diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 6f20ddd..dda5778 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -4,12 +4,15 @@ repos:
hooks:
# - id: terraform_validate
- id: terraform_fmt
+ exclude: examples
- id: terraform_docs_replace
args: ['table']
exclude: common/*.tf
exclude: version.tf
+ exclude: examples
- id: terraform_tflint
args: [ "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"]
+ exclude: examples
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v3.4.0
hooks:
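Review bot: The `terraform_docs_replace` hook now carries three `exclude` keys in one mapping (`common/*.tf`, `version.tf`, and the added `examples`); duplicate keys are not valid YAML, and the loaders that tolerate them keep only the last one, so this addition silently drops the `common/*.tf` and `version.tf` exclusions, while a strict loader rejects the file outright. pre-commit's `exclude` is a single Python regex, so the three belong in one entry: `exclude: '^(common/.*\.tf|version\.tf|examples/)'`. The bare `examples` on the `terraform_fmt` and `terraform_tflint` hooks is also an unanchored regex that matches any path containing that substring; `^examples/` is the safer form. Excluding examples from `terraform_fmt` also means the spacing regressions this same commit introduces in examples/full-cluster/cluster-roles/deployer.iam.tf (the space removed before `""` and the comment moved to column 0) will no longer be flagged by the hook.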
diff --git a/examples/full-cluster/.terraform-docs.yml b/examples/full-cluster/.terraform-docs.yml
deleted file mode 100644
index 8391b9d..0000000
--- a/examples/full-cluster/.terraform-docs.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-formatter: markdown table
-
-header-from: main.tf
-footer-from: ""
-
-sections:
-## hide: []
- show:
- - data-sources
- - header
- - footer
- - inputs
- - modules
- - outputs
- - providers
- - requirements
- - resources
-
-output:
- file: README.md
- mode: inject
- template: |-
-
- {{ .Content }}
-
-
-## output-values:
-## enabled: false
-## from: ""
-##
-## sort:
-## enabled: true
-## by: name
-##
-## settings:
-## anchor: true
-## color: true
-## default: true
-## description: false
-## escape: true
-## indent: 2
-## required: true
-## sensitive: true
-## type: true
diff --git a/examples/full-cluster/README.md b/examples/full-cluster/README.md
index b7607b5..ac6e9d1 100644
--- a/examples/full-cluster/README.md
+++ b/examples/full-cluster/README.md
@@ -1,24 +1,4 @@
-# About
-
-This directory constructs the appropriate resources for an EKS cluster for ADSD Cumulus in the DICE-DEV environent.`
-
-# Application Information
-
-* Application: {name of application}
-* Organization: {division}
-* Project: {project}
-* Point of Contact(s): {username list}
-* Creation Date: {yyyy-mm-dd}
-* References:
- * Requirements: {url}
- * Remedy Ticket: {number}
- * Other: {url}
-* Related Configurations:
- * {directory-path}
-
-# Application Requirements
-
-# Terraform Directions
+# EKS Full Cluster Example
There are a number of steps to end up with a cluster.
@@ -511,5 +491,5 @@ clusterrolebinding.rbac.authorization.k8s.io/eks-console-dashboard-full-access-b
# Details
-{{ .Content }}
+
diff --git a/examples/full-cluster/aws-auth/aws-auth.auto.tfvars b/examples/full-cluster/aws-auth/aws-auth.auto.tfvars
new file mode 100644
index 0000000..0c382af
--- /dev/null
+++ b/examples/full-cluster/aws-auth/aws-auth.auto.tfvars
@@ -0,0 +1,22 @@
+aws_auth_users = [
+ {
+ userarn = ""
+ aws_username = "a-ashle001"
+ username = "admin"
+ groups = ["system:masters", "eks-console-dashboard-full-access-group"]
+ },
+ {
+ userarn = ""
+ aws_username = "a-badra001"
+ username = "admin"
+ groups = ["system:masters", "eks-console-dashboard-full-access-group"]
+ },
+]
+aws_auth_roles = [
+ {
+ rolearn : ""
+ aws_rolename : "r-inf-cloud-admin"
+ username : "admin"
+ groups = ["eks-console-dashboard-full-access-group"]
+ },
+]
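Review bot: The two user entries and the role entry bind real-looking identities (`a-ashle001`, `a-badra001`, `r-inf-cloud-admin`) to `system:masters` in an example directory; an example should carry obvious placeholders, as settings.auto.tfvars.example does, so that a copy-paste of this file cannot hand cluster-admin to accounts that were never meant to be in the cluster. `userarn` and `rolearn` are left as `""`, so whether the name alone is enough to build the aws-auth mapping depends on the consuming module, which is not visible in this diff — worth a comment on the first entry stating what the module does with an empty ARN. The role block also mixes `:` and `=` for attributes (`rolearn : ""` next to `groups = [...]`); HCL accepts both in an object literal, but the user blocks use `=` throughout, so `rolearn = ""`, `aws_rolename = "r-inf-cloud-admin"`, `username = "admin"` keeps the file consistent.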
diff --git a/examples/full-cluster/aws-auth/settings.auto.tfvars b/examples/full-cluster/aws-auth/settings.auto.tfvars
new file mode 120000
index 0000000..e397af4
--- /dev/null
+++ b/examples/full-cluster/aws-auth/settings.auto.tfvars
@@ -0,0 +1 @@
+../settings.auto.tfvars
\ No newline at end of file
diff --git a/examples/full-cluster/aws-auth/tf-run.data b/examples/full-cluster/aws-auth/tf-run.data
index 44f61ff..ce77f28 100644
--- a/examples/full-cluster/aws-auth/tf-run.data
+++ b/examples/full-cluster/aws-auth/tf-run.data
@@ -1,3 +1,4 @@
+REMOTE-STATE
COMMAND tf-directory-setup.py -l none -f
COMMAND setup-new-directory.sh
COMMAND tf-init -upgrade
diff --git a/examples/full-cluster/aws-auth/variables.vpc.auto.tfvars b/examples/full-cluster/aws-auth/variables.vpc.auto.tfvars
new file mode 120000
index 0000000..cb9b691
--- /dev/null
+++ b/examples/full-cluster/aws-auth/variables.vpc.auto.tfvars
@@ -0,0 +1 @@
+../variables.vpc.auto.tfvars
\ No newline at end of file
diff --git a/examples/full-cluster/cluster-roles/.terraform-docs.yml b/examples/full-cluster/cluster-roles/.terraform-docs.yml
deleted file mode 100644
index 8391b9d..0000000
--- a/examples/full-cluster/cluster-roles/.terraform-docs.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-formatter: markdown table
-
-header-from: main.tf
-footer-from: ""
-
-sections:
-## hide: []
- show:
- - data-sources
- - header
- - footer
- - inputs
- - modules
- - outputs
- - providers
- - requirements
- - resources
-
-output:
- file: README.md
- mode: inject
- template: |-
-
- {{ .Content }}
-
-
-## output-values:
-## enabled: false
-## from: ""
-##
-## sort:
-## enabled: true
-## by: name
-##
-## settings:
-## anchor: true
-## color: true
-## default: true
-## description: false
-## escape: true
-## indent: 2
-## required: true
-## sensitive: true
-## type: true
diff --git a/examples/full-cluster/cluster-roles/README.md b/examples/full-cluster/cluster-roles/README.md
index 15664f8..eae6d1d 100644
--- a/examples/full-cluster/cluster-roles/README.md
+++ b/examples/full-cluster/cluster-roles/README.md
@@ -233,4 +233,6 @@ vpc_ntp_servers = [
"148.129.127.23",
"148.129.191.23"
]
+
+
diff --git a/examples/full-cluster/cluster-roles/deployer-clusterrole.tf b/examples/full-cluster/cluster-roles/deployer-clusterrole.tf
index 7cede6e..0ca031a 100644
--- a/examples/full-cluster/cluster-roles/deployer-clusterrole.tf
+++ b/examples/full-cluster/cluster-roles/deployer-clusterrole.tf
@@ -6,6 +6,7 @@ resource "kubernetes_cluster_role" "cicd_deployer_istiosystem_cluster_role" {
rule {
api_groups = ["acme.cert-manager.io"]
resources = ["challenges", "orders", "certificaterequests"]
+
verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
}
@@ -18,6 +19,7 @@ resource "kubernetes_cluster_role" "cicd_deployer_istiosystem_cluster_role" {
rule {
verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
+
api_groups = ["networking.istio.io"]
resources = ["gateways"]
}
@@ -63,5 +65,4 @@ resource "kubernetes_cluster_role" "cicd_deployer_application_cluster_role" {
resources = ["certificates"]
verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"]
}
-
}
diff --git a/examples/full-cluster/cluster-roles/deployer.iam.tf b/examples/full-cluster/cluster-roles/deployer.iam.tf
index 13f4192..1b22261 100644
--- a/examples/full-cluster/cluster-roles/deployer.iam.tf
+++ b/examples/full-cluster/cluster-roles/deployer.iam.tf
@@ -1,6 +1,6 @@
locals {
policy_cicd_k8s_group_name = replace(local.cicd_k8s_iam_username, local._prefixes["eks-user"], local._prefixes["eks-policy"])
- role_cicd_k8s_group_name = replace(local.cicd_k8s_iam_username, local._prefixes["eks-user"], "")
+ role_cicd_k8s_group_name = replace(local.cicd_k8s_iam_username, local._prefixes["eks-user"],"")
iam_policies_cicd = ["p-inf-manage-access-keys"]
}
@@ -66,7 +66,7 @@ locals {
resources = ["*"]
}
ECRWrite = {
- # effect = "Deny"
+# effect = "Deny"
actions = [
"ecr:BatchDeleteImage",
"ecr:CompleteLayerUpload",
diff --git a/examples/full-cluster/cluster-roles/remote_state.yml b/examples/full-cluster/cluster-roles/remote_state.yml
deleted file mode 100644
index b1c5141..0000000
--- a/examples/full-cluster/cluster-roles/remote_state.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-directory: "applications/apps-adsd-eks/vpc/east/vpc3/apps/eks-adsd-cumulus-qa/cluster-roles"
-profile: "252960665057-ma6-gov"
-bucket: "inf-tfstate-252960665057"
-bucket_region: "us-gov-east-1"
-region: "us-gov-east-1"
-regions: ["us-gov-east-1"]
-account_id: "252960665057"
-account_alias: "ma6-gov"
-aws_environment: "gov"
diff --git a/examples/full-cluster/cluster-roles/settings.auto.tfvars b/examples/full-cluster/cluster-roles/settings.auto.tfvars
new file mode 120000
index 0000000..e397af4
--- /dev/null
+++ b/examples/full-cluster/cluster-roles/settings.auto.tfvars
@@ -0,0 +1 @@
+../settings.auto.tfvars
\ No newline at end of file
diff --git a/examples/full-cluster/cluster-roles/tf-run.data b/examples/full-cluster/cluster-roles/tf-run.data
new file mode 100644
index 0000000..5d91871
--- /dev/null
+++ b/examples/full-cluster/cluster-roles/tf-run.data
@@ -0,0 +1,10 @@
+REMOTE-STATE
+STOP only run this after the cluster roles represented here have been setup in K8S
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+COMMAND tf-init -upgrade
+POLICY
+ALL
+COMMAND tf-directory-setup.py -l s3
+
+COMMENT cd ../ and continue
diff --git a/examples/full-cluster/common-services/common-services.auto.tfvars b/examples/full-cluster/common-services/common-services.auto.tfvars
new file mode 100644
index 0000000..8198041
--- /dev/null
+++ b/examples/full-cluster/common-services/common-services.auto.tfvars
@@ -0,0 +1,2 @@
+#tls_crt_file = "certs/pki.test4.sandbox.csp2.census.gov.bundle.crt"
+#tls_key_file = "certs/pki.test4.sandbox.csp2.census.gov.key"
diff --git a/examples/full-cluster/common-services/main.tf b/examples/full-cluster/common-services/main.tf
index 45ee939..dd8c4fa 100644
--- a/examples/full-cluster/common-services/main.tf
+++ b/examples/full-cluster/common-services/main.tf
@@ -20,12 +20,6 @@ locals {
# name = "certificate-issuer"
# name = "istio-profile"
}
-
- base_tags = {
- "eks-cluster-name" = var.cluster_name
- "boc:tf_module_version" = local._module_version
- "boc:created_by" = "terraform"
- }
}
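Review bot: The `base_tags` local is removed from this locals block, but nothing in the hunk shows where its users went; any remaining `local.base_tags` reference under examples/full-cluster/common-services fails at plan time with an undeclared-local error, and with `terraform_validate` commented out in the pre-commit config at the top of this diff no hook will catch that. If the tags were consolidated elsewhere (the root examples/full-cluster/main.tf hunk still defines its own `base_tags`), a one-line comment pointing readers to the new source, `# base_tags now comes from <new location>`, would help anyone following the example. The enclosing locals block starts above the hunk.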
resource "kubernetes_namespace" "cert-manager" {
diff --git a/examples/full-cluster/common-services/settings.auto.tfvars b/examples/full-cluster/common-services/settings.auto.tfvars
new file mode 120000
index 0000000..e397af4
--- /dev/null
+++ b/examples/full-cluster/common-services/settings.auto.tfvars
@@ -0,0 +1 @@
+../settings.auto.tfvars
\ No newline at end of file
diff --git a/examples/full-cluster/common-services/tf-run.data b/examples/full-cluster/common-services/tf-run.data
index 63f8c73..47d1bf6 100644
--- a/examples/full-cluster/common-services/tf-run.data
+++ b/examples/full-cluster/common-services/tf-run.data
@@ -1,10 +1,8 @@
+REMOTE-STATE
COMMAND tf-directory-setup.py -l none -f
COMMAND setup-new-directory.sh
COMMAND tf-init -upgrade
-tls_private_key.ca
-tls_cert_request.ca
-null_resource.ca_root_cert
-null_resource.ca_files
+tls_private_key.ca tls_cert_request.ca null_resource.ca_root_cert null_resource.ca_files
null_resource.ca_cert
local_file.ca_bundle_cert
COMMAND tf-directory-setup.py -l s3
@@ -13,13 +11,9 @@ COMMENT submit certs/*csr using command ouptut listed in apply to TCO for signin
STOP once that is availabile, change cert_download to true
COMMAND terraform taint null_resource.ca_cert
-null_resource.ca_root_cert
-null_resource.ca_files
-null_resource.ca_cert
+null_resource.ca_root_cert null_resource.ca_files null_resource.ca_cert
COMMENT second run is to complete the steps
-null_resource.ca_root_cert
-null_resource.ca_files
-null_resource.ca_cert
+null_resource.ca_root_cert null_resource.ca_files null_resource.ca_cert
ALL
diff --git a/examples/full-cluster/common-services/variables.vpc.auto.tfvars b/examples/full-cluster/common-services/variables.vpc.auto.tfvars
new file mode 120000
index 0000000..cb9b691
--- /dev/null
+++ b/examples/full-cluster/common-services/variables.vpc.auto.tfvars
@@ -0,0 +1 @@
+../variables.vpc.auto.tfvars
\ No newline at end of file
diff --git a/examples/full-cluster/data.eks-main.tf b/examples/full-cluster/data.eks-main.tf
deleted file mode 120000
index a3addd9..0000000
--- a/examples/full-cluster/data.eks-main.tf
+++ /dev/null
@@ -1 +0,0 @@
-includes.d/data.eks-main.tf
\ No newline at end of file
diff --git a/examples/full-cluster/data.eks-main.tf b/examples/full-cluster/data.eks-main.tf
new file mode 100644
index 0000000..7ead28b
--- /dev/null
+++ b/examples/full-cluster/data.eks-main.tf
@@ -0,0 +1,18 @@
+locals {
+ aws_eks_cluster_auth = data.aws_eks_cluster_auth.cluster
+ # for main.tf
+ aws_eks_cluster = aws_eks_cluster.eks_cluster
+ # for all subdirectories
+ ## aws_eks_cluster = data.aws_eks_cluster.cluster
+}
+
+data "aws_eks_cluster_auth" "cluster" {
+ name = var.cluster_name
+}
+
+#---
+# for all subdirectories only
+#---
+## data "aws_eks_cluster" "cluster" {
+## name = var.cluster_name
+## }
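Review bot: Two maintained copies of the same file now exist: this file's blob index 7ead28b is the one examples/full-cluster/includes.d/data.eks-main.tf receives in this commit, and the symlink that previously tied them together was deleted just above, so the next edit to either copy starts a drift. If the symlink was dropped because tooling could not follow it, a header comment naming the canonical copy, `# canonical copy: includes.d/data.eks-main.tf — keep in sync`, at least makes the duplication explicit. The token behind `local.aws_eks_cluster_auth` is a data-source result and therefore lands in state; the `cluster_auth_token` output elsewhere in this diff marks it `sensitive = true`, and any other consumer of that local should do the same.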
diff --git a/examples/full-cluster/ebs-encryption.tf b/examples/full-cluster/ebs-encryption.tf
index 7243a3d..7890df5 100644
--- a/examples/full-cluster/ebs-encryption.tf
+++ b/examples/full-cluster/ebs-encryption.tf
@@ -7,9 +7,9 @@ resource "kubernetes_storage_class" "ebs_encrypted" {
}
parameters = {
fsType = "ext4"
- type = "gp2"
- encrypted = "true"
-# kms_key_id = data.aws_kms_key.ebs_key.arn
+ type = "gp2"
+ encrypted = "true"
+ # kms_key_id = data.aws_kms_key.ebs_key.arn
kmsKeyId = data.aws_kms_key.ebs_key.arn
}
storage_provisioner = "kubernetes.io/aws-ebs"
diff --git a/examples/full-cluster/efs/copy_images.tf b/examples/full-cluster/efs/copy_images.tf
index bf89085..f7e13be 100644
--- a/examples/full-cluster/efs/copy_images.tf
+++ b/examples/full-cluster/efs/copy_images.tf
@@ -47,6 +47,8 @@ resource "null_resource" "copy_images" {
provisioner "local-exec" {
command = "${path.module}/copy_image.sh"
environment = {
+ AWS_PROFILE = var.profile
+ AWS_REGION = local.region
SOURCE_IMAGE = format("%v/%v:%v", local.src_reg, each.value.image, each.value.tag)
DESTINATION_IMAGE = format("%v:%v", aws_ecr_repository.repository[each.key].repository_url, each.value.tag)
DESTINATION_USERNAME = data.aws_ecr_authorization_token.token.user_name
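Review bot: `local.region` is referenced here for the local-exec environment, but no `region` local for examples/full-cluster/efs is visible in this diff — the commit adds region.tf under examples/full-cluster/ and under irsa-roles/cluster-autoscaler/, and the efs/locals.tf hunk shows only the parent_rs-derived values — so confirm efs/ declares it, or use `var.region` directly as those region.tf files do. Passing the profile and region through the environment is fine, but this provisioner also receives the ECR authorization token (the user name is visible; presumably the password follows below the hunk), so copy_image.sh should not print its environment or run with `set -x`. The enclosing null_resource starts above the hunk.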
diff --git a/examples/full-cluster/efs/locals.tf b/examples/full-cluster/efs/locals.tf
index 3042080..4b9ae5a 100644
--- a/examples/full-cluster/efs/locals.tf
+++ b/examples/full-cluster/efs/locals.tf
@@ -12,6 +12,6 @@ locals {
subnet_ids = local.parent_rs.cluster_subnet_ids
cluster_worker_sg_id = local.parent_rs.cluster_worker_sg_id
- oidc_provider_url = local.parent_rs.oidc_provider_url
- oidc_provider_arn = local.parent_rs.oidc_provider_arn
+ oidc_provider_url = local.parent_rs.oidc_provider_url
+ oidc_provider_arn = local.parent_rs.oidc_provider_arn
}
diff --git a/examples/full-cluster/efs/settings.auto.tfvars b/examples/full-cluster/efs/settings.auto.tfvars
new file mode 120000
index 0000000..e397af4
--- /dev/null
+++ b/examples/full-cluster/efs/settings.auto.tfvars
@@ -0,0 +1 @@
+../settings.auto.tfvars
\ No newline at end of file
diff --git a/examples/full-cluster/efs/tf-run.data b/examples/full-cluster/efs/tf-run.data
index 8bb6677..c778fc1 100644
--- a/examples/full-cluster/efs/tf-run.data
+++ b/examples/full-cluster/efs/tf-run.data
@@ -1,7 +1,8 @@
+REMOTE-STATE
COMMAND tf-directory-setup.py -l none -f
COMMAND setup-new-directory.sh
COMMAND tf-init -upgrade
POLICY
ALL
COMMAND tf-directory-setup.py -l s3
-STOP cd ../common-services and tf-run.sh apply
+STOP cd ../irsa-roles and tf-run.sh apply
diff --git a/examples/full-cluster/efs/variables.vpc.auto.tfvars b/examples/full-cluster/efs/variables.vpc.auto.tfvars
new file mode 120000
index 0000000..cb9b691
--- /dev/null
+++ b/examples/full-cluster/efs/variables.vpc.auto.tfvars
@@ -0,0 +1 @@
+../variables.vpc.auto.tfvars
\ No newline at end of file
diff --git a/examples/full-cluster/includes.d/README.md b/examples/full-cluster/includes.d/README.md
index b34ca3f..97c168f 100644
--- a/examples/full-cluster/includes.d/README.md
+++ b/examples/full-cluster/includes.d/README.md
@@ -1,10 +1,30 @@
-# Includes.d
+## Requirements
-## parent_rs.tf
+No requirements.
-Update this with the proper remote state path, as pulled from the application directory for the cluster in the
-main cluster directory. This is used throughout the cluster components.
+## Providers
-```hcl
- parent_rs = data.terraform_remote_state.{vpc-state-path}_{application-state-path}-eks-{cluster-name}.outputs
-```
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+| [null](#provider\_null) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [null_resource.kubeconfig](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_eks_cluster.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
+| [aws_eks_cluster_auth.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
diff --git a/examples/full-cluster/includes.d/data.eks-main.tf b/examples/full-cluster/includes.d/data.eks-main.tf
index 9452be6..7ead28b 100644
--- a/examples/full-cluster/includes.d/data.eks-main.tf
+++ b/examples/full-cluster/includes.d/data.eks-main.tf
@@ -1,9 +1,9 @@
locals {
aws_eks_cluster_auth = data.aws_eks_cluster_auth.cluster
-# for main.tf
+ # for main.tf
aws_eks_cluster = aws_eks_cluster.eks_cluster
-# for all subdirectories
-## aws_eks_cluster = data.aws_eks_cluster.cluster
+ # for all subdirectories
+ ## aws_eks_cluster = data.aws_eks_cluster.cluster
}
data "aws_eks_cluster_auth" "cluster" {
diff --git a/examples/full-cluster/includes.d/parent_rs.tf b/examples/full-cluster/includes.d/parent_rs.tf
index 5ccae16..7d4b782 100644
--- a/examples/full-cluster/includes.d/parent_rs.tf
+++ b/examples/full-cluster/includes.d/parent_rs.tf
@@ -1,4 +1,4 @@
# replace TF remote state accordingly in parent_rs with that from the parent directory, and be sure to make the link
locals {
- parent_rs = data.terraform_remote_state.{vpc-state-path}_{application-state-path}-eks-{cluster-name}.outputs
+ parent_rs = data.terraform_remote_state.vpc-state-path_application-state-path-eks-cluster-name.outputs
}
diff --git a/examples/full-cluster/irsa-roles/cluster-autoscaler/data.eks-subdirectory.tf b/examples/full-cluster/irsa-roles/cluster-autoscaler/data.eks-subdirectory.tf
new file mode 120000
index 0000000..05ab52d
--- /dev/null
+++ b/examples/full-cluster/irsa-roles/cluster-autoscaler/data.eks-subdirectory.tf
@@ -0,0 +1 @@
+../data.eks-subdirectory.tf
\ No newline at end of file
diff --git a/examples/full-cluster/irsa-roles/cluster-autoscaler/data.eks.tf b/examples/full-cluster/irsa-roles/cluster-autoscaler/data.eks.tf
deleted file mode 120000
index bc5a403..0000000
--- a/examples/full-cluster/irsa-roles/cluster-autoscaler/data.eks.tf
+++ /dev/null
@@ -1 +0,0 @@
-../data.eks.tf
\ No newline at end of file
diff --git a/examples/full-cluster/irsa-roles/cluster-autoscaler/locals.tf b/examples/full-cluster/irsa-roles/cluster-autoscaler/locals.tf
index 3042080..4b9ae5a 100644
--- a/examples/full-cluster/irsa-roles/cluster-autoscaler/locals.tf
+++ b/examples/full-cluster/irsa-roles/cluster-autoscaler/locals.tf
@@ -12,6 +12,6 @@ locals {
subnet_ids = local.parent_rs.cluster_subnet_ids
cluster_worker_sg_id = local.parent_rs.cluster_worker_sg_id
- oidc_provider_url = local.parent_rs.oidc_provider_url
- oidc_provider_arn = local.parent_rs.oidc_provider_arn
+ oidc_provider_url = local.parent_rs.oidc_provider_url
+ oidc_provider_arn = local.parent_rs.oidc_provider_arn
}
diff --git a/examples/full-cluster/irsa-roles/cluster-autoscaler/region.tf b/examples/full-cluster/irsa-roles/cluster-autoscaler/region.tf
index f617506..b7b1696 100644
--- a/examples/full-cluster/irsa-roles/cluster-autoscaler/region.tf
+++ b/examples/full-cluster/irsa-roles/cluster-autoscaler/region.tf
@@ -1,3 +1,4 @@
locals {
region = var.region
}
+
diff --git a/examples/full-cluster/irsa-roles/cluster-autoscaler/settings.auto.tfvars b/examples/full-cluster/irsa-roles/cluster-autoscaler/settings.auto.tfvars
new file mode 120000
index 0000000..e397af4
--- /dev/null
+++ b/examples/full-cluster/irsa-roles/cluster-autoscaler/settings.auto.tfvars
@@ -0,0 +1 @@
+../settings.auto.tfvars
\ No newline at end of file
diff --git a/examples/full-cluster/irsa-roles/cluster-autoscaler/tf-run.data b/examples/full-cluster/irsa-roles/cluster-autoscaler/tf-run.data
index 336f6a5..b7371bc 100644
--- a/examples/full-cluster/irsa-roles/cluster-autoscaler/tf-run.data
+++ b/examples/full-cluster/irsa-roles/cluster-autoscaler/tf-run.data
@@ -1,3 +1,4 @@
+REMOTE-STATE
COMMAND tf-directory-setup.py -l none
COMMAND setup-new-directory.sh
COMMAND tf-init -upgrade
diff --git a/examples/full-cluster/irsa-roles/cluster-autoscaler/variables.irsa.auto.tfvars b/examples/full-cluster/irsa-roles/cluster-autoscaler/variables.irsa.auto.tfvars
new file mode 100644
index 0000000..7a5389c
--- /dev/null
+++ b/examples/full-cluster/irsa-roles/cluster-autoscaler/variables.irsa.auto.tfvars
@@ -0,0 +1,2 @@
+namespace = "kube-system"
+name = "cluster-autoscaler"
diff --git a/examples/full-cluster/locals.tf b/examples/full-cluster/irsa-roles/region.tf
similarity index 100%
rename from examples/full-cluster/locals.tf
rename to examples/full-cluster/irsa-roles/region.tf
diff --git a/examples/full-cluster/irsa-roles/settings.auto.tfvars b/examples/full-cluster/irsa-roles/settings.auto.tfvars
new file mode 120000
index 0000000..e397af4
--- /dev/null
+++ b/examples/full-cluster/irsa-roles/settings.auto.tfvars
@@ -0,0 +1 @@
+../settings.auto.tfvars
\ No newline at end of file
diff --git a/examples/full-cluster/irsa-roles/tf-run.data b/examples/full-cluster/irsa-roles/tf-run.data
index 151331f..eecc8ab 100644
--- a/examples/full-cluster/irsa-roles/tf-run.data
+++ b/examples/full-cluster/irsa-roles/tf-run.data
@@ -1,3 +1,4 @@
+REMOTE-STATE
COMMAND tf-directory-setup.py -l none -f
COMMAND setup-new-directory.sh
COMMAND tf-init -upgrade
diff --git a/examples/full-cluster/irsa-roles/variables.irsa.auto.tfvars b/examples/full-cluster/irsa-roles/variables.irsa.auto.tfvars
new file mode 100644
index 0000000..89c477f
--- /dev/null
+++ b/examples/full-cluster/irsa-roles/variables.irsa.auto.tfvars
@@ -0,0 +1,2 @@
+name = "unknown"
+namespace = "unknown"
diff --git a/examples/full-cluster/kubeconfig.eks-main.tf b/examples/full-cluster/kubeconfig.eks-main.tf
deleted file mode 120000
index e3f8503..0000000
--- a/examples/full-cluster/kubeconfig.eks-main.tf
+++ /dev/null
@@ -1 +0,0 @@
-includes.d/kubeconfig.eks-main.tf
\ No newline at end of file
diff --git a/examples/full-cluster/kubeconfig.eks-main.tf b/examples/full-cluster/kubeconfig.eks-main.tf
new file mode 100644
index 0000000..5a6333e
--- /dev/null
+++ b/examples/full-cluster/kubeconfig.eks-main.tf
@@ -0,0 +1,29 @@
+resource "null_resource" "kubeconfig" {
+ triggers = {
+ always_run = timestamp()
+ }
+ provisioner "local-exec" {
+ command = "which kubectl > /dev/null 2>&1; if [ $? != 0 ]; then 'echo missing kubectl'; exit 1; else exit 0; fi"
+ }
+ provisioner "local-exec" {
+ command = "test -d '${path.root}/setup' || mkdir '${path.root}/setup'"
+ }
+ provisioner "local-exec" {
+ environment = {
+ AWS_PROFILE = var.profile
+ AWS_REGION = local.region
+ }
+ command = "aws eks update-kubeconfig --name ${var.cluster_name} --kubeconfig ${path.root}/setup/kube.config"
+ }
+ depends_on = [aws_eks_cluster.eks_cluster]
+}
+
+#---
+# call it like
+#---
+## provisioner "local-exec" {
+## environment = {
+## KUBECONFIG = "${path.root}/setup/kube.config"
+## }
+## command = "kubectli set env daemonset aws-node -n kube-system AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG=true"
+## }
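Review bot: The kubectl check in the first provisioner never prints its message: `'echo missing kubectl'` is one quoted word, so the shell looks for a command literally named `echo missing kubectl`, fails with "command not found", and only then exits 1. `command = "command -v kubectl >/dev/null 2>&1 || { echo 'missing kubectl' >&2; exit 1; }"` does what was intended in one line. Because `always_run = timestamp()` re-triggers the resource on every apply, `aws eks update-kubeconfig` rewrites `${path.root}/setup/kube.config` each run; that file holds the cluster endpoint and access configuration, so `setup/` should be covered by the example's .gitignore, which this diff does not show. This file replaces the symlink to includes.d/kubeconfig.eks-main.tf with a copy that must now be kept in step by hand, and the commented usage example at the bottom spells `kubectli`.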
diff --git a/examples/full-cluster/main.tf b/examples/full-cluster/main.tf
index 14e6936..d1c801b 100644
--- a/examples/full-cluster/main.tf
+++ b/examples/full-cluster/main.tf
@@ -29,7 +29,7 @@ locals {
vpc_id = data.aws_vpc.eks_vpc.id
vpc_cidr_block = data.aws_vpc.eks_vpc.cidr_block
subnets = [for k, v in data.aws_subnet.subnets : v.id if length(regexall("us-east-1e", v.availability_zone)) == 0]
- s3_base_arn = format("arn:%v:%v:::%%v", data.aws_arn.current.partition, "s3")
+ s3_base_arn = format("arn:%v:%v:::%%v", data.aws_arn.current.partition, "s3")
base_tags = {
"eks-cluster-name" = var.cluster_name
@@ -37,10 +37,10 @@ locals {
"boc:created_by" = "terraform"
}
-# https://docs.aws.amazon.com/eks/latest/userguide/cluster-autoscaler.html
+ # https://docs.aws.amazon.com/eks/latest/userguide/cluster-autoscaler.html
autoscale_tags = {
- format("k8s.io/cluster-autoscaler/%v",var.cluster_name) = "owned"
- "k8s.io/cluster-autoscaler/enabled" = "TRUE"
+ format("k8s.io/cluster-autoscaler/%v", var.cluster_name) = "owned"
+ "k8s.io/cluster-autoscaler/enabled" = "TRUE"
}
}
diff --git a/examples/full-cluster/outputs.tf b/examples/full-cluster/outputs.tf
index 9fa1e23..e95c90d 100644
--- a/examples/full-cluster/outputs.tf
+++ b/examples/full-cluster/outputs.tf
@@ -20,9 +20,9 @@ output "cluster_certificate_authority_data" {
output "cluster_auth_token" {
description = "The token required to authenticate with the cluster."
-# value = data.aws_eks_cluster_auth.eks_auth.token
- value = local.aws_eks_cluster_auth.token
- sensitive = true
+ # value = data.aws_eks_cluster_auth.eks_auth.token
+ value = local.aws_eks_cluster_auth.token
+ sensitive = true
}
output "cluster_worker_sg_id" {
diff --git a/examples/full-cluster/policy.tf b/examples/full-cluster/policy.tf
index efa06b0..ac9e414 100644
--- a/examples/full-cluster/policy.tf
+++ b/examples/full-cluster/policy.tf
@@ -172,7 +172,7 @@ resource "aws_iam_policy" "cluster-admin_assume_policy" {
local.base_tags,
var.tags,
var.application_tags,
- tomap({ "Name" = format("%v%v-cluster-admin-assume", local._prefixes["eks-policy"], var.cluster_name)}),
+ tomap({ "Name" = format("%v%v-cluster-admin-assume", local._prefixes["eks-policy"], var.cluster_name) }),
)
}
@@ -181,6 +181,6 @@ data "aws_iam_policy_document" "cluster-admin_assume_policy" {
sid = "AllowSTSAssumeClusterAdminRole"
effect = "Allow"
actions = ["sts:AssumeRole"]
- resources = [ module.role_cluster-admin.role_arn ]
+ resources = [module.role_cluster-admin.role_arn]
}
}
diff --git a/examples/full-cluster/region.tf b/examples/full-cluster/region.tf
new file mode 100644
index 0000000..b7b1696
--- /dev/null
+++ b/examples/full-cluster/region.tf
@@ -0,0 +1,4 @@
+locals {
+ region = var.region
+}
+
diff --git a/examples/full-cluster/role.tf b/examples/full-cluster/role.tf
index 15d17f6..7d0db79 100644
--- a/examples/full-cluster/role.tf
+++ b/examples/full-cluster/role.tf
@@ -121,8 +121,8 @@ module "role_cluster-admin" {
role_description = "SAML EKS cluster admin Role for ${var.cluster_name}"
enable_ldap_creation = false
assume_policy_document = data.aws_iam_policy_document.allow_sts.json
-# assume_policy_document = data.aws_iam_policy_document.cluster-admin_combined.json
- attached_policies = [aws_iam_policy.cluster-admin-policy.arn]
+ # assume_policy_document = data.aws_iam_policy_document.cluster-admin_combined.json
+ attached_policies = [aws_iam_policy.cluster-admin-policy.arn]
tags = merge(
local.base_tags,
diff --git a/examples/full-cluster/saml.tf b/examples/full-cluster/saml.tf
index cc86aa9..22c1f74 100644
--- a/examples/full-cluster/saml.tf
+++ b/examples/full-cluster/saml.tf
@@ -2,8 +2,8 @@
# also, there is no data source for saml provider
locals {
- saml_provider_arn = format(local.common_arn,"iam","saml-provider/Census_TCO_IDMS")
- saml_url = var.aws_environment == "gov" ? "https://signin.amazonaws-us-gov.com/saml" : "https://signin.aws.amazon.com/saml"
+ saml_provider_arn = format(local.common_arn, "iam", "saml-provider/Census_TCO_IDMS")
+ saml_url = var.aws_environment == "gov" ? "https://signin.amazonaws-us-gov.com/saml" : "https://signin.aws.amazon.com/saml"
}
data "aws_iam_policy_document" "saml_assume" {
diff --git a/examples/full-cluster/securitygroup.tf b/examples/full-cluster/securitygroup.tf
index 70a3c10..8c6e880 100644
--- a/examples/full-cluster/securitygroup.tf
+++ b/examples/full-cluster/securitygroup.tf
@@ -6,7 +6,7 @@ resource "aws_security_group" "additional_eks_cluster_sg" {
local.common_tags,
var.tags,
var.application_tags,
- tomap({"Name"= format("%v%v-cluster", local._prefixes["eks-security-group"], var.cluster_name) }),
+ tomap({ "Name" = format("%v%v-cluster", local._prefixes["eks-security-group"], var.cluster_name) }),
)
vpc_id = data.aws_vpc.eks_vpc.id
@@ -38,7 +38,7 @@ resource "aws_security_group" "all_worker_mgmt" {
local.common_tags,
var.tags,
var.application_tags,
- tomap({"Name" = format("%v%v-all-worker-mgmt", local._prefixes["eks-security-group"], var.cluster_name)}),
+ tomap({ "Name" = format("%v%v-all-worker-mgmt", local._prefixes["eks-security-group"], var.cluster_name) }),
)
vpc_id = data.aws_vpc.eks_vpc.id
diff --git a/examples/full-cluster/settings.auto.tfvars.example b/examples/full-cluster/settings.auto.tfvars.example
index b73fe44..ead3d65 100644
--- a/examples/full-cluster/settings.auto.tfvars.example
+++ b/examples/full-cluster/settings.auto.tfvars.example
@@ -1,4 +1,4 @@
-cluster_name = "org-project-env
+cluster_name = "org-project-env"
cluster_version = "1.21"
region = "us-gov-east-1"
domain = "org-project-env.env.domain.census.gov"
diff --git a/examples/full-cluster/tf-run.data b/examples/full-cluster/tf-run.data
index 0f9370b..0baeaa9 100644
--- a/examples/full-cluster/tf-run.data
+++ b/examples/full-cluster/tf-run.data
@@ -1,5 +1,6 @@
+REMOTE-STATE
COMMENT make sure the private-lb subnet and container subnets are tagged properly (see README.md)
-STOP then continue with at step 3
+STOP then continue with at step 4
COMMAND tf-directory-setup.py -l none -f
COMMAND setup-new-directory.sh
COMMAND tf-init -upgrade
diff --git a/examples/full-cluster/variables.vpc.auto.tfvars.make-link b/examples/full-cluster/variables.vpc.auto.tfvars.make-link
new file mode 100644
index 0000000..fada326
--- /dev/null
+++ b/examples/full-cluster/variables.vpc.auto.tfvars.make-link
@@ -0,0 +1,5 @@
+# for a submodule/subrepository, copy variables.vpc.auto.tfvars from the appropriate vpc/{region}/vpc{n}/ directory in the main repo
+# for something directly in the main repo for the account, make a link to the file, which is handled by setup-new-directory.sh
+# if you fail to do this, you will get some errors on missing variables
+#
+# you may also wish to copy variables.vpc.tf from that vpc directory in case new variables have been defined for a vpc
diff --git a/examples/full-cluster/variables.vpc.tf b/examples/full-cluster/variables.vpc.tf.make-link
similarity index 100%
rename from examples/full-cluster/variables.vpc.tf
rename to examples/full-cluster/variables.vpc.tf.make-link