common-services/main.tf
+@@ -245,14 +245,17 @@ resource "helm_release" "intermediate-certificate-issuer" {
+
+ set {
+ name = "tls.crt"
+- value = local.tls_crt_b64
++# value = local.tls_crt_b64
++ value = module.subordinate_ca.certificate_tls_crt
+ }
+ set {
+ name = "tls.key"
+- value = local.tls_key_b64
++# value = local.tls_key_b64
++ value = module.subordinate_ca.certificate_tls_key
+ }
+ }
+
++
+ # when using vault as a CA is requested
+ resource "helm_release" "vault-certificate-issuer" {
+ count = local.vault_ca == true ? 1 : 0
+
diff --git a/conversion/eks/test-cert.tf b/conversion/eks/test-cert.tf
new file mode 100644
index 0000000..f9372b6
--- /dev/null
+++ b/conversion/eks/test-cert.tf
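Review bot: The module `source` on the second line of the hunk carries no `?ref=` pin, so every `terraform init` fetches whatever the default branch of `terraform-modules/aws-certificates` holds at that moment; for a module that appears to mint a subordinate CA and whose key output is then fed to Helm, an unreviewed upstream change lands silently in every cluster that follows this guide. Pin it to a reviewed tag or commit, `source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca-eks-cert-manager?ref=<TAG_OR_COMMIT>"`, and name the pinned version in the README step that copies this file. The `merge()` also assumes `local.base_tags`, `local.common_tags` and the three `var.*_tags` already exist in the target `common-services/` root; a one-line header comment listing those prerequisites would spare the first reader a failed plan.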
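Review bot: The new `tls.key` value in the embedded diff still goes through a plain `set` block, so the subordinate CA's private key is shown in `terraform plan` output and in any CI log that captures it; the helm provider's `set_sensitive` block exists for exactly this, `set_sensitive { name = "tls.key" value = module.subordinate_ca.certificate_tls_key }`, and this `.diffs` file is what readers will copy from. The commented-out `# value = local.tls_crt_b64` / `# value = local.tls_key_b64` lines are dead text once `module "cert"` is gone per the README; drop them rather than carry them into the instructions. Counting the lines as they appear here, the inner header `@@ -245,14 +245,17 @@` seems to claim one line fewer than the body lists on each side, which would make `git apply` reject the file — if it was hand-edited, regenerating it from `git diff` is safer.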
@@ -0,0 +1,38 @@
+locals {
+ vs_cert_name = "test"
+}
+
+resource "kubernetes_manifest" "vs_certificate" {
+ manifest = {
+ apiVersion = "cert-manager.io/v1"
+ kind = "Certificate"
+
+ metadata = {
+ name = format("%v-cert", local.vs_cert_name)
+ namespace = "istio-system"
+ }
+ spec = {
+ secretName = format("%v-cert", local.vs_cert_name)
+ commonName = format("%v.%v.%v", local.vs_cert_name, var.cluster_name, var.vpc_domain_name)
+ dnsNames = [
+ format("%v.%v.%v", local.vs_cert_name, var.cluster_name, var.vpc_domain_name),
+ format("%v.%v", local.vs_cert_name, var.vpc_domain_name),
+ ]
+ subject = {
+ countries = ["US"]
+ organizations = ["U.S. Census Bureau"]
+ organizationalUnits = ["Services"]
+ }
+ usages = [
+ "digital signature",
+ "key encipherment",
+ "server auth",
+ "client auth",
+ ]
+ issuerRef = {
+ kind = "ClusterIssuer"
+ name = "clusterissuer"
+ }
+ }
+ }
+}
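Review bot: `test-cert.tf` is not referenced by any README step, so a reader cannot tell whether it is meant to be applied as part of the conversion or only as a one-off check that the new `ClusterIssuer` issues, and if the latter, when to remove it; a header comment such as `# Verification only: requests a throwaway certificate from the new ClusterIssuer. Remove once the Certificate reports Ready.` would settle that. The `usages` list requests `client auth` alongside `server auth`; a smoke-test endpoint needs only `server auth`, and a key in `istio-system` that can also authenticate as a client is broader than the check requires. With no `duration`/`renewBefore` the cert-manager defaults apply, which may or may not match what the ACM PCA-backed issuer permits — worth confirming against the module's documentation before this is rolled out.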