From 7098b5a9d779b9d96cc5af5f81f5bda34e4effc1 Mon Sep 17 00:00:00 2001 From: badra001 Date: Fri, 10 Dec 2021 09:34:37 -0500 Subject: [PATCH 1/7] update dns config --- examples/full-cluster/dns-zone.tf | 89 +++++++++++++++++++++++++- examples/full-cluster/variables.dns.tf | 21 ++++++ 2 files changed, 107 insertions(+), 3 deletions(-) create mode 100644 examples/full-cluster/variables.dns.tf diff --git a/examples/full-cluster/dns-zone.tf b/examples/full-cluster/dns-zone.tf index e26e584..a7f3f41 100644 --- a/examples/full-cluster/dns-zone.tf +++ b/examples/full-cluster/dns-zone.tf @@ -13,9 +13,18 @@ resource "aws_route53_zone" "cluster_domain" { vpc_region = local.region } - # lifecycle { - # ignore_changes - # } + ## dynamic "vpc" { + ## for_each = true ? var.region_map : {} + ## iterator = r + ## content { + ## vpc_id = var.main_dns_vpcs[r.value] + ## vpc_region = r.value + ## } + ## } + + lifecycle { + ignore_changes = [vpc] + } tags = merge( local.base_tags, @@ -24,6 +33,8 @@ resource "aws_route53_zone" "cluster_domain" { var.application_tags, tomap({ "Name" = local.cluster_domain_name }), ) + + # depends_on = [ aws_route53_vpc_association_authorization.west_cluster_domain, aws_route53_vpc_association_authorization.east_cluster_domain ] } output "cluster_domain_name" { 
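Review bot: `ignore_changes = [vpc]` on `aws_route53_zone.cluster_domain` stops Terraform from reconciling the zone's VPC association list, presumably so the separate `aws_route53_zone_association` resources can add the east/west service VPCs without producing a plan diff; the cost is that an association added outside this configuration is no longer surfaced as drift on this resource, and neither the new `lifecycle` block nor the file says so. A one-line comment would make the trade-off explicit: `# associations to the shared DNS VPCs are owned by aws_route53_zone_association below; ignored here so plan stays clean, so out-of-band associations will not show as drift`. The commented-out `dynamic "vpc"` block and the commented-out `depends_on` line are dead text and should be removed rather than kept as `##` lines; if the `depends_on` is really needed for ordering, enable it instead of commenting it. The enclosing `resource` block starts before this hunk.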
@@ -40,3 +51,75 @@ output "cluster_domain_ns" { description = "DNS Zone Nameservers" value = aws_route53_zone.cluster_domain.name_servers } + +#--- +# associate to main do2-govcloud vpc1-services east and west for inbound resolution +#--- +provider "aws" { + alias = "east_main_dns" + region = var.region_map["east"] + profile = var.main_dns_profile +} + +provider "aws" { + alias = "west_main_dns" + region = var.region_map["west"] + profile = var.main_dns_profile +} + +# resource "aws_route53_vpc_association_authorization" "cluster_domain" { +# for_each = var.region_map +# +# zone_id = aws_route53_zone.cluster_domain.zone_id +# vpc_region = each.value +# vpc_id = var.main_dns_vpcs[each.value] +# } + +resource "aws_route53_vpc_association_authorization" "west_cluster_domain" { + for_each = tomap({ "zone" = aws_route53_zone.cluster_domain }) + zone_id = each.value.zone_id + vpc_region = "us-gov-west-1" + vpc_id = var.main_dns_vpcs["us-gov-west-1"] +} + +resource "aws_route53_vpc_association_authorization" "east_cluster_domain" { + for_each = tomap({ "zone" = aws_route53_zone.cluster_domain }) + zone_id = each.value.zone_id + vpc_region = "us-gov-east-1" + vpc_id = var.main_dns_vpcs["us-gov-east-1"] +} + +resource "aws_route53_zone_association" "west_cluster_domain" { + provider = aws.west_main_dns + for_each = aws_route53_vpc_association_authorization.west_cluster_domain + + zone_id = each.value.zone_id + vpc_id = each.value.vpc_id + vpc_region = each.value.vpc_region +} + +resource "aws_route53_zone_association" "east_cluster_domain" { + provider = aws.east_main_dns + for_each = aws_route53_vpc_association_authorization.east_cluster_domain + + zone_id = each.value.zone_id + vpc_id = each.value.vpc_id + vpc_region = each.value.vpc_region +} + +# now we need to add the NS records for the new zone to the parent zone + +data "aws_route53_zone" "parent" { + name = var.vpc_domain_name + private_zone = true +} + +resource "aws_route53_record" "cluster_domain" { + 
allow_overwrite = true + name = local.cluster_domain_name + type = "NS" + ttl = 900 + zone_id = data.aws_route53_zone.parent.zone_id + + records = aws_route53_zone.cluster_domain.name_servers +} diff --git a/examples/full-cluster/variables.dns.tf b/examples/full-cluster/variables.dns.tf new file mode 100644 index 0000000..c82d30c --- /dev/null +++ b/examples/full-cluster/variables.dns.tf @@ -0,0 +1,21 @@ +variable "main_dns_vpcs" { + description = "Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS" + type = map(string) + default = { + "us-gov-west-1" = "vpc-77877a12" + "us-gov-east-1" = "vpc-099a991da7c4eb8a5" + } +} + +variable "main_dns_profile" { + description = "Profile name for AWS for the main DNS central account" + type = string + default = "107742151971-do2-govcloud" +} + + +variable "dns_zone_description_prefix" { + description = "Zone description with the org-project-program-environment" + type = string + default = "" +} From 5951e47c2de5c7a4a610da74f7cdafd4cd9c6269 Mon Sep 17 00:00:00 2001 From: badra001 Date: Fri, 10 Dec 2021 09:34:47 -0500 Subject: [PATCH 2/7] update tf-run.data --- examples/full-cluster/aws-auth/tf-run.data | 1 + examples/full-cluster/cluster-roles/tf-run.data | 1 + examples/full-cluster/common-services/tf-run.data | 1 + examples/full-cluster/efs/tf-run.data | 1 + examples/full-cluster/irsa-roles/cluster-autoscaler/tf-run.data | 1 + examples/full-cluster/irsa-roles/tf-run.data | 1 + examples/full-cluster/providers.tf | 2 +- examples/full-cluster/tf-run.data | 1 + 8 files changed, 8 insertions(+), 1 deletion(-) diff --git a/examples/full-cluster/aws-auth/tf-run.data b/examples/full-cluster/aws-auth/tf-run.data index ce77f28..f26a232 100644 --- a/examples/full-cluster/aws-auth/tf-run.data +++ b/examples/full-cluster/aws-auth/tf-run.data @@ -1,3 +1,4 @@ +VERSION 1.1.0 REMOTE-STATE COMMAND tf-directory-setup.py -l none -f COMMAND setup-new-directory.sh 
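Review bot: `allow_overwrite = true` on `aws_route53_record.cluster_domain` lets this example silently replace any existing NS record named `local.cluster_domain_name` in the shared parent zone, so a name collision between two clusters, or a typo in the name, re-delegates someone else's subdomain instead of failing the apply; unless an overwrite is genuinely expected, drop the flag and let Route 53 reject the duplicate. The two `aws_route53_vpc_association_authorization` resources hard-code `"us-gov-west-1"` / `"us-gov-east-1"` while the providers above are driven by `var.region_map["east"]` / `var.region_map["west"]`, so the two sets of region keys can drift apart; the commented-out `for_each = var.region_map` variant kept them in one place. If the `for_each = tomap({ "zone" = aws_route53_zone.cluster_domain })` wrapper exists only to defer evaluation until the zone id is known, a short comment saying so would save the next reader the guess. `output "cluster_domain_ns"` begins before this hunk.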
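Review bot: The defaults in `variable "main_dns_vpcs"` and `variable "main_dns_profile"` bake concrete VPC ids and an account-specific profile name into a published example, so anyone applying the example without overriding them will attempt zone-association authorization against that real account's VPCs, and the identifiers are now part of the repository history. Remove the defaults (keep `type = map(string)` / `type = string` with no `default`, so a `.tfvars` or prompt must supply them) or replace them with clearly fake placeholder values. `dns_zone_description_prefix` is not referenced anywhere in this series as far as I can see; if it is used elsewhere, say where in its `description`, otherwise drop it.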
diff --git a/examples/full-cluster/cluster-roles/tf-run.data b/examples/full-cluster/cluster-roles/tf-run.data index 5d91871..24037de 100644 --- a/examples/full-cluster/cluster-roles/tf-run.data +++ b/examples/full-cluster/cluster-roles/tf-run.data @@ -1,3 +1,4 @@ +VERSION 1.1.0 REMOTE-STATE STOP only run this after the cluster roles represented here have been setup in K8S COMMAND tf-directory-setup.py -l none -f diff --git a/examples/full-cluster/common-services/tf-run.data b/examples/full-cluster/common-services/tf-run.data index 47d1bf6..d1571ae 100644 --- a/examples/full-cluster/common-services/tf-run.data +++ b/examples/full-cluster/common-services/tf-run.data @@ -1,3 +1,4 @@ +VERSION 1.1.0 REMOTE-STATE COMMAND tf-directory-setup.py -l none -f COMMAND setup-new-directory.sh diff --git a/examples/full-cluster/efs/tf-run.data b/examples/full-cluster/efs/tf-run.data index c778fc1..056ab3b 100644 --- a/examples/full-cluster/efs/tf-run.data +++ b/examples/full-cluster/efs/tf-run.data @@ -1,3 +1,4 @@ +VERSION 1.1.0 REMOTE-STATE COMMAND tf-directory-setup.py -l none -f COMMAND setup-new-directory.sh diff --git a/examples/full-cluster/irsa-roles/cluster-autoscaler/tf-run.data b/examples/full-cluster/irsa-roles/cluster-autoscaler/tf-run.data index b7371bc..723eacd 100644 --- a/examples/full-cluster/irsa-roles/cluster-autoscaler/tf-run.data +++ b/examples/full-cluster/irsa-roles/cluster-autoscaler/tf-run.data @@ -1,3 +1,4 @@ +VERSION 1.1.0 REMOTE-STATE COMMAND tf-directory-setup.py -l none COMMAND setup-new-directory.sh diff --git a/examples/full-cluster/irsa-roles/tf-run.data b/examples/full-cluster/irsa-roles/tf-run.data index eecc8ab..03783ff 100644 --- a/examples/full-cluster/irsa-roles/tf-run.data +++ b/examples/full-cluster/irsa-roles/tf-run.data @@ -1,3 +1,4 @@ +VERSION 1.1.0 REMOTE-STATE COMMAND tf-directory-setup.py -l none -f COMMAND setup-new-directory.sh 
diff --git a/examples/full-cluster/providers.tf b/examples/full-cluster/providers.tf index 03c6b10..f0e85a2 100644 --- a/examples/full-cluster/providers.tf +++ b/examples/full-cluster/providers.tf @@ -12,7 +12,7 @@ provider "kubernetes" { host = local.aws_eks_cluster.endpoint cluster_ca_certificate = base64decode(local.aws_eks_cluster.certificate_authority[0].data) token = local.aws_eks_cluster_auth.token -# config_path = "${path.root}/setup/kube.config" + # config_path = "${path.root}/setup/kube.config" } provider "helm" { diff --git a/examples/full-cluster/tf-run.data b/examples/full-cluster/tf-run.data index 0baeaa9..a7692be 100644 --- a/examples/full-cluster/tf-run.data +++ b/examples/full-cluster/tf-run.data @@ -1,3 +1,4 @@ +VERSION 1.1.0 REMOTE-STATE COMMENT make sure the private-lb subnet and container subnets are tagged properly (see README.md) STOP then continue with at step 4 From fd8f5f07d03072433ab7f0da94581e1e63fc8248 Mon Sep 17 00:00:00 2001 From: badra001 Date: Sun, 19 Dec 2021 12:05:49 -0500 Subject: [PATCH 3/7] fix policy --- examples/full-cluster/efs/policy.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/full-cluster/efs/policy.tf b/examples/full-cluster/efs/policy.tf index 4ec462d..2693fde 100644 --- a/examples/full-cluster/efs/policy.tf +++ b/examples/full-cluster/efs/policy.tf @@ -48,7 +48,7 @@ data "aws_iam_policy_document" "efs-policy" { ] condition { test = "StringLike" - variable = "aws:Resource/efs.csi.aws.com/cluster" + variable = "aws:ResourceTag/efs.csi.aws.com/cluster" values = ["true"] } } From 31a03f7dcff41788b62a19a698d28e4dc5295eb8 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 23 Dec 2021 14:03:54 -0500 Subject: [PATCH 4/7] update pre-commit --- .pre-commit-config.yaml | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index dda5778..c2384ab 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
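Review bot: The corrected condition key `aws:ResourceTag/efs.csi.aws.com/cluster` is compared with `StringLike` against the literal `"true"`; since no wildcard is involved, `StringEquals` states the same check without implying pattern matching, `test = "StringEquals"`. The enclosing `data "aws_iam_policy_document" "efs-policy"` statement starts before this hunk, so whether the action list this condition guards is otherwise scoped cannot be judged from here.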
@@ -1,20 +1,22 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.48.0 + rev: v1.62.1 hooks: # - id: terraform_validate - id: terraform_fmt - exclude: examples - - id: terraform_docs_replace - args: ['table'] - exclude: common/*.tf +# - id: terraform_docs_replace +# args: ['table'] + - id: terraform_docs + args: + - --args=--config=.terraform-docs.yml exclude: version.tf - exclude: examples + exclude: examples/ - id: terraform_tflint args: [ "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"] - exclude: examples + exclude: examples/ + - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v3.4.0 + rev: v4.0.1 hooks: - id: check-symlinks - id: detect-aws-credentials From c05331afde41b623c98007a99c9bd936912b49f0 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 23 Dec 2021 14:04:39 -0500 Subject: [PATCH 5/7] add .terraform-docs.yml --- .terraform-docs.yml | 45 +++++++++++++++++++++++++++++++++++++++++++++ CHANGELOG.md | 8 ++++++++ README.md | 32 ++++++++++++++++++++++++++++++++ common/version.tf | 2 +- 4 files changed, 86 insertions(+), 1 deletion(-) create mode 100644 .terraform-docs.yml diff --git a/.terraform-docs.yml b/.terraform-docs.yml new file mode 100644 index 0000000..418f24a --- /dev/null +++ b/.terraform-docs.yml @@ -0,0 +1,45 @@ +formatter: markdown table + +header-from: main.tf +footer-from: "" + +sections: +## hide: [] + show: + - data-sources + - header + - footer + - inputs + - modules + - outputs + - providers + - requirements + - resources + +output: + file: README.md + mode: replace +# mode: inject +# template: |- +# +# {{ .Content }} +# + +## output-values: +## enabled: false +## from: "" +## +## sort: +## enabled: true +## by: name +## +## settings: +## anchor: true +## color: true +## default: true +## description: false +## escape: true +## indent: 2 +## required: true +## sensitive: true +## type: true diff --git a/CHANGELOG.md b/CHANGELOG.md index 48c832e..6f92f4b 100644 --- a/CHANGELOG.md 
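Review bot: The `terraform_docs` hook entry now carries two `exclude` keys (`exclude: version.tf` on the context line and the new `exclude: examples/`); YAML mappings do not permit duplicate keys and pre-commit's loader, as far as I can tell, keeps only the last one, so `version.tf` silently stops being excluded (the removed `terraform_docs_replace` entry had the same problem with `common/*.tf`). Fold them into one pattern, remembering that `exclude` is a regular expression rather than a glob: `exclude: '^(examples/|.*version\.tf$)'`. The commented-out `terraform_validate` and `terraform_docs_replace` entries should either be deleted or carry a comment explaining why validate is disabled, since a reader cannot tell whether that is deliberate.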
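Review bot: `output: mode: replace` regenerates the entire `README.md` of every directory the `terraform_docs` hook runs in, which, if I read the `patch-aws-auth/README.md` hunk later in this series correctly, would discard its hand-written `# About patch-aws-auth` section the next time a `.tf` file there changes; `mode: inject` with `<!-- BEGIN_TF_DOCS -->` / `<!-- END_TF_DOCS -->` markers in the README keeps prose and generated tables side by side. If full replacement is intended, a comment in this file stating that module READMEs are entirely generated would prevent the surprise. The large block of `##`-prefixed settings is dead configuration and should be trimmed to the options actually in use.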
+++ b/CHANGELOG.md @@ -1,5 +1,13 @@ # Versions +## Version 1.x + * v1.0.0 -- 2021-10-14 - patch-aws-auth module creation +## Version 2.x + +* v2.0.0 -- 20211223 + - add providers for tf 0.13+ + + diff --git a/README.md b/README.md index e69de29..6bd377d 100644 --- a/README.md +++ b/README.md @@ -0,0 +1,32 @@ +# aws-eks + +This contains a list of submodules used for building an EKS cluster. There are also some examples which can be used +as a starting point for building a cluster. + +* Submodules + * [patch-aws-auth](#patch-aws-auth): update `aws-auth ConfigMap` + +* Submodules Planned + * dns-zone + * efs + * cluster-iam-policies + * cluster-iam-roles + * irsa-role + * cluster-role + * common-services, most likely split into a module for each of the common services + +* Examples + * established-cluster-examples + * full-cluster + +# Submodules +## [patch-aws-auth](patch-aws-auth/) + +This submodule allows for an easy patching of the `aws-auth ConfigMap`, which is used to map IAM users and roles to specific +Kubernetes groups, roles, and cluster roles. + +# Examples + +## established-cluster-examples +## full-cluster + diff --git a/common/version.tf b/common/version.tf index fa2705b..6b49608 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "1.0.0" + _module_version = "2.0.0" } From c8b701b7b626c1e80cf52e4097e3c16972840e76 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 23 Dec 2021 14:05:43 -0500 Subject: [PATCH 6/7] update for tf 0.13+ --- common/versions.tf | 29 +++++++++++++++++++++++++++++ patch-aws-auth/README.md | 5 ++++- patch-aws-auth/version.tf | 1 + patch-aws-auth/versions.tf | 9 +++++++++ 4 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 common/versions.tf create mode 120000 patch-aws-auth/version.tf create mode 100644 patch-aws-auth/versions.tf diff --git a/common/versions.tf b/common/versions.tf new file mode 100644 index 0000000..07e01fb --- /dev/null +++ b/common/versions.tf 
@@ -0,0 +1,29 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 3.66.0" + } + helm = { + source = "hashicorp/helm" + version = ">= 2.4" + } + http = { + source = "hashicorp/http" + version = ">= 2.1" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = ">= 2.7" + } + null = { + source = "hashicorp/null" + version = ">= 3.1" + } + tls = { + source = "hashicorp/tls" + version = ">= 3.1" + } + } + # required_version = ">= 0.13" +} diff --git a/patch-aws-auth/README.md b/patch-aws-auth/README.md index 3b790e9..2f992e0 100644 --- a/patch-aws-auth/README.md +++ b/patch-aws-auth/README.md @@ -1,3 +1,4 @@ + # About patch-aws-auth This allows to add IAM roles and IAM users to the `aws-auth ConfigMap`, to tie IAM resources into @@ -66,6 +67,7 @@ module "awsauth_base_users" { | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.12.31 | +| [null](#requirement\_null) | >= 3.1 | ## Providers @@ -73,7 +75,7 @@ module "awsauth_base_users" { |------|---------| | [aws](#provider\_aws) | n/a | | [kubernetes](#provider\_kubernetes) | n/a | -| [null](#provider\_null) | n/a | +| [null](#provider\_null) | >= 3.1 | ## Modules @@ -111,3 +113,4 @@ No modules. ## Outputs No outputs. + \ No newline at end of file diff --git a/patch-aws-auth/version.tf b/patch-aws-auth/version.tf new file mode 120000 index 0000000..b83c5b7 --- /dev/null +++ b/patch-aws-auth/version.tf @@ -0,0 +1 @@ +../common/version.tf \ No newline at end of file diff --git a/patch-aws-auth/versions.tf b/patch-aws-auth/versions.tf new file mode 100644 index 0000000..9896697 --- /dev/null +++ b/patch-aws-auth/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_providers { + null = { + source = "hashicorp/null" + version = ">= 3.1" + } + } + # required_version = ">= 0.13" +} From 4ad5550d47e600d22fdc38ce6af999ee13eab3eb Mon Sep 17 00:00:00 2001 
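Review bot: `required_version` is left commented out in the new `common/versions.tf` (and again in `patch-aws-auth/versions.tf`), yet the `source = "hashicorp/..."` form of `required_providers` only parses on Terraform 0.13 and later, which is the stated purpose of this commit; enable the line, `required_version = ">= 0.13"`, so an older CLI fails with a clear version message instead of a parse error. All provider constraints are open lower bounds (`>= 3.66.0`, `>= 2.4`, ...), so nothing here pins what an apply actually resolves; that is reasonable for a shared module, but the examples should commit a `.terraform.lock.hcl` so provider upgrades are deliberate rather than whatever `init` picks up. Note that `patch-aws-auth/README.md` in this series still advertises `terraform >= 0.12.31`, which contradicts the 0.13+ requirement introduced here.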
From: badra001 Date: Thu, 23 Dec 2021 14:12:42 -0500 Subject: [PATCH 7/7] update readme --- README.md | 32 ++++++++++++++++++++++---------- 1 file changed, 22 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 6bd377d..c9ca4f7 100644 --- a/README.md +++ b/README.md @@ -7,17 +7,17 @@ as a starting point for building a cluster. * [patch-aws-auth](#patch-aws-auth): update `aws-auth ConfigMap` * Submodules Planned - * dns-zone - * efs - * cluster-iam-policies - * cluster-iam-roles - * irsa-role - * cluster-role + * dns-zone: add DNS zone for cluster + * efs: Setup EFS Driver, policies and roles + * cluster-iam-policies: Setup needed IAM policies for cluster + * cluster-iam-roles: Setup needed IAM roles for cluster (in conjuniction with policies) + * irsa-role: Setup IAM Role for Service Account + * cluster-role: Setup cluster roles (depends upon a created irsa-role) * common-services, most likely split into a module for each of the common services * Examples - * established-cluster-examples - * full-cluster + * [established-cluster-examples](#established-cluster-examples) + * [full-cluster](#full-cluster) # Submodules ## [patch-aws-auth](patch-aws-auth/) @@ -27,6 +27,18 @@ Kubernetes groups, roles, and cluster roles. # Examples -## established-cluster-examples -## full-cluster +## [established-cluster-examples](examples/established-cluster-examples/) + +* [alb-controller](examples/established-cluster-examples/alb-controller) +* [dnsutils](examples/established-cluster-examples/dnsutils) +* [empty](examples/established-cluster-examples/empty) +* [kube-bench](examples/established-cluster-examples/kube-bench) +* [sample-alb](examples/established-cluster-examples/sample-alb) +* [sample-elb](examples/established-cluster-examples/sample-elb) +* [sample-istio](examples/established-cluster-examples/sample-istio) +* [sample-nlb](examples/established-cluster-examples/sample-nlb) + +## [full-cluster](examples/full-cluster/) + +