diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl index 56c3229..508dd05 100644 --- a/.terraform.lock.hcl +++ b/.terraform.lock.hcl @@ -2,8 +2,7 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "5.49.0" - constraints = "5.49.0" + version = "5.49.0" hashes = [ "h1:BKrMq4aIOvXbJA9fd0kdmIm3Q01MQcheDIEzXtrkNf4=", "h1:EMzIW40AXkmr5qYv2ynb6ToWO7oRwMNYHwHo20kXAdY=", @@ -28,13 +27,9 @@ provider "registry.terraform.io/hashicorp/aws" { } provider "registry.terraform.io/hashicorp/cloudinit" { - version = "2.3.4" - constraints = "2.3.4" + version = "2.3.4" hashes = [ - "h1:/Ty/HXg0Bti5T+Zk6XvhwEHyKGiOV5LzCrbLiekjuLU=", "h1:S3j8poSaLbaftlKq2STBkQEkZH253ZLaHhBHBifdpBQ=", - "h1:cVIIhnXweOHavu1uV2bdKScTjLbM1WnKM/25wqYBJWo=", - "h1:pb1C8Lrfp4VnPRm6Uo+jEWbKvqsGunHxDO7pWtc/yRI=", "zh:09f1f1e1d232da96fbf9513b0fb5263bc2fe9bee85697aa15d40bb93835efbeb", "zh:381e74b90d7a038c3a8dcdcc2ce8c72d6b86da9f208a27f4b98cabe1a1032773", "zh:398eb321949e28c4c5f7c52e9b1f922a10d0b2b073b7db04cb69318d24ffc5a9", @@ -50,29 +45,6 @@ provider "registry.terraform.io/hashicorp/cloudinit" { ] } -provider "registry.terraform.io/hashicorp/kubernetes" { - version = "2.30.0" - constraints = "2.30.0" - hashes = [ - "h1:+Je5UPTWMmO4eG5ep1WfujkXQI9tDk0OsMU4olU76Bg=", - "h1:UNl9l/iN6mrImpC7PNxdx93ycl3iLQdBKoYmCw8rYDc=", - "h1:wRVWY3sK32BNInDOlQnoGSmL638f3jjLFypCAotwpc8=", - "h1:z0Gy1p59XfS9MawIqCck7m2eeEEhAj6D7n8Ngglu8vE=", - "zh:06531333a72fe6d2829f37a328e08a3fc4ed66226344a003b62418a834ac6c69", - "zh:34480263939ef5007ce65c9f4945df5cab363f91e5260ae552bcd9f2ffeed444", - "zh:59e71f9177da570c33507c44828288264c082d512138c5755800f2cd706c62bc", - "zh:6e979b0c07326f9c8d1999096a920322d22261ca61d346b3a9775283d00a2fa5", - "zh:73e3f228de0077b5c0a84ec5b1ada507fbb3456cba35a6b5758723f77715b7af", - "zh:79e0de985159c056f001cc47a654620d51f5d55f554bcbcde1fe7d52f667db40", - "zh:8accb9100f609377db42e3ced42cc9d5c36065a06644dfb21d3893bb8d4797fd", - "zh:9f99aa0bf5caa4223a7dbf5d22d71c16083e782c4eea4b0130abfd6e6f1cec18", - "zh:bcb2ad76ad05ec23f8da62231a2360d1f70bbcd28abd06b8458a9e2f17da7873", - "zh:bce317d7790c2d3c4e724726dc78070db28daf7d861faa646fc891fe28842a29", - "zh:ed0a8e7fa8a1c419a19840b421d18200c3a63cf16ccbcbc400cb375d5397f615", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} - provider "registry.terraform.io/hashicorp/local" { version = "2.5.1" hashes = [ @@ -94,71 +66,3 @@ provider "registry.terraform.io/hashicorp/local" { "zh:dfcd88ac5f13c0d04e24be00b686d069b4879cc4add1b7b1a8ae545783d97520", ] } - -provider "registry.terraform.io/hashicorp/random" { - version = "3.6.1" - hashes = [ - "h1:12+TxYsSS5bzT7uiE2w0ke2WxmhehRV7uKU1wKUUnmM=", - "h1:1OlP753r4lOKlBprL0HdZGWerm5DCabD5Mli8k8lWAg=", - "h1:8iqExjtAvirFTJkpm5YyYD+fC+DGV8NTJzKsE2c70VA=", - "h1:a+Goawwh6Qtg4/bRWzfDtIdrEFfPlnVy0y4LdUQY3nI=", - "zh:2a0ec154e39911f19c8214acd6241e469157489fc56b6c739f45fbed5896a176", - "zh:57f4e553224a5e849c99131f5e5294be3a7adcabe2d867d8a4fef8d0976e0e52", - "zh:58f09948c608e601bd9d0a9e47dcb78e2b2c13b4bda4d8f097d09152ea9e91c5", - "zh:5c2a297146ed6fb3fe934c800e78380f700f49ff24dbb5fb5463134948e3a65f", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:7ce41e26f0603e31cdac849085fc99e5cd5b3b73414c6c6d955c0ceb249b593f", - "zh:8c9e8d30c4ef08ee8bcc4294dbf3c2115cd7d9049c6ba21422bd3471d92faf8a", - "zh:93e91be717a7ffbd6410120eb925ebb8658cc8f563de35a8b53804d33c51c8b0", - "zh:982542e921970d727ce10ed64795bf36c4dec77a5db0741d4665230d12250a0d", - "zh:b9d1873f14d6033e216510ef541c891f44d249464f13cc07d3f782d09c7d18de", - "zh:cfe27faa0bc9556391c8803ade135a5856c34a3fe85b9ae3bdd515013c0c87c1", - "zh:e4aabf3184bbb556b89e4b195eab1514c86a2914dd01c23ad9813ec17e863a8a", - ] -} - -provider "registry.terraform.io/hashicorp/time" { - version = "0.11.1" - constraints = "0.11.1" - hashes = [ - "h1:IkDriv5C9G+kQQ+mP+8QGIahwKgbQcw1/mzh9U6q+ZI=", - "h1:UyhbtF79Wy4EVNrnvMcOPzmZLVQQyzM2ostfjs2l5PI=", - "h1:lRdsNTvt4IT3LGDrgQbepriDTbMKbIsbceTbM/bLGfw=", - "h1:pQGSL9mdgw4qsLndFYsEF93mbsIxyxNoAyIbBqhS3Xo=", - "zh:19a393db736ec4fd024d098d55aefaef07056c37a448ece3b55b3f5f4c2c7e4a", - "zh:227fa1e221de2907f37be78d40c06ca6a6f7b243a1ec33ade014dfaf6d92cd9c", - "zh:29970fecbf4a3ca23bacbb05d6b90cdd33dd379f90059fe39e08289951502d9f", - "zh:65024596f22f10e7dcb5e0e4a75277f275b529daa0bc0daf34ca7901c678ab88", - "zh:694d080cb5e3bf5ef08c7409208d061c135a4f5f4cdc93ea8607860995264b2e", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:b29d15d13e1b3412e6a4e1627d378dbd102659132f7488f64017dd6b6d5216d3", - "zh:bb79f4cae9f8c17c73998edc54aa16c2130a03227f7f4e71fc6ac87e230575ec", - "zh:ceccf80e95929d97f62dcf1bb3c7c7553d5757b2d9e7d222518722fc934f7ad5", - "zh:f40e638336527490e294d9c938ae55919069e6987e85a80506784ba90348792a", - "zh:f99ef33b1629a3b2278201142a3011a8489e66d92da832a5b99e442204de18fb", - "zh:fded14754ea46fdecc62a52cd970126420d4cd190e598cb61190b4724a727edb", - ] -} - -provider "registry.terraform.io/hashicorp/tls" { - version = "4.0.5" - constraints = "4.0.5" - hashes = [ - "h1:e4LBdJoZJNOQXPWgOAG0UuPBVhCStu98PieNlqJTmeU=", - "h1:kcw9sNLNFMY2S0HIGOkjlwKtUc8lpqZsQGsC2SG9xEQ=", - "h1:yLqz+skP3+EbU3yyvw8JqzflQTKDQGsC9QyZAg+S4dg=", - "h1:zeG5RmggBZW/8JWIVrdaeSJa0OG62uFX5HY1eE8SjzY=", - "zh:01cfb11cb74654c003f6d4e32bbef8f5969ee2856394a96d127da4949c65153e", - "zh:0472ea1574026aa1e8ca82bb6df2c40cd0478e9336b7a8a64e652119a2fa4f32", - "zh:1a8ddba2b1550c5d02003ea5d6cdda2eef6870ece86c5619f33edd699c9dc14b", - "zh:1e3bb505c000adb12cdf60af5b08f0ed68bc3955b0d4d4a126db5ca4d429eb4a", - "zh:6636401b2463c25e03e68a6b786acf91a311c78444b1dc4f97c539f9f78de22a", - "zh:76858f9d8b460e7b2a338c477671d07286b0d287fd2d2e3214030ae8f61dd56e", - "zh:a13b69fb43cb8746793b3069c4d897bb18f454290b496f19d03c3387d1c9a2dc", - "zh:a90ca81bb9bb509063b736842250ecff0f886a91baae8de65c8430168001dad9", - "zh:c4de401395936e41234f1956ebadbd2ed9f414e6908f27d578614aaa529870d4", - "zh:c657e121af8fde19964482997f0de2d5173217274f6997e16389e7707ed8ece8", - "zh:d68b07a67fbd604c38ec9733069fbf23441436fecf554de6c75c032f82e1ef19", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} diff --git a/Jenkinsfile_k8s b/Jenkinsfile_k8s index 2c3e57e..7e1b0bf 100644 --- a/Jenkinsfile_k8s +++ b/Jenkinsfile_k8s @@ -14,10 +14,11 @@ parallel( ], ) }, - 'updatecli': { - updatecli(action: 'diff') - if (env.BRANCH_IS_PRIMARY) { - updatecli(action: 'apply', cronTriggerExpression: '@daily') - } - }, + // TODO:; split into 2 jobs + // 'updatecli': { + // updatecli(action: 'diff') + // if (env.BRANCH_IS_PRIMARY) { + // updatecli(action: 'apply', cronTriggerExpression: '@daily') + // } + // }, ) diff --git a/ci.jenkins.io.tf b/ci.jenkins.io.tf