Merge branch 'master' into add-example

terraform-modules · Nov 21, 2021 · 0fa6c0c · 0fa6c0c
2 parents d677d55 + 46ade3a
commit 0fa6c0c
Show file tree

Hide file tree

Showing 52 changed files with 183 additions and 177 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -4,12 +4,15 @@ repos:
   hooks:
 #    - id: terraform_validate
     - id: terraform_fmt
+      exclude: examples
     - id: terraform_docs_replace
       args: ['table']
       exclude: common/*.tf
       exclude: version.tf
+      exclude: examples
     - id: terraform_tflint 
       args:  [ "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"]
+      exclude: examples
 - repo: https://github.com/pre-commit/pre-commit-hooks
   rev: v3.4.0
   hooks:

diff --git a/examples/full-cluster/.terraform-docs.yml b/examples/full-cluster/.terraform-docs.yml
diff --git a/examples/full-cluster/README.md b/examples/full-cluster/README.md
@@ -1,24 +1,4 @@
-# About
-
-This directory constructs the appropriate resources for an EKS cluster for ADSD Cumulus in the DICE-DEV environent.`
-
-# Application Information
-
-* Application: {name of application}
-* Organization: {division}
-* Project: {project}
-* Point of Contact(s): {username list}
-* Creation Date: {yyyy-mm-dd}
-* References:
-  * Requirements: {url}
-  * Remedy Ticket: {number}
-  * Other: {url}
-* Related Configurations:
-  * {directory-path}
-
-# Application Requirements
-
-# Terraform Directions
+# EKS Full Cluster Example
 
 There are a number of steps to end up with a cluster.
 
@@ -511,5 +491,5 @@ clusterrolebinding.rbac.authorization.k8s.io/eks-console-dashboard-full-access-b
 # Details
 
 <!-- BEGIN_TF_DOCS -->
-{{ .Content }}
+<!-- {{ .Content }} -->
 <!-- END_TF_DOCS -->
diff --git a/examples/full-cluster/aws-auth/aws-auth.auto.tfvars b/examples/full-cluster/aws-auth/aws-auth.auto.tfvars
@@ -0,0 +1,22 @@
+aws_auth_users = [
+  {
+    userarn      = ""
+    aws_username = "a-ashle001"
+    username     = "admin"
+    groups       = ["system:masters", "eks-console-dashboard-full-access-group"]
+  },
+  {
+    userarn      = ""
+    aws_username = "a-badra001"
+    username     = "admin"
+    groups       = ["system:masters", "eks-console-dashboard-full-access-group"]
+  },
+]
+aws_auth_roles = [
+  {
+    rolearn : ""
+    aws_rolename : "r-inf-cloud-admin"
+    username : "admin"
+    groups = ["eks-console-dashboard-full-access-group"]
+  },
+]
diff --git a/examples/full-cluster/aws-auth/settings.auto.tfvars b/examples/full-cluster/aws-auth/settings.auto.tfvars
@@ -0,0 +1 @@
+../settings.auto.tfvars
diff --git a/examples/full-cluster/aws-auth/tf-run.data b/examples/full-cluster/aws-auth/tf-run.data
@@ -1,3 +1,4 @@
+REMOTE-STATE
 COMMAND tf-directory-setup.py -l none -f
 COMMAND setup-new-directory.sh
 COMMAND tf-init -upgrade

diff --git a/examples/full-cluster/aws-auth/variables.vpc.auto.tfvars b/examples/full-cluster/aws-auth/variables.vpc.auto.tfvars
@@ -0,0 +1 @@
+../variables.vpc.auto.tfvars
diff --git a/examples/full-cluster/cluster-roles/.terraform-docs.yml b/examples/full-cluster/cluster-roles/.terraform-docs.yml
diff --git a/examples/full-cluster/cluster-roles/README.md b/examples/full-cluster/cluster-roles/README.md
@@ -233,4 +233,6 @@ vpc_ntp_servers = [
   "148.129.127.23",
   "148.129.191.23"
 ]
+
+<!-- BEGIN_TF_DOCS -->
 <!-- END_TF_DOCS -->
diff --git a/examples/full-cluster/cluster-roles/deployer-clusterrole.tf b/examples/full-cluster/cluster-roles/deployer-clusterrole.tf
@@ -6,6 +6,7 @@ resource "kubernetes_cluster_role" "cicd_deployer_istiosystem_cluster_role" {
   rule {
     api_groups = ["acme.cert-manager.io"]
     resources  = ["challenges", "orders", "certificaterequests"]
+
     verbs      = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
   }
 
