changes thorugh addons

examples/full-cluster-tf-upgrade/1.25/addons/addon_coredns.tf

@@ -1,8 +1,11 @@
 resource "aws_eks_addon" "coredns" {
   count = lookup(local.addon_versions, "coredns", null) != null ? 1 : 0
 
-  cluster_name      = var.cluster_name
-  addon_name        = "coredns"
-  addon_version     = lokup(local.addon_versions, "coredns")
-  resolve_conflicts = "OVERWRITE"
+  cluster_name  = var.cluster_name
+  addon_name    = "coredns"
+  addon_version = lookup(local.addon_versions, "coredns")
+  #  resolve_conflicts = "OVERWRITE"
+  # note OVERWRITE resets to eks addon defaults, PRESERVE uses any values set here
+  resolve_conflicts_on_create = "OVERWRITE"
+  resolve_conflicts_on_update = "OVERWRITE"
 }

examples/full-cluster-tf-upgrade/1.25/addons/addon_ebs-csi.tf

@@ -45,10 +45,13 @@ resource "aws_eks_addon" "aws-ebs-csi-driver" {
 
   cluster_name             = var.cluster_name
   addon_name               = "aws-ebs-csi-driver"
-  addon_version            = lokup(local.addon_versions, "aws-ebs-csi-driver")
-  resolve_conflicts        = "OVERWRITE"
+  addon_version            = lookup(local.addon_versions, "aws-ebs-csi-driver")
   service_account_role_arn = module.role_ebs-driver.role_arn
   configuration_values     = null
+  #  resolve_conflicts        = "OVERWRITE"
+  # note OVERWRITE resets to eks addon defaults, PRESERVE uses any values set here
+  resolve_conflicts_on_create = "OVERWRITE"
+  resolve_conflicts_on_update = "OVERWRITE"
 }
 
 ## # Delete the old gp2 default storage class.
@@ -78,6 +81,7 @@ resource "aws_eks_addon" "aws-ebs-csi-driver" {
 ## }
 ## 
 
+# https://docs.aws.amazon.com/eks/latest/userguide/csi-iam-role.html
 
 data "aws_iam_policy" "ebs-provisioner" {
   name = "AmazonEBSCSIDriverPolicy"
@@ -96,7 +100,7 @@ module "role_ebs-driver" {
     local.base_tags,
     local.common_tags,
     var.application_tags,
-    tomap({ "Name" = format("%v%v-ebs-driver", local._prefixes["eks-role"], var.cluster_name) }),
+    { "Name" = format("%v%v-ebs-driver", local._prefixes["eks-role"], var.cluster_name) },
   )
 }
 
@@ -114,6 +118,10 @@ data "aws_iam_policy_document" "ebs_assume_webidentity" {
       variable = "${local.oidc_provider_url}:sub"
       values   = ["system:serviceaccount:kube-system:ebs-csi-controller-sa"]
     }
+    condition {
+      test     = "StringEquals"
+      variable = "${local.oidc_provider_url}:aud"
+      values   = ["sts.amazonaws.com"]
+    }
   }
 }
-

examples/full-cluster-tf-upgrade/1.25/addons/addon_kube-proxy.tf

@@ -1,10 +1,13 @@
 resource "aws_eks_addon" "kube-proxy" {
   count = lookup(local.addon_versions, "kube-proxy", null) != null ? 1 : 0
 
-  cluster_name      = var.cluster_name
-  addon_name        = "kube-proxy"
-  addon_version     = lokup(local.addon_versions, "kube-proxy")
-  resolve_conflicts = "OVERWRITE"
+  cluster_name  = var.cluster_name
+  addon_name    = "kube-proxy"
+  addon_version = lookup(local.addon_versions, "kube-proxy")
+  #  resolve_conflicts = "OVERWRITE"
+  # note OVERWRITE resets to eks addon defaults, PRESERVE uses any values set here
+  resolve_conflicts_on_create = "OVERWRITE"
+  resolve_conflicts_on_update = "OVERWRITE"
 }
 
 

examples/full-cluster-tf-upgrade/1.25/addons/addon_vpc-cni.tf

@@ -3,23 +3,26 @@ resource "aws_eks_addon" "vpc-cni" {
 
   cluster_name             = var.cluster_name
   addon_name               = "vpc-cni"
-  addon_version            = lokup(local.addon_versions, "vpc-cni")
-  resolve_conflicts        = "OVERWRITE"
+  addon_version            = lookup(local.addon_versions, "vpc-cni")
   service_account_role_arn = module.role_vpc-cni.role_arn
+  #  resolve_conflicts        = "OVERWRITE"
+  # note OVERWRITE resets to eks addon defaults, PRESERVE uses any values set here
+  resolve_conflicts_on_create = "OVERWRITE"
+  resolve_conflicts_on_update = "OVERWRITE"
 }
 