deleted file mode 100644 index 27ef97a..0000000 --- a/ci.jenkins.io.tf +++ /dev/null @@ -1,94 +0,0 @@ -# Service: ci.jenkins.io - -########################################################################################################################################################## -## Section: S3 Bucket used for storing Artifact and stashes -## This bucket does not need logging, versionning nor encryption as all objects are public -#trivy:ignore:AVD-AWS-0089 trivy:ignore:aws-s3-enable-versioning trivy:ignore:aws-s3-enable-bucket-logging trivy:ignore:aws-s3-encryption-customer-key trivy:ignore:aws-s3-enable-bucket-encryption -resource "aws_s3_bucket" "ci_jenkins_io_artifacts" { - bucket = "ci-jenkins-io-artifacts" - - force_destroy = true - - tags = { - jenkins = "ci.jenkins.io" - } -} - -resource "aws_s3_bucket_public_access_block" "ci_jenkins_io_artifacts" { - bucket = aws_s3_bucket.ci_jenkins_io_artifacts.id - block_public_acls = true - block_public_policy = true - ignore_public_acls = true - restrict_public_buckets = true -} - -#trivy:ignore:AVD-AWS-0143 -resource "aws_iam_user" "ci_jenkins_io_artifacts" { - name = "ci-jenkins-io-artifacts" - - tags = { - jenkins = "ci.jenkins.io" - } -} - -resource "aws_iam_access_key" "ci_jenkins_io_artifacts" { - user = aws_iam_user.ci_jenkins_io_artifacts.name - # No pgp_key provided: the secret value is unencrypted in the state file (which is fine: we encrypt the state file here with sops) -} - -resource "aws_iam_policy" "ci_jenkins_io_artifacts" { - name = "ci-jenkins-io-artifacts" - description = "S3 Artifact Manager for ci.jenkins.io" - - policy = data.aws_iam_policy_document.ci_jenkins_io_artifacts_iam.json -} - -data "aws_iam_policy_document" "ci_jenkins_io_artifacts_iam" { - statement { - actions = ["s3:ListBucket"] - resources = [aws_s3_bucket.ci_jenkins_io_artifacts.arn] - effect = "Allow" - } - statement { - actions = [ - "s3:GetBucketLocation", - "s3:GetObject", - "s3:DeleteObject", - "s3:ListObjects", - - ] - resources = [aws_s3_bucket.ci_jenkins_io_artifacts.arn] - effect = "Allow" - } -} - -resource "aws_iam_user_policy_attachment" "ci_jenkins_io_artifacts" { - user = resource.aws_iam_user.ci_jenkins_io_artifacts.name - policy_arn = aws_iam_policy.ci_jenkins_io_artifacts.arn -} - -resource "aws_s3_bucket_policy" "ci_jenkins_io_artifacts" { - bucket = aws_s3_bucket.ci_jenkins_io_artifacts.id - policy = data.aws_iam_policy_document.ci_jenkins_io_artifacts_objects.json -} - -data "aws_iam_policy_document" "ci_jenkins_io_artifacts_objects" { - statement { - principals { - type = "AWS" - identifiers = [resource.aws_iam_user.ci_jenkins_io_artifacts.arn] - } - - actions = [ - "s3:PutObject", - "s3:GetObject", - ] - - resources = [ - aws_s3_bucket.ci_jenkins_io_artifacts.arn, - "${aws_s3_bucket.ci_jenkins_io_artifacts.arn}/*", - ] - } -} -# End of S3 Bucket Section -########################################################################################################################################################## diff --git a/cik8s-cluster.tf b/cik8s-cluster.tf deleted file mode 100644 index cc6af68..0000000 --- a/cik8s-cluster.tf +++ /dev/null @@ -1,260 +0,0 @@ -# Define a KMS main key to encrypt the EKS cluster -resource "aws_kms_key" "cik8s" { - description = "EKS Secret Encryption Key for the cluster ${local.cik8s_cluster_name}" - enable_key_rotation = true - - tags = merge(local.common_tags, { - associated_service = "eks/${local.cik8s_cluster_name}" - }) -} - -# EKS Cluster definition -module "cik8s" { - source = "terraform-aws-modules/eks/aws" - version = "19.21.0" - cluster_name = local.cik8s_cluster_name - # Kubernetes version in format '.', as per https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html - cluster_version = "1.27" - # Start is inclusive, end is exclusive (!): from index 0 to index 2 (https://www.terraform.io/language/functions/slice) - # We're using the 3 first private_subnets defined in vpc.tf for this cluster - subnet_ids = slice(module.vpc.private_subnets, 0, 3) - # Required to allow EKS service accounts to authenticate to AWS API through OIDC (and assume IAM roles) - # useful for autoscaler, EKS addons and any AWS APi usage - enable_irsa = true - - # Specifying the kubernetes provider to use for this cluster - # Note: this should be done AFTER initial cluster creation (bootstrap) - providers = { - kubernetes = kubernetes.cik8s - } - - create_kms_key = false - cluster_encryption_config = { - provider_key_arn = aws_kms_key.cik8s.arn - resources = ["secrets"] - } - - create_aws_auth_configmap = true - manage_aws_auth_configmap = true - - cluster_endpoint_public_access = true - - aws_auth_users = local.configmap_iam_admin_accounts - - aws_auth_accounts = [ - local.aws_account_id, - ] - - create_cluster_primary_security_group_tags = false - - # Do not use interpolated values from `local` in either keys and values of provided tags (or `cluster_tags) - # To avoid having and implicit dependency to a resource not available when parsing the module (infamous errror `Error: Invalid for_each argument`) - # Ref. same error as having a `depends_on` in https://github.com/terraform-aws-modules/terraform-aws-eks/issues/2337 - tags = merge(local.common_tags, { - Environment = "jenkins-infra-${terraform.workspace}" - GithubRepo = "aws" - GithubOrg = "jenkins-infra" - - associated_service = "eks/cik8s" - }) - - # VPC is defined in vpc.tf - vpc_id = module.vpc.vpc_id - - ## Manage EKS addons with module - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon - # See new versions with `aws eks describe-addon-versions --kubernetes-version --addon-name ` - cluster_addons = { - # https://github.com/coredns/coredns/releases - coredns = { - addon_version = "v1.10.1-eksbuild.7" - } - # Kube-proxy on an Amazon EKS cluster has the same compatibility and skew policy as Kubernetes - # See https://kubernetes.io/releases/version-skew-policy/#kube-proxy - kube-proxy = { - addon_version = "v1.27.10-eksbuild.2" - } - # https://github.com/aws/amazon-vpc-cni-k8s/releases - vpc-cni = { - addon_version = "v1.16.4-eksbuild.2" - } - # https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/CHANGELOG.md - aws-ebs-csi-driver = { - addon_version = "v1.28.0-eksbuild.1" - } - } - - eks_managed_node_groups = { - tiny_ondemand_linux = { - # This worker pool is expected to host the "technical" services such as pod autoscaler, etc. - name = "tiny-ondemand-linux" - instance_types = ["t3a.xlarge"] - capacity_type = "ON_DEMAND" - min_size = 1 - max_size = 2 # Allow manual scaling when running