From 0df67585cb4e72eaa9f92b77dd6439990ce7e0ad Mon Sep 17 00:00:00 2001 
From: Bryant Biggs Date: Fri, 15 Jul 2022 11:46:34 -0400 Subject: [PATCH] chore: Convert provider auth from exec() method to static token (#769) --- .github/workflows/e2e-parallel-destroy.yml | 1 - .github/workflows/e2e-parallel-full.yml | 1 - FAQ.md | 120 ++++++++++++++++++ KNOWN_ISSUES.md | 28 ---- docs/add-ons/aws-efs-csi-driver.md | 2 +- examples/analytics/emr-eks-fsx-lustre/main.tf | 26 +--- examples/analytics/emr-on-eks/main.tf | 20 +-- examples/analytics/spark-k8s-operator/main.tf | 18 +-- examples/ci-cd/gitlab-ci-cd/main.tf | 22 ++-- examples/complete-kubernetes-addons/main.tf | 21 +-- examples/crossplane/main.tf | 28 ++-- .../eks-cluster-with-external-dns/main.tf | 22 ++-- examples/eks-cluster-with-new-vpc/main.tf | 22 ++-- .../external-secrets-kubernetes-addon/main.tf | 40 ++---- examples/fargate-serverless/main.tf | 29 +---- .../game-tech/agones-game-controller/main.tf | 23 ++-- examples/gitops/argocd/main.tf | 23 ++-- examples/ingress-controllers/nginx/main.tf | 22 ++-- examples/ipv4-prefix-delegation/main.tf | 24 +--- examples/ipv6-eks-cluster/main.tf | 23 ++-- examples/karpenter/main.tf | 28 ++-- .../managed-workflow-apache-airflow/main.tf | 24 +--- examples/multi-tenancy-with-teams/main.tf | 30 ++--- examples/node-groups/fargate-profiles/main.tf | 10 +- .../node-groups/managed-node-groups/main.tf | 21 +-- .../self-managed-node-groups/main.tf | 20 +-- .../node-groups/windows-node-groups/main.tf | 20 +-- .../adot-amp-grafana-for-haproxy/main.tf | 20 +-- .../adot-amp-grafana-for-java/main.tf | 20 +-- .../adot-amp-grafana-for-memcached/main.tf | 20 +-- .../adot-amp-grafana-for-nginx/main.tf | 20 +-- .../observability/amp-amg-opensearch/main.tf | 20 +-- .../csi-secrets-driver/main.tf | 31 ++--- examples/stateful/main.tf | 22 ++-- examples/tls-with-aws-pca-issuer/main.tf | 23 ++-- examples/upstream-with-k8s-addons/main.tf | 21 +-- 36 files changed, 345 insertions(+), 520 deletions(-) create mode 100644 FAQ.md delete mode 100644 KNOWN_ISSUES.md 
diff --git a/.github/workflows/e2e-parallel-destroy.yml b/.github/workflows/e2e-parallel-destroy.yml index 8bdabb0605..24e951de8a 100644 --- a/.github/workflows/e2e-parallel-destroy.yml +++ b/.github/workflows/e2e-parallel-destroy.yml @@ -25,7 +25,6 @@ jobs: include: - example_path: examples/analytics/emr-on-eks - example_path: examples/analytics/spark-k8s-operator - - example_path: examples/aws-efs-csi-driver - example_path: examples/crossplane - example_path: examples/eks-cluster-with-new-vpc - example_path: examples/fargate-serverless diff --git a/.github/workflows/e2e-parallel-full.yml b/.github/workflows/e2e-parallel-full.yml index cf1c3d18b2..4b3f49744d 100644 --- a/.github/workflows/e2e-parallel-full.yml +++ b/.github/workflows/e2e-parallel-full.yml @@ -29,7 +29,6 @@ jobs: include: - example_path: examples/analytics/emr-on-eks - example_path: examples/analytics/spark-k8s-operator - - example_path: examples/aws-efs-csi-driver - example_path: examples/crossplane - example_path: examples/eks-cluster-with-new-vpc - example_path: examples/fargate-serverless diff --git a/FAQ.md b/FAQ.md new file mode 100644 index 0000000000..c6cc6fbe25 --- /dev/null +++ b/FAQ.md 
@@ -0,0 +1,120 @@ +# Frequently Asked Questions + +## Timeouts on destroy + +Customers who are deleting their environments using `terraform destroy` may see timeout errors when VPCs are being deleted. This is due to a known issue in the [vpc-cni](https://github.com/aws/amazon-vpc-cni-k8s/issues/1223#issue-704536542) + +Customers may face a situation where ENIs that were attached to EKS managed nodes (same may apply to self-managed nodes) are not being deleted by the VPC CNI as expected which leads to IaC tool failures, such as: + +* ENIs are left on subnets +* EKS managed security group which is attached to the ENI can’t be deleted by EKS + +The current recommendation is to execute cleanup in the following order: + +1. delete all pods that have been created in the cluster. +2. add delay/ wait +3. delete VPC CNI +4. delete nodes +5. delete cluster + +## Leaked CloudWatch Logs Group + +Sometimes, customers may see the CloudWatch Log Group for EKS cluster being created is left behind after their blueprint has been destroyed using `terraform destroy`. This happens because even after terraform deletes the CW log group, there’s still logs being processed behind the scene by AWS EKS and service continues to write logs after recreating the log group using the EKS service IAM role which users don't have control over. This results in a terraform failure when the same blueprint is being recreated due to the existing log group left behind. + +There are two options here: + +1. During cluster creation set `var.create_cloudwatch_log_group` to `false` (default behavior). This will indicate to the upstream [terraform-aws-eks](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/6d7245621f97bb8e38642a9e40ddce3a32ff9efb/main.tf#L70) to not create the log group, but instead let the service create the log group. 
This means that upon cluster deletion the log group will be left behind but there will not be terraform failures if you re-create the same cluster as terraform does not manage the log group creation/deletion anymore. + +2. During cluster creation set `var.create_cloudwatch_log_group` to `true`. This will indicate to the upstream [terraform-aws-eks](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/6d7245621f97bb8e38642a9e40ddce3a32ff9efb/main.tf#L70) to create the log group via terraform. EKS service will detect the log group and will start forwarding the logs for the log types [enabled](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/6d7245621f97bb8e38642a9e40ddce3a32ff9efb/variables.tf#L35). Upon deletion terraform will delete the log group but depending upon any unforwarded logs, the EKS service may recreate log group using the service role. This will result in terraform errors if the same blueprint is recreated. To proceed, manually delete the log group using the console or cli rerun the `terraform apply`. + +## Provider Authentication + +The chain of events when provisioning an example is typically in the stages of VPC -> EKS cluster -> addons and manifests. Per Terraform's recommendation, it is not recommended to pass an unknown value into provider configurations. However, for the sake of simplicity and ease of use, Blueprints does specify the AWS provider along with the Kubernetes, Helm, and Kubectl providers in order to show the full configuration requred for provisioning example. Note - this is the configuration *required* to provision the example, not necessarily the shape of how the configuration should be structured; users are encouraged to split up EKS cluster creation from addon and manifest provisioning to align with Terraform's recommendations. + +With that said, the examples here are combining the providers and users can sometimes encounter various issues with the provider authentication methods. 
There are primarily two methods for authenticating the Kubernetes, Helm, and Kubectl providers to the EKS cluster created: + +1. Using a static token which has a lifetime of 15 minutes per the EKS service documentation. +2. Using the `exec()` method which will fetch a token at the time of Terraform invocation. + +The Kubernetes and Helm providers [recommend the `exec()` method](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs#exec-plugins), however this has the caveat that it requires the awscli to be installed on the machine running Terraform *AND* of at least a minimum version to support the API spec used by the provider (i.e. - `"client.authentication.k8s.io/v1alpha1"`, `"client.authentication.k8s.io/v1beta1"`, etc.). Selecting the appropriate provider authentication method is left up to users, and the examples used in this project will default to using the static token method for ease of use. + +Users of the static token method should be aware that if they receive a `401 Unauthorized` message, they might have a token that has expired and will need to run `terraform refresh` to get a new token. +Users of the `exec()` method should be aware that the `exec()` method is reliant on the awscli and the associated authtentication API version; the awscli version may need to be updated to support a later API version required by the Kubernetes version in use. + +The following examples demonstrate either method that users can utilize - please refer to the associated provider's documentation for further details on cofiguration. 
+ +### Static Token Example + +```hcl +provider "kubernetes" { + host = module.eks_blueprints.eks_cluster_endpoint + cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) + token = data.aws_eks_cluster_auth.this.token +} + +provider "helm" { + kubernetes { + host = module.eks_blueprints.eks_cluster_endpoint + cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) + token = data.aws_eks_cluster_auth.this.token + } +} + +provider "kubectl" { + apply_retry_count = 10 + host = module.eks_blueprints.eks_cluster_endpoint + cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) + load_config_file = false + token = data.aws_eks_cluster_auth.this.token +} + +data "aws_eks_cluster_auth" "this" { + name = module.eks_blueprints.eks_cluster_id +} +``` + +### `exec()` Example + +```hcl +provider "kubernetes" { + host = module.eks_blueprints.eks_cluster_endpoint + cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) + + exec { + api_version = "client.authentication.k8s.io/v1beta1" + command = "aws" + args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id] + } +} + +provider "helm" { + kubernetes { + host = module.eks_blueprints.eks_cluster_endpoint + cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) + + exec { + api_version = "client.authentication.k8s.io/v1beta1" + command = "aws" + args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id] + } + } +} + +provider "kubectl" { + apply_retry_count = 10 + host = module.eks_blueprints.eks_cluster_endpoint + cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) + load_config_file = false + + exec { + api_version = "client.authentication.k8s.io/v1beta1" + command = "aws" + args = ["eks", "get-token", 
"--cluster-name", module.eks_blueprints.eks_cluster_id] + } +} +``` + +### References + +- https://github.com/hashicorp/terraform/issues/29182 +- https://github.com/aws/aws-cli/pull/6476 diff --git a/KNOWN_ISSUES.md b/KNOWN_ISSUES.md deleted file mode 100644 index cd47c78eb8..0000000000 --- a/KNOWN_ISSUES.md +++ /dev/null 
@@ -1,28 +0,0 @@ -# Known Issues - -## Timeouts on destroy - -Customers who are deleting their environments using `terraform destroy` may see timeout errors when VPCs are being deleted. This is due to a known issue in the [vpc-cni](https://github.com/aws/amazon-vpc-cni-k8s/issues/1223#issue-704536542) - -Customers may face a situation where ENIs that were attached to EKS managed nodes (same may apply to self-managed nodes) are not being deleted by the VPC CNI as expected which leads to IaC tool failures, such as: - -* ENIs are left on subnets -* EKS managed security group which is attached to the ENI can’t be deleted by EKS - -The current recommendation is to execute cleanup in the following order: - -1. delete all pods that have been created in the cluster. -2. add delay/ wait -3. delete VPC CNI -4. delete nodes -5. delete cluster - -## Leaked CloudWatch Logs Group - -Sometimes, customers may see the CloudWatch Log Group for EKS cluster being created is left behind after their blueprint has been destroyed using `terraform destroy`. This happens because even after terraform deletes the CW log group, there’s still logs being processed behind the scene by AWS EKS and service continues to write logs after recreating the log group using the EKS service IAM role which users don't have control over. This results in a terraform failure when the same blueprint is being recreated due to the existing log group left behind. - -There are two options here: - -1. During cluster creation set `var.create_cloudwatch_log_group` to `false` (default behavior). This will indicate to the upstream [terraform-aws-eks](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/6d7245621f97bb8e38642a9e40ddce3a32ff9efb/main.tf#L70) to not create the log group, but instead let the service create the log group. 
This means that upon cluster deletion the log group will be left behind but there will not be terraform failures if you re-create the same cluster as terraform does not manage the log group creation/deletion anymore. - -2. During cluster creation set `var.create_cloudwatch_log_group` to `true`. This will indicate to the upstream [terraform-aws-eks](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/6d7245621f97bb8e38642a9e40ddce3a32ff9efb/main.tf#L70) to create the log group via terraform. EKS service will detect the log group and will start forwarding the logs for the log types [enabled](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/6d7245621f97bb8e38642a9e40ddce3a32ff9efb/variables.tf#L35). Upon deletion terraform will delete the log group but depending upon any unforwarded logs, the EKS service may recreate log group using the service role. This will result in terraform errors if the same blueprint is recreated. To proceed, manually delete the log group using the console or cli rerun the `terraform apply`. diff --git a/docs/add-ons/aws-efs-csi-driver.md b/docs/add-ons/aws-efs-csi-driver.md index 6cf58ee93d..e9d771126d 100644 --- a/docs/add-ons/aws-efs-csi-driver.md +++ b/docs/add-ons/aws-efs-csi-driver.md 
@@ -4,7 +4,7 @@ This add-on deploys the [AWS EFS CSI driver](https://docs.aws.amazon.com/eks/lat ## Usage -The [AWS EFS CSI driver](https://github.com/aws-ia/terraform-aws-eks-blueprints/tree/main/modules/kubernetes-addons/aws-efs-csi-driver) can be deployed by enabling the add-on via the following. Check out the full [example](https://github.com/aws-ia/terraform-aws-eks-blueprints/blob/main/examples/aws-efs-csi-driver/main.tf) to deploy an EKS Cluster with EFS backing the dynamic provisioning of persistent volumes. +The [AWS EFS CSI driver](https://github.com/aws-ia/terraform-aws-eks-blueprints/tree/main/modules/kubernetes-addons/aws-efs-csi-driver) can be deployed by enabling the add-on via the following. Check out the full [example](https://github.com/aws-ia/terraform-aws-eks-blueprints/blob/main/examples/stateful/main.tf) to deploy an EKS Cluster with EFS backing the dynamic provisioning of persistent volumes. ```hcl enable_aws_efs_csi_driver = true diff --git a/examples/analytics/emr-eks-fsx-lustre/main.tf b/examples/analytics/emr-eks-fsx-lustre/main.tf index 3f14a8e278..e1776400c3 100644 --- a/examples/analytics/emr-eks-fsx-lustre/main.tf +++ b/examples/analytics/emr-eks-fsx-lustre/main.tf 
@@ -5,26 +5,14 @@ provider "aws" { provider "kubernetes" { host = module.eks_blueprints.eks_cluster_endpoint cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) - - exec { - api_version = "client.authentication.k8s.io/v1beta1" - command = "aws" - # This requires the awscli to be installed locally where Terraform is executed - args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id] - } + token = data.aws_eks_cluster_auth.this.token } provider "helm" { kubernetes { host = module.eks_blueprints.eks_cluster_endpoint cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) - - exec { - api_version = "client.authentication.k8s.io/v1beta1" - command = "aws" - # This requires the awscli to be installed locally where Terraform is executed - args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id] - } + token = data.aws_eks_cluster_auth.this.token } } @@ -33,13 +21,11 @@ provider "kubectl" { host = module.eks_blueprints.eks_cluster_endpoint cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) load_config_file = false + token = data.aws_eks_cluster_auth.this.token +} - exec { - api_version = "client.authentication.k8s.io/v1beta1" - command = "aws" - # This requires the awscli to be installed locally where Terraform is executed - args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id] - } +data "aws_eks_cluster_auth" "this" { + name = module.eks_blueprints.eks_cluster_id } data "aws_availability_zones" "available" {} diff --git a/examples/analytics/emr-on-eks/main.tf b/examples/analytics/emr-on-eks/main.tf index 77985d92d2..a7c92c2035 100644 --- a/examples/analytics/emr-on-eks/main.tf +++ b/examples/analytics/emr-on-eks/main.tf 
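Review bot: The new `data "aws_eks_cluster_auth" "this"` block carries no comment about the trade-off it introduces, whereas the removed `exec` block at least documented its awscli dependency; Terraform records data-source results in state, so the bearer token this returns is persisted in the state backend (and in any saved plan file) and is a usable cluster credential for anyone who can read that state until it expires. It is also fetched once per plan/apply, so an apply that runs longer than the token lifetime the FAQ cites (15 minutes) — plausible when cluster creation and addons happen in one run — starts failing with 401 midway, and the FAQ's `terraform refresh` advice cannot rescue a run already in progress. I would add, above the data source, `# NOTE: short-lived (~15 min) token, stored in Terraform state/plan files - treat the state backend as sensitive and re-run if a long apply returns 401; see FAQ.md "Provider Authentication".` The same applies to every example converted in this patch, and the FAQ section added here does not mention the state exposure.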
@@ -5,29 +5,21 @@ provider "aws" { provider "kubernetes" { host = module.eks_blueprints.eks_cluster_endpoint cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) - - exec { - api_version = "client.authentication.k8s.io/v1beta1" - command = "aws" - # This requires the awscli to be installed locally where Terraform is executed - args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id] - } + token = data.aws_eks_cluster_auth.this.token } provider "helm" { kubernetes { host = module.eks_blueprints.eks_cluster_endpoint cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) - - exec { - api_version = "client.authentication.k8s.io/v1beta1" - command = "aws" - # This requires the awscli to be installed locally where Terraform is executed - args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id] - } + token = data.aws_eks_cluster_auth.this.token } } +data "aws_eks_cluster_auth" "this" { + name = module.eks_blueprints.eks_cluster_id +} + data "aws_availability_zones" "available" {} data "aws_region" "current" {} diff --git a/examples/analytics/spark-k8s-operator/main.tf b/examples/analytics/spark-k8s-operator/main.tf index 50f972fd7e..a5cabff740 100644 --- a/examples/analytics/spark-k8s-operator/main.tf +++ b/examples/analytics/spark-k8s-operator/main.tf 
@@ -3,24 +3,20 @@ provider "aws" { } provider "kubernetes" { - host = data.aws_eks_cluster.cluster.endpoint - cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data) - token = data.aws_eks_cluster_auth.cluster.token + host = module.eks_blueprints.eks_cluster_endpoint + cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) + token = data.aws_eks_cluster_auth.this.token } provider "helm" { kubernetes { - host = data.aws_eks_cluster.cluster.endpoint - token = data.aws_eks_cluster_auth.cluster.token - cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data) + host = module.eks_blueprints.eks_cluster_endpoint + cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) + token = data.aws_eks_cluster_auth.this.token } } -data "aws_eks_cluster" "cluster" { - name = module.eks_blueprints.eks_cluster_id -} - -data "aws_eks_cluster_auth" "cluster" { +data "aws_eks_cluster_auth" "this" { name = module.eks_blueprints.eks_cluster_id } diff --git a/examples/ci-cd/gitlab-ci-cd/main.tf b/examples/ci-cd/gitlab-ci-cd/main.tf index 0eedf794bd..6ff3e63784 100644 --- a/examples/ci-cd/gitlab-ci-cd/main.tf +++ b/examples/ci-cd/gitlab-ci-cd/main.tf 
@@ -9,29 +9,21 @@ provider "aws" { provider "kubernetes" { host = module.eks_blueprints.eks_cluster_endpoint cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) - - exec { - api_version = "client.authentication.k8s.io/v1beta1" - command = "aws" - # This requires the awscli to be installed locally where Terraform is executed - args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id] - } + token = data.aws_eks_cluster_auth.this.token } provider "helm" { kubernetes { host = module.eks_blueprints.eks_cluster_endpoint cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) - - exec { - api_version = "client.authentication.k8s.io/v1beta1" - command = "aws" - # This requires the awscli to be installed locally where Terraform is executed - args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id] - } + token = data.aws_eks_cluster_auth.this.token } } +data "aws_eks_cluster_auth" "this" { + name = module.eks_blueprints.eks_cluster_id +} + data "aws_availability_zones" "available" {} locals { @@ -50,6 +42,7 @@ locals { #--------------------------------------------------------------- # EKS Blueprints #--------------------------------------------------------------- + module "eks_blueprints" { source = "../../.." @@ -74,6 +67,7 @@ module "eks_blueprints" { #--------------------------------------------------------------- # Supporting Resources #--------------------------------------------------------------- + module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "~> 3.0" diff --git a/examples/complete-kubernetes-addons/main.tf b/examples/complete-kubernetes-addons/main.tf index 2ab11e6964..70cbb1a4d1 100644 --- a/examples/complete-kubernetes-addons/main.tf +++ b/examples/complete-kubernetes-addons/main.tf 
@@ -5,29 +5,21 @@ provider "aws" { provider "kubernetes" { host = module.eks_blueprints.eks_cluster_endpoint cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) - - exec { - api_version = "client.authentication.k8s.io/v1beta1" - command = "aws" - # This requires the awscli to be installed locally where Terraform is executed - args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id] - } + token = data.aws_eks_cluster_auth.this.token } provider "helm" { kubernetes { host = module.eks_blueprints.eks_cluster_endpoint cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) - - exec { - api_version = "client.authentication.k8s.io/v1beta1" - command = "aws" - # This requires the awscli to be installed locally where Terraform is executed - args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id] - } + token = data.aws_eks_cluster_auth.this.token } } +data "aws_eks_cluster_auth" "this" { + name = module.eks_blueprints.eks_cluster_id +} + data "aws_availability_zones" "available" {} locals { @@ -46,6 +38,7 @@ locals { #--------------------------------------------------------------- # EKS Blueprints #--------------------------------------------------------------- + module "eks_blueprints" { source = "../.." diff --git a/examples/crossplane/main.tf b/examples/crossplane/main.tf index b9155893aa..7b97db56ae 100644 --- a/examples/crossplane/main.tf +++ b/examples/crossplane/main.tf 
@@ -5,26 +5,14 @@ provider "aws" { provider "kubernetes" { host = module.eks_blueprints.eks_cluster_endpoint cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) - - exec { - api_version = "client.authentication.k8s.io/v1beta1" - command = "aws" - # This requires the awscli to be installed locally where Terraform is executed - args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id] - } + token = data.aws_eks_cluster_auth.this.token } provider "helm" { kubernetes { host = module.eks_blueprints.eks_cluster_endpoint cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) - - exec { - api_version = "client.authentication.k8s.io/v1beta1" - command = "aws" - # This requires the awscli to be installed locally where Terraform is executed - args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id] - } + token = data.aws_eks_cluster_auth.this.token } } @@ -33,13 +21,11 @@ provider "kubectl" { host = module.eks_blueprints.eks_cluster_endpoint cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) load_config_file = false + token = data.aws_eks_cluster_auth.this.token +} - exec { - api_version = "client.authentication.k8s.io/v1beta1" - command = "aws" - # This requires the awscli to be installed locally where Terraform is executed - args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id] - } +data "aws_eks_cluster_auth" "this" { + name = module.eks_blueprints.eks_cluster_id } data "aws_availability_zones" "available" {} @@ -60,6 +46,7 @@ locals { #--------------------------------------------------------------- # EKS Blueprints #--------------------------------------------------------------- + module "eks_blueprints" { source = "../.." 
@@ -116,6 +103,7 @@ module "eks_blueprints_kubernetes_addons" { #--------------------------------------------------------------- # Supporting Resources #--------------------------------------------------------------- + module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "~> 3.0" diff --git a/examples/eks-cluster-with-external-dns/main.tf b/examples/eks-cluster-with-external-dns/main.tf index 9405590b02..c6c597d5b8 100644 --- a/examples/eks-cluster-with-external-dns/main.tf +++ b/examples/eks-cluster-with-external-dns/main.tf @@ -5,29 +5,21 @@ provider "aws" { provider "kubernetes" { host = module.eks_blueprints.eks_cluster_endpoint cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) - - exec { - api_version = "client.authentication.k8s.io/v1beta1" - command = "aws" - # This requires the awscli to be installed locally where Terraform is executed - args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id] - } + token = data.aws_eks_cluster_auth.this.token } provider "helm" { kubernetes { host = module.eks_blueprints.eks_cluster_endpoint cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) - - exec { - api_version = "client.authentication.k8s.io/v1beta1" - command = "aws" - # This requires the awscli to be installed locally where Terraform is executed - args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id] - } + token = data.aws_eks_cluster_auth.this.token } } +data "aws_eks_cluster_auth" "this" { + name = module.eks_blueprints.eks_cluster_id +} + data "aws_acm_certificate" "issued" { domain = var.acm_certificate_domain statuses = ["ISSUED"] @@ -51,6 +43,7 @@ locals { #--------------------------------------------------------------- # EKS Blueprints #--------------------------------------------------------------- + module "eks_blueprints" { source = "../.." 
@@ -113,6 +106,7 @@ module "eks_blueprints_kubernetes_addons" { #--------------------------------------------------------------- # Supporting Resources #--------------------------------------------------------------- + module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "~> 3.0" diff --git a/examples/eks-cluster-with-new-vpc/main.tf b/examples/eks-cluster-with-new-vpc/main.tf index 4aac23f706..418e30dfd9 100644 --- a/examples/eks-cluster-with-new-vpc/main.tf +++ b/examples/eks-cluster-with-new-vpc/main.tf @@ -5,29 +5,21 @@ provider "aws" { provider "kubernetes" { host = module.eks_blueprints.eks_cluster_endpoint cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) - - exec { - api_version = "client.authentication.k8s.io/v1beta1" - command = "aws" - # This requires the awscli to be installed locally where Terraform is executed - args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id] - } + token = data.aws_eks_cluster_auth.this.token } provider "helm" { kubernetes { host = module.eks_blueprints.eks_cluster_endpoint cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) - - exec { - api_version = "client.authentication.k8s.io/v1beta1" - command = "aws" - # This requires the awscli to be installed locally where Terraform is executed - args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id] - } + token = data.aws_eks_cluster_auth.this.token } } +data "aws_eks_cluster_auth" "this" { + name = module.eks_blueprints.eks_cluster_id +} + data "aws_availability_zones" "available" {} locals { @@ -48,6 +40,7 @@ locals { #--------------------------------------------------------------- # EKS Blueprints #--------------------------------------------------------------- + module "eks_blueprints" { source = "../.." 
@@ -94,6 +87,7 @@ module "eks_blueprints_kubernetes_addons" { #--------------------------------------------------------------- # Supporting Resources #--------------------------------------------------------------- + module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "~> 3.0" diff --git a/examples/external-secrets-kubernetes-addon/main.tf b/examples/external-secrets-kubernetes-addon/main.tf index 09708e2e7a..866a6dd523 100644 --- a/examples/external-secrets-kubernetes-addon/main.tf +++ b/examples/external-secrets-kubernetes-addon/main.tf 
@@ -5,43 +5,31 @@ provider "aws" { provider "kubernetes" { host = module.eks_blueprints.eks_cluster_endpoint cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) - - exec { - api_version = "client.authentication.k8s.io/v1beta1" - command = "aws" - # This requires the awscli to be installed locally where Terraform is executed - args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id] - } + token = data.aws_eks_cluster_auth.this.token } provider "helm" { kubernetes { host = module.eks_blueprints.eks_cluster_endpoint cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) - - exec { - api_version = "client.authentication.k8s.io/v1beta1" - command = "aws" - # This requires the awscli to be installed locally where Terraform is executed - args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id] - } + token = data.aws_eks_cluster_auth.this.token } } provider "kubectl" { host = module.eks_blueprints.eks_cluster_endpoint cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) - - exec { - api_version = "client.authentication.k8s.io/v1beta1" - command = "aws" - # This requires the awscli to be installed locally where Terraform is executed - args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id] - } + token = data.aws_eks_cluster_auth.this.token } +data "aws_eks_cluster_auth" "this" { + name = module.eks_blueprints.eks_cluster_id +} data "aws_availability_zones" "available" {} +data "aws_partition" "current" {} +data "aws_caller_identity" "current" {} +data "aws_region" "current" {} locals { name = basename(path.cwd) @@ -56,7 +44,6 @@ locals { secretstore_name = "secretstore-ps" secretstore_sa = "secretstore-sa" - tags = { Blueprint = local.name GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints" 
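Review bot: The `kubectl` provider in this hunk is switched to `token = data.aws_eks_cluster_auth.this.token` but, unlike the kubectl providers converted in the emr-eks-fsx-lustre, crossplane and fargate-serverless hunks of this same patch, it does not set `load_config_file = false`; if the provider's default is to read a local kubeconfig, a stale `~/.kube/config` on the machine running Terraform could affect which cluster is targeted, and at minimum the examples are now inconsistent with each other. I would add `load_config_file = false` next to `token`. A smaller point of style: the new `data "aws_eks_cluster_auth" "this"` block runs straight into `data "aws_availability_zones" "available" {}` with no blank line, unlike the other examples in the patch.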
@@ -66,6 +53,7 @@ locals { #--------------------------------------------------------------- # EKS Blueprints #--------------------------------------------------------------- + module "eks_blueprints" { source = "../.." @@ -138,12 +126,12 @@ module "eks_blueprints_kubernetes_addons" { enable_external_secrets = true tags = local.tags - } #--------------------------------------------------------------- # Supporting Resources #--------------------------------------------------------------- + module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "~> 3.0" @@ -180,12 +168,6 @@ module "vpc" { tags = local.tags } -data "aws_partition" "current" {} - -data "aws_caller_identity" "current" {} - -data "aws_region" "current" {} - #--------------------------------------------------------------- # External Secrets Operator - Secret #--------------------------------------------------------------- diff --git a/examples/fargate-serverless/main.tf b/examples/fargate-serverless/main.tf index a7bc71a57a..8be9cf10c7 100644 --- a/examples/fargate-serverless/main.tf +++ b/examples/fargate-serverless/main.tf 
@@ -5,26 +5,14 @@ provider "aws" {
provider "kubernetes" {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
provider "helm" {
kubernetes {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
}
@@ -33,13 +21,11 @@ provider "kubectl" {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
load_config_file = false
+ token = data.aws_eks_cluster_auth.this.token
+}
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+data "aws_eks_cluster_auth" "this" {
+ name = module.eks_blueprints.eks_cluster_id
}
data "aws_caller_identity" "current" {}
@@ -172,9 +158,6 @@ data "aws_eks_addon_version" "latest" {
#---------------------------------------------------------------
# Modifying CoreDNS for Fargate
#---------------------------------------------------------------
-data "aws_eks_cluster_auth" "this" {
- name = module.eks_blueprints.eks_cluster_id
-}
locals {
kubeconfig = yamlencode({
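Review bot: With the `aws_eks_cluster_auth` data source moved to the top of the file it now serves two consumers, the three providers and, it appears, the `kubeconfig` local that follows under "Modifying CoreDNS for Fargate" (that local's body and whatever consumes it lie outside the hunk). A rendered kubeconfig carrying a bearer token is as sensitive as the token itself, and if it is handed to a `local-exec` provisioner it will show up in plan output and process arguments; the data source should carry a comment saying it is shared and that the derived kubeconfig must be treated as a secret, e.g. `# Also embedded in local.kubeconfig below — treat that value as a credential.` If the pinned Terraform version permits it, wrapping the local in `sensitive(...)` would keep it out of plan output.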
diff --git a/examples/game-tech/agones-game-controller/main.tf b/examples/game-tech/agones-game-controller/main.tf
index 8c0cd477bb..c13a9f8bbb 100644
--- a/examples/game-tech/agones-game-controller/main.tf
+++ b/examples/game-tech/agones-game-controller/main.tf
@@ -5,29 +5,21 @@ provider "aws" {
provider "kubernetes" {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
provider "helm" {
kubernetes {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
}
+data "aws_eks_cluster_auth" "this" {
+ name = module.eks_blueprints.eks_cluster_id
+}
+
data "aws_availability_zones" "available" {}
locals {
@@ -46,6 +38,7 @@ locals {
#---------------------------------------------------------------
# EKS Blueprints
#---------------------------------------------------------------
+
module "eks_blueprints" {
source = "../../.."
@@ -125,12 +118,12 @@ module "eks_blueprints_kubernetes_addons" {
}
tags = local.tags
-
}
#---------------------------------------------------------------
# Supporting Resources
#---------------------------------------------------------------
+
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 3.0"
diff --git a/examples/gitops/argocd/main.tf b/examples/gitops/argocd/main.tf
index 89270de9f2..ca479fed3d 100644
--- a/examples/gitops/argocd/main.tf
+++ b/examples/gitops/argocd/main.tf
@@ -5,29 +5,21 @@ provider "aws" {
provider "kubernetes" {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
provider "helm" {
kubernetes {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
}
+data "aws_eks_cluster_auth" "this" {
+ name = module.eks_blueprints.eks_cluster_id
+}
+
data "aws_availability_zones" "available" {}
locals {
@@ -46,6 +38,7 @@ locals {
#---------------------------------------------------------------
# EKS Blueprints
#---------------------------------------------------------------
+
module "eks_blueprints" {
source = "../../.."
@@ -117,7 +110,6 @@ module "eks_blueprints_kubernetes_addons" {
enable_argo_rollouts = true
tags = local.tags
-
}
#---------------------------------------------------------------
@@ -150,6 +142,7 @@ data "aws_secretsmanager_secret_version" "admin_password_version" {
#---------------------------------------------------------------
# Supporting Resources
#---------------------------------------------------------------
+
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 3.0"
diff --git a/examples/ingress-controllers/nginx/main.tf b/examples/ingress-controllers/nginx/main.tf
index 4051e76685..a7488c3dd3 100644
--- a/examples/ingress-controllers/nginx/main.tf
+++ b/examples/ingress-controllers/nginx/main.tf
@@ -5,29 +5,21 @@ provider "aws" {
provider "kubernetes" {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
provider "helm" {
kubernetes {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
}
+data "aws_eks_cluster_auth" "this" {
+ name = module.eks_blueprints.eks_cluster_id
+}
+
data "aws_availability_zones" "available" {}
locals {
@@ -46,6 +38,7 @@ locals {
#---------------------------------------------------------------
# EKS Blueprints
#---------------------------------------------------------------
+
module "eks_blueprints" {
source = "../../.."
@@ -96,6 +89,7 @@ module "eks_blueprints_kubernetes_addons" {
#---------------------------------------------------------------
# Supporting Resources
#---------------------------------------------------------------
+
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 3.0"
diff --git a/examples/ipv4-prefix-delegation/main.tf b/examples/ipv4-prefix-delegation/main.tf
index 214d67a464..e8f8ded40d 100644
--- a/examples/ipv4-prefix-delegation/main.tf
+++ b/examples/ipv4-prefix-delegation/main.tf
@@ -5,29 +5,21 @@ provider "aws" {
provider "kubernetes" {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
provider "helm" {
kubernetes {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
}
+data "aws_eks_cluster_auth" "this" {
+ name = module.eks_blueprints.eks_cluster_id
+}
+
data "aws_caller_identity" "current" {}
data "aws_availability_zones" "available" {}
@@ -129,10 +121,6 @@ data "aws_eks_addon_version" "latest" {
# Modify VPC CNI deployment
#---------------------------------------------------------------
-data "aws_eks_cluster_auth" "this" {
- name = module.eks_blueprints.eks_cluster_id
-}
-
locals {
kubeconfig = yamlencode({
apiVersion = "v1"
diff --git a/examples/ipv6-eks-cluster/main.tf b/examples/ipv6-eks-cluster/main.tf
index 9f50f69020..7ae3baa239 100644
--- a/examples/ipv6-eks-cluster/main.tf
+++ b/examples/ipv6-eks-cluster/main.tf
@@ -5,29 +5,21 @@ provider "aws" {
provider "kubernetes" {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
provider "helm" {
kubernetes {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
}
+data "aws_eks_cluster_auth" "this" {
+ name = module.eks_blueprints.eks_cluster_id
+}
+
data "aws_availability_zones" "available" {}
locals {
@@ -46,6 +38,7 @@ locals {
#---------------------------------------------------------------
# EKS Blueprints
#---------------------------------------------------------------
+
module "eks_blueprints" {
source = "../.."
@@ -89,12 +82,12 @@ module "eks_blueprints_kubernetes_addons" {
enable_aws_load_balancer_controller = true
tags = local.tags
-
}
#---------------------------------------------------------------
# Supporting Resources
#---------------------------------------------------------------
+
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 3.0"
diff --git a/examples/karpenter/main.tf b/examples/karpenter/main.tf
index b99b359e9f..f9d230e60f 100644
--- a/examples/karpenter/main.tf
+++ b/examples/karpenter/main.tf
@@ -5,26 +5,14 @@ provider "aws" {
provider "kubernetes" {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
provider "helm" {
kubernetes {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
}
@@ -33,13 +21,11 @@ provider "kubectl" {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
load_config_file = false
+ token = data.aws_eks_cluster_auth.this.token
+}
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+data "aws_eks_cluster_auth" "this" {
+ name = module.eks_blueprints.eks_cluster_id
}
data "aws_availability_zones" "available" {}
@@ -62,6 +48,7 @@ locals {
#---------------------------------------------------------------
# EKS Blueprints
#---------------------------------------------------------------
+
module "eks_blueprints" {
source = "../.."
@@ -219,6 +206,7 @@ resource "kubectl_manifest" "karpenter_provisioner" {
#---------------------------------------------------------------
# Supporting Resources
#---------------------------------------------------------------
+
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 3.0"
diff --git a/examples/managed-workflow-apache-airflow/main.tf b/examples/managed-workflow-apache-airflow/main.tf
index 2f9a2d4865..e127f2b662 100644
--- a/examples/managed-workflow-apache-airflow/main.tf
+++ b/examples/managed-workflow-apache-airflow/main.tf
@@ -5,29 +5,21 @@ provider "aws" {
provider "kubernetes" {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
provider "helm" {
kubernetes {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
}
+data "aws_eks_cluster_auth" "this" {
+ name = module.eks_blueprints.eks_cluster_id
+}
+
data "aws_availability_zones" "available" {}
data "aws_caller_identity" "current" {}
@@ -264,10 +256,6 @@ module "s3_bucket" {
tags = local.tags
}
-data "aws_eks_cluster_auth" "this" {
- name = module.eks_blueprints.eks_cluster_id
-}
-
# Kubeconfig is required for KubernetesPodOperator
# https://airflow.apache.org/docs/apache-airflow-providers-cncf-kubernetes/stable/operators.html
locals {
diff --git a/examples/multi-tenancy-with-teams/main.tf b/examples/multi-tenancy-with-teams/main.tf
index 2eb920baaf..0550c8ec78 100644
--- a/examples/multi-tenancy-with-teams/main.tf
+++ b/examples/multi-tenancy-with-teams/main.tf
@@ -5,26 +5,14 @@ provider "aws" {
provider "kubernetes" {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
provider "helm" {
kubernetes {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
}
@@ -33,13 +21,11 @@ provider "kubectl" {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
load_config_file = false
+ token = data.aws_eks_cluster_auth.this.token
+}
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+data "aws_eks_cluster_auth" "this" {
+ name = module.eks_blueprints.eks_cluster_id
}
data "aws_caller_identity" "current" {}
@@ -61,6 +47,7 @@ locals {
#---------------------------------------------------------------
# EKS Blueprints
#---------------------------------------------------------------
+
module "eks_blueprints" {
source = "../.."
@@ -135,7 +122,8 @@ module "eks_blueprints" {
#---------------------------------------------------------------
# Supporting Resources
-#---------------------------------------------------------------
+#---------------------------------------------------------------'
+
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 3.0"
diff --git a/examples/node-groups/fargate-profiles/main.tf b/examples/node-groups/fargate-profiles/main.tf
index bfef3345d4..22c0829f6a 100644
--- a/examples/node-groups/fargate-profiles/main.tf
+++ b/examples/node-groups/fargate-profiles/main.tf
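Review bot: The rewritten "Supporting Resources" separator in multi-tenancy-with-teams picked up a stray trailing quote, `#---------------------------------------------------------------'`; HCL accepts it because it sits inside a comment, but it is plainly unintended and breaks the delimiter pattern every other example in this patch keeps. It should be the unchanged `#---------------------------------------------------------------`, leaving only the blank line as the real change in that hunk.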
@@ -5,13 +5,11 @@ provider "aws" {
provider "kubernetes" {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
+ token = data.aws_eks_cluster_auth.this.token
+}
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+data "aws_eks_cluster_auth" "this" {
+ name = module.eks_blueprints.eks_cluster_id
}
data "aws_availability_zones" "available" {}
diff --git a/examples/node-groups/managed-node-groups/main.tf b/examples/node-groups/managed-node-groups/main.tf
index f04c34b756..cf4311dae8 100644
--- a/examples/node-groups/managed-node-groups/main.tf
+++ b/examples/node-groups/managed-node-groups/main.tf
@@ -5,29 +5,21 @@ provider "aws" {
provider "kubernetes" {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
provider "helm" {
kubernetes {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
}
+data "aws_eks_cluster_auth" "this" {
+ name = module.eks_blueprints.eks_cluster_id
+}
+
data "aws_ami" "amazonlinux2eks" {
most_recent = true
@@ -39,7 +31,6 @@ data "aws_ami" "amazonlinux2eks" {
owners = ["amazon"]
}
-
data "aws_availability_zones" "available" {}
locals {
diff --git a/examples/node-groups/self-managed-node-groups/main.tf b/examples/node-groups/self-managed-node-groups/main.tf
index 8605ff88b7..8837e0b30f 100644
--- a/examples/node-groups/self-managed-node-groups/main.tf
+++ b/examples/node-groups/self-managed-node-groups/main.tf
@@ -5,29 +5,21 @@ provider "aws" {
provider "kubernetes" {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
provider "helm" {
kubernetes {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
}
+data "aws_eks_cluster_auth" "this" {
+ name = module.eks_blueprints.eks_cluster_id
+}
+
data "aws_availability_zones" "available" {}
locals {
diff --git a/examples/node-groups/windows-node-groups/main.tf b/examples/node-groups/windows-node-groups/main.tf
index 1c886ede04..03911a4460 100644
--- a/examples/node-groups/windows-node-groups/main.tf
+++ b/examples/node-groups/windows-node-groups/main.tf
@@ -5,29 +5,21 @@ provider "aws" {
provider "kubernetes" {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
provider "helm" {
kubernetes {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
}
+data "aws_eks_cluster_auth" "this" {
+ name = module.eks_blueprints.eks_cluster_id
+}
+
data "aws_availability_zones" "available" {}
locals {
diff --git a/examples/observability/adot-amp-grafana-for-haproxy/main.tf b/examples/observability/adot-amp-grafana-for-haproxy/main.tf
index 42e73ed7c8..de971d610b 100644
--- a/examples/observability/adot-amp-grafana-for-haproxy/main.tf
+++ b/examples/observability/adot-amp-grafana-for-haproxy/main.tf
@@ -5,26 +5,14 @@ provider "aws" {
provider "kubernetes" {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
provider "helm" {
kubernetes {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
}
@@ -33,6 +21,10 @@ provider "grafana" {
auth = var.grafana_api_key
}
+data "aws_eks_cluster_auth" "this" {
+ name = module.eks_blueprints.eks_cluster_id
+}
+
data "aws_availability_zones" "available" {}
locals {
diff --git a/examples/observability/adot-amp-grafana-for-java/main.tf b/examples/observability/adot-amp-grafana-for-java/main.tf
index b30f354821..ba1ce158b8 100644
--- a/examples/observability/adot-amp-grafana-for-java/main.tf
+++ b/examples/observability/adot-amp-grafana-for-java/main.tf
@@ -5,26 +5,14 @@ provider "aws" {
provider "kubernetes" {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
provider "helm" {
kubernetes {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
}
@@ -33,6 +21,10 @@ provider "grafana" {
auth = var.grafana_api_key
}
+data "aws_eks_cluster_auth" "this" {
+ name = module.eks_blueprints.eks_cluster_id
+}
+
data "aws_availability_zones" "available" {}
locals {
diff --git a/examples/observability/adot-amp-grafana-for-memcached/main.tf b/examples/observability/adot-amp-grafana-for-memcached/main.tf
index f98c5dae18..2685c3d0da 100644
--- a/examples/observability/adot-amp-grafana-for-memcached/main.tf
+++ b/examples/observability/adot-amp-grafana-for-memcached/main.tf
@@ -5,26 +5,14 @@ provider "aws" {
provider "kubernetes" {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
provider "helm" {
kubernetes {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
}
@@ -33,6 +21,10 @@ provider "grafana" {
auth = var.grafana_api_key
}
+data "aws_eks_cluster_auth" "this" {
+ name = module.eks_blueprints.eks_cluster_id
+}
+
data "aws_availability_zones" "available" {}
locals {
diff --git a/examples/observability/adot-amp-grafana-for-nginx/main.tf b/examples/observability/adot-amp-grafana-for-nginx/main.tf
index 9404c09425..13fec21234 100644
--- a/examples/observability/adot-amp-grafana-for-nginx/main.tf
+++ b/examples/observability/adot-amp-grafana-for-nginx/main.tf
@@ -5,26 +5,14 @@ provider "aws" {
provider "kubernetes" {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
provider "helm" {
kubernetes {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
}
@@ -33,6 +21,10 @@ provider "grafana" {
auth = var.grafana_api_key
}
+data "aws_eks_cluster_auth" "this" {
+ name = module.eks_blueprints.eks_cluster_id
+}
+
data "aws_availability_zones" "available" {}
locals {
diff --git a/examples/observability/amp-amg-opensearch/main.tf b/examples/observability/amp-amg-opensearch/main.tf
index 43fd45e676..140d0b6bd6 100644
--- a/examples/observability/amp-amg-opensearch/main.tf
+++ b/examples/observability/amp-amg-opensearch/main.tf
@@ -5,26 +5,14 @@ provider "aws" {
provider "kubernetes" {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
provider "helm" {
kubernetes {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
}
@@ -33,6 +21,10 @@ provider "grafana" {
auth = var.grafana_api_key
}
+data "aws_eks_cluster_auth" "this" {
+ name = module.eks_blueprints.eks_cluster_id
+}
+
data "aws_availability_zones" "available" {}
locals {
diff --git a/examples/secrets-management/csi-secrets-driver/main.tf b/examples/secrets-management/csi-secrets-driver/main.tf
index c266bd7e94..59b9634d80 100644
--- a/examples/secrets-management/csi-secrets-driver/main.tf
+++ b/examples/secrets-management/csi-secrets-driver/main.tf
@@ -5,29 +5,21 @@ provider "aws" {
provider "kubernetes" {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
provider "helm" {
kubernetes {
host = module.eks_blueprints.eks_cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
-
- exec {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "aws"
- # This requires the awscli to be installed locally where Terraform is executed
- args = ["eks", "get-token", "--cluster-name", module.eks_blueprints.eks_cluster_id]
- }
+ token = data.aws_eks_cluster_auth.this.token
}
}
+data "aws_eks_cluster_auth" "this" {
+ name = module.eks_blueprints.eks_cluster_id
+}
+
data "aws_availability_zones" "available" {}
data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}
@@ -51,6 +43,7 @@ locals {
#---------------------------------------------------------------
# EKS Blueprints
#---------------------------------------------------------------
+
module "eks_blueprints" {
source = "../../../"
@@ -90,6 +83,7 @@ module "eks_blueprints_kubernetes_addons" {
#------------------------------------------------------------------------------------
# Create a sample secret in Secret Manager
#------------------------------------------------------------------------------------
+
resource "random_password" "password" {
length = 16
special = true
@@ -107,17 +101,18 @@ resource "aws_secretsmanager_secret" "application_secret" {
resource "aws_secretsmanager_secret_version" "sversion" {
secret_id = aws_secretsmanager_secret.application_secret.id
- secret_string = <