@@ -18,6 +19,7 @@ resource "kubernetes_cluster_role" "cicd_deployer_istiosystem_cluster_role" {
 
   rule {
     verbs      = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+
     api_groups = ["networking.istio.io"]
     resources  = ["gateways"]
   }
@@ -63,5 +65,4 @@ resource "kubernetes_cluster_role" "cicd_deployer_application_cluster_role" {
     resources  = ["certificates"]
     verbs      = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
   }
-
 }
diff --git a/examples/full-cluster/cluster-roles/deployer.iam.tf b/examples/full-cluster/cluster-roles/deployer.iam.tf
@@ -1,6 +1,6 @@
 locals {
   policy_cicd_k8s_group_name = replace(local.cicd_k8s_iam_username, local._prefixes["eks-user"], local._prefixes["eks-policy"])
-  role_cicd_k8s_group_name   = replace(local.cicd_k8s_iam_username, local._prefixes["eks-user"], "")
+  role_cicd_k8s_group_name = replace(local.cicd_k8s_iam_username, local._prefixes["eks-user"],"")
   iam_policies_cicd          = ["p-inf-manage-access-keys"]
 }
 
@@ -66,7 +66,7 @@ locals {
       resources = ["*"]
     }
     ECRWrite = {
-      #      effect = "Deny"
+#      effect = "Deny"
       actions = [
         "ecr:BatchDeleteImage",
         "ecr:CompleteLayerUpload",

diff --git a/examples/full-cluster/cluster-roles/remote_state.yml b/examples/full-cluster/cluster-roles/remote_state.yml
diff --git a/examples/full-cluster/cluster-roles/settings.auto.tfvars b/examples/full-cluster/cluster-roles/settings.auto.tfvars
@@ -0,0 +1 @@
+../settings.auto.tfvars
diff --git a/examples/full-cluster/cluster-roles/tf-run.data b/examples/full-cluster/cluster-roles/tf-run.data
@@ -0,0 +1,10 @@
+REMOTE-STATE
+STOP only run this after the cluster roles represented here have been setup in K8S
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+COMMAND tf-init -upgrade
+POLICY
+ALL
+COMMAND tf-directory-setup.py -l s3
+
+COMMENT cd ../ and continue
diff --git a/examples/full-cluster/common-services/common-services.auto.tfvars b/examples/full-cluster/common-services/common-services.auto.tfvars
@@ -0,0 +1,2 @@
+#tls_crt_file = "certs/pki.test4.sandbox.csp2.census.gov.bundle.crt"
+#tls_key_file = "certs/pki.test4.sandbox.csp2.census.gov.key"
diff --git a/examples/full-cluster/common-services/main.tf b/examples/full-cluster/common-services/main.tf
@@ -20,12 +20,6 @@ locals {
     #  name       = "certificate-issuer"
     #  name       = "istio-profile"
   }
-
-  base_tags = {
-    "eks-cluster-name"      = var.cluster_name
-    "boc:tf_module_version" = local._module_version
-    "boc:created_by"        = "terraform"
-  }
 }
 
 resource "kubernetes_namespace" "cert-manager" {

diff --git a/examples/full-cluster/common-services/settings.auto.tfvars b/examples/full-cluster/common-services/settings.auto.tfvars
@@ -0,0 +1 @@
+../settings.auto.tfvars
diff --git a/examples/full-cluster/common-services/tf-run.data b/examples/full-cluster/common-services/tf-run.data
@@ -1,10 +1,8 @@
+REMOTE-STATE
 COMMAND tf-directory-setup.py -l none -f
 COMMAND setup-new-directory.sh
 COMMAND tf-init -upgrade
-tls_private_key.ca
-tls_cert_request.ca
-null_resource.ca_root_cert
-null_resource.ca_files
+tls_private_key.ca tls_cert_request.ca null_resource.ca_root_cert null_resource.ca_files
 null_resource.ca_cert
 local_file.ca_bundle_cert
 COMMAND tf-directory-setup.py -l s3
@@ -13,13 +11,9 @@ COMMENT submit certs/*csr using command ouptut listed in apply to TCO for signin
 STOP once that is availabile, change cert_download to true
 
