From 9a8be778ae297b1d423d7ed8bbab8ac9413d0628 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Fri, 3 Mar 2023 15:17:34 -0800 Subject: [PATCH 01/46] add junk dir --- .../.terraform.lock.hcl | 233 ++++++++++++++ .../README.md | 264 ++++++++++++++++ .../backend.tf.example | 9 + .../bigbang-dependencies.tf | 83 +++++ .../main.tf | 223 ++++++++++++++ .../outputs.tf | 40 +++ .../providers.tf | 50 +++ .../terraform.tfvars.example | 54 ++++ .../variables.tf | 284 ++++++++++++++++++ .../versions.tf | 29 ++ 10 files changed, 1269 insertions(+) create mode 100644 examples/complete-self-managed-ng-intra-subnets/.terraform.lock.hcl create mode 100644 examples/complete-self-managed-ng-intra-subnets/README.md create mode 100644 examples/complete-self-managed-ng-intra-subnets/backend.tf.example create mode 100644 examples/complete-self-managed-ng-intra-subnets/bigbang-dependencies.tf create mode 100644 examples/complete-self-managed-ng-intra-subnets/main.tf create mode 100644 examples/complete-self-managed-ng-intra-subnets/outputs.tf create mode 100644 examples/complete-self-managed-ng-intra-subnets/providers.tf create mode 100644 examples/complete-self-managed-ng-intra-subnets/terraform.tfvars.example create mode 100644 examples/complete-self-managed-ng-intra-subnets/variables.tf create mode 100644 examples/complete-self-managed-ng-intra-subnets/versions.tf diff --git a/examples/complete-self-managed-ng-intra-subnets/.terraform.lock.hcl b/examples/complete-self-managed-ng-intra-subnets/.terraform.lock.hcl new file mode 100644 index 00000000..99c00212 --- /dev/null +++ b/examples/complete-self-managed-ng-intra-subnets/.terraform.lock.hcl 
@@ -0,0 +1,233 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/gavinbunney/kubectl" { + version = "1.14.0" + constraints = ">= 1.14.0" + hashes = [ + "h1:ItrWfCZMzM2JmvDncihBMalNLutsAk7kyyxVRaipftY=", + "h1:mX2AOFIMIxJmW5kM8DT51gloIOKCr9iT6W8yodnUyfs=", + "zh:0350f3122ff711984bbc36f6093c1fe19043173fad5a904bce27f86afe3cc858", + "zh:07ca36c7aa7533e8325b38232c77c04d6ef1081cb0bac9d56e8ccd51f12f2030", + "zh:0c351afd91d9e994a71fe64bbd1662d0024006b3493bb61d46c23ea3e42a7cf5", + "zh:39f1a0aa1d589a7e815b62b5aa11041040903b061672c4cfc7de38622866cbc4", + "zh:428d3a321043b78e23c91a8d641f2d08d6b97f74c195c654f04d2c455e017de5", + "zh:4baf5b1de2dfe9968cc0f57fd4be5a741deb5b34ee0989519267697af5f3eee5", + "zh:6131a927f9dffa014ab5ca5364ac965fe9b19830d2bbf916a5b2865b956fdfcf", + "zh:c62e0c9fd052cbf68c5c2612af4f6408c61c7e37b615dc347918d2442dd05e93", + "zh:f0beffd7ce78f49ead612e4b1aefb7cb6a461d040428f514f4f9cc4e5698ac65", + ] +} + +provider "registry.terraform.io/hashicorp/aws" { + version = "4.53.0" + constraints = ">= 3.28.0, >= 3.29.0, >= 3.72.0, >= 3.73.0, >= 4.9.0, >= 4.10.0, >= 4.13.0, >= 4.45.0" + hashes = [ + "h1:P6ZZ716SRIimw0t/SAgYbOMZtO0HDvwVQKxyHEW6aaE=", + "h1:SamdqgizhmtJ7ejTM/G8RoxMoKC1ovLnd1jBzCFkI7c=", + "zh:0d44171544a916adf0fa96b7d0851a49d8dec98f71f0229dfd2d178958b3996b", + "zh:16945808ce26b86af7f5a77c4ab1154da786208c793abb95b8f918b4f48daded", + "zh:1a57a5a30cef9a5867579d894b74f60bb99afc7ca0d030d49a80ad776958b428", + "zh:2c718734ae17430d7f598ca0b4e4f86d43d66569c72076a10f4ace3ff8dfc605", + "zh:46fdf6301cb2fa0a4d122d1a8f75f047b6660c24851d6a4537ee38926a86485d", + "zh:53a53920b38a9e1648e85c6ee33bccf95bfcd067bffc4934a2af55621e6a6bd9", + "zh:548d927b234b1914c43169224b03f641d0961a4e312e5c6508657fce27b66db4", + "zh:57c847b2a5ae41ddea20b18ef006369d36bfdc4dec7f542f60e22a47f7b6f347", + "zh:79f7402b581621ba69f5a07ce70299735c678beb265d114d58955d04f0d39f87", + 
"zh:8970109a692dc4ecbda98a0969da472da4759db90ce22f2a196356ea85bb2cf7", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a500cc4ffcad854dec0cf6f97751930a53c9f278f143a4355fa8892aa77c77bf", + "zh:b687c20b42a8b9e9e9f56c42e3b3c6859c043ec72b8907a6e4d4b64068e11df5", + "zh:e2c592e96822b78287554be43c66398f658c74c4ae3796f6b9e6d4b0f1f7f626", + "zh:ff1c4a46fdc988716c6fc28925549600093fc098828237cb1a30264e15cf730f", + ] +} + +provider "registry.terraform.io/hashicorp/cloudinit" { + version = "2.2.0" + constraints = ">= 2.0.0" + hashes = [ + "h1:Id6dDkpuSSLbGPTdbw49bVS/7XXHu/+d7CJoGDqtk5g=", + "h1:siiI0wK6/jUDdA5P8ifTO0yc9YmXHml4hz5K9I9N+MA=", + "zh:76825122171f9ea2287fd27e23e80a7eb482f6491a4f41a096d77b666896ee96", + "zh:795a36dee548e30ca9c9d474af9ad6d29290e0a9816154ad38d55381cd0ab12d", + "zh:9200f02cb917fb99e44b40a68936fd60d338e4d30a718b7e2e48024a795a61b9", + "zh:a33cf255dc670c20678063aa84218e2c1b7a67d557f480d8ec0f68bc428ed472", + "zh:ba3c1b2cd0879286c1f531862c027ec04783ece81de67c9a3b97076f1ce7f58f", + "zh:bd575456394428a1a02191d2e46af0c00e41fd4f28cfe117d57b6aeb5154a0fb", + "zh:c68dd1db83d8437c36c92dc3fc11d71ced9def3483dd28c45f8640cfcd59de9a", + "zh:cbfe34a90852ed03cc074601527bb580a648127255c08589bc3ef4bf4f2e7e0c", + "zh:d6ffd7398c6d1f359b96f5b757e77b99b339fbb91df1b96ac974fe71bc87695c", + "zh:d9c15285f847d7a52df59e044184fb3ba1b7679fd0386291ed183782683d9517", + "zh:f7dd02f6d36844da23c9a27bb084503812c29c1aec4aba97237fec16860fdc8c", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "2.8.0" + constraints = ">= 2.4.1, >= 2.5.1" + hashes = [ + "h1:U0w0mUT0SwZCR0poGNSxGaZJKWcOiu4GerpGztYBiMM=", + "h1:a98mBNghv9odh5PVmgdXapgyYJmO/ncAWkwLWdXLuY4=", + "zh:1e42d1a04c07d4006844e477ca32b5f45b04f6525dbbbe00b6be6e6ec5a11c54", + "zh:2f87187cb48ccfb18d12e2c4332e7e822923b659e7339b954b7db78aff91529f", + "zh:391fe49b4d2dc07bc717248a3fc6952189cfc49c596c514ad72a29c9a9f9d575", + "zh:89272048e1e63f3edc3e83dfddd5a9fd4bd2a4ead104e67de1e14319294dedf1", + 
"zh:a5a057c3435a854389ce8a1d98a54aaa7cbab68aca7baa436a605897aa70ff7e", + "zh:b1098e53e1a8a3afcd325ecd0328662156b3d9c3d80948f19ba3a4eb870cee2b", + "zh:b676f949e8274a2b6c3fa41f5428ea597125579c7b93bb50bb73a5e295a7a447", + "zh:cdf7e9460f28c2dbfe49a79a5022bd0d474ff18120d340738aa35456ba77ebca", + "zh:e24b59b4ed1c593facbf8051ec58550917991e2e017f3085dac5fb902d9908cb", + "zh:e3b5e1f5543cac9d9031a028f1c1be4858fb80fae69f181f21e9465e366ebfa2", + "zh:e9fddc0bcdb28503078456f0088851d45451600d229975fd9990ee92c7489a10", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.17.0" + constraints = ">= 2.6.1, >= 2.10.0" + hashes = [ + "h1:Dq/EHg8mKP9wDDTJx5CzZ+w44wutIZJGfQLrAIznAqY=", + "h1:p2sgF62c2svJSKuImL3/zq/SSPOZFyd4Vj7K0UF2VrQ=", + "zh:1cbafea8c404195d8ad2490d75dbeebef131563d3e38dec87231ceb3923a3012", + "zh:26d9584423ee77e607999b082de7d9dc3e937934aa83341e0832e7253caf4f51", + "zh:333527fc15fb43bbf1898a2f058598c596468a01d88c415627bb617878dc4d4d", + "zh:391b8c80e3115af485977d6e949d7260b7fc0b641089b884256bfd36a7077db2", + "zh:4d18ba55247486181759d60195777945bcd68e17ccd980820ca18e8a8b94aeb5", + "zh:607ae94d85d1c1ed3845bd71095daadea4b2468e16f57fa05c98eab0de6b14ae", + "zh:95c6cf22f8ef14e7a4f85e33cff5d6f11056c7880041b71d425d1b5ebbe246e7", + "zh:b077edcedb46a313b461ac1e49317872063b3871f2acbe1a50498612cefff387", + "zh:c6a7891683e44148b0c928fd4748b7abac727266ab551d679015f5fe8b72d1e6", + "zh:e5cebfdf873770c37a4304362003d3fea8d6c2fd819663ad121bc65bb81e4738", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:feb19269e7c0de473ad412b37818b48da0cc91e5c93dd4c77a72676ca97a16b1", + ] +} + +provider "registry.terraform.io/hashicorp/local" { + version = "2.3.0" + constraints = ">= 2.1.0" + hashes = [ + "h1:7y8CXQKtfyvrMCSWgCkCclNN9L161u6jO1dEGVaB5RQ=", + "h1:U+DbBqKnXSIqC2z7qIko2dy8w6wwuZd89orPvfeqHk0=", + 
"zh:1f1920b3f78c31c6b69cdfe1e016a959667c0e2d01934e1a084b94d5a02cd9d2", + "zh:550a3cdae0ddb350942624e7b2e8b31d28bc15c20511553432413b1f38f4b214", + "zh:68d1d9ccbfce2ce56b28a23b22833a5369d4c719d6d75d50e101a8a8dbe33b9b", + "zh:6ae3ad6d865a906920c313ec2f413d080efe32c230aca711fd106b4cb9022ced", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:a0f413d50f54124057ae3dcd9353a797b84e91dc34bcf85c34a06f8aef1f9b12", + "zh:a2ac6d4088ceddcd73d88505e18b8226a6e008bff967b9e2d04254ef71b4ac6b", + "zh:a851010672e5218bdd4c4ea1822706c9025ef813a03da716d647dd6f8e2cffb0", + "zh:aa797561755041ef2fad99ee9ffc12b5e724e246bb019b21d7409afc2ece3232", + "zh:c6afa960a20d776f54bb1fc260cd13ead17280ebd87f05b9abcaa841ed29d289", + "zh:df0975e86b30bb89717b8c8d6d4690b21db66de06e79e6d6cfda769f3304afe6", + "zh:f0d3cc3da72135efdbe8f4cfbfb0f2f7174827887990a5545e6db1981f0d3a7c", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.1" + constraints = ">= 3.0.0, >= 3.1.0" + hashes = [ + "h1:tSj1mL6OQ8ILGqR2mDu7OYYYWf+hoir0pf9KAQ8IzO8=", + "h1:ydA0/SNRVB1o95btfshvYsmxA+jZFRZcvKzZSB+4S1M=", + "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840", + "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb", + "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5", + "zh:74cb22c6700e48486b7cabefa10b33b801dfcab56f1a6ac9b6624531f3d36ea3", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:79e553aff77f1cfa9012a2218b8238dd672ea5e1b2924775ac9ac24d2a75c238", + "zh:a1e06ddda0b5ac48f7e7c7d59e1ab5a4073bbcf876c73c0299e4610ed53859dc", + "zh:c37a97090f1a82222925d45d84483b2aa702ef7ab66532af6cbcfb567818b970", + "zh:e4453fbebf90c53ca3323a92e7ca0f9961427d2f0ce0d2b65523cc04d5d999c2", + "zh:e80a746921946d8b6761e77305b752ad188da60688cfd2059322875d363be5f5", + "zh:fbdb892d9822ed0e4cb60f2fedbdbb556e4da0d88d3b942ae963ed6ff091e48f", + "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694", + ] +} + 
+provider "registry.terraform.io/hashicorp/random" { + version = "3.4.3" + constraints = ">= 3.1.0" + hashes = [ + "h1:saZR+mhthL0OZl4SyHXZraxyaBNVMxiZzks78nWcZ2o=", + "h1:tL3katm68lX+4lAncjQA9AXL4GR/VM+RPwqYf4D2X8Q=", + "zh:41c53ba47085d8261590990f8633c8906696fa0a3c4b384ff6a7ecbf84339752", + "zh:59d98081c4475f2ad77d881c4412c5129c56214892f490adf11c7e7a5a47de9b", + "zh:686ad1ee40b812b9e016317e7f34c0d63ef837e084dea4a1f578f64a6314ad53", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:84103eae7251384c0d995f5a257c72b0096605048f757b749b7b62107a5dccb3", + "zh:8ee974b110adb78c7cd18aae82b2729e5124d8f115d484215fd5199451053de5", + "zh:9dd4561e3c847e45de603f17fa0c01ae14cae8c4b7b4e6423c9ef3904b308dda", + "zh:bb07bb3c2c0296beba0beec629ebc6474c70732387477a65966483b5efabdbc6", + "zh:e891339e96c9e5a888727b45b2e1bb3fcbdfe0fd7c5b4396e4695459b38c8cb1", + "zh:ea4739860c24dfeaac6c100b2a2e357106a89d18751f7693f3c31ecf6a996f8d", + "zh:f0c76ac303fd0ab59146c39bc121c5d7d86f878e9a69294e29444d4c653786f8", + "zh:f143a9a5af42b38fed328a161279906759ff39ac428ebcfe55606e05e1518b93", + ] +} + +provider "registry.terraform.io/hashicorp/time" { + version = "0.9.1" + constraints = ">= 0.7.0, >= 0.8.0" + hashes = [ + "h1:UHcDnIYFZ00uoou0TwPGMwOrE8gTkoRephIvdwDAK70=", + "h1:VxyoYYOCaJGDmLz4TruZQTSfQhvwEcMxvcKclWdnpbs=", + "zh:00a1476ecf18c735cc08e27bfa835c33f8ac8fa6fa746b01cd3bcbad8ca84f7f", + "zh:3007f8fc4a4f8614c43e8ef1d4b0c773a5de1dcac50e701d8abc9fdc8fcb6bf5", + "zh:5f79d0730fdec8cb148b277de3f00485eff3e9cf1ff47fb715b1c969e5bbd9d4", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:8c8094689a2bed4bb597d24a418bbbf846e15507f08be447d0a5acea67c2265a", + "zh:a6d9206e95d5681229429b406bc7a9ba4b2d9b67470bda7df88fa161508ace57", + "zh:aa299ec058f23ebe68976c7581017de50da6204883950de228ed9246f309e7f1", + "zh:b129f00f45fba1991db0aa954a6ba48d90f64a738629119bfb8e9a844b66e80b", + "zh:ef6cecf5f50cda971c1b215847938ced4cb4a30a18095509c068643b14030b00", + 
"zh:f1f46a4f6c65886d2dd27b66d92632232adc64f92145bf8403fe64d5ffa5caea", + "zh:f79d6155cda7d559c60d74883a24879a01c4d5f6fd7e8d1e3250f3cd215fb904", + "zh:fd59fa73074805c3575f08cd627eef7acda14ab6dac2c135a66e7a38d262201c", + ] +} + +provider "registry.terraform.io/hashicorp/tls" { + version = "4.0.4" + constraints = ">= 3.0.0" + hashes = [ + "h1:GZcFizg5ZT2VrpwvxGBHQ/hO9r6g0vYdQqx3bFD3anY=", + "h1:Wd3RqmQW60k2QWPN4sK5CtjGuO1d+CRNXgC+D4rKtXc=", + "zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55", + "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848", + "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be", + "zh:5a8eec2409a9ff7cd0758a9d818c74bcba92a240e6c5e54b99df68fff312bbd5", + "zh:5e6a4b39f3171f53292ab88058a59e64825f2b842760a4869e64dc1dc093d1fe", + "zh:810547d0bf9311d21c81cc306126d3547e7bd3f194fc295836acf164b9f8424e", + "zh:824a5f3617624243bed0259d7dd37d76017097dc3193dac669be342b90b2ab48", + "zh:9361ccc7048be5dcbc2fafe2d8216939765b3160bd52734f7a9fd917a39ecbd8", + "zh:aa02ea625aaf672e649296bce7580f62d724268189fe9ad7c1b36bb0fa12fa60", + "zh:c71b4cd40d6ec7815dfeefd57d88bc592c0c42f5e5858dcc88245d371b4b8b1e", + "zh:dabcd52f36b43d250a3d71ad7abfa07b5622c69068d989e60b79b2bb4f220316", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/terraform-aws-modules/http" { + version = "2.4.1" + constraints = "2.4.1" + hashes = [ + "h1:FINkX7/X/cr5NEssB7dMqVWa6YtJtmwzvkfryuR39/k=", + "h1:fHqAXle/P/fT2k+HEyTqYVE+/RvpQAaBr6xXZgM66es=", + "zh:0111f54de2a9815ded291f23136d41f3d2731c58ea663a2e8f0fef02d377d697", + "zh:0740152d76f0ccf54f4d0e8e0753739a5233b022acd60b5d2353d248c4c17204", + "zh:569518f46809ec9cdc082b4dfd4e828236eee2b50f87b301d624cfd83b8f5b0d", + "zh:7669f7691de91eec9f381e9a4be81aa4560f050348a86c6ea7804925752a01bb", + "zh:81cd53e796ec806aca2d8e92a2aed9135661e170eeff6cf0418e54f98816cd05", + "zh:82f01abd905090f978b169ac85d7a5952322a5f0f460269dd981b3596652d304", + 
"zh:9a235610066e0f7e567e69c23a53327271a6fc568b06bf152d8fe6594749ed2b", + "zh:aeabdd8e633d143feb67c52248c85358951321e35b43943aeab577c005abd30a", + "zh:c20d22dba5c79731918e7192bc3d0b364d47e98a74f47d287e6cc66236bc0ed0", + "zh:c4fea2cb18c31ed7723deec5ebaff85d6795bb6b6ed3b954794af064d17a7f9f", + "zh:e21e88b6e7e55b9f29b046730d9928c65a4f181fd5f60a42f1cd41b46a0a938d", + "zh:eddb888a74dea348a0acdfee13a08875bacddde384bd9c28342a534269665568", + "zh:f46d5f1403b8d8dfafab9bdd7129d3080bb62a91ea726f477fd43560887b8c4a", + ] +} diff --git a/examples/complete-self-managed-ng-intra-subnets/README.md b/examples/complete-self-managed-ng-intra-subnets/README.md new file mode 100644 index 00000000..18c715ea --- /dev/null +++ b/examples/complete-self-managed-ng-intra-subnets/README.md 
@@ -0,0 +1,264 @@ +# EKS Cluster Deployment with new VPC & Big Bang Dependencies + +This example deploys the following Basic Self-Managed EKS Cluster with VPC + +- Creates a new sample VPC, 3 Private Subnets and 3 Public Subnets +- Creates Internet gateway for Public Subnets and NAT Gateway for Private Subnets +- Creates EKS Cluster Control plane with one managed node group +- Creates a Bastion host in a private subnet +- Creates dependencies needed for BigBang + +--- +**Table of contents:** +- [EKS Cluster Deployment with new VPC \& Big Bang Dependencies](#eks-cluster-deployment-with-new-vpc--big-bang-dependencies) + - [How to Deploy](#how-to-deploy) + - [Prerequisites](#prerequisites) + - [Deployment Steps](#deployment-steps) + - [Step 1: Preparation](#step-1-preparation) + - [Step 2: Modify terraform.tfvars (located in tmp directory) with desired values](#step-2-modify-terraformtfvars-located-in-tmp-directory-with-desired-values) + - [Step 3: Terraform Init \& State](#step-3-terraform-init--state) + - [local](#local) + - [remote](#remote) + - [Step 4: Provision VPC and Bastion](#step-4-provision-vpc-and-bastion) + - [Step 5: (Required if EKS Public Access set to False) Connect to the Bastion using SSHuttle and Provision the remaining Infrastucture](#step-5-required-if-eks-public-access-set-to-false-connect-to-the-bastion-using-sshuttle-and-provision-the-remaining-infrastucture) + - [Configure `kubectl` and test cluster](#configure-kubectl-and-test-cluster) + - [Step 6: Run the `aws eks update-kubeconfig` command](#step-6-run-the-aws-eks-update-kubeconfig-command) + - [Step 7: List all the worker nodes by running the command below](#step-7-list-all-the-worker-nodes-by-running-the-command-below) + - [Step 8: List all the pods running in `kube-system` namespace](#step-8-list-all-the-pods-running-in-kube-system-namespace) + - [Cleanup](#cleanup) + - [Requirements](#requirements) + - [Providers](#providers) + - [Modules](#modules) + - [Resources](#resources) + - 
[Inputs](#inputs) + - [Outputs](#outputs) + +--- + +## How to Deploy + +### Prerequisites + +Ensure that you have installed the following tools in your Mac or Windows Laptop before start working with this module and run Terraform Plan and Apply + +1. [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) +2. [Kubectl](https://Kubernetes.io/docs/tasks/tools/) +3. [Helm](https://helm.sh/docs/intro/install/) +4. [Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) +5. [SSHuttle](https://github.com/sshuttle/sshuttle) + +Ensure that your AWS credentials are configured. This can be done by running `aws configure` + +### Deployment Steps + +#### Step 1: Preparation + +```sh +git clone https://github.com/defenseunicorns/iac.git +cd ./iac/examples/complete-self-managed-nodegroup +cp terraform.tfvars.example terraform.tfvars +``` + +#### Step 2: Modify terraform.tfvars (located in tmp directory) with desired values + +AWS usernames must be changed to match actual usernames `aws iam get-user | jq '.[]' | jq -r '.UserName'` + +#### Step 3: Terraform Init & State + +Use remote or local state for terraform + +##### local + +Initialize a working directory with configuration files and create local terraform state file + +```sh +terraform init +``` + +##### remote + +Alternatively, you can provision an S3 backend prior to this step using the tf-state-backend example and init via the following: + +```sh +#from the ./iac/examples/complete-self-managed-nodegroup directory +pushd ../tf-state-backend + +terraform apply +export BUCKET_ID=`(terraform output -raw tfstate_bucket_id)` +export DYNAMODB_TABLE_NAME=`(terraform output -raw tfstate_dynamodb_table_name)` + +popd + +export AWS_DEFAULT_REGION=$(grep 'region' terraform.tfvars | grep -v 'region2' |cut -d'=' -f2 | cut -d'#' -f1 | tr -d '[:space:]' | sed 's/"//g') + +#make backend file +cp backend.tf.example backend.tf + +#init and copy state if it exists +terraform init -force-copy 
-backend-config="bucket=$BUCKET_ID" \ + -backend-config="key=complete-self-managed-nodegroup/terraform.tfstate" \ + -backend-config="dynamodb_table=$DYNAMODB_TABLE_NAME" \ + -backend-config="region=$AWS_DEFAULT_REGION" +``` + +#### Step 4: Provision VPC and Bastion + +```sh +# plan deployment and verify desired outcome +terraform plan -target=module.vpc -target=module.bastion + +# type yes to confirm or utilize the '-auto-approve' flag +terraform apply -target=module.vpc -target=module.bastion +``` + +#### Step 5: (Required if EKS Public Access set to False) Connect to the Bastion using SSHuttle and Provision the remaining Infrastucture + +Add the following to your ~/.ssh/config to connect to the Bastion via AWS SSM (create config file if it does not exist) + +```sh +# SSH over Session Manager +host i-* mi-* + ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'" +``` + +Test SSH connection to the Bastion + +```sh +# grab bastion instance id from terraform +export BASTION_INSTANCE_ID=`(terraform output -raw bastion_instance_id)` +# replace "my-password" with the variable set (if changed from the default) +expect -c 'spawn ssh ec2-user@$BASTION_INSTANCE_ID ; expect "assword:"; send "my-password\r"; interact' +``` + +In a new terminal, open an sshuttle tunnel to the bastion + +```sh +# subnet below is the CIDR block from your tfvars file +sshuttle --dns -vr ec2-user@$BASTION_INSTANCE_ID 10.200.0.0/16 +``` + +Navigate back to the terminal in the `complete-self-managed-nodegroup` directory and Provision the EKS Cluster + +```sh +terraform apply -var-file +# type yes to confirm or utilize the ```-auto-approve``` flag in the above command +``` + +### Configure `kubectl` and test cluster + +Note: In this example we are using a private EKS Cluster endpoint for the control plane. 
You must ensure the sshuttle is running to the bastion to utilize `kubectl` + +EKS Cluster details can be extracted from terraform output or from AWS Console to get the name of cluster. +This following command used to update the `kubeconfig` in your local machine where you run kubectl commands to interact with your EKS Cluster. + +#### Step 6: Run the `aws eks update-kubeconfig` command + +`~/.kube/config` file gets updated with cluster details and certificate from the below command + +```bash +CLUSTER_NAME=$(grep 'cluster_name' terraform.tfvars | cut -d'=' -f2 | tr -d '[:space:]' | sed 's/"//g') +aws eks --region $AWS_DEFAULT_REGION update-kubeconfig --name $CLUSTER_NAME +``` + +#### Step 7: List all the worker nodes by running the command below + + kubectl get nodes + +#### Step 8: List all the pods running in `kube-system` namespace + + kubectl get pods -n kube-system + +## Cleanup + +To clean up your environment, destroy the Terraform modules in reverse order. + +Destroy the Kubernetes Add-ons / EKS cluster first (requires sshuttle through bastion if EKS Public Access set to False) + +```sh +terraform destroy -auto-approve -target=module.eks +``` + +Destroy all other resources + +```sh +terraform destroy -auto-approve +``` + +## Requirements + +No requirements. 
+ +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 4.53.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [bastion](#module\_bastion) | ../../modules/bastion | n/a | +| [eks](#module\_eks) | ../../modules/eks | n/a | +| [flux\_sops](#module\_flux\_sops) | ../../modules/sops | n/a | +| [loki\_s3\_bucket](#module\_loki\_s3\_bucket) | ../../modules/s3-irsa | n/a | +| [rds\_postgres\_keycloak](#module\_rds\_postgres\_keycloak) | ../../modules/rds | n/a | +| [vpc](#module\_vpc) | ../../modules/vpc | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_ami.amazonlinux2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | +| [aws_eks_cluster.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | +| [aws_eks_cluster_auth.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account](#input\_account) | The AWS account to deploy into | `string` | n/a | yes | +| [assign\_public\_ip](#input\_assign\_public\_ip) | Whether to assign a public IP to the bastion | `bool` | `false` | no | +| [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with authorized access to KMS and EKS resources | `list(string)` | n/a | yes | +| [aws\_profile](#input\_aws\_profile) | The AWS profile to use for deployment | `string` | n/a | yes | +| [bastion\_ami\_id](#input\_bastion\_ami\_id) | (Optional) The AMI ID to use for the bastion, will query the latest Amazon Linux 2 AMI if not provided | `string` | `""` | no | +| 
[bastion\_instance\_type](#input\_bastion\_instance\_type) | value for the instance type of the EKS worker nodes | `string` | `"m5.xlarge"` | no | +| [bastion\_name](#input\_bastion\_name) | The name to use for the bastion | `string` | `"my-bastion"` | no | +| [bastion\_ssh\_password](#input\_bastion\_ssh\_password) | The SSH password to use for the bastion if SSM authentication is used | `string` | `"my-password"` | no | +| [bastion\_ssh\_user](#input\_bastion\_ssh\_user) | The SSH user to use for the bastion | `string` | `"ec2-user"` | no | +| [bastion\_tenancy](#input\_bastion\_tenancy) | The tenancy of the bastion | `string` | `"default"` | no | +| [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether to enable private access to the EKS cluster | `bool` | `false` | no | +| [cluster\_name](#input\_cluster\_name) | The name to use for the EKS cluster | `string` | `"my-eks"` | no | +| [create\_database\_subnet\_group](#input\_create\_database\_subnet\_group) | Whether to create a database subnet group | `bool` | `true` | no | +| [create\_database\_subnet\_route\_table](#input\_create\_database\_subnet\_route\_table) | Whether to create a database subnet route table | `bool` | `true` | no | +| [eks\_k8s\_version](#input\_eks\_k8s\_version) | The Kubernetes version to use for the EKS cluster | `string` | `"1.23"` | no | +| [eks\_worker\_tenancy](#input\_eks\_worker\_tenancy) | The tenancy of the EKS worker nodes | `string` | `"default"` | no | +| [kc\_db\_allocated\_storage](#input\_kc\_db\_allocated\_storage) | The database allocated storage to use for Keycloak | `number` | n/a | yes | +| [kc\_db\_engine\_version](#input\_kc\_db\_engine\_version) | The database engine to use for Keycloak | `string` | n/a | yes | +| [kc\_db\_family](#input\_kc\_db\_family) | The database family to use for Keycloak | `string` | n/a | yes | +| [kc\_db\_instance\_class](#input\_kc\_db\_instance\_class) | The database instance class to use for Keycloak 
| `string` | n/a | yes | +| [kc\_db\_major\_engine\_version](#input\_kc\_db\_major\_engine\_version) | The database major engine version to use for Keycloak | `string` | n/a | yes | +| [kc\_db\_max\_allocated\_storage](#input\_kc\_db\_max\_allocated\_storage) | The database allocated storage to use for Keycloak | `number` | n/a | yes | +| [keycloak\_db\_password](#input\_keycloak\_db\_password) | The password to use for the Keycloak database | `string` | `"my-password"` | no | +| [keycloak\_enabled](#input\_keycloak\_enabled) | Whether to enable Keycloak | `bool` | `false` | no | +| [region](#input\_region) | The AWS region to deploy into | `string` | n/a | yes | +| [region2](#input\_region2) | The AWS region to deploy into | `string` | n/a | yes | +| [vpc\_cidr](#input\_vpc\_cidr) | The CIDR block for the VPC | `string` | n/a | yes | +| [vpc\_instance\_tenancy](#input\_vpc\_instance\_tenancy) | The tenancy of instances launched into the VPC | `string` | `"default"` | no | +| [vpc\_name](#input\_vpc\_name) | The name to use for the VPC | `string` | `"my-vpc"` | no | +| [zarf\_version](#input\_zarf\_version) | The version of Zarf to use | `string` | `""` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [bastion\_instance\_id](#output\_bastion\_instance\_id) | The ID of the bastion host | +| [bastion\_private\_key](#output\_bastion\_private\_key) | The private key for the bastion host | +| [dynamodb\_name](#output\_dynamodb\_name) | Name of DynmoDB table | +| [keycloak\_db\_instance\_endpoint](#output\_keycloak\_db\_instance\_endpoint) | The connection endpoint | +| [keycloak\_db\_instance\_name](#output\_keycloak\_db\_instance\_name) | The database name | +| [keycloak\_db\_instance\_port](#output\_keycloak\_db\_instance\_port) | The database port | +| [keycloak\_db\_instance\_username](#output\_keycloak\_db\_instance\_username) | The master username for the database | +| [loki\_s3\_bucket](#output\_loki\_s3\_bucket) | Loki S3 Bucket Name | + 
diff --git a/examples/complete-self-managed-ng-intra-subnets/backend.tf.example b/examples/complete-self-managed-ng-intra-subnets/backend.tf.example
new file mode 100644
index 00000000..6e9833ac
--- /dev/null
+++ b/examples/complete-self-managed-ng-intra-subnets/backend.tf.example
@@ -0,0 +1,9 @@
+terraform {
+ backend "s3" {
+ region = ""
+ bucket = ""
+ key = ""
+ dynamodb_table = ""
+ encrypt = "true"
+ }
+}
diff --git a/examples/complete-self-managed-ng-intra-subnets/bigbang-dependencies.tf b/examples/complete-self-managed-ng-intra-subnets/bigbang-dependencies.tf
new file mode 100644
index 00000000..cf066d28
--- /dev/null
+++ b/examples/complete-self-managed-ng-intra-subnets/bigbang-dependencies.tf
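Review bot: `encrypt = "true"` in the S3 backend block is a quoted string for an argument that is a bool; Terraform coerces it, but the idiomatic form is `encrypt = true`, and leaving it as a string invites the same pattern elsewhere in the example. The remaining empty-string arguments are only placeholders that the README's "remote" step fills in through `-backend-config` flags at init time, which is worth stating in the file so a reader does not paste real bucket and table names into a committed example; a one-line header such as `# region/bucket/key/dynamodb_table are supplied at init time via -backend-config (see README, "remote")` would do.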
@@ -0,0 +1,83 @@
+
+###########################################################
+############## Big Bang Core Dependencies #################
+###########################################################
+
+###########################################################
+################# Enable EKS Sops #########################
+
+module "flux_sops" {
+ # source = "git::https://github.com/defenseunicorns/iac.git//modules/sops?ref=v"
+ source = "../../modules/sops"
+
+ region = var.region
+ cluster_name = module.eks.eks_cluster_id
+ vpc_id = module.vpc.vpc_id
+ policy_name_prefix = "${module.eks.eks_cluster_id}-flux-sops"
+ kms_key_alias = "${module.eks.eks_cluster_id}-flux-sops"
+ kubernetes_service_account = "flux-system-sops-sa"
+ kubernetes_namespace = "flux-system"
+ irsa_sops_iam_role_name = "${module.eks.eks_cluster_id}-flux-system-sa-role"
+ eks_oidc_provider_arn = module.eks.eks_oidc_provider_arn
+ tags = local.tags
+ role_name = module.bastion.bastion_role_name
+}
+
+###########################################################
+################## Loki S3 Buckets ########################
+
+module "loki_s3_bucket" {
+ # source = "git::https://github.com/defenseunicorns/iac.git//modules/s3-irsa?ref=v"
+ source = "../../modules/s3-irsa"
+
+ region = var.region
+ cluster_name = module.eks.eks_cluster_id
+ policy_name_prefix = "loki-s3-policy"
+ bucket_prefix = "loki-s3"
+ kms_key_alias = "loki-s3"
+ kubernetes_service_account = "logging-loki-s3-sa"
+ kubernetes_namespace = "logging"
+ irsa_iam_role_name = "${module.eks.eks_cluster_id}-logging-loki-sa-role"
+ eks_oidc_provider_arn = module.eks.eks_oidc_provider_arn
+ tags = local.tags
+ dynamodb_enabled = true
+}
+
+###########################################################
+############ Big Bang Add-Ons Dependencies ################
+###########################################################
+
+###########################################################
+############### Keycloak RDS Database #####################
+
+module "rds_postgres_keycloak" {
+ # source = "git::https://github.com/defenseunicorns/iac.git//modules/rds?ref=v"
+ source = "../../modules/rds"
+
+ count = var.keycloak_enabled ? 1 : 0
+
+ # provider alias is needed for every parent module supporting RDS backup replication is a separate region
+ providers = {
+ aws.region2 = aws.region2
+ }
+
+ vpc_id = module.vpc.vpc_id
+ vpc_cidr = module.vpc.vpc_cidr_block
+ database_subnet_group_name = module.vpc.database_subnet_group_name
+ engine = "postgres"
+ engine_version = var.kc_db_engine_version
+ family = var.kc_db_family
+ major_engine_version = var.kc_db_major_engine_version
+ instance_class = var.kc_db_instance_class
+ identifier = "${var.cluster_name}-keycloak"
+ db_name = "keycloak" # Can only be alphanumeric, no hyphens or underscores
+ username = "kcadmin"
+ create_random_password = false
+ password = var.keycloak_db_password
+ allocated_storage = var.kc_db_allocated_storage
+ max_allocated_storage = var.kc_db_max_allocated_storage
+ create_db_subnet_group = true
+ deletion_protection = false
+ # automated_backups_replication_enabled = true
+ tags = local.tags
+}
diff --git a/examples/complete-self-managed-ng-intra-subnets/main.tf b/examples/complete-self-managed-ng-intra-subnets/main.tf
new file mode 100644
index 00000000..377d4c85
--- /dev/null
+++ b/examples/complete-self-managed-ng-intra-subnets/main.tf
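Review bot: The Keycloak database in `module "rds_postgres_keycloak"` is created with `create_random_password = false` and `password = var.keycloak_db_password`, and the README's Inputs table added by this same commit shows that variable defaulting to `"my-password"`, so anyone who applies the example without overriding it ends up with a known credential on the identity provider's database. Prefer `create_random_password = true` and drop the `password` line, or at minimum give `keycloak_db_password` no default so the plan fails instead of silently using the placeholder. `deletion_protection = false` on the same instance is a questionable default for a database holding Keycloak realm and user data; an example meant to be copied should ship with `deletion_protection = true` and let users opt out. The `providers` block wires `aws.region2` for cross-region backup replication while `automated_backups_replication_enabled` is left commented out, and the comment above it reads "replication is a separate region" where "in a separate region" is presumably meant — either enable the option or note why the alias is still required.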
@@ -0,0 +1,223 @@ +data "aws_partition" "current" {} + +locals { + tags = { + Blueprint = "${replace(basename(path.cwd), "_", "-")}" # tag names based on the directory name + GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints" + } + admin_arns = [for admin_user in var.aws_admin_usernames : "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${admin_user}"] + aws_auth_eks_map_users = [for admin_user in var.aws_admin_usernames : { + userarn = "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${admin_user}" + username = "${admin_user}" + groups = ["system:masters"] + } + ] +} + +data "aws_ami" "amazonlinux2" { + most_recent = true + + filter { + name = "name" + values = ["amzn2-ami-hvm*x86_64-gp2"] + } + + owners = ["amazon"] +} + +########################################################### +####################### VPC ############################### + +module "vpc" { + # source = "git::https://github.com/defenseunicorns/iac.git//modules/vpc?ref=v" + source = "../../modules/vpc" + + region = var.region + name = var.vpc_name + vpc_cidr = var.vpc_cidr + azs = ["${var.region}a", "${var.region}b", "${var.region}c"] + public_subnets = [for k, v in module.vpc.azs : cidrsubnet(module.vpc.vpc_cidr_block, 5, k)] + private_subnets = [for k, v in module.vpc.azs : cidrsubnet(module.vpc.vpc_cidr_block, 5, k + 4)] + database_subnets = [for k, v in module.vpc.azs : cidrsubnet(module.vpc.vpc_cidr_block, 5, k + 8)] + intra_subnets = var.intra_subnets + single_nat_gateway = true + enable_nat_gateway = true + + private_subnet_tags = { + "kubernetes.io/cluster/${var.cluster_name}" = "shared" + "kubernetes.io/role/internal-elb" = 1 + } + create_database_subnet_group = true + create_database_subnet_route_table = true + + instance_tenancy = var.vpc_instance_tenancy # dedicated tenancy globally set in VPC does not currently work with EKS +} + +########################################################### +##################### Bastion 
############################# + +module "bastion" { + # source = "git::https://github.com/defenseunicorns/iac.git//modules/bastion?ref=v" + source = "../../modules/bastion" + + ami_id = coalesce(var.bastion_ami_id, data.aws_ami.amazonlinux2.id) #use var.bastion_ami_id if set, otherwise use the latest Amazon Linux 2 AMI + instance_type = var.bastion_instance_type + root_volume_config = { + volume_type = "gp3" + volume_size = "20" + encrypted = true + } + name = var.bastion_name + vpc_id = module.vpc.vpc_id + subnet_id = module.vpc.private_subnets[0] + aws_region = var.region + access_log_bucket_name = "${var.bastion_name}-access-logs" + bucket_name = "${var.bastion_name}-session-logs" + ssh_user = var.bastion_ssh_user + ssh_password = var.bastion_ssh_password + assign_public_ip = false # var.assign_public_ip + enable_log_to_s3 = true + enable_log_to_cloudwatch = true + vpc_endpoints_enabled = true + tenancy = var.bastion_tenancy + zarf_version = var.zarf_version + tags = { + Function = "bastion-ssm" + } +} + +########################################################### +################### EKS Cluster ########################### +module "eks" { + # source = "git::https://github.com/defenseunicorns/iac.git//modules/eks?ref=v" + source = "../../modules/eks" + + name = var.cluster_name + aws_region = var.region + aws_account = var.account + vpc_id = module.vpc.vpc_id + private_subnet_ids = module.vpc.private_subnets + control_plane_subnet_ids = module.vpc.private_subnets + source_security_group_id = module.bastion.security_group_ids[0] + cluster_endpoint_public_access = var.cluster_endpoint_public_access + cluster_endpoint_private_access = true + cluster_kms_key_additional_admin_arns = local.admin_arns + eks_k8s_version = var.eks_k8s_version + bastion_role_arn = module.bastion.bastion_role_arn + bastion_role_name = module.bastion.bastion_role_name + aws_auth_eks_map_users = local.aws_auth_eks_map_users + + enable_managed_nodegroups = false + + 
#--------------------------------------------------------------- + # EKS Blueprints - Self Managed Node Groups + #--------------------------------------------------------------- + + self_managed_node_groups = { + self_mg1 = { + node_group_name = "self_mg1" + subnet_ids = module.vpc.private_subnets + create_launch_template = true + launch_template_os = "amazonlinux2eks" # amazonlinux2eks or bottlerocket or windows + custom_ami_id = "" # Bring your own custom AMI generated by Packer/ImageBuilder/Puppet etc. + + create_iam_role = false # Changing `create_iam_role=false` to bring your own IAM Role + iam_role_arn = module.eks.aws_iam_role_self_managed_ng_arn # custom IAM role for aws-auth mapping; used when create_iam_role = false + iam_instance_profile_name = module.eks.aws_iam_instance_profile_self_managed_ng_name # IAM instance profile name for Launch templates; used when create_iam_role = false + + format_mount_nvme_disk = true + public_ip = false + enable_monitoring = false + + placement = { + affinity = null + availability_zone = null + group_name = null + host_id = null + tenancy = var.eks_worker_tenancy + } + + enable_metadata_options = false + + pre_userdata = <<-EOT + yum install -y amazon-ssm-agent + systemctl enable amazon-ssm-agent && systemctl start amazon-ssm-agent + EOT + + # bootstrap_extra_args used only when you pass custom_ami_id. 
Allows you to change the Container Runtime for Nodes + # e.g., bootstrap_extra_args="--use-max-pods false --container-runtime containerd" + bootstrap_extra_args = "--use-max-pods false" + + block_device_mappings = [ + { + device_name = "/dev/xvda" # mount point to / + volume_type = "gp3" + volume_size = 50 + }, + { + device_name = "/dev/xvdf" # mount point to /local1 (it could be local2, depending upon the disks are attached during boot) + volume_type = "gp3" + volume_size = 80 + iops = 3000 + throughput = 125 + }, + { + device_name = "/dev/xvdg" # mount point to /local2 (it could be local1, depending upon the disks are attached during boot) + volume_type = "gp3" + volume_size = 100 + iops = 3000 + throughput = 125 + } + ] + + instance_type = "m5.xlarge" + desired_size = 3 + max_size = 10 + min_size = 3 + capacity_type = "" # Optional Use this only for SPOT capacity as capacity_type = "spot" + + k8s_labels = { + Environment = "preprod" + Zone = "test" + } + + additional_tags = { + ExtraTag = "m5x-on-demand" + Name = "m5x-on-demand" + subnet_type = "private" + } + } + } + + #--------------------------------------------------------------- + # EKS Blueprints - EKS Add-Ons + #--------------------------------------------------------------- + + # VPC CNI + enable_amazon_eks_vpc_cni = var.enable_amazon_eks_vpc_cni + amazon_eks_vpc_cni_config = var.amazon_eks_vpc_cni_config + + # EKS CoreDNS + enable_amazon_eks_coredns = var.enable_amazon_eks_coredns + amazon_eks_coredns_config = var.amazon_eks_coredns_config + + # EKS kube-proxy + enable_amazon_eks_kube_proxy = var.enable_amazon_eks_kube_proxy + amazon_eks_kube_proxy_config = var.amazon_eks_kube_proxy_config + + # EKS EBS CSI Driver + enable_amazon_eks_aws_ebs_csi_driver = var.enable_amazon_eks_aws_ebs_csi_driver + amazon_eks_aws_ebs_csi_driver_config = var.amazon_eks_aws_ebs_csi_driver_config + + # EKS Metrics Server + enable_metrics_server = var.enable_metrics_server + metrics_server_helm_config = 
var.metrics_server_helm_config
+
+ # EKS AWS node termination handler
+ enable_aws_node_termination_handler = var.enable_aws_node_termination_handler
+ aws_node_termination_handler_helm_config = var.aws_node_termination_handler_helm_config
+
+ # EKS Cluster Autoscaler
+ enable_cluster_autoscaler = var.enable_cluster_autoscaler
+ cluster_autoscaler_helm_config = var.cluster_autoscaler_helm_config
+}
diff --git a/examples/complete-self-managed-ng-intra-subnets/outputs.tf b/examples/complete-self-managed-ng-intra-subnets/outputs.tf
new file mode 100644
index 00000000..2146a3e6
--- /dev/null
+++ b/examples/complete-self-managed-ng-intra-subnets/outputs.tf
@@ -0,0 +1,40 @@
+output "loki_s3_bucket" {
+ description = "Loki S3 Bucket Name"
+ value = module.loki_s3_bucket.s3_bucket
+}
+
+output "keycloak_db_instance_endpoint" {
+ description = "The connection endpoint"
+ value = module.rds_postgres_keycloak[0].db_instance_endpoint
+}
+
+output "keycloak_db_instance_name" {
+ description = "The database name"
+ value = module.rds_postgres_keycloak[0].db_instance_name
+}
+
+output "keycloak_db_instance_username" {
+ description = "The master username for the database"
+ value = module.rds_postgres_keycloak[0].db_instance_username
+ sensitive = true
+}
+
+output "keycloak_db_instance_port" {
+ description = "The database port"
+ value = module.rds_postgres_keycloak[0].db_instance_port
+}
+
+output "bastion_instance_id" {
+ description = "The ID of the bastion host"
+ value = module.bastion.instance_id
+}
+
+output "bastion_private_key" {
+ description = "The private key for the bastion host"
+ value = module.bastion.private_key
+ sensitive = true
+}
+output "dynamodb_name" {
+ description = "Name of DynmoDB table"
+ value = module.loki_s3_bucket.dynamodb_name
+}
diff --git a/examples/complete-self-managed-ng-intra-subnets/providers.tf b/examples/complete-self-managed-ng-intra-subnets/providers.tf
new file mode 100644
index 00000000..4574ef19
--- /dev/null
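Review bot: `enable_metadata_options = false` on `self_mg1` disables the launch template's instance metadata options, which is where IMDSv2 (`http_tokens = "required"`) and the hop limit are enforced; with it off, any container on the node can read the node role's credentials from IMDS. I would set `enable_metadata_options = true` and confirm the eks module defaults the token mode to required rather than optional. Separately, every name in `var.aws_admin_usernames` is mapped to `system:masters` in `local.aws_auth_eks_map_users`, and `cluster_endpoint_public_access` is passed straight through with no allowed-CIDR list visible in this hunk, so a cluster deployed with the example tfvars (`cluster_endpoint_public_access = true`) is reachable from any address unless the wrapped module restricts it; either expose the module's allowed-CIDR setting here or document that the endpoint is open. The `locals` block also still has `username = "${admin_user}"`, which is just `admin_user`.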
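Review bot: The four `keycloak_db_*` outputs index `module.rds_postgres_keycloak[0]` unconditionally, but that module has `count = var.keycloak_enabled ? 1 : 0` and the variable defaults to `false`, so a plan with Keycloak disabled fails on an out-of-range index. Guard each value, e.g. `value = var.keycloak_enabled ? module.rds_postgres_keycloak[0].db_instance_endpoint : null` (or `try(module.rds_postgres_keycloak[0].db_instance_endpoint, null)`). Note also that `sensitive = true` on `bastion_private_key` and `keycloak_db_instance_username` only redacts CLI output; both values still land in plaintext in the state file, so the state backend needs encryption and restricted access. `"Name of DynmoDB table"` is a typo for DynamoDB.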
+++ b/examples/complete-self-managed-ng-intra-subnets/providers.tf
@@ -0,0 +1,50 @@
+
+data "aws_eks_cluster_auth" "this" {
+ name = module.eks.eks_cluster_id
+}
+
+data "aws_eks_cluster" "example" {
+ name = module.eks.eks_cluster_id
+}
+
+provider "aws" {
+ region = var.region
+}
+
+provider "aws" {
+ alias = "region2"
+ region = var.region2
+}
+
+provider "kubernetes" {
+ host = data.aws_eks_cluster.example.endpoint
+ cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data)
+ exec {
+ api_version = "client.authentication.k8s.io/v1"
+ args = ["eks", "get-token", "--cluster-name", var.cluster_name]
+ command = "aws"
+ }
+}
+
+provider "helm" {
+ kubernetes {
+ host = data.aws_eks_cluster.example.endpoint
+ cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data)
+ exec {
+ api_version = "client.authentication.k8s.io/v1"
+ args = ["eks", "get-token", "--cluster-name", var.cluster_name]
+ command = "aws"
+ }
+ }
+}
+
+provider "kubectl" {
+ apply_retry_count = 5
+ host = data.aws_eks_cluster.example.endpoint
+ cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data)
+ exec {
+ api_version = "client.authentication.k8s.io/v1"
+ args = ["eks", "get-token", "--cluster-name", var.cluster_name]
+ command = "aws"
+ }
+}
diff --git a/examples/complete-self-managed-ng-intra-subnets/terraform.tfvars.example b/examples/complete-self-managed-ng-intra-subnets/terraform.tfvars.example
new file mode 100644
index 00000000..6c4b49cb
--- /dev/null
+++ b/examples/complete-self-managed-ng-intra-subnets/terraform.tfvars.example
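Review bot: `data "aws_eks_cluster_auth" "this"` is declared but never referenced; all three Kubernetes-facing providers authenticate through the `exec` plugin instead, so the data source is dead code and should be removed. The `aws` providers also ignore the required `aws_profile` input: `provider "aws"` sets only `region = var.region`, and `aws_profile` has no default in variables.tf, so users must supply a value that nothing in this example's .tf files appears to use; either add `profile = var.aws_profile` to both provider blocks or drop the variable. The `exec` blocks call `aws eks get-token` without `--region`, so the token request uses the CLI's default region rather than `var.region`; adding `"--region", var.region` to `args` avoids a mismatch when the two differ.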
@@ -0,0 +1,54 @@ +# Rename this file to .tfvars and fill in the values +# Run terraform command to specify using the tfvars file `terraform plan -var-file tf-state-backend.tfvars` +# Variables can also be set via environment variables + +########################################################### +################## Global Settings ######################## + + region = "us-east-2" # target AWS region + region2 = "us-east-1" # RDS backup target AWS region + account = "100008675309" # target AWS account + aws_profile = "du-dev" # local AWS profile to be used for deployment + aws_admin_usernames = ["Bob.Marley","Jane.Doe"] # list of users to be added to the AWS admin group + +########################################################### +#################### VPC Config ########################### + + vpc_cidr = "10.200.0.0/16" + vpc_name = "my-vpc" + # vpc_instance_tenancy = "dedicated" #does not currently work with EKS + +########################################################### +################## Bastion Config ######################### + + bastion_name = "my-bastion" +# bastion_ami_id = "ami-04afd6ecf73c0a579" # AWS linux 2 CIS STIG // "ami-000d4884381edb14c" #AWS linux 2 #optional + bastion_ssh_user = "ec2-user" # local user in bastion used to ssh + bastion_ssh_password = "my-password" + bastion_tenancy = "dedicated" + zarf_version = "v0.24.0-rc4" + +########################################################### +#################### EKS Config ########################### + + cluster_name = "my-eks" + eks_k8s_version = "1.23" + eks_worker_tenancy = "dedicated" + cluster_endpoint_public_access = true + +########################################################### +############## Big Bang Dependencies ###################### + + keycloak_enabled = true + # other_addon_enabled = true + + +#################### Keycloak ########################### + + keycloak_db_password = "my-password" + kc_db_engine_version = "14.1" + kc_db_family = "postgres14" # DB parameter group + 
kc_db_major_engine_version = "14" # DB option group + kc_db_allocated_storage = 20 + kc_db_max_allocated_storage = 100 + kc_db_instance_class = "db.t4g.large" diff --git a/examples/complete-self-managed-ng-intra-subnets/variables.tf b/examples/complete-self-managed-ng-intra-subnets/variables.tf new file mode 100644 index 00000000..abdd9cdd --- /dev/null +++ b/examples/complete-self-managed-ng-intra-subnets/variables.tf 
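Review bot: The example ships literal secrets — `bastion_ssh_password = "my-password"` and `keycloak_db_password = "my-password"` — in a file whose header tells users to rename it to `.tfvars` and fill in values, which is exactly the file that ends up committed with real credentials. I would leave those two keys out of the example (or give them an obvious placeholder with a comment) and point users at `TF_VAR_bastion_ssh_password` / `TF_VAR_keycloak_db_password` environment variables, plus a `.gitignore` entry for `*.tfvars`. The header also says `terraform plan -var-file tf-state-backend.tfvars`, which does not match the `terraform.tfvars` name the rest of the comment implies. `cluster_endpoint_public_access = true` in the EKS section makes the control plane internet-reachable in the default example; `false` is the safer sample value given the bastion is already provisioned for access.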
@@ -0,0 +1,284 @@ +########################################################### +################## Global Settings ######################## + +variable "region" { + description = "The AWS region to deploy into" + type = string +} + +variable "region2" { + description = "The AWS region to deploy into" + type = string +} + +variable "account" { + description = "The AWS account to deploy into" + type = string +} + +variable "aws_profile" { + description = "The AWS profile to use for deployment" + type = string +} + +variable "aws_admin_usernames" { + description = "A list of one or more AWS usernames with authorized access to KMS and EKS resources" + type = list(string) +} +########################################################### +#################### VPC Config ########################### + +variable "vpc_cidr" { + description = "The CIDR block for the VPC" + type = string +} + +variable "vpc_name" { + description = "The name to use for the VPC" + type = string + default = "my-vpc" +} + +variable "create_database_subnet_group" { + description = "Whether to create a database subnet group" + type = bool + default = true +} + +variable "create_database_subnet_route_table" { + description = "Whether to create a database subnet route table" + type = bool + default = true +} + +variable "intra_subnets" { + description = "A list of intra subnets" + type = list(string) + default = [] +} + +########################################################### +#################### EKS Config ########################### + +variable "cluster_name" { + description = "The name to use for the EKS cluster" + type = string + default = "my-eks" +} + +variable "eks_k8s_version" { + description = "The Kubernetes version to use for the EKS cluster" + type = string + default = "1.23" +} + +variable "cluster_endpoint_public_access" { + description = "Whether to enable private access to the EKS cluster" + type = bool + default = false +} + 
+########################################################### +################## EKS Addons Config ###################### + +#----------------AWS EKS VPC CNI------------------------- +variable "enable_amazon_eks_vpc_cni" { + description = "Enable VPC CNI add-on" + type = bool + default = true +} + +variable "amazon_eks_vpc_cni_config" { + description = "ConfigMap of Amazon EKS VPC CNI add-on" + type = any + default = {} +} + +#----------------AWS CoreDNS------------------------- +variable "enable_amazon_eks_coredns" { + description = "Enable Amazon EKS CoreDNS add-on" + type = bool + default = true +} + +variable "amazon_eks_coredns_config" { + description = "Configuration for Amazon CoreDNS EKS add-on" + type = any + default = {} +} + +#----------------AWS Kube Proxy------------------------- +variable "enable_amazon_eks_kube_proxy" { + description = "Enable Kube Proxy add-on" + type = bool + default = true +} + +variable "amazon_eks_kube_proxy_config" { + description = "ConfigMap for Amazon EKS Kube-Proxy add-on" + type = any + default = {} +} + +#----------------AWS EBS CSI Driver------------------------- +variable "enable_amazon_eks_aws_ebs_csi_driver" { + description = "Enable EKS Managed AWS EBS CSI Driver add-on; enable_amazon_eks_aws_ebs_csi_driver and enable_self_managed_aws_ebs_csi_driver are mutually exclusive" + type = bool + default = true +} + +variable "amazon_eks_aws_ebs_csi_driver_config" { + description = "configMap for AWS EBS CSI Driver add-on" + type = any + default = {} +} + +#----------------Metrics Server------------------------- +variable "enable_metrics_server" { + description = "Enable metrics server add-on" + type = bool + default = true +} + +variable "metrics_server_helm_config" { + description = "Metrics Server Helm Chart config" + type = any + default = {} +} + +#----------------AWS Node Termination Handler------------------------- +variable "enable_aws_node_termination_handler" { + description = "Enable AWS Node Termination Handler 
add-on" + type = bool + default = true +} + +variable "aws_node_termination_handler_helm_config" { + description = "AWS Node Termination Handler Helm Chart config" + type = any + default = {} +} + +#----------------Cluster Autoscaler------------------------- +variable "enable_cluster_autoscaler" { + description = "Enable Cluster autoscaler add-on" + type = bool + default = true +} + +variable "cluster_autoscaler_helm_config" { + description = "Cluster Autoscaler Helm Chart config" + type = any + default = {} +} + + +########################################################### +################## Bastion Config ######################### + +variable "bastion_name" { + description = "The name to use for the bastion" + type = string + default = "my-bastion" +} + +variable "bastion_instance_type" { + description = "value for the instance type of the EKS worker nodes" + type = string + default = "m5.xlarge" +} + +variable "assign_public_ip" { + description = "Whether to assign a public IP to the bastion" + type = bool + default = false +} + +variable "bastion_ami_id" { + description = "(Optional) The AMI ID to use for the bastion, will query the latest Amazon Linux 2 AMI if not provided" + type = string + default = "" +} + +variable "bastion_ssh_user" { + description = "The SSH user to use for the bastion" + type = string + default = "ec2-user" +} + +variable "bastion_ssh_password" { + description = "The SSH password to use for the bastion if SSM authentication is used" + type = string + default = "my-password" +} + +########################################################### +############## Big Bang Dependencies ###################### + +variable "keycloak_enabled" { + description = "Whether to enable Keycloak" + type = bool + default = false +} + +#################### Keycloak ########################### + +variable "keycloak_db_password" { + description = "The password to use for the Keycloak database" + type = string + default = "my-password" +} + +variable 
"kc_db_engine_version" { + description = "The database engine to use for Keycloak" + type = string +} + +variable "kc_db_family" { + description = "The database family to use for Keycloak" + type = string +} + +variable "kc_db_major_engine_version" { + description = "The database major engine version to use for Keycloak" + type = string +} + +variable "kc_db_instance_class" { + description = "The database instance class to use for Keycloak" + type = string +} + +variable "kc_db_allocated_storage" { + description = "The database allocated storage to use for Keycloak" + type = number +} + +variable "kc_db_max_allocated_storage" { + description = "The database allocated storage to use for Keycloak" + type = number +} + +variable "vpc_instance_tenancy" { + description = "The tenancy of instances launched into the VPC" + type = string + default = "default" +} + +variable "bastion_tenancy" { + description = "The tenancy of the bastion" + type = string + default = "default" +} + +variable "eks_worker_tenancy" { + description = "The tenancy of the EKS worker nodes" + type = string + default = "default" +} + +variable "zarf_version" { + description = "The version of Zarf to use" + type = string + default = "" +} diff --git a/examples/complete-self-managed-ng-intra-subnets/versions.tf b/examples/complete-self-managed-ng-intra-subnets/versions.tf new file mode 100644 index 00000000..853b5309 --- /dev/null +++ b/examples/complete-self-managed-ng-intra-subnets/versions.tf 
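Review bot: `bastion_ssh_password` and `keycloak_db_password` are password inputs with `default = "my-password"` and no `sensitive = true`, so omitting them deploys a known credential and Terraform prints the value in plan output and state diffs. Remove the defaults (making both required) and mark both `sensitive = true`. Several descriptions are also wrong or copied: `cluster_endpoint_public_access` says "Whether to enable private access to the EKS cluster", `region2` repeats `region`'s text although the tfvars example shows it is the RDS backup region, `bastion_instance_type` says "EKS worker nodes", and `kc_db_max_allocated_storage` repeats `kc_db_allocated_storage`'s description; these flow into the generated README tables, so fixing them here fixes the docs too.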
@@ -0,0 +1,29 @@
+terraform {
+ required_version = ">= 1.0.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.9"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.10"
+ }
+ helm = {
+ source = "hashicorp/helm"
+ version = ">= 2.4.1"
+ }
+ kubectl = {
+ source = "gavinbunney/kubectl"
+ version = ">= 1.14"
+ }
+ }
+
+ # ## Used for end-to-end testing on project; update to suit your needs
+ # backend "s3" {
+ # bucket = "terraform-ssp-github-actions-state"
+ # region = "us-west-2"
+ # key = "e2e/eks-cluster-with-new-vpc/terraform.tfstate"
+ # }
+}
From 60f8e42dffc3f55c078973db0d49d8b178917a1d Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Fri, 3 Mar 2023 15:18:14 -0800 Subject: [PATCH 02/46] cleanup and add a bunch of logic.. --- examples/complete-managed-nodegroup/main.tf | 53 +++---- .../README.md | 23 ++- .../complete-self-managed-nodegroup/main.tf | 41 ++---- modules/eks/README.md | 28 +++- modules/eks/eks-addons.tf | 34 ++++- modules/eks/k8s-manifests.tf | 19 +++ modules/eks/locals.tf | 14 +- modules/eks/main.tf | 4 +- modules/eks/variables.tf | 139 ++++++++++++++---- modules/eks/versions.tf | 4 + 10 files changed, 260 insertions(+), 99 deletions(-) create mode 100644 modules/eks/k8s-manifests.tf
diff --git a/examples/complete-managed-nodegroup/main.tf b/examples/complete-managed-nodegroup/main.tf
index aaf6a8bf..caef8118 100644
--- a/examples/complete-managed-nodegroup/main.tf
+++ b/examples/complete-managed-nodegroup/main.tf
@@ -321,30 +321,31 @@ module "eks" { # EKS Blueprints - EKS Add-Ons #--------------------------------------------------------------- - enable_eks_vpc_cni = true - enable_eks_coredns = true - enable_eks_kube_proxy = true - enable_eks_ebs_csi_driver = true - enable_eks_metrics_server = true - - enable_eks_cluster_autoscaler = true - cluster_autoscaler_helm_config = { - set = [ - { - name = "extraArgs.expander" - value = "priority" - }, - { - name = "expanderPriorities" - value = <<-EOT - 100: - - .*-spot-2vcpu-8mem.* - 90: - - .*-spot-4vcpu-16mem.* - 10: - - .* - EOT - } - ] - } + # VPC CNI + enable_amazon_eks_vpc_cni = var.enable_amazon_eks_vpc_cni + amazon_eks_vpc_cni_config = var.amazon_eks_vpc_cni_config + + # EKS CoreDNS + enable_amazon_eks_coredns = var.enable_amazon_eks_coredns + amazon_eks_coredns_config = var.amazon_eks_coredns_config + + # EKS kube-proxy + enable_amazon_eks_kube_proxy = var.enable_amazon_eks_kube_proxy + amazon_eks_kube_proxy_config = var.amazon_eks_kube_proxy_config + + # EKS EBS CSI Driver + enable_amazon_eks_aws_ebs_csi_driver = var.enable_amazon_eks_aws_ebs_csi_driver + amazon_eks_aws_ebs_csi_driver_config = var.amazon_eks_aws_ebs_csi_driver_config + + # EKS Metrics Server + enable_metrics_server = var.enable_metrics_server + metrics_server_helm_config = var.metrics_server_helm_config + + # EKS AWS node termination handler + enable_aws_node_termination_handler = var.enable_aws_node_termination_handler + aws_node_termination_handler_helm_config = var.aws_node_termination_handler_helm_config + + # EKS Cluster Autoscaler + enable_cluster_autoscaler = var.enable_cluster_autoscaler + cluster_autoscaler_helm_config = var.cluster_autoscaler_helm_config } diff --git a/examples/complete-self-managed-ng-intra-subnets/README.md b/examples/complete-self-managed-ng-intra-subnets/README.md index 18c715ea..83a3fe11 100644 --- a/examples/complete-self-managed-ng-intra-subnets/README.md +++ b/examples/complete-self-managed-ng-intra-subnets/README.md 
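Review bot: The new side replaces the inline `cluster_autoscaler_helm_config` — which set `extraArgs.expander = priority` and an `expanderPriorities` block preferring the spot node groups — with `var.cluster_autoscaler_helm_config`, so unless this example's variables.tf (not in this diff) carries the same block as its default, the expander configuration is silently lost and the autoscaler falls back to its default expander. Either keep the previous block as the variable's default or call out the behaviour change in the commit message; the same drop happens in `examples/complete-self-managed-nodegroup/main.tf` later in this patch. The enclosing `module "eks"` block starts before the hunk.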
@@ -186,7 +186,13 @@ terraform destroy -auto-approve ## Requirements -No requirements. +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [aws](#requirement\_aws) | >= 4.9 | +| [helm](#requirement\_helm) | >= 2.4.1 | +| [kubectl](#requirement\_kubectl) | >= 1.14 | +| [kubernetes](#requirement\_kubernetes) | >= 2.10 | ## Providers 
@@ -219,8 +225,13 @@ No requirements. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [account](#input\_account) | The AWS account to deploy into | `string` | n/a | yes | +| [amazon\_eks\_aws\_ebs\_csi\_driver\_config](#input\_amazon\_eks\_aws\_ebs\_csi\_driver\_config) | configMap for AWS EBS CSI Driver add-on | `any` | `{}` | no | +| [amazon\_eks\_coredns\_config](#input\_amazon\_eks\_coredns\_config) | Configuration for Amazon CoreDNS EKS add-on | `any` | `{}` | no | +| [amazon\_eks\_kube\_proxy\_config](#input\_amazon\_eks\_kube\_proxy\_config) | ConfigMap for Amazon EKS Kube-Proxy add-on | `any` | `{}` | no | +| [amazon\_eks\_vpc\_cni\_config](#input\_amazon\_eks\_vpc\_cni\_config) | ConfigMap of Amazon EKS VPC CNI add-on | `any` | `{}` | no | | [assign\_public\_ip](#input\_assign\_public\_ip) | Whether to assign a public IP to the bastion | `bool` | `false` | no | | [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with authorized access to KMS and EKS resources | `list(string)` | n/a | yes | +| [aws\_node\_termination\_handler\_helm\_config](#input\_aws\_node\_termination\_handler\_helm\_config) | AWS Node Termination Handler Helm Chart config | `any` | `{}` | no | | [aws\_profile](#input\_aws\_profile) | The AWS profile to use for deployment | `string` | n/a | yes | | [bastion\_ami\_id](#input\_bastion\_ami\_id) | (Optional) The AMI ID to use for the bastion, will query the latest Amazon Linux 2 AMI if not provided | `string` | `""` | no | | [bastion\_instance\_type](#input\_bastion\_instance\_type) | value for the instance type of the EKS worker nodes | `string` | `"m5.xlarge"` | no | 
@@ -228,12 +239,21 @@ No requirements. | [bastion\_ssh\_password](#input\_bastion\_ssh\_password) | The SSH password to use for the bastion if SSM authentication is used | `string` | `"my-password"` | no | | [bastion\_ssh\_user](#input\_bastion\_ssh\_user) | The SSH user to use for the bastion | `string` | `"ec2-user"` | no | | [bastion\_tenancy](#input\_bastion\_tenancy) | The tenancy of the bastion | `string` | `"default"` | no | +| [cluster\_autoscaler\_helm\_config](#input\_cluster\_autoscaler\_helm\_config) | Cluster Autoscaler Helm Chart config | `any` | `{}` | no | | [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether to enable private access to the EKS cluster | `bool` | `false` | no | | [cluster\_name](#input\_cluster\_name) | The name to use for the EKS cluster | `string` | `"my-eks"` | no | | [create\_database\_subnet\_group](#input\_create\_database\_subnet\_group) | Whether to create a database subnet group | `bool` | `true` | no | | [create\_database\_subnet\_route\_table](#input\_create\_database\_subnet\_route\_table) | Whether to create a database subnet route table | `bool` | `true` | no | | [eks\_k8s\_version](#input\_eks\_k8s\_version) | The Kubernetes version to use for the EKS cluster | `string` | `"1.23"` | no | | [eks\_worker\_tenancy](#input\_eks\_worker\_tenancy) | The tenancy of the EKS worker nodes | `string` | `"default"` | no | +| [enable\_amazon\_eks\_aws\_ebs\_csi\_driver](#input\_enable\_amazon\_eks\_aws\_ebs\_csi\_driver) | Enable EKS Managed AWS EBS CSI Driver add-on; enable\_amazon\_eks\_aws\_ebs\_csi\_driver and enable\_self\_managed\_aws\_ebs\_csi\_driver are mutually exclusive | `bool` | `true` | no | +| [enable\_amazon\_eks\_coredns](#input\_enable\_amazon\_eks\_coredns) | Enable Amazon EKS CoreDNS add-on | `bool` | `true` | no | +| [enable\_amazon\_eks\_kube\_proxy](#input\_enable\_amazon\_eks\_kube\_proxy) | Enable Kube Proxy add-on | `bool` | `true` | no | +| 
[enable\_amazon\_eks\_vpc\_cni](#input\_enable\_amazon\_eks\_vpc\_cni) | Enable VPC CNI add-on | `bool` | `true` | no | +| [enable\_aws\_node\_termination\_handler](#input\_enable\_aws\_node\_termination\_handler) | Enable AWS Node Termination Handler add-on | `bool` | `true` | no | +| [enable\_cluster\_autoscaler](#input\_enable\_cluster\_autoscaler) | Enable Cluster autoscaler add-on | `bool` | `true` | no | +| [enable\_metrics\_server](#input\_enable\_metrics\_server) | Enable metrics server add-on | `bool` | `true` | no | +| [intra\_subnets](#input\_intra\_subnets) | A list of intra subnets | `list(string)` | `[]` | no | | [kc\_db\_allocated\_storage](#input\_kc\_db\_allocated\_storage) | The database allocated storage to use for Keycloak | `number` | n/a | yes | | [kc\_db\_engine\_version](#input\_kc\_db\_engine\_version) | The database engine to use for Keycloak | `string` | n/a | yes | | [kc\_db\_family](#input\_kc\_db\_family) | The database family to use for Keycloak | `string` | n/a | yes | @@ -242,6 +262,7 @@ No requirements. | [kc\_db\_max\_allocated\_storage](#input\_kc\_db\_max\_allocated\_storage) | The database allocated storage to use for Keycloak | `number` | n/a | yes | | [keycloak\_db\_password](#input\_keycloak\_db\_password) | The password to use for the Keycloak database | `string` | `"my-password"` | no | | [keycloak\_enabled](#input\_keycloak\_enabled) | Whether to enable Keycloak | `bool` | `false` | no | +| [metrics\_server\_helm\_config](#input\_metrics\_server\_helm\_config) | Metrics Server Helm Chart config | `any` | `{}` | no | | [region](#input\_region) | The AWS region to deploy into | `string` | n/a | yes | | [region2](#input\_region2) | The AWS region to deploy into | `string` | n/a | yes | | [vpc\_cidr](#input\_vpc\_cidr) | The CIDR block for the VPC | `string` | n/a | yes | diff --git a/examples/complete-self-managed-nodegroup/main.tf b/examples/complete-self-managed-nodegroup/main.tf index cd02e433..acb85325 100644 
--- a/examples/complete-self-managed-nodegroup/main.tf +++ b/examples/complete-self-managed-nodegroup/main.tf @@ -192,31 +192,18 @@ module "eks" { # EKS Blueprints - EKS Add-Ons #--------------------------------------------------------------- - enable_eks_vpc_cni = true - enable_eks_coredns = true - enable_eks_kube_proxy = true - enable_eks_ebs_csi_driver = true - enable_eks_metrics_server = true - enable_eks_node_termination_handler = true - - enable_eks_cluster_autoscaler = true - cluster_autoscaler_helm_config = { - set = [ - { - name = "extraArgs.expander" - value = "priority" - }, - { - name = "expanderPriorities" - value = <<-EOT - 100: - - .*-spot-2vcpu-8mem.* - 90: - - .*-spot-4vcpu-16mem.* - 10: - - .* - EOT - } - ] - } + #--------------------------------------------------------------- + # EKS Blueprints - EKS Add-Ons - VPC CNI + # https://github.com/aws-ia/terraform-aws-eks-blueprints/blob/main/modules/kubernetes-addons/aws-vpc-cni/README.md + #--------------------------------------------------------------- + enable_amazon_eks_vpc_cni = var.enable_amazon_eks_vpc_cni + amazon_eks_vpc_cni_config = var.amazon_eks_vpc_cni_config + + enable_amazon_eks_coredns = true + enable_amazon_eks_kube_proxy = true + enable_amazon_eks_aws_ebs_csi_driver = true + enable_metrics_server = true + enable_aws_node_termination_handler = true + + enable_cluster_autoscaler = true } diff --git a/modules/eks/README.md b/modules/eks/README.md index d15faeb8..f89c3000 100644 --- a/modules/eks/README.md +++ b/modules/eks/README.md @@ -13,6 +13,7 @@ To view examples for how you can leverage this EKS Module, please see the [examp | [terraform](#requirement\_terraform) | >= 1.0.0 | | [aws](#requirement\_aws) | >= 4.9 | | [helm](#requirement\_helm) | >= 2.4.1 | +| [kubectl](#requirement\_kubectl) | >= 1.14 | | [kubernetes](#requirement\_kubernetes) | >= 2.10 | ## Providers 
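Review bot: This block is half variable-driven and half hard-coded — only the VPC CNI pair reads `var.enable_amazon_eks_vpc_cni` / `var.amazon_eks_vpc_cni_config`, while CoreDNS, kube-proxy, EBS CSI, metrics server, the termination handler and the autoscaler are fixed `true` with no config inputs — whereas the managed-nodegroup example in the same patch routes every add-on through variables. Pick one style for both examples; if variables are the intent, `enable_amazon_eks_coredns = var.enable_amazon_eks_coredns` and the matching `*_config` lines as written in the managed example keep the two in step. The `module "eks"` block starts outside the hunk.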
@@ -20,6 +21,7 @@ To view examples for how you can leverage this EKS Module, please see the [examp | Name | Version | |------|---------| | [aws](#provider\_aws) | >= 4.9 | +| [kubectl](#provider\_kubectl) | >= 1.14 | ## Modules @@ -37,6 +39,7 @@ To view examples for how you can leverage this EKS Module, please see the [examp | [aws_iam_role.auth_eks_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role.managed_ng](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role.self_managed_ng](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [kubectl_manifest.eni_config](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource | | [aws_ami.amazonlinux2eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | | [aws_eks_cluster_auth.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | 
@@ -48,27 +51,36 @@ To view examples for how you can leverage this EKS Module, please see the [examp | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [amazon\_eks\_aws\_ebs\_csi\_driver\_config](#input\_amazon\_eks\_aws\_ebs\_csi\_driver\_config) | configMap for AWS EBS CSI Driver add-on | `any` | `{}` | no | +| [amazon\_eks\_coredns\_config](#input\_amazon\_eks\_coredns\_config) | Configuration for Amazon CoreDNS EKS add-on | `any` | `{}` | no | +| [amazon\_eks\_kube\_proxy\_config](#input\_amazon\_eks\_kube\_proxy\_config) | ConfigMap for Amazon EKS Kube-Proxy add-on | `any` | `{}` | no | +| [amazon\_eks\_vpc\_cni\_before\_compute](#input\_amazon\_eks\_vpc\_cni\_before\_compute) | HANDLED by EKS module, not blueprints: Deploy VPC CNI add-on before compute nodes | `bool` | `true` | no | +| [amazon\_eks\_vpc\_cni\_configuration\_values](#input\_amazon\_eks\_vpc\_cni\_configuration\_values) | HANDLED by EKS module, not blueprints: ConfigMap of Amazon EKS VPC CNI add-on | `any` |
{
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
}
| no | +| [amazon\_eks\_vpc\_cni\_most\_recent](#input\_amazon\_eks\_vpc\_cni\_most\_recent) | HANDLED by EKS module, not blueprints: Deploy most recent VPC CNI add-on | `bool` | `true` | no | +| [amazon\_eks\_vpc\_cni\_resolve\_conflict](#input\_amazon\_eks\_vpc\_cni\_resolve\_conflict) | HANDLED by EKS module, not blueprints: Conflict resolution strategy of VPC CNI add-on deployment via eks module | `string` | `"OVERWRITE"` | no | | [aws\_account](#input\_aws\_account) | n/a | `string` | `""` | no | | [aws\_auth\_eks\_map\_users](#input\_aws\_auth\_eks\_map\_users) | List of map of users to add to aws-auth configmap |
list(object({
userarn = string
username = string
groups = list(string)
}))
| `[]` | no | +| [aws\_node\_termination\_handler\_helm\_config](#input\_aws\_node\_termination\_handler\_helm\_config) | AWS Node Termination Handler Helm Chart config | `any` | `{}` | no | | [aws\_region](#input\_aws\_region) | n/a | `string` | `""` | no | | [bastion\_role\_arn](#input\_bastion\_role\_arn) | ARN of role authorized kubectl access | `string` | `""` | no | | [bastion\_role\_name](#input\_bastion\_role\_name) | Name of role authorized kubectl access | `string` | `""` | no | -| [cluster\_autoscaler\_helm\_config](#input\_cluster\_autoscaler\_helm\_config) | Helm configuration for Amazon EKS Cluster Autoscaler | `any` | `{}` | no | +| [cluster\_autoscaler\_helm\_config](#input\_cluster\_autoscaler\_helm\_config) | Cluster Autoscaler Helm Chart config | `any` |
{
"set": [
{
"name": "extraArgs.expander",
"value": "priority"
},
{
"name": "expanderPriorities",
"value": "100:\n - .*-spot-2vcpu-8mem.*\n90:\n - .*-spot-4vcpu-16mem.*\n10:\n - .*\n"
}
]
}
| no | | [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Enable private access to the cluster endpoint | `bool` | `true` | no | | [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Enable public access to the cluster endpoint | `bool` | `false` | no | | [cluster\_kms\_key\_additional\_admin\_arns](#input\_cluster\_kms\_key\_additional\_admin\_arns) | List of ARNs of additional users to add to KMS key policy | `list(string)` | `[]` | no | | [cluster\_name](#input\_cluster\_name) | Name of cluster - used by Terratest for e2e test automation | `string` | `""` | no | | [control\_plane\_subnet\_ids](#input\_control\_plane\_subnet\_ids) | Subnet IDs for control plane | `list(string)` | `[]` | no | | [eks\_k8s\_version](#input\_eks\_k8s\_version) | Kubernetes version to use for EKS cluster | `string` | `"1.23"` | no | -| [enable\_eks\_cluster\_autoscaler](#input\_enable\_eks\_cluster\_autoscaler) | Enable Amazon EKS Cluster Autoscaler | `bool` | `false` | no | -| [enable\_eks\_coredns](#input\_enable\_eks\_coredns) | Enable Amazon EKS CoreDNS | `bool` | `false` | no | -| [enable\_eks\_ebs\_csi\_driver](#input\_enable\_eks\_ebs\_csi\_driver) | Enable Amazon EKS EBS CSI Driver | `bool` | `false` | no | -| [enable\_eks\_kube\_proxy](#input\_enable\_eks\_kube\_proxy) | Enable Amazon EKS Kube Proxy | `bool` | `false` | no | -| [enable\_eks\_metrics\_server](#input\_enable\_eks\_metrics\_server) | Enable Amazon EKS Metrics Server | `bool` | `false` | no | -| [enable\_eks\_node\_termination\_handler](#input\_enable\_eks\_node\_termination\_handler) | Enable Amazon EKS Node Termination Handler | `bool` | `false` | no | -| [enable\_eks\_vpc\_cni](#input\_enable\_eks\_vpc\_cni) | Enable Amazon EKS VPC CNI | `bool` | `false` | no | +| [enable\_amazon\_eks\_aws\_ebs\_csi\_driver](#input\_enable\_amazon\_eks\_aws\_ebs\_csi\_driver) | Enable EKS Managed AWS EBS CSI Driver add-on; enable\_amazon\_eks\_aws\_ebs\_csi\_driver 
and enable\_self\_managed\_aws\_ebs\_csi\_driver are mutually exclusive | `bool` | `true` | no | +| [enable\_amazon\_eks\_coredns](#input\_enable\_amazon\_eks\_coredns) | Enable Amazon EKS CoreDNS add-on | `bool` | `true` | no | +| [enable\_amazon\_eks\_kube\_proxy](#input\_enable\_amazon\_eks\_kube\_proxy) | Enable Kube Proxy add-on | `bool` | `true` | no | +| [enable\_amazon\_eks\_vpc\_cni](#input\_enable\_amazon\_eks\_vpc\_cni) | HANDLED by EKS module, not blueprints: Enable VPC CNI add-on | `bool` | `true` | no | +| [enable\_aws\_node\_termination\_handler](#input\_enable\_aws\_node\_termination\_handler) | Enable AWS Node Termination Handler add-on | `bool` | `true` | no | +| [enable\_cluster\_autoscaler](#input\_enable\_cluster\_autoscaler) | Enable Cluster autoscaler add-on | `bool` | `true` | no | | [enable\_managed\_nodegroups](#input\_enable\_managed\_nodegroups) | Enable managed node groups. If false, self managed node groups will be used. | `bool` | n/a | yes | +| [enable\_metrics\_server](#input\_enable\_metrics\_server) | Enable metrics server add-on | `bool` | `true` | no | | [managed\_node\_groups](#input\_managed\_node\_groups) | Managed node groups configuration | `any` | `{}` | no | +| [metrics\_server\_helm\_config](#input\_metrics\_server\_helm\_config) | Metrics Server Helm Chart config | `any` | `{}` | no | | [name](#input\_name) | n/a | `string` | `""` | no | | [private\_subnet\_ids](#input\_private\_subnet\_ids) | Private subnet IDs | `list(string)` | `[]` | no | | [public\_subnet\_ids](#input\_public\_subnet\_ids) | Public subnet IDs | `list(string)` | `[]` | no | diff --git a/modules/eks/eks-addons.tf b/modules/eks/eks-addons.tf index ece59cfd..f5cb9109 100644 --- a/modules/eks/eks-addons.tf +++ b/modules/eks/eks-addons.tf 
@@ -14,15 +14,33 @@ module "eks_blueprints_kubernetes_addons" { auto_scaling_group_names = module.eks_blueprints.self_managed_node_group_autoscaling_groups # EKS Managed Add-ons - enable_amazon_eks_vpc_cni = var.enable_eks_vpc_cni - enable_amazon_eks_coredns = var.enable_eks_coredns - enable_amazon_eks_kube_proxy = var.enable_eks_kube_proxy - enable_amazon_eks_aws_ebs_csi_driver = var.enable_eks_ebs_csi_driver + # VPC CNI - This needs to be done outside of the blueprints module + # enable_amazon_eks_vpc_cni = var.enable_amazon_eks_vpc_cni + # amazon_eks_vpc_cni_config = var.amazon_eks_vpc_cni_config - #K8s Add-ons - enable_metrics_server = var.enable_eks_metrics_server - enable_aws_node_termination_handler = var.enable_eks_node_termination_handler + # EKS CoreDNS + enable_amazon_eks_coredns = var.enable_amazon_eks_coredns + amazon_eks_coredns_config = var.amazon_eks_coredns_config - enable_cluster_autoscaler = var.enable_eks_cluster_autoscaler + # EKS kube-proxy + enable_amazon_eks_kube_proxy = var.enable_amazon_eks_kube_proxy + amazon_eks_kube_proxy_config = var.amazon_eks_kube_proxy_config + + # EKS EBS CSI Driver + enable_amazon_eks_aws_ebs_csi_driver = var.enable_amazon_eks_aws_ebs_csi_driver + amazon_eks_aws_ebs_csi_driver_config = var.amazon_eks_aws_ebs_csi_driver_config + + + # K8s Add-ons + # EKS Metrics Server + enable_metrics_server = var.enable_metrics_server + metrics_server_helm_config = var.metrics_server_helm_config + + # EKS AWS node termination handler + enable_aws_node_termination_handler = var.enable_aws_node_termination_handler + aws_node_termination_handler_helm_config = var.aws_node_termination_handler_helm_config + + # EKS Cluster Autoscaler + enable_cluster_autoscaler = var.enable_cluster_autoscaler cluster_autoscaler_helm_config = var.cluster_autoscaler_helm_config } diff --git a/modules/eks/k8s-manifests.tf b/modules/eks/k8s-manifests.tf new file mode 100644 index 00000000..2d94e117 --- /dev/null +++ b/modules/eks/k8s-manifests.tf 
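Review bot: The commented-out `# amazon_eks_vpc_cni_config = var.amazon_eks_vpc_cni_config` names a variable this patch retires — the `modules/eks` README hunk above lists `amazon_eks_vpc_cni_configuration_values`, `_before_compute`, `_most_recent` and `_resolve_conflict` in its place — so the dead lines point the next reader at an input that no longer exists. Replace the two commented assignments with a comment that states where the add-on is configured now, along the lines of `# VPC CNI is installed by the EKS module (amazon_eks_vpc_cni_* variables) so custom networking is active before nodes join; the per-subnet ENIConfig objects are in k8s-manifests.tf`, with the before-nodes claim checked against the module's `amazon_eks_vpc_cni_before_compute` wiring, which is outside this hunk. The `module "eks_blueprints_kubernetes_addons"` block starts above the hunk.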
@@ -0,0 +1,19 @@ +################################################################################ +# VPC-CNI Custom Networking ENIConfig +################################################################################ + +resource "kubectl_manifest" "eni_config" { + for_each = toset(module.vpc.intra_subnets) + + yaml_body = < Date: Tue, 7 Mar 2023 09:30:58 -0800 Subject: [PATCH 03/46] Change variable name --- examples/zarf-complete-example/zarf.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/zarf-complete-example/zarf.yaml b/examples/zarf-complete-example/zarf.yaml index 9ee0ab36..c7d8d31f 100644 --- a/examples/zarf-complete-example/zarf.yaml +++ b/examples/zarf-complete-example/zarf.yaml @@ -25,7 +25,7 @@ variables: default: "my-vpc" - name: CLUSTER_NAME default: "my-eks" - - name: EKS_K8S_VERSION + - name: CLUSTER_VERSION default: "1.24" - name: BASTION_NAME default: "my-bastion" From 33074d48322b9cb3e0198f380c6dcc00b7f40f53 Mon Sep 17 00:00:00 2001 
From: Zack Annexstein Date: Tue, 7 Mar 2023 17:16:28 -0800 Subject: [PATCH 04/46] ALL WIP --- examples/complete-managed-nodegroup/README.md | 2 +- .../bigbang-dependencies.tf | 12 +- examples/complete-managed-nodegroup/main.tf | 36 ++-- .../complete-managed-nodegroup/providers.tf | 11 +- .../terraform.tfvars.example | 2 +- .../complete-managed-nodegroup/variables.tf | 2 +- .../.terraform.lock.hcl | 160 +++++++----------- .../README.md | 26 +-- .../bigbang-dependencies.tf | 16 +- .../main.tf | 65 ++++--- .../providers.tf | 70 ++++---- .../terraform.tfvars.example | 2 +- .../variables.tf | 68 ++++++-- .../complete-self-managed-nodegroup/README.md | 2 +- .../bigbang-dependencies.tf | 12 +- .../complete-self-managed-nodegroup/main.tf | 30 ++-- .../providers.tf | 10 +- .../terraform.tfvars.example | 2 +- .../variables.tf | 2 +- examples/tf-state-backend/.terraform.lock.hcl | 32 ++-- examples/tf-state-backend/main.tf | 9 +- .../tf-state-backend.tfvars.example | 1 + examples/tf-state-backend/variables.tf | 11 ++ modules/eks/README.md | 44 ++--- modules/eks/data.tf | 4 +- modules/eks/eks-addons.tf | 12 +- modules/eks/k8s-manifests.tf | 16 +- modules/eks/main.tf | 28 +-- modules/eks/outputs.tf | 66 ++++---- modules/eks/variables.tf | 40 +++-- 30 files changed, 438 insertions(+), 355 deletions(-) diff --git a/examples/complete-managed-nodegroup/README.md b/examples/complete-managed-nodegroup/README.md index bdd8160d..165a4309 100644 --- a/examples/complete-managed-nodegroup/README.md +++ b/examples/complete-managed-nodegroup/README.md 
@@ -230,9 +230,9 @@ No requirements. | [bastion\_tenancy](#input\_bastion\_tenancy) | The tenancy of the bastion | `string` | `"default"` | no | | [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether to enable private access to the EKS cluster | `bool` | `false` | no | | [cluster\_name](#input\_cluster\_name) | The name to use for the EKS cluster | `string` | `"my-eks"` | no | +| [cluster\_version](#input\_cluster\_version) | The Kubernetes version to use for the EKS cluster | `string` | `"1.23"` | no | | [create\_database\_subnet\_group](#input\_create\_database\_subnet\_group) | Whether to create a database subnet group | `bool` | `true` | no | | [create\_database\_subnet\_route\_table](#input\_create\_database\_subnet\_route\_table) | Whether to create a database subnet route table | `bool` | `true` | no | -| [eks\_k8s\_version](#input\_eks\_k8s\_version) | The Kubernetes version to use for the EKS cluster | `string` | `"1.23"` | no | | [eks\_worker\_tenancy](#input\_eks\_worker\_tenancy) | The tenancy of the EKS worker nodes | `string` | `"default"` | no | | [kc\_db\_allocated\_storage](#input\_kc\_db\_allocated\_storage) | The database allocated storage to use for Keycloak | `number` | n/a | yes | | [kc\_db\_engine\_version](#input\_kc\_db\_engine\_version) | The database engine to use for Keycloak | `string` | n/a | yes | diff --git a/examples/complete-managed-nodegroup/bigbang-dependencies.tf b/examples/complete-managed-nodegroup/bigbang-dependencies.tf index cf066d28..ff68b64a 100644 --- a/examples/complete-managed-nodegroup/bigbang-dependencies.tf +++ b/examples/complete-managed-nodegroup/bigbang-dependencies.tf 
@@ -11,13 +11,13 @@ module "flux_sops" { source = "../../modules/sops" region = var.region - cluster_name = module.eks.eks_cluster_id + cluster_name = module.eks.cluster_name vpc_id = module.vpc.vpc_id - policy_name_prefix = "${module.eks.eks_cluster_id}-flux-sops" - kms_key_alias = "${module.eks.eks_cluster_id}-flux-sops" + policy_name_prefix = "${module.eks.cluster_name}-flux-sops" + kms_key_alias = "${module.eks.cluster_name}-flux-sops" kubernetes_service_account = "flux-system-sops-sa" kubernetes_namespace = "flux-system" - irsa_sops_iam_role_name = "${module.eks.eks_cluster_id}-flux-system-sa-role" + irsa_sops_iam_role_name = "${module.eks.cluster_name}-flux-system-sa-role" eks_oidc_provider_arn = module.eks.eks_oidc_provider_arn tags = local.tags role_name = module.bastion.bastion_role_name @@ -31,13 +31,13 @@ module "loki_s3_bucket" { source = "../../modules/s3-irsa" region = var.region - cluster_name = module.eks.eks_cluster_id + cluster_name = module.eks.cluster_name policy_name_prefix = "loki-s3-policy" bucket_prefix = "loki-s3" kms_key_alias = "loki-s3" kubernetes_service_account = "logging-loki-s3-sa" kubernetes_namespace = "logging" - irsa_iam_role_name = "${module.eks.eks_cluster_id}-logging-loki-sa-role" + irsa_iam_role_name = "${module.eks.cluster_name}-logging-loki-sa-role" eks_oidc_provider_arn = module.eks.eks_oidc_provider_arn tags = local.tags dynamodb_enabled = true diff --git a/examples/complete-managed-nodegroup/main.tf b/examples/complete-managed-nodegroup/main.tf index caef8118..562c3e22 100644 --- a/examples/complete-managed-nodegroup/main.tf +++ b/examples/complete-managed-nodegroup/main.tf @@ -5,7 +5,7 @@ data "aws_ami" "amazonlinux2eks" { filter { name = "name" - values = ["amazon-eks-node-${var.eks_k8s_version}-*"] + values = ["amazon-eks-node-${var.cluster_version}-*"] } owners = ["amazon"] 
@@ -17,7 +17,7 @@ locals { GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints" } admin_arns = [for admin_user in var.aws_admin_usernames : "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${admin_user}"] - aws_auth_eks_map_users = [for admin_user in var.aws_admin_usernames : { + aws_auth_users = [for admin_user in var.aws_admin_usernames : { userarn = "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${admin_user}" username = "${admin_user}" groups = ["system:masters"] 
@@ -91,27 +91,27 @@ module "eks" { # source = "git::https://github.com/defenseunicorns/iac.git//modules/eks?ref=v" source = "../../modules/eks" - name = var.cluster_name - aws_region = var.region - aws_account = var.account - vpc_id = module.vpc.vpc_id - private_subnet_ids = module.vpc.private_subnets - control_plane_subnet_ids = module.vpc.private_subnets - source_security_group_id = module.bastion.security_group_ids[0] - cluster_endpoint_public_access = var.cluster_endpoint_public_access - cluster_endpoint_private_access = true - cluster_kms_key_additional_admin_arns = local.admin_arns - eks_k8s_version = var.eks_k8s_version - bastion_role_arn = module.bastion.bastion_role_arn - bastion_role_name = module.bastion.bastion_role_name - aws_auth_eks_map_users = local.aws_auth_eks_map_users - enable_managed_nodegroups = true + name = var.cluster_name + aws_region = var.region + aws_account = var.account + vpc_id = module.vpc.vpc_id + private_subnet_ids = module.vpc.private_subnets + control_plane_subnet_ids = module.vpc.private_subnets + source_security_group_id = module.bastion.security_group_ids[0] + cluster_endpoint_public_access = var.cluster_endpoint_public_access + cluster_endpoint_private_access = true + kms_key_administrators = local.admin_arns + cluster_version = var.cluster_version + bastion_role_arn = module.bastion.bastion_role_arn + bastion_role_name = module.bastion.bastion_role_name + aws_auth_users = local.aws_auth_users + enable_managed_nodegroups = true #--------------------------------------------------------------- # EKS Blueprints - Managed Node Groups #--------------------------------------------------------------- - managed_node_groups = { + eks_managed_node_groups = { # Managed Node groups with minimum config mg5 = { node_group_name = "mg5" diff --git a/examples/complete-managed-nodegroup/providers.tf b/examples/complete-managed-nodegroup/providers.tf index 89fb9ef4..ca7db0b0 100644 --- a/examples/complete-managed-nodegroup/providers.tf 
+++ b/examples/complete-managed-nodegroup/providers.tf @@ -1,21 +1,28 @@ data "aws_eks_cluster_auth" "this" { - name = module.eks.eks_cluster_id + name = module.eks.cluster_name } data "aws_eks_cluster" "example" { - name = module.eks.eks_cluster_id + name = module.eks.cluster_name } provider "aws" { region = var.region + default_tags { + tags = var.default_tags + } } provider "aws" { alias = "region2" region = var.region2 + default_tags { + tags = var.default_tags + } } + provider "kubernetes" { host = data.aws_eks_cluster.example.endpoint cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data) diff --git a/examples/complete-managed-nodegroup/terraform.tfvars.example b/examples/complete-managed-nodegroup/terraform.tfvars.example index aae29a10..d2695c89 100644 --- a/examples/complete-managed-nodegroup/terraform.tfvars.example +++ b/examples/complete-managed-nodegroup/terraform.tfvars.example @@ -33,7 +33,7 @@ #################### EKS Config ########################### cluster_name = "my-eks" - eks_k8s_version = "1.23" + cluster_version = "1.23" eks_worker_tenancy = "dedicated" cluster_endpoint_public_access = true diff --git a/examples/complete-managed-nodegroup/variables.tf b/examples/complete-managed-nodegroup/variables.tf index e0e29cb9..1902eaca 100644 --- a/examples/complete-managed-nodegroup/variables.tf +++ b/examples/complete-managed-nodegroup/variables.tf @@ -61,7 +61,7 @@ variable "cluster_name" { default = "my-eks" } -variable "eks_k8s_version" { +variable "cluster_version" { description = "The Kubernetes version to use for the EKS cluster" type = string default = "1.23" diff --git a/examples/complete-self-managed-ng-intra-subnets/.terraform.lock.hcl b/examples/complete-self-managed-ng-intra-subnets/.terraform.lock.hcl index 99c00212..339ec1be 100644 --- a/examples/complete-self-managed-ng-intra-subnets/.terraform.lock.hcl +++ b/examples/complete-self-managed-ng-intra-subnets/.terraform.lock.hcl 
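Review bot: Both `aws` provider blocks now read `var.default_tags`, but nothing in this patch declares it for this example — the `variables.tf` hunk below only renames `eks_k8s_version` to `cluster_version`, and the README input-table hunk earlier shows no `default_tags` row — so unless the variable already exists, `terraform validate` will stop on a reference to an undeclared input variable. Add a `variable "default_tags"` block to the example's variables.tf with `type = map(string)` and `default = {}`, and document it in the README table. Because `default_tags` are merged into every taggable resource the provider creates, also confirm that keys overlapping `local.tags` (the `GithubRepo` tag visible in the main.tf locals hunk) do not produce a duplicate-tag plan diff with the provider version pinned here.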
@@ -20,109 +20,85 @@ provider "registry.terraform.io/gavinbunney/kubectl" { } provider "registry.terraform.io/hashicorp/aws" { - version = "4.53.0" - constraints = ">= 3.28.0, >= 3.29.0, >= 3.72.0, >= 3.73.0, >= 4.9.0, >= 4.10.0, >= 4.13.0, >= 4.45.0" + version = "4.57.1" + constraints = ">= 3.28.0, >= 3.29.0, >= 3.72.0, >= 3.73.0, >= 4.9.0, >= 4.10.0, >= 4.13.0, >= 4.45.0, >= 4.47.0" hashes = [ - "h1:P6ZZ716SRIimw0t/SAgYbOMZtO0HDvwVQKxyHEW6aaE=", - "h1:SamdqgizhmtJ7ejTM/G8RoxMoKC1ovLnd1jBzCFkI7c=", - "zh:0d44171544a916adf0fa96b7d0851a49d8dec98f71f0229dfd2d178958b3996b", - "zh:16945808ce26b86af7f5a77c4ab1154da786208c793abb95b8f918b4f48daded", - "zh:1a57a5a30cef9a5867579d894b74f60bb99afc7ca0d030d49a80ad776958b428", - "zh:2c718734ae17430d7f598ca0b4e4f86d43d66569c72076a10f4ace3ff8dfc605", - "zh:46fdf6301cb2fa0a4d122d1a8f75f047b6660c24851d6a4537ee38926a86485d", - "zh:53a53920b38a9e1648e85c6ee33bccf95bfcd067bffc4934a2af55621e6a6bd9", - "zh:548d927b234b1914c43169224b03f641d0961a4e312e5c6508657fce27b66db4", - "zh:57c847b2a5ae41ddea20b18ef006369d36bfdc4dec7f542f60e22a47f7b6f347", - "zh:79f7402b581621ba69f5a07ce70299735c678beb265d114d58955d04f0d39f87", - "zh:8970109a692dc4ecbda98a0969da472da4759db90ce22f2a196356ea85bb2cf7", + "h1:Qfq7Q9aCQqdl7w439mCMm89126n8DsDAmg6H8gXhnLI=", + "zh:44200c213ddb138df80d2a5ad86c2ebadbb5fd1d08cd7e4fc56ec6dca927659b", + "zh:469e6fe6a9e99e60cb168d32f05e2e9a83cf161f39160d075ff96f7674c510e1", + "zh:6110ba2c15a2268652ec9ea3797dd0216de84ece428055c49eaf9caa2be1ed62", + "zh:62ed7348acca44f64fc087e879e01cfa4e084c7600cc91e8bb7683f8065a9c79", + "zh:7a80e6fa9b35be178bb566093f7984dd6ffb7ad9d40b9dd5d5907f054f0c3e60", + "zh:8793043c8575a598c1a7cbefcb65ee1776b0061eba719098e552a3adc88f3090", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a500cc4ffcad854dec0cf6f97751930a53c9f278f143a4355fa8892aa77c77bf", - "zh:b687c20b42a8b9e9e9f56c42e3b3c6859c043ec72b8907a6e4d4b64068e11df5", - 
"zh:e2c592e96822b78287554be43c66398f658c74c4ae3796f6b9e6d4b0f1f7f626", - "zh:ff1c4a46fdc988716c6fc28925549600093fc098828237cb1a30264e15cf730f", + "zh:a777a0082114e273b7b3eb14095a3f6f6e703c1aff61ffb1f0846bb869e6dfc7", + "zh:b060c3b2973097f2087a98ac6aad7c9c89fe80f7cf3027019049feafc3f8305b", + "zh:e7035e74563f4486848ea1feb60852175353790bc374e0e97e241a88dc0908f7", + "zh:eaaa8e9eba09ada41e13116d53d4baece04fead8fcf3eab68cca3a67ed738e18", + "zh:ec52d8f95a84fad8fe1aae169c89d0c54d5401f75caae0869ad8182c6b6db65b", + "zh:f0e33174025b1b57ecfbdd09f2a59c2559ee94d7681e5ae09079e2822ec54ecf", + "zh:f69790a21380e5aab9303a252564737333e1e95b5d25567681630e49b17e3ec7", + "zh:ff6053942c40a99904bd407f3c082c1fa8f927ecce0374566eb7e8ee8145e582", ] } provider "registry.terraform.io/hashicorp/cloudinit" { - version = "2.2.0" + version = "2.3.2" constraints = ">= 2.0.0" hashes = [ - "h1:Id6dDkpuSSLbGPTdbw49bVS/7XXHu/+d7CJoGDqtk5g=", - "h1:siiI0wK6/jUDdA5P8ifTO0yc9YmXHml4hz5K9I9N+MA=", - "zh:76825122171f9ea2287fd27e23e80a7eb482f6491a4f41a096d77b666896ee96", - "zh:795a36dee548e30ca9c9d474af9ad6d29290e0a9816154ad38d55381cd0ab12d", - "zh:9200f02cb917fb99e44b40a68936fd60d338e4d30a718b7e2e48024a795a61b9", - "zh:a33cf255dc670c20678063aa84218e2c1b7a67d557f480d8ec0f68bc428ed472", - "zh:ba3c1b2cd0879286c1f531862c027ec04783ece81de67c9a3b97076f1ce7f58f", - "zh:bd575456394428a1a02191d2e46af0c00e41fd4f28cfe117d57b6aeb5154a0fb", - "zh:c68dd1db83d8437c36c92dc3fc11d71ced9def3483dd28c45f8640cfcd59de9a", - "zh:cbfe34a90852ed03cc074601527bb580a648127255c08589bc3ef4bf4f2e7e0c", - "zh:d6ffd7398c6d1f359b96f5b757e77b99b339fbb91df1b96ac974fe71bc87695c", - "zh:d9c15285f847d7a52df59e044184fb3ba1b7679fd0386291ed183782683d9517", - "zh:f7dd02f6d36844da23c9a27bb084503812c29c1aec4aba97237fec16860fdc8c", + "h1:ocyv0lvfyvzW4krenxV5CL4Jq5DiA3EUfoy8DR6zFMw=", + "zh:2487e498736ed90f53de8f66fe2b8c05665b9f8ff1506f751c5ee227c7f457d1", + "zh:3d8627d142942336cf65eea6eb6403692f47e9072ff3fa11c3f774a3b93130b3", + 
"zh:434b643054aeafb5df28d5529b72acc20c6f5ded24decad73b98657af2b53f4f", + "zh:436aa6c2b07d82aa6a9dd746a3e3a627f72787c27c80552ceda6dc52d01f4b6f", + "zh:458274c5aabe65ef4dbd61d43ce759287788e35a2da004e796373f88edcaa422", + "zh:54bc70fa6fb7da33292ae4d9ceef5398d637c7373e729ed4fce59bd7b8d67372", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:893ba267e18749c1a956b69be569f0d7bc043a49c3a0eb4d0d09a8e8b2ca3136", + "zh:95493b7517bce116f75cdd4c63b7c82a9d0d48ec2ef2f5eb836d262ef96d0aa7", + "zh:9ae21ab393be52e3e84e5cce0ef20e690d21f6c10ade7d9d9d22b39851bfeddc", + "zh:cc3b01ac2472e6d59358d54d5e4945032efbc8008739a6d4946ca1b621a16040", + "zh:f23bfe9758f06a1ec10ea3a81c9deedf3a7b42963568997d84a5153f35c5839a", ] } provider "registry.terraform.io/hashicorp/helm" { - version = "2.8.0" + version = "2.9.0" constraints = ">= 2.4.1, >= 2.5.1" hashes = [ - "h1:U0w0mUT0SwZCR0poGNSxGaZJKWcOiu4GerpGztYBiMM=", - "h1:a98mBNghv9odh5PVmgdXapgyYJmO/ncAWkwLWdXLuY4=", - "zh:1e42d1a04c07d4006844e477ca32b5f45b04f6525dbbbe00b6be6e6ec5a11c54", - "zh:2f87187cb48ccfb18d12e2c4332e7e822923b659e7339b954b7db78aff91529f", - "zh:391fe49b4d2dc07bc717248a3fc6952189cfc49c596c514ad72a29c9a9f9d575", - "zh:89272048e1e63f3edc3e83dfddd5a9fd4bd2a4ead104e67de1e14319294dedf1", - "zh:a5a057c3435a854389ce8a1d98a54aaa7cbab68aca7baa436a605897aa70ff7e", - "zh:b1098e53e1a8a3afcd325ecd0328662156b3d9c3d80948f19ba3a4eb870cee2b", - "zh:b676f949e8274a2b6c3fa41f5428ea597125579c7b93bb50bb73a5e295a7a447", - "zh:cdf7e9460f28c2dbfe49a79a5022bd0d474ff18120d340738aa35456ba77ebca", - "zh:e24b59b4ed1c593facbf8051ec58550917991e2e017f3085dac5fb902d9908cb", - "zh:e3b5e1f5543cac9d9031a028f1c1be4858fb80fae69f181f21e9465e366ebfa2", - "zh:e9fddc0bcdb28503078456f0088851d45451600d229975fd9990ee92c7489a10", + "h1:fEDID5J/9ret/sLpOSNAu98F/ZBEZhOmL0Leut7m5JU=", + "zh:1471cb45908b426104687c962007b2980cfde294fa3530fabc4798ce9fb6c20c", + "zh:1572e9cec20591ec08ece797b3630802be816a5adde36ca91a93359f2430b130", + 
"zh:1b10ae03cf5ab1ae21ffaac2251de99797294ae4242b156b3b0beebbdbcb7e0f", + "zh:3bd043b68de967d8d0b549d3f71485193d81167d5656f5507d743dedfe60e352", + "zh:538911921c729185900176cc22eb8edcb822bc8d22b9ebb48103a1d9bb53cc38", + "zh:69a6a2d40c0463662c3fb1621e37a3ee65024ea4479adf4d5f7f19fb0dea48c2", + "zh:94b58daa0c351a49d01f6d8f1caae46c95c2d6c3f29753e2b9ea3e3c0e7c9ab4", + "zh:9d0543331a4a32241e1ab5457f30b41df745acb235a0391205c725a5311e4809", + "zh:a6789306524ca121512a95e873e3949b4175114a6c5db32bed2df2551a79368f", + "zh:d146b94cd9502cca7f2044797a328d71c7ec2a98e2d138270d8a28c872f04289", + "zh:d14ccd14511f0446eacf43a9243f22de7c1427ceb059cf67d7bf9803be2cb15d", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } provider "registry.terraform.io/hashicorp/kubernetes" { - version = "2.17.0" + version = "2.18.1" constraints = ">= 2.6.1, >= 2.10.0" hashes = [ - "h1:Dq/EHg8mKP9wDDTJx5CzZ+w44wutIZJGfQLrAIznAqY=", - "h1:p2sgF62c2svJSKuImL3/zq/SSPOZFyd4Vj7K0UF2VrQ=", - "zh:1cbafea8c404195d8ad2490d75dbeebef131563d3e38dec87231ceb3923a3012", - "zh:26d9584423ee77e607999b082de7d9dc3e937934aa83341e0832e7253caf4f51", - "zh:333527fc15fb43bbf1898a2f058598c596468a01d88c415627bb617878dc4d4d", - "zh:391b8c80e3115af485977d6e949d7260b7fc0b641089b884256bfd36a7077db2", - "zh:4d18ba55247486181759d60195777945bcd68e17ccd980820ca18e8a8b94aeb5", - "zh:607ae94d85d1c1ed3845bd71095daadea4b2468e16f57fa05c98eab0de6b14ae", - "zh:95c6cf22f8ef14e7a4f85e33cff5d6f11056c7880041b71d425d1b5ebbe246e7", - "zh:b077edcedb46a313b461ac1e49317872063b3871f2acbe1a50498612cefff387", - "zh:c6a7891683e44148b0c928fd4748b7abac727266ab551d679015f5fe8b72d1e6", - "zh:e5cebfdf873770c37a4304362003d3fea8d6c2fd819663ad121bc65bb81e4738", + "h1:y4VED+vsulAqE7YbQC7x1XXrzvi/dEIjupttSyzSA/M=", + "zh:09d69d244f5e688d9b1582112aa5d151c5336278e43d39c88ae920c26536b753", + "zh:0df4c988056f7d84d9161c6c955ad7346364c261d100ef510a6cc7fa4a235197", + "zh:2d3d0cb2931b6153a7971ce8c6fae92722b1116e16f42abbaef115dba895c8d8", + 
"zh:47830e8fc1760860bfa4aaf418627ff3c6ffcac6cebbbc490e5e0e6b31287d80", + "zh:49467177b514bada0fb3b6982897a347498af8ef9ef8d9fd611fe21dfded2e25", + "zh:5c7eae2c51ba175822730a63ad59cf41604c76c46c5c97332506ab42023525ce", + "zh:6efae755f02df8ab65ce7a831f33bd4817359db205652fd4bc4b969302072b15", + "zh:7e6e97b79fecd25aaf0f4fb91da945a65c36fe2ba2a4313288a60ede55506aad", + "zh:b75f2c9dd24b355ffe73e7b2fcd3145fc32735068f0ec2eba2df63f792dd16e8", + "zh:dbef9698d842eb49a846db6d7694f159ae5154ffbb7a753a9d4cab88c462a6d4", + "zh:f1b1fd580d92eedd9c8224d463997ccff1a62851fea65106aac299efe9ab622a", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:feb19269e7c0de473ad412b37818b48da0cc91e5c93dd4c77a72676ca97a16b1", - ] -} - -provider "registry.terraform.io/hashicorp/local" { - version = "2.3.0" - constraints = ">= 2.1.0" - hashes = [ - "h1:7y8CXQKtfyvrMCSWgCkCclNN9L161u6jO1dEGVaB5RQ=", - "h1:U+DbBqKnXSIqC2z7qIko2dy8w6wwuZd89orPvfeqHk0=", - "zh:1f1920b3f78c31c6b69cdfe1e016a959667c0e2d01934e1a084b94d5a02cd9d2", - "zh:550a3cdae0ddb350942624e7b2e8b31d28bc15c20511553432413b1f38f4b214", - "zh:68d1d9ccbfce2ce56b28a23b22833a5369d4c719d6d75d50e101a8a8dbe33b9b", - "zh:6ae3ad6d865a906920c313ec2f413d080efe32c230aca711fd106b4cb9022ced", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:a0f413d50f54124057ae3dcd9353a797b84e91dc34bcf85c34a06f8aef1f9b12", - "zh:a2ac6d4088ceddcd73d88505e18b8226a6e008bff967b9e2d04254ef71b4ac6b", - "zh:a851010672e5218bdd4c4ea1822706c9025ef813a03da716d647dd6f8e2cffb0", - "zh:aa797561755041ef2fad99ee9ffc12b5e724e246bb019b21d7409afc2ece3232", - "zh:c6afa960a20d776f54bb1fc260cd13ead17280ebd87f05b9abcaa841ed29d289", - "zh:df0975e86b30bb89717b8c8d6d4690b21db66de06e79e6d6cfda769f3304afe6", - "zh:f0d3cc3da72135efdbe8f4cfbfb0f2f7174827887990a5545e6db1981f0d3a7c", ] } 
@@ -209,25 +185,3 @@ provider "registry.terraform.io/hashicorp/tls" { "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } - -provider "registry.terraform.io/terraform-aws-modules/http" { - version = "2.4.1" - constraints = "2.4.1" - hashes = [ - "h1:FINkX7/X/cr5NEssB7dMqVWa6YtJtmwzvkfryuR39/k=", - "h1:fHqAXle/P/fT2k+HEyTqYVE+/RvpQAaBr6xXZgM66es=", - "zh:0111f54de2a9815ded291f23136d41f3d2731c58ea663a2e8f0fef02d377d697", - "zh:0740152d76f0ccf54f4d0e8e0753739a5233b022acd60b5d2353d248c4c17204", - "zh:569518f46809ec9cdc082b4dfd4e828236eee2b50f87b301d624cfd83b8f5b0d", - "zh:7669f7691de91eec9f381e9a4be81aa4560f050348a86c6ea7804925752a01bb", - "zh:81cd53e796ec806aca2d8e92a2aed9135661e170eeff6cf0418e54f98816cd05", - "zh:82f01abd905090f978b169ac85d7a5952322a5f0f460269dd981b3596652d304", - "zh:9a235610066e0f7e567e69c23a53327271a6fc568b06bf152d8fe6594749ed2b", - "zh:aeabdd8e633d143feb67c52248c85358951321e35b43943aeab577c005abd30a", - "zh:c20d22dba5c79731918e7192bc3d0b364d47e98a74f47d287e6cc66236bc0ed0", - "zh:c4fea2cb18c31ed7723deec5ebaff85d6795bb6b6ed3b954794af064d17a7f9f", - "zh:e21e88b6e7e55b9f29b046730d9928c65a4f181fd5f60a42f1cd41b46a0a938d", - "zh:eddb888a74dea348a0acdfee13a08875bacddde384bd9c28342a534269665568", - "zh:f46d5f1403b8d8dfafab9bdd7129d3080bb62a91ea726f477fd43560887b8c4a", - ] -} diff --git a/examples/complete-self-managed-ng-intra-subnets/README.md b/examples/complete-self-managed-ng-intra-subnets/README.md index 83a3fe11..d29fdcf7 100644 --- a/examples/complete-self-managed-ng-intra-subnets/README.md +++ b/examples/complete-self-managed-ng-intra-subnets/README.md @@ -198,7 +198,7 @@ terraform destroy -auto-approve | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.53.0 | +| [aws](#provider\_aws) | 4.57.1 | ## Modules 
@@ -228,7 +228,10 @@ terraform destroy -auto-approve | [amazon\_eks\_aws\_ebs\_csi\_driver\_config](#input\_amazon\_eks\_aws\_ebs\_csi\_driver\_config) | configMap for AWS EBS CSI Driver add-on | `any` | `{}` | no | | [amazon\_eks\_coredns\_config](#input\_amazon\_eks\_coredns\_config) | Configuration for Amazon CoreDNS EKS add-on | `any` | `{}` | no | | [amazon\_eks\_kube\_proxy\_config](#input\_amazon\_eks\_kube\_proxy\_config) | ConfigMap for Amazon EKS Kube-Proxy add-on | `any` | `{}` | no | -| [amazon\_eks\_vpc\_cni\_config](#input\_amazon\_eks\_vpc\_cni\_config) | ConfigMap of Amazon EKS VPC CNI add-on | `any` | `{}` | no | +| [amazon\_eks\_vpc\_cni\_before\_compute](#input\_amazon\_eks\_vpc\_cni\_before\_compute) | HANDLED by EKS module, not blueprints: Deploy VPC CNI add-on before compute nodes | `bool` | `true` | no | +| [amazon\_eks\_vpc\_cni\_configuration\_values](#input\_amazon\_eks\_vpc\_cni\_configuration\_values) | HANDLED by EKS module, not blueprints: ConfigMap of Amazon EKS VPC CNI add-on | `any` |
{
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
}
| no | +| [amazon\_eks\_vpc\_cni\_most\_recent](#input\_amazon\_eks\_vpc\_cni\_most\_recent) | HANDLED by EKS module, not blueprints: Deploy most recent VPC CNI add-on | `bool` | `true` | no | +| [amazon\_eks\_vpc\_cni\_resolve\_conflict](#input\_amazon\_eks\_vpc\_cni\_resolve\_conflict) | HANDLED by EKS module, not blueprints: Conflict resolution strategy of VPC CNI add-on deployment via eks module | `string` | `"OVERWRITE"` | no | | [assign\_public\_ip](#input\_assign\_public\_ip) | Whether to assign a public IP to the bastion | `bool` | `false` | no | | [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with authorized access to KMS and EKS resources | `list(string)` | n/a | yes | | [aws\_node\_termination\_handler\_helm\_config](#input\_aws\_node\_termination\_handler\_helm\_config) | AWS Node Termination Handler Helm Chart config | `any` | `{}` | no | 
@@ -242,17 +245,19 @@ terraform destroy -auto-approve | [cluster\_autoscaler\_helm\_config](#input\_cluster\_autoscaler\_helm\_config) | Cluster Autoscaler Helm Chart config | `any` | `{}` | no | | [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether to enable private access to the EKS cluster | `bool` | `false` | no | | [cluster\_name](#input\_cluster\_name) | The name to use for the EKS cluster | `string` | `"my-eks"` | no | +| [cluster\_version](#input\_cluster\_version) | The Kubernetes version to use for the EKS cluster | `string` | `"1.23"` | no | +| [create\_aws\_auth\_configmap](#input\_create\_aws\_auth\_configmap) | Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). Most users should use `manage_aws_auth_configmap` | `bool` | `false` | no | | [create\_database\_subnet\_group](#input\_create\_database\_subnet\_group) | Whether to create a database subnet group | `bool` | `true` | no | | [create\_database\_subnet\_route\_table](#input\_create\_database\_subnet\_route\_table) | Whether to create a database subnet route table | `bool` | `true` | no | -| [eks\_k8s\_version](#input\_eks\_k8s\_version) | The Kubernetes version to use for the EKS cluster | `string` | `"1.23"` | no | +| [default\_tags](#input\_default\_tags) | A map of default tags to apply to all resources | `map(string)` | `{}` | no | | [eks\_worker\_tenancy](#input\_eks\_worker\_tenancy) | The tenancy of the EKS worker nodes | `string` | `"default"` | no | -| [enable\_amazon\_eks\_aws\_ebs\_csi\_driver](#input\_enable\_amazon\_eks\_aws\_ebs\_csi\_driver) | Enable EKS Managed AWS EBS CSI Driver add-on; enable\_amazon\_eks\_aws\_ebs\_csi\_driver and enable\_self\_managed\_aws\_ebs\_csi\_driver are mutually exclusive | `bool` | `true` | no | -| [enable\_amazon\_eks\_coredns](#input\_enable\_amazon\_eks\_coredns) | Enable Amazon EKS 
CoreDNS add-on | `bool` | `true` | no | -| [enable\_amazon\_eks\_kube\_proxy](#input\_enable\_amazon\_eks\_kube\_proxy) | Enable Kube Proxy add-on | `bool` | `true` | no | -| [enable\_amazon\_eks\_vpc\_cni](#input\_enable\_amazon\_eks\_vpc\_cni) | Enable VPC CNI add-on | `bool` | `true` | no | -| [enable\_aws\_node\_termination\_handler](#input\_enable\_aws\_node\_termination\_handler) | Enable AWS Node Termination Handler add-on | `bool` | `true` | no | -| [enable\_cluster\_autoscaler](#input\_enable\_cluster\_autoscaler) | Enable Cluster autoscaler add-on | `bool` | `true` | no | -| [enable\_metrics\_server](#input\_enable\_metrics\_server) | Enable metrics server add-on | `bool` | `true` | no | +| [enable\_amazon\_eks\_aws\_ebs\_csi\_driver](#input\_enable\_amazon\_eks\_aws\_ebs\_csi\_driver) | Enable EKS Managed AWS EBS CSI Driver add-on; enable\_amazon\_eks\_aws\_ebs\_csi\_driver and enable\_self\_managed\_aws\_ebs\_csi\_driver are mutually exclusive | `bool` | `false` | no | +| [enable\_amazon\_eks\_coredns](#input\_enable\_amazon\_eks\_coredns) | Enable Amazon EKS CoreDNS add-on | `bool` | `false` | no | +| [enable\_amazon\_eks\_kube\_proxy](#input\_enable\_amazon\_eks\_kube\_proxy) | Enable Kube Proxy add-on | `bool` | `false` | no | +| [enable\_amazon\_eks\_vpc\_cni](#input\_enable\_amazon\_eks\_vpc\_cni) | HANDLED by EKS module, not blueprints: Enable VPC CNI add-on | `bool` | `true` | no | +| [enable\_aws\_node\_termination\_handler](#input\_enable\_aws\_node\_termination\_handler) | Enable AWS Node Termination Handler add-on | `bool` | `false` | no | +| [enable\_cluster\_autoscaler](#input\_enable\_cluster\_autoscaler) | Enable Cluster autoscaler add-on | `bool` | `false` | no | +| [enable\_metrics\_server](#input\_enable\_metrics\_server) | Enable metrics server add-on | `bool` | `false` | no | | [intra\_subnets](#input\_intra\_subnets) | A list of intra subnets | `list(string)` | `[]` | no | | 
[kc\_db\_allocated\_storage](#input\_kc\_db\_allocated\_storage) | The database allocated storage to use for Keycloak | `number` | n/a | yes | | [kc\_db\_engine\_version](#input\_kc\_db\_engine\_version) | The database engine to use for Keycloak | `string` | n/a | yes | @@ -262,6 +267,7 @@ terraform destroy -auto-approve | [kc\_db\_max\_allocated\_storage](#input\_kc\_db\_max\_allocated\_storage) | The database allocated storage to use for Keycloak | `number` | n/a | yes | | [keycloak\_db\_password](#input\_keycloak\_db\_password) | The password to use for the Keycloak database | `string` | `"my-password"` | no | | [keycloak\_enabled](#input\_keycloak\_enabled) | Whether to enable Keycloak | `bool` | `false` | no | +| [manage\_aws\_auth\_configmap](#input\_manage\_aws\_auth\_configmap) | Determines whether to manage the aws-auth configmap | `bool` | `false` | no | | [metrics\_server\_helm\_config](#input\_metrics\_server\_helm\_config) | Metrics Server Helm Chart config | `any` | `{}` | no | | [region](#input\_region) | The AWS region to deploy into | `string` | n/a | yes | | [region2](#input\_region2) | The AWS region to deploy into | `string` | n/a | yes | diff --git a/examples/complete-self-managed-ng-intra-subnets/bigbang-dependencies.tf b/examples/complete-self-managed-ng-intra-subnets/bigbang-dependencies.tf index cf066d28..5fe2503e 100644 --- a/examples/complete-self-managed-ng-intra-subnets/bigbang-dependencies.tf +++ b/examples/complete-self-managed-ng-intra-subnets/bigbang-dependencies.tf 
@@ -11,14 +11,14 @@ module "flux_sops" {
 source = "../../modules/sops"
 region = var.region
- cluster_name = module.eks.eks_cluster_id
+ cluster_name = module.eks.cluster_name
 vpc_id = module.vpc.vpc_id
- policy_name_prefix = "${module.eks.eks_cluster_id}-flux-sops"
- kms_key_alias = "${module.eks.eks_cluster_id}-flux-sops"
+ policy_name_prefix = "${module.eks.cluster_name}-flux-sops"
+ kms_key_alias = "${module.eks.cluster_name}-flux-sops"
 kubernetes_service_account = "flux-system-sops-sa"
 kubernetes_namespace = "flux-system"
- irsa_sops_iam_role_name = "${module.eks.eks_cluster_id}-flux-system-sa-role"
- eks_oidc_provider_arn = module.eks.eks_oidc_provider_arn
+ irsa_sops_iam_role_name = "${module.eks.cluster_name}-flux-system-sa-role"
+ eks_oidc_provider_arn = module.eks.oidc_provider_arn
 tags = local.tags
 role_name = module.bastion.bastion_role_name
 }
@@ -31,14 +31,14 @@ module "loki_s3_bucket" {
 source = "../../modules/s3-irsa"
 region = var.region
- cluster_name = module.eks.eks_cluster_id
+ cluster_name = module.eks.cluster_name
 policy_name_prefix = "loki-s3-policy"
 bucket_prefix = "loki-s3"
 kms_key_alias = "loki-s3"
 kubernetes_service_account = "logging-loki-s3-sa"
 kubernetes_namespace = "logging"
- irsa_iam_role_name = "${module.eks.eks_cluster_id}-logging-loki-sa-role"
- eks_oidc_provider_arn = module.eks.eks_oidc_provider_arn
+ irsa_iam_role_name = "${module.eks.cluster_name}-logging-loki-sa-role"
+ eks_oidc_provider_arn = module.eks.oidc_provider
 tags = local.tags
 dynamodb_enabled = true
 }
diff --git a/examples/complete-self-managed-ng-intra-subnets/main.tf b/examples/complete-self-managed-ng-intra-subnets/main.tf
index 377d4c85..5a5b2e94 100644
--- a/examples/complete-self-managed-ng-intra-subnets/main.tf
+++ b/examples/complete-self-managed-ng-intra-subnets/main.tf
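Review bot: The loki_s3_bucket block wires `eks_oidc_provider_arn = module.eks.oidc_provider`, while the flux_sops block in the hunk above passes `module.eks.oidc_provider_arn` to the same input name. If the eks module exposes both outputs with their usual meanings (`oidc_provider` the issuer URL, `oidc_provider_arn` the IAM OIDC provider ARN), the IRSA trust policy for the Loki service account would be built from a URL rather than an ARN and the role could not be assumed, or the plan would fail on the type mismatch. Suggest `eks_oidc_provider_arn = module.eks.oidc_provider_arn` so both IRSA consumers reference the same output.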
@@ -2,13 +2,13 @@ data "aws_partition" "current" {}
 locals {
 tags = {
- Blueprint = "${replace(basename(path.cwd), "_", "-")}" # tag names based on the directory name
+ Blueprint = replace(basename(path.cwd), "_", "-") # tag names based on the directory name
 GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints"
 }
 admin_arns = [for admin_user in var.aws_admin_usernames : "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${admin_user}"]
- aws_auth_eks_map_users = [for admin_user in var.aws_admin_usernames : {
+ aws_auth_users = [for admin_user in var.aws_admin_usernames : {
 userarn = "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${admin_user}"
- username = "${admin_user}"
+ username = admin_user
 groups = ["system:masters"]
 }
 ]
@@ -39,7 +39,7 @@ module "vpc" {
 public_subnets = [for k, v in module.vpc.azs : cidrsubnet(module.vpc.vpc_cidr_block, 5, k)]
 private_subnets = [for k, v in module.vpc.azs : cidrsubnet(module.vpc.vpc_cidr_block, 5, k + 4)]
 database_subnets = [for k, v in module.vpc.azs : cidrsubnet(module.vpc.vpc_cidr_block, 5, k + 8)]
- intra_subnets = var.intra_subnets
+ intra_subnets = [for k, v in module.vpc.azs : cidrsubnet(module.vpc.vpc_cidr_block, 5, k + 12)]
 single_nat_gateway = true
 enable_nat_gateway = true
@@ -84,6 +84,9 @@ module "bastion" {
 tags = {
 Function = "bastion-ssm"
 }
+ depends_on = [
+ module.vpc
+ ]
 }
 ###########################################################
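Review bot: The `depends_on = [module.vpc]` added to module "bastion" here, and the identical block added to module "eks" in the later main.tf hunk, declares a module-level dependency on a module whose outputs the same block already references, so the ordering is implicit already. A module-level `depends_on` also defers every data source inside the dependent module until after apply, which tends to produce "known after apply" plans and perpetual diffs. Suggest dropping both blocks, or adding a comment naming the specific resource that is not reached through an output, e.g. `# depends_on: <reason> — TODO confirm which VPC resource is not covered by an output reference`. Separately, `intra_subnets` is now computed with `cidrsubnet`, so the `intra_subnets` input variable still listed in this example's README appears to be dead.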
@@ -92,27 +95,28 @@ module "eks" {
 # source = "git::https://github.com/defenseunicorns/iac.git//modules/eks?ref=v"
 source = "../../modules/eks"
- name = var.cluster_name
- aws_region = var.region
- aws_account = var.account
- vpc_id = module.vpc.vpc_id
- private_subnet_ids = module.vpc.private_subnets
- control_plane_subnet_ids = module.vpc.private_subnets
- source_security_group_id = module.bastion.security_group_ids[0]
- cluster_endpoint_public_access = var.cluster_endpoint_public_access
- cluster_endpoint_private_access = true
- cluster_kms_key_additional_admin_arns = local.admin_arns
- eks_k8s_version = var.eks_k8s_version
- bastion_role_arn = module.bastion.bastion_role_arn
- bastion_role_name = module.bastion.bastion_role_name
- aws_auth_eks_map_users = local.aws_auth_eks_map_users
+ name = var.cluster_name
+ aws_region = var.region
+ aws_account = var.account
+ vpc_id = module.vpc.vpc_id
+ private_subnet_ids = module.vpc.private_subnets
+ vpc_cni_custom_subnet = module.vpc.intra_subnets
+ # control_plane_subnet_ids = module.vpc.private_subnets #uses subnet_ids if not set
+ source_security_group_id = module.bastion.security_group_ids[0]
+ cluster_endpoint_public_access = var.cluster_endpoint_public_access
+ cluster_endpoint_private_access = true
+ kms_key_administrators = local.admin_arns
+ cluster_version = var.cluster_version
+ bastion_role_arn = module.bastion.bastion_role_arn
+ bastion_role_name = module.bastion.bastion_role_name
+
+ #AWS_AUTH
+ manage_aws_auth_configmap = var.manage_aws_auth_configmap
+ create_aws_auth_configmap = var.create_aws_auth_configmap
+ aws_auth_users = local.aws_auth_users
 enable_managed_nodegroups = false
- #---------------------------------------------------------------
- # EKS Blueprints - Self Managed Node Groups
- #---------------------------------------------------------------
-
 self_managed_node_groups = {
 self_mg1 = {
 node_group_name = "self_mg1"
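Review bot: `manage_aws_auth_configmap` and `create_aws_auth_configmap` are wired from variables whose defaults, in the variables.tf hunk later in this patch, are both `false`, while the same block sets `aws_auth_users = local.aws_auth_users` and `enable_managed_nodegroups = false`. If the eks module forwards these to terraform-aws-eks with the usual semantics, neither flag being true means the aws-auth ConfigMap is never written: the admin users mapped to `system:masters` are silently dropped and the self-managed node role is never mapped, so nodes cannot join. For an example that uses only self-managed node groups, `create_aws_auth_configmap = true` (which is exactly the case the variable's own description names) and `manage_aws_auth_configmap = true` should be the example defaults or appear in terraform.tfvars.example; otherwise a comment on the `#AWS_AUTH` line should say how the ConfigMap is expected to be populated. The module "eks" block continues past this hunk.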
@@ -190,12 +194,19 @@ module "eks" {
 }
 #---------------------------------------------------------------
- # EKS Blueprints - EKS Add-Ons
+ #"native" EKS Add-Ons
 #---------------------------------------------------------------
 # VPC CNI
- enable_amazon_eks_vpc_cni = var.enable_amazon_eks_vpc_cni
- amazon_eks_vpc_cni_config = var.amazon_eks_vpc_cni_config
+ enable_amazon_eks_vpc_cni = var.enable_amazon_eks_vpc_cni
+ amazon_eks_vpc_cni_before_compute = var.amazon_eks_vpc_cni_before_compute
+ amazon_eks_vpc_cni_most_recent = var.amazon_eks_vpc_cni_most_recent
+ amazon_eks_vpc_cni_resolve_conflict = var.amazon_eks_vpc_cni_resolve_conflict
+ amazon_eks_vpc_cni_configuration_values = var.amazon_eks_vpc_cni_configuration_values
+
+ #---------------------------------------------------------------
+ # EKS Blueprints - EKS Add-Ons
+ #---------------------------------------------------------------
 # EKS CoreDNS
 enable_amazon_eks_coredns = var.enable_amazon_eks_coredns
@@ -220,4 +231,8 @@ module "eks" {
 # EKS Cluster Autoscaler
 enable_cluster_autoscaler = var.enable_cluster_autoscaler
 cluster_autoscaler_helm_config = var.cluster_autoscaler_helm_config
+
+ depends_on = [
+ module.vpc
+ ]
 }
diff --git a/examples/complete-self-managed-ng-intra-subnets/providers.tf b/examples/complete-self-managed-ng-intra-subnets/providers.tf
index 4574ef19..d4731526 100644
--- a/examples/complete-self-managed-ng-intra-subnets/providers.tf
+++ b/examples/complete-self-managed-ng-intra-subnets/providers.tf
@@ -1,50 +1,56 @@ data "aws_eks_cluster_auth" "this" { - name = module.eks.eks_cluster_id + name = module.eks.cluster_name } data "aws_eks_cluster" "example" { - name = module.eks.eks_cluster_id + name = module.eks.cluster_name } provider "aws" { region = var.region + default_tags { + tags = var.default_tags + } } provider "aws" { alias = "region2" region = var.region2 -} - -provider "kubernetes" { - host = data.aws_eks_cluster.example.endpoint - cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data) - exec { - api_version = "client.authentication.k8s.io/v1" - args = ["eks", "get-token", "--cluster-name", var.cluster_name] - command = "aws" + default_tags { + tags = var.default_tags } } -provider "helm" { - kubernetes { - host = data.aws_eks_cluster.example.endpoint - cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data) - exec { - api_version = "client.authentication.k8s.io/v1" - args = ["eks", "get-token", "--cluster-name", var.cluster_name] - command = "aws" - } - } -} +# provider "kubernetes" { +# host = data.aws_eks_cluster.example.endpoint +# cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data) +# exec { +# api_version = "client.authentication.k8s.io/v1" +# args = ["eks", "get-token", "--cluster-name", var.cluster_name] +# command = "aws" +# } +# } -provider "kubectl" { - apply_retry_count = 5 - host = data.aws_eks_cluster.example.endpoint - cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data) - exec { - api_version = "client.authentication.k8s.io/v1" - args = ["eks", "get-token", "--cluster-name", var.cluster_name] - command = "aws" - } -} +# provider "helm" { +# kubernetes { +# host = data.aws_eks_cluster.example.endpoint +# cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data) +# exec { +# api_version = "client.authentication.k8s.io/v1" +# 
args = ["eks", "get-token", "--cluster-name", var.cluster_name] +# command = "aws" +# } +# } +# } + +# provider "kubectl" { +# apply_retry_count = 5 +# host = data.aws_eks_cluster.example.endpoint +# cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data) +# exec { +# api_version = "client.authentication.k8s.io/v1" +# args = ["eks", "get-token", "--cluster-name", var.cluster_name] +# command = "aws" +# } +# } diff --git a/examples/complete-self-managed-ng-intra-subnets/terraform.tfvars.example b/examples/complete-self-managed-ng-intra-subnets/terraform.tfvars.example index 6c4b49cb..b1e00e43 100644 --- a/examples/complete-self-managed-ng-intra-subnets/terraform.tfvars.example +++ b/examples/complete-self-managed-ng-intra-subnets/terraform.tfvars.example @@ -32,7 +32,7 @@ #################### EKS Config ########################### cluster_name = "my-eks" - eks_k8s_version = "1.23" + cluster_version = "1.23" eks_worker_tenancy = "dedicated" cluster_endpoint_public_access = true diff --git a/examples/complete-self-managed-ng-intra-subnets/variables.tf b/examples/complete-self-managed-ng-intra-subnets/variables.tf index abdd9cdd..51de8ede 100644 --- a/examples/complete-self-managed-ng-intra-subnets/variables.tf +++ b/examples/complete-self-managed-ng-intra-subnets/variables.tf 
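Review bot: The kubernetes, helm and kubectl provider blocks are commented out, yet `data "aws_eks_cluster_auth" "this"` and `data "aws_eks_cluster" "example"` are kept even though those providers were their only consumers, and the modules/eks README in this patch still lists a `kubectl_manifest.vpc_cni_eni_config` resource plus the kubernetes-addons module. If `../../modules/eks` still declares those providers, the root module now supplies no configuration for them, so Terraform falls back to empty default provider configurations and the kubectl and helm resources fail at apply with no endpoint or credentials. Either keep the provider blocks (they are the only place the `aws eks get-token` exec authentication is configured) or remove the now-unused data sources and add a comment stating where the cluster providers are configured instead.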
@@ -25,6 +25,25 @@ variable "aws_admin_usernames" {
 description = "A list of one or more AWS usernames with authorized access to KMS and EKS resources"
 type = list(string)
 }
+
+variable "manage_aws_auth_configmap" {
+ description = "Determines whether to manage the aws-auth configmap"
+ type = bool
+ default = false
+}
+
+variable "create_aws_auth_configmap" {
+ description = "Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). Most users should use `manage_aws_auth_configmap`"
+ type = bool
+ default = false
+}
+
+variable "default_tags" {
+ description = "A map of default tags to apply to all resources"
+ type = map(string)
+ default = {}
+}
+
 ###########################################################
 #################### VPC Config ###########################
@@ -66,7 +85,7 @@ variable "cluster_name" {
 default = "my-eks"
 }
-variable "eks_k8s_version" {
+variable "cluster_version" {
 description = "The Kubernetes version to use for the EKS cluster"
 type = string
 default = "1.23"
@@ -83,22 +102,48 @@ variable "cluster_endpoint_public_access" {
 #----------------AWS EKS VPC CNI-------------------------
 variable "enable_amazon_eks_vpc_cni" {
- description = "Enable VPC CNI add-on"
+ description = "HANDLED by EKS module, not blueprints: Enable VPC CNI add-on"
+ type = bool
+ default = true
+}
+
+variable "amazon_eks_vpc_cni_before_compute" {
+ description = "HANDLED by EKS module, not blueprints: Deploy VPC CNI add-on before compute nodes"
+ type = bool
+ default = true
+}
+
+variable "amazon_eks_vpc_cni_most_recent" {
+ description = "HANDLED by EKS module, not blueprints: Deploy most recent VPC CNI add-on"
 type = bool
 default = true
 }
-variable "amazon_eks_vpc_cni_config" {
- description = "ConfigMap of Amazon EKS VPC CNI add-on"
+variable "amazon_eks_vpc_cni_resolve_conflict" {
+ description = "HANDLED by EKS module, not blueprints: Conflict resolution strategy of VPC CNI add-on deployment via eks module"
+ type = string
+ default = "OVERWRITE"
+}
+
+variable "amazon_eks_vpc_cni_configuration_values" {
+ description = "HANDLED by EKS module, not blueprints: ConfigMap of Amazon EKS VPC CNI add-on"
 type = any
- default = {}
+ default = {
+ # Reference https://aws.github.io/aws-eks-best-practices/reliability/docs/networkmanagement/#cni-custom-networking
+ AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = "true"
+ ENI_CONFIG_LABEL_DEF = "topology.kubernetes.io/zone"
+
+ # Reference docs https://docs.aws.amazon.com/eks/latest/userguide/cni-increase-ip-addresses.html
+ ENABLE_PREFIX_DELEGATION = "true"
+ WARM_PREFIX_TARGET = "1"
+ }
 }
 #----------------AWS CoreDNS-------------------------
 variable "enable_amazon_eks_coredns" {
 description = "Enable Amazon EKS CoreDNS add-on"
 type = bool
- default = true
+ default = false
 }
 variable "amazon_eks_coredns_config" {
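Review bot: `amazon_eks_vpc_cni_resolve_conflict` is a free-form `string` defaulting to `"OVERWRITE"`, so a typo is only rejected when the EKS add-on API call fails during apply, after the cluster has already been created. A `validation` block listing the accepted values fails fast at plan time and documents the contract in the variable itself. Relatedly, `amazon_eks_vpc_cni_configuration_values` is typed `any` although its default is a flat map of strings; if nested values are not intended, `type = map(string)` would catch a malformed override.

```hcl
variable "amazon_eks_vpc_cni_resolve_conflict" {
  # … unchanged: description, type, default …

  validation {
    condition     = contains(["NONE", "OVERWRITE", "PRESERVE"], var.amazon_eks_vpc_cni_resolve_conflict)
    error_message = "amazon_eks_vpc_cni_resolve_conflict must be one of NONE, OVERWRITE or PRESERVE."
  }
}
```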
@@ -111,7 +156,7 @@ variable "amazon_eks_coredns_config" {
 variable "enable_amazon_eks_kube_proxy" {
 description = "Enable Kube Proxy add-on"
 type = bool
- default = true
+ default = false
 }
 variable "amazon_eks_kube_proxy_config" {
@@ -124,7 +169,7 @@ variable "amazon_eks_kube_proxy_config" {
 variable "enable_amazon_eks_aws_ebs_csi_driver" {
 description = "Enable EKS Managed AWS EBS CSI Driver add-on; enable_amazon_eks_aws_ebs_csi_driver and enable_self_managed_aws_ebs_csi_driver are mutually exclusive"
 type = bool
- default = true
+ default = false
 }
 variable "amazon_eks_aws_ebs_csi_driver_config" {
@@ -137,7 +182,7 @@ variable "amazon_eks_aws_ebs_csi_driver_config" {
 variable "enable_metrics_server" {
 description = "Enable metrics server add-on"
 type = bool
- default = true
+ default = false
 }
 variable "metrics_server_helm_config" {
@@ -150,7 +195,7 @@ variable "metrics_server_helm_config" {
 variable "enable_aws_node_termination_handler" {
 description = "Enable AWS Node Termination Handler add-on"
 type = bool
- default = true
+ default = false
 }
 variable "aws_node_termination_handler_helm_config" {
@@ -163,7 +208,7 @@ variable "aws_node_termination_handler_helm_config" {
 variable "enable_cluster_autoscaler" {
 description = "Enable Cluster autoscaler add-on"
 type = bool
- default = true
+ default = false
 }
 variable "cluster_autoscaler_helm_config" {
@@ -172,7 +217,6 @@ variable "cluster_autoscaler_helm_config" {
 default = {}
 }
-
 ###########################################################
 ################## Bastion Config #########################
diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md
index 18c715ea..9c4c3f9f 100644
--- a/examples/complete-self-managed-nodegroup/README.md
+++ b/examples/complete-self-managed-nodegroup/README.md
@@ -230,9 +230,9 @@ No requirements. | [bastion\_tenancy](#input\_bastion\_tenancy) | The tenancy of the bastion | `string` | `"default"` | no | | [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether to enable private access to the EKS cluster | `bool` | `false` | no | | [cluster\_name](#input\_cluster\_name) | The name to use for the EKS cluster | `string` | `"my-eks"` | no | +| [cluster\_version](#input\_cluster\_version) | The Kubernetes version to use for the EKS cluster | `string` | `"1.23"` | no | | [create\_database\_subnet\_group](#input\_create\_database\_subnet\_group) | Whether to create a database subnet group | `bool` | `true` | no | | [create\_database\_subnet\_route\_table](#input\_create\_database\_subnet\_route\_table) | Whether to create a database subnet route table | `bool` | `true` | no | -| [eks\_k8s\_version](#input\_eks\_k8s\_version) | The Kubernetes version to use for the EKS cluster | `string` | `"1.23"` | no | | [eks\_worker\_tenancy](#input\_eks\_worker\_tenancy) | The tenancy of the EKS worker nodes | `string` | `"default"` | no | | [kc\_db\_allocated\_storage](#input\_kc\_db\_allocated\_storage) | The database allocated storage to use for Keycloak | `number` | n/a | yes | | [kc\_db\_engine\_version](#input\_kc\_db\_engine\_version) | The database engine to use for Keycloak | `string` | n/a | yes | diff --git a/examples/complete-self-managed-nodegroup/bigbang-dependencies.tf b/examples/complete-self-managed-nodegroup/bigbang-dependencies.tf index cf066d28..ff68b64a 100644 --- a/examples/complete-self-managed-nodegroup/bigbang-dependencies.tf +++ b/examples/complete-self-managed-nodegroup/bigbang-dependencies.tf 
@@ -11,13 +11,13 @@ module "flux_sops" {
 source = "../../modules/sops"
 region = var.region
- cluster_name = module.eks.eks_cluster_id
+ cluster_name = module.eks.cluster_name
 vpc_id = module.vpc.vpc_id
- policy_name_prefix = "${module.eks.eks_cluster_id}-flux-sops"
- kms_key_alias = "${module.eks.eks_cluster_id}-flux-sops"
+ policy_name_prefix = "${module.eks.cluster_name}-flux-sops"
+ kms_key_alias = "${module.eks.cluster_name}-flux-sops"
 kubernetes_service_account = "flux-system-sops-sa"
 kubernetes_namespace = "flux-system"
- irsa_sops_iam_role_name = "${module.eks.eks_cluster_id}-flux-system-sa-role"
+ irsa_sops_iam_role_name = "${module.eks.cluster_name}-flux-system-sa-role"
 eks_oidc_provider_arn = module.eks.eks_oidc_provider_arn
 tags = local.tags
 role_name = module.bastion.bastion_role_name
@@ -31,13 +31,13 @@ module "loki_s3_bucket" {
 source = "../../modules/s3-irsa"
 region = var.region
- cluster_name = module.eks.eks_cluster_id
+ cluster_name = module.eks.cluster_name
 policy_name_prefix = "loki-s3-policy"
 bucket_prefix = "loki-s3"
 kms_key_alias = "loki-s3"
 kubernetes_service_account = "logging-loki-s3-sa"
 kubernetes_namespace = "logging"
- irsa_iam_role_name = "${module.eks.eks_cluster_id}-logging-loki-sa-role"
+ irsa_iam_role_name = "${module.eks.cluster_name}-logging-loki-sa-role"
 eks_oidc_provider_arn = module.eks.eks_oidc_provider_arn
 tags = local.tags
 dynamodb_enabled = true
diff --git a/examples/complete-self-managed-nodegroup/main.tf b/examples/complete-self-managed-nodegroup/main.tf
index acb85325..dcf4b3af 100644
--- a/examples/complete-self-managed-nodegroup/main.tf
+++ b/examples/complete-self-managed-nodegroup/main.tf
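Review bot: Both module blocks in this file keep `eks_oidc_provider_arn = module.eks.eks_oidc_provider_arn` as a context line while every `eks_cluster_id` reference around it is renamed to `cluster_name`; the sibling example (complete-self-managed-ng-intra-subnets) renames the same reference to `module.eks.oidc_provider_arn` earlier in this patch. If the eks module's output was renamed together with `cluster_name`, this example fails at plan with an unsupported-attribute error on the IRSA inputs. Suggest `eks_oidc_provider_arn = module.eks.oidc_provider_arn` in both the flux_sops and loki_s3_bucket blocks so the two examples agree on the module interface.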
@@ -6,7 +6,7 @@ locals {
 GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints"
 }
 admin_arns = [for admin_user in var.aws_admin_usernames : "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${admin_user}"]
- aws_auth_eks_map_users = [for admin_user in var.aws_admin_usernames : {
+ aws_auth_users = [for admin_user in var.aws_admin_usernames : {
 userarn = "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${admin_user}"
 username = "${admin_user}"
 groups = ["system:masters"]
@@ -91,20 +91,20 @@ module "eks" {
 # source = "git::https://github.com/defenseunicorns/iac.git//modules/eks?ref=v"
 source = "../../modules/eks"
- name = var.cluster_name
- aws_region = var.region
- aws_account = var.account
- vpc_id = module.vpc.vpc_id
- private_subnet_ids = module.vpc.private_subnets
- control_plane_subnet_ids = module.vpc.private_subnets
- source_security_group_id = module.bastion.security_group_ids[0]
- cluster_endpoint_public_access = var.cluster_endpoint_public_access
- cluster_endpoint_private_access = true
- cluster_kms_key_additional_admin_arns = local.admin_arns
- eks_k8s_version = var.eks_k8s_version
- bastion_role_arn = module.bastion.bastion_role_arn
- bastion_role_name = module.bastion.bastion_role_name
- aws_auth_eks_map_users = local.aws_auth_eks_map_users
+ name = var.cluster_name
+ aws_region = var.region
+ aws_account = var.account
+ vpc_id = module.vpc.vpc_id
+ private_subnet_ids = module.vpc.private_subnets
+ control_plane_subnet_ids = module.vpc.private_subnets
+ source_security_group_id = module.bastion.security_group_ids[0]
+ cluster_endpoint_public_access = var.cluster_endpoint_public_access
+ cluster_endpoint_private_access = true
+ kms_key_administrators = local.admin_arns
+ cluster_version = var.cluster_version
+ bastion_role_arn = module.bastion.bastion_role_arn
+ bastion_role_name = module.bastion.bastion_role_name
+ aws_auth_users = local.aws_auth_users
 enable_managed_nodegroups = false
diff --git a/examples/complete-self-managed-nodegroup/providers.tf b/examples/complete-self-managed-nodegroup/providers.tf
index 89fb9ef4..a384885c 100644
--- a/examples/complete-self-managed-nodegroup/providers.tf
+++ b/examples/complete-self-managed-nodegroup/providers.tf
@@ -1,19 +1,25 @@
 data "aws_eks_cluster_auth" "this" {
- name = module.eks.eks_cluster_id
+ name = module.eks.cluster_name
 }
 data "aws_eks_cluster" "example" {
- name = module.eks.eks_cluster_id
+ name = module.eks.cluster_name
 }
 provider "aws" {
 region = var.region
+ default_tags {
+ tags = var.default_tags
+ }
 }
 provider "aws" {
 alias = "region2"
 region = var.region2
+ default_tags {
+ tags = var.default_tags
+ }
 }
 provider "kubernetes" {
diff --git a/examples/complete-self-managed-nodegroup/terraform.tfvars.example b/examples/complete-self-managed-nodegroup/terraform.tfvars.example
index 6c4b49cb..b1e00e43 100644
--- a/examples/complete-self-managed-nodegroup/terraform.tfvars.example
+++ b/examples/complete-self-managed-nodegroup/terraform.tfvars.example
@@ -32,7 +32,7 @@
 #################### EKS Config ###########################
 cluster_name = "my-eks"
- eks_k8s_version = "1.23"
+ cluster_version = "1.23"
 eks_worker_tenancy = "dedicated"
 cluster_endpoint_public_access = true
diff --git a/examples/complete-self-managed-nodegroup/variables.tf b/examples/complete-self-managed-nodegroup/variables.tf
index e698daaa..24b36dda 100644
--- a/examples/complete-self-managed-nodegroup/variables.tf
+++ b/examples/complete-self-managed-nodegroup/variables.tf
@@ -60,7 +60,7 @@ variable "cluster_name" {
 default = "my-eks"
 }
-variable "eks_k8s_version" {
+variable "cluster_version" {
 description = "The Kubernetes version to use for the EKS cluster"
 type = string
 default = "1.23"
diff --git a/examples/tf-state-backend/.terraform.lock.hcl b/examples/tf-state-backend/.terraform.lock.hcl
index c4e7be59..15938a22 100644
--- a/examples/tf-state-backend/.terraform.lock.hcl
+++ b/examples/tf-state-backend/.terraform.lock.hcl 
@@ -2,24 +2,24 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "4.56.0" + version = "4.57.1" constraints = ">= 4.9.0" hashes = [ - "h1:v6DE95Ll2mxE96IGUsT/h6WQTU1d2cfHydWah1FgT20=", - "zh:1d2b7693a102da015a86b9235b554272b9280597011216c3ddd1a6dc95ad8dab", - "zh:28c3e8ebaa077f65c4ac5fd051c95887070293fcff0386dfc2e4b7e248a0aefa", - "zh:2a620bc4a87be06e7acac1bc15e966dba45df643bf6c3efb811e74e6c2122b03", - "zh:30d3ac148fa0634e7ba1de66e1af1328481c92cd774adcfc0e27f828103b17e0", - "zh:3d3eebf916f25e11b12dd3c692f8fe1e4c4e9a0c414af9d0d881ddebd28dcd39", - "zh:3f4600f2881c02fcc69080df68747c9a0b9b11cb002117fd918b7800f2ac402b", - "zh:7156fb12c3b4f2964f7e78cee97f31d95b43045467f90749d2ed545725c36baa", + "h1:Qfq7Q9aCQqdl7w439mCMm89126n8DsDAmg6H8gXhnLI=", + "zh:44200c213ddb138df80d2a5ad86c2ebadbb5fd1d08cd7e4fc56ec6dca927659b", + "zh:469e6fe6a9e99e60cb168d32f05e2e9a83cf161f39160d075ff96f7674c510e1", + "zh:6110ba2c15a2268652ec9ea3797dd0216de84ece428055c49eaf9caa2be1ed62", + "zh:62ed7348acca44f64fc087e879e01cfa4e084c7600cc91e8bb7683f8065a9c79", + "zh:7a80e6fa9b35be178bb566093f7984dd6ffb7ad9d40b9dd5d5907f054f0c3e60", + "zh:8793043c8575a598c1a7cbefcb65ee1776b0061eba719098e552a3adc88f3090", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a5bbc84fd37d468c7b016009776b6d2a287bbb746af81aba786cdf8eb5fce4a1", - "zh:d5322bcd4e11caddbbfaa1198893824d4b4d28f504517a3a87902cf86d75bd87", - "zh:d766eb9f86a40060d63e12ef674d7c9c47ec4e47ade487f1f49af8c89b441711", - "zh:df23f592b99f6617f09e449009bbb49068a69fc926b15ca29e30b068c9c67365", - "zh:e7b0acee2d98549731547259b539f598e18db07c0c202d3a34b922beff711054", - "zh:ec317f79fdcce934c39458ea312862e7f7ec48cafb8bcc9b5a00d9b78b629d81", - "zh:f78ec7a771867d96dfee96bf74523341ba42feeb64ce2f108b5bf2e7ebef0fef", + "zh:a777a0082114e273b7b3eb14095a3f6f6e703c1aff61ffb1f0846bb869e6dfc7", + "zh:b060c3b2973097f2087a98ac6aad7c9c89fe80f7cf3027019049feafc3f8305b", + 
"zh:e7035e74563f4486848ea1feb60852175353790bc374e0e97e241a88dc0908f7",
+ "zh:eaaa8e9eba09ada41e13116d53d4baece04fead8fcf3eab68cca3a67ed738e18",
+ "zh:ec52d8f95a84fad8fe1aae169c89d0c54d5401f75caae0869ad8182c6b6db65b",
+ "zh:f0e33174025b1b57ecfbdd09f2a59c2559ee94d7681e5ae09079e2822ec54ecf",
+ "zh:f69790a21380e5aab9303a252564737333e1e95b5d25567681630e49b17e3ec7",
+ "zh:ff6053942c40a99904bd407f3c082c1fa8f927ecce0374566eb7e8ee8145e582",
 ]
 }
diff --git a/examples/tf-state-backend/main.tf b/examples/tf-state-backend/main.tf
index 72cc58a6..bb4b434f 100644
--- a/examples/tf-state-backend/main.tf
+++ b/examples/tf-state-backend/main.tf
@@ -1,5 +1,8 @@
 provider "aws" {
 region = var.region
+ default_tags {
+ tags = var.default_tags
+ }
 }
 data "aws_partition" "current" {}
@@ -9,14 +12,16 @@ locals {
 }
 module "tfstate_backend" {
- source = "git::https://github.com/defenseunicorns/terraform-aws-tfstate-backend.git?ref=0.0.1"
+ # source = "git::https://github.com/defenseunicorns/terraform-aws-tfstate-backend.git?ref=main"
+ source = "/Users/zack/git-repos/Defense_Unicorns/projects/DU_oss/terraform-aws-tfstate-backend"
 region = var.region
 bucket_prefix = var.bucket_prefix
 dynamodb_table_name = var.dynamodb_table_name
+ force_destroy = var.force_destroy
 # list of admin's AWS account arn to allow control of KMS keys
- cluster_key_admin_arns = local.admin_arns
+ admin_arns = local.admin_arns
 }
 output "tfstate_bucket_id" {
diff --git a/examples/tf-state-backend/tf-state-backend.tfvars.example b/examples/tf-state-backend/tf-state-backend.tfvars.example
index 5a39cce1..2d03fbf4 100644
--- a/examples/tf-state-backend/tf-state-backend.tfvars.example
+++ b/examples/tf-state-backend/tf-state-backend.tfvars.example
@@ -10,3 +10,4 @@
 ]
 bucket_prefix = "my-tfstate-backend"
 dynamodb_table_name = "my-tfstate-backend-lock"
+ force_delete = false
diff --git a/examples/tf-state-backend/variables.tf b/examples/tf-state-backend/variables.tf
index 7bcaa451..0383ee26 100644
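Review bot: `source = "/Users/zack/git-repos/Defense_Unicorns/projects/DU_oss/terraform-aws-tfstate-backend"` is an absolute path on the author's workstation, so `terraform init` fails for every other user of this example, and the pinned `?ref=0.0.1` git source it replaces survives only as a comment that now points at the floating `main` branch. A committed example's module source should be a reachable, pinned ref so the code that creates the state bucket and lock table is reproducible and reviewable rather than whatever the branch holds on the day it is run. Suggest restoring the git source pinned to the tag that exposes `admin_arns` and `force_destroy`, e.g. `source = "git::https://github.com/defenseunicorns/terraform-aws-tfstate-backend.git?ref=<PINNED_TAG>"` (placeholder for the real tag).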
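Review bot: The example tfvars adds `force_delete = false`, but the variable declared in variables.tf in this patch and passed to the module is named `force_destroy`; Terraform only warns about the undeclared `force_delete` value, so `force_destroy` silently keeps its default and the example does not set what it appears to set. Change the line to `force_destroy = false` to match the variable name.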
--- a/examples/tf-state-backend/variables.tf
+++ b/examples/tf-state-backend/variables.tf
@@ -22,3 +22,14 @@ variable "dynamodb_table_name" {
 type = string
 default = "my-tfstate-backend-lock"
 }
+
+variable "force_destroy" {
+ type = bool
+ default = false
+}
+
+variable "default_tags" {
+ description = "A map of default tags to apply to all resources"
+ type = map(string)
+ default = {}
+}
diff --git a/modules/eks/README.md b/modules/eks/README.md
index f89c3000..45725a18 100644
--- a/modules/eks/README.md
+++ b/modules/eks/README.md
@@ -27,7 +27,7 @@ To view examples for how you can leverage this EKS Module, please see the [examp
 | Name | Source | Version |
 |------|--------|---------|
-| [eks\_blueprints](#module\_eks\_blueprints) | git::https://github.com/aws-ia/terraform-aws-eks-blueprints.git | v4.24.0 |
+| [aws\_eks](#module\_aws\_eks) | git::https://github.com/terraform-aws-modules/terraform-aws-eks.git | v19.10.0 |
 | [eks\_blueprints\_kubernetes\_addons](#module\_eks\_blueprints\_kubernetes\_addons) | git::https://github.com/aws-ia/terraform-aws-eks-blueprints.git//modules/kubernetes-addons | v4.24.0 |
 ## Resources
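Review bot: `variable "force_destroy"` carries no `description`, unlike `default_tags` declared directly below it, and its effect is the most consequential setting in this example: presumably it is passed through to the state bucket's `force_destroy`, allowing the bucket and the versioned state objects inside it to be deleted on `terraform destroy`. Suggest `description = "Whether to allow the Terraform state bucket and its objects to be deleted on destroy. Keep false for any backend that holds live state."`, and confirm against the module that the flag indeed reaches the S3 bucket.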
@@ -39,7 +39,7 @@ To view examples for how you can leverage this EKS Module, please see the [examp | [aws_iam_role.auth_eks_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role.managed_ng](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role.self_managed_ng](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [kubectl_manifest.eni_config](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource | +| [kubectl_manifest.vpc_cni_eni_config](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource | | [aws_ami.amazonlinux2eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | | [aws_eks_cluster_auth.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | @@ -59,7 +59,7 @@ To view examples for how you can leverage this EKS Module, please see the [examp | [amazon\_eks\_vpc\_cni\_most\_recent](#input\_amazon\_eks\_vpc\_cni\_most\_recent) | HANDLED by EKS module, not blueprints: Deploy most recent VPC CNI add-on | `bool` | `true` | no | | [amazon\_eks\_vpc\_cni\_resolve\_conflict](#input\_amazon\_eks\_vpc\_cni\_resolve\_conflict) | HANDLED by EKS module, not blueprints: Conflict resolution strategy of VPC CNI add-on deployment via eks module | `string` | `"OVERWRITE"` | no | | [aws\_account](#input\_aws\_account) | n/a | `string` | `""` | no | -| [aws\_auth\_eks\_map\_users](#input\_aws\_auth\_eks\_map\_users) | List of map of users to add to aws-auth configmap |
list(object({
userarn = string
username = string
groups = list(string)
}))
| `[]` | no | +| [aws\_auth\_users](#input\_aws\_auth\_users) | List of map of users to add to aws-auth configmap |
list(object({
userarn = string
username = string
groups = list(string)
}))
| `[]` | no | | [aws\_node\_termination\_handler\_helm\_config](#input\_aws\_node\_termination\_handler\_helm\_config) | AWS Node Termination Handler Helm Chart config | `any` | `{}` | no | | [aws\_region](#input\_aws\_region) | n/a | `string` | `""` | no | | [bastion\_role\_arn](#input\_bastion\_role\_arn) | ARN of role authorized kubectl access | `string` | `""` | no | @@ -67,19 +67,21 @@ To view examples for how you can leverage this EKS Module, please see the [examp | [cluster\_autoscaler\_helm\_config](#input\_cluster\_autoscaler\_helm\_config) | Cluster Autoscaler Helm Chart config | `any` |
{
"set": [
{
"name": "extraArgs.expander",
"value": "priority"
},
{
"name": "expanderPriorities",
"value": "100:\n - .*-spot-2vcpu-8mem.*\n90:\n - .*-spot-4vcpu-16mem.*\n10:\n - .*\n"
}
]
}
| no | | [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Enable private access to the cluster endpoint | `bool` | `true` | no | | [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Enable public access to the cluster endpoint | `bool` | `false` | no | -| [cluster\_kms\_key\_additional\_admin\_arns](#input\_cluster\_kms\_key\_additional\_admin\_arns) | List of ARNs of additional users to add to KMS key policy | `list(string)` | `[]` | no | | [cluster\_name](#input\_cluster\_name) | Name of cluster - used by Terratest for e2e test automation | `string` | `""` | no | +| [cluster\_version](#input\_cluster\_version) | Kubernetes version to use for EKS cluster | `string` | `"1.23"` | no | | [control\_plane\_subnet\_ids](#input\_control\_plane\_subnet\_ids) | Subnet IDs for control plane | `list(string)` | `[]` | no | -| [eks\_k8s\_version](#input\_eks\_k8s\_version) | Kubernetes version to use for EKS cluster | `string` | `"1.23"` | no | -| [enable\_amazon\_eks\_aws\_ebs\_csi\_driver](#input\_enable\_amazon\_eks\_aws\_ebs\_csi\_driver) | Enable EKS Managed AWS EBS CSI Driver add-on; enable\_amazon\_eks\_aws\_ebs\_csi\_driver and enable\_self\_managed\_aws\_ebs\_csi\_driver are mutually exclusive | `bool` | `true` | no | -| [enable\_amazon\_eks\_coredns](#input\_enable\_amazon\_eks\_coredns) | Enable Amazon EKS CoreDNS add-on | `bool` | `true` | no | -| [enable\_amazon\_eks\_kube\_proxy](#input\_enable\_amazon\_eks\_kube\_proxy) | Enable Kube Proxy add-on | `bool` | `true` | no | +| [create\_aws\_auth\_configmap](#input\_create\_aws\_auth\_configmap) | Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). 
Most users should use `manage_aws_auth_configmap` | `bool` | `false` | no | +| [eks\_managed\_node\_groups](#input\_eks\_managed\_node\_groups) | Managed node groups configuration | `any` | `{}` | no | +| [enable\_amazon\_eks\_aws\_ebs\_csi\_driver](#input\_enable\_amazon\_eks\_aws\_ebs\_csi\_driver) | Enable EKS Managed AWS EBS CSI Driver add-on; enable\_amazon\_eks\_aws\_ebs\_csi\_driver and enable\_self\_managed\_aws\_ebs\_csi\_driver are mutually exclusive | `bool` | `false` | no | +| [enable\_amazon\_eks\_coredns](#input\_enable\_amazon\_eks\_coredns) | Enable Amazon EKS CoreDNS add-on | `bool` | `false` | no | +| [enable\_amazon\_eks\_kube\_proxy](#input\_enable\_amazon\_eks\_kube\_proxy) | Enable Kube Proxy add-on | `bool` | `false` | no | | [enable\_amazon\_eks\_vpc\_cni](#input\_enable\_amazon\_eks\_vpc\_cni) | HANDLED by EKS module, not blueprints: Enable VPC CNI add-on | `bool` | `true` | no | -| [enable\_aws\_node\_termination\_handler](#input\_enable\_aws\_node\_termination\_handler) | Enable AWS Node Termination Handler add-on | `bool` | `true` | no | -| [enable\_cluster\_autoscaler](#input\_enable\_cluster\_autoscaler) | Enable Cluster autoscaler add-on | `bool` | `true` | no | +| [enable\_aws\_node\_termination\_handler](#input\_enable\_aws\_node\_termination\_handler) | Enable AWS Node Termination Handler add-on | `bool` | `false` | no | +| [enable\_cluster\_autoscaler](#input\_enable\_cluster\_autoscaler) | Enable Cluster autoscaler add-on | `bool` | `false` | no | | [enable\_managed\_nodegroups](#input\_enable\_managed\_nodegroups) | Enable managed node groups. If false, self managed node groups will be used. 
| `bool` | n/a | yes | -| [enable\_metrics\_server](#input\_enable\_metrics\_server) | Enable metrics server add-on | `bool` | `true` | no | -| [managed\_node\_groups](#input\_managed\_node\_groups) | Managed node groups configuration | `any` | `{}` | no | +| [enable\_metrics\_server](#input\_enable\_metrics\_server) | Enable metrics server add-on | `bool` | `false` | no | +| [kms\_key\_administrators](#input\_kms\_key\_administrators) | List of ARNs of additional administrator users to add to KMS key policy | `list(string)` | `[]` | no | +| [manage\_aws\_auth\_configmap](#input\_manage\_aws\_auth\_configmap) | Determines whether to manage the aws-auth configmap | `bool` | `false` | no | | [metrics\_server\_helm\_config](#input\_metrics\_server\_helm\_config) | Metrics Server Helm Chart config | `any` | `{}` | no | | [name](#input\_name) | n/a | `string` | `""` | no | | [private\_subnet\_ids](#input\_private\_subnet\_ids) | Private subnet IDs | `list(string)` | `[]` | no | 
@@ -87,25 +89,23 @@ To view examples for how you can leverage this EKS Module, please see the [examp | [self\_managed\_node\_groups](#input\_self\_managed\_node\_groups) | Self-managed node groups configuration | `any` | `{}` | no | | [source\_security\_group\_id](#input\_source\_security\_group\_id) | List of additional rules to add to cluster security group | `string` | `""` | no | | [tenancy](#input\_tenancy) | Tenancy of the cluster | `string` | `"dedicated"` | no | +| [vpc\_cni\_custom\_subnet](#input\_vpc\_cni\_custom\_subnet) | Subnet to put pod ENIs in | `list(string)` | `[]` | no | | [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | `""` | no | ## Outputs | Name | Description | |------|-------------| +| [aws\_eks](#output\_aws\_eks) | all EKS cluster outputs, just for debugging | | [aws\_iam\_instance\_profile\_managed\_ng\_name](#output\_aws\_iam\_instance\_profile\_managed\_ng\_name) | AWS IAM instance profile managed node group name | | [aws\_iam\_instance\_profile\_self\_managed\_ng\_name](#output\_aws\_iam\_instance\_profile\_self\_managed\_ng\_name) | AWS IAM instance profile self managed node group name | | [aws\_iam\_role\_managed\_ng\_arn](#output\_aws\_iam\_role\_managed\_ng\_arn) | AWS IAM role managed node group ARN | | [aws\_iam\_role\_self\_managed\_ng\_arn](#output\_aws\_iam\_role\_self\_managed\_ng\_arn) | AWS IAM role self managed node group ARN | -| [configure\_kubectl](#output\_configure\_kubectl) | Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig | -| [eks\_cluster\_certificate\_authority\_data](#output\_eks\_cluster\_certificate\_authority\_data) | EKS cluster certificate authority data | -| [eks\_cluster\_endpoint](#output\_eks\_cluster\_endpoint) | EKS cluster endpoint | -| [eks\_cluster\_id](#output\_eks\_cluster\_id) | EKS cluster ID | -| [eks\_managed\_nodegroup\_arns](#output\_eks\_managed\_nodegroup\_arns) | EKS managed node group arns | -| 
[eks\_managed\_nodegroup\_ids](#output\_eks\_managed\_nodegroup\_ids) | EKS managed node group ids | -| [eks\_managed\_nodegroup\_role\_name](#output\_eks\_managed\_nodegroup\_role\_name) | EKS managed node group role name | -| [eks\_managed\_nodegroup\_status](#output\_eks\_managed\_nodegroup\_status) | EKS managed node group status | -| [eks\_managed\_nodegroups](#output\_eks\_managed\_nodegroups) | EKS managed node groups | -| [eks\_oidc\_provider\_arn](#output\_eks\_oidc\_provider\_arn) | EKS OIDC provider ARN | +| [cluster\_certificate\_authority\_data](#output\_cluster\_certificate\_authority\_data) | EKS cluster certificate authority data | +| [cluster\_endpoint](#output\_cluster\_endpoint) | EKS cluster endpoint | +| [cluster\_name](#output\_cluster\_name) | The name of the EKS cluster | +| [managed\_nodegroups](#output\_managed\_nodegroups) | EKS managed node groups | +| [oidc\_provider](#output\_oidc\_provider) | The OpenID Connect identity provider (issuer URL without leading `https://`) | +| [oidc\_provider\_arn](#output\_oidc\_provider\_arn) | EKS OIDC provider ARN | | [region](#output\_region) | AWS region | diff --git a/modules/eks/data.tf b/modules/eks/data.tf index 3d76c5ae..0137724f 100644 --- a/modules/eks/data.tf +++ b/modules/eks/data.tf @@ -1,5 +1,5 @@ data "aws_eks_cluster_auth" "this" { - name = module.eks_blueprints.eks_cluster_id + name = module.aws_eks.cluster_name } data "aws_availability_zones" "available" { @@ -14,7 +14,7 @@ data "aws_ami" "amazonlinux2eks" { filter { name = "name" - values = ["amazon-eks-node-${var.eks_k8s_version}-*"] + values = ["amazon-eks-node-${var.cluster_version}-*"] } owners = ["amazon"] diff --git a/modules/eks/eks-addons.tf b/modules/eks/eks-addons.tf index f5cb9109..34b67cbb 100644 --- a/modules/eks/eks-addons.tf +++ b/modules/eks/eks-addons.tf 
@@ -5,13 +5,13 @@ module "eks_blueprints_kubernetes_addons" { source = "git::https://github.com/aws-ia/terraform-aws-eks-blueprints.git//modules/kubernetes-addons?ref=v4.24.0" - depends_on = [module.eks_blueprints] + depends_on = [module.aws_eks] - eks_cluster_id = module.eks_blueprints.eks_cluster_id - eks_cluster_endpoint = module.eks_blueprints.eks_cluster_endpoint - eks_oidc_provider = module.eks_blueprints.oidc_provider - eks_cluster_version = module.eks_blueprints.eks_cluster_version - auto_scaling_group_names = module.eks_blueprints.self_managed_node_group_autoscaling_groups + eks_cluster_id = module.aws_eks.cluster_name + eks_cluster_endpoint = module.aws_eks.cluster_endpoint + eks_oidc_provider = module.aws_eks.oidc_provider + eks_cluster_version = module.aws_eks.cluster_version + auto_scaling_group_names = lookup(module.aws_eks.self_managed_node_groups, "autoscaling_group_name", []) # EKS Managed Add-ons # VPC CNI - This needs to be done outside of the blueprints module diff --git a/modules/eks/k8s-manifests.tf b/modules/eks/k8s-manifests.tf index 2d94e117..a91338f9 100644 --- a/modules/eks/k8s-manifests.tf +++ b/modules/eks/k8s-manifests.tf @@ -1,19 +1,23 @@ ################################################################################ # VPC-CNI Custom Networking ENIConfig ################################################################################ +locals { + vpc_cni_custom_subnet_map = { for key, value in var.vpc_cni_custom_subnet : key => value } +} -resource "kubectl_manifest" "eni_config" { - for_each = toset(module.vpc.intra_subnets) +#using lookup function below to deal with terraform for_each not existing errors, race condition. We default on purpose. +resource "kubectl_manifest" "vpc_cni_eni_config" { + for_each = local.vpc_cni_custom_subnet_map yaml_body = < Date: Mon, 13 Mar 2023 18:58:19 -0700 Subject: [PATCH 05/46] make comments more better --- modules/eks/k8s-manifests.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
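Review bot: `auto_scaling_group_names = lookup(module.aws_eks.self_managed_node_groups, "autoscaling_group_name", [])` looks wrong: that output is a map keyed by node-group name (the example main.tf uses the key `self_mg1`), so `lookup` for the key `"autoscaling_group_name"` always falls back to `[]` and the node termination handler receives no ASGs. The intended value is presumably the attribute of each group, e.g. `auto_scaling_group_names = [for ng in values(module.aws_eks.self_managed_node_groups) : ng.autoscaling_group_name]`. The `concat(lookup(...), lookup(module.aws_eks.eks_managed_node_groups, "node_group_autoscaling_group_names", []))` form in PATCH 07's eks-addons.tf hunk has the same problem for both maps. The module block continues outside the hunk.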
diff --git a/modules/eks/k8s-manifests.tf b/modules/eks/k8s-manifests.tf index a91338f9..1160b78b 100644 --- a/modules/eks/k8s-manifests.tf +++ b/modules/eks/k8s-manifests.tf @@ -5,7 +5,9 @@ locals { vpc_cni_custom_subnet_map = { for key, value in var.vpc_cni_custom_subnet : key => value } } -#using lookup function below to deal with terraform for_each not existing errors, race condition. We default on purpose. +# using lookup function below to deal with terraform's "for_each not existing.." race condition errors. +# We fail on purpose looking up "NOTHING" in an empty map. +# lookup() is considered a "non-eager" terraform function allowing you to work around this issue. resource "kubectl_manifest" "vpc_cni_eni_config" { for_each = local.vpc_cni_custom_subnet_map From e01bc8090255bfa87547b7d27b7ef1a550de90e8 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 13 Mar 2023 20:05:28 -0700 Subject: [PATCH 06/46] add source --- modules/eks/k8s-manifests.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/eks/k8s-manifests.tf b/modules/eks/k8s-manifests.tf index 1160b78b..5283e4b8 100644 --- a/modules/eks/k8s-manifests.tf +++ b/modules/eks/k8s-manifests.tf @@ -8,6 +8,7 @@ locals { # using lookup function below to deal with terraform's "for_each not existing.." race condition errors. # We fail on purpose looking up "NOTHING" in an empty map. # lookup() is considered a "non-eager" terraform function allowing you to work around this issue. +# see: https://github.com/clowdhaus/terraform-for-each-unknown resource "kubectl_manifest" "vpc_cni_eni_config" { for_each = local.vpc_cni_custom_subnet_map From f07bf6ece950d855f85c4d60c08a5275989b7119 Mon Sep 17 00:00:00 2001 
From: Zack Annexstein Date: Tue, 14 Mar 2023 19:34:45 -0700 Subject: [PATCH 07/46] refactoring from blueprints logic --- .../.terraform.lock.hcl | 41 ++++++------- .../README.md | 4 +- .../bigbang-dependencies.tf | 2 +- .../main.tf | 31 +++------- .../providers.tf | 60 +++++++++---------- .../variables.tf | 2 +- modules/eks/README.md | 4 +- modules/eks/data.tf | 2 + modules/eks/eks-addons.tf | 4 +- modules/eks/locals.tf | 7 +++ modules/eks/main.tf | 6 +- modules/eks/variables.tf | 8 ++- 12 files changed, 84 insertions(+), 87 deletions(-) diff --git a/examples/complete-self-managed-ng-intra-subnets/.terraform.lock.hcl b/examples/complete-self-managed-ng-intra-subnets/.terraform.lock.hcl index 339ec1be..257d5c52 100644 --- a/examples/complete-self-managed-ng-intra-subnets/.terraform.lock.hcl +++ b/examples/complete-self-managed-ng-intra-subnets/.terraform.lock.hcl @@ -6,7 +6,6 @@ provider "registry.terraform.io/gavinbunney/kubectl" { constraints = ">= 1.14.0" hashes = [ "h1:ItrWfCZMzM2JmvDncihBMalNLutsAk7kyyxVRaipftY=", - "h1:mX2AOFIMIxJmW5kM8DT51gloIOKCr9iT6W8yodnUyfs=", "zh:0350f3122ff711984bbc36f6093c1fe19043173fad5a904bce27f86afe3cc858", "zh:07ca36c7aa7533e8325b38232c77c04d6ef1081cb0bac9d56e8ccd51f12f2030", "zh:0c351afd91d9e994a71fe64bbd1662d0024006b3493bb61d46c23ea3e42a7cf5", 
@@ -20,25 +19,25 @@ provider "registry.terraform.io/gavinbunney/kubectl" { } provider "registry.terraform.io/hashicorp/aws" { - version = "4.57.1" + version = "4.58.0" constraints = ">= 3.28.0, >= 3.29.0, >= 3.72.0, >= 3.73.0, >= 4.9.0, >= 4.10.0, >= 4.13.0, >= 4.45.0, >= 4.47.0" hashes = [ - "h1:Qfq7Q9aCQqdl7w439mCMm89126n8DsDAmg6H8gXhnLI=", - "zh:44200c213ddb138df80d2a5ad86c2ebadbb5fd1d08cd7e4fc56ec6dca927659b", - "zh:469e6fe6a9e99e60cb168d32f05e2e9a83cf161f39160d075ff96f7674c510e1", - "zh:6110ba2c15a2268652ec9ea3797dd0216de84ece428055c49eaf9caa2be1ed62", - "zh:62ed7348acca44f64fc087e879e01cfa4e084c7600cc91e8bb7683f8065a9c79", - "zh:7a80e6fa9b35be178bb566093f7984dd6ffb7ad9d40b9dd5d5907f054f0c3e60", - "zh:8793043c8575a598c1a7cbefcb65ee1776b0061eba719098e552a3adc88f3090", + "h1:YIRXIr1ji0HLWLU0ae+UbUNOHc9MJaLrMHxH3LIQ/Vk=", + "zh:14b2b2dfbc7ee705c412d762b1485ee08958c816a64ac74f5769e946e4a1d265", + "zh:17a37e6825e2023b18987d31c0cbb9336654ea146b68e6c90710ea4636af71ae", + "zh:273127c69fb244577e5c136c46164d34f77b0c956c18d27f63d1072dd558f924", + "zh:4b2b6416d34fb3e1051c99d2a84045b136976140e34381d5fbf90e32db15272e", + "zh:7e6a8571ff15d51f892776265642ee01004b8553fd4f6f2014b6f3f2834670c7", + "zh:847c76ab2381b66666d0f79cf1ac697b5bfd0d9c3009fd11bc6ad6545d1eb427", + "zh:9a52cae08ba8d27d0639a8d2b8c61591027883058bf0cc5a639cffe1e299f019", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a777a0082114e273b7b3eb14095a3f6f6e703c1aff61ffb1f0846bb869e6dfc7", - "zh:b060c3b2973097f2087a98ac6aad7c9c89fe80f7cf3027019049feafc3f8305b", - "zh:e7035e74563f4486848ea1feb60852175353790bc374e0e97e241a88dc0908f7", - "zh:eaaa8e9eba09ada41e13116d53d4baece04fead8fcf3eab68cca3a67ed738e18", - "zh:ec52d8f95a84fad8fe1aae169c89d0c54d5401f75caae0869ad8182c6b6db65b", - "zh:f0e33174025b1b57ecfbdd09f2a59c2559ee94d7681e5ae09079e2822ec54ecf", - "zh:f69790a21380e5aab9303a252564737333e1e95b5d25567681630e49b17e3ec7", - 
"zh:ff6053942c40a99904bd407f3c082c1fa8f927ecce0374566eb7e8ee8145e582", + "zh:9df647e8322d6f94f1843366ba39d21c4b36c8e7dcdc03711d52e27f73b0e974", + "zh:9e52037e68409802ff913b166c30e3f2035af03865cbef0c1b03762bce853941", + "zh:a30288e7c3c904d6998d1709835d7c5800a739f8608f0837f960286a2b8b6e59", + "zh:a7f24e3bda3be566468e4ad62cef1016f68c6f5a94d2e3e979485bc05626281b", + "zh:ba326ba80f5e39829b67a6d1ce54ba52b171e5e13a0a91ef5f9170a9b0cc9ce4", + "zh:c4e3fe9f2be6e244a3dfce599f4b0be9e8fffaece64cbc65f3195f825f65489b", + "zh:f20a251af37039bb2c7612dbd2c5df3a25886b4cc78f902385a2850ea6e30d08", ] } @@ -104,9 +103,8 @@ provider "registry.terraform.io/hashicorp/kubernetes" { provider "registry.terraform.io/hashicorp/null" { version = "3.2.1" - constraints = ">= 3.0.0, >= 3.1.0" + constraints = ">= 3.0.0" hashes = [ - "h1:tSj1mL6OQ8ILGqR2mDu7OYYYWf+hoir0pf9KAQ8IzO8=", "h1:ydA0/SNRVB1o95btfshvYsmxA+jZFRZcvKzZSB+4S1M=", "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840", "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb", @@ -128,7 +126,6 @@ provider "registry.terraform.io/hashicorp/random" { constraints = ">= 3.1.0" hashes = [ "h1:saZR+mhthL0OZl4SyHXZraxyaBNVMxiZzks78nWcZ2o=", - "h1:tL3katm68lX+4lAncjQA9AXL4GR/VM+RPwqYf4D2X8Q=", "zh:41c53ba47085d8261590990f8633c8906696fa0a3c4b384ff6a7ecbf84339752", "zh:59d98081c4475f2ad77d881c4412c5129c56214892f490adf11c7e7a5a47de9b", "zh:686ad1ee40b812b9e016317e7f34c0d63ef837e084dea4a1f578f64a6314ad53", @@ -146,9 +143,8 @@ provider "registry.terraform.io/hashicorp/random" { provider "registry.terraform.io/hashicorp/time" { version = "0.9.1" - constraints = ">= 0.7.0, >= 0.8.0" + constraints = ">= 0.7.0, >= 0.8.0, >= 0.9.0" hashes = [ - "h1:UHcDnIYFZ00uoou0TwPGMwOrE8gTkoRephIvdwDAK70=", "h1:VxyoYYOCaJGDmLz4TruZQTSfQhvwEcMxvcKclWdnpbs=", "zh:00a1476ecf18c735cc08e27bfa835c33f8ac8fa6fa746b01cd3bcbad8ca84f7f", "zh:3007f8fc4a4f8614c43e8ef1d4b0c773a5de1dcac50e701d8abc9fdc8fcb6bf5", 
@@ -170,7 +166,6 @@ provider "registry.terraform.io/hashicorp/tls" { constraints = ">= 3.0.0" hashes = [ "h1:GZcFizg5ZT2VrpwvxGBHQ/hO9r6g0vYdQqx3bFD3anY=", - "h1:Wd3RqmQW60k2QWPN4sK5CtjGuO1d+CRNXgC+D4rKtXc=", "zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55", "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848", "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be", diff --git a/examples/complete-self-managed-ng-intra-subnets/README.md b/examples/complete-self-managed-ng-intra-subnets/README.md index d29fdcf7..566b6259 100644 --- a/examples/complete-self-managed-ng-intra-subnets/README.md +++ b/examples/complete-self-managed-ng-intra-subnets/README.md @@ -198,7 +198,7 @@ terraform destroy -auto-approve | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.57.1 | +| [aws](#provider\_aws) | 4.58.0 | ## Modules 
@@ -233,7 +233,7 @@ terraform destroy -auto-approve | [amazon\_eks\_vpc\_cni\_most\_recent](#input\_amazon\_eks\_vpc\_cni\_most\_recent) | HANDLED by EKS module, not blueprints: Deploy most recent VPC CNI add-on | `bool` | `true` | no | | [amazon\_eks\_vpc\_cni\_resolve\_conflict](#input\_amazon\_eks\_vpc\_cni\_resolve\_conflict) | HANDLED by EKS module, not blueprints: Conflict resolution strategy of VPC CNI add-on deployment via eks module | `string` | `"OVERWRITE"` | no | | [assign\_public\_ip](#input\_assign\_public\_ip) | Whether to assign a public IP to the bastion | `bool` | `false` | no | -| [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with authorized access to KMS and EKS resources | `list(string)` | n/a | yes | +| [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with admin access to KMS and EKS resources | `list(string)` | n/a | yes | | [aws\_node\_termination\_handler\_helm\_config](#input\_aws\_node\_termination\_handler\_helm\_config) | AWS Node Termination Handler Helm Chart config | `any` | `{}` | no | | [aws\_profile](#input\_aws\_profile) | The AWS profile to use for deployment | `string` | n/a | yes | | [bastion\_ami\_id](#input\_bastion\_ami\_id) | (Optional) The AMI ID to use for the bastion, will query the latest Amazon Linux 2 AMI if not provided | `string` | `""` | no | diff --git a/examples/complete-self-managed-ng-intra-subnets/bigbang-dependencies.tf b/examples/complete-self-managed-ng-intra-subnets/bigbang-dependencies.tf index 5fe2503e..1f9a828b 100644 --- a/examples/complete-self-managed-ng-intra-subnets/bigbang-dependencies.tf +++ b/examples/complete-self-managed-ng-intra-subnets/bigbang-dependencies.tf 
@@ -34,7 +34,7 @@ module "loki_s3_bucket" { cluster_name = module.eks.cluster_name policy_name_prefix = "loki-s3-policy" bucket_prefix = "loki-s3" - kms_key_alias = "loki-s3" + kms_key_alias = "zack-loki-s3" kubernetes_service_account = "logging-loki-s3-sa" kubernetes_namespace = "logging" irsa_iam_role_name = "${module.eks.cluster_name}-logging-loki-sa-role" diff --git a/examples/complete-self-managed-ng-intra-subnets/main.tf b/examples/complete-self-managed-ng-intra-subnets/main.tf index 5a5b2e94..2178a9ef 100644 --- a/examples/complete-self-managed-ng-intra-subnets/main.tf +++ b/examples/complete-self-managed-ng-intra-subnets/main.tf @@ -5,13 +5,6 @@ locals { Blueprint = replace(basename(path.cwd), "_", "-") # tag names based on the directory name GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints" } - admin_arns = [for admin_user in var.aws_admin_usernames : "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${admin_user}"] - aws_auth_users = [for admin_user in var.aws_admin_usernames : { - userarn = "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${admin_user}" - username = admin_user - groups = ["system:masters"] - } - ] } data "aws_ami" "amazonlinux2" { @@ -84,9 +77,6 @@ module "bastion" { tags = { Function = "bastion-ssm" } - depends_on = [ - module.vpc - ] } ########################################################### @@ -105,7 +95,7 @@ module "eks" { source_security_group_id = module.bastion.security_group_ids[0] cluster_endpoint_public_access = var.cluster_endpoint_public_access cluster_endpoint_private_access = true - kms_key_administrators = local.admin_arns + aws_admin_usernames = var.aws_admin_usernames cluster_version = var.cluster_version bastion_role_arn = module.bastion.bastion_role_arn bastion_role_name = module.bastion.bastion_role_name 
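Review bot: `kms_key_alias = "zack-loki-s3"` replaces the generic alias with what reads as a personal test name in a shipped example; the commit is described as a refactor, so this looks like local debris. Since KMS aliases must be unique per account and region, a fixed literal also collides as soon as two clusters from this example share an account — deriving it from the cluster name avoids both problems, e.g. `kms_key_alias = "${module.eks.cluster_name}-loki-s3"`, consistent with how `irsa_iam_role_name` is built two lines below. The `module "loki_s3_bucket"` block starts and ends outside the hunk.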
@@ -113,18 +103,19 @@ module "eks" { #AWS_AUTH manage_aws_auth_configmap = var.manage_aws_auth_configmap create_aws_auth_configmap = var.create_aws_auth_configmap - aws_auth_users = local.aws_auth_users enable_managed_nodegroups = false self_managed_node_groups = { self_mg1 = { - node_group_name = "self_mg1" - subnet_ids = module.vpc.private_subnets - create_launch_template = true - launch_template_os = "amazonlinux2eks" # amazonlinux2eks or bottlerocket or windows - custom_ami_id = "" # Bring your own custom AMI generated by Packer/ImageBuilder/Puppet etc. + node_group_name = "self_mg1" + subnet_ids = module.vpc.private_subnets + + min_size = 1 + max_size = 5 + desired_size = 3 + # ami_id = "" # defaults to amazon linux 2 eks matching k8s version upstream create_iam_role = false # Changing `create_iam_role=false` to bring your own IAM Role iam_role_arn = module.eks.aws_iam_role_self_managed_ng_arn # custom IAM role for aws-auth mapping; used when create_iam_role = false iam_instance_profile_name = module.eks.aws_iam_instance_profile_self_managed_ng_name # IAM instance profile name for Launch templates; used when create_iam_role = false @@ -143,7 +134,7 @@ module "eks" { enable_metadata_options = false - pre_userdata = <<-EOT + pre_bootstrap_userdata = <<-EOT yum install -y amazon-ssm-agent systemctl enable amazon-ssm-agent && systemctl start amazon-ssm-agent EOT @@ -231,8 +222,4 @@ module "eks" { # EKS Cluster Autoscaler enable_cluster_autoscaler = var.enable_cluster_autoscaler cluster_autoscaler_helm_config = var.cluster_autoscaler_helm_config - - depends_on = [ - module.vpc - ] } diff --git a/examples/complete-self-managed-ng-intra-subnets/providers.tf b/examples/complete-self-managed-ng-intra-subnets/providers.tf index d4731526..f1d0f58e 100644 --- a/examples/complete-self-managed-ng-intra-subnets/providers.tf +++ b/examples/complete-self-managed-ng-intra-subnets/providers.tf 
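Review bot: `enable_metadata_options = false` (context line in the `@@ -143,7 +134,7 @@` hunk) and `node_group_name` in this hunk are keys from the blueprints-era self-managed node group schema; the commit renames `pre_userdata` to `pre_bootstrap_userdata` for the new module but leaves these, and since the map is typed `any` they are most likely ignored rather than rejected. In terraform-aws-eks the node group's `metadata_options` default enforces IMDSv2 (`http_tokens = "required"`) as far as I recall, so whatever relaxation `enable_metadata_options = false` was meant to express no longer takes effect — confirm the intended IMDS posture and either drop the stale key or set `metadata_options` explicitly. The `module "eks"` block starts and ends outside the hunk.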
@@ -22,35 +22,35 @@ provider "aws" { } } -# provider "kubernetes" { -# host = data.aws_eks_cluster.example.endpoint -# cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data) -# exec { -# api_version = "client.authentication.k8s.io/v1" -# args = ["eks", "get-token", "--cluster-name", var.cluster_name] -# command = "aws" -# } -# } +provider "kubernetes" { + host = data.aws_eks_cluster.example.endpoint + cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data) + exec { + api_version = "client.authentication.k8s.io/v1" + args = ["eks", "get-token", "--cluster-name", var.cluster_name] + command = "aws" + } +} -# provider "helm" { -# kubernetes { -# host = data.aws_eks_cluster.example.endpoint -# cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data) -# exec { -# api_version = "client.authentication.k8s.io/v1" -# args = ["eks", "get-token", "--cluster-name", var.cluster_name] -# command = "aws" -# } -# } -# } +provider "helm" { + kubernetes { + host = data.aws_eks_cluster.example.endpoint + cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data) + exec { + api_version = "client.authentication.k8s.io/v1" + args = ["eks", "get-token", "--cluster-name", var.cluster_name] + command = "aws" + } + } +} -# provider "kubectl" { -# apply_retry_count = 5 -# host = data.aws_eks_cluster.example.endpoint -# cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data) -# exec { -# api_version = "client.authentication.k8s.io/v1" -# args = ["eks", "get-token", "--cluster-name", var.cluster_name] -# command = "aws" -# } -# } +provider "kubectl" { + apply_retry_count = 5 + host = data.aws_eks_cluster.example.endpoint + cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data) + exec { + api_version = "client.authentication.k8s.io/v1beta1" + args = 
["eks", "get-token", "--cluster-name", var.cluster_name] + command = "aws" + } +} diff --git a/examples/complete-self-managed-ng-intra-subnets/variables.tf b/examples/complete-self-managed-ng-intra-subnets/variables.tf index 51de8ede..868d9002 100644 --- a/examples/complete-self-managed-ng-intra-subnets/variables.tf +++ b/examples/complete-self-managed-ng-intra-subnets/variables.tf @@ -22,7 +22,7 @@ variable "aws_profile" { } variable "aws_admin_usernames" { - description = "A list of one or more AWS usernames with authorized access to KMS and EKS resources" + description = "A list of one or more AWS usernames with admin access to KMS and EKS resources" type = list(string) } diff --git a/modules/eks/README.md b/modules/eks/README.md index 45725a18..b37e76b1 100644 --- a/modules/eks/README.md +++ b/modules/eks/README.md @@ -42,6 +42,7 @@ To view examples for how you can leverage this EKS Module, please see the [examp | [kubectl_manifest.vpc_cni_eni_config](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource | | [aws_ami.amazonlinux2eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_eks_cluster_auth.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | | [aws_iam_policy_document.managed_ng_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.self_managed_ng_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 
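Review bot: The kubectl provider's exec block declares `api_version = "client.authentication.k8s.io/v1beta1"` while the kubernetes and helm providers uncommented just above use `client.authentication.k8s.io/v1`; all three run the same `aws eks get-token`, and the declared version has to match what the installed CLI emits, so for any given CLI version at least one of these is wrong. Use one value in all three exec blocks. The blocks also reference `data.aws_eks_cluster.example`, which is not in the hunk — confirm it exists now that the providers are live.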
@@ -55,10 +56,11 @@ To view examples for how you can leverage this EKS Module, please see the [examp | [amazon\_eks\_coredns\_config](#input\_amazon\_eks\_coredns\_config) | Configuration for Amazon CoreDNS EKS add-on | `any` | `{}` | no | | [amazon\_eks\_kube\_proxy\_config](#input\_amazon\_eks\_kube\_proxy\_config) | ConfigMap for Amazon EKS Kube-Proxy add-on | `any` | `{}` | no | | [amazon\_eks\_vpc\_cni\_before\_compute](#input\_amazon\_eks\_vpc\_cni\_before\_compute) | HANDLED by EKS module, not blueprints: Deploy VPC CNI add-on before compute nodes | `bool` | `true` | no | -| [amazon\_eks\_vpc\_cni\_configuration\_values](#input\_amazon\_eks\_vpc\_cni\_configuration\_values) | HANDLED by EKS module, not blueprints: ConfigMap of Amazon EKS VPC CNI add-on | `any` |
{
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
}
| no | +| [amazon\_eks\_vpc\_cni\_configuration\_values](#input\_amazon\_eks\_vpc\_cni\_configuration\_values) | Config of Amazon EKS VPC CNI add-on, HCL format that will be jsonencoded | `any` |
{
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
}
| no | | [amazon\_eks\_vpc\_cni\_most\_recent](#input\_amazon\_eks\_vpc\_cni\_most\_recent) | HANDLED by EKS module, not blueprints: Deploy most recent VPC CNI add-on | `bool` | `true` | no | | [amazon\_eks\_vpc\_cni\_resolve\_conflict](#input\_amazon\_eks\_vpc\_cni\_resolve\_conflict) | HANDLED by EKS module, not blueprints: Conflict resolution strategy of VPC CNI add-on deployment via eks module | `string` | `"OVERWRITE"` | no | | [aws\_account](#input\_aws\_account) | n/a | `string` | `""` | no | +| [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with authorized access to KMS and EKS resources | `list(string)` | `[]` | no | | [aws\_auth\_users](#input\_aws\_auth\_users) | List of map of users to add to aws-auth configmap |
list(object({
userarn = string
username = string
groups = list(string)
}))
| `[]` | no | | [aws\_node\_termination\_handler\_helm\_config](#input\_aws\_node\_termination\_handler\_helm\_config) | AWS Node Termination Handler Helm Chart config | `any` | `{}` | no | | [aws\_region](#input\_aws\_region) | n/a | `string` | `""` | no | diff --git a/modules/eks/data.tf b/modules/eks/data.tf index 0137724f..6b948a63 100644 --- a/modules/eks/data.tf +++ b/modules/eks/data.tf @@ -2,6 +2,8 @@ data "aws_eks_cluster_auth" "this" { name = module.aws_eks.cluster_name } +data "aws_caller_identity" "current" {} + data "aws_availability_zones" "available" { filter { name = "opt-in-status" diff --git a/modules/eks/eks-addons.tf b/modules/eks/eks-addons.tf index 34b67cbb..e6be977b 100644 --- a/modules/eks/eks-addons.tf +++ b/modules/eks/eks-addons.tf @@ -5,13 +5,11 @@ module "eks_blueprints_kubernetes_addons" { source = "git::https://github.com/aws-ia/terraform-aws-eks-blueprints.git//modules/kubernetes-addons?ref=v4.24.0" - depends_on = [module.aws_eks] - eks_cluster_id = module.aws_eks.cluster_name eks_cluster_endpoint = module.aws_eks.cluster_endpoint eks_oidc_provider = module.aws_eks.oidc_provider eks_cluster_version = module.aws_eks.cluster_version - auto_scaling_group_names = lookup(module.aws_eks.self_managed_node_groups, "autoscaling_group_name", []) + auto_scaling_group_names = concat(lookup(module.aws_eks.self_managed_node_groups, "autoscaling_group_name", []), lookup(module.aws_eks.eks_managed_node_groups, "node_group_autoscaling_group_names", [])) # EKS Managed Add-ons # VPC CNI - This needs to be done outside of the blueprints module diff --git a/modules/eks/locals.tf b/modules/eks/locals.tf index 057a3d1f..eec392a7 100644 --- a/modules/eks/locals.tf +++ b/modules/eks/locals.tf 
@@ -6,6 +6,13 @@ locals { Blueprint = var.name GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints" } + admin_arns = [for admin_user in var.aws_admin_usernames : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:user/${admin_user}"] + aws_auth_users = [for admin_user in var.aws_admin_usernames : { + userarn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:user/${admin_user}" + username = admin_user + groups = ["system:masters"] + } + ] cluster_addons = { #if enabled, pass in config vars, else null diff --git a/modules/eks/main.tf b/modules/eks/main.tf index 988cf4e5..cab494d7 100644 --- a/modules/eks/main.tf +++ b/modules/eks/main.tf @@ -77,8 +77,8 @@ module "aws_eks" { manage_aws_auth_configmap = var.manage_aws_auth_configmap create_aws_auth_configmap = var.create_aws_auth_configmap - kms_key_administrators = var.kms_key_administrators - aws_auth_users = var.aws_auth_users + kms_key_administrators = distinct(concat(local.admin_arns, var.kms_key_administrators)) + aws_auth_users = distinct(concat(local.aws_auth_users, var.aws_auth_users)) aws_auth_roles = [ { rolearn = aws_iam_role.auth_eks_role.arn @@ -103,7 +103,7 @@ resource "aws_iam_role" "auth_eks_role" { { "Action": "sts:AssumeRole", "Principal": { - "AWS": ${length(var.kms_key_administrators) == 0 ? "[]" : jsonencode(var.kms_key_administrators)} + "AWS": ${length(local.admin_arns) == 0 ? "[]" : jsonencode(local.admin_arns)} }, "Effect": "Allow", "Sid": "" diff --git a/modules/eks/variables.tf b/modules/eks/variables.tf index 539669cb..4ab1043b 100644 --- a/modules/eks/variables.tf +++ b/modules/eks/variables.tf 
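Review bot: `admin_arns` and `aws_auth_users` build the identical IAM user ARN string twice; derive the second from the first so the two cannot drift, e.g. `aws_auth_users = [for i, arn in local.admin_arns : { userarn = arn, username = var.aws_admin_usernames[i], groups = ["system:masters"] }]`. Every listed name is mapped to `system:masters`, which is full cluster-admin, and nothing near the code says so; a comment above `admin_arns` such as `# each name in var.aws_admin_usernames is resolved to an IAM user in the current account/partition and granted system:masters in aws-auth plus KMS key administration` would make the blast radius visible to the next maintainer. `data.aws_partition.current` is referenced here but not added in this commit's data.tf hunk, so presumably it already exists. The locals block continues outside the hunk.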
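Review bot: The trust policy of `aws_iam_role.auth_eks_role` now names only `local.admin_arns` as principals, while the earlier hunk in the same file passes `distinct(concat(local.admin_arns, var.kms_key_administrators))` as `kms_key_administrators`; an ARN supplied through `var.kms_key_administrators` therefore becomes a KMS key administrator but, unlike before this change, can no longer assume the auth role. If that asymmetry is intended, say so on the variable; otherwise use the same union here, `"AWS": ${length(local.admin_arns) == 0 && length(var.kms_key_administrators) == 0 ? "[]" : jsonencode(distinct(concat(local.admin_arns, var.kms_key_administrators)))}`. When no admins are configured the statement renders as `"AWS": []`, which IAM may reject as an invalid principal — worth verifying before relying on that path. The policy document and resource continue outside the hunk.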
@@ -60,6 +60,12 @@ variable "kms_key_administrators" { default = [] } +variable "aws_admin_usernames" { + description = "A list of one or more AWS usernames with authorized access to KMS and EKS resources" + type = list(string) + default = [] +} + variable "manage_aws_auth_configmap" { description = "Determines whether to manage the aws-auth configmap" type = bool @@ -170,7 +176,7 @@ variable "amazon_eks_vpc_cni_resolve_conflict" { } variable "amazon_eks_vpc_cni_configuration_values" { - description = "HANDLED by EKS module, not blueprints: ConfigMap of Amazon EKS VPC CNI add-on" + description = "Config of Amazon EKS VPC CNI add-on, HCL format that will be jsonencoded" type = any default = { # Reference https://aws.github.io/aws-eks-best-practices/reliability/docs/networkmanagement/#cni-custom-networking From 4cd2b976b2a572ffc040c1976eec77f767745243 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Wed, 15 Mar 2023 19:30:32 -0700 Subject: [PATCH 08/46] working cluster deployment --- .../README.md | 1 + .../bigbang-dependencies.tf | 2 +- .../main.tf | 89 +++++++------ .../variables.tf | 6 + modules/eks/README.md | 10 +- modules/eks/eks-addons.tf | 5 - modules/eks/main.tf | 117 +++++++++--------- modules/eks/outputs.tf | 32 ++--- modules/eks/variables.tf | 14 ++- 9 files changed, 144 insertions(+), 132 deletions(-) diff --git a/examples/complete-self-managed-ng-intra-subnets/README.md b/examples/complete-self-managed-ng-intra-subnets/README.md index 566b6259..136ea062 100644 --- a/examples/complete-self-managed-ng-intra-subnets/README.md +++ b/examples/complete-self-managed-ng-intra-subnets/README.md 
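Review bot: The description of the new `aws_admin_usernames` variable, "authorized access to KMS and EKS resources", understates what the module does with it: each name is mapped to `system:masters` in aws-auth and added as a KMS key administrator, and the ARN is built as `:user/<name>`, so IAM roles (for example SSO or assumed roles) cannot be listed. Suggest `description = "IAM user names in the current account that are mapped to system:masters in aws-auth and added as KMS key administrators; roles are not supported"` so the generated README states that this is cluster-admin. The second hunk in this file is a description-only change.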
@@ -267,6 +267,7 @@ terraform destroy -auto-approve | [kc\_db\_max\_allocated\_storage](#input\_kc\_db\_max\_allocated\_storage) | The database allocated storage to use for Keycloak | `number` | n/a | yes | | [keycloak\_db\_password](#input\_keycloak\_db\_password) | The password to use for the Keycloak database | `string` | `"my-password"` | no | | [keycloak\_enabled](#input\_keycloak\_enabled) | Whether to enable Keycloak | `bool` | `false` | no | +| [loki\_s3\_bucket\_kms\_key\_alias](#input\_loki\_s3\_bucket\_kms\_key\_alias) | The alias of the KMS key to use for the Loki S3 bucket | `string` | `""` | no | | [manage\_aws\_auth\_configmap](#input\_manage\_aws\_auth\_configmap) | Determines whether to manage the aws-auth configmap | `bool` | `false` | no | | [metrics\_server\_helm\_config](#input\_metrics\_server\_helm\_config) | Metrics Server Helm Chart config | `any` | `{}` | no | | [region](#input\_region) | The AWS region to deploy into | `string` | n/a | yes | diff --git a/examples/complete-self-managed-ng-intra-subnets/bigbang-dependencies.tf b/examples/complete-self-managed-ng-intra-subnets/bigbang-dependencies.tf index 1f9a828b..833f1974 100644 --- a/examples/complete-self-managed-ng-intra-subnets/bigbang-dependencies.tf +++ b/examples/complete-self-managed-ng-intra-subnets/bigbang-dependencies.tf @@ -34,7 +34,7 @@ module "loki_s3_bucket" { cluster_name = module.eks.cluster_name policy_name_prefix = "loki-s3-policy" bucket_prefix = "loki-s3" - kms_key_alias = "zack-loki-s3" + kms_key_alias = var.loki_s3_bucket_kms_key_alias kubernetes_service_account = "logging-loki-s3-sa" kubernetes_namespace = "logging" irsa_iam_role_name = "${module.eks.cluster_name}-logging-loki-sa-role" diff --git a/examples/complete-self-managed-ng-intra-subnets/main.tf b/examples/complete-self-managed-ng-intra-subnets/main.tf index 2178a9ef..333668f3 100644 --- a/examples/complete-self-managed-ng-intra-subnets/main.tf +++ b/examples/complete-self-managed-ng-intra-subnets/main.tf 
@@ -104,25 +104,36 @@ module "eks" { manage_aws_auth_configmap = var.manage_aws_auth_configmap create_aws_auth_configmap = var.create_aws_auth_configmap - enable_managed_nodegroups = false + ########################################################### + # Self Managed Node Groups + + self_managed_node_group_defaults = { + instance_type = "m6i.large" + update_launch_template_default_version = true + iam_role_additional_policies = { + AmazonSSMManagedInstanceCore = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore" + } # enable discovery of autoscaling groups by cluster-autoscaler + autoscaling_group_tags = { + "k8s.io/cluster-autoscaler/enabled" : true, + "k8s.io/cluster-autoscaler/${var.cluster_name}" : "owned" + } + } self_managed_node_groups = { self_mg1 = { node_group_name = "self_mg1" subnet_ids = module.vpc.private_subnets - min_size = 1 - max_size = 5 + min_size = 3 + max_size = 10 desired_size = 3 - # ami_id = "" # defaults to amazon linux 2 eks matching k8s version upstream - create_iam_role = false # Changing `create_iam_role=false` to bring your own IAM Role - iam_role_arn = module.eks.aws_iam_role_self_managed_ng_arn # custom IAM role for aws-auth mapping; used when create_iam_role = false - iam_instance_profile_name = module.eks.aws_iam_instance_profile_self_managed_ng_name # IAM instance profile name for Launch templates; used when create_iam_role = false + # ami_id = "" # defaults to latest amazon linux 2 eks ami matching k8s version in the upstream module + # create_iam_role = true # Changing `create_iam_role=false` to bring your own IAM Role + # iam_role_arn = module.eks.aws_iam_role_self_managed_ng_arn # custom IAM role for aws-auth mapping; used when create_iam_role = false + # iam_instance_profile_name = module.eks.aws_iam_instance_profile_self_managed_ng_name # IAM instance profile name for Launch templates; used when create_iam_role = false - format_mount_nvme_disk = true - public_ip = false - 
enable_monitoring = false + # format_mount_nvme_disk = true # not supported in terraform-aws-eks - logic can be added manually to userdata script as input variable placement = { affinity = null @@ -139,46 +150,46 @@ module "eks" { systemctl enable amazon-ssm-agent && systemctl start amazon-ssm-agent EOT + post_userdata = <<-EOT + echo "Bootstrap successfully completed! You can further apply config or install to run after bootstrap if needed" + EOT + # bootstrap_extra_args used only when you pass custom_ami_id. Allows you to change the Container Runtime for Nodes # e.g., bootstrap_extra_args="--use-max-pods false --container-runtime containerd" bootstrap_extra_args = "--use-max-pods false" - block_device_mappings = [ - { - device_name = "/dev/xvda" # mount point to / - volume_type = "gp3" - volume_size = 50 + block_device_mappings = { + xvda = { + device_name = "/dev/xvda" + ebs = { + volume_size = 50 + volume_type = "gp3" + } }, - { - device_name = "/dev/xvdf" # mount point to /local1 (it could be local2, depending upon the disks are attached during boot) - volume_type = "gp3" - volume_size = 80 - iops = 3000 - throughput = 125 + xvdf = { + device_name = "/dev/xvdf" + ebs = { + volume_size = 80 + volume_type = "gp3" + iops = 3000 + throughput = 125 + } }, - { - device_name = "/dev/xvdg" # mount point to /local2 (it could be local1, depending upon the disks are attached during boot) - volume_type = "gp3" - volume_size = 100 - iops = 3000 - throughput = 125 + xvdg = { + device_name = "/dev/xvdg" + ebs = { + volume_size = 100 + volume_type = "gp3" + iops = 3000 + throughput = 125 + } } - ] + } instance_type = "m5.xlarge" - desired_size = 3 - max_size = 10 - min_size = 3 capacity_type = "" # Optional Use this only for SPOT capacity as capacity_type = "spot" - k8s_labels = { - Environment = "preprod" - Zone = "test" - } - - additional_tags = { - ExtraTag = "m5x-on-demand" - Name = "m5x-on-demand" + tags = { subnet_type = "private" } } 
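Review bot: In the new `self_managed_node_group_defaults` block the comment `# enable discovery of autoscaling groups by cluster-autoscaler` is placed on the closing brace of `iam_role_additional_policies`, where it reads as a description of that map; put it on its own line directly above `autoscaling_group_tags`. The hunk also drops the explicit `public_ip = false` (and, judging by the cut at the start of L175, possibly `enable_monitoring = false`) without a replacement, so those settings now fall back to the upstream module's defaults — if that is intended, a one-line comment saying so would spare the next reader a lookup. The `module "eks"` block starts and ends outside the hunk.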
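Review bot: None of the three new `ebs` blocks under `block_device_mappings` sets `encrypted = true`, so the root volume on `/dev/xvda` and the data volumes on xvdf/xvdg will be unencrypted unless the account enforces EBS default encryption or the upstream module injects it, neither of which is visible here. Add `encrypted = true` to each `ebs` block (and `kms_key_id = <placeholder: CMK ARN>` if a customer-managed key is wanted), alongside `volume_type` and `iops`. This hunk lies inside the same `module "eks"` block, which continues past it.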
diff --git a/examples/complete-self-managed-ng-intra-subnets/variables.tf b/examples/complete-self-managed-ng-intra-subnets/variables.tf index 868d9002..00575e20 100644 --- a/examples/complete-self-managed-ng-intra-subnets/variables.tf +++ b/examples/complete-self-managed-ng-intra-subnets/variables.tf @@ -326,3 +326,9 @@ variable "zarf_version" { type = string default = "" } + +variable "loki_s3_bucket_kms_key_alias" { + description = "The alias of the KMS key to use for the Loki S3 bucket" + type = string + default = "" +} diff --git a/modules/eks/README.md b/modules/eks/README.md index b37e76b1..86408307 100644 --- a/modules/eks/README.md +++ b/modules/eks/README.md @@ -34,11 +34,7 @@ To view examples for how you can leverage this EKS Module, please see the [examp | Name | Type | |------|------| -| [aws_iam_instance_profile.managed_ng](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource | -| [aws_iam_instance_profile.self_managed_ng](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource | | [aws_iam_role.auth_eks_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role.managed_ng](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role.self_managed_ng](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [kubectl_manifest.vpc_cni_eni_config](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource | | [aws_ami.amazonlinux2eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | 
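Review bot: `loki_s3_bucket_kms_key_alias` defaults to `""`, and the bigbang-dependencies.tf hunk in this commit passes it straight into `module.loki_s3_bucket.kms_key_alias`, so a user who does not set it gets an empty alias (how the bucket module reacts to that is not visible here). Either drop the `default = ""` so Terraform requires the value — the README row in this commit would then show `n/a | yes` — or add a `validation` block that rejects the empty string.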
@@ -80,7 +76,6 @@ To view examples for how you can leverage this EKS Module, please see the [examp | [enable\_amazon\_eks\_vpc\_cni](#input\_enable\_amazon\_eks\_vpc\_cni) | HANDLED by EKS module, not blueprints: Enable VPC CNI add-on | `bool` | `true` | no | | [enable\_aws\_node\_termination\_handler](#input\_enable\_aws\_node\_termination\_handler) | Enable AWS Node Termination Handler add-on | `bool` | `false` | no | | [enable\_cluster\_autoscaler](#input\_enable\_cluster\_autoscaler) | Enable Cluster autoscaler add-on | `bool` | `false` | no | -| [enable\_managed\_nodegroups](#input\_enable\_managed\_nodegroups) | Enable managed node groups. If false, self managed node groups will be used. | `bool` | n/a | yes | | [enable\_metrics\_server](#input\_enable\_metrics\_server) | Enable metrics server add-on | `bool` | `false` | no | | [kms\_key\_administrators](#input\_kms\_key\_administrators) | List of ARNs of additional administrator users to add to KMS key policy | `list(string)` | `[]` | no | | [manage\_aws\_auth\_configmap](#input\_manage\_aws\_auth\_configmap) | Determines whether to manage the aws-auth configmap | `bool` | `false` | no | 
@@ -88,6 +83,7 @@ To view examples for how you can leverage this EKS Module, please see the [examp | [name](#input\_name) | n/a | `string` | `""` | no | | [private\_subnet\_ids](#input\_private\_subnet\_ids) | Private subnet IDs | `list(string)` | `[]` | no | | [public\_subnet\_ids](#input\_public\_subnet\_ids) | Public subnet IDs | `list(string)` | `[]` | no | +| [self\_managed\_node\_group\_defaults](#input\_self\_managed\_node\_group\_defaults) | Map of self-managed node group default configurations | `any` | `{}` | no | | [self\_managed\_node\_groups](#input\_self\_managed\_node\_groups) | Self-managed node groups configuration | `any` | `{}` | no | | [source\_security\_group\_id](#input\_source\_security\_group\_id) | List of additional rules to add to cluster security group | `string` | `""` | no | | [tenancy](#input\_tenancy) | Tenancy of the cluster | `string` | `"dedicated"` | no | 
@@ -99,10 +95,6 @@ To view examples for how you can leverage this EKS Module, please see the [examp | Name | Description | |------|-------------| | [aws\_eks](#output\_aws\_eks) | all EKS cluster outputs, just for debugging | -| [aws\_iam\_instance\_profile\_managed\_ng\_name](#output\_aws\_iam\_instance\_profile\_managed\_ng\_name) | AWS IAM instance profile managed node group name | -| [aws\_iam\_instance\_profile\_self\_managed\_ng\_name](#output\_aws\_iam\_instance\_profile\_self\_managed\_ng\_name) | AWS IAM instance profile self managed node group name | -| [aws\_iam\_role\_managed\_ng\_arn](#output\_aws\_iam\_role\_managed\_ng\_arn) | AWS IAM role managed node group ARN | -| [aws\_iam\_role\_self\_managed\_ng\_arn](#output\_aws\_iam\_role\_self\_managed\_ng\_arn) | AWS IAM role self managed node group ARN | | [cluster\_certificate\_authority\_data](#output\_cluster\_certificate\_authority\_data) | EKS cluster certificate authority data | | [cluster\_endpoint](#output\_cluster\_endpoint) | EKS cluster endpoint | | [cluster\_name](#output\_cluster\_name) | The name of the EKS cluster | diff --git a/modules/eks/eks-addons.tf b/modules/eks/eks-addons.tf index e6be977b..9afebbed 100644 --- a/modules/eks/eks-addons.tf +++ b/modules/eks/eks-addons.tf @@ -11,11 +11,6 @@ module "eks_blueprints_kubernetes_addons" { eks_cluster_version = module.aws_eks.cluster_version auto_scaling_group_names = concat(lookup(module.aws_eks.self_managed_node_groups, "autoscaling_group_name", []), lookup(module.aws_eks.eks_managed_node_groups, "node_group_autoscaling_group_names", [])) - # EKS Managed Add-ons - # VPC CNI - This needs to be done outside of the blueprints module - # enable_amazon_eks_vpc_cni = var.enable_amazon_eks_vpc_cni - # amazon_eks_vpc_cni_config = var.amazon_eks_vpc_cni_config - # EKS CoreDNS enable_amazon_eks_coredns = var.enable_amazon_eks_coredns amazon_eks_coredns_config = var.amazon_eks_coredns_config 
diff --git a/modules/eks/main.tf b/modules/eks/main.tf
index cab494d7..037329ce 100644
--- a/modules/eks/main.tf
+++ b/modules/eks/main.tf
@@ -16,8 +16,9 @@ module "aws_eks" {
 cluster_endpoint_private_access = var.cluster_endpoint_private_access
 # control_plane_subnet_ids = var.control_plane_subnet_ids #uses subnet_ids if not set
- self_managed_node_groups = var.self_managed_node_groups
- eks_managed_node_groups = var.eks_managed_node_groups
+ self_managed_node_group_defaults = var.self_managed_node_group_defaults
+ self_managed_node_groups = var.self_managed_node_groups
+ eks_managed_node_groups = var.eks_managed_node_groups
 cluster_addons = local.cluster_addons
@@ -114,78 +115,78 @@ EOF } -#--------------------------------------------------------------- -# Custom IAM role for Self Managed Node Group -#--------------------------------------------------------------- +# #--------------------------------------------------------------- +# # Custom IAM role for Self Managed Node Group +# #--------------------------------------------------------------- -resource "aws_iam_role" "self_managed_ng" { +# resource "aws_iam_role" "self_managed_ng" { - count = var.enable_managed_nodegroups == false ? 1 : 0 +# count = var.enable_managed_nodegroups == false ? 1 : 0 - name = "${var.name}-self-managed-node-role" - description = "EKS Managed Node group IAM Role" - assume_role_policy = data.aws_iam_policy_document.self_managed_ng_assume_role_policy.json - path = "/" - force_detach_policies = true - managed_policy_arns = [ - "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy", - "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEKS_CNI_Policy", - "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly", - "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore" - ] +# name = "${var.name}-self-managed-node-role" +# description = "EKS Managed Node group IAM Role" +# assume_role_policy = data.aws_iam_policy_document.self_managed_ng_assume_role_policy.json +# path = "/" +# force_detach_policies = true +# managed_policy_arns = [ +# "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy", +# "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEKS_CNI_Policy", +# "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly", +# "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore" +# ] - tags = local.tags -} +# tags = local.tags +# } -resource "aws_iam_instance_profile" "self_managed_ng" { +# resource 
"aws_iam_instance_profile" "self_managed_ng" { - count = var.enable_managed_nodegroups == false ? 1 : 0 +# count = var.enable_managed_nodegroups == false ? 1 : 0 - name = "${var.name}-self-managed-node-instance-profile" - role = aws_iam_role.self_managed_ng[count.index].name - path = "/" +# name = "${var.name}-self-managed-node-instance-profile" +# role = aws_iam_role.self_managed_ng[count.index].name +# path = "/" - lifecycle { - create_before_destroy = true - } +# lifecycle { +# create_before_destroy = true +# } - tags = local.tags -} +# tags = local.tags +# } -#--------------------------------------------------------------- -# Custom IAM role for Managed Node Group -#--------------------------------------------------------------- +# #--------------------------------------------------------------- +# # Custom IAM role for Managed Node Group +# #--------------------------------------------------------------- -resource "aws_iam_role" "managed_ng" { +# resource "aws_iam_role" "managed_ng" { - count = var.enable_managed_nodegroups == true ? 1 : 0 +# count = var.enable_managed_nodegroups == true ? 
1 : 0 - name = "${var.name}-managed-node-role" - description = "EKS Managed Node group IAM Role" - assume_role_policy = data.aws_iam_policy_document.managed_ng_assume_role_policy.json - path = "/" - force_detach_policies = true - managed_policy_arns = [ - "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy", - "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEKS_CNI_Policy", - "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly", - "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore" - ] +# name = "${var.name}-managed-node-role" +# description = "EKS Managed Node group IAM Role" +# assume_role_policy = data.aws_iam_policy_document.managed_ng_assume_role_policy.json +# path = "/" +# force_detach_policies = true +# managed_policy_arns = [ +# "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy", +# "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEKS_CNI_Policy", +# "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly", +# "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore" +# ] - tags = local.tags -} +# tags = local.tags +# } -resource "aws_iam_instance_profile" "managed_ng" { +# resource "aws_iam_instance_profile" "managed_ng" { - count = var.enable_managed_nodegroups == true ? 1 : 0 +# count = var.enable_managed_nodegroups == true ? 1 : 0 - name = "${var.name}-managed-node-instance-profile" - role = aws_iam_role.managed_ng[count.index].name - path = "/" +# name = "${var.name}-managed-node-instance-profile" +# role = aws_iam_role.managed_ng[count.index].name +# path = "/" - lifecycle { - create_before_destroy = true - } +# lifecycle { +# create_before_destroy = true +# } - tags = local.tags -} +# tags = local.tags +# } 
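Review bot: Commenting out the four `aws_iam_role`/`aws_iam_instance_profile` resources (and, in this same commit, the matching outputs in modules/eks/outputs.tf and `enable_managed_nodegroups` in modules/eks/variables.tf) leaves roughly seventy lines of dead code that still reference `var.enable_managed_nodegroups` and `data.aws_iam_policy_document.*_assume_role_policy`; because the variable is commented out too, the block cannot simply be un-commented later. Delete the lines and let git history keep them, or, if the bring-your-own-role path is meant to return, keep it live behind a boolean. A short comment at the site such as `# Node IAM roles/instance profiles are created by the upstream terraform-aws-eks module (create_iam_role defaults to true); the custom roles were removed` would explain the absence, since the example hunk in this commit appears to rely on exactly that upstream behaviour.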
diff --git a/modules/eks/outputs.tf b/modules/eks/outputs.tf index a0f105f7..fd97bca9 100644 --- a/modules/eks/outputs.tf +++ b/modules/eks/outputs.tf @@ -56,22 +56,22 @@ output "cluster_certificate_authority_data" { value = module.aws_eks.cluster_certificate_authority_data } -output "aws_iam_role_self_managed_ng_arn" { - description = "AWS IAM role self managed node group ARN" - value = try(aws_iam_role.self_managed_ng[0].arn, null) -} +# output "aws_iam_role_self_managed_ng_arn" { +# description = "AWS IAM role self managed node group ARN" +# value = try(aws_iam_role.self_managed_ng[0].arn, null) +# } -output "aws_iam_instance_profile_self_managed_ng_name" { - description = "AWS IAM instance profile self managed node group name" - value = try(aws_iam_instance_profile.self_managed_ng[0].name, null) -} +# output "aws_iam_instance_profile_self_managed_ng_name" { +# description = "AWS IAM instance profile self managed node group name" +# value = try(aws_iam_instance_profile.self_managed_ng[0].name, null) +# } -output "aws_iam_role_managed_ng_arn" { - description = "AWS IAM role managed node group ARN" - value = try(aws_iam_role.managed_ng[0].arn, null) -} +# output "aws_iam_role_managed_ng_arn" { +# description = "AWS IAM role managed node group ARN" +# value = try(aws_iam_role.managed_ng[0].arn, null) +# } -output "aws_iam_instance_profile_managed_ng_name" { - description = "AWS IAM instance profile managed node group name" - value = try(aws_iam_instance_profile.managed_ng[0].name, null) -} +# output "aws_iam_instance_profile_managed_ng_name" { +# description = "AWS IAM instance profile managed node group name" +# value = try(aws_iam_instance_profile.managed_ng[0].name, null) +# } diff --git a/modules/eks/variables.tf b/modules/eks/variables.tf index 4ab1043b..39669e68 100644 --- a/modules/eks/variables.tf +++ b/modules/eks/variables.tf 
@@ -130,10 +130,10 @@ variable "tenancy" { # Node Groups #------------------------------- -variable "enable_managed_nodegroups" { - description = "Enable managed node groups. If false, self managed node groups will be used." - type = bool -} +# variable "enable_managed_nodegroups" { +# description = "Enable managed node groups. If false, self managed node groups will be used." +# type = bool +# } variable "eks_managed_node_groups" { description = "Managed node groups configuration" @@ -147,6 +147,12 @@ variable "self_managed_node_groups" { default = {} } +variable "self_managed_node_group_defaults" { + description = "Map of self-managed node group default configurations" + type = any + default = {} +} + ########################################################### ################## EKS Addons Config ###################### From 8f26dc3db0a885db93692c11072f3e545901ecee Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Thu, 16 Mar 2023 09:05:54 -0700 Subject: [PATCH 09/46] fix outputs that are conditional --- .../outputs.tf | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/examples/complete-self-managed-ng-intra-subnets/outputs.tf b/examples/complete-self-managed-ng-intra-subnets/outputs.tf index 2146a3e6..b5d1c77f 100644 --- a/examples/complete-self-managed-ng-intra-subnets/outputs.tf +++ b/examples/complete-self-managed-ng-intra-subnets/outputs.tf 
@@ -1,40 +1,41 @@
 output "loki_s3_bucket" {
 description = "Loki S3 Bucket Name"
- value = module.loki_s3_bucket.s3_bucket
+ value = try(module.loki_s3_bucket.s3_bucket, null)
 }
 output "keycloak_db_instance_endpoint" {
 description = "The connection endpoint"
- value = module.rds_postgres_keycloak[0].db_instance_endpoint
+ value = try(module.rds_postgres_keycloak[0].db_instance_endpoint, null)
+
 }
 output "keycloak_db_instance_name" {
 description = "The database name"
- value = module.rds_postgres_keycloak[0].db_instance_name
+ value = try(module.rds_postgres_keycloak[0].db_instance_name, null)
 }
 output "keycloak_db_instance_username" {
 description = "The master username for the database"
- value = module.rds_postgres_keycloak[0].db_instance_username
+ value = try(module.rds_postgres_keycloak[0].db_instance_username, null)
 sensitive = true
 }
 output "keycloak_db_instance_port" {
 description = "The database port"
- value = module.rds_postgres_keycloak[0].db_instance_port
+ value = try(module.rds_postgres_keycloak[0].db_instance_port, null)
 }
 output "bastion_instance_id" {
 description = "The ID of the bastion host"
- value = module.bastion.instance_id
+ value = try(module.bastion.instance_id, null)
 }
 output "bastion_private_key" {
 description = "The private key for the bastion host"
- value = module.bastion.private_key
+ value = try(module.bastion.private_key, null)
 sensitive = true
 }
 output "dynamodb_name" {
 description = "Name of DynmoDB table"
- value = module.loki_s3_bucket.dynamodb_name
+ value = try(module.loki_s3_bucket.dynamodb_name, null)
 }
From 9326926525200dfa0a59e8c8de072952e108b494 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Thu, 16 Mar 2023 09:06:54 -0700 Subject: [PATCH 10/46] depends_on needed for something that isn't known until after apply --- examples/complete-self-managed-ng-intra-subnets/providers.tf | 3 +++ modules/eks/README.md | 1 + modules/eks/outputs.tf | 5 +++++ 3 files changed, 9 insertions(+)
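Review bot: The `keycloak_db_instance_endpoint` output gains a stray blank line between `value` and `}` that none of the sibling outputs has; drop it. Wrapping every value in `try(..., null)` tolerates the count-0 case but also turns any other evaluation error (a renamed upstream output, a typo in the attribute) into a silent `null`; for the `[0]`-indexed RDS outputs a splat is more precise and still yields null when the module is disabled, e.g. `value = one(module.rds_postgres_keycloak[*].db_instance_endpoint)`, provided the pinned Terraform version supports `one()`. The `try()` on `module.loki_s3_bucket.*` and `module.bastion.*` implies those modules are conditional as well, but their `count` is not visible here.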
diff --git a/examples/complete-self-managed-ng-intra-subnets/providers.tf b/examples/complete-self-managed-ng-intra-subnets/providers.tf
index f1d0f58e..acb8e25f 100644
--- a/examples/complete-self-managed-ng-intra-subnets/providers.tf
+++ b/examples/complete-self-managed-ng-intra-subnets/providers.tf
@@ -5,6 +5,9 @@ data "aws_eks_cluster_auth" "this" {
 data "aws_eks_cluster" "example" {
 name = module.eks.cluster_name
+ depends_on = [
+ module.eks.cluster_status
+ ]
 }
 provider "aws" {
diff --git a/modules/eks/README.md b/modules/eks/README.md
index 86408307..edd0b181 100644
--- a/modules/eks/README.md
+++ b/modules/eks/README.md
@@ -98,6 +98,7 @@ To view examples for how you can leverage this EKS Module, please see the [examp
 | [cluster\_certificate\_authority\_data](#output\_cluster\_certificate\_authority\_data) | EKS cluster certificate authority data |
 | [cluster\_endpoint](#output\_cluster\_endpoint) | EKS cluster endpoint |
 | [cluster\_name](#output\_cluster\_name) | The name of the EKS cluster |
+| [cluster\_status](#output\_cluster\_status) | status of the EKS cluster |
 | [managed\_nodegroups](#output\_managed\_nodegroups) | EKS managed node groups |
 | [oidc\_provider](#output\_oidc\_provider) | The OpenID Connect identity provider (issuer URL without leading `https://`) |
 | [oidc\_provider\_arn](#output\_oidc\_provider\_arn) | EKS OIDC provider ARN |
diff --git a/modules/eks/outputs.tf b/modules/eks/outputs.tf
index fd97bca9..c76017c3 100644
--- a/modules/eks/outputs.tf
+++ b/modules/eks/outputs.tf
@@ -9,6 +9,11 @@ output "cluster_name" {
 value = module.aws_eks.cluster_name
 }
+output "cluster_status" {
+ description = "status of the EKS cluster"
+ value = module.aws_eks.cluster_status
+}
 output "managed_nodegroups" {
 description = "EKS managed node groups"
 value = module.aws_eks.eks_managed_node_groups
From 5dddac247099022fe04d5d4fd87dc0deaa985243 Mon Sep 17 00:00:00 2001
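Review bot: Adding `depends_on` to `data.aws_eks_cluster.example` makes Terraform defer reading it to apply time whenever anything in `module.eks` has a pending change, and since this data source appears to feed provider configuration (the `provider "aws"` block follows; the kubernetes/kubectl provider blocks are not visible here) that surfaces on later plans as provider arguments that are not known until apply. The EKS module already exports `cluster_endpoint` and `cluster_certificate_authority_data` (listed in modules/eks/README.md in this series); wiring the providers to those outputs removes the need for the data source and for this ordering workaround. If the data source is kept, the conventional form is `depends_on = [module.eks]`, which states the dependency on the whole module rather than on one output.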
From: Zack Annexstein Date: Thu, 16 Mar 2023 13:25:02 -0700 Subject: [PATCH 11/46] cleanup vpc-cni custom config --- modules/eks/README.md | 2 +- modules/eks/k8s-manifests.tf | 17 +++++------------ modules/eks/locals.tf | 2 ++ 3 files changed, 8 insertions(+), 13 deletions(-) diff --git a/modules/eks/README.md b/modules/eks/README.md index edd0b181..b3fa70f8 100644 --- a/modules/eks/README.md +++ b/modules/eks/README.md @@ -35,7 +35,7 @@ To view examples for how you can leverage this EKS Module, please see the [examp | Name | Type | |------|------| | [aws_iam_role.auth_eks_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [kubectl_manifest.vpc_cni_eni_config](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource | +| [kubectl_manifest.eni_config](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource | | [aws_ami.amazonlinux2eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | diff --git a/modules/eks/k8s-manifests.tf b/modules/eks/k8s-manifests.tf index 5283e4b8..a6eece7e 100644 --- a/modules/eks/k8s-manifests.tf +++ b/modules/eks/k8s-manifests.tf 
@@ -1,24 +1,17 @@ ################################################################################ # VPC-CNI Custom Networking ENIConfig -################################################################################ -locals { - vpc_cni_custom_subnet_map = { for key, value in var.vpc_cni_custom_subnet : key => value } -} +# ################################################################################ -# using lookup function below to deal with terraform's "for_each not existing.." race condition errors. -# We fail on purpose looking up "NOTHING" in an empty map. -# lookup() is considered a "non-eager" terraform function allowing you to work around this issue. -# see: https://github.com/clowdhaus/terraform-for-each-unknown -resource "kubectl_manifest" "vpc_cni_eni_config" { - for_each = local.vpc_cni_custom_subnet_map +resource "kubectl_manifest" "eni_config" { + for_each = zipmap(local.azs, var.vpc_cni_custom_subnet) yaml_body = < Date: Thu, 16 Mar 2023 21:13:19 -0700 Subject: [PATCH 12/46] cleanup comments --- .../README.md | 10 +- .../main.tf | 24 ++-- .../variables.tf | 24 +++- .../versions.tf | 7 -- examples/tf-state-backend/main.tf | 3 +- modules/eks/k8s-manifests.tf | 2 +- modules/eks/locals.tf | 4 +- modules/eks/main.tf | 76 ------------- modules/eks/min-iam-policy.json | 105 ------------------ modules/eks/outputs.tf | 36 ------ modules/eks/variables.tf | 5 - 11 files changed, 39 insertions(+), 257 deletions(-) delete mode 100644 modules/eks/min-iam-policy.json diff --git a/examples/complete-self-managed-ng-intra-subnets/README.md b/examples/complete-self-managed-ng-intra-subnets/README.md index 136ea062..f3646e62 100644 --- a/examples/complete-self-managed-ng-intra-subnets/README.md +++ b/examples/complete-self-managed-ng-intra-subnets/README.md 
@@ -228,10 +228,10 @@ terraform destroy -auto-approve | [amazon\_eks\_aws\_ebs\_csi\_driver\_config](#input\_amazon\_eks\_aws\_ebs\_csi\_driver\_config) | configMap for AWS EBS CSI Driver add-on | `any` | `{}` | no | | [amazon\_eks\_coredns\_config](#input\_amazon\_eks\_coredns\_config) | Configuration for Amazon CoreDNS EKS add-on | `any` | `{}` | no | | [amazon\_eks\_kube\_proxy\_config](#input\_amazon\_eks\_kube\_proxy\_config) | ConfigMap for Amazon EKS Kube-Proxy add-on | `any` | `{}` | no | -| [amazon\_eks\_vpc\_cni\_before\_compute](#input\_amazon\_eks\_vpc\_cni\_before\_compute) | HANDLED by EKS module, not blueprints: Deploy VPC CNI add-on before compute nodes | `bool` | `true` | no | -| [amazon\_eks\_vpc\_cni\_configuration\_values](#input\_amazon\_eks\_vpc\_cni\_configuration\_values) | HANDLED by EKS module, not blueprints: ConfigMap of Amazon EKS VPC CNI add-on | `any` |
{
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
}
| no | -| [amazon\_eks\_vpc\_cni\_most\_recent](#input\_amazon\_eks\_vpc\_cni\_most\_recent) | HANDLED by EKS module, not blueprints: Deploy most recent VPC CNI add-on | `bool` | `true` | no | -| [amazon\_eks\_vpc\_cni\_resolve\_conflict](#input\_amazon\_eks\_vpc\_cni\_resolve\_conflict) | HANDLED by EKS module, not blueprints: Conflict resolution strategy of VPC CNI add-on deployment via eks module | `string` | `"OVERWRITE"` | no | +| [amazon\_eks\_vpc\_cni\_before\_compute](#input\_amazon\_eks\_vpc\_cni\_before\_compute) | Deploy VPC CNI add-on before compute nodes
requires var.enable\_amazon\_eks\_vpc\_cni to be true to have any effect. | `bool` | `true` | no | +| [amazon\_eks\_vpc\_cni\_configuration\_values](#input\_amazon\_eks\_vpc\_cni\_configuration\_values) | ConfigMap of Amazon EKS VPC CNI add-on. Define as HCL, will jsonencode when used.
Requires var.enable\_amazon\_eks\_vpc\_cni to be true to have any effect. | `any` |
{
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
}
| no | +| [amazon\_eks\_vpc\_cni\_most\_recent](#input\_amazon\_eks\_vpc\_cni\_most\_recent) | Deploy most recent VPC CNI add-on.
Requires var.enable\_amazon\_eks\_vpc\_cni to be true to have any effect. | `bool` | `true` | no | +| [amazon\_eks\_vpc\_cni\_resolve\_conflict](#input\_amazon\_eks\_vpc\_cni\_resolve\_conflict) | Conflict resolution strategy of VPC CNI add-on deployment via eks module.
Requires var.enable\_amazon\_eks\_vpc\_cni to be true to have any effect. | `string` | `"OVERWRITE"` | no | | [assign\_public\_ip](#input\_assign\_public\_ip) | Whether to assign a public IP to the bastion | `bool` | `false` | no | | [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with admin access to KMS and EKS resources | `list(string)` | n/a | yes | | [aws\_node\_termination\_handler\_helm\_config](#input\_aws\_node\_termination\_handler\_helm\_config) | AWS Node Termination Handler Helm Chart config | `any` | `{}` | no | @@ -254,7 +254,7 @@ terraform destroy -auto-approve | [enable\_amazon\_eks\_aws\_ebs\_csi\_driver](#input\_enable\_amazon\_eks\_aws\_ebs\_csi\_driver) | Enable EKS Managed AWS EBS CSI Driver add-on; enable\_amazon\_eks\_aws\_ebs\_csi\_driver and enable\_self\_managed\_aws\_ebs\_csi\_driver are mutually exclusive | `bool` | `false` | no | | [enable\_amazon\_eks\_coredns](#input\_enable\_amazon\_eks\_coredns) | Enable Amazon EKS CoreDNS add-on | `bool` | `false` | no | | [enable\_amazon\_eks\_kube\_proxy](#input\_enable\_amazon\_eks\_kube\_proxy) | Enable Kube Proxy add-on | `bool` | `false` | no | -| [enable\_amazon\_eks\_vpc\_cni](#input\_enable\_amazon\_eks\_vpc\_cni) | HANDLED by EKS module, not blueprints: Enable VPC CNI add-on | `bool` | `true` | no | +| [enable\_amazon\_eks\_vpc\_cni](#input\_enable\_amazon\_eks\_vpc\_cni) | Enable VPC CNI add-on | `bool` | `true` | no | | [enable\_aws\_node\_termination\_handler](#input\_enable\_aws\_node\_termination\_handler) | Enable AWS Node Termination Handler add-on | `bool` | `false` | no | | [enable\_cluster\_autoscaler](#input\_enable\_cluster\_autoscaler) | Enable Cluster autoscaler add-on | `bool` | `false` | no | | [enable\_metrics\_server](#input\_enable\_metrics\_server) | Enable metrics server add-on | `bool` | `false` | no | 
diff --git a/examples/complete-self-managed-ng-intra-subnets/main.tf b/examples/complete-self-managed-ng-intra-subnets/main.tf index 333668f3..313ff044 100644 --- a/examples/complete-self-managed-ng-intra-subnets/main.tf +++ b/examples/complete-self-managed-ng-intra-subnets/main.tf @@ -108,15 +108,22 @@ module "eks" { # Self Managed Node Groups self_managed_node_group_defaults = { - instance_type = "m6i.large" + instance_type = "m5.xlarge" update_launch_template_default_version = true iam_role_additional_policies = { AmazonSSMManagedInstanceCore = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore" - } # enable discovery of autoscaling groups by cluster-autoscaler + } + # enable discovery of autoscaling groups by cluster-autoscaler autoscaling_group_tags = { "k8s.io/cluster-autoscaler/enabled" : true, "k8s.io/cluster-autoscaler/${var.cluster_name}" : "owned" } + metadata_options = { + #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options + http_endpoint = "enabled" + http_put_response_hop_limit = 2 + http_tokens = "optional" # set to "enabled" to enforce IMDSv2, default for upstream terraform-aws-eks module + } } self_managed_node_groups = { 
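Review bot: The new `metadata_options` block in `self_managed_node_group_defaults` sets `http_tokens = "optional"`, which leaves IMDSv1 enabled on every worker node, and the accompanying `http_put_response_hop_limit = 2` is exactly the setting that lets pod traffic (one extra hop through the node) reach 169.254.169.254, so a compromised pod can typically fetch the node role's credentials with a single unauthenticated GET. The inline comment is also wrong: the provider accepts `optional` or `required` for `http_tokens`, not `"enabled"`, so a reader following it would get a validation error. Suggest `http_tokens = "required" # enforce IMDSv2; pods still reach IMDS via hop_limit = 2`, and if some workload genuinely needs IMDSv1, name it in the comment rather than relaxing the default for all groups. The enclosing `module "eks"` block starts before this hunk.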
@@ -132,18 +139,11 @@ module "eks" { # create_iam_role = true # Changing `create_iam_role=false` to bring your own IAM Role # iam_role_arn = module.eks.aws_iam_role_self_managed_ng_arn # custom IAM role for aws-auth mapping; used when create_iam_role = false # iam_instance_profile_name = module.eks.aws_iam_instance_profile_self_managed_ng_name # IAM instance profile name for Launch templates; used when create_iam_role = false - - # format_mount_nvme_disk = true # not supported in terraform-aws-eks - logic can be added manually to userdata script as input variable - placement = { - affinity = null - availability_zone = null - group_name = null - host_id = null - tenancy = var.eks_worker_tenancy + tenancy = var.eks_worker_tenancy } - enable_metadata_options = false + metadata_options = false pre_bootstrap_userdata = <<-EOT yum install -y amazon-ssm-agent @@ -187,7 +187,7 @@ module "eks" { } instance_type = "m5.xlarge" - capacity_type = "" # Optional Use this only for SPOT capacity as capacity_type = "spot" + #capacity_type = "" # Optional Use this only for SPOT capacity as capacity_type = "spot". Only for eks_managed_node_groups tags = { subnet_type = "private" diff --git a/examples/complete-self-managed-ng-intra-subnets/variables.tf b/examples/complete-self-managed-ng-intra-subnets/variables.tf index 00575e20..5b129921 100644 --- a/examples/complete-self-managed-ng-intra-subnets/variables.tf +++ b/examples/complete-self-managed-ng-intra-subnets/variables.tf 
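Review bot: Renaming `enable_metadata_options = false` to `metadata_options = false` on this node group changes its meaning: in terraform-aws-eks the per-group `metadata_options` overrides the map given in `self_managed_node_group_defaults`, so the IMDS settings added to the defaults in the hunk above will not apply to this group at all. `false` is also not a map, and depending on how the module version in use expands its `dynamic "metadata_options"` block it may either error when reading `http_endpoint`/`http_tokens` or silently emit a launch template with provider defaults — worth confirming with a plan. If the intent is "use the defaults", delete the line; if it is "no custom metadata options", use the module's documented sentinel (`null` or `{}`) and say so in a comment. The node group's name and the start of the enclosing block are outside this hunk.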
@@ -102,36 +102,48 @@ variable "cluster_endpoint_public_access" { #----------------AWS EKS VPC CNI------------------------- variable "enable_amazon_eks_vpc_cni" { - description = "HANDLED by EKS module, not blueprints: Enable VPC CNI add-on" + description = "Enable VPC CNI add-on" type = bool default = true } variable "amazon_eks_vpc_cni_before_compute" { - description = "HANDLED by EKS module, not blueprints: Deploy VPC CNI add-on before compute nodes" + description = <<-EOD + Deploy VPC CNI add-on before compute nodes + requires var.enable_amazon_eks_vpc_cni to be true to have any effect. + EOD type = bool default = true } variable "amazon_eks_vpc_cni_most_recent" { - description = "HANDLED by EKS module, not blueprints: Deploy most recent VPC CNI add-on" + description = <<-EOD + Deploy most recent VPC CNI add-on. + Requires var.enable_amazon_eks_vpc_cni to be true to have any effect. + EOD type = bool default = true } variable "amazon_eks_vpc_cni_resolve_conflict" { - description = "HANDLED by EKS module, not blueprints: Conflict resolution strategy of VPC CNI add-on deployment via eks module" + description = <<-EOD + Conflict resolution strategy of VPC CNI add-on deployment via eks module. + Requires var.enable_amazon_eks_vpc_cni to be true to have any effect. + EOD type = string default = "OVERWRITE" } variable "amazon_eks_vpc_cni_configuration_values" { - description = "HANDLED by EKS module, not blueprints: ConfigMap of Amazon EKS VPC CNI add-on" + description = <<-EOD + ConfigMap of Amazon EKS VPC CNI add-on. Define as HCL, will jsonencode when used. + Requires var.enable_amazon_eks_vpc_cni to be true to have any effect. 
+ EOD type = any default = { # Reference https://aws.github.io/aws-eks-best-practices/reliability/docs/networkmanagement/#cni-custom-networking AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = "true" - ENI_CONFIG_LABEL_DEF = "topology.kubernetes.io/zone" + ENI_CONFIG_LABEL_DEF = "topology.kubernetes.io/zone" # allows vpc-cni to use topology labels to determine which subnet to deploy an ENI in # Reference docs https://docs.aws.amazon.com/eks/latest/userguide/cni-increase-ip-addresses.html ENABLE_PREFIX_DELEGATION = "true" diff --git a/examples/complete-self-managed-ng-intra-subnets/versions.tf b/examples/complete-self-managed-ng-intra-subnets/versions.tf index 853b5309..d1c6dcc7 100644 --- a/examples/complete-self-managed-ng-intra-subnets/versions.tf +++ b/examples/complete-self-managed-ng-intra-subnets/versions.tf @@ -19,11 +19,4 @@ terraform { version = ">= 1.14" } } - - # ## Used for end-to-end testing on project; update to suit your needs - # backend "s3" { - # bucket = "terraform-ssp-github-actions-state" - # region = "us-west-2" - # key = "e2e/eks-cluster-with-new-vpc/terraform.tfstate" - # } } diff --git a/examples/tf-state-backend/main.tf b/examples/tf-state-backend/main.tf index bb4b434f..a84807ae 100644 --- a/examples/tf-state-backend/main.tf +++ b/examples/tf-state-backend/main.tf @@ -12,8 +12,7 @@ locals { } module "tfstate_backend" { - # source = "git::https://github.com/defenseunicorns/terraform-aws-tfstate-backend.git?ref=main" - source = "/Users/zack/git-repos/Defense_Unicorns/projects/DU_oss/terraform-aws-tfstate-backend" + source = "git::https://github.com/defenseunicorns/terraform-aws-tfstate-backend.git?ref=main" region = var.region bucket_prefix = var.bucket_prefix diff --git a/modules/eks/k8s-manifests.tf b/modules/eks/k8s-manifests.tf index a6eece7e..66879e04 100644 --- a/modules/eks/k8s-manifests.tf +++ b/modules/eks/k8s-manifests.tf 
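Review bot: The `tfstate_backend` module source is now `git::https://github.com/defenseunicorns/terraform-aws-tfstate-backend.git?ref=main`, a mutable branch, so every `terraform init` pulls whatever is on main and the module that creates the state bucket and lock table can change under you without a reviewable diff. Pin to a release tag or commit SHA, e.g. `source = "git::https://github.com/defenseunicorns/terraform-aws-tfstate-backend.git?ref=<tag-or-sha>"`, and bump it deliberately. Replacing the author's local `/Users/zack/...` path with the git source is the right move; only the ref needs tightening.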
@@ -1,6 +1,6 @@ ################################################################################ # VPC-CNI Custom Networking ENIConfig -# ################################################################################ +################################################################################# resource "kubectl_manifest" "eni_config" { for_each = zipmap(local.azs, var.vpc_cni_custom_subnet) diff --git a/modules/eks/locals.tf b/modules/eks/locals.tf index a6e5b023..c2688ab1 100644 --- a/modules/eks/locals.tf +++ b/modules/eks/locals.tf @@ -1,4 +1,6 @@ locals { + azs = slice(data.aws_availability_zones.available.names, 0, 3) + # var.cluster_name is for Terratest cluster_name = coalesce(var.cluster_name, var.name) @@ -25,6 +27,4 @@ locals { } : null ) } - - azs = slice(data.aws_availability_zones.available.names, 0, 3) } diff --git a/modules/eks/main.tf b/modules/eks/main.tf index 037329ce..d59052d0 100644 --- a/modules/eks/main.tf +++ b/modules/eks/main.tf 
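Review bot: The moved `azs = slice(data.aws_availability_zones.available.names, 0, 3)` fails at plan time in any region or partition that exposes fewer than three AZs, and because the context line in k8s-manifests.tf keys `kubectl_manifest.eni_config` off `zipmap(local.azs, var.vpc_cni_custom_subnet)`, `var.vpc_cni_custom_subnet` must have exactly three entries or `zipmap` errors with a length mismatch. Neither constraint is documented where a caller would see it. Suggest a comment on the local, `# exactly 3 AZs: must match length(var.vpc_cni_custom_subnet) used by eni_config`, plus a `validation` block on `vpc_cni_custom_subnet` asserting `length(var.vpc_cni_custom_subnet) == 3`, or derive the AZ count from the variable instead of hard-coding 3. The data source and the variable are declared outside this hunk.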
@@ -114,79 +114,3 @@ resource "aws_iam_role" "auth_eks_role" { EOF } - -# #--------------------------------------------------------------- -# # Custom IAM role for Self Managed Node Group -# #--------------------------------------------------------------- - -# resource "aws_iam_role" "self_managed_ng" { - -# count = var.enable_managed_nodegroups == false ? 1 : 0 - -# name = "${var.name}-self-managed-node-role" -# description = "EKS Managed Node group IAM Role" -# assume_role_policy = data.aws_iam_policy_document.self_managed_ng_assume_role_policy.json -# path = "/" -# force_detach_policies = true -# managed_policy_arns = [ -# "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy", -# "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEKS_CNI_Policy", -# "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly", -# "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore" -# ] - -# tags = local.tags -# } - -# resource "aws_iam_instance_profile" "self_managed_ng" { - -# count = var.enable_managed_nodegroups == false ? 1 : 0 - -# name = "${var.name}-self-managed-node-instance-profile" -# role = aws_iam_role.self_managed_ng[count.index].name -# path = "/" - -# lifecycle { -# create_before_destroy = true -# } - -# tags = local.tags -# } - -# #--------------------------------------------------------------- -# # Custom IAM role for Managed Node Group -# #--------------------------------------------------------------- - -# resource "aws_iam_role" "managed_ng" { - -# count = var.enable_managed_nodegroups == true ? 
1 : 0 - -# name = "${var.name}-managed-node-role" -# description = "EKS Managed Node group IAM Role" -# assume_role_policy = data.aws_iam_policy_document.managed_ng_assume_role_policy.json -# path = "/" -# force_detach_policies = true -# managed_policy_arns = [ -# "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy", -# "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEKS_CNI_Policy", -# "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly", -# "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore" -# ] - -# tags = local.tags -# } - -# resource "aws_iam_instance_profile" "managed_ng" { - -# count = var.enable_managed_nodegroups == true ? 1 : 0 - -# name = "${var.name}-managed-node-instance-profile" -# role = aws_iam_role.managed_ng[count.index].name -# path = "/" - -# lifecycle { -# create_before_destroy = true -# } - -# tags = local.tags -# } diff --git a/modules/eks/min-iam-policy.json b/modules/eks/min-iam-policy.json deleted file mode 100644 index 670b5711..00000000 --- a/modules/eks/min-iam-policy.json +++ /dev/null 
@@ -1,105 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:AllocateAddress", - "ec2:AssociateRouteTable", - "ec2:AttachInternetGateway", - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateInternetGateway", - "ec2:CreateNatGateway", - "ec2:CreateNetworkAclEntry", - "ec2:CreateRoute", - "ec2:CreateRouteTable", - "ec2:CreateSecurityGroup", - "ec2:CreateSubnet", - "ec2:CreateTags", - "ec2:CreateVpc", - "ec2:DeleteInternetGateway", - "ec2:DeleteNatGateway", - "ec2:DeleteNetworkAclEntry", - "ec2:DeleteRoute", - "ec2:DeleteRouteTable", - "ec2:DeleteSecurityGroup", - "ec2:DeleteSubnet", - "ec2:DeleteTags", - "ec2:DeleteVpc", - "ec2:DescribeAccountAttributes", - "ec2:DescribeAddresses", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInternetGateways", - "ec2:DescribeNatGateways", - "ec2:DescribeNetworkAcls", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeTags", - "ec2:DescribeVpcAttribute", - "ec2:DescribeVpcClassicLink", - "ec2:DescribeVpcClassicLinkDnsSupport", - "ec2:DescribeVpcs", - "ec2:DetachInternetGateway", - "ec2:DisassociateRouteTable", - "ec2:ModifySubnetAttribute", - "ec2:ModifyVpcAttribute", - "ec2:ReleaseAddress", - "ec2:RevokeSecurityGroupEgress", - "ec2:RevokeSecurityGroupIngress", - "eks:CreateAddon", - "eks:CreateCluster", - "eks:CreateNodegroup", - "eks:DeleteAddon", - "eks:DeleteCluster", - "eks:DeleteNodegroup", - "eks:DescribeAddon", - "eks:DescribeAddonVersions", - "eks:DescribeCluster", - "eks:DescribeNodegroup", - "iam:AddRoleToInstanceProfile", - "iam:AttachRolePolicy", - "iam:CreateInstanceProfile", - "iam:CreateOpenIDConnectProvider", - "iam:CreatePolicy", - "iam:CreateRole", - "iam:CreateServiceLinkedRole", - "iam:DeleteInstanceProfile", - "iam:DeleteOpenIDConnectProvider", - "iam:DeletePolicy", - "iam:DeleteRole", - "iam:DetachRolePolicy", - 
"iam:GetInstanceProfile", - "iam:GetOpenIDConnectProvider", - "iam:GetPolicy", - "iam:GetPolicyVersion", - "iam:GetRole", - "iam:ListAttachedRolePolicies", - "iam:ListInstanceProfilesForRole", - "iam:ListPolicyVersions", - "iam:ListRolePolicies", - "iam:PassRole", - "iam:RemoveRoleFromInstanceProfile", - "iam:TagInstanceProfile", - "kms:CreateAlias", - "kms:CreateKey", - "kms:DeleteAlias", - "kms:DescribeKey", - "kms:EnableKeyRotation", - "kms:GetKeyPolicy", - "kms:GetKeyRotationStatus", - "kms:ListAliases", - "kms:ListResourceTags", - "kms:PutKeyPolicy", - "kms:ScheduleKeyDeletion", - "kms:TagResource", - "s3:GetObject", - "s3:ListBucket", - "s3:PutObject" - ], - "Resource": "*" - } - ] -} diff --git a/modules/eks/outputs.tf b/modules/eks/outputs.tf index c76017c3..631e0a61 100644 --- a/modules/eks/outputs.tf +++ b/modules/eks/outputs.tf @@ -19,22 +19,6 @@ output "managed_nodegroups" { value = module.aws_eks.eks_managed_node_groups } -#you'd need to build some logic around extracting these outputs around module.eks_managed_node_groups which passes all outputs from the child module -# output "eks_managed_nodegroup_ids" { -# description = "EKS managed node group ids" -# value = module.aws_eks.node_group_id -# } - -# output "eks_managed_nodegroup_arns" { -# description = "EKS managed node group arns" -# value = module.aws_eks.managed_node_group_arn -# } - -# output "eks_managed_nodegroup_role_name" { -# description = "EKS managed node group role name" -# value = module.aws_eks.managed_node_group_iam_role_names -# } - # Region used for Terratest output "region" { description = "AWS region" 
@@ -60,23 +44,3 @@ output "cluster_certificate_authority_data" { description = "EKS cluster certificate authority data" value = module.aws_eks.cluster_certificate_authority_data } - -# output "aws_iam_role_self_managed_ng_arn" { -# description = "AWS IAM role self managed node group ARN" -# value = try(aws_iam_role.self_managed_ng[0].arn, null) -# } - -# output "aws_iam_instance_profile_self_managed_ng_name" { -# description = "AWS IAM instance profile self managed node group name" -# value = try(aws_iam_instance_profile.self_managed_ng[0].name, null) -# } - -# output "aws_iam_role_managed_ng_arn" { -# description = "AWS IAM role managed node group ARN" -# value = try(aws_iam_role.managed_ng[0].arn, null) -# } - -# output "aws_iam_instance_profile_managed_ng_name" { -# description = "AWS IAM instance profile managed node group name" -# value = try(aws_iam_instance_profile.managed_ng[0].name, null) -# } diff --git a/modules/eks/variables.tf b/modules/eks/variables.tf index 39669e68..8834d5db 100644 --- a/modules/eks/variables.tf +++ b/modules/eks/variables.tf @@ -130,11 +130,6 @@ variable "tenancy" { # Node Groups #------------------------------- -# variable "enable_managed_nodegroups" { -# description = "Enable managed node groups. If false, self managed node groups will be used." -# type = bool -# } - variable "eks_managed_node_groups" { description = "Managed node groups configuration" type = any From ad606c883236184581c4439f451f980a8f6b1e49 Mon Sep 17 00:00:00 2001 
From: Zack Annexstein Date: Fri, 17 Mar 2023 11:26:17 -0700 Subject: [PATCH 13/46] make input cleaner --- .../README.md | 6 +- .../main.tf | 6 +- .../terraform.tfvars.example | 94 ++++++++++++++----- .../variables.tf | 71 ++++++-------- ...e => tf-state-backend.auto.tfvars.example} | 5 + modules/eks/README.md | 6 +- modules/eks/locals.tf | 15 ++- modules/eks/variables.tf | 65 ++++++------- 8 files changed, 139 insertions(+), 129 deletions(-) rename examples/tf-state-backend/{tf-state-backend.tfvars.example => tf-state-backend.auto.tfvars.example} (83%) diff --git a/examples/complete-self-managed-ng-intra-subnets/README.md b/examples/complete-self-managed-ng-intra-subnets/README.md index f3646e62..6a9fd6e5 100644 --- a/examples/complete-self-managed-ng-intra-subnets/README.md +++ b/examples/complete-self-managed-ng-intra-subnets/README.md @@ -228,10 +228,7 @@ terraform destroy -auto-approve | [amazon\_eks\_aws\_ebs\_csi\_driver\_config](#input\_amazon\_eks\_aws\_ebs\_csi\_driver\_config) | configMap for AWS EBS CSI Driver add-on | `any` | `{}` | no | | [amazon\_eks\_coredns\_config](#input\_amazon\_eks\_coredns\_config) | Configuration for Amazon CoreDNS EKS add-on | `any` | `{}` | no | | [amazon\_eks\_kube\_proxy\_config](#input\_amazon\_eks\_kube\_proxy\_config) | ConfigMap for Amazon EKS Kube-Proxy add-on | `any` | `{}` | no | -| [amazon\_eks\_vpc\_cni\_before\_compute](#input\_amazon\_eks\_vpc\_cni\_before\_compute) | Deploy VPC CNI add-on before compute nodes
requires var.enable\_amazon\_eks\_vpc\_cni to be true to have any effect. | `bool` | `true` | no | -| [amazon\_eks\_vpc\_cni\_configuration\_values](#input\_amazon\_eks\_vpc\_cni\_configuration\_values) | ConfigMap of Amazon EKS VPC CNI add-on. Define as HCL, will jsonencode when used.
Requires var.enable\_amazon\_eks\_vpc\_cni to be true to have any effect. | `any` |
{
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
}
| no | -| [amazon\_eks\_vpc\_cni\_most\_recent](#input\_amazon\_eks\_vpc\_cni\_most\_recent) | Deploy most recent VPC CNI add-on.
Requires var.enable\_amazon\_eks\_vpc\_cni to be true to have any effect. | `bool` | `true` | no | -| [amazon\_eks\_vpc\_cni\_resolve\_conflict](#input\_amazon\_eks\_vpc\_cni\_resolve\_conflict) | Conflict resolution strategy of VPC CNI add-on deployment via eks module.
Requires var.enable\_amazon\_eks\_vpc\_cni to be true to have any effect. | `string` | `"OVERWRITE"` | no | +| [amazon\_eks\_vpc\_cni](#input\_amazon\_eks\_vpc\_cni) | The VPC CNI add-on configuration.
enabled - (Optional) Whether to enable the add-on. Defaults to false.
before\_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true.
most\_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true.
resolve\_conflict - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE.
configuration\_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. |
object({
enabled = bool
before_compute = bool
most_recent = bool
resolve_conflict = string
configuration_values = map(any) # hcl format later to be json encoded
})
|
{
"before_compute": true,
"configuration_values": {
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
},
"enabled": false,
"most_recent": true,
"resolve_conflict": "OVERWRITE"
}
| no | | [assign\_public\_ip](#input\_assign\_public\_ip) | Whether to assign a public IP to the bastion | `bool` | `false` | no | | [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with admin access to KMS and EKS resources | `list(string)` | n/a | yes | | [aws\_node\_termination\_handler\_helm\_config](#input\_aws\_node\_termination\_handler\_helm\_config) | AWS Node Termination Handler Helm Chart config | `any` | `{}` | no | @@ -254,7 +251,6 @@ terraform destroy -auto-approve | [enable\_amazon\_eks\_aws\_ebs\_csi\_driver](#input\_enable\_amazon\_eks\_aws\_ebs\_csi\_driver) | Enable EKS Managed AWS EBS CSI Driver add-on; enable\_amazon\_eks\_aws\_ebs\_csi\_driver and enable\_self\_managed\_aws\_ebs\_csi\_driver are mutually exclusive | `bool` | `false` | no | | [enable\_amazon\_eks\_coredns](#input\_enable\_amazon\_eks\_coredns) | Enable Amazon EKS CoreDNS add-on | `bool` | `false` | no | | [enable\_amazon\_eks\_kube\_proxy](#input\_enable\_amazon\_eks\_kube\_proxy) | Enable Kube Proxy add-on | `bool` | `false` | no | -| [enable\_amazon\_eks\_vpc\_cni](#input\_enable\_amazon\_eks\_vpc\_cni) | Enable VPC CNI add-on | `bool` | `true` | no | | [enable\_aws\_node\_termination\_handler](#input\_enable\_aws\_node\_termination\_handler) | Enable AWS Node Termination Handler add-on | `bool` | `false` | no | | [enable\_cluster\_autoscaler](#input\_enable\_cluster\_autoscaler) | Enable Cluster autoscaler add-on | `bool` | `false` | no | | [enable\_metrics\_server](#input\_enable\_metrics\_server) | Enable metrics server add-on | `bool` | `false` | no | diff --git a/examples/complete-self-managed-ng-intra-subnets/main.tf b/examples/complete-self-managed-ng-intra-subnets/main.tf index 313ff044..cbb61f06 100644 --- a/examples/complete-self-managed-ng-intra-subnets/main.tf +++ b/examples/complete-self-managed-ng-intra-subnets/main.tf 
@@ -200,11 +200,7 @@ module "eks" { #--------------------------------------------------------------- # VPC CNI - enable_amazon_eks_vpc_cni = var.enable_amazon_eks_vpc_cni - amazon_eks_vpc_cni_before_compute = var.amazon_eks_vpc_cni_before_compute - amazon_eks_vpc_cni_most_recent = var.amazon_eks_vpc_cni_most_recent - amazon_eks_vpc_cni_resolve_conflict = var.amazon_eks_vpc_cni_resolve_conflict - amazon_eks_vpc_cni_configuration_values = var.amazon_eks_vpc_cni_configuration_values + amazon_eks_vpc_cni = var.amazon_eks_vpc_cni #--------------------------------------------------------------- # EKS Blueprints - EKS Add-Ons diff --git a/examples/complete-self-managed-ng-intra-subnets/terraform.tfvars.example b/examples/complete-self-managed-ng-intra-subnets/terraform.tfvars.example index b1e00e43..5b20df0c 100644 --- a/examples/complete-self-managed-ng-intra-subnets/terraform.tfvars.example +++ b/examples/complete-self-managed-ng-intra-subnets/terraform.tfvars.example 
@@ -5,50 +5,92 @@ ########################################################### ################## Global Settings ######################## - region = "us-east-2" # target AWS region - region2 = "us-east-1" # RDS backup target AWS region - account = "100008675309" # target AWS account - aws_profile = "du-dev" # local AWS profile to be used for deployment - aws_admin_usernames = ["Bob.Marley","Jane.Doe"] # list of users to be added to the AWS admin group +region = "us-east-2" # target AWS region +region2 = "us-east-1" # RDS backup target AWS region +account = "100008675309" # target AWS account +aws_profile = "du-dev" # local AWS profile to be used for deployment +aws_admin_usernames = ["Bob.Marley", "Jane.Doe"] # list of users to be added to the AWS admin group +default_tags = { + Environment = "dev" + Project = "du-navy" + Owner = "my-name" +} +manage_aws_auth_configmap = true +create_aws_auth_configmap = true ########################################################### #################### VPC Config ########################### - vpc_cidr = "10.200.0.0/16" - vpc_name = "my-vpc" - # vpc_instance_tenancy = "dedicated" #does not currently work with EKS +vpc_cidr = "10.200.0.0/16" +vpc_name = "my-vpc" +# vpc_instance_tenancy = "dedicated" #does not currently work with EKS ########################################################### ################## Bastion Config ######################### - bastion_name = "my-bastion" +bastion_name = "my-bastion" # bastion_ami_id = "ami-04afd6ecf73c0a579" # AWS linux 2 CIS STIG // "ami-000d4884381edb14c" #AWS linux 2 #optional - bastion_ssh_user = "ec2-user" # local user in bastion used to ssh - bastion_ssh_password = "my-password" - bastion_tenancy = "dedicated" - zarf_version = "v0.24.0-rc4" +bastion_ssh_user = "ec2-user" # local user in bastion used to ssh +bastion_ssh_password = "my-password" +bastion_tenancy = "dedicated" +zarf_version = "v0.24.0-rc4" ########################################################### #################### 
EKS Config ########################### - cluster_name = "my-eks" - cluster_version = "1.23" - eks_worker_tenancy = "dedicated" - cluster_endpoint_public_access = true +cluster_name = "my-eks" +cluster_version = "1.23" +eks_worker_tenancy = "dedicated" +cluster_endpoint_public_access = true +instance_type = "m4.xlarge" + ########################################################### ############## Big Bang Dependencies ###################### - keycloak_enabled = true - # other_addon_enabled = true +keycloak_enabled = true +# other_addon_enabled = true #################### Keycloak ########################### - keycloak_db_password = "my-password" - kc_db_engine_version = "14.1" - kc_db_family = "postgres14" # DB parameter group - kc_db_major_engine_version = "14" # DB option group - kc_db_allocated_storage = 20 - kc_db_max_allocated_storage = 100 - kc_db_instance_class = "db.t4g.large" +keycloak_db_password = "my-password" +kc_db_engine_version = "14.1" +kc_db_family = "postgres14" # DB parameter group +kc_db_major_engine_version = "14" # DB option group +kc_db_allocated_storage = 20 +kc_db_max_allocated_storage = 100 +kc_db_instance_class = "db.t4g.large" + +#################### Other Addon ######################## +loki_s3_bucket_kms_key_alias = "my-loki-s3" + +enable_amazon_eks_vpc_cni = true +amazon_eks_vpc_cni_before_compute = true +amazon_eks_vpc_cni_most_recent = true +amazon_eks_vpc_cni_resolve_conflict = "OVERWRITE" +amazon_eks_vpc_cni_configuration_values = { + # Reference https://aws.github.io/aws-eks-best-practices/reliability/docs/networkmanagement/#cni-custom-networking + AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = "true" + ENI_CONFIG_LABEL_DEF = "topology.kubernetes.io/zone" # allows vpc-cni to use topology labels to determine which subnet to deploy an ENI in + + # Reference docs https://docs.aws.amazon.com/eks/latest/userguide/cni-increase-ip-addresses.html + ENABLE_PREFIX_DELEGATION = "true" + WARM_PREFIX_TARGET = "1" +} + +amazon_eks_vpc_cni = { + enabled = 
true + before_compute = true + most_recent = true + resolve_conflict = "OVERWRITE" + configuration_values = { + # Reference https://aws.github.io/aws-eks-best-practices/reliability/docs/networkmanagement/#cni-custom-networking + AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = "true" + ENI_CONFIG_LABEL_DEF = "topology.kubernetes.io/zone" # allows vpc-cni to use topology labels to determine which subnet to deploy an ENI in + + # Reference docs https://docs.aws.amazon.com/eks/latest/userguide/cni-increase-ip-addresses.html + ENABLE_PREFIX_DELEGATION = "true" + WARM_PREFIX_TARGET = "1" + } +} diff --git a/examples/complete-self-managed-ng-intra-subnets/variables.tf b/examples/complete-self-managed-ng-intra-subnets/variables.tf index 5b129921..905916bf 100644 --- a/examples/complete-self-managed-ng-intra-subnets/variables.tf +++ b/examples/complete-self-managed-ng-intra-subnets/variables.tf 
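Review bot: The example still assigns `enable_amazon_eks_vpc_cni`, `amazon_eks_vpc_cni_before_compute`, `amazon_eks_vpc_cni_most_recent`, `amazon_eks_vpc_cni_resolve_conflict` and `amazon_eks_vpc_cni_configuration_values` immediately above the new `amazon_eks_vpc_cni` object, but this same commit deletes those five variables from variables.tf, so anyone who copies the file gets "Value for undeclared variable" warnings and the old values are silently ignored. Delete the five old assignments and keep only the `amazon_eks_vpc_cni` block. Separately, the example continues to carry `bastion_ssh_password = "my-password"` and `keycloak_db_password = "my-password"` as plain tfvars; a comment such as `# supply via TF_VAR_bastion_ssh_password or a secrets manager; do not commit real values` would help stop these landing in a committed `terraform.tfvars`.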
@@ -101,53 +101,36 @@ variable "cluster_endpoint_public_access" { ################## EKS Addons Config ###################### #----------------AWS EKS VPC CNI------------------------- -variable "enable_amazon_eks_vpc_cni" { - description = "Enable VPC CNI add-on" - type = bool - default = true -} - -variable "amazon_eks_vpc_cni_before_compute" { - description = <<-EOD - Deploy VPC CNI add-on before compute nodes - requires var.enable_amazon_eks_vpc_cni to be true to have any effect. - EOD - type = bool - default = true -} - -variable "amazon_eks_vpc_cni_most_recent" { +variable "amazon_eks_vpc_cni" { description = <<-EOD - Deploy most recent VPC CNI add-on. - Requires var.enable_amazon_eks_vpc_cni to be true to have any effect. + The VPC CNI add-on configuration. + enabled - (Optional) Whether to enable the add-on. Defaults to false. + before_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true. + most_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true. + resolve_conflict - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE. + configuration_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. EOD - type = bool - default = true -} - -variable "amazon_eks_vpc_cni_resolve_conflict" { - description = <<-EOD - Conflict resolution strategy of VPC CNI add-on deployment via eks module. - Requires var.enable_amazon_eks_vpc_cni to be true to have any effect. - EOD - type = string - default = "OVERWRITE" -} - -variable "amazon_eks_vpc_cni_configuration_values" { - description = <<-EOD - ConfigMap of Amazon EKS VPC CNI add-on. Define as HCL, will jsonencode when used. - Requires var.enable_amazon_eks_vpc_cni to be true to have any effect. 
- EOD - type = any + type = object({ + enabled = bool + before_compute = bool + most_recent = bool + resolve_conflict = string + configuration_values = map(any) # hcl format later to be json encoded + }) default = { - # Reference https://aws.github.io/aws-eks-best-practices/reliability/docs/networkmanagement/#cni-custom-networking - AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = "true" - ENI_CONFIG_LABEL_DEF = "topology.kubernetes.io/zone" # allows vpc-cni to use topology labels to determine which subnet to deploy an ENI in - - # Reference docs https://docs.aws.amazon.com/eks/latest/userguide/cni-increase-ip-addresses.html - ENABLE_PREFIX_DELEGATION = "true" - WARM_PREFIX_TARGET = "1" + before_compute = true + enabled = false + most_recent = true + resolve_conflict = "OVERWRITE" + configuration_values = { + # Reference https://aws.github.io/aws-eks-best-practices/reliability/docs/networkmanagement/#cni-custom-networking + AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = "true" + ENI_CONFIG_LABEL_DEF = "topology.kubernetes.io/zone" # allows vpc-cni to use topology labels to determine which subnet to deploy an ENI in + + # Reference docs https://docs.aws.amazon.com/eks/latest/userguide/cni-increase-ip-addresses.html + ENABLE_PREFIX_DELEGATION = "true" + WARM_PREFIX_TARGET = "1" + } } } diff --git a/examples/tf-state-backend/tf-state-backend.tfvars.example b/examples/tf-state-backend/tf-state-backend.auto.tfvars.example similarity index 83% rename from examples/tf-state-backend/tf-state-backend.tfvars.example rename to examples/tf-state-backend/tf-state-backend.auto.tfvars.example index 2d03fbf4..74c18f28 100644 --- a/examples/tf-state-backend/tf-state-backend.tfvars.example +++ b/examples/tf-state-backend/tf-state-backend.auto.tfvars.example @@ -11,3 +11,8 @@ bucket_prefix = "my-tfstate-backend" dynamodb_table_name = "my-tfstate-backend-lock" force_delete = false + default_tags = { + Environment = "dev" + Project = "du-navy" + Owner = "my-name" + } 
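Review bot: The new `amazon_eks_vpc_cni` type declares every attribute as required, yet the description labels each one "(Optional)" with a default; with a plain `object({...})` a caller who sets only `enabled = true` fails type checking, and the declared defaults never apply to a partially supplied object. Either drop the "(Optional)"/"Defaults to" wording, or, if the pinned Terraform version allows it, declare the attributes as `optional(bool, true)`, `optional(string, "OVERWRITE")` and so on so the description matches the type. The same mismatch is in the modules/eks/variables.tf hunk later in this patch. Separately, the terraform.tfvars.example hunk above still sets the removed `enable_amazon_eks_vpc_cni`, `amazon_eks_vpc_cni_before_compute`, `amazon_eks_vpc_cni_most_recent`, `amazon_eks_vpc_cni_resolve_conflict` and `amazon_eks_vpc_cni_configuration_values` alongside the new object, which Terraform will report as values for undeclared variables once the example is copied into place.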
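Review bot: The added `default_tags` block appears to be indented one space (`+ default_tags = {`) while the existing assignments in this tfvars file start at column 0, so the file no longer passes `terraform fmt -check`; the block should start at column 0 like `bucket_prefix` and `force_delete`. Since the file is being renamed to `.auto.tfvars.example`, it is worth a one-line comment at the top noting that the copied `.auto.tfvars` is loaded automatically by every `terraform` run in the directory, so the placeholder `Owner`/`Project` values must be replaced before use.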
diff --git a/modules/eks/README.md b/modules/eks/README.md index b3fa70f8..a7441854 100644 --- a/modules/eks/README.md +++ b/modules/eks/README.md @@ -51,10 +51,7 @@ To view examples for how you can leverage this EKS Module, please see the [examp | [amazon\_eks\_aws\_ebs\_csi\_driver\_config](#input\_amazon\_eks\_aws\_ebs\_csi\_driver\_config) | configMap for AWS EBS CSI Driver add-on | `any` | `{}` | no | | [amazon\_eks\_coredns\_config](#input\_amazon\_eks\_coredns\_config) | Configuration for Amazon CoreDNS EKS add-on | `any` | `{}` | no | | [amazon\_eks\_kube\_proxy\_config](#input\_amazon\_eks\_kube\_proxy\_config) | ConfigMap for Amazon EKS Kube-Proxy add-on | `any` | `{}` | no | -| [amazon\_eks\_vpc\_cni\_before\_compute](#input\_amazon\_eks\_vpc\_cni\_before\_compute) | HANDLED by EKS module, not blueprints: Deploy VPC CNI add-on before compute nodes | `bool` | `true` | no | -| [amazon\_eks\_vpc\_cni\_configuration\_values](#input\_amazon\_eks\_vpc\_cni\_configuration\_values) | Config of Amazon EKS VPC CNI add-on, HCL format that will be jsonencoded | `any` |
{
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
}
| no | -| [amazon\_eks\_vpc\_cni\_most\_recent](#input\_amazon\_eks\_vpc\_cni\_most\_recent) | HANDLED by EKS module, not blueprints: Deploy most recent VPC CNI add-on | `bool` | `true` | no | -| [amazon\_eks\_vpc\_cni\_resolve\_conflict](#input\_amazon\_eks\_vpc\_cni\_resolve\_conflict) | HANDLED by EKS module, not blueprints: Conflict resolution strategy of VPC CNI add-on deployment via eks module | `string` | `"OVERWRITE"` | no | +| [amazon\_eks\_vpc\_cni](#input\_amazon\_eks\_vpc\_cni) | The VPC CNI add-on configuration.

enabled - (Optional) Whether to enable the add-on. Defaults to false.
before\_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true.
most\_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true.
resolve\_conflict - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE.
configuration\_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. |
object({
enabled = bool
before_compute = bool
most_recent = bool
resolve_conflict = string
configuration_values = map(any) # hcl format later to be json encoded
})
|
{
"before_compute": true,
"configuration_values": {
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
},
"enabled": false,
"most_recent": true,
"resolve_conflict": "OVERWRITE"
}
| no | | [aws\_account](#input\_aws\_account) | n/a | `string` | `""` | no | | [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with authorized access to KMS and EKS resources | `list(string)` | `[]` | no | | [aws\_auth\_users](#input\_aws\_auth\_users) | List of map of users to add to aws-auth configmap |
list(object({
userarn = string
username = string
groups = list(string)
}))
| `[]` | no | @@ -73,7 +70,6 @@ To view examples for how you can leverage this EKS Module, please see the [examp | [enable\_amazon\_eks\_aws\_ebs\_csi\_driver](#input\_enable\_amazon\_eks\_aws\_ebs\_csi\_driver) | Enable EKS Managed AWS EBS CSI Driver add-on; enable\_amazon\_eks\_aws\_ebs\_csi\_driver and enable\_self\_managed\_aws\_ebs\_csi\_driver are mutually exclusive | `bool` | `false` | no | | [enable\_amazon\_eks\_coredns](#input\_enable\_amazon\_eks\_coredns) | Enable Amazon EKS CoreDNS add-on | `bool` | `false` | no | | [enable\_amazon\_eks\_kube\_proxy](#input\_enable\_amazon\_eks\_kube\_proxy) | Enable Kube Proxy add-on | `bool` | `false` | no | -| [enable\_amazon\_eks\_vpc\_cni](#input\_enable\_amazon\_eks\_vpc\_cni) | HANDLED by EKS module, not blueprints: Enable VPC CNI add-on | `bool` | `true` | no | | [enable\_aws\_node\_termination\_handler](#input\_enable\_aws\_node\_termination\_handler) | Enable AWS Node Termination Handler add-on | `bool` | `false` | no | | [enable\_cluster\_autoscaler](#input\_enable\_cluster\_autoscaler) | Enable Cluster autoscaler add-on | `bool` | `false` | no | | [enable\_metrics\_server](#input\_enable\_metrics\_server) | Enable metrics server add-on | `bool` | `false` | no | diff --git a/modules/eks/locals.tf b/modules/eks/locals.tf index c2688ab1..80141173 100644 --- a/modules/eks/locals.tf +++ b/modules/eks/locals.tf 
@@ -17,14 +17,11 @@ locals { ] cluster_addons = { - #if enabled, pass in config vars, else null - vpc-cni = ( - var.enable_amazon_eks_vpc_cni ? { - before_compute = var.amazon_eks_vpc_cni_before_compute - most_recent = var.amazon_eks_vpc_cni_most_recent - configuration_values = jsonencode({ env = var.amazon_eks_vpc_cni_configuration_values }) - resolve_conflict = var.amazon_eks_vpc_cni_resolve_conflict - } : null - ) + vpc-cni = lookup(var.amazon_eks_vpc_cni, "enabled", false) ? { + before_compute = lookup(var.amazon_eks_vpc_cni, "before_compute", null) + most_recent = lookup(var.amazon_eks_vpc_cni, "most_recent", null) + configuration_values = jsonencode({ env = (lookup(var.amazon_eks_vpc_cni, "configuration_values", null)) }) + resolve_conflict = lookup(var.amazon_eks_vpc_cni, "resolve_conflict", null) + } : null } } diff --git a/modules/eks/variables.tf b/modules/eks/variables.tf index 8834d5db..fb8dea3d 100644 --- a/modules/eks/variables.tf +++ b/modules/eks/variables.tf 
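Review bot: The `lookup(var.amazon_eks_vpc_cni, ...)` fallbacks on the new `vpc-cni` entry are dead code: the variable is declared (modules/eks/variables.tf hunk below) as an `object` whose attributes are all required, so every key is guaranteed present and the `false`/`null` defaults can never be returned. Plain attribute access says what is meant, e.g. `vpc-cni = var.amazon_eks_vpc_cni.enabled ? {` and `before_compute = var.amazon_eks_vpc_cni.before_compute`. If partially specified objects are the intent, the type needs `optional()` attributes instead, and then the `null` that `before_compute`/`most_recent`/`resolve_conflict` would receive should be checked against what the downstream EKS module accepts for those arguments. The enclosing `locals` block starts before this hunk.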
@@ -151,42 +151,37 @@ variable "self_managed_node_group_defaults" { ########################################################### ################## EKS Addons Config ###################### -#----------------AWS EKS VPC CNI------------------------- -variable "enable_amazon_eks_vpc_cni" { - description = "HANDLED by EKS module, not blueprints: Enable VPC CNI add-on" - type = bool - default = true -} - -variable "amazon_eks_vpc_cni_before_compute" { - description = "HANDLED by EKS module, not blueprints: Deploy VPC CNI add-on before compute nodes" - type = bool - default = true -} - -variable "amazon_eks_vpc_cni_most_recent" { - description = "HANDLED by EKS module, not blueprints: Deploy most recent VPC CNI add-on" - type = bool - default = true -} - -variable "amazon_eks_vpc_cni_resolve_conflict" { - description = "HANDLED by EKS module, not blueprints: Conflict resolution strategy of VPC CNI add-on deployment via eks module" - type = string - default = "OVERWRITE" -} - -variable "amazon_eks_vpc_cni_configuration_values" { - description = "Config of Amazon EKS VPC CNI add-on, HCL format that will be jsonencoded" - type = any +variable "amazon_eks_vpc_cni" { + description = <<-EOD + The VPC CNI add-on configuration. + + enabled - (Optional) Whether to enable the add-on. Defaults to false. + before_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true. + most_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true. + resolve_conflict - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE. + configuration_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. 
+ EOD + type = object({ + enabled = bool + before_compute = bool + most_recent = bool + resolve_conflict = string + configuration_values = map(any) # hcl format later to be json encoded + }) default = { - # Reference https://aws.github.io/aws-eks-best-practices/reliability/docs/networkmanagement/#cni-custom-networking - AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = "true" - ENI_CONFIG_LABEL_DEF = "topology.kubernetes.io/zone" - - # Reference docs https://docs.aws.amazon.com/eks/latest/userguide/cni-increase-ip-addresses.html - ENABLE_PREFIX_DELEGATION = "true" - WARM_PREFIX_TARGET = "1" + before_compute = true + enabled = false + most_recent = true + resolve_conflict = "OVERWRITE" + configuration_values = { + # Reference https://aws.github.io/aws-eks-best-practices/reliability/docs/networkmanagement/#cni-custom-networking + AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = "true" + ENI_CONFIG_LABEL_DEF = "topology.kubernetes.io/zone" # allows vpc-cni to use topology labels to determine which subnet to deploy an ENI in + + # Reference docs https://docs.aws.amazon.com/eks/latest/userguide/cni-increase-ip-addresses.html + ENABLE_PREFIX_DELEGATION = "true" + WARM_PREFIX_TARGET = "1" + } } } From f24ee3e4b98972e741e4e4aa60a8e90538fa9eda Mon Sep 17 00:00:00 2001 
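Review bot: `resolve_conflict` is documented as accepting only OVERWRITE, NONE or PRESERVE, but the new `string` attribute has no `validation` block, so a typo such as `"overwrite"` is only rejected when the value reaches the provider somewhere inside the EKS module rather than with a clear message at the variable boundary; a `validation { condition = contains(["OVERWRITE", "NONE", "PRESERVE"], var.amazon_eks_vpc_cni.resolve_conflict) error_message = "resolve_conflict must be one of OVERWRITE, NONE, PRESERVE." }` on the variable catches it at plan time. The effective default also flips: the removed `enable_amazon_eks_vpc_cni` defaulted to `true` while the new object defaults `enabled = false`, so callers relying on the old default silently stop getting the module-managed VPC CNI add-on. That behavior change deserves an explicit sentence in the description, e.g. `Note: the add-on is no longer enabled by default; set enabled = true to keep the previous behavior.`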
From: Zack Annexstein Date: Fri, 17 Mar 2023 12:05:42 -0700 Subject: [PATCH 14/46] cleanup junk --- .../.terraform.lock.hcl | 182 ---------- .../README.md | 288 --------------- .../backend.tf.example | 9 - .../bigbang-dependencies.tf | 83 ----- .../main.tf | 232 ------------ .../outputs.tf | 41 --- .../providers.tf | 59 ---- .../terraform.tfvars.example | 96 ----- .../variables.tf | 329 ------------------ .../.terraform.lock.hcl | 169 ++++----- .../complete-self-managed-nodegroup/README.md | 30 +- .../bigbang-dependencies.tf | 6 +- .../complete-self-managed-nodegroup/main.tf | 183 +++++----- .../outputs.tf | 17 +- .../providers.tf | 14 + .../terraform.tfvars.example | 80 +++-- .../variables.tf | 148 +++++++- .../versions.tf | 0 18 files changed, 416 insertions(+), 1550 deletions(-) delete mode 100644 examples/complete-self-managed-ng-intra-subnets/.terraform.lock.hcl delete mode 100644 examples/complete-self-managed-ng-intra-subnets/README.md delete mode 100644 examples/complete-self-managed-ng-intra-subnets/backend.tf.example delete mode 100644 examples/complete-self-managed-ng-intra-subnets/bigbang-dependencies.tf delete mode 100644 examples/complete-self-managed-ng-intra-subnets/main.tf delete mode 100644 examples/complete-self-managed-ng-intra-subnets/outputs.tf delete mode 100644 examples/complete-self-managed-ng-intra-subnets/providers.tf delete mode 100644 examples/complete-self-managed-ng-intra-subnets/terraform.tfvars.example delete mode 100644 examples/complete-self-managed-ng-intra-subnets/variables.tf rename examples/{complete-self-managed-ng-intra-subnets => complete-self-managed-nodegroup}/versions.tf (100%) diff --git a/examples/complete-self-managed-ng-intra-subnets/.terraform.lock.hcl b/examples/complete-self-managed-ng-intra-subnets/.terraform.lock.hcl deleted file mode 100644 index 257d5c52..00000000 --- a/examples/complete-self-managed-ng-intra-subnets/.terraform.lock.hcl +++ /dev/null 
@@ -1,182 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/gavinbunney/kubectl" { - version = "1.14.0" - constraints = ">= 1.14.0" - hashes = [ - "h1:ItrWfCZMzM2JmvDncihBMalNLutsAk7kyyxVRaipftY=", - "zh:0350f3122ff711984bbc36f6093c1fe19043173fad5a904bce27f86afe3cc858", - "zh:07ca36c7aa7533e8325b38232c77c04d6ef1081cb0bac9d56e8ccd51f12f2030", - "zh:0c351afd91d9e994a71fe64bbd1662d0024006b3493bb61d46c23ea3e42a7cf5", - "zh:39f1a0aa1d589a7e815b62b5aa11041040903b061672c4cfc7de38622866cbc4", - "zh:428d3a321043b78e23c91a8d641f2d08d6b97f74c195c654f04d2c455e017de5", - "zh:4baf5b1de2dfe9968cc0f57fd4be5a741deb5b34ee0989519267697af5f3eee5", - "zh:6131a927f9dffa014ab5ca5364ac965fe9b19830d2bbf916a5b2865b956fdfcf", - "zh:c62e0c9fd052cbf68c5c2612af4f6408c61c7e37b615dc347918d2442dd05e93", - "zh:f0beffd7ce78f49ead612e4b1aefb7cb6a461d040428f514f4f9cc4e5698ac65", - ] -} - -provider "registry.terraform.io/hashicorp/aws" { - version = "4.58.0" - constraints = ">= 3.28.0, >= 3.29.0, >= 3.72.0, >= 3.73.0, >= 4.9.0, >= 4.10.0, >= 4.13.0, >= 4.45.0, >= 4.47.0" - hashes = [ - "h1:YIRXIr1ji0HLWLU0ae+UbUNOHc9MJaLrMHxH3LIQ/Vk=", - "zh:14b2b2dfbc7ee705c412d762b1485ee08958c816a64ac74f5769e946e4a1d265", - "zh:17a37e6825e2023b18987d31c0cbb9336654ea146b68e6c90710ea4636af71ae", - "zh:273127c69fb244577e5c136c46164d34f77b0c956c18d27f63d1072dd558f924", - "zh:4b2b6416d34fb3e1051c99d2a84045b136976140e34381d5fbf90e32db15272e", - "zh:7e6a8571ff15d51f892776265642ee01004b8553fd4f6f2014b6f3f2834670c7", - "zh:847c76ab2381b66666d0f79cf1ac697b5bfd0d9c3009fd11bc6ad6545d1eb427", - "zh:9a52cae08ba8d27d0639a8d2b8c61591027883058bf0cc5a639cffe1e299f019", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9df647e8322d6f94f1843366ba39d21c4b36c8e7dcdc03711d52e27f73b0e974", - "zh:9e52037e68409802ff913b166c30e3f2035af03865cbef0c1b03762bce853941", - 
"zh:a30288e7c3c904d6998d1709835d7c5800a739f8608f0837f960286a2b8b6e59", - "zh:a7f24e3bda3be566468e4ad62cef1016f68c6f5a94d2e3e979485bc05626281b", - "zh:ba326ba80f5e39829b67a6d1ce54ba52b171e5e13a0a91ef5f9170a9b0cc9ce4", - "zh:c4e3fe9f2be6e244a3dfce599f4b0be9e8fffaece64cbc65f3195f825f65489b", - "zh:f20a251af37039bb2c7612dbd2c5df3a25886b4cc78f902385a2850ea6e30d08", - ] -} - -provider "registry.terraform.io/hashicorp/cloudinit" { - version = "2.3.2" - constraints = ">= 2.0.0" - hashes = [ - "h1:ocyv0lvfyvzW4krenxV5CL4Jq5DiA3EUfoy8DR6zFMw=", - "zh:2487e498736ed90f53de8f66fe2b8c05665b9f8ff1506f751c5ee227c7f457d1", - "zh:3d8627d142942336cf65eea6eb6403692f47e9072ff3fa11c3f774a3b93130b3", - "zh:434b643054aeafb5df28d5529b72acc20c6f5ded24decad73b98657af2b53f4f", - "zh:436aa6c2b07d82aa6a9dd746a3e3a627f72787c27c80552ceda6dc52d01f4b6f", - "zh:458274c5aabe65ef4dbd61d43ce759287788e35a2da004e796373f88edcaa422", - "zh:54bc70fa6fb7da33292ae4d9ceef5398d637c7373e729ed4fce59bd7b8d67372", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:893ba267e18749c1a956b69be569f0d7bc043a49c3a0eb4d0d09a8e8b2ca3136", - "zh:95493b7517bce116f75cdd4c63b7c82a9d0d48ec2ef2f5eb836d262ef96d0aa7", - "zh:9ae21ab393be52e3e84e5cce0ef20e690d21f6c10ade7d9d9d22b39851bfeddc", - "zh:cc3b01ac2472e6d59358d54d5e4945032efbc8008739a6d4946ca1b621a16040", - "zh:f23bfe9758f06a1ec10ea3a81c9deedf3a7b42963568997d84a5153f35c5839a", - ] -} - -provider "registry.terraform.io/hashicorp/helm" { - version = "2.9.0" - constraints = ">= 2.4.1, >= 2.5.1" - hashes = [ - "h1:fEDID5J/9ret/sLpOSNAu98F/ZBEZhOmL0Leut7m5JU=", - "zh:1471cb45908b426104687c962007b2980cfde294fa3530fabc4798ce9fb6c20c", - "zh:1572e9cec20591ec08ece797b3630802be816a5adde36ca91a93359f2430b130", - "zh:1b10ae03cf5ab1ae21ffaac2251de99797294ae4242b156b3b0beebbdbcb7e0f", - "zh:3bd043b68de967d8d0b549d3f71485193d81167d5656f5507d743dedfe60e352", - "zh:538911921c729185900176cc22eb8edcb822bc8d22b9ebb48103a1d9bb53cc38", - 
"zh:69a6a2d40c0463662c3fb1621e37a3ee65024ea4479adf4d5f7f19fb0dea48c2", - "zh:94b58daa0c351a49d01f6d8f1caae46c95c2d6c3f29753e2b9ea3e3c0e7c9ab4", - "zh:9d0543331a4a32241e1ab5457f30b41df745acb235a0391205c725a5311e4809", - "zh:a6789306524ca121512a95e873e3949b4175114a6c5db32bed2df2551a79368f", - "zh:d146b94cd9502cca7f2044797a328d71c7ec2a98e2d138270d8a28c872f04289", - "zh:d14ccd14511f0446eacf43a9243f22de7c1427ceb059cf67d7bf9803be2cb15d", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} - -provider "registry.terraform.io/hashicorp/kubernetes" { - version = "2.18.1" - constraints = ">= 2.6.1, >= 2.10.0" - hashes = [ - "h1:y4VED+vsulAqE7YbQC7x1XXrzvi/dEIjupttSyzSA/M=", - "zh:09d69d244f5e688d9b1582112aa5d151c5336278e43d39c88ae920c26536b753", - "zh:0df4c988056f7d84d9161c6c955ad7346364c261d100ef510a6cc7fa4a235197", - "zh:2d3d0cb2931b6153a7971ce8c6fae92722b1116e16f42abbaef115dba895c8d8", - "zh:47830e8fc1760860bfa4aaf418627ff3c6ffcac6cebbbc490e5e0e6b31287d80", - "zh:49467177b514bada0fb3b6982897a347498af8ef9ef8d9fd611fe21dfded2e25", - "zh:5c7eae2c51ba175822730a63ad59cf41604c76c46c5c97332506ab42023525ce", - "zh:6efae755f02df8ab65ce7a831f33bd4817359db205652fd4bc4b969302072b15", - "zh:7e6e97b79fecd25aaf0f4fb91da945a65c36fe2ba2a4313288a60ede55506aad", - "zh:b75f2c9dd24b355ffe73e7b2fcd3145fc32735068f0ec2eba2df63f792dd16e8", - "zh:dbef9698d842eb49a846db6d7694f159ae5154ffbb7a753a9d4cab88c462a6d4", - "zh:f1b1fd580d92eedd9c8224d463997ccff1a62851fea65106aac299efe9ab622a", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} - -provider "registry.terraform.io/hashicorp/null" { - version = "3.2.1" - constraints = ">= 3.0.0" - hashes = [ - "h1:ydA0/SNRVB1o95btfshvYsmxA+jZFRZcvKzZSB+4S1M=", - "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840", - "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb", - "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5", - 
"zh:74cb22c6700e48486b7cabefa10b33b801dfcab56f1a6ac9b6624531f3d36ea3", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:79e553aff77f1cfa9012a2218b8238dd672ea5e1b2924775ac9ac24d2a75c238", - "zh:a1e06ddda0b5ac48f7e7c7d59e1ab5a4073bbcf876c73c0299e4610ed53859dc", - "zh:c37a97090f1a82222925d45d84483b2aa702ef7ab66532af6cbcfb567818b970", - "zh:e4453fbebf90c53ca3323a92e7ca0f9961427d2f0ce0d2b65523cc04d5d999c2", - "zh:e80a746921946d8b6761e77305b752ad188da60688cfd2059322875d363be5f5", - "zh:fbdb892d9822ed0e4cb60f2fedbdbb556e4da0d88d3b942ae963ed6ff091e48f", - "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694", - ] -} - -provider "registry.terraform.io/hashicorp/random" { - version = "3.4.3" - constraints = ">= 3.1.0" - hashes = [ - "h1:saZR+mhthL0OZl4SyHXZraxyaBNVMxiZzks78nWcZ2o=", - "zh:41c53ba47085d8261590990f8633c8906696fa0a3c4b384ff6a7ecbf84339752", - "zh:59d98081c4475f2ad77d881c4412c5129c56214892f490adf11c7e7a5a47de9b", - "zh:686ad1ee40b812b9e016317e7f34c0d63ef837e084dea4a1f578f64a6314ad53", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:84103eae7251384c0d995f5a257c72b0096605048f757b749b7b62107a5dccb3", - "zh:8ee974b110adb78c7cd18aae82b2729e5124d8f115d484215fd5199451053de5", - "zh:9dd4561e3c847e45de603f17fa0c01ae14cae8c4b7b4e6423c9ef3904b308dda", - "zh:bb07bb3c2c0296beba0beec629ebc6474c70732387477a65966483b5efabdbc6", - "zh:e891339e96c9e5a888727b45b2e1bb3fcbdfe0fd7c5b4396e4695459b38c8cb1", - "zh:ea4739860c24dfeaac6c100b2a2e357106a89d18751f7693f3c31ecf6a996f8d", - "zh:f0c76ac303fd0ab59146c39bc121c5d7d86f878e9a69294e29444d4c653786f8", - "zh:f143a9a5af42b38fed328a161279906759ff39ac428ebcfe55606e05e1518b93", - ] -} - -provider "registry.terraform.io/hashicorp/time" { - version = "0.9.1" - constraints = ">= 0.7.0, >= 0.8.0, >= 0.9.0" - hashes = [ - "h1:VxyoYYOCaJGDmLz4TruZQTSfQhvwEcMxvcKclWdnpbs=", - "zh:00a1476ecf18c735cc08e27bfa835c33f8ac8fa6fa746b01cd3bcbad8ca84f7f", - 
"zh:3007f8fc4a4f8614c43e8ef1d4b0c773a5de1dcac50e701d8abc9fdc8fcb6bf5", - "zh:5f79d0730fdec8cb148b277de3f00485eff3e9cf1ff47fb715b1c969e5bbd9d4", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:8c8094689a2bed4bb597d24a418bbbf846e15507f08be447d0a5acea67c2265a", - "zh:a6d9206e95d5681229429b406bc7a9ba4b2d9b67470bda7df88fa161508ace57", - "zh:aa299ec058f23ebe68976c7581017de50da6204883950de228ed9246f309e7f1", - "zh:b129f00f45fba1991db0aa954a6ba48d90f64a738629119bfb8e9a844b66e80b", - "zh:ef6cecf5f50cda971c1b215847938ced4cb4a30a18095509c068643b14030b00", - "zh:f1f46a4f6c65886d2dd27b66d92632232adc64f92145bf8403fe64d5ffa5caea", - "zh:f79d6155cda7d559c60d74883a24879a01c4d5f6fd7e8d1e3250f3cd215fb904", - "zh:fd59fa73074805c3575f08cd627eef7acda14ab6dac2c135a66e7a38d262201c", - ] -} - -provider "registry.terraform.io/hashicorp/tls" { - version = "4.0.4" - constraints = ">= 3.0.0" - hashes = [ - "h1:GZcFizg5ZT2VrpwvxGBHQ/hO9r6g0vYdQqx3bFD3anY=", - "zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55", - "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848", - "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be", - "zh:5a8eec2409a9ff7cd0758a9d818c74bcba92a240e6c5e54b99df68fff312bbd5", - "zh:5e6a4b39f3171f53292ab88058a59e64825f2b842760a4869e64dc1dc093d1fe", - "zh:810547d0bf9311d21c81cc306126d3547e7bd3f194fc295836acf164b9f8424e", - "zh:824a5f3617624243bed0259d7dd37d76017097dc3193dac669be342b90b2ab48", - "zh:9361ccc7048be5dcbc2fafe2d8216939765b3160bd52734f7a9fd917a39ecbd8", - "zh:aa02ea625aaf672e649296bce7580f62d724268189fe9ad7c1b36bb0fa12fa60", - "zh:c71b4cd40d6ec7815dfeefd57d88bc592c0c42f5e5858dcc88245d371b4b8b1e", - "zh:dabcd52f36b43d250a3d71ad7abfa07b5622c69068d989e60b79b2bb4f220316", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} 
diff --git a/examples/complete-self-managed-ng-intra-subnets/README.md b/examples/complete-self-managed-ng-intra-subnets/README.md deleted file mode 100644 index 6a9fd6e5..00000000 --- a/examples/complete-self-managed-ng-intra-subnets/README.md +++ /dev/null 
@@ -1,288 +0,0 @@ -# EKS Cluster Deployment with new VPC & Big Bang Dependencies - -This example deploys the following Basic Self-Managed EKS Cluster with VPC - -- Creates a new sample VPC, 3 Private Subnets and 3 Public Subnets -- Creates Internet gateway for Public Subnets and NAT Gateway for Private Subnets -- Creates EKS Cluster Control plane with one managed node group -- Creates a Bastion host in a private subnet -- Creates dependencies needed for BigBang - ---- -**Table of contents:** -- [EKS Cluster Deployment with new VPC \& Big Bang Dependencies](#eks-cluster-deployment-with-new-vpc--big-bang-dependencies) - - [How to Deploy](#how-to-deploy) - - [Prerequisites](#prerequisites) - - [Deployment Steps](#deployment-steps) - - [Step 1: Preparation](#step-1-preparation) - - [Step 2: Modify terraform.tfvars (located in tmp directory) with desired values](#step-2-modify-terraformtfvars-located-in-tmp-directory-with-desired-values) - - [Step 3: Terraform Init \& State](#step-3-terraform-init--state) - - [local](#local) - - [remote](#remote) - - [Step 4: Provision VPC and Bastion](#step-4-provision-vpc-and-bastion) - - [Step 5: (Required if EKS Public Access set to False) Connect to the Bastion using SSHuttle and Provision the remaining Infrastucture](#step-5-required-if-eks-public-access-set-to-false-connect-to-the-bastion-using-sshuttle-and-provision-the-remaining-infrastucture) - - [Configure `kubectl` and test cluster](#configure-kubectl-and-test-cluster) - - [Step 6: Run the `aws eks update-kubeconfig` command](#step-6-run-the-aws-eks-update-kubeconfig-command) - - [Step 7: List all the worker nodes by running the command below](#step-7-list-all-the-worker-nodes-by-running-the-command-below) - - [Step 8: List all the pods running in `kube-system` namespace](#step-8-list-all-the-pods-running-in-kube-system-namespace) - - [Cleanup](#cleanup) - - [Requirements](#requirements) - - [Providers](#providers) - - [Modules](#modules) - - [Resources](#resources) - - 
[Inputs](#inputs) - - [Outputs](#outputs) - ---- - -## How to Deploy - -### Prerequisites - -Ensure that you have installed the following tools in your Mac or Windows Laptop before start working with this module and run Terraform Plan and Apply - -1. [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) -2. [Kubectl](https://Kubernetes.io/docs/tasks/tools/) -3. [Helm](https://helm.sh/docs/intro/install/) -4. [Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) -5. [SSHuttle](https://github.com/sshuttle/sshuttle) - -Ensure that your AWS credentials are configured. This can be done by running `aws configure` - -### Deployment Steps - -#### Step 1: Preparation - -```sh -git clone https://github.com/defenseunicorns/iac.git -cd ./iac/examples/complete-self-managed-nodegroup -cp terraform.tfvars.example terraform.tfvars -``` - -#### Step 2: Modify terraform.tfvars (located in tmp directory) with desired values - -AWS usernames must be changed to match actual usernames `aws iam get-user | jq '.[]' | jq -r '.UserName'` - -#### Step 3: Terraform Init & State - -Use remote or local state for terraform - -##### local - -Initialize a working directory with configuration files and create local terraform state file - -```sh -terraform init -``` - -##### remote - -Alternatively, you can provision an S3 backend prior to this step using the tf-state-backend example and init via the following: - -```sh -#from the ./iac/examples/complete-self-managed-nodegroup directory -pushd ../tf-state-backend - -terraform apply -export BUCKET_ID=`(terraform output -raw tfstate_bucket_id)` -export DYNAMODB_TABLE_NAME=`(terraform output -raw tfstate_dynamodb_table_name)` - -popd - -export AWS_DEFAULT_REGION=$(grep 'region' terraform.tfvars | grep -v 'region2' |cut -d'=' -f2 | cut -d'#' -f1 | tr -d '[:space:]' | sed 's/"//g') - -#make backend file -cp backend.tf.example backend.tf - -#init and copy state if it exists -terraform init -force-copy 
-backend-config="bucket=$BUCKET_ID" \ - -backend-config="key=complete-self-managed-nodegroup/terraform.tfstate" \ - -backend-config="dynamodb_table=$DYNAMODB_TABLE_NAME" \ - -backend-config="region=$AWS_DEFAULT_REGION" -``` - -#### Step 4: Provision VPC and Bastion - -```sh -# plan deployment and verify desired outcome -terraform plan -target=module.vpc -target=module.bastion - -# type yes to confirm or utilize the '-auto-approve' flag -terraform apply -target=module.vpc -target=module.bastion -``` - -#### Step 5: (Required if EKS Public Access set to False) Connect to the Bastion using SSHuttle and Provision the remaining Infrastucture - -Add the following to your ~/.ssh/config to connect to the Bastion via AWS SSM (create config file if it does not exist) - -```sh -# SSH over Session Manager -host i-* mi-* - ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'" -``` - -Test SSH connection to the Bastion - -```sh -# grab bastion instance id from terraform -export BASTION_INSTANCE_ID=`(terraform output -raw bastion_instance_id)` -# replace "my-password" with the variable set (if changed from the default) -expect -c 'spawn ssh ec2-user@$BASTION_INSTANCE_ID ; expect "assword:"; send "my-password\r"; interact' -``` - -In a new terminal, open an sshuttle tunnel to the bastion - -```sh -# subnet below is the CIDR block from your tfvars file -sshuttle --dns -vr ec2-user@$BASTION_INSTANCE_ID 10.200.0.0/16 -``` - -Navigate back to the terminal in the `complete-self-managed-nodegroup` directory and Provision the EKS Cluster - -```sh -terraform apply -var-file -# type yes to confirm or utilize the ```-auto-approve``` flag in the above command -``` - -### Configure `kubectl` and test cluster - -Note: In this example we are using a private EKS Cluster endpoint for the control plane. 
You must ensure the sshuttle is running to the bastion to utilize `kubectl` - -EKS Cluster details can be extracted from terraform output or from AWS Console to get the name of cluster. -This following command used to update the `kubeconfig` in your local machine where you run kubectl commands to interact with your EKS Cluster. - -#### Step 6: Run the `aws eks update-kubeconfig` command - -`~/.kube/config` file gets updated with cluster details and certificate from the below command - -```bash -CLUSTER_NAME=$(grep 'cluster_name' terraform.tfvars | cut -d'=' -f2 | tr -d '[:space:]' | sed 's/"//g') -aws eks --region $AWS_DEFAULT_REGION update-kubeconfig --name $CLUSTER_NAME -``` - -#### Step 7: List all the worker nodes by running the command below - - kubectl get nodes - -#### Step 8: List all the pods running in `kube-system` namespace - - kubectl get pods -n kube-system - -## Cleanup - -To clean up your environment, destroy the Terraform modules in reverse order. - -Destroy the Kubernetes Add-ons / EKS cluster first (requires sshuttle through bastion if EKS Public Access set to False) - -```sh -terraform destroy -auto-approve -target=module.eks -``` - -Destroy all other resources - -```sh -terraform destroy -auto-approve -``` - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.9 | -| [helm](#requirement\_helm) | >= 2.4.1 | -| [kubectl](#requirement\_kubectl) | >= 1.14 | -| [kubernetes](#requirement\_kubernetes) | >= 2.10 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | 4.58.0 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [bastion](#module\_bastion) | ../../modules/bastion | n/a | -| [eks](#module\_eks) | ../../modules/eks | n/a | -| [flux\_sops](#module\_flux\_sops) | ../../modules/sops | n/a | -| [loki\_s3\_bucket](#module\_loki\_s3\_bucket) | ../../modules/s3-irsa | n/a | -| 
[rds\_postgres\_keycloak](#module\_rds\_postgres\_keycloak) | ../../modules/rds | n/a | -| [vpc](#module\_vpc) | ../../modules/vpc | n/a | - -## Resources - -| Name | Type | -|------|------| -| [aws_ami.amazonlinux2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | -| [aws_eks_cluster.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | -| [aws_eks_cluster_auth.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | -| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [account](#input\_account) | The AWS account to deploy into | `string` | n/a | yes | -| [amazon\_eks\_aws\_ebs\_csi\_driver\_config](#input\_amazon\_eks\_aws\_ebs\_csi\_driver\_config) | configMap for AWS EBS CSI Driver add-on | `any` | `{}` | no | -| [amazon\_eks\_coredns\_config](#input\_amazon\_eks\_coredns\_config) | Configuration for Amazon CoreDNS EKS add-on | `any` | `{}` | no | -| [amazon\_eks\_kube\_proxy\_config](#input\_amazon\_eks\_kube\_proxy\_config) | ConfigMap for Amazon EKS Kube-Proxy add-on | `any` | `{}` | no | -| [amazon\_eks\_vpc\_cni](#input\_amazon\_eks\_vpc\_cni) | The VPC CNI add-on configuration.
enabled - (Optional) Whether to enable the add-on. Defaults to false.
before\_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true.
most\_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true.
resolve\_conflict - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE.
configuration\_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. |
object({
enabled = bool
before_compute = bool
most_recent = bool
resolve_conflict = string
configuration_values = map(any) # hcl format later to be json encoded
})
|
{
"before_compute": true,
"configuration_values": {
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
},
"enabled": false,
"most_recent": true,
"resolve_conflict": "OVERWRITE"
}
| no | -| [assign\_public\_ip](#input\_assign\_public\_ip) | Whether to assign a public IP to the bastion | `bool` | `false` | no | -| [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with admin access to KMS and EKS resources | `list(string)` | n/a | yes | -| [aws\_node\_termination\_handler\_helm\_config](#input\_aws\_node\_termination\_handler\_helm\_config) | AWS Node Termination Handler Helm Chart config | `any` | `{}` | no | -| [aws\_profile](#input\_aws\_profile) | The AWS profile to use for deployment | `string` | n/a | yes | -| [bastion\_ami\_id](#input\_bastion\_ami\_id) | (Optional) The AMI ID to use for the bastion, will query the latest Amazon Linux 2 AMI if not provided | `string` | `""` | no | -| [bastion\_instance\_type](#input\_bastion\_instance\_type) | value for the instance type of the EKS worker nodes | `string` | `"m5.xlarge"` | no | -| [bastion\_name](#input\_bastion\_name) | The name to use for the bastion | `string` | `"my-bastion"` | no | -| [bastion\_ssh\_password](#input\_bastion\_ssh\_password) | The SSH password to use for the bastion if SSM authentication is used | `string` | `"my-password"` | no | -| [bastion\_ssh\_user](#input\_bastion\_ssh\_user) | The SSH user to use for the bastion | `string` | `"ec2-user"` | no | -| [bastion\_tenancy](#input\_bastion\_tenancy) | The tenancy of the bastion | `string` | `"default"` | no | -| [cluster\_autoscaler\_helm\_config](#input\_cluster\_autoscaler\_helm\_config) | Cluster Autoscaler Helm Chart config | `any` | `{}` | no | -| [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether to enable private access to the EKS cluster | `bool` | `false` | no | -| [cluster\_name](#input\_cluster\_name) | The name to use for the EKS cluster | `string` | `"my-eks"` | no | -| [cluster\_version](#input\_cluster\_version) | The Kubernetes version to use for the EKS cluster | `string` | `"1.23"` | no | -| 
[create\_aws\_auth\_configmap](#input\_create\_aws\_auth\_configmap) | Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). Most users should use `manage_aws_auth_configmap` | `bool` | `false` | no | -| [create\_database\_subnet\_group](#input\_create\_database\_subnet\_group) | Whether to create a database subnet group | `bool` | `true` | no | -| [create\_database\_subnet\_route\_table](#input\_create\_database\_subnet\_route\_table) | Whether to create a database subnet route table | `bool` | `true` | no | -| [default\_tags](#input\_default\_tags) | A map of default tags to apply to all resources | `map(string)` | `{}` | no | -| [eks\_worker\_tenancy](#input\_eks\_worker\_tenancy) | The tenancy of the EKS worker nodes | `string` | `"default"` | no | -| [enable\_amazon\_eks\_aws\_ebs\_csi\_driver](#input\_enable\_amazon\_eks\_aws\_ebs\_csi\_driver) | Enable EKS Managed AWS EBS CSI Driver add-on; enable\_amazon\_eks\_aws\_ebs\_csi\_driver and enable\_self\_managed\_aws\_ebs\_csi\_driver are mutually exclusive | `bool` | `false` | no | -| [enable\_amazon\_eks\_coredns](#input\_enable\_amazon\_eks\_coredns) | Enable Amazon EKS CoreDNS add-on | `bool` | `false` | no | -| [enable\_amazon\_eks\_kube\_proxy](#input\_enable\_amazon\_eks\_kube\_proxy) | Enable Kube Proxy add-on | `bool` | `false` | no | -| [enable\_aws\_node\_termination\_handler](#input\_enable\_aws\_node\_termination\_handler) | Enable AWS Node Termination Handler add-on | `bool` | `false` | no | -| [enable\_cluster\_autoscaler](#input\_enable\_cluster\_autoscaler) | Enable Cluster autoscaler add-on | `bool` | `false` | no | -| [enable\_metrics\_server](#input\_enable\_metrics\_server) | Enable metrics server add-on | `bool` | `false` | no | -| [intra\_subnets](#input\_intra\_subnets) | A list of intra subnets | `list(string)` | `[]` | no | -| 
[kc\_db\_allocated\_storage](#input\_kc\_db\_allocated\_storage) | The database allocated storage to use for Keycloak | `number` | n/a | yes | -| [kc\_db\_engine\_version](#input\_kc\_db\_engine\_version) | The database engine to use for Keycloak | `string` | n/a | yes | -| [kc\_db\_family](#input\_kc\_db\_family) | The database family to use for Keycloak | `string` | n/a | yes | -| [kc\_db\_instance\_class](#input\_kc\_db\_instance\_class) | The database instance class to use for Keycloak | `string` | n/a | yes | -| [kc\_db\_major\_engine\_version](#input\_kc\_db\_major\_engine\_version) | The database major engine version to use for Keycloak | `string` | n/a | yes | -| [kc\_db\_max\_allocated\_storage](#input\_kc\_db\_max\_allocated\_storage) | The database allocated storage to use for Keycloak | `number` | n/a | yes | -| [keycloak\_db\_password](#input\_keycloak\_db\_password) | The password to use for the Keycloak database | `string` | `"my-password"` | no | -| [keycloak\_enabled](#input\_keycloak\_enabled) | Whether to enable Keycloak | `bool` | `false` | no | -| [loki\_s3\_bucket\_kms\_key\_alias](#input\_loki\_s3\_bucket\_kms\_key\_alias) | The alias of the KMS key to use for the Loki S3 bucket | `string` | `""` | no | -| [manage\_aws\_auth\_configmap](#input\_manage\_aws\_auth\_configmap) | Determines whether to manage the aws-auth configmap | `bool` | `false` | no | -| [metrics\_server\_helm\_config](#input\_metrics\_server\_helm\_config) | Metrics Server Helm Chart config | `any` | `{}` | no | -| [region](#input\_region) | The AWS region to deploy into | `string` | n/a | yes | -| [region2](#input\_region2) | The AWS region to deploy into | `string` | n/a | yes | -| [vpc\_cidr](#input\_vpc\_cidr) | The CIDR block for the VPC | `string` | n/a | yes | -| [vpc\_instance\_tenancy](#input\_vpc\_instance\_tenancy) | The tenancy of instances launched into the VPC | `string` | `"default"` | no | -| [vpc\_name](#input\_vpc\_name) | The name to use for the VPC | 
`string` | `"my-vpc"` | no | -| [zarf\_version](#input\_zarf\_version) | The version of Zarf to use | `string` | `""` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [bastion\_instance\_id](#output\_bastion\_instance\_id) | The ID of the bastion host | -| [bastion\_private\_key](#output\_bastion\_private\_key) | The private key for the bastion host | -| [dynamodb\_name](#output\_dynamodb\_name) | Name of DynmoDB table | -| [keycloak\_db\_instance\_endpoint](#output\_keycloak\_db\_instance\_endpoint) | The connection endpoint | -| [keycloak\_db\_instance\_name](#output\_keycloak\_db\_instance\_name) | The database name | -| [keycloak\_db\_instance\_port](#output\_keycloak\_db\_instance\_port) | The database port | -| [keycloak\_db\_instance\_username](#output\_keycloak\_db\_instance\_username) | The master username for the database | -| [loki\_s3\_bucket](#output\_loki\_s3\_bucket) | Loki S3 Bucket Name | - diff --git a/examples/complete-self-managed-ng-intra-subnets/backend.tf.example b/examples/complete-self-managed-ng-intra-subnets/backend.tf.example deleted file mode 100644 index 6e9833ac..00000000 --- a/examples/complete-self-managed-ng-intra-subnets/backend.tf.example +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - backend "s3" { - region = "" - bucket = "" - key = "" - dynamodb_table = "" - encrypt = "true" - } -} diff --git a/examples/complete-self-managed-ng-intra-subnets/bigbang-dependencies.tf b/examples/complete-self-managed-ng-intra-subnets/bigbang-dependencies.tf deleted file mode 100644 index 833f1974..00000000 --- a/examples/complete-self-managed-ng-intra-subnets/bigbang-dependencies.tf +++ /dev/null 
@@ -1,83 +0,0 @@ - -########################################################### -############## Big Bang Core Dependencies ################# -########################################################### - -########################################################### -################# Enable EKS Sops ######################### - -module "flux_sops" { - # source = "git::https://github.com/defenseunicorns/iac.git//modules/sops?ref=v" - source = "../../modules/sops" - - region = var.region - cluster_name = module.eks.cluster_name - vpc_id = module.vpc.vpc_id - policy_name_prefix = "${module.eks.cluster_name}-flux-sops" - kms_key_alias = "${module.eks.cluster_name}-flux-sops" - kubernetes_service_account = "flux-system-sops-sa" - kubernetes_namespace = "flux-system" - irsa_sops_iam_role_name = "${module.eks.cluster_name}-flux-system-sa-role" - eks_oidc_provider_arn = module.eks.oidc_provider_arn - tags = local.tags - role_name = module.bastion.bastion_role_name -} - -########################################################### -################## Loki S3 Buckets ######################## - -module "loki_s3_bucket" { - # source = "git::https://github.com/defenseunicorns/iac.git//modules/s3-irsa?ref=v" - source = "../../modules/s3-irsa" - - region = var.region - cluster_name = module.eks.cluster_name - policy_name_prefix = "loki-s3-policy" - bucket_prefix = "loki-s3" - kms_key_alias = var.loki_s3_bucket_kms_key_alias - kubernetes_service_account = "logging-loki-s3-sa" - kubernetes_namespace = "logging" - irsa_iam_role_name = "${module.eks.cluster_name}-logging-loki-sa-role" - eks_oidc_provider_arn = module.eks.oidc_provider - tags = local.tags - dynamodb_enabled = true -} - -########################################################### -############ Big Bang Add-Ons Dependencies ################ -########################################################### - -########################################################### -############### Keycloak RDS Database ##################### 
- -module "rds_postgres_keycloak" { - # source = "git::https://github.com/defenseunicorns/iac.git//modules/rds?ref=v" - source = "../../modules/rds" - - count = var.keycloak_enabled ? 1 : 0 - - # provider alias is needed for every parent module supporting RDS backup replication is a separate region - providers = { - aws.region2 = aws.region2 - } - - vpc_id = module.vpc.vpc_id - vpc_cidr = module.vpc.vpc_cidr_block - database_subnet_group_name = module.vpc.database_subnet_group_name - engine = "postgres" - engine_version = var.kc_db_engine_version - family = var.kc_db_family - major_engine_version = var.kc_db_major_engine_version - instance_class = var.kc_db_instance_class - identifier = "${var.cluster_name}-keycloak" - db_name = "keycloak" # Can only be alphanumeric, no hyphens or underscores - username = "kcadmin" - create_random_password = false - password = var.keycloak_db_password - allocated_storage = var.kc_db_allocated_storage - max_allocated_storage = var.kc_db_max_allocated_storage - create_db_subnet_group = true - deletion_protection = false - # automated_backups_replication_enabled = true - tags = local.tags -} diff --git a/examples/complete-self-managed-ng-intra-subnets/main.tf b/examples/complete-self-managed-ng-intra-subnets/main.tf deleted file mode 100644 index cbb61f06..00000000 --- a/examples/complete-self-managed-ng-intra-subnets/main.tf +++ /dev/null 
@@ -1,232 +0,0 @@ -data "aws_partition" "current" {} - -locals { - tags = { - Blueprint = replace(basename(path.cwd), "_", "-") # tag names based on the directory name - GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints" - } -} - -data "aws_ami" "amazonlinux2" { - most_recent = true - - filter { - name = "name" - values = ["amzn2-ami-hvm*x86_64-gp2"] - } - - owners = ["amazon"] -} - -########################################################### -####################### VPC ############################### - -module "vpc" { - # source = "git::https://github.com/defenseunicorns/iac.git//modules/vpc?ref=v" - source = "../../modules/vpc" - - region = var.region - name = var.vpc_name - vpc_cidr = var.vpc_cidr - azs = ["${var.region}a", "${var.region}b", "${var.region}c"] - public_subnets = [for k, v in module.vpc.azs : cidrsubnet(module.vpc.vpc_cidr_block, 5, k)] - private_subnets = [for k, v in module.vpc.azs : cidrsubnet(module.vpc.vpc_cidr_block, 5, k + 4)] - database_subnets = [for k, v in module.vpc.azs : cidrsubnet(module.vpc.vpc_cidr_block, 5, k + 8)] - intra_subnets = [for k, v in module.vpc.azs : cidrsubnet(module.vpc.vpc_cidr_block, 5, k + 12)] - single_nat_gateway = true - enable_nat_gateway = true - - private_subnet_tags = { - "kubernetes.io/cluster/${var.cluster_name}" = "shared" - "kubernetes.io/role/internal-elb" = 1 - } - create_database_subnet_group = true - create_database_subnet_route_table = true - - instance_tenancy = var.vpc_instance_tenancy # dedicated tenancy globally set in VPC does not currently work with EKS -} - -########################################################### -##################### Bastion ############################# - -module "bastion" { - # source = "git::https://github.com/defenseunicorns/iac.git//modules/bastion?ref=v" - source = "../../modules/bastion" - - ami_id = coalesce(var.bastion_ami_id, data.aws_ami.amazonlinux2.id) #use var.bastion_ami_id if set, otherwise use the latest Amazon Linux 2 AMI - instance_type = 
var.bastion_instance_type - root_volume_config = { - volume_type = "gp3" - volume_size = "20" - encrypted = true - } - name = var.bastion_name - vpc_id = module.vpc.vpc_id - subnet_id = module.vpc.private_subnets[0] - aws_region = var.region - access_log_bucket_name = "${var.bastion_name}-access-logs" - bucket_name = "${var.bastion_name}-session-logs" - ssh_user = var.bastion_ssh_user - ssh_password = var.bastion_ssh_password - assign_public_ip = false # var.assign_public_ip - enable_log_to_s3 = true - enable_log_to_cloudwatch = true - vpc_endpoints_enabled = true - tenancy = var.bastion_tenancy - zarf_version = var.zarf_version - tags = { - Function = "bastion-ssm" - } -} - -########################################################### -################### EKS Cluster ########################### -module "eks" { - # source = "git::https://github.com/defenseunicorns/iac.git//modules/eks?ref=v" - source = "../../modules/eks" - - name = var.cluster_name - aws_region = var.region - aws_account = var.account - vpc_id = module.vpc.vpc_id - private_subnet_ids = module.vpc.private_subnets - vpc_cni_custom_subnet = module.vpc.intra_subnets - # control_plane_subnet_ids = module.vpc.private_subnets #uses subnet_ids if not set - source_security_group_id = module.bastion.security_group_ids[0] - cluster_endpoint_public_access = var.cluster_endpoint_public_access - cluster_endpoint_private_access = true - aws_admin_usernames = var.aws_admin_usernames - cluster_version = var.cluster_version - bastion_role_arn = module.bastion.bastion_role_arn - bastion_role_name = module.bastion.bastion_role_name - - #AWS_AUTH - manage_aws_auth_configmap = var.manage_aws_auth_configmap - create_aws_auth_configmap = var.create_aws_auth_configmap - - ########################################################### - # Self Managed Node Groups - - self_managed_node_group_defaults = { - instance_type = "m5.xlarge" - update_launch_template_default_version = true - iam_role_additional_policies = { - 
AmazonSSMManagedInstanceCore = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore" - } - # enable discovery of autoscaling groups by cluster-autoscaler - autoscaling_group_tags = { - "k8s.io/cluster-autoscaler/enabled" : true, - "k8s.io/cluster-autoscaler/${var.cluster_name}" : "owned" - } - metadata_options = { - #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options - http_endpoint = "enabled" - http_put_response_hop_limit = 2 - http_tokens = "optional" # set to "enabled" to enforce IMDSv2, default for upstream terraform-aws-eks module - } - } - - self_managed_node_groups = { - self_mg1 = { - node_group_name = "self_mg1" - subnet_ids = module.vpc.private_subnets - - min_size = 3 - max_size = 10 - desired_size = 3 - - # ami_id = "" # defaults to latest amazon linux 2 eks ami matching k8s version in the upstream module - # create_iam_role = true # Changing `create_iam_role=false` to bring your own IAM Role - # iam_role_arn = module.eks.aws_iam_role_self_managed_ng_arn # custom IAM role for aws-auth mapping; used when create_iam_role = false - # iam_instance_profile_name = module.eks.aws_iam_instance_profile_self_managed_ng_name # IAM instance profile name for Launch templates; used when create_iam_role = false - placement = { - tenancy = var.eks_worker_tenancy - } - - metadata_options = false - - pre_bootstrap_userdata = <<-EOT - yum install -y amazon-ssm-agent - systemctl enable amazon-ssm-agent && systemctl start amazon-ssm-agent - EOT - - post_userdata = <<-EOT - echo "Bootstrap successfully completed! You can further apply config or install to run after bootstrap if needed" - EOT - - # bootstrap_extra_args used only when you pass custom_ami_id. 
Allows you to change the Container Runtime for Nodes - # e.g., bootstrap_extra_args="--use-max-pods false --container-runtime containerd" - bootstrap_extra_args = "--use-max-pods false" - - block_device_mappings = { - xvda = { - device_name = "/dev/xvda" - ebs = { - volume_size = 50 - volume_type = "gp3" - } - }, - xvdf = { - device_name = "/dev/xvdf" - ebs = { - volume_size = 80 - volume_type = "gp3" - iops = 3000 - throughput = 125 - } - }, - xvdg = { - device_name = "/dev/xvdg" - ebs = { - volume_size = 100 - volume_type = "gp3" - iops = 3000 - throughput = 125 - } - } - } - - instance_type = "m5.xlarge" - #capacity_type = "" # Optional Use this only for SPOT capacity as capacity_type = "spot". Only for eks_managed_node_groups - - tags = { - subnet_type = "private" - } - } - } - - #--------------------------------------------------------------- - #"native" EKS Add-Ons - #--------------------------------------------------------------- - - # VPC CNI - amazon_eks_vpc_cni = var.amazon_eks_vpc_cni - - #--------------------------------------------------------------- - # EKS Blueprints - EKS Add-Ons - #--------------------------------------------------------------- - - # EKS CoreDNS - enable_amazon_eks_coredns = var.enable_amazon_eks_coredns - amazon_eks_coredns_config = var.amazon_eks_coredns_config - - # EKS kube-proxy - enable_amazon_eks_kube_proxy = var.enable_amazon_eks_kube_proxy - amazon_eks_kube_proxy_config = var.amazon_eks_kube_proxy_config - - # EKS EBS CSI Driver - enable_amazon_eks_aws_ebs_csi_driver = var.enable_amazon_eks_aws_ebs_csi_driver - amazon_eks_aws_ebs_csi_driver_config = var.amazon_eks_aws_ebs_csi_driver_config - - # EKS Metrics Server - enable_metrics_server = var.enable_metrics_server - metrics_server_helm_config = var.metrics_server_helm_config - - # EKS AWS node termination handler - enable_aws_node_termination_handler = var.enable_aws_node_termination_handler - aws_node_termination_handler_helm_config = 
var.aws_node_termination_handler_helm_config - - # EKS Cluster Autoscaler - enable_cluster_autoscaler = var.enable_cluster_autoscaler - cluster_autoscaler_helm_config = var.cluster_autoscaler_helm_config -} diff --git a/examples/complete-self-managed-ng-intra-subnets/outputs.tf b/examples/complete-self-managed-ng-intra-subnets/outputs.tf deleted file mode 100644 index b5d1c77f..00000000 --- a/examples/complete-self-managed-ng-intra-subnets/outputs.tf +++ /dev/null @@ -1,41 +0,0 @@ -output "loki_s3_bucket" { - description = "Loki S3 Bucket Name" - value = try(module.loki_s3_bucket.s3_bucket, null) -} - -output "keycloak_db_instance_endpoint" { - description = "The connection endpoint" - value = try(module.rds_postgres_keycloak[0].db_instance_endpoint, null) - -} - -output "keycloak_db_instance_name" { - description = "The database name" - value = try(module.rds_postgres_keycloak[0].db_instance_name, null) -} - -output "keycloak_db_instance_username" { - description = "The master username for the database" - value = try(module.rds_postgres_keycloak[0].db_instance_username, null) - sensitive = true -} - -output "keycloak_db_instance_port" { - description = "The database port" - value = try(module.rds_postgres_keycloak[0].db_instance_port, null) -} - -output "bastion_instance_id" { - description = "The ID of the bastion host" - value = try(module.bastion.instance_id, null) -} - -output "bastion_private_key" { - description = "The private key for the bastion host" - value = try(module.bastion.private_key, null) - sensitive = true -} -output "dynamodb_name" { - description = "Name of DynmoDB table" - value = try(module.loki_s3_bucket.dynamodb_name, null) -} diff --git a/examples/complete-self-managed-ng-intra-subnets/providers.tf b/examples/complete-self-managed-ng-intra-subnets/providers.tf deleted file mode 100644 index acb8e25f..00000000 --- a/examples/complete-self-managed-ng-intra-subnets/providers.tf +++ /dev/null 
@@ -1,59 +0,0 @@ - -data "aws_eks_cluster_auth" "this" { - name = module.eks.cluster_name -} - -data "aws_eks_cluster" "example" { - name = module.eks.cluster_name - depends_on = [ - module.eks.cluster_status - ] -} - -provider "aws" { - region = var.region - default_tags { - tags = var.default_tags - } -} - -provider "aws" { - alias = "region2" - region = var.region2 - default_tags { - tags = var.default_tags - } -} - -provider "kubernetes" { - host = data.aws_eks_cluster.example.endpoint - cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data) - exec { - api_version = "client.authentication.k8s.io/v1" - args = ["eks", "get-token", "--cluster-name", var.cluster_name] - command = "aws" - } -} - -provider "helm" { - kubernetes { - host = data.aws_eks_cluster.example.endpoint - cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data) - exec { - api_version = "client.authentication.k8s.io/v1" - args = ["eks", "get-token", "--cluster-name", var.cluster_name] - command = "aws" - } - } -} - -provider "kubectl" { - apply_retry_count = 5 - host = data.aws_eks_cluster.example.endpoint - cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data) - exec { - api_version = "client.authentication.k8s.io/v1beta1" - args = ["eks", "get-token", "--cluster-name", var.cluster_name] - command = "aws" - } -} diff --git a/examples/complete-self-managed-ng-intra-subnets/terraform.tfvars.example b/examples/complete-self-managed-ng-intra-subnets/terraform.tfvars.example deleted file mode 100644 index 5b20df0c..00000000 --- a/examples/complete-self-managed-ng-intra-subnets/terraform.tfvars.example +++ /dev/null 
@@ -1,96 +0,0 @@ -# Rename this file to .tfvars and fill in the values -# Run terraform command to specify using the tfvars file `terraform plan -var-file tf-state-backend.tfvars` -# Variables can also be set via environment variables - -########################################################### -################## Global Settings ######################## - -region = "us-east-2" # target AWS region -region2 = "us-east-1" # RDS backup target AWS region -account = "100008675309" # target AWS account -aws_profile = "du-dev" # local AWS profile to be used for deployment -aws_admin_usernames = ["Bob.Marley", "Jane.Doe"] # list of users to be added to the AWS admin group -default_tags = { - Environment = "dev" - Project = "du-navy" - Owner = "my-name" -} -manage_aws_auth_configmap = true -create_aws_auth_configmap = true - -########################################################### -#################### VPC Config ########################### - -vpc_cidr = "10.200.0.0/16" -vpc_name = "my-vpc" -# vpc_instance_tenancy = "dedicated" #does not currently work with EKS - -########################################################### -################## Bastion Config ######################### - -bastion_name = "my-bastion" -# bastion_ami_id = "ami-04afd6ecf73c0a579" # AWS linux 2 CIS STIG // "ami-000d4884381edb14c" #AWS linux 2 #optional -bastion_ssh_user = "ec2-user" # local user in bastion used to ssh -bastion_ssh_password = "my-password" -bastion_tenancy = "dedicated" -zarf_version = "v0.24.0-rc4" - -########################################################### -#################### EKS Config ########################### - -cluster_name = "my-eks" -cluster_version = "1.23" -eks_worker_tenancy = "dedicated" -cluster_endpoint_public_access = true -instance_type = "m4.xlarge" - - -########################################################### -############## Big Bang Dependencies ###################### - -keycloak_enabled = true -# other_addon_enabled = true - - 
-#################### Keycloak ########################### - -keycloak_db_password = "my-password" -kc_db_engine_version = "14.1" -kc_db_family = "postgres14" # DB parameter group -kc_db_major_engine_version = "14" # DB option group -kc_db_allocated_storage = 20 -kc_db_max_allocated_storage = 100 -kc_db_instance_class = "db.t4g.large" - -#################### Other Addon ######################## -loki_s3_bucket_kms_key_alias = "my-loki-s3" - -enable_amazon_eks_vpc_cni = true -amazon_eks_vpc_cni_before_compute = true -amazon_eks_vpc_cni_most_recent = true -amazon_eks_vpc_cni_resolve_conflict = "OVERWRITE" -amazon_eks_vpc_cni_configuration_values = { - # Reference https://aws.github.io/aws-eks-best-practices/reliability/docs/networkmanagement/#cni-custom-networking - AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = "true" - ENI_CONFIG_LABEL_DEF = "topology.kubernetes.io/zone" # allows vpc-cni to use topology labels to determine which subnet to deploy an ENI in - - # Reference docs https://docs.aws.amazon.com/eks/latest/userguide/cni-increase-ip-addresses.html - ENABLE_PREFIX_DELEGATION = "true" - WARM_PREFIX_TARGET = "1" -} - -amazon_eks_vpc_cni = { - enabled = true - before_compute = true - most_recent = true - resolve_conflict = "OVERWRITE" - configuration_values = { - # Reference https://aws.github.io/aws-eks-best-practices/reliability/docs/networkmanagement/#cni-custom-networking - AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = "true" - ENI_CONFIG_LABEL_DEF = "topology.kubernetes.io/zone" # allows vpc-cni to use topology labels to determine which subnet to deploy an ENI in - - # Reference docs https://docs.aws.amazon.com/eks/latest/userguide/cni-increase-ip-addresses.html - ENABLE_PREFIX_DELEGATION = "true" - WARM_PREFIX_TARGET = "1" - } -} diff --git a/examples/complete-self-managed-ng-intra-subnets/variables.tf b/examples/complete-self-managed-ng-intra-subnets/variables.tf deleted file mode 100644 index 905916bf..00000000 
--- a/examples/complete-self-managed-ng-intra-subnets/variables.tf +++ /dev/null 
@@ -1,329 +0,0 @@ -########################################################### -################## Global Settings ######################## - -variable "region" { - description = "The AWS region to deploy into" - type = string -} - -variable "region2" { - description = "The AWS region to deploy into" - type = string -} - -variable "account" { - description = "The AWS account to deploy into" - type = string -} - -variable "aws_profile" { - description = "The AWS profile to use for deployment" - type = string -} - -variable "aws_admin_usernames" { - description = "A list of one or more AWS usernames with admin access to KMS and EKS resources" - type = list(string) -} - -variable "manage_aws_auth_configmap" { - description = "Determines whether to manage the aws-auth configmap" - type = bool - default = false -} - -variable "create_aws_auth_configmap" { - description = "Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). 
Most users should use `manage_aws_auth_configmap`" - type = bool - default = false -} - -variable "default_tags" { - description = "A map of default tags to apply to all resources" - type = map(string) - default = {} -} - -########################################################### -#################### VPC Config ########################### - -variable "vpc_cidr" { - description = "The CIDR block for the VPC" - type = string -} - -variable "vpc_name" { - description = "The name to use for the VPC" - type = string - default = "my-vpc" -} - -variable "create_database_subnet_group" { - description = "Whether to create a database subnet group" - type = bool - default = true -} - -variable "create_database_subnet_route_table" { - description = "Whether to create a database subnet route table" - type = bool - default = true -} - -variable "intra_subnets" { - description = "A list of intra subnets" - type = list(string) - default = [] -} - -########################################################### -#################### EKS Config ########################### - -variable "cluster_name" { - description = "The name to use for the EKS cluster" - type = string - default = "my-eks" -} - -variable "cluster_version" { - description = "The Kubernetes version to use for the EKS cluster" - type = string - default = "1.23" -} - -variable "cluster_endpoint_public_access" { - description = "Whether to enable private access to the EKS cluster" - type = bool - default = false -} - -########################################################### -################## EKS Addons Config ###################### - -#----------------AWS EKS VPC CNI------------------------- -variable "amazon_eks_vpc_cni" { - description = <<-EOD - The VPC CNI add-on configuration. - enabled - (Optional) Whether to enable the add-on. Defaults to false. - before_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true. 
- most_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true. - resolve_conflict - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE. - configuration_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. - EOD - type = object({ - enabled = bool - before_compute = bool - most_recent = bool - resolve_conflict = string - configuration_values = map(any) # hcl format later to be json encoded - }) - default = { - before_compute = true - enabled = false - most_recent = true - resolve_conflict = "OVERWRITE" - configuration_values = { - # Reference https://aws.github.io/aws-eks-best-practices/reliability/docs/networkmanagement/#cni-custom-networking - AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = "true" - ENI_CONFIG_LABEL_DEF = "topology.kubernetes.io/zone" # allows vpc-cni to use topology labels to determine which subnet to deploy an ENI in - - # Reference docs https://docs.aws.amazon.com/eks/latest/userguide/cni-increase-ip-addresses.html - ENABLE_PREFIX_DELEGATION = "true" - WARM_PREFIX_TARGET = "1" - } - } -} - -#----------------AWS CoreDNS------------------------- -variable "enable_amazon_eks_coredns" { - description = "Enable Amazon EKS CoreDNS add-on" - type = bool - default = false -} - -variable "amazon_eks_coredns_config" { - description = "Configuration for Amazon CoreDNS EKS add-on" - type = any - default = {} -} - -#----------------AWS Kube Proxy------------------------- -variable "enable_amazon_eks_kube_proxy" { - description = "Enable Kube Proxy add-on" - type = bool - default = false -} - -variable "amazon_eks_kube_proxy_config" { - description = "ConfigMap for Amazon EKS Kube-Proxy add-on" - type = any - default = {} -} - -#----------------AWS EBS CSI Driver------------------------- -variable 
"enable_amazon_eks_aws_ebs_csi_driver" { - description = "Enable EKS Managed AWS EBS CSI Driver add-on; enable_amazon_eks_aws_ebs_csi_driver and enable_self_managed_aws_ebs_csi_driver are mutually exclusive" - type = bool - default = false -} - -variable "amazon_eks_aws_ebs_csi_driver_config" { - description = "configMap for AWS EBS CSI Driver add-on" - type = any - default = {} -} - -#----------------Metrics Server------------------------- -variable "enable_metrics_server" { - description = "Enable metrics server add-on" - type = bool - default = false -} - -variable "metrics_server_helm_config" { - description = "Metrics Server Helm Chart config" - type = any - default = {} -} - -#----------------AWS Node Termination Handler------------------------- -variable "enable_aws_node_termination_handler" { - description = "Enable AWS Node Termination Handler add-on" - type = bool - default = false -} - -variable "aws_node_termination_handler_helm_config" { - description = "AWS Node Termination Handler Helm Chart config" - type = any - default = {} -} - -#----------------Cluster Autoscaler------------------------- -variable "enable_cluster_autoscaler" { - description = "Enable Cluster autoscaler add-on" - type = bool - default = false -} - -variable "cluster_autoscaler_helm_config" { - description = "Cluster Autoscaler Helm Chart config" - type = any - default = {} -} - -########################################################### -################## Bastion Config ######################### - -variable "bastion_name" { - description = "The name to use for the bastion" - type = string - default = "my-bastion" -} - -variable "bastion_instance_type" { - description = "value for the instance type of the EKS worker nodes" - type = string - default = "m5.xlarge" -} - -variable "assign_public_ip" { - description = "Whether to assign a public IP to the bastion" - type = bool - default = false -} - -variable "bastion_ami_id" { - description = "(Optional) The AMI ID to use for the 
bastion, will query the latest Amazon Linux 2 AMI if not provided" - type = string - default = "" -} - -variable "bastion_ssh_user" { - description = "The SSH user to use for the bastion" - type = string - default = "ec2-user" -} - -variable "bastion_ssh_password" { - description = "The SSH password to use for the bastion if SSM authentication is used" - type = string - default = "my-password" -} - -########################################################### -############## Big Bang Dependencies ###################### - -variable "keycloak_enabled" { - description = "Whether to enable Keycloak" - type = bool - default = false -} - -#################### Keycloak ########################### - -variable "keycloak_db_password" { - description = "The password to use for the Keycloak database" - type = string - default = "my-password" -} - -variable "kc_db_engine_version" { - description = "The database engine to use for Keycloak" - type = string -} - -variable "kc_db_family" { - description = "The database family to use for Keycloak" - type = string -} - -variable "kc_db_major_engine_version" { - description = "The database major engine version to use for Keycloak" - type = string -} - -variable "kc_db_instance_class" { - description = "The database instance class to use for Keycloak" - type = string -} - -variable "kc_db_allocated_storage" { - description = "The database allocated storage to use for Keycloak" - type = number -} - -variable "kc_db_max_allocated_storage" { - description = "The database allocated storage to use for Keycloak" - type = number -} - -variable "vpc_instance_tenancy" { - description = "The tenancy of instances launched into the VPC" - type = string - default = "default" -} - -variable "bastion_tenancy" { - description = "The tenancy of the bastion" - type = string - default = "default" -} - -variable "eks_worker_tenancy" { - description = "The tenancy of the EKS worker nodes" - type = string - default = "default" -} - -variable "zarf_version" { 
- description = "The version of Zarf to use" - type = string - default = "" -} - -variable "loki_s3_bucket_kms_key_alias" { - description = "The alias of the KMS key to use for the Loki S3 bucket" - type = string - default = "" -} diff --git a/examples/complete-self-managed-nodegroup/.terraform.lock.hcl b/examples/complete-self-managed-nodegroup/.terraform.lock.hcl index 99c00212..257d5c52 100644 --- a/examples/complete-self-managed-nodegroup/.terraform.lock.hcl +++ b/examples/complete-self-managed-nodegroup/.terraform.lock.hcl @@ -6,7 +6,6 @@ provider "registry.terraform.io/gavinbunney/kubectl" { constraints = ">= 1.14.0" hashes = [ "h1:ItrWfCZMzM2JmvDncihBMalNLutsAk7kyyxVRaipftY=", - "h1:mX2AOFIMIxJmW5kM8DT51gloIOKCr9iT6W8yodnUyfs=", "zh:0350f3122ff711984bbc36f6093c1fe19043173fad5a904bce27f86afe3cc858", "zh:07ca36c7aa7533e8325b38232c77c04d6ef1081cb0bac9d56e8ccd51f12f2030", "zh:0c351afd91d9e994a71fe64bbd1662d0024006b3493bb61d46c23ea3e42a7cf5", 
@@ -20,117 +19,92 @@ provider "registry.terraform.io/gavinbunney/kubectl" { } provider "registry.terraform.io/hashicorp/aws" { - version = "4.53.0" - constraints = ">= 3.28.0, >= 3.29.0, >= 3.72.0, >= 3.73.0, >= 4.9.0, >= 4.10.0, >= 4.13.0, >= 4.45.0" + version = "4.58.0" + constraints = ">= 3.28.0, >= 3.29.0, >= 3.72.0, >= 3.73.0, >= 4.9.0, >= 4.10.0, >= 4.13.0, >= 4.45.0, >= 4.47.0" hashes = [ - "h1:P6ZZ716SRIimw0t/SAgYbOMZtO0HDvwVQKxyHEW6aaE=", - "h1:SamdqgizhmtJ7ejTM/G8RoxMoKC1ovLnd1jBzCFkI7c=", - "zh:0d44171544a916adf0fa96b7d0851a49d8dec98f71f0229dfd2d178958b3996b", - "zh:16945808ce26b86af7f5a77c4ab1154da786208c793abb95b8f918b4f48daded", - "zh:1a57a5a30cef9a5867579d894b74f60bb99afc7ca0d030d49a80ad776958b428", - "zh:2c718734ae17430d7f598ca0b4e4f86d43d66569c72076a10f4ace3ff8dfc605", - "zh:46fdf6301cb2fa0a4d122d1a8f75f047b6660c24851d6a4537ee38926a86485d", - "zh:53a53920b38a9e1648e85c6ee33bccf95bfcd067bffc4934a2af55621e6a6bd9", - "zh:548d927b234b1914c43169224b03f641d0961a4e312e5c6508657fce27b66db4", - "zh:57c847b2a5ae41ddea20b18ef006369d36bfdc4dec7f542f60e22a47f7b6f347", - "zh:79f7402b581621ba69f5a07ce70299735c678beb265d114d58955d04f0d39f87", - "zh:8970109a692dc4ecbda98a0969da472da4759db90ce22f2a196356ea85bb2cf7", + "h1:YIRXIr1ji0HLWLU0ae+UbUNOHc9MJaLrMHxH3LIQ/Vk=", + "zh:14b2b2dfbc7ee705c412d762b1485ee08958c816a64ac74f5769e946e4a1d265", + "zh:17a37e6825e2023b18987d31c0cbb9336654ea146b68e6c90710ea4636af71ae", + "zh:273127c69fb244577e5c136c46164d34f77b0c956c18d27f63d1072dd558f924", + "zh:4b2b6416d34fb3e1051c99d2a84045b136976140e34381d5fbf90e32db15272e", + "zh:7e6a8571ff15d51f892776265642ee01004b8553fd4f6f2014b6f3f2834670c7", + "zh:847c76ab2381b66666d0f79cf1ac697b5bfd0d9c3009fd11bc6ad6545d1eb427", + "zh:9a52cae08ba8d27d0639a8d2b8c61591027883058bf0cc5a639cffe1e299f019", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a500cc4ffcad854dec0cf6f97751930a53c9f278f143a4355fa8892aa77c77bf", - 
"zh:b687c20b42a8b9e9e9f56c42e3b3c6859c043ec72b8907a6e4d4b64068e11df5", - "zh:e2c592e96822b78287554be43c66398f658c74c4ae3796f6b9e6d4b0f1f7f626", - "zh:ff1c4a46fdc988716c6fc28925549600093fc098828237cb1a30264e15cf730f", + "zh:9df647e8322d6f94f1843366ba39d21c4b36c8e7dcdc03711d52e27f73b0e974", + "zh:9e52037e68409802ff913b166c30e3f2035af03865cbef0c1b03762bce853941", + "zh:a30288e7c3c904d6998d1709835d7c5800a739f8608f0837f960286a2b8b6e59", + "zh:a7f24e3bda3be566468e4ad62cef1016f68c6f5a94d2e3e979485bc05626281b", + "zh:ba326ba80f5e39829b67a6d1ce54ba52b171e5e13a0a91ef5f9170a9b0cc9ce4", + "zh:c4e3fe9f2be6e244a3dfce599f4b0be9e8fffaece64cbc65f3195f825f65489b", + "zh:f20a251af37039bb2c7612dbd2c5df3a25886b4cc78f902385a2850ea6e30d08", ] } provider "registry.terraform.io/hashicorp/cloudinit" { - version = "2.2.0" + version = "2.3.2" constraints = ">= 2.0.0" hashes = [ - "h1:Id6dDkpuSSLbGPTdbw49bVS/7XXHu/+d7CJoGDqtk5g=", - "h1:siiI0wK6/jUDdA5P8ifTO0yc9YmXHml4hz5K9I9N+MA=", - "zh:76825122171f9ea2287fd27e23e80a7eb482f6491a4f41a096d77b666896ee96", - "zh:795a36dee548e30ca9c9d474af9ad6d29290e0a9816154ad38d55381cd0ab12d", - "zh:9200f02cb917fb99e44b40a68936fd60d338e4d30a718b7e2e48024a795a61b9", - "zh:a33cf255dc670c20678063aa84218e2c1b7a67d557f480d8ec0f68bc428ed472", - "zh:ba3c1b2cd0879286c1f531862c027ec04783ece81de67c9a3b97076f1ce7f58f", - "zh:bd575456394428a1a02191d2e46af0c00e41fd4f28cfe117d57b6aeb5154a0fb", - "zh:c68dd1db83d8437c36c92dc3fc11d71ced9def3483dd28c45f8640cfcd59de9a", - "zh:cbfe34a90852ed03cc074601527bb580a648127255c08589bc3ef4bf4f2e7e0c", - "zh:d6ffd7398c6d1f359b96f5b757e77b99b339fbb91df1b96ac974fe71bc87695c", - "zh:d9c15285f847d7a52df59e044184fb3ba1b7679fd0386291ed183782683d9517", - "zh:f7dd02f6d36844da23c9a27bb084503812c29c1aec4aba97237fec16860fdc8c", + "h1:ocyv0lvfyvzW4krenxV5CL4Jq5DiA3EUfoy8DR6zFMw=", + "zh:2487e498736ed90f53de8f66fe2b8c05665b9f8ff1506f751c5ee227c7f457d1", + "zh:3d8627d142942336cf65eea6eb6403692f47e9072ff3fa11c3f774a3b93130b3", + 
"zh:434b643054aeafb5df28d5529b72acc20c6f5ded24decad73b98657af2b53f4f", + "zh:436aa6c2b07d82aa6a9dd746a3e3a627f72787c27c80552ceda6dc52d01f4b6f", + "zh:458274c5aabe65ef4dbd61d43ce759287788e35a2da004e796373f88edcaa422", + "zh:54bc70fa6fb7da33292ae4d9ceef5398d637c7373e729ed4fce59bd7b8d67372", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:893ba267e18749c1a956b69be569f0d7bc043a49c3a0eb4d0d09a8e8b2ca3136", + "zh:95493b7517bce116f75cdd4c63b7c82a9d0d48ec2ef2f5eb836d262ef96d0aa7", + "zh:9ae21ab393be52e3e84e5cce0ef20e690d21f6c10ade7d9d9d22b39851bfeddc", + "zh:cc3b01ac2472e6d59358d54d5e4945032efbc8008739a6d4946ca1b621a16040", + "zh:f23bfe9758f06a1ec10ea3a81c9deedf3a7b42963568997d84a5153f35c5839a", ] } provider "registry.terraform.io/hashicorp/helm" { - version = "2.8.0" + version = "2.9.0" constraints = ">= 2.4.1, >= 2.5.1" hashes = [ - "h1:U0w0mUT0SwZCR0poGNSxGaZJKWcOiu4GerpGztYBiMM=", - "h1:a98mBNghv9odh5PVmgdXapgyYJmO/ncAWkwLWdXLuY4=", - "zh:1e42d1a04c07d4006844e477ca32b5f45b04f6525dbbbe00b6be6e6ec5a11c54", - "zh:2f87187cb48ccfb18d12e2c4332e7e822923b659e7339b954b7db78aff91529f", - "zh:391fe49b4d2dc07bc717248a3fc6952189cfc49c596c514ad72a29c9a9f9d575", - "zh:89272048e1e63f3edc3e83dfddd5a9fd4bd2a4ead104e67de1e14319294dedf1", - "zh:a5a057c3435a854389ce8a1d98a54aaa7cbab68aca7baa436a605897aa70ff7e", - "zh:b1098e53e1a8a3afcd325ecd0328662156b3d9c3d80948f19ba3a4eb870cee2b", - "zh:b676f949e8274a2b6c3fa41f5428ea597125579c7b93bb50bb73a5e295a7a447", - "zh:cdf7e9460f28c2dbfe49a79a5022bd0d474ff18120d340738aa35456ba77ebca", - "zh:e24b59b4ed1c593facbf8051ec58550917991e2e017f3085dac5fb902d9908cb", - "zh:e3b5e1f5543cac9d9031a028f1c1be4858fb80fae69f181f21e9465e366ebfa2", - "zh:e9fddc0bcdb28503078456f0088851d45451600d229975fd9990ee92c7489a10", + "h1:fEDID5J/9ret/sLpOSNAu98F/ZBEZhOmL0Leut7m5JU=", + "zh:1471cb45908b426104687c962007b2980cfde294fa3530fabc4798ce9fb6c20c", + "zh:1572e9cec20591ec08ece797b3630802be816a5adde36ca91a93359f2430b130", + 
"zh:1b10ae03cf5ab1ae21ffaac2251de99797294ae4242b156b3b0beebbdbcb7e0f", + "zh:3bd043b68de967d8d0b549d3f71485193d81167d5656f5507d743dedfe60e352", + "zh:538911921c729185900176cc22eb8edcb822bc8d22b9ebb48103a1d9bb53cc38", + "zh:69a6a2d40c0463662c3fb1621e37a3ee65024ea4479adf4d5f7f19fb0dea48c2", + "zh:94b58daa0c351a49d01f6d8f1caae46c95c2d6c3f29753e2b9ea3e3c0e7c9ab4", + "zh:9d0543331a4a32241e1ab5457f30b41df745acb235a0391205c725a5311e4809", + "zh:a6789306524ca121512a95e873e3949b4175114a6c5db32bed2df2551a79368f", + "zh:d146b94cd9502cca7f2044797a328d71c7ec2a98e2d138270d8a28c872f04289", + "zh:d14ccd14511f0446eacf43a9243f22de7c1427ceb059cf67d7bf9803be2cb15d", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } provider "registry.terraform.io/hashicorp/kubernetes" { - version = "2.17.0" + version = "2.18.1" constraints = ">= 2.6.1, >= 2.10.0" hashes = [ - "h1:Dq/EHg8mKP9wDDTJx5CzZ+w44wutIZJGfQLrAIznAqY=", - "h1:p2sgF62c2svJSKuImL3/zq/SSPOZFyd4Vj7K0UF2VrQ=", - "zh:1cbafea8c404195d8ad2490d75dbeebef131563d3e38dec87231ceb3923a3012", - "zh:26d9584423ee77e607999b082de7d9dc3e937934aa83341e0832e7253caf4f51", - "zh:333527fc15fb43bbf1898a2f058598c596468a01d88c415627bb617878dc4d4d", - "zh:391b8c80e3115af485977d6e949d7260b7fc0b641089b884256bfd36a7077db2", - "zh:4d18ba55247486181759d60195777945bcd68e17ccd980820ca18e8a8b94aeb5", - "zh:607ae94d85d1c1ed3845bd71095daadea4b2468e16f57fa05c98eab0de6b14ae", - "zh:95c6cf22f8ef14e7a4f85e33cff5d6f11056c7880041b71d425d1b5ebbe246e7", - "zh:b077edcedb46a313b461ac1e49317872063b3871f2acbe1a50498612cefff387", - "zh:c6a7891683e44148b0c928fd4748b7abac727266ab551d679015f5fe8b72d1e6", - "zh:e5cebfdf873770c37a4304362003d3fea8d6c2fd819663ad121bc65bb81e4738", + "h1:y4VED+vsulAqE7YbQC7x1XXrzvi/dEIjupttSyzSA/M=", + "zh:09d69d244f5e688d9b1582112aa5d151c5336278e43d39c88ae920c26536b753", + "zh:0df4c988056f7d84d9161c6c955ad7346364c261d100ef510a6cc7fa4a235197", + "zh:2d3d0cb2931b6153a7971ce8c6fae92722b1116e16f42abbaef115dba895c8d8", + 
"zh:47830e8fc1760860bfa4aaf418627ff3c6ffcac6cebbbc490e5e0e6b31287d80", + "zh:49467177b514bada0fb3b6982897a347498af8ef9ef8d9fd611fe21dfded2e25", + "zh:5c7eae2c51ba175822730a63ad59cf41604c76c46c5c97332506ab42023525ce", + "zh:6efae755f02df8ab65ce7a831f33bd4817359db205652fd4bc4b969302072b15", + "zh:7e6e97b79fecd25aaf0f4fb91da945a65c36fe2ba2a4313288a60ede55506aad", + "zh:b75f2c9dd24b355ffe73e7b2fcd3145fc32735068f0ec2eba2df63f792dd16e8", + "zh:dbef9698d842eb49a846db6d7694f159ae5154ffbb7a753a9d4cab88c462a6d4", + "zh:f1b1fd580d92eedd9c8224d463997ccff1a62851fea65106aac299efe9ab622a", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:feb19269e7c0de473ad412b37818b48da0cc91e5c93dd4c77a72676ca97a16b1", - ] -} - -provider "registry.terraform.io/hashicorp/local" { - version = "2.3.0" - constraints = ">= 2.1.0" - hashes = [ - "h1:7y8CXQKtfyvrMCSWgCkCclNN9L161u6jO1dEGVaB5RQ=", - "h1:U+DbBqKnXSIqC2z7qIko2dy8w6wwuZd89orPvfeqHk0=", - "zh:1f1920b3f78c31c6b69cdfe1e016a959667c0e2d01934e1a084b94d5a02cd9d2", - "zh:550a3cdae0ddb350942624e7b2e8b31d28bc15c20511553432413b1f38f4b214", - "zh:68d1d9ccbfce2ce56b28a23b22833a5369d4c719d6d75d50e101a8a8dbe33b9b", - "zh:6ae3ad6d865a906920c313ec2f413d080efe32c230aca711fd106b4cb9022ced", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:a0f413d50f54124057ae3dcd9353a797b84e91dc34bcf85c34a06f8aef1f9b12", - "zh:a2ac6d4088ceddcd73d88505e18b8226a6e008bff967b9e2d04254ef71b4ac6b", - "zh:a851010672e5218bdd4c4ea1822706c9025ef813a03da716d647dd6f8e2cffb0", - "zh:aa797561755041ef2fad99ee9ffc12b5e724e246bb019b21d7409afc2ece3232", - "zh:c6afa960a20d776f54bb1fc260cd13ead17280ebd87f05b9abcaa841ed29d289", - "zh:df0975e86b30bb89717b8c8d6d4690b21db66de06e79e6d6cfda769f3304afe6", - "zh:f0d3cc3da72135efdbe8f4cfbfb0f2f7174827887990a5545e6db1981f0d3a7c", ] } provider "registry.terraform.io/hashicorp/null" { version = "3.2.1" - constraints = ">= 3.0.0, >= 3.1.0" + constraints = ">= 3.0.0" hashes = [ - 
"h1:tSj1mL6OQ8ILGqR2mDu7OYYYWf+hoir0pf9KAQ8IzO8=", "h1:ydA0/SNRVB1o95btfshvYsmxA+jZFRZcvKzZSB+4S1M=", "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840", "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb", @@ -152,7 +126,6 @@ provider "registry.terraform.io/hashicorp/random" { constraints = ">= 3.1.0" hashes = [ "h1:saZR+mhthL0OZl4SyHXZraxyaBNVMxiZzks78nWcZ2o=", - "h1:tL3katm68lX+4lAncjQA9AXL4GR/VM+RPwqYf4D2X8Q=", "zh:41c53ba47085d8261590990f8633c8906696fa0a3c4b384ff6a7ecbf84339752", "zh:59d98081c4475f2ad77d881c4412c5129c56214892f490adf11c7e7a5a47de9b", "zh:686ad1ee40b812b9e016317e7f34c0d63ef837e084dea4a1f578f64a6314ad53", @@ -170,9 +143,8 @@ provider "registry.terraform.io/hashicorp/random" { provider "registry.terraform.io/hashicorp/time" { version = "0.9.1" - constraints = ">= 0.7.0, >= 0.8.0" + constraints = ">= 0.7.0, >= 0.8.0, >= 0.9.0" hashes = [ - "h1:UHcDnIYFZ00uoou0TwPGMwOrE8gTkoRephIvdwDAK70=", "h1:VxyoYYOCaJGDmLz4TruZQTSfQhvwEcMxvcKclWdnpbs=", "zh:00a1476ecf18c735cc08e27bfa835c33f8ac8fa6fa746b01cd3bcbad8ca84f7f", "zh:3007f8fc4a4f8614c43e8ef1d4b0c773a5de1dcac50e701d8abc9fdc8fcb6bf5", @@ -194,7 +166,6 @@ provider "registry.terraform.io/hashicorp/tls" { constraints = ">= 3.0.0" hashes = [ "h1:GZcFizg5ZT2VrpwvxGBHQ/hO9r6g0vYdQqx3bFD3anY=", - "h1:Wd3RqmQW60k2QWPN4sK5CtjGuO1d+CRNXgC+D4rKtXc=", "zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55", "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848", "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be", 
@@ -209,25 +180,3 @@ provider "registry.terraform.io/hashicorp/tls" { "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } - -provider "registry.terraform.io/terraform-aws-modules/http" { - version = "2.4.1" - constraints = "2.4.1" - hashes = [ - "h1:FINkX7/X/cr5NEssB7dMqVWa6YtJtmwzvkfryuR39/k=", - "h1:fHqAXle/P/fT2k+HEyTqYVE+/RvpQAaBr6xXZgM66es=", - "zh:0111f54de2a9815ded291f23136d41f3d2731c58ea663a2e8f0fef02d377d697", - "zh:0740152d76f0ccf54f4d0e8e0753739a5233b022acd60b5d2353d248c4c17204", - "zh:569518f46809ec9cdc082b4dfd4e828236eee2b50f87b301d624cfd83b8f5b0d", - "zh:7669f7691de91eec9f381e9a4be81aa4560f050348a86c6ea7804925752a01bb", - "zh:81cd53e796ec806aca2d8e92a2aed9135661e170eeff6cf0418e54f98816cd05", - "zh:82f01abd905090f978b169ac85d7a5952322a5f0f460269dd981b3596652d304", - "zh:9a235610066e0f7e567e69c23a53327271a6fc568b06bf152d8fe6594749ed2b", - "zh:aeabdd8e633d143feb67c52248c85358951321e35b43943aeab577c005abd30a", - "zh:c20d22dba5c79731918e7192bc3d0b364d47e98a74f47d287e6cc66236bc0ed0", - "zh:c4fea2cb18c31ed7723deec5ebaff85d6795bb6b6ed3b954794af064d17a7f9f", - "zh:e21e88b6e7e55b9f29b046730d9928c65a4f181fd5f60a42f1cd41b46a0a938d", - "zh:eddb888a74dea348a0acdfee13a08875bacddde384bd9c28342a534269665568", - "zh:f46d5f1403b8d8dfafab9bdd7129d3080bb62a91ea726f477fd43560887b8c4a", - ] -} diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index 9c4c3f9f..6a9fd6e5 100644 --- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md 
@@ -186,13 +186,19 @@ terraform destroy -auto-approve ## Requirements -No requirements. +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [aws](#requirement\_aws) | >= 4.9 | +| [helm](#requirement\_helm) | >= 2.4.1 | +| [kubectl](#requirement\_kubectl) | >= 1.14 | +| [kubernetes](#requirement\_kubernetes) | >= 2.10 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.53.0 | +| [aws](#provider\_aws) | 4.58.0 | ## Modules @@ -219,8 +225,13 @@ No requirements. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [account](#input\_account) | The AWS account to deploy into | `string` | n/a | yes | +| [amazon\_eks\_aws\_ebs\_csi\_driver\_config](#input\_amazon\_eks\_aws\_ebs\_csi\_driver\_config) | configMap for AWS EBS CSI Driver add-on | `any` | `{}` | no | +| [amazon\_eks\_coredns\_config](#input\_amazon\_eks\_coredns\_config) | Configuration for Amazon CoreDNS EKS add-on | `any` | `{}` | no | +| [amazon\_eks\_kube\_proxy\_config](#input\_amazon\_eks\_kube\_proxy\_config) | ConfigMap for Amazon EKS Kube-Proxy add-on | `any` | `{}` | no | +| [amazon\_eks\_vpc\_cni](#input\_amazon\_eks\_vpc\_cni) | The VPC CNI add-on configuration.
enabled - (Optional) Whether to enable the add-on. Defaults to false.
before\_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true.
most\_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true.
resolve\_conflict - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE.
configuration\_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. |
object({
enabled = bool
before_compute = bool
most_recent = bool
resolve_conflict = string
configuration_values = map(any) # hcl format later to be json encoded
})
|
{
"before_compute": true,
"configuration_values": {
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
},
"enabled": false,
"most_recent": true,
"resolve_conflict": "OVERWRITE"
}
| no | | [assign\_public\_ip](#input\_assign\_public\_ip) | Whether to assign a public IP to the bastion | `bool` | `false` | no | -| [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with authorized access to KMS and EKS resources | `list(string)` | n/a | yes | +| [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with admin access to KMS and EKS resources | `list(string)` | n/a | yes | +| [aws\_node\_termination\_handler\_helm\_config](#input\_aws\_node\_termination\_handler\_helm\_config) | AWS Node Termination Handler Helm Chart config | `any` | `{}` | no | | [aws\_profile](#input\_aws\_profile) | The AWS profile to use for deployment | `string` | n/a | yes | | [bastion\_ami\_id](#input\_bastion\_ami\_id) | (Optional) The AMI ID to use for the bastion, will query the latest Amazon Linux 2 AMI if not provided | `string` | `""` | no | | [bastion\_instance\_type](#input\_bastion\_instance\_type) | value for the instance type of the EKS worker nodes | `string` | `"m5.xlarge"` | no | 
@@ -228,12 +239,22 @@ No requirements. | [bastion\_ssh\_password](#input\_bastion\_ssh\_password) | The SSH password to use for the bastion if SSM authentication is used | `string` | `"my-password"` | no | | [bastion\_ssh\_user](#input\_bastion\_ssh\_user) | The SSH user to use for the bastion | `string` | `"ec2-user"` | no | | [bastion\_tenancy](#input\_bastion\_tenancy) | The tenancy of the bastion | `string` | `"default"` | no | +| [cluster\_autoscaler\_helm\_config](#input\_cluster\_autoscaler\_helm\_config) | Cluster Autoscaler Helm Chart config | `any` | `{}` | no | | [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether to enable private access to the EKS cluster | `bool` | `false` | no | | [cluster\_name](#input\_cluster\_name) | The name to use for the EKS cluster | `string` | `"my-eks"` | no | | [cluster\_version](#input\_cluster\_version) | The Kubernetes version to use for the EKS cluster | `string` | `"1.23"` | no | +| [create\_aws\_auth\_configmap](#input\_create\_aws\_auth\_configmap) | Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). 
Most users should use `manage_aws_auth_configmap` | `bool` | `false` | no | | [create\_database\_subnet\_group](#input\_create\_database\_subnet\_group) | Whether to create a database subnet group | `bool` | `true` | no | | [create\_database\_subnet\_route\_table](#input\_create\_database\_subnet\_route\_table) | Whether to create a database subnet route table | `bool` | `true` | no | +| [default\_tags](#input\_default\_tags) | A map of default tags to apply to all resources | `map(string)` | `{}` | no | | [eks\_worker\_tenancy](#input\_eks\_worker\_tenancy) | The tenancy of the EKS worker nodes | `string` | `"default"` | no | +| [enable\_amazon\_eks\_aws\_ebs\_csi\_driver](#input\_enable\_amazon\_eks\_aws\_ebs\_csi\_driver) | Enable EKS Managed AWS EBS CSI Driver add-on; enable\_amazon\_eks\_aws\_ebs\_csi\_driver and enable\_self\_managed\_aws\_ebs\_csi\_driver are mutually exclusive | `bool` | `false` | no | +| [enable\_amazon\_eks\_coredns](#input\_enable\_amazon\_eks\_coredns) | Enable Amazon EKS CoreDNS add-on | `bool` | `false` | no | +| [enable\_amazon\_eks\_kube\_proxy](#input\_enable\_amazon\_eks\_kube\_proxy) | Enable Kube Proxy add-on | `bool` | `false` | no | +| [enable\_aws\_node\_termination\_handler](#input\_enable\_aws\_node\_termination\_handler) | Enable AWS Node Termination Handler add-on | `bool` | `false` | no | +| [enable\_cluster\_autoscaler](#input\_enable\_cluster\_autoscaler) | Enable Cluster autoscaler add-on | `bool` | `false` | no | +| [enable\_metrics\_server](#input\_enable\_metrics\_server) | Enable metrics server add-on | `bool` | `false` | no | +| [intra\_subnets](#input\_intra\_subnets) | A list of intra subnets | `list(string)` | `[]` | no | | [kc\_db\_allocated\_storage](#input\_kc\_db\_allocated\_storage) | The database allocated storage to use for Keycloak | `number` | n/a | yes | | [kc\_db\_engine\_version](#input\_kc\_db\_engine\_version) | The database engine to use for Keycloak | `string` | n/a | yes | | 
[kc\_db\_family](#input\_kc\_db\_family) | The database family to use for Keycloak | `string` | n/a | yes |
@@ -242,6 +263,9 @@ No requirements.
 | [kc\_db\_max\_allocated\_storage](#input\_kc\_db\_max\_allocated\_storage) | The database allocated storage to use for Keycloak | `number` | n/a | yes |
 | [keycloak\_db\_password](#input\_keycloak\_db\_password) | The password to use for the Keycloak database | `string` | `"my-password"` | no |
 | [keycloak\_enabled](#input\_keycloak\_enabled) | Whether to enable Keycloak | `bool` | `false` | no |
+| [loki\_s3\_bucket\_kms\_key\_alias](#input\_loki\_s3\_bucket\_kms\_key\_alias) | The alias of the KMS key to use for the Loki S3 bucket | `string` | `""` | no |
+| [manage\_aws\_auth\_configmap](#input\_manage\_aws\_auth\_configmap) | Determines whether to manage the aws-auth configmap | `bool` | `false` | no |
+| [metrics\_server\_helm\_config](#input\_metrics\_server\_helm\_config) | Metrics Server Helm Chart config | `any` | `{}` | no |
 | [region](#input\_region) | The AWS region to deploy into | `string` | n/a | yes |
 | [region2](#input\_region2) | The AWS region to deploy into | `string` | n/a | yes |
 | [vpc\_cidr](#input\_vpc\_cidr) | The CIDR block for the VPC | `string` | n/a | yes |
diff --git a/examples/complete-self-managed-nodegroup/bigbang-dependencies.tf b/examples/complete-self-managed-nodegroup/bigbang-dependencies.tf
index ff68b64a..833f1974 100644
--- a/examples/complete-self-managed-nodegroup/bigbang-dependencies.tf
+++ b/examples/complete-self-managed-nodegroup/bigbang-dependencies.tf
@@ -18,7 +18,7 @@ module "flux_sops" {
 kubernetes_service_account = "flux-system-sops-sa"
 kubernetes_namespace = "flux-system"
 irsa_sops_iam_role_name = "${module.eks.cluster_name}-flux-system-sa-role"
- eks_oidc_provider_arn = module.eks.eks_oidc_provider_arn
+ eks_oidc_provider_arn = module.eks.oidc_provider_arn
 tags = local.tags
 role_name = module.bastion.bastion_role_name
 }
@@ -34,11 +34,11 @@ module "loki_s3_bucket" { cluster_name = module.eks.cluster_name policy_name_prefix = "loki-s3-policy" bucket_prefix = "loki-s3" - kms_key_alias = "loki-s3" + kms_key_alias = var.loki_s3_bucket_kms_key_alias kubernetes_service_account = "logging-loki-s3-sa" kubernetes_namespace = "logging" irsa_iam_role_name = "${module.eks.cluster_name}-logging-loki-sa-role" - eks_oidc_provider_arn = module.eks.eks_oidc_provider_arn + eks_oidc_provider_arn = module.eks.oidc_provider tags = local.tags dynamodb_enabled = true } diff --git a/examples/complete-self-managed-nodegroup/main.tf b/examples/complete-self-managed-nodegroup/main.tf index dcf4b3af..cbb61f06 100644 --- a/examples/complete-self-managed-nodegroup/main.tf +++ b/examples/complete-self-managed-nodegroup/main.tf @@ -2,16 +2,9 @@ data "aws_partition" "current" {} locals { tags = { - Blueprint = "${replace(basename(path.cwd), "_", "-")}" # tag names based on the directory name + Blueprint = replace(basename(path.cwd), "_", "-") # tag names based on the directory name GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints" } - admin_arns = [for admin_user in var.aws_admin_usernames : "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${admin_user}"] - aws_auth_users = [for admin_user in var.aws_admin_usernames : { - userarn = "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${admin_user}" - username = "${admin_user}" - groups = ["system:masters"] - } - ] } data "aws_ami" "amazonlinux2" { @@ -39,6 +32,7 @@ module "vpc" { public_subnets = [for k, v in module.vpc.azs : cidrsubnet(module.vpc.vpc_cidr_block, 5, k)] private_subnets = [for k, v in module.vpc.azs : cidrsubnet(module.vpc.vpc_cidr_block, 5, k + 4)] database_subnets = [for k, v in module.vpc.azs : cidrsubnet(module.vpc.vpc_cidr_block, 5, k + 8)] + intra_subnets = [for k, v in module.vpc.azs : cidrsubnet(module.vpc.vpc_cidr_block, 5, k + 12)] single_nat_gateway = true enable_nat_gateway = true 
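Review bot: The loki_s3_bucket hunk wires `eks_oidc_provider_arn = module.eks.oidc_provider`, while the flux_sops hunk just above switches the same argument to `module.eks.oidc_provider_arn`; the argument name and the IRSA trust policy it feeds want the provider ARN, and in the upstream terraform-aws-eks module `oidc_provider` is the bare issuer URL, so this line is very likely a typo that breaks the Loki role's trust relationship. Change it to `eks_oidc_provider_arn = module.eks.oidc_provider_arn` to match the flux_sops module. The `module "loki_s3_bucket"` block begins above this hunk.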
@@ -91,119 +85,148 @@ module "eks" { # source = "git::https://github.com/defenseunicorns/iac.git//modules/eks?ref=v" source = "../../modules/eks" - name = var.cluster_name - aws_region = var.region - aws_account = var.account - vpc_id = module.vpc.vpc_id - private_subnet_ids = module.vpc.private_subnets - control_plane_subnet_ids = module.vpc.private_subnets + name = var.cluster_name + aws_region = var.region + aws_account = var.account + vpc_id = module.vpc.vpc_id + private_subnet_ids = module.vpc.private_subnets + vpc_cni_custom_subnet = module.vpc.intra_subnets + # control_plane_subnet_ids = module.vpc.private_subnets #uses subnet_ids if not set source_security_group_id = module.bastion.security_group_ids[0] cluster_endpoint_public_access = var.cluster_endpoint_public_access cluster_endpoint_private_access = true - kms_key_administrators = local.admin_arns + aws_admin_usernames = var.aws_admin_usernames cluster_version = var.cluster_version bastion_role_arn = module.bastion.bastion_role_arn bastion_role_name = module.bastion.bastion_role_name - aws_auth_users = local.aws_auth_users - enable_managed_nodegroups = false + #AWS_AUTH + manage_aws_auth_configmap = var.manage_aws_auth_configmap + create_aws_auth_configmap = var.create_aws_auth_configmap - #--------------------------------------------------------------- - # EKS Blueprints - Self Managed Node Groups - #--------------------------------------------------------------- + ########################################################### + # Self Managed Node Groups + + self_managed_node_group_defaults = { + instance_type = "m5.xlarge" + update_launch_template_default_version = true + iam_role_additional_policies = { + AmazonSSMManagedInstanceCore = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore" + } + # enable discovery of autoscaling groups by cluster-autoscaler + autoscaling_group_tags = { + "k8s.io/cluster-autoscaler/enabled" : true, + 
"k8s.io/cluster-autoscaler/${var.cluster_name}" : "owned" + } + metadata_options = { + #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options + http_endpoint = "enabled" + http_put_response_hop_limit = 2 + http_tokens = "optional" # set to "enabled" to enforce IMDSv2, default for upstream terraform-aws-eks module + } + } self_managed_node_groups = { self_mg1 = { - node_group_name = "self_mg1" - subnet_ids = module.vpc.private_subnets - create_launch_template = true - launch_template_os = "amazonlinux2eks" # amazonlinux2eks or bottlerocket or windows - custom_ami_id = "" # Bring your own custom AMI generated by Packer/ImageBuilder/Puppet etc. + node_group_name = "self_mg1" + subnet_ids = module.vpc.private_subnets - create_iam_role = false # Changing `create_iam_role=false` to bring your own IAM Role - iam_role_arn = module.eks.aws_iam_role_self_managed_ng_arn # custom IAM role for aws-auth mapping; used when create_iam_role = false - iam_instance_profile_name = module.eks.aws_iam_instance_profile_self_managed_ng_name # IAM instance profile name for Launch templates; used when create_iam_role = false - - format_mount_nvme_disk = true - public_ip = false - enable_monitoring = false + min_size = 3 + max_size = 10 + desired_size = 3 + # ami_id = "" # defaults to latest amazon linux 2 eks ami matching k8s version in the upstream module + # create_iam_role = true # Changing `create_iam_role=false` to bring your own IAM Role + # iam_role_arn = module.eks.aws_iam_role_self_managed_ng_arn # custom IAM role for aws-auth mapping; used when create_iam_role = false + # iam_instance_profile_name = module.eks.aws_iam_instance_profile_self_managed_ng_name # IAM instance profile name for Launch templates; used when create_iam_role = false placement = { - affinity = null - availability_zone = null - group_name = null - host_id = null - tenancy = var.eks_worker_tenancy + tenancy = var.eks_worker_tenancy } - 
enable_metadata_options = false + metadata_options = false - pre_userdata = <<-EOT + pre_bootstrap_userdata = <<-EOT yum install -y amazon-ssm-agent systemctl enable amazon-ssm-agent && systemctl start amazon-ssm-agent EOT + post_userdata = <<-EOT + echo "Bootstrap successfully completed! You can further apply config or install to run after bootstrap if needed" + EOT + # bootstrap_extra_args used only when you pass custom_ami_id. Allows you to change the Container Runtime for Nodes # e.g., bootstrap_extra_args="--use-max-pods false --container-runtime containerd" bootstrap_extra_args = "--use-max-pods false" - block_device_mappings = [ - { - device_name = "/dev/xvda" # mount point to / - volume_type = "gp3" - volume_size = 50 + block_device_mappings = { + xvda = { + device_name = "/dev/xvda" + ebs = { + volume_size = 50 + volume_type = "gp3" + } }, - { - device_name = "/dev/xvdf" # mount point to /local1 (it could be local2, depending upon the disks are attached during boot) - volume_type = "gp3" - volume_size = 80 - iops = 3000 - throughput = 125 + xvdf = { + device_name = "/dev/xvdf" + ebs = { + volume_size = 80 + volume_type = "gp3" + iops = 3000 + throughput = 125 + } }, - { - device_name = "/dev/xvdg" # mount point to /local2 (it could be local1, depending upon the disks are attached during boot) - volume_type = "gp3" - volume_size = 100 - iops = 3000 - throughput = 125 + xvdg = { + device_name = "/dev/xvdg" + ebs = { + volume_size = 100 + volume_type = "gp3" + iops = 3000 + throughput = 125 + } } - ] + } instance_type = "m5.xlarge" - desired_size = 3 - max_size = 10 - min_size = 3 - capacity_type = "" # Optional Use this only for SPOT capacity as capacity_type = "spot" - - k8s_labels = { - Environment = "preprod" - Zone = "test" - } + #capacity_type = "" # Optional Use this only for SPOT capacity as capacity_type = "spot". 
Only for eks_managed_node_groups - additional_tags = { - ExtraTag = "m5x-on-demand" - Name = "m5x-on-demand" + tags = { subnet_type = "private" } } } #--------------------------------------------------------------- - # EKS Blueprints - EKS Add-Ons + #"native" EKS Add-Ons #--------------------------------------------------------------- + # VPC CNI + amazon_eks_vpc_cni = var.amazon_eks_vpc_cni + #--------------------------------------------------------------- - # EKS Blueprints - EKS Add-Ons - VPC CNI - # https://github.com/aws-ia/terraform-aws-eks-blueprints/blob/main/modules/kubernetes-addons/aws-vpc-cni/README.md + # EKS Blueprints - EKS Add-Ons #--------------------------------------------------------------- - enable_amazon_eks_vpc_cni = var.enable_amazon_eks_vpc_cni - amazon_eks_vpc_cni_config = var.amazon_eks_vpc_cni_config - enable_amazon_eks_coredns = true - enable_amazon_eks_kube_proxy = true - enable_amazon_eks_aws_ebs_csi_driver = true - enable_metrics_server = true - enable_aws_node_termination_handler = true + # EKS CoreDNS + enable_amazon_eks_coredns = var.enable_amazon_eks_coredns + amazon_eks_coredns_config = var.amazon_eks_coredns_config + + # EKS kube-proxy + enable_amazon_eks_kube_proxy = var.enable_amazon_eks_kube_proxy + amazon_eks_kube_proxy_config = var.amazon_eks_kube_proxy_config + + # EKS EBS CSI Driver + enable_amazon_eks_aws_ebs_csi_driver = var.enable_amazon_eks_aws_ebs_csi_driver + amazon_eks_aws_ebs_csi_driver_config = var.amazon_eks_aws_ebs_csi_driver_config + + # EKS Metrics Server + enable_metrics_server = var.enable_metrics_server + metrics_server_helm_config = var.metrics_server_helm_config + + # EKS AWS node termination handler + enable_aws_node_termination_handler = var.enable_aws_node_termination_handler + aws_node_termination_handler_helm_config = var.aws_node_termination_handler_helm_config - enable_cluster_autoscaler = true + # EKS Cluster Autoscaler + enable_cluster_autoscaler = var.enable_cluster_autoscaler + 
cluster_autoscaler_helm_config = var.cluster_autoscaler_helm_config } diff --git a/examples/complete-self-managed-nodegroup/outputs.tf b/examples/complete-self-managed-nodegroup/outputs.tf index 2146a3e6..b5d1c77f 100644 --- a/examples/complete-self-managed-nodegroup/outputs.tf +++ b/examples/complete-self-managed-nodegroup/outputs.tf @@ -1,40 +1,41 @@ output "loki_s3_bucket" { description = "Loki S3 Bucket Name" - value = module.loki_s3_bucket.s3_bucket + value = try(module.loki_s3_bucket.s3_bucket, null) } output "keycloak_db_instance_endpoint" { description = "The connection endpoint" - value = module.rds_postgres_keycloak[0].db_instance_endpoint + value = try(module.rds_postgres_keycloak[0].db_instance_endpoint, null) + } output "keycloak_db_instance_name" { description = "The database name" - value = module.rds_postgres_keycloak[0].db_instance_name + value = try(module.rds_postgres_keycloak[0].db_instance_name, null) } output "keycloak_db_instance_username" { description = "The master username for the database" - value = module.rds_postgres_keycloak[0].db_instance_username + value = try(module.rds_postgres_keycloak[0].db_instance_username, null) sensitive = true } output "keycloak_db_instance_port" { description = "The database port" - value = module.rds_postgres_keycloak[0].db_instance_port + value = try(module.rds_postgres_keycloak[0].db_instance_port, null) } output "bastion_instance_id" { description = "The ID of the bastion host" - value = module.bastion.instance_id + value = try(module.bastion.instance_id, null) } output "bastion_private_key" { description = "The private key for the bastion host" - value = module.bastion.private_key + value = try(module.bastion.private_key, null) sensitive = true } output "dynamodb_name" { description = "Name of DynmoDB table" - value = module.loki_s3_bucket.dynamodb_name + value = try(module.loki_s3_bucket.dynamodb_name, null) } 
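Review bot: `http_tokens = "optional"` in self_managed_node_group_defaults leaves IMDSv1 reachable on every worker node, and with `http_put_response_hop_limit = 2` workloads in pods can obtain the node instance-profile credentials without a session token; the defaults should be `http_tokens = "required"`, which is also what the trailing comment means by the upstream default. The comment itself says `set to "enabled" to enforce IMDSv2`, but the launch-template value that enforces IMDSv2 is `"required"`, so the comment should read `# set to "required" to enforce IMDSv2 (default for the upstream terraform-aws-eks module)`. Separately, `metadata_options = false` in self_mg1 replaces the defaults map with a bool; depending on how the eks module merges group settings this either disables the block or fails type-checking, and if the intent is to inherit the defaults the line should be removed. The `module "eks"` block begins above this hunk.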
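Review bot: Wrapping every output in `try(..., null)` also hides "Unsupported attribute" errors, so a misspelled module output (compare the `oidc_provider` vs `oidc_provider_arn` mismatch in bigbang-dependencies.tf in this same patch) now silently becomes a null output instead of a plan error. Unless `module.loki_s3_bucket` and `module.bastion` are also gated with `count`, keep their outputs as plain references and reserve `try()` for the `module.rds_postgres_keycloak[0]` values that genuinely may not exist, e.g. `value = module.loki_s3_bucket.s3_bucket`. The stray blank line added inside `output "keycloak_db_instance_endpoint"` should also go.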
diff --git a/examples/complete-self-managed-nodegroup/providers.tf b/examples/complete-self-managed-nodegroup/providers.tf index a384885c..acb8e25f 100644 --- a/examples/complete-self-managed-nodegroup/providers.tf +++ b/examples/complete-self-managed-nodegroup/providers.tf @@ -5,6 +5,9 @@ data "aws_eks_cluster_auth" "this" { data "aws_eks_cluster" "example" { name = module.eks.cluster_name + depends_on = [ + module.eks.cluster_status + ] } provider "aws" { @@ -43,3 +46,14 @@ provider "helm" { } } } + +provider "kubectl" { + apply_retry_count = 5 + host = data.aws_eks_cluster.example.endpoint + cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data) + exec { + api_version = "client.authentication.k8s.io/v1beta1" + args = ["eks", "get-token", "--cluster-name", var.cluster_name] + command = "aws" + } +} diff --git a/examples/complete-self-managed-nodegroup/terraform.tfvars.example b/examples/complete-self-managed-nodegroup/terraform.tfvars.example index b1e00e43..16d8a313 100644 --- a/examples/complete-self-managed-nodegroup/terraform.tfvars.example +++ b/examples/complete-self-managed-nodegroup/terraform.tfvars.example 
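Review bot: `depends_on = [module.eks.cluster_status]` in the `aws_eks_cluster` data source references a module output attribute, and as far as I recall Terraform rejects that with "references in depends_on must be to a whole object"; the dependency should be on the module itself, `depends_on = [module.eks]`. If the goal is only to defer the read until the cluster exists, that whole-module dependency already achieves it.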
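Review bot: The new `kubectl` provider's exec block runs `aws eks get-token --cluster-name var.cluster_name` with no region or profile, so the token is fetched from whatever ambient AWS credentials and region the shell has, which may be a different account than the one `aws_profile`/`region` in terraform.tfvars.example target. If the aws provider above this hunk is configured from `var.aws_profile` and `var.region`, pass the same here, e.g. `args = ["eks", "get-token", "--cluster-name", data.aws_eks_cluster.example.name, "--region", var.region, "--profile", var.aws_profile]`; using the data source's name also keeps it consistent with `host`/`cluster_ca_certificate`, which already come from `data.aws_eks_cluster.example`.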
@@ -5,50 +5,78 @@ ########################################################### ################## Global Settings ######################## - region = "us-east-2" # target AWS region - region2 = "us-east-1" # RDS backup target AWS region - account = "100008675309" # target AWS account - aws_profile = "du-dev" # local AWS profile to be used for deployment - aws_admin_usernames = ["Bob.Marley","Jane.Doe"] # list of users to be added to the AWS admin group +region = "us-east-2" # target AWS region +region2 = "us-east-1" # RDS backup target AWS region +account = "100008675309" # target AWS account +aws_profile = "du-dev" # local AWS profile to be used for deployment +aws_admin_usernames = ["Bob.Marley", "Jane.Doe"] # list of users to be added to the AWS admin group +default_tags = { + Environment = "dev" + Project = "du-navy" + Owner = "my-name" +} +manage_aws_auth_configmap = true +create_aws_auth_configmap = true ########################################################### #################### VPC Config ########################### - vpc_cidr = "10.200.0.0/16" - vpc_name = "my-vpc" - # vpc_instance_tenancy = "dedicated" #does not currently work with EKS +vpc_cidr = "10.200.0.0/16" +vpc_name = "my-vpc" +# vpc_instance_tenancy = "dedicated" #does not currently work with EKS ########################################################### ################## Bastion Config ######################### - bastion_name = "my-bastion" +bastion_name = "my-bastion" # bastion_ami_id = "ami-04afd6ecf73c0a579" # AWS linux 2 CIS STIG // "ami-000d4884381edb14c" #AWS linux 2 #optional - bastion_ssh_user = "ec2-user" # local user in bastion used to ssh - bastion_ssh_password = "my-password" - bastion_tenancy = "dedicated" - zarf_version = "v0.24.0-rc4" +bastion_ssh_user = "ec2-user" # local user in bastion used to ssh +bastion_ssh_password = "my-password" +bastion_tenancy = "dedicated" +zarf_version = "v0.24.0-rc4" ########################################################### #################### 
EKS Config ########################### - cluster_name = "my-eks" - cluster_version = "1.23" - eks_worker_tenancy = "dedicated" - cluster_endpoint_public_access = true +cluster_name = "my-eks" +cluster_version = "1.23" +eks_worker_tenancy = "dedicated" +cluster_endpoint_public_access = true +instance_type = "m4.xlarge" + ########################################################### ############## Big Bang Dependencies ###################### - keycloak_enabled = true - # other_addon_enabled = true +keycloak_enabled = true +# other_addon_enabled = true #################### Keycloak ########################### - keycloak_db_password = "my-password" - kc_db_engine_version = "14.1" - kc_db_family = "postgres14" # DB parameter group - kc_db_major_engine_version = "14" # DB option group - kc_db_allocated_storage = 20 - kc_db_max_allocated_storage = 100 - kc_db_instance_class = "db.t4g.large" +keycloak_db_password = "my-password" +kc_db_engine_version = "14.1" +kc_db_family = "postgres14" # DB parameter group +kc_db_major_engine_version = "14" # DB option group +kc_db_allocated_storage = 20 +kc_db_max_allocated_storage = 100 +kc_db_instance_class = "db.t4g.large" + +#################### Other Addon ######################## +loki_s3_bucket_kms_key_alias = "my-loki-s3" + +amazon_eks_vpc_cni = { + enabled = true + before_compute = true + most_recent = true + resolve_conflict = "OVERWRITE" + configuration_values = { + # Reference https://aws.github.io/aws-eks-best-practices/reliability/docs/networkmanagement/#cni-custom-networking + AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = "true" + ENI_CONFIG_LABEL_DEF = "topology.kubernetes.io/zone" # allows vpc-cni to use topology labels to determine which subnet to deploy an ENI in + + # Reference docs https://docs.aws.amazon.com/eks/latest/userguide/cni-increase-ip-addresses.html + ENABLE_PREFIX_DELEGATION = "true" + WARM_PREFIX_TARGET = "1" + } +} 
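Review bot: `instance_type = "m4.xlarge"` is added under EKS Config, but none of the variables.tf hunks in this patch declare an `instance_type` input, and main.tf hard-codes `instance_type = "m5.xlarge"` in the node group; unless it is declared outside the visible hunks, Terraform will warn "Value for undeclared variable" and silently ignore it. Either drop the line or add a `variable "instance_type"` and reference it from the node group definition.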
diff --git a/examples/complete-self-managed-nodegroup/variables.tf b/examples/complete-self-managed-nodegroup/variables.tf index 24b36dda..905916bf 100644 --- a/examples/complete-self-managed-nodegroup/variables.tf +++ b/examples/complete-self-managed-nodegroup/variables.tf @@ -22,9 +22,28 @@ variable "aws_profile" { } variable "aws_admin_usernames" { - description = "A list of one or more AWS usernames with authorized access to KMS and EKS resources" + description = "A list of one or more AWS usernames with admin access to KMS and EKS resources" type = list(string) } + +variable "manage_aws_auth_configmap" { + description = "Determines whether to manage the aws-auth configmap" + type = bool + default = false +} + +variable "create_aws_auth_configmap" { + description = "Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). Most users should use `manage_aws_auth_configmap`" + type = bool + default = false +} + +variable "default_tags" { + description = "A map of default tags to apply to all resources" + type = map(string) + default = {} +} + ########################################################### #################### VPC Config ########################### @@ -51,6 +70,12 @@ variable "create_database_subnet_route_table" { default = true } +variable "intra_subnets" { + description = "A list of intra subnets" + type = list(string) + default = [] +} + ########################################################### #################### EKS Config ########################### 
@@ -72,6 +97,121 @@ variable "cluster_endpoint_public_access" { default = false } +########################################################### +################## EKS Addons Config ###################### + +#----------------AWS EKS VPC CNI------------------------- +variable "amazon_eks_vpc_cni" { + description = <<-EOD + The VPC CNI add-on configuration. + enabled - (Optional) Whether to enable the add-on. Defaults to false. + before_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true. + most_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true. + resolve_conflict - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE. + configuration_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. 
+ EOD + type = object({ + enabled = bool + before_compute = bool + most_recent = bool + resolve_conflict = string + configuration_values = map(any) # hcl format later to be json encoded + }) + default = { + before_compute = true + enabled = false + most_recent = true + resolve_conflict = "OVERWRITE" + configuration_values = { + # Reference https://aws.github.io/aws-eks-best-practices/reliability/docs/networkmanagement/#cni-custom-networking + AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = "true" + ENI_CONFIG_LABEL_DEF = "topology.kubernetes.io/zone" # allows vpc-cni to use topology labels to determine which subnet to deploy an ENI in + + # Reference docs https://docs.aws.amazon.com/eks/latest/userguide/cni-increase-ip-addresses.html + ENABLE_PREFIX_DELEGATION = "true" + WARM_PREFIX_TARGET = "1" + } + } +} + +#----------------AWS CoreDNS------------------------- +variable "enable_amazon_eks_coredns" { + description = "Enable Amazon EKS CoreDNS add-on" + type = bool + default = false +} + +variable "amazon_eks_coredns_config" { + description = "Configuration for Amazon CoreDNS EKS add-on" + type = any + default = {} +} + +#----------------AWS Kube Proxy------------------------- +variable "enable_amazon_eks_kube_proxy" { + description = "Enable Kube Proxy add-on" + type = bool + default = false +} + +variable "amazon_eks_kube_proxy_config" { + description = "ConfigMap for Amazon EKS Kube-Proxy add-on" + type = any + default = {} +} + +#----------------AWS EBS CSI Driver------------------------- +variable "enable_amazon_eks_aws_ebs_csi_driver" { + description = "Enable EKS Managed AWS EBS CSI Driver add-on; enable_amazon_eks_aws_ebs_csi_driver and enable_self_managed_aws_ebs_csi_driver are mutually exclusive" + type = bool + default = false +} + +variable "amazon_eks_aws_ebs_csi_driver_config" { + description = "configMap for AWS EBS CSI Driver add-on" + type = any + default = {} +} + +#----------------Metrics Server------------------------- +variable "enable_metrics_server" { + 
description = "Enable metrics server add-on" + type = bool + default = false +} + +variable "metrics_server_helm_config" { + description = "Metrics Server Helm Chart config" + type = any + default = {} +} + +#----------------AWS Node Termination Handler------------------------- +variable "enable_aws_node_termination_handler" { + description = "Enable AWS Node Termination Handler add-on" + type = bool + default = false +} + +variable "aws_node_termination_handler_helm_config" { + description = "AWS Node Termination Handler Helm Chart config" + type = any + default = {} +} + +#----------------Cluster Autoscaler------------------------- +variable "enable_cluster_autoscaler" { + description = "Enable Cluster autoscaler add-on" + type = bool + default = false +} + +variable "cluster_autoscaler_helm_config" { + description = "Cluster Autoscaler Helm Chart config" + type = any + default = {} +} + ########################################################### ################## Bastion Config ######################### @@ -181,3 +321,9 @@ variable "zarf_version" { type = string default = "" } + +variable "loki_s3_bucket_kms_key_alias" { + description = "The alias of the KMS key to use for the Loki S3 bucket" + type = string + default = "" +} diff --git a/examples/complete-self-managed-ng-intra-subnets/versions.tf b/examples/complete-self-managed-nodegroup/versions.tf similarity index 100% rename from examples/complete-self-managed-ng-intra-subnets/versions.tf rename to examples/complete-self-managed-nodegroup/versions.tf From eb3f5e7a9225e88a63e8579be35bd48dc1e1de5c Mon Sep 17 00:00:00 2001 
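Review bot: The `amazon_eks_vpc_cni` description lists `OVERWRITE, NONE, PRESERVE` as the only valid values for `resolve_conflict`, but nothing enforces it, so a typo reaches the `aws_eks_addon` resource at apply time. A validation block on the variable catches this at plan time; the object type also makes all five attributes mandatory for callers, which is worth stating in the description since the example tfvars repeats the full block.
```hcl
variable "amazon_eks_vpc_cni" {
  # … unchanged: description, type, default …
  validation {
    condition     = contains(["OVERWRITE", "NONE", "PRESERVE"], var.amazon_eks_vpc_cni.resolve_conflict)
    error_message = "resolve_conflict must be one of OVERWRITE, NONE or PRESERVE."
  }
}
```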
From: Zack Annexstein Date: Fri, 17 Mar 2023 14:14:09 -0700 Subject: [PATCH 15/46] update for new vars --- .../complete-self-managed-nodegroup/README.md | 1 - .../bigbang-dependencies.tf | 6 +- .../complete-self-managed-nodegroup/main.tf | 23 +- .../variables.tf | 23 +- examples/complete/README.md | 21 +- examples/complete/bigbang-dependencies.tf | 8 +- examples/complete/fixtures.common.tfvars | 27 +- examples/complete/fixtures.insecure.tfvars | 2 +- examples/complete/main.tf | 532 +++++++++--------- examples/complete/variables.tf | 175 +++++- modules/eks/main.tf | 1 - 11 files changed, 503 insertions(+), 316 deletions(-) diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index 6a9fd6e5..ca0da69c 100644 --- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md @@ -254,7 +254,6 @@ terraform destroy -auto-approve | [enable\_aws\_node\_termination\_handler](#input\_enable\_aws\_node\_termination\_handler) | Enable AWS Node Termination Handler add-on | `bool` | `false` | no | | [enable\_cluster\_autoscaler](#input\_enable\_cluster\_autoscaler) | Enable Cluster autoscaler add-on | `bool` | `false` | no | | [enable\_metrics\_server](#input\_enable\_metrics\_server) | Enable metrics server add-on | `bool` | `false` | no | -| [intra\_subnets](#input\_intra\_subnets) | A list of intra subnets | `list(string)` | `[]` | no | | [kc\_db\_allocated\_storage](#input\_kc\_db\_allocated\_storage) | The database allocated storage to use for Keycloak | `number` | n/a | yes | | [kc\_db\_engine\_version](#input\_kc\_db\_engine\_version) | The database engine to use for Keycloak | `string` | n/a | yes | | [kc\_db\_family](#input\_kc\_db\_family) | The database family to use for Keycloak | `string` | n/a | yes | 
diff --git a/examples/complete-self-managed-nodegroup/bigbang-dependencies.tf b/examples/complete-self-managed-nodegroup/bigbang-dependencies.tf index 833f1974..4d5e5d69 100644 --- a/examples/complete-self-managed-nodegroup/bigbang-dependencies.tf +++ b/examples/complete-self-managed-nodegroup/bigbang-dependencies.tf @@ -32,9 +32,9 @@ module "loki_s3_bucket" { region = var.region cluster_name = module.eks.cluster_name - policy_name_prefix = "loki-s3-policy" - bucket_prefix = "loki-s3" - kms_key_alias = var.loki_s3_bucket_kms_key_alias + policy_name_prefix = "${local.loki_name_prefix}-s3-policy" + bucket_prefix = "${local.loki_name_prefix}-s3" + kms_key_alias = local.loki_name_prefix kubernetes_service_account = "logging-loki-s3-sa" kubernetes_namespace = "logging" irsa_iam_role_name = "${module.eks.cluster_name}-logging-loki-sa-role" diff --git a/examples/complete-self-managed-nodegroup/main.tf b/examples/complete-self-managed-nodegroup/main.tf index c798059e..a124118e 100644 --- a/examples/complete-self-managed-nodegroup/main.tf +++ b/examples/complete-self-managed-nodegroup/main.tf @@ -5,17 +5,7 @@ locals { Blueprint = replace(basename(path.cwd), "_", "-") # tag names based on the directory name GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints" } -} - -data "aws_ami" "amazonlinux2" { - most_recent = true - - filter { - name = "name" - values = ["amzn2-ami-hvm*x86_64-gp2"] - } - - owners = ["amazon"] + loki_name_prefix = "${var.cluster_name}-loki" } ########################################################### @@ -48,6 +38,17 @@ module "vpc" { ########################################################### ##################### Bastion ############################# +data "aws_ami" "amazonlinux2" { + most_recent = true + + filter { + name = "name" + values = ["amzn2-ami-hvm*x86_64-gp2"] + } + + owners = ["amazon"] +} + module "bastion" { # source = "git::https://github.com/defenseunicorns/iac.git//modules/bastion?ref=v" 
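Review bot: After `kms_key_alias = local.loki_name_prefix`, `var.loki_s3_bucket_kms_key_alias` is no longer referenced anywhere in the visible hunks, yet its declaration in variables.tf (added earlier in this series with default `""`) and its README row remain; unless it is removed outside these hunks it is now a dead input that misleads users into thinking it has an effect. Remove the variable and its README row in the same commit, or keep it as an override: `kms_key_alias = coalesce(var.loki_s3_bucket_kms_key_alias, local.loki_name_prefix)`. The `module "loki_s3_bucket"` block begins above this hunk.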
diff --git a/examples/complete-self-managed-nodegroup/variables.tf b/examples/complete-self-managed-nodegroup/variables.tf index 2c13a513..1f12aa61 100644 --- a/examples/complete-self-managed-nodegroup/variables.tf +++ b/examples/complete-self-managed-nodegroup/variables.tf @@ -46,6 +46,11 @@ variable "default_tags" { ########################################################### #################### VPC Config ########################### +variable "vpc_instance_tenancy" { + description = "The tenancy of instances launched into the VPC" + type = string + default = "default" +} variable "vpc_cidr" { description = "The CIDR block for the VPC" @@ -70,14 +75,13 @@ variable "create_database_subnet_route_table" { default = true } -variable "intra_subnets" { - description = "A list of intra subnets" - type = list(string) - default = [] -} - ########################################################### #################### EKS Config ########################### +variable "eks_worker_tenancy" { + description = "The tenancy of the EKS worker nodes" + type = string + default = "default" +} variable "cluster_name" { description = "The name to use for the EKS cluster" @@ -90,7 +94,7 @@ variable "cluster_version" { type = string default = "1.23" validation { - condition = contains(["1.23"], var.eks_k8s_version) + condition = contains(["1.23", "1.24", "1,25"], var.cluster_version) error_message = "Kubernetes version must be equal to one that we support. Currently supported versions are: 1.23." } } @@ -218,6 +222,11 @@ variable "cluster_autoscaler_helm_config" { ########################################################### ################## Bastion Config ######################### +variable "bastion_tenancy" { + description = "The tenancy of the bastion" + type = string + default = "default" +} variable "bastion_name" { description = "The name to use for the bastion" diff --git a/examples/complete/README.md b/examples/complete/README.md index 641cfbd8..9b52b289 100644 
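Review bot: The `cluster_version` validation in the `@@ -90,7 +94,7 @@` hunk lists `"1,25"` with a comma, so 1.25 can never pass the check, and the `error_message` still claims only 1.23 is supported. Change the two lines to `condition     = contains(["1.23", "1.24", "1.25"], var.cluster_version)` and `error_message = "Kubernetes version must be one we support. Currently supported versions are: 1.23, 1.24, 1.25."`. The new `vpc_instance_tenancy`, `eks_worker_tenancy` and `bastion_tenancy` variables in the other hunks of this file accept any string; a similar `contains(["default", "dedicated", "host"], ...)` validation would reject invalid EC2 tenancy values before apply.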
--- a/examples/complete/README.md +++ b/examples/complete/README.md @@ -85,6 +85,8 @@ Coming soon | [random_id.vpc_name](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | | [aws_ami.amazonlinux2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | | [aws_ami.amazonlinux2eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | +| [aws_ami.eks_default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | +| [aws_ami.eks_default_bottlerocket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_eks_cluster.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | | [aws_eks_cluster_auth.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | @@ -94,20 +96,35 @@ Coming soon | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [amazon\_eks\_aws\_ebs\_csi\_driver\_config](#input\_amazon\_eks\_aws\_ebs\_csi\_driver\_config) | configMap for AWS EBS CSI Driver add-on | `any` | `{}` | no | +| [amazon\_eks\_coredns\_config](#input\_amazon\_eks\_coredns\_config) | Configuration for Amazon CoreDNS EKS add-on | `any` | `{}` | no | +| [amazon\_eks\_kube\_proxy\_config](#input\_amazon\_eks\_kube\_proxy\_config) | ConfigMap for Amazon EKS Kube-Proxy add-on | `any` | `{}` | no | +| [amazon\_eks\_vpc\_cni](#input\_amazon\_eks\_vpc\_cni) | The VPC CNI add-on configuration.
enabled - (Optional) Whether to enable the add-on. Defaults to false.
before\_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true.
most\_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true.
resolve\_conflict - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE.
configuration\_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. |
object({
enabled = bool
before_compute = bool
most_recent = bool
resolve_conflict = string
configuration_values = map(any) # hcl format later to be json encoded
})
|
{
"before_compute": true,
"configuration_values": {
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
},
"enabled": false,
"most_recent": true,
"resolve_conflict": "OVERWRITE"
}
| no | | [assign\_public\_ip](#input\_assign\_public\_ip) | Whether to assign a public IP to the bastion | `bool` | `false` | no | | [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with authorized access to KMS and EKS resources | `list(string)` | n/a | yes | +| [aws\_node\_termination\_handler\_helm\_config](#input\_aws\_node\_termination\_handler\_helm\_config) | AWS Node Termination Handler Helm Chart config | `any` | `{}` | no | | [bastion\_instance\_type](#input\_bastion\_instance\_type) | value for the instance type of the EKS worker nodes | `string` | `"m5.xlarge"` | no | | [bastion\_name\_prefix](#input\_bastion\_name\_prefix) | The name to use for the bastion | `string` | `"my-bastion"` | no | | [bastion\_ssh\_password](#input\_bastion\_ssh\_password) | The SSH password to use for the bastion if SSM authentication is used | `string` | `"my-password"` | no | | [bastion\_ssh\_user](#input\_bastion\_ssh\_user) | The SSH user to use for the bastion | `string` | `"ec2-user"` | no | | [bastion\_tenancy](#input\_bastion\_tenancy) | The tenancy of the bastion | `string` | `"default"` | no | +| [cluster\_autoscaler\_helm\_config](#input\_cluster\_autoscaler\_helm\_config) | Cluster Autoscaler Helm Chart config | `any` | `{}` | no | | [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether to enable private access to the EKS cluster | `bool` | `false` | no | | [cluster\_name\_prefix](#input\_cluster\_name\_prefix) | The name to use for the EKS cluster | `string` | `"my-eks"` | no | | [cluster\_version](#input\_cluster\_version) | The Kubernetes version to use for the EKS cluster | `string` | `"1.23"` | no | +| [create\_aws\_auth\_configmap](#input\_create\_aws\_auth\_configmap) | Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). 
Most users should use `manage_aws_auth_configmap` | `bool` | `false` | no | | [create\_database\_subnet\_group](#input\_create\_database\_subnet\_group) | Whether to create a database subnet group | `bool` | `true` | no | | [create\_database\_subnet\_route\_table](#input\_create\_database\_subnet\_route\_table) | Whether to create a database subnet route table | `bool` | `true` | no | +| [default\_tags](#input\_default\_tags) | A map of default tags to apply to all resources | `map(string)` | `{}` | no | | [eks\_worker\_tenancy](#input\_eks\_worker\_tenancy) | The tenancy of the EKS worker nodes | `string` | `"default"` | no | -| [enable\_managed\_nodegroups](#input\_enable\_managed\_nodegroups) | Enable managed node groups. If false, self managed node groups will be used. | `bool` | n/a | yes | +| [enable\_amazon\_eks\_aws\_ebs\_csi\_driver](#input\_enable\_amazon\_eks\_aws\_ebs\_csi\_driver) | Enable EKS Managed AWS EBS CSI Driver add-on; enable\_amazon\_eks\_aws\_ebs\_csi\_driver and enable\_self\_managed\_aws\_ebs\_csi\_driver are mutually exclusive | `bool` | `false` | no | +| [enable\_amazon\_eks\_coredns](#input\_enable\_amazon\_eks\_coredns) | Enable Amazon EKS CoreDNS add-on | `bool` | `false` | no | +| [enable\_amazon\_eks\_kube\_proxy](#input\_enable\_amazon\_eks\_kube\_proxy) | Enable Kube Proxy add-on | `bool` | `false` | no | +| [enable\_aws\_node\_termination\_handler](#input\_enable\_aws\_node\_termination\_handler) | Enable AWS Node Termination Handler add-on | `bool` | `false` | no | +| [enable\_cluster\_autoscaler](#input\_enable\_cluster\_autoscaler) | Enable Cluster autoscaler add-on | `bool` | `false` | no | +| [enable\_eks\_managed\_nodegroups](#input\_enable\_eks\_managed\_nodegroups) | Enable managed node groups | `bool` | n/a | yes | +| [enable\_metrics\_server](#input\_enable\_metrics\_server) | Enable metrics server add-on | `bool` | `false` | no | +| [enable\_self\_managed\_nodegroups](#input\_enable\_self\_managed\_nodegroups) | Enable 
self managed node groups | `bool` | n/a | yes | | [kc\_db\_allocated\_storage](#input\_kc\_db\_allocated\_storage) | The database allocated storage to use for Keycloak | `number` | n/a | yes | | [kc\_db\_engine\_version](#input\_kc\_db\_engine\_version) | The database engine to use for Keycloak | `string` | n/a | yes | | [kc\_db\_family](#input\_kc\_db\_family) | The database family to use for Keycloak | `string` | n/a | yes | @@ -116,6 +133,8 @@ Coming soon | [kc\_db\_max\_allocated\_storage](#input\_kc\_db\_max\_allocated\_storage) | The database allocated storage to use for Keycloak | `number` | n/a | yes | | [keycloak\_db\_password](#input\_keycloak\_db\_password) | The password to use for the Keycloak database | `string` | `"my-password"` | no | | [keycloak\_enabled](#input\_keycloak\_enabled) | Whether to enable Keycloak | `bool` | `false` | no | +| [manage\_aws\_auth\_configmap](#input\_manage\_aws\_auth\_configmap) | Determines whether to manage the aws-auth configmap | `bool` | `false` | no | +| [metrics\_server\_helm\_config](#input\_metrics\_server\_helm\_config) | Metrics Server Helm Chart config | `any` | `{}` | no | | [region](#input\_region) | The AWS region to deploy into | `string` | n/a | yes | | [region2](#input\_region2) | The AWS region to deploy into | `string` | n/a | yes | | [vpc\_cidr](#input\_vpc\_cidr) | The CIDR block for the VPC | `string` | n/a | yes | diff --git a/examples/complete/bigbang-dependencies.tf b/examples/complete/bigbang-dependencies.tf index 44f83147..ca49dc4a 100644 --- a/examples/complete/bigbang-dependencies.tf +++ b/examples/complete/bigbang-dependencies.tf 
@@ -30,11 +30,11 @@ module "loki_s3_bucket" { # source = "git::https://github.com/defenseunicorns/iac.git//modules/s3-irsa?ref=v" source = "../../modules/s3-irsa" - name_prefix = local.loki_s3_bucket_name_prefix + name_prefix = "${local.loki_name_prefix}-s3" region = var.region - policy_name_prefix = "${local.loki_s3_bucket_name_prefix}-policy" - kms_key_alias = local.loki_s3_bucket_name_prefix - kubernetes_service_account = "logging-${local.loki_s3_bucket_name_prefix}-sa" + policy_name_prefix = "${local.loki_name_prefix}-s3-policy" + kms_key_alias = local.loki_name_prefix + kubernetes_service_account = "logging-${local.loki_name_prefix}-sa" kubernetes_namespace = "logging" irsa_iam_role_name = "${module.eks.eks_cluster_id}-logging-loki-sa-role" eks_oidc_provider_arn = module.eks.eks_oidc_provider_arn diff --git a/examples/complete/fixtures.common.tfvars b/examples/complete/fixtures.common.tfvars index 37532b91..079e610b 100644 --- a/examples/complete/fixtures.common.tfvars +++ b/examples/complete/fixtures.common.tfvars @@ -4,7 +4,13 @@ region = "us-east-1" # target AWS region region2 = "us-east-2" # RDS backup target AWS region aws_admin_usernames = ["Placeholder"] # list of users to be added to the AWS admin group - +default_tags = { + Environment = "dev" + Project = "ci-eks" + Owner = "ci" +} +manage_aws_auth_configmap = true +create_aws_auth_configmap = true ########################################################### #################### VPC Config ########################### @@ -25,7 +31,7 @@ zarf_version = "v0.24.0-rc4" #################### EKS Config ########################### cluster_name_prefix = "ex-complete-eks-" -eks_k8s_version = "1.23" +cluster_version = "1.23" ########################################################### ############## Big Bang Dependencies ###################### 
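Review bot: The common fixture sets both `manage_aws_auth_configmap = true` and `create_aws_auth_configmap = true`, which contradicts the description this same commit gives `create_aws_auth_configmap` in variables.tf ("only intended for scenarios where the configmap does not exist", i.e. self-managed node groups only). fixtures.insecure.tfvars in this commit enables EKS managed node groups, and in that case the configmap is presumably already present by the time this example tries to create it, so a run that layers the two fixtures would likely fail on a pre-existing aws-auth. Keep `manage_aws_auth_configmap = true` in the common fixture and move `create_aws_auth_configmap = true` into a self-managed-only fixture, or add a comment such as `# create_aws_auth_configmap must be false when eks_managed_nodegroups are enabled` so the two flags are not left on together.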
@@ -43,3 +49,20 @@ kc_db_major_engine_version = "14" # DB option group kc_db_allocated_storage = 20 kc_db_max_allocated_storage = 100 kc_db_instance_class = "db.t4g.large" + +#################### EKS Addon ######################### +amazon_eks_vpc_cni = { + enable = true + before_compute = true + most_recent = true + resolve_conflict = "OVERWRITE" + configuration_values = { + # Reference https://aws.github.io/aws-eks-best-practices/reliability/docs/networkmanagement/#cni-custom-networking + AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = "true" + ENI_CONFIG_LABEL_DEF = "topology.kubernetes.io/zone" # allows vpc-cni to use topology labels to determine which subnet to deploy an ENI in + + # Reference docs https://docs.aws.amazon.com/eks/latest/userguide/cni-increase-ip-addresses.html + ENABLE_PREFIX_DELEGATION = "true" + WARM_PREFIX_TARGET = "1" + } +} diff --git a/examples/complete/fixtures.insecure.tfvars b/examples/complete/fixtures.insecure.tfvars index d2a14643..eb54b402 100644 --- a/examples/complete/fixtures.insecure.tfvars +++ b/examples/complete/fixtures.insecure.tfvars @@ -1,4 +1,4 @@ -enable_managed_nodegroups = true +enable_eks_managed_nodegroups = true bastion_tenancy = "default" eks_worker_tenancy = "default" cluster_endpoint_public_access = true diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 9763f039..ee10b0c0 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -13,6 +13,26 @@ data "aws_ami" "amazonlinux2eks" { owners = ["amazon"] } +data "aws_ami" "eks_default" { + most_recent = true + owners = ["amazon"] + + filter { + name = "name" + values = ["amazon-eks-node-${local.cluster_version}-v*"] + } +} + +data "aws_ami" "eks_default_bottlerocket" { + most_recent = true + owners = ["amazon"] + + filter { + name = "name" + values = ["bottlerocket-aws-k8s-${local.cluster_version}-x86_64-*"] + } +} + resource "random_id" "vpc_name" { byte_length = 2 prefix = var.vpc_name_prefix 
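Review bot: The new `amazon_eks_vpc_cni` block sets `enable = true`, but the `amazon_eks_vpc_cni` variable added to variables.tf in this same commit is an object type with an `enabled` attribute (its `default` also uses `enabled = false`), so Terraform will reject this tfvars file for a missing required attribute and an unsupported one. Change the line to `enabled = true` to match the variable type and its default. This is the only place the add-on is turned on for the example, so as written the custom-networking and prefix-delegation settings below it never take effect.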
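Review bot: Both new `aws_ami` data sources interpolate `local.cluster_version`, but the `locals` hunk later in this commit only defines `vpc_name`, `cluster_name`, `bastion_name` and `loki_name_prefix`, and the `module "eks"` call reads `var.cluster_version`; unless `cluster_version` is declared in a part of `locals` outside these hunks, the plan fails on an undeclared local. Either add `cluster_version = var.cluster_version` to `locals` or reference `var.cluster_version` directly in the two `values` filters. Separately, `most_recent = true` with a `v*` / `x86_64-*` wildcard means the node image changes silently between applies; a comment along the lines of `# most_recent + wildcard tracks the latest AWS release; pin the version for reproducible, reviewed node images` would warn readers of a security-focused example against copying this into production.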
@@ -29,10 +49,10 @@ resource "random_id" "bastion_name" { } locals { - vpc_name = lower(random_id.vpc_name.hex) - cluster_name = lower(random_id.cluster_name.hex) - bastion_name = lower(random_id.bastion_name.hex) - loki_s3_bucket_name_prefix = "${lower(random_id.cluster_name.hex)}-loki-s3" + vpc_name = lower(random_id.vpc_name.hex) + cluster_name = lower(random_id.cluster_name.hex) + bastion_name = lower(random_id.bastion_name.hex) + loki_name_prefix = "${lower(random_id.cluster_name.hex)}-loki" account = data.aws_caller_identity.current.account_id 
@@ -40,291 +60,233 @@ locals { Blueprint = "${replace(basename(path.cwd), "_", "-")}" # tag names based on the directory name GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints" } - admin_arns = [for admin_user in var.aws_admin_usernames : "arn:${data.aws_partition.current.partition}:iam::${local.account}:user/${admin_user}"] - aws_auth_eks_map_users = [for admin_user in var.aws_admin_usernames : { - userarn = "arn:${data.aws_partition.current.partition}:iam::${local.account}:user/${admin_user}" - username = "${admin_user}" - groups = ["system:masters"] - } - ] - managed_node_groups = var.enable_managed_nodegroups == false ? tomap({}) : { + eks_managed_node_groups = var.enable_eks_managed_nodegroups == false ? tomap({}) : { # Managed Node groups with minimum config - mg5 = { - node_group_name = "mg5" - instance_types = ["m5.large"] - min_size = 2 - create_iam_role = false # Changing `create_iam_role=false` to bring your own IAM Role - iam_role_arn = module.eks.aws_iam_role_managed_ng_arn - disk_size = 100 # Disk size is used only with Managed Node Groups without Launch Templates - update_config = [{ - max_unavailable_percentage = 30 - }] - }, - # Managed Node groups with Launch templates using AMI TYPE - mng_lt = { - # Node Group configuration - node_group_name = "mng_lt" # Max 40 characters for node group name - - ami_type = "AL2_x86_64" # Available options -> AL2_x86_64, AL2_x86_64_GPU, AL2_ARM_64, CUSTOM - release_version = "" # Enter AMI release version to deploy the latest AMI released by AWS. 
Used only when you specify ami_type - capacity_type = "ON_DEMAND" # ON_DEMAND or SPOT - instance_types = ["r5d.large"] # List of instances used only for SPOT type - format_mount_nvme_disk = true # format and mount NVMe disks ; default to false - - # Launch template configuration - create_launch_template = true # false will use the default launch template - launch_template_os = "amazonlinux2eks" # amazonlinux2eks or bottlerocket - - enable_monitoring = true - eni_delete = true - public_ip = false # Use this to enable public IP for EC2 instances; only for public subnets used in launch templates + # Default node group - as provided by AWS EKS + default_node_group = { + # By default, the module creates a launch template to ensure tags are propagated to instances, etc., + # so we need to disable it to use the default template provided by the AWS EKS managed node group service + use_custom_launch_template = false + + disk_size = 50 + + # Remote access cannot be specified with a launch template + remote_access = { + ec2_ssh_key = module.key_pair.key_pair_name + source_security_group_ids = [aws_security_group.remote_access.id] + } + } - http_endpoint = "enabled" - http_tokens = "optional" - http_put_response_hop_limit = 3 + # Default node group - as provided by AWS EKS using Bottlerocket + bottlerocket_default = { + # By default, the module creates a launch template to ensure tags are propagated to instances, etc., + # so we need to disable it to use the default template provided by the AWS EKS managed node group service + use_custom_launch_template = false - # pre_userdata can be used in both cases where you provide custom_ami_id or ami_type - pre_userdata = <<-EOT - yum install -y amazon-ssm-agent - systemctl enable amazon-ssm-agent && systemctl start amazon-ssm-agent - EOT + ami_type = "BOTTLEROCKET_x86_64" + platform = "bottlerocket" + } - # Taints can be applied through EKS API or through Bootstrap script using kubelet_extra_args - # e.g., k8s_taints = [{key= "spot", 
value="true", "effect"="NO_SCHEDULE"}] - k8s_taints = [] + # Adds to the AWS provided user data + bottlerocket_add = { + ami_type = "BOTTLEROCKET_x86_64" + platform = "bottlerocket" - # Node Labels can be applied through EKS API or through Bootstrap script using kubelet_extra_args - k8s_labels = { - Environment = "preprod" - Zone = "dev" - Runtime = "docker" - } + # This will get added to what AWS provides + bootstrap_extra_args = <<-EOT + # extra args added + [settings.kernel] + lockdown = "integrity" + EOT + } - # Node Group scaling configuration - desired_size = 2 - max_size = 2 - min_size = 2 + # Custom AMI, using module provided bootstrap data + bottlerocket_custom = { + # Current bottlerocket AMI + ami_id = data.aws_ami.eks_default_bottlerocket.image_id + platform = "bottlerocket" + + # Use module user data template to bootstrap + enable_bootstrap_user_data = true + # This will get added to the template + bootstrap_extra_args = <<-EOT + # The admin host container provides SSH access and runs with "superpowers". + # It is disabled by default, but can be disabled explicitly. + [settings.host-containers.admin] + enabled = false + + # The control host container provides out-of-band access via SSM. + # It is enabled by default, and can be disabled if you do not expect to use SSM. + # This could leave you with no way to access the API and change settings on an existing node! 
+ [settings.host-containers.control] + enabled = true + + # extra args added + [settings.kernel] + lockdown = "integrity" + + [settings.kubernetes.node-labels] + label1 = "foo" + label2 = "bar" + + [settings.kubernetes.node-taints] + dedicated = "experimental:PreferNoSchedule" + special = "true:NoSchedule" + EOT + } - block_device_mappings = [ - { - device_name = "/dev/xvda" - volume_type = "gp3" - volume_size = 100 - } - ] + # Complete + complete = { + name = "complete-eks-mng" + use_name_prefix = true - # Node Group network configuration - subnet_type = "private" # public or private - Default uses the private subnets used in control plane if you don't pass the "subnet_ids" - subnet_ids = [] # Defaults to private subnet-ids used by EKS Control plane. Define your private/public subnets list with comma separated subnet_ids = ['subnet1','subnet2','subnet3'] + subnet_ids = module.vpc.private_subnets - additional_iam_policies = [] # Attach additional IAM policies to the IAM role attached to this worker group + min_size = 1 + max_size = 7 + desired_size = 1 - # SSH ACCESS Optional - Recommended to use SSM Session manager - remote_access = false - ec2_ssh_key = "" - ssh_security_group_id = "" + ami_id = data.aws_ami.eks_default.image_id + enable_bootstrap_user_data = true - additional_tags = { - ExtraTag = "m5x-on-demand" - Name = "m5x-on-demand" - subnet_type = "private" - } - } - # Managed Node groups with Launch templates using CUSTOM AMI with ContainerD runtime - mng_custom_ami = { - # Node Group configuration - node_group_name = "mng_custom_ami" # Max 40 characters for node group name - - # custom_ami_id is optional when you provide ami_type. 
Enter the Custom AMI id if you want to use your own custom AMI - custom_ami_id = data.aws_ami.amazonlinux2eks.id - capacity_type = "ON_DEMAND" # ON_DEMAND or SPOT - instance_types = ["r5d.large"] # List of instances used only for SPOT type - - # Launch template configuration - create_launch_template = true # false will use the default launch template - launch_template_os = "amazonlinux2eks" # amazonlinux2eks or bottlerocket - - # pre_userdata will be applied by using custom_ami_id or ami_type - pre_userdata = <<-EOT - yum install -y amazon-ssm-agent - systemctl enable amazon-ssm-agent && systemctl start amazon-ssm-agent + pre_bootstrap_user_data = <<-EOT + export FOO=bar EOT - # post_userdata will be applied only by using custom_ami_id - post_userdata = <<-EOT - echo "Bootstrap successfully completed! You can further apply config or install to run after bootstrap if needed" + post_bootstrap_user_data = <<-EOT + echo "you are free little kubelet!" EOT - # kubelet_extra_args used only when you pass custom_ami_id; - # --node-labels is used to apply Kubernetes Labels to Nodes - # --register-with-taints used to apply taints to Nodes - # e.g., kubelet_extra_args='--node-labels=WorkerType=SPOT,noderole=spark --register-with-taints=spot=true:NoSchedule --max-pods=58', - kubelet_extra_args = "--node-labels=WorkerType=SPOT,noderole=spark --register-with-taints=test=true:NoSchedule --max-pods=20" - - # bootstrap_extra_args used only when you pass custom_ami_id. 
Allows you to change the Container Runtime for Nodes - # e.g., bootstrap_extra_args="--use-max-pods false --container-runtime containerd" - bootstrap_extra_args = "--use-max-pods false --container-runtime containerd" - - # Taints can be applied through EKS API or through Bootstrap script using kubelet_extra_args - k8s_taints = [] - - # Node Labels can be applied through EKS API or through Bootstrap script using kubelet_extra_args - k8s_labels = { - Environment = "preprod" - Zone = "dev" - Runtime = "containerd" + capacity_type = "SPOT" + force_update_version = true + instance_types = ["m6i.large", "m5.large", "m5n.large", "m5zn.large"] + labels = { + GithubRepo = "terraform-aws-eks" + GithubOrg = "terraform-aws-modules" } - enable_monitoring = true - eni_delete = true - public_ip = false # Use this to enable public IP for EC2 instances; only for public subnets used in launch templates - - # Node Group scaling configuration - desired_size = 2 - max_size = 2 - min_size = 2 - - block_device_mappings = [ + taints = [ { - device_name = "/dev/xvda" - volume_type = "gp3" - volume_size = 150 + key = "dedicated" + value = "gpuGroup" + effect = "NO_SCHEDULE" } ] - # Node Group network configuration - subnet_type = "private" # public or private - Default uses the private subnets used in control plane if you don't pass the "subnet_ids" - subnet_ids = [] # Defaults to private subnet-ids used by EKS Control plane. 
Define your private/public subnets list with comma separated subnet_ids = ['subnet1','subnet2','subnet3'] + update_config = { + max_unavailable_percentage = 33 # or set `max_unavailable` + } - additional_iam_policies = [] # Attach additional IAM policies to the IAM role attached to this worker group + description = "EKS managed node group example launch template" - # SSH ACCESS Optional - Recommended to use SSM Session manager - remote_access = false - ec2_ssh_key = "" - ssh_security_group_id = "" + ebs_optimized = true + disable_api_termination = false + enable_monitoring = true - additional_tags = { - ExtraTag = "mng-custom-ami" - Name = "mng-custom-ami" - subnet_type = "private" + block_device_mappings = { + xvda = { + device_name = "/dev/xvda" + ebs = { + volume_size = 75 + volume_type = "gp3" + iops = 3000 + throughput = 150 + delete_on_termination = true + } + } } - } - # Managed Node group with Launch templates using AMI TYPE and SPOT instances of 2 vCPUs and 8 Gib Memory - spot_2vcpu_8mem = { - node_group_name = "mng-spot-2vcpu-8mem" - capacity_type = "SPOT" - instance_types = ["m5.large", "m4.large", "m6a.large", "m5a.large", "m5d.large"] - max_size = 2 - desired_size = 1 - min_size = 1 - - # Node Group network configuration - subnet_type = "private" # public or private - Default uses the private subnets used in control plane if you don't pass the "subnet_ids" - subnet_ids = [] # Defaults to private subnet-ids used by EKS Control plane. 
Define your private/public subnets list with comma separated subnet_ids = ['subnet1','subnet2','subnet3'] - - k8s_taints = [{ key = "spotInstance", value = "true", effect = "NO_SCHEDULE" }] - } - - # Managed Node group with Launch templates using AMI TYPE and SPOT instances of 4 vCPUs and 16 Gib Memory - spot_4vcpu_16mem = { - node_group_name = "mng-spot-4vcpu-16mem" - capacity_type = "SPOT" - instance_types = ["m5.xlarge", "m4.xlarge", "m6a.xlarge", "m5a.xlarge", "m5d.xlarge"] - - # Node Group network configuration - subnet_type = "private" # public or private - Default uses the private subnets used in control plane if you don't pass the "subnet_ids" - subnet_ids = [] # Defaults to private subnet-ids used by EKS Control plane. Define your private/public subnets list with comma separated subnet_ids = ['subnet1','subnet2','subnet3'] - k8s_taints = [{ key = "spotInstance", value = "true", effect = "NO_SCHEDULE" }] + metadata_options = { + http_endpoint = "enabled" + http_tokens = "required" + http_put_response_hop_limit = 2 + instance_metadata_tags = "disabled" + } - # NOTE: If we want the node group to scale-down to zero nodes, - # we need to use a custom launch template and define some additional tags for the ASGs - min_size = 0 + create_iam_role = true + iam_role_name = "eks-managed-node-group-complete-example" + iam_role_use_name_prefix = false + iam_role_description = "EKS managed node group complete example role" + iam_role_tags = { + Purpose = "Protector of the kubelet" + } + iam_role_additional_policies = { + AmazonEC2ContainerRegistryReadOnly = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" + AmazonSSMManagedInstanceCore = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore" - # Launch template configuration - create_launch_template = true # false will use the default launch template - launch_template_os = "amazonlinux2eks" # amazonlinux2eks or bottlerocket + } - # This 
is so cluster autoscaler can identify which node (using ASGs tags) to scale-down to zero nodes - additional_tags = { - "k8s.io/cluster-autoscaler/node-template/label/eks.amazonaws.com/capacityType" = "SPOT" - "k8s.io/cluster-autoscaler/node-template/label/eks/node_group_name" = "mng-spot-2vcpu-8mem" + tags = { + ExtraTag = "EKS managed node group complete example" } } } - self_managed_node_groups = var.enable_managed_nodegroups == true ? tomap({}) : { + self_managed_node_groups = var.enable_self_managed_nodegroups == true ? tomap({}) : { self_mg1 = { - node_group_name = "self_mg1" - subnet_ids = module.vpc.private_subnets - create_launch_template = true - launch_template_os = "amazonlinux2eks" # amazonlinux2eks or bottlerocket or windows - custom_ami_id = "" # Bring your own custom AMI generated by Packer/ImageBuilder/Puppet etc. + node_group_name = "self_mg1" + subnet_ids = module.vpc.private_subnets - create_iam_role = false # Changing `create_iam_role=false` to bring your own IAM Role - iam_role_arn = module.eks.aws_iam_role_self_managed_ng_arn # custom IAM role for aws-auth mapping; used when create_iam_role = false - iam_instance_profile_name = module.eks.aws_iam_instance_profile_self_managed_ng_name # IAM instance profile name for Launch templates; used when create_iam_role = false - - format_mount_nvme_disk = true - public_ip = false - enable_monitoring = false + min_size = 3 + max_size = 10 + desired_size = 3 + # ami_id = "" # defaults to latest amazon linux 2 eks ami matching k8s version in the upstream module + # create_iam_role = true # Changing `create_iam_role=false` to bring your own IAM Role + # iam_role_arn = module.eks.aws_iam_role_self_managed_ng_arn # custom IAM role for aws-auth mapping; used when create_iam_role = false + # iam_instance_profile_name = module.eks.aws_iam_instance_profile_self_managed_ng_name # IAM instance profile name for Launch templates; used when create_iam_role = false placement = { - affinity = null - availability_zone = 
null - group_name = null - host_id = null - tenancy = var.eks_worker_tenancy + tenancy = var.eks_worker_tenancy } - enable_metadata_options = false + metadata_options = false - pre_userdata = <<-EOT + pre_bootstrap_userdata = <<-EOT yum install -y amazon-ssm-agent systemctl enable amazon-ssm-agent && systemctl start amazon-ssm-agent EOT + post_userdata = <<-EOT + echo "Bootstrap successfully completed! You can further apply config or install to run after bootstrap if needed" + EOT + # bootstrap_extra_args used only when you pass custom_ami_id. Allows you to change the Container Runtime for Nodes # e.g., bootstrap_extra_args="--use-max-pods false --container-runtime containerd" bootstrap_extra_args = "--use-max-pods false" - block_device_mappings = [ - { - device_name = "/dev/xvda" # mount point to / - volume_type = "gp3" - volume_size = 50 + block_device_mappings = { + xvda = { + device_name = "/dev/xvda" + ebs = { + volume_size = 50 + volume_type = "gp3" + } }, - { - device_name = "/dev/xvdf" # mount point to /local1 (it could be local2, depending upon the disks are attached during boot) - volume_type = "gp3" - volume_size = 80 - iops = 3000 - throughput = 125 + xvdf = { + device_name = "/dev/xvdf" + ebs = { + volume_size = 80 + volume_type = "gp3" + iops = 3000 + throughput = 125 + } }, - { - device_name = "/dev/xvdg" # mount point to /local2 (it could be local1, depending upon the disks are attached during boot) - volume_type = "gp3" - volume_size = 100 - iops = 3000 - throughput = 125 + xvdg = { + device_name = "/dev/xvdg" + ebs = { + volume_size = 100 + volume_type = "gp3" + iops = 3000 + throughput = 125 + } } - ] + } instance_type = "m5.xlarge" - desired_size = 3 - max_size = 10 - min_size = 3 - capacity_type = "" # Optional Use this only for SPOT capacity as capacity_type = "spot" - - k8s_labels = { - Environment = "preprod" - Zone = "test" - } + #capacity_type = "" # Optional Use this only for SPOT capacity as capacity_type = "spot". 
Only for eks_managed_node_groups - additional_tags = { - ExtraTag = "m5x-on-demand" - Name = "m5x-on-demand" + tags = { subnet_type = "private" } } @@ -345,6 +307,7 @@ module "vpc" { public_subnets = [for k, v in module.vpc.azs : cidrsubnet(module.vpc.vpc_cidr_block, 5, k)] private_subnets = [for k, v in module.vpc.azs : cidrsubnet(module.vpc.vpc_cidr_block, 5, k + 4)] database_subnets = [for k, v in module.vpc.azs : cidrsubnet(module.vpc.vpc_cidr_block, 5, k + 8)] + intra_subnets = [for k, v in module.vpc.azs : cidrsubnet(module.vpc.vpc_cidr_block, 5, k + 12)] single_nat_gateway = true enable_nat_gateway = true 
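Review bot: The self-managed node group conditional is inverted: `self_managed_node_groups = var.enable_self_managed_nodegroups == true ? tomap({}) : { ... }` yields an empty map exactly when self-managed node groups are enabled and creates `self_mg1` when they are disabled, whereas the old `enable_managed_nodegroups == true` test (managed on, so no self-managed) made sense and the rename kept the ternary shape while changing its meaning. It should read `self_managed_node_groups = var.enable_self_managed_nodegroups == false ? tomap({}) : {`, which also matches the `== false` form used for `eks_managed_node_groups` at the top of this hunk. Within `self_mg1`, the user data keys are `pre_bootstrap_userdata` and `post_userdata`, while the managed `complete` group in the same hunk uses `pre_bootstrap_user_data` / `post_bootstrap_user_data`; if the module expects the latter spelling, the SSM agent install is silently dropped and those nodes never become reachable via Session Manager, which is the access path the example relies on. `metadata_options = false` on that group likewise looks like a leftover from the removed `enable_metadata_options` flag, since the managed group passes a map; worth confirming the module accepts a bool there rather than ignoring it.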
@@ -413,47 +376,86 @@ module "eks" { aws_account = local.account vpc_id = module.vpc.vpc_id private_subnet_ids = module.vpc.private_subnets - control_plane_subnet_ids = module.vpc.private_subnets source_security_group_id = module.bastion.security_group_ids[0] cluster_endpoint_public_access = var.cluster_endpoint_public_access cluster_endpoint_private_access = true cluster_kms_key_additional_admin_arns = local.admin_arns - eks_k8s_version = var.eks_k8s_version + vpc_cni_custom_subnet = module.vpc.intra_subnets + aws_admin_usernames = var.aws_admin_usernames + cluster_version = var.cluster_version bastion_role_arn = module.bastion.bastion_role_arn bastion_role_name = module.bastion.bastion_role_name - aws_auth_eks_map_users = local.aws_auth_eks_map_users enable_managed_nodegroups = var.enable_managed_nodegroups - managed_node_groups = local.managed_node_groups - self_managed_node_groups = local.self_managed_node_groups + + ######################## EKS Managed Node Group ################################### + eks_managed_node_group_defaults = { + ami_type = "AL2_x86_64" + instance_types = ["m6i.large", "m5.large", "m5n.large", "m5zn.large"] + + # We are using the IRSA created below for permissions + # However, we have to deploy with the policy attached FIRST (when creating a fresh cluster) + # and then turn this off after the cluster/node group is created. 
Without this initial policy, + # the VPC CNI fails to assign IPs and nodes cannot join the cluster + # See https://github.com/aws/containers-roadmap/issues/1666 for more context + iam_role_attach_cni_policy = true + } + + eks_managed_node_groups = local.eks_managed_node_groups + + ######################## Self Managed Node Group ################################### + self_managed_node_group_defaults = { + instance_type = "m5.xlarge" + update_launch_template_default_version = true + iam_role_additional_policies = { + AmazonSSMManagedInstanceCore = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore" + } + # enable discovery of autoscaling groups by cluster-autoscaler + autoscaling_group_tags = { + "k8s.io/cluster-autoscaler/enabled" : true, + "k8s.io/cluster-autoscaler/${var.cluster_name}" : "owned" + } + metadata_options = { + #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options + http_endpoint = "enabled" + http_put_response_hop_limit = 2 + http_tokens = "optional" # set to "enabled" to enforce IMDSv2, default for upstream terraform-aws-eks module + } + } + + self_managed_node_groups = local.self_managed_node_groups + + #--------------------------------------------------------------- + #"native" EKS Add-Ons + #--------------------------------------------------------------- + + # VPC CNI + amazon_eks_vpc_cni = var.amazon_eks_vpc_cni #--------------------------------------------------------------- # EKS Blueprints - EKS Add-Ons #--------------------------------------------------------------- - enable_eks_vpc_cni = true - enable_eks_coredns = true - enable_eks_kube_proxy = true - enable_eks_ebs_csi_driver = true - enable_eks_metrics_server = true - - enable_eks_cluster_autoscaler = true - cluster_autoscaler_helm_config = { - set = [ - { - name = "extraArgs.expander" - value = "priority" - }, - { - name = "expanderPriorities" - value = <<-EOT - 100: - - .*-spot-2vcpu-8mem.* - 
90: - - .*-spot-4vcpu-16mem.* - 10: - - .* - EOT - } - ] - } + # EKS CoreDNS + enable_amazon_eks_coredns = var.enable_amazon_eks_coredns + amazon_eks_coredns_config = var.amazon_eks_coredns_config + + # EKS kube-proxy + enable_amazon_eks_kube_proxy = var.enable_amazon_eks_kube_proxy + amazon_eks_kube_proxy_config = var.amazon_eks_kube_proxy_config + + # EKS EBS CSI Driver + enable_amazon_eks_aws_ebs_csi_driver = var.enable_amazon_eks_aws_ebs_csi_driver + amazon_eks_aws_ebs_csi_driver_config = var.amazon_eks_aws_ebs_csi_driver_config + + # EKS Metrics Server + enable_metrics_server = var.enable_metrics_server + metrics_server_helm_config = var.metrics_server_helm_config + + # EKS AWS node termination handler + enable_aws_node_termination_handler = var.enable_aws_node_termination_handler + aws_node_termination_handler_helm_config = var.aws_node_termination_handler_helm_config + + # EKS Cluster Autoscaler + enable_cluster_autoscaler = var.enable_cluster_autoscaler + cluster_autoscaler_helm_config = var.cluster_autoscaler_helm_config } diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index dfeeb0c2..085035ad 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf 
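Review bot: `self_managed_node_group_defaults.metadata_options` leaves `http_tokens = "optional"`, which keeps IMDSv1 reachable from every self-managed node, and the comment beside it is wrong — the value that enforces IMDSv2 is `"required"`, not `"enabled"`; combined with `http_put_response_hop_limit = 2`, any pod on the node can fetch the node role's credentials through an SSRF or container escape. Set `http_tokens = "required"` (the managed `complete` node group in this same commit already does) and use a hop limit of 1 unless pods genuinely need IMDS. Separately, the context lines `cluster_kms_key_additional_admin_arns = local.admin_arns` and `enable_managed_nodegroups = var.enable_managed_nodegroups` reference a local and a variable that this commit removes (the `admin_arns` local in the node group hunk and the `enable_managed_nodegroups` variable in variables.tf), so the module call will not plan as written; `var.cluster_name` in `autoscaling_group_tags` also looks like it should be `local.cluster_name`, which is what the rest of the file defines.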
@@ -16,8 +16,31 @@ variable "aws_admin_usernames" { type = list(string) } +variable "manage_aws_auth_configmap" { + description = "Determines whether to manage the aws-auth configmap" + type = bool + default = false +} + +variable "create_aws_auth_configmap" { + description = "Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). Most users should use `manage_aws_auth_configmap`" + type = bool + default = false +} + +variable "default_tags" { + description = "A map of default tags to apply to all resources" + type = map(string) + default = {} +} + ########################################################### #################### VPC Config ########################### +variable "vpc_instance_tenancy" { + description = "The tenancy of instances launched into the VPC" + type = string + default = "default" +} variable "vpc_cidr" { description = "The CIDR block for the VPC" @@ -48,6 +71,11 @@ variable "create_database_subnet_route_table" { ########################################################### #################### EKS Config ########################### +variable "eks_worker_tenancy" { + description = "The tenancy of the EKS worker nodes" + type = string + default = "default" +} variable "cluster_name_prefix" { description = "The name to use for the EKS cluster" 
@@ -71,13 +99,138 @@ variable "cluster_endpoint_public_access" { default = false } -variable "enable_managed_nodegroups" { - description = "Enable managed node groups. If false, self managed node groups will be used." +variable "enable_eks_managed_nodegroups" { + description = "Enable managed node groups" + type = bool +} + +variable "enable_self_managed_nodegroups" { + description = "Enable self managed node groups" + type = bool +} + +########################################################### +################## EKS Addons Config ###################### + +#----------------AWS EKS VPC CNI------------------------- +variable "amazon_eks_vpc_cni" { + description = <<-EOD + The VPC CNI add-on configuration. + enabled - (Optional) Whether to enable the add-on. Defaults to false. + before_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true. + most_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true. + resolve_conflict - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE. + configuration_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. 
+ EOD + type = object({ + enabled = bool + before_compute = bool + most_recent = bool + resolve_conflict = string + configuration_values = map(any) # hcl format later to be json encoded + }) + default = { + before_compute = true + enabled = false + most_recent = true + resolve_conflict = "OVERWRITE" + configuration_values = { + # Reference https://aws.github.io/aws-eks-best-practices/reliability/docs/networkmanagement/#cni-custom-networking + AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = "true" + ENI_CONFIG_LABEL_DEF = "topology.kubernetes.io/zone" # allows vpc-cni to use topology labels to determine which subnet to deploy an ENI in + + # Reference docs https://docs.aws.amazon.com/eks/latest/userguide/cni-increase-ip-addresses.html + ENABLE_PREFIX_DELEGATION = "true" + WARM_PREFIX_TARGET = "1" + } + } +} + +#----------------AWS CoreDNS------------------------- +variable "enable_amazon_eks_coredns" { + description = "Enable Amazon EKS CoreDNS add-on" + type = bool + default = false +} + +variable "amazon_eks_coredns_config" { + description = "Configuration for Amazon CoreDNS EKS add-on" + type = any + default = {} +} + +#----------------AWS Kube Proxy------------------------- +variable "enable_amazon_eks_kube_proxy" { + description = "Enable Kube Proxy add-on" + type = bool + default = false +} + +variable "amazon_eks_kube_proxy_config" { + description = "ConfigMap for Amazon EKS Kube-Proxy add-on" + type = any + default = {} +} + +#----------------AWS EBS CSI Driver------------------------- +variable "enable_amazon_eks_aws_ebs_csi_driver" { + description = "Enable EKS Managed AWS EBS CSI Driver add-on; enable_amazon_eks_aws_ebs_csi_driver and enable_self_managed_aws_ebs_csi_driver are mutually exclusive" + type = bool + default = false +} + +variable "amazon_eks_aws_ebs_csi_driver_config" { + description = "configMap for AWS EBS CSI Driver add-on" + type = any + default = {} +} + +#----------------Metrics Server------------------------- +variable "enable_metrics_server" { + 
description = "Enable metrics server add-on" + type = bool + default = false +} + +variable "metrics_server_helm_config" { + description = "Metrics Server Helm Chart config" + type = any + default = {} +} + +#----------------AWS Node Termination Handler------------------------- +variable "enable_aws_node_termination_handler" { + description = "Enable AWS Node Termination Handler add-on" + type = bool + default = false +} + +variable "aws_node_termination_handler_helm_config" { + description = "AWS Node Termination Handler Helm Chart config" + type = any + default = {} +} + +#----------------Cluster Autoscaler------------------------- +variable "enable_cluster_autoscaler" { + description = "Enable Cluster autoscaler add-on" type = bool + default = false +} + +variable "cluster_autoscaler_helm_config" { + description = "Cluster Autoscaler Helm Chart config" + type = any + default = {} } ########################################################### ################## Bastion Config ######################### +variable "bastion_tenancy" { + description = "The tenancy of the bastion" + type = string + default = "default" +} variable "bastion_name_prefix" { description = "The name to use for the bastion" @@ -160,24 +313,6 @@ variable "kc_db_max_allocated_storage" { type = number } -variable "vpc_instance_tenancy" { - description = "The tenancy of instances launched into the VPC" - type = string - default = "default" -} - -variable "bastion_tenancy" { - description = "The tenancy of the bastion" - type = string - default = "default" -} - -variable "eks_worker_tenancy" { - description = "The tenancy of the EKS worker nodes" - type = string - default = "default" -} - variable "zarf_version" { description = "The version of Zarf to use" type = string diff --git a/modules/eks/main.tf b/modules/eks/main.tf index d59052d0..4f7b1a12 100644 --- a/modules/eks/main.tf +++ b/modules/eks/main.tf 
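Review bot: The `amazon_eks_vpc_cni` object type in the `@@ -71,13 +99,138 @@` hunk declares every attribute as required (`enabled = bool`, `before_compute = bool`, …) while its description labels each one "(Optional)" with a default; with a plain `object({...})` constraint a caller who overrides the variable must supply all five attributes or the plan fails, and the documented per-attribute defaults never apply. If the project's required Terraform version allows it, `optional()` with defaults would make the type match the docs, e.g. `before_compute = optional(bool, true)` and `resolve_conflict = optional(string, "OVERWRITE")`; otherwise the description should state that all attributes are required whenever the object is set. The add-on and Helm config variables that follow use `type = any`, which skips validation entirely — acceptable for pass-through values, but worth saying in their descriptions. The EBS CSI description also refers to `enable_self_managed_aws_ebs_csi_driver` as mutually exclusive, and no such variable is declared in this hunk; if it lives elsewhere in the file, a pointer would help, otherwise the sentence is stale.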
@@ -14,7 +14,6 @@ module "aws_eks" { # public_subnet_ids = var.public_subnet_ids cluster_endpoint_public_access = var.cluster_endpoint_public_access cluster_endpoint_private_access = var.cluster_endpoint_private_access - # control_plane_subnet_ids = var.control_plane_subnet_ids #uses subnet_ids if not set self_managed_node_group_defaults = var.self_managed_node_group_defaults self_managed_node_groups = var.self_managed_node_groups From 3bdd89acc3fe13d1585c48ac5efb9468993a50b5 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Fri, 17 Mar 2023 14:25:09 -0700 Subject: [PATCH 16/46] fix stuff --- examples/complete-self-managed-nodegroup/variables.tf | 2 +- examples/complete/main.tf | 2 +- modules/eks/variables.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/examples/complete-self-managed-nodegroup/variables.tf b/examples/complete-self-managed-nodegroup/variables.tf index 1f12aa61..bba58888 100644 --- a/examples/complete-self-managed-nodegroup/variables.tf +++ b/examples/complete-self-managed-nodegroup/variables.tf @@ -94,7 +94,7 @@ variable "cluster_version" { type = string default = "1.23" validation { - condition = contains(["1.23", "1.24", "1,25"], var.cluster_version) + condition = contains(["1.23"], var.cluster_version) error_message = "Kubernetes version must be equal to one that we support. Currently supported versions are: 1.23." } } diff --git a/examples/complete/main.tf b/examples/complete/main.tf index ee10b0c0..0e2c9ef3 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -7,7 +7,7 @@ data "aws_ami" "amazonlinux2eks" { filter { name = "name" - values = ["amazon-eks-node-${var.eks_k8s_version}-*"] + values = ["amazon-eks-node-${var.cluster_version}-*"] } owners = ["amazon"] diff --git a/modules/eks/variables.tf b/modules/eks/variables.tf index 9e95672c..24493b98 100644 --- a/modules/eks/variables.tf +++ b/modules/eks/variables.tf 
@@ -10,7 +10,7 @@ variable "cluster_version" { type = string default = "1.23" validation { - condition = contains(["1.23"], var.eks_k8s_version) + condition = contains(["1.23"], var.cluster_version) error_message = "Kubernetes version must be equal to one that we support. Currently supported versions are: 1.23." } } From 451c31424e1f28d45fcac93ccd1d114f903effa0 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Fri, 17 Mar 2023 14:30:57 -0700 Subject: [PATCH 17/46] fix var --- examples/complete-self-managed-nodegroup/README.md | 2 +- .../terraform.tfvars.example | 8 ++++---- .../complete-self-managed-nodegroup/variables.tf | 12 ++++++------ examples/complete/README.md | 2 +- examples/complete/fixtures.common.tfvars | 8 ++++---- examples/complete/variables.tf | 12 ++++++------ modules/eks/README.md | 2 +- modules/eks/locals.tf | 2 +- modules/eks/variables.tf | 12 ++++++------ 9 files changed, 30 insertions(+), 30 deletions(-) diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index ca0da69c..37e1938c 100644 --- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md @@ -228,7 +228,7 @@ terraform destroy -auto-approve | [amazon\_eks\_aws\_ebs\_csi\_driver\_config](#input\_amazon\_eks\_aws\_ebs\_csi\_driver\_config) | configMap for AWS EBS CSI Driver add-on | `any` | `{}` | no | | [amazon\_eks\_coredns\_config](#input\_amazon\_eks\_coredns\_config) | Configuration for Amazon CoreDNS EKS add-on | `any` | `{}` | no | | [amazon\_eks\_kube\_proxy\_config](#input\_amazon\_eks\_kube\_proxy\_config) | ConfigMap for Amazon EKS Kube-Proxy add-on | `any` | `{}` | no | -| [amazon\_eks\_vpc\_cni](#input\_amazon\_eks\_vpc\_cni) | The VPC CNI add-on configuration.
enabled - (Optional) Whether to enable the add-on. Defaults to false.
before\_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true.
most\_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true.
resolve\_conflict - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE.
configuration\_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. |
object({
enabled = bool
before_compute = bool
most_recent = bool
resolve_conflict = string
configuration_values = map(any) # hcl format later to be json encoded
})
|
{
"before_compute": true,
"configuration_values": {
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
},
"enabled": false,
"most_recent": true,
"resolve_conflict": "OVERWRITE"
}
| no | +| [amazon\_eks\_vpc\_cni](#input\_amazon\_eks\_vpc\_cni) | The VPC CNI add-on configuration.
enabled - (Optional) Whether to enable the add-on. Defaults to false.
before\_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true.
most\_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true.
resolve\_conflicts - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE.
configuration\_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. |
object({
enabled = bool
before_compute = bool
most_recent = bool
resolve_conflicts = string
configuration_values = map(any) # hcl format later to be json encoded
})
|
{
"before_compute": true,
"configuration_values": {
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
},
"enabled": false,
"most_recent": true,
"resolve_conflicts": "OVERWRITE"
}
| no | | [assign\_public\_ip](#input\_assign\_public\_ip) | Whether to assign a public IP to the bastion | `bool` | `false` | no | | [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with admin access to KMS and EKS resources | `list(string)` | n/a | yes | | [aws\_node\_termination\_handler\_helm\_config](#input\_aws\_node\_termination\_handler\_helm\_config) | AWS Node Termination Handler Helm Chart config | `any` | `{}` | no | diff --git a/examples/complete-self-managed-nodegroup/terraform.tfvars.example b/examples/complete-self-managed-nodegroup/terraform.tfvars.example index 16d8a313..71b44a11 100644 --- a/examples/complete-self-managed-nodegroup/terraform.tfvars.example +++ b/examples/complete-self-managed-nodegroup/terraform.tfvars.example @@ -66,10 +66,10 @@ kc_db_instance_class = "db.t4g.large" loki_s3_bucket_kms_key_alias = "my-loki-s3" amazon_eks_vpc_cni = { - enabled = true - before_compute = true - most_recent = true - resolve_conflict = "OVERWRITE" + enabled = true + before_compute = true + most_recent = true + resolve_conflicts = "OVERWRITE" configuration_values = { # Reference https://aws.github.io/aws-eks-best-practices/reliability/docs/networkmanagement/#cni-custom-networking AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = "true" diff --git a/examples/complete-self-managed-nodegroup/variables.tf b/examples/complete-self-managed-nodegroup/variables.tf index bba58888..81f2745a 100644 --- a/examples/complete-self-managed-nodegroup/variables.tf +++ b/examples/complete-self-managed-nodegroup/variables.tf 
@@ -115,21 +115,21 @@ variable "amazon_eks_vpc_cni" { enabled - (Optional) Whether to enable the add-on. Defaults to false. before_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true. most_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true. - resolve_conflict - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE. + resolve_conflicts - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE. configuration_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. EOD type = object({ enabled = bool before_compute = bool most_recent = bool - resolve_conflict = string + resolve_conflicts = string configuration_values = map(any) # hcl format later to be json encoded }) default = { - before_compute = true - enabled = false - most_recent = true - resolve_conflict = "OVERWRITE" + before_compute = true + enabled = false + most_recent = true + resolve_conflicts = "OVERWRITE" configuration_values = { # Reference https://aws.github.io/aws-eks-best-practices/reliability/docs/networkmanagement/#cni-custom-networking AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = "true" diff --git a/examples/complete/README.md b/examples/complete/README.md index 9b52b289..20333121 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md 
@@ -99,7 +99,7 @@ Coming soon | [amazon\_eks\_aws\_ebs\_csi\_driver\_config](#input\_amazon\_eks\_aws\_ebs\_csi\_driver\_config) | configMap for AWS EBS CSI Driver add-on | `any` | `{}` | no | | [amazon\_eks\_coredns\_config](#input\_amazon\_eks\_coredns\_config) | Configuration for Amazon CoreDNS EKS add-on | `any` | `{}` | no | | [amazon\_eks\_kube\_proxy\_config](#input\_amazon\_eks\_kube\_proxy\_config) | ConfigMap for Amazon EKS Kube-Proxy add-on | `any` | `{}` | no | -| [amazon\_eks\_vpc\_cni](#input\_amazon\_eks\_vpc\_cni) | The VPC CNI add-on configuration.
enabled - (Optional) Whether to enable the add-on. Defaults to false.
before\_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true.
most\_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true.
resolve\_conflict - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE.
configuration\_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. |
object({
enabled = bool
before_compute = bool
most_recent = bool
resolve_conflict = string
configuration_values = map(any) # hcl format later to be json encoded
})
|
{
"before_compute": true,
"configuration_values": {
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
},
"enabled": false,
"most_recent": true,
"resolve_conflict": "OVERWRITE"
}
| no | +| [amazon\_eks\_vpc\_cni](#input\_amazon\_eks\_vpc\_cni) | The VPC CNI add-on configuration.
enabled - (Optional) Whether to enable the add-on. Defaults to false.
before\_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true.
most\_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true.
resolve\_conflicts - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE.
configuration\_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. |
object({
enabled = bool
before_compute = bool
most_recent = bool
resolve_conflicts = string
configuration_values = map(any) # hcl format later to be json encoded
})
|
{
"before_compute": true,
"configuration_values": {
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
},
"enabled": false,
"most_recent": true,
"resolve_conflicts": "OVERWRITE"
}
| no | | [assign\_public\_ip](#input\_assign\_public\_ip) | Whether to assign a public IP to the bastion | `bool` | `false` | no | | [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with authorized access to KMS and EKS resources | `list(string)` | n/a | yes | | [aws\_node\_termination\_handler\_helm\_config](#input\_aws\_node\_termination\_handler\_helm\_config) | AWS Node Termination Handler Helm Chart config | `any` | `{}` | no | diff --git a/examples/complete/fixtures.common.tfvars b/examples/complete/fixtures.common.tfvars index 079e610b..4bc176f5 100644 --- a/examples/complete/fixtures.common.tfvars +++ b/examples/complete/fixtures.common.tfvars @@ -52,10 +52,10 @@ kc_db_instance_class = "db.t4g.large" #################### EKS Addon ######################### amazon_eks_vpc_cni = { - enable = true - before_compute = true - most_recent = true - resolve_conflict = "OVERWRITE" + enable = true + before_compute = true + most_recent = true + resolve_conflicts = "OVERWRITE" configuration_values = { # Reference https://aws.github.io/aws-eks-best-practices/reliability/docs/networkmanagement/#cni-custom-networking AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = "true" diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index 085035ad..0af8c0bc 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf 
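Review bot: `enable = true` in the examples/complete/fixtures.common.tfvars hunk does not match the `amazon_eks_vpc_cni` object type, whose attribute is `enabled` (see the variables.tf hunks in this same commit). Terraform's object conversion will either reject the unknown attribute or drop it, and either way the required `enabled` attribute is missing, so this fixture cannot pass variable validation; the line should read `enabled = true`, matching the terraform.tfvars.example hunk earlier in the commit. The rename to `resolve_conflicts` on the next line is consistent with the variable and locals changes.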
@@ -119,21 +119,21 @@ variable "amazon_eks_vpc_cni" { enabled - (Optional) Whether to enable the add-on. Defaults to false. before_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true. most_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true. - resolve_conflict - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE. + resolve_conflicts - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE. configuration_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. EOD type = object({ enabled = bool before_compute = bool most_recent = bool - resolve_conflict = string + resolve_conflicts = string configuration_values = map(any) # hcl format later to be json encoded }) default = { - before_compute = true - enabled = false - most_recent = true - resolve_conflict = "OVERWRITE" + before_compute = true + enabled = false + most_recent = true + resolve_conflicts = "OVERWRITE" configuration_values = { # Reference https://aws.github.io/aws-eks-best-practices/reliability/docs/networkmanagement/#cni-custom-networking AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = "true" diff --git a/modules/eks/README.md b/modules/eks/README.md index a7441854..e66fe32c 100644 --- a/modules/eks/README.md +++ b/modules/eks/README.md 
@@ -51,7 +51,7 @@ To view examples for how you can leverage this EKS Module, please see the [examp | [amazon\_eks\_aws\_ebs\_csi\_driver\_config](#input\_amazon\_eks\_aws\_ebs\_csi\_driver\_config) | configMap for AWS EBS CSI Driver add-on | `any` | `{}` | no | | [amazon\_eks\_coredns\_config](#input\_amazon\_eks\_coredns\_config) | Configuration for Amazon CoreDNS EKS add-on | `any` | `{}` | no | | [amazon\_eks\_kube\_proxy\_config](#input\_amazon\_eks\_kube\_proxy\_config) | ConfigMap for Amazon EKS Kube-Proxy add-on | `any` | `{}` | no | -| [amazon\_eks\_vpc\_cni](#input\_amazon\_eks\_vpc\_cni) | The VPC CNI add-on configuration.

enabled - (Optional) Whether to enable the add-on. Defaults to false.
before\_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true.
most\_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true.
resolve\_conflict - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE.
configuration\_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. |
object({
enabled = bool
before_compute = bool
most_recent = bool
resolve_conflict = string
configuration_values = map(any) # hcl format later to be json encoded
})
|
{
"before_compute": true,
"configuration_values": {
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
},
"enabled": false,
"most_recent": true,
"resolve_conflict": "OVERWRITE"
}
| no | +| [amazon\_eks\_vpc\_cni](#input\_amazon\_eks\_vpc\_cni) | The VPC CNI add-on configuration.

enabled - (Optional) Whether to enable the add-on. Defaults to false.
before\_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true.
most\_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true.
resolve\_conflicts - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE.
configuration\_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. |
object({
enabled = bool
before_compute = bool
most_recent = bool
resolve_conflicts = string
configuration_values = map(any) # hcl format later to be json encoded
})
|
{
"before_compute": true,
"configuration_values": {
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
},
"enabled": false,
"most_recent": true,
"resolve_conflicts": "OVERWRITE"
}
| no | | [aws\_account](#input\_aws\_account) | n/a | `string` | `""` | no | | [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with authorized access to KMS and EKS resources | `list(string)` | `[]` | no | | [aws\_auth\_users](#input\_aws\_auth\_users) | List of map of users to add to aws-auth configmap |
list(object({
userarn = string
username = string
groups = list(string)
}))
| `[]` | no | diff --git a/modules/eks/locals.tf b/modules/eks/locals.tf index 80141173..b52c1c07 100644 --- a/modules/eks/locals.tf +++ b/modules/eks/locals.tf @@ -21,7 +21,7 @@ locals { before_compute = lookup(var.amazon_eks_vpc_cni, "before_compute", null) most_recent = lookup(var.amazon_eks_vpc_cni, "most_recent", null) configuration_values = jsonencode({ env = (lookup(var.amazon_eks_vpc_cni, "configuration_values", null)) }) - resolve_conflict = lookup(var.amazon_eks_vpc_cni, "resolve_conflict", null) + resolve_conflicts = lookup(var.amazon_eks_vpc_cni, "resolve_conflicts", null) } : null } } diff --git a/modules/eks/variables.tf b/modules/eks/variables.tf index 24493b98..9debda29 100644 --- a/modules/eks/variables.tf +++ b/modules/eks/variables.tf 
@@ -162,21 +162,21 @@ variable "amazon_eks_vpc_cni" { enabled - (Optional) Whether to enable the add-on. Defaults to false. before_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true. most_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true. - resolve_conflict - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE. + resolve_conflicts - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE. configuration_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. EOD type = object({ enabled = bool before_compute = bool most_recent = bool - resolve_conflict = string + resolve_conflicts = string configuration_values = map(any) # hcl format later to be json encoded }) default = { - before_compute = true - enabled = false - most_recent = true - resolve_conflict = "OVERWRITE" + before_compute = true + enabled = false + most_recent = true + resolve_conflicts = "OVERWRITE" configuration_values = { # Reference https://aws.github.io/aws-eks-best-practices/reliability/docs/networkmanagement/#cni-custom-networking AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = "true" From 09d92973bd19c0130c9fae91d197de0ca947f3f7 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Fri, 17 Mar 2023 14:51:12 -0700 Subject: [PATCH 18/46] why not both? --- examples/complete/fixtures.insecure.tfvars | 1 + examples/complete/main.tf | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/examples/complete/fixtures.insecure.tfvars b/examples/complete/fixtures.insecure.tfvars index eb54b402..6659531b 100644 --- a/examples/complete/fixtures.insecure.tfvars +++ b/examples/complete/fixtures.insecure.tfvars 
@@ -1,4 +1,5 @@ enable_eks_managed_nodegroups = true +enable_self_managed_nodegroups = true bastion_tenancy = "default" eks_worker_tenancy = "default" cluster_endpoint_public_access = true diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 0e2c9ef3..0d4a67e4 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -223,7 +223,7 @@ locals { } } - self_managed_node_groups = var.enable_self_managed_nodegroups == true ? tomap({}) : { + self_managed_node_groups = var.enable_self_managed_nodegroups == false ? tomap({}) : { self_mg1 = { node_group_name = "self_mg1" subnet_ids = module.vpc.private_subnets From 2e79dd7d0a23f6c2894c874f5972920c9ab84f04 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Fri, 17 Mar 2023 15:09:24 -0700 Subject: [PATCH 19/46] fix input vars --- examples/complete/main.tf | 28 +++++++++++++--------------- modules/eks/README.md | 1 + modules/eks/variables.tf | 6 ++++++ 3 files changed, 20 insertions(+), 15 deletions(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 0d4a67e4..8ae6b25a 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
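Review bot: The corrected condition in the examples/complete/main.tf hunk compares a bool to a literal, `var.enable_self_managed_nodegroups == false ? tomap({}) : {`, which reads as a double negative against the flag's name. Writing `var.enable_self_managed_nodegroups ? { ... } : tomap({})` puts the enabled case first and drops the literal comparison; the `locals` block this line belongs to continues outside the hunk. The fixtures.insecure.tfvars hunk now enables both managed and self-managed node groups next to `cluster_endpoint_public_access = true`, which is fine for a fixture explicitly named insecure but should not be mirrored into the `.example` files.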
@@ -371,21 +371,19 @@ module "eks" { # source = "git::https://github.com/defenseunicorns/iac.git//modules/eks?ref=v" source = "../../modules/eks" - name = local.cluster_name - aws_region = var.region - aws_account = local.account - vpc_id = module.vpc.vpc_id - private_subnet_ids = module.vpc.private_subnets - source_security_group_id = module.bastion.security_group_ids[0] - cluster_endpoint_public_access = var.cluster_endpoint_public_access - cluster_endpoint_private_access = true - cluster_kms_key_additional_admin_arns = local.admin_arns - vpc_cni_custom_subnet = module.vpc.intra_subnets - aws_admin_usernames = var.aws_admin_usernames - cluster_version = var.cluster_version - bastion_role_arn = module.bastion.bastion_role_arn - bastion_role_name = module.bastion.bastion_role_name - enable_managed_nodegroups = var.enable_managed_nodegroups + name = local.cluster_name + aws_region = var.region + aws_account = local.account + vpc_id = module.vpc.vpc_id + private_subnet_ids = module.vpc.private_subnets + source_security_group_id = module.bastion.security_group_ids[0] + cluster_endpoint_public_access = var.cluster_endpoint_public_access + cluster_endpoint_private_access = true + vpc_cni_custom_subnet = module.vpc.intra_subnets + aws_admin_usernames = var.aws_admin_usernames + cluster_version = var.cluster_version + bastion_role_arn = module.bastion.bastion_role_arn + bastion_role_name = module.bastion.bastion_role_name ######################## EKS Managed Node Group ################################### eks_managed_node_group_defaults = { diff --git a/modules/eks/README.md b/modules/eks/README.md index e66fe32c..99f84f5c 100644 --- a/modules/eks/README.md +++ b/modules/eks/README.md 
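Review bot: The rewritten `module "eks"` call drops `cluster_kms_key_additional_admin_arns = local.admin_arns` together with `enable_managed_nodegroups`, and the commit message ("fix input vars") suggests both inputs no longer exist on the module; if the module still accepts the KMS admin ARNs input, removing it silently changes who can administer the cluster KMS key, so please confirm against modules/eks/variables.tf. If `local.admin_arns` is now unused it should be removed from the locals as well. Neither `enable_eks_managed_nodegroups` nor `enable_self_managed_nodegroups` from variables.tf is passed here, so the module presumably learns about node groups only through the `*_node_groups` maps; a one-line comment above `eks_managed_node_group_defaults = {` saying so would save the next reader the search. The module block continues past the end of the hunk.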
@@ -66,6 +66,7 @@ To view examples for how you can leverage this EKS Module, please see the [examp | [cluster\_version](#input\_cluster\_version) | Kubernetes version to use for EKS cluster | `string` | `"1.23"` | no | | [control\_plane\_subnet\_ids](#input\_control\_plane\_subnet\_ids) | Subnet IDs for control plane | `list(string)` | `[]` | no | | [create\_aws\_auth\_configmap](#input\_create\_aws\_auth\_configmap) | Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). Most users should use `manage_aws_auth_configmap` | `bool` | `false` | no | +| [eks\_managed\_node\_group\_defaults](#input\_eks\_managed\_node\_group\_defaults) | Map of EKS-managed node group default configurations | `any` | `{}` | no | | [eks\_managed\_node\_groups](#input\_eks\_managed\_node\_groups) | Managed node groups configuration | `any` | `{}` | no | | [enable\_amazon\_eks\_aws\_ebs\_csi\_driver](#input\_enable\_amazon\_eks\_aws\_ebs\_csi\_driver) | Enable EKS Managed AWS EBS CSI Driver add-on; enable\_amazon\_eks\_aws\_ebs\_csi\_driver and enable\_self\_managed\_aws\_ebs\_csi\_driver are mutually exclusive | `bool` | `false` | no | | [enable\_amazon\_eks\_coredns](#input\_enable\_amazon\_eks\_coredns) | Enable Amazon EKS CoreDNS add-on | `bool` | `false` | no | diff --git a/modules/eks/variables.tf b/modules/eks/variables.tf index 9debda29..959d7430 100644 --- a/modules/eks/variables.tf +++ b/modules/eks/variables.tf @@ -152,6 +152,12 @@ variable "self_managed_node_group_defaults" { default = {} } +variable "eks_managed_node_group_defaults" { + description = "Map of EKS-managed node group default configurations" + type = any + default = {} +} + ########################################################### ################## EKS Addons Config ###################### From 66e73b9587c9acbe98325e6c68fb66463b2f0a67 Mon Sep 17 00:00:00 2001 
From: Zack Annexstein Date: Fri, 17 Mar 2023 15:18:56 -0700 Subject: [PATCH 20/46] fix var --- examples/complete/bigbang-dependencies.tf | 10 +++++----- examples/complete/main.tf | 4 ++-- examples/complete/providers.tf | 13 +++++++++++-- 3 files changed, 18 insertions(+), 9 deletions(-) diff --git a/examples/complete/bigbang-dependencies.tf b/examples/complete/bigbang-dependencies.tf index ca49dc4a..9ed35f6d 100644 --- a/examples/complete/bigbang-dependencies.tf +++ b/examples/complete/bigbang-dependencies.tf @@ -11,13 +11,13 @@ module "flux_sops" { source = "../../modules/sops" region = var.region - cluster_name = module.eks.eks_cluster_id + cluster_name = module.eks.cluster_name vpc_id = module.vpc.vpc_id - policy_name_prefix = "${module.eks.eks_cluster_id}-flux-sops" - kms_key_alias = "${module.eks.eks_cluster_id}-flux-sops" + policy_name_prefix = "${module.eks.cluster_name}-flux-sops" + kms_key_alias = "${module.eks.cluster_name}-flux-sops" kubernetes_service_account = "flux-system-sops-sa" kubernetes_namespace = "flux-system" - irsa_sops_iam_role_name = "${module.eks.eks_cluster_id}-flux-system-sa-role" + irsa_sops_iam_role_name = "${module.eks.cluster_name}-flux-system-sa-role" eks_oidc_provider_arn = module.eks.eks_oidc_provider_arn tags = local.tags role_name = module.bastion.bastion_role_name @@ -36,7 +36,7 @@ module "loki_s3_bucket" { kms_key_alias = local.loki_name_prefix kubernetes_service_account = "logging-${local.loki_name_prefix}-sa" kubernetes_namespace = "logging" - irsa_iam_role_name = "${module.eks.eks_cluster_id}-logging-loki-sa-role" + irsa_iam_role_name = "${module.eks.cluster_name}-logging-loki-sa-role" eks_oidc_provider_arn = module.eks.eks_oidc_provider_arn tags = local.tags dynamodb_enabled = true diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 8ae6b25a..6a496575 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
@@ -19,7 +19,7 @@ data "aws_ami" "eks_default" { filter { name = "name" - values = ["amazon-eks-node-${local.cluster_version}-v*"] + values = ["amazon-eks-node-${var.cluster_version}-v*"] } } @@ -29,7 +29,7 @@ data "aws_ami" "eks_default_bottlerocket" { filter { name = "name" - values = ["bottlerocket-aws-k8s-${local.cluster_version}-x86_64-*"] + values = ["bottlerocket-aws-k8s-${var.cluster_version}-x86_64-*"] } } diff --git a/examples/complete/providers.tf b/examples/complete/providers.tf index e3e5049a..84bb846c 100644 --- a/examples/complete/providers.tf +++ b/examples/complete/providers.tf @@ -48,20 +48,29 @@ terraform { } data "aws_eks_cluster_auth" "this" { - name = module.eks.eks_cluster_id + name = module.eks.cluster_name } data "aws_eks_cluster" "example" { - name = module.eks.eks_cluster_id + name = module.eks.cluster_name + depends_on = [ + module.eks.cluster_status + ] } provider "aws" { region = var.region + default_tags { + tags = var.default_tags + } } provider "aws" { alias = "region2" region = var.region2 + default_tags { + tags = var.default_tags + } } provider "kubernetes" { From 6afecc400de70047a8c8890ae40f0cd256e5411f Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Fri, 17 Mar 2023 15:45:22 -0700 Subject: [PATCH 21/46] MORE fixes --- .checkov.yml | 2 ++ examples/complete/README.md | 2 ++ examples/complete/bigbang-dependencies.tf | 4 +-- examples/complete/main.tf | 35 ++++++++++++++++++++++- 4 files changed, 40 insertions(+), 3 deletions(-) diff --git a/.checkov.yml b/.checkov.yml index fcd0706f..548b3c52 100644 --- a/.checkov.yml +++ b/.checkov.yml @@ -6,3 +6,5 @@ framework: terraform compact: true quiet: false summary-position: bottom +skip-check: + - CKV2_AWS_5 diff --git a/examples/complete/README.md b/examples/complete/README.md index 20333121..3cbf5d94 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md 
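Review bot: The `depends_on = [module.eks.cluster_status]` added to `data "aws_eks_cluster" "example"` forces that data source to be read at apply time instead of plan time, so every attribute taken from it becomes "known after apply" during plan; Terraform documents this behaviour for data sources with an explicit `depends_on`, and it presumably affects the `provider "kubernetes"` block that opens at the end of this hunk if that provider is configured from this data source. The reference `name = module.eks.cluster_name` already establishes the ordering dependency on the EKS module, and targeting an output value such as `cluster_status` rather than a resource is unusual. If the deferral is intended, say so in a comment, e.g. `# depends_on defers this read to apply time; downstream provider config will be unknown at plan`, otherwise drop the `depends_on`.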
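Review bot: The new `skip-check: - CKV2_AWS_5` in `.checkov.yml` suppresses that check for the entire repository, whereas the resource it is evidently added for (`aws_security_group.remote_access`, created in the same commit) is a single resource; a global skip will also hide any future unattached security group in every module and example. Prefer an inline suppression on that one resource with a stated reason, `#checkov:skip=CKV2_AWS_5: <reason the SG is intentionally unattached here>`, and leave the repository-wide config unchanged.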
@@ -72,6 +72,7 @@ Coming soon | [bastion](#module\_bastion) | ../../modules/bastion | n/a | | [eks](#module\_eks) | ../../modules/eks | n/a | | [flux\_sops](#module\_flux\_sops) | ../../modules/sops | n/a | +| [key\_pair](#module\_key\_pair) | terraform-aws-modules/key-pair/aws | ~> 2.0 | | [loki\_s3\_bucket](#module\_loki\_s3\_bucket) | ../../modules/s3-irsa | n/a | | [rds\_postgres\_keycloak](#module\_rds\_postgres\_keycloak) | ../../modules/rds | n/a | | [vpc](#module\_vpc) | ../../modules/vpc | n/a | @@ -80,6 +81,7 @@ Coming soon | Name | Type | |------|------| +| [aws_security_group.remote_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [random_id.bastion_name](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | | [random_id.cluster_name](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | | [random_id.vpc_name](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | diff --git a/examples/complete/bigbang-dependencies.tf b/examples/complete/bigbang-dependencies.tf index 9ed35f6d..9c800091 100644 --- a/examples/complete/bigbang-dependencies.tf +++ b/examples/complete/bigbang-dependencies.tf @@ -18,7 +18,7 @@ module "flux_sops" { kubernetes_service_account = "flux-system-sops-sa" kubernetes_namespace = "flux-system" irsa_sops_iam_role_name = "${module.eks.cluster_name}-flux-system-sa-role" - eks_oidc_provider_arn = module.eks.eks_oidc_provider_arn + eks_oidc_provider_arn = module.eks.oidc_provider_arn tags = local.tags role_name = module.bastion.bastion_role_name } 
@@ -37,7 +37,7 @@ module "loki_s3_bucket" { kubernetes_service_account = "logging-${local.loki_name_prefix}-sa" kubernetes_namespace = "logging" irsa_iam_role_name = "${module.eks.cluster_name}-logging-loki-sa-role" - eks_oidc_provider_arn = module.eks.eks_oidc_provider_arn + eks_oidc_provider_arn = module.eks.oidc_provider_arn tags = local.tags dynamodb_enabled = true } diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 6a496575..6542ce1a 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -410,7 +410,7 @@ module "eks" { # enable discovery of autoscaling groups by cluster-autoscaler autoscaling_group_tags = { "k8s.io/cluster-autoscaler/enabled" : true, - "k8s.io/cluster-autoscaler/${var.cluster_name}" : "owned" + "k8s.io/cluster-autoscaler/${local.cluster_name}" : "owned" } metadata_options = { #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options @@ -457,3 +457,36 @@ module "eks" { enable_cluster_autoscaler = var.enable_cluster_autoscaler cluster_autoscaler_helm_config = var.cluster_autoscaler_helm_config } + +module "key_pair" { + source = "terraform-aws-modules/key-pair/aws" + version = "~> 2.0" + + key_name_prefix = local.cluster_name + create_private_key = true + + tags = local.tags +} + +resource "aws_security_group" "remote_access" { + name_prefix = "${local.cluster_name}-remote-access" + description = "Allow remote SSH access" + vpc_id = module.vpc.vpc_id + + ingress { + description = "SSH access" + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = [var.vpc_cidr] + } + + egress { + description = "Allow all outbound traffic" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] + } +} From 72901bdddd243e3c99c7cf5461d6f0e8b3100fa4 Mon Sep 17 00:00:00 2001 
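Review bot: `create_private_key = true` in `module "key_pair"` makes the module generate the SSH private key inside Terraform, so the unencrypted key material is written to the state file (and shown in plan output); anyone with read access to the state backend then holds the SSH key for the nodes. If SSH access is really needed in this example, supply an externally generated public key instead (`public_key = var.ssh_public_key` or similar) so the private half never enters state, or at minimum add `# NOTE: the generated private key is stored unencrypted in Terraform state; restrict backend access` above the block. Separately, `aws_security_group.remote_access` is created but nothing in this hunk attaches it to a node group (which is likely why CKV2_AWS_5 is skipped in the same commit), and its egress rule is open to `0.0.0.0/0` and `::/0`; both deserve a comment explaining the intent. The `module "eks"` block touched by the first hunk starts outside the hunk.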
From: Zack Annexstein Date: Fri, 17 Mar 2023 15:55:36 -0700 Subject: [PATCH 22/46] fix input var --- examples/complete/README.md | 2 +- examples/complete/variables.tf | 4 ++-- modules/eks/README.md | 2 +- modules/eks/variables.tf | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/examples/complete/README.md b/examples/complete/README.md index 3cbf5d94..201aeabb 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md @@ -101,7 +101,7 @@ Coming soon | [amazon\_eks\_aws\_ebs\_csi\_driver\_config](#input\_amazon\_eks\_aws\_ebs\_csi\_driver\_config) | configMap for AWS EBS CSI Driver add-on | `any` | `{}` | no | | [amazon\_eks\_coredns\_config](#input\_amazon\_eks\_coredns\_config) | Configuration for Amazon CoreDNS EKS add-on | `any` | `{}` | no | | [amazon\_eks\_kube\_proxy\_config](#input\_amazon\_eks\_kube\_proxy\_config) | ConfigMap for Amazon EKS Kube-Proxy add-on | `any` | `{}` | no | -| [amazon\_eks\_vpc\_cni](#input\_amazon\_eks\_vpc\_cni) | The VPC CNI add-on configuration.
enabled - (Optional) Whether to enable the add-on. Defaults to false.
before\_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true.
most\_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true.
resolve\_conflicts - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE.
configuration\_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. |
object({
enabled = bool
before_compute = bool
most_recent = bool
resolve_conflicts = string
configuration_values = map(any) # hcl format later to be json encoded
})
|
{
"before_compute": true,
"configuration_values": {
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
},
"enabled": false,
"most_recent": true,
"resolve_conflicts": "OVERWRITE"
}
| no | +| [amazon\_eks\_vpc\_cni](#input\_amazon\_eks\_vpc\_cni) | The VPC CNI add-on configuration.
enabled - (Optional) Whether to enable the add-on. Defaults to false.
before\_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true.
most\_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true.
resolve\_conflicts - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE.
configuration\_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. |
object({
enable = bool
before_compute = bool
most_recent = bool
resolve_conflicts = string
configuration_values = map(any) # hcl format later to be json encoded
})
|
{
"before_compute": true,
"configuration_values": {
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
},
"enable": false,
"most_recent": true,
"resolve_conflicts": "OVERWRITE"
}
| no | | [assign\_public\_ip](#input\_assign\_public\_ip) | Whether to assign a public IP to the bastion | `bool` | `false` | no | | [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with authorized access to KMS and EKS resources | `list(string)` | n/a | yes | | [aws\_node\_termination\_handler\_helm\_config](#input\_aws\_node\_termination\_handler\_helm\_config) | AWS Node Termination Handler Helm Chart config | `any` | `{}` | no | diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index 0af8c0bc..1a889319 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -123,7 +123,7 @@ variable "amazon_eks_vpc_cni" { configuration_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. EOD type = object({ - enabled = bool + enable = bool before_compute = bool most_recent = bool resolve_conflicts = string @@ -131,7 +131,7 @@ variable "amazon_eks_vpc_cni" { }) default = { before_compute = true - enabled = false + enable = false most_recent = true resolve_conflicts = "OVERWRITE" configuration_values = { diff --git a/modules/eks/README.md b/modules/eks/README.md index 99f84f5c..c4726b54 100644 --- a/modules/eks/README.md +++ b/modules/eks/README.md 
@@ -51,7 +51,7 @@ To view examples for how you can leverage this EKS Module, please see the [examp | [amazon\_eks\_aws\_ebs\_csi\_driver\_config](#input\_amazon\_eks\_aws\_ebs\_csi\_driver\_config) | configMap for AWS EBS CSI Driver add-on | `any` | `{}` | no | | [amazon\_eks\_coredns\_config](#input\_amazon\_eks\_coredns\_config) | Configuration for Amazon CoreDNS EKS add-on | `any` | `{}` | no | | [amazon\_eks\_kube\_proxy\_config](#input\_amazon\_eks\_kube\_proxy\_config) | ConfigMap for Amazon EKS Kube-Proxy add-on | `any` | `{}` | no | -| [amazon\_eks\_vpc\_cni](#input\_amazon\_eks\_vpc\_cni) | The VPC CNI add-on configuration.

enabled - (Optional) Whether to enable the add-on. Defaults to false.
before\_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true.
most\_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true.
resolve\_conflicts - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE.
configuration\_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. |
object({
enabled = bool
before_compute = bool
most_recent = bool
resolve_conflicts = string
configuration_values = map(any) # hcl format later to be json encoded
})
|
{
"before_compute": true,
"configuration_values": {
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
},
"enabled": false,
"most_recent": true,
"resolve_conflicts": "OVERWRITE"
}
| no | +| [amazon\_eks\_vpc\_cni](#input\_amazon\_eks\_vpc\_cni) | The VPC CNI add-on configuration.

enabled - (Optional) Whether to enable the add-on. Defaults to false.
before\_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true.
most\_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true.
resolve\_conflicts - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE.
configuration\_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. |
object({
enable = bool
before_compute = bool
most_recent = bool
resolve_conflicts = string
configuration_values = map(any) # hcl format later to be json encoded
})
|
{
"before_compute": true,
"configuration_values": {
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
},
"enable": false,
"most_recent": true,
"resolve_conflicts": "OVERWRITE"
}
| no | | [aws\_account](#input\_aws\_account) | n/a | `string` | `""` | no | | [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with authorized access to KMS and EKS resources | `list(string)` | `[]` | no | | [aws\_auth\_users](#input\_aws\_auth\_users) | List of map of users to add to aws-auth configmap |
list(object({
userarn = string
username = string
groups = list(string)
}))
| `[]` | no | diff --git a/modules/eks/variables.tf b/modules/eks/variables.tf index 959d7430..ef0b8b86 100644 --- a/modules/eks/variables.tf +++ b/modules/eks/variables.tf @@ -172,7 +172,7 @@ variable "amazon_eks_vpc_cni" { configuration_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. EOD type = object({ - enabled = bool + enable = bool before_compute = bool most_recent = bool resolve_conflicts = string @@ -180,7 +180,7 @@ variable "amazon_eks_vpc_cni" { }) default = { before_compute = true - enabled = false + enable = false most_recent = true resolve_conflicts = "OVERWRITE" configuration_values = { From 4c1a0c9b8b357c1ee877a0bdffe2e7ee69302cac Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Fri, 17 Mar 2023 16:02:31 -0700 Subject: [PATCH 23/46] kinda weird fix --- examples/complete/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 6542ce1a..b22d244b 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -200,7 +200,7 @@ locals { metadata_options = { http_endpoint = "enabled" http_tokens = "required" - http_put_response_hop_limit = 2 + http_put_response_hop_limit = "2" instance_metadata_tags = "disabled" } From b74e05ac445c90b641bfa2e915dbff16933d4f89 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Fri, 17 Mar 2023 16:28:10 -0700 Subject: [PATCH 24/46] more var more fix --- .../complete-self-managed-nodegroup/README.md | 2 +- .../bigbang-dependencies.tf | 3 +-- .../complete-self-managed-nodegroup/main.tf | 2 -- .../terraform.tfvars.example | 2 +- .../variables.tf | 24 +++---------------- examples/complete/main.tf | 4 +--- 6 files changed, 7 insertions(+), 30 deletions(-) diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index 37e1938c..ac990bfb 100644 
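Review bot: Renaming the attribute to `enable = bool` in `variable "amazon_eks_vpc_cni"` leaves at least one consumer reading the old key: `modules/eks/locals.tf` still evaluates `lookup(var.amazon_eks_vpc_cni, "enabled", false)` (visible as context in a later commit on this page), so after this change the lookup always falls through to `false` and the VPC CNI add-on is never enabled, unless a later commit in the series corrects it (the PATCH 28 diffstat does touch `modules/eks/locals.tf`). The reference should move in the same commit, e.g. `vpc-cni = var.amazon_eks_vpc_cni.enable ? {`. The variable's description heredoc (above this hunk, outside it) still documents the key as `enabled`, as the regenerated `modules/eks/README.md` and `examples/complete/README.md` tables on this page show; the same stale description applies to the parallel rename in `examples/complete/variables.tf` earlier in this commit.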
--- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md @@ -228,7 +228,7 @@ terraform destroy -auto-approve | [amazon\_eks\_aws\_ebs\_csi\_driver\_config](#input\_amazon\_eks\_aws\_ebs\_csi\_driver\_config) | configMap for AWS EBS CSI Driver add-on | `any` | `{}` | no | | [amazon\_eks\_coredns\_config](#input\_amazon\_eks\_coredns\_config) | Configuration for Amazon CoreDNS EKS add-on | `any` | `{}` | no | | [amazon\_eks\_kube\_proxy\_config](#input\_amazon\_eks\_kube\_proxy\_config) | ConfigMap for Amazon EKS Kube-Proxy add-on | `any` | `{}` | no | -| [amazon\_eks\_vpc\_cni](#input\_amazon\_eks\_vpc\_cni) | The VPC CNI add-on configuration.
enabled - (Optional) Whether to enable the add-on. Defaults to false.
before\_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true.
most\_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true.
resolve\_conflicts - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE.
configuration\_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. |
object({
enabled = bool
before_compute = bool
most_recent = bool
resolve_conflicts = string
configuration_values = map(any) # hcl format later to be json encoded
})
|
{
"before_compute": true,
"configuration_values": {
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
},
"enabled": false,
"most_recent": true,
"resolve_conflicts": "OVERWRITE"
}
| no | +| [amazon\_eks\_vpc\_cni](#input\_amazon\_eks\_vpc\_cni) | The VPC CNI add-on configuration.
enable - (Optional) Whether to enable the add-on. Defaults to false.
before\_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true.
most\_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true.
resolve\_conflicts - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE.
configuration\_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. |
object({
enable = bool
before_compute = bool
most_recent = bool
resolve_conflicts = string
configuration_values = map(any) # hcl format later to be json encoded
})
|
{
"before_compute": true,
"configuration_values": {
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
},
"enable": false,
"most_recent": true,
"resolve_conflicts": "OVERWRITE"
}
| no | | [assign\_public\_ip](#input\_assign\_public\_ip) | Whether to assign a public IP to the bastion | `bool` | `false` | no | | [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with admin access to KMS and EKS resources | `list(string)` | n/a | yes | | [aws\_node\_termination\_handler\_helm\_config](#input\_aws\_node\_termination\_handler\_helm\_config) | AWS Node Termination Handler Helm Chart config | `any` | `{}` | no | diff --git a/examples/complete-self-managed-nodegroup/bigbang-dependencies.tf b/examples/complete-self-managed-nodegroup/bigbang-dependencies.tf index 4d5e5d69..b049e8b8 100644 --- a/examples/complete-self-managed-nodegroup/bigbang-dependencies.tf +++ b/examples/complete-self-managed-nodegroup/bigbang-dependencies.tf @@ -30,10 +30,9 @@ module "loki_s3_bucket" { # source = "git::https://github.com/defenseunicorns/iac.git//modules/s3-irsa?ref=v" source = "../../modules/s3-irsa" + name_prefix = "${local.loki_name_prefix}-s3" region = var.region - cluster_name = module.eks.cluster_name policy_name_prefix = "${local.loki_name_prefix}-s3-policy" - bucket_prefix = "${local.loki_name_prefix}-s3" kms_key_alias = local.loki_name_prefix kubernetes_service_account = "logging-loki-s3-sa" kubernetes_namespace = "logging" diff --git a/examples/complete-self-managed-nodegroup/main.tf b/examples/complete-self-managed-nodegroup/main.tf index a124118e..04a5cc24 100644 --- a/examples/complete-self-managed-nodegroup/main.tf +++ b/examples/complete-self-managed-nodegroup/main.tf @@ -144,8 +144,6 @@ module "eks" { tenancy = var.eks_worker_tenancy } - metadata_options = false - pre_bootstrap_userdata = <<-EOT yum install -y amazon-ssm-agent systemctl enable amazon-ssm-agent && systemctl start amazon-ssm-agent diff --git a/examples/complete-self-managed-nodegroup/terraform.tfvars.example b/examples/complete-self-managed-nodegroup/terraform.tfvars.example index 71b44a11..fcfbd45f 100644 
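Review bot: The context line `tenancy = var.eks_worker_tenancy` in this `module "eks"` block (which begins before the hunk) references a variable that the same commit deletes from `examples/complete-self-managed-nodegroup/variables.tf`, together with `vpc_instance_tenancy` and `bastion_tenancy`, so the example will fail validation with an undeclared-variable error unless those references are removed as well. Either keep the three variable declarations or drop the `tenancy = ...` arguments from this example's `main.tf` in the same change. Removing `metadata_options = false` is presumably correct here, since the `examples/complete` locals elsewhere in this series pass `metadata_options` as a map, not a boolean.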
--- a/examples/complete-self-managed-nodegroup/terraform.tfvars.example +++ b/examples/complete-self-managed-nodegroup/terraform.tfvars.example @@ -66,7 +66,7 @@ kc_db_instance_class = "db.t4g.large" loki_s3_bucket_kms_key_alias = "my-loki-s3" amazon_eks_vpc_cni = { - enabled = true + enable = true before_compute = true most_recent = true resolve_conflicts = "OVERWRITE" diff --git a/examples/complete-self-managed-nodegroup/variables.tf b/examples/complete-self-managed-nodegroup/variables.tf index 81f2745a..865fe414 100644 --- a/examples/complete-self-managed-nodegroup/variables.tf +++ b/examples/complete-self-managed-nodegroup/variables.tf @@ -112,14 +112,14 @@ variable "cluster_endpoint_public_access" { variable "amazon_eks_vpc_cni" { description = <<-EOD The VPC CNI add-on configuration. - enabled - (Optional) Whether to enable the add-on. Defaults to false. + enable - (Optional) Whether to enable the add-on. Defaults to false. before_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true. most_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true. resolve_conflicts - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE. configuration_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. EOD type = object({ - enabled = bool + enable = bool before_compute = bool most_recent = bool resolve_conflicts = string @@ -127,7 +127,7 @@ variable "amazon_eks_vpc_cni" { }) default = { before_compute = true - enabled = false + enable = false most_recent = true resolve_conflicts = "OVERWRITE" configuration_values = { 
@@ -311,24 +311,6 @@ variable "kc_db_max_allocated_storage" { type = number } -variable "vpc_instance_tenancy" { - description = "The tenancy of instances launched into the VPC" - type = string - default = "default" -} - -variable "bastion_tenancy" { - description = "The tenancy of the bastion" - type = string - default = "default" -} - -variable "eks_worker_tenancy" { - description = "The tenancy of the EKS worker nodes" - type = string - default = "default" -} - variable "zarf_version" { description = "The version of Zarf to use" type = string diff --git a/examples/complete/main.tf b/examples/complete/main.tf index b22d244b..04fdb1f9 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -200,7 +200,7 @@ locals { metadata_options = { http_endpoint = "enabled" http_tokens = "required" - http_put_response_hop_limit = "2" + http_put_response_hop_limit = 2 instance_metadata_tags = "disabled" } @@ -240,8 +240,6 @@ locals { tenancy = var.eks_worker_tenancy } - metadata_options = false - pre_bootstrap_userdata = <<-EOT yum install -y amazon-ssm-agent systemctl enable amazon-ssm-agent && systemctl start amazon-ssm-agent From d36513f86e0f3701f19b7a23061b0b0340435c30 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Fri, 17 Mar 2023 17:23:39 -0700 Subject: [PATCH 25/46] buggy --- .../complete-self-managed-nodegroup/providers.tf | 12 ++++++------ examples/complete/fixtures.common.tfvars | 10 +++++----- examples/complete/providers.tf | 12 ++++++------ examples/tf-state-backend/main.tf | 6 +++--- 4 files changed, 20 insertions(+), 20 deletions(-) diff --git a/examples/complete-self-managed-nodegroup/providers.tf b/examples/complete-self-managed-nodegroup/providers.tf index acb8e25f..9092a1c1 100644 --- a/examples/complete-self-managed-nodegroup/providers.tf +++ b/examples/complete-self-managed-nodegroup/providers.tf 
@@ -12,17 +12,17 @@ data "aws_eks_cluster" "example" { provider "aws" { region = var.region - default_tags { - tags = var.default_tags - } + # default_tags { + # tags = var.default_tags + # } } provider "aws" { alias = "region2" region = var.region2 - default_tags { - tags = var.default_tags - } + # default_tags { + # tags = var.default_tags + # } } provider "kubernetes" { diff --git a/examples/complete/fixtures.common.tfvars b/examples/complete/fixtures.common.tfvars index 4bc176f5..a9ccecae 100644 --- a/examples/complete/fixtures.common.tfvars +++ b/examples/complete/fixtures.common.tfvars @@ -4,11 +4,11 @@ region = "us-east-1" # target AWS region region2 = "us-east-2" # RDS backup target AWS region aws_admin_usernames = ["Placeholder"] # list of users to be added to the AWS admin group -default_tags = { - Environment = "dev" - Project = "ci-eks" - Owner = "ci" -} +# default_tags = { +# Environment = "dev" +# Project = "ci-eks" +# Owner = "ci" +# } manage_aws_auth_configmap = true create_aws_auth_configmap = true diff --git a/examples/complete/providers.tf b/examples/complete/providers.tf index 84bb846c..9bb4da20 100644 --- a/examples/complete/providers.tf +++ b/examples/complete/providers.tf @@ -60,17 +60,17 @@ data "aws_eks_cluster" "example" { provider "aws" { region = var.region - default_tags { - tags = var.default_tags - } + # default_tags { + # tags = var.default_tags + # } } provider "aws" { alias = "region2" region = var.region2 - default_tags { - tags = var.default_tags - } + # default_tags { + # tags = var.default_tags + # } } provider "kubernetes" { diff --git a/examples/tf-state-backend/main.tf b/examples/tf-state-backend/main.tf index a84807ae..a28b0d29 100644 --- a/examples/tf-state-backend/main.tf +++ b/examples/tf-state-backend/main.tf @@ -1,8 +1,8 @@ provider "aws" { region = var.region - default_tags { - tags = var.default_tags - } + # default_tags { + # tags = var.default_tags + # } } data "aws_partition" "current" {} 
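Review bot: Commenting out the `default_tags` blocks in all three provider files, and the matching `default_tags` map in `fixtures.common.tfvars`, leaves dead code with no explanation, and the commit message "buggy" does not record what failed. Either delete the blocks or keep them with a one-line reason, e.g. `# default_tags disabled: <describe the failure seen with provider default_tags>`, so the next maintainer knows whether it is safe to re-enable them. Note that provider-level `default_tags` was presumably the only mechanism applying `Environment`/`Owner` tags uniformly in these examples; after this change every resource depends on each module forwarding `tags` explicitly.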
From 9a204e46a17967e93cf89864c36f4c34a5c346a5 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Fri, 17 Mar 2023 21:40:02 -0700 Subject: [PATCH 26/46] 1 more --- modules/eks/locals.tf | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/modules/eks/locals.tf b/modules/eks/locals.tf index b52c1c07..ed2e75cf 100644 --- a/modules/eks/locals.tf +++ b/modules/eks/locals.tf @@ -8,13 +8,21 @@ locals { Blueprint = var.name GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints" } - admin_arns = [for admin_user in var.aws_admin_usernames : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:user/${admin_user}"] - aws_auth_users = [for admin_user in var.aws_admin_usernames : { + admin_arns = distinct(concat( + [for admin_user in var.aws_admin_usernames : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:user/${admin_user}"], + data.aws_caller_identity.current.arn + )) + aws_auth_users = distinct(concat([for admin_user in var.aws_admin_usernames : { userarn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:user/${admin_user}" username = admin_user groups = ["system:masters"] - } - ] + }], + [{ + userarn = data.aws_caller_identity.current.arn + username = split("/", data.aws_caller_identity.current.arn)[1] + groups = ["system:masters"] + }] + )) cluster_addons = { vpc-cni = lookup(var.amazon_eks_vpc_cni, "enabled", false) ? { From a65e390009f905bc5698d9ef58bf688de5197a33 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Fri, 17 Mar 2023 21:47:01 -0700 Subject: [PATCH 27/46] make list --- modules/eks/locals.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/eks/locals.tf b/modules/eks/locals.tf index ed2e75cf..25e93d2e 100644 --- a/modules/eks/locals.tf +++ b/modules/eks/locals.tf 
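Review bot: Appending `data.aws_caller_identity.current.arn` to `aws_auth_users` with `groups = ["system:masters"]` silently grants whatever identity runs `terraform apply` permanent cluster-admin, and when that identity is an assumed role the ARN is an STS `assumed-role/<role>/<session>` ARN, which the aws-auth `mapUsers` section does not match (role access is expressed in `mapRoles` using the IAM role ARN); `split("/", ...)[1]` then yields the role name rather than a user name. Consider handling the two principal shapes separately (IAM user ARN to `mapUsers`, assumed-role ARN converted to the role's IAM ARN for `mapRoles`) or at least documenting the limitation with `# NOTE: caller auto-admin only works for IAM user principals; assumed roles must be mapped via mapRoles`. The implicit admin grant itself should also be called out in the module README so operators know the deploying identity keeps cluster access.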
@@ -10,7 +10,7 @@ locals { } admin_arns = distinct(concat( [for admin_user in var.aws_admin_usernames : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:user/${admin_user}"], - data.aws_caller_identity.current.arn + [data.aws_caller_identity.current.arn] )) aws_auth_users = distinct(concat([for admin_user in var.aws_admin_usernames : { userarn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:user/${admin_user}" From 4c408788f6ddf78ac900052d2a28a629da66aaf6 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 20 Mar 2023 17:21:10 -0700 Subject: [PATCH 28/46] simplify --- .checkov.yml | 2 - Makefile | 22 ++- examples/complete/README.md | 8 +- examples/complete/main.tf | 149 ++------------------ examples/complete/providers.tf | 16 ++- examples/complete/variables.tf | 2 +- modules/eks/README.md | 2 +- modules/eks/locals.tf | 2 +- modules/eks/main.tf | 3 +- modules/eks/variables.tf | 3 +- test/e2e/examples_complete_insecure_test.go | 3 +- 11 files changed, 56 insertions(+), 156 deletions(-) diff --git a/.checkov.yml b/.checkov.yml index 548b3c52..fcd0706f 100644 --- a/.checkov.yml +++ b/.checkov.yml @@ -6,5 +6,3 @@ framework: terraform compact: true quiet: false summary-position: bottom -skip-check: - - CKV2_AWS_5 diff --git a/Makefile b/Makefile index dadc847d..f380d2f6 100644 --- a/Makefile +++ b/Makefile 
@@ -30,7 +30,27 @@ _test-all: mkdir -p .cache/go-build mkdir -p .cache/tmp echo "Running automated tests. This will take several minutes. At times it does not log anything to the console. If you interrupt the test run you will need to log into AWS console and manually delete any orphaned infrastructure." - docker run $(TTY_ARG) --rm -v "${PWD}:/app" -v "${PWD}/.cache/tmp:/tmp" -v "${PWD}/.cache/go:/root/go" -v "${PWD}/.cache/go-build:/root/.cache/go-build" --workdir "/app/test/e2e" -e GOPATH=/root/go -e GOCACHE=/root/.cache/go-build -e REPO_URL -e GIT_BRANCH -e AWS_REGION -e AWS_DEFAULT_REGION -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e AWS_SECURITY_TOKEN -e AWS_SESSION_EXPIRATION -e SKIP_SETUP -e SKIP_TEST -e SKIP_TEARDOWN $(BUILD_HARNESS_REPO):$(BUILD_HARNESS_VERSION) bash -c 'asdf install && go test -v $(EXTRA_TEST_ARGS) ./...' + docker run $(TTY_ARG) --rm \ + -v "${PWD}:/app" \ + -v "${PWD}/.cache/tmp:/tmp" \ + -v "${PWD}/.cache/go:/root/go" \ + -v "${PWD}/.cache/go-build:/root/.cache/go-build" \ + --workdir "/app/test/e2e" \ + -e GOPATH=/root/go \ + -e GOCACHE=/root/.cache/go-build \ + -e REPO_URL \ + -e GIT_BRANCH \ + -e AWS_REGION \ + -e AWS_DEFAULT_REGION \ + -e AWS_ACCESS_KEY_ID \ + -e AWS_SECRET_ACCESS_KEY \ + -e AWS_SESSION_TOKEN \ + -e AWS_SECURITY_TOKEN \ + -e AWS_SESSION_EXPIRATION \ + -e SKIP_SETUP \ + -e SKIP_TEST \ + -e SKIP_TEARDOWN \ + $(BUILD_HARNESS_REPO):$(BUILD_HARNESS_VERSION) bash -c 'asdf install && go test -v $(EXTRA_TEST_ARGS) ./...' .PHONY: test test: ## Run all automated tests. Requires access to an AWS account. Costs real money. diff --git a/examples/complete/README.md b/examples/complete/README.md index 201aeabb..b4d83e32 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md 
@@ -46,6 +46,7 @@ Coming soon | Name | Version | |------|---------| +| [terraform](#requirement\_terraform) | >= 1.3.0 | | [aws](#requirement\_aws) | >= 4.47.0 | | [cloudinit](#requirement\_cloudinit) | >= 2.0.0 | | [helm](#requirement\_helm) | >= 2.5.1 | @@ -62,8 +63,8 @@ Coming soon | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.47.0 | -| [random](#provider\_random) | >= 3.1.0 | +| [aws](#provider\_aws) | 4.59.0 | +| [random](#provider\_random) | 3.4.3 | ## Modules @@ -91,7 +92,6 @@ Coming soon | [aws_ami.eks_default_bottlerocket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_eks_cluster.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | -| [aws_eks_cluster_auth.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | ## Inputs @@ -101,7 +101,7 @@ Coming soon | [amazon\_eks\_aws\_ebs\_csi\_driver\_config](#input\_amazon\_eks\_aws\_ebs\_csi\_driver\_config) | configMap for AWS EBS CSI Driver add-on | `any` | `{}` | no | | [amazon\_eks\_coredns\_config](#input\_amazon\_eks\_coredns\_config) | Configuration for Amazon CoreDNS EKS add-on | `any` | `{}` | no | | [amazon\_eks\_kube\_proxy\_config](#input\_amazon\_eks\_kube\_proxy\_config) | ConfigMap for Amazon EKS Kube-Proxy add-on | `any` | `{}` | no | -| [amazon\_eks\_vpc\_cni](#input\_amazon\_eks\_vpc\_cni) | The VPC CNI add-on configuration.
enabled - (Optional) Whether to enable the add-on. Defaults to false.
before\_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true.
most\_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true.
resolve\_conflicts - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE.
configuration\_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. |
object({
enable = bool
before_compute = bool
most_recent = bool
resolve_conflicts = string
configuration_values = map(any) # hcl format later to be json encoded
})
|
{
"before_compute": true,
"configuration_values": {
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
},
"enable": false,
"most_recent": true,
"resolve_conflicts": "OVERWRITE"
}
| no | +| [amazon\_eks\_vpc\_cni](#input\_amazon\_eks\_vpc\_cni) | The VPC CNI add-on configuration.
enable - (Optional) Whether to enable the add-on. Defaults to false.
before\_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true.
most\_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true.
resolve\_conflicts - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE.
configuration\_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. |
object({
enable = bool
before_compute = bool
most_recent = bool
resolve_conflicts = string
configuration_values = map(any) # hcl format later to be json encoded
})
|
{
"before_compute": true,
"configuration_values": {
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
},
"enable": false,
"most_recent": true,
"resolve_conflicts": "OVERWRITE"
}
| no | | [assign\_public\_ip](#input\_assign\_public\_ip) | Whether to assign a public IP to the bastion | `bool` | `false` | no | | [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with authorized access to KMS and EKS resources | `list(string)` | n/a | yes | | [aws\_node\_termination\_handler\_helm\_config](#input\_aws\_node\_termination\_handler\_helm\_config) | AWS Node Termination Handler Helm Chart config | `any` | `{}` | no | diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 04fdb1f9..28e4a7c3 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -57,14 +57,15 @@ locals { account = data.aws_caller_identity.current.account_id tags = { - Blueprint = "${replace(basename(path.cwd), "_", "-")}" # tag names based on the directory name + Blueprint = replace(basename(path.cwd), "_", "-") # tag names based on the directory name GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints" } - eks_managed_node_groups = var.enable_eks_managed_nodegroups == false ? tomap({}) : { + eks_managed_node_groups = { # Managed Node groups with minimum config # Default node group - as provided by AWS EKS default_node_group = { + create = var.enable_eks_managed_nodegroups # By default, the module creates a launch template to ensure tags are propagated to instances, etc., # so we need to disable it to use the default template provided by the AWS EKS managed node group service use_custom_launch_template = false @@ -80,6 +81,7 @@ locals { # Default node group - as provided by AWS EKS using Bottlerocket bottlerocket_default = { + create = var.enable_eks_managed_nodegroups # By default, the module creates a launch template to ensure tags are propagated to instances, etc., # so we need to disable it to use the default template provided by the AWS EKS managed node group service use_custom_launch_template = false 
@@ -87,144 +89,11 @@ locals { ami_type = "BOTTLEROCKET_x86_64" platform = "bottlerocket" } - - # Adds to the AWS provided user data - bottlerocket_add = { - ami_type = "BOTTLEROCKET_x86_64" - platform = "bottlerocket" - - # This will get added to what AWS provides - bootstrap_extra_args = <<-EOT - # extra args added - [settings.kernel] - lockdown = "integrity" - EOT - } - - # Custom AMI, using module provided bootstrap data - bottlerocket_custom = { - # Current bottlerocket AMI - ami_id = data.aws_ami.eks_default_bottlerocket.image_id - platform = "bottlerocket" - - # Use module user data template to bootstrap - enable_bootstrap_user_data = true - # This will get added to the template - bootstrap_extra_args = <<-EOT - # The admin host container provides SSH access and runs with "superpowers". - # It is disabled by default, but can be disabled explicitly. - [settings.host-containers.admin] - enabled = false - - # The control host container provides out-of-band access via SSM. - # It is enabled by default, and can be disabled if you do not expect to use SSM. - # This could leave you with no way to access the API and change settings on an existing node! - [settings.host-containers.control] - enabled = true - - # extra args added - [settings.kernel] - lockdown = "integrity" - - [settings.kubernetes.node-labels] - label1 = "foo" - label2 = "bar" - - [settings.kubernetes.node-taints] - dedicated = "experimental:PreferNoSchedule" - special = "true:NoSchedule" - EOT - } - - # Complete - complete = { - name = "complete-eks-mng" - use_name_prefix = true - - subnet_ids = module.vpc.private_subnets - - min_size = 1 - max_size = 7 - desired_size = 1 - - ami_id = data.aws_ami.eks_default.image_id - enable_bootstrap_user_data = true - - pre_bootstrap_user_data = <<-EOT - export FOO=bar - EOT - - post_bootstrap_user_data = <<-EOT - echo "you are free little kubelet!" 
- EOT - - capacity_type = "SPOT" - force_update_version = true - instance_types = ["m6i.large", "m5.large", "m5n.large", "m5zn.large"] - labels = { - GithubRepo = "terraform-aws-eks" - GithubOrg = "terraform-aws-modules" - } - - taints = [ - { - key = "dedicated" - value = "gpuGroup" - effect = "NO_SCHEDULE" - } - ] - - update_config = { - max_unavailable_percentage = 33 # or set `max_unavailable` - } - - description = "EKS managed node group example launch template" - - ebs_optimized = true - disable_api_termination = false - enable_monitoring = true - - block_device_mappings = { - xvda = { - device_name = "/dev/xvda" - ebs = { - volume_size = 75 - volume_type = "gp3" - iops = 3000 - throughput = 150 - delete_on_termination = true - } - } - } - - metadata_options = { - http_endpoint = "enabled" - http_tokens = "required" - http_put_response_hop_limit = 2 - instance_metadata_tags = "disabled" - } - - create_iam_role = true - iam_role_name = "eks-managed-node-group-complete-example" - iam_role_use_name_prefix = false - iam_role_description = "EKS managed node group complete example role" - iam_role_tags = { - Purpose = "Protector of the kubelet" - } - iam_role_additional_policies = { - AmazonEC2ContainerRegistryReadOnly = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" - AmazonSSMManagedInstanceCore = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore" - - } - - tags = { - ExtraTag = "EKS managed node group complete example" - } - } } - self_managed_node_groups = var.enable_self_managed_nodegroups == false ? tomap({}) : { + self_managed_node_groups = { self_mg1 = { + create = var.enable_self_managed_nodegroups node_group_name = "self_mg1" subnet_ids = module.vpc.private_subnets 
@@ -383,6 +252,10 @@ module "eks" { bastion_role_arn = module.bastion.bastion_role_arn bastion_role_name = module.bastion.bastion_role_name + # If not using EKS Managed Node Groups, we need to create the aws-auth configmap, ex: for self-managed node groups only + create_aws_auth_configmap = var.enable_eks_managed_nodegroups == false ? true : var.create_aws_auth_configmap + manage_aws_auth_configmap = var.manage_aws_auth_configmap + ######################## EKS Managed Node Group ################################### eks_managed_node_group_defaults = { ami_type = "AL2_x86_64" @@ -467,10 +340,10 @@ module "key_pair" { } resource "aws_security_group" "remote_access" { + #checkov:skip=CKV2_AWS_5: this is a false positive name_prefix = "${local.cluster_name}-remote-access" description = "Allow remote SSH access" vpc_id = module.vpc.vpc_id - ingress { description = "SSH access" from_port = 22 diff --git a/examples/complete/providers.tf b/examples/complete/providers.tf index 9bb4da20..6ca7ad6d 100644 --- a/examples/complete/providers.tf +++ b/examples/complete/providers.tf @@ -1,4 +1,5 @@ terraform { + required_version = ">= 1.3.0" required_providers { kubectl = { source = "gavinbunney/kubectl" @@ -47,10 +48,6 @@ terraform { } } -data "aws_eks_cluster_auth" "this" { - name = module.eks.cluster_name -} - data "aws_eks_cluster" "example" { name = module.eks.cluster_name depends_on = [ @@ -94,3 +91,14 @@ provider "helm" { } } } + +provider "kubectl" { + apply_retry_count = 5 + host = data.aws_eks_cluster.example.endpoint + cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data) + exec { + api_version = "client.authentication.k8s.io/v1beta1" + args = ["eks", "get-token", "--cluster-name", local.cluster_name] + command = "aws" + } +} diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index 1a889319..4960b177 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf 
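Review bot: The new `provider "kubectl"` `exec` block runs `aws eks get-token` with only `--cluster-name`, so the subprocess resolves region and credentials from the ambient environment rather than from whatever the `aws` provider block is configured with (the tfvars examples elsewhere in this series set an `aws_profile`). If the two disagree, the token is minted for a different identity than the one that created the cluster and its admin mappings, and the `kubectl` resources fail with an unauthorized error that is hard to trace back. Pass the same settings explicitly, e.g. `args = ["eks", "get-token", "--cluster-name", local.cluster_name, "--region", <region var>]` and, when a profile is in use, `env = { AWS_PROFILE = <profile var> }`. The `helm` provider block whose closing braces appear as context here presumably has the same `exec` shape and should be checked for the same gap; it starts outside the hunk.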
@@ -116,7 +116,7 @@ variable "enable_self_managed_nodegroups" { variable "amazon_eks_vpc_cni" { description = <<-EOD The VPC CNI add-on configuration. - enabled - (Optional) Whether to enable the add-on. Defaults to false. + enable - (Optional) Whether to enable the add-on. Defaults to false. before_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true. most_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true. resolve_conflicts - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE. diff --git a/modules/eks/README.md b/modules/eks/README.md index c4726b54..4e1a9cad 100644 --- a/modules/eks/README.md +++ b/modules/eks/README.md @@ -51,7 +51,7 @@ To view examples for how you can leverage this EKS Module, please see the [examp | [amazon\_eks\_aws\_ebs\_csi\_driver\_config](#input\_amazon\_eks\_aws\_ebs\_csi\_driver\_config) | configMap for AWS EBS CSI Driver add-on | `any` | `{}` | no | | [amazon\_eks\_coredns\_config](#input\_amazon\_eks\_coredns\_config) | Configuration for Amazon CoreDNS EKS add-on | `any` | `{}` | no | | [amazon\_eks\_kube\_proxy\_config](#input\_amazon\_eks\_kube\_proxy\_config) | ConfigMap for Amazon EKS Kube-Proxy add-on | `any` | `{}` | no | -| [amazon\_eks\_vpc\_cni](#input\_amazon\_eks\_vpc\_cni) | The VPC CNI add-on configuration.

enabled - (Optional) Whether to enable the add-on. Defaults to false.
before\_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true.
most\_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true.
resolve\_conflicts - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE.
configuration\_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. |
object({
enable = bool
before_compute = bool
most_recent = bool
resolve_conflicts = string
configuration_values = map(any) # hcl format later to be json encoded
})
|
{
"before_compute": true,
"configuration_values": {
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
},
"enable": false,
"most_recent": true,
"resolve_conflicts": "OVERWRITE"
}
| no | +| [amazon\_eks\_vpc\_cni](#input\_amazon\_eks\_vpc\_cni) | The VPC CNI add-on configuration.
enable - (Optional) Whether to enable the add-on. Defaults to false.
before\_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true.
most\_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true.
resolve\_conflicts - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE.
configuration\_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. |
object({
enable = bool
before_compute = bool
most_recent = bool
resolve_conflicts = string
configuration_values = map(any) # hcl format later to be json encoded
})
|
{
"before_compute": true,
"configuration_values": {
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
},
"enable": false,
"most_recent": true,
"resolve_conflicts": "OVERWRITE"
}
| no | | [aws\_account](#input\_aws\_account) | n/a | `string` | `""` | no | | [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with authorized access to KMS and EKS resources | `list(string)` | `[]` | no | | [aws\_auth\_users](#input\_aws\_auth\_users) | List of map of users to add to aws-auth configmap |
list(object({
userarn = string
username = string
groups = list(string)
}))
| `[]` | no | diff --git a/modules/eks/locals.tf b/modules/eks/locals.tf index 25e93d2e..5cfce76d 100644 --- a/modules/eks/locals.tf +++ b/modules/eks/locals.tf @@ -25,7 +25,7 @@ locals { )) cluster_addons = { - vpc-cni = lookup(var.amazon_eks_vpc_cni, "enabled", false) ? { + vpc-cni = lookup(var.amazon_eks_vpc_cni, "enable", null) ? { before_compute = lookup(var.amazon_eks_vpc_cni, "before_compute", null) most_recent = lookup(var.amazon_eks_vpc_cni, "most_recent", null) configuration_values = jsonencode({ env = (lookup(var.amazon_eks_vpc_cni, "configuration_values", null)) }) diff --git a/modules/eks/main.tf b/modules/eks/main.tf index 4f7b1a12..66d5d19d 100644 --- a/modules/eks/main.tf +++ b/modules/eks/main.tf @@ -74,8 +74,9 @@ module "aws_eks" { } #AWS_AUTH things - manage_aws_auth_configmap = var.manage_aws_auth_configmap + # If not using EKS Managed Node Groups, we need to create the aws-auth configmap, ex: for self-managed node groups only create_aws_auth_configmap = var.create_aws_auth_configmap + manage_aws_auth_configmap = var.manage_aws_auth_configmap kms_key_administrators = distinct(concat(local.admin_arns, var.kms_key_administrators)) aws_auth_users = distinct(concat(local.aws_auth_users, var.aws_auth_users)) diff --git a/modules/eks/variables.tf b/modules/eks/variables.tf index ef0b8b86..e75abcc3 100644 --- a/modules/eks/variables.tf +++ b/modules/eks/variables.tf 
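Review bot: Changing the `lookup` default to `null` in `vpc-cni = lookup(var.amazon_eks_vpc_cni, "enable", null) ? {` turns the fallback into `null ? … : …`, which Terraform rejects ("condition value is null") instead of treating as false, so the failure mode moves from "add-on disabled" to a plan error. The declared object type for `amazon_eks_vpc_cni` (see the README rows above) means the attribute is normally present, but a caller can still pass `enable = null` for an object attribute and `lookup` returns that null rather than the default. Keep a boolean fallback and guard the explicit-null case: `vpc-cni = coalesce(lookup(var.amazon_eks_vpc_cni, "enable", false), false) ? {`. The `locals` block continues outside the hunk.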
@@ -164,8 +164,7 @@ variable "eks_managed_node_group_defaults" { variable "amazon_eks_vpc_cni" { description = <<-EOD The VPC CNI add-on configuration. - - enabled - (Optional) Whether to enable the add-on. Defaults to false. + enable - (Optional) Whether to enable the add-on. Defaults to false. before_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true. most_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true. resolve_conflicts - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE. diff --git a/test/e2e/examples_complete_insecure_test.go b/test/e2e/examples_complete_insecure_test.go index 52a72849..310b8a8b 100644 --- a/test/e2e/examples_complete_insecure_test.go +++ b/test/e2e/examples_complete_insecure_test.go @@ -1,9 +1,10 @@ package test_test import ( + "testing" + "github.com/gruntwork-io/terratest/modules/terraform" teststructure "github.com/gruntwork-io/terratest/modules/test-structure" - "testing" ) func TestExamplesCompleteInsecure(t *testing.T) { From 5112a7324f6ef695f4854272040e21f028ed6f1c Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 20 Mar 2023 18:43:40 -0700 Subject: [PATCH 29/46] safety checks --- examples/complete/main.tf | 2 +- modules/eks/main.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 28e4a7c3..7ebcfe58 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
@@ -253,7 +253,7 @@ module "eks" { bastion_role_name = module.bastion.bastion_role_name # If not using EKS Managed Node Groups, we need to create the aws-auth configmap, ex: for self-managed node groups only - create_aws_auth_configmap = var.enable_eks_managed_nodegroups == false ? true : var.create_aws_auth_configmap + create_aws_auth_configmap = var.enable_eks_managed_nodegroups ? false : var.create_aws_auth_configmap manage_aws_auth_configmap = var.manage_aws_auth_configmap ######################## EKS Managed Node Group ################################### diff --git a/modules/eks/main.tf b/modules/eks/main.tf index 66d5d19d..caa8f511 100644 --- a/modules/eks/main.tf +++ b/modules/eks/main.tf @@ -75,7 +75,7 @@ module "aws_eks" { #AWS_AUTH things # If not using EKS Managed Node Groups, we need to create the aws-auth configmap, ex: for self-managed node groups only - create_aws_auth_configmap = var.create_aws_auth_configmap + create_aws_auth_configmap = length(var.eks_managed_node_groups) == 0 ? true : var.create_aws_auth_configmap manage_aws_auth_configmap = var.manage_aws_auth_configmap kms_key_administrators = distinct(concat(local.admin_arns, var.kms_key_administrators)) From b4089fcc7c349c7768f3b7bf2d3370ed6f10505a Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 20 Mar 2023 20:59:57 -0700 Subject: [PATCH 30/46] update --- examples/complete/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/complete/README.md b/examples/complete/README.md index b4d83e32..0be32ae9 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md @@ -63,8 +63,8 @@ Coming soon | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.59.0 | -| [random](#provider\_random) | 3.4.3 | +| [aws](#provider\_aws) | >= 4.47.0 | +| [random](#provider\_random) | >= 3.1.0 | ## Modules From f11cf76563dab19b64b41e332e71a2e0fac11cac Mon Sep 17 00:00:00 2001 
From: Zack Annexstein Date: Mon, 20 Mar 2023 21:36:00 -0700 Subject: [PATCH 31/46] just ensure that the code deploys --- modules/eks/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/eks/main.tf b/modules/eks/main.tf index caa8f511..6c39066a 100644 --- a/modules/eks/main.tf +++ b/modules/eks/main.tf @@ -75,7 +75,7 @@ module "aws_eks" { #AWS_AUTH things # If not using EKS Managed Node Groups, we need to create the aws-auth configmap, ex: for self-managed node groups only - create_aws_auth_configmap = length(var.eks_managed_node_groups) == 0 ? true : var.create_aws_auth_configmap + create_aws_auth_configmap = length(var.eks_managed_node_groups) > 0 ? false : var.create_aws_auth_configmap manage_aws_auth_configmap = var.manage_aws_auth_configmap kms_key_administrators = distinct(concat(local.admin_arns, var.kms_key_administrators)) From 6a950d2dc902be7eefe185639ad07adf7245a50c Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Mon, 20 Mar 2023 21:38:18 -0700 Subject: [PATCH 32/46] update comment --- examples/complete/main.tf | 2 +- modules/eks/main.tf | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 7ebcfe58..e341b529 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -252,7 +252,7 @@ module "eks" { bastion_role_arn = module.bastion.bastion_role_arn bastion_role_name = module.bastion.bastion_role_name - # If not using EKS Managed Node Groups, we need to create the aws-auth configmap, ex: for self-managed node groups only + # If using EKS Managed Node Groups, the aws-auth ConfigMap is created by eks itself and terraform can not create it create_aws_auth_configmap = var.enable_eks_managed_nodegroups ? false : var.create_aws_auth_configmap manage_aws_auth_configmap = var.manage_aws_auth_configmap diff --git a/modules/eks/main.tf b/modules/eks/main.tf index 6c39066a..579905e0 100644 --- a/modules/eks/main.tf +++ b/modules/eks/main.tf 
@@ -73,8 +73,7 @@ module "aws_eks" { } } - #AWS_AUTH things - # If not using EKS Managed Node Groups, we need to create the aws-auth configmap, ex: for self-managed node groups only + # If using EKS Managed Node Groups, the aws-auth ConfigMap is created by eks itself and terraform can not create it create_aws_auth_configmap = length(var.eks_managed_node_groups) > 0 ? false : var.create_aws_auth_configmap manage_aws_auth_configmap = var.manage_aws_auth_configmap From 1aa2d670014508ea371726075d223e32af2b7c39 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Tue, 21 Mar 2023 21:11:07 -0700 Subject: [PATCH 33/46] determine if aws-auth configmap should be created --- modules/eks/locals.tf | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/modules/eks/locals.tf b/modules/eks/locals.tf index 5cfce76d..eb70055a 100644 --- a/modules/eks/locals.tf +++ b/modules/eks/locals.tf 
@@ -24,6 +24,20 @@ locals { }] )) + # if using EKS Managed Node Groups you can not also create the aws-auth configmap because eks does it for you - it will already exist when TF tries to create it and you will receive an error. + # the following logic determines if the aws-auth configmap should be created or not by checking if eks_managed_node_groups would be created based on inputs to the upstream eks module + # this returns true (will create the configmap) if eks_managed_node_groups is empty or if eks_managed_node_groups is not empty AND all eks_managed_node_groups.*.create values are set to false + # it returns false (won't create the configmap) when eks_managed_node_groups is not empty AND at least one eks_managed_node_groups.*.create value is set to true OR is not defined + create_aws_auth_configmap = !( + # Check if eks_managed_node_groups is not empty + length(var.eks_managed_node_groups) > 0 && ( + # Check if any EKS managed node group value is set to create or not defined, if not defined, then set to true as null = true in upstream. + length([for v in values(var.eks_managed_node_groups) : v if try(v.create, true) == true]) > 0 || + # Check if all EKS managed node groups have create set to false + length([for v in values(var.eks_managed_node_groups) : v if try(v.create, true) == false]) < length(var.eks_managed_node_groups) + ) + ) + cluster_addons = { vpc-cni = lookup(var.amazon_eks_vpc_cni, "enable", null) ? { before_compute = lookup(var.amazon_eks_vpc_cni, "before_compute", null) From e9688b7e680b51d370cdb5a849cabf8559e94d65 Mon Sep 17 00:00:00 2001 
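Review bot: The two disjuncts inside `create_aws_auth_configmap` are the same test written twice — "some group has `try(v.create, true) == true`" and "fewer than all groups have it `== false`" — except for an explicit `create = null`, which `try(v.create, true)` passes through unchanged (try only substitutes on error) so it matches neither comparison and flips the result to "do not create" via the second disjunct only. The whole expression reduces to `create_aws_auth_configmap = !anytrue([for v in values(var.eks_managed_node_groups) : try(coalesce(v.create, true), true)])`, which also treats null as the upstream default of true. Note that this patch only defines the local: the `create_aws_auth_configmap` argument in modules/eks/main.tf (earlier hunks) still uses the `length(var.eks_managed_node_groups) > 0` test together with `var.create_aws_auth_configmap`, so the local is unused until wired in, and wiring it in as written would drop the user's override. The `locals` block continues outside the hunk.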
From: Zack Annexstein Date: Tue, 21 Mar 2023 21:12:07 -0700 Subject: [PATCH 34/46] remove unnecessary inputs --- .../complete-self-managed-nodegroup/README.md | 1 - .../complete-self-managed-nodegroup/main.tf | 29 +++++++++----- .../terraform.tfvars.example | 2 +- .../variables.tf | 6 --- examples/complete/README.md | 3 -- examples/complete/fixtures.common.tfvars | 1 - examples/complete/main.tf | 40 ------------------- examples/complete/variables.tf | 6 --- .../tf-state-backend.auto.tfvars.example | 2 +- modules/eks/README.md | 1 - modules/eks/main.tf | 3 +- modules/eks/variables.tf | 6 --- 12 files changed, 21 insertions(+), 79 deletions(-) diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index ac990bfb..e8bb6bc9 100644 --- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md 
@@ -243,7 +243,6 @@ terraform destroy -auto-approve | [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether to enable private access to the EKS cluster | `bool` | `false` | no | | [cluster\_name](#input\_cluster\_name) | The name to use for the EKS cluster | `string` | `"my-eks"` | no | | [cluster\_version](#input\_cluster\_version) | The Kubernetes version to use for the EKS cluster | `string` | `"1.23"` | no | -| [create\_aws\_auth\_configmap](#input\_create\_aws\_auth\_configmap) | Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). Most users should use `manage_aws_auth_configmap` | `bool` | `false` | no | | [create\_database\_subnet\_group](#input\_create\_database\_subnet\_group) | Whether to create a database subnet group | `bool` | `true` | no | | [create\_database\_subnet\_route\_table](#input\_create\_database\_subnet\_route\_table) | Whether to create a database subnet route table | `bool` | `true` | no | | [default\_tags](#input\_default\_tags) | A map of default tags to apply to all resources | `map(string)` | `{}` | no | diff --git a/examples/complete-self-managed-nodegroup/main.tf b/examples/complete-self-managed-nodegroup/main.tf index 04a5cc24..f699523c 100644 --- a/examples/complete-self-managed-nodegroup/main.tf +++ b/examples/complete-self-managed-nodegroup/main.tf @@ -103,7 +103,6 @@ module "eks" { #AWS_AUTH manage_aws_auth_configmap = var.manage_aws_auth_configmap - create_aws_auth_configmap = var.create_aws_auth_configmap ########################################################### # Self Managed Node Groups 
@@ -111,6 +110,7 @@ module "eks" { self_managed_node_group_defaults = { instance_type = "m5.xlarge" update_launch_template_default_version = true + ebs_optimized = true iam_role_additional_policies = { AmazonSSMManagedInstanceCore = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore" } @@ -161,26 +161,33 @@ module "eks" { xvda = { device_name = "/dev/xvda" ebs = { - volume_size = 50 - volume_type = "gp3" + encrypted = true + delete_on_termination = true + iops = 3000 + volume_size = 50 + volume_type = "gp3" } }, xvdf = { device_name = "/dev/xvdf" ebs = { - volume_size = 80 - volume_type = "gp3" - iops = 3000 - throughput = 125 + encrypted = true + delete_on_termination = true + volume_size = 80 + volume_type = "gp3" + iops = 3000 + throughput = 125 } }, xvdg = { device_name = "/dev/xvdg" ebs = { - volume_size = 100 - volume_type = "gp3" - iops = 3000 - throughput = 125 + encrypted = true + delete_on_termination = true + volume_size = 100 + volume_type = "gp3" + iops = 3000 + throughput = 125 } } } diff --git a/examples/complete-self-managed-nodegroup/terraform.tfvars.example b/examples/complete-self-managed-nodegroup/terraform.tfvars.example index fcfbd45f..c88ebd4c 100644 --- a/examples/complete-self-managed-nodegroup/terraform.tfvars.example +++ b/examples/complete-self-managed-nodegroup/terraform.tfvars.example @@ -12,7 +12,7 @@ aws_profile = "du-dev" # local AWS profile to be used aws_admin_usernames = ["Bob.Marley", "Jane.Doe"] # list of users to be added to the AWS admin group default_tags = { Environment = "dev" - Project = "du-navy" + Project = "du-dev" Owner = "my-name" } manage_aws_auth_configmap = true diff --git a/examples/complete-self-managed-nodegroup/variables.tf b/examples/complete-self-managed-nodegroup/variables.tf index 865fe414..08f8daaa 100644 --- a/examples/complete-self-managed-nodegroup/variables.tf +++ b/examples/complete-self-managed-nodegroup/variables.tf 
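Review bot: `encrypted = true` with no `kms_key_id` on the three `ebs` blocks encrypts the node volumes with the account's default EBS key (the AWS-managed `aws/ebs` key unless the account default was changed), not with a customer-managed key. If a CMK is intended, add `kms_key_id = <key arn>` to each block and make sure the Auto Scaling service-linked role has a grant on that key, since a missing grant typically surfaces as instances that never launch rather than as an apply-time error. Separately, `xvda` sets `iops = 3000` but, unlike `xvdf`/`xvdg`, no `throughput`; both values are the gp3 defaults, so either drop `iops` from `xvda` or add `throughput = 125` there for consistency. The `self_managed_node_groups` map continues outside the hunk.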
@@ -32,12 +32,6 @@ variable "manage_aws_auth_configmap" { default = false } -variable "create_aws_auth_configmap" { - description = "Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). Most users should use `manage_aws_auth_configmap`" - type = bool - default = false -} - variable "default_tags" { description = "A map of default tags to apply to all resources" type = map(string) diff --git a/examples/complete/README.md b/examples/complete/README.md index 0be32ae9..d2db8268 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md @@ -73,7 +73,6 @@ Coming soon | [bastion](#module\_bastion) | ../../modules/bastion | n/a | | [eks](#module\_eks) | ../../modules/eks | n/a | | [flux\_sops](#module\_flux\_sops) | ../../modules/sops | n/a | -| [key\_pair](#module\_key\_pair) | terraform-aws-modules/key-pair/aws | ~> 2.0 | | [loki\_s3\_bucket](#module\_loki\_s3\_bucket) | ../../modules/s3-irsa | n/a | | [rds\_postgres\_keycloak](#module\_rds\_postgres\_keycloak) | ../../modules/rds | n/a | | [vpc](#module\_vpc) | ../../modules/vpc | n/a | @@ -82,7 +81,6 @@ Coming soon | Name | Type | |------|------| -| [aws_security_group.remote_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [random_id.bastion_name](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | | [random_id.cluster_name](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | | [random_id.vpc_name](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | 
@@ -114,7 +112,6 @@ Coming soon | [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether to enable private access to the EKS cluster | `bool` | `false` | no | | [cluster\_name\_prefix](#input\_cluster\_name\_prefix) | The name to use for the EKS cluster | `string` | `"my-eks"` | no | | [cluster\_version](#input\_cluster\_version) | The Kubernetes version to use for the EKS cluster | `string` | `"1.23"` | no | -| [create\_aws\_auth\_configmap](#input\_create\_aws\_auth\_configmap) | Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). Most users should use `manage_aws_auth_configmap` | `bool` | `false` | no | | [create\_database\_subnet\_group](#input\_create\_database\_subnet\_group) | Whether to create a database subnet group | `bool` | `true` | no | | [create\_database\_subnet\_route\_table](#input\_create\_database\_subnet\_route\_table) | Whether to create a database subnet route table | `bool` | `true` | no | | [default\_tags](#input\_default\_tags) | A map of default tags to apply to all resources | `map(string)` | `{}` | no | diff --git a/examples/complete/fixtures.common.tfvars b/examples/complete/fixtures.common.tfvars index a9ccecae..a654aca7 100644 --- a/examples/complete/fixtures.common.tfvars +++ b/examples/complete/fixtures.common.tfvars @@ -10,7 +10,6 @@ aws_admin_usernames = ["Placeholder"] # list of users to be added to the AWS adm # Owner = "ci" # } manage_aws_auth_configmap = true -create_aws_auth_configmap = true ########################################################### #################### VPC Config ########################### diff --git a/examples/complete/main.tf b/examples/complete/main.tf index e341b529..78f1e683 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
@@ -71,12 +71,6 @@ locals { use_custom_launch_template = false disk_size = 50 - - # Remote access cannot be specified with a launch template - remote_access = { - ec2_ssh_key = module.key_pair.key_pair_name - source_security_group_ids = [aws_security_group.remote_access.id] - } } # Default node group - as provided by AWS EKS using Bottlerocket @@ -253,7 +247,6 @@ module "eks" { bastion_role_name = module.bastion.bastion_role_name # If using EKS Managed Node Groups, the aws-auth ConfigMap is created by eks itself and terraform can not create it - create_aws_auth_configmap = var.enable_eks_managed_nodegroups ? false : var.create_aws_auth_configmap manage_aws_auth_configmap = var.manage_aws_auth_configmap ######################## EKS Managed Node Group ################################### @@ -328,36 +321,3 @@ module "eks" { enable_cluster_autoscaler = var.enable_cluster_autoscaler cluster_autoscaler_helm_config = var.cluster_autoscaler_helm_config } - -module "key_pair" { - source = "terraform-aws-modules/key-pair/aws" - version = "~> 2.0" - - key_name_prefix = local.cluster_name - create_private_key = true - - tags = local.tags -} - -resource "aws_security_group" "remote_access" { - #checkov:skip=CKV2_AWS_5: this is a false positive - name_prefix = "${local.cluster_name}-remote-access" - description = "Allow remote SSH access" - vpc_id = module.vpc.vpc_id - ingress { - description = "SSH access" - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = [var.vpc_cidr] - } - - egress { - description = "Allow all outbound traffic" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - ipv6_cidr_blocks = ["::/0"] - } -} diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index 4960b177..2683db88 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf 
@@ -22,12 +22,6 @@ variable "manage_aws_auth_configmap" { default = false } -variable "create_aws_auth_configmap" { - description = "Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). Most users should use `manage_aws_auth_configmap`" - type = bool - default = false -} - variable "default_tags" { description = "A map of default tags to apply to all resources" type = map(string) diff --git a/examples/tf-state-backend/tf-state-backend.auto.tfvars.example b/examples/tf-state-backend/tf-state-backend.auto.tfvars.example index 74c18f28..0eebb2bf 100644 --- a/examples/tf-state-backend/tf-state-backend.auto.tfvars.example +++ b/examples/tf-state-backend/tf-state-backend.auto.tfvars.example @@ -13,6 +13,6 @@ force_delete = false default_tags = { Environment = "dev" - Project = "du-navy" + Project = "du-dev" Owner = "my-name" } diff --git a/modules/eks/README.md b/modules/eks/README.md index 4e1a9cad..26baa4d3 100644 --- a/modules/eks/README.md +++ b/modules/eks/README.md 
@@ -65,7 +65,6 @@ To view examples for how you can leverage this EKS Module, please see the [examp | [cluster\_name](#input\_cluster\_name) | Name of cluster - used by Terratest for e2e test automation | `string` | `""` | no | | [cluster\_version](#input\_cluster\_version) | Kubernetes version to use for EKS cluster | `string` | `"1.23"` | no | | [control\_plane\_subnet\_ids](#input\_control\_plane\_subnet\_ids) | Subnet IDs for control plane | `list(string)` | `[]` | no | -| [create\_aws\_auth\_configmap](#input\_create\_aws\_auth\_configmap) | Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). Most users should use `manage_aws_auth_configmap` | `bool` | `false` | no | | [eks\_managed\_node\_group\_defaults](#input\_eks\_managed\_node\_group\_defaults) | Map of EKS-managed node group default configurations | `any` | `{}` | no | | [eks\_managed\_node\_groups](#input\_eks\_managed\_node\_groups) | Managed node groups configuration | `any` | `{}` | no | | [enable\_amazon\_eks\_aws\_ebs\_csi\_driver](#input\_enable\_amazon\_eks\_aws\_ebs\_csi\_driver) | Enable EKS Managed AWS EBS CSI Driver add-on; enable\_amazon\_eks\_aws\_ebs\_csi\_driver and enable\_self\_managed\_aws\_ebs\_csi\_driver are mutually exclusive | `bool` | `false` | no | diff --git a/modules/eks/main.tf b/modules/eks/main.tf index 579905e0..75b15cfc 100644 --- a/modules/eks/main.tf +++ b/modules/eks/main.tf 
@@ -73,8 +73,7 @@ module "aws_eks" {
 } }
- # If using EKS Managed Node Groups, the aws-auth ConfigMap is created by eks itself and terraform can not create it
- create_aws_auth_configmap = length(var.eks_managed_node_groups) > 0 ? false : var.create_aws_auth_configmap
+ create_aws_auth_configmap = local.create_aws_auth_configmap
 manage_aws_auth_configmap = var.manage_aws_auth_configmap
 kms_key_administrators = distinct(concat(local.admin_arns, var.kms_key_administrators))
diff --git a/modules/eks/variables.tf b/modules/eks/variables.tf
index e75abcc3..f5c23a42 100644
--- a/modules/eks/variables.tf
+++ b/modules/eks/variables.tf
@@ -76,12 +76,6 @@ variable "manage_aws_auth_configmap" {
 default = false }
-variable "create_aws_auth_configmap" {
- description = "Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). Most users should use `manage_aws_auth_configmap`"
- type = bool
- default = false
-}
-
 variable "cluster_endpoint_private_access" {
 description = "Enable private access to the cluster endpoint"
 type = bool
From 15a500a2b18496b871e21984d7ce42696e8772d4 Mon Sep 17 00:00:00 2001
From: Zack Annexstein
Date: Wed, 22 Mar 2023 07:36:43 -0700
Subject: [PATCH 35/46] cleanup updates
---
 .gitignore | 3 +
 .../.terraform.lock.hcl | 182 ------------------
 .../complete-self-managed-nodegroup/README.md | 2 +-
 .../complete-self-managed-nodegroup/main.tf | 4 +-
 examples/tf-state-backend/.terraform.lock.hcl | 25 ---
 modules/eks/README.md | 1 -
 modules/eks/main.tf | 1 -
 modules/eks/outputs.tf | 8 +-
 8 files changed, 8 insertions(+), 218 deletions(-)
 delete mode 100644 examples/complete-self-managed-nodegroup/.terraform.lock.hcl
 delete mode 100644 examples/tf-state-backend/.terraform.lock.hcl
diff --git a/.gitignore b/.gitignore
index 8f6c1b90..65cc40e0 100644
--- a/.gitignore
+++ b/.gitignore
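Review bot: The replacement `create_aws_auth_configmap = local.create_aws_auth_configmap` drops the only comment explaining why creation is suppressed when EKS managed node groups exist (EKS provisions aws-auth itself), and the local's definition is outside this hunk, so a reader of the module call can no longer see the guard. Keep a pointer at the call site, e.g. `create_aws_auth_configmap = local.create_aws_auth_configmap # false whenever eks_managed_node_groups is non-empty: EKS creates aws-auth itself (see locals)`, assuming the local still carries the old `length(var.eks_managed_node_groups) > 0 ? false : ...` guard. Because `var.create_aws_auth_configmap` is deleted in the variables.tf hunk below, the local presumably can no longer be driven by a caller input; if it is now derived from `manage_aws_auth_configmap`, document that too, since creating the ConfigMap from Terraform against a cluster that already has one would fail or clobber the node role mappings. The `module "aws_eks"` block starts before and ends after this hunk.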
@@ -6,10 +6,13 @@
 .terraform/
 *.terraform.*
+
 # .tfstate files
 *.tfstate
 *.tfstate.*
+*.terraform.lock.hcl
+
 # Crash log files
 crash.log
 crash.*.log
diff --git a/examples/complete-self-managed-nodegroup/.terraform.lock.hcl b/examples/complete-self-managed-nodegroup/.terraform.lock.hcl
deleted file mode 100644
index 257d5c52..00000000
--- a/examples/complete-self-managed-nodegroup/.terraform.lock.hcl
+++ /dev/null
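Review bot: Adding `*.terraform.lock.hcl` to .gitignore, together with the lock file deletions in this commit, removes the provider hash pinning that `terraform init` uses to verify downloaded providers, so every fresh checkout and CI run resolves the newest version allowed by the `>=` constraints and trusts the registry alone; HashiCorp recommends committing the lock file for exactly this supply-chain reason. The existing `*.terraform.*` pattern two lines above already matches `.terraform.lock.hcl`, so the new entry also appears redundant. If the goal is only to stop the example directories from drifting, consider keeping the lock files (populated with `terraform providers lock -platform=...` for the platforms CI uses) and dropping the ignore entry, or at minimum record the decision next to the pattern: `# NOTE: provider lock files are intentionally not committed; consumers must pin and verify providers themselves`.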
@@ -1,182 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/gavinbunney/kubectl" { - version = "1.14.0" - constraints = ">= 1.14.0" - hashes = [ - "h1:ItrWfCZMzM2JmvDncihBMalNLutsAk7kyyxVRaipftY=", - "zh:0350f3122ff711984bbc36f6093c1fe19043173fad5a904bce27f86afe3cc858", - "zh:07ca36c7aa7533e8325b38232c77c04d6ef1081cb0bac9d56e8ccd51f12f2030", - "zh:0c351afd91d9e994a71fe64bbd1662d0024006b3493bb61d46c23ea3e42a7cf5", - "zh:39f1a0aa1d589a7e815b62b5aa11041040903b061672c4cfc7de38622866cbc4", - "zh:428d3a321043b78e23c91a8d641f2d08d6b97f74c195c654f04d2c455e017de5", - "zh:4baf5b1de2dfe9968cc0f57fd4be5a741deb5b34ee0989519267697af5f3eee5", - "zh:6131a927f9dffa014ab5ca5364ac965fe9b19830d2bbf916a5b2865b956fdfcf", - "zh:c62e0c9fd052cbf68c5c2612af4f6408c61c7e37b615dc347918d2442dd05e93", - "zh:f0beffd7ce78f49ead612e4b1aefb7cb6a461d040428f514f4f9cc4e5698ac65", - ] -} - -provider "registry.terraform.io/hashicorp/aws" { - version = "4.58.0" - constraints = ">= 3.28.0, >= 3.29.0, >= 3.72.0, >= 3.73.0, >= 4.9.0, >= 4.10.0, >= 4.13.0, >= 4.45.0, >= 4.47.0" - hashes = [ - "h1:YIRXIr1ji0HLWLU0ae+UbUNOHc9MJaLrMHxH3LIQ/Vk=", - "zh:14b2b2dfbc7ee705c412d762b1485ee08958c816a64ac74f5769e946e4a1d265", - "zh:17a37e6825e2023b18987d31c0cbb9336654ea146b68e6c90710ea4636af71ae", - "zh:273127c69fb244577e5c136c46164d34f77b0c956c18d27f63d1072dd558f924", - "zh:4b2b6416d34fb3e1051c99d2a84045b136976140e34381d5fbf90e32db15272e", - "zh:7e6a8571ff15d51f892776265642ee01004b8553fd4f6f2014b6f3f2834670c7", - "zh:847c76ab2381b66666d0f79cf1ac697b5bfd0d9c3009fd11bc6ad6545d1eb427", - "zh:9a52cae08ba8d27d0639a8d2b8c61591027883058bf0cc5a639cffe1e299f019", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9df647e8322d6f94f1843366ba39d21c4b36c8e7dcdc03711d52e27f73b0e974", - "zh:9e52037e68409802ff913b166c30e3f2035af03865cbef0c1b03762bce853941", - 
"zh:a30288e7c3c904d6998d1709835d7c5800a739f8608f0837f960286a2b8b6e59", - "zh:a7f24e3bda3be566468e4ad62cef1016f68c6f5a94d2e3e979485bc05626281b", - "zh:ba326ba80f5e39829b67a6d1ce54ba52b171e5e13a0a91ef5f9170a9b0cc9ce4", - "zh:c4e3fe9f2be6e244a3dfce599f4b0be9e8fffaece64cbc65f3195f825f65489b", - "zh:f20a251af37039bb2c7612dbd2c5df3a25886b4cc78f902385a2850ea6e30d08", - ] -} - -provider "registry.terraform.io/hashicorp/cloudinit" { - version = "2.3.2" - constraints = ">= 2.0.0" - hashes = [ - "h1:ocyv0lvfyvzW4krenxV5CL4Jq5DiA3EUfoy8DR6zFMw=", - "zh:2487e498736ed90f53de8f66fe2b8c05665b9f8ff1506f751c5ee227c7f457d1", - "zh:3d8627d142942336cf65eea6eb6403692f47e9072ff3fa11c3f774a3b93130b3", - "zh:434b643054aeafb5df28d5529b72acc20c6f5ded24decad73b98657af2b53f4f", - "zh:436aa6c2b07d82aa6a9dd746a3e3a627f72787c27c80552ceda6dc52d01f4b6f", - "zh:458274c5aabe65ef4dbd61d43ce759287788e35a2da004e796373f88edcaa422", - "zh:54bc70fa6fb7da33292ae4d9ceef5398d637c7373e729ed4fce59bd7b8d67372", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:893ba267e18749c1a956b69be569f0d7bc043a49c3a0eb4d0d09a8e8b2ca3136", - "zh:95493b7517bce116f75cdd4c63b7c82a9d0d48ec2ef2f5eb836d262ef96d0aa7", - "zh:9ae21ab393be52e3e84e5cce0ef20e690d21f6c10ade7d9d9d22b39851bfeddc", - "zh:cc3b01ac2472e6d59358d54d5e4945032efbc8008739a6d4946ca1b621a16040", - "zh:f23bfe9758f06a1ec10ea3a81c9deedf3a7b42963568997d84a5153f35c5839a", - ] -} - -provider "registry.terraform.io/hashicorp/helm" { - version = "2.9.0" - constraints = ">= 2.4.1, >= 2.5.1" - hashes = [ - "h1:fEDID5J/9ret/sLpOSNAu98F/ZBEZhOmL0Leut7m5JU=", - "zh:1471cb45908b426104687c962007b2980cfde294fa3530fabc4798ce9fb6c20c", - "zh:1572e9cec20591ec08ece797b3630802be816a5adde36ca91a93359f2430b130", - "zh:1b10ae03cf5ab1ae21ffaac2251de99797294ae4242b156b3b0beebbdbcb7e0f", - "zh:3bd043b68de967d8d0b549d3f71485193d81167d5656f5507d743dedfe60e352", - "zh:538911921c729185900176cc22eb8edcb822bc8d22b9ebb48103a1d9bb53cc38", - 
"zh:69a6a2d40c0463662c3fb1621e37a3ee65024ea4479adf4d5f7f19fb0dea48c2", - "zh:94b58daa0c351a49d01f6d8f1caae46c95c2d6c3f29753e2b9ea3e3c0e7c9ab4", - "zh:9d0543331a4a32241e1ab5457f30b41df745acb235a0391205c725a5311e4809", - "zh:a6789306524ca121512a95e873e3949b4175114a6c5db32bed2df2551a79368f", - "zh:d146b94cd9502cca7f2044797a328d71c7ec2a98e2d138270d8a28c872f04289", - "zh:d14ccd14511f0446eacf43a9243f22de7c1427ceb059cf67d7bf9803be2cb15d", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} - -provider "registry.terraform.io/hashicorp/kubernetes" { - version = "2.18.1" - constraints = ">= 2.6.1, >= 2.10.0" - hashes = [ - "h1:y4VED+vsulAqE7YbQC7x1XXrzvi/dEIjupttSyzSA/M=", - "zh:09d69d244f5e688d9b1582112aa5d151c5336278e43d39c88ae920c26536b753", - "zh:0df4c988056f7d84d9161c6c955ad7346364c261d100ef510a6cc7fa4a235197", - "zh:2d3d0cb2931b6153a7971ce8c6fae92722b1116e16f42abbaef115dba895c8d8", - "zh:47830e8fc1760860bfa4aaf418627ff3c6ffcac6cebbbc490e5e0e6b31287d80", - "zh:49467177b514bada0fb3b6982897a347498af8ef9ef8d9fd611fe21dfded2e25", - "zh:5c7eae2c51ba175822730a63ad59cf41604c76c46c5c97332506ab42023525ce", - "zh:6efae755f02df8ab65ce7a831f33bd4817359db205652fd4bc4b969302072b15", - "zh:7e6e97b79fecd25aaf0f4fb91da945a65c36fe2ba2a4313288a60ede55506aad", - "zh:b75f2c9dd24b355ffe73e7b2fcd3145fc32735068f0ec2eba2df63f792dd16e8", - "zh:dbef9698d842eb49a846db6d7694f159ae5154ffbb7a753a9d4cab88c462a6d4", - "zh:f1b1fd580d92eedd9c8224d463997ccff1a62851fea65106aac299efe9ab622a", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} - -provider "registry.terraform.io/hashicorp/null" { - version = "3.2.1" - constraints = ">= 3.0.0" - hashes = [ - "h1:ydA0/SNRVB1o95btfshvYsmxA+jZFRZcvKzZSB+4S1M=", - "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840", - "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb", - "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5", - 
"zh:74cb22c6700e48486b7cabefa10b33b801dfcab56f1a6ac9b6624531f3d36ea3", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:79e553aff77f1cfa9012a2218b8238dd672ea5e1b2924775ac9ac24d2a75c238", - "zh:a1e06ddda0b5ac48f7e7c7d59e1ab5a4073bbcf876c73c0299e4610ed53859dc", - "zh:c37a97090f1a82222925d45d84483b2aa702ef7ab66532af6cbcfb567818b970", - "zh:e4453fbebf90c53ca3323a92e7ca0f9961427d2f0ce0d2b65523cc04d5d999c2", - "zh:e80a746921946d8b6761e77305b752ad188da60688cfd2059322875d363be5f5", - "zh:fbdb892d9822ed0e4cb60f2fedbdbb556e4da0d88d3b942ae963ed6ff091e48f", - "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694", - ] -} - -provider "registry.terraform.io/hashicorp/random" { - version = "3.4.3" - constraints = ">= 3.1.0" - hashes = [ - "h1:saZR+mhthL0OZl4SyHXZraxyaBNVMxiZzks78nWcZ2o=", - "zh:41c53ba47085d8261590990f8633c8906696fa0a3c4b384ff6a7ecbf84339752", - "zh:59d98081c4475f2ad77d881c4412c5129c56214892f490adf11c7e7a5a47de9b", - "zh:686ad1ee40b812b9e016317e7f34c0d63ef837e084dea4a1f578f64a6314ad53", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:84103eae7251384c0d995f5a257c72b0096605048f757b749b7b62107a5dccb3", - "zh:8ee974b110adb78c7cd18aae82b2729e5124d8f115d484215fd5199451053de5", - "zh:9dd4561e3c847e45de603f17fa0c01ae14cae8c4b7b4e6423c9ef3904b308dda", - "zh:bb07bb3c2c0296beba0beec629ebc6474c70732387477a65966483b5efabdbc6", - "zh:e891339e96c9e5a888727b45b2e1bb3fcbdfe0fd7c5b4396e4695459b38c8cb1", - "zh:ea4739860c24dfeaac6c100b2a2e357106a89d18751f7693f3c31ecf6a996f8d", - "zh:f0c76ac303fd0ab59146c39bc121c5d7d86f878e9a69294e29444d4c653786f8", - "zh:f143a9a5af42b38fed328a161279906759ff39ac428ebcfe55606e05e1518b93", - ] -} - -provider "registry.terraform.io/hashicorp/time" { - version = "0.9.1" - constraints = ">= 0.7.0, >= 0.8.0, >= 0.9.0" - hashes = [ - "h1:VxyoYYOCaJGDmLz4TruZQTSfQhvwEcMxvcKclWdnpbs=", - "zh:00a1476ecf18c735cc08e27bfa835c33f8ac8fa6fa746b01cd3bcbad8ca84f7f", - 
"zh:3007f8fc4a4f8614c43e8ef1d4b0c773a5de1dcac50e701d8abc9fdc8fcb6bf5", - "zh:5f79d0730fdec8cb148b277de3f00485eff3e9cf1ff47fb715b1c969e5bbd9d4", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:8c8094689a2bed4bb597d24a418bbbf846e15507f08be447d0a5acea67c2265a", - "zh:a6d9206e95d5681229429b406bc7a9ba4b2d9b67470bda7df88fa161508ace57", - "zh:aa299ec058f23ebe68976c7581017de50da6204883950de228ed9246f309e7f1", - "zh:b129f00f45fba1991db0aa954a6ba48d90f64a738629119bfb8e9a844b66e80b", - "zh:ef6cecf5f50cda971c1b215847938ced4cb4a30a18095509c068643b14030b00", - "zh:f1f46a4f6c65886d2dd27b66d92632232adc64f92145bf8403fe64d5ffa5caea", - "zh:f79d6155cda7d559c60d74883a24879a01c4d5f6fd7e8d1e3250f3cd215fb904", - "zh:fd59fa73074805c3575f08cd627eef7acda14ab6dac2c135a66e7a38d262201c", - ] -} - -provider "registry.terraform.io/hashicorp/tls" { - version = "4.0.4" - constraints = ">= 3.0.0" - hashes = [ - "h1:GZcFizg5ZT2VrpwvxGBHQ/hO9r6g0vYdQqx3bFD3anY=", - "zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55", - "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848", - "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be", - "zh:5a8eec2409a9ff7cd0758a9d818c74bcba92a240e6c5e54b99df68fff312bbd5", - "zh:5e6a4b39f3171f53292ab88058a59e64825f2b842760a4869e64dc1dc093d1fe", - "zh:810547d0bf9311d21c81cc306126d3547e7bd3f194fc295836acf164b9f8424e", - "zh:824a5f3617624243bed0259d7dd37d76017097dc3193dac669be342b90b2ab48", - "zh:9361ccc7048be5dcbc2fafe2d8216939765b3160bd52734f7a9fd917a39ecbd8", - "zh:aa02ea625aaf672e649296bce7580f62d724268189fe9ad7c1b36bb0fa12fa60", - "zh:c71b4cd40d6ec7815dfeefd57d88bc592c0c42f5e5858dcc88245d371b4b8b1e", - "zh:dabcd52f36b43d250a3d71ad7abfa07b5622c69068d989e60b79b2bb4f220316", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} 
diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index e8bb6bc9..a63c7f20 100644 --- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md @@ -198,7 +198,7 @@ terraform destroy -auto-approve | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.58.0 | +| [aws](#provider\_aws) | >= 4.9 | ## Modules diff --git a/examples/complete-self-managed-nodegroup/main.tf b/examples/complete-self-managed-nodegroup/main.tf index f699523c..45a087c0 100644 --- a/examples/complete-self-managed-nodegroup/main.tf +++ b/examples/complete-self-managed-nodegroup/main.tf @@ -2,8 +2,8 @@ data "aws_partition" "current" {} locals { tags = { - Blueprint = replace(basename(path.cwd), "_", "-") # tag names based on the directory name - GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints" + RootModule = replace(basename(path.cwd), "_", "-") # tag names based on the directory name + GithubRepo = "github.com/defenseunicorns/iac" } loki_name_prefix = "${var.cluster_name}-loki" } diff --git a/examples/tf-state-backend/.terraform.lock.hcl b/examples/tf-state-backend/.terraform.lock.hcl deleted file mode 100644 index 15938a22..00000000 --- a/examples/tf-state-backend/.terraform.lock.hcl +++ /dev/null 
@@ -1,25 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "4.57.1" - constraints = ">= 4.9.0" - hashes = [ - "h1:Qfq7Q9aCQqdl7w439mCMm89126n8DsDAmg6H8gXhnLI=", - "zh:44200c213ddb138df80d2a5ad86c2ebadbb5fd1d08cd7e4fc56ec6dca927659b", - "zh:469e6fe6a9e99e60cb168d32f05e2e9a83cf161f39160d075ff96f7674c510e1", - "zh:6110ba2c15a2268652ec9ea3797dd0216de84ece428055c49eaf9caa2be1ed62", - "zh:62ed7348acca44f64fc087e879e01cfa4e084c7600cc91e8bb7683f8065a9c79", - "zh:7a80e6fa9b35be178bb566093f7984dd6ffb7ad9d40b9dd5d5907f054f0c3e60", - "zh:8793043c8575a598c1a7cbefcb65ee1776b0061eba719098e552a3adc88f3090", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a777a0082114e273b7b3eb14095a3f6f6e703c1aff61ffb1f0846bb869e6dfc7", - "zh:b060c3b2973097f2087a98ac6aad7c9c89fe80f7cf3027019049feafc3f8305b", - "zh:e7035e74563f4486848ea1feb60852175353790bc374e0e97e241a88dc0908f7", - "zh:eaaa8e9eba09ada41e13116d53d4baece04fead8fcf3eab68cca3a67ed738e18", - "zh:ec52d8f95a84fad8fe1aae169c89d0c54d5401f75caae0869ad8182c6b6db65b", - "zh:f0e33174025b1b57ecfbdd09f2a59c2559ee94d7681e5ae09079e2822ec54ecf", - "zh:f69790a21380e5aab9303a252564737333e1e95b5d25567681630e49b17e3ec7", - "zh:ff6053942c40a99904bd407f3c082c1fa8f927ecce0374566eb7e8ee8145e582", - ] -} diff --git a/modules/eks/README.md b/modules/eks/README.md index 26baa4d3..b9d78db6 100644 --- a/modules/eks/README.md +++ b/modules/eks/README.md 
@@ -90,7 +90,6 @@ To view examples for how you can leverage this EKS Module, please see the [examp | Name | Description | |------|-------------| -| [aws\_eks](#output\_aws\_eks) | all EKS cluster outputs, just for debugging | | [cluster\_certificate\_authority\_data](#output\_cluster\_certificate\_authority\_data) | EKS cluster certificate authority data | | [cluster\_endpoint](#output\_cluster\_endpoint) | EKS cluster endpoint | | [cluster\_name](#output\_cluster\_name) | The name of the EKS cluster | diff --git a/modules/eks/main.tf b/modules/eks/main.tf index 75b15cfc..50ed4f0d 100644 --- a/modules/eks/main.tf +++ b/modules/eks/main.tf @@ -3,7 +3,6 @@ #--------------------------------------------------------------- module "aws_eks" { - # module "eks_blueprints" { source = "git::https://github.com/terraform-aws-modules/terraform-aws-eks.git?ref=v19.10.0" cluster_name = local.cluster_name diff --git a/modules/eks/outputs.tf b/modules/eks/outputs.tf index 631e0a61..f7bfcbbf 100644 --- a/modules/eks/outputs.tf +++ b/modules/eks/outputs.tf @@ -1,9 +1,3 @@ -output "aws_eks" { - #https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/outputs.tf - description = "all EKS cluster outputs, just for debugging" - value = module.aws_eks -} - output "cluster_name" { description = "The name of the EKS cluster" value = module.aws_eks.cluster_name @@ -38,9 +32,11 @@ output "oidc_provider_arn" { output "cluster_endpoint" { description = "EKS cluster endpoint" value = module.aws_eks.cluster_endpoint + sensitive = true } output "cluster_certificate_authority_data" { description = "EKS cluster certificate authority data" value = module.aws_eks.cluster_certificate_authority_data + sensitive = true } From 3b87fac1280f420fbb5bba4bc9c57670f3378efc Mon Sep 17 00:00:00 2001 
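Review bot: `sensitive = true` on `cluster_endpoint` and `cluster_certificate_authority_data` only redacts the values from plan output and `terraform output` display; both are still written to state in plaintext, so the state backend's encryption and access control remain the actual protection, and neither value is a secret in its own right (the CA data is the cluster's public certificate and the endpoint is returned by `aws eks describe-cluster`). A practical side effect is that any root-module output that forwards these must now be declared `sensitive = true` itself or Terraform will error at plan time, which is worth stating in the description, e.g. `description = "EKS cluster endpoint (marked sensitive to keep it out of logs; outputs forwarding it must be marked sensitive too)"`. Removing the `aws_eks` catch-all output is the more meaningful hardening here, since it exposed every attribute of the upstream module to anyone with state read access.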
From: Zack Annexstein
Date: Wed, 22 Mar 2023 08:47:01 -0700
Subject: [PATCH 36/46] remove try
---
 examples/complete-self-managed-nodegroup/outputs.tf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/examples/complete-self-managed-nodegroup/outputs.tf b/examples/complete-self-managed-nodegroup/outputs.tf
index b5d1c77f..86acc69b 100644
--- a/examples/complete-self-managed-nodegroup/outputs.tf
+++ b/examples/complete-self-managed-nodegroup/outputs.tf
@@ -1,6 +1,6 @@
 output "loki_s3_bucket" {
 description = "Loki S3 Bucket Name"
- value = try(module.loki_s3_bucket.s3_bucket, null)
+ value = module.loki_s3_bucket.s3_bucket
 }
 output "keycloak_db_instance_endpoint" {
@@ -27,15 +27,15 @@ output "keycloak_db_instance_port" {
 output "bastion_instance_id" {
 description = "The ID of the bastion host"
- value = try(module.bastion.instance_id, null)
+ value = module.bastion.instance_id
 }
 output "bastion_private_key" {
 description = "The private key for the bastion host"
- value = try(module.bastion.private_key, null)
+ value = module.bastion.private_key
 sensitive = true
 }
 output "dynamodb_name" {
 description = "Name of DynmoDB table"
- value = try(module.loki_s3_bucket.dynamodb_name, null)
+ value = module.loki_s3_bucket.dynamodb_name
 }
From 4d6eba1a914fbe96a8eff3aca3cd0bed3aa6055e Mon Sep 17 00:00:00 2001
From: Zack Annexstein
Date: Wed, 22 Mar 2023 08:47:28 -0700
Subject: [PATCH 37/46] update tag to 0.0.2
---
 examples/tf-state-backend/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/tf-state-backend/main.tf b/examples/tf-state-backend/main.tf
index a28b0d29..36139859 100644
--- a/examples/tf-state-backend/main.tf
+++ b/examples/tf-state-backend/main.tf
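Review bot: Dropping `try(..., null)` is fine since these module outputs always exist, but the `bastion_private_key` output means the bastion's SSH private key is persisted in plaintext in the root module's state and is returned by `terraform output -json`; `sensitive = true` only redacts CLI display, it does not protect the stored value. If the key must be retrievable this way, say so at the output, e.g. `# private key is stored in plaintext in state; restrict access to the state backend accordingly`, or better, have the bastion module place the key in SSM Parameter Store / Secrets Manager and output only its name. The `description = "Name of DynmoDB table"` typo (`DynamoDB`) can be fixed in the same hunk.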
@@ -12,7 +12,7 @@ locals {
 } module "tfstate_backend" {
- source = "git::https://github.com/defenseunicorns/terraform-aws-tfstate-backend.git?ref=main"
+ source = "git::https://github.com/defenseunicorns/terraform-aws-tfstate-backend.git?ref=0.0.2"
 region = var.region
 bucket_prefix = var.bucket_prefix
From bec6cb58c5e0ba71d434d216fb9cacc2ff9e77d3 Mon Sep 17 00:00:00 2001
From: Zack Annexstein
Date: Wed, 22 Mar 2023 08:56:57 -0700
Subject: [PATCH 38/46] update validation
---
 examples/complete/README.md | 2 +-
 examples/complete/variables.tf | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/examples/complete/README.md b/examples/complete/README.md
index d2db8268..19b41d8a 100644
--- a/examples/complete/README.md
+++ b/examples/complete/README.md
@@ -111,7 +111,7 @@ Coming soon
 | [cluster\_autoscaler\_helm\_config](#input\_cluster\_autoscaler\_helm\_config) | Cluster Autoscaler Helm Chart config | `any` | `{}` | no |
 | [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether to enable private access to the EKS cluster | `bool` | `false` | no |
 | [cluster\_name\_prefix](#input\_cluster\_name\_prefix) | The name to use for the EKS cluster | `string` | `"my-eks"` | no |
-| [cluster\_version](#input\_cluster\_version) | The Kubernetes version to use for the EKS cluster | `string` | `"1.23"` | no |
+| [cluster\_version](#input\_cluster\_version) | Kubernetes version to use for EKS cluster | `string` | `"1.23"` | no |
 | [create\_database\_subnet\_group](#input\_create\_database\_subnet\_group) | Whether to create a database subnet group | `bool` | `true` | no |
 | [create\_database\_subnet\_route\_table](#input\_create\_database\_subnet\_route\_table) | Whether to create a database subnet route table | `bool` | `true` | no |
 | [default\_tags](#input\_default\_tags) | A map of default tags to apply to all resources | `map(string)` | `{}` | no |
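Review bot: Moving from `?ref=main` to `?ref=0.0.2` stops the backend module from floating, but a git tag is still mutable and can be re-pointed by anyone with write access to that repository, so it does not give the integrity guarantee a pinned dependency should; pin to the full commit SHA the tag resolves to, e.g. `source = "git::https://github.com/defenseunicorns/terraform-aws-tfstate-backend.git?ref=<40-hex commit sha>" # tag 0.0.2`, keeping the tag in the comment for readability. This matters more than usual here because the module creates the state backend itself, which is the trust root for every other root module in the repository. The `module "tfstate_backend"` block continues past the end of this hunk.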
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
index 2683db88..d95d7249 100644
--- a/examples/complete/variables.tf
+++ b/examples/complete/variables.tf
@@ -82,9 +82,13 @@ variable "cluster_name_prefix" {
 } variable "cluster_version" {
- description = "The Kubernetes version to use for the EKS cluster"
+ description = "Kubernetes version to use for EKS cluster"
 type = string
 default = "1.23"
+ validation {
+ condition = contains(["1.23"], var.cluster_version)
+ error_message = "Kubernetes version must be equal to one that we support. Currently supported versions are: 1.23."
+ }
 }
 variable "cluster_endpoint_public_access" {
From 542473af8b2c13595b42db5efbe97553054514c1 Mon Sep 17 00:00:00 2001
From: Zack Annexstein
Date: Wed, 22 Mar 2023 09:09:20 -0700
Subject: [PATCH 39/46] remove vpc.instance_tenanacy and create validation
---
 examples/complete-self-managed-nodegroup/README.md | 1 -
 examples/complete-self-managed-nodegroup/main.tf | 2 +-
 examples/complete-self-managed-nodegroup/variables.tf | 6 ------
 examples/complete/README.md | 1 -
 examples/complete/fixtures.common.tfvars | 6 ++----
 examples/complete/main.tf | 2 +-
 examples/complete/variables.tf | 6 ------
 modules/vpc/README.md | 2 +-
 modules/vpc/variables.tf | 10 +++++++++-
 9 files changed, 14 insertions(+), 22 deletions(-)
diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md
index a63c7f20..e3df12c2 100644
--- a/examples/complete-self-managed-nodegroup/README.md
+++ b/examples/complete-self-managed-nodegroup/README.md
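Review bot: The allowlist in the new `validation` block lives only in this example's `cluster_version`, while the value is passed down to the `modules/eks` input of the same name, whose README entry in an earlier hunk shows no such check, so module consumers outside the examples can still request unsupported versions; moving the validation into `modules/eks/variables.tf` would enforce it once for everyone. The supported version is also spelled out twice (in `contains([...])` and again in `error_message`), so adding a version means touching both and nothing catches it if only one is updated; a comment such as `# keep the list in sync with error_message` mitigates the drift. Separately, the hunk's trailing context opens `cluster_endpoint_public_access`, whose README description (visible in the previous hunk) reads "Whether to enable private access to the EKS cluster"; correcting that to "public" is worth doing here, since a misleading description on an endpoint-exposure flag invites the wrong setting.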
@@ -267,7 +267,6 @@ terraform destroy -auto-approve | [region](#input\_region) | The AWS region to deploy into | `string` | n/a | yes | | [region2](#input\_region2) | The AWS region to deploy into | `string` | n/a | yes | | [vpc\_cidr](#input\_vpc\_cidr) | The CIDR block for the VPC | `string` | n/a | yes | -| [vpc\_instance\_tenancy](#input\_vpc\_instance\_tenancy) | The tenancy of instances launched into the VPC | `string` | `"default"` | no | | [vpc\_name](#input\_vpc\_name) | The name to use for the VPC | `string` | `"my-vpc"` | no | | [zarf\_version](#input\_zarf\_version) | The version of Zarf to use | `string` | `""` | no | diff --git a/examples/complete-self-managed-nodegroup/main.tf b/examples/complete-self-managed-nodegroup/main.tf index 45a087c0..d1d5b96b 100644 --- a/examples/complete-self-managed-nodegroup/main.tf +++ b/examples/complete-self-managed-nodegroup/main.tf @@ -33,7 +33,7 @@ module "vpc" { create_database_subnet_group = true create_database_subnet_route_table = true - instance_tenancy = var.vpc_instance_tenancy # dedicated tenancy globally set in VPC does not currently work with EKS + instance_tenancy = "default" } ########################################################### diff --git a/examples/complete-self-managed-nodegroup/variables.tf b/examples/complete-self-managed-nodegroup/variables.tf index 08f8daaa..0336265e 100644 --- a/examples/complete-self-managed-nodegroup/variables.tf +++ b/examples/complete-self-managed-nodegroup/variables.tf @@ -40,12 +40,6 @@ variable "default_tags" { ########################################################### #################### VPC Config ########################### -variable "vpc_instance_tenancy" { - description = "The tenancy of instances launched into the VPC" - type = string - default = "default" -} - variable "vpc_cidr" { description = "The CIDR block for the VPC" type = string diff --git a/examples/complete/README.md b/examples/complete/README.md index 19b41d8a..905a071f 100644 
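Review bot: Hardcoding `instance_tenancy = "default"` in the `module "vpc"` call also removes the inline comment that explained why dedicated tenancy is not used, and the remaining explanation now lives only in the VPC module's variable description, which someone editing this example will not see; keep the rationale at the point of use, e.g. `instance_tenancy = "default" # EKS does not support dedicated VPC tenancy`. For deployments with a dedicated-hardware requirement it may be worth noting in that same comment whether launch-template placement tenancy on the node groups is the intended alternative, if the team has confirmed that works. The `module "vpc"` block starts before and ends after this hunk.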
--- a/examples/complete/README.md +++ b/examples/complete/README.md @@ -137,7 +137,6 @@ Coming soon | [region](#input\_region) | The AWS region to deploy into | `string` | n/a | yes | | [region2](#input\_region2) | The AWS region to deploy into | `string` | n/a | yes | | [vpc\_cidr](#input\_vpc\_cidr) | The CIDR block for the VPC | `string` | n/a | yes | -| [vpc\_instance\_tenancy](#input\_vpc\_instance\_tenancy) | The tenancy of instances launched into the VPC | `string` | `"default"` | no | | [vpc\_name\_prefix](#input\_vpc\_name\_prefix) | The name to use for the VPC | `string` | `"my-vpc"` | no | | [zarf\_version](#input\_zarf\_version) | The version of Zarf to use | `string` | `""` | no | diff --git a/examples/complete/fixtures.common.tfvars b/examples/complete/fixtures.common.tfvars index a654aca7..9bc15601 100644 --- a/examples/complete/fixtures.common.tfvars +++ b/examples/complete/fixtures.common.tfvars @@ -1,9 +1,8 @@ ########################################################### ################## Global Settings ######################## -region = "us-east-1" # target AWS region -region2 = "us-east-2" # RDS backup target AWS region -aws_admin_usernames = ["Placeholder"] # list of users to be added to the AWS admin group +region = "us-east-1" # target AWS region +region2 = "us-east-2" # RDS backup target AWS region # default_tags = { # Environment = "dev" # Project = "ci-eks" @@ -16,7 +15,6 @@ manage_aws_auth_configmap = true vpc_cidr = "10.200.0.0/16" vpc_name_prefix = "ex-complete-vpc-" -# vpc_instance_tenancy = "dedicated" #does not currently work with EKS ########################################################### ################## Bastion Config ######################### diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 78f1e683..6b8654ef 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
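Review bot: Removing `aws_admin_usernames = ["Placeholder"]` from the CI fixture is an improvement in that no placeholder IAM user is mapped to cluster admin, but the hunk does not show what the variable now defaults to: with no default, `terraform plan` in CI will fail on a missing input, and with an empty-list default nothing from this fixture ends up in the admin mapping, which presumably also feeds `local.admin_arns` used as a KMS key administrator input in the eks module hunk earlier in this series. Confirm the default in `examples/complete/variables.tf` and state the intent in the fixture, e.g. `# aws_admin_usernames intentionally unset: CI runs with no additional admin principals`. The `region`/`region2` change in the first hunk is alignment only.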
@@ -179,7 +179,7 @@ module "vpc" { create_database_subnet_group = true create_database_subnet_route_table = true - instance_tenancy = var.vpc_instance_tenancy # dedicated tenancy globally set in VPC does not currently work with EKS + instance_tenancy = "default" } ########################################################### diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index d95d7249..2daedc2d 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -30,12 +30,6 @@ variable "default_tags" { ########################################################### #################### VPC Config ########################### -variable "vpc_instance_tenancy" { - description = "The tenancy of instances launched into the VPC" - type = string - default = "default" -} - variable "vpc_cidr" { description = "The CIDR block for the VPC" type = string diff --git a/modules/vpc/README.md b/modules/vpc/README.md index 657600d1..c770c556 100644 --- a/modules/vpc/README.md +++ b/modules/vpc/README.md @@ -46,7 +46,7 @@ To view examples for how you can leverage this VPC Module, please see the [examp | [create\_database\_subnet\_route\_table](#input\_create\_database\_subnet\_route\_table) | Create database subnet route table | `bool` | `true` | no | | [database\_subnets](#input\_database\_subnets) | List of database subnets inside the VPC | `list(string)` | `[]` | no | | [enable\_nat\_gateway](#input\_enable\_nat\_gateway) | Enable NAT gateway | `bool` | `false` | no | -| [instance\_tenancy](#input\_instance\_tenancy) | Tenancy of instances launched into the VPC | `string` | `"default"` | no | +| [instance\_tenancy](#input\_instance\_tenancy) | Tenancy of instances launched into the VPC.
Valid values are "default" or "dedicated".
EKS does not support dedicated tenancy. | `string` | `"default"` | no | | [intra\_subnet\_tags](#input\_intra\_subnet\_tags) | Tags to apply to intra subnets | `map(string)` | `{}` | no | | [intra\_subnets](#input\_intra\_subnets) | List of intra subnets inside the VPC | `list(string)` | `[]` | no | | [name](#input\_name) | Name to be used on all resources as identifier | `string` | n/a | yes | diff --git a/modules/vpc/variables.tf b/modules/vpc/variables.tf index 77567c7d..7132974b 100644 --- a/modules/vpc/variables.tf +++ b/modules/vpc/variables.tf @@ -43,9 +43,17 @@ variable "create_database_subnet_route_table" { } variable "instance_tenancy" { - description = "Tenancy of instances launched into the VPC" + description = <<-EOD + Tenancy of instances launched into the VPC. + Valid values are "default" or "dedicated". + EKS does not support dedicated tenancy. + EOD type = string default = "default" + validation { + condition = contains(["default", "dedicated"], var.instance_tenancy) + error_message = "Value must be either default or dedicated." + } } variable "public_subnets" { From 22b177a9799ecf4ebdf504f30e5b1c86fdbddeb3 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Wed, 22 Mar 2023 09:27:39 -0700 Subject: [PATCH 40/46] make version the same --- examples/complete/README.md | 2 +- examples/complete/providers.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/complete/README.md b/examples/complete/README.md index 905a071f..79e08ce8 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md @@ -46,7 +46,7 @@ Coming soon | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.3.0 | +| [terraform](#requirement\_terraform) | >= 1.0.0 | | [aws](#requirement\_aws) | >= 4.47.0 | | [cloudinit](#requirement\_cloudinit) | >= 2.0.0 | | [helm](#requirement\_helm) | >= 2.5.1 | diff --git a/examples/complete/providers.tf b/examples/complete/providers.tf index 6ca7ad6d..c2f8622f 100644 
--- a/examples/complete/providers.tf
+++ b/examples/complete/providers.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 1.3.0"
+ required_version = ">= 1.0.0"
 required_providers {
 kubectl = {
 source = "gavinbunney/kubectl"
From f8b770825d9fc5341bbff4595cd20cdc9198dc8c Mon Sep 17 00:00:00 2001
From: Zack Annexstein
Date: Wed, 22 Mar 2023 09:34:01 -0700
Subject: [PATCH 41/46] cleanup
---
 examples/complete/README.md | 3 ---
 examples/complete/main.tf | 42 -------------------------------------
 2 files changed, 45 deletions(-)
diff --git a/examples/complete/README.md b/examples/complete/README.md
index 79e08ce8..0cb2e266 100644
--- a/examples/complete/README.md
+++ b/examples/complete/README.md
@@ -85,9 +85,6 @@ Coming soon
 | [random_id.cluster_name](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
 | [random_id.vpc_name](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
 | [aws_ami.amazonlinux2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
-| [aws_ami.amazonlinux2eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
-| [aws_ami.eks_default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
-| [aws_ami.eks_default_bottlerocket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_eks_cluster.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
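Review bot: Lowering `required_version` to `">= 1.0.0"` widens the accepted CLI range rather than aligning it with what the example needs, so the constraint no longer rejects a CLI that is too old for the language features the modules use. If any module in this tree relies on a post-1.0 feature (for example `optional()` object attributes with defaults, which need 1.3), a 1.0.x or 1.2.x CLI will now fail at plan time with a less helpful error instead of being stopped by the constraint. Please confirm the example was exercised on a 1.0.x CLI before relaxing this, or keep the constraint at the lowest version that was actually tested.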
diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 6b8654ef..8b8f5c86 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -2,37 +2,6 @@ data "aws_partition" "current" {} data "aws_caller_identity" "current" {} -data "aws_ami" "amazonlinux2eks" { - most_recent = true - - filter { - name = "name" - values = ["amazon-eks-node-${var.cluster_version}-*"] - } - - owners = ["amazon"] -} - -data "aws_ami" "eks_default" { - most_recent = true - owners = ["amazon"] - - filter { - name = "name" - values = ["amazon-eks-node-${var.cluster_version}-v*"] - } -} - -data "aws_ami" "eks_default_bottlerocket" { - most_recent = true - owners = ["amazon"] - - filter { - name = "name" - values = ["bottlerocket-aws-k8s-${var.cluster_version}-x86_64-*"] - } -} - resource "random_id" "vpc_name" { byte_length = 2 prefix = var.vpc_name_prefix @@ -72,17 +41,6 @@ locals { disk_size = 50 } - - # Default node group - as provided by AWS EKS using Bottlerocket - bottlerocket_default = { - create = var.enable_eks_managed_nodegroups - # By default, the module creates a launch template to ensure tags are propagated to instances, etc., - # so we need to disable it to use the default template provided by the AWS EKS managed node group service - use_custom_launch_template = false - - ami_type = "BOTTLEROCKET_x86_64" - platform = "bottlerocket" - } } self_managed_node_groups = { From 052fb28f10844a370062fb980650071998ca83e9 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Wed, 22 Mar 2023 09:37:25 -0700 Subject: [PATCH 42/46] removed --- examples/complete-self-managed-nodegroup/README.md | 1 - examples/complete-self-managed-nodegroup/variables.tf | 6 ------ 2 files changed, 7 deletions(-) diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index e3df12c2..9577b410 100644 --- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md 
@@ -261,7 +261,6 @@ terraform destroy -auto-approve
 | [kc\_db\_max\_allocated\_storage](#input\_kc\_db\_max\_allocated\_storage) | The database allocated storage to use for Keycloak | `number` | n/a | yes |
 | [keycloak\_db\_password](#input\_keycloak\_db\_password) | The password to use for the Keycloak database | `string` | `"my-password"` | no |
 | [keycloak\_enabled](#input\_keycloak\_enabled) | Whether to enable Keycloak | `bool` | `false` | no |
-| [loki\_s3\_bucket\_kms\_key\_alias](#input\_loki\_s3\_bucket\_kms\_key\_alias) | The alias of the KMS key to use for the Loki S3 bucket | `string` | `""` | no |
 | [manage\_aws\_auth\_configmap](#input\_manage\_aws\_auth\_configmap) | Determines whether to manage the aws-auth configmap | `bool` | `false` | no |
 | [metrics\_server\_helm\_config](#input\_metrics\_server\_helm\_config) | Metrics Server Helm Chart config | `any` | `{}` | no |
 | [region](#input\_region) | The AWS region to deploy into | `string` | n/a | yes |
diff --git a/examples/complete-self-managed-nodegroup/variables.tf b/examples/complete-self-managed-nodegroup/variables.tf
index 0336265e..20993e1e 100644
--- a/examples/complete-self-managed-nodegroup/variables.tf
+++ b/examples/complete-self-managed-nodegroup/variables.tf
@@ -304,9 +304,3 @@ variable "zarf_version" {
 type = string
 default = ""
 }
-
-variable "loki_s3_bucket_kms_key_alias" {
- description = "The alias of the KMS key to use for the Loki S3 bucket"
- type = string
- default = ""
-}
From 5650f3dda2365d8b3a882d2ec335041e60be16c7 Mon Sep 17 00:00:00 2001
From: Zack Annexstein
Date: Wed, 22 Mar 2023 09:51:53 -0700
Subject: [PATCH 43/46] removed because not used
---
 .../complete-self-managed-nodegroup/terraform.tfvars.example | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/examples/complete-self-managed-nodegroup/terraform.tfvars.example b/examples/complete-self-managed-nodegroup/terraform.tfvars.example
index c88ebd4c..1ccd5f1d 100644
--- a/examples/complete-self-managed-nodegroup/terraform.tfvars.example +++ b/examples/complete-self-managed-nodegroup/terraform.tfvars.example @@ -42,8 +42,6 @@ cluster_name = "my-eks" cluster_version = "1.23" eks_worker_tenancy = "dedicated" cluster_endpoint_public_access = true -instance_type = "m4.xlarge" - ########################################################### ############## Big Bang Dependencies ###################### @@ -63,8 +61,6 @@ kc_db_max_allocated_storage = 100 kc_db_instance_class = "db.t4g.large" #################### Other Addon ######################## -loki_s3_bucket_kms_key_alias = "my-loki-s3" - amazon_eks_vpc_cni = { enable = true before_compute = true From 67b76bda1e765742084e51ea9c2c23ea0f5deb67 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Wed, 22 Mar 2023 10:35:40 -0700 Subject: [PATCH 44/46] cleanup --- examples/complete-self-managed-nodegroup/README.md | 4 ++-- examples/complete-self-managed-nodegroup/variables.tf | 3 ++- examples/complete/README.md | 2 +- examples/complete/variables.tf | 3 ++- examples/tf-state-backend/main.tf | 5 ++++- examples/tf-state-backend/variables.tf | 3 ++- modules/eks/README.md | 2 +- modules/eks/locals.tf | 4 ---- modules/eks/variables.tf | 2 +- 9 files changed, 15 insertions(+), 13 deletions(-) diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index 9577b410..06920924 100644 --- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md @@ -198,7 +198,7 @@ terraform destroy -auto-approve | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.9 | +| [aws](#provider\_aws) | 4.59.0 | ## Modules 
@@ -230,7 +230,7 @@ terraform destroy -auto-approve | [amazon\_eks\_kube\_proxy\_config](#input\_amazon\_eks\_kube\_proxy\_config) | ConfigMap for Amazon EKS Kube-Proxy add-on | `any` | `{}` | no | | [amazon\_eks\_vpc\_cni](#input\_amazon\_eks\_vpc\_cni) | The VPC CNI add-on configuration.
enable - (Optional) Whether to enable the add-on. Defaults to false.
before\_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true.
most\_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true.
resolve\_conflicts - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE.
configuration\_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. |
object({
enable = bool
before_compute = bool
most_recent = bool
resolve_conflicts = string
configuration_values = map(any) # hcl format later to be json encoded
})
|
{
"before_compute": true,
"configuration_values": {
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
},
"enable": false,
"most_recent": true,
"resolve_conflicts": "OVERWRITE"
}
| no | | [assign\_public\_ip](#input\_assign\_public\_ip) | Whether to assign a public IP to the bastion | `bool` | `false` | no | -| [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with admin access to KMS and EKS resources | `list(string)` | n/a | yes | +| [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with authorized access to KMS and EKS resources, will automatically add the user running the terraform as an admin | `list(string)` | `[]` | no | | [aws\_node\_termination\_handler\_helm\_config](#input\_aws\_node\_termination\_handler\_helm\_config) | AWS Node Termination Handler Helm Chart config | `any` | `{}` | no | | [aws\_profile](#input\_aws\_profile) | The AWS profile to use for deployment | `string` | n/a | yes | | [bastion\_ami\_id](#input\_bastion\_ami\_id) | (Optional) The AMI ID to use for the bastion, will query the latest Amazon Linux 2 AMI if not provided | `string` | `""` | no | diff --git a/examples/complete-self-managed-nodegroup/variables.tf b/examples/complete-self-managed-nodegroup/variables.tf index 20993e1e..118d4c96 100644 --- a/examples/complete-self-managed-nodegroup/variables.tf +++ b/examples/complete-self-managed-nodegroup/variables.tf @@ -22,8 +22,9 @@ variable "aws_profile" { } variable "aws_admin_usernames" { - description = "A list of one or more AWS usernames with admin access to KMS and EKS resources" + description = "A list of one or more AWS usernames with authorized access to KMS and EKS resources, will automatically add the user running the terraform as an admin" type = list(string) + default = [] } variable "manage_aws_auth_configmap" { diff --git a/examples/complete/README.md b/examples/complete/README.md index 0cb2e266..583d1647 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md 
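Review bot: Adding `default = []` to `aws_admin_usernames` means that, unless the caller passes names, the identity running terraform becomes the only entry in the resulting admin list (the `admin_arns` locals in modules/eks/locals.tf and examples/tf-state-backend/main.tf further down show how the caller ARN is concatenated in); the description now promises that behaviour but nothing warns that an empty list leaves no other administrator. A trailing comment on the new line, `default = [] # with the default, only the identity that runs terraform is granted access`, would make the consequence visible where the default is set. When the plan runs from CI under an assumed role that identity is a role session rather than a person, so an operator relying on the default may end up with keys no human can administer. The same default is added to examples/complete/variables.tf and examples/tf-state-backend/variables.tf below; modules/eks/variables.tf already had it and only changes its description.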
@@ -98,7 +98,7 @@ Coming soon | [amazon\_eks\_kube\_proxy\_config](#input\_amazon\_eks\_kube\_proxy\_config) | ConfigMap for Amazon EKS Kube-Proxy add-on | `any` | `{}` | no | | [amazon\_eks\_vpc\_cni](#input\_amazon\_eks\_vpc\_cni) | The VPC CNI add-on configuration.
enable - (Optional) Whether to enable the add-on. Defaults to false.
before\_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true.
most\_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true.
resolve\_conflicts - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE.
configuration\_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. |
object({
enable = bool
before_compute = bool
most_recent = bool
resolve_conflicts = string
configuration_values = map(any) # hcl format later to be json encoded
})
|
{
"before_compute": true,
"configuration_values": {
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
},
"enable": false,
"most_recent": true,
"resolve_conflicts": "OVERWRITE"
}
| no | | [assign\_public\_ip](#input\_assign\_public\_ip) | Whether to assign a public IP to the bastion | `bool` | `false` | no | -| [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with authorized access to KMS and EKS resources | `list(string)` | n/a | yes | +| [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with authorized access to KMS and EKS resources, will automatically add the user running the terraform as an admin | `list(string)` | `[]` | no | | [aws\_node\_termination\_handler\_helm\_config](#input\_aws\_node\_termination\_handler\_helm\_config) | AWS Node Termination Handler Helm Chart config | `any` | `{}` | no | | [bastion\_instance\_type](#input\_bastion\_instance\_type) | value for the instance type of the EKS worker nodes | `string` | `"m5.xlarge"` | no | | [bastion\_name\_prefix](#input\_bastion\_name\_prefix) | The name to use for the bastion | `string` | `"my-bastion"` | no | diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index 2daedc2d..3cf416ad 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -12,8 +12,9 @@ variable "region2" { } variable "aws_admin_usernames" { - description = "A list of one or more AWS usernames with authorized access to KMS and EKS resources" + description = "A list of one or more AWS usernames with authorized access to KMS and EKS resources, will automatically add the user running the terraform as an admin" type = list(string) + default = [] } variable "manage_aws_auth_configmap" { diff --git a/examples/tf-state-backend/main.tf b/examples/tf-state-backend/main.tf index 36139859..927b5092 100644 --- a/examples/tf-state-backend/main.tf +++ b/examples/tf-state-backend/main.tf 
@@ -8,7 +8,10 @@ provider "aws" { data "aws_partition" "current" {} locals { - admin_arns = [for admin in var.aws_admin_usernames : "arn:${data.aws_partition.current.partition}:iam::${var.account}:user/${admin}"] + admin_arns = distinct(concat( + [for admin_user in var.aws_admin_usernames : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:user/${admin_user}"], + [data.aws_caller_identity.current.arn] + )) } module "tfstate_backend" { diff --git a/examples/tf-state-backend/variables.tf b/examples/tf-state-backend/variables.tf index 0383ee26..2132577a 100644 --- a/examples/tf-state-backend/variables.tf +++ b/examples/tf-state-backend/variables.tf @@ -9,8 +9,9 @@ variable "account" { } variable "aws_admin_usernames" { - description = "A list of one or more AWS usernames with authorized access to KMS and EKS resources" + description = "A list of one or more AWS usernames with authorized access to KMS and EKS resources, will automatically add the user running the terraform as an admin" type = list(string) + default = [] } variable "bucket_prefix" { diff --git a/modules/eks/README.md b/modules/eks/README.md index b9d78db6..53b5f9aa 100644 --- a/modules/eks/README.md +++ b/modules/eks/README.md @@ -53,7 +53,7 @@ To view examples for how you can leverage this EKS Module, please see the [examp | [amazon\_eks\_kube\_proxy\_config](#input\_amazon\_eks\_kube\_proxy\_config) | ConfigMap for Amazon EKS Kube-Proxy add-on | `any` | `{}` | no | | [amazon\_eks\_vpc\_cni](#input\_amazon\_eks\_vpc\_cni) | The VPC CNI add-on configuration.
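Review bot: The new `admin_arns` expression reads `data.aws_caller_identity.current`, but the only data source visible in this hunk is `data "aws_partition" "current" {}`; unless `data "aws_caller_identity" "current" {}` is declared elsewhere in examples/tf-state-backend, plan will fail on an undeclared resource, so it belongs next to the partition data source. `var.account` is no longer referenced here while `variable "account"` still exists (visible as context in the variables.tf hunk that follows), so either remove the variable or validate it against `data.aws_caller_identity.current.account_id` so a mismatch is caught rather than silently ignored. The `[data.aws_caller_identity.current.arn]` element also deserves a comment such as `# when run under an assumed role this is an STS session ARN, not a durable principal`, since a grant keyed to a session name will not match a later session; the same pattern already exists in modules/eks/locals.tf.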
enable - (Optional) Whether to enable the add-on. Defaults to false.
before\_compute - (Optional) Whether to create the add-on before the compute resources. Defaults to true.
most\_recent - (Optional) Whether to use the most recent version of the add-on. Defaults to true.
resolve\_conflicts - (Optional) How to resolve parameter value conflicts between the add-on and the cluster. Defaults to OVERWRITE. Valid values: OVERWRITE, NONE, PRESERVE.
configuration\_values - (Optional) A map of configuration values for the add-on. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon for supported values. |
object({
enable = bool
before_compute = bool
most_recent = bool
resolve_conflicts = string
configuration_values = map(any) # hcl format later to be json encoded
})
|
{
"before_compute": true,
"configuration_values": {
"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
"ENABLE_PREFIX_DELEGATION": "true",
"ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
"WARM_PREFIX_TARGET": "1"
},
"enable": false,
"most_recent": true,
"resolve_conflicts": "OVERWRITE"
}
| no | | [aws\_account](#input\_aws\_account) | n/a | `string` | `""` | no | -| [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with authorized access to KMS and EKS resources | `list(string)` | `[]` | no | +| [aws\_admin\_usernames](#input\_aws\_admin\_usernames) | A list of one or more AWS usernames with authorized access to KMS and EKS resources, will automatically add the user running the terraform as an admin | `list(string)` | `[]` | no | | [aws\_auth\_users](#input\_aws\_auth\_users) | List of map of users to add to aws-auth configmap |
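Review bot: Removing the `tags` local is only safe if nothing else in modules/eks still references `local.tags`; the hunk cannot show that, and any surviving reference would fail at plan time with an unsupported-attribute error rather than silently dropping the `Blueprint`/`GithubRepo` tags. Please confirm the module was planned after this removal. The `locals {` block starts outside the hunk.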
list(object({
userarn = string
username = string
groups = list(string)
}))
| `[]` | no | | [aws\_node\_termination\_handler\_helm\_config](#input\_aws\_node\_termination\_handler\_helm\_config) | AWS Node Termination Handler Helm Chart config | `any` | `{}` | no | | [aws\_region](#input\_aws\_region) | n/a | `string` | `""` | no | diff --git a/modules/eks/locals.tf b/modules/eks/locals.tf index eb70055a..1f02019a 100644 --- a/modules/eks/locals.tf +++ b/modules/eks/locals.tf @@ -4,10 +4,6 @@ locals { # var.cluster_name is for Terratest cluster_name = coalesce(var.cluster_name, var.name) - tags = { - Blueprint = var.name - GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints" - } admin_arns = distinct(concat( [for admin_user in var.aws_admin_usernames : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:user/${admin_user}"], [data.aws_caller_identity.current.arn] diff --git a/modules/eks/variables.tf b/modules/eks/variables.tf index f5c23a42..95fd07a4 100644 --- a/modules/eks/variables.tf +++ b/modules/eks/variables.tf @@ -65,7 +65,7 @@ variable "kms_key_administrators" { } variable "aws_admin_usernames" { - description = "A list of one or more AWS usernames with authorized access to KMS and EKS resources" + description = "A list of one or more AWS usernames with authorized access to KMS and EKS resources, will automatically add the user running the terraform as an admin" type = list(string) default = [] } From 190a715472e0f032469452605a3d35b3c3b63366 Mon Sep 17 00:00:00 2001 From: Zack Annexstein Date: Wed, 22 Mar 2023 11:29:28 -0700 Subject: [PATCH 45/46] ignore lockfile for pre-commit things --- .pre-commit-config.yaml | 2 ++ examples/complete-self-managed-nodegroup/README.md | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index ac1dd037..a295da1e 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -43,6 +43,8 @@ repos: hooks: - id: terraform_fmt - id: terraform_docs + args: + - --args=--lockfile=false - id: terraform_checkov verbose: true args: diff --git a/examples/complete-self-managed-nodegroup/README.md b/examples/complete-self-managed-nodegroup/README.md index 06920924..5527af38 100644 --- a/examples/complete-self-managed-nodegroup/README.md +++ b/examples/complete-self-managed-nodegroup/README.md @@ -198,7 +198,7 @@ terraform destroy -auto-approve | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.59.0 | +| [aws](#provider\_aws) | >= 4.9 | ## Modules From e19373f1149f8240329e028ddb6e763ef5a4b0d1 Mon Sep 17 00:00:00 2001 From: Zack A <24322023+zack-is-cool@users.noreply.github.com> Date: Wed, 22 Mar 2023 12:45:00 -0700 Subject: [PATCH 46/46] Remove Blank line from .gitiignore Signed-off-by: Zack A <24322023+zack-is-cool@users.noreply.github.com> --- .gitignore | 1 - 1 file changed, 1 deletion(-) diff --git a/.gitignore b/.gitignore index 65cc40e0..44c22512 100644 --- a/.gitignore +++ b/.gitignore @@ -6,7 +6,6 @@ .terraform/ *.terraform.* - # .tfstate files *.tfstate *.tfstate.*