 
-resource "kubernetes_annotations" "vpc-cni" {
-  kind = "serviceaccount"
-  metadata {
-    name      = "aws-node"
-    namespace = "kube-system"
-  }
-  annotations = {
-    "eks.amazonaws.com/role-arn" = module.role_vpc-cni.role_arn
-  }
-  depends_on = [aws_eks_addon.vpc-cni]
-}
+## resource "kubernetes_annotations" "vpc-cni" {
+##   kind = "serviceaccount"
+##   api_version = "v1"
+##   metadata {
+##     name      = "aws-node"
+##     namespace = "kube-system"
+##   }
+##   annotations = {
+##     "eks.amazonaws.com/role-arn" = module.role_vpc-cni.role_arn
+##   }
+## }
 
 ## resource "null_resource" "kubectl" {
 ##   depends_on = [
@@ -36,9 +39,12 @@ resource "kubernetes_annotations" "vpc-cni" {
 ## }
 ## 
 
-data "aws_iam_policy" "vpc_cni" {
+data "aws_iam_policy" "vpc_cni_ipv4" {
   name = "AmazonEKS_CNI_Policy"
 }
+#data "aws_iam_policy" "vpc_cni_ipv6" {
+#  name = "AmazonEKS_CNI_IPv6_Policy"
+#}
 
 module "role_vpc-cni" {
   source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git?ref=tf-upgrade"
@@ -47,7 +53,7 @@ module "role_vpc-cni" {
   role_description       = "EKS VPC-CNI Role for ${var.cluster_name}"
   enable_ldap_creation   = false
   assume_policy_document = data.aws_iam_policy_document.vpc_cni_assume_webidentity.json
-  attached_policies      = [data.aws_iam_policy.vpc_cni.arn]
+  attached_policies      = [data.aws_iam_policy.vpc_cni_ipv4.arn]
 
   tags = merge(
     local.base_tags,
@@ -67,12 +73,12 @@ data "aws_iam_policy_document" "vpc_cni_assume_webidentity" {
       identifiers = [local.principal]
     }
     condition {
-      test     = "ForAnyValue:StringEquals"
+      test     = "StringEquals"
       variable = "${local.oidc_provider_url}:aud"
       values   = ["sts.amazonaws.com"]
     }
     condition {
-      test     = "ForAnyValue:StringEquals"
+      test     = "StringEquals"
       variable = "${local.oidc_provider_url}:sub"
       values   = ["system:serviceaccount:kube-system:aws-node"]
     }

examples/full-cluster-tf-upgrade/1.25/addons/addons.tf

@@ -1,18 +1,5 @@
 locals {
-  addon_versions = lookup(var.addon_version, var.cluster_version, {})
+  account_id     = data.aws_caller_identity.current.account_id
+  principal      = format("arn:%v:iam::%v:oidc-provider/%v", data.aws_arn.current.partition, local.account_id, local.oidc_provider_url)
+  addon_versions = lookup(var.addon_versions, var.cluster_version, {})
 }
-
-
-variable "addon_versions" {
-  description = "Map of addon versions by Kubernetes version"
-  type        = map(map(string))
-  default = {
-    "1.24" = {}
-    "1.25" = {
-      "coredns"    = "v1.9.3-eksbuild.2"
-      "kube-proxy" = "v1.25.6-eksbuild.1"
-      "vpc-cni"    = "v1.12.2-eksbuild.1"
-    }
-  }
-}
-