operations or upgrades - desired_size = 1 - bootstrap_extra_args = "--kubelet-extra-args '--node-labels=node.kubernetes.io/lifecycle=normal'" - suspended_processes = ["AZRebalance"] - tags = merge(local.common_tags, { - "k8s.io/cluster-autoscaler/enabled" = false # No autoscaling for these 2 machines - }), - attach_cluster_primary_security_group = true - }, - # This list of worker pool is aimed at mixed spot instances type, to ensure that we always get the most available (e.g. the cheaper) spot size - # as per https://aws.amazon.com/blogs/compute/cost-optimization-and-resilience-eks-with-spot-instances/ - # Pricing table for 2023: https://docs.google.com/spreadsheets/d/1_C0I0jE-X0e0vDcdKOFIWcnwpOqWC8RQ4YOCgXNnplY/edit?usp=sharing - spot_linux_4xlarge = { - # 4xlarge: Instances supporting 3 pods (limited to 4 vCPUs/8 Gb) each with 1 vCPU/1Gb margin - name = "spot-linux-4xlarge" - capacity_type = "SPOT" - # Less than 5% eviction rate, cost below $0.08 per pod per hour - instance_types = [ - "c5.4xlarge", - "c5a.4xlarge" - ] - block_device_mappings = { - xvda = { - device_name = "/dev/xvda" - ebs = { - volume_size = 90 # With 3 pods / machine, that can use ~30 Gb each at the same time (`emptyDir`) - volume_type = "gp3" - iops = 3000 # Max included with gp3 without additional cost - throughput = 125 # Max included with gp3 without additional cost - encrypted = false - delete_on_termination = true - } - } - } - spot_instance_pools = 3 # Amount of different instance that we can use - min_size = 0 - max_size = 50 - desired_size = 0 - kubelet_extra_args = "--node-labels=node.kubernetes.io/lifecycle=spot" - tags = merge(local.common_tags, { - "k8s.io/cluster-autoscaler/enabled" = true, - "k8s.io/cluster-autoscaler/${local.cik8s_cluster_name}" = "owned", - "ci.jenkins.io/agents-density" = 3, - }) - attach_cluster_primary_security_group = true - labels = { - "ci.jenkins.io/agents-density" = 3, - } - }, - # This list of worker pool is aimed at mixed spot instances type, to ensure that we always get the most available (e.g. the cheaper) spot size - # as per https://aws.amazon.com/blogs/compute/cost-optimization-and-resilience-eks-with-spot-instances/ - # Pricing table for 2023: https://docs.google.com/spreadsheets/d/1_C0I0jE-X0e0vDcdKOFIWcnwpOqWC8RQ4YOCgXNnplY/edit?usp=sharing - spot_linux_4xlarge_bom = { - # 4xlarge: Instances supporting 3 pods (limited to 4 vCPUs/8 Gb) each with 1 vCPU/1Gb margin - name = "spot-linux-4xlarge-bom" - capacity_type = "SPOT" - # Less than 5% eviction rate, cost below $0.08 per pod per hour - instance_types = [ - "c5.4xlarge", - "c5a.4xlarge" - ] - block_device_mappings = { - xvda = { - device_name = "/dev/xvda" - ebs = { - volume_size = 90 # With 3 pods / machine, that can use ~30 Gb each at the same time (`emptyDir`) - volume_type = "gp3" - iops = 3000 # Max included with gp3 without additional cost - throughput = 125 # Max included with gp3 without additional cost - encrypted = false - delete_on_termination = true - } - } - } - spot_instance_pools = 3 # Amount of different instance that we can use - min_size = 0 - max_size = 50 - desired_size = 0 - kubelet_extra_args = "--node-labels=node.kubernetes.io/lifecycle=spot" - tags = merge(local.common_tags, { - "k8s.io/cluster-autoscaler/enabled" = true, - "k8s.io/cluster-autoscaler/${local.cik8s_cluster_name}" = "owned", - "ci.jenkins.io/agents-density" = 3, - }) - attach_cluster_primary_security_group = true - labels = { - "ci.jenkins.io/agents-density" = 3, - "ci.jenkins.io/bom" = true, - } - taints = [ - { - key = "ci.jenkins.io/bom" - value = "true" - effect = "NO_SCHEDULE" - } - ] - }, - spot_linux_24xlarge_bom = { - # 24xlarge: Instances supporting 23 pods (limited to 4 vCPUs/8 Gb) each with 1 vCPU/1Gb margin - name = "spot-linux-24xlarge" - capacity_type = "SPOT" - # Less than 5% eviction rate, cost below $0.05 per pod per hour - instance_types = [ - "m5.24xlarge", - "c5.24xlarge", - ] - block_device_mappings = { - xvda = { - device_name = "/dev/xvda" - ebs = { - volume_size = 575 # With 23 pods / machine, that can use ~25 Gb each at the same time (`emptyDir`) - volume_type = "gp3" - iops = 3000 # Max included with gp3 without additional cost - throughput = 125 # Max included with gp3 without additional cost - encrypted = false - delete_on_termination = true - } - } - } - spot_instance_pools = 2 # Amount of different instance that we can use - min_size = 0 - max_size = 15 - desired_size = 0 - kubelet_extra_args = "--node-labels=node.kubernetes.io/lifecycle=spot" - tags = merge(local.common_tags, { - "k8s.io/cluster-autoscaler/enabled" = true, - "k8s.io/cluster-autoscaler/${local.cik8s_cluster_name}" = "owned", - }) - attach_cluster_primary_security_group = true - labels = { - "ci.jenkins.io/agents-density" = 23, - } - taints = [ - { - key = "ci.jenkins.io/bom" - value = "true" - effect = "NO_SCHEDULE" - } - ] - }, - } - - # Allow egress from nodes (and pods...) - node_security_group_additional_rules = { - egress_jenkins_jnlp = { - description = "Allow egress to Jenkins TCP" - protocol = "TCP" - from_port = 50000 - to_port = 50000 - type = "egress" - cidr_blocks = ["0.0.0.0/0"] - ipv6_cidr_blocks = ["::/0"] - }, - egress_http = { - description = "Allow egress to plain HTTP" - protocol = "TCP" - from_port = 80 - to_port = 80 - type = "egress" - cidr_blocks = ["0.0.0.0/0"] - ipv6_cidr_blocks = ["::/0"] - }, - } -} - -data "aws_eks_cluster_auth" "cik8s" { - name = local.cik8s_cluster_name -} diff --git a/eks-public-cluster.tf b/eks-public-cluster.tf deleted file mode 100644 index d2d3f95..0000000 --- a/eks-public-cluster.tf +++ /dev/null @@ -1,113 +0,0 @@ -# Define a KMS main key to encrypt the EKS cluster -resource "aws_kms_key" "eks_public" { - description = "EKS Secret Encryption Key for the cluster ${local.public_cluster_name}" - enable_key_rotation = true - - tags = merge(local.common_tags, { - associated_service = "eks/${local.public_cluster_name}" - }) -} - -# EKS Cluster definition -module "eks-public" { - source = "terraform-aws-modules/eks/aws" - version = "19.21.0" - cluster_name = local.public_cluster_name - # Kubernetes version in format '.', as per https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html - cluster_version = "1.27" - # Start is inclusive, end is exclusive (!): from index 3 to index 5 (https://www.terraform.io/language/functions/slice) - # We're using the 3 last private_subnets defined in vpc.tf for this cluster - subnet_ids = slice(module.vpc.private_subnets, 3, 6) - # Required to allow EKS service accounts to authenticate to AWS API