Merge branch 'master' of github.e.it.census.gov:terraform-modules/aws…

…-eks

.pre-commit-config.yaml

@@ -1,20 +1,22 @@
 repos:
 - repo: https://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.48.0
+  rev: v1.62.1
   hooks:
 #    - id: terraform_validate
     - id: terraform_fmt
-      exclude: examples
-    - id: terraform_docs_replace
-      args: ['table']
-      exclude: common/*.tf
+#    - id: terraform_docs_replace
+#      args: ['table']
+    - id: terraform_docs
+      args:
+        - --args=--config=.terraform-docs.yml
       exclude: version.tf
-      exclude: examples
+      exclude: examples/
     - id: terraform_tflint 
       args:  [ "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"]
-      exclude: examples
+      exclude: examples/
+
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v3.4.0
+  rev: v4.0.1
   hooks:
     - id: check-symlinks
     - id: detect-aws-credentials

.terraform-docs.yml

@@ -0,0 +1,45 @@
+formatter: markdown table
+
+header-from: main.tf
+footer-from: ""
+
+sections:
+##  hide: []
+  show: 
+    - data-sources
+    - header
+    - footer
+    - inputs
+    - modules
+    - outputs
+    - providers
+    - requirements
+    - resources
+
+output:
+  file: README.md
+  mode: replace
+#   mode: inject
+#   template: |-
+#     <!-- BEGIN_TF_DOCS -->
+#     {{ .Content }}
+#     <!-- END_TF_DOCS -->
+
+## output-values:
+##   enabled: false
+##   from: ""
+## 
+## sort:
+##   enabled: true
+##   by: name
+## 
+## settings:
+##   anchor: true
+##   color: true
+##   default: true
+##   description: false
+##   escape: true
+##   indent: 2
+##   required: true
+##   sensitive: true
+##   type: true

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Versions
 
+## Version 1.x
+
 * v1.0.0 -- 2021-10-14
   - patch-aws-auth module creation
 
+## Version 2.x
+
+* v2.0.0 -- 20211223
+  - add providers for tf 0.13+
+
+

README.md

@@ -0,0 +1,44 @@
+# aws-eks
+
+This contains a list of submodules used for building an EKS cluster.  There are also some examples which can be used
+as a starting point for building a cluster.
+
+* Submodules
+  * [patch-aws-auth](#patch-aws-auth): update `aws-auth ConfigMap`
+
+* Submodules Planned
+  * dns-zone: add DNS zone for cluster
+  * efs: Setup EFS Driver, policies and roles
+  * cluster-iam-policies: Setup needed IAM policies for cluster
+  * cluster-iam-roles: Setup needed IAM roles for cluster (in conjuniction with policies)
+  * irsa-role: Setup IAM Role for Service Account
+  * cluster-role: Setup cluster roles (depends upon a created irsa-role)
+  * common-services, most likely split into a module for each of the common services
+
+* Examples
+  * [established-cluster-examples](#established-cluster-examples)
+  * [full-cluster](#full-cluster)
+
+# Submodules
+## [patch-aws-auth](patch-aws-auth/)
+
+This submodule allows for an easy patching of the `aws-auth ConfigMap`, which is used to map IAM users and roles to specific
+Kubernetes groups, roles, and cluster roles.
+
+# Examples
+
+## [established-cluster-examples](examples/established-cluster-examples/)
+
+* [alb-controller](examples/established-cluster-examples/alb-controller)
+* [dnsutils](examples/established-cluster-examples/dnsutils)
+* [empty](examples/established-cluster-examples/empty)
+* [kube-bench](examples/established-cluster-examples/kube-bench)
+* [sample-alb](examples/established-cluster-examples/sample-alb)
+* [sample-elb](examples/established-cluster-examples/sample-elb)
+* [sample-istio](examples/established-cluster-examples/sample-istio)
+* [sample-nlb](examples/established-cluster-examples/sample-nlb)
+
+## [full-cluster](examples/full-cluster/)
+
+
+

