From 0303d4598896bd8973f98359be288afc30cdf17b Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 10:38:55 -0800 Subject: [PATCH 01/88] make optional --- examples/complete-managed-nodegroup/variables.tf | 5 ++--- examples/complete-self-managed-nodegroup/main.tf | 15 +++++++++++++-- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/examples/complete-managed-nodegroup/variables.tf b/examples/complete-managed-nodegroup/variables.tf index dfd3dfff..339f79cf 100644 --- a/examples/complete-managed-nodegroup/variables.tf +++ b/examples/complete-managed-nodegroup/variables.tf @@ -94,11 +94,10 @@ variable "assign_public_ip" { } variable "bastion_ami_id" { - description = "The AMI ID to use for the bastion" + description = "(Optional) The AMI ID to use for the bastion, will query the latest Amazon Linux 2 AMI if not provided" type = string - default = "ami-000d4884381edb14c" + default = "" } - variable "bastion_ssh_user" { description = "The SSH user to use for the bastion" type = string diff --git a/examples/complete-self-managed-nodegroup/main.tf b/examples/complete-self-managed-nodegroup/main.tf index a29df6a4..43d646f7 100644 --- a/examples/complete-self-managed-nodegroup/main.tf +++ b/examples/complete-self-managed-nodegroup/main.tf @@ -7,6 +7,17 @@ locals { } } +data "aws_ami" "amazonlinux2" { + most_recent = true + + filter { + name = "name" + values = ["amzn2-ami-hvm*x86_64-gp2"] + } + + owners = ["amazon"] +} + ########################################################### ####################### VPC ############################### @@ -41,7 +52,7 @@ module "bastion" { # source = "git::https://github.com/defenseunicorns/iac.git//modules/bastion?ref=v" source = "../../modules/bastion" - ami_id = var.bastion_ami_id + ami_id = coalesce(var.bastion_ami_id, data.aws_ami.amazonlinux2.id) #use var.bastion_ami_id if set, otherwise use the latest Amazon Linux 2 AMI instance_type = "m5.large" root_volume_config = { volume_type = "gp3" 
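Review bot: The new description promises a fallback to the latest Amazon Linux 2 AMI, but nothing in this example performs that lookup: examples/complete-managed-nodegroup/main.tf still passes `ami_id = var.bastion_ami_id` straight through (visible as a context line in patch 10), so the new default `""` reaches the bastion module as an empty AMI ID. Either add the `data "aws_ami"` plus `coalesce` pair that the self-managed example receives in this same commit, or keep the description honest — `description = "The AMI ID to use for the bastion"` with no default — so a missing value fails at plan rather than at instance launch. The hunk also drops the blank line between the `bastion_ami_id` and `bastion_ssh_user` blocks, which is out of step with the spacing in the rest of the file.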
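Review bot: `most_recent = true` with a wildcard name filter makes the default bastion image a moving target: any plan run after Amazon publishes a new AL2 image will propose replacing the bastion, and the image actually deployed is recorded nowhere in the configuration. The value it replaces was a fixed ID, and the example tfvars pointed at a CIS STIG build, so the trade-off should be written next to the block, e.g. `# Fallback only: resolves the newest Amazon-owned AL2 image at plan time, so the bastion is replaced whenever a new AMI is published; set bastion_ami_id to pin a specific (e.g. STIG-hardened) image.` Because the `coalesce` in the following hunk evaluates its second argument unconditionally, this data source is read on every plan even when `bastion_ami_id` is set, so the planning credentials need `ec2:DescribeImages` regardless; that is worth a comment on the `ami_id` line as well.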
@@ -162,7 +173,7 @@ module "eks" { } ] - instance_type = "m5.xlarge" + instance_type = var.instance_type desired_size = 3 max_size = 10 min_size = 3 From 3688232bac880a31d9b23a528ef36e3b1e3d713e Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 10:39:09 -0800 Subject: [PATCH 02/88] update readme --- .../complete-self-managed-nodegroup/README.md | 101 ++++++++++++------ 1 file changed, 71 insertions(+), 30 deletions(-) diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index ab401045..a14e3398 100644 --- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md 
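Review bot: `instance_type = var.instance_type` references a variable that examples/complete-self-managed-nodegroup/variables.tf does not declare until patch 06 of this series, so at this commit the example fails `terraform validate` with an undeclared-variable error. Moving that declaration into this commit (or squashing the two) keeps every step of the series applyable. The `module "eks"` block starts and ends outside the hunk.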
@@ -8,6 +8,33 @@ This example deploys the following Basic EKS Cluster with VPC - Creates a Bastion host in a private subnet - Creates dependencies needed for BigBang +--- +**Table of contents:** +- [EKS Cluster Deployment with new VPC \& Big Bang Dependencies](#eks-cluster-deployment-with-new-vpc--big-bang-dependencies) + - [How to Deploy](#how-to-deploy) + - [Prerequisites](#prerequisites) + - [Deployment Steps](#deployment-steps) + - [Step 1: Preparation](#step-1-preparation) + - [Step 2: Modify terraform.tfvars (located in tmp directory) with desired values.](#step-2-modify-terraformtfvars-located-in-tmp-directory-with-desired-values) + - [Step 3: Terraform Init \& State](#step-3-terraform-init--state) + - [local](#local) + - [remote](#remote) + - [Step 4: Provision VPC and Bastion](#step-4-provision-vpc-and-bastion) + - [Step 5: Connect to the Bastion using SSHuttle and Provision the remaining Infrastucture](#step-5-connect-to-the-bastion-using-sshuttle-and-provision-the-remaining-infrastucture) + - [Configure `kubectl` and test cluster](#configure-kubectl-and-test-cluster) + - [Step 6: Run the `aws eks update-kubeconfig` command](#step-6-run-the-aws-eks-update-kubeconfig-command) + - [Step 7: List all the worker nodes by running the command below](#step-7-list-all-the-worker-nodes-by-running-the-command-below) + - [Step 8: List all the pods running in `kube-system` namespace](#step-8-list-all-the-pods-running-in-kube-system-namespace) + - [Cleanup](#cleanup) + - [Requirements](#requirements) + - [Providers](#providers) + - [Modules](#modules) + - [Resources](#resources) + - [Inputs](#inputs) + - [Outputs](#outputs) + +--- + ## How to Deploy ### Prerequisites 
@@ -16,8 +43,9 @@ Ensure that you have installed the following tools in your Mac or Windows Laptop 1. [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) 2. [Kubectl](https://Kubernetes.io/docs/tasks/tools/) -3. [Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) -4. [SSHuttle](https://github.com/sshuttle/sshuttle) +3. [Helm](https://helm.sh/docs/intro/install/) +4. [Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) +5. [SSHuttle](https://github.com/sshuttle/sshuttle) Ensure that your AWS credentials are configured. This can be done by running `aws configure` @@ -26,15 +54,20 @@ Ensure that your AWS credentials are configured. This can be done by running `aw #### Step 1: Preparation ```sh -mkdir tmp && cd tmp git clone https://github.com/defenseunicorns/iac.git -cd examples/complete-complete-self-managed-nodegroup/ -cp terraform.tfvars.example ../../../terraform.tfvars +cd ./iac/examples/complete-self-managed-nodegroup +cp terraform.tfvars.example terraform.tfvars ``` -Modify terraform.tfvars (located in tmp directory) with desired values. AWS usernames must be changed to match actual usernames `aws iam get-user | jq '.[]' | jq -r '.UserName'` +#### Step 2: Modify terraform.tfvars (located in tmp directory) with desired values. + +AWS usernames must be changed to match actual usernames `aws iam get-user | jq '.[]' | jq -r '.UserName'` + +#### Step 3: Terraform Init & State -#### Step 2: Terraform Init & State +Use remote or local state for terraform + +##### local Initialize a working directory with configuration files and create local terraform state file 
@@ -42,32 +75,38 @@ Initialize a working directory with configuration files and create local terrafo terraform init ``` -(OPTIONAL) Alternatively, you can provision an S3 backend prior to this step using the tf-state-backend example and init via the following: +##### remote + +Alternatively, you can provision an S3 backend prior to this step using the tf-state-backend example and init via the following: ```sh -cd tmp/examples/tf-state-backend +#from the ./iac/examples/complete-self-managed-nodegroup directory +pushd ../tf-state-backend + terraform apply export BUCKET_ID=`(terraform output -raw tfstate_bucket_id)` export DYNAMODB_TABLE_NAME=`(terraform output -raw tfstate_dynamodb_table_name)` +export AWS_DEFAULT_REGION=us-east-2 #set to your perferred region + +popd -cd tmp/examples/complete-complete-self-managed-nodegroup -mv backend.example backend.tf -tf init -backend-config="bucket=$BUCKET_ID" \ --backend-config="key=complete-complete-self-managed-nodegroup/terraform.tfstate" \ --backend-config="dynamodb_table=$DYNAMODB_TABLE_NAME" \ --backend-config="region=$AWS_DEFAULT_REGION" +terraform init -backend-config="bucket=$BUCKET_ID" \ + -backend-config="key=complete-self-managed-nodegroup/terraform.tfstate" \ + -backend-config="dynamodb_table=$DYNAMODB_TABLE_NAME" \ + -backend-config="region=$AWS_DEFAULT_REGION" ``` -#### Step 3: Provision VPC and Bastion +#### Step 4: Provision VPC and Bastion ```sh -terraform plan -var-file ../../../terraform.tfvars -target=module.vpc -target=module.bastion -# verify these changes are desired -terraform apply -var-file ../../../terraform.tfvars -target=module.vpc -target=module.bastion -# type yes to confirm or utilize the ```-auto-approve``` flag in the above command +# plan deployment and verify desired outcome +terraform plan -target=module.vpc -target=module.bastion + +# type yes to confirm or utilize the '-auto-approve' flag +terraform apply -target=module.vpc -target=module.bastion ``` -#### Step 4: Connect to the Bastion 
using SSHuttle and Provision the remaining Infrastucture +#### Step 5: Connect to the Bastion using SSHuttle and Provision the remaining Infrastucture Add the following to your ~/.ssh/config to connect to the Bastion via AWS SSM (create config file if it does not exist) @@ -80,7 +119,7 @@ host i-* mi-* Test SSH connection to the Bastion ```sh -#grab bastion instance id from terraform +# grab bastion instance id from terraform export BASTION_INSTANCE_ID=`(terraform output -raw bastion_instance_id)` # replace "my-password" with the variable set if changed from the default expect -c 'spawn ssh ec2-user@$BASTION_INSTANCE_ID ; expect "assword:"; send "my-password\r"; interact' @@ -93,10 +132,10 @@ In a new terminal, open an sshuttle tunnel to the bastion sshuttle --dns -vr ec2-user@$BASTION_INSTANCE_ID 10.200.0.0/16 ``` -Navigate back to the terminal in the complete-complete-self-managed-nodegroup directory and Provision the EKS Cluster +Navigate back to the terminal in the complete-self-managed-nodegroup directory and Provision the EKS Cluster ```sh -terraform apply -var-file ../../../terraform.tfvars +terraform apply -var-file # type yes to confirm or utilize the ```-auto-approve``` flag in the above command ``` 
@@ -107,17 +146,19 @@ Note: In this example we are using a private EKS Cluster endpoint for the contro EKS Cluster details can be extracted from terraform output or from AWS Console to get the name of cluster. This following command used to update the `kubeconfig` in your local machine where you run kubectl commands to interact with your EKS Cluster. -#### Step 5: Run `update-kubeconfig` command +#### Step 6: Run the `aws eks update-kubeconfig` command `~/.kube/config` file gets updated with cluster details and certificate from the below command - aws eks --region update-kubeconfig --name +```bash +aws eks --region $AWS_DEFAULT_REGION update-kubeconfig --name +``` -#### Step 6: List all the worker nodes by running the command below +#### Step 7: List all the worker nodes by running the command below kubectl get nodes -#### Step 7: List all the pods running in `kube-system` namespace +#### Step 8: List all the pods running in `kube-system` namespace kubectl get pods -n kube-system @@ -128,13 +169,13 @@ To clean up your environment, destroy the Terraform modules in reverse order. Destroy the Kubernetes Add-ons / EKS cluster first (requires sshuttle through bastion) ```sh -terraform destroy -var-file ../../../terraform.tfvars -auto-approve -target=module.eks +terraform destroy -auto-approve -target=module.eks ``` Destroy all other resources ```sh -terraform destroy -var-file ../../../terraform.tfvars -auto-approve +terraform destroy -auto-approve ``` ## Requirements From 511c64ae0b9e51c6392041fed7773b258396eeec Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 10:39:20 -0800 Subject: [PATCH 03/88] update env vars --- .../complete-self-managed-nodegroup/terraform.tfvars.example | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/complete-self-managed-nodegroup/terraform.tfvars.example b/examples/complete-self-managed-nodegroup/terraform.tfvars.example index 3c9c8a44..70b8a0a4 100644 
--- a/examples/complete-self-managed-nodegroup/terraform.tfvars.example +++ b/examples/complete-self-managed-nodegroup/terraform.tfvars.example @@ -23,7 +23,7 @@ ################## Bastion Config ######################### bastion_name = "my-bastion" - bastion_ami_id = "ami-04afd6ecf73c0a579" # AWS linux 2 CIS STIG // "ami-000d4884381edb14c" # AWS linux 2 +# bastion_ami_id = "ami-04afd6ecf73c0a579" # AWS linux 2 CIS STIG // "ami-000d4884381edb14c" #AWS linux 2 #optional bastion_ssh_user = "ec2-user" # local user in bastion used to ssh bastion_ssh_password = "my-password" bastion_tenancy = "dedicated" From 6b2eb9b6cea21ea37ac2fb40e339cb8c6087f094 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 10:59:05 -0800 Subject: [PATCH 04/88] unable to iterate over tuple if it doesn't exist --- modules/eks/outputs.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/eks/outputs.tf b/modules/eks/outputs.tf index 51d6e565..11732c02 100644 --- a/modules/eks/outputs.tf +++ b/modules/eks/outputs.tf @@ -56,20 +56,20 @@ output "eks_cluster_certificate_authority_data" { output "aws_iam_role_self_managed_ng_arn" { description = "AWS IAM role self managed node group ARN" - value = aws_iam_role.self_managed_ng[0].arn + value = try(aws_iam_role.self_managed_ng[0].arn, "") } output "aws_iam_instance_profile_self_managed_ng_name" { description = "AWS IAM instance profile self managed node group name" - value = aws_iam_instance_profile.self_managed_ng[0].name + value = try(aws_iam_instance_profile.self_managed_ng[0].name, "") } output "aws_iam_role_managed_ng_arn" { description = "AWS IAM role managed node group ARN" - value = aws_iam_role.managed_ng[0].arn + value = try(aws_iam_role.managed_ng[0].arn, "") } output "aws_iam_instance_profile_managed_ng_name" { description = "AWS IAM instance profile managed node group name" - value = aws_iam_instance_profile.managed_ng[0].name + value = try(aws_iam_instance_profile.managed_ng[0].name, "") } 
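Review bot: Commenting out `bastion_ami_id` silently changes what this example deploys: the line that is now a comment pointed at the Amazon Linux 2 CIS STIG image, while the fallback added in patch 01 resolves a plain Amazon Linux 2 image, so anyone copying the example as-is now gets an unhardened bastion. Make the trade-off explicit on the line itself, e.g. `# bastion_ami_id = "ami-04afd6ecf73c0a579" # AWS linux 2 CIS STIG; leave unset to fall back to the latest plain AL2 AMI (not STIG-hardened)`. Both IDs in the comment are region-specific and the region they belong to is not stated anywhere in the file.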
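Review bot: `try(aws_iam_role.self_managed_ng[0].arn, "")` masks every error in the expression, not only the out-of-range index the commit message describes — a renamed resource or misspelled attribute would silently yield `""` too. The splat form expresses the intent without the catch-all: `value = one(aws_iam_role.self_managed_ng[*].arn)` returns the single ARN, or `null` when the node group was not created. If downstream consumers compare against `""` rather than `null`, keep the `try` but add a comment stating that the empty string is deliberate; the same applies to the other three outputs in this hunk.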
From 9272dcb1658f4fdfcb7bdc070d55fa16f1660eb1 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 10:59:26 -0800 Subject: [PATCH 05/88] default null --- examples/tf-state-backend/variables.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/tf-state-backend/variables.tf b/examples/tf-state-backend/variables.tf index 8e4b80da..80768a04 100644 --- a/examples/tf-state-backend/variables.tf +++ b/examples/tf-state-backend/variables.tf @@ -16,4 +16,5 @@ variable "aws_admin_1_username" { variable "aws_admin_2_username" { description = "AWS username authorized to access S3 Terraform State Backend" type = string + default = "" } From ec7d861fc9640d448858b60c73cc2ff4f4268cf0 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 11:00:05 -0800 Subject: [PATCH 06/88] parameterize instance type --- examples/complete-managed-nodegroup/variables.tf | 12 ++++++++++++ .../complete-self-managed-nodegroup/variables.tf | 16 ++++++++++++++-- 2 files changed, 26 insertions(+), 2 deletions(-) diff --git a/examples/complete-managed-nodegroup/variables.tf b/examples/complete-managed-nodegroup/variables.tf index 339f79cf..bbc4e8d7 100644 --- a/examples/complete-managed-nodegroup/variables.tf +++ b/examples/complete-managed-nodegroup/variables.tf @@ -78,6 +78,12 @@ variable "cluster_endpoint_public_access" { default = false } +variable "instance_type" { + description = "value for the instance type of the EKS worker nodes" + type = string + default = "m5.xlarge" +} + ########################################################### ################## Bastion Config ######################### @@ -87,6 +93,12 @@ variable "bastion_name" { default = "my-bastion" } +variable "bastion_instance_type" { + description = "value for the instance type of the EKS worker nodes" + type = string + default = "m5.xlarge" +} + variable "assign_public_ip" { description = "Whether to assign a public IP to the bastion" type = bool 
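Review bot: A default of `""` for `aws_admin_2_username` does not make the variable optional in practice: examples/tf-state-backend/main.tf (context in patch 07) interpolates it unconditionally into `arn:…:iam::${var.account}:user/${var.aws_admin_2_username}`, so an unset value yields a principal ARN ending in `user/` inside the `cluster_key_admin_arns` list handed to the KMS key policy, which will most likely be rejected as malformed. Drop empty names where the list is built, e.g. wrap it in `compact([...])`, or better, accept a list of usernames — which patch 12 in this series does, superseding this change.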
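Review bot: The description on `bastion_instance_type` is copied from `instance_type` — "value for the instance type of the EKS worker nodes" — but this variable sizes the bastion host, so the README tables generated in patch 11 describe it wrongly; suggest `description = "Instance type for the bastion host"` and, for `instance_type`, `description = "Instance type for the EKS worker nodes"`. The default `"m5.xlarge"` also silently upsizes the bastion from the `"m5.large"` it replaces in patches 09 and 10; a host that only terminates an SSM/sshuttle tunnel should keep the old size as its default, `default = "m5.large"`. The same two declarations, with the same description, appear in examples/complete-self-managed-nodegroup/variables.tf in the next hunk.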
diff --git a/examples/complete-self-managed-nodegroup/variables.tf b/examples/complete-self-managed-nodegroup/variables.tf index dfd3dfff..a97d7695 100644 --- a/examples/complete-self-managed-nodegroup/variables.tf +++ b/examples/complete-self-managed-nodegroup/variables.tf @@ -78,6 +78,12 @@ variable "cluster_endpoint_public_access" { default = false } +variable "instance_type" { + description = "value for the instance type of the EKS worker nodes" + type = string + default = "m5.xlarge" +} + ########################################################### ################## Bastion Config ######################### @@ -87,6 +93,12 @@ variable "bastion_name" { default = "my-bastion" } +variable "bastion_instance_type" { + description = "value for the instance type of the EKS worker nodes" + type = string + default = "m5.xlarge" +} + variable "assign_public_ip" { description = "Whether to assign a public IP to the bastion" type = bool @@ -94,9 +106,9 @@ variable "assign_public_ip" { } variable "bastion_ami_id" { - description = "The AMI ID to use for the bastion" + description = "(Optional) The AMI ID to use for the bastion, will query the latest Amazon Linux 2 AMI if not provided" type = string - default = "ami-000d4884381edb14c" + default = "" } variable "bastion_ssh_user" { From 32532cdea9b1a66e71d6f8286bc2a5b9dd74a0b9 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 11:00:38 -0800 Subject: [PATCH 07/88] refactor --- examples/tf-state-backend/main.tf | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/examples/tf-state-backend/main.tf b/examples/tf-state-backend/main.tf index 3c28b86c..9542326f 100644 --- a/examples/tf-state-backend/main.tf +++ b/examples/tf-state-backend/main.tf 
@@ -5,14 +5,17 @@ provider "aws" { data "aws_partition" "current" {} module "tfstate_backend" { - source = "git::https://github.com/defenseunicorns/iac.git//modules/tfstate-backend?ref=v0.0.0-alpha.2" + source = "git::https://github.com/defenseunicorns/terraform-aws-tfstate-backend" region = var.region bucket_prefix = "my-tfstate-backend" dynamodb_table_name = "my-tfstate-backend-lock" # list of admin's AWS account arn to allow control of KMS keys - cluster_key_admin_arns = ["arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_1_username}", "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_2_username}"] + cluster_key_admin_arns = [ + "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_1_username}", + "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_2_username}" + ] } output "tfstate_bucket_id" { From 4e1d1f9ec34efefbda5552ab7cda473345358ed3 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 11:00:42 -0800 Subject: [PATCH 08/88] add --- examples/tf-state-backend/.terraform.lock.hcl | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 examples/tf-state-backend/.terraform.lock.hcl diff --git a/examples/tf-state-backend/.terraform.lock.hcl b/examples/tf-state-backend/.terraform.lock.hcl new file mode 100644 index 00000000..550b917f --- /dev/null +++ b/examples/tf-state-backend/.terraform.lock.hcl 
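Review bot: The new `source` drops the `?ref=` that the old URL carried, so `terraform init` fetches whatever the default branch of defenseunicorns/terraform-aws-tfstate-backend points at on the day it runs — the module that creates the state bucket and its KMS key is no longer pinned, and two operators can end up applying different code. Pin it to a tag: `source = "git::https://github.com/defenseunicorns/terraform-aws-tfstate-backend.git?ref=0.0.1"`, which is what patch 12 in this series eventually does and should be folded in here. The `output` block that follows the module is cut off by the hunk.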
@@ -0,0 +1,25 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "4.55.0" + constraints = ">= 4.9.0" + hashes = [ + "h1:vSVjfh4GIrca2Z3YPjWMaac5hOEBc1U3xOOwFmo7HZc=", + "zh:0866f25575bad3b9c313cd778c94fc65e79d335af2d20a3480f79d7731d93b7b", + "zh:2c05c16155cbc054622cf83e4b6614fef35935b00b238e4c21ee225e6c896770", + "zh:2efba66649fb12af0492c6cce4e2361fe9139df648734264f61a9a1ef754df53", + "zh:3c60bb53e3b65d7f86699fae0797a55a9aa41b8ba377aaff4daf23d1661393a9", + "zh:41f6dcd90b54b623d523df8fb4a30779cfe22e9ab59516bc05b29291a7af0946", + "zh:4b8330b154e9e2d035dd5488abcac25efec1fa6055d3a70894a8c0384f0579d6", + "zh:595f263706cf1fb6b8447e2ec343638de4360841a15e6bff6ccbb0ff86c7ce74", + "zh:5dfc5b858a43cf45fde5542eb673f6104c14cdc3d73843d1b87a9e44545cbad4", + "zh:7bbe05cf30521f0110603bb84995a4025ce7810626010276600e4b402143df27", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a490e68c63504d3301d6dcb700c95778d93bb2baa6632a46c5a1d62862a7067c", + "zh:c4f9f6659148528375c8a822163925c9aae490ccce2e6301cefbbab009531971", + "zh:ef66070f957408f1c924ddfd5dbd0d34bce16efd9e36ccecbf699de72beb131f", + "zh:f7ba5e3e62a2b51b24e326797a89fdd86bafaea7d1912738d514c9903c14d7f2", + "zh:ffc20b7d9f7bd331fb6451d0fc92c68196383d7115e69380de6566cc268cb9b9", + ] +} From b4bbb2d6cd1f019646806bb7c634f3a01e8909ab Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 11:01:18 -0800 Subject: [PATCH 09/88] parameterize instance type --- examples/complete-self-managed-nodegroup/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/complete-self-managed-nodegroup/main.tf b/examples/complete-self-managed-nodegroup/main.tf index 43d646f7..ddac6c67 100644 --- a/examples/complete-self-managed-nodegroup/main.tf +++ b/examples/complete-self-managed-nodegroup/main.tf 
@@ -53,7 +53,7 @@ module "bastion" { source = "../../modules/bastion" ami_id = coalesce(var.bastion_ami_id, data.aws_ami.amazonlinux2.id) #use var.bastion_ami_id if set, otherwise use the latest Amazon Linux 2 AMI - instance_type = "m5.large" + instance_type = var.bastion_instance_type root_volume_config = { volume_type = "gp3" volume_size = "20" From 8cf40256aaebfa3f7b8adf390b8488ba93d0e87e Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 11:04:15 -0800 Subject: [PATCH 10/88] parameterize instance type --- examples/complete-managed-nodegroup/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/complete-managed-nodegroup/main.tf b/examples/complete-managed-nodegroup/main.tf index 5b9d118e..5605b883 100644 --- a/examples/complete-managed-nodegroup/main.tf +++ b/examples/complete-managed-nodegroup/main.tf @@ -53,7 +53,7 @@ module "bastion" { source = "../../modules/bastion" ami_id = var.bastion_ami_id - instance_type = "m5.large" + instance_type = var.bastion_instance_type root_volume_config = { volume_type = "gp3" volume_size = "20" From 4c287734fc7b3db3875c98349e304508a33f7404 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 11:15:48 -0800 Subject: [PATCH 11/88] update readme --- examples/complete-managed-nodegroup/README.md | 4 +++- examples/complete-self-managed-nodegroup/README.md | 5 ++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/examples/complete-managed-nodegroup/README.md b/examples/complete-managed-nodegroup/README.md index f8342cd6..46eaa02b 100644 --- a/examples/complete-managed-nodegroup/README.md +++ b/examples/complete-managed-nodegroup/README.md 
@@ -176,7 +176,8 @@ No requirements. | [aws\_admin\_1\_username](#input\_aws\_admin\_1\_username) | The AWS admin username to use for deployment | `string` | n/a | yes | | [aws\_admin\_2\_username](#input\_aws\_admin\_2\_username) | The AWS admin username to use for deployment | `string` | n/a | yes | | [aws\_profile](#input\_aws\_profile) | The AWS profile to use for deployment | `string` | n/a | yes | -| [bastion\_ami\_id](#input\_bastion\_ami\_id) | The AMI ID to use for the bastion | `string` | `"ami-000d4884381edb14c"` | no | +| [bastion\_ami\_id](#input\_bastion\_ami\_id) | (Optional) The AMI ID to use for the bastion, will query the latest Amazon Linux 2 AMI if not provided | `string` | `""` | no | +| [bastion\_instance\_type](#input\_bastion\_instance\_type) | value for the instance type of the EKS worker nodes | `string` | `"m5.xlarge"` | no | | [bastion\_name](#input\_bastion\_name) | The name to use for the bastion | `string` | `"my-bastion"` | no | | [bastion\_ssh\_password](#input\_bastion\_ssh\_password) | The SSH password to use for the bastion if SSM authentication is used | `string` | `"my-password"` | no | | [bastion\_ssh\_user](#input\_bastion\_ssh\_user) | The SSH user to use for the bastion | `string` | `"ec2-user"` | no | 
@@ -187,6 +188,7 @@ No requirements. | [create\_database\_subnet\_route\_table](#input\_create\_database\_subnet\_route\_table) | Whether to create a database subnet route table | `bool` | `true` | no | | [eks\_k8s\_version](#input\_eks\_k8s\_version) | The Kubernetes version to use for the EKS cluster | `string` | `"1.23"` | no | | [eks\_worker\_tenancy](#input\_eks\_worker\_tenancy) | The tenancy of the EKS worker nodes | `string` | `"default"` | no | +| [instance\_type](#input\_instance\_type) | value for the instance type of the EKS worker nodes | `string` | `"m5.xlarge"` | no | | [kc\_db\_allocated\_storage](#input\_kc\_db\_allocated\_storage) | The database allocated storage to use for Keycloak | `number` | n/a | yes | | [kc\_db\_engine\_version](#input\_kc\_db\_engine\_version) | The database engine to use for Keycloak | `string` | n/a | yes | | [kc\_db\_family](#input\_kc\_db\_family) | The database family to use for Keycloak | `string` | n/a | yes | diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index a14e3398..db20b2cc 100644 --- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md @@ -203,6 +203,7 @@ No requirements. | Name | Type | |------|------| +| [aws_ami.amazonlinux2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | | [aws_eks_cluster.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | | [aws_eks_cluster_auth.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | 
@@ -216,7 +217,8 @@ No requirements. | [aws\_admin\_1\_username](#input\_aws\_admin\_1\_username) | The AWS admin username to use for deployment | `string` | n/a | yes | | [aws\_admin\_2\_username](#input\_aws\_admin\_2\_username) | The AWS admin username to use for deployment | `string` | n/a | yes | | [aws\_profile](#input\_aws\_profile) | The AWS profile to use for deployment | `string` | n/a | yes | -| [bastion\_ami\_id](#input\_bastion\_ami\_id) | The AMI ID to use for the bastion | `string` | `"ami-000d4884381edb14c"` | no | +| [bastion\_ami\_id](#input\_bastion\_ami\_id) | (Optional) The AMI ID to use for the bastion, will query the latest Amazon Linux 2 AMI if not provided | `string` | `""` | no | +| [bastion\_instance\_type](#input\_bastion\_instance\_type) | value for the instance type of the EKS worker nodes | `string` | `"m5.xlarge"` | no | | [bastion\_name](#input\_bastion\_name) | The name to use for the bastion | `string` | `"my-bastion"` | no | | [bastion\_ssh\_password](#input\_bastion\_ssh\_password) | The SSH password to use for the bastion if SSM authentication is used | `string` | `"my-password"` | no | | [bastion\_ssh\_user](#input\_bastion\_ssh\_user) | The SSH user to use for the bastion | `string` | `"ec2-user"` | no | 
@@ -227,6 +229,7 @@ No requirements. | [create\_database\_subnet\_route\_table](#input\_create\_database\_subnet\_route\_table) | Whether to create a database subnet route table | `bool` | `true` | no | | [eks\_k8s\_version](#input\_eks\_k8s\_version) | The Kubernetes version to use for the EKS cluster | `string` | `"1.23"` | no | | [eks\_worker\_tenancy](#input\_eks\_worker\_tenancy) | The tenancy of the EKS worker nodes | `string` | `"default"` | no | +| [instance\_type](#input\_instance\_type) | value for the instance type of the EKS worker nodes | `string` | `"m5.xlarge"` | no | | [kc\_db\_allocated\_storage](#input\_kc\_db\_allocated\_storage) | The database allocated storage to use for Keycloak | `number` | n/a | yes | | [kc\_db\_engine\_version](#input\_kc\_db\_engine\_version) | The database engine to use for Keycloak | `string` | n/a | yes | | [kc\_db\_family](#input\_kc\_db\_family) | The database family to use for Keycloak | `string` | n/a | yes | From 32f679bfe92227f7186484c89207169276a66831 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 13:34:10 -0800 Subject: [PATCH 12/88] parameterize --- examples/tf-state-backend/main.tf | 13 +++++++------ .../tf-state-backend.tfvars.example | 6 ++++-- examples/tf-state-backend/variables.tf | 18 +++++++++++------- 3 files changed, 22 insertions(+), 15 deletions(-) diff --git a/examples/tf-state-backend/main.tf b/examples/tf-state-backend/main.tf index e0437465..72cc58a6 100644 --- a/examples/tf-state-backend/main.tf +++ b/examples/tf-state-backend/main.tf 
@@ -4,18 +4,19 @@ provider "aws" { data "aws_partition" "current" {} +locals { + admin_arns = [for admin in var.aws_admin_usernames : "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${admin}"] +} + module "tfstate_backend" { source = "git::https://github.com/defenseunicorns/terraform-aws-tfstate-backend.git?ref=0.0.1" region = var.region - bucket_prefix = "my-tfstate-backend" - dynamodb_table_name = "my-tfstate-backend-lock" + bucket_prefix = var.bucket_prefix + dynamodb_table_name = var.dynamodb_table_name # list of admin's AWS account arn to allow control of KMS keys - cluster_key_admin_arns = [ - "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_1_username}", - "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_2_username}" - ] + cluster_key_admin_arns = local.admin_arns } output "tfstate_bucket_id" { diff --git a/examples/tf-state-backend/tf-state-backend.tfvars.example b/examples/tf-state-backend/tf-state-backend.tfvars.example index a98f5848..4c9d6ddb 100644 --- a/examples/tf-state-backend/tf-state-backend.tfvars.example +++ b/examples/tf-state-backend/tf-state-backend.tfvars.example @@ -4,5 +4,7 @@ region = "us-east-2" # target AWS region account = "008675309" # target AWS account - aws_admin_1_username = "Bob.Marley" # enables eks access & ssh access to bastion - aws_admin_2_username = "Jane.Doe" # enables eks access & ssh access to bastion + aws_admin_usernames = [ + "Bob.Marley", + "Jane.Doe" + ] diff --git a/examples/tf-state-backend/variables.tf b/examples/tf-state-backend/variables.tf index 80768a04..499e32fe 100644 --- a/examples/tf-state-backend/variables.tf +++ b/examples/tf-state-backend/variables.tf 
@@ -8,13 +8,17 @@ variable "account" { type = string } -variable "aws_admin_1_username" { - description = "AWS username authorized to access S3 Terraform State Backend" - type = string +variable "aws_admin_usernames" { + description = "A list of one or more AWS usernames authorized to access S3 Terraform State Backend" + type = list(string) } -variable "aws_admin_2_username" { - description = "AWS username authorized to access S3 Terraform State Backend" - type = string - default = "" +variable "bucket_prefix" { + type = string + default = "my-tfstate-backend" +} + +variable "dynamodb_table_name" { + type = string + default = "my-tfstate-backend-lock" } From 72b735f9b782d288aba692d5103516f81a40a037 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 13:34:21 -0800 Subject: [PATCH 13/88] add parameters to example --- examples/tf-state-backend/tf-state-backend.tfvars.example | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/examples/tf-state-backend/tf-state-backend.tfvars.example b/examples/tf-state-backend/tf-state-backend.tfvars.example index 4c9d6ddb..5a39cce1 100644 --- a/examples/tf-state-backend/tf-state-backend.tfvars.example +++ b/examples/tf-state-backend/tf-state-backend.tfvars.example @@ -5,6 +5,8 @@ region = "us-east-2" # target AWS region account = "008675309" # target AWS account aws_admin_usernames = [ - "Bob.Marley", + "Bob.Marley" "Jane.Doe" ] + bucket_prefix = "my-tfstate-backend" + dynamodb_table_name = "my-tfstate-backend-lock" From 5c26e3026f2b9468ef5cb904171979ea99084b71 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 13:36:42 -0800 Subject: [PATCH 14/88] add backend.tf.example --- .gitignore | 2 +- examples/complete-self-managed-nodegroup/README.md | 2 ++ .../complete-self-managed-nodegroup/backend.tf.example | 9 +++++++++ 3 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 examples/complete-self-managed-nodegroup/backend.tf.example 
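Review bot: `aws_admin_usernames` accepts an empty list, and because these names become the `cluster_key_admin_arns` passed to the state-backend module in this commit's main.tf, an empty list most likely produces a KMS key policy with no administrator, which is hard to recover from after apply. A `validation` block rejects that at plan time (below). The two new variables `bucket_prefix` and `dynamodb_table_name` also have no `description`, unlike every other variable in the file; suggest `description = "Prefix for the S3 bucket that stores Terraform state"` and `description = "Name of the DynamoDB table used for state locking"`.
```hcl
variable "aws_admin_usernames" {
  # … unchanged: description, type …

  validation {
    condition     = length(var.aws_admin_usernames) > 0
    error_message = "aws_admin_usernames must contain at least one IAM username."
  }
}
```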
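Review bot: Removing the comma after `"Bob.Marley"` leaves the list as `"Bob.Marley" "Jane.Doe"`, which is not valid HCL — a copy of this example passed via `-var-file` fails to parse with a missing-separator error. Restore it: `  "Bob.Marley",`. The trailing comma on the last element is optional, so the file was valid before this hunk.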
diff --git a/.gitignore b/.gitignore index 882aba25..4b448ef7 100644 --- a/.gitignore +++ b/.gitignore @@ -45,7 +45,7 @@ terraform.rc .terragrunt-cache* # Ignore Terraform state files -backend.* +backend.tf # Ignore Checkov external module downloads .external_modules diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index 8362831c..af287390 100644 --- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md @@ -90,6 +90,8 @@ export AWS_DEFAULT_REGION=us-east-2 #set to your perferred region popd +cp backend.tf.example backend.tf + terraform init -backend-config="bucket=$BUCKET_ID" \ -backend-config="key=complete-self-managed-nodegroup/terraform.tfstate" \ -backend-config="dynamodb_table=$DYNAMODB_TABLE_NAME" \ diff --git a/examples/complete-self-managed-nodegroup/backend.tf.example b/examples/complete-self-managed-nodegroup/backend.tf.example new file mode 100644 index 00000000..6e9833ac --- /dev/null +++ b/examples/complete-self-managed-nodegroup/backend.tf.example @@ -0,0 +1,9 @@ +terraform { + backend "s3" { + region = "" + bucket = "" + key = "" + dynamodb_table = "" + encrypt = "true" + } +} From 5ae1bf78fce47860d1a02eba2065e541e9cfc86c Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 13:36:57 -0800 Subject: [PATCH 15/88] update lockfile thing --- examples/tf-state-backend/.terraform.lock.hcl | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/examples/tf-state-backend/.terraform.lock.hcl b/examples/tf-state-backend/.terraform.lock.hcl index 550b917f..c4e7be59 100644 --- a/examples/tf-state-backend/.terraform.lock.hcl +++ b/examples/tf-state-backend/.terraform.lock.hcl 
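Review bot: `encrypt = "true"` is a string where the S3 backend expects a boolean; Terraform converts it, but `encrypt = true` is the documented form and avoids relying on the conversion. The empty `region`, `bucket`, `key` and `dynamodb_table` values are meant to be filled from the `-backend-config` flags shown in the README hunk above, which is worth stating inside the file so a copied backend.tf is not mistaken for a complete configuration, e.g. `# Values are supplied at init time via -backend-config (see README); the empty strings are placeholders.` The identical file is added under examples/complete-managed-nodegroup in patch 16 and needs the same treatment.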
@@ -2,24 +2,24 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "4.55.0" + version = "4.56.0" constraints = ">= 4.9.0" hashes = [ - "h1:vSVjfh4GIrca2Z3YPjWMaac5hOEBc1U3xOOwFmo7HZc=", - "zh:0866f25575bad3b9c313cd778c94fc65e79d335af2d20a3480f79d7731d93b7b", - "zh:2c05c16155cbc054622cf83e4b6614fef35935b00b238e4c21ee225e6c896770", - "zh:2efba66649fb12af0492c6cce4e2361fe9139df648734264f61a9a1ef754df53", - "zh:3c60bb53e3b65d7f86699fae0797a55a9aa41b8ba377aaff4daf23d1661393a9", - "zh:41f6dcd90b54b623d523df8fb4a30779cfe22e9ab59516bc05b29291a7af0946", - "zh:4b8330b154e9e2d035dd5488abcac25efec1fa6055d3a70894a8c0384f0579d6", - "zh:595f263706cf1fb6b8447e2ec343638de4360841a15e6bff6ccbb0ff86c7ce74", - "zh:5dfc5b858a43cf45fde5542eb673f6104c14cdc3d73843d1b87a9e44545cbad4", - "zh:7bbe05cf30521f0110603bb84995a4025ce7810626010276600e4b402143df27", + "h1:v6DE95Ll2mxE96IGUsT/h6WQTU1d2cfHydWah1FgT20=", + "zh:1d2b7693a102da015a86b9235b554272b9280597011216c3ddd1a6dc95ad8dab", + "zh:28c3e8ebaa077f65c4ac5fd051c95887070293fcff0386dfc2e4b7e248a0aefa", + "zh:2a620bc4a87be06e7acac1bc15e966dba45df643bf6c3efb811e74e6c2122b03", + "zh:30d3ac148fa0634e7ba1de66e1af1328481c92cd774adcfc0e27f828103b17e0", + "zh:3d3eebf916f25e11b12dd3c692f8fe1e4c4e9a0c414af9d0d881ddebd28dcd39", + "zh:3f4600f2881c02fcc69080df68747c9a0b9b11cb002117fd918b7800f2ac402b", + "zh:7156fb12c3b4f2964f7e78cee97f31d95b43045467f90749d2ed545725c36baa", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a490e68c63504d3301d6dcb700c95778d93bb2baa6632a46c5a1d62862a7067c", - "zh:c4f9f6659148528375c8a822163925c9aae490ccce2e6301cefbbab009531971", - "zh:ef66070f957408f1c924ddfd5dbd0d34bce16efd9e36ccecbf699de72beb131f", - "zh:f7ba5e3e62a2b51b24e326797a89fdd86bafaea7d1912738d514c9903c14d7f2", - "zh:ffc20b7d9f7bd331fb6451d0fc92c68196383d7115e69380de6566cc268cb9b9", + "zh:a5bbc84fd37d468c7b016009776b6d2a287bbb746af81aba786cdf8eb5fce4a1", + 
"zh:d5322bcd4e11caddbbfaa1198893824d4b4d28f504517a3a87902cf86d75bd87", + "zh:d766eb9f86a40060d63e12ef674d7c9c47ec4e47ade487f1f49af8c89b441711", + "zh:df23f592b99f6617f09e449009bbb49068a69fc926b15ca29e30b068c9c67365", + "zh:e7b0acee2d98549731547259b539f598e18db07c0c202d3a34b922beff711054", + "zh:ec317f79fdcce934c39458ea312862e7f7ec48cafb8bcc9b5a00d9b78b629d81", + "zh:f78ec7a771867d96dfee96bf74523341ba42feeb64ce2f108b5bf2e7ebef0fef", ] } From b7bfb5e64dc52e23a886196ba15a29045bea9e28 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 13:38:35 -0800 Subject: [PATCH 16/88] add backend.tf.example --- examples/complete-managed-nodegroup/README.md | 3 ++- examples/complete-managed-nodegroup/backend.tf.example | 9 +++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 examples/complete-managed-nodegroup/backend.tf.example diff --git a/examples/complete-managed-nodegroup/README.md b/examples/complete-managed-nodegroup/README.md index 46eaa02b..f2952865 100644 --- a/examples/complete-managed-nodegroup/README.md +++ b/examples/complete-managed-nodegroup/README.md @@ -51,7 +51,8 @@ export BUCKET_ID=`(terraform output -raw tfstate_bucket_id)` export DYNAMODB_TABLE_NAME=`(terraform output -raw tfstate_dynamodb_table_name)` cd tmp/examples/complete-complete-self-managed-nodegroup -mv backend.example backend.tf +cp backend.tf.example backend.tf + tf init -backend-config="bucket=$BUCKET_ID" \ -backend-config="key=complete-complete-self-managed-nodegroup/terraform.tfstate" \ -backend-config="dynamodb_table=$DYNAMODB_TABLE_NAME" \ diff --git a/examples/complete-managed-nodegroup/backend.tf.example b/examples/complete-managed-nodegroup/backend.tf.example new file mode 100644 index 00000000..6e9833ac --- /dev/null +++ b/examples/complete-managed-nodegroup/backend.tf.example @@ -0,0 +1,9 @@ +terraform { + backend "s3" { + region = "" + bucket = "" + key = "" + dynamodb_table = "" + encrypt = "true" + } +} 
From a26795afeb07f461cf51588e3a7391d9a9884c5d Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 14:13:00 -0800 Subject: [PATCH 17/88] DRYify admin username parameters --- examples/complete-managed-nodegroup/main.tf | 25 ++++++++----------- .../terraform.tfvars.example | 4 +-- .../complete-managed-nodegroup/variables.tf | 11 +++----- .../complete-self-managed-nodegroup/main.tf | 22 +++++++--------- .../variables.tf | 12 +++------ 5 files changed, 27 insertions(+), 47 deletions(-) diff --git a/examples/complete-managed-nodegroup/main.tf b/examples/complete-managed-nodegroup/main.tf index 5605b883..aaf6a8bf 100644 --- a/examples/complete-managed-nodegroup/main.tf +++ b/examples/complete-managed-nodegroup/main.tf @@ -16,6 +16,13 @@ locals { Blueprint = "${replace(basename(path.cwd), "_", "-")}" # tag names based on the directory name GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints" } + admin_arns = [for admin_user in var.aws_admin_usernames : "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${admin_user}"] + aws_auth_eks_map_users = [for admin_user in var.aws_admin_usernames : { + userarn = "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${admin_user}" + username = "${admin_user}" + groups = ["system:masters"] + } + ] } ########################################################### 
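Review bot: `username = "${admin_user}"` in the new `aws_auth_eks_map_users` local is a redundant interpolation of a single value; `username = admin_user` is the form `terraform fmt` and `validate` expect. Every name in the list is mapped to `system:masters` here and, in the next hunk, to the cluster KMS key admin list, so a comment above the locals should say so, e.g. `# each name in var.aws_admin_usernames becomes an IAM user ARN granted system:masters on the cluster and admin on the cluster KMS key`. The two locals are duplicated verbatim in complete-self-managed-nodegroup/main.tf in this same patch; a comment in each pointing at its twin would at least reduce silent drift. The `:user/` ARN shape also means IAM roles (for example SSO permission sets) cannot be listed, which is worth stating in the variable description.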
@@ -93,24 +100,12 @@ module "eks" { source_security_group_id = module.bastion.security_group_ids[0] cluster_endpoint_public_access = var.cluster_endpoint_public_access cluster_endpoint_private_access = true - cluster_kms_key_additional_admin_arns = ["arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_1_username}", "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_2_username}"] + cluster_kms_key_additional_admin_arns = local.admin_arns eks_k8s_version = var.eks_k8s_version bastion_role_arn = module.bastion.bastion_role_arn bastion_role_name = module.bastion.bastion_role_name - aws_auth_eks_map_users = [ - { - userarn = "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_1_username}" - username = "${var.aws_admin_1_username}" - groups = ["system:masters"] - }, - { - userarn = "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_2_username}" - username = "${var.aws_admin_2_username}" - groups = ["system:masters"] - } - ] - - enable_managed_nodegroups = true + aws_auth_eks_map_users = local.aws_auth_eks_map_users + enable_managed_nodegroups = true #--------------------------------------------------------------- # EKS Blueprints - Managed Node Groups diff --git a/examples/complete-managed-nodegroup/terraform.tfvars.example b/examples/complete-managed-nodegroup/terraform.tfvars.example index 3c9c8a44..aae29a10 100644 --- a/examples/complete-managed-nodegroup/terraform.tfvars.example +++ b/examples/complete-managed-nodegroup/terraform.tfvars.example 
@@ -9,8 +9,8 @@ region2 = "us-east-1" # RDS backup target AWS region account = "100008675309" # target AWS account aws_profile = "du-dev" # local AWS profile to be used for deployment - aws_admin_1_username = "Bob.Marley" # enables eks access & ssh access to bastion - aws_admin_2_username = "Jane.Doe" # enables eks access & ssh access to bastion + aws_admin_usernames = ["Bob.Marley","Jane.Doe"] # list of users to be added to the AWS admin group + ########################################################### #################### VPC Config ########################### diff --git a/examples/complete-managed-nodegroup/variables.tf b/examples/complete-managed-nodegroup/variables.tf index bbc4e8d7..ad7fb891 100644 --- a/examples/complete-managed-nodegroup/variables.tf +++ b/examples/complete-managed-nodegroup/variables.tf @@ -21,14 +21,9 @@ variable "aws_profile" { type = string } -variable "aws_admin_1_username" { - description = "The AWS admin username to use for deployment" - type = string -} - -variable "aws_admin_2_username" { - description = "The AWS admin username to use for deployment" - type = string +variable "aws_admin_usernames" { + description = "A list of one or more AWS usernames authorized to access S3 Terraform State Backend" + type = list(string) } ########################################################### diff --git a/examples/complete-self-managed-nodegroup/main.tf b/examples/complete-self-managed-nodegroup/main.tf index ddac6c67..f6ec23f9 100644 --- a/examples/complete-self-managed-nodegroup/main.tf +++ b/examples/complete-self-managed-nodegroup/main.tf 
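Review bot: The new inline comment `# list of users to be added to the AWS admin group` does not describe what the value does: the names are turned into IAM user ARNs that receive `system:masters` on the cluster and admin rights on the cluster KMS key, and nothing in this series touches an IAM group. Suggest `# IAM user names granted EKS system:masters and cluster KMS key admin`. The same comment is added to the self-managed tfvars example in PATCH 19.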
@@ -5,6 +5,13 @@ locals { Blueprint = "${replace(basename(path.cwd), "_", "-")}" # tag names based on the directory name GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints" } + admin_arns = [for admin_user in var.aws_admin_usernames : "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${admin_user}"] + aws_auth_eks_map_users = [for admin_user in var.aws_admin_usernames : { + userarn = "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${admin_user}" + username = "${admin_user}" + groups = ["system:masters"] + } + ] } data "aws_ami" "amazonlinux2" { @@ -93,22 +100,11 @@ module "eks" { source_security_group_id = module.bastion.security_group_ids[0] cluster_endpoint_public_access = var.cluster_endpoint_public_access cluster_endpoint_private_access = true - cluster_kms_key_additional_admin_arns = ["arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_1_username}", "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_2_username}"] + cluster_kms_key_additional_admin_arns = local.admin_arns eks_k8s_version = var.eks_k8s_version bastion_role_arn = module.bastion.bastion_role_arn bastion_role_name = module.bastion.bastion_role_name - aws_auth_eks_map_users = [ - { - userarn = "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_1_username}" - username = "${var.aws_admin_1_username}" - groups = ["system:masters"] - }, - { - userarn = "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_2_username}" - username = "${var.aws_admin_2_username}" - groups = ["system:masters"] - } - ] + aws_auth_eks_map_users = local.aws_auth_eks_map_users enable_managed_nodegroups = false diff --git a/examples/complete-self-managed-nodegroup/variables.tf b/examples/complete-self-managed-nodegroup/variables.tf index a97d7695..e131249a 100644 --- a/examples/complete-self-managed-nodegroup/variables.tf 
+++ b/examples/complete-self-managed-nodegroup/variables.tf @@ -21,16 +21,10 @@ variable "aws_profile" { type = string } -variable "aws_admin_1_username" { - description = "The AWS admin username to use for deployment" - type = string +variable "aws_admin_usernames" { + description = "A list of one or more AWS usernames authorized to access S3 Terraform State Backend" + type = list(string) } - -variable "aws_admin_2_username" { - description = "The AWS admin username to use for deployment" - type = string -} - ########################################################### #################### VPC Config ########################### From dbcc5bf6ab9d2a3f9a730d5a53c6eb32f14eed7a Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 14:20:55 -0800 Subject: [PATCH 18/88] update variables --- examples/complete-managed-nodegroup/README.md | 3 +-- examples/complete-managed-nodegroup/variables.tf | 2 +- examples/complete-self-managed-nodegroup/README.md | 3 +-- examples/complete-self-managed-nodegroup/variables.tf | 2 +- examples/tf-state-backend/variables.tf | 2 +- 5 files changed, 5 insertions(+), 7 deletions(-) diff --git a/examples/complete-managed-nodegroup/README.md b/examples/complete-managed-nodegroup/README.md index f2952865..1d53ab21 100644 --- a/examples/complete-managed-nodegroup/README.md +++ b/examples/complete-managed-nodegroup/README.md 
@@ -174,8 +174,7 @@ No requirements. |------|-------------|------|---------|:--------:| | [account](#input\_account) | The AWS account to deploy into | `string` | n/a | yes | | [assign\_public\_ip](#input\_assign\_public\_ip) | Whether to assign a public IP to the bastion | `bool` | `false` | no | -| [aws\_admin\_1\_username](#input\_aws\_admin\_1\_username) | The AWS admin username to use for deployment | `string` | n/a | yes | -| [aws\_admin\_2\_username](#input\_aws\_admin\_2\_username) | The AWS admin username to use for deployment | `string` | n/a | yes | +| [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with authorized access to KMS and EKS resources | `list(string)` | n/a | yes | | [aws\_profile](#input\_aws\_profile) | The AWS profile to use for deployment | `string` | n/a | yes | | [bastion\_ami\_id](#input\_bastion\_ami\_id) | (Optional) The AMI ID to use for the bastion, will query the latest Amazon Linux 2 AMI if not provided | `string` | `""` | no | | [bastion\_instance\_type](#input\_bastion\_instance\_type) | value for the instance type of the EKS worker nodes | `string` | `"m5.xlarge"` | no | diff --git a/examples/complete-managed-nodegroup/variables.tf b/examples/complete-managed-nodegroup/variables.tf index ad7fb891..d7b22ef6 100644 --- a/examples/complete-managed-nodegroup/variables.tf +++ b/examples/complete-managed-nodegroup/variables.tf @@ -22,7 +22,7 @@ variable "aws_profile" { } variable "aws_admin_usernames" { - description = "A list of one or more AWS usernames authorized to access S3 Terraform State Backend" + description = "A list of one or more AWS usernames with authorized access to KMS and EKS resources" type = list(string) } diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index af287390..4b669dcc 100644 --- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md 
@@ -216,8 +216,7 @@ No requirements. |------|-------------|------|---------|:--------:| | [account](#input\_account) | The AWS account to deploy into | `string` | n/a | yes | | [assign\_public\_ip](#input\_assign\_public\_ip) | Whether to assign a public IP to the bastion | `bool` | `false` | no | -| [aws\_admin\_1\_username](#input\_aws\_admin\_1\_username) | The AWS admin username to use for deployment | `string` | n/a | yes | -| [aws\_admin\_2\_username](#input\_aws\_admin\_2\_username) | The AWS admin username to use for deployment | `string` | n/a | yes | +| [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with authorized access to KMS and EKS resources | `list(string)` | n/a | yes | | [aws\_profile](#input\_aws\_profile) | The AWS profile to use for deployment | `string` | n/a | yes | | [bastion\_ami\_id](#input\_bastion\_ami\_id) | (Optional) The AMI ID to use for the bastion, will query the latest Amazon Linux 2 AMI if not provided | `string` | `""` | no | | [bastion\_instance\_type](#input\_bastion\_instance\_type) | value for the instance type of the EKS worker nodes | `string` | `"m5.xlarge"` | no | diff --git a/examples/complete-self-managed-nodegroup/variables.tf b/examples/complete-self-managed-nodegroup/variables.tf index e131249a..4da8ceb9 100644 --- a/examples/complete-self-managed-nodegroup/variables.tf +++ b/examples/complete-self-managed-nodegroup/variables.tf @@ -22,7 +22,7 @@ variable "aws_profile" { } variable "aws_admin_usernames" { - description = "A list of one or more AWS usernames authorized to access S3 Terraform State Backend" + description = "A list of one or more AWS usernames with authorized access to KMS and EKS resources" type = list(string) } ########################################################### diff --git a/examples/tf-state-backend/variables.tf b/examples/tf-state-backend/variables.tf index 499e32fe..7bcaa451 100644 --- a/examples/tf-state-backend/variables.tf 
+++ b/examples/tf-state-backend/variables.tf @@ -9,7 +9,7 @@ variable "account" { } variable "aws_admin_usernames" { - description = "A list of one or more AWS usernames authorized to access S3 Terraform State Backend" + description = "A list of one or more AWS usernames with authorized access to KMS and EKS resources" type = list(string) } From 7ee515137c408bee1de7c425d267ad9c1e7181da Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 14:22:45 -0800 Subject: [PATCH 19/88] DRYify input vars --- .../complete-self-managed-nodegroup/terraform.tfvars.example | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/examples/complete-self-managed-nodegroup/terraform.tfvars.example b/examples/complete-self-managed-nodegroup/terraform.tfvars.example index 70b8a0a4..6c4b49cb 100644 --- a/examples/complete-self-managed-nodegroup/terraform.tfvars.example +++ b/examples/complete-self-managed-nodegroup/terraform.tfvars.example @@ -9,8 +9,7 @@ region2 = "us-east-1" # RDS backup target AWS region account = "100008675309" # target AWS account aws_profile = "du-dev" # local AWS profile to be used for deployment - aws_admin_1_username = "Bob.Marley" # enables eks access & ssh access to bastion - aws_admin_2_username = "Jane.Doe" # enables eks access & ssh access to bastion + aws_admin_usernames = ["Bob.Marley","Jane.Doe"] # list of users to be added to the AWS admin group ########################################################### #################### VPC Config ########################### From 10cea7fac002dc085ce5514967ff1c896f373db3 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 14:56:44 -0800 Subject: [PATCH 20/88] add -foce-copy --- examples/complete-self-managed-nodegroup/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index 4b669dcc..585f2c33 100644 
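Review bot: The description `A list of one or more AWS usernames with authorized access to KMS and EKS resources` is copied into `examples/tf-state-backend/variables.tf`, where the previous wording about S3 Terraform State Backend access was the accurate one; nothing on this page shows the tf-state-backend example creating EKS resources. Keep the old line here, `description = "A list of one or more AWS usernames authorized to access S3 Terraform State Backend"`, and reserve the KMS/EKS wording for the two nodegroup examples changed in the same patch.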
--- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md @@ -92,7 +92,8 @@ popd cp backend.tf.example backend.tf -terraform init -backend-config="bucket=$BUCKET_ID" \ +#copy init and copy state if it exists +terraform init -force-copy -backend-config="bucket=$BUCKET_ID" \ -backend-config="key=complete-self-managed-nodegroup/terraform.tfstate" \ -backend-config="dynamodb_table=$DYNAMODB_TABLE_NAME" \ -backend-config="region=$AWS_DEFAULT_REGION" From 97b0edee27eb403d311127630bfd8dbae701c765 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Tue, 28 Feb 2023 09:37:45 -0800 Subject: [PATCH 21/88] Remove variable, do not need defaults at the moment --- examples/complete-managed-nodegroup/variables.tf | 6 ------ examples/complete-self-managed-nodegroup/main.tf | 2 +- examples/complete-self-managed-nodegroup/variables.tf | 6 ------ 3 files changed, 1 insertion(+), 13 deletions(-) diff --git a/examples/complete-managed-nodegroup/variables.tf b/examples/complete-managed-nodegroup/variables.tf index d7b22ef6..e0e29cb9 100644 --- a/examples/complete-managed-nodegroup/variables.tf +++ b/examples/complete-managed-nodegroup/variables.tf @@ -73,12 +73,6 @@ variable "cluster_endpoint_public_access" { default = false } -variable "instance_type" { - description = "value for the instance type of the EKS worker nodes" - type = string - default = "m5.xlarge" -} - ########################################################### ################## Bastion Config ######################### diff --git a/examples/complete-self-managed-nodegroup/main.tf b/examples/complete-self-managed-nodegroup/main.tf index f6ec23f9..cd02e433 100644 --- a/examples/complete-self-managed-nodegroup/main.tf +++ b/examples/complete-self-managed-nodegroup/main.tf @@ -169,7 +169,7 @@ module "eks" { } ] - instance_type = var.instance_type + instance_type = "m5.xlarge" desired_size = 3 max_size = 10 min_size = 3 
diff --git a/examples/complete-self-managed-nodegroup/variables.tf b/examples/complete-self-managed-nodegroup/variables.tf index 4da8ceb9..e698daaa 100644 --- a/examples/complete-self-managed-nodegroup/variables.tf +++ b/examples/complete-self-managed-nodegroup/variables.tf @@ -72,12 +72,6 @@ variable "cluster_endpoint_public_access" { default = false } -variable "instance_type" { - description = "value for the instance type of the EKS worker nodes" - type = string - default = "m5.xlarge" -} - ########################################################### ################## Bastion Config ######################### From c8e2dbdd9b1645509ed12f7097298d4d08be109c Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Tue, 28 Feb 2023 10:00:04 -0800 Subject: [PATCH 22/88] added cluster_name --- examples/complete-self-managed-nodegroup/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index 585f2c33..ed9b4f65 100644 --- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md @@ -154,7 +154,8 @@ This following command used to update the `kubeconfig` in your local machine whe `~/.kube/config` file gets updated with cluster details and certificate from the below command ```bash -aws eks --region $AWS_DEFAULT_REGION update-kubeconfig --name +CLUSTER_NAME=$(grep 'cluster_name' terraform.tfvars | cut -d'=' -f2 | tr -d '[:space:]' | sed 's/"//g') +aws eks --region $AWS_DEFAULT_REGION update-kubeconfig --name $CLUSTER_NAME ``` #### Step 7: List all the worker nodes by running the command below From 87b6062c25ae3f343d49c9dd6081a3593347470e Mon Sep 17 00:00:00 2001 
From: Zack Annexstein Date: Tue, 28 Feb 2023 10:35:43 -0800 Subject: [PATCH 23/88] update readmes --- examples/complete-managed-nodegroup/README.md | 1 - examples/complete-self-managed-nodegroup/README.md | 3 +-- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/examples/complete-managed-nodegroup/README.md b/examples/complete-managed-nodegroup/README.md index 1d53ab21..820ff7f4 100644 --- a/examples/complete-managed-nodegroup/README.md +++ b/examples/complete-managed-nodegroup/README.md @@ -188,7 +188,6 @@ No requirements. | [create\_database\_subnet\_route\_table](#input\_create\_database\_subnet\_route\_table) | Whether to create a database subnet route table | `bool` | `true` | no | | [eks\_k8s\_version](#input\_eks\_k8s\_version) | The Kubernetes version to use for the EKS cluster | `string` | `"1.23"` | no | | [eks\_worker\_tenancy](#input\_eks\_worker\_tenancy) | The tenancy of the EKS worker nodes | `string` | `"default"` | no | -| [instance\_type](#input\_instance\_type) | value for the instance type of the EKS worker nodes | `string` | `"m5.xlarge"` | no | | [kc\_db\_allocated\_storage](#input\_kc\_db\_allocated\_storage) | The database allocated storage to use for Keycloak | `number` | n/a | yes | | [kc\_db\_engine\_version](#input\_kc\_db\_engine\_version) | The database engine to use for Keycloak | `string` | n/a | yes | | [kc\_db\_family](#input\_kc\_db\_family) | The database family to use for Keycloak | `string` | n/a | yes | diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index ed9b4f65..c5810026 100644 --- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md 
@@ -86,7 +86,7 @@ pushd ../tf-state-backend terraform apply export BUCKET_ID=`(terraform output -raw tfstate_bucket_id)` export DYNAMODB_TABLE_NAME=`(terraform output -raw tfstate_dynamodb_table_name)` -export AWS_DEFAULT_REGION=us-east-2 #set to your perferred region +export AWS_DEFAULT_REGION=$(grep 'region' terraform.tfvars | grep -v 'region2' |cut -d'=' -f2 | cut -d'#' -f1 | tr -d '[:space:]' | sed 's/"//g') popd @@ -232,7 +232,6 @@ No requirements. | [create\_database\_subnet\_route\_table](#input\_create\_database\_subnet\_route\_table) | Whether to create a database subnet route table | `bool` | `true` | no | | [eks\_k8s\_version](#input\_eks\_k8s\_version) | The Kubernetes version to use for the EKS cluster | `string` | `"1.23"` | no | | [eks\_worker\_tenancy](#input\_eks\_worker\_tenancy) | The tenancy of the EKS worker nodes | `string` | `"default"` | no | -| [instance\_type](#input\_instance\_type) | value for the instance type of the EKS worker nodes | `string` | `"m5.xlarge"` | no | | [kc\_db\_allocated\_storage](#input\_kc\_db\_allocated\_storage) | The database allocated storage to use for Keycloak | `number` | n/a | yes | | [kc\_db\_engine\_version](#input\_kc\_db\_engine\_version) | The database engine to use for Keycloak | `string` | n/a | yes | | [kc\_db\_family](#input\_kc\_db\_family) | The database family to use for Keycloak | `string` | n/a | yes | From 0edbd560e8000ba0e41942a7f611bad84ffec161 Mon Sep 17 00:00:00 2001 From: jase koonce Date: Tue, 28 Feb 2023 14:00:42 -0500 Subject: [PATCH 24/88] updating self-managed/managed readmes Signed-off-by: jase koonce --- README.md | 2 +- examples/complete-managed-nodegroup/README.md | 2 +- examples/complete-self-managed-nodegroup/README.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index f08151ae..235c17b8 100644 --- a/README.md +++ b/README.md 
@@ -1,3 +1,3 @@ # Infrastructure-as-Code -This repository is a collection of Terraform modules designed to help you quickly and easily build robust, scalable infrastructure. Each module represents a best-practice, opinionated design for a specific piece of infrastructure, such as an EKS cluster, load balancer, database or S3 bucket needed to satisfy [Big Bang](https://docs-bigbang.dso.mil/) dependencies. By using these modules, you can take advantage of the experience and insights of the module authors, who have spent countless hours testing and refining the designs to ensure their reliability and efficiency. In addition, the versioning of these modules allows you to track and manage changes to your infrastructure with confidence. Whether you are a seasoned infrastructure engineer or new to the field, these modules are an invaluable tool for building and maintaining your infrastructure. +This repository is a collection of Terraform modules designed to help you quickly and easily build robust, scalable infrastructure. Each module represents a best-practice, opinionated design for a specific piece of infrastructure, such as an EKS cluster, load balancer, database or S3 bucket needed to satisfy [Big Bang](https://docs-bigbang.dso.mil/) dependencies. At the example level, both an option for Self-Managed and Managed node groups are included. Depending on which type of node group you are using be sure to run terraform from inside the corresponding example. By using these modules, you can take advantage of the experience and insights of the module authors, who have spent countless hours testing and refining the designs to ensure their reliability and efficiency. In addition, the versioning of these modules allows you to track and manage changes to your infrastructure with confidence. Whether you are a seasoned infrastructure engineer or new to the field, these modules are an invaluable tool for building and maintaining your infrastructure. 
diff --git a/examples/complete-managed-nodegroup/README.md b/examples/complete-managed-nodegroup/README.md index 820ff7f4..7a392a23 100644 --- a/examples/complete-managed-nodegroup/README.md +++ b/examples/complete-managed-nodegroup/README.md @@ -1,6 +1,6 @@ # EKS Cluster Deployment with new VPC & Big Bang Dependencies -This example deploys the following Basic EKS Cluster with VPC +This example deploys the following Basic Managed EKS Cluster with VPC - Creates a new sample VPC, 3 Private Subnets and 3 Public Subnets - Creates Internet gateway for Public Subnets and NAT Gateway for Private Subnets diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index c5810026..b4e9b396 100644 --- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md @@ -1,6 +1,6 @@ # EKS Cluster Deployment with new VPC & Big Bang Dependencies -This example deploys the following Basic EKS Cluster with VPC +This example deploys the following Basic Self-Managed EKS Cluster with VPC - Creates a new sample VPC, 3 Private Subnets and 3 Public Subnets - Creates Internet gateway for Public Subnets and NAT Gateway for Private Subnets From 6e5df2ea7ec5092524dd842af984534ee95a1935 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Tue, 28 Feb 2023 14:43:13 -0800 Subject: [PATCH 25/88] fix some pah and var logic --- examples/zarf-complete-example/Makefile | 8 ++--- examples/zarf-complete-example/zarf.yaml | 45 ++++++++++++------------ 2 files changed, 27 insertions(+), 26 deletions(-) diff --git a/examples/zarf-complete-example/Makefile b/examples/zarf-complete-example/Makefile index e11bbe70..8ee56360 100755 --- a/examples/zarf-complete-example/Makefile +++ b/examples/zarf-complete-example/Makefile 
@@ -1,6 +1,6 @@ # The version of Zarf to use. To keep this repo as portable as possible the Zarf binary will be downloaded and added to # the build folder. -ZARF_VERSION := v0.23.4-40-g929bc645 +ZARF_VERSION := v0.24.2 # Figure out which Zarf binary we should use based on the operating system we are on ZARF_BIN := zarf @@ -34,10 +34,10 @@ else endif # Set terraform version -TF_VERSION := 1.3.6 +TF_VERSION := 1.3.9 # Terraform environment directory -TF_ENV_DIR := "../complete-example" -TF_ENV := "complete-example" +TF_ENV_DIR := "../complete-self-managed-nodegroup" +TF_ENV := "complete-self-managed-nodegroup" TF_ENV_STATE_DIR := "../tf-state-backend" TF_ENV_STATE := "tf-state-backend" # Terraform modules directory diff --git a/examples/zarf-complete-example/zarf.yaml b/examples/zarf-complete-example/zarf.yaml index 83cdde28..9ee0ab36 100644 --- a/examples/zarf-complete-example/zarf.yaml +++ b/examples/zarf-complete-example/zarf.yaml @@ -16,11 +16,8 @@ variables: - name: AWS_PROFILE description: "local AWS profile to be used for deployment" prompt: true - - name: AWS_ADMIN_1_USERNAME - description: "AWS username for admin, ex. Bob.Marley" - prompt: true - - name: AWS_ADMIN_2_USERNAME - description: "AWS username for additional admin, ex. Jane.Doe" + - name: AWS_ADMIN_USERNAMES + description: "AWS username for admin, ex. Bob.Marley, ENTER AS A LIST ex [\"Bob.Marley\",\"Jane.Doe\"]" prompt: true - name: VPC_CIDR default: "10.200.0.0/16" @@ -29,7 +26,7 @@ variables: - name: CLUSTER_NAME default: "my-eks" - name: EKS_K8S_VERSION - default: "1.23" + default: "1.24" - name: BASTION_NAME default: "my-bastion" - name: BASTION_SSH_USER @@ -38,8 +35,8 @@ variables: - name: BASTION_SSH_PASSWORD description: "Bastion password for ssh" prompt: true - - name: BASTION_AMI_ID - default: "ami-000d4884381edb14c" + # - name: BASTION_AMI_ID + # default: "ami-000d4884381edb14c" - name: KEYCLOAK_ENABLED default: "true" - name: KEYCLOAK_DB_PASSWORD 
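Review bot: The `EKS_K8S_VERSION` default moves to `"1.24"` in zarf.yaml while the README input tables for both examples on this page still show `eks_k8s_version` defaulting to `"1.23"`, so the Zarf path and the plain Terraform path would deploy different Kubernetes versions unless the tfvars override it. Either align the two defaults or add a `description:` on the Zarf variable stating that it intentionally tracks a newer release.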
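Review bot: The `BASTION_AMI_ID` entry is left as two commented-out YAML lines rather than removed; the README tables on this page now document `bastion_ami_id` as optional with an AMI lookup fallback, so the dead block only invites someone to re-enable a stale AMI id. Delete the two lines, or if the override is meant to stay available, keep it as a real variable with an empty default and a `description:` saying it overrides the Amazon Linux 2 lookup.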
@@ -52,13 +49,14 @@ variables: - name: KC_DB_MAJOR_ENGINE_VERSION default: "14" - name: KC_DB_ALLOCATED_STORAGE - default: 20.0 + default: 20 - name: KC_DB_MAX_ALLOCATED_STORAGE - default: 100.0 + default: 100 - name: KC_DB_INSTANCE_CLASS default: "db.t4g.large" + # used in bastion userdata to download zarf binary - name: ZARF_VERSION - default: "v0.24.0-rc4" + default: "v0.24.2" components: - name: download-dependencies @@ -74,7 +72,7 @@ components: # - "./zarf tools archiver decompress tmp/awscliv2.zip ." # - "rm -rf tmp/" files: - # terraform binary + # terraform binary into zarf package - source: https://releases.hashicorp.com/terraform/###ZARF_PKG_VAR_TF_VERSION###/terraform_###ZARF_PKG_VAR_TF_VERSION###_###ZARF_PKG_VAR_ARCH_NAME###_###ZARF_PKG_VAR_ARCH_PROC###.zip target: tmp/terraform_###ZARF_PKG_VAR_TF_VERSION###_###ZARF_PKG_VAR_ARCH_NAME###_###ZARF_PKG_VAR_ARCH_PROC###.zip # aws cli binary @@ -90,9 +88,11 @@ components: maxTotalSeconds: 300 maxRetries: 3 before: + #just used to build the .terraform folder and modules for airgapping - cmd: "terraform init -backend=false" dir: "###ZARF_PKG_VAR_TF_ENV_DIR###" - - cmd: "terraform init" + #just used to build the .terraform folder and modules for airgapping + - cmd: "terraform init -backend=false" dir: "###ZARF_PKG_VAR_TF_ENV_STATE_DIR###" files: - source: "###ZARF_PKG_VAR_TF_ENV_DIR###" @@ -102,13 +102,14 @@ components: - source: "###ZARF_PKG_VAR_TF_MODULES_DIR###" target: "tmp/modules" + # one-time backend configuraion module for s3 - name: terraform-s3-bucket actions: onDeploy: defaults: maxTotalSeconds: 300 maxRetries: 3 - dir: "tmp/###ZARF_PKG_VAR_TF_ENV_STATE###" + dir: "tmp/examples/###ZARF_PKG_VAR_TF_ENV_STATE###" before: - cmd: "terraform apply -auto-approve" - cmd: "terraform output -raw tfstate_bucket_id" 
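Review bot: The new comment `# one-time backend configuraion module for s3` has a typo; `# one-time backend configuration module for s3`. In the hunk just above it, the identical comment `#just used to build the .terraform folder and modules for airgapping` is added twice back to back; one comment covering both `terraform init -backend=false` steps reads better and is one less line to keep in sync.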
@@ -122,7 +123,7 @@ components: onDeploy: defaults: maxRetries: 3 - dir: tmp/###ZARF_PKG_VAR_TF_ENV### + dir: tmp/examples/###ZARF_PKG_VAR_TF_ENV### before: - cmd: terraform init -backend-config="bucket=$ZARF_VAR_BUCKET_ID" -backend-config="key=###ZARF_PKG_VAR_TF_ENV###/terraform.tfstate" -backend-config="dynamodb_table=$ZARF_VAR_DYNAMODB_TABLE_NAME" -backend-config="region=$ZARF_VAR_REGION" - cmd: "terraform apply -target=module.vpc -target=module.bastion -auto-approve" @@ -138,21 +139,21 @@ components: defaults: maxTotalSeconds: 300 maxRetries: 3 - dir: "tmp/###ZARF_PKG_VAR_TF_ENV_STATE###" + dir: "tmp/examples/###ZARF_PKG_VAR_TF_ENV_STATE###" before: - cmd: "terraform output -raw tfstate_bucket_id" setVariable: BUCKET_ID - cmd: "terraform output -raw tfstate_dynamodb_table_name" setVariable: DYNAMODB_TABLE_NAME - cmd: terraform init -backend-config="bucket=$ZARF_VAR_BUCKET_ID" -backend-config="key=###ZARF_PKG_VAR_TF_ENV###/terraform.tfstate" -backend-config="dynamodb_table=$ZARF_VAR_DYNAMODB_TABLE_NAME" -backend-config="region=$ZARF_VAR_REGION" - dir: tmp/###ZARF_PKG_VAR_TF_ENV### + dir: tmp/examples/###ZARF_PKG_VAR_TF_ENV### - name: terraform-apply-eks actions: onDeploy: defaults: maxRetries: 3 - dir: tmp/###ZARF_PKG_VAR_TF_ENV### + dir: tmp/examples/###ZARF_PKG_VAR_TF_ENV### before: - cmd: "terraform apply -target=module.eks -auto-approve" @@ -161,7 +162,7 @@ components: onDeploy: defaults: maxRetries: 3 - dir: tmp/###ZARF_PKG_VAR_TF_ENV### + dir: tmp/examples/###ZARF_PKG_VAR_TF_ENV### before: - cmd: terraform init -backend-config="bucket=$ZARF_VAR_BUCKET_ID" -backend-config="key=###ZARF_PKG_VAR_TF_ENV###/terraform.tfstate" -backend-config="dynamodb_table=$ZARF_VAR_DYNAMODB_TABLE_NAME" -backend-config="region=$ZARF_VAR_REGION" - cmd: "terraform apply -target=module.flux_sops -target=module.loki_s3_bucket -target=module.rds_postgres_keycloak -auto-approve" 
@@ -171,7 +172,7 @@ components: onDeploy: defaults: maxRetries: 3 - dir: tmp/###ZARF_PKG_VAR_TF_ENV### + dir: tmp/examples/###ZARF_PKG_VAR_TF_ENV### before: - cmd: terraform init -backend-config="bucket=$ZARF_VAR_BUCKET_ID" -backend-config="key=###ZARF_PKG_VAR_TF_ENV###/terraform.tfstate" -backend-config="dynamodb_table=$ZARF_VAR_DYNAMODB_TABLE_NAME" -backend-config="region=$ZARF_VAR_REGION" - cmd: "terraform apply -destroy -target=module.rds_postgres_keycloak -target=module.loki_s3_bucket -target=module.flux_sops -auto-approve" @@ -181,7 +182,7 @@ components: onDeploy: defaults: maxRetries: 3 - dir: tmp/###ZARF_PKG_VAR_TF_ENV### + dir: tmp/examples/###ZARF_PKG_VAR_TF_ENV### before: - cmd: terraform init -backend-config="bucket=$ZARF_VAR_BUCKET_ID" -backend-config="key=###ZARF_PKG_VAR_TF_ENV###/terraform.tfstate" -backend-config="dynamodb_table=$ZARF_VAR_DYNAMODB_TABLE_NAME" -backend-config="region=$ZARF_VAR_REGION" - cmd: "terraform apply -destroy -target=module.eks -auto-approve" @@ -191,7 +192,7 @@ components: onDeploy: defaults: maxRetries: 3 - dir: tmp/###ZARF_PKG_VAR_TF_ENV### + dir: tmp/examples/###ZARF_PKG_VAR_TF_ENV### before: - cmd: terraform init -backend-config="bucket=$ZARF_VAR_BUCKET_ID" -backend-config="key=###ZARF_PKG_VAR_TF_ENV###/terraform.tfstate" -backend-config="dynamodb_table=$ZARF_VAR_DYNAMODB_TABLE_NAME" -backend-config="region=$ZARF_VAR_REGION" - cmd: "terraform apply -destroy -auto-approve" From 158b102afa52b35e1b15310550d565cf8b8d058a Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Tue, 28 Feb 2023 14:45:52 -0800 Subject: [PATCH 26/88] update readme --- examples/complete-self-managed-nodegroup/README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index c5810026..7726e414 100644 --- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md 
@@ -86,13 +86,15 @@ pushd ../tf-state-backend terraform apply export BUCKET_ID=`(terraform output -raw tfstate_bucket_id)` export DYNAMODB_TABLE_NAME=`(terraform output -raw tfstate_dynamodb_table_name)` -export AWS_DEFAULT_REGION=$(grep 'region' terraform.tfvars | grep -v 'region2' |cut -d'=' -f2 | cut -d'#' -f1 | tr -d '[:space:]' | sed 's/"//g') popd +export AWS_DEFAULT_REGION=$(grep 'region' terraform.tfvars | grep -v 'region2' |cut -d'=' -f2 | cut -d'#' -f1 | tr -d '[:space:]' | sed 's/"//g') + +#make backend file cp backend.tf.example backend.tf -#copy init and copy state if it exists +#init and copy state if it exists terraform init -force-copy -backend-config="bucket=$BUCKET_ID" \ -backend-config="key=complete-self-managed-nodegroup/terraform.tfstate" \ -backend-config="dynamodb_table=$DYNAMODB_TABLE_NAME" \ From 675975c0d27d7b3553d7d61d8bed3be1323c67ca Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Tue, 28 Feb 2023 14:46:09 -0800 Subject: [PATCH 27/88] ignore build dir --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index 4b448ef7..80505fcf 100644 --- a/.gitignore +++ b/.gitignore @@ -49,3 +49,5 @@ backend.tf # Ignore Checkov external module downloads .external_modules + +examples/zarf-complete-example/build From 70a3ab39a46fd15b2454477f6871595a09cf1814 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Tue, 28 Feb 2023 15:10:07 -0800 Subject: [PATCH 28/88] update readme --- examples/complete-managed-nodegroup/README.md | 108 +++++++++++++----- .../complete-self-managed-nodegroup/README.md | 6 +- 2 files changed, 80 insertions(+), 34 deletions(-) diff --git a/examples/complete-managed-nodegroup/README.md b/examples/complete-managed-nodegroup/README.md index 820ff7f4..2f40e2ce 100644 --- a/examples/complete-managed-nodegroup/README.md +++ b/examples/complete-managed-nodegroup/README.md 
@@ -8,6 +8,33 @@ This example deploys the following Basic EKS Cluster with VPC - Creates a Bastion host in a private subnet - Creates dependencies needed for BigBang +--- +**Table of contents:** +- [EKS Cluster Deployment with new VPC \& Big Bang Dependencies](#eks-cluster-deployment-with-new-vpc--big-bang-dependencies) + - [How to Deploy](#how-to-deploy) + - [Prerequisites](#prerequisites) + - [Deployment Steps](#deployment-steps) + - [Step 1: Preparation](#step-1-preparation) + - [Step 2: Modify terraform.tfvars (located in tmp directory) with desired values](#step-2-modify-terraformtfvars-located-in-tmp-directory-with-desired-values) + - [Step 3: Terraform Init \& State](#step-3-terraform-init--state) + - [local](#local) + - [remote](#remote) + - [Step 4: Provision VPC and Bastion](#step-4-provision-vpc-and-bastion) + - [Step 5: (Required if EKS Public Access set to False) Connect to the Bastion using SSHuttle and Provision the remaining Infrastucture](#step-5-required-if-eks-public-access-set-to-false-connect-to-the-bastion-using-sshuttle-and-provision-the-remaining-infrastucture) + - [Configure `kubectl` and test cluster](#configure-kubectl-and-test-cluster) + - [Step 6: Run the `aws eks update-kubeconfig` command](#step-6-run-the-aws-eks-update-kubeconfig-command) + - [Step 7: List all the worker nodes by running the command below](#step-7-list-all-the-worker-nodes-by-running-the-command-below) + - [Step 8: List all the pods running in `kube-system` namespace](#step-8-list-all-the-pods-running-in-kube-system-namespace) + - [Cleanup](#cleanup) + - [Requirements](#requirements) + - [Providers](#providers) + - [Modules](#modules) + - [Resources](#resources) + - [Inputs](#inputs) + - [Outputs](#outputs) + +--- + ## How to Deploy ### Prerequisites 
@@ -16,8 +43,9 @@ Ensure that you have installed the following tools in your Mac or Windows Laptop 1. [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) 2. [Kubectl](https://Kubernetes.io/docs/tasks/tools/) -3. [Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) -4. [SSHuttle](https://github.com/sshuttle/sshuttle) +3. [Helm](https://helm.sh/docs/intro/install/) +4. [Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) +5. [SSHuttle](https://github.com/sshuttle/sshuttle) Ensure that your AWS credentials are configured. This can be done by running `aws configure` @@ -26,15 +54,20 @@ Ensure that your AWS credentials are configured. This can be done by running `aw #### Step 1: Preparation ```sh -mkdir tmp && cd tmp git clone https://github.com/defenseunicorns/iac.git -cd examples/complete-complete-self-managed-nodegroup/ -cp terraform.tfvars.example ../../../terraform.tfvars +cd ./iac/examples/complete-managed-nodegroup +cp terraform.tfvars.example terraform.tfvars ``` -Modify terraform.tfvars (located in tmp directory) with desired values. AWS usernames must be changed to match actual usernames `aws iam get-user | jq '.[]' | jq -r '.UserName'` +#### Step 2: Modify terraform.tfvars (located in tmp directory) with desired values + +AWS usernames must be changed to match actual usernames `aws iam get-user | jq '.[]' | jq -r '.UserName'` + +#### Step 3: Terraform Init & State -#### Step 2: Terraform Init & State +Use remote or local state for terraform + +##### local Initialize a working directory with configuration files and create local terraform state file 
@@ -42,33 +75,43 @@ Initialize a working directory with configuration files and create local terrafo terraform init ``` -(OPTIONAL) Alternatively, you can provision an S3 backend prior to this step using the tf-state-backend example and init via the following: +##### remote + +Alternatively, you can provision an S3 backend prior to this step using the tf-state-backend example and init via the following: ```sh -cd tmp/examples/tf-state-backend +#from the ./iac/examples/complete-self-managed-nodegroup directory +pushd ../tf-state-backend + terraform apply export BUCKET_ID=`(terraform output -raw tfstate_bucket_id)` export DYNAMODB_TABLE_NAME=`(terraform output -raw tfstate_dynamodb_table_name)` -cd tmp/examples/complete-complete-self-managed-nodegroup +popd + +export AWS_DEFAULT_REGION=$(grep 'region' terraform.tfvars | grep -v 'region2' |cut -d'=' -f2 | cut -d'#' -f1 | tr -d '[:space:]' | sed 's/"//g') + +#make backend file cp backend.tf.example backend.tf -tf init -backend-config="bucket=$BUCKET_ID" \ --backend-config="key=complete-complete-self-managed-nodegroup/terraform.tfstate" \ --backend-config="dynamodb_table=$DYNAMODB_TABLE_NAME" \ --backend-config="region=$AWS_DEFAULT_REGION" +#init and copy state if it exists +terraform init -force-copy -backend-config="bucket=$BUCKET_ID" \ + -backend-config="key=complete-self-managed-nodegroup/terraform.tfstate" \ + -backend-config="dynamodb_table=$DYNAMODB_TABLE_NAME" \ + -backend-config="region=$AWS_DEFAULT_REGION" ``` -#### Step 3: Provision VPC and Bastion +#### Step 4: Provision VPC and Bastion ```sh -terraform plan -var-file ../../../terraform.tfvars -target=module.vpc -target=module.bastion -# verify these changes are desired -terraform apply -var-file ../../../terraform.tfvars -target=module.vpc -target=module.bastion -# type yes to confirm or utilize the ```-auto-approve``` flag in the above command +# plan deployment and verify desired outcome +terraform plan -target=module.vpc -target=module.bastion + +# type 
yes to confirm or utilize the '-auto-approve' flag +terraform apply -target=module.vpc -target=module.bastion ``` -#### Step 4: Connect to the Bastion using SSHuttle and Provision the remaining Infrastucture +#### Step 5: (Required if EKS Public Access set to False) Connect to the Bastion using SSHuttle and Provision the remaining Infrastucture Add the following to your ~/.ssh/config to connect to the Bastion via AWS SSM (create config file if it does not exist) @@ -81,9 +124,9 @@ host i-* mi-* Test SSH connection to the Bastion ```sh -#grab bastion instance id from terraform +# grab bastion instance id from terraform export BASTION_INSTANCE_ID=`(terraform output -raw bastion_instance_id)` -# replace "my-password" with the variable set if changed from the default +# replace "my-password" with the variable set (if changed from the default) expect -c 'spawn ssh ec2-user@$BASTION_INSTANCE_ID ; expect "assword:"; send "my-password\r"; interact' ``` @@ -94,10 +137,10 @@ In a new terminal, open an sshuttle tunnel to the bastion sshuttle --dns -vr ec2-user@$BASTION_INSTANCE_ID 10.200.0.0/16 ``` -Navigate back to the terminal in the complete-complete-self-managed-nodegroup directory and Provision the EKS Cluster +Navigate back to the terminal in the `complete-managed-nodegroup` directory and Provision the EKS Cluster ```sh -terraform apply -var-file ../../../terraform.tfvars +terraform apply -var-file # type yes to confirm or utilize the ```-auto-approve``` flag in the above command ``` 
@@ -108,17 +151,20 @@ Note: In this example we are using a private EKS Cluster endpoint for the contro EKS Cluster details can be extracted from terraform output or from AWS Console to get the name of cluster. This following command used to update the `kubeconfig` in your local machine where you run kubectl commands to interact with your EKS Cluster. -#### Step 5: Run `update-kubeconfig` command +#### Step 6: Run the `aws eks update-kubeconfig` command `~/.kube/config` file gets updated with cluster details and certificate from the below command - aws eks --region update-kubeconfig --name +```bash +CLUSTER_NAME=$(grep 'cluster_name' terraform.tfvars | cut -d'=' -f2 | tr -d '[:space:]' | sed 's/"//g') +aws eks --region $AWS_DEFAULT_REGION update-kubeconfig --name $CLUSTER_NAME +``` -#### Step 6: List all the worker nodes by running the command below +#### Step 7: List all the worker nodes by running the command below kubectl get nodes -#### Step 7: List all the pods running in `kube-system` namespace +#### Step 8: List all the pods running in `kube-system` namespace kubectl get pods -n kube-system @@ -126,16 +172,16 @@ This following command used to update the `kubeconfig` in your local machine whe To clean up your environment, destroy the Terraform modules in reverse order. -Destroy the Kubernetes Add-ons / EKS cluster first (requires sshuttle through bastion) +Destroy the Kubernetes Add-ons / EKS cluster first (requires sshuttle through bastion if EKS Public Access set to False) ```sh -terraform destroy -var-file ../../../terraform.tfvars -auto-approve -target=module.eks +terraform destroy -auto-approve -target=module.eks ``` Destroy all other resources ```sh -terraform destroy -var-file ../../../terraform.tfvars -auto-approve +terraform destroy -auto-approve ``` ## Requirements diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index 7726e414..70f48ef3 100644 
--- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md @@ -15,7 +15,7 @@ This example deploys the following Basic EKS Cluster with VPC - [Prerequisites](#prerequisites) - [Deployment Steps](#deployment-steps) - [Step 1: Preparation](#step-1-preparation) - - [Step 2: Modify terraform.tfvars (located in tmp directory) with desired values.](#step-2-modify-terraformtfvars-located-in-tmp-directory-with-desired-values) + - [Step 2: Modify terraform.tfvars (located in tmp directory) with desired values](#step-2-modify-terraformtfvars-located-in-tmp-directory-with-desired-values) - [Step 3: Terraform Init \& State](#step-3-terraform-init--state) - [local](#local) - [remote](#remote) @@ -59,7 +59,7 @@ cd ./iac/examples/complete-self-managed-nodegroup cp terraform.tfvars.example terraform.tfvars ``` -#### Step 2: Modify terraform.tfvars (located in tmp directory) with desired values. +#### Step 2: Modify terraform.tfvars (located in tmp directory) with desired values AWS usernames must be changed to match actual usernames `aws iam get-user | jq '.[]' | jq -r '.UserName'` @@ -137,7 +137,7 @@ In a new terminal, open an sshuttle tunnel to the bastion sshuttle --dns -vr ec2-user@$BASTION_INSTANCE_ID 10.200.0.0/16 ``` -Navigate back to the terminal in the complete-self-managed-nodegroup directory and Provision the EKS Cluster +Navigate back to the terminal in the `complete-self-managed-nodegroup` directory and Provision the EKS Cluster ```sh terraform apply -var-file From 2a41a147c79a77c77e392f2f7105a241aaea9967 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Wed, 1 Mar 2023 10:02:30 -0800 Subject: [PATCH 29/88] Empty commit From 10f936cfa4812e73e3769fb2c560b7fbed9794e2 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Wed, 1 Mar 2023 10:25:18 -0800 Subject: [PATCH 30/88] testing sign From b7dec8a0db57bc051bcf5f83b0403e80acb8fde9 Mon Sep 17 00:00:00 2001 
From: Zack Annexstein Date: Wed, 1 Mar 2023 10:40:21 -0800 Subject: [PATCH 31/88] testing sign again From c1bf4b3c772f30b21f45a9f54beaea721cf9f353 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Wed, 1 Mar 2023 10:55:36 -0800 Subject: [PATCH 32/88] testing sign again again From 6bf825e071a2c2f2f867a92409773ab22dbf0724 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 10:39:09 -0800 Subject: [PATCH 33/88] update readme --- .../complete-self-managed-nodegroup/README.md | 101 ++++++++++++------ 1 file changed, 71 insertions(+), 30 deletions(-) diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index ab401045..a14e3398 100644 --- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md 
@@ -8,6 +8,33 @@ This example deploys the following Basic EKS Cluster with VPC - Creates a Bastion host in a private subnet - Creates dependencies needed for BigBang +--- +**Table of contents:** +- [EKS Cluster Deployment with new VPC \& Big Bang Dependencies](#eks-cluster-deployment-with-new-vpc--big-bang-dependencies) + - [How to Deploy](#how-to-deploy) + - [Prerequisites](#prerequisites) + - [Deployment Steps](#deployment-steps) + - [Step 1: Preparation](#step-1-preparation) + - [Step 2: Modify terraform.tfvars (located in tmp directory) with desired values.](#step-2-modify-terraformtfvars-located-in-tmp-directory-with-desired-values) + - [Step 3: Terraform Init \& State](#step-3-terraform-init--state) + - [local](#local) + - [remote](#remote) + - [Step 4: Provision VPC and Bastion](#step-4-provision-vpc-and-bastion) + - [Step 5: Connect to the Bastion using SSHuttle and Provision the remaining Infrastucture](#step-5-connect-to-the-bastion-using-sshuttle-and-provision-the-remaining-infrastucture) + - [Configure `kubectl` and test cluster](#configure-kubectl-and-test-cluster) + - [Step 6: Run the `aws eks update-kubeconfig` command](#step-6-run-the-aws-eks-update-kubeconfig-command) + - [Step 7: List all the worker nodes by running the command below](#step-7-list-all-the-worker-nodes-by-running-the-command-below) + - [Step 8: List all the pods running in `kube-system` namespace](#step-8-list-all-the-pods-running-in-kube-system-namespace) + - [Cleanup](#cleanup) + - [Requirements](#requirements) + - [Providers](#providers) + - [Modules](#modules) + - [Resources](#resources) + - [Inputs](#inputs) + - [Outputs](#outputs) + +--- + ## How to Deploy ### Prerequisites 
@@ -16,8 +43,9 @@ Ensure that you have installed the following tools in your Mac or Windows Laptop 1. [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) 2. [Kubectl](https://Kubernetes.io/docs/tasks/tools/) -3. [Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) -4. [SSHuttle](https://github.com/sshuttle/sshuttle) +3. [Helm](https://helm.sh/docs/intro/install/) +4. [Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) +5. [SSHuttle](https://github.com/sshuttle/sshuttle) Ensure that your AWS credentials are configured. This can be done by running `aws configure` @@ -26,15 +54,20 @@ Ensure that your AWS credentials are configured. This can be done by running `aw #### Step 1: Preparation ```sh -mkdir tmp && cd tmp git clone https://github.com/defenseunicorns/iac.git -cd examples/complete-complete-self-managed-nodegroup/ -cp terraform.tfvars.example ../../../terraform.tfvars +cd ./iac/examples/complete-self-managed-nodegroup +cp terraform.tfvars.example terraform.tfvars ``` -Modify terraform.tfvars (located in tmp directory) with desired values. AWS usernames must be changed to match actual usernames `aws iam get-user | jq '.[]' | jq -r '.UserName'` +#### Step 2: Modify terraform.tfvars (located in tmp directory) with desired values. + +AWS usernames must be changed to match actual usernames `aws iam get-user | jq '.[]' | jq -r '.UserName'` + +#### Step 3: Terraform Init & State -#### Step 2: Terraform Init & State +Use remote or local state for terraform + +##### local Initialize a working directory with configuration files and create local terraform state file 
@@ -42,32 +75,38 @@ Initialize a working directory with configuration files and create local terrafo terraform init ``` -(OPTIONAL) Alternatively, you can provision an S3 backend prior to this step using the tf-state-backend example and init via the following: +##### remote + +Alternatively, you can provision an S3 backend prior to this step using the tf-state-backend example and init via the following: ```sh -cd tmp/examples/tf-state-backend +#from the ./iac/examples/complete-self-managed-nodegroup directory +pushd ../tf-state-backend + terraform apply export BUCKET_ID=`(terraform output -raw tfstate_bucket_id)` export DYNAMODB_TABLE_NAME=`(terraform output -raw tfstate_dynamodb_table_name)` +export AWS_DEFAULT_REGION=us-east-2 #set to your perferred region + +popd -cd tmp/examples/complete-complete-self-managed-nodegroup -mv backend.example backend.tf -tf init -backend-config="bucket=$BUCKET_ID" \ --backend-config="key=complete-complete-self-managed-nodegroup/terraform.tfstate" \ --backend-config="dynamodb_table=$DYNAMODB_TABLE_NAME" \ --backend-config="region=$AWS_DEFAULT_REGION" +terraform init -backend-config="bucket=$BUCKET_ID" \ + -backend-config="key=complete-self-managed-nodegroup/terraform.tfstate" \ + -backend-config="dynamodb_table=$DYNAMODB_TABLE_NAME" \ + -backend-config="region=$AWS_DEFAULT_REGION" ``` -#### Step 3: Provision VPC and Bastion +#### Step 4: Provision VPC and Bastion ```sh -terraform plan -var-file ../../../terraform.tfvars -target=module.vpc -target=module.bastion -# verify these changes are desired -terraform apply -var-file ../../../terraform.tfvars -target=module.vpc -target=module.bastion -# type yes to confirm or utilize the ```-auto-approve``` flag in the above command +# plan deployment and verify desired outcome +terraform plan -target=module.vpc -target=module.bastion + +# type yes to confirm or utilize the '-auto-approve' flag +terraform apply -target=module.vpc -target=module.bastion ``` -#### Step 4: Connect to the Bastion 
using SSHuttle and Provision the remaining Infrastucture +#### Step 5: Connect to the Bastion using SSHuttle and Provision the remaining Infrastucture Add the following to your ~/.ssh/config to connect to the Bastion via AWS SSM (create config file if it does not exist) @@ -80,7 +119,7 @@ host i-* mi-* Test SSH connection to the Bastion ```sh -#grab bastion instance id from terraform +# grab bastion instance id from terraform export BASTION_INSTANCE_ID=`(terraform output -raw bastion_instance_id)` # replace "my-password" with the variable set if changed from the default expect -c 'spawn ssh ec2-user@$BASTION_INSTANCE_ID ; expect "assword:"; send "my-password\r"; interact' @@ -93,10 +132,10 @@ In a new terminal, open an sshuttle tunnel to the bastion sshuttle --dns -vr ec2-user@$BASTION_INSTANCE_ID 10.200.0.0/16 ``` -Navigate back to the terminal in the complete-complete-self-managed-nodegroup directory and Provision the EKS Cluster +Navigate back to the terminal in the complete-self-managed-nodegroup directory and Provision the EKS Cluster ```sh -terraform apply -var-file ../../../terraform.tfvars +terraform apply -var-file # type yes to confirm or utilize the ```-auto-approve``` flag in the above command ``` 
@@ -107,17 +146,19 @@ Note: In this example we are using a private EKS Cluster endpoint for the contro EKS Cluster details can be extracted from terraform output or from AWS Console to get the name of cluster. This following command used to update the `kubeconfig` in your local machine where you run kubectl commands to interact with your EKS Cluster. -#### Step 5: Run `update-kubeconfig` command +#### Step 6: Run the `aws eks update-kubeconfig` command `~/.kube/config` file gets updated with cluster details and certificate from the below command - aws eks --region update-kubeconfig --name +```bash +aws eks --region $AWS_DEFAULT_REGION update-kubeconfig --name +``` -#### Step 6: List all the worker nodes by running the command below +#### Step 7: List all the worker nodes by running the command below kubectl get nodes -#### Step 7: List all the pods running in `kube-system` namespace +#### Step 8: List all the pods running in `kube-system` namespace kubectl get pods -n kube-system @@ -128,13 +169,13 @@ To clean up your environment, destroy the Terraform modules in reverse order. Destroy the Kubernetes Add-ons / EKS cluster first (requires sshuttle through bastion) ```sh -terraform destroy -var-file ../../../terraform.tfvars -auto-approve -target=module.eks +terraform destroy -auto-approve -target=module.eks ``` Destroy all other resources ```sh -terraform destroy -var-file ../../../terraform.tfvars -auto-approve +terraform destroy -auto-approve ``` ## Requirements From 2b37ea9360418284d2f1b9caef8b17927012bd08 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 10:39:20 -0800 Subject: [PATCH 34/88] update env vars --- .../complete-self-managed-nodegroup/terraform.tfvars.example | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/complete-self-managed-nodegroup/terraform.tfvars.example b/examples/complete-self-managed-nodegroup/terraform.tfvars.example index 3c9c8a44..70b8a0a4 100644 
--- a/examples/complete-self-managed-nodegroup/terraform.tfvars.example +++ b/examples/complete-self-managed-nodegroup/terraform.tfvars.example @@ -23,7 +23,7 @@ ################## Bastion Config ######################### bastion_name = "my-bastion" - bastion_ami_id = "ami-04afd6ecf73c0a579" # AWS linux 2 CIS STIG // "ami-000d4884381edb14c" # AWS linux 2 +# bastion_ami_id = "ami-04afd6ecf73c0a579" # AWS linux 2 CIS STIG // "ami-000d4884381edb14c" #AWS linux 2 #optional bastion_ssh_user = "ec2-user" # local user in bastion used to ssh bastion_ssh_password = "my-password" bastion_tenancy = "dedicated" From b84529e4c37c2fca38018d7b6cf349a8b402575d Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 10:59:05 -0800 Subject: [PATCH 35/88] unable to iterate over tuple if it doesn't exist --- modules/eks/outputs.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/eks/outputs.tf b/modules/eks/outputs.tf index 51d6e565..11732c02 100644 --- a/modules/eks/outputs.tf +++ b/modules/eks/outputs.tf @@ -56,20 +56,20 @@ output "eks_cluster_certificate_authority_data" { output "aws_iam_role_self_managed_ng_arn" { description = "AWS IAM role self managed node group ARN" - value = aws_iam_role.self_managed_ng[0].arn + value = try(aws_iam_role.self_managed_ng[0].arn, "") } output "aws_iam_instance_profile_self_managed_ng_name" { description = "AWS IAM instance profile self managed node group name" - value = aws_iam_instance_profile.self_managed_ng[0].name + value = try(aws_iam_instance_profile.self_managed_ng[0].name, "") } output "aws_iam_role_managed_ng_arn" { description = "AWS IAM role managed node group ARN" - value = aws_iam_role.managed_ng[0].arn + value = try(aws_iam_role.managed_ng[0].arn, "") } output "aws_iam_instance_profile_managed_ng_name" { description = "AWS IAM instance profile managed node group name" - value = aws_iam_instance_profile.managed_ng[0].name + value = try(aws_iam_instance_profile.managed_ng[0].name, "") } 
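Review bot: `try(aws_iam_role.self_managed_ng[0].arn, "")` in the outputs.tf hunk masks every evaluation error, not only the empty-tuple case the commit title describes; a renamed attribute or a broken reference would silently produce `""` instead of failing `terraform plan`. The "zero or one instance" semantics are exactly what `one()` expresses, and it still errors on genuine mistakes: `value = one(aws_iam_role.self_managed_ng[*].arn)`. The same applies to the other three outputs in this hunk. Note that `one()` yields `null` rather than `""` for the absent case, so any consumer comparing against the empty string would need adjusting, and it requires Terraform 0.15 or newer, which the `TF_VERSION := 1.3.9` bump elsewhere in this series satisfies.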
From e8193805dcd874abaf0697f67b5a0fdfaaed9194 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 10:59:26 -0800 Subject: [PATCH 36/88] default null --- examples/tf-state-backend/variables.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/tf-state-backend/variables.tf b/examples/tf-state-backend/variables.tf index 8e4b80da..80768a04 100644 --- a/examples/tf-state-backend/variables.tf +++ b/examples/tf-state-backend/variables.tf @@ -16,4 +16,5 @@ variable "aws_admin_1_username" { variable "aws_admin_2_username" { description = "AWS username authorized to access S3 Terraform State Backend" type = string + default = "" } From 8fa20a4e106f8c0e77472b8aa2a8d14cf0af5596 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 11:00:05 -0800 Subject: [PATCH 37/88] parameterize instance type --- examples/complete-managed-nodegroup/variables.tf | 12 ++++++++++++ .../complete-self-managed-nodegroup/variables.tf | 16 ++++++++++++++-- 2 files changed, 26 insertions(+), 2 deletions(-) diff --git a/examples/complete-managed-nodegroup/variables.tf b/examples/complete-managed-nodegroup/variables.tf index 339f79cf..bbc4e8d7 100644 --- a/examples/complete-managed-nodegroup/variables.tf +++ b/examples/complete-managed-nodegroup/variables.tf @@ -78,6 +78,12 @@ variable "cluster_endpoint_public_access" { default = false } +variable "instance_type" { + description = "value for the instance type of the EKS worker nodes" + type = string + default = "m5.xlarge" +} + ########################################################### ################## Bastion Config ######################### @@ -87,6 +93,12 @@ variable "bastion_name" { default = "my-bastion" } +variable "bastion_instance_type" { + description = "value for the instance type of the EKS worker nodes" + type = string + default = "m5.xlarge" +} + variable "assign_public_ip" { description = "Whether to assign a public IP to the bastion" type = bool 
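Review bot: Giving `aws_admin_2_username` a default of `""` makes the second entry of `cluster_key_admin_arns` in examples/tf-state-backend/main.tf (the PATCH 38 hunk later in this series) expand to `arn:<partition>:iam::<account>:user/`, because that list interpolates both usernames unconditionally; I would expect a KMS key policy with a principal ARN that has no user name to be rejected as malformed, so the default that is meant to make the second admin optional will fail at apply time rather than simply grant nothing. The list should drop empty names before building ARNs, e.g. `cluster_key_admin_arns = [for name in compact([var.aws_admin_1_username, var.aws_admin_2_username]) : "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${name}"]`. The variable's `description` should also say it is optional, since the only thing that distinguishes it from `aws_admin_1_username` now is the default.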
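Review bot: The `description` of the new `bastion_instance_type` variable in the complete-managed-nodegroup variables.tf hunk is copied from `instance_type` and says "value for the instance type of the EKS worker nodes", which is wrong for the bastion; I'd write `description = "Instance type for the bastion host"`. Its default of `m5.xlarge` also silently upsizes the bastion from the `m5.large` that was hard-coded in both main.tf files (the PATCH 40 and PATCH 41 hunks in this series); a bastion that only terminates SSM and sshuttle sessions rarely needs an xlarge, so `default = "m5.large"` would keep the parameterization behavior-neutral. The same copied description and default appear in the complete-self-managed-nodegroup variables.tf hunk that follows.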
diff --git a/examples/complete-self-managed-nodegroup/variables.tf b/examples/complete-self-managed-nodegroup/variables.tf index dfd3dfff..a97d7695 100644 --- a/examples/complete-self-managed-nodegroup/variables.tf +++ b/examples/complete-self-managed-nodegroup/variables.tf @@ -78,6 +78,12 @@ variable "cluster_endpoint_public_access" { default = false } +variable "instance_type" { + description = "value for the instance type of the EKS worker nodes" + type = string + default = "m5.xlarge" +} + ########################################################### ################## Bastion Config ######################### @@ -87,6 +93,12 @@ variable "bastion_name" { default = "my-bastion" } +variable "bastion_instance_type" { + description = "value for the instance type of the EKS worker nodes" + type = string + default = "m5.xlarge" +} + variable "assign_public_ip" { description = "Whether to assign a public IP to the bastion" type = bool @@ -94,9 +106,9 @@ variable "assign_public_ip" { } variable "bastion_ami_id" { - description = "The AMI ID to use for the bastion" + description = "(Optional) The AMI ID to use for the bastion, will query the latest Amazon Linux 2 AMI if not provided" type = string - default = "ami-000d4884381edb14c" + default = "" } variable "bastion_ssh_user" { From 77cdc7d70fb894ffac284cacaf5539997c1c51dc Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 11:00:38 -0800 Subject: [PATCH 38/88] refactor --- examples/tf-state-backend/main.tf | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/examples/tf-state-backend/main.tf b/examples/tf-state-backend/main.tf index 3c28b86c..9542326f 100644 --- a/examples/tf-state-backend/main.tf +++ b/examples/tf-state-backend/main.tf 
@@ -5,14 +5,17 @@ provider "aws" { data "aws_partition" "current" {} module "tfstate_backend" { - source = "git::https://github.com/defenseunicorns/iac.git//modules/tfstate-backend?ref=v0.0.0-alpha.2" + source = "git::https://github.com/defenseunicorns/terraform-aws-tfstate-backend" region = var.region bucket_prefix = "my-tfstate-backend" dynamodb_table_name = "my-tfstate-backend-lock" # list of admin's AWS account arn to allow control of KMS keys - cluster_key_admin_arns = ["arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_1_username}", "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_2_username}"] + cluster_key_admin_arns = [ + "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_1_username}", + "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_2_username}" + ] } output "tfstate_bucket_id" { From cd33f2c15d97845cf6d327ec7f907af56f9319d8 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 11:00:42 -0800 Subject: [PATCH 39/88] add --- examples/tf-state-backend/.terraform.lock.hcl | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 examples/tf-state-backend/.terraform.lock.hcl diff --git a/examples/tf-state-backend/.terraform.lock.hcl b/examples/tf-state-backend/.terraform.lock.hcl new file mode 100644 index 00000000..550b917f --- /dev/null +++ b/examples/tf-state-backend/.terraform.lock.hcl 
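Review bot: The new `source` line drops the version pin: `git::https://github.com/defenseunicorns/terraform-aws-tfstate-backend` without `?ref=` resolves to whatever the default branch holds at `terraform init` time, so the module that provisions the state bucket, lock table and KMS key policy is no longer reproducible and can change underneath a re-init with no diff in this repo. Pin it to a tag or commit, e.g. `source = "git::https://github.com/defenseunicorns/terraform-aws-tfstate-backend?ref=<tag-or-commit>"` (placeholder; the module's release tags are not visible here). The previous value did carry `?ref=v0.0.0-alpha.2`, so this is a regression in supply-chain hygiene rather than a pre-existing condition.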
@@ -0,0 +1,25 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "4.55.0" + constraints = ">= 4.9.0" + hashes = [ + "h1:vSVjfh4GIrca2Z3YPjWMaac5hOEBc1U3xOOwFmo7HZc=", + "zh:0866f25575bad3b9c313cd778c94fc65e79d335af2d20a3480f79d7731d93b7b", + "zh:2c05c16155cbc054622cf83e4b6614fef35935b00b238e4c21ee225e6c896770", + "zh:2efba66649fb12af0492c6cce4e2361fe9139df648734264f61a9a1ef754df53", + "zh:3c60bb53e3b65d7f86699fae0797a55a9aa41b8ba377aaff4daf23d1661393a9", + "zh:41f6dcd90b54b623d523df8fb4a30779cfe22e9ab59516bc05b29291a7af0946", + "zh:4b8330b154e9e2d035dd5488abcac25efec1fa6055d3a70894a8c0384f0579d6", + "zh:595f263706cf1fb6b8447e2ec343638de4360841a15e6bff6ccbb0ff86c7ce74", + "zh:5dfc5b858a43cf45fde5542eb673f6104c14cdc3d73843d1b87a9e44545cbad4", + "zh:7bbe05cf30521f0110603bb84995a4025ce7810626010276600e4b402143df27", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a490e68c63504d3301d6dcb700c95778d93bb2baa6632a46c5a1d62862a7067c", + "zh:c4f9f6659148528375c8a822163925c9aae490ccce2e6301cefbbab009531971", + "zh:ef66070f957408f1c924ddfd5dbd0d34bce16efd9e36ccecbf699de72beb131f", + "zh:f7ba5e3e62a2b51b24e326797a89fdd86bafaea7d1912738d514c9903c14d7f2", + "zh:ffc20b7d9f7bd331fb6451d0fc92c68196383d7115e69380de6566cc268cb9b9", + ] +} From 157fa19ddaf36e2ad732e4cb0b14f5de32e7b859 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 11:01:18 -0800 Subject: [PATCH 40/88] parameterize instance type --- examples/complete-self-managed-nodegroup/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/complete-self-managed-nodegroup/main.tf b/examples/complete-self-managed-nodegroup/main.tf index 43d646f7..ddac6c67 100644 --- a/examples/complete-self-managed-nodegroup/main.tf +++ b/examples/complete-self-managed-nodegroup/main.tf 
@@ -53,7 +53,7 @@ module "bastion" { source = "../../modules/bastion" ami_id = coalesce(var.bastion_ami_id, data.aws_ami.amazonlinux2.id) #use var.bastion_ami_id if set, otherwise use the latest Amazon Linux 2 AMI - instance_type = "m5.large" + instance_type = var.bastion_instance_type root_volume_config = { volume_type = "gp3" volume_size = "20" From ec0087fae3eb54c27b5f6900f4d522f2fec820d7 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 11:04:15 -0800 Subject: [PATCH 41/88] parameterize instance type --- examples/complete-managed-nodegroup/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/complete-managed-nodegroup/main.tf b/examples/complete-managed-nodegroup/main.tf index 5b9d118e..5605b883 100644 --- a/examples/complete-managed-nodegroup/main.tf +++ b/examples/complete-managed-nodegroup/main.tf @@ -53,7 +53,7 @@ module "bastion" { source = "../../modules/bastion" ami_id = var.bastion_ami_id - instance_type = "m5.large" + instance_type = var.bastion_instance_type root_volume_config = { volume_type = "gp3" volume_size = "20" From a252147d85a183263097e750d1bf6355465a3764 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 11:15:48 -0800 Subject: [PATCH 42/88] update readme --- examples/complete-managed-nodegroup/README.md | 4 +++- examples/complete-self-managed-nodegroup/README.md | 5 ++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/examples/complete-managed-nodegroup/README.md b/examples/complete-managed-nodegroup/README.md index f8342cd6..46eaa02b 100644 --- a/examples/complete-managed-nodegroup/README.md +++ b/examples/complete-managed-nodegroup/README.md 
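Review bot: In the complete-managed-nodegroup hunk the bastion's AMI is still the context line `ami_id = var.bastion_ami_id`, while this example's README table, updated later in the series, documents `bastion_ami_id` with default `""` and a promise to query the latest Amazon Linux 2 AMI when unset; unless an `aws_ami` data source exists elsewhere in this file (none is visible here), the example will hand an empty AMI ID to the bastion module and fail at plan or apply time. The self-managed example handles this with `ami_id = coalesce(var.bastion_ami_id, data.aws_ami.amazonlinux2.id)` backed by a `data "aws_ami" "amazonlinux2"` block, and the same pair belongs here. `module "bastion"` starts and ends outside the hunk.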
@@ -176,7 +176,8 @@ No requirements. | [aws\_admin\_1\_username](#input\_aws\_admin\_1\_username) | The AWS admin username to use for deployment | `string` | n/a | yes | | [aws\_admin\_2\_username](#input\_aws\_admin\_2\_username) | The AWS admin username to use for deployment | `string` | n/a | yes | | [aws\_profile](#input\_aws\_profile) | The AWS profile to use for deployment | `string` | n/a | yes | -| [bastion\_ami\_id](#input\_bastion\_ami\_id) | The AMI ID to use for the bastion | `string` | `"ami-000d4884381edb14c"` | no | +| [bastion\_ami\_id](#input\_bastion\_ami\_id) | (Optional) The AMI ID to use for the bastion, will query the latest Amazon Linux 2 AMI if not provided | `string` | `""` | no | +| [bastion\_instance\_type](#input\_bastion\_instance\_type) | value for the instance type of the EKS worker nodes | `string` | `"m5.xlarge"` | no | | [bastion\_name](#input\_bastion\_name) | The name to use for the bastion | `string` | `"my-bastion"` | no | | [bastion\_ssh\_password](#input\_bastion\_ssh\_password) | The SSH password to use for the bastion if SSM authentication is used | `string` | `"my-password"` | no | | [bastion\_ssh\_user](#input\_bastion\_ssh\_user) | The SSH user to use for the bastion | `string` | `"ec2-user"` | no | 
@@ -187,6 +188,7 @@ No requirements. | [create\_database\_subnet\_route\_table](#input\_create\_database\_subnet\_route\_table) | Whether to create a database subnet route table | `bool` | `true` | no | | [eks\_k8s\_version](#input\_eks\_k8s\_version) | The Kubernetes version to use for the EKS cluster | `string` | `"1.23"` | no | | [eks\_worker\_tenancy](#input\_eks\_worker\_tenancy) | The tenancy of the EKS worker nodes | `string` | `"default"` | no | +| [instance\_type](#input\_instance\_type) | value for the instance type of the EKS worker nodes | `string` | `"m5.xlarge"` | no | | [kc\_db\_allocated\_storage](#input\_kc\_db\_allocated\_storage) | The database allocated storage to use for Keycloak | `number` | n/a | yes | | [kc\_db\_engine\_version](#input\_kc\_db\_engine\_version) | The database engine to use for Keycloak | `string` | n/a | yes | | [kc\_db\_family](#input\_kc\_db\_family) | The database family to use for Keycloak | `string` | n/a | yes | diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index a14e3398..db20b2cc 100644 --- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md @@ -203,6 +203,7 @@ No requirements. | Name | Type | |------|------| +| [aws_ami.amazonlinux2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | | [aws_eks_cluster.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | | [aws_eks_cluster_auth.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | 
@@ -216,7 +217,8 @@ No requirements. | [aws\_admin\_1\_username](#input\_aws\_admin\_1\_username) | The AWS admin username to use for deployment | `string` | n/a | yes | | [aws\_admin\_2\_username](#input\_aws\_admin\_2\_username) | The AWS admin username to use for deployment | `string` | n/a | yes | | [aws\_profile](#input\_aws\_profile) | The AWS profile to use for deployment | `string` | n/a | yes | -| [bastion\_ami\_id](#input\_bastion\_ami\_id) | The AMI ID to use for the bastion | `string` | `"ami-000d4884381edb14c"` | no | +| [bastion\_ami\_id](#input\_bastion\_ami\_id) | (Optional) The AMI ID to use for the bastion, will query the latest Amazon Linux 2 AMI if not provided | `string` | `""` | no | +| [bastion\_instance\_type](#input\_bastion\_instance\_type) | value for the instance type of the EKS worker nodes | `string` | `"m5.xlarge"` | no | | [bastion\_name](#input\_bastion\_name) | The name to use for the bastion | `string` | `"my-bastion"` | no | | [bastion\_ssh\_password](#input\_bastion\_ssh\_password) | The SSH password to use for the bastion if SSM authentication is used | `string` | `"my-password"` | no | | [bastion\_ssh\_user](#input\_bastion\_ssh\_user) | The SSH user to use for the bastion | `string` | `"ec2-user"` | no | 
@@ -227,6 +229,7 @@ No requirements. | [create\_database\_subnet\_route\_table](#input\_create\_database\_subnet\_route\_table) | Whether to create a database subnet route table | `bool` | `true` | no | | [eks\_k8s\_version](#input\_eks\_k8s\_version) | The Kubernetes version to use for the EKS cluster | `string` | `"1.23"` | no | | [eks\_worker\_tenancy](#input\_eks\_worker\_tenancy) | The tenancy of the EKS worker nodes | `string` | `"default"` | no | +| [instance\_type](#input\_instance\_type) | value for the instance type of the EKS worker nodes | `string` | `"m5.xlarge"` | no | | [kc\_db\_allocated\_storage](#input\_kc\_db\_allocated\_storage) | The database allocated storage to use for Keycloak | `number` | n/a | yes | | [kc\_db\_engine\_version](#input\_kc\_db\_engine\_version) | The database engine to use for Keycloak | `string` | n/a | yes | | [kc\_db\_family](#input\_kc\_db\_family) | The database family to use for Keycloak | `string` | n/a | yes | From 88d0cccbd27e216a0b7a196e16553547ccf15d90 Mon Sep 17 00:00:00 2001 From: Andy Roth Date: Tue, 21 Feb 2023 15:04:38 -0800 Subject: [PATCH 43/88] Move the tfstate-backend module to its own repo (#77) --- ...tfstate-backend-module-to-separate-repo.md | 29 +++++++++++++++++++ modules/tfstate-backend/README.md | 14 +++++---- modules/tfstate-backend/main.tf | 2 ++ modules/tfstate-backend/variables.tf | 12 ++++---- 4 files changed, 45 insertions(+), 12 deletions(-) create mode 100644 doc/adr/0003-move-tfstate-backend-module-to-separate-repo.md diff --git a/doc/adr/0003-move-tfstate-backend-module-to-separate-repo.md b/doc/adr/0003-move-tfstate-backend-module-to-separate-repo.md new file mode 100644 index 00000000..3fe314d8 --- /dev/null +++ b/doc/adr/0003-move-tfstate-backend-module-to-separate-repo.md 
@@ -0,0 +1,29 @@ +# 3. Move tfstate-backend module to separate repo + +Date: 2023-02-21 + +## Status + +Accepted + +## Context + +As we start moving more toward treating our Terraform infrastructure code as a product, additional focus is needed on making each module into an independently consumable product. This means that each module should: + +* Be versioned independently +* Run automated tests +* Have sufficient documentation + +## Decision + +To assist with being versioned independently, we will move the `tfstate-backend` module to a [separate repository](https://github.com/defenseunicorns/terraform-aws-tfstate-backend). This will allow us to develop and release new versions of the module independently of the rest of the infrastructure code. + +This decision is, for now, just being made for the `tfstate-backend` module. We will evaluate other modules for similar treatment in the future as we uncover better ways and best practices for managing reusable production-level Terraform work. + +## Consequences + +What becomes easier or more difficult to do and any risks introduced by the change that will need to be mitigated. + +* It will be easier to version the module independently of the rest of the infrastructure code. +* It will be easier to run automated tests on the module since we won't need any custom logic to figure out when certain tests can be skipped (e.g. when this module has not been changed but another has, only run the other module's tests) +* Our work will be less DRY (Don't Repeat Yourself) since each independent module repo will need its own set of GitHub Actions workflows/scripts/Makefile, etc. This can potentially be mitigated by using automation to keep code that is the same across all modules in sync. diff --git a/modules/tfstate-backend/README.md b/modules/tfstate-backend/README.md index c8ad42f8..8d9cc0d1 100644 --- a/modules/tfstate-backend/README.md +++ b/modules/tfstate-backend/README.md 
@@ -1,5 +1,7 @@ # AWS tfstate-backend Module +:warning: WARNING: This module has been moved to its own repository. This directory is now deprecated and will be removed in the future. Please use [the new repository](https://github.com/defenseunicorns/terraform-aws-tfstate-backend) instead. + This repository contains Terraform configuration files that create various AWS resources, such as an S3 bucket, a DynamoDB table, and KMS keys. These resources are configured to hold store your terraform TFSTATE files. ## Examples 
@@ -38,12 +40,12 @@ No requirements. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [bucket\_prefix](#input\_bucket\_prefix) | S3 Bucket Prefix | `string` | n/a | yes | -| [cluster\_key\_admin\_arns](#input\_cluster\_key\_admin\_arns) | ARNs of IAM users or roles that can administer the cluster | `list(string)` | `[]` | no | -| [dynamodb\_table\_name](#input\_dynamodb\_table\_name) | DynamoDB Table Name | `string` | n/a | yes | -| [permissions\_boundary](#input\_permissions\_boundary) | (Optional) The ARN of the policy that is used to set the permissions boundary for the role. | `string` | `""` | no | -| [region](#input\_region) | AWS Region | `string` | n/a | yes | -| [versioning\_enabled](#input\_versioning\_enabled) | Enable versioning on the S3 bucket | `bool` | `true` | no | +| [bucket\_prefix](#input\_bucket\_prefix) | DEPRECATED - S3 Bucket Prefix | `string` | n/a | yes | +| [cluster\_key\_admin\_arns](#input\_cluster\_key\_admin\_arns) | DEPRECATED - ARNs of IAM users or roles that can administer the cluster | `list(string)` | `[]` | no | +| [dynamodb\_table\_name](#input\_dynamodb\_table\_name) | DEPRECATED - DynamoDB Table Name | `string` | n/a | yes | +| [permissions\_boundary](#input\_permissions\_boundary) | DEPRECATED - (Optional) The ARN of the policy that is used to set the permissions boundary for the role. | `string` | `""` | no | +| [region](#input\_region) | DEPRECATED - AWS Region | `string` | n/a | yes | +| [versioning\_enabled](#input\_versioning\_enabled) | DEPRECATED - Enable versioning on the S3 bucket | `bool` | `true` | no | ## Outputs diff --git a/modules/tfstate-backend/main.tf b/modules/tfstate-backend/main.tf index 58990b4f..9e4172d2 100644 --- a/modules/tfstate-backend/main.tf +++ b/modules/tfstate-backend/main.tf 
@@ -1,3 +1,5 @@ +// WARNING: This module has been moved to its own repository. This directory is now deprecated and will be removed in the future. Please use [the new repository](https://github.com/defenseunicorns/terraform-aws-tfstate-backend) instead. + data "aws_partition" "current" {} resource "aws_kms_key" "objects" { diff --git a/modules/tfstate-backend/variables.tf b/modules/tfstate-backend/variables.tf index b1d16821..bced49fa 100644 --- a/modules/tfstate-backend/variables.tf +++ b/modules/tfstate-backend/variables.tf @@ -1,32 +1,32 @@ variable "region" { - description = "AWS Region" + description = "DEPRECATED - AWS Region" type = string } variable "bucket_prefix" { - description = "S3 Bucket Prefix" + description = "DEPRECATED - S3 Bucket Prefix" type = string } variable "dynamodb_table_name" { - description = "DynamoDB Table Name" + description = "DEPRECATED - DynamoDB Table Name" type = string } variable "versioning_enabled" { - description = "Enable versioning on the S3 bucket" + description = "DEPRECATED - Enable versioning on the S3 bucket" type = bool default = true } variable "cluster_key_admin_arns" { - description = "ARNs of IAM users or roles that can administer the cluster" + description = "DEPRECATED - ARNs of IAM users or roles that can administer the cluster" type = list(string) default = [] } variable "permissions_boundary" { - description = "(Optional) The ARN of the policy that is used to set the permissions boundary for the role." + description = "DEPRECATED - (Optional) The ARN of the policy that is used to set the permissions boundary for the role." type = string default = "" } From 8ca53c1dfad21bf39fb67c45ca9cb83021aa309c Mon Sep 17 00:00:00 2001 From: Gabe <70963120+ntwkninja@users.noreply.github.com> Date: Thu, 23 Feb 2023 13:48:25 -0600 Subject: [PATCH 44/88] Update README.md (#78) --- .gitignore | 4 +++- examples/complete-self-managed-nodegroup/README.md | 8 ++++---- 2 files changed, 7 insertions(+), 5 deletions(-) 
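Review bot: The deprecation notice added at the top of modules/tfstate-backend/main.tf uses a `//` comment while the rest of the configuration in this series comments with `#` (for example `# list of admin's AWS account arn to allow control of KMS keys` in examples/tf-state-backend/main.tf); `#` is the conventional Terraform comment style and `terraform fmt` does not normalise `//`, so the two styles will coexist. Suggest `# WARNING: This module has been moved to its own repository. This directory is deprecated and will be removed; use https://github.com/defenseunicorns/terraform-aws-tfstate-backend instead.` — the markdown link syntax is not rendered inside a .tf comment, so the bare URL reads better. The `DEPRECATED - ` prefixes in variables.tf are consistent with the README change.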
diff --git a/.gitignore b/.gitignore index 882aba25..80505fcf 100644 --- a/.gitignore +++ b/.gitignore @@ -45,7 +45,9 @@ terraform.rc .terragrunt-cache* # Ignore Terraform state files -backend.* +backend.tf # Ignore Checkov external module downloads .external_modules + +examples/zarf-complete-example/build diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index db20b2cc..12d58653 100644 --- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md @@ -20,7 +20,7 @@ This example deploys the following Basic EKS Cluster with VPC - [local](#local) - [remote](#remote) - [Step 4: Provision VPC and Bastion](#step-4-provision-vpc-and-bastion) - - [Step 5: Connect to the Bastion using SSHuttle and Provision the remaining Infrastucture](#step-5-connect-to-the-bastion-using-sshuttle-and-provision-the-remaining-infrastucture) + - [Step 4: (Required if EKS Public Access set to False) Connect to the Bastion using SSHuttle and Provision the remaining Infrastucture](#step-4-required-if-eks-public-access-set-to-false-connect-to-the-bastion-using-sshuttle-and-provision-the-remaining-infrastucture) - [Configure `kubectl` and test cluster](#configure-kubectl-and-test-cluster) - [Step 6: Run the `aws eks update-kubeconfig` command](#step-6-run-the-aws-eks-update-kubeconfig-command) - [Step 7: List all the worker nodes by running the command below](#step-7-list-all-the-worker-nodes-by-running-the-command-below) 
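Review bot: Narrowing the ignore pattern from `backend.*` to `backend.tf` stops ignoring any other `backend.*` file, such as a `backend.hcl` or `backend.tfvars` partial-configuration file that holds the real bucket, lock-table and key names; if a contributor keeps their backend settings in such a file, this change lets it be committed. If the intent is only to track a `backend.tf.example` template (one is added later in this series), keeping `backend.*` and adding the negation `!backend.tf.example` preserves the broad ignore while tracking the template. The `# Ignore Terraform state files` comment above the line also no longer describes what is ignored and should be reworded to `# Ignore local backend configuration`.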
@@ -106,7 +106,7 @@ terraform plan -target=module.vpc -target=module.bastion terraform apply -target=module.vpc -target=module.bastion ``` -#### Step 5: Connect to the Bastion using SSHuttle and Provision the remaining Infrastucture +#### Step 4: (Required if EKS Public Access set to False) Connect to the Bastion using SSHuttle and Provision the remaining Infrastucture Add the following to your ~/.ssh/config to connect to the Bastion via AWS SSM (create config file if it does not exist) @@ -121,7 +121,7 @@ Test SSH connection to the Bastion ```sh # grab bastion instance id from terraform export BASTION_INSTANCE_ID=`(terraform output -raw bastion_instance_id)` -# replace "my-password" with the variable set if changed from the default +# replace "my-password" with the variable set (if changed from the default) expect -c 'spawn ssh ec2-user@$BASTION_INSTANCE_ID ; expect "assword:"; send "my-password\r"; interact' ``` @@ -166,7 +166,7 @@ aws eks --region $AWS_DEFAULT_REGION update-kubeconfig --name To clean up your environment, destroy the Terraform modules in reverse order. -Destroy the Kubernetes Add-ons / EKS cluster first (requires sshuttle through bastion) +Destroy the Kubernetes Add-ons / EKS cluster first (requires sshuttle through bastion if EKS Public Access set to False) ```sh terraform destroy -auto-approve -target=module.eks From f046f8dbbc9f2f1f205a051b9f7ffd11b83d8666 Mon Sep 17 00:00:00 2001 
From: Andy Roth Date: Thu, 23 Feb 2023 11:57:29 -0800 Subject: [PATCH 45/88] Use new remote tfstate-backend module (and delete the one in this repo) (#80) --- examples/tf-state-backend/main.tf | 2 +- modules/tfstate-backend/README.md | 56 -------------- modules/tfstate-backend/locals.tf | 4 - modules/tfstate-backend/main.tf | 111 --------------------------- modules/tfstate-backend/outputs.tf | 9 --- modules/tfstate-backend/variables.tf | 32 -------- 6 files changed, 1 insertion(+), 213 deletions(-) delete mode 100644 modules/tfstate-backend/README.md delete mode 100644 modules/tfstate-backend/locals.tf delete mode 100644 modules/tfstate-backend/main.tf delete mode 100644 modules/tfstate-backend/outputs.tf delete mode 100644 modules/tfstate-backend/variables.tf diff --git a/examples/tf-state-backend/main.tf b/examples/tf-state-backend/main.tf index 9542326f..e0437465 100644 --- a/examples/tf-state-backend/main.tf +++ b/examples/tf-state-backend/main.tf @@ -5,7 +5,7 @@ provider "aws" { data "aws_partition" "current" {} module "tfstate_backend" { - source = "git::https://github.com/defenseunicorns/terraform-aws-tfstate-backend" + source = "git::https://github.com/defenseunicorns/terraform-aws-tfstate-backend.git?ref=0.0.1" region = var.region bucket_prefix = "my-tfstate-backend" diff --git a/modules/tfstate-backend/README.md b/modules/tfstate-backend/README.md deleted file mode 100644 index 8d9cc0d1..00000000 --- a/modules/tfstate-backend/README.md +++ /dev/null 
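Review bot: Pinning `module "tfstate_backend"` to `?ref=0.0.1` fixes the floating default-branch reference introduced earlier in this series, but a git tag can be moved or re-created on the remote, so it is not an immutable pin for the module that provisions every example's state backend. Pinning to the tag's commit SHA, `?ref=<COMMIT_SHA>`, with the tag recorded in a comment gives a reproducible and tamper-evident reference; if a tag is preferred for readability, the comment should at least say which commit it was verified against. `module "tfstate_backend"` continues outside the hunk.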
@@ -1,56 +0,0 @@ -# AWS tfstate-backend Module - -:warning: WARNING: This module has been moved to its own repository. This directory is now deprecated and will be removed in the future. Please use [the new repository](https://github.com/defenseunicorns/terraform-aws-tfstate-backend) instead. - -This repository contains Terraform configuration files that create various AWS resources, such as an S3 bucket, a DynamoDB table, and KMS keys. These resources are configured to hold store your terraform TFSTATE files. - -## Examples - -To view examples for how you can leverage this tfstate-backend Module, please see the [examples](https://github.com/defenseunicorns/iac/tree/main/examples) directory. - -## Requirements - -No requirements. - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | n/a | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | v3.6.0 | - -## Resources - -| Name | Type | -|------|------| -| [aws_dynamodb_table.dynamodb_terraform_state_lock](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource | -| [aws_kms_key.dynamo](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | -| [aws_kms_key.objects](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | -| [aws_s3_bucket_logging.logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource | -| [aws_s3_bucket_policy.backend_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | -| [aws_s3_bucket_versioning.versioning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | -| 
[aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [bucket\_prefix](#input\_bucket\_prefix) | DEPRECATED - S3 Bucket Prefix | `string` | n/a | yes | -| [cluster\_key\_admin\_arns](#input\_cluster\_key\_admin\_arns) | DEPRECATED - ARNs of IAM users or roles that can administer the cluster | `list(string)` | `[]` | no | -| [dynamodb\_table\_name](#input\_dynamodb\_table\_name) | DEPRECATED - DynamoDB Table Name | `string` | n/a | yes | -| [permissions\_boundary](#input\_permissions\_boundary) | DEPRECATED - (Optional) The ARN of the policy that is used to set the permissions boundary for the role. | `string` | `""` | no | -| [region](#input\_region) | DEPRECATED - AWS Region | `string` | n/a | yes | -| [versioning\_enabled](#input\_versioning\_enabled) | DEPRECATED - Enable versioning on the S3 bucket | `bool` | `true` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [tfstate\_bucket\_id](#output\_tfstate\_bucket\_id) | Terraform State Bucket Name | -| [tfstate\_dynamodb\_table\_name](#output\_tfstate\_dynamodb\_table\_name) | Terraform State DynamoDB Table Name | - diff --git a/modules/tfstate-backend/locals.tf b/modules/tfstate-backend/locals.tf deleted file mode 100644 index cbbda5f6..00000000 --- a/modules/tfstate-backend/locals.tf +++ /dev/null @@ -1,4 +0,0 @@ -locals { - role_name = "${var.bucket_prefix}-role" - bucket_prefix = var.bucket_prefix -} diff --git a/modules/tfstate-backend/main.tf b/modules/tfstate-backend/main.tf deleted file mode 100644 index 9e4172d2..00000000 --- a/modules/tfstate-backend/main.tf +++ /dev/null 
@@ -1,111 +0,0 @@ -// WARNING: This module has been moved to its own repository. This directory is now deprecated and will be removed in the future. Please use [the new repository](https://github.com/defenseunicorns/terraform-aws-tfstate-backend) instead. - -data "aws_partition" "current" {} - -resource "aws_kms_key" "objects" { - enable_key_rotation = true - description = "KMS key is used to encrypt bucket objects" - deletion_window_in_days = 7 -} -resource "aws_kms_key" "dynamo" { - enable_key_rotation = true - description = "KMS key is used to encrypt dynamodb table" - deletion_window_in_days = 7 -} - -resource "aws_dynamodb_table" "dynamodb_terraform_state_lock" { - name = "${var.dynamodb_table_name}-${formatdate("YYYYMMDDhhmmss", timestamp())}" - hash_key = "LockID" - billing_mode = "PAY_PER_REQUEST" - point_in_time_recovery { - enabled = true - } - attribute { - name = "LockID" - type = "S" - } - server_side_encryption { - enabled = true - kms_key_arn = aws_kms_key.dynamo.arn - } -} - -module "s3_bucket" { - source = "terraform-aws-modules/s3-bucket/aws" - version = "v3.6.0" - - bucket_prefix = var.bucket_prefix - block_public_acls = true - block_public_policy = true - ignore_public_acls = true - restrict_public_buckets = true - - server_side_encryption_configuration = { - rule = { - apply_server_side_encryption_by_default = { - kms_master_key_id = aws_kms_key.objects.arn - sse_algorithm = "aws:kms" - } - } - } -} - -resource "aws_s3_bucket_versioning" "versioning" { - count = var.versioning_enabled ? 
1 : 0 - bucket = module.s3_bucket.s3_bucket_id - versioning_configuration { - status = "Enabled" - } -} - -resource "aws_s3_bucket_logging" "logging" { - bucket = module.s3_bucket.s3_bucket_id - - target_bucket = module.s3_bucket.s3_bucket_id - target_prefix = "log/" -} - -resource "aws_s3_bucket_policy" "backend_bucket" { - bucket = module.s3_bucket.s3_bucket_id - - policy = < Date: Fri, 24 Feb 2023 13:33:28 -0600 Subject: [PATCH 46/88] eks output fix (#83) --- modules/eks/outputs.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/eks/outputs.tf b/modules/eks/outputs.tf index 11732c02..7fc3b931 100644 --- a/modules/eks/outputs.tf +++ b/modules/eks/outputs.tf @@ -56,20 +56,20 @@ output "eks_cluster_certificate_authority_data" { output "aws_iam_role_self_managed_ng_arn" { description = "AWS IAM role self managed node group ARN" - value = try(aws_iam_role.self_managed_ng[0].arn, "") + value = try(aws_iam_role.self_managed_ng[0].arn, null) } output "aws_iam_instance_profile_self_managed_ng_name" { description = "AWS IAM instance profile self managed node group name" - value = try(aws_iam_instance_profile.self_managed_ng[0].name, "") + value = try(aws_iam_instance_profile.self_managed_ng[0].name, null) } output "aws_iam_role_managed_ng_arn" { description = "AWS IAM role managed node group ARN" - value = try(aws_iam_role.managed_ng[0].arn, "") + value = try(aws_iam_role.managed_ng[0].arn, null) } output "aws_iam_instance_profile_managed_ng_name" { description = "AWS IAM instance profile managed node group name" - value = try(aws_iam_instance_profile.managed_ng[0].name, "") + value = try(aws_iam_instance_profile.managed_ng[0].name, null) } From 0bed8b628120e97ce05155ab191237cbc41feac8 Mon Sep 17 00:00:00 2001 
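Review bot: Changing the `try` fallback from `""` to `null` in modules/eks/outputs.tf alters the output contract for any consumer that compared these outputs against an empty string, and none of the four descriptions says the value is `null` when the corresponding node group does not exist; suggest extending each, e.g. `description = "AWS IAM role self managed node group ARN (null when no self managed node group is created)"`. The `[0]` index suggests the resources are `count`-ed, so the absent case is presumably `count = 0`; worth confirming in the resource definitions, which are outside this hunk.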
From: Zack Annexstein Date: Mon, 27 Feb 2023 13:34:10 -0800 Subject: [PATCH 47/88] parameterize --- examples/tf-state-backend/main.tf | 13 +++++++------ .../tf-state-backend.tfvars.example | 6 ++++-- examples/tf-state-backend/variables.tf | 18 +++++++++++------- 3 files changed, 22 insertions(+), 15 deletions(-) diff --git a/examples/tf-state-backend/main.tf b/examples/tf-state-backend/main.tf index e0437465..72cc58a6 100644 --- a/examples/tf-state-backend/main.tf +++ b/examples/tf-state-backend/main.tf @@ -4,18 +4,19 @@ provider "aws" { data "aws_partition" "current" {} +locals { + admin_arns = [for admin in var.aws_admin_usernames : "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${admin}"] +} + module "tfstate_backend" { source = "git::https://github.com/defenseunicorns/terraform-aws-tfstate-backend.git?ref=0.0.1" region = var.region - bucket_prefix = "my-tfstate-backend" - dynamodb_table_name = "my-tfstate-backend-lock" + bucket_prefix = var.bucket_prefix + dynamodb_table_name = var.dynamodb_table_name # list of admin's AWS account arn to allow control of KMS keys - cluster_key_admin_arns = [ - "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_1_username}", - "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_2_username}" - ] + cluster_key_admin_arns = local.admin_arns } output "tfstate_bucket_id" { diff --git a/examples/tf-state-backend/tf-state-backend.tfvars.example b/examples/tf-state-backend/tf-state-backend.tfvars.example index a98f5848..4c9d6ddb 100644 --- a/examples/tf-state-backend/tf-state-backend.tfvars.example +++ b/examples/tf-state-backend/tf-state-backend.tfvars.example 
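Review bot: `local.admin_arns` hard-codes the `:user/` resource type, so only IAM users can be granted KMS key administration even though the module input it feeds is described elsewhere in this series as `ARNs of IAM users or roles`; anyone who authenticates through a role (SSO, federation, CI) cannot be listed. Either state the limitation in the comment, `# IAM *user* ARNs only; roles are not supported by this example`, or accept full ARNs through a second variable and concatenate. Note also that an empty `aws_admin_usernames` yields `cluster_key_admin_arns = []`; what the module does with no key administrators is not visible here and is worth checking, since a KMS key with no administrators can become unmanageable.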
@@ -4,5 +4,7 @@ region = "us-east-2" # target AWS region account = "008675309" # target AWS account - aws_admin_1_username = "Bob.Marley" # enables eks access & ssh access to bastion - aws_admin_2_username = "Jane.Doe" # enables eks access & ssh access to bastion + aws_admin_usernames = [ + "Bob.Marley", + "Jane.Doe" + ] diff --git a/examples/tf-state-backend/variables.tf b/examples/tf-state-backend/variables.tf index 80768a04..499e32fe 100644 --- a/examples/tf-state-backend/variables.tf +++ b/examples/tf-state-backend/variables.tf @@ -8,13 +8,17 @@ variable "account" { type = string } -variable "aws_admin_1_username" { - description = "AWS username authorized to access S3 Terraform State Backend" - type = string +variable "aws_admin_usernames" { + description = "A list of one or more AWS usernames authorized to access S3 Terraform State Backend" + type = list(string) } -variable "aws_admin_2_username" { - description = "AWS username authorized to access S3 Terraform State Backend" - type = string - default = "" +variable "bucket_prefix" { + type = string + default = "my-tfstate-backend" +} + +variable "dynamodb_table_name" { + type = string + default = "my-tfstate-backend-lock" } From 91876ae603a0a87336b83db5cf9a6db845e1e614 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 13:34:21 -0800 Subject: [PATCH 48/88] add parameters to example --- examples/tf-state-backend/tf-state-backend.tfvars.example | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/examples/tf-state-backend/tf-state-backend.tfvars.example b/examples/tf-state-backend/tf-state-backend.tfvars.example index 4c9d6ddb..5a39cce1 100644 --- a/examples/tf-state-backend/tf-state-backend.tfvars.example +++ b/examples/tf-state-backend/tf-state-backend.tfvars.example 
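Review bot: The new `bucket_prefix` and `dynamodb_table_name` variables in examples/tf-state-backend/variables.tf have no `description`, unlike every other variable in the file; suggest `description = "Prefix for the S3 bucket that stores Terraform state"` and `description = "Name of the DynamoDB table used for state locking"`. `aws_admin_usernames` replaces a required `aws_admin_1_username`, but nothing checks that the new list is non-empty, so a `validation` block requiring at least one entry would keep the old guarantee; the variable declarations before `account` are outside the hunk.

```hcl
variable "aws_admin_usernames" {
  description = "A list of one or more AWS usernames authorized to access S3 Terraform State Backend"
  type        = list(string)

  validation {
    condition     = length(var.aws_admin_usernames) > 0
    error_message = "aws_admin_usernames must contain at least one username."
  }
}
# … unchanged: bucket_prefix and dynamodb_table_name …
```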
@@ -5,6 +5,8 @@ region = "us-east-2" # target AWS region account = "008675309" # target AWS account aws_admin_usernames = [ - "Bob.Marley", + "Bob.Marley" "Jane.Doe" ] + bucket_prefix = "my-tfstate-backend" + dynamodb_table_name = "my-tfstate-backend-lock" From f712b79a8b405cbc56a87ef28108c7ce85b167cc Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 13:36:42 -0800 Subject: [PATCH 49/88] add backend.tf.example --- examples/complete-self-managed-nodegroup/README.md | 2 ++ .../complete-self-managed-nodegroup/backend.tf.example | 9 +++++++++ 2 files changed, 11 insertions(+) create mode 100644 examples/complete-self-managed-nodegroup/backend.tf.example diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index 12d58653..27290cdc 100644 --- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md @@ -90,6 +90,8 @@ export AWS_DEFAULT_REGION=us-east-2 #set to your perferred region popd +cp backend.tf.example backend.tf + terraform init -backend-config="bucket=$BUCKET_ID" \ -backend-config="key=complete-self-managed-nodegroup/terraform.tfstate" \ -backend-config="dynamodb_table=$DYNAMODB_TABLE_NAME" \ diff --git a/examples/complete-self-managed-nodegroup/backend.tf.example b/examples/complete-self-managed-nodegroup/backend.tf.example new file mode 100644 index 00000000..6e9833ac --- /dev/null +++ b/examples/complete-self-managed-nodegroup/backend.tf.example @@ -0,0 +1,9 @@ +terraform { + backend "s3" { + region = "" + bucket = "" + key = "" + dynamodb_table = "" + encrypt = "true" + } +} From 911fd747e2fcfcebb1441332ed26f7d3c092b956 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 13:36:57 -0800 Subject: [PATCH 50/88] update lockfile thing --- examples/tf-state-backend/.terraform.lock.hcl | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) 
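Review bot: The comma after `"Bob.Marley"` is dropped, which the commit message does not mention; HCL appears to accept a newline as a tuple separator so this still parses, but it is inconsistent with the comma-separated `["Bob.Marley","Jane.Doe"]` used in the other tfvars examples and reads like an accidental deletion. Restoring `"Bob.Marley",` keeps the examples uniform.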
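Review bot: `encrypt = "true"` passes the S3 backend's boolean `encrypt` argument as a string; Terraform still converts the 0.11-style quoted form, but `encrypt = true` states the type correctly. The four empty-string attributes (`region`, `bucket`, `key`, `dynamodb_table`) are placeholders for the `-backend-config` values the README supplies at `terraform init`; with partial backend configuration they can be omitted, or kept with a comment such as `# supplied via -backend-config at init; see README` so a reader does not try to fill them in. The same point applies to the identical `backend.tf.example` added under examples/complete-managed-nodegroup in PATCH 51.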
diff --git a/examples/tf-state-backend/.terraform.lock.hcl b/examples/tf-state-backend/.terraform.lock.hcl
index 550b917f..c4e7be59 100644
--- a/examples/tf-state-backend/.terraform.lock.hcl
+++ b/examples/tf-state-backend/.terraform.lock.hcl
@@ -2,24 +2,24 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "4.55.0" + version = "4.56.0" constraints = ">= 4.9.0" hashes = [ - "h1:vSVjfh4GIrca2Z3YPjWMaac5hOEBc1U3xOOwFmo7HZc=", - "zh:0866f25575bad3b9c313cd778c94fc65e79d335af2d20a3480f79d7731d93b7b", - "zh:2c05c16155cbc054622cf83e4b6614fef35935b00b238e4c21ee225e6c896770", - "zh:2efba66649fb12af0492c6cce4e2361fe9139df648734264f61a9a1ef754df53", - "zh:3c60bb53e3b65d7f86699fae0797a55a9aa41b8ba377aaff4daf23d1661393a9", - "zh:41f6dcd90b54b623d523df8fb4a30779cfe22e9ab59516bc05b29291a7af0946", - "zh:4b8330b154e9e2d035dd5488abcac25efec1fa6055d3a70894a8c0384f0579d6", - "zh:595f263706cf1fb6b8447e2ec343638de4360841a15e6bff6ccbb0ff86c7ce74", - "zh:5dfc5b858a43cf45fde5542eb673f6104c14cdc3d73843d1b87a9e44545cbad4", - "zh:7bbe05cf30521f0110603bb84995a4025ce7810626010276600e4b402143df27", + "h1:v6DE95Ll2mxE96IGUsT/h6WQTU1d2cfHydWah1FgT20=", + "zh:1d2b7693a102da015a86b9235b554272b9280597011216c3ddd1a6dc95ad8dab", + "zh:28c3e8ebaa077f65c4ac5fd051c95887070293fcff0386dfc2e4b7e248a0aefa", + "zh:2a620bc4a87be06e7acac1bc15e966dba45df643bf6c3efb811e74e6c2122b03", + "zh:30d3ac148fa0634e7ba1de66e1af1328481c92cd774adcfc0e27f828103b17e0", + "zh:3d3eebf916f25e11b12dd3c692f8fe1e4c4e9a0c414af9d0d881ddebd28dcd39", + "zh:3f4600f2881c02fcc69080df68747c9a0b9b11cb002117fd918b7800f2ac402b", + "zh:7156fb12c3b4f2964f7e78cee97f31d95b43045467f90749d2ed545725c36baa", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a490e68c63504d3301d6dcb700c95778d93bb2baa6632a46c5a1d62862a7067c", - "zh:c4f9f6659148528375c8a822163925c9aae490ccce2e6301cefbbab009531971", - "zh:ef66070f957408f1c924ddfd5dbd0d34bce16efd9e36ccecbf699de72beb131f", - "zh:f7ba5e3e62a2b51b24e326797a89fdd86bafaea7d1912738d514c9903c14d7f2", - "zh:ffc20b7d9f7bd331fb6451d0fc92c68196383d7115e69380de6566cc268cb9b9", + "zh:a5bbc84fd37d468c7b016009776b6d2a287bbb746af81aba786cdf8eb5fce4a1", + 
"zh:d5322bcd4e11caddbbfaa1198893824d4b4d28f504517a3a87902cf86d75bd87", + "zh:d766eb9f86a40060d63e12ef674d7c9c47ec4e47ade487f1f49af8c89b441711", + "zh:df23f592b99f6617f09e449009bbb49068a69fc926b15ca29e30b068c9c67365", + "zh:e7b0acee2d98549731547259b539f598e18db07c0c202d3a34b922beff711054", + "zh:ec317f79fdcce934c39458ea312862e7f7ec48cafb8bcc9b5a00d9b78b629d81", + "zh:f78ec7a771867d96dfee96bf74523341ba42feeb64ce2f108b5bf2e7ebef0fef", ] } From ca31abdd850acea6f70876f9444149b75f3bdf1f Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 13:38:35 -0800 Subject: [PATCH 51/88] add backend.tf.example --- examples/complete-managed-nodegroup/README.md | 3 ++- examples/complete-managed-nodegroup/backend.tf.example | 9 +++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 examples/complete-managed-nodegroup/backend.tf.example diff --git a/examples/complete-managed-nodegroup/README.md b/examples/complete-managed-nodegroup/README.md index 46eaa02b..f2952865 100644 --- a/examples/complete-managed-nodegroup/README.md +++ b/examples/complete-managed-nodegroup/README.md @@ -51,7 +51,8 @@ export BUCKET_ID=`(terraform output -raw tfstate_bucket_id)` export DYNAMODB_TABLE_NAME=`(terraform output -raw tfstate_dynamodb_table_name)` cd tmp/examples/complete-complete-self-managed-nodegroup -mv backend.example backend.tf +cp backend.tf.example backend.tf + tf init -backend-config="bucket=$BUCKET_ID" \ -backend-config="key=complete-complete-self-managed-nodegroup/terraform.tfstate" \ -backend-config="dynamodb_table=$DYNAMODB_TABLE_NAME" \ diff --git a/examples/complete-managed-nodegroup/backend.tf.example b/examples/complete-managed-nodegroup/backend.tf.example new file mode 100644 index 00000000..6e9833ac --- /dev/null +++ b/examples/complete-managed-nodegroup/backend.tf.example @@ -0,0 +1,9 @@ +terraform { + backend "s3" { + region = "" + bucket = "" + key = "" + dynamodb_table = "" + encrypt = "true" + } +} 
From a06b039582aaee9034a266e725c4e92659ecfc07 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 14:13:00 -0800 Subject: [PATCH 52/88] DRYify admin username parameters --- examples/complete-managed-nodegroup/main.tf | 25 ++++++++----------- .../terraform.tfvars.example | 4 +-- .../complete-managed-nodegroup/variables.tf | 11 +++----- .../complete-self-managed-nodegroup/main.tf | 22 +++++++--------- .../variables.tf | 12 +++------ 5 files changed, 27 insertions(+), 47 deletions(-) diff --git a/examples/complete-managed-nodegroup/main.tf b/examples/complete-managed-nodegroup/main.tf index 5605b883..aaf6a8bf 100644 --- a/examples/complete-managed-nodegroup/main.tf +++ b/examples/complete-managed-nodegroup/main.tf @@ -16,6 +16,13 @@ locals { Blueprint = "${replace(basename(path.cwd), "_", "-")}" # tag names based on the directory name GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints" } + admin_arns = [for admin_user in var.aws_admin_usernames : "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${admin_user}"] + aws_auth_eks_map_users = [for admin_user in var.aws_admin_usernames : { + userarn = "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${admin_user}" + username = "${admin_user}" + groups = ["system:masters"] + } + ] } ########################################################### 
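Review bot: `username = "${admin_user}"` wraps a bare reference in interpolation, the legacy form that `terraform fmt` rewrites and `terraform validate` warns about; `username = admin_user` is sufficient. The ARN template is also written twice, once in `admin_arns` and again inside `aws_auth_eks_map_users`, so the two can drift; building both from one expression (for example a single local of `{ name = u, arn = "arn:..." }` objects, or iterating `admin_arns` by index) keeps them aligned. Both points apply equally to the self-managed copy in the PATCH 52 hunk for examples/complete-self-managed-nodegroup/main.tf. Since every listed user lands in `system:masters`, a one-line comment on the local, such as `# every admin user gets cluster-admin via system:masters`, makes that contract visible to whoever edits the list.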
@@ -93,24 +100,12 @@ module "eks" { source_security_group_id = module.bastion.security_group_ids[0] cluster_endpoint_public_access = var.cluster_endpoint_public_access cluster_endpoint_private_access = true - cluster_kms_key_additional_admin_arns = ["arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_1_username}", "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_2_username}"] + cluster_kms_key_additional_admin_arns = local.admin_arns eks_k8s_version = var.eks_k8s_version bastion_role_arn = module.bastion.bastion_role_arn bastion_role_name = module.bastion.bastion_role_name - aws_auth_eks_map_users = [ - { - userarn = "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_1_username}" - username = "${var.aws_admin_1_username}" - groups = ["system:masters"] - }, - { - userarn = "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_2_username}" - username = "${var.aws_admin_2_username}" - groups = ["system:masters"] - } - ] - - enable_managed_nodegroups = true + aws_auth_eks_map_users = local.aws_auth_eks_map_users + enable_managed_nodegroups = true #--------------------------------------------------------------- # EKS Blueprints - Managed Node Groups diff --git a/examples/complete-managed-nodegroup/terraform.tfvars.example b/examples/complete-managed-nodegroup/terraform.tfvars.example index 3c9c8a44..aae29a10 100644 --- a/examples/complete-managed-nodegroup/terraform.tfvars.example +++ b/examples/complete-managed-nodegroup/terraform.tfvars.example 
@@ -9,8 +9,8 @@ region2 = "us-east-1" # RDS backup target AWS region account = "100008675309" # target AWS account aws_profile = "du-dev" # local AWS profile to be used for deployment - aws_admin_1_username = "Bob.Marley" # enables eks access & ssh access to bastion - aws_admin_2_username = "Jane.Doe" # enables eks access & ssh access to bastion + aws_admin_usernames = ["Bob.Marley","Jane.Doe"] # list of users to be added to the AWS admin group + ########################################################### #################### VPC Config ########################### diff --git a/examples/complete-managed-nodegroup/variables.tf b/examples/complete-managed-nodegroup/variables.tf index bbc4e8d7..ad7fb891 100644 --- a/examples/complete-managed-nodegroup/variables.tf +++ b/examples/complete-managed-nodegroup/variables.tf @@ -21,14 +21,9 @@ variable "aws_profile" { type = string } -variable "aws_admin_1_username" { - description = "The AWS admin username to use for deployment" - type = string -} - -variable "aws_admin_2_username" { - description = "The AWS admin username to use for deployment" - type = string +variable "aws_admin_usernames" { + description = "A list of one or more AWS usernames authorized to access S3 Terraform State Backend" + type = list(string) } ########################################################### diff --git a/examples/complete-self-managed-nodegroup/main.tf b/examples/complete-self-managed-nodegroup/main.tf index ddac6c67..f6ec23f9 100644 --- a/examples/complete-self-managed-nodegroup/main.tf +++ b/examples/complete-self-managed-nodegroup/main.tf 
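Review bot: The new inline comment `# list of users to be added to the AWS admin group` misdescribes what the value does; nothing in main.tf creates or joins an IAM group, the usernames are turned into KMS key admin ARNs and into aws-auth entries in `system:masters`. A comment that matches the effect, e.g. `# IAM usernames granted KMS key admin and EKS system:masters (aws-auth)`, will stop readers from expecting an IAM group. The same comment is added to the self-managed tfvars example in PATCH 54.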
@@ -5,6 +5,13 @@ locals { Blueprint = "${replace(basename(path.cwd), "_", "-")}" # tag names based on the directory name GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints" } + admin_arns = [for admin_user in var.aws_admin_usernames : "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${admin_user}"] + aws_auth_eks_map_users = [for admin_user in var.aws_admin_usernames : { + userarn = "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${admin_user}" + username = "${admin_user}" + groups = ["system:masters"] + } + ] } data "aws_ami" "amazonlinux2" { @@ -93,22 +100,11 @@ module "eks" { source_security_group_id = module.bastion.security_group_ids[0] cluster_endpoint_public_access = var.cluster_endpoint_public_access cluster_endpoint_private_access = true - cluster_kms_key_additional_admin_arns = ["arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_1_username}", "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_2_username}"] + cluster_kms_key_additional_admin_arns = local.admin_arns eks_k8s_version = var.eks_k8s_version bastion_role_arn = module.bastion.bastion_role_arn bastion_role_name = module.bastion.bastion_role_name - aws_auth_eks_map_users = [ - { - userarn = "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_1_username}" - username = "${var.aws_admin_1_username}" - groups = ["system:masters"] - }, - { - userarn = "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${var.aws_admin_2_username}" - username = "${var.aws_admin_2_username}" - groups = ["system:masters"] - } - ] + aws_auth_eks_map_users = local.aws_auth_eks_map_users enable_managed_nodegroups = false diff --git a/examples/complete-self-managed-nodegroup/variables.tf b/examples/complete-self-managed-nodegroup/variables.tf index a97d7695..e131249a 100644 --- a/examples/complete-self-managed-nodegroup/variables.tf 
+++ b/examples/complete-self-managed-nodegroup/variables.tf @@ -21,16 +21,10 @@ variable "aws_profile" { type = string } -variable "aws_admin_1_username" { - description = "The AWS admin username to use for deployment" - type = string +variable "aws_admin_usernames" { + description = "A list of one or more AWS usernames authorized to access S3 Terraform State Backend" + type = list(string) } - -variable "aws_admin_2_username" { - description = "The AWS admin username to use for deployment" - type = string -} - ########################################################### #################### VPC Config ########################### From 33134786faed259344bf5f2ee440d5e9c4108747 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 14:20:55 -0800 Subject: [PATCH 53/88] update variables --- examples/complete-managed-nodegroup/README.md | 3 +-- examples/complete-managed-nodegroup/variables.tf | 2 +- examples/complete-self-managed-nodegroup/README.md | 3 +-- examples/complete-self-managed-nodegroup/variables.tf | 2 +- examples/tf-state-backend/variables.tf | 2 +- 5 files changed, 5 insertions(+), 7 deletions(-) diff --git a/examples/complete-managed-nodegroup/README.md b/examples/complete-managed-nodegroup/README.md index f2952865..1d53ab21 100644 --- a/examples/complete-managed-nodegroup/README.md +++ b/examples/complete-managed-nodegroup/README.md 
@@ -174,8 +174,7 @@ No requirements. |------|-------------|------|---------|:--------:| | [account](#input\_account) | The AWS account to deploy into | `string` | n/a | yes | | [assign\_public\_ip](#input\_assign\_public\_ip) | Whether to assign a public IP to the bastion | `bool` | `false` | no | -| [aws\_admin\_1\_username](#input\_aws\_admin\_1\_username) | The AWS admin username to use for deployment | `string` | n/a | yes | -| [aws\_admin\_2\_username](#input\_aws\_admin\_2\_username) | The AWS admin username to use for deployment | `string` | n/a | yes | +| [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with authorized access to KMS and EKS resources | `list(string)` | n/a | yes | | [aws\_profile](#input\_aws\_profile) | The AWS profile to use for deployment | `string` | n/a | yes | | [bastion\_ami\_id](#input\_bastion\_ami\_id) | (Optional) The AMI ID to use for the bastion, will query the latest Amazon Linux 2 AMI if not provided | `string` | `""` | no | | [bastion\_instance\_type](#input\_bastion\_instance\_type) | value for the instance type of the EKS worker nodes | `string` | `"m5.xlarge"` | no | diff --git a/examples/complete-managed-nodegroup/variables.tf b/examples/complete-managed-nodegroup/variables.tf index ad7fb891..d7b22ef6 100644 --- a/examples/complete-managed-nodegroup/variables.tf +++ b/examples/complete-managed-nodegroup/variables.tf @@ -22,7 +22,7 @@ variable "aws_profile" { } variable "aws_admin_usernames" { - description = "A list of one or more AWS usernames authorized to access S3 Terraform State Backend" + description = "A list of one or more AWS usernames with authorized access to KMS and EKS resources" type = list(string) } diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index 27290cdc..96cf85aa 100644 --- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md 
@@ -216,8 +216,7 @@ No requirements. |------|-------------|------|---------|:--------:| | [account](#input\_account) | The AWS account to deploy into | `string` | n/a | yes | | [assign\_public\_ip](#input\_assign\_public\_ip) | Whether to assign a public IP to the bastion | `bool` | `false` | no | -| [aws\_admin\_1\_username](#input\_aws\_admin\_1\_username) | The AWS admin username to use for deployment | `string` | n/a | yes | -| [aws\_admin\_2\_username](#input\_aws\_admin\_2\_username) | The AWS admin username to use for deployment | `string` | n/a | yes | +| [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with authorized access to KMS and EKS resources | `list(string)` | n/a | yes | | [aws\_profile](#input\_aws\_profile) | The AWS profile to use for deployment | `string` | n/a | yes | | [bastion\_ami\_id](#input\_bastion\_ami\_id) | (Optional) The AMI ID to use for the bastion, will query the latest Amazon Linux 2 AMI if not provided | `string` | `""` | no | | [bastion\_instance\_type](#input\_bastion\_instance\_type) | value for the instance type of the EKS worker nodes | `string` | `"m5.xlarge"` | no | diff --git a/examples/complete-self-managed-nodegroup/variables.tf b/examples/complete-self-managed-nodegroup/variables.tf index e131249a..4da8ceb9 100644 --- a/examples/complete-self-managed-nodegroup/variables.tf +++ b/examples/complete-self-managed-nodegroup/variables.tf @@ -22,7 +22,7 @@ variable "aws_profile" { } variable "aws_admin_usernames" { - description = "A list of one or more AWS usernames authorized to access S3 Terraform State Backend" + description = "A list of one or more AWS usernames with authorized access to KMS and EKS resources" type = list(string) } ########################################################### diff --git a/examples/tf-state-backend/variables.tf b/examples/tf-state-backend/variables.tf index 499e32fe..7bcaa451 100644 --- a/examples/tf-state-backend/variables.tf 
+++ b/examples/tf-state-backend/variables.tf @@ -9,7 +9,7 @@ variable "account" { } variable "aws_admin_usernames" { - description = "A list of one or more AWS usernames authorized to access S3 Terraform State Backend" + description = "A list of one or more AWS usernames with authorized access to KMS and EKS resources" type = list(string) } From 8abc80106d24103c13a3663dc5125a4c2ad959c9 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 14:22:45 -0800 Subject: [PATCH 54/88] DRYify input vars --- .../complete-self-managed-nodegroup/terraform.tfvars.example | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/examples/complete-self-managed-nodegroup/terraform.tfvars.example b/examples/complete-self-managed-nodegroup/terraform.tfvars.example index 70b8a0a4..6c4b49cb 100644 --- a/examples/complete-self-managed-nodegroup/terraform.tfvars.example +++ b/examples/complete-self-managed-nodegroup/terraform.tfvars.example @@ -9,8 +9,7 @@ region2 = "us-east-1" # RDS backup target AWS region account = "100008675309" # target AWS account aws_profile = "du-dev" # local AWS profile to be used for deployment - aws_admin_1_username = "Bob.Marley" # enables eks access & ssh access to bastion - aws_admin_2_username = "Jane.Doe" # enables eks access & ssh access to bastion + aws_admin_usernames = ["Bob.Marley","Jane.Doe"] # list of users to be added to the AWS admin group ########################################################### #################### VPC Config ########################### From 747a5199c7088eaa0637e507837af03104f99850 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 27 Feb 2023 14:56:44 -0800 Subject: [PATCH 55/88] add -foce-copy --- examples/complete-self-managed-nodegroup/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index 96cf85aa..43a793aa 100644 
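Review bot: The description `"A list of one or more AWS usernames with authorized access to KMS and EKS resources"` is inaccurate for examples/tf-state-backend, where (per the PATCH 47 change to main.tf) the list only feeds `cluster_key_admin_arns` of the state-backend module and no EKS resources exist. The wording was copied from the two EKS examples; here something like `description = "IAM usernames granted admin access to the KMS key protecting the Terraform state backend"` describes the actual grant.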
--- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md @@ -92,7 +92,8 @@ popd cp backend.tf.example backend.tf -terraform init -backend-config="bucket=$BUCKET_ID" \ +#copy init and copy state if it exists +terraform init -force-copy -backend-config="bucket=$BUCKET_ID" \ -backend-config="key=complete-self-managed-nodegroup/terraform.tfstate" \ -backend-config="dynamodb_table=$DYNAMODB_TABLE_NAME" \ -backend-config="region=$AWS_DEFAULT_REGION" From 41c82b9be85e2b582552eb14575fc57e33726016 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Tue, 28 Feb 2023 09:37:45 -0800 Subject: [PATCH 56/88] Remove variable, do not need defaults at the moment --- examples/complete-managed-nodegroup/variables.tf | 6 ------ examples/complete-self-managed-nodegroup/main.tf | 2 +- examples/complete-self-managed-nodegroup/variables.tf | 6 ------ 3 files changed, 1 insertion(+), 13 deletions(-) diff --git a/examples/complete-managed-nodegroup/variables.tf b/examples/complete-managed-nodegroup/variables.tf index d7b22ef6..e0e29cb9 100644 --- a/examples/complete-managed-nodegroup/variables.tf +++ b/examples/complete-managed-nodegroup/variables.tf @@ -73,12 +73,6 @@ variable "cluster_endpoint_public_access" { default = false } -variable "instance_type" { - description = "value for the instance type of the EKS worker nodes" - type = string - default = "m5.xlarge" -} - ########################################################### ################## Bastion Config ######################### diff --git a/examples/complete-self-managed-nodegroup/main.tf b/examples/complete-self-managed-nodegroup/main.tf index f6ec23f9..cd02e433 100644 --- a/examples/complete-self-managed-nodegroup/main.tf +++ b/examples/complete-self-managed-nodegroup/main.tf @@ -169,7 +169,7 @@ module "eks" { } ] - instance_type = var.instance_type + instance_type = "m5.xlarge" desired_size = 3 max_size = 10 min_size = 3 
diff --git a/examples/complete-self-managed-nodegroup/variables.tf b/examples/complete-self-managed-nodegroup/variables.tf index 4da8ceb9..e698daaa 100644 --- a/examples/complete-self-managed-nodegroup/variables.tf +++ b/examples/complete-self-managed-nodegroup/variables.tf @@ -72,12 +72,6 @@ variable "cluster_endpoint_public_access" { default = false } -variable "instance_type" { - description = "value for the instance type of the EKS worker nodes" - type = string - default = "m5.xlarge" -} - ########################################################### ################## Bastion Config ######################### From 3a472317b415a38defe99c219c0d042f38ff30a0 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Tue, 28 Feb 2023 10:00:04 -0800 Subject: [PATCH 57/88] added cluster_name --- examples/complete-self-managed-nodegroup/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index 43a793aa..dca521e2 100644 --- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md @@ -154,7 +154,8 @@ This following command used to update the `kubeconfig` in your local machine whe `~/.kube/config` file gets updated with cluster details and certificate from the below command ```bash -aws eks --region $AWS_DEFAULT_REGION update-kubeconfig --name +CLUSTER_NAME=$(grep 'cluster_name' terraform.tfvars | cut -d'=' -f2 | tr -d '[:space:]' | sed 's/"//g') +aws eks --region $AWS_DEFAULT_REGION update-kubeconfig --name $CLUSTER_NAME ``` #### Step 7: List all the worker nodes by running the command below From b3429b109ea532fc95b23e4dbb865e171da14940 Mon Sep 17 00:00:00 2001 
From: Zack Annexstein Date: Tue, 28 Feb 2023 10:35:43 -0800 Subject: [PATCH 58/88] update readmes --- examples/complete-managed-nodegroup/README.md | 1 - examples/complete-self-managed-nodegroup/README.md | 3 +-- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/examples/complete-managed-nodegroup/README.md b/examples/complete-managed-nodegroup/README.md index 1d53ab21..820ff7f4 100644 --- a/examples/complete-managed-nodegroup/README.md +++ b/examples/complete-managed-nodegroup/README.md @@ -188,7 +188,6 @@ No requirements. | [create\_database\_subnet\_route\_table](#input\_create\_database\_subnet\_route\_table) | Whether to create a database subnet route table | `bool` | `true` | no | | [eks\_k8s\_version](#input\_eks\_k8s\_version) | The Kubernetes version to use for the EKS cluster | `string` | `"1.23"` | no | | [eks\_worker\_tenancy](#input\_eks\_worker\_tenancy) | The tenancy of the EKS worker nodes | `string` | `"default"` | no | -| [instance\_type](#input\_instance\_type) | value for the instance type of the EKS worker nodes | `string` | `"m5.xlarge"` | no | | [kc\_db\_allocated\_storage](#input\_kc\_db\_allocated\_storage) | The database allocated storage to use for Keycloak | `number` | n/a | yes | | [kc\_db\_engine\_version](#input\_kc\_db\_engine\_version) | The database engine to use for Keycloak | `string` | n/a | yes | | [kc\_db\_family](#input\_kc\_db\_family) | The database family to use for Keycloak | `string` | n/a | yes | diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index dca521e2..cf25e6e3 100644 --- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md 
@@ -86,7 +86,7 @@ pushd ../tf-state-backend terraform apply export BUCKET_ID=`(terraform output -raw tfstate_bucket_id)` export DYNAMODB_TABLE_NAME=`(terraform output -raw tfstate_dynamodb_table_name)` -export AWS_DEFAULT_REGION=us-east-2 #set to your perferred region +export AWS_DEFAULT_REGION=$(grep 'region' terraform.tfvars | grep -v 'region2' |cut -d'=' -f2 | cut -d'#' -f1 | tr -d '[:space:]' | sed 's/"//g') popd @@ -232,7 +232,6 @@ No requirements. | [create\_database\_subnet\_route\_table](#input\_create\_database\_subnet\_route\_table) | Whether to create a database subnet route table | `bool` | `true` | no | | [eks\_k8s\_version](#input\_eks\_k8s\_version) | The Kubernetes version to use for the EKS cluster | `string` | `"1.23"` | no | | [eks\_worker\_tenancy](#input\_eks\_worker\_tenancy) | The tenancy of the EKS worker nodes | `string` | `"default"` | no | -| [instance\_type](#input\_instance\_type) | value for the instance type of the EKS worker nodes | `string` | `"m5.xlarge"` | no | | [kc\_db\_allocated\_storage](#input\_kc\_db\_allocated\_storage) | The database allocated storage to use for Keycloak | `number` | n/a | yes | | [kc\_db\_engine\_version](#input\_kc\_db\_engine\_version) | The database engine to use for Keycloak | `string` | n/a | yes | | [kc\_db\_family](#input\_kc\_db\_family) | The database family to use for Keycloak | `string` | n/a | yes | From 369b5022462be4b089655f55589c4cd3c59caf49 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Tue, 28 Feb 2023 14:43:13 -0800 Subject: [PATCH 59/88] fix some pah and var logic --- examples/zarf-complete-example/Makefile | 8 ++--- examples/zarf-complete-example/zarf.yaml | 45 ++++++++++++------------ 2 files changed, 27 insertions(+), 26 deletions(-) diff --git a/examples/zarf-complete-example/Makefile b/examples/zarf-complete-example/Makefile index e11bbe70..8ee56360 100755 --- a/examples/zarf-complete-example/Makefile +++ b/examples/zarf-complete-example/Makefile 
@@ -1,6 +1,6 @@ # The version of Zarf to use. To keep this repo as portable as possible the Zarf binary will be downloaded and added to # the build folder. -ZARF_VERSION := v0.23.4-40-g929bc645 +ZARF_VERSION := v0.24.2 # Figure out which Zarf binary we should use based on the operating system we are on ZARF_BIN := zarf @@ -34,10 +34,10 @@ else endif # Set terraform version -TF_VERSION := 1.3.6 +TF_VERSION := 1.3.9 # Terraform environment directory -TF_ENV_DIR := "../complete-example" -TF_ENV := "complete-example" +TF_ENV_DIR := "../complete-self-managed-nodegroup" +TF_ENV := "complete-self-managed-nodegroup" TF_ENV_STATE_DIR := "../tf-state-backend" TF_ENV_STATE := "tf-state-backend" # Terraform modules directory diff --git a/examples/zarf-complete-example/zarf.yaml b/examples/zarf-complete-example/zarf.yaml index 83cdde28..9ee0ab36 100644 --- a/examples/zarf-complete-example/zarf.yaml +++ b/examples/zarf-complete-example/zarf.yaml @@ -16,11 +16,8 @@ variables: - name: AWS_PROFILE description: "local AWS profile to be used for deployment" prompt: true - - name: AWS_ADMIN_1_USERNAME - description: "AWS username for admin, ex. Bob.Marley" - prompt: true - - name: AWS_ADMIN_2_USERNAME - description: "AWS username for additional admin, ex. Jane.Doe" + - name: AWS_ADMIN_USERNAMES + description: "AWS username for admin, ex. Bob.Marley, ENTER AS A LIST ex [\"Bob.Marley\",\"Jane.Doe\"]" prompt: true - name: VPC_CIDR default: "10.200.0.0/16" @@ -29,7 +26,7 @@ variables: - name: CLUSTER_NAME default: "my-eks" - name: EKS_K8S_VERSION - default: "1.23" + default: "1.24" - name: BASTION_NAME default: "my-bastion" - name: BASTION_SSH_USER @@ -38,8 +35,8 @@ variables: - name: BASTION_SSH_PASSWORD description: "Bastion password for ssh" prompt: true - - name: BASTION_AMI_ID - default: "ami-000d4884381edb14c" + # - name: BASTION_AMI_ID + # default: "ami-000d4884381edb14c" - name: KEYCLOAK_ENABLED default: "true" - name: KEYCLOAK_DB_PASSWORD 
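Review bot: The `AWS_ADMIN_USERNAMES` prompt asks the operator to type HCL list syntax by hand, and its description mixes the old single-name example with the new list form (`"AWS username for admin, ex. Bob.Marley, ENTER AS A LIST ex [...]"`). A description that states the expected shape once, e.g. `description: "AWS IAM usernames for admins, entered as an HCL list, ex [\"Bob.Marley\",\"Jane.Doe\"]"`, is clearer; how the answer reaches Terraform is not visible in this hunk, so a malformed list presumably only surfaces at apply time inside the deploy components.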
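Review bot: `BASTION_AMI_ID` is commented out rather than deleted, leaving a dead variable block with a stale AMI id in the file; since `bastion_ami_id` is now optional and resolved from the latest Amazon Linux 2 AMI (PATCH 01), the two lines can be removed and recovered from history if ever needed. If it is kept deliberately as a documented override, a comment like `# uncomment to pin a specific bastion AMI instead of the latest AL2 image` explains why it is there.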
@@ -52,13 +49,14 @@ variables: - name: KC_DB_MAJOR_ENGINE_VERSION default: "14" - name: KC_DB_ALLOCATED_STORAGE - default: 20.0 + default: 20 - name: KC_DB_MAX_ALLOCATED_STORAGE - default: 100.0 + default: 100 - name: KC_DB_INSTANCE_CLASS default: "db.t4g.large" + # used in bastion userdata to download zarf binary - name: ZARF_VERSION - default: "v0.24.0-rc4" + default: "v0.24.2" components: - name: download-dependencies @@ -74,7 +72,7 @@ components: # - "./zarf tools archiver decompress tmp/awscliv2.zip ." # - "rm -rf tmp/" files: - # terraform binary + # terraform binary into zarf package - source: https://releases.hashicorp.com/terraform/###ZARF_PKG_VAR_TF_VERSION###/terraform_###ZARF_PKG_VAR_TF_VERSION###_###ZARF_PKG_VAR_ARCH_NAME###_###ZARF_PKG_VAR_ARCH_PROC###.zip target: tmp/terraform_###ZARF_PKG_VAR_TF_VERSION###_###ZARF_PKG_VAR_ARCH_NAME###_###ZARF_PKG_VAR_ARCH_PROC###.zip # aws cli binary @@ -90,9 +88,11 @@ components: maxTotalSeconds: 300 maxRetries: 3 before: + #just used to build the .terraform folder and modules for airgapping - cmd: "terraform init -backend=false" dir: "###ZARF_PKG_VAR_TF_ENV_DIR###" - - cmd: "terraform init" + #just used to build the .terraform folder and modules for airgapping + - cmd: "terraform init -backend=false" dir: "###ZARF_PKG_VAR_TF_ENV_STATE_DIR###" files: - source: "###ZARF_PKG_VAR_TF_ENV_DIR###" @@ -102,13 +102,14 @@ components: - source: "###ZARF_PKG_VAR_TF_MODULES_DIR###" target: "tmp/modules" + # one-time backend configuraion module for s3 - name: terraform-s3-bucket actions: onDeploy: defaults: maxTotalSeconds: 300 maxRetries: 3 - dir: "tmp/###ZARF_PKG_VAR_TF_ENV_STATE###" + dir: "tmp/examples/###ZARF_PKG_VAR_TF_ENV_STATE###" before: - cmd: "terraform apply -auto-approve" - cmd: "terraform output -raw tfstate_bucket_id" 
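Review bot: `ZARF_VERSION` is now pinned in two places, `ZARF_VERSION := v0.24.2` in the Makefile hunk of this same commit and `default: "v0.24.2"` here, with nothing tying them together, so the next bump can easily update one and not the other. The new comment says this value is used by the bastion userdata to download the Zarf binary; that userdata is not in the hunk, but if it fetches by version alone, a companion variable carrying the expected checksum (e.g. `- name: ZARF_SHA256` with a note `# checksum of the release archive for ZARF_VERSION; verify after download`) would let the userdata verify what it installs, the same way `files:` entries in this package can carry a `shasum`.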
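Review bot: The added comment `# one-time backend configuraion module for s3` has a typo (`configuraion` → `configuration`), and "module" is slightly misleading for a Zarf component whose `before` actions run `terraform apply -auto-approve` in the state-backend directory. `# one-time component: applies the examples/tf-state-backend S3/DynamoDB state backend` describes it more precisely.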
@@ -122,7 +123,7 @@ components: onDeploy: defaults: maxRetries: 3 - dir: tmp/###ZARF_PKG_VAR_TF_ENV### + dir: tmp/examples/###ZARF_PKG_VAR_TF_ENV### before: - cmd: terraform init -backend-config="bucket=$ZARF_VAR_BUCKET_ID" -backend-config="key=###ZARF_PKG_VAR_TF_ENV###/terraform.tfstate" -backend-config="dynamodb_table=$ZARF_VAR_DYNAMODB_TABLE_NAME" -backend-config="region=$ZARF_VAR_REGION" - cmd: "terraform apply -target=module.vpc -target=module.bastion -auto-approve" @@ -138,21 +139,21 @@ components: defaults: maxTotalSeconds: 300 maxRetries: 3 - dir: "tmp/###ZARF_PKG_VAR_TF_ENV_STATE###" + dir: "tmp/examples/###ZARF_PKG_VAR_TF_ENV_STATE###" before: - cmd: "terraform output -raw tfstate_bucket_id" setVariable: BUCKET_ID - cmd: "terraform output -raw tfstate_dynamodb_table_name" setVariable: DYNAMODB_TABLE_NAME - cmd: terraform init -backend-config="bucket=$ZARF_VAR_BUCKET_ID" -backend-config="key=###ZARF_PKG_VAR_TF_ENV###/terraform.tfstate" -backend-config="dynamodb_table=$ZARF_VAR_DYNAMODB_TABLE_NAME" -backend-config="region=$ZARF_VAR_REGION" - dir: tmp/###ZARF_PKG_VAR_TF_ENV### + dir: tmp/examples/###ZARF_PKG_VAR_TF_ENV### - name: terraform-apply-eks actions: onDeploy: defaults: maxRetries: 3 - dir: tmp/###ZARF_PKG_VAR_TF_ENV### + dir: tmp/examples/###ZARF_PKG_VAR_TF_ENV### before: - cmd: "terraform apply -target=module.eks -auto-approve" @@ -161,7 +162,7 @@ components: onDeploy: defaults: maxRetries: 3 - dir: tmp/###ZARF_PKG_VAR_TF_ENV### + dir: tmp/examples/###ZARF_PKG_VAR_TF_ENV### before: - cmd: terraform init -backend-config="bucket=$ZARF_VAR_BUCKET_ID" -backend-config="key=###ZARF_PKG_VAR_TF_ENV###/terraform.tfstate" -backend-config="dynamodb_table=$ZARF_VAR_DYNAMODB_TABLE_NAME" -backend-config="region=$ZARF_VAR_REGION" - cmd: "terraform apply -target=module.flux_sops -target=module.loki_s3_bucket -target=module.rds_postgres_keycloak -auto-approve" 
@@ -171,7 +172,7 @@ components:
 onDeploy:
 defaults:
 maxRetries: 3
- dir: tmp/###ZARF_PKG_VAR_TF_ENV###
+ dir: tmp/examples/###ZARF_PKG_VAR_TF_ENV###
 before:
 - cmd: terraform init -backend-config="bucket=$ZARF_VAR_BUCKET_ID" -backend-config="key=###ZARF_PKG_VAR_TF_ENV###/terraform.tfstate" -backend-config="dynamodb_table=$ZARF_VAR_DYNAMODB_TABLE_NAME" -backend-config="region=$ZARF_VAR_REGION"
 - cmd: "terraform apply -destroy -target=module.rds_postgres_keycloak -target=module.loki_s3_bucket -target=module.flux_sops -auto-approve"
@@ -181,7 +182,7 @@ components:
 onDeploy:
 defaults:
 maxRetries: 3
- dir: tmp/###ZARF_PKG_VAR_TF_ENV###
+ dir: tmp/examples/###ZARF_PKG_VAR_TF_ENV###
 before:
 - cmd: terraform init -backend-config="bucket=$ZARF_VAR_BUCKET_ID" -backend-config="key=###ZARF_PKG_VAR_TF_ENV###/terraform.tfstate" -backend-config="dynamodb_table=$ZARF_VAR_DYNAMODB_TABLE_NAME" -backend-config="region=$ZARF_VAR_REGION"
 - cmd: "terraform apply -destroy -target=module.eks -auto-approve"
@@ -191,7 +192,7 @@ components:
 onDeploy:
 defaults:
 maxRetries: 3
- dir: tmp/###ZARF_PKG_VAR_TF_ENV###
+ dir: tmp/examples/###ZARF_PKG_VAR_TF_ENV###
 before:
 - cmd: terraform init -backend-config="bucket=$ZARF_VAR_BUCKET_ID" -backend-config="key=###ZARF_PKG_VAR_TF_ENV###/terraform.tfstate" -backend-config="dynamodb_table=$ZARF_VAR_DYNAMODB_TABLE_NAME" -backend-config="region=$ZARF_VAR_REGION"
 - cmd: "terraform apply -destroy -auto-approve"
From 91d151d28aa40bd4cf6897be1839fab3b1a8852c Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Tue, 28 Feb 2023 14:45:52 -0800 Subject: [PATCH 60/88] update readme --- examples/complete-self-managed-nodegroup/README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md
index cf25e6e3..61e97b92 100644
--- a/examples/complete-self-managed-nodegroup/README.md
+++ b/examples/complete-self-managed-nodegroup/README.md
@@ -86,13 +86,15 @@ pushd ../tf-state-backend terraform apply export BUCKET_ID=`(terraform output -raw tfstate_bucket_id)` export DYNAMODB_TABLE_NAME=`(terraform output -raw tfstate_dynamodb_table_name)` -export AWS_DEFAULT_REGION=$(grep 'region' terraform.tfvars | grep -v 'region2' |cut -d'=' -f2 | cut -d'#' -f1 | tr -d '[:space:]' | sed 's/"//g') popd +export AWS_DEFAULT_REGION=$(grep 'region' terraform.tfvars | grep -v 'region2' |cut -d'=' -f2 | cut -d'#' -f1 | tr -d '[:space:]' | sed 's/"//g') + +#make backend file cp backend.tf.example backend.tf -#copy init and copy state if it exists +#init and copy state if it exists terraform init -force-copy -backend-config="bucket=$BUCKET_ID" \ -backend-config="key=complete-self-managed-nodegroup/terraform.tfstate" \ -backend-config="dynamodb_table=$DYNAMODB_TABLE_NAME" \ From 1fb2bd75f37e6649f5d5f7520abb3d9cb2f80e73 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Tue, 28 Feb 2023 15:10:07 -0800 Subject: [PATCH 61/88] update readme --- examples/complete-managed-nodegroup/README.md | 108 +++++++++++++----- .../complete-self-managed-nodegroup/README.md | 6 +- 2 files changed, 80 insertions(+), 34 deletions(-) diff --git a/examples/complete-managed-nodegroup/README.md b/examples/complete-managed-nodegroup/README.md index 820ff7f4..2f40e2ce 100644 --- a/examples/complete-managed-nodegroup/README.md +++ b/examples/complete-managed-nodegroup/README.md 
@@ -8,6 +8,33 @@ This example deploys the following Basic EKS Cluster with VPC - Creates a Bastion host in a private subnet - Creates dependencies needed for BigBang +--- +**Table of contents:** +- [EKS Cluster Deployment with new VPC \& Big Bang Dependencies](#eks-cluster-deployment-with-new-vpc--big-bang-dependencies) + - [How to Deploy](#how-to-deploy) + - [Prerequisites](#prerequisites) + - [Deployment Steps](#deployment-steps) + - [Step 1: Preparation](#step-1-preparation) + - [Step 2: Modify terraform.tfvars (located in tmp directory) with desired values](#step-2-modify-terraformtfvars-located-in-tmp-directory-with-desired-values) + - [Step 3: Terraform Init \& State](#step-3-terraform-init--state) + - [local](#local) + - [remote](#remote) + - [Step 4: Provision VPC and Bastion](#step-4-provision-vpc-and-bastion) + - [Step 5: (Required if EKS Public Access set to False) Connect to the Bastion using SSHuttle and Provision the remaining Infrastucture](#step-5-required-if-eks-public-access-set-to-false-connect-to-the-bastion-using-sshuttle-and-provision-the-remaining-infrastucture) + - [Configure `kubectl` and test cluster](#configure-kubectl-and-test-cluster) + - [Step 6: Run the `aws eks update-kubeconfig` command](#step-6-run-the-aws-eks-update-kubeconfig-command) + - [Step 7: List all the worker nodes by running the command below](#step-7-list-all-the-worker-nodes-by-running-the-command-below) + - [Step 8: List all the pods running in `kube-system` namespace](#step-8-list-all-the-pods-running-in-kube-system-namespace) + - [Cleanup](#cleanup) + - [Requirements](#requirements) + - [Providers](#providers) + - [Modules](#modules) + - [Resources](#resources) + - [Inputs](#inputs) + - [Outputs](#outputs) + +--- + ## How to Deploy ### Prerequisites 
@@ -16,8 +43,9 @@ Ensure that you have installed the following tools in your Mac or Windows Laptop 1. [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) 2. [Kubectl](https://Kubernetes.io/docs/tasks/tools/) -3. [Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) -4. [SSHuttle](https://github.com/sshuttle/sshuttle) +3. [Helm](https://helm.sh/docs/intro/install/) +4. [Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) +5. [SSHuttle](https://github.com/sshuttle/sshuttle) Ensure that your AWS credentials are configured. This can be done by running `aws configure` @@ -26,15 +54,20 @@ Ensure that your AWS credentials are configured. This can be done by running `aw #### Step 1: Preparation ```sh -mkdir tmp && cd tmp git clone https://github.com/defenseunicorns/iac.git -cd examples/complete-complete-self-managed-nodegroup/ -cp terraform.tfvars.example ../../../terraform.tfvars +cd ./iac/examples/complete-managed-nodegroup +cp terraform.tfvars.example terraform.tfvars ``` -Modify terraform.tfvars (located in tmp directory) with desired values. AWS usernames must be changed to match actual usernames `aws iam get-user | jq '.[]' | jq -r '.UserName'` +#### Step 2: Modify terraform.tfvars (located in tmp directory) with desired values + +AWS usernames must be changed to match actual usernames `aws iam get-user | jq '.[]' | jq -r '.UserName'` + +#### Step 3: Terraform Init & State -#### Step 2: Terraform Init & State +Use remote or local state for terraform + +##### local Initialize a working directory with configuration files and create local terraform state file 
@@ -42,33 +75,43 @@ Initialize a working directory with configuration files and create local terrafo terraform init ``` -(OPTIONAL) Alternatively, you can provision an S3 backend prior to this step using the tf-state-backend example and init via the following: +##### remote + +Alternatively, you can provision an S3 backend prior to this step using the tf-state-backend example and init via the following: ```sh -cd tmp/examples/tf-state-backend +#from the ./iac/examples/complete-self-managed-nodegroup directory +pushd ../tf-state-backend + terraform apply export BUCKET_ID=`(terraform output -raw tfstate_bucket_id)` export DYNAMODB_TABLE_NAME=`(terraform output -raw tfstate_dynamodb_table_name)` -cd tmp/examples/complete-complete-self-managed-nodegroup +popd + +export AWS_DEFAULT_REGION=$(grep 'region' terraform.tfvars | grep -v 'region2' |cut -d'=' -f2 | cut -d'#' -f1 | tr -d '[:space:]' | sed 's/"//g') + +#make backend file cp backend.tf.example backend.tf -tf init -backend-config="bucket=$BUCKET_ID" \ --backend-config="key=complete-complete-self-managed-nodegroup/terraform.tfstate" \ --backend-config="dynamodb_table=$DYNAMODB_TABLE_NAME" \ --backend-config="region=$AWS_DEFAULT_REGION" +#init and copy state if it exists +terraform init -force-copy -backend-config="bucket=$BUCKET_ID" \ + -backend-config="key=complete-self-managed-nodegroup/terraform.tfstate" \ + -backend-config="dynamodb_table=$DYNAMODB_TABLE_NAME" \ + -backend-config="region=$AWS_DEFAULT_REGION" ``` -#### Step 3: Provision VPC and Bastion +#### Step 4: Provision VPC and Bastion ```sh -terraform plan -var-file ../../../terraform.tfvars -target=module.vpc -target=module.bastion -# verify these changes are desired -terraform apply -var-file ../../../terraform.tfvars -target=module.vpc -target=module.bastion -# type yes to confirm or utilize the ```-auto-approve``` flag in the above command +# plan deployment and verify desired outcome +terraform plan -target=module.vpc -target=module.bastion + +# type 
yes to confirm or utilize the '-auto-approve' flag +terraform apply -target=module.vpc -target=module.bastion ``` -#### Step 4: Connect to the Bastion using SSHuttle and Provision the remaining Infrastucture +#### Step 5: (Required if EKS Public Access set to False) Connect to the Bastion using SSHuttle and Provision the remaining Infrastucture Add the following to your ~/.ssh/config to connect to the Bastion via AWS SSM (create config file if it does not exist) @@ -81,9 +124,9 @@ host i-* mi-* Test SSH connection to the Bastion ```sh -#grab bastion instance id from terraform +# grab bastion instance id from terraform export BASTION_INSTANCE_ID=`(terraform output -raw bastion_instance_id)` -# replace "my-password" with the variable set if changed from the default +# replace "my-password" with the variable set (if changed from the default) expect -c 'spawn ssh ec2-user@$BASTION_INSTANCE_ID ; expect "assword:"; send "my-password\r"; interact' ``` @@ -94,10 +137,10 @@ In a new terminal, open an sshuttle tunnel to the bastion sshuttle --dns -vr ec2-user@$BASTION_INSTANCE_ID 10.200.0.0/16 ``` -Navigate back to the terminal in the complete-complete-self-managed-nodegroup directory and Provision the EKS Cluster +Navigate back to the terminal in the `complete-managed-nodegroup` directory and Provision the EKS Cluster ```sh -terraform apply -var-file ../../../terraform.tfvars +terraform apply -var-file # type yes to confirm or utilize the ```-auto-approve``` flag in the above command ``` 
@@ -108,17 +151,20 @@ Note: In this example we are using a private EKS Cluster endpoint for the contro EKS Cluster details can be extracted from terraform output or from AWS Console to get the name of cluster. This following command used to update the `kubeconfig` in your local machine where you run kubectl commands to interact with your EKS Cluster. -#### Step 5: Run `update-kubeconfig` command +#### Step 6: Run the `aws eks update-kubeconfig` command `~/.kube/config` file gets updated with cluster details and certificate from the below command - aws eks --region update-kubeconfig --name +```bash +CLUSTER_NAME=$(grep 'cluster_name' terraform.tfvars | cut -d'=' -f2 | tr -d '[:space:]' | sed 's/"//g') +aws eks --region $AWS_DEFAULT_REGION update-kubeconfig --name $CLUSTER_NAME +``` -#### Step 6: List all the worker nodes by running the command below +#### Step 7: List all the worker nodes by running the command below kubectl get nodes -#### Step 7: List all the pods running in `kube-system` namespace +#### Step 8: List all the pods running in `kube-system` namespace kubectl get pods -n kube-system @@ -126,16 +172,16 @@ This following command used to update the `kubeconfig` in your local machine whe To clean up your environment, destroy the Terraform modules in reverse order. -Destroy the Kubernetes Add-ons / EKS cluster first (requires sshuttle through bastion) +Destroy the Kubernetes Add-ons / EKS cluster first (requires sshuttle through bastion if EKS Public Access set to False) ```sh -terraform destroy -var-file ../../../terraform.tfvars -auto-approve -target=module.eks +terraform destroy -auto-approve -target=module.eks ``` Destroy all other resources ```sh -terraform destroy -var-file ../../../terraform.tfvars -auto-approve +terraform destroy -auto-approve ``` ## Requirements diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index 61e97b92..d8edac83 100644 
--- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md @@ -15,7 +15,7 @@ This example deploys the following Basic EKS Cluster with VPC - [Prerequisites](#prerequisites) - [Deployment Steps](#deployment-steps) - [Step 1: Preparation](#step-1-preparation) - - [Step 2: Modify terraform.tfvars (located in tmp directory) with desired values.](#step-2-modify-terraformtfvars-located-in-tmp-directory-with-desired-values) + - [Step 2: Modify terraform.tfvars (located in tmp directory) with desired values](#step-2-modify-terraformtfvars-located-in-tmp-directory-with-desired-values) - [Step 3: Terraform Init \& State](#step-3-terraform-init--state) - [local](#local) - [remote](#remote) @@ -59,7 +59,7 @@ cd ./iac/examples/complete-self-managed-nodegroup cp terraform.tfvars.example terraform.tfvars ``` -#### Step 2: Modify terraform.tfvars (located in tmp directory) with desired values. +#### Step 2: Modify terraform.tfvars (located in tmp directory) with desired values AWS usernames must be changed to match actual usernames `aws iam get-user | jq '.[]' | jq -r '.UserName'` @@ -137,7 +137,7 @@ In a new terminal, open an sshuttle tunnel to the bastion sshuttle --dns -vr ec2-user@$BASTION_INSTANCE_ID 10.200.0.0/16 ``` -Navigate back to the terminal in the complete-self-managed-nodegroup directory and Provision the EKS Cluster +Navigate back to the terminal in the `complete-self-managed-nodegroup` directory and Provision the EKS Cluster ```sh terraform apply -var-file From 61ef01a9e0a2d836ad4d3db6fdec072ee2074372 Mon Sep 17 00:00:00 2001 From: jase koonce Date: Tue, 28 Feb 2023 14:00:42 -0500 Subject: [PATCH 62/88] updating self-managed/managed readmes Signed-off-by: jase koonce --- README.md | 2 +- examples/complete-managed-nodegroup/README.md | 2 +- examples/complete-self-managed-nodegroup/README.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index f08151ae..235c17b8 100644 
--- a/README.md +++ b/README.md @@ -1,3 +1,3 @@ # Infrastructure-as-Code -This repository is a collection of Terraform modules designed to help you quickly and easily build robust, scalable infrastructure. Each module represents a best-practice, opinionated design for a specific piece of infrastructure, such as an EKS cluster, load balancer, database or S3 bucket needed to satisfy [Big Bang](https://docs-bigbang.dso.mil/) dependencies. By using these modules, you can take advantage of the experience and insights of the module authors, who have spent countless hours testing and refining the designs to ensure their reliability and efficiency. In addition, the versioning of these modules allows you to track and manage changes to your infrastructure with confidence. Whether you are a seasoned infrastructure engineer or new to the field, these modules are an invaluable tool for building and maintaining your infrastructure. +This repository is a collection of Terraform modules designed to help you quickly and easily build robust, scalable infrastructure. Each module represents a best-practice, opinionated design for a specific piece of infrastructure, such as an EKS cluster, load balancer, database or S3 bucket needed to satisfy [Big Bang](https://docs-bigbang.dso.mil/) dependencies. At the example level, both an option for Self-Managed and Managed node groups are included. Depending on which type of node group you are using be sure to run terraform from inside the corresponding example. By using these modules, you can take advantage of the experience and insights of the module authors, who have spent countless hours testing and refining the designs to ensure their reliability and efficiency. In addition, the versioning of these modules allows you to track and manage changes to your infrastructure with confidence. Whether you are a seasoned infrastructure engineer or new to the field, these modules are an invaluable tool for building and maintaining your infrastructure. 
diff --git a/examples/complete-managed-nodegroup/README.md b/examples/complete-managed-nodegroup/README.md index 2f40e2ce..bdd8160d 100644 --- a/examples/complete-managed-nodegroup/README.md +++ b/examples/complete-managed-nodegroup/README.md @@ -1,6 +1,6 @@ # EKS Cluster Deployment with new VPC & Big Bang Dependencies -This example deploys the following Basic EKS Cluster with VPC +This example deploys the following Basic Managed EKS Cluster with VPC - Creates a new sample VPC, 3 Private Subnets and 3 Public Subnets - Creates Internet gateway for Public Subnets and NAT Gateway for Private Subnets diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index d8edac83..cacc77a5 100644 --- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md @@ -1,6 +1,6 @@ # EKS Cluster Deployment with new VPC & Big Bang Dependencies -This example deploys the following Basic EKS Cluster with VPC +This example deploys the following Basic Self-Managed EKS Cluster with VPC - Creates a new sample VPC, 3 Private Subnets and 3 Public Subnets - Creates Internet gateway for Public Subnets and NAT Gateway for Private Subnets From 666a05f684174010733fcc19f903bd0e643c1aa0 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Wed, 1 Mar 2023 10:02:30 -0800 Subject: [PATCH 63/88] Empty commit From abd312258b8375670887d10b8943010218b612d0 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Wed, 1 Mar 2023 10:25:18 -0800 Subject: [PATCH 64/88] testing sign From 50fe0f10c2028343cc18f258a87e44bb56e6c9a8 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Wed, 1 Mar 2023 10:40:21 -0800 Subject: [PATCH 65/88] testing sign again From cd531a911e8167f5d10acf1e9892d6a48071974e Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Wed, 1 Mar 2023 10:55:36 -0800 Subject: [PATCH 66/88] testing sign again again From 37c10e8b2a938c516a21e78f0a5a9c11737b21f6 Mon Sep 17 00:00:00 2001 
From: Andy Roth Date: Wed, 1 Mar 2023 15:15:33 -0800 Subject: [PATCH 67/88] wip --- .gitignore | 4 + examples/complete/.terraform.lock.hcl | 222 +++++++++++ examples/complete/bigbang-dependencies.tf | 83 ++++ examples/complete/fixtures.common.tfvars | 48 +++ examples/complete/fixtures.insecure.tfvars | 4 + examples/complete/main.tf | 424 +++++++++++++++++++++ examples/complete/outputs.tf | 40 ++ examples/complete/providers.tf | 39 ++ examples/complete/variables.tf | 188 +++++++++ 9 files changed, 1052 insertions(+) create mode 100644 examples/complete/.terraform.lock.hcl create mode 100644 examples/complete/bigbang-dependencies.tf create mode 100644 examples/complete/fixtures.common.tfvars create mode 100644 examples/complete/fixtures.insecure.tfvars create mode 100644 examples/complete/main.tf create mode 100644 examples/complete/outputs.tf create mode 100644 examples/complete/providers.tf create mode 100644 examples/complete/variables.tf
diff --git a/.gitignore b/.gitignore
index 80505fcf..5684bf46 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,6 +24,10 @@ crash.*.log
 *.tfvars
 *.tfvars.json
 
+# Except ones that we do want to commit because they are used for automated tests
+!examples/complete/fixtures.common.tfvars
+!examples/complete/fixtures.insecure.tfvars
+
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
 override.tf
diff --git a/examples/complete/.terraform.lock.hcl b/examples/complete/.terraform.lock.hcl new file mode 100644
index 00000000..8f12bc6b
--- /dev/null
+++ b/examples/complete/.terraform.lock.hcl
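Review bot: `!examples/complete/fixtures.insecure.tfvars` re-admits a `*.tfvars` file into version control, and the new comment says only that the fixtures are used for automated tests, not that they must stay free of credentials, which is the reason the `*.tfvars` rule above exists. Extend the comment to `# Except ones that we do want to commit because they are used for automated tests (they must never contain credentials or account-specific secrets)`. The contents of the two fixture files are not visible here, so what "insecure" means (relaxed settings for CI, presumably) is worth stating inside the file as well. A secret-scanning hook on these two paths would catch the case where someone later pastes real values into them.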
@@ -0,0 +1,222 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/gavinbunney/kubectl" { + version = "1.14.0" + constraints = ">= 1.14.0" + hashes = [ + "h1:mX2AOFIMIxJmW5kM8DT51gloIOKCr9iT6W8yodnUyfs=", + "zh:0350f3122ff711984bbc36f6093c1fe19043173fad5a904bce27f86afe3cc858", + "zh:07ca36c7aa7533e8325b38232c77c04d6ef1081cb0bac9d56e8ccd51f12f2030", + "zh:0c351afd91d9e994a71fe64bbd1662d0024006b3493bb61d46c23ea3e42a7cf5", + "zh:39f1a0aa1d589a7e815b62b5aa11041040903b061672c4cfc7de38622866cbc4", + "zh:428d3a321043b78e23c91a8d641f2d08d6b97f74c195c654f04d2c455e017de5", + "zh:4baf5b1de2dfe9968cc0f57fd4be5a741deb5b34ee0989519267697af5f3eee5", + "zh:6131a927f9dffa014ab5ca5364ac965fe9b19830d2bbf916a5b2865b956fdfcf", + "zh:c62e0c9fd052cbf68c5c2612af4f6408c61c7e37b615dc347918d2442dd05e93", + "zh:f0beffd7ce78f49ead612e4b1aefb7cb6a461d040428f514f4f9cc4e5698ac65", + ] +} + +provider "registry.terraform.io/hashicorp/aws" { + version = "4.56.0" + constraints = ">= 3.28.0, >= 3.72.0, >= 3.73.0, >= 4.9.0, >= 4.10.0, >= 4.13.0, >= 4.47.0" + hashes = [ + "h1:koDunHl/LUmCAKy3VFie6MakXN7ng93v8HBRpKI8He8=", + "zh:1d2b7693a102da015a86b9235b554272b9280597011216c3ddd1a6dc95ad8dab", + "zh:28c3e8ebaa077f65c4ac5fd051c95887070293fcff0386dfc2e4b7e248a0aefa", + "zh:2a620bc4a87be06e7acac1bc15e966dba45df643bf6c3efb811e74e6c2122b03", + "zh:30d3ac148fa0634e7ba1de66e1af1328481c92cd774adcfc0e27f828103b17e0", + "zh:3d3eebf916f25e11b12dd3c692f8fe1e4c4e9a0c414af9d0d881ddebd28dcd39", + "zh:3f4600f2881c02fcc69080df68747c9a0b9b11cb002117fd918b7800f2ac402b", + "zh:7156fb12c3b4f2964f7e78cee97f31d95b43045467f90749d2ed545725c36baa", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a5bbc84fd37d468c7b016009776b6d2a287bbb746af81aba786cdf8eb5fce4a1", + "zh:d5322bcd4e11caddbbfaa1198893824d4b4d28f504517a3a87902cf86d75bd87", + "zh:d766eb9f86a40060d63e12ef674d7c9c47ec4e47ade487f1f49af8c89b441711", 
+ "zh:df23f592b99f6617f09e449009bbb49068a69fc926b15ca29e30b068c9c67365", + "zh:e7b0acee2d98549731547259b539f598e18db07c0c202d3a34b922beff711054", + "zh:ec317f79fdcce934c39458ea312862e7f7ec48cafb8bcc9b5a00d9b78b629d81", + "zh:f78ec7a771867d96dfee96bf74523341ba42feeb64ce2f108b5bf2e7ebef0fef", + ] +} + +provider "registry.terraform.io/hashicorp/cloudinit" { + version = "2.3.2" + constraints = ">= 2.0.0" + hashes = [ + "h1:Ar/DAbZQ9Nsj0BrqX6camrEE6U+Yq4E87DCNVqxqx8k=", + "zh:2487e498736ed90f53de8f66fe2b8c05665b9f8ff1506f751c5ee227c7f457d1", + "zh:3d8627d142942336cf65eea6eb6403692f47e9072ff3fa11c3f774a3b93130b3", + "zh:434b643054aeafb5df28d5529b72acc20c6f5ded24decad73b98657af2b53f4f", + "zh:436aa6c2b07d82aa6a9dd746a3e3a627f72787c27c80552ceda6dc52d01f4b6f", + "zh:458274c5aabe65ef4dbd61d43ce759287788e35a2da004e796373f88edcaa422", + "zh:54bc70fa6fb7da33292ae4d9ceef5398d637c7373e729ed4fce59bd7b8d67372", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:893ba267e18749c1a956b69be569f0d7bc043a49c3a0eb4d0d09a8e8b2ca3136", + "zh:95493b7517bce116f75cdd4c63b7c82a9d0d48ec2ef2f5eb836d262ef96d0aa7", + "zh:9ae21ab393be52e3e84e5cce0ef20e690d21f6c10ade7d9d9d22b39851bfeddc", + "zh:cc3b01ac2472e6d59358d54d5e4945032efbc8008739a6d4946ca1b621a16040", + "zh:f23bfe9758f06a1ec10ea3a81c9deedf3a7b42963568997d84a5153f35c5839a", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "2.9.0" + constraints = ">= 2.4.1, >= 2.5.1" + hashes = [ + "h1:3M1gPJ2W3qtYr6do1HkH5l03kSEHIYMQ97W2tP59dYY=", + "zh:1471cb45908b426104687c962007b2980cfde294fa3530fabc4798ce9fb6c20c", + "zh:1572e9cec20591ec08ece797b3630802be816a5adde36ca91a93359f2430b130", + "zh:1b10ae03cf5ab1ae21ffaac2251de99797294ae4242b156b3b0beebbdbcb7e0f", + "zh:3bd043b68de967d8d0b549d3f71485193d81167d5656f5507d743dedfe60e352", + "zh:538911921c729185900176cc22eb8edcb822bc8d22b9ebb48103a1d9bb53cc38", + "zh:69a6a2d40c0463662c3fb1621e37a3ee65024ea4479adf4d5f7f19fb0dea48c2", + 
"zh:94b58daa0c351a49d01f6d8f1caae46c95c2d6c3f29753e2b9ea3e3c0e7c9ab4", + "zh:9d0543331a4a32241e1ab5457f30b41df745acb235a0391205c725a5311e4809", + "zh:a6789306524ca121512a95e873e3949b4175114a6c5db32bed2df2551a79368f", + "zh:d146b94cd9502cca7f2044797a328d71c7ec2a98e2d138270d8a28c872f04289", + "zh:d14ccd14511f0446eacf43a9243f22de7c1427ceb059cf67d7bf9803be2cb15d", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.18.1" + constraints = ">= 2.6.1, >= 2.10.0" + hashes = [ + "h1:vBRsQjT8QeFe8C9yJ1PR43wzX4hM5UssxlHkPPo34gU=", + "zh:09d69d244f5e688d9b1582112aa5d151c5336278e43d39c88ae920c26536b753", + "zh:0df4c988056f7d84d9161c6c955ad7346364c261d100ef510a6cc7fa4a235197", + "zh:2d3d0cb2931b6153a7971ce8c6fae92722b1116e16f42abbaef115dba895c8d8", + "zh:47830e8fc1760860bfa4aaf418627ff3c6ffcac6cebbbc490e5e0e6b31287d80", + "zh:49467177b514bada0fb3b6982897a347498af8ef9ef8d9fd611fe21dfded2e25", + "zh:5c7eae2c51ba175822730a63ad59cf41604c76c46c5c97332506ab42023525ce", + "zh:6efae755f02df8ab65ce7a831f33bd4817359db205652fd4bc4b969302072b15", + "zh:7e6e97b79fecd25aaf0f4fb91da945a65c36fe2ba2a4313288a60ede55506aad", + "zh:b75f2c9dd24b355ffe73e7b2fcd3145fc32735068f0ec2eba2df63f792dd16e8", + "zh:dbef9698d842eb49a846db6d7694f159ae5154ffbb7a753a9d4cab88c462a6d4", + "zh:f1b1fd580d92eedd9c8224d463997ccff1a62851fea65106aac299efe9ab622a", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/local" { + version = "2.3.0" + constraints = ">= 2.1.0" + hashes = [ + "h1:7y8CXQKtfyvrMCSWgCkCclNN9L161u6jO1dEGVaB5RQ=", + "zh:1f1920b3f78c31c6b69cdfe1e016a959667c0e2d01934e1a084b94d5a02cd9d2", + "zh:550a3cdae0ddb350942624e7b2e8b31d28bc15c20511553432413b1f38f4b214", + "zh:68d1d9ccbfce2ce56b28a23b22833a5369d4c719d6d75d50e101a8a8dbe33b9b", + "zh:6ae3ad6d865a906920c313ec2f413d080efe32c230aca711fd106b4cb9022ced", + 
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:a0f413d50f54124057ae3dcd9353a797b84e91dc34bcf85c34a06f8aef1f9b12", + "zh:a2ac6d4088ceddcd73d88505e18b8226a6e008bff967b9e2d04254ef71b4ac6b", + "zh:a851010672e5218bdd4c4ea1822706c9025ef813a03da716d647dd6f8e2cffb0", + "zh:aa797561755041ef2fad99ee9ffc12b5e724e246bb019b21d7409afc2ece3232", + "zh:c6afa960a20d776f54bb1fc260cd13ead17280ebd87f05b9abcaa841ed29d289", + "zh:df0975e86b30bb89717b8c8d6d4690b21db66de06e79e6d6cfda769f3304afe6", + "zh:f0d3cc3da72135efdbe8f4cfbfb0f2f7174827887990a5545e6db1981f0d3a7c", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.1" + constraints = ">= 3.0.0, >= 3.1.0" + hashes = [ + "h1:tSj1mL6OQ8ILGqR2mDu7OYYYWf+hoir0pf9KAQ8IzO8=", + "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840", + "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb", + "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5", + "zh:74cb22c6700e48486b7cabefa10b33b801dfcab56f1a6ac9b6624531f3d36ea3", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:79e553aff77f1cfa9012a2218b8238dd672ea5e1b2924775ac9ac24d2a75c238", + "zh:a1e06ddda0b5ac48f7e7c7d59e1ab5a4073bbcf876c73c0299e4610ed53859dc", + "zh:c37a97090f1a82222925d45d84483b2aa702ef7ab66532af6cbcfb567818b970", + "zh:e4453fbebf90c53ca3323a92e7ca0f9961427d2f0ce0d2b65523cc04d5d999c2", + "zh:e80a746921946d8b6761e77305b752ad188da60688cfd2059322875d363be5f5", + "zh:fbdb892d9822ed0e4cb60f2fedbdbb556e4da0d88d3b942ae963ed6ff091e48f", + "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.4.3" + hashes = [ + "h1:tL3katm68lX+4lAncjQA9AXL4GR/VM+RPwqYf4D2X8Q=", + "zh:41c53ba47085d8261590990f8633c8906696fa0a3c4b384ff6a7ecbf84339752", + "zh:59d98081c4475f2ad77d881c4412c5129c56214892f490adf11c7e7a5a47de9b", + 
"zh:686ad1ee40b812b9e016317e7f34c0d63ef837e084dea4a1f578f64a6314ad53", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:84103eae7251384c0d995f5a257c72b0096605048f757b749b7b62107a5dccb3", + "zh:8ee974b110adb78c7cd18aae82b2729e5124d8f115d484215fd5199451053de5", + "zh:9dd4561e3c847e45de603f17fa0c01ae14cae8c4b7b4e6423c9ef3904b308dda", + "zh:bb07bb3c2c0296beba0beec629ebc6474c70732387477a65966483b5efabdbc6", + "zh:e891339e96c9e5a888727b45b2e1bb3fcbdfe0fd7c5b4396e4695459b38c8cb1", + "zh:ea4739860c24dfeaac6c100b2a2e357106a89d18751f7693f3c31ecf6a996f8d", + "zh:f0c76ac303fd0ab59146c39bc121c5d7d86f878e9a69294e29444d4c653786f8", + "zh:f143a9a5af42b38fed328a161279906759ff39ac428ebcfe55606e05e1518b93", + ] +} + +provider "registry.terraform.io/hashicorp/time" { + version = "0.9.1" + constraints = ">= 0.7.0, >= 0.8.0" + hashes = [ + "h1:UHcDnIYFZ00uoou0TwPGMwOrE8gTkoRephIvdwDAK70=", + "zh:00a1476ecf18c735cc08e27bfa835c33f8ac8fa6fa746b01cd3bcbad8ca84f7f", + "zh:3007f8fc4a4f8614c43e8ef1d4b0c773a5de1dcac50e701d8abc9fdc8fcb6bf5", + "zh:5f79d0730fdec8cb148b277de3f00485eff3e9cf1ff47fb715b1c969e5bbd9d4", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:8c8094689a2bed4bb597d24a418bbbf846e15507f08be447d0a5acea67c2265a", + "zh:a6d9206e95d5681229429b406bc7a9ba4b2d9b67470bda7df88fa161508ace57", + "zh:aa299ec058f23ebe68976c7581017de50da6204883950de228ed9246f309e7f1", + "zh:b129f00f45fba1991db0aa954a6ba48d90f64a738629119bfb8e9a844b66e80b", + "zh:ef6cecf5f50cda971c1b215847938ced4cb4a30a18095509c068643b14030b00", + "zh:f1f46a4f6c65886d2dd27b66d92632232adc64f92145bf8403fe64d5ffa5caea", + "zh:f79d6155cda7d559c60d74883a24879a01c4d5f6fd7e8d1e3250f3cd215fb904", + "zh:fd59fa73074805c3575f08cd627eef7acda14ab6dac2c135a66e7a38d262201c", + ] +} + +provider "registry.terraform.io/hashicorp/tls" { + version = "4.0.4" + constraints = ">= 3.0.0" + hashes = [ + "h1:Wd3RqmQW60k2QWPN4sK5CtjGuO1d+CRNXgC+D4rKtXc=", + 
"zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55", + "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848", + "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be", + "zh:5a8eec2409a9ff7cd0758a9d818c74bcba92a240e6c5e54b99df68fff312bbd5", + "zh:5e6a4b39f3171f53292ab88058a59e64825f2b842760a4869e64dc1dc093d1fe", + "zh:810547d0bf9311d21c81cc306126d3547e7bd3f194fc295836acf164b9f8424e", + "zh:824a5f3617624243bed0259d7dd37d76017097dc3193dac669be342b90b2ab48", + "zh:9361ccc7048be5dcbc2fafe2d8216939765b3160bd52734f7a9fd917a39ecbd8", + "zh:aa02ea625aaf672e649296bce7580f62d724268189fe9ad7c1b36bb0fa12fa60", + "zh:c71b4cd40d6ec7815dfeefd57d88bc592c0c42f5e5858dcc88245d371b4b8b1e", + "zh:dabcd52f36b43d250a3d71ad7abfa07b5622c69068d989e60b79b2bb4f220316", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/terraform-aws-modules/http" { + version = "2.4.1" + constraints = "2.4.1" + hashes = [ + "h1:FINkX7/X/cr5NEssB7dMqVWa6YtJtmwzvkfryuR39/k=", + "zh:0111f54de2a9815ded291f23136d41f3d2731c58ea663a2e8f0fef02d377d697", + "zh:0740152d76f0ccf54f4d0e8e0753739a5233b022acd60b5d2353d248c4c17204", + "zh:569518f46809ec9cdc082b4dfd4e828236eee2b50f87b301d624cfd83b8f5b0d", + "zh:7669f7691de91eec9f381e9a4be81aa4560f050348a86c6ea7804925752a01bb", + "zh:81cd53e796ec806aca2d8e92a2aed9135661e170eeff6cf0418e54f98816cd05", + "zh:82f01abd905090f978b169ac85d7a5952322a5f0f460269dd981b3596652d304", + "zh:9a235610066e0f7e567e69c23a53327271a6fc568b06bf152d8fe6594749ed2b", + "zh:aeabdd8e633d143feb67c52248c85358951321e35b43943aeab577c005abd30a", + "zh:c20d22dba5c79731918e7192bc3d0b364d47e98a74f47d287e6cc66236bc0ed0", + "zh:c4fea2cb18c31ed7723deec5ebaff85d6795bb6b6ed3b954794af064d17a7f9f", + "zh:e21e88b6e7e55b9f29b046730d9928c65a4f181fd5f60a42f1cd41b46a0a938d", + "zh:eddb888a74dea348a0acdfee13a08875bacddde384bd9c28342a534269665568", + 
"zh:f46d5f1403b8d8dfafab9bdd7129d3080bb62a91ea726f477fd43560887b8c4a", + ] +} diff --git a/examples/complete/bigbang-dependencies.tf b/examples/complete/bigbang-dependencies.tf new file mode 100644 index 00000000..cf066d28 --- /dev/null +++ b/examples/complete/bigbang-dependencies.tf 
@@ -0,0 +1,83 @@
+
+###########################################################
+############## Big Bang Core Dependencies #################
+###########################################################
+
+###########################################################
+################# Enable EKS Sops #########################
+
+module "flux_sops" {
+ # source = "git::https://github.com/defenseunicorns/iac.git//modules/sops?ref=v"
+ source = "../../modules/sops"
+
+ region = var.region
+ cluster_name = module.eks.eks_cluster_id
+ vpc_id = module.vpc.vpc_id
+ policy_name_prefix = "${module.eks.eks_cluster_id}-flux-sops"
+ kms_key_alias = "${module.eks.eks_cluster_id}-flux-sops"
+ kubernetes_service_account = "flux-system-sops-sa"
+ kubernetes_namespace = "flux-system"
+ irsa_sops_iam_role_name = "${module.eks.eks_cluster_id}-flux-system-sa-role"
+ eks_oidc_provider_arn = module.eks.eks_oidc_provider_arn
+ tags = local.tags
+ role_name = module.bastion.bastion_role_name
+}
+
+###########################################################
+################## Loki S3 Buckets ########################
+
+module "loki_s3_bucket" {
+ # source = "git::https://github.com/defenseunicorns/iac.git//modules/s3-irsa?ref=v"
+ source = "../../modules/s3-irsa"
+
+ region = var.region
+ cluster_name = module.eks.eks_cluster_id
+ policy_name_prefix = "loki-s3-policy"
+ bucket_prefix = "loki-s3"
+ kms_key_alias = "loki-s3"
+ kubernetes_service_account = "logging-loki-s3-sa"
+ kubernetes_namespace = "logging"
+ irsa_iam_role_name = "${module.eks.eks_cluster_id}-logging-loki-sa-role"
+ eks_oidc_provider_arn = module.eks.eks_oidc_provider_arn
+ tags = local.tags
+ dynamodb_enabled = true
+}
+
+###########################################################
+############ Big Bang Add-Ons Dependencies ################
+###########################################################
+
+###########################################################
+############### Keycloak RDS Database #####################
+
+module "rds_postgres_keycloak" {
+ # source = "git::https://github.com/defenseunicorns/iac.git//modules/rds?ref=v"
+ source = "../../modules/rds"
+
+ count = var.keycloak_enabled ? 1 : 0
+
+ # provider alias is needed for every parent module supporting RDS backup replication is a separate region
+ providers = {
+ aws.region2 = aws.region2
+ }
+
+ vpc_id = module.vpc.vpc_id
+ vpc_cidr = module.vpc.vpc_cidr_block
+ database_subnet_group_name = module.vpc.database_subnet_group_name
+ engine = "postgres"
+ engine_version = var.kc_db_engine_version
+ family = var.kc_db_family
+ major_engine_version = var.kc_db_major_engine_version
+ instance_class = var.kc_db_instance_class
+ identifier = "${var.cluster_name}-keycloak"
+ db_name = "keycloak" # Can only be alphanumeric, no hyphens or underscores
+ username = "kcadmin"
+ create_random_password = false
+ password = var.keycloak_db_password
+ allocated_storage = var.kc_db_allocated_storage
+ max_allocated_storage = var.kc_db_max_allocated_storage
+ create_db_subnet_group = true
+ deletion_protection = false
+ # automated_backups_replication_enabled = true
+ tags = local.tags
+}
diff --git a/examples/complete/fixtures.common.tfvars b/examples/complete/fixtures.common.tfvars
new file mode 100644
index 00000000..19645a0d
--- /dev/null
+++ b/examples/complete/fixtures.common.tfvars
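Review bot: `deletion_protection = false` on `module "rds_postgres_keycloak"` leaves the Keycloak identity database one accidental replacement or `terraform destroy` away from loss, and `# automated_backups_replication_enabled = true` stays commented out even though the `aws.region2` provider alias is wired up for exactly that purpose. For an example that is meant to be copied, consider `deletion_protection = var.keycloak_enabled` (or a dedicated variable defaulting to true) and either enable the replication line or leave a comment saying why it is off. The instance is also given `create_random_password = false` with `password = var.keycloak_db_password`, and that variable carries a committed default and no `sensitive = true` in variables.tf, so plan output will print the credential; `create_random_password = true` or a Secrets Manager/SSM-sourced value would be safer.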
@@ -0,0 +1,48 @@
+###########################################################
+################## Global Settings ########################
+
+region = "us-east-2" # target AWS region
+region2 = "us-east-1" # RDS backup target AWS region
+account = "1234567890" # target AWS account
+aws_profile = "foo" # local AWS profile to be used for deployment
+aws_admin_usernames = ["John.Smith"] # list of users to be added to the AWS admin group
+
+
+###########################################################
+#################### VPC Config ###########################
+
+vpc_cidr = "10.200.0.0/16"
+vpc_name = "my-vpc"
+# vpc_instance_tenancy = "dedicated" #does not currently work with EKS
+
+###########################################################
+################## Bastion Config #########################
+
+bastion_name = "my-bastion"
+bastion_ami_id = "ami-04afd6ecf73c0a579" # AWS linux 2 CIS STIG // "ami-000d4884381edb14c" # AWS linux 2
+bastion_ssh_user = "ec2-user" # local user in bastion used to ssh
+bastion_ssh_password = "my-password"
+zarf_version = "v0.24.0-rc4"
+
+###########################################################
+#################### EKS Config ###########################
+
+cluster_name = "my-eks"
+eks_k8s_version = "1.23"
+
+###########################################################
+############## Big Bang Dependencies ######################
+
+keycloak_enabled = true
+# other_addon_enabled = true
+
+
+#################### Keycloak ###########################
+
+keycloak_db_password = "my-password"
+kc_db_engine_version = "14.1"
+kc_db_family = "postgres14" # DB parameter group
+kc_db_major_engine_version = "14" # DB option group
+kc_db_allocated_storage = 20
+kc_db_max_allocated_storage = 100
+kc_db_instance_class = "db.t4g.large"
diff --git a/examples/complete/fixtures.insecure.tfvars b/examples/complete/fixtures.insecure.tfvars
new file mode 100644
index 00000000..d2a14643
--- /dev/null
+++ b/examples/complete/fixtures.insecure.tfvars
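Review bot: `bastion_ssh_password = "my-password"` and `keycloak_db_password = "my-password"` are committed in a tfvars file that doubles as the starting point for real deployments; secrets in tfvars end up in git history and in state. Supply them from the environment instead (`TF_VAR_keycloak_db_password` for the test run, or a Secrets Manager lookup) and leave a placeholder comment such as `# keycloak_db_password: set via TF_VAR_keycloak_db_password, never commit a value` in their place. The `bastion_ami_id` line pins a region-specific AMI, while the matching variable now resolves the latest Amazon Linux 2 image when left empty; if the CIS STIG image is intentional, the trailing `// "ami-000d4884381edb14c" # AWS linux 2` fragment should become a plain comment so the line reads unambiguously.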
@@ -0,0 +1,4 @@
+enable_managed_nodegroups = true
+bastion_tenancy = "default"
+eks_worker_tenancy = "default"
+cluster_endpoint_public_access = true
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
new file mode 100644
index 00000000..32575359
--- /dev/null
+++ b/examples/complete/main.tf
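Review bot: `cluster_endpoint_public_access = true` and the default-tenancy settings are enabled here with no comment saying these are deliberate test-time relaxations rather than recommended values, so the file name is the only signal. A header such as `# Test-only overrides: public EKS API endpoint and shared tenancy; not a template for real deployments` would make the intent explicit to anyone who copies the fixture. If the eks module exposes a CIDR allow-list for the public endpoint (not visible in this hunk), restricting it to the CI runner's egress range here would limit exposure for the duration of the test run.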
@@ -0,0 +1,424 @@
+data "aws_partition" "current" {}
+
+data "aws_ami" "amazonlinux2eks" {
+ most_recent = true
+
+ filter {
+ name = "name"
+ values = ["amazon-eks-node-${var.eks_k8s_version}-*"]
+ }
+
+ owners = ["amazon"]
+}
+
+locals {
+ tags = {
+ Blueprint = "${replace(basename(path.cwd), "_", "-")}" # tag names based on the directory name
+ GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints"
+ }
+ admin_arns = [for admin_user in var.aws_admin_usernames : "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${admin_user}"]
+ aws_auth_eks_map_users = [for admin_user in var.aws_admin_usernames : {
+ userarn = "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${admin_user}"
+ username = "${admin_user}"
+ groups = ["system:masters"]
+ }
+ ]
+
+ managed_node_groups = var.enable_managed_nodegroups == false ? tomap({}) : {
+ # Managed Node groups with minimum config
+ mg5 = {
+ node_group_name = "mg5"
+ instance_types = ["m5.large"]
+ min_size = 2
+ create_iam_role = false # Changing `create_iam_role=false` to bring your own IAM Role
+ iam_role_arn = module.eks.aws_iam_role_managed_ng_arn
+ disk_size = 100 # Disk size is used only with Managed Node Groups without Launch Templates
+ update_config = [{
+ max_unavailable_percentage = 30
+ }]
+ },
+ # Managed Node groups with Launch templates using AMI TYPE
+ mng_lt = {
+ # Node Group configuration
+ node_group_name = "mng_lt" # Max 40 characters for node group name
+
+ ami_type = "AL2_x86_64" # Available options -> AL2_x86_64, AL2_x86_64_GPU, AL2_ARM_64, CUSTOM
+ release_version = "" # Enter AMI release version to deploy the latest AMI released by AWS. Used only when you specify ami_type
+ capacity_type = "ON_DEMAND" # ON_DEMAND or SPOT
+ instance_types = ["r5d.large"] # List of instances used only for SPOT type
+ format_mount_nvme_disk = true # format and mount NVMe disks ; default to false
+
+ # Launch template configuration
+ create_launch_template = true # false will use the default launch template
+ launch_template_os = "amazonlinux2eks" # amazonlinux2eks or bottlerocket
+
+ enable_monitoring = true
+ eni_delete = true
+ public_ip = false # Use this to enable public IP for EC2 instances; only for public subnets used in launch templates
+
+ http_endpoint = "enabled"
+ http_tokens = "optional"
+ http_put_response_hop_limit = 3
+
+ # pre_userdata can be used in both cases where you provide custom_ami_id or ami_type
+ pre_userdata = <<-EOT
+ yum install -y amazon-ssm-agent
+ systemctl enable amazon-ssm-agent && systemctl start amazon-ssm-agent
+ EOT
+
+ # Taints can be applied through EKS API or through Bootstrap script using kubelet_extra_args
+ # e.g., k8s_taints = [{key= "spot", value="true", "effect"="NO_SCHEDULE"}]
+ k8s_taints = []
+
+ # Node Labels can be applied through EKS API or through Bootstrap script using kubelet_extra_args
+ k8s_labels = {
+ Environment = "preprod"
+ Zone = "dev"
+ Runtime = "docker"
+ }
+
+ # Node Group scaling configuration
+ desired_size = 2
+ max_size = 2
+ min_size = 2
+
+ block_device_mappings = [
+ {
+ device_name = "/dev/xvda"
+ volume_type = "gp3"
+ volume_size = 100
+ }
+ ]
+
+ # Node Group network configuration
+ subnet_type = "private" # public or private - Default uses the private subnets used in control plane if you don't pass the "subnet_ids"
+ subnet_ids = [] # Defaults to private subnet-ids used by EKS Control plane. Define your private/public subnets list with comma separated subnet_ids = ['subnet1','subnet2','subnet3']
+
+ additional_iam_policies = [] # Attach additional IAM policies to the IAM role attached to this worker group
+
+ # SSH ACCESS Optional - Recommended to use SSM Session manager
+ remote_access = false
+ ec2_ssh_key = ""
+ ssh_security_group_id = ""
+
+ additional_tags = {
+ ExtraTag = "m5x-on-demand"
+ Name = "m5x-on-demand"
+ subnet_type = "private"
+ }
+ }
+ # Managed Node groups with Launch templates using CUSTOM AMI with ContainerD runtime
+ mng_custom_ami = {
+ # Node Group configuration
+ node_group_name = "mng_custom_ami" # Max 40 characters for node group name
+
+ # custom_ami_id is optional when you provide ami_type. Enter the Custom AMI id if you want to use your own custom AMI
+ custom_ami_id = data.aws_ami.amazonlinux2eks.id
+ capacity_type = "ON_DEMAND" # ON_DEMAND or SPOT
+ instance_types = ["r5d.large"] # List of instances used only for SPOT type
+
+ # Launch template configuration
+ create_launch_template = true # false will use the default launch template
+ launch_template_os = "amazonlinux2eks" # amazonlinux2eks or bottlerocket
+
+ # pre_userdata will be applied by using custom_ami_id or ami_type
+ pre_userdata = <<-EOT
+ yum install -y amazon-ssm-agent
+ systemctl enable amazon-ssm-agent && systemctl start amazon-ssm-agent
+ EOT
+
+ # post_userdata will be applied only by using custom_ami_id
+ post_userdata = <<-EOT
+ echo "Bootstrap successfully completed! You can further apply config or install to run after bootstrap if needed"
+ EOT
+
+ # kubelet_extra_args used only when you pass custom_ami_id;
+ # --node-labels is used to apply Kubernetes Labels to Nodes
+ # --register-with-taints used to apply taints to Nodes
+ # e.g., kubelet_extra_args='--node-labels=WorkerType=SPOT,noderole=spark --register-with-taints=spot=true:NoSchedule --max-pods=58',
+ kubelet_extra_args = "--node-labels=WorkerType=SPOT,noderole=spark --register-with-taints=test=true:NoSchedule --max-pods=20"
+
+ # bootstrap_extra_args used only when you pass custom_ami_id. Allows you to change the Container Runtime for Nodes
+ # e.g., bootstrap_extra_args="--use-max-pods false --container-runtime containerd"
+ bootstrap_extra_args = "--use-max-pods false --container-runtime containerd"
+
+ # Taints can be applied through EKS API or through Bootstrap script using kubelet_extra_args
+ k8s_taints = []
+
+ # Node Labels can be applied through EKS API or through Bootstrap script using kubelet_extra_args
+ k8s_labels = {
+ Environment = "preprod"
+ Zone = "dev"
+ Runtime = "containerd"
+ }
+
+ enable_monitoring = true
+ eni_delete = true
+ public_ip = false # Use this to enable public IP for EC2 instances; only for public subnets used in launch templates
+
+ # Node Group scaling configuration
+ desired_size = 2
+ max_size = 2
+ min_size = 2
+
+ block_device_mappings = [
+ {
+ device_name = "/dev/xvda"
+ volume_type = "gp3"
+ volume_size = 150
+ }
+ ]
+
+ # Node Group network configuration
+ subnet_type = "private" # public or private - Default uses the private subnets used in control plane if you don't pass the "subnet_ids"
+ subnet_ids = [] # Defaults to private subnet-ids used by EKS Control plane. Define your private/public subnets list with comma separated subnet_ids = ['subnet1','subnet2','subnet3']
+
+ additional_iam_policies = [] # Attach additional IAM policies to the IAM role attached to this worker group
+
+ # SSH ACCESS Optional - Recommended to use SSM Session manager
+ remote_access = false
+ ec2_ssh_key = ""
+ ssh_security_group_id = ""
+
+ additional_tags = {
+ ExtraTag = "mng-custom-ami"
+ Name = "mng-custom-ami"
+ subnet_type = "private"
+ }
+ }
+ # Managed Node group with Launch templates using AMI TYPE and SPOT instances of 2 vCPUs and 8 Gib Memory
+ spot_2vcpu_8mem = {
+ node_group_name = "mng-spot-2vcpu-8mem"
+ capacity_type = "SPOT"
+ instance_types = ["m5.large", "m4.large", "m6a.large", "m5a.large", "m5d.large"]
+ max_size = 2
+ desired_size = 1
+ min_size = 1
+
+ # Node Group network configuration
+ subnet_type = "private" # public or private - Default uses the private subnets used in control plane if you don't pass the "subnet_ids"
+ subnet_ids = [] # Defaults to private subnet-ids used by EKS Control plane. Define your private/public subnets list with comma separated subnet_ids = ['subnet1','subnet2','subnet3']
+
+ k8s_taints = [{ key = "spotInstance", value = "true", effect = "NO_SCHEDULE" }]
+ }
+
+ # Managed Node group with Launch templates using AMI TYPE and SPOT instances of 4 vCPUs and 16 Gib Memory
+ spot_4vcpu_16mem = {
+ node_group_name = "mng-spot-4vcpu-16mem"
+ capacity_type = "SPOT"
+ instance_types = ["m5.xlarge", "m4.xlarge", "m6a.xlarge", "m5a.xlarge", "m5d.xlarge"]
+
+ # Node Group network configuration
+ subnet_type = "private" # public or private - Default uses the private subnets used in control plane if you don't pass the "subnet_ids"
+ subnet_ids = [] # Defaults to private subnet-ids used by EKS Control plane. Define your private/public subnets list with comma separated subnet_ids = ['subnet1','subnet2','subnet3']
+
+ k8s_taints = [{ key = "spotInstance", value = "true", effect = "NO_SCHEDULE" }]
+
+ # NOTE: If we want the node group to scale-down to zero nodes,
+ # we need to use a custom launch template and define some additional tags for the ASGs
+ min_size = 0
+
+ # Launch template configuration
+ create_launch_template = true # false will use the default launch template
+ launch_template_os = "amazonlinux2eks" # amazonlinux2eks or bottlerocket
+
+ # This is so cluster autoscaler can identify which node (using ASGs tags) to scale-down to zero nodes
+ additional_tags = {
+ "k8s.io/cluster-autoscaler/node-template/label/eks.amazonaws.com/capacityType" = "SPOT"
+ "k8s.io/cluster-autoscaler/node-template/label/eks/node_group_name" = "mng-spot-2vcpu-8mem"
+ }
+ }
+ }
+
+ self_managed_node_groups = var.enable_managed_nodegroups == true ? tomap({}) : {
+ self_mg1 = {
+ node_group_name = "self_mg1"
+ subnet_ids = module.vpc.private_subnets
+ create_launch_template = true
+ launch_template_os = "amazonlinux2eks" # amazonlinux2eks or bottlerocket or windows
+ custom_ami_id = "" # Bring your own custom AMI generated by Packer/ImageBuilder/Puppet etc.
+
+ create_iam_role = false # Changing `create_iam_role=false` to bring your own IAM Role
+ iam_role_arn = module.eks.aws_iam_role_self_managed_ng_arn # custom IAM role for aws-auth mapping; used when create_iam_role = false
+ iam_instance_profile_name = module.eks.aws_iam_instance_profile_self_managed_ng_name # IAM instance profile name for Launch templates; used when create_iam_role = false
+
+ format_mount_nvme_disk = true
+ public_ip = false
+ enable_monitoring = false
+
+ placement = {
+ affinity = null
+ availability_zone = null
+ group_name = null
+ host_id = null
+ tenancy = var.eks_worker_tenancy
+ }
+
+ enable_metadata_options = false
+
+ pre_userdata = <<-EOT
+ yum install -y amazon-ssm-agent
+ systemctl enable amazon-ssm-agent && systemctl start amazon-ssm-agent
+ EOT
+
+ # bootstrap_extra_args used only when you pass custom_ami_id. Allows you to change the Container Runtime for Nodes
+ # e.g., bootstrap_extra_args="--use-max-pods false --container-runtime containerd"
+ bootstrap_extra_args = "--use-max-pods false"
+
+ block_device_mappings = [
+ {
+ device_name = "/dev/xvda" # mount point to /
+ volume_type = "gp3"
+ volume_size = 50
+ },
+ {
+ device_name = "/dev/xvdf" # mount point to /local1 (it could be local2, depending upon the disks are attached during boot)
+ volume_type = "gp3"
+ volume_size = 80
+ iops = 3000
+ throughput = 125
+ },
+ {
+ device_name = "/dev/xvdg" # mount point to /local2 (it could be local1, depending upon the disks are attached during boot)
+ volume_type = "gp3"
+ volume_size = 100
+ iops = 3000
+ throughput = 125
+ }
+ ]
+
+ instance_type = "m5.xlarge"
+ desired_size = 3
+ max_size = 10
+ min_size = 3
+ capacity_type = "" # Optional Use this only for SPOT capacity as capacity_type = "spot"
+
+ k8s_labels = {
+ Environment = "preprod"
+ Zone = "test"
+ }
+
+ additional_tags = {
+ ExtraTag = "m5x-on-demand"
+ Name = "m5x-on-demand"
+ subnet_type = "private"
+ }
+ }
+ }
+}
+
+###########################################################
+####################### VPC ###############################
+
+module "vpc" {
+ # source = "git::https://github.com/defenseunicorns/iac.git//modules/vpc?ref=v"
+ source = "../../modules/vpc"
+
+ region = var.region
+ name = var.vpc_name
+ vpc_cidr = var.vpc_cidr
+ azs = ["${var.region}a", "${var.region}b", "${var.region}c"]
+ public_subnets = [for k, v in module.vpc.azs : cidrsubnet(module.vpc.vpc_cidr_block, 5, k)]
+ private_subnets = [for k, v in module.vpc.azs : cidrsubnet(module.vpc.vpc_cidr_block, 5, k + 4)]
+ database_subnets = [for k, v in module.vpc.azs : cidrsubnet(module.vpc.vpc_cidr_block, 5, k + 8)]
+ single_nat_gateway = true
+ enable_nat_gateway = true
+
+ private_subnet_tags = {
+ "kubernetes.io/cluster/${var.cluster_name}" = "shared"
+ "kubernetes.io/role/internal-elb" = 1
+ }
+ create_database_subnet_group = true
+ create_database_subnet_route_table = true
+
+ instance_tenancy = var.vpc_instance_tenancy # dedicated tenancy globally set in VPC does not currently work with EKS
+}
+
+###########################################################
+##################### Bastion #############################
+
+module "bastion" {
+ # source = "git::https://github.com/defenseunicorns/iac.git//modules/bastion?ref=v"
+ source = "../../modules/bastion"
+
+ ami_id = var.bastion_ami_id
+ instance_type = var.bastion_instance_type
+ root_volume_config = {
+ volume_type = "gp3"
+ volume_size = "20"
+ encrypted = true
+ }
+ name = var.bastion_name
+ vpc_id = module.vpc.vpc_id
+ subnet_id = module.vpc.private_subnets[0]
+ aws_region = var.region
+ access_log_bucket_name = "${var.bastion_name}-access-logs"
+ bucket_name = "${var.bastion_name}-session-logs"
+ ssh_user = var.bastion_ssh_user
+ ssh_password = var.bastion_ssh_password
+ assign_public_ip = false # var.assign_public_ip
+ enable_log_to_s3 = true
+ enable_log_to_cloudwatch = true
+ vpc_endpoints_enabled = true
+ tenancy = var.bastion_tenancy
+ zarf_version = var.zarf_version
+ tags = {
+ Function = "bastion-ssm"
+ }
+}
+
+###########################################################
+################### EKS Cluster ###########################
+module "eks" {
+ # source = "git::https://github.com/defenseunicorns/iac.git//modules/eks?ref=v"
+ source = "../../modules/eks"
+
+ name = var.cluster_name
+ aws_region = var.region
+ aws_account = var.account
+ vpc_id = module.vpc.vpc_id
+ private_subnet_ids = module.vpc.private_subnets
+ control_plane_subnet_ids = module.vpc.private_subnets
+ source_security_group_id = module.bastion.security_group_ids[0]
+ cluster_endpoint_public_access = var.cluster_endpoint_public_access
+ cluster_endpoint_private_access = true
+ cluster_kms_key_additional_admin_arns = local.admin_arns
+ eks_k8s_version = var.eks_k8s_version
+ bastion_role_arn = module.bastion.bastion_role_arn
+ bastion_role_name = module.bastion.bastion_role_name
+ aws_auth_eks_map_users = local.aws_auth_eks_map_users
+ enable_managed_nodegroups = var.enable_managed_nodegroups
+ managed_node_groups = local.managed_node_groups
+ self_managed_node_groups = local.self_managed_node_groups
+
+ #---------------------------------------------------------------
+ # EKS Blueprints - EKS Add-Ons
+ #---------------------------------------------------------------
+
+ enable_eks_vpc_cni = true
+ enable_eks_coredns = true
+ enable_eks_kube_proxy = true
+ enable_eks_ebs_csi_driver = true
+ enable_eks_metrics_server = true
+
+ enable_eks_cluster_autoscaler = true
+ cluster_autoscaler_helm_config = {
+ set = [
+ {
+ name = "extraArgs.expander"
+ value = "priority"
+ },
+ {
+ name = "expanderPriorities"
+ value = <<-EOT
+ 100:
+ - .*-spot-2vcpu-8mem.*
+ 90:
+ - .*-spot-4vcpu-16mem.*
+ 10:
+ - .*
+ EOT
+ }
+ ]
+ }
+}
diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf
new file mode 100644
index 00000000..2146a3e6
--- /dev/null
+++ b/examples/complete/outputs.tf
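Review bot: In the `mng_lt` node group `http_tokens = "optional"` keeps IMDSv1 enabled on the workers and `http_put_response_hop_limit = 3` lets any pod on the node reach the instance metadata, which together expose the node IAM role to every container scheduled there; `http_tokens = "required"` with a hop limit of 1 (2 only if pods must legitimately read IMDS) is the usual setting, and `enable_metadata_options = false` on `self_mg1` leaves the same question open for the self-managed group. Separately, `module "bastion"` passes `ami_id = var.bastion_ami_id` straight through, but that variable's new default is `""` with a description promising an Amazon Linux 2 lookup, and this example declares no `data "aws_ami"` for the bastion, so the default yields an empty AMI id; either add the lookup and `coalesce(var.bastion_ami_id, <lookup>.id)` here or keep a real default. Every entry in `var.aws_admin_usernames` is also mapped to `groups = ["system:masters"]`; a comment at `aws_auth_eks_map_users` such as `# these IAM users receive unrestricted cluster-admin; keep the list short` would help readers scope that input.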
@@ -0,0 +1,40 @@
+output "loki_s3_bucket" {
+ description = "Loki S3 Bucket Name"
+ value = module.loki_s3_bucket.s3_bucket
+}
+
+output "keycloak_db_instance_endpoint" {
+ description = "The connection endpoint"
+ value = module.rds_postgres_keycloak[0].db_instance_endpoint
+}
+
+output "keycloak_db_instance_name" {
+ description = "The database name"
+ value = module.rds_postgres_keycloak[0].db_instance_name
+}
+
+output "keycloak_db_instance_username" {
+ description = "The master username for the database"
+ value = module.rds_postgres_keycloak[0].db_instance_username
+ sensitive = true
+}
+
+output "keycloak_db_instance_port" {
+ description = "The database port"
+ value = module.rds_postgres_keycloak[0].db_instance_port
+}
+
+output "bastion_instance_id" {
+ description = "The ID of the bastion host"
+ value = module.bastion.instance_id
+}
+
+output "bastion_private_key" {
+ description = "The private key for the bastion host"
+ value = module.bastion.private_key
+ sensitive = true
+}
+output "dynamodb_name" {
+ description = "Name of DynmoDB table"
+ value = module.loki_s3_bucket.dynamodb_name
+}
diff --git a/examples/complete/providers.tf b/examples/complete/providers.tf
new file mode 100644
index 00000000..89fb9ef4
--- /dev/null
+++ b/examples/complete/providers.tf
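Review bot: The four `keycloak_db_instance_*` outputs index `module.rds_postgres_keycloak[0]`, but that module is created with `count = var.keycloak_enabled ? 1 : 0` and `keycloak_enabled` defaults to false, so any run without Keycloak fails at plan time with an invalid index. Guard each value, e.g. `value = var.keycloak_enabled ? module.rds_postgres_keycloak[0].db_instance_endpoint : null` (or `one(module.rds_postgres_keycloak[*].db_instance_endpoint)`), and apply the same form to the name, username and port outputs. The `dynamodb_name` description reads `"Name of DynmoDB table"`; it should be `"Name of DynamoDB table"`.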
@@ -0,0 +1,39 @@
+
+data "aws_eks_cluster_auth" "this" {
+ name = module.eks.eks_cluster_id
+}
+
+data "aws_eks_cluster" "example" {
+ name = module.eks.eks_cluster_id
+}
+
+provider "aws" {
+ region = var.region
+}
+
+provider "aws" {
+ alias = "region2"
+ region = var.region2
+}
+
+provider "kubernetes" {
+ host = data.aws_eks_cluster.example.endpoint
+ cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data)
+ exec {
+ api_version = "client.authentication.k8s.io/v1"
+ args = ["eks", "get-token", "--cluster-name", var.cluster_name]
+ command = "aws"
+ }
+}
+
+provider "helm" {
+ kubernetes {
+ host = data.aws_eks_cluster.example.endpoint
+ cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data)
+ exec {
+ api_version = "client.authentication.k8s.io/v1"
+ args = ["eks", "get-token", "--cluster-name", var.cluster_name]
+ command = "aws"
+ }
+ }
+}
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
new file mode 100644
index 00000000..6588c129
--- /dev/null
+++ b/examples/complete/variables.tf
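Review bot: `var.aws_profile` is declared and set in the fixtures (`aws_profile = "foo"`) but neither `provider "aws"` block uses it, so the deployment silently runs with whatever credentials the environment resolves rather than the profile the operator named; either plumb it through (e.g. `profile = var.aws_profile` on both blocks, kept optional for CI where static credentials are injected) or drop the variable. `data "aws_eks_cluster_auth" "this"` is not referenced anywhere in the visible files — the kubernetes and helm providers authenticate through the `exec` plugin — so it appears to be dead code that still fetches a short-lived token on every plan. The `exec` blocks pass `var.cluster_name` while the data sources use `module.eks.eks_cluster_id`; using the module output in both places keeps token and endpoint pointing at the same cluster.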
@@ -0,0 +1,188 @@
+###########################################################
+################## Global Settings ########################
+
+variable "region" {
+ description = "The AWS region to deploy into"
+ type = string
+}
+
+variable "region2" {
+ description = "The AWS region to deploy into"
+ type = string
+}
+
+variable "account" {
+ description = "The AWS account to deploy into"
+ type = string
+}
+
+variable "aws_profile" {
+ description = "The AWS profile to use for deployment"
+ type = string
+}
+
+variable "aws_admin_usernames" {
+ description = "A list of one or more AWS usernames with authorized access to KMS and EKS resources"
+ type = list(string)
+}
+
+###########################################################
+#################### VPC Config ###########################
+
+variable "vpc_cidr" {
+ description = "The CIDR block for the VPC"
+ type = string
+}
+
+variable "vpc_name" {
+ description = "The name to use for the VPC"
+ type = string
+ default = "my-vpc"
+}
+
+variable "create_database_subnet_group" {
+ description = "Whether to create a database subnet group"
+ type = bool
+ default = true
+}
+
+variable "create_database_subnet_route_table" {
+ description = "Whether to create a database subnet route table"
+ type = bool
+ default = true
+}
+
+###########################################################
+#################### EKS Config ###########################
+
+variable "cluster_name" {
+ description = "The name to use for the EKS cluster"
+ type = string
+ default = "my-eks"
+}
+
+variable "eks_k8s_version" {
+ description = "The Kubernetes version to use for the EKS cluster"
+ type = string
+ default = "1.23"
+}
+
+variable "cluster_endpoint_public_access" {
+ description = "Whether to enable private access to the EKS cluster"
+ type = bool
+ default = false
+}
+
+variable "enable_managed_nodegroups" {
+ description = "Enable managed node groups. If false, self managed node groups will be used."
+ type = bool
+}
+
+###########################################################
+################## Bastion Config #########################
+
+variable "bastion_name" {
+ description = "The name to use for the bastion"
+ type = string
+ default = "my-bastion"
+}
+
+variable "bastion_instance_type" {
+ description = "value for the instance type of the EKS worker nodes"
+ type = string
+ default = "m5.xlarge"
+}
+
+variable "assign_public_ip" {
+ description = "Whether to assign a public IP to the bastion"
+ type = bool
+ default = false
+}
+
+variable "bastion_ami_id" {
+ description = "(Optional) The AMI ID to use for the bastion, will query the latest Amazon Linux 2 AMI if not provided"
+ type = string
+ default = ""
+}
+variable "bastion_ssh_user" {
+ description = "The SSH user to use for the bastion"
+ type = string
+ default = "ec2-user"
+}
+
+variable "bastion_ssh_password" {
+ description = "The SSH password to use for the bastion if SSM authentication is used"
+ type = string
+ default = "my-password"
+}
+
+###########################################################
+############## Big Bang Dependencies ######################
+
+variable "keycloak_enabled" {
+ description = "Whether to enable Keycloak"
+ type = bool
+ default = false
+}
+
+#################### Keycloak ###########################
+
+variable "keycloak_db_password" {
+ description = "The password to use for the Keycloak database"
+ type = string
+ default = "my-password"
+}
+
+variable "kc_db_engine_version" {
+ description = "The database engine to use for Keycloak"
+ type = string
+}
+
+variable "kc_db_family" {
+ description = "The database family to use for Keycloak"
+ type = string
+}
+
+variable "kc_db_major_engine_version" {
+ description = "The database major engine version to use for Keycloak"
+ type = string
+}
+
+variable "kc_db_instance_class" {
+ description = "The database instance class to use for Keycloak"
+ type = string
+}
+
+variable "kc_db_allocated_storage" {
+ description = "The database allocated storage to use for Keycloak"
+ type = number
+}
+
+variable "kc_db_max_allocated_storage" {
+ description = "The database allocated storage to use for Keycloak"
+ type = number
+}
+
+variable "vpc_instance_tenancy" {
+ description = "The tenancy of instances launched into the VPC"
+ type = string
+ default = "default"
+}
+
+variable "bastion_tenancy" {
+ description = "The tenancy of the bastion"
+ type = string
+ default = "default"
+}
+
+variable "eks_worker_tenancy" {
+ description = "The tenancy of the EKS worker nodes"
+ type = string
+ default = "default"
+}
+
+variable "zarf_version" {
+ description = "The version of Zarf to use"
+ type = string
+ default = ""
+}
From 5f8ddf8782c6112f6efab25b792b57dfee9e85ba Mon Sep 17 00:00:00 2001
From: Andy Roth
Date: Wed, 1 Mar 2023 18:15:55 -0800
Subject: [PATCH 68/88] wip
---
 .gitignore | 2 +-
 .golangci.yml | 2 +
 .tool-versions | 2 +-
 Makefile | 28 +-
 examples/complete/.terraform.lock.hcl | 222 ------
 examples/complete/fixtures.common.tfvars | 2 -
 examples/complete/main.tf | 10 +-
 examples/complete/variables.tf | 10 -
 go.mod | 83 +++
 go.sum | 758 ++++++++++++++++++++
 test/e2e/dummy_test.go | 8 -
 test/e2e/examples_complete_insecure_test.go | 36 +
 12 files changed, 907 insertions(+), 256 deletions(-)
 delete mode 100644 examples/complete/.terraform.lock.hcl
 create mode 100644 go.sum
 delete mode 100644 test/e2e/dummy_test.go
 create mode 100644 test/e2e/examples_complete_insecure_test.go
diff --git a/.gitignore b/.gitignore
index 5684bf46..45abd0ad 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,7 +3,7 @@ .DS_Store # Local .terraform directories
-**/.terraform/*
+.terraform/
 *.terraform.* # except .terraform.lock.hcl
diff --git a/.golangci.yml b/.golangci.yml
index ccc8482c..e45792a8 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -5,8 +5,10 @@ linters: disable: - exhaustivestruct - exhaustruct
+ - gci
 - goerr113 - gofumpt
+ - goimports
 - gomnd - lll - nlreturn
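Review bot: `bastion_ssh_password` and `keycloak_db_password` are declared with `default = "my-password"` and without `sensitive = true`, so a run that forgets to override them ships a known credential and every plan prints the value in clear; drop both defaults and add `sensitive = true` to each. Several descriptions are wrong or copy-pasted: `cluster_endpoint_public_access` says "Whether to enable private access", `bastion_instance_type` says "instance type of the EKS worker nodes", `region2` repeats the `region` text instead of naming the RDS backup region, and `kc_db_max_allocated_storage` repeats the `kc_db_allocated_storage` text. `create_database_subnet_group`, `create_database_subnet_route_table` and `assign_public_ip` are declared here but main.tf passes literal values (`true`, `true`, `false`) in their place, so they appear unused in the visible files and should either be wired in or removed.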
diff --git a/.tool-versions b/.tool-versions
index 0a16e46a..40508305 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -3,7 +3,7 @@ checkov 2.3.3 golang 1.19.5 golangci-lint 1.50.1 pre-commit 3.0.1
-terraform 1.3.7
+terraform 1.3.9
 terraform-docs 0.16.0 tflint 0.44.1 tfsec 1.28.1
diff --git a/Makefile b/Makefile
index bacdc3ef..5028ee23 100644
--- a/Makefile
+++ b/Makefile
@@ -1,9 +1,15 @@ # The version of the build harness container to use BUILD_HARNESS_REPO := ghcr.io/defenseunicorns/not-a-build-harness/not-a-build-harness
-BUILD_HARNESS_VERSION := 0.0.4
+BUILD_HARNESS_VERSION := 0.0.7
 .DEFAULT_GOAL := help
+# Optionally add the "-it" flag for docker run commands if the env var "CI" is not set (meaning we are on a local machine and not in github actions)
+TTY_ARG :=
+ifndef CI
+ TTY_ARG := -it
+endif
+
 # Silent mode by default. Run `make VERBOSE=1` to turn off silent mode. ifndef VERBOSE .SILENT:
@@ -20,23 +26,27 @@ help: ## Show a list of all targets
 .PHONY: test
 test: ## Run all automated tests. Requires access to an AWS account. Costs real money.
- go test -v -timeout 2h ./...
+ mkdir -p .cache/go
+ mkdir -p .cache/go-build
+ mkdir -p .cache/tmp
+ echo "Running automated tests. This will take several minutes. At times it does not log anything to the console. If you interrupt the test run you will need to log into AWS console and manually delete any orphaned infrastructure."
+ docker run $(TTY_ARG) --rm -v "${PWD}:/app" -v "${PWD}/.cache/tmp:/tmp" -v "${PWD}/.cache/go:/root/go" -v "${PWD}/.cache/go-build:/root/.cache/go-build" --workdir "/app/test/e2e" -e GOPATH=/root/go -e GOCACHE=/root/.cache/go-build -e REPO_URL -e GIT_BRANCH -e AWS_REGION -e AWS_DEFAULT_REGION -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e AWS_SECURITY_TOKEN -e AWS_SESSION_EXPIRATION -e SKIP_SETUP -e SKIP_TEST -e SKIP_TEARDOWN $(BUILD_HARNESS_REPO):$(BUILD_HARNESS_VERSION) bash -c 'asdf install && go test -v -timeout 2h ./...'
 .PHONY: docker-save-build-harness
 docker-save-build-harness: ## Pulls the build harness docker image and saves it to a tarball
- @mkdir -p .cache/docker
- @docker pull $(BUILD_HARNESS_REPO):$(BUILD_HARNESS_VERSION)
- @docker save -o .cache/docker/build-harness.tar $(BUILD_HARNESS_REPO):$(BUILD_HARNESS_VERSION)
+ mkdir -p .cache/docker
+ docker pull $(BUILD_HARNESS_REPO):$(BUILD_HARNESS_VERSION)
+ docker save -o .cache/docker/build-harness.tar $(BUILD_HARNESS_REPO):$(BUILD_HARNESS_VERSION)
 .PHONY: docker-load-build-harness
 docker-load-build-harness: ## Loads the saved build harness docker image
- @docker load -i .cache/docker/build-harness.tar
+ docker load -i .cache/docker/build-harness.tar
 .PHONY: run-pre-commit-hooks
 run-pre-commit-hooks: ## Run all pre-commit hooks. Returns nonzero exit code if any hooks fail.
Uses Docker for maximum compatibility
- @mkdir -p .cache/pre-commit
- @docker run --rm -v "${PWD}:/app" --workdir "/app" -e "PRE_COMMIT_HOME=/app/.cache/pre-commit" $(BUILD_HARNESS_REPO):$(BUILD_HARNESS_VERSION) pre-commit run -a --show-diff-on-failure
+ mkdir -p .cache/pre-commit
+ docker run $(TTY_ARG) --rm -v "${PWD}:/app" --workdir "/app" -e "PRE_COMMIT_HOME=/app/.cache/pre-commit" $(BUILD_HARNESS_REPO):$(BUILD_HARNESS_VERSION) bash -c 'asdf install && pre-commit run -a --show-diff-on-failure'
 .PHONY: fix-cache-permissions
 fix-cache-permissions: ## Fixes the permissions on the pre-commit cache
- @docker run --rm -v "${PWD}:/app" --workdir "/app" -e "PRE_COMMIT_HOME=/app/.cache/pre-commit" $(BUILD_HARNESS_REPO):$(BUILD_HARNESS_VERSION) chmod -R a+rx .cache
+ docker run $(TTY_ARG) --rm -v "${PWD}:/app" --workdir "/app" -e "PRE_COMMIT_HOME=/app/.cache/pre-commit" $(BUILD_HARNESS_REPO):$(BUILD_HARNESS_VERSION) chmod -R a+rx .cache
diff --git a/examples/complete/.terraform.lock.hcl b/examples/complete/.terraform.lock.hcl
deleted file mode 100644
index 8f12bc6b..00000000
--- a/examples/complete/.terraform.lock.hcl
+++ /dev/null
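Review bot: The rewritten `test` recipe forwards the caller's AWS credentials (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_SECURITY_TOKEN`) into a container selected only by the mutable tag `$(BUILD_HARNESS_REPO):$(BUILD_HARNESS_VERSION)`, and that container then runs `asdf install`, which downloads toolchains at test time; whatever is behind that tag or those downloads when the recipe runs holds the credentials. Pinning the image by digest — for example a second variable `BUILD_HARNESS_DIGEST := sha256:<digest-placeholder>` used as `$(BUILD_HARNESS_REPO)@$(BUILD_HARNESS_DIGEST)` — would make `test`, `run-pre-commit-hooks` and `fix-cache-permissions` in this hunk reproducible and reviewable on each version bump. A short comment above the `test` recipe would also help a first-time user, e.g. `# Forwards the AWS credentials from the environment into the harness container; the tests create and destroy real resources.`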
@@ -1,222 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/gavinbunney/kubectl" { - version = "1.14.0" - constraints = ">= 1.14.0" - hashes = [ - "h1:mX2AOFIMIxJmW5kM8DT51gloIOKCr9iT6W8yodnUyfs=", - "zh:0350f3122ff711984bbc36f6093c1fe19043173fad5a904bce27f86afe3cc858", - "zh:07ca36c7aa7533e8325b38232c77c04d6ef1081cb0bac9d56e8ccd51f12f2030", - "zh:0c351afd91d9e994a71fe64bbd1662d0024006b3493bb61d46c23ea3e42a7cf5", - "zh:39f1a0aa1d589a7e815b62b5aa11041040903b061672c4cfc7de38622866cbc4", - "zh:428d3a321043b78e23c91a8d641f2d08d6b97f74c195c654f04d2c455e017de5", - "zh:4baf5b1de2dfe9968cc0f57fd4be5a741deb5b34ee0989519267697af5f3eee5", - "zh:6131a927f9dffa014ab5ca5364ac965fe9b19830d2bbf916a5b2865b956fdfcf", - "zh:c62e0c9fd052cbf68c5c2612af4f6408c61c7e37b615dc347918d2442dd05e93", - "zh:f0beffd7ce78f49ead612e4b1aefb7cb6a461d040428f514f4f9cc4e5698ac65", - ] -} - -provider "registry.terraform.io/hashicorp/aws" { - version = "4.56.0" - constraints = ">= 3.28.0, >= 3.72.0, >= 3.73.0, >= 4.9.0, >= 4.10.0, >= 4.13.0, >= 4.47.0" - hashes = [ - "h1:koDunHl/LUmCAKy3VFie6MakXN7ng93v8HBRpKI8He8=", - "zh:1d2b7693a102da015a86b9235b554272b9280597011216c3ddd1a6dc95ad8dab", - "zh:28c3e8ebaa077f65c4ac5fd051c95887070293fcff0386dfc2e4b7e248a0aefa", - "zh:2a620bc4a87be06e7acac1bc15e966dba45df643bf6c3efb811e74e6c2122b03", - "zh:30d3ac148fa0634e7ba1de66e1af1328481c92cd774adcfc0e27f828103b17e0", - "zh:3d3eebf916f25e11b12dd3c692f8fe1e4c4e9a0c414af9d0d881ddebd28dcd39", - "zh:3f4600f2881c02fcc69080df68747c9a0b9b11cb002117fd918b7800f2ac402b", - "zh:7156fb12c3b4f2964f7e78cee97f31d95b43045467f90749d2ed545725c36baa", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a5bbc84fd37d468c7b016009776b6d2a287bbb746af81aba786cdf8eb5fce4a1", - "zh:d5322bcd4e11caddbbfaa1198893824d4b4d28f504517a3a87902cf86d75bd87", - "zh:d766eb9f86a40060d63e12ef674d7c9c47ec4e47ade487f1f49af8c89b441711", 
- "zh:df23f592b99f6617f09e449009bbb49068a69fc926b15ca29e30b068c9c67365", - "zh:e7b0acee2d98549731547259b539f598e18db07c0c202d3a34b922beff711054", - "zh:ec317f79fdcce934c39458ea312862e7f7ec48cafb8bcc9b5a00d9b78b629d81", - "zh:f78ec7a771867d96dfee96bf74523341ba42feeb64ce2f108b5bf2e7ebef0fef", - ] -} - -provider "registry.terraform.io/hashicorp/cloudinit" { - version = "2.3.2" - constraints = ">= 2.0.0" - hashes = [ - "h1:Ar/DAbZQ9Nsj0BrqX6camrEE6U+Yq4E87DCNVqxqx8k=", - "zh:2487e498736ed90f53de8f66fe2b8c05665b9f8ff1506f751c5ee227c7f457d1", - "zh:3d8627d142942336cf65eea6eb6403692f47e9072ff3fa11c3f774a3b93130b3", - "zh:434b643054aeafb5df28d5529b72acc20c6f5ded24decad73b98657af2b53f4f", - "zh:436aa6c2b07d82aa6a9dd746a3e3a627f72787c27c80552ceda6dc52d01f4b6f", - "zh:458274c5aabe65ef4dbd61d43ce759287788e35a2da004e796373f88edcaa422", - "zh:54bc70fa6fb7da33292ae4d9ceef5398d637c7373e729ed4fce59bd7b8d67372", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:893ba267e18749c1a956b69be569f0d7bc043a49c3a0eb4d0d09a8e8b2ca3136", - "zh:95493b7517bce116f75cdd4c63b7c82a9d0d48ec2ef2f5eb836d262ef96d0aa7", - "zh:9ae21ab393be52e3e84e5cce0ef20e690d21f6c10ade7d9d9d22b39851bfeddc", - "zh:cc3b01ac2472e6d59358d54d5e4945032efbc8008739a6d4946ca1b621a16040", - "zh:f23bfe9758f06a1ec10ea3a81c9deedf3a7b42963568997d84a5153f35c5839a", - ] -} - -provider "registry.terraform.io/hashicorp/helm" { - version = "2.9.0" - constraints = ">= 2.4.1, >= 2.5.1" - hashes = [ - "h1:3M1gPJ2W3qtYr6do1HkH5l03kSEHIYMQ97W2tP59dYY=", - "zh:1471cb45908b426104687c962007b2980cfde294fa3530fabc4798ce9fb6c20c", - "zh:1572e9cec20591ec08ece797b3630802be816a5adde36ca91a93359f2430b130", - "zh:1b10ae03cf5ab1ae21ffaac2251de99797294ae4242b156b3b0beebbdbcb7e0f", - "zh:3bd043b68de967d8d0b549d3f71485193d81167d5656f5507d743dedfe60e352", - "zh:538911921c729185900176cc22eb8edcb822bc8d22b9ebb48103a1d9bb53cc38", - "zh:69a6a2d40c0463662c3fb1621e37a3ee65024ea4479adf4d5f7f19fb0dea48c2", - 
"zh:94b58daa0c351a49d01f6d8f1caae46c95c2d6c3f29753e2b9ea3e3c0e7c9ab4", - "zh:9d0543331a4a32241e1ab5457f30b41df745acb235a0391205c725a5311e4809", - "zh:a6789306524ca121512a95e873e3949b4175114a6c5db32bed2df2551a79368f", - "zh:d146b94cd9502cca7f2044797a328d71c7ec2a98e2d138270d8a28c872f04289", - "zh:d14ccd14511f0446eacf43a9243f22de7c1427ceb059cf67d7bf9803be2cb15d", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} - -provider "registry.terraform.io/hashicorp/kubernetes" { - version = "2.18.1" - constraints = ">= 2.6.1, >= 2.10.0" - hashes = [ - "h1:vBRsQjT8QeFe8C9yJ1PR43wzX4hM5UssxlHkPPo34gU=", - "zh:09d69d244f5e688d9b1582112aa5d151c5336278e43d39c88ae920c26536b753", - "zh:0df4c988056f7d84d9161c6c955ad7346364c261d100ef510a6cc7fa4a235197", - "zh:2d3d0cb2931b6153a7971ce8c6fae92722b1116e16f42abbaef115dba895c8d8", - "zh:47830e8fc1760860bfa4aaf418627ff3c6ffcac6cebbbc490e5e0e6b31287d80", - "zh:49467177b514bada0fb3b6982897a347498af8ef9ef8d9fd611fe21dfded2e25", - "zh:5c7eae2c51ba175822730a63ad59cf41604c76c46c5c97332506ab42023525ce", - "zh:6efae755f02df8ab65ce7a831f33bd4817359db205652fd4bc4b969302072b15", - "zh:7e6e97b79fecd25aaf0f4fb91da945a65c36fe2ba2a4313288a60ede55506aad", - "zh:b75f2c9dd24b355ffe73e7b2fcd3145fc32735068f0ec2eba2df63f792dd16e8", - "zh:dbef9698d842eb49a846db6d7694f159ae5154ffbb7a753a9d4cab88c462a6d4", - "zh:f1b1fd580d92eedd9c8224d463997ccff1a62851fea65106aac299efe9ab622a", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} - -provider "registry.terraform.io/hashicorp/local" { - version = "2.3.0" - constraints = ">= 2.1.0" - hashes = [ - "h1:7y8CXQKtfyvrMCSWgCkCclNN9L161u6jO1dEGVaB5RQ=", - "zh:1f1920b3f78c31c6b69cdfe1e016a959667c0e2d01934e1a084b94d5a02cd9d2", - "zh:550a3cdae0ddb350942624e7b2e8b31d28bc15c20511553432413b1f38f4b214", - "zh:68d1d9ccbfce2ce56b28a23b22833a5369d4c719d6d75d50e101a8a8dbe33b9b", - "zh:6ae3ad6d865a906920c313ec2f413d080efe32c230aca711fd106b4cb9022ced", - 
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:a0f413d50f54124057ae3dcd9353a797b84e91dc34bcf85c34a06f8aef1f9b12", - "zh:a2ac6d4088ceddcd73d88505e18b8226a6e008bff967b9e2d04254ef71b4ac6b", - "zh:a851010672e5218bdd4c4ea1822706c9025ef813a03da716d647dd6f8e2cffb0", - "zh:aa797561755041ef2fad99ee9ffc12b5e724e246bb019b21d7409afc2ece3232", - "zh:c6afa960a20d776f54bb1fc260cd13ead17280ebd87f05b9abcaa841ed29d289", - "zh:df0975e86b30bb89717b8c8d6d4690b21db66de06e79e6d6cfda769f3304afe6", - "zh:f0d3cc3da72135efdbe8f4cfbfb0f2f7174827887990a5545e6db1981f0d3a7c", - ] -} - -provider "registry.terraform.io/hashicorp/null" { - version = "3.2.1" - constraints = ">= 3.0.0, >= 3.1.0" - hashes = [ - "h1:tSj1mL6OQ8ILGqR2mDu7OYYYWf+hoir0pf9KAQ8IzO8=", - "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840", - "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb", - "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5", - "zh:74cb22c6700e48486b7cabefa10b33b801dfcab56f1a6ac9b6624531f3d36ea3", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:79e553aff77f1cfa9012a2218b8238dd672ea5e1b2924775ac9ac24d2a75c238", - "zh:a1e06ddda0b5ac48f7e7c7d59e1ab5a4073bbcf876c73c0299e4610ed53859dc", - "zh:c37a97090f1a82222925d45d84483b2aa702ef7ab66532af6cbcfb567818b970", - "zh:e4453fbebf90c53ca3323a92e7ca0f9961427d2f0ce0d2b65523cc04d5d999c2", - "zh:e80a746921946d8b6761e77305b752ad188da60688cfd2059322875d363be5f5", - "zh:fbdb892d9822ed0e4cb60f2fedbdbb556e4da0d88d3b942ae963ed6ff091e48f", - "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694", - ] -} - -provider "registry.terraform.io/hashicorp/random" { - version = "3.4.3" - hashes = [ - "h1:tL3katm68lX+4lAncjQA9AXL4GR/VM+RPwqYf4D2X8Q=", - "zh:41c53ba47085d8261590990f8633c8906696fa0a3c4b384ff6a7ecbf84339752", - "zh:59d98081c4475f2ad77d881c4412c5129c56214892f490adf11c7e7a5a47de9b", - 
"zh:686ad1ee40b812b9e016317e7f34c0d63ef837e084dea4a1f578f64a6314ad53", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:84103eae7251384c0d995f5a257c72b0096605048f757b749b7b62107a5dccb3", - "zh:8ee974b110adb78c7cd18aae82b2729e5124d8f115d484215fd5199451053de5", - "zh:9dd4561e3c847e45de603f17fa0c01ae14cae8c4b7b4e6423c9ef3904b308dda", - "zh:bb07bb3c2c0296beba0beec629ebc6474c70732387477a65966483b5efabdbc6", - "zh:e891339e96c9e5a888727b45b2e1bb3fcbdfe0fd7c5b4396e4695459b38c8cb1", - "zh:ea4739860c24dfeaac6c100b2a2e357106a89d18751f7693f3c31ecf6a996f8d", - "zh:f0c76ac303fd0ab59146c39bc121c5d7d86f878e9a69294e29444d4c653786f8", - "zh:f143a9a5af42b38fed328a161279906759ff39ac428ebcfe55606e05e1518b93", - ] -} - -provider "registry.terraform.io/hashicorp/time" { - version = "0.9.1" - constraints = ">= 0.7.0, >= 0.8.0" - hashes = [ - "h1:UHcDnIYFZ00uoou0TwPGMwOrE8gTkoRephIvdwDAK70=", - "zh:00a1476ecf18c735cc08e27bfa835c33f8ac8fa6fa746b01cd3bcbad8ca84f7f", - "zh:3007f8fc4a4f8614c43e8ef1d4b0c773a5de1dcac50e701d8abc9fdc8fcb6bf5", - "zh:5f79d0730fdec8cb148b277de3f00485eff3e9cf1ff47fb715b1c969e5bbd9d4", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:8c8094689a2bed4bb597d24a418bbbf846e15507f08be447d0a5acea67c2265a", - "zh:a6d9206e95d5681229429b406bc7a9ba4b2d9b67470bda7df88fa161508ace57", - "zh:aa299ec058f23ebe68976c7581017de50da6204883950de228ed9246f309e7f1", - "zh:b129f00f45fba1991db0aa954a6ba48d90f64a738629119bfb8e9a844b66e80b", - "zh:ef6cecf5f50cda971c1b215847938ced4cb4a30a18095509c068643b14030b00", - "zh:f1f46a4f6c65886d2dd27b66d92632232adc64f92145bf8403fe64d5ffa5caea", - "zh:f79d6155cda7d559c60d74883a24879a01c4d5f6fd7e8d1e3250f3cd215fb904", - "zh:fd59fa73074805c3575f08cd627eef7acda14ab6dac2c135a66e7a38d262201c", - ] -} - -provider "registry.terraform.io/hashicorp/tls" { - version = "4.0.4" - constraints = ">= 3.0.0" - hashes = [ - "h1:Wd3RqmQW60k2QWPN4sK5CtjGuO1d+CRNXgC+D4rKtXc=", - 
"zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55", - "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848", - "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be", - "zh:5a8eec2409a9ff7cd0758a9d818c74bcba92a240e6c5e54b99df68fff312bbd5", - "zh:5e6a4b39f3171f53292ab88058a59e64825f2b842760a4869e64dc1dc093d1fe", - "zh:810547d0bf9311d21c81cc306126d3547e7bd3f194fc295836acf164b9f8424e", - "zh:824a5f3617624243bed0259d7dd37d76017097dc3193dac669be342b90b2ab48", - "zh:9361ccc7048be5dcbc2fafe2d8216939765b3160bd52734f7a9fd917a39ecbd8", - "zh:aa02ea625aaf672e649296bce7580f62d724268189fe9ad7c1b36bb0fa12fa60", - "zh:c71b4cd40d6ec7815dfeefd57d88bc592c0c42f5e5858dcc88245d371b4b8b1e", - "zh:dabcd52f36b43d250a3d71ad7abfa07b5622c69068d989e60b79b2bb4f220316", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} - -provider "registry.terraform.io/terraform-aws-modules/http" { - version = "2.4.1" - constraints = "2.4.1" - hashes = [ - "h1:FINkX7/X/cr5NEssB7dMqVWa6YtJtmwzvkfryuR39/k=", - "zh:0111f54de2a9815ded291f23136d41f3d2731c58ea663a2e8f0fef02d377d697", - "zh:0740152d76f0ccf54f4d0e8e0753739a5233b022acd60b5d2353d248c4c17204", - "zh:569518f46809ec9cdc082b4dfd4e828236eee2b50f87b301d624cfd83b8f5b0d", - "zh:7669f7691de91eec9f381e9a4be81aa4560f050348a86c6ea7804925752a01bb", - "zh:81cd53e796ec806aca2d8e92a2aed9135661e170eeff6cf0418e54f98816cd05", - "zh:82f01abd905090f978b169ac85d7a5952322a5f0f460269dd981b3596652d304", - "zh:9a235610066e0f7e567e69c23a53327271a6fc568b06bf152d8fe6594749ed2b", - "zh:aeabdd8e633d143feb67c52248c85358951321e35b43943aeab577c005abd30a", - "zh:c20d22dba5c79731918e7192bc3d0b364d47e98a74f47d287e6cc66236bc0ed0", - "zh:c4fea2cb18c31ed7723deec5ebaff85d6795bb6b6ed3b954794af064d17a7f9f", - "zh:e21e88b6e7e55b9f29b046730d9928c65a4f181fd5f60a42f1cd41b46a0a938d", - "zh:eddb888a74dea348a0acdfee13a08875bacddde384bd9c28342a534269665568", - 
"zh:f46d5f1403b8d8dfafab9bdd7129d3080bb62a91ea726f477fd43560887b8c4a",
- ]
-}
diff --git a/examples/complete/fixtures.common.tfvars b/examples/complete/fixtures.common.tfvars
index 19645a0d..51b6a959 100644
--- a/examples/complete/fixtures.common.tfvars
+++ b/examples/complete/fixtures.common.tfvars
@@ -3,8 +3,6 @@
 region = "us-east-2" # target AWS region
 region2 = "us-east-1" # RDS backup target AWS region
-account = "1234567890" # target AWS account
-aws_profile = "foo" # local AWS profile to be used for deployment
 aws_admin_usernames = ["John.Smith"] # list of users to be added to the AWS admin group
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 32575359..d2fb550f 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -1,5 +1,7 @@
 data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+
 data "aws_ami" "amazonlinux2eks" {
 most_recent = true
@@ -12,13 +14,15 @@ data "aws_ami" "amazonlinux2eks" {
 }
 locals {
+ account = data.aws_caller_identity.current.account_id
+
 tags = {
 Blueprint = "${replace(basename(path.cwd), "_", "-")}" # tag names based on the directory name
 GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints"
 }
- admin_arns = [for admin_user in var.aws_admin_usernames : "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${admin_user}"]
+ admin_arns = [for admin_user in var.aws_admin_usernames : "arn:${data.aws_partition.current.partition}:iam::${local.account}:user/${admin_user}"]
 aws_auth_eks_map_users = [for admin_user in var.aws_admin_usernames : {
- userarn = "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${admin_user}"
+ userarn = "arn:${data.aws_partition.current.partition}:iam::${local.account}:user/${admin_user}"
 username = "${admin_user}"
 groups = ["system:masters"]
 }
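Review bot: `local.account` now comes from `data.aws_caller_identity.current.account_id`, so the example deploys into whichever account the ambient credentials resolve to, and the removed `account` variable was the only place the intended account was stated; nothing in the new code notices a wrong profile or an assumed role pointing at a different account. Since `.tool-versions` pins Terraform 1.3.9, a `lifecycle { postcondition }` on the data source can fail the plan when the resolved account differs from an expected value, with an empty expected value keeping today's behaviour (the variable name below is a proposal, not part of this diff). The same derived value feeds `admin_arns`, the `aws-auth` user ARNs in this hunk, and `aws_account` in the `module "eks"` hunk at new line 379, so one check at the data source covers all of them.

```hcl
data "aws_caller_identity" "current" {
  lifecycle {
    postcondition {
      # expected_account_id is a proposed variable (default ""); empty skips the check.
      condition     = var.expected_account_id == "" || self.account_id == var.expected_account_id
      error_message = "Credentials resolve to account ${self.account_id}, expected ${var.expected_account_id}."
    }
  }
}
```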
@@ -375,7 +379,7 @@ module "eks" {
 name = var.cluster_name
 aws_region = var.region
- aws_account = var.account
+ aws_account = local.account
 vpc_id = module.vpc.vpc_id
 private_subnet_ids = module.vpc.private_subnets
 control_plane_subnet_ids = module.vpc.private_subnets
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
index 6588c129..799bd7bc 100644
--- a/examples/complete/variables.tf
+++ b/examples/complete/variables.tf
@@ -11,16 +11,6 @@ variable "region2" {
 type = string
 }
-variable "account" {
- description = "The AWS account to deploy into"
- type = string
-}
-
-variable "aws_profile" {
- description = "The AWS profile to use for deployment"
- type = string
-}
-
 variable "aws_admin_usernames" {
 description = "A list of one or more AWS usernames with authorized access to KMS and EKS resources"
 type = list(string)
diff --git a/go.mod b/go.mod
index 2d5e6324..5861e0eb 100644
--- a/go.mod
+++ b/go.mod
@@ -1,3 +1,86 @@
 module github.com/defenseunicorns/iac
 go 1.19
+
+require github.com/gruntwork-io/terratest v0.41.11
+
+require (
+ cloud.google.com/go v0.83.0 // indirect
+ cloud.google.com/go/storage v1.10.0 // indirect
+ github.com/agext/levenshtein v1.2.3 // indirect
+ github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
+ github.com/aws/aws-sdk-go v1.40.56 // indirect
+ github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
+ github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
+ github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect
+ github.com/davecgh/go-spew v1.1.1 // indirect
+ github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c // indirect
+ github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0 // indirect
+ github.com/go-logr/logr v0.2.0 // indirect
+ github.com/go-sql-driver/mysql v1.4.1 // indirect
+ github.com/gogo/protobuf v1.3.2 // indirect
+ github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect
+ github.com/golang/protobuf v1.5.2 // indirect
+ github.com/golang/snappy v0.0.3 // indirect
+ github.com/google/gofuzz v1.1.0 // indirect
+ github.com/google/uuid v1.2.0 // indirect
+ github.com/googleapis/gax-go/v2 v2.0.5 // indirect
+ github.com/googleapis/gnostic v0.4.1 // indirect
+ github.com/gruntwork-io/go-commons v0.8.0 // indirect
+ github.com/hashicorp/errwrap v1.0.0 // indirect
+ github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+ github.com/hashicorp/go-getter v1.6.1 // indirect
+ github.com/hashicorp/go-multierror v1.1.0 // indirect
+ github.com/hashicorp/go-safetemp v1.0.0 // indirect
+ github.com/hashicorp/go-version v1.3.0 // indirect
+ github.com/hashicorp/hcl/v2 v2.9.1 // indirect
+ github.com/hashicorp/terraform-json v0.13.0 // indirect
+ github.com/imdario/mergo v0.3.11 // indirect
+ github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a // indirect
+ github.com/jmespath/go-jmespath v0.4.0 // indirect
+ github.com/json-iterator/go
v1.1.11 // indirect
+ github.com/jstemmer/go-junit-report v0.9.1 // indirect
+ github.com/klauspost/compress v1.13.0 // indirect
+ github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326 // indirect
+ github.com/mitchellh/go-homedir v1.1.0 // indirect
+ github.com/mitchellh/go-testing-interface v1.0.0 // indirect
+ github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+ github.com/modern-go/reflect2 v1.0.1 // indirect
+ github.com/pmezard/go-difflib v1.0.0 // indirect
+ github.com/pquerna/otp v1.2.0 // indirect
+ github.com/russross/blackfriday/v2 v2.1.0 // indirect
+ github.com/spf13/pflag v1.0.5 // indirect
+ github.com/stretchr/testify v1.7.0 // indirect
+ github.com/tmccombs/hcl2json v0.3.3 // indirect
+ github.com/ulikunitz/xz v0.5.8 // indirect
+ github.com/urfave/cli v1.22.2 // indirect
+ github.com/zclconf/go-cty v1.9.1 // indirect
+ go.opencensus.io v0.23.0 // indirect
+ golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a // indirect
+ golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
+ golang.org/x/mod v0.4.2 // indirect
+ golang.org/x/net v0.0.0-20210614182718-04defd469f4e // indirect
+ golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c // indirect
+ golang.org/x/sys v0.0.0-20220517195934-5e4e11fc645e // indirect
+ golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 // indirect
+ golang.org/x/text v0.3.6 // indirect
+ golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e // indirect
+ golang.org/x/tools v0.1.2 // indirect
+ golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+ google.golang.org/api v0.47.0 // indirect
+ google.golang.org/appengine v1.6.7 // indirect
+ google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c // indirect
+ google.golang.org/grpc v1.38.0 // indirect
+ google.golang.org/protobuf v1.26.0 // indirect
+ gopkg.in/inf.v0 v0.9.1 // indirect
+ gopkg.in/yaml.v2 v2.4.0 // indirect
+ gopkg.in/yaml.v3
v3.0.0-20210107192922-496545a6307b // indirect
+ k8s.io/api v0.20.6 // indirect
+ k8s.io/apimachinery v0.20.6 // indirect
+ k8s.io/client-go v0.20.6 // indirect
+ k8s.io/klog/v2 v2.4.0 // indirect
+ k8s.io/utils v0.0.0-20201110183641-67b214c5f920 // indirect
+ sigs.k8s.io/structured-merge-diff/v4 v4.0.3 // indirect
+ sigs.k8s.io/yaml v1.2.0 // indirect
+)
diff --git a/go.sum b/go.sum
new file mode 100644
index 00000000..b1f41fa0
--- /dev/null
+++ b/go.sum
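Review bot: Several of the pinned transitive versions in this `require` block date from 2020–2021 — e.g. `golang.org/x/text v0.3.6`, `golang.org/x/net v0.0.0-20210614182718-04defd469f4e`, `golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a`, `gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b` and `github.com/hashicorp/go-getter v1.6.1` — and each of those modules has shipped security fixes after the pinned revision. They appear to be pulled in by `github.com/gruntwork-io/terratest v0.41.11` and exercised only by the e2e tests, but that test harness is exactly where the AWS credentials are, so it is worth running `govulncheck ./...` once and bumping what it reports before this lands. Pinning the direct dependency is fine as written; the `// indirect` lines are what `go mod tidy` produces and will move when terratest itself is updated.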
@@ -0,0 +1,758 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= +cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= +cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= +cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= +cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= +cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= +cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= +cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= +cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= +cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= +cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= +cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= +cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= +cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= +cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= +cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg= +cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8= +cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0= +cloud.google.com/go v0.83.0 h1:bAMqZidYkmIsUqe6PtkEPT7Q+vfizScn+jfNA6jwK9c= +cloud.google.com/go v0.83.0/go.mod h1:Z7MJUsANfY0pYPdw0lbnivPx4/vhy/e2FEkSkF7vAVY= +cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= +cloud.google.com/go/bigquery v1.3.0/go.mod 
h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= +cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= +cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= +cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= +cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= +cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= +cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= +cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= +cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= +cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= +cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= +cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= +cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= +cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= +cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= +cloud.google.com/go/storage v1.10.0 h1:STgFzyU5/8miMl0//zKh2aQeTyeaUH3WN9bSUiJ09bA= +cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= +dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= +github.com/Azure/go-autorest/autorest v0.11.1/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw= +github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg= +github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod 
h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A= +github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= +github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= +github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= +github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= +github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= +github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= +github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= +github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= +github.com/apparentlymart/go-dump v0.0.0-20180507223929-23540a00eaa3/go.mod h1:oL81AME2rN47vu18xqj1S1jPIPuN7afo62yKTNn3XMM= +github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk= +github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw= +github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= +github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= +github.com/aws/aws-sdk-go v1.15.78/go.mod 
h1:E3/ieXAlvM0XWO57iftYVDLLvQ824smPP3ATZkfNZeM= +github.com/aws/aws-sdk-go v1.40.56 h1:FM2yjR0UUYFzDTMx+mH9Vyw1k1EUUxsAFzk+BjkzANA= +github.com/aws/aws-sdk-go v1.40.56/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q= +github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d h1:xDfNPAt8lFiC1UJrqV3uuy861HCTo708pDMbjHHdCas= +github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d/go.mod h1:6QX/PXZ00z/TKoufEY6K/a0k6AhaJrQKdFe6OfVXsa4= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI= +github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/cheggaaa/pb v1.0.27/go.mod h1:pQciLPpbU0oxA0h+VJYYLxO+XeDQb5pZijXscXHm81s= +github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= +github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= +github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= +github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/cpuguy83/go-md2man/v2 v2.0.0 h1:EoUDS0afbrsXAZ9YQ9jdu/mZ2sXgT1/2yyNng4PGlyM= +github.com/cpuguy83/go-md2man/v2 
v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= +github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c h1:ZfSZ3P3BedhKGUhzj7BQlPSU4OvT6tfOKe3DVHzOA7s= +github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= +github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= +github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= +github.com/elazarl/goproxy v0.0.0-20190911111923-ecfe977594f1 h1:yY9rWGoXv1U5pl4gxqlULARMQD7x0QG85lqEXTWysik= +github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= +github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= +github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod 
h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= +github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= +github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0 h1:skJKxRtNmevLqnayafdLe2AsenqRupVmzZSqrvb5caU= +github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= +github.com/go-logr/logr v0.2.0 h1:QvGt2nLcHH0WK9orKa+ppBPAxREcH364nPUedEpK0TY= +github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= +github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= +github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= 
+github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= +github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= +github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= +github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA= +github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= +github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= +github.com/go-test/deep v1.0.7 h1:/VSMRlnY/JSyqxQUzQLKVMAskpY/NZKFA5j2P+0pP2M= +github.com/go-test/deep v1.0.7/go.mod h1:QV8Hv/iy04NyLBxAdO9njL0iVPN1S4d/A3NVv1V36o8= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e h1:1r7pUrabqp18hOBcwBwiTsbnFeTZHV9eER/QT5JVZxY= +github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= +github.com/golang/mock v1.4.0/go.mod 
h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= +github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= +github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= +github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.1/go.mod 
h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM= +github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= +github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/snappy v0.0.3 h1:fHPg5GQYlCeLIPB9BZqMVR5nR9A+IM5zcgeTdjMYmLA= +github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= +github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 
+github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no= +github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= +github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= +github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= +github.com/google/martian/v3 v3.2.1 h1:d8MncMlErDFTwQGBK1xhv026j9kqhvw1Qv9IbWT1VLQ= +github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= +github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/renameio v0.1.0/go.mod 
h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.2.0 h1:qJYtXnJRWmpe7m/3XlyhrsLrEURqHRM2kxzoxXqyUDs= +github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= +github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+Tv3SM= +github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= +github.com/googleapis/gnostic v0.4.1 h1:DLJCy1n/vrD4HPjOvYcT8aYQXpPIzoRZONaYwyycI+I= +github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg= +github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/gruntwork-io/go-commons v0.8.0 h1:k/yypwrPqSeYHevLlEDmvmgQzcyTwrlZGRaxEM6G0ro= +github.com/gruntwork-io/go-commons v0.8.0/go.mod h1:gtp0yTtIBExIZp7vyIV9I0XQkVwiQZze678hvDXof78= +github.com/gruntwork-io/terratest v0.41.11 h1:EAHiK6PFWJCVkgW2yUompjSsZQzA0CfBcuqIaXtZdpk= +github.com/gruntwork-io/terratest v0.41.11/go.mod h1:qH1xkPTTGx30XkMHw8jAVIbzqheSjIa5IyiTwSV2vKI= +github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= +github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= +github.com/hashicorp/go-getter v1.6.1 h1:NASsgP4q6tL94WH6nJxKWj8As2H/2kop/bB1d8JMyRY= +github.com/hashicorp/go-getter v1.6.1/go.mod h1:IZCrswsZPeWv9IkVnLElzRU/gz/QPi6pZHn4tv6vbwA= +github.com/hashicorp/go-multierror v1.1.0 h1:B9UzwGQJehnUY1yNrnwREHc3fGbC2xefo8g4TbElacI= 
+github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= +github.com/hashicorp/go-safetemp v1.0.0 h1:2HR189eFNrjHQyENnQMMpCiBAsRxzbTMIgBhEyExpmo= +github.com/hashicorp/go-safetemp v1.0.0/go.mod h1:oaerMy3BhqiTbVye6QuFhFtIceqFoDHxNAB65b+Rj1I= +github.com/hashicorp/go-version v1.1.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/go-version v1.3.0 h1:McDWVJIU/y+u1BRV06dPaLfLCaT7fUTJLp5r04x7iNw= +github.com/hashicorp/go-version v1.3.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/hcl/v2 v2.9.1 h1:eOy4gREY0/ZQHNItlfuEZqtcQbXIxzojlP301hDpnac= +github.com/hashicorp/hcl/v2 v2.9.1/go.mod h1:FwWsfWEjyV/CMj8s/gqAuiviY72rJ1/oayI9WftqcKg= +github.com/hashicorp/terraform-json v0.13.0 h1:Li9L+lKD1FO5RVFRM1mMMIBDoUHslOniyEi5CM+FWGY= +github.com/hashicorp/terraform-json v0.13.0/go.mod h1:y5OdLBCT+rxbwnpxZs9kGL7R9ExU76+cpdY8zHwoazk= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/imdario/mergo v0.3.11 h1:3tnifQM4i+fbajXKBHXWEH+KvNHqojZ778UH75j3bGA= +github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= +github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a h1:zPPuIq2jAWWPTrGt70eK/BSch+gFAGrNzecsoENgu2o= +github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a/go.mod h1:yL958EeXv8Ylng6IfnvG4oflryUi3vgA3xPs9hmII1s= +github.com/jmespath/go-jmespath 
v0.0.0-20160202185014-0b12d6b521d8/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= +github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= +github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= +github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.11 h1:uVUAXhF2To8cbw/3xN3pxj6kk7TYKs98NIrTqPlMWAQ= +github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= +github.com/jstemmer/go-junit-report v0.9.1 h1:6QPYqodiu3GuPL+7mfx+NwDdp2eTkp9IfEUpgAwUN0o= +github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/compress v1.11.2/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= +github.com/klauspost/compress v1.13.0 h1:2T7tUoQrQT+fQWdaY5rjWztFGAFwbGD04iPJg90ZiOs= +github.com/klauspost/compress v1.13.0/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI= 
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= +github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= +github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= +github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= +github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= +github.com/mattn/go-zglob v0.0.1/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= +github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326 h1:ofNAzWCcyTALn2Zv40+8XitdzCgXY6e9qvXwN9W0YXg= +github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= +github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= 
+github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-testing-interface v1.0.0 h1:fzU/JVNcaqHQEcVFAKeR41fkiLdIPrefOvVG1VZ96U0= +github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= +github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= +github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= +github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= 
+github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= +github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pquerna/otp v1.2.0 h1:/A3+Jn+cagqayeR3iHs/L62m5ue7710D35zl1zJ1kok= +github.com/pquerna/otp v1.2.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= +github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/sebdah/goldie v1.0.0/go.mod h1:jXP4hmWywNEwZzhMuv2ccnqTSFpuq8iyQhtQdkkZBH4= +github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= +github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= +github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= 
+github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/tmccombs/hcl2json v0.3.3 h1:+DLNYqpWE0CsOQiEZu+OZm5ZBImake3wtITYxQ8uLFQ= +github.com/tmccombs/hcl2json v0.3.3/go.mod h1:Y2chtz2x9bAeRTvSibVRVgbLJhLJXKlUeIvjeVdnm4w= +github.com/ulikunitz/xz v0.5.8 h1:ERv8V6GKqVi23rgu5cj9pVfVzJbOqAY2Ntl88O6c2nQ= +github.com/ulikunitz/xz v0.5.8/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= +github.com/urfave/cli v1.22.2 h1:gsqYFH8bb9ekPA12kRo0hfjngWQjkJPlN9R0N78BoUo= +github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk= +github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4= +github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI= +github.com/yuin/goldmark v1.1.25/go.mod 
h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8= +github.com/zclconf/go-cty v1.8.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk= +github.com/zclconf/go-cty v1.8.1/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk= +github.com/zclconf/go-cty v1.9.1 h1:viqrgQwFl5UpSxc046qblj78wZXVDFnSOufaOTER+cc= +github.com/zclconf/go-cty v1.9.1/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk= +github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRKQfBXbGkpdV6QMzT3rU1kSTAnfu1dO8dPKjYprgj8= +go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= +go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= +go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= +go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M= +go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod 
h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a h1:kr2P4QFmQr29mSLA43kwrOcgcReGTfbE9N577tCTuBc= +golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= +golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= +golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= +golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= +golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= +golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod 
h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= +golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 h1:VLliZ0d+/avPrXXH+OakdXhpJuEoBZuwh1m2j7U6Iug= +golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= +golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= +golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= +golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod 
v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.2 h1:Gz96sIWK3OalVv/I/qNygP42zyoKp3xptRVCWRFEBvo= +golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net 
v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod 
h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= +golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= +golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20210614182718-04defd469f4e h1:XpT3nA5TvE525Ne3hInMh6+GETgn27Zfm9dxsThnX2Q= +golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod 
h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c h1:pkQiBZBvdos9qq4wBAHqlzuZHEXo07pqV06ef90u1WI= +golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502175342-a43fa875dd82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
+golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys 
v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220517195934-5e4e11fc645e h1:w36l2Uw3dRan1K3TyXriXvY+6T56GNmlKGcqiQUJDfM= +golang.org/x/sys v0.0.0-20220517195934-5e4e11fc645e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M= +golang.org/x/text v0.3.6/go.mod 
h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e h1:EHBhcS0mlXEAVwNyO2dLfjToGsyY4j24pTs2ScHnX7s= +golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod 
h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod 
h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= +golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= +golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= +golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= +golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= 
+golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.2 h1:kRBLX7v7Af8W7Gdbbc908OJcdgtK8bOz9Uaj8/F1ACA= +golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= +google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= +google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= +google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= 
+google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= +google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= +google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= +google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= +google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= +google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= +google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94= +google.golang.org/api v0.47.0 h1:sQLWZQvP6jPGIP4JGPkJu4zHswrv81iobiyszr3b/0I= +google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= +google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= +google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto 
v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= +google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= +google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 
+google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= +google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod 
h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= +google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= +google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c h1:wtujag7C+4D6KMoulW9YauvK2lgdvCMS260jsqqBXr0= +google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= +google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= +google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= +google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= +google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= +google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= +google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= 
+google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/grpc v1.37.1/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/grpc v1.38.0 h1:/9BgsAsa5nWe26HqOlvlgJnqBuktYOLCgjCPqsa56W0= +google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= +google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= +google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0 h1:bxAC2xTBsZGibn2RTntX0oH50xLsqy1OxA9tTL3p/lk= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 
v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/cheggaaa/pb.v1 v1.0.27/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= +gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo= +gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod 
h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= +honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +k8s.io/api v0.20.6 h1:bgdZrW++LqgrLikWYNruIKAtltXbSCX2l5mJu11hrVE= +k8s.io/api v0.20.6/go.mod h1:X9e8Qag6JV/bL5G6bU8sdVRltWKmdHsFUGS3eVndqE8= +k8s.io/apimachinery v0.20.6 h1:R5p3SlhaABYShQSO6LpPsYHjV05Q+79eBUR0Ut/f4tk= +k8s.io/apimachinery v0.20.6/go.mod h1:ejZXtW1Ra6V1O5H8xPBGz+T3+4gfkTCeExAHKU57MAc= +k8s.io/client-go v0.20.6 h1:nJZOfolnsVtDtbGJNCxzOtKUAu7zvXjB8+pMo9UNxZo= +k8s.io/client-go v0.20.6/go.mod h1:nNQMnOvEUEsOzRRFIIkdmYOjAZrC8bgq0ExboWSU1I0= +k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= +k8s.io/klog/v2 v2.4.0 h1:7+X0fUguPyrKEC4WjH8iGDg3laWgMo5tMnRTIGTTxGQ= +k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= +k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM= +k8s.io/utils v0.0.0-20201110183641-67b214c5f920 h1:CbnUZsM497iRC5QMVkHwyl8s2tB3g7yaSHkYPkpgelw= +k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= +rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= +rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= +sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= +sigs.k8s.io/structured-merge-diff/v4 v4.0.3 h1:4oyYo8NREp49LBBhKxEqCulFjg26rawYKrnCmg+Sr6c= +sigs.k8s.io/structured-merge-diff/v4 v4.0.3/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= +sigs.k8s.io/yaml v1.1.0/go.mod 
h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
+sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
+sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
diff --git a/test/e2e/dummy_test.go b/test/e2e/dummy_test.go
deleted file mode 100644
index f8607d2a..00000000
--- a/test/e2e/dummy_test.go
+++ /dev/null
@@ -1,8 +0,0 @@
-package test_test
-
-import "testing"
-
-func TestDummy(t *testing.T) {
- t.Parallel()
- t.Log("This is a dummy test that should always pass.")
-}
diff --git a/test/e2e/examples_complete_insecure_test.go b/test/e2e/examples_complete_insecure_test.go
new file mode 100644
index 00000000..52a72849
--- /dev/null
+++ b/test/e2e/examples_complete_insecure_test.go
@@ -0,0 +1,36 @@
+package test_test
+
+import (
+ "github.com/gruntwork-io/terratest/modules/terraform"
+ teststructure "github.com/gruntwork-io/terratest/modules/test-structure"
+ "testing"
+)
+
+func TestExamplesCompleteInsecure(t *testing.T) {
+ t.Parallel()
+ tempFolder := teststructure.CopyTerraformFolderToTemp(t, "../..", "examples/complete")
+ terraformOptions := &terraform.Options{
+ TerraformDir: tempFolder,
+ Upgrade: true,
+ VarFiles: []string{
+ "fixtures.common.tfvars",
+ "fixtures.insecure.tfvars",
+ },
+ }
+ defer teardown(t, terraformOptions)
+ setup(t, terraformOptions)
+}
+
+func setup(t *testing.T, terraformOptions *terraform.Options) {
+ t.Helper()
+ teststructure.RunTestStage(t, "SETUP", func() {
+ terraform.InitAndApply(t, terraformOptions)
+ })
+}
+
+func teardown(t *testing.T, terraformOptions *terraform.Options) {
+ t.Helper()
+ teststructure.RunTestStage(t, "TEARDOWN", func() {
+ terraform.Destroy(t, terraformOptions)
+ })
+}
From 98d4476dda587672646ed6a352aa6fd62e24ecc0 Mon Sep 17 00:00:00 2001
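Review bot: TestExamplesCompleteInsecure only proves that apply and destroy succeed; nothing runs between `setup` and the deferred `teardown` that inspects the deployed result, so a regression in what `fixtures.insecure.tfvars` configures would still pass. A `teststructure.RunTestStage(t, "VALIDATE", ...)` step that reads `terraform.Output(t, terraformOptions, "<output name>")` and asserts on it would make the test meaningful; which outputs to check depends on examples/complete, which is outside this hunk. As a point of style, `"testing"` sits after the third-party modules in the import block, whereas gofmt/goimports convention groups the standard library first.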
From: Andy Roth Date: Mon, 6 Mar 2023 11:28:53 -0800 Subject: [PATCH 69/88] wip
---
examples/complete/fixtures.common.tfvars | 16 +++++----- examples/complete/main.tf | 38 +++++++++++++++++++----- examples/complete/variables.tf | 6 ++-- 3 files changed, 42 insertions(+), 18 deletions(-)
diff --git a/examples/complete/fixtures.common.tfvars b/examples/complete/fixtures.common.tfvars
index 51b6a959..acabc239 100644
--- a/examples/complete/fixtures.common.tfvars
+++ b/examples/complete/fixtures.common.tfvars
@@ -1,22 +1,22 @@
 ###########################################################
 ################## Global Settings ########################
-region = "us-east-2" # target AWS region
-region2 = "us-east-1" # RDS backup target AWS region
-aws_admin_usernames = ["John.Smith"] # list of users to be added to the AWS admin group
+region = "us-east-1" # target AWS region
+region2 = "us-east-2" # RDS backup target AWS region
+aws_admin_usernames = ["Andy"] # list of users to be added to the AWS admin group
 ###########################################################
 #################### VPC Config ###########################
-vpc_cidr = "10.200.0.0/16"
-vpc_name = "my-vpc"
+vpc_cidr = "10.200.0.0/16"
+vpc_name_prefix = "ex-complete-vpc"
 # vpc_instance_tenancy = "dedicated" #does not currently work with EKS
 ###########################################################
 ################## Bastion Config #########################
-bastion_name = "my-bastion"
+bastion_name_prefix = "ex-complete-bastion"
 bastion_ami_id = "ami-04afd6ecf73c0a579" # AWS linux 2 CIS STIG // "ami-000d4884381edb14c" # AWS linux 2
 bastion_ssh_user = "ec2-user" # local user in bastion used to ssh
 bastion_ssh_password = "my-password"
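Review bot: `aws_admin_usernames = ["Andy"]` puts a personal IAM username into a shared fixture that every run of the example applies, so that one identity is added to the AWS admin group wherever this tfvars file is used. A fixture should carry an obvious placeholder, e.g. `aws_admin_usernames = ["<admin-username>"]`, with the real value supplied per run through `-var` or the `TF_VAR_aws_admin_usernames` environment variable. The same hunk keeps `bastion_ssh_password = "my-password"` as an unchanged context line; it predates this commit, but a password committed in a fixture is worth addressing together with the username change.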
@@ -25,8 +25,8 @@ zarf_version = "v0.24.0-rc4" ########################################################### #################### EKS Config ########################### -cluster_name = "my-eks" -eks_k8s_version = "1.23" +cluster_name_prefix = "ex-complete-eks" +eks_k8s_version = "1.23" ########################################################### ############## Big Bang Dependencies ###################### diff --git a/examples/complete/main.tf b/examples/complete/main.tf index d2fb550f..078cb200 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -13,6 +13,30 @@ data "aws_ami" "amazonlinux2eks" { owners = ["amazon"] } +resource "random_id" "vpc_name" { + byte_length = 4 + prefix = var.vpc_name_prefix + keepers = { + prefix = var.vpc_name_prefix + } +} + +resource "random_id" "cluster_name" { + byte_length = 4 + prefix = var.cluster_name_prefix + keepers = { + prefix = var.cluster_name_prefix + } +} + +resource "random_id" "bastion_name" { + byte_length = 4 + prefix = var.bastion_name_prefix + keepers = { + prefix = var.bastion_name_prefix + } +} + locals { account = data.aws_caller_identity.current.account_id @@ -319,7 +343,7 @@ module "vpc" { source = "../../modules/vpc" region = var.region - name = var.vpc_name + name = random_id.vpc_name.keepers.prefix vpc_cidr = var.vpc_cidr azs = ["${var.region}a", "${var.region}b", "${var.region}c"] public_subnets = [for k, v in module.vpc.azs : cidrsubnet(module.vpc.vpc_cidr_block, 5, k)] @@ -329,8 +353,8 @@ module "vpc" { enable_nat_gateway = true private_subnet_tags = { - "kubernetes.io/cluster/${var.cluster_name}" = "shared" - "kubernetes.io/role/internal-elb" = 1 + "kubernetes.io/cluster/${random_id.cluster_name.keepers.prefix}" = "shared" + "kubernetes.io/role/internal-elb" = 1 } create_database_subnet_group = true create_database_subnet_route_table = true 
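Review bot: `name = random_id.vpc_name.keepers.prefix` on the changed line of the `module "vpc"` hunk evaluates to `var.vpc_name_prefix` itself, so no random suffix reaches the VPC name and the three `random_id` resources added in the first hunk have no effect on any name. The generated value is `random_id.vpc_name.hex` (the prefix is already prepended to it), which patch 71 later moves into `local.vpc_name`. The same `keepers.prefix` indirection appears in the `private_subnet_tags` hunk, in the bastion and eks hunks on the next line, and in the keycloak identifier and provider `exec` args of patch 70.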
@@ -352,12 +376,12 @@ module "bastion" { volume_size = "20" encrypted = true } - name = var.bastion_name + name = random_id.bastion_name.keepers.prefix vpc_id = module.vpc.vpc_id subnet_id = module.vpc.private_subnets[0] aws_region = var.region - access_log_bucket_name = "${var.bastion_name}-access-logs" - bucket_name = "${var.bastion_name}-session-logs" + access_log_bucket_name = "${random_id.bastion_name.keepers.prefix}-access-logs" + bucket_name = "${random_id.bastion_name.keepers.prefix}-session-logs" ssh_user = var.bastion_ssh_user ssh_password = var.bastion_ssh_password assign_public_ip = false # var.assign_public_ip @@ -377,7 +401,7 @@ module "eks" { # source = "git::https://github.com/defenseunicorns/iac.git//modules/eks?ref=v" source = "../../modules/eks" - name = var.cluster_name + name = random_id.cluster_name.keepers.prefix aws_region = var.region aws_account = local.account vpc_id = module.vpc.vpc_id diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index 799bd7bc..f0d0d604 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -24,7 +24,7 @@ variable "vpc_cidr" { type = string } -variable "vpc_name" { +variable "vpc_name_prefix" { description = "The name to use for the VPC" type = string default = "my-vpc" @@ -45,7 +45,7 @@ variable "create_database_subnet_route_table" { ########################################################### #################### EKS Config ########################### -variable "cluster_name" { +variable "cluster_name_prefix" { description = "The name to use for the EKS cluster" type = string default = "my-eks" @@ -71,7 +71,7 @@ variable "enable_managed_nodegroups" { ########################################################### ################## Bastion Config ######################### -variable "bastion_name" { +variable "bastion_name_prefix" { description = "The name to use for the bastion" type = string default = "my-bastion" 
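Review bot: The three renamed variables in the variables.tf hunks keep descriptions ("The name to use for the VPC", …) and defaults (`"my-vpc"`, `"my-eks"`, `"my-bastion"`) written for a full name, while the value is now only a prefix that `random_id` extends as-is, without inserting a separator, so the defaults would produce `my-vpc<hex>`. Suggest `description = "Prefix for the VPC name; a random suffix is appended verbatim, so end it with '-'"` (and likewise for the cluster and bastion) with defaults ending in `-`, matching the trailing-hyphen values patch 74 later puts in fixtures.common.tfvars. The bastion hunk ends at `default = "my-bastion"`; the block's closing brace is outside it.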
From 3a87b45cebbeaa31ace341466af45092035e7006 Mon Sep 17 00:00:00 2001 From: Andy Roth Date: Mon, 6 Mar 2023 11:38:54 -0800 Subject: [PATCH 70/88] wip --- examples/complete/bigbang-dependencies.tf | 2 +- examples/complete/providers.tf | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/examples/complete/bigbang-dependencies.tf b/examples/complete/bigbang-dependencies.tf index cf066d28..7534d418 100644 --- a/examples/complete/bigbang-dependencies.tf +++ b/examples/complete/bigbang-dependencies.tf @@ -69,7 +69,7 @@ module "rds_postgres_keycloak" { family = var.kc_db_family major_engine_version = var.kc_db_major_engine_version instance_class = var.kc_db_instance_class - identifier = "${var.cluster_name}-keycloak" + identifier = "${random_id.cluster_name.keepers.prefix}-keycloak" db_name = "keycloak" # Can only be alphanumeric, no hyphens or underscores username = "kcadmin" create_random_password = false diff --git a/examples/complete/providers.tf b/examples/complete/providers.tf index 89fb9ef4..32efe7a4 100644 --- a/examples/complete/providers.tf +++ b/examples/complete/providers.tf @@ -21,7 +21,7 @@ provider "kubernetes" { cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data) exec { api_version = "client.authentication.k8s.io/v1" - args = ["eks", "get-token", "--cluster-name", var.cluster_name] + args = ["eks", "get-token", "--cluster-name", random_id.cluster_name.keepers.prefix] command = "aws" } } @@ -32,7 +32,7 @@ provider "helm" { cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data) exec { api_version = "client.authentication.k8s.io/v1" - args = ["eks", "get-token", "--cluster-name", var.cluster_name] + args = ["eks", "get-token", "--cluster-name", random_id.cluster_name.keepers.prefix] command = "aws" } } From dc09757018fc89f12631446e6154d74b0e48189f Mon Sep 17 00:00:00 2001 
From: Andy Roth Date: Mon, 6 Mar 2023 11:57:23 -0800 Subject: [PATCH 71/88] wip --- examples/complete/bigbang-dependencies.tf | 2 +- examples/complete/main.tf | 27 +++++++++-------------- examples/complete/providers.tf | 4 ++-- 3 files changed, 14 insertions(+), 19 deletions(-) diff --git a/examples/complete/bigbang-dependencies.tf b/examples/complete/bigbang-dependencies.tf index 7534d418..025a675a 100644 --- a/examples/complete/bigbang-dependencies.tf +++ b/examples/complete/bigbang-dependencies.tf @@ -69,7 +69,7 @@ module "rds_postgres_keycloak" { family = var.kc_db_family major_engine_version = var.kc_db_major_engine_version instance_class = var.kc_db_instance_class - identifier = "${random_id.cluster_name.keepers.prefix}-keycloak" + identifier = "${local.cluster_name}-keycloak" db_name = "keycloak" # Can only be alphanumeric, no hyphens or underscores username = "kcadmin" create_random_password = false diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 078cb200..1c906228 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -16,28 +16,23 @@ data "aws_ami" "amazonlinux2eks" { resource "random_id" "vpc_name" { byte_length = 4 prefix = var.vpc_name_prefix - keepers = { - prefix = var.vpc_name_prefix - } } resource "random_id" "cluster_name" { byte_length = 4 prefix = var.cluster_name_prefix - keepers = { - prefix = var.cluster_name_prefix - } } resource "random_id" "bastion_name" { byte_length = 4 prefix = var.bastion_name_prefix - keepers = { - prefix = var.bastion_name_prefix - } } locals { + vpc_name = lower(random_id.vpc_name.hex) + cluster_name = lower(random_id.cluster_name.hex) + bastion_name = lower(random_id.bastion_name.hex) + account = data.aws_caller_identity.current.account_id tags = { 
@@ -343,7 +338,7 @@ module "vpc" { source = "../../modules/vpc" region = var.region - name = random_id.vpc_name.keepers.prefix + name = local.vpc_name vpc_cidr = var.vpc_cidr azs = ["${var.region}a", "${var.region}b", "${var.region}c"] public_subnets = [for k, v in module.vpc.azs : cidrsubnet(module.vpc.vpc_cidr_block, 5, k)] @@ -353,8 +348,8 @@ module "vpc" { enable_nat_gateway = true private_subnet_tags = { - "kubernetes.io/cluster/${random_id.cluster_name.keepers.prefix}" = "shared" - "kubernetes.io/role/internal-elb" = 1 + "kubernetes.io/cluster/${local.cluster_name}" = "shared" + "kubernetes.io/role/internal-elb" = 1 } create_database_subnet_group = true create_database_subnet_route_table = true @@ -376,12 +371,12 @@ module "bastion" { volume_size = "20" encrypted = true } - name = random_id.bastion_name.keepers.prefix + name = local.bastion_name vpc_id = module.vpc.vpc_id subnet_id = module.vpc.private_subnets[0] aws_region = var.region - access_log_bucket_name = "${random_id.bastion_name.keepers.prefix}-access-logs" - bucket_name = "${random_id.bastion_name.keepers.prefix}-session-logs" + access_log_bucket_name = "${local.bastion_name}-access-logs" + bucket_name = "${local.bastion_name}-session-logs" ssh_user = var.bastion_ssh_user ssh_password = var.bastion_ssh_password assign_public_ip = false # var.assign_public_ip @@ -401,7 +396,7 @@ module "eks" { # source = "git::https://github.com/defenseunicorns/iac.git//modules/eks?ref=v" source = "../../modules/eks" - name = random_id.cluster_name.keepers.prefix + name = local.cluster_name aws_region = var.region aws_account = local.account vpc_id = module.vpc.vpc_id diff --git a/examples/complete/providers.tf b/examples/complete/providers.tf index 32efe7a4..5b614ca8 100644 --- a/examples/complete/providers.tf +++ b/examples/complete/providers.tf 
@@ -21,7 +21,7 @@ provider "kubernetes" { cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data) exec { api_version = "client.authentication.k8s.io/v1" - args = ["eks", "get-token", "--cluster-name", random_id.cluster_name.keepers.prefix] + args = ["eks", "get-token", "--cluster-name", local.cluster_name] command = "aws" } } @@ -32,7 +32,7 @@ provider "helm" { cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data) exec { api_version = "client.authentication.k8s.io/v1" - args = ["eks", "get-token", "--cluster-name", random_id.cluster_name.keepers.prefix] + args = ["eks", "get-token", "--cluster-name", local.cluster_name] command = "aws" } } From 7a26cd23c7ce13d11b171abd4ae6c8f49bdd46d2 Mon Sep 17 00:00:00 2001 From: Andy Roth Date: Mon, 6 Mar 2023 12:43:24 -0800 Subject: [PATCH 72/88] wip --- .tool-versions | 1 + Makefile | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.tool-versions b/.tool-versions index 40508305..5d00232a 100644 --- a/.tool-versions +++ b/.tool-versions @@ -1,4 +1,5 @@ adr-tools 3.0.0 +awscli 2.11.0 checkov 2.3.3 golang 1.19.5 golangci-lint 1.50.1 diff --git a/Makefile b/Makefile index 5028ee23..acd1cfb3 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ # The version of the build harness container to use BUILD_HARNESS_REPO := ghcr.io/defenseunicorns/not-a-build-harness/not-a-build-harness -BUILD_HARNESS_VERSION := 0.0.7 +BUILD_HARNESS_VERSION := 0.0.8 .DEFAULT_GOAL := help From 37195170918fd1be0101bff4ee23153f6c42c8a0 Mon Sep 17 00:00:00 2001 From: Andy Roth Date: Mon, 6 Mar 2023 13:19:28 -0800 Subject: [PATCH 73/88] wip --- modules/bastion/README.md | 2 +- modules/bastion/iam.tf | 6 +++--- modules/bastion/locals.tf | 4 +++- modules/bastion/variables.tf | 1 - 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/modules/bastion/README.md b/modules/bastion/README.md index 74196f56..74f02d60 100644 --- a/modules/bastion/README.md 
+++ b/modules/bastion/README.md @@ -122,7 +122,7 @@ No modules. | [log\_archive\_days](#input\_log\_archive\_days) | Number of days to wait before archiving to Glacier | `number` | `30` | no | | [log\_expire\_days](#input\_log\_expire\_days) | Number of days to wait before deleting | `number` | `365` | no | | [logging](#input\_logging) | Map containing access bucket logging configuration. | `map(string)` | `{}` | no | -| [name](#input\_name) | Name of Bastion | `string` | `""` | no | +| [name](#input\_name) | Name of Bastion | `string` | n/a | yes | | [permissions\_boundary](#input\_permissions\_boundary) | (Optional) The ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no | | [policy\_arns](#input\_policy\_arns) | List of IAM policy ARNs to attach to the instance profile | `list(string)` | `[]` | no | | [policy\_content](#input\_policy\_content) | Policy body. Use this to add a custom policy to your instance profile (Optional) | `string` | `""` | no | diff --git a/modules/bastion/iam.tf b/modules/bastion/iam.tf index 0b4b4edf..7a486bbc 100644 --- a/modules/bastion/iam.tf +++ b/modules/bastion/iam.tf @@ -143,7 +143,7 @@ resource "aws_iam_role_policy_attachment" "bastion-ssm-ec2-access-policy-attach" # Create custom policy and attachment resource "aws_iam_policy" "custom" { - count = local.role_name == "" || var.policy_content == "" ? 0 : 1 + count = local.add_custom_policy_to_role ? 1 : 0 name = "${local.role_name}-policy" path = "/" description = "Custom policy for EC2 instance" @@ -152,7 +152,7 @@ resource "aws_iam_policy" "custom" { } resource "aws_iam_role_policy_attachment" "custom" { - count = local.role_name == "" || var.policy_content == "" ? 0 : 1 + count = local.add_custom_policy_to_role ? 1 : 0 role = aws_iam_role.bastion_ssm_role.name policy_arn = aws_iam_policy.custom[0].arn } 
@@ -160,7 +160,7 @@ resource "aws_iam_role_policy_attachment" "custom" { # Additional policy attachments if needed resource "aws_iam_role_policy_attachment" "managed" { - count = local.role_name == "" ? 0 : length(var.policy_arns) + count = length(var.policy_arns) role = aws_iam_role.bastion_ssm_role.name policy_arn = var.policy_arns[count.index] } diff --git a/modules/bastion/locals.tf b/modules/bastion/locals.tf index 380bdd4a..1f5aba38 100644 --- a/modules/bastion/locals.tf +++ b/modules/bastion/locals.tf @@ -1,5 +1,7 @@ locals { - role_name = "${var.name}-role" + role_name = "${var.name}-role" + add_custom_policy_to_role = var.policy_content != null && var.policy_content != "" + bucket_prefix = var.name # ssh access diff --git a/modules/bastion/variables.tf b/modules/bastion/variables.tf index 91a05256..4e47a67f 100644 --- a/modules/bastion/variables.tf +++ b/modules/bastion/variables.tf @@ -20,7 +20,6 @@ variable "vpc_id" { variable "name" { type = string description = "Name of Bastion" - default = "" } variable "instance_type" { From b068ba963c707fb6d829ef0deb3cbaad88da0378 Mon Sep 17 00:00:00 2001 From: Andy Roth Date: Mon, 6 Mar 2023 15:27:50 -0800 Subject: [PATCH 74/88] wip --- examples/complete/fixtures.common.tfvars | 6 +++--- examples/complete/main.tf | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/examples/complete/fixtures.common.tfvars b/examples/complete/fixtures.common.tfvars index acabc239..204e1a6d 100644 --- a/examples/complete/fixtures.common.tfvars +++ b/examples/complete/fixtures.common.tfvars 
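Review bot: `count = length(var.policy_arns)` with `policy_arn = var.policy_arns[count.index]` keys the managed attachments by list position, so removing or reordering one ARN detaches and re-attaches every policy after it on the next apply. `for_each = toset(var.policy_arns)` with `policy_arn = each.value` keys them by ARN and avoids that churn, with the usual caveat that `for_each` keys must be known at plan time, so it only suits callers passing literal ARNs or ARNs of already-applied resources. Dropping the `local.role_name == ""` guard here and in the two `custom` hunks on the previous line is consistent with `name` losing its default in the variables.tf hunk below, since `local.role_name` can no longer collapse to just `-role`.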
@@ -10,13 +10,13 @@ aws_admin_usernames = ["Andy"] # list of users to be added to the AWS admin g #################### VPC Config ########################### vpc_cidr = "10.200.0.0/16" -vpc_name_prefix = "ex-complete-vpc" +vpc_name_prefix = "ex-vpc-" # vpc_instance_tenancy = "dedicated" #does not currently work with EKS ########################################################### ################## Bastion Config ######################### -bastion_name_prefix = "ex-complete-bastion" +bastion_name_prefix = "ex-bastion-" bastion_ami_id = "ami-04afd6ecf73c0a579" # AWS linux 2 CIS STIG // "ami-000d4884381edb14c" # AWS linux 2 bastion_ssh_user = "ec2-user" # local user in bastion used to ssh bastion_ssh_password = "my-password" @@ -25,7 +25,7 @@ zarf_version = "v0.24.0-rc4" ########################################################### #################### EKS Config ########################### -cluster_name_prefix = "ex-complete-eks" +cluster_name_prefix = "ex-eks-" eks_k8s_version = "1.23" ########################################################### diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 1c906228..a819e16f 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -14,17 +14,17 @@ data "aws_ami" "amazonlinux2eks" { } resource "random_id" "vpc_name" { - byte_length = 4 + byte_length = 2 prefix = var.vpc_name_prefix } resource "random_id" "cluster_name" { - byte_length = 4 + byte_length = 2 prefix = var.cluster_name_prefix } resource "random_id" "bastion_name" { - byte_length = 4 + byte_length = 2 prefix = var.bastion_name_prefix } From 18f42ea2effc753178d4711ab81e05d1fb597c63 Mon Sep 17 00:00:00 2001 
From: Andy Roth Date: Mon, 6 Mar 2023 16:28:31 -0800 Subject: [PATCH 75/88] wip --- examples/complete/bigbang-dependencies.tf | 8 ++++---- examples/complete/fixtures.common.tfvars | 9 +++++---- examples/complete/main.tf | 12 +++++++++--- examples/complete/variables.tf | 22 ++++++++++++++++++++++ 4 files changed, 40 insertions(+), 11 deletions(-) diff --git a/examples/complete/bigbang-dependencies.tf b/examples/complete/bigbang-dependencies.tf index 025a675a..ee92c60a 100644 --- a/examples/complete/bigbang-dependencies.tf +++ b/examples/complete/bigbang-dependencies.tf @@ -32,10 +32,10 @@ module "loki_s3_bucket" { region = var.region cluster_name = module.eks.eks_cluster_id - policy_name_prefix = "loki-s3-policy" - bucket_prefix = "loki-s3" - kms_key_alias = "loki-s3" - kubernetes_service_account = "logging-loki-s3-sa" + policy_name_prefix = "${local.loki_s3_bucket_name}-policy" + bucket_prefix = local.loki_s3_bucket_name + kms_key_alias = local.loki_s3_bucket_name + kubernetes_service_account = "logging-${local.loki_s3_bucket_name}-sa" kubernetes_namespace = "logging" irsa_iam_role_name = "${module.eks.eks_cluster_id}-logging-loki-sa-role" eks_oidc_provider_arn = module.eks.eks_oidc_provider_arn diff --git a/examples/complete/fixtures.common.tfvars b/examples/complete/fixtures.common.tfvars index 204e1a6d..397963b5 100644 --- a/examples/complete/fixtures.common.tfvars +++ b/examples/complete/fixtures.common.tfvars 
@@ -10,13 +10,13 @@ aws_admin_usernames = ["Andy"] # list of users to be added to the AWS admin g #################### VPC Config ########################### vpc_cidr = "10.200.0.0/16" -vpc_name_prefix = "ex-vpc-" +vpc_name_prefix = "ex-complete0000-vpc-" # vpc_instance_tenancy = "dedicated" #does not currently work with EKS ########################################################### ################## Bastion Config ######################### -bastion_name_prefix = "ex-bastion-" +bastion_name_prefix = "ex-complete-bastion-" bastion_ami_id = "ami-04afd6ecf73c0a579" # AWS linux 2 CIS STIG // "ami-000d4884381edb14c" # AWS linux 2 bastion_ssh_user = "ec2-user" # local user in bastion used to ssh bastion_ssh_password = "my-password" @@ -25,13 +25,14 @@ zarf_version = "v0.24.0-rc4" ########################################################### #################### EKS Config ########################### -cluster_name_prefix = "ex-eks-" +cluster_name_prefix = "ex-complete0000-eks-" eks_k8s_version = "1.23" ########################################################### ############## Big Bang Dependencies ###################### -keycloak_enabled = true +keycloak_enabled = true +loki_s3_bucket_prefix = "ex-complete-loki-s3-" # other_addon_enabled = true diff --git a/examples/complete/main.tf b/examples/complete/main.tf index a819e16f..44449ea3 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
@@ -28,10 +28,16 @@ resource "random_id" "bastion_name" { prefix = var.bastion_name_prefix } +resource "random_id" "loki_s3_bucket" { + byte_length = 2 + prefix = var.loki_s3_bucket_prefix +} + locals { - vpc_name = lower(random_id.vpc_name.hex) - cluster_name = lower(random_id.cluster_name.hex) - bastion_name = lower(random_id.bastion_name.hex) + vpc_name = lower(random_id.vpc_name.hex) + cluster_name = lower(random_id.cluster_name.hex) + bastion_name = lower(random_id.bastion_name.hex) + loki_s3_bucket_name = lower(random_id.loki_s3_bucket.hex) account = data.aws_caller_identity.current.account_id diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index f0d0d604..905ba869 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -28,6 +28,10 @@ variable "vpc_name_prefix" { description = "The name to use for the VPC" type = string default = "my-vpc" + validation { + condition = length(var.vpc_name_prefix) <= 20 + error_message = "The VPC name prefix cannot be more than 20 characters" + } } variable "create_database_subnet_group" { @@ -49,6 +53,10 @@ variable "cluster_name_prefix" { description = "The name to use for the EKS cluster" type = string default = "my-eks" + validation { + condition = length(var.cluster_name_prefix) <= 20 + error_message = "The EKS cluster name prefix cannot be more than 20 characters" + } } variable "eks_k8s_version" { @@ -75,6 +83,10 @@ variable "bastion_name_prefix" { description = "The name to use for the bastion" type = string default = "my-bastion" + validation { + condition = length(var.bastion_name_prefix) <= 20 + error_message = "The Bastion name prefix cannot be more than 20 characters" + } } variable "bastion_instance_type" { 
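Review bot: The three new `validation` blocks bound only the prefix length; since `random_id` prepends the prefix as-is and the result feeds EKS, VPC and S3-derived names, an underscore or space in `cluster_name_prefix` passes validation and may fail only at apply against the cluster or bucket naming rules (uppercase is silently folded by the `lower()` in main.tf). A charset term such as `condition = length(var.cluster_name_prefix) <= 20 && can(regex("^[a-z0-9-]+$", var.cluster_name_prefix))` catches that at plan time. The `error_message` values also lack terminal punctuation, unlike the `"…37 characters."` messages patch 76 adds to the bastion module; some older Terraform releases rejected messages that were not full sentences, so ending them with a period keeps the example portable. The same applies to the `loki_s3_bucket_prefix` hunk on the next line.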
@@ -115,6 +127,16 @@ variable "keycloak_enabled" { default = false } +variable "loki_s3_bucket_prefix" { + description = "The name to use for the S3 bucket for Loki" + type = string + default = "loki-s3" + validation { + condition = length(var.loki_s3_bucket_prefix) <= 20 + error_message = "The Loki S3 bucket prefix cannot be more than 20 characters" + } +} + #################### Keycloak ########################### variable "keycloak_db_password" { From 841ed36e1367c8522efa9cda68a5c7e694baccc7 Mon Sep 17 00:00:00 2001 From: Andy Roth Date: Tue, 7 Mar 2023 11:56:04 -0800 Subject: [PATCH 76/88] wip --- examples/complete/bigbang-dependencies.tf | 9 +++-- examples/complete/fixtures.common.tfvars | 7 ++-- examples/complete/main.tf | 41 ++++++++++------------- examples/complete/variables.tf | 10 ------ modules/bastion/README.md | 4 +-- modules/bastion/s3-buckets.tf | 4 +-- modules/bastion/variables.tf | 12 +++++-- modules/s3-irsa/README.md | 3 +- modules/s3-irsa/main.tf | 10 +++--- modules/s3-irsa/variables.tf | 25 +++++++------- 10 files changed, 58 insertions(+), 67 deletions(-) diff --git a/examples/complete/bigbang-dependencies.tf b/examples/complete/bigbang-dependencies.tf index ee92c60a..44f83147 100644 --- a/examples/complete/bigbang-dependencies.tf +++ b/examples/complete/bigbang-dependencies.tf 
@@ -30,12 +30,11 @@ module "loki_s3_bucket" { # source = "git::https://github.com/defenseunicorns/iac.git//modules/s3-irsa?ref=v" source = "../../modules/s3-irsa" + name_prefix = local.loki_s3_bucket_name_prefix region = var.region - cluster_name = module.eks.eks_cluster_id - policy_name_prefix = "${local.loki_s3_bucket_name}-policy" - bucket_prefix = local.loki_s3_bucket_name - kms_key_alias = local.loki_s3_bucket_name - kubernetes_service_account = "logging-${local.loki_s3_bucket_name}-sa" + policy_name_prefix = "${local.loki_s3_bucket_name_prefix}-policy" + kms_key_alias = local.loki_s3_bucket_name_prefix + kubernetes_service_account = "logging-${local.loki_s3_bucket_name_prefix}-sa" kubernetes_namespace = "logging" irsa_iam_role_name = "${module.eks.eks_cluster_id}-logging-loki-sa-role" eks_oidc_provider_arn = module.eks.eks_oidc_provider_arn diff --git a/examples/complete/fixtures.common.tfvars b/examples/complete/fixtures.common.tfvars index 397963b5..d39f56bc 100644 --- a/examples/complete/fixtures.common.tfvars +++ b/examples/complete/fixtures.common.tfvars @@ -10,7 +10,7 @@ aws_admin_usernames = ["Andy"] # list of users to be added to the AWS admin g #################### VPC Config ########################### vpc_cidr = "10.200.0.0/16" -vpc_name_prefix = "ex-complete0000-vpc-" +vpc_name_prefix = "ex-complete-vpc-" # vpc_instance_tenancy = "dedicated" #does not currently work with EKS ########################################################### 
@@ -25,14 +25,13 @@ zarf_version = "v0.24.0-rc4" ########################################################### #################### EKS Config ########################### -cluster_name_prefix = "ex-complete0000-eks-" +cluster_name_prefix = "ex-complete-eks-" eks_k8s_version = "1.23" ########################################################### ############## Big Bang Dependencies ###################### -keycloak_enabled = true -loki_s3_bucket_prefix = "ex-complete-loki-s3-" +keycloak_enabled = true # other_addon_enabled = true diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 44449ea3..bcf8a3c9 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -28,16 +28,11 @@ resource "random_id" "bastion_name" { prefix = var.bastion_name_prefix } -resource "random_id" "loki_s3_bucket" { - byte_length = 2 - prefix = var.loki_s3_bucket_prefix -} - locals { - vpc_name = lower(random_id.vpc_name.hex) - cluster_name = lower(random_id.cluster_name.hex) - bastion_name = lower(random_id.bastion_name.hex) - loki_s3_bucket_name = lower(random_id.loki_s3_bucket.hex) + vpc_name = lower(random_id.vpc_name.hex) + cluster_name = lower(random_id.cluster_name.hex) + bastion_name = lower(random_id.bastion_name.hex) + loki_s3_bucket_name_prefix = "${lower(random_id.cluster_name.hex)}-loki-s3" account = data.aws_caller_identity.current.account_id 
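Review bot: `loki_s3_bucket_name_prefix = "${lower(random_id.cluster_name.hex)}-loki-s3"` recomputes the value that `cluster_name` holds on the line above; locals may reference each other within the block, so `loki_s3_bucket_name_prefix = "${local.cluster_name}-loki-s3"` states the intent (bucket prefix derived from the cluster name) and keeps a single definition of the cluster name. With the 20-character cap on `cluster_name_prefix`, a 4-hex suffix and the 8-character `-loki-s3` tail, the value tops out at 32 characters; a short comment saying so is worth adding here, since nothing visible in s3-irsa checks the bucket-prefix length the way the bastion module now does.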
@@ -377,20 +372,20 @@ module "bastion" { volume_size = "20" encrypted = true } - name = local.bastion_name - vpc_id = module.vpc.vpc_id - subnet_id = module.vpc.private_subnets[0] - aws_region = var.region - access_log_bucket_name = "${local.bastion_name}-access-logs" - bucket_name = "${local.bastion_name}-session-logs" - ssh_user = var.bastion_ssh_user - ssh_password = var.bastion_ssh_password - assign_public_ip = false # var.assign_public_ip - enable_log_to_s3 = true - enable_log_to_cloudwatch = true - vpc_endpoints_enabled = true - tenancy = var.bastion_tenancy - zarf_version = var.zarf_version + name = local.bastion_name + vpc_id = module.vpc.vpc_id + subnet_id = module.vpc.private_subnets[0] + aws_region = var.region + access_log_bucket_name_prefix = "${local.bastion_name}-accesslogs" + session_log_bucket_name_prefix = "${local.bastion_name}-sessionlogs" + ssh_user = var.bastion_ssh_user + ssh_password = var.bastion_ssh_password + assign_public_ip = false # var.assign_public_ip + enable_log_to_s3 = true + enable_log_to_cloudwatch = true + vpc_endpoints_enabled = true + tenancy = var.bastion_tenancy + zarf_version = var.zarf_version tags = { Function = "bastion-ssm" } diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index 905ba869..891985ab 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -127,16 +127,6 @@ variable "keycloak_enabled" { default = false } -variable "loki_s3_bucket_prefix" { - description = "The name to use for the S3 bucket for Loki" - type = string - default = "loki-s3" - validation { - condition = length(var.loki_s3_bucket_prefix) <= 20 - error_message = "The Loki S3 bucket prefix cannot be more than 20 characters" - } -} - #################### Keycloak ########################### variable "keycloak_db_password" { diff --git a/modules/bastion/README.md b/modules/bastion/README.md index 74f02d60..ff892285 100644 --- a/modules/bastion/README.md +++ b/modules/bastion/README.md 
@@ -89,7 +89,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [access\_log\_bucket\_name](#input\_access\_log\_bucket\_name) | Name prefix of S3 bucket to store access logs from session logs bucket | `string` | n/a | yes | +| [access\_log\_bucket\_name\_prefix](#input\_access\_log\_bucket\_name\_prefix) | Name prefix of S3 bucket to store access logs from session logs bucket | `string` | n/a | yes | | [access\_log\_expire\_days](#input\_access\_log\_expire\_days) | Number of days to wait before deleting access logs | `number` | `30` | no | | [acl](#input\_acl) | The canned ACL to apply. Defaults to 'private' | `string` | `"private"` | no | | [add\_sops\_policy](#input\_add\_sops\_policy) | value of the policy arn for the cluster sops policy | `bool` | `false` | no | @@ -101,7 +101,6 @@ No modules. | [ami\_virtualization\_type](#input\_ami\_virtualization\_type) | Filter for AMI using this virtualization type | `string` | `""` | no | | [assign\_public\_ip](#input\_assign\_public\_ip) | Determines if an instance gets a public IP assigned at launch time | `bool` | `false` | no | | [aws\_region](#input\_aws\_region) | AWS Region | `string` | n/a | yes | -| [bucket\_name](#input\_bucket\_name) | Name prefix of S3 bucket to store session logs | `string` | n/a | yes | | [bucket\_public\_access\_block](#input\_bucket\_public\_access\_block) | Toggle to optionally block public s3 access. Defaults to true | `bool` | `true` | no | | [cloudwatch\_log\_group\_name](#input\_cloudwatch\_log\_group\_name) | Name of the CloudWatch Log Group for storing SSM Session Logs | `string` | `"/ssm/session-logs"` | no | | [cloudwatch\_logs\_retention](#input\_cloudwatch\_logs\_retention) | Number of days to retain Session Logs in CloudWatch | `number` | `30` | no | 
@@ -130,6 +129,7 @@ No modules. | [role\_name](#input\_role\_name) | Name to give IAM role created for instance profile | `string` | `""` | no | | [root\_volume\_config](#input\_root\_volume\_config) | n/a |
object({
volume_type = any
volume_size = any
})
|
{
"volume_size": "20",
"volume_type": "gp3"
}
| no | | [security\_group\_ids](#input\_security\_group\_ids) | List of security groups to associate with instance | `list(any)` | `[]` | no | +| [session\_log\_bucket\_name\_prefix](#input\_session\_log\_bucket\_name\_prefix) | Name prefix of S3 bucket to store session logs | `string` | n/a | yes | | [ssh\_password](#input\_ssh\_password) | Password for SSH access if SSM authentication is enabled | `string` | n/a | yes | | [ssh\_public\_key\_names](#input\_ssh\_public\_key\_names) | n/a | `list(string)` |
[
"user1",
"user2",
"admin"
]
| no | | [ssh\_user](#input\_ssh\_user) | n/a | `string` | `"ubuntu"` | no | diff --git a/modules/bastion/s3-buckets.tf b/modules/bastion/s3-buckets.tf index e0e949a9..a765b437 100644 --- a/modules/bastion/s3-buckets.tf +++ b/modules/bastion/s3-buckets.tf @@ -4,7 +4,7 @@ # Create S3 bucket for access logs with versioning, encryption, blocked public acess enabled resource "aws_s3_bucket" "access_log_bucket" { # checkov:skip=CKV_AWS_144: Cross region replication is overkill - bucket_prefix = "${var.access_log_bucket_name}-" + bucket_prefix = "${var.access_log_bucket_name_prefix}-" force_destroy = true tags = var.tags @@ -76,7 +76,7 @@ resource "aws_s3_bucket_notification" "access_log_bucket_notification" { # Create S3 bucket for session logs with versioning, encryption, blocked public acess enabled resource "aws_s3_bucket" "session_logs_bucket" { # checkov:skip=CKV_AWS_144: Cross region replication overkill - bucket_prefix = "${var.bucket_name}-" + bucket_prefix = "${var.session_log_bucket_name_prefix}-" force_destroy = true tags = var.tags diff --git a/modules/bastion/variables.tf b/modules/bastion/variables.tf index 4e47a67f..c3d0f0da 100644 --- a/modules/bastion/variables.tf +++ b/modules/bastion/variables.tf @@ -146,9 +146,13 @@ variable "permissions_boundary" { #### S3 Bucket -variable "bucket_name" { +variable "session_log_bucket_name_prefix" { description = "Name prefix of S3 bucket to store session logs" type = string + validation { + condition = length(var.session_log_bucket_name_prefix) <= 37 + error_message = "Bucket name prefixes may not be longer than 37 characters." + } } variable "log_archive_days" { 
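Review bot: The new validation admits a 37-character `session_log_bucket_name_prefix`, but the s3-buckets.tf hunk on this line passes `bucket_prefix = "${var.session_log_bucket_name_prefix}-"`, one character longer; if the AWS provider's documented 37-character cap on `aws_s3_bucket.bucket_prefix` (it appends a 26-character suffix to stay within 63) applies, a 37-character value passes validation and is then rejected at plan. Use `condition = length(var.session_log_bucket_name_prefix) <= 36` and `error_message = "Bucket name prefixes may not be longer than 36 characters (a '-' and a 26-character suffix are appended)."`; the `access_log_bucket_name_prefix` hunk on the next line has the same off-by-one. A `can(regex("^[a-z0-9.-]+$", …))` term would also reject uppercase, which bucket names do not allow.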
@@ -163,9 +167,13 @@ variable "log_expire_days" { default = 365 } -variable "access_log_bucket_name" { +variable "access_log_bucket_name_prefix" { description = "Name prefix of S3 bucket to store access logs from session logs bucket" type = string + validation { + condition = length(var.access_log_bucket_name_prefix) <= 37 + error_message = "Bucket name prefixes may not be longer than 37 characters." + } } variable "access_log_expire_days" { diff --git a/modules/s3-irsa/README.md b/modules/s3-irsa/README.md index db9b3dde..7a1e1be5 100644 --- a/modules/s3-irsa/README.md +++ b/modules/s3-irsa/README.md @@ -46,8 +46,6 @@ To view examples for how you can leverage this S3-IRSA Module, please see the [e | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [bucket\_prefix](#input\_bucket\_prefix) | Prefix for the S3 bucket | `string` | `"bigbang"` | no | -| [cluster\_name](#input\_cluster\_name) | Name of the cluster | `string` | `""` | no | | [dynamodb\_enabled](#input\_dynamodb\_enabled) | Is dynamoDB enabled | `bool` | `false` | no | | [eks\_oidc\_provider\_arn](#input\_eks\_oidc\_provider\_arn) | EKS OIDC Provider ARN e.g., arn:aws:iam:::oidc-provider/ | `string` | n/a | yes | | [irsa\_iam\_permissions\_boundary](#input\_irsa\_iam\_permissions\_boundary) | IAM permissions boundary for IRSA roles | `string` | `""` | no | 
@@ -58,6 +56,7 @@ To view examples for how you can leverage this S3-IRSA Module, please see the [e | [kubernetes\_namespace](#input\_kubernetes\_namespace) | Kubernetes namespace for IRSA | `string` | `"default"` | no | | [kubernetes\_service\_account](#input\_kubernetes\_service\_account) | Kubernetes service account for IRSA | `string` | `"default"` | no | | [name\_dynamodb](#input\_name\_dynamodb) | Name of DynamoDB table | `string` | `""` | no | +| [name\_prefix](#input\_name\_prefix) | Name prefix for all resources that use a randomized suffix | `string` | n/a | yes | | [policy\_name\_prefix](#input\_policy\_name\_prefix) | IAM Policy name prefix | `string` | `"irsa-policy"` | no | | [region](#input\_region) | AWS Region | `string` | `""` | no | | [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit`,`XYZ`) | `map(string)` | `{}` | no | diff --git a/modules/s3-irsa/main.tf b/modules/s3-irsa/main.tf index 32b618ce..63dabf53 100644 --- a/modules/s3-irsa/main.tf +++ b/modules/s3-irsa/main.tf @@ -13,7 +13,7 @@ module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "v3.6.0" - bucket_prefix = "${var.cluster_name}-${var.bucket_prefix}" + bucket_prefix = var.name_prefix block_public_acls = true block_public_policy = true ignore_public_acls = true 
@@ -74,14 +74,14 @@ data "aws_iam_policy_document" "irsa_policy" { resource "aws_iam_policy" "irsa_policy" { description = "IAM Policy for IRSA" - name_prefix = "${var.cluster_name}-${var.policy_name_prefix}" + name_prefix = "${var.name_prefix}-${var.policy_name_prefix}" policy = data.aws_iam_policy_document.irsa_policy.json } resource "aws_iam_role" "irsa" { count = var.irsa_iam_policies != null ? 1 : 0 - name = try(coalesce(var.irsa_iam_role_name, format("%s-%s-%s", var.cluster_name, trim(var.kubernetes_service_account, "-*"), "irsa")), null) + name = try(coalesce(var.irsa_iam_role_name, format("%s-%s-%s", var.name_prefix, trim(var.kubernetes_service_account, "-*"), "irsa")), null) description = "AWS IAM Role for the Kubernetes service account ${var.kubernetes_service_account}." assume_role_policy = jsonencode({ "Version" : "2012-10-17", @@ -121,7 +121,7 @@ resource "aws_iam_role_policy_attachment" "irsa" { resource "aws_dynamodb_table" "loki_dynamodb" { count = var.dynamodb_enabled != null ? 1 : 0 - name = "${var.cluster_name}-dynamodb_index" + name = "${var.name_prefix}-dynamodb_index" hash_key = "Log_id" billing_mode = "PAY_PER_REQUEST" @@ -167,7 +167,7 @@ data "aws_iam_policy_document" "dynamo_irsa_policy" { resource "aws_iam_policy" "dynamodb_irsa_policy" { # count = var.dynamodb_enabled != null ? 1 : 0 - name = "${var.cluster_name}-dynmodb_irsa_policy" + name = "${var.name_prefix}-dynmodb_irsa_policy" description = "DynamoDB IAM policy" policy = data.aws_iam_policy_document.dynamo_irsa_policy.json } diff --git a/modules/s3-irsa/variables.tf b/modules/s3-irsa/variables.tf index bd277151..fdfb5196 100644 --- a/modules/s3-irsa/variables.tf +++ b/modules/s3-irsa/variables.tf 
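Review bot: The rewritten role name in the first hunk, `format("%s-%s-%s", var.name_prefix, trim(var.kubernetes_service_account, "-*"), "irsa")`, is not bounded by the new 37-character validation on `name_prefix`: with the prefix at its limit plus the two separators and `irsa`, a service account name longer than roughly 21 characters pushes the role name past IAM's 64-character maximum, which only surfaces at apply time. Truncating, `substr(format("%s-%s-%s", var.name_prefix, trim(var.kubernetes_service_account, "-*"), "irsa"), 0, 64)`, or documenting the combined limit on `kubernetes_service_account` would make the failure visible at plan time. The `name_prefix`-based names in the other two hunks (`-dynamodb_index`, `-dynmodb_irsa_policy`) stay well within their services' limits; `assume_role_policy` continues past the hunk.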
@@ -1,13 +1,17 @@ variable "region" { description = "AWS Region" type = string - default = "" + // TODO: Evaluate whether "" is ever a valid value for this variable. Does this need to be a required variable with a validation that checks against a list of known regions? + default = "" } -variable "cluster_name" { - description = "Name of the cluster" +variable "name_prefix" { + description = "Name prefix for all resources that use a randomized suffix" type = string - default = "" + validation { + condition = length(var.name_prefix) <= 37 + error_message = "Name Prefix may not be longer than 37 characters." + } } variable "irsa_iam_policies" { @@ -57,28 +61,25 @@ variable "kubernetes_service_account" { default = "default" } +// TODO: Evaluate whether we need this to be a variable variable "policy_name_prefix" { description = "IAM Policy name prefix" type = string default = "irsa-policy" } -variable "bucket_prefix" { - description = "Prefix for the S3 bucket" - type = string - default = "bigbang" -} - variable "kms_key_alias" { description = "KMS key alias" type = string - default = "" + // TODO: Evaluate whether "" is ever a valid value for this variable. + default = "" } variable "name_dynamodb" { description = "Name of DynamoDB table" type = string - default = "" + // TODO: Evaluate whether "" is ever a valid value for this variable. + default = "" } variable "dynamodb_enabled" { From a3ae040e1295d682bd6ed5f309b7ff70f58ea1e8 Mon Sep 17 00:00:00 2001 From: Andy Roth Date: Tue, 7 Mar 2023 12:23:56 -0800 Subject: [PATCH 77/88] wip --- .gitignore | 3 --- examples/complete/fixtures.common.tfvars | 3 +-- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 45abd0ad..8f6c1b90 100644 --- a/.gitignore +++ b/.gitignore @@ -6,9 +6,6 @@ .terraform/ *.terraform.* -# except .terraform.lock.hcl -!.terraform.lock.hcl - # .tfstate files *.tfstate *.tfstate.* 
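Review bot: The `name_prefix` validation in the first hunk only bounds length, yet the value goes unchanged into the S3 module's `bucket_prefix` (main.tf hunk on the previous line), where uppercase letters, underscores or a leading hyphen are rejected by S3 bucket naming rules at apply time. A second validation block, `condition = can(regex("^[a-z0-9][a-z0-9-]*$", var.name_prefix))` with a matching `error_message`, would reject such values at plan time; S3 is the most restrictive consumer, so a prefix that passes it is also valid for the IAM and DynamoDB names built from it. The `// TODO` comments on the `""` defaults are useful, but for `region` an empty string is never a valid region, so `default = ""` could simply be dropped to make it required.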
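Review bot: Removing the `!.terraform.lock.hcl` exception in the .gitignore hunk means the `*.terraform.*` pattern now ignores the dependency lock file, so provider versions and their hashes are no longer recorded in the repository and each `terraform init` resolves the version constraints to whatever is newest at the time. The lock file is what turns open-ended constraints (such as the `>=` bounds added to providers.tf later on this page) into a reproducible, integrity-checked provider set, so dropping it is a supply-chain decision rather than housekeeping. If keeping the examples unpinned is deliberate, say so in a comment next to the pattern, e.g. `# lock files are intentionally not committed for the examples`; otherwise keep the exception.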
diff --git a/examples/complete/fixtures.common.tfvars b/examples/complete/fixtures.common.tfvars index d39f56bc..a4450ffe 100644 --- a/examples/complete/fixtures.common.tfvars +++ b/examples/complete/fixtures.common.tfvars @@ -17,8 +17,7 @@ vpc_name_prefix = "ex-complete-vpc-" ################## Bastion Config ######################### bastion_name_prefix = "ex-complete-bastion-" -bastion_ami_id = "ami-04afd6ecf73c0a579" # AWS linux 2 CIS STIG // "ami-000d4884381edb14c" # AWS linux 2 -bastion_ssh_user = "ec2-user" # local user in bastion used to ssh +bastion_ssh_user = "ec2-user" # local user in bastion used to ssh bastion_ssh_password = "my-password" zarf_version = "v0.24.0-rc4" From a0953efe82c05ed9ee48b170e84271ba97b01fe2 Mon Sep 17 00:00:00 2001 From: Andy Roth Date: Tue, 7 Mar 2023 15:07:16 -0800 Subject: [PATCH 78/88] wip --- examples/complete/main.tf | 13 ++++++++++++- examples/complete/variables.tf | 5 ----- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index bcf8a3c9..9763f039 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -361,11 +361,22 @@ module "vpc" { ########################################################### ##################### Bastion ############################# +data "aws_ami" "amazonlinux2" { + most_recent = true + + filter { + name = "name" + values = ["amzn2-ami-hvm*x86_64-gp2"] + } + + owners = ["amazon"] +} + module "bastion" { # source = "git::https://github.com/defenseunicorns/iac.git//modules/bastion?ref=v" source = "../../modules/bastion" - ami_id = var.bastion_ami_id + ami_id = data.aws_ami.amazonlinux2.id instance_type = var.bastion_instance_type root_volume_config = { volume_type = "gp3" diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index 891985ab..4d217f1d 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf 
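Review bot: Replacing `ami_id = var.bastion_ami_id` with `ami_id = data.aws_ami.amazonlinux2.id` in the main.tf hunk removes the only way for this example to run the bastion on a hardened image, and the fixtures hunk on this same line shows it was previously pinned to a CIS/STIG AMI; keeping the variable and writing `ami_id = coalesce(var.bastion_ami_id, data.aws_ami.amazonlinux2.id)` would preserve that override while still defaulting to the lookup. A `most_recent = true` lookup with the wildcard `amzn2-ami-hvm*x86_64-gp2` filter also returns a new ID whenever Amazon publishes an AL2 image, so the bastion is replaced on the next apply unless the module ignores changes to `ami_id`; a comment on the data source stating that this is intended would help. The `module "bastion"` block continues past the hunk.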
@@ -101,11 +101,6 @@ variable "assign_public_ip" { default = false } -variable "bastion_ami_id" { - description = "(Optional) The AMI ID to use for the bastion, will query the latest Amazon Linux 2 AMI if not provided" - type = string - default = "" -} variable "bastion_ssh_user" { description = "The SSH user to use for the bastion" type = string From 0dda03864440d13095055fd2d7d81d2e8e755e73 Mon Sep 17 00:00:00 2001 From: Andy Roth Date: Mon, 13 Mar 2023 08:42:21 -0700 Subject: [PATCH 79/88] wip --- modules/bastion/s3-buckets.tf | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/modules/bastion/s3-buckets.tf b/modules/bastion/s3-buckets.tf index 7732b933..02ef5efe 100644 --- a/modules/bastion/s3-buckets.tf +++ b/modules/bastion/s3-buckets.tf @@ -5,8 +5,6 @@ resource "aws_s3_bucket" "access_log_bucket" { # checkov:skip=CKV_AWS_144: Cross region replication is overkill bucket_prefix = "${var.access_log_bucket_name_prefix}-" - - bucket = var.access_log_bucket_name force_destroy = true tags = var.tags } @@ -26,7 +24,7 @@ data "aws_iam_policy_document" "cloudwatch-policy" { ] resources = [ - "arn:aws:s3:::${var.access_log_bucket_name}", + "arn:aws:s3:::${aws_s3_bucket.access_log_bucket.id}", ] condition { @@ -53,7 +51,7 @@ data "aws_iam_policy_document" "cloudwatch-policy" { ] resources = [ - "arn:aws:s3:::${var.access_log_bucket_name}/*", + "arn:aws:s3:::${aws_s3_bucket.access_log_bucket.id}/*", ] condition { From 7721af9129b34b9d5d23b19ab73121a23ac1b6cb Mon Sep 17 00:00:00 2001 From: Andy Roth Date: Mon, 13 Mar 2023 10:16:02 -0700 Subject: [PATCH 80/88] wip --- Makefile | 14 ++++- examples/complete-managed-nodegroup/main.tf | 28 +++++----- .../complete-self-managed-nodegroup/main.tf | 28 +++++----- examples/complete/README.md | 56 +++++++++++++++++++ modules/bastion/logging.tf | 2 +- 5 files changed, 96 insertions(+), 32 deletions(-) create mode 100644 examples/complete/README.md diff --git a/Makefile b/Makefile index acd1cfb3..f7facc15 100644 
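Review bot: The new `"arn:aws:s3:::${aws_s3_bucket.access_log_bucket.id}"` and `.../*` entries in the two `resources` lists of the s3-buckets.tf hunks hard-code the `aws` partition, so the CloudTrail bucket policy points at a non-existent ARN in the GovCloud and China partitions. The bucket resource already exposes a partition-aware ARN, so `aws_s3_bucket.access_log_bucket.arn` and `"${aws_s3_bucket.access_log_bucket.arn}/*"` say the same thing portably. The policy document continues outside the hunks.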
--- a/Makefile +++ b/Makefile 
@@ -24,13 +24,21 @@ help: ## Show a list of all targets | sed -n 's/^\(.*\): \(.*\)##\(.*\)/\1:\3/p' \ | column -t -s ":" -.PHONY: test -test: ## Run all automated tests. Requires access to an AWS account. Costs real money. +.PHONY: _test-all +_test-all: mkdir -p .cache/go mkdir -p .cache/go-build mkdir -p .cache/tmp echo "Running automated tests. This will take several minutes. At times it does not log anything to the console. If you interrupt the test run you will need to log into AWS console and manually delete any orphaned infrastructure." - docker run $(TTY_ARG) --rm -v "${PWD}:/app" -v "${PWD}/.cache/tmp:/tmp" -v "${PWD}/.cache/go:/root/go" -v "${PWD}/.cache/go-build:/root/.cache/go-build" --workdir "/app/test/e2e" -e GOPATH=/root/go -e GOCACHE=/root/.cache/go-build -e REPO_URL -e GIT_BRANCH -e AWS_REGION -e AWS_DEFAULT_REGION -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e AWS_SECURITY_TOKEN -e AWS_SESSION_EXPIRATION -e SKIP_SETUP -e SKIP_TEST -e SKIP_TEARDOWN $(BUILD_HARNESS_REPO):$(BUILD_HARNESS_VERSION) bash -c 'asdf install && go test -v -timeout 2h ./...' + docker run $(TTY_ARG) --rm -v "${PWD}:/app" -v "${PWD}/.cache/tmp:/tmp" -v "${PWD}/.cache/go:/root/go" -v "${PWD}/.cache/go-build:/root/.cache/go-build" --workdir "/app/test/e2e" -e GOPATH=/root/go -e GOCACHE=/root/.cache/go-build -e REPO_URL -e GIT_BRANCH -e AWS_REGION -e AWS_DEFAULT_REGION -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e AWS_SECURITY_TOKEN -e AWS_SESSION_EXPIRATION -e SKIP_SETUP -e SKIP_TEST -e SKIP_TEARDOWN $(BUILD_HARNESS_REPO):$(BUILD_HARNESS_VERSION) bash -c 'asdf install && go test -v $(EXTRA_TEST_ARGS) ./...' + +.PHONY: test +test: ## Run all automated tests. Requires access to an AWS account. Costs real money. + $(MAKE) _test-all EXTRA_TEST_ARGS="-timeout 2h" + +.PHONY: test-complete-insecure +test-complete-insecure: ## Run one test (TestExamplesCompleteInsecure). Requires access to an AWS account. Costs real money. 
+ $(MAKE) _test-all EXTRA_TEST_ARGS="-timeout 2h -run TestExamplesCompleteInsecure" .PHONY: docker-save-build-harness docker-save-build-harness: ## Pulls the build harness docker image and saves it to a tarball diff --git a/examples/complete-managed-nodegroup/main.tf b/examples/complete-managed-nodegroup/main.tf index aaf6a8bf..6abb24d4 100644 --- a/examples/complete-managed-nodegroup/main.tf +++ b/examples/complete-managed-nodegroup/main.tf @@ -66,20 +66,20 @@ module "bastion" { volume_size = "20" encrypted = true } - name = var.bastion_name - vpc_id = module.vpc.vpc_id - subnet_id = module.vpc.private_subnets[0] - aws_region = var.region - access_log_bucket_name = "${var.bastion_name}-access-logs" - bucket_name = "${var.bastion_name}-session-logs" - ssh_user = var.bastion_ssh_user - ssh_password = var.bastion_ssh_password - assign_public_ip = false # var.assign_public_ip - enable_log_to_s3 = true - enable_log_to_cloudwatch = true - vpc_endpoints_enabled = true - tenancy = var.bastion_tenancy - zarf_version = var.zarf_version + name = var.bastion_name + vpc_id = module.vpc.vpc_id + subnet_id = module.vpc.private_subnets[0] + aws_region = var.region + access_log_bucket_name_prefix = "${var.bastion_name}-access-logs" + session_log_bucket_name_prefix = "${var.bastion_name}-session-logs" + ssh_user = var.bastion_ssh_user + ssh_password = var.bastion_ssh_password + assign_public_ip = false # var.assign_public_ip + enable_log_to_s3 = true + enable_log_to_cloudwatch = true + vpc_endpoints_enabled = true + tenancy = var.bastion_tenancy + zarf_version = var.zarf_version tags = { Function = "bastion-ssm" } diff --git a/examples/complete-self-managed-nodegroup/main.tf b/examples/complete-self-managed-nodegroup/main.tf index cd02e433..9e23c262 100644 --- a/examples/complete-self-managed-nodegroup/main.tf +++ b/examples/complete-self-managed-nodegroup/main.tf 
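Review bot: `-run TestExamplesCompleteInsecure` in the new `test-complete-insecure` target is an unanchored Go regular expression, so it also selects any test whose name merely starts with that string; anchor it as `^TestExamplesCompleteInsecure$`, taking care that the `$` survives make's `$$` escaping and the nested single-quoted `bash -c` string in `_test-all`. The same unanchored pattern appears in the commented-out `test-complete-secure` recipe added later on this page. `EXTRA_TEST_ARGS` is interpolated into that single-quoted string, so a value containing a single quote would break out of it; that is fine for the fixed callers here, but a comment on `_test-all` such as `# EXTRA_TEST_ARGS is spliced into a single-quoted bash -c string; keep it free of quotes` would save the next person a surprise.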
@@ -66,20 +66,20 @@ module "bastion" { volume_size = "20" encrypted = true } - name = var.bastion_name - vpc_id = module.vpc.vpc_id - subnet_id = module.vpc.private_subnets[0] - aws_region = var.region - access_log_bucket_name = "${var.bastion_name}-access-logs" - bucket_name = "${var.bastion_name}-session-logs" - ssh_user = var.bastion_ssh_user - ssh_password = var.bastion_ssh_password - assign_public_ip = false # var.assign_public_ip - enable_log_to_s3 = true - enable_log_to_cloudwatch = true - vpc_endpoints_enabled = true - tenancy = var.bastion_tenancy - zarf_version = var.zarf_version + name = var.bastion_name + vpc_id = module.vpc.vpc_id + subnet_id = module.vpc.private_subnets[0] + aws_region = var.region + access_log_bucket_name_prefix = "${var.bastion_name}-access-logs" + session_log_bucket_name_prefix = "${var.bastion_name}-session-logs" + ssh_user = var.bastion_ssh_user + ssh_password = var.bastion_ssh_password + assign_public_ip = false # var.assign_public_ip + enable_log_to_s3 = true + enable_log_to_cloudwatch = true + vpc_endpoints_enabled = true + tenancy = var.bastion_tenancy + zarf_version = var.zarf_version tags = { Function = "bastion-ssm" } diff --git a/examples/complete/README.md b/examples/complete/README.md new file mode 100644 index 00000000..70035d50 --- /dev/null +++ b/examples/complete/README.md 
@@ -0,0 +1,56 @@ +# Complete Example: EKS Cluster Deployment with new VPC & Big Bang Dependencies + +This example deploys: + +- A VPC with: + - 3 public subnets with internet gateway + - 3 private subnets with NAT gateway +- An EKS cluster with worker node group(s) +- A Bastion host in one of the private subnets +- Big Bang dependencies: + - KMS key and IAM roles for SOPS and IRSA + - S3 bucket for Loki + - RDS database for Keycloak + +## How to Deploy + +### Prerequisites + +- *Nix operating system (Linux, macOS, WSL2) +- AWS CLI environment variables + - At minimum: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and either `AWS_REGION` or `AWS_DEFAULT_REGION` + - Preferred: the above plus `AWS_SESSION_TOKEN`, `AWS_SECURITY_TOKEN`, and `AWS_SESSION_EXPIRATION` + > If the account is set up to require MFA, you'll be required to have the session stuff. We recommend that you use [aws-vault](https://github.com/99designs/aws-vault). Friends don't let friends use unencrypted AWS creds. +- `docker` +- `make` +- various standard CLI tools that usually come with running on *Nix (grep, sed, etc) + +### Configure + +- If you want access to the cluster, update the `aws_admin_usernames` variable in `fixtures.common.tfvars` to include your IAM username. + > Easily retrieve your IAM username with `aws iam get-user | jq '.[]' | jq -r '.UserName'` +- Feel free to change other variables to suit your needs. + +### Deploy + +We'll be using our automated tests to stand up environments. They use [Terratest](https://github.com/gruntwork-io/terratest). Each test is based on one of examples in the `examples` directory. For example, if you want to stand up the "complete" example in "insecure" mode, you'll run the `test-complete-insecure` target. + +```shell +export SKIP_TEARDOWN=1 +unset SKIP_SETUP +unset SKIP_TEST +make test-complete-insecure +``` +> `SKIP_TEARDOWN` tells Terratest to skip running the test stage called "TEARDOWN", which is the stage that destroys the environment. 
We want things to stay up, so we set this variable. We also make sure `SKIP_SETUP` and `SKIP_TEST` are unset. + +> Run `make help` to see all the available targets. Any of them can be used to stand up an environment with different parameters. Do not run `make test` directly, as it will run all the tests in parallel and is not compatible with `SKIP_TEARDOWN`. + +### Destroy + +```shell +unset SKIP_TEARDOWN +export SKIP_SETUP=1 +export SKIP_TEST=1 +make test-complete-insecure +``` +> Since we're tearing down this time, we don't want `SKIP_TEARDOWN` to be set. Instead, we are setting `SKIP_SETUP` and `SKIP_TEST` to skip the setup and test stages. diff --git a/modules/bastion/logging.tf b/modules/bastion/logging.tf index c530627c..ab1ea4e3 100644 --- a/modules/bastion/logging.tf +++ b/modules/bastion/logging.tf @@ -10,7 +10,7 @@ resource "aws_cloudtrail" "ssh-access" { # checkov:skip=CKV_AWS_252: SNS not currently needed # checkov:skip=CKV2_AWS_10: Cloudwatch logs already being used with cloudtrail name = "ssh-access" - s3_bucket_name = var.access_log_bucket_name + s3_bucket_name = aws_s3_bucket.access_log_bucket.id kms_key_id = aws_kms_key.ssmkey.arn is_multi_region_trail = true enable_log_file_validation = true From 37e4398d5b04458b701a4f7c6e79be690c708029 Mon Sep 17 00:00:00 2001 From: Andy Roth Date: Mon, 13 Mar 2023 10:40:29 -0700 Subject: [PATCH 81/88] wip --- Makefile | 5 +++++ examples/README.md | 40 +++++++++++++++++++++++++++++++++ examples/complete/README.md | 45 ++++++++++++++----------------------- 3 files changed, 62 insertions(+), 28 deletions(-) create mode 100644 examples/README.md diff --git a/Makefile b/Makefile index f7facc15..dadc847d 100644 --- a/Makefile +++ b/Makefile 
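Review bot: `s3_bucket_name = aws_s3_bucket.access_log_bucket.id` in the logging.tf hunk gives the trail a dependency on the bucket but not on the bucket policy built from `data.aws_iam_policy_document.cloudwatch-policy` (the s3-buckets.tf hunks earlier in this series), and CloudTrail validates that policy when the trail is created. Unless the `aws_cloudtrail` resource already carries a `depends_on` further down its body, the first apply can fail with an insufficient-bucket-policy error and only succeed on retry; if it does not, add `depends_on = [aws_s3_bucket_policy.<access-log bucket policy>]` (placeholder — the policy resource's name is not on this page). The same line is changed again in the later logging.tf hunk on this page (commit 85); the resource body continues past the hunk.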
@@ -40,6 +40,11 @@ test: ## Run all automated tests. Requires access to an AWS account. Costs real test-complete-insecure: ## Run one test (TestExamplesCompleteInsecure). Requires access to an AWS account. Costs real money. $(MAKE) _test-all EXTRA_TEST_ARGS="-timeout 2h -run TestExamplesCompleteInsecure" +.PHONY: test-complete-secure +test-complete-secure: ## Run one test (TestExamplesCompleteSecure). Requires access to an AWS account. Costs real money. + #$(MAKE) _test-all EXTRA_TEST_ARGS="-timeout 2h -run TestExamplesCompleteSecure" + echo "TestExamplesCompleteSecure is still being worked on. For now feel free to use the complete-self-managed-nodegroup example." + .PHONY: docker-save-build-harness docker-save-build-harness: ## Pulls the build harness docker image and saves it to a tarball mkdir -p .cache/docker diff --git a/examples/README.md b/examples/README.md new file mode 100644 index 00000000..d9dcec76 --- /dev/null +++ b/examples/README.md 
@@ -0,0 +1,40 @@ +# Examples + +This directory contains examples of how to use the various modules in this repository. + +## How to Deploy + +### Prerequisites + +- *Nix operating system (Linux, macOS, WSL2) +- AWS CLI environment variables + - At minimum: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and either `AWS_REGION` or `AWS_DEFAULT_REGION` + - Preferred: the above plus `AWS_SESSION_TOKEN`, `AWS_SECURITY_TOKEN`, and `AWS_SESSION_EXPIRATION` + > If the account is set up to require MFA, you'll be required to have the session stuff. We recommend that you use [aws-vault](https://github.com/99designs/aws-vault). Friends don't let friends use unencrypted AWS creds. +- `docker` +- `make` +- various standard CLI tools that usually come with running on *Nix (grep, sed, etc) + +### Deploy + +We'll be using our automated tests to stand up environments. They use [Terratest](https://github.com/gruntwork-io/terratest). Each test is based on one of examples in the `examples` directory. For example, if you want to stand up the "complete" example in "insecure" mode, you'll run the `test-complete-insecure` target. + +```shell +export SKIP_TEARDOWN=1 +unset SKIP_SETUP +unset SKIP_TEST +make +``` +> `SKIP_TEARDOWN` tells Terratest to skip running the test stage called "TEARDOWN", which is the stage that destroys the environment. We want things to stay up, so we set this variable. We also make sure `SKIP_SETUP` and `SKIP_TEST` are unset. + +> Run `make help` to see all the available targets. Any of them can be used to stand up an environment with different parameters. Do not run `make test` directly, as it will run all the tests in parallel and is not compatible with `SKIP_TEARDOWN`. + +### Destroy + +```shell +unset SKIP_TEARDOWN +export SKIP_SETUP=1 +export SKIP_TEST=1 +make test-complete-insecure +``` +> Since we're tearing down this time, we don't want `SKIP_TEARDOWN` to be set. Instead, we are setting `SKIP_SETUP` and `SKIP_TEST` to skip the setup and test stages. 
diff --git a/examples/complete/README.md b/examples/complete/README.md index 70035d50..8594f0af 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md 
@@ -12,45 +12,34 @@ This example deploys: - S3 bucket for Loki - RDS database for Keycloak -## How to Deploy +> This example has 2 modes: "insecure" and "secure". Insecure mode uses managed nodegroups, default instance tenancy, and enables the public endpoint on the EKS cluster. Secure mode uses self-managed nodegroups, dedicated instance tenancy, and disables the public endpoint on the EKS cluster. The method of choosing which mode to use is by using either `fixtures.insecure.tfvars` or `fixtures.secure.tfvars` as an overlay on top of `fixtures.common.tfvars`. -### Prerequisites +> NOTE: Secure mode doesn't exist yet. Stay tuned or use the `complete-self-managed-nodegroup` example. Once this example has secure mode available the `complete-self-managed-nodegroup` example will be deprecated/deleted. -- *Nix operating system (Linux, macOS, WSL2) -- AWS CLI environment variables - - At minimum: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and either `AWS_REGION` or `AWS_DEFAULT_REGION` - - Preferred: the above plus `AWS_SESSION_TOKEN`, `AWS_SECURITY_TOKEN`, and `AWS_SESSION_EXPIRATION` - > If the account is set up to require MFA, you'll be required to have the session stuff. We recommend that you use [aws-vault](https://github.com/99designs/aws-vault). Friends don't let friends use unencrypted AWS creds. -- `docker` -- `make` -- various standard CLI tools that usually come with running on *Nix (grep, sed, etc) - -### Configure +## Configure - If you want access to the cluster, update the `aws_admin_usernames` variable in `fixtures.common.tfvars` to include your IAM username. > Easily retrieve your IAM username with `aws iam get-user | jq '.[]' | jq -r '.UserName'` - Feel free to change other variables to suit your needs. -### Deploy +## Deploy/Destroy -We'll be using our automated tests to stand up environments. They use [Terratest](https://github.com/gruntwork-io/terratest). Each test is based on one of examples in the `examples` directory. 
For example, if you want to stand up the "complete" example in "insecure" mode, you'll run the `test-complete-insecure` target. +See the [examples README](../README.md) for instructions on how to deploy/destroy this example. The make targets for this example are either `test-complete-insecure` or `test-complete-secure`. -```shell -export SKIP_TEARDOWN=1 -unset SKIP_SETUP -unset SKIP_TEST -make test-complete-insecure -``` -> `SKIP_TEARDOWN` tells Terratest to skip running the test stage called "TEARDOWN", which is the stage that destroys the environment. We want things to stay up, so we set this variable. We also make sure `SKIP_SETUP` and `SKIP_TEST` are unset. +## Connect -> Run `make help` to see all the available targets. Any of them can be used to stand up an environment with different parameters. Do not run `make test` directly, as it will run all the tests in parallel and is not compatible with `SKIP_TEARDOWN`. +### Insecure mode -### Destroy +In insecure mode, the EKS cluster has a public endpoint. You can get the kubeconfig you need to connect to the cluster with the following command: ```shell -unset SKIP_TEARDOWN -export SKIP_SETUP=1 -export SKIP_TEST=1 -make test-complete-insecure +aws eks update-kubeconfig --region --name --kubeconfig --alias ``` -> Since we're tearing down this time, we don't want `SKIP_TEARDOWN` to be set. Instead, we are setting `SKIP_SETUP` and `SKIP_TEST` to skip the setup and test stages. +> Use `aws eks list-clusters --region ` to get the name of the cluster. + +### Secure mode + +Coming soon + + + From cbb148f4e7c401e0bf7c31c593469be224cac685 Mon Sep 17 00:00:00 2001 From: Andy Roth Date: Mon, 13 Mar 2023 10:47:28 -0700 Subject: [PATCH 82/88] wip --- examples/complete/README.md | 81 +++++++++++++++++++++++++++++++++++++ 1 file changed, 81 insertions(+) diff --git a/examples/complete/README.md b/examples/complete/README.md index 8594f0af..c3873a7d 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md 
@@ -42,4 +42,85 @@ aws eks update-kubeconfig --region --name --kubeco Coming soon +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 4.58.0 | +| [random](#provider\_random) | 3.4.3 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [bastion](#module\_bastion) | ../../modules/bastion | n/a | +| [eks](#module\_eks) | ../../modules/eks | n/a | +| [flux\_sops](#module\_flux\_sops) | ../../modules/sops | n/a | +| [loki\_s3\_bucket](#module\_loki\_s3\_bucket) | ../../modules/s3-irsa | n/a | +| [rds\_postgres\_keycloak](#module\_rds\_postgres\_keycloak) | ../../modules/rds | n/a | +| [vpc](#module\_vpc) | ../../modules/vpc | n/a | + +## Resources + +| Name | Type | +|------|------| +| [random_id.bastion_name](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | +| [random_id.cluster_name](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | +| [random_id.vpc_name](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | +| [aws_ami.amazonlinux2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | +| [aws_ami.amazonlinux2eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_eks_cluster.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | +| [aws_eks_cluster_auth.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | + +## Inputs + +| Name | 
Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [assign\_public\_ip](#input\_assign\_public\_ip) | Whether to assign a public IP to the bastion | `bool` | `false` | no | +| [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with authorized access to KMS and EKS resources | `list(string)` | n/a | yes | +| [bastion\_instance\_type](#input\_bastion\_instance\_type) | value for the instance type of the EKS worker nodes | `string` | `"m5.xlarge"` | no | +| [bastion\_name\_prefix](#input\_bastion\_name\_prefix) | The name to use for the bastion | `string` | `"my-bastion"` | no | +| [bastion\_ssh\_password](#input\_bastion\_ssh\_password) | The SSH password to use for the bastion if SSM authentication is used | `string` | `"my-password"` | no | +| [bastion\_ssh\_user](#input\_bastion\_ssh\_user) | The SSH user to use for the bastion | `string` | `"ec2-user"` | no | +| [bastion\_tenancy](#input\_bastion\_tenancy) | The tenancy of the bastion | `string` | `"default"` | no | +| [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether to enable private access to the EKS cluster | `bool` | `false` | no | +| [cluster\_name\_prefix](#input\_cluster\_name\_prefix) | The name to use for the EKS cluster | `string` | `"my-eks"` | no | +| [create\_database\_subnet\_group](#input\_create\_database\_subnet\_group) | Whether to create a database subnet group | `bool` | `true` | no | +| [create\_database\_subnet\_route\_table](#input\_create\_database\_subnet\_route\_table) | Whether to create a database subnet route table | `bool` | `true` | no | +| [eks\_k8s\_version](#input\_eks\_k8s\_version) | The Kubernetes version to use for the EKS cluster | `string` | `"1.23"` | no | +| [eks\_worker\_tenancy](#input\_eks\_worker\_tenancy) | The tenancy of the EKS worker nodes | `string` | `"default"` | no | +| 
[enable\_managed\_nodegroups](#input\_enable\_managed\_nodegroups) | Enable managed node groups. If false, self managed node groups will be used. | `bool` | n/a | yes | +| [kc\_db\_allocated\_storage](#input\_kc\_db\_allocated\_storage) | The database allocated storage to use for Keycloak | `number` | n/a | yes | +| [kc\_db\_engine\_version](#input\_kc\_db\_engine\_version) | The database engine to use for Keycloak | `string` | n/a | yes | +| [kc\_db\_family](#input\_kc\_db\_family) | The database family to use for Keycloak | `string` | n/a | yes | +| [kc\_db\_instance\_class](#input\_kc\_db\_instance\_class) | The database instance class to use for Keycloak | `string` | n/a | yes | +| [kc\_db\_major\_engine\_version](#input\_kc\_db\_major\_engine\_version) | The database major engine version to use for Keycloak | `string` | n/a | yes | +| [kc\_db\_max\_allocated\_storage](#input\_kc\_db\_max\_allocated\_storage) | The database allocated storage to use for Keycloak | `number` | n/a | yes | +| [keycloak\_db\_password](#input\_keycloak\_db\_password) | The password to use for the Keycloak database | `string` | `"my-password"` | no | +| [keycloak\_enabled](#input\_keycloak\_enabled) | Whether to enable Keycloak | `bool` | `false` | no | +| [region](#input\_region) | The AWS region to deploy into | `string` | n/a | yes | +| [region2](#input\_region2) | The AWS region to deploy into | `string` | n/a | yes | +| [vpc\_cidr](#input\_vpc\_cidr) | The CIDR block for the VPC | `string` | n/a | yes | +| [vpc\_instance\_tenancy](#input\_vpc\_instance\_tenancy) | The tenancy of instances launched into the VPC | `string` | `"default"` | no | +| [vpc\_name\_prefix](#input\_vpc\_name\_prefix) | The name to use for the VPC | `string` | `"my-vpc"` | no | +| [zarf\_version](#input\_zarf\_version) | The version of Zarf to use | `string` | `""` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [bastion\_instance\_id](#output\_bastion\_instance\_id) | The ID of 
the bastion host | +| [bastion\_private\_key](#output\_bastion\_private\_key) | The private key for the bastion host | +| [dynamodb\_name](#output\_dynamodb\_name) | Name of DynmoDB table | +| [keycloak\_db\_instance\_endpoint](#output\_keycloak\_db\_instance\_endpoint) | The connection endpoint | +| [keycloak\_db\_instance\_name](#output\_keycloak\_db\_instance\_name) | The database name | +| [keycloak\_db\_instance\_port](#output\_keycloak\_db\_instance\_port) | The database port | +| [keycloak\_db\_instance\_username](#output\_keycloak\_db\_instance\_username) | The master username for the database | +| [loki\_s3\_bucket](#output\_loki\_s3\_bucket) | Loki S3 Bucket Name | From 0c8ba4c4686fb5cefaf8b803dcebd20cae992db2 Mon Sep 17 00:00:00 2001 From: Andy Roth Date: Mon, 13 Mar 2023 11:07:28 -0700 Subject: [PATCH 83/88] wip --- examples/complete/README.md | 14 +++++++++- examples/complete/providers.tf | 48 ++++++++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+), 1 deletion(-) diff --git a/examples/complete/README.md b/examples/complete/README.md index c3873a7d..c5f5dad1 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md @@ -44,7 +44,19 @@ Coming soon ## Requirements -No requirements. +| Name | Version | +|------|---------| +| [aws](#requirement\_aws) | >= 4.47.0 | +| [cloudinit](#requirement\_cloudinit) | >= 2.0.0 | +| [helm](#requirement\_helm) | >= 2.5.1 | +| [http](#requirement\_http) | 2.4.1 | +| [kubectl](#requirement\_kubectl) | >= 1.14.0 | +| [kubernetes](#requirement\_kubernetes) | >= 2.10.0 | +| [local](#requirement\_local) | >= 2.1.0 | +| [null](#requirement\_null) | >= 3.1.0 | +| [random](#requirement\_random) | >= 3.1.0 | +| [time](#requirement\_time) | >= 0.8.0 | +| [tls](#requirement\_tls) | >= 3.0.0 | ## Providers diff --git a/examples/complete/providers.tf b/examples/complete/providers.tf index 5b614ca8..e3e5049a 100644 --- a/examples/complete/providers.tf +++ b/examples/complete/providers.tf 
@@ -1,3 +1,51 @@
+terraform {
+ required_providers {
+ kubectl = {
+ source = "gavinbunney/kubectl"
+ version = ">= 1.14.0"
+ }
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.47.0"
+ }
+ cloudinit = {
+ source = "hashicorp/cloudinit"
+ version = ">= 2.0.0"
+ }
+ helm = {
+ source = "hashicorp/helm"
+ version = ">= 2.5.1"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.10.0"
+ }
+ local = {
+ source = "hashicorp/local"
+ version = ">= 2.1.0"
+ }
+ null = {
+ source = "hashicorp/null"
+ version = ">= 3.1.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = ">= 3.1.0"
+ }
+ time = {
+ source = "hashicorp/time"
+ version = ">= 0.8.0"
+ }
+ tls = {
+ source = "hashicorp/tls"
+ version = ">= 3.0.0"
+ }
+ http = {
+ source = "terraform-aws-modules/http"
+ version = "2.4.1"
+ }
+ }
+}
 data "aws_eks_cluster_auth" "this" {
 name = module.eks.eks_cluster_id
From fb5ad10810d47acd2f7c91081d56070ec6313f63 Mon Sep 17 00:00:00 2001
From: Andy Roth
Date: Mon, 13 Mar 2023 11:24:38 -0700
Subject: [PATCH 84/88] wip
---
 examples/README.md | 2 +-
 examples/complete/README.md | 4 ++--
 examples/complete/fixtures.common.tfvars | 6 +++---
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/examples/README.md b/examples/README.md
index d9dcec76..e8f0004c 100644
--- a/examples/README.md
+++ b/examples/README.md
@@ -35,6 +35,6 @@ make
 unset SKIP_TEARDOWN
 export SKIP_SETUP=1
 export SKIP_TEST=1
-make test-complete-insecure
+make
 ```
 > Since we're tearing down this time, we don't want `SKIP_TEARDOWN` to be set. Instead, we are setting `SKIP_SETUP` and `SKIP_TEST` to skip the setup and test stages.
diff --git a/examples/complete/README.md b/examples/complete/README.md
index c5f5dad1..5b723d57 100644
--- a/examples/complete/README.md
+++ b/examples/complete/README.md 
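Review bot: Every provider in the new `required_providers` block except `http` carries an open-ended `>=` constraint, so `terraform init` on a fresh checkout can resolve a future major release with breaking changes and a different supply-chain footprint from what this example was tested with; `kubectl` (`gavinbunney/kubectl`) and `http` (`terraform-aws-modules/http`) come from community namespaces, which makes bounding them more important. Prefer a constraint that caps the major version, e.g. `version = ">= 4.47.0, < 5.0.0"` for `aws`, and commit the `.terraform.lock.hcl` that `terraform init` writes so provider checksums are pinned for reviewers and CI. The exact `"2.4.1"` pin on `http` while everything else floats is inconsistent and deserves a one-line comment explaining why. The `data "aws_eks_cluster_auth" "this"` block shown in the trailing context continues past the hunk.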
@@ -62,8 +62,8 @@ Coming soon
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | 4.58.0 |
-| [random](#provider\_random) | 3.4.3 |
+| [aws](#provider\_aws) | >= 4.47.0 |
+| [random](#provider\_random) | >= 3.1.0 |
 ## Modules
diff --git a/examples/complete/fixtures.common.tfvars b/examples/complete/fixtures.common.tfvars
index a4450ffe..37532b91 100644
--- a/examples/complete/fixtures.common.tfvars
+++ b/examples/complete/fixtures.common.tfvars
@@ -1,9 +1,9 @@
 ###########################################################
 ################## Global Settings ########################
-region = "us-east-1" # target AWS region
-region2 = "us-east-2" # RDS backup target AWS region
-aws_admin_usernames = ["Andy"] # list of users to be added to the AWS admin group
+region = "us-east-1" # target AWS region
+region2 = "us-east-2" # RDS backup target AWS region
+aws_admin_usernames = ["Placeholder"] # list of users to be added to the AWS admin group
 ###########################################################
From 564d4bfcda4315feee74988fb63585e6370384fe Mon Sep 17 00:00:00 2001
From: Andy Roth
Date: Mon, 13 Mar 2023 15:08:38 -0700
Subject: [PATCH 85/88] wip
---
 modules/bastion/logging.tf | 2 +-
 modules/bastion/s3-buckets.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/bastion/logging.tf b/modules/bastion/logging.tf
index 3b710185..c667e353 100644
--- a/modules/bastion/logging.tf
+++ b/modules/bastion/logging.tf
@@ -10,7 +10,7 @@ resource "aws_cloudtrail" "ssh-access" {
 # checkov:skip=CKV_AWS_252: SNS not currently needed
 # checkov:skip=CKV2_AWS_10: Cloudwatch logs already being used with cloudtrail
 name = "${var.name}-ssh-access"
- s3_bucket_name = var.access_log_bucket_name
+ s3_bucket_name = aws_s3_bucket.access_log_bucket.id
 kms_key_id = aws_kms_key.ssmkey.arn
 is_multi_region_trail = true
 enable_log_file_validation = true
diff --git a/modules/bastion/s3-buckets.tf b/modules/bastion/s3-buckets.tf
index b16fa307..8bd7304c 100644 
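Review bot: `aws_admin_usernames = ["Placeholder"]` in the committed `fixtures.common.tfvars` still feeds a literal user name into whatever the example does with that list, which the inline comment says is adding members to the AWS admin group; a test run that applies this fixture would either fail on a non-existent user or attach admin-group membership to an account that happens to carry that name. An empty list keeps the shared fixture from conferring admin rights by default, e.g. `aws_admin_usernames = [] # supply real admin users via an untracked override .tfvars`. How the list is consumed is outside this hunk, so confirm against the module before changing the default.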
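Review bot: Switching `s3_bucket_name` to `aws_s3_bucket.access_log_bucket.id` gives `aws_cloudtrail.ssh-access` an implicit dependency on the bucket, but not on the bucket policy CloudTrail needs before it will accept the bucket, so a first apply can fail with an insufficient-bucket-policy error when the policy resource is created in parallel; if a bucket policy resource exists for this bucket, add `depends_on = [aws_s3_bucket_policy.<access-log-policy-resource>]` to the trail (placeholder name — use the actual resource). The hunk in `modules/bastion/s3-buckets.tf` makes the same substitution inside the `cloudwatch-policy` document, and with both changed `var.access_log_bucket_name` may have no remaining references and should then be removed from `variables.tf` and the README. The rest of the `aws_cloudtrail` resource body is outside the hunk.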
--- a/modules/bastion/s3-buckets.tf
+++ b/modules/bastion/s3-buckets.tf
@@ -51,7 +51,7 @@ data "aws_iam_policy_document" "cloudwatch-policy" {
 ]
 resources = [
- "arn:${data.aws_partition.current.partition}:s3:::${var.access_log_bucket_name}/*",
+ "arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.access_log_bucket.id}/*",
 ]
 condition {
From 062bc8fb8aa3b43c430c677a34b89bbdd34abe09 Mon Sep 17 00:00:00 2001
From: Zack Annexstein
Date: Mon, 13 Mar 2023 19:35:06 -0700
Subject: [PATCH 86/88] var.policy_content should never be null, default is empty string
---
 modules/bastion/locals.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/bastion/locals.tf b/modules/bastion/locals.tf
index 1f5aba38..1689a8ff 100644
--- a/modules/bastion/locals.tf
+++ b/modules/bastion/locals.tf
@@ -1,6 +1,6 @@
 locals {
 role_name = "${var.name}-role"
- add_custom_policy_to_role = var.policy_content != null && var.policy_content != ""
+ add_custom_policy_to_role = var.policy_content != ""
 bucket_prefix = var.name
From 61d0404831a8d473010a4028b7e55b3d929ffb32 Mon Sep 17 00:00:00 2001
From: Andy Roth
Date: Tue, 14 Mar 2023 08:08:23 -0700
Subject: [PATCH 87/88] change back to checking for null
---
 modules/bastion/locals.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/bastion/locals.tf b/modules/bastion/locals.tf
index 1689a8ff..1f5aba38 100644
--- a/modules/bastion/locals.tf
+++ b/modules/bastion/locals.tf
@@ -1,6 +1,6 @@
 locals {
 role_name = "${var.name}-role"
- add_custom_policy_to_role = var.policy_content != ""
+ add_custom_policy_to_role = var.policy_content != null && var.policy_content != ""
 bucket_prefix = var.name
From bde99a253a8145d49971052de9ce73ebfd5fb061 Mon Sep 17 00:00:00 2001 
From: Andy Roth
Date: Tue, 14 Mar 2023 08:27:44 -0700
Subject: [PATCH 88/88] add validation
---
 modules/bastion/README.md | 2 +-
 modules/bastion/locals.tf | 2 +-
 modules/bastion/variables.tf | 8 ++++++--
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/modules/bastion/README.md b/modules/bastion/README.md
index 87b562b6..28470e3b 100644
--- a/modules/bastion/README.md
+++ b/modules/bastion/README.md
@@ -131,7 +131,7 @@ No modules.
 | [name](#input\_name) | Name of Bastion | `string` | n/a | yes |
 | [permissions\_boundary](#input\_permissions\_boundary) | (Optional) The ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no |
 | [policy\_arns](#input\_policy\_arns) | List of IAM policy ARNs to attach to the instance profile | `list(string)` | `[]` | no |
-| [policy\_content](#input\_policy\_content) | Policy body. Use this to add a custom policy to your instance profile (Optional) | `string` | `""` | no |
+| [policy\_content](#input\_policy\_content) | JSON IAM Policy body. Use this to add a custom policy to your instance profile (Optional) | `string` | `null` | no |
 | [requires\_eip](#input\_requires\_eip) | Whether or not the instance should have an Elastic IP associated to it | `bool` | `false` | no |
 | [role\_name](#input\_role\_name) | Name to give IAM role created for instance profile | `string` | `""` | no |
 | [root\_volume\_config](#input\_root\_volume\_config) | n/a |
object({
volume_type = any
volume_size = any
})
|
{
"volume_size": "20",
"volume_type": "gp3"
}
| no |
diff --git a/modules/bastion/locals.tf b/modules/bastion/locals.tf
index 1f5aba38..e8803c20 100644
--- a/modules/bastion/locals.tf
+++ b/modules/bastion/locals.tf
@@ -1,6 +1,6 @@
 locals {
 role_name = "${var.name}-role"
- add_custom_policy_to_role = var.policy_content != null && var.policy_content != ""
+ add_custom_policy_to_role = var.policy_content != null
 bucket_prefix = var.name
diff --git a/modules/bastion/variables.tf b/modules/bastion/variables.tf
index c3d0f0da..6b3b2c4f 100644
--- a/modules/bastion/variables.tf
+++ b/modules/bastion/variables.tf
@@ -108,8 +108,12 @@ variable "policy_arns" {
 variable "policy_content" {
 type = string
- description = "Policy body. Use this to add a custom policy to your instance profile (Optional)"
- default = ""
+ description = "JSON IAM Policy body. Use this to add a custom policy to your instance profile (Optional)"
+ default = null
+ validation {
+ condition = var.policy_content == null || try(jsondecode(var.policy_content), null) != null
+ error_message = "The policy_content variable must be valid JSON."
+ }
 }
 variable "root_volume_config" {
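Review bot: The new `validation` block only proves that `policy_content` parses as JSON, so a bare JSON array or string literal passes the check and is still handed to IAM as the custom policy attached to the instance profile, where it fails at apply time; since this block exists to gate what gets attached, tighten it to require a policy-document object, `condition = var.policy_content == null || can(jsondecode(var.policy_content).Statement)`, and reword `error_message` to say the value must be a JSON IAM policy document containing a `Statement` key. Moving the default from `""` to `null` (mirrored by the `locals.tf` hunk, which now tests `!= null`) also means any caller that still passes `""` to opt out of the custom policy now fails validation because `jsondecode("")` errors, which is a behaviour change worth one sentence in the description. The `root_volume_config` variable that follows is outside the hunk.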