examples/full-cluster-tf-upgrade/1.25/addons/tf-run.data

@@ -1,4 +1,4 @@
-VERSION 2.0.1
+VERSION 2.0.2
 REMOTE-STATE
 COMMAND tf-directory-setup.py -l none -f
 COMMAND setup-new-directory.sh
@@ -8,14 +8,24 @@ LINKTOP includes.d/variables.account_tags.auto.tfvars
 LINKTOP includes.d/variables.infrastructure_tags.tf
 LINKTOP includes.d/variables.infrastructure_tags.auto.tfvars
 LINKTOP includes.d/variables.application_tags.tf
-## LINKTOP includes.d/variables.application_tags.auto.tfvars
-LINK versions.tf
-LINK settings.auto.tfvars
+# LINKTOP includes.d/variables.application_tags.auto.tfvars
 LINK variables.application_tags.auto.tfvars
+LINKTOP provider_configs.d/provider.ldap_new.auto.tfvars
+LINKTOP provider_configs.d/provider.ldap_new.tf
+LINKTOP provider_configs.d/provider.ldap_new.variables.tf
+LINK settings.auto.tfvars
+LINK includes.d/parent_rs.tf
+LINK includes.d/data.eks-subdirectory.tf
+LINK includes.d/kubeconfig.eks-subdirectory.tf
+LINK variables.eks.tf
+LINK prefixes.tf
+LINK providers.tf
+LINK variables.addons.tf
+LINK versions.tf
+LINK version.tf
+COMMAND tf-init 
 
-COMMAND tf-init -upgrade
-
-#POLICY 
+POLICY
 ALL
 COMMAND tf-directory-setup.py -l s3
 STOP cd ../irsa-roles and tf-run.sh apply

examples/full-cluster-tf-upgrade/1.25/efs/addon.tf

@@ -3,13 +3,13 @@
 resource "aws_eks_addon" "aws-efs-csi-driver" {
   count = lookup(lookup(var.addon_versions, var.cluster_version, {}), "aws-efs-csi-driver", null) != null ? 1 : 0
 
-  cluster_name  = var.cluster_name
-  addon_name    = "aws-efs-csi-driver"
-  addon_version = lookup(lookup(var.addon_versions, var.cluster_version, {}), "aws-efs-csi-driver", null)
+  cluster_name             = var.cluster_name
+  addon_name               = "aws-efs-csi-driver"
+  addon_version            = lookup(lookup(var.addon_versions, var.cluster_version, {}), "aws-efs-csi-driver", null)
+  service_account_role_arn = module.role_efs-driver.role_arn
+  configuration_values     = null
   #  resolve_conflicts        = "OVERWRITE"
   # note OVERWRITE resets to eks addon defaults, PRESERVE uses any values set here
   resolve_conflicts_on_create = "OVERWRITE"
   resolve_conflicts_on_update = "OVERWRITE"
-  service_account_role_arn    = module.role_efs-driver.role_arn
-  configuration_values        = null
 }

examples/full-cluster-tf-upgrade/1.25/efs/tf-run.data

@@ -1,4 +1,4 @@
-VERSION 1.2.6
+VERSION 1.2.7
 REMOTE-STATE
 COMMAND tf-directory-setup.py -l none -f
 COMMAND setup-new-directory.sh
@@ -27,4 +27,4 @@ COMMAND tf-init
 POLICY
 ALL
 COMMAND tf-directory-setup.py -l s3
-STOP cd ../ebs and tf-run.sh apply
+STOP cd ../addons and tf-run.sh apply

examples/full-cluster-tf-upgrade/1.25/tf-run.data

@@ -1,4 +1,4 @@
-VERSION 1.4.7
+VERSION 1.4.8
 REMOTE-STATE
 COMMENT make sure the private-lb subnet and container subnets are tagged properly (see README.md)
 STOP then continue with at step %%NEXT%% (tag:subnets-verified)
@@ -57,8 +57,8 @@ TAG setup-efs
 COMMENT cd efs and tf-run.sh apply
 STOP Once applied in this subdirectory, come back here and continue with step %%NEXT%% (tag:setup-ebs)
 
-TAG setup-ebs
-COMMENT cd ebs and tf-run.sh apply
+TAG setup-addons
+COMMENT cd addons and tf-run.sh apply
 STOP Once applied in this subdirectory, come back here and continue with step %%NEXT%% (tag:setup-irsa)
 
 TAG setup-irsa

examples/full-cluster-tf-upgrade/1.25/tf-run.destroy.data

@@ -1,4 +1,4 @@
-VERSION 1.0.3
+VERSION 1.0.4
 BACKUP-STATE
 COMMAND tf-init
 COMMAND tf-state list
@@ -25,7 +25,7 @@ ALL
 ## ./common-services/tf-run.destroy.data
 ## ./irsa-roles/cluster-autoscaler/tf-run.destroy.data
 ## ./irsa-roles/tf-run.destroy.data
-## ./ebs/tf-run.destroy.data
+## ./addons/tf-run.destroy.data
 ## ./efs/tf-run.destroy.data
 ## NO ./aws-auth/tf-run.destroy.data
 ## ./tf-run.destroy.data