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.0.0"
+  _module_version = "2.0.0"
 }

common/versions.tf

@@ -0,0 +1,29 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.66.0"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = ">= 2.4"
+    }
+    http = {
+      source  = "hashicorp/http"
+      version = ">= 2.1"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.7"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = ">= 3.1"
+    }
+    tls = {
+      source  = "hashicorp/tls"
+      version = ">= 3.1"
+    }
+  }
+  #  required_version = ">= 0.13"
+}

examples/full-cluster/aws-auth/tf-run.data

@@ -1,3 +1,4 @@
+VERSION 1.1.0
 REMOTE-STATE
 COMMAND tf-directory-setup.py -l none -f
 COMMAND setup-new-directory.sh

examples/full-cluster/cluster-roles/tf-run.data

@@ -1,3 +1,4 @@
+VERSION 1.1.0
 REMOTE-STATE
 STOP only run this after the cluster roles represented here have been setup in K8S
 COMMAND tf-directory-setup.py -l none -f

examples/full-cluster/common-services/tf-run.data

@@ -1,3 +1,4 @@
+VERSION 1.1.0
 REMOTE-STATE
 COMMAND tf-directory-setup.py -l none -f
 COMMAND setup-new-directory.sh

examples/full-cluster/dns-zone.tf

@@ -13,9 +13,18 @@ resource "aws_route53_zone" "cluster_domain" {
     vpc_region = local.region
   }
 
-  # lifecycle {
-  #    ignore_changes
-  # }
+  ##   dynamic "vpc" {
+  ##     for_each = true ? var.region_map : {}
+  ##     iterator = r
+  ##     content {
+  ##       vpc_id     = var.main_dns_vpcs[r.value]
+  ##       vpc_region = r.value
+  ##     }
+  ##   }
+
+  lifecycle {
+    ignore_changes = [vpc]
+  }
 
   tags = merge(
     local.base_tags,
@@ -24,6 +33,8 @@ resource "aws_route53_zone" "cluster_domain" {
     var.application_tags,
     tomap({ "Name" = local.cluster_domain_name }),
   )
+
+  #  depends_on = [ aws_route53_vpc_association_authorization.west_cluster_domain, aws_route53_vpc_association_authorization.east_cluster_domain ]
 }
 
 output "cluster_domain_name" {
@@ -40,3 +51,75 @@ output "cluster_domain_ns" {
   description = "DNS Zone Nameservers"
   value       = aws_route53_zone.cluster_domain.name_servers
 }
+
+#---
+# associate to main do2-govcloud vpc1-services east and west for inbound resolution
+#---
+provider "aws" {
+  alias   = "east_main_dns"
+  region  = var.region_map["east"]
+  profile = var.main_dns_profile
+}
+
+provider "aws" {
+  alias   = "west_main_dns"
+  region  = var.region_map["west"]
+  profile = var.main_dns_profile
+}
+
+# resource "aws_route53_vpc_association_authorization" "cluster_domain" {
+#   for_each = var.region_map
+# 
+#   zone_id    = aws_route53_zone.cluster_domain.zone_id
+#   vpc_region = each.value
+#   vpc_id     = var.main_dns_vpcs[each.value]
+# }
+
+resource "aws_route53_vpc_association_authorization" "west_cluster_domain" {
+  for_each   = tomap({ "zone" = aws_route53_zone.cluster_domain })
+  zone_id    = each.value.zone_id
+  vpc_region = "us-gov-west-1"
+  vpc_id     = var.main_dns_vpcs["us-gov-west-1"]
+}
+
+resource "aws_route53_vpc_association_authorization" "east_cluster_domain" {
+  for_each   = tomap({ "zone" = aws_route53_zone.cluster_domain })
+  zone_id    = each.value.zone_id
+  vpc_region = "us-gov-east-1"
+  vpc_id     = var.main_dns_vpcs["us-gov-east-1"]
+}
+
+resource "aws_route53_zone_association" "west_cluster_domain" {
+  provider = aws.west_main_dns
+  for_each = aws_route53_vpc_association_authorization.west_cluster_domain
+
+  zone_id    = each.value.zone_id
+  vpc_id     = each.value.vpc_id
+  vpc_region = each.value.vpc_region
+}
+
+resource "aws_route53_zone_association" "east_cluster_domain" {
+  provider = aws.east_main_dns
+  for_each = aws_route53_vpc_association_authorization.east_cluster_domain
+
+  zone_id    = each.value.zone_id
+  vpc_id     = each.value.vpc_id
+  vpc_region = each.value.vpc_region
+}
+
+# now we need to add the NS records for the new zone to the parent zone
+
+data "aws_route53_zone" "parent" {
+  name         = var.vpc_domain_name
+  private_zone = true
+}
+
+resource "aws_route53_record" "cluster_domain" {
+  allow_overwrite = true
+  name            = local.cluster_domain_name
+  type            = "NS"
+  ttl             = 900
+  zone_id         = data.aws_route53_zone.parent.zone_id
+
+  records = aws_route53_zone.cluster_domain.name_servers
+}

