From 9703d4567bb733e5b49819360928f3d353cbdab8 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 10 Aug 2023 14:28:16 -0400 Subject: [PATCH] changes thorugh addons --- .../1.25/addons/addon_coredns.tf | 11 ++- .../1.25/addons/addon_ebs-csi.tf | 16 +++- .../1.25/addons/addon_kube-proxy.tf | 11 ++- .../1.25/addons/addon_vpc-cni.tf | 40 ++++++---- .../1.25/addons/addons.tf | 19 +---- .../1.25/addons/copy_image.sh | 1 - .../1.25/addons/copy_images.tf | 77 ------------------- .../1.25/addons/{ecr.tf => ecr.tf.obsolete} | 0 .../1.25/addons/{main.tf => main.tf.obsolete} | 0 .../1.25/addons/tf-run.data | 24 ++++-- ...ebs.tf.az => variables.ebs.tf.az.obsolete} | 0 ...ables.ebs.tf => variables.ebs.tf.obsolete} | 0 .../1.25/ebs/tf-run.destroy.data | 6 -- .../full-cluster-tf-upgrade/1.25/efs/addon.tf | 10 +-- .../1.25/efs/tf-run.data | 4 +- .../full-cluster-tf-upgrade/1.25/tf-run.data | 6 +- .../1.25/tf-run.destroy.data | 4 +- 17 files changed, 81 insertions(+), 148 deletions(-) delete mode 120000 examples/full-cluster-tf-upgrade/1.25/addons/copy_image.sh delete mode 100644 examples/full-cluster-tf-upgrade/1.25/addons/copy_images.tf rename examples/full-cluster-tf-upgrade/1.25/addons/{ecr.tf => ecr.tf.obsolete} (100%) rename examples/full-cluster-tf-upgrade/1.25/addons/{main.tf => main.tf.obsolete} (100%) rename examples/full-cluster-tf-upgrade/1.25/addons/{variables.ebs.tf.az => variables.ebs.tf.az.obsolete} (100%) rename examples/full-cluster-tf-upgrade/1.25/addons/{variables.ebs.tf => variables.ebs.tf.obsolete} (100%) delete mode 100644 examples/full-cluster-tf-upgrade/1.25/ebs/tf-run.destroy.data diff --git a/examples/full-cluster-tf-upgrade/1.25/addons/addon_coredns.tf b/examples/full-cluster-tf-upgrade/1.25/addons/addon_coredns.tf index 6196e56..8c12156 100644 --- a/examples/full-cluster-tf-upgrade/1.25/addons/addon_coredns.tf +++ b/examples/full-cluster-tf-upgrade/1.25/addons/addon_coredns.tf 
@@ -1,8 +1,11 @@ resource "aws_eks_addon" "coredns" { count = lookup(local.addon_versions, "coredns", null) != null ? 1 : 0 - cluster_name = var.cluster_name - addon_name = "coredns" - addon_version = lokup(local.addon_versions, "coredns") - resolve_conflicts = "OVERWRITE" + cluster_name = var.cluster_name + addon_name = "coredns" + addon_version = lookup(local.addon_versions, "coredns") + # resolve_conflicts = "OVERWRITE" + # note OVERWRITE resets to eks addon defaults, PRESERVE uses any values set here + resolve_conflicts_on_create = "OVERWRITE" + resolve_conflicts_on_update = "OVERWRITE" } diff --git a/examples/full-cluster-tf-upgrade/1.25/addons/addon_ebs-csi.tf b/examples/full-cluster-tf-upgrade/1.25/addons/addon_ebs-csi.tf index e57015a..2ff0e33 100644 --- a/examples/full-cluster-tf-upgrade/1.25/addons/addon_ebs-csi.tf +++ b/examples/full-cluster-tf-upgrade/1.25/addons/addon_ebs-csi.tf @@ -45,10 +45,13 @@ resource "aws_eks_addon" "aws-ebs-csi-driver" { cluster_name = var.cluster_name addon_name = "aws-ebs-csi-driver" - addon_version = lokup(local.addon_versions, "aws-ebs-csi-driver") - resolve_conflicts = "OVERWRITE" + addon_version = lookup(local.addon_versions, "aws-ebs-csi-driver") service_account_role_arn = module.role_ebs-driver.role_arn configuration_values = null + # resolve_conflicts = "OVERWRITE" + # note OVERWRITE resets to eks addon defaults, PRESERVE uses any values set here + resolve_conflicts_on_create = "OVERWRITE" + resolve_conflicts_on_update = "OVERWRITE" } ## # Delete the old gp2 default storage class. @@ -78,6 +81,7 @@ resource "aws_eks_addon" "aws-ebs-csi-driver" { ## } ## +# https://docs.aws.amazon.com/eks/latest/userguide/csi-iam-role.html data "aws_iam_policy" "ebs-provisioner" { name = "AmazonEBSCSIDriverPolicy" 
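Review bot: The new comment `# note OVERWRITE resets to eks addon defaults, PRESERVE uses any values set here` is misleading on the PRESERVE half: as documented for the EKS UpdateAddon API, PRESERVE keeps the field values currently in the cluster (including out-of-band edits), while OVERWRITE replaces them with the add-on's own values, so it is OVERWRITE that makes what is set in Terraform win. With `resolve_conflicts_on_update = "OVERWRITE"` every coredns version bump will also revert any self-managed tuning of the add-on's managed fields, which is a reasonable choice for a reproducible upgrade path but should be stated rather than left to the reader. Suggested replacement for the two comment lines: `# OVERWRITE: the add-on's settings (and configuration_values) replace whatever is in the cluster, including out-of-band edits; PRESERVE: keep current in-cluster values on update`. The same note is copied verbatim into the kube-proxy, ebs-csi and vpc-cni hunks and should be corrected in all of them.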
@@ -96,7 +100,7 @@ module "role_ebs-driver" { local.base_tags, local.common_tags, var.application_tags, - tomap({ "Name" = format("%v%v-ebs-driver", local._prefixes["eks-role"], var.cluster_name) }), + { "Name" = format("%v%v-ebs-driver", local._prefixes["eks-role"], var.cluster_name) }, ) } @@ -114,6 +118,10 @@ data "aws_iam_policy_document" "ebs_assume_webidentity" { variable = "${local.oidc_provider_url}:sub" values = ["system:serviceaccount:kube-system:ebs-csi-controller-sa"] } + condition { + test = "StringEquals" + variable = "${local.oidc_provider_url}:aud" + values = ["sts.amazonaws.com"] + } } } - diff --git a/examples/full-cluster-tf-upgrade/1.25/addons/addon_kube-proxy.tf b/examples/full-cluster-tf-upgrade/1.25/addons/addon_kube-proxy.tf index 5ba8fc9..aa39295 100644 --- a/examples/full-cluster-tf-upgrade/1.25/addons/addon_kube-proxy.tf +++ b/examples/full-cluster-tf-upgrade/1.25/addons/addon_kube-proxy.tf @@ -1,10 +1,13 @@ resource "aws_eks_addon" "kube-proxy" { count = lookup(local.addon_versions, "kube-proxy", null) != null ? 1 : 0 - cluster_name = var.cluster_name - addon_name = "kube-proxy" - addon_version = lokup(local.addon_versions, "kube-proxy") - resolve_conflicts = "OVERWRITE" + cluster_name = var.cluster_name + addon_name = "kube-proxy" + addon_version = lookup(local.addon_versions, "kube-proxy") + # resolve_conflicts = "OVERWRITE" + # note OVERWRITE resets to eks addon defaults, PRESERVE uses any values set here + resolve_conflicts_on_create = "OVERWRITE" + resolve_conflicts_on_update = "OVERWRITE" } diff --git a/examples/full-cluster-tf-upgrade/1.25/addons/addon_vpc-cni.tf b/examples/full-cluster-tf-upgrade/1.25/addons/addon_vpc-cni.tf index 627d55e..a6b44e4 100644 --- a/examples/full-cluster-tf-upgrade/1.25/addons/addon_vpc-cni.tf +++ b/examples/full-cluster-tf-upgrade/1.25/addons/addon_vpc-cni.tf 
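Review bot: The added `:aud` condition in `ebs_assume_webidentity` is the right hardening: without it, a projected token issued to the same `ebs-csi-controller-sa` for some other audience (for example one meant for an in-cluster service) could be replayed against STS, since `sub` alone would match. A why-comment would keep it from being dropped as redundant later, e.g. `# restrict to tokens minted for STS (aud=sts.amazonaws.com), not projected tokens for other audiences`. This commit also wires `module.role_efs-driver.role_arn` into `efs/addon.tf`, but that role's trust policy is not in the diff; it presumably needs the same `:aud` condition and should be checked. The `data "aws_iam_policy_document" "ebs_assume_webidentity"` block and its statement open outside this hunk.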
@@ -3,23 +3,26 @@ resource "aws_eks_addon" "vpc-cni" { cluster_name = var.cluster_name addon_name = "vpc-cni" - addon_version = lokup(local.addon_versions, "vpc-cni") - resolve_conflicts = "OVERWRITE" + addon_version = lookup(local.addon_versions, "vpc-cni") service_account_role_arn = module.role_vpc-cni.role_arn + # resolve_conflicts = "OVERWRITE" + # note OVERWRITE resets to eks addon defaults, PRESERVE uses any values set here + resolve_conflicts_on_create = "OVERWRITE" + resolve_conflicts_on_update = "OVERWRITE" } -resource "kubernetes_annotations" "vpc-cni" { - kind = "serviceaccount" - metadata { - name = "aws-node" - namespace = "kube-system" - } - annotations = { - "eks.amazonaws.com/role-arn" = module.role_vpc-cni.role_arn - } - depends_on = [aws_eks_addon.vpc-cni] -} +## resource "kubernetes_annotations" "vpc-cni" { +## kind = "serviceaccount" +## api_version = "v1" +## metadata { +## name = "aws-node" +## namespace = "kube-system" +## } +## annotations = { +## "eks.amazonaws.com/role-arn" = module.role_vpc-cni.role_arn +## } +## } ## resource "null_resource" "kubectl" { ## depends_on = [ @@ -36,9 +39,12 @@ resource "kubernetes_annotations" "vpc-cni" { ## } ## -data "aws_iam_policy" "vpc_cni" { +data "aws_iam_policy" "vpc_cni_ipv4" { name = "AmazonEKS_CNI_Policy" } +#data "aws_iam_policy" "vpc_cni_ipv6" { +# name = "AmazonEKS_CNI_IPv6_Policy" +#} module "role_vpc-cni" { source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git?ref=tf-upgrade" @@ -47,7 +53,7 @@ module "role_vpc-cni" { role_description = "EKS VPC-CNI Role for ${var.cluster_name}" enable_ldap_creation = false assume_policy_document = data.aws_iam_policy_document.vpc_cni_assume_webidentity.json - attached_policies = [data.aws_iam_policy.vpc_cni.arn] + attached_policies = [data.aws_iam_policy.vpc_cni_ipv4.arn] tags = merge( local.base_tags, 
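Review bot: Commenting out `kubernetes_annotations.vpc-cni` leaves the IRSA binding of `aws-node` entirely to `service_account_role_arn` on the add-on, which is appropriate for an EKS-managed add-on, but nothing in the file now says why the annotation is gone and a future reader may re-add it and create two writers for the same field; suggest `# the aws-node SA is annotated by EKS from service_account_role_arn; do not manage the annotation here` above the resource. The `##`-commented block and the commented-out `vpc_cni_ipv6` data source would be better deleted than kept as comments, matching how this commit retires `ecr.tf`/`main.tf` via `.obsolete`, since git history already preserves them. Note that with `resolve_conflicts_on_update = "OVERWRITE"` any `aws-node` environment customisation not expressed through `configuration_values` (it is unset here) will be reset on each vpc-cni upgrade, which for the CNI can change pod networking behaviour mid-upgrade. Unrelated to this change but visible in context: the role module is pulled from a mutable branch (`?ref=tf-upgrade`); pinning to a tag or commit SHA would make plans reproducible and keep unreviewed changes out of the trust policy.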
@@ -67,12 +73,12 @@ data "aws_iam_policy_document" "vpc_cni_assume_webidentity" {
 identifiers = [local.principal]
 }
 condition {
- test = "ForAnyValue:StringEquals"
+ test = "StringEquals"
 variable = "${local.oidc_provider_url}:aud"
 values = ["sts.amazonaws.com"]
 }
 condition {
- test = "ForAnyValue:StringEquals"
+ test = "StringEquals"
 variable = "${local.oidc_provider_url}:sub"
 values = ["system:serviceaccount:kube-system:aws-node"]
 }
diff --git a/examples/full-cluster-tf-upgrade/1.25/addons/addons.tf b/examples/full-cluster-tf-upgrade/1.25/addons/addons.tf
index 67a3856..7fdb8bb 100644
--- a/examples/full-cluster-tf-upgrade/1.25/addons/addons.tf
+++ b/examples/full-cluster-tf-upgrade/1.25/addons/addons.tf
@@ -1,18 +1,5 @@
 locals {
- addon_versions = lookup(var.addon_version, var.cluster_version, {})
+ account_id = data.aws_caller_identity.current.account_id
+ principal = format("arn:%v:iam::%v:oidc-provider/%v", data.aws_arn.current.partition, local.account_id, local.oidc_provider_url)
+ addon_versions = lookup(var.addon_versions, var.cluster_version, {})
 }
-
-
-variable "addon_versions" {
- description = "Map of addon versions by Kubernetes version"
- type = map(map(string))
- default = {
- "1.24" = {}
- "1.25" = {
- "coredns" = "v1.9.3-eksbuild.2"
- "kube-proxy" = "v1.25.6-eksbuild.1"
- "vpc-cni" = "v1.12.2-eksbuild.1"
- }
- }
-}
-
diff --git a/examples/full-cluster-tf-upgrade/1.25/addons/copy_image.sh b/examples/full-cluster-tf-upgrade/1.25/addons/copy_image.sh
deleted file mode 120000
index 889e269..0000000
--- a/examples/full-cluster-tf-upgrade/1.25/addons/copy_image.sh
+++ /dev/null
@@ -1 +0,0 @@
-../bin/copy_image.sh
\ No newline at end of file
diff --git a/examples/full-cluster-tf-upgrade/1.25/addons/copy_images.tf b/examples/full-cluster-tf-upgrade/1.25/addons/copy_images.tf
deleted file mode 100644
index 55f911c..0000000
--- a/examples/full-cluster-tf-upgrade/1.25/addons/copy_images.tf
+++ /dev/null
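Review bot: Switching `ForAnyValue:StringEquals` to `StringEquals` is the correct operator for the single-valued `:aud` and `:sub` claims; the set operator was not wrong in effect here, but it reads as if the claims were multi-valued, and its sibling `ForAllValues` would have matched when the key was absent, so the plain form is the safer thing to leave behind. A short why-comment on the two `condition` blocks would prevent a revert, e.g. `# single-valued OIDC claims: use plain StringEquals, not the ForAnyValue/ForAllValues set operators`. The `statement` and `principals` blocks open outside this hunk, so the `Federated` principal they bind to `local.principal` is not reviewable here.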
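Review bot: The new `principal` local embeds `local.oidc_provider_url` in the provider ARN, and the assume policies use the same local as the condition-key prefix; both forms require the issuer host and path without the `https://` scheme, and a wrong form produces a trust policy that silently never matches rather than an error. The local is defined outside this file (presumably in one of the `includes.d` files linked from `tf-run.data`), so the requirement should be stated here: `# oidc_provider_url must be the issuer without scheme (oidc.eks.<region>.amazonaws.com/id/<ID>); it is used both in the provider ARN and as the condition-key prefix`. `data.aws_arn.current` is likewise not in the diff; confirm it yields this account's partition rather than a hard-coded `aws`. The deleted `variable "addon_versions"` carried the pinned add-on versions; `variables.addons.tf` is now linked in but not shown, so verify the pins (and the `aws-ebs-csi-driver` entry the new `addon_ebs-csi.tf` looks up) survived the move.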
@@ -1,77 +0,0 @@ -data "aws_ecr_authorization_token" "token" {} - -locals { - account_id = data.aws_caller_identity.current.account_id - repo_parent_name = format("eks/%v", var.cluster_name) - - account_ecr_registry = format("%v.dkr.ecr.%v.amazonaws.com", local.account_id, var.region) - account_ecr = format("%v/%v", local.account_ecr_registry, local.repo_parent_name) - - images = [ - { - name = "aws-ebs-csi-driver" - image = "public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver" - tag = var.aws_ebs_csi_driver_tag - }, - { - name = "external-provisioner" - image = "public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner" - tag = var.external_provisioner_tag - }, - { - name = "external-attacher" - image = "public.ecr.aws/eks-distro/kubernetes-csi/external-attacher" - tag = var.external_attacher_tag - }, - { - name = "csi-snapshotter" - image = "public.ecr.aws/eks-distro/kubernetes-csi/external-snapshotter/csi-snapshotter" - tag = var.csi_snapshotter_tag - }, - { - name = "livenessprobe" - image = "public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe" - tag = var.livenessprobe_tag - }, - { - name = "external-resizer" - image = "public.ecr.aws/eks-distro/kubernetes-csi/external-resizer" - tag = var.external_resizer_tag - }, - { - name = "node-driver-registrar" - image = "public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar" - tag = var.node_driver_registrar_tag - }, - ] - image_repos = { for image in local.images : image.name => format("%v/%v", local.account_ecr, image.name) } - image_map = { for image in local.images : image.name => - merge( - image, - tomap( - { "full_path" = local.image_repos[image.name], - "registry" = local.account_ecr_registry, - "repository" = format("%v/%v", local.repo_parent_name, image.name), } - )) } -} - -resource "null_resource" "copy_images" { - for_each = { for image in local.images : image.name => image } - triggers = { - name = each.key - image = format("%v:%v", each.value.image, each.value.tag) - } - - provisioner 
"local-exec" { - command = "${path.module}/copy_image.sh" - environment = { - AWS_PROFILE = var.profile - AWS_REGION = local.region - SOURCE_IMAGE = format("%v:%v", each.value.image, each.value.tag) - DESTINATION_IMAGE = format("%v/%v:%v", local.account_ecr, each.value.name, each.value.tag) - DESTINATION_USERNAME = data.aws_ecr_authorization_token.token.user_name - DESTINATION_PASSWORD = data.aws_ecr_authorization_token.token.password - } - } -} - diff --git a/examples/full-cluster-tf-upgrade/1.25/addons/ecr.tf b/examples/full-cluster-tf-upgrade/1.25/addons/ecr.tf.obsolete similarity index 100% rename from examples/full-cluster-tf-upgrade/1.25/addons/ecr.tf rename to examples/full-cluster-tf-upgrade/1.25/addons/ecr.tf.obsolete diff --git a/examples/full-cluster-tf-upgrade/1.25/addons/main.tf b/examples/full-cluster-tf-upgrade/1.25/addons/main.tf.obsolete similarity index 100% rename from examples/full-cluster-tf-upgrade/1.25/addons/main.tf rename to examples/full-cluster-tf-upgrade/1.25/addons/main.tf.obsolete diff --git a/examples/full-cluster-tf-upgrade/1.25/addons/tf-run.data b/examples/full-cluster-tf-upgrade/1.25/addons/tf-run.data index 789be44..de3477e 100644 --- a/examples/full-cluster-tf-upgrade/1.25/addons/tf-run.data +++ b/examples/full-cluster-tf-upgrade/1.25/addons/tf-run.data @@ -1,4 +1,4 @@ -VERSION 2.0.1 +VERSION 2.0.2 REMOTE-STATE COMMAND tf-directory-setup.py -l none -f COMMAND setup-new-directory.sh 
@@ -8,14 +8,24 @@ LINKTOP includes.d/variables.account_tags.auto.tfvars LINKTOP includes.d/variables.infrastructure_tags.tf LINKTOP includes.d/variables.infrastructure_tags.auto.tfvars LINKTOP includes.d/variables.application_tags.tf -## LINKTOP includes.d/variables.application_tags.auto.tfvars -LINK versions.tf -LINK settings.auto.tfvars +# LINKTOP includes.d/variables.application_tags.auto.tfvars LINK variables.application_tags.auto.tfvars +LINKTOP provider_configs.d/provider.ldap_new.auto.tfvars +LINKTOP provider_configs.d/provider.ldap_new.tf +LINKTOP provider_configs.d/provider.ldap_new.variables.tf +LINK settings.auto.tfvars +LINK includes.d/parent_rs.tf +LINK includes.d/data.eks-subdirectory.tf +LINK includes.d/kubeconfig.eks-subdirectory.tf +LINK variables.eks.tf +LINK prefixes.tf +LINK providers.tf +LINK variables.addons.tf +LINK versions.tf +LINK version.tf +COMMAND tf-init -COMMAND tf-init -upgrade - -#POLICY +POLICY ALL COMMAND tf-directory-setup.py -l s3 STOP cd ../irsa-roles and tf-run.sh apply diff --git a/examples/full-cluster-tf-upgrade/1.25/addons/variables.ebs.tf.az b/examples/full-cluster-tf-upgrade/1.25/addons/variables.ebs.tf.az.obsolete similarity index 100% rename from examples/full-cluster-tf-upgrade/1.25/addons/variables.ebs.tf.az rename to examples/full-cluster-tf-upgrade/1.25/addons/variables.ebs.tf.az.obsolete diff --git a/examples/full-cluster-tf-upgrade/1.25/addons/variables.ebs.tf b/examples/full-cluster-tf-upgrade/1.25/addons/variables.ebs.tf.obsolete similarity index 100% rename from examples/full-cluster-tf-upgrade/1.25/addons/variables.ebs.tf rename to examples/full-cluster-tf-upgrade/1.25/addons/variables.ebs.tf.obsolete diff --git a/examples/full-cluster-tf-upgrade/1.25/ebs/tf-run.destroy.data b/examples/full-cluster-tf-upgrade/1.25/ebs/tf-run.destroy.data deleted file mode 100644 index 7a82c9f..0000000 --- a/examples/full-cluster-tf-upgrade/1.25/ebs/tf-run.destroy.data +++ /dev/null 
@@ -1,6 +0,0 @@ -VERSION 1.0.1 -BACKUP-STATE -COMMAND tf-init -COMMAND tf-state list - -ALL diff --git a/examples/full-cluster-tf-upgrade/1.25/efs/addon.tf b/examples/full-cluster-tf-upgrade/1.25/efs/addon.tf index 38dc396..e1af409 100644 --- a/examples/full-cluster-tf-upgrade/1.25/efs/addon.tf +++ b/examples/full-cluster-tf-upgrade/1.25/efs/addon.tf @@ -3,13 +3,13 @@ resource "aws_eks_addon" "aws-efs-csi-driver" { count = lookup(lookup(var.addon_versions, var.cluster_version, {}), "aws-efs-csi-driver", null) != null ? 1 : 0 - cluster_name = var.cluster_name - addon_name = "aws-efs-csi-driver" - addon_version = lookup(lookup(var.addon_versions, var.cluster_version, {}), "aws-efs-csi-driver", null) + cluster_name = var.cluster_name + addon_name = "aws-efs-csi-driver" + addon_version = lookup(lookup(var.addon_versions, var.cluster_version, {}), "aws-efs-csi-driver", null) + service_account_role_arn = module.role_efs-driver.role_arn + configuration_values = null # resolve_conflicts = "OVERWRITE" # note OVERWRITE resets to eks addon defaults, PRESERVE uses any values set here resolve_conflicts_on_create = "OVERWRITE" resolve_conflicts_on_update = "OVERWRITE" - service_account_role_arn = module.role_efs-driver.role_arn - configuration_values = null } diff --git a/examples/full-cluster-tf-upgrade/1.25/efs/tf-run.data b/examples/full-cluster-tf-upgrade/1.25/efs/tf-run.data index 76a449d..6eb2bbf 100644 --- a/examples/full-cluster-tf-upgrade/1.25/efs/tf-run.data +++ b/examples/full-cluster-tf-upgrade/1.25/efs/tf-run.data @@ -1,4 +1,4 @@ -VERSION 1.2.6 +VERSION 1.2.7 REMOTE-STATE COMMAND tf-directory-setup.py -l none -f COMMAND setup-new-directory.sh @@ -27,4 +27,4 @@ COMMAND tf-init POLICY ALL COMMAND tf-directory-setup.py -l s3 -STOP cd ../ebs and tf-run.sh apply +STOP cd ../addons and tf-run.sh apply diff --git a/examples/full-cluster-tf-upgrade/1.25/tf-run.data b/examples/full-cluster-tf-upgrade/1.25/tf-run.data index 3452e05..24e0e31 100644 
--- a/examples/full-cluster-tf-upgrade/1.25/tf-run.data +++ b/examples/full-cluster-tf-upgrade/1.25/tf-run.data @@ -1,4 +1,4 @@ -VERSION 1.4.7 +VERSION 1.4.8 REMOTE-STATE COMMENT make sure the private-lb subnet and container subnets are tagged properly (see README.md) STOP then continue with at step %%NEXT%% (tag:subnets-verified) @@ -57,8 +57,8 @@ TAG setup-efs COMMENT cd efs and tf-run.sh apply STOP Once applied in this subdirectory, come back here and continue with step %%NEXT%% (tag:setup-ebs) -TAG setup-ebs -COMMENT cd ebs and tf-run.sh apply +TAG setup-addons +COMMENT cd addons and tf-run.sh apply STOP Once applied in this subdirectory, come back here and continue with step %%NEXT%% (tag:setup-irsa) TAG setup-irsa diff --git a/examples/full-cluster-tf-upgrade/1.25/tf-run.destroy.data b/examples/full-cluster-tf-upgrade/1.25/tf-run.destroy.data index 5e90bde..8e0aa80 100644 --- a/examples/full-cluster-tf-upgrade/1.25/tf-run.destroy.data +++ b/examples/full-cluster-tf-upgrade/1.25/tf-run.destroy.data @@ -1,4 +1,4 @@ -VERSION 1.0.3 +VERSION 1.0.4 BACKUP-STATE COMMAND tf-init COMMAND tf-state list @@ -25,7 +25,7 @@ ALL ## ./common-services/tf-run.destroy.data ## ./irsa-roles/cluster-autoscaler/tf-run.destroy.data ## ./irsa-roles/tf-run.destroy.data -## ./ebs/tf-run.destroy.data +## ./addons/tf-run.destroy.data ## ./efs/tf-run.destroy.data ## NO ./aws-auth/tf-run.destroy.data ## ./tf-run.destroy.data