through OIDC (and assume IAM roles) - # useful for autoscaler, EKS addons, NLB and any AWS API usage - # See list at https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-role-for-service-accounts-eks - enable_irsa = true - - # Specifying the kubernetes provider to use for this cluster - # Note: this should be done AFTER initial cluster creation (bootstrap) - providers = { - kubernetes = kubernetes.eks-public - } - - create_kms_key = false - cluster_encryption_config = { - provider_key_arn = aws_kms_key.eks_public.arn - resources = ["secrets"] - } - - create_cluster_primary_security_group_tags = false - - # Do not use interpolated values from `local` in either keys and values of provided tags (or `cluster_tags) - # To avoid having and implicit dependency to a resource not available when parsing the module (infamous errror `Error: Invalid for_each argument`) - # Ref. same error as having a `depends_on` in https://github.com/terraform-aws-modules/terraform-aws-eks/issues/2337 - tags = merge(local.common_tags, { - Environment = "jenkins-infra-${terraform.workspace}" - GithubRepo = "aws" - GithubOrg = "jenkins-infra" - associated_service = "eks/eks-public" - }) - - # VPC is defined in vpc.tf - vpc_id = module.vpc.vpc_id - - ## Manage EKS addons with module - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon - # See new versions with `aws eks describe-addon-versions --kubernetes-version --addon-name ` - cluster_addons = { - # https://github.com/coredns/coredns/releases - coredns = { - addon_version = "v1.10.1-eksbuild.7" - } - # Kube-proxy on an Amazon EKS cluster has the same compatibility and skew policy as Kubernetes - # See https://kubernetes.io/releases/version-skew-policy/#kube-proxy - kube-proxy = { - addon_version = "v1.27.10-eksbuild.2" - } - # https://github.com/aws/amazon-vpc-cni-k8s/releases - vpc-cni = { - addon_version = "v1.16.4-eksbuild.2" - } - # https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/CHANGELOG.md - aws-ebs-csi-driver = { - addon_version = "v1.28.0-eksbuild.1" - } - } - - eks_managed_node_group_defaults = { - instance_types = ["t3a.xlarge"] - capacity_type = "ON_DEMAND" - bootstrap_extra_args = "--kubelet-extra-args '--node-labels=node.kubernetes.io/lifecycle=normal'" - suspended_processes = ["AZRebalance"] - tags = merge(local.common_tags, { - "k8s.io/cluster-autoscaler/enabled" = true # Autoscaling enabled - "k8s.io/cluster-autoscaler/${local.public_cluster_name}" = "owned", - }), - } - - eks_managed_node_groups = { - # 1 subnet per node poole == 1 AZ per node pool - default_linux_az1 = { - # This worker pool is expected to host the "technical" services (such as the autoscaler, the load balancer controller, etc.) and the public services like artifact-caching-proxy - name = "eks-public-linux-az1" - min_size = 0 - max_size = 4 - desired_size = 2 - subnet_ids = [element(module.vpc.private_subnets, 0)] - }, - } - - create_aws_auth_configmap = true - manage_aws_auth_configmap = true - - cluster_endpoint_public_access = true - - aws_auth_users = local.configmap_iam_admin_accounts - - aws_auth_accounts = [ - local.aws_account_id, - ] -} - -# Reference to allow configuration of the Terraform's kubernetes provider (in providers.tf) -data "aws_eks_cluster_auth" "public-cluster" { - name = module.eks-public.cluster_name -} diff --git a/iam-nlb-policy.json b/iam-nlb-policy.json deleted file mode 100644 index e8a05f8..0000000 --- a/iam-nlb-policy.json +++ /dev/null @@ -1,242 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "iam:CreateServiceLinkedRole" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeAddresses", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInternetGateways", - "ec2:DescribeVpcs", - "ec2:DescribeVpcPeeringConnections", - "ec2:DescribeSubnets", - "ec2:DescribeSecurityGroups", - "ec2:DescribeInstances", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribeTags", - "ec2:GetCoipPoolUsage", - "ec2:DescribeCoipPools", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeListenerCertificates", - "elasticloadbalancing:DescribeSSLPolicies", - "elasticloadbalancing:DescribeRules", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:DescribeTags", - "elasticloadbalancing:DescribeTrustStores" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "cognito-idp:DescribeUserPoolClient", - "acm:ListCertificates", - "acm:DescribeCertificate", - "iam:ListServerCertificates", - "iam:GetServerCertificate", - "waf-regional:GetWebACL", - "waf-regional:GetWebACLForResource", - "waf-regional:AssociateWebACL", - "waf-regional:DisassociateWebACL", - "wafv2:GetWebACL", - "wafv2:GetWebACLForResource", - "wafv2:AssociateWebACL", - "wafv2:DisassociateWebACL", - "shield:GetSubscriptionState", - "shield:DescribeProtection", - "shield:CreateProtection", - "shield:DeleteProtection" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "ec2:AuthorizeSecurityGroupIngress", - "ec2:RevokeSecurityGroupIngress" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "ec2:CreateSecurityGroup" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "ec2:CreateTags" - ], - "Resource": "arn:aws:ec2:*:*:security-group/*", - "Condition": { - "StringEquals": { - "ec2:CreateAction": "CreateSecurityGroup" - }, - "Null": { - "aws:RequestTag/elbv2.k8s.aws/cluster": "false" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "ec2:CreateTags", - "ec2:DeleteTags" - ], - "Resource": "arn:aws:ec2:*:*:security-group/*", - "Condition": { - "Null": { - "aws:RequestTag/elbv2.k8s.aws/cluster": "true", - "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "ec2:AuthorizeSecurityGroupIngress", - "ec2:RevokeSecurityGroupIngress", - "ec2:DeleteSecurityGroup" - ], - "Resource": "*", - "Condition": { - "Null": { - "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateTargetGroup" - ], - "Resource": "*", - "Condition": { - "Null": { - "aws:RequestTag/elbv2.k8s.aws/cluster": "false" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:CreateRule", - "elasticloadbalancing:DeleteRule" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:RemoveTags" - ], - "Resource": [ - "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*" - ], - "Condition": { - "Null": { - "aws:RequestTag/elbv2.k8s.aws/cluster": "true", - "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:RemoveTags" - ], - "Resource": [ - "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*", - "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:SetIpAddressType", - "elasticloadbalancing:SetSecurityGroups", - "elasticloadbalancing:SetSubnets", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:ModifyTargetGroupAttributes", - "elasticloadbalancing:DeleteTargetGroup" - ], - "Resource": "*", - "Condition": { - "Null": { - "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:AddTags" - ], - "Resource": [ - "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*" - ], - "Condition": { - "StringEquals": { - "elasticloadbalancing:CreateAction": [ - "CreateTargetGroup", - "CreateLoadBalancer" - ] - }, - "Null": { - "aws:RequestTag/elbv2.k8s.aws/cluster": "false" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:DeregisterTargets" - ], - "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*" - }, - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:SetWebAcl", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:AddListenerCertificates", - "elasticloadbalancing:RemoveListenerCertificates", - "elasticloadbalancing:ModifyRule" - ], - "Resource": "*" - } - ] -} diff --git a/iam-roles-eks.tf b/iam-roles-eks.tf deleted file mode 100644 index 0925922..0000000 --- a/iam-roles-eks.tf +++ /dev/null @@ -1,254 +0,0 @@ -# https://docs.aws.amazon.com/eks/latest/userguide/csi-iam-role.html -resource "aws_iam_policy" "ebs_csi" { - name = "AmazonEBSCSIDriverPolicy" - description = "EKS EBS CSI policy" - policy = data.aws_iam_policy_document.ebs.json -} - -resource "aws_iam_policy" "cluster_nlb" { - name = "AWSLoadBalancerControllerIAMPolicy" - description = "EKS cluster-nlb policy" - # JSON from https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.7.2/docs/install/iam_policy.json - # Cf https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html - policy = file("iam-nlb-policy.json") #trivy:ignore:aws-iam-no-policy-wildcards -} - -## https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/install.md#set-up-driver-permission -## No restriction on the resources: either managed outside terraform, or already scoped by conditions -#trivy:ignore:aws-iam-no-policy-wildcards -data "aws_iam_policy_document" "ebs" { - statement { - sid = "ebsGrant" - effect = "Allow" - - actions = [ - "kms:CreateGrant", - "kms:ListGrants", - "kms:RevokeGrant" - ] - - condition { - test = "StringEquals" - variable = "kms:GrantIsForAWSResource" - values = ["true"] - } - - ## Allow wildcard for resource as it's used to request AMIs with their IDs unknwon in Terraform - #trivy:ignore:aws-iam-no-policy-wildcards - resources = ["*"] - } - - statement { - sid = "ebsEncryption" - effect = "Allow" - - actions = [ - "kms:Encrypt", - "kms:Decrypt", - "kms:ReEncrypt*", - "kms:GenerateDataKey*", - "kms:DescribeKey" - ] - - ## Allow wildcard for resource as it's used to request AMIs with their IDs unknwon in Terraform - #trivy:ignore:aws-iam-no-policy-wildcards - resources = ["*"] - } - - statement { - sid = "ec2VolumesManagement" - effect = "Allow" - - actions = [ - "ec2:CreateSnapshot", - "ec2:AttachVolume", - "ec2:DetachVolume", - "ec2:ModifyVolume", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInstances", - "ec2:DescribeSnapshots", - "ec2:DescribeTags", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications" - ] - - ## Allow wildcard for resource as it's used to request AMIs with their IDs unknwon in Terraform - #trivy:ignore:aws-iam-no-policy-wildcards - resources = ["*"] - } - - statement { - sid = "ec2CreateTags" - effect = "Allow" - - actions = [ - "ec2:CreateTags" - ] - - ## Allow wildcard for resource as it's used to request AMIs with their IDs unknwon in Terraform - #trivy:ignore:aws-iam-no-policy-wildcards - resources = [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*", - ] - - condition { - test = "StringEquals" - variable = "ec2:CreateAction" - values = ["CreateVolume", "CreateSnapshot"] - } - } - - statement { - sid = "ec2DeleteTags" - effect = "Allow" - - actions = [ - "ec2:DeleteTags" - ] - - ## Allow wildcard for resource as it's used to request AMIs with their IDs unknwon in Terraform - #trivy:ignore:aws-iam-no-policy-wildcards - resources = [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*", - ] - } - - statement { - effect = "Allow" - actions = [ - "ec2:CreateVolume" - ] - - ## Allow wildcard for resource as it's used to request AMIs with their IDs unknwon in Terraform - #trivy:ignore:aws-iam-no-policy-wildcards - resources = ["*"] - - condition { - test = "StringLike" - variable = "aws:RequestTag/ebs.csi.aws.com/cluster" - values = ["true"] - } - } - - statement { - effect = "Allow" - actions = [ - "ec2:CreateVolume" - ] - - ## Allow wildcard for resource as it's used to request AMIs with their IDs unknwon in Terraform - #trivy:ignore:aws-iam-no-policy-wildcards - resources = ["*"] - - condition { - test = "StringLike" - variable = "aws:RequestTag/CSIVolumeName" - values = ["*"] - } - } - - statement { - effect = "Allow" - actions = [ - "ec2:CreateVolume" - ] - - ## Allow wildcard for resource as it's used to request AMIs with their IDs unknwon in Terraform - #trivy:ignore:aws-iam-no-policy-wildcards - resources = ["*"] - - condition { - test = "StringLike" - variable = "aws:RequestTag/kubernetes.io/cluster/*" - values = ["owned"] - } - } - - statement { - effect = "Allow" - actions = [ - "ec2:DeleteVolume" - ] - - ## Allow wildcard for resource as it's used to request AMIs with their IDs unknwon in Terraform - #trivy:ignore:aws-iam-no-policy-wildcards - resources = ["*"] - - condition { - test = "StringLike" - variable = "ec2:ResourceTag/ebs.csi.aws.com/cluster" - values = ["true"] - } - } - - statement { - effect = "Allow" - actions = [ - "ec2:DeleteVolume" - ] - - ## Allow wildcard for resource as it's used to request AMIs with their IDs unknwon in Terraform - #trivy:ignore:aws-iam-no-policy-wildcards - resources = ["*"] - - condition { - test = "StringLike" - variable = "ec2:ResourceTag/CSIVolumeName" - values = ["*"] - } - } - - statement { - effect = "Allow" - actions = [ - "ec2:DeleteVolume" - ] - - ## Allow wildcard for resource as it's used to request AMIs with their IDs unknwon in Terraform - #trivy:ignore:aws-iam-no-policy-wildcards - resources = ["*"] - - condition { - test = "StringLike" - variable = "ec2:ResourceTag/kubernetes.io/cluster/*" - values = ["owned"] - } - } - - statement { - effect = "Allow" - actions = [ - "ec2:DeleteSnapshot" - ] - - ## Allow wildcard for resource as it's used to request AMIs with their IDs unknwon in Terraform - #trivy:ignore:aws-iam-no-policy-wildcards - resources = ["*"] - - condition { - test = "StringLike" - variable = "ec2:ResourceTag/CSIVolumeSnapshotName" - values = ["*"] - } - } - - statement { - effect = "Allow" - actions = [ - "ec2:DeleteSnapshot" - ] - - ## Allow