 COMMAND terraform taint null_resource.ca_cert
-null_resource.ca_root_cert
-null_resource.ca_files
-null_resource.ca_cert
+null_resource.ca_root_cert null_resource.ca_files null_resource.ca_cert
 COMMENT second run is to complete the steps
-null_resource.ca_root_cert
-null_resource.ca_files
-null_resource.ca_cert
+null_resource.ca_root_cert null_resource.ca_files null_resource.ca_cert
 
 ALL
 

diff --git a/examples/full-cluster/common-services/variables.vpc.auto.tfvars b/examples/full-cluster/common-services/variables.vpc.auto.tfvars
@@ -0,0 +1 @@
+../variables.vpc.auto.tfvars
diff --git a/examples/full-cluster/data.eks-main.tf b/examples/full-cluster/data.eks-main.tf
diff --git a/examples/full-cluster/data.eks-main.tf b/examples/full-cluster/data.eks-main.tf
@@ -0,0 +1,18 @@
+locals {
+  aws_eks_cluster_auth = data.aws_eks_cluster_auth.cluster
+  # for main.tf
+  aws_eks_cluster = aws_eks_cluster.eks_cluster
+  # for all subdirectories
+  ##  aws_eks_cluster = data.aws_eks_cluster.cluster
+}
+
+data "aws_eks_cluster_auth" "cluster" {
+  name = var.cluster_name
+}
+
+#---
+#  for all subdirectories only
+#---
+## data "aws_eks_cluster" "cluster" {
+##   name = var.cluster_name
+## }
diff --git a/examples/full-cluster/ebs-encryption.tf b/examples/full-cluster/ebs-encryption.tf
@@ -7,9 +7,9 @@ resource "kubernetes_storage_class" "ebs_encrypted" {
   }
   parameters = {
     fsType    = "ext4"
-    type       = "gp2"
-    encrypted  = "true"
-#    kms_key_id = data.aws_kms_key.ebs_key.arn
+    type      = "gp2"
+    encrypted = "true"
+    #    kms_key_id = data.aws_kms_key.ebs_key.arn
     kmsKeyId = data.aws_kms_key.ebs_key.arn
   }
   storage_provisioner    = "kubernetes.io/aws-ebs"

diff --git a/examples/full-cluster/efs/copy_images.tf b/examples/full-cluster/efs/copy_images.tf
@@ -47,6 +47,8 @@ resource "null_resource" "copy_images" {
   provisioner "local-exec" {
     command = "${path.module}/copy_image.sh"
     environment = {
+      AWS_PROFILE          = var.profile
+      AWS_REGION           = local.region
       SOURCE_IMAGE         = format("%v/%v:%v", local.src_reg, each.value.image, each.value.tag)
       DESTINATION_IMAGE    = format("%v:%v", aws_ecr_repository.repository[each.key].repository_url, each.value.tag)
       DESTINATION_USERNAME = data.aws_ecr_authorization_token.token.user_name

diff --git a/examples/full-cluster/efs/locals.tf b/examples/full-cluster/efs/locals.tf
@@ -12,6 +12,6 @@ locals {
   subnet_ids           = local.parent_rs.cluster_subnet_ids
   cluster_worker_sg_id = local.parent_rs.cluster_worker_sg_id
 
-  oidc_provider_url    = local.parent_rs.oidc_provider_url
-  oidc_provider_arn    = local.parent_rs.oidc_provider_arn
+  oidc_provider_url = local.parent_rs.oidc_provider_url
+  oidc_provider_arn = local.parent_rs.oidc_provider_arn
 }
diff --git a/examples/full-cluster/efs/settings.auto.tfvars b/examples/full-cluster/efs/settings.auto.tfvars
@@ -0,0 +1 @@
+../settings.auto.tfvars
diff --git a/examples/full-cluster/efs/tf-run.data b/examples/full-cluster/efs/tf-run.data
@@ -1,7 +1,8 @@
+REMOTE-STATE
 COMMAND tf-directory-setup.py -l none -f
 COMMAND setup-new-directory.sh
 COMMAND tf-init -upgrade
 POLICY
 ALL
 COMMAND tf-directory-setup.py -l s3
-STOP cd ../common-services and tf-run.sh apply
+STOP cd ../irsa-roles and tf-run.sh apply
diff --git a/examples/full-cluster/efs/variables.vpc.auto.tfvars b/examples/full-cluster/efs/variables.vpc.auto.tfvars
@@ -0,0 +1 @@
+../variables.vpc.auto.tfvars