examples/full-cluster/efs/policy.tf

@@ -48,7 +48,7 @@ data "aws_iam_policy_document" "efs-policy" {
     ]
     condition {
       test     = "StringLike"
-      variable = "aws:Resource/efs.csi.aws.com/cluster"
+      variable = "aws:ResourceTag/efs.csi.aws.com/cluster"
       values   = ["true"]
     }
   }

examples/full-cluster/efs/tf-run.data

@@ -1,3 +1,4 @@
+VERSION 1.1.0
 REMOTE-STATE
 COMMAND tf-directory-setup.py -l none -f
 COMMAND setup-new-directory.sh

examples/full-cluster/irsa-roles/cluster-autoscaler/tf-run.data

@@ -1,3 +1,4 @@
+VERSION 1.1.0
 REMOTE-STATE
 COMMAND tf-directory-setup.py -l none
 COMMAND setup-new-directory.sh

examples/full-cluster/irsa-roles/tf-run.data

@@ -1,3 +1,4 @@
+VERSION 1.1.0
 REMOTE-STATE
 COMMAND tf-directory-setup.py -l none -f
 COMMAND setup-new-directory.sh

examples/full-cluster/tf-run.data

@@ -1,3 +1,4 @@
+VERSION 1.1.0
 REMOTE-STATE
 COMMENT make sure the private-lb subnet and container subnets are tagged properly (see README.md)
 STOP then continue with at step 4

examples/full-cluster/variables.dns.tf

@@ -0,0 +1,21 @@
+variable "main_dns_vpcs" {
+  description = "Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS"
+  type        = map(string)
+  default = {
+    "us-gov-west-1" = "vpc-77877a12"
+    "us-gov-east-1" = "vpc-099a991da7c4eb8a5"
+  }
+}
+
+variable "main_dns_profile" {
+  description = "Profile name for AWS for the main DNS central account"
+  type        = string
+  default     = "107742151971-do2-govcloud"
+}
+
+
+variable "dns_zone_description_prefix" {
+  description = "Zone description with the org-project-program-environment"
+  type        = string
+  default     = ""
+}

patch-aws-auth/README.md

@@ -1,3 +1,4 @@
+<!-- BEGIN_TF_DOCS -->
 # About patch-aws-auth
 
 This allows to add IAM roles and IAM users to the `aws-auth ConfigMap`, to tie IAM resources into
@@ -66,14 +67,15 @@ module "awsauth_base_users" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.31 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.1 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
 | <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | n/a |
-| <a name="provider_null"></a> [null](#provider\_null) | n/a |
+| <a name="provider_null"></a> [null](#provider\_null) | >= 3.1 |
 
 ## Modules
 
@@ -111,3 +113,4 @@ No modules.
 ## Outputs
 
 No outputs.
+<!-- END_TF_DOCS -->

patch-aws-auth/version.tf

@@ -0,0 +1 @@
+../common/version.tf

patch-aws-auth/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    null = {
+      source  = "hashicorp/null"
+      version = ">= 3.1"
+    }
+  }
+  #  required_version = ">= 0.13"
+}