wildcard for resource as it's used to request AMIs with their IDs unknwon in Terraform - #trivy:ignore:aws-iam-no-policy-wildcards - resources = ["*"] - - condition { - test = "StringLike" - variable = "ec2:ResourceTag/ebs.csi.aws.com/cluster" - values = ["true"] - } - } - -} diff --git a/locals.tf b/locals.tf index fb7ed6e..e41093d 100644 --- a/locals.tf +++ b/locals.tf @@ -1,12 +1,3 @@ -resource "random_string" "suffix" { - length = 8 - special = false -} - -resource "random_pet" "suffix_public" { - # You want to taint this resource in order to get a new pet -} - locals { aws_account_id = "200564066411" @@ -22,30 +13,4 @@ locals { ## Load public keypars from the reference file # Each line is expected to holds an OpenSSH public key followed by a comment character ('#') and the name of the instance using the ec2 agents with this key ec2_agents_publickeys = compact(split("\n", file("./ec2_agents_authorized_keys"))) - - # EKS related - cik8s_cluster_name = "cik8s-${random_string.suffix.result}" - public_cluster_name = "public-${random_pet.suffix_public.id}" - autoscaler_account_namespace = "autoscaler" - autoscaler_account_name = "cluster-autoscaler-aws-cluster-autoscaler-chart" - nlb_account_namespace = "aws-load-balancer" - nlb_account_name = "aws-load-balancer-controller" - ebs_account_namespace = "kube-system" - ebs_account_name = "ebs-csi-controller-sa" - configmap_iam_admin_accounts = [ - # Impersonated role when using the CloudBees Accounts (e.g. humans) - { - userarn = "arn:aws:iam::${local.aws_account_id}:role/AWSReservedSSO_infra-admin_eaf058d61d35b904", - username = "infra-admin", - groups = ["system:masters"], - }, - # User used by infra.ci.jenkins.io to operate the cluster through terraform (including the configmap itself) - { - userarn = "arn:aws:iam::${local.aws_account_id}:user/terraform-aws-production", - username = "terraform-aws-production", - groups = ["system:masters"], - }, - ] - # AWS security groups related - aws_security_groups = ["infraci:infra.ci.jenkins.io:20.22.6.81/32"] } diff --git a/providers.tf b/providers.tf index 3de5b1b..5b5fec9 100644 --- a/providers.tf +++ b/providers.tf @@ -7,20 +7,3 @@ provider "aws" { provider "local" { } - -provider "random" { -} - -provider "kubernetes" { - alias = "eks-public" - host = module.eks-public.cluster_endpoint - cluster_ca_certificate = base64decode(module.eks-public.cluster_certificate_authority_data) - token = data.aws_eks_cluster_auth.public-cluster.token -} - -provider "kubernetes" { - alias = "cik8s" - host = module.cik8s.cluster_endpoint - cluster_ca_certificate = base64decode(module.cik8s.cluster_certificate_authority_data) - token = data.aws_eks_cluster_auth.cik8s.token -} diff --git a/updatecli/updatecli.d/aws-load-balancer-provider.yaml b/updatecli/updatecli.d/aws-load-balancer-provider.yaml deleted file mode 100644 index d5dff7e..0000000 --- a/updatecli/updatecli.d/aws-load-balancer-provider.yaml +++ /dev/null @@ -1,58 +0,0 @@ -name: Bump `aws-load-balancer-controller` version and IAM policy content - -scms: - default: - kind: github - spec: - user: "{{ .github.user }}" - email: "{{ .github.email }}" - owner: "{{ .github.owner }}" - repository: "{{ .github.repository }}" - token: "{{ requiredEnv .github.token }}" - username: "{{ .github.username }}" - branch: "{{ .github.branch }}" - -sources: - getLatestVersion: - kind: githubrelease - name: "Retrieve the latest version" - spec: - owner: "kubernetes-sigs" - repository: "aws-load-balancer-controller" - token: "{{ requiredEnv .github.token }}" - username: "{{ .github.username }}" - getLatestContent: - dependson: - - getLatestVersion - kind: file - spec: - # https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.3/docs/install/iam_policy.json - file: 'https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/{{ source "getLatestVersion" }}/docs/install/iam_policy.json' - -targets: - updateTerraformFile: - disablesourceinput: true - name: Update aws-load-balancer-controller version in terraform file - kind: file - spec: - file: ./iam-roles-eks.tf - matchpattern: aws-load-balancer-controller\/(.*)\/docs - replacepattern: aws-load-balancer-controller/{{ source "getLatestVersion" }}/docs - scmid: default - updateJSONFile: - sourceid: "getLatestContent" - name: Update iam-nlb-policy.json file content - kind: file - spec: - file: ./iam-nlb-policy.json - scmid: default - -actions: - default: - kind: github/pullrequest - scmid: default - title: Bump `aws-load-balancer-controller` version and IAM policy content to {{ source "getLatestVersion" }} - spec: - labels: - - dependencies - - aws-load-balancer-controller diff --git a/updatecli/updatecli.d/terraform-modules/eks.yml b/updatecli/updatecli.d/terraform-modules/eks.yml deleted file mode 100644 index 9fba95c..0000000 --- a/updatecli/updatecli.d/terraform-modules/eks.yml +++ /dev/null @@ -1,51 +0,0 @@ -name: Bump version of the Terraform module "eks" - -scms: - default: - kind: github - spec: - user: "{{ .github.user }}" - email: "{{ .github.email }}" - owner: "{{ .github.owner }}" - repository: "{{ .github.repository }}" - token: "{{ requiredEnv .github.token }}" - username: "{{ .github.username }}" - branch: "{{ .github.branch }}" - -sources: - getLatestVersion: - name: Get version from registry - kind: terraform/registry - spec: - type: module - namespace: terraform-aws-modules - name: eks - targetsystem: aws - -targets: - upgradeForCik8s: - name: "Update the Terraform module version of terraform-aws-modules/eks/aws in cik8s-cluster.tf" - sourceid: getLatestVersion - kind: hcl - spec: - file: cik8s-cluster.tf - path: module.cik8s.version - scmid: default - upgradeForEksPublic: - name: "Update the Terraform module version of terraform-aws-modules/eks/aws in cik8s-cluster.tf" - sourceid: getLatestVersion - kind: hcl - spec: - file: eks-public-cluster.tf - path: module.eks-public.version - scmid: default - -actions: - default: - kind: github/pullrequest - scmid: default - title: Bump version of the Terraform module "eks" to {{ source "getLatestVersion" }} - spec: - labels: - - dependencies - - terraform-aws-eks-module diff --git a/updatecli/updatecli.d/terraform-modules/irsa.yaml b/updatecli/updatecli.d/terraform-modules/irsa.yaml deleted file mode 100644 index e6b73fe..0000000 --- a/updatecli/updatecli.d/terraform-modules/irsa.yaml +++ /dev/null @@ -1,52 +0,0 @@ -name: Bump version of the Terraform module "irsa" (terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc) - -scms: - default: - kind: github - spec: - user: "{{ .github.user }}" - email: "{{ .github.email }}" - owner: "{{ .github.owner }}" - repository: "{{ .github.repository }}" - token: "{{ requiredEnv .github.token }}" - username: "{{ .github.username }}" - branch: "{{ .github.branch }}" - -sources: - getLatestVersion: - name: Get version from registry - kind: terraform/registry - spec: - type: module - namespace: terraform-aws-modules - # IAM is the "parent" module for submodule "iam-assumable-role-with-oidc" - name: iam - targetsystem: aws - -targets: - upgradeForCik8s: - name: "Update the Terraform module version of terraform-aws-modules/iam/aws in cik8s-cluster.tf" - sourceid: getLatestVersion - kind: hcl - spec: - file: cik8s-cluster.tf - path: module.cik8s_iam_role_autoscaler.version - scmid: default - upgradeForEksPublic: - name: "Update the Terraform module version of terraform-aws-modules/iam/aws in cik8s-cluster.tf" - sourceid: getLatestVersion - kind: hcl - spec: - file: eks-public-cluster.tf - path: module.eks_iam_assumable_role_autoscaler_eks_public.version - scmid: default - -actions: - default: - kind: github/pullrequest - scmid: default - title: Bump version of the Terraform module "irsa" to {{ source "getLatestVersion" }} - spec: - labels: - - dependencies - - terraform-aws-irsa-module diff --git a/updatecli/updatecli.d/terraform-modules/vpc.yaml b/updatecli/updatecli.d/terraform-modules/vpc.yaml deleted file mode 100644 index 5175f79..0000000 --- a/updatecli/updatecli.d/terraform-modules/vpc.yaml +++ /dev/null @@ -1,43 +0,0 @@ -name: Bump version of the Terraform module terraform-aws-modules/vpc/aws - -scms: - default: - kind: github - spec: - user: "{{ .github.user }}" - email: "{{ .github.email }}" - owner: "{{ .github.owner }}" - repository: "{{ .github.repository }}" - token: "{{ requiredEnv .github.token }}" - username: "{{ .github.username }}" - branch: "{{ .github.branch }}" - -sources: - getLatestVersion: - name: Get version from registry - kind: terraform/registry - spec: - type: module - namespace: terraform-aws-modules - name: vpc - targetsystem: aws - -targets: - upgradeForVpc: - name: "Update the Terraform module version of terraform-aws-modules/vpc/aws in cik8s-cluster.tf" - sourceid: getLatestVersion - kind: hcl - spec: - file: vpc.tf - path: module.vpc.version - scmid: default - -actions: - default: - kind: github/pullrequest - scmid: default - title: Bump version of the Terraform module "vpc" to {{ source "getLatestVersion" }} - spec: - labels: - - dependencies - - terraform-aws-vpc-module diff --git a/updatecli/updatecli.d/terraform-providers/aws.yaml b/updatecli/updatecli.d/terraform-providers/aws.yaml deleted file mode 100644 index ca13624..0000000 --- a/updatecli/updatecli.d/terraform-providers/aws.yaml +++ /dev/null @@ -1,47 +0,0 @@ -name: "Bump Terraform `aws` provider version" - -scms: - default: - kind: github - spec: - user: "{{ .github.user }}" - email: "{{ .github.email }}" - owner: "{{ .github.owner }}" - repository: "{{ .github.repository }}" - token: "{{ requiredEnv .github.token }}" - username: "{{ .github.username }}" - branch: "{{ .github.branch }}" - -sources: - lastVersion: - name: Get latest version of the `aws` provider - kind: terraform/registry - spec: - type: provider - namespace: hashicorp - name: aws - -targets: - updateTerraformLockFile: - name: Update Terraform lock file - kind: terraform/lock - sourceid: lastVersion - spec: - file: .terraform.lock.hcl - provider: hashicorp/aws - platforms: - - linux_amd64 - - linux_arm64 - - darwin_amd64 - - darwin_arm64 - scmid: default - -actions: - default: - kind: github/pullrequest - scmid: default - spec: - title: Bump Terraform `aws` provider version to {{ source "lastVersion" }} - labels: - - terraform-providers - - hashicorp/aws diff --git a/updatecli/updatecli.d/terraform-providers/cloudinit.yaml b/updatecli/updatecli.d/terraform-providers/cloudinit.yaml deleted file mode 100644 index bcc9e0a..0000000 --- a/updatecli/updatecli.d/terraform-providers/cloudinit.yaml +++ /dev/null @@ -1,47 +0,0 @@ -name: "Bump Terraform `cloudinit` provider version" - -scms: - default: - kind: github - spec: - user: "{{ .github.user }}" - email: "{{ .github.email }}" - owner: "{{ .github.owner }}" - repository: "{{ .github.repository }}" - token: "{{ requiredEnv .github.token }}" - username: "{{ .github.username }}" - branch: "{{ .github.branch }}" - -sources: - lastVersion: - name: Get latest version of the `cloudinit` provider - kind: terraform/registry - spec: - type: provider - namespace: hashicorp - name: cloudinit - -targets: - updateTerraformLockFile: - name: Update Terraform lock file - kind: terraform/lock - sourceid: lastVersion - spec: - file: .terraform.lock.hcl - provider: hashicorp/cloudinit - platforms: - - linux_amd64 - - linux_arm64 - - darwin_amd64 - - darwin_arm64 - scmid: default - -actions: - default: - kind: github/pullrequest - scmid: default - spec: - title: Bump Terraform `cloudinit` provider version to {{ source "lastVersion" }} - labels: - - terraform-providers - - hashicorp/cloudinit diff --git a/updatecli/updatecli.d/terraform-providers/kubernetes.yaml b/updatecli/updatecli.d/terraform-providers/kubernetes.yaml deleted file mode 100644 index 2ed8f32..0000000 --- a/updatecli/updatecli.d/terraform-providers/kubernetes.yaml +++ /dev/null @@ -1,47 +0,0 @@ -name: "Bump Terraform `kubernetes` provider version" - -scms: - default: - kind: github - spec: - user: "{{ .github.user }}" - email: "{{ .github.email }}" - owner: "{{ .github.owner }}" - repository: "{{ .github.repository }}" - token: "{{ requiredEnv .github.token }}" - username: "{{ .github.username }}" - branch: "{{ .github.branch }}" - -sources: - lastVersion: - name: Get latest version of the `kubernetes` provider - kind: terraform/registry - spec: - type: provider - namespace: hashicorp - name: kubernetes - -targets: - updateTerraformLockFile: - name: Update Terraform lock file - kind: terraform/lock - sourceid: lastVersion - spec: - file: .terraform.lock.hcl - provider: hashicorp/kubernetes - platforms: - - linux_amd64 - - linux_arm64 - - darwin_amd64 - - darwin_arm64 - scmid: default - -actions: - default: - kind: github/pullrequest - scmid: default - spec: - title: Bump Terraform `kubernetes` provider version to {{ source "lastVersion" }} - labels: - - terraform-providers - - hashicorp/kubernetes diff --git a/updatecli/updatecli.d/terraform-providers/local.yaml b/updatecli/updatecli.d/terraform-providers/local.yaml deleted file mode 100644 index e9e776e..0000000 --- a/updatecli/updatecli.d/terraform-providers/local.yaml +++ /dev/null @@ -1,47 +0,0 @@ -name: "Bump Terraform `local` provider version" - -scms: - default: - kind: github - spec: - user: "{{ .github.user }}" - email: "{{ .github.email }}" - owner: "{{ .github.owner }}" - repository: "{{ .github.repository }}" - token: "{{ requiredEnv .github.token }}" - username: "{{ .github.username }}" - branch: "{{ .github.branch }}" - -sources: - lastVersion: - name: Get latest version of the `local` provider - kind: terraform/registry - spec: - type: provider - namespace: hashicorp - name: local - -targets: - updateTerraformLockFile: - name: Update Terraform lock file - kind: terraform/lock - sourceid: lastVersion - spec: - file: .terraform.lock.hcl - provider: hashicorp/local - platforms: - - linux_amd64 - - linux_arm64 - - darwin_amd64 - - darwin_arm64 - scmid: default - -actions: - default: - kind: github/pullrequest - scmid: default - spec: - title: Bump Terraform `local` provider version to {{ source "lastVersion" }} - labels: - - terraform-providers - - hashicorp/local diff --git a/updatecli/updatecli.d/terraform-providers/random.yaml b/updatecli/updatecli.d/terraform-providers/random.yaml deleted file mode 100644 index ad88717..0000000 --- a/updatecli/updatecli.d/terraform-providers/random.yaml +++ /dev/null @@ -1,47 +0,0 @@ -name: "Bump Terraform `random` provider version" - -scms: - default: - kind: github - spec: - user: "{{ .github.user }}" - email: "{{ .github.email }}" - owner: "{{ .github.owner }}" - repository: "{{ .github.repository }}" - token: "{{ requiredEnv .github.token }}" - username: "{{ .github.username }}" - branch: "{{ .github.branch }}" - -sources: - lastVersion: - name: Get latest version of the `random` provider - kind: terraform/registry - spec: - type: provider - namespace: hashicorp - name: random - -targets: - updateTerraformLockFile: - name: Update Terraform lock file - kind: terraform/lock - sourceid: lastVersion - spec: - file: .terraform.lock.hcl - provider: hashicorp/random - platforms: - - linux_amd64 - - linux_arm64 - - darwin_amd64 - - darwin_arm64 - scmid: default - -actions: - default: - kind: github/pullrequest - scmid: default - spec: - title: Bump Terraform `random` provider version to {{ source "lastVersion" }} - labels: - - terraform-providers - - hashicorp/random diff --git a/updatecli/updatecli.d/terraform-providers/time.yaml b/updatecli/updatecli.d/terraform-providers/time.yaml deleted file mode 100644 index 3223637..0000000 --- a/updatecli/updatecli.d/terraform-providers/time.yaml +++ /dev/null @@ -1,47 +0,0 @@ -name: "Bump Terraform `time` provider version" - -scms: - default: - kind: github - spec: - user: "{{ .github.user }}" - email: "{{ .github.email }}" - owner: "{{ .github.owner }}" - repository: "{{ .github.repository }}" - token: "{{ requiredEnv .github.token }}" - username: "{{ .github.username }}" - branch: "{{ .github.branch }}" - -sources: - lastVersion: - name: Get latest version of the `time` provider - kind: terraform/registry - spec: - type: provider - namespace: hashicorp - name: time - -targets: - updateTerraformLockFile: - name: Update Terraform lock file - kind: terraform/lock - sourceid: lastVersion - spec: - file: .terraform.lock.hcl - provider: hashicorp/time - platforms: - - linux_amd64 - - linux_arm64 - - darwin_amd64 - - darwin_arm64 - scmid: default - -actions: - default: - kind: github/pullrequest - scmid: default - spec: - title: Bump Terraform `time` provider version to {{ source "lastVersion" }} - labels: - - terraform-providers - - hashicorp/time diff --git a/updatecli/updatecli.d/terraform-providers/tls.yaml b/updatecli/updatecli.d/terraform-providers/tls.yaml deleted file mode 100644 index acdceab..0000000 --- a/updatecli/updatecli.d/terraform-providers/tls.yaml +++ /dev/null @@ -1,47 +0,0 @@ -name: "Bump Terraform `tls` provider version" - -scms: - default: - kind: github - spec: - user: "{{ .github.user }}" - email: "{{ .github.email }}" - owner: "{{ .github.owner }}" - repository: "{{ .github.repository }}" - token: "{{ requiredEnv .github.token }}" - username: "{{ .github.username }}" - branch: "{{ .github.branch }}" - -sources: - lastVersion: - name: Get latest version of the `tls` provider - kind: terraform/registry - spec: - type: provider - namespace: hashicorp - name: tls - -targets: - updateTerraformLockFile: - name: Update Terraform lock file - kind: terraform/lock - sourceid: lastVersion - spec: - file: .terraform.lock.hcl - provider: hashicorp/tls - platforms: - - linux_amd64 - - linux_arm64 - - darwin_amd64 - - darwin_arm64 - scmid: default - -actions: - default: - kind: github/pullrequest - scmid: default - spec: - title: Bump Terraform `tls` provider version to {{ source "lastVersion" }} - labels: - - terraform-providers - - hashicorp/tls diff --git a/versions.tf b/versions.tf index 306335c..f1d4005 100644 --- a/versions.tf +++ b/versions.tf @@ -8,20 +8,5 @@ terraform { local = { source = "hashicorp/local" } - kubernetes = { - source = "hashicorp/kubernetes" - } - tls = { - source = "hashicorp/tls" - } - cloudinit = { - source = "hashicorp/cloudinit" - } - random = { - source = "hashicorp/random" - } - time = { - source = "hashicorp/time" - } } } diff --git a/vpc.tf b/vpc.tf deleted file mode 100644 index bde0e53..0000000 --- a/vpc.tf +++ /dev/null @@ -1,45 +0,0 @@ -data "aws_availability_zones" "available" {} - -module "vpc" { - source = "terraform-aws-modules/vpc/aws" - version = "5.8.1" - - name = "${local.cik8s_cluster_name}-vpc" - cidr = "10.0.0.0/16" - - manage_default_network_acl = false - map_public_ip_on_launch = true - manage_default_route_table = false - manage_default_security_group = false - - - azs = data.aws_availability_zones.available.names - private_subnets = [ - # first for eks-cluster - "10.0.16.0/20", # 10.0.16.1 -> 10.0.31.254 - "10.0.32.0/20", # 10.0.32.1 -> 10.0.47.254 - "10.0.64.0/20", # 10.0.64.1 -> 10.0.79.254 - # next for eks-public - "10.0.80.0/24", # 10.0.80.1 -> 10.0.80.254 - "10.0.81.0/24", # 10.0.81.1 -> 10.0.81.254 - "10.0.82.0/24", # 10.0.82.1 -> 10.0.82.254 - ] - public_subnets = [ - # first for vpc's Elastic IPs - "10.0.0.16/28", # 10.0.0.17 -> 10.0.0.30 - "10.0.0.32/28", # 10.0.0.33 -> 10.0.0.46 - "10.0.0.48/28", # 10.0.0.49 -> 10.0.0.62 - ] - - # One NAT gateway per subnet (default) - # ref. https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/latest#one-nat-gateway-per-subnet-default - enable_nat_gateway = true - single_nat_gateway = false - one_nat_gateway_per_az = false - - enable_dns_hostnames = true - - public_subnet_tags = { - "kubernetes.io/role/elb" = 1 - } -}