diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl index f5efd50..302db1f 100644 --- a/.terraform.lock.hcl +++ b/.terraform.lock.hcl @@ -5,11 +5,7 @@ provider "registry.terraform.io/gavinbunney/kubectl" { version = "1.14.0" constraints = ">= 1.14.0" hashes = [ - "h1:Ck8Re/28x7VBI5ArFg0VSg1woPu/APm1ZbMuzqUdnPo=", - "h1:ItrWfCZMzM2JmvDncihBMalNLutsAk7kyyxVRaipftY=", - "h1:gLFn+RvP37sVzp9qnFCwngRjjFV649r6apjxvJ1E/SE=", "h1:mX2AOFIMIxJmW5kM8DT51gloIOKCr9iT6W8yodnUyfs=", - "h1:tK3u7J4Ojrnx62lRvLok/XGvA7gzMkaVqNOZUDzWKOw=", "zh:0350f3122ff711984bbc36f6093c1fe19043173fad5a904bce27f86afe3cc858", "zh:07ca36c7aa7533e8325b38232c77c04d6ef1081cb0bac9d56e8ccd51f12f2030", "zh:0c351afd91d9e994a71fe64bbd1662d0024006b3493bb61d46c23ea3e42a7cf5", 
@@ -23,124 +19,144 @@ provider "registry.terraform.io/gavinbunney/kubectl" { } provider "registry.terraform.io/hashicorp/aws" { - version = "5.54.1" - constraints = ">= 3.72.0, >= 4.0.0, >= 4.57.0, >= 5.30.0, >= 5.37.0" + version = "5.68.0" + constraints = ">= 4.0.0, >= 4.33.0, >= 5.46.0, >= 5.61.0, 5.68.0" hashes = [ - "h1:+aq386lQCaPX7wR6EPf3PPZvCiI6dRwnjb1wR6lNa8E=", - "zh:37c09b9a0a0a2f7854fe52c6adb15f71593810b458a8283ed71d68036af7ba3a", - "zh:42fe11d87723d4e43b9c6224ae6bacdcb53faee8abc58f0fc625a161d1f71cb1", - "zh:57c6dfc46f28c9c2737559bd84acbc05aeae90431e731bb72a0024028a2d2412", - "zh:5ba9665a4ca0e182effd75575b19a4d47383ec02662024b9fe26f78286c36619", + "h1:QU+d0rw5poZpVyplpBg5XQ5JsGnLRkZve5dR0lKZ+9U=", + "zh:045f37b115a6c94a05c6a5f2aacfe4cecbaf4b40b56917ba852d988d487e94bf", + "zh:0c388f1a94e7941cf7e6abcd8d958a3e325e513cb60affa3cac82e75c7bbbb73", + "zh:15b1f2587c06bff35a15f2d1c22eab395d549908daf05582608d729cdf54ba40", + "zh:16a9c0c7fa7a33aa22313d4444aeecde20831bf51f9b481a0406e3cf583378fc", + "zh:3330c0d49fb329dff6de17913e1a774e75aa0913106c3197814c73c3a12a4c3f", + "zh:40920318f774ff397c7b6a01b5e89e46eb1a55d7dc9943a310669a9357b9b501", + "zh:838fbac358bb72f46c8d359a28a3effb6a9d7137cdd72b9e4d2f0fcf803dc462", + "zh:84e694c0720bf54b3b8521bf6e05700abe4a1b3e7dd2a104efd1eb55ae5866a0", + "zh:90606c399498027d7d07ab78a71b574a5d8b982c4372e6b67479f7e39e153e2f", + "zh:9162cf25d5c0fdf672c9bbc4c3c84dd87ab6a15b4971df1f32aea6b477c0e028", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:b55980be0237644123a02a30b56d4cc03863ef29036c47d6e8ab5429ab45adf5", - "zh:b81e7664f10855a3a6fc234a18b4c4f1456273126a40c41516f2061696fb9870", - "zh:bd09736ffafd92af104c3c34b5add138ae8db4402eb687863ce472ca7e5ff2e2", - "zh:cc2eb1c62fba2a11d1f239e650cc2ae94bcab01c907384dcf2e213a6ee1bd5b2", - "zh:e5dc40205d9cf6f353c0ca532ae29afc6c83928bc9bcca47d74b640d3bb5a38c", - "zh:ebf1acdcd13f10db1b9c85050ddaadc70ab269c47c5a240753362446442d8371", - 
"zh:f2fc28a4ad94af5e6144a7309286505e3eb7a94d9dc106722b506c372ff7f591", - "zh:f49445e8435944df122aa89853260a2716ba8b73d6a6a70cae1661554926d5a2", - "zh:fc3b5046e60ae7cab20715be23de8436eb12736136fd6d0f0cc1549ebda6cc73", - "zh:fdb98a53500e245a3b5bec077b994da6959dba8fc4eb7534528658d820e06bd5", + "zh:9cd8ec40a88b25e9f0f7d7f51460a921f4529554a260ffbe5083ddeba2f41ae3", + "zh:adeffac1d01a35bc8d2497ccceb9978b4746872143016c2c631de6cb38b6aa8d", + "zh:c7b682c81f9ae850669deb6239a66d8aa960abed984aad25db2d3954c09c2616", + "zh:d10b9f40934e14d55cfc5731d728507e50d014561322e9e0c84b33ab255a4d51", ] } provider "registry.terraform.io/hashicorp/cloudinit" { - version = "2.3.4" + version = "2.3.5" constraints = ">= 2.0.0" hashes = [ - "h1:S3j8poSaLbaftlKq2STBkQEkZH253ZLaHhBHBifdpBQ=", - "zh:09f1f1e1d232da96fbf9513b0fb5263bc2fe9bee85697aa15d40bb93835efbeb", - "zh:381e74b90d7a038c3a8dcdcc2ce8c72d6b86da9f208a27f4b98cabe1a1032773", - "zh:398eb321949e28c4c5f7c52e9b1f922a10d0b2b073b7db04cb69318d24ffc5a9", - "zh:4a425679614a8f0fe440845828794e609b35af17db59134c4f9e56d61e979813", - "zh:4d955d8608ece4984c9f1dacda2a59fdb4ea6b0243872f049b388181aab8c80a", + "h1:C//ncldNugV8TpMQaj9ygoPXRVYOqltIxNB8LKrpzgU=", + "zh:17c20574de8eb925b0091c9b6a4d859e9d6e399cd890b44cfbc028f4f312ac7a", + "zh:348664d9a900f7baf7b091cf94d657e4c968b240d31d9e162086724e6afc19d5", + "zh:5a876a468ffabff0299f8348e719cb704daf81a4867f8c6892f3c3c4add2c755", + "zh:6ef97ee4c8c6a69a3d36746ba5c857cf4f4d78f32aa3d0e1ce68f2ece6a5dba5", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:a48fbee1d58d55a1f4c92c2f38c83a37c8b2f2701ed1a3c926cefb0801fa446a", - "zh:b748fe6631b16a1dafd35a09377c3bffa89552af584cf95f47568b6cd31fc241", - "zh:d4b931f7a54603fa4692a2ec6e498b95464babd2be072bed5c7c2e140a280d99", - "zh:f1c9337fcfe3a7be39d179eb7986c22a979cfb2c587c05f1b3b83064f41785c5", - "zh:f58fc57edd1ee3250a28943cd84de3e4b744cdb52df0356a53403fc240240636", - "zh:f5f50de0923ff530b03e1bca0ac697534d61bb3e5fc7f60e13becb62229097a9", + 
"zh:8283e5a785e3c518a440f6ac6e7cc4fc07fe266bf34974246f4e2ef05762feda", + "zh:a44eb5077950168b571b7eb65491246c00f45409110f0f172cc3a7605f19dba9", + "zh:aa0806cbff72b49c1b389c0b8e6904586e5259c08dabb7cb5040418568146530", + "zh:bec4613c3beaad9a7be7ca99cdb2852073f782355b272892e6ee97a22856aec1", + "zh:d7fe368577b6c8d1ae44c751ed42246754c10305c7f001cc0109833e95aa107d", + "zh:df2409fc6a364b1f0a0f8a9cd8a86e61e80307996979ce3790243c4ce88f2915", + "zh:ed3c263396ff1f4d29639cc43339b655235acf4d06296a7c120a80e4e0fd6409", ] } provider "registry.terraform.io/hashicorp/helm" { - version = "2.14.0" - constraints = ">= 2.4.0" + version = "2.16.1" + constraints = ">= 2.16.1" hashes = [ - "h1:8Vt9264v3UE6mHLRG8yiteVl5h8ZSTkJXf1xdVLa7GA=", - "zh:087a475fda3649e4b6b9aeb5f21704972f5d85c10d0bf334289b0a1b8c1a5575", - "zh:1877991d976491d4e2a653a89491bd3b92123a00f442f15aa62caea8902677c7", - "zh:233d9e550b900be8bbf62871322964239bb4827b3500b77d7e2652a8bae6a106", - "zh:6ed09d405ade276dfc6ec591d113ca328ea3fe423405d4bc1116f7a06dfd86ec", - "zh:9039de4cbee5ae006d9cbf27f40f0a285feb02c3b00901535a1112853de55b5f", - "zh:aea6311b0f29edddefa21b8c7953314459caeace77d72d60588d1277f1723c54", - "zh:bd6a4fea3461c2751527f1c4e4c2c160e72f5b5a3b5cfbfe051adf61badd5ead", - "zh:c5f12a2ea4c3b62d9dd2d8f62c9918ef77b1f9dd4d6ccf1758a2a24139ab5319", - "zh:cd84d7258f263c3bd24138e7633b022451fdc1935a11e34932b63f71bbe6059f", - "zh:e637d01ee4dc2e5702d62c158399ab0d0ba3269e71f5db38db922ff05505ae2a", + "h1:cE+SeUMcm6fBiidrLGg/H/MvT11CYQ1Y0EVoutK4UlE=", + "zh:0003f6719a32aee9afaeeb001687fc0cfc8c2d5f54861298cf1dc5711f3b4e65", + "zh:16cd5bfee09e7bb081b8b4470f31a9af508e52220fd97fd81c6dda725d9422fe", + "zh:51817de8fdc2c2e36785f23fbf4ec022111bd1cf7679498c16ad0ad7471c16db", + "zh:51b95829b2873be40a65809294bffe349e40cfccc3ff6fee0f471d01770e0ebd", + "zh:56b158dde897c47e1460181fc472c3e920aa23db40579fdc2aad333c1456d2dd", + "zh:916641d26c386959eb982e680028aa677b787687ef7c1283241e45620bc8df50", + 
"zh:aec15ca8605babba77b283f2ca35daca53e006d567e1c3a3daf50497035b820b", + "zh:c2cecf710b87c8f3a4d186da2ea12cf08041f97ae0c6db82649720d6ed929d65", + "zh:dbdd96f17aea25c7db2d516ab8172a5e683c6686c72a1a44173d2fe96319be39", + "zh:de11e180368434a796b1ab6f20fde7554dc74f7800e063b8e4c8ec3a86d0be63", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:fbf9c9936ae547b75a81170b7bd20f72bc5538e015efcf7d12f822358d758f57", + "zh:f827a9c1540d210c56053a2d5d5a6abda924896ffa8eeedc94054cf6d44c5f60", ] } provider "registry.terraform.io/hashicorp/kubernetes" { - version = "2.31.0" - constraints = ">= 2.10.0, >= 2.13.1" + version = "2.33.0" + constraints = ">= 2.33.0" hashes = [ - "h1:ZlKkkHJrjF4AiMueI2yA+abBc1c37cfwjyxURdLKhEw=", - "zh:0d16b861edb2c021b3e9d759b8911ce4cf6d531320e5dc9457e2ea64d8c54ecd", - "zh:1bad69ed535a5f32dec70561eb481c432273b81045d788eb8b37f2e4a322cc40", - "zh:43c58e3912fcd5bb346b5cb89f31061508a9be3ca7dd4cd8169c066203bcdfb3", - "zh:4778123da9206918a92dfa73cc711475d2b9a8275ff25c13a30513c523ac9660", - "zh:8bfa67d2db03b3bfae62beebe6fb961aee8d91b7a766efdfe4d337b33dfd23dd", - "zh:9020bb5729db59a520ade5e24984b737e65f8b81751fbbd343926f6d44d22176", - "zh:90431dbfc5b92498bfbce38f0b989978c84421a6c33245b97788a46b563fbd6e", - "zh:b71a061dda1244f6a52500e703a9524b851e7b11bbf238c17bbd282f27d51cb2", - "zh:d6232a7651b834b89591b94bf4446050119dcde740247e6083a4d55a2cefd28a", - "zh:d89fba43e699e28e2b5e92fff2f75fc03dbc8de0df9dacefe1a8836f8f430753", - "zh:ef85c0b744f5ba1b10dadc3c11e331ba4225c45bb733e024d7218c24b02b0512", + "h1:44s6P+u1FUHyEclCAyko9UL+PB73rGp+REnCML3hyzg=", + "zh:255b35790b706d405e987750190658dcaefb663741b96803a9529ba5d7435329", + "zh:362feba1aa820a8e02869ec71d1a08e87243dbce43671dc0995fa6c5a2fafa1d", + "zh:39332abcf75b5dd9c78c79c7c0c094f7d4ca908d1b76bbd2aae67e8e3516710c", + "zh:3e8e7f758bb09a9b5b613c8866e77541f8f00b521070cc86bc095ce61f010baf", + "zh:427883b889b9c36630c3eec4d5c07bc4ae12cc0d358fc17ea42a8049bf8d5275", + 
"zh:69bfc4ed067a5e4844db1a1809343652ff239aa0a8da089b1671524c44e8740a", + "zh:6b9f731062b945c5020e0930ed9a1b1b50afd2caf751f0e70a282d165c970979", + "zh:6faf9ec006af7ee7014a9c3251d65b701792abb823f149b0b7e4ac4433848201", + "zh:b706f76d695104a47682ee6ab842870f9c70a680f979fa9e7efe34278c0831bc", + "zh:b9bca48de2c92f57389ed58dd2fac564deaccd79a92cafd08edeed3ba6b91d4d", + "zh:bbd3336dbee5aed9880f98e36fb8340e0c6d8f0399a05787521af599ccb3dac4", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.3" + constraints = ">= 3.0.0" + hashes = [ + "h1:nKUqWEza6Lcv3xRlzeiRQrHtqvzX1BhIzjaOVXRYQXQ=", + "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2", + "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d", + "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3", + "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f", + "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301", + "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670", + "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed", + "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65", + "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd", + "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5", + ] +} + provider "registry.terraform.io/hashicorp/time" { - version = "0.11.2" + version = "0.12.1" constraints = ">= 0.9.0" hashes = [ - "h1:qg3O4PmHnlPcvuZ2LvzOYEAPGOKtccgD5kPdQPZw094=", - "zh:02588b5b8ba5d31e86d93edc93b306bcbf47c789f576769245968cc157a9e8c5", - "zh:088a30c23796133678d1d6614da5cf5544430570408a17062288b58c0bd67ac8", - "zh:0df5faa072d67616154d38021934d8a8a316533429a3f582df3b4b48c836cf89", - 
"zh:12edeeaef96c47f694bd1ba7ead6ccdb96028b25df352eea4bc5e40de7a59177", - "zh:1e859504a656a6e988f07b908e6ffe946b28bfb56889417c0a07ea9605a3b7b0", - "zh:64a6ae0320d4956c4fdb05629cfcebd03bcbd2206e2d733f2f18e4a97f4d5c7c", + "h1:j+ED7j0ZFJ4EDx7sdna76wsiIf397toylDN0dFi6v0U=", + "zh:090023137df8effe8804e81c65f636dadf8f9d35b79c3afff282d39367ba44b2", + "zh:26f1e458358ba55f6558613f1427dcfa6ae2be5119b722d0b3adb27cd001efea", + "zh:272ccc73a03384b72b964918c7afeb22c2e6be22460d92b150aaf28f29a7d511", + "zh:438b8c74f5ed62fe921bd1078abe628a6675e44912933100ea4fa26863e340e9", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:924d137959193bf7aee6ebf241fbb9aec46d6eef828c5cf8d3c588770acae7b2", - "zh:b3cc76281a4faa9c2293a2460fc6962f6539e900994053f85185304887dddab8", - "zh:cbb40c791d4a1cdba56cffa43a9c0ed8e69930d49aa6bd931546b18c36e3b720", - "zh:d227d43594f8cb3d24f1fdd71382f14502cbe2a6deaddbc74242656bb5b38daf", - "zh:d4840641c46176bb9d70ba3aff09de749282136c779996b546c81e5ff701bbf6", + "zh:85c8bd8eefc4afc33445de2ee7fbf33a7807bc34eb3734b8eefa4e98e4cddf38", + "zh:98bbe309c9ff5b2352de6a047e0ec6c7e3764b4ed3dfd370839c4be2fbfff869", + "zh:9c7bf8c56da1b124e0e2f3210a1915e778bab2be924481af684695b52672891e", + "zh:d2200f7f6ab8ecb8373cda796b864ad4867f5c255cff9d3b032f666e4c78f625", + "zh:d8c7926feaddfdc08d5ebb41b03445166df8c125417b28d64712dccd9feef136", + "zh:e2412a192fc340c61b373d6c20c9d805d7d3dee6c720c34db23c2a8ff0abd71b", + "zh:e6ac6bba391afe728a099df344dbd6481425b06d61697522017b8f7a59957d44", ] } provider "registry.terraform.io/hashicorp/tls" { - version = "4.0.5" + version = "4.0.6" constraints = ">= 3.0.0" hashes = [ - "h1:zeG5RmggBZW/8JWIVrdaeSJa0OG62uFX5HY1eE8SjzY=", - "zh:01cfb11cb74654c003f6d4e32bbef8f5969ee2856394a96d127da4949c65153e", - "zh:0472ea1574026aa1e8ca82bb6df2c40cd0478e9336b7a8a64e652119a2fa4f32", - "zh:1a8ddba2b1550c5d02003ea5d6cdda2eef6870ece86c5619f33edd699c9dc14b", - "zh:1e3bb505c000adb12cdf60af5b08f0ed68bc3955b0d4d4a126db5ca4d429eb4a", - 
"zh:6636401b2463c25e03e68a6b786acf91a311c78444b1dc4f97c539f9f78de22a", - "zh:76858f9d8b460e7b2a338c477671d07286b0d287fd2d2e3214030ae8f61dd56e", - "zh:a13b69fb43cb8746793b3069c4d897bb18f454290b496f19d03c3387d1c9a2dc", - "zh:a90ca81bb9bb509063b736842250ecff0f886a91baae8de65c8430168001dad9", - "zh:c4de401395936e41234f1956ebadbd2ed9f414e6908f27d578614aaa529870d4", - "zh:c657e121af8fde19964482997f0de2d5173217274f6997e16389e7707ed8ece8", - "zh:d68b07a67fbd604c38ec9733069fbf23441436fecf554de6c75c032f82e1ef19", + "h1:/sSdjHoiykrPdyBP1JE03V/KDgLXnHZhHcSOYIdDH/A=", + "zh:10de0d8af02f2e578101688fd334da3849f56ea91b0d9bd5b1f7a243417fdda8", + "zh:37fc01f8b2bc9d5b055dc3e78bfd1beb7c42cfb776a4c81106e19c8911366297", + "zh:4578ca03d1dd0b7f572d96bd03f744be24c726bfd282173d54b100fd221608bb", + "zh:6c475491d1250050765a91a493ef330adc24689e8837a0f07da5a0e1269e11c1", + "zh:81bde94d53cdababa5b376bbc6947668be4c45ab655de7aa2e8e4736dfd52509", + "zh:abdce260840b7b050c4e401d4f75c7a199fafe58a8b213947a258f75ac18b3e8", + "zh:b754cebfc5184873840f16a642a7c9ef78c34dc246a8ae29e056c79939963c7a", + "zh:c928b66086078f9917aef0eec15982f2e337914c5c4dbc31dd4741403db7eb18", + "zh:cded27bee5f24de6f2ee0cfd1df46a7f88e84aaffc2ecbf3ff7094160f193d50", + "zh:d65eb3867e8f69aaf1b8bb53bd637c99c6b649ba3db16ded50fa9a01076d1a27", + "zh:ecb0c8b528c7a619fa71852bb3fb5c151d47576c5aab2bf3af4db52588722eeb", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } diff --git a/alb-ingress.tf b/alb-ingress.tf index 295ad3e..0e81f6a 100644 --- a/alb-ingress.tf +++ b/alb-ingress.tf @@ -62,6 +62,7 @@ resource "helm_release" "alb-ingress-controller" { depends_on = [ helm_release.cert_manager, - module.alb_controller_irsa + module.alb_controller_irsa, + module.eks, ] } diff --git a/artifacts/cloudformation-template.yaml b/artifacts/cloudformation-template.yaml index 3133bcf..0bbc8f5 100644 --- a/artifacts/cloudformation-template.yaml +++ b/artifacts/cloudformation-template.yaml 
@@ -56,11 +56,9 @@ Resources: - ec2:AuthorizeSecurityGroupEgress - ec2:AuthorizeSecurityGroupIngress - ec2:AuthorizeSecurityGroupIngress - - ec2:DescribeSecurityGroupReferences - - ec2:DescribeSecurityGroupRules - - ec2:DescribeSecurityGroups - - ec2:DescribeAvailabilityZones - ec2:CreateInternetGateway + - ec2:CreateLaunchTemplate + - ec2:CreateLaunchTemplateVersion - ec2:CreateNatGateway - ec2:CreateNetworkAclEntry - ec2:CreateRoute @@ -69,15 +67,17 @@ Resources: - ec2:CreateSubnet - ec2:CreateTags - ec2:CreateVpc - - ec2:CreateLaunchTemplateVersion - - ec2:CreateLaunchTemplate - ec2:DescribeAddresses + - ec2:DescribeAvailabilityZones - ec2:DescribeInternetGateways - ec2:DescribeLaunchTemplateVersions - ec2:DescribeLaunchTemplates - ec2:DescribeNatGateways - ec2:DescribeNetworkAcls - ec2:DescribeRouteTables + - ec2:DescribeSecurityGroupReferences + - ec2:DescribeSecurityGroupRules + - ec2:DescribeSecurityGroups - ec2:DescribeSecurityGroups - ec2:DescribeSubnets - ec2:DescribeTags 
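Review bot: The second hunk's new side lists `ec2:DescribeSecurityGroups` twice, because the added `+ - ec2:DescribeSecurityGroups` lands directly above the context line that already carries it; drop one of them. The same statement also still has `ec2:AuthorizeSecurityGroupIngress` twice (context lines in the first hunk). Duplicates are harmless to IAM, but they defeat the sorted-list review this commit is clearly trying to make possible; a `sort -u` pass over each action list before committing would catch both.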
@@ -85,32 +85,40 @@ Resources: - ec2:DescribeVpcClassicLink - ec2:DescribeVpcClassicLinkDnsSupport - ec2:DescribeVpcs + - ec2:ModifyLaunchTemplate - ec2:ModifySubnetAttribute - ec2:ModifyVpcAttribute - - ec2:ModifyLaunchTemplate - ec2:RevokeSecurityGroupEgress - ec2:RunInstances - ecr:CreateRepository - ecr:DescribeRepositories - ecr:ListTagsForResource - ecr:TagResource + - ecr:UntagResource + - eks:AssociateAccessPolicy + - eks:CreateAccessEntry + - eks:CreateAddon - eks:CreateCluster - - eks:DescribeUpdate - - eks:UpdateNodegroupVersion - eks:CreateNodegroup - - eks:DescribeCluster - - eks:TagResource - - eks:ListTagsForResource - - eks:DescribeNodegroup - - eks:ListAddons - - eks:CreateAddon + - eks:DescribeAccessEntry - eks:DescribeAddon - eks:DescribeAddonConfiguration - eks:DescribeAddonVersions + - eks:DescribeCluster + - eks:DescribeNodegroup + - eks:DescribeUpdate + - eks:DisassociateAccessPolicy + - eks:ListAccessEntries + - eks:ListAddons + - eks:ListAssociatedAccessPolicies + - eks:ListTagsForResource + - eks:TagResource + - eks:UntagResource + - eks:UpdateAccessEntry + - eks:UpdateAddon + - eks:UpdateNodegroupVersion - iam:AttachRolePolicy - iam:CreateOpenIDConnectProvider - - iam:UpdateAssumeRolePolicy - - iam:TagOpenIDConnectProvider - iam:CreatePolicy - iam:CreatePolicyVersion - iam:CreateRole @@ -124,8 +132,12 @@ Resources: - iam:ListRolePolicies - iam:PassRole - iam:PutRolePolicy + - iam:TagOpenIDConnectProvider - iam:TagPolicy - iam:TagRole + - iam:UntagPolicy + - iam:UntagRole + - iam:UpdateAssumeRolePolicy - kms:CreateAlias - kms:CreateGrant - kms:CreateKey 
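Review bot: The actions added here — `eks:CreateAccessEntry`, `eks:AssociateAccessPolicy`, `eks:UpdateAccessEntry` — let the holder grant cluster-admin to any IAM principal on any cluster the statement covers, and they sit in the same Allow as `iam:PassRole`, `iam:CreateRole` and `iam:UpdateAssumeRolePolicy`. The statement's `Resource` is outside this hunk; if it is `"*"` like the delete statement at the end of this file (and the provisioning statement in artifacts/provision.json), consider scoping these actions to the cluster ARN pattern this template provisions and conditioning the access-policy ARN, so the runner can only associate the two policies eks.tf actually uses. The deletion-side counterparts `eks:DeleteAccessEntry` and `eks:DisassociateAccessPolicy` added in the `@@ -193,20 +209,24` hunk have the same blast radius and would benefit from the same scoping.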
@@ -136,19 +148,21 @@ Resources: - kms:ListResourceTags - kms:PutKeyPolicy - kms:TagResource + - kms:UntagResource - logs:CreateLogGroup - - logs:TagLogGroup - logs:DescribeLogGroups - logs:ListTagsLogGroup - logs:PutRetentionPolicy + - logs:TagLogGroup - logs:TagResource + - logs:UntagResource + - route53:ChangeResourceRecordSets - route53:ChangeTagsForResource - route53:CreateHostedZone - route53:GetChange - route53:GetHostedZone - route53:ListResourceRecordSets - route53:ListTagsForResource - - route53:ChangeResourceRecordSets - s3:GetObject - s3:ListBucket - s3:PutObject @@ -167,21 +181,23 @@ Resources: - Effect: Allow Action: - ec2:DeleteInternetGateway - - ec2:DeleteVpc + - ec2:DeleteLaunchTemplate + - ec2:DeleteLaunchTemplateVersions - ec2:DeleteNatGateway + - ec2:DeleteNetworkAclEntry + - ec2:DeleteNetworkInterface - ec2:DeleteRoute - ec2:DeleteRouteTable + - ec2:DeleteSecurityGroup - ec2:DeleteSubnet - ec2:DeleteTags - - ec2:DeleteNetworkAclEntry + - ec2:DeleteVpc - ec2:DescribeAddresses - ec2:DescribeInternetGateways - ec2:DescribeLaunchTemplateVersions - ec2:DescribeLaunchTemplates - ec2:DescribeNatGateways - ec2:DescribeNetworkAcls - - ec2:DeleteNetworkInterface - - ec2:DetachNetworkInterface - ec2:DescribeNetworkInterfaces - ec2:DescribeRouteTables - ec2:DescribeSecurityGroupRules 
@@ -193,20 +209,24 @@ Resources: - ec2:DescribeVpcClassicLinkDnsSupport - ec2:DescribeVpcs - ec2:DetachInternetGateway + - ec2:DetachNetworkInterface - ec2:DisassociateAddress - ec2:DisassociateRouteTable - - ec2:DeleteLaunchTemplate - - ec2:DeleteLaunchTemplateVersions - ec2:ReleaseAddress - ec2:RevokeSecurityGroupIngress - ecr:DeleteRepository - ecr:DescribeRepositories - ecr:ListTagsForResource + - eks:DeleteAccessEntry + - eks:DeleteAddon - eks:DeleteCluster - eks:DeleteNodegroup + - eks:DescribeAccessEntry - eks:DescribeCluster - eks:DescribeNodegroup - - eks:DeleteAddon + - eks:DisassociateAccessPolicy + - eks:ListAccessEntries + - eks:ListAssociatedAccessPolicies - iam:DeleteOpenIDConnectProvider - iam:DeletePolicy - iam:DeletePolicyVersion @@ -222,24 +242,25 @@ Resources: - iam:ListInstanceProfilesForRole - iam:ListPolicyVersions - iam:ListRolePolicies + - iam:UntagPolicy + - iam:UntagRole - kms:DeleteAlias - kms:DescribeKey - kms:GetKeyPolicy - kms:GetKeyRotationStatus - kms:ListAliases - kms:ListResourceTags + - kms:RetireGrant - kms:ScheduleKeyDeletion - logs:DeleteLogGroup - logs:DescribeLogGroups - logs:ListTagsLogGroup + - route53:ChangeTagsForResource - route53:DeleteHostedZone - route53:GetDNSSEC - route53:GetHostedZone - route53:ListResourceRecordSets - route53:ListTagsForResource - - route53:ChangeTagsForResource - s3:GetObject - s3:ListBucket - - kms:RetireGrant - - ec2:DeleteSecurityGroup Resource: "*" diff --git a/artifacts/provision.json b/artifacts/provision.json index 07fe2dd..af86894 100644 --- a/artifacts/provision.json +++ b/artifacts/provision.json 
@@ -1,113 +1,114 @@ { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:AllocateAddress", - "ec2:AssociateRouteTable", - "ec2:AttachInternetGateway", - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DescribeSecurityGroupReferences", - "ec2:DescribeSecurityGroupRules", - "ec2:DescribeSecurityGroups", - "ec2:CreateInternetGateway", - "ec2:CreateNatGateway", - "ec2:CreateNetworkAclEntry", - "ec2:CreateRoute", - "ec2:CreateRouteTable", - "ec2:CreateSecurityGroup", - "ec2:CreateSubnet", - "ec2:CreateTags", - "ec2:CreateVpc", - "ec2:CreateLaunchTemplateVersion", - "ec2:CreateLaunchTemplate", - "ec2:DescribeAddresses", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInternetGateways", - "ec2:DescribeLaunchTemplateVersions", - "ec2:DescribeLaunchTemplates", - "ec2:DescribeNatGateways", - "ec2:DescribeNetworkAcls", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeTags", - "ec2:DescribeVpcAttribute", - "ec2:DescribeVpcClassicLink", - "ec2:DescribeVpcClassicLinkDnsSupport", - "ec2:DescribeVpcs", - "ec2:ModifySubnetAttribute", - "ec2:ModifyVpcAttribute", - "ec2:ModifyLaunchTemplate", - "ec2:RevokeSecurityGroupEgress", - "ec2:RunInstances", - "ecr:CreateRepository", - "ecr:DescribeRepositories", - "ecr:ListTagsForResource", - "ecr:TagResource", - "eks:CreateCluster", - "eks:CreateNodegroup", - "eks:DescribeUpdate", - "eks:DescribeCluster", - "eks:TagResource", - "eks:ListTagsForResource", - "eks:DescribeNodegroup", - "eks:ListAddons", - "eks:CreateAddon", - "eks:UpdateNodegroupVersion", - "eks:DescribeAddon", - "eks:DescribeAddonConfiguration", - "eks:DescribeAddonVersions", - "iam:AttachRolePolicy", - "iam:CreateOpenIDConnectProvider", - "iam:UpdateAssumeRolePolicy", - "iam:TagOpenIDConnectProvider", - "iam:CreatePolicy", - "iam:CreatePolicyVersion", - "iam:CreateRole", - "iam:CreateServiceLinkedRole", - 
"iam:GetOpenIDConnectProvider", - "iam:GetPolicy", - "iam:GetPolicyVersion", - "iam:GetRole", - "iam:GetRolePolicy", - "iam:ListAttachedRolePolicies", - "iam:ListRolePolicies", - "iam:PassRole", - "iam:PutRolePolicy", - "iam:TagPolicy", - "iam:TagRole", - "kms:CreateAlias", - "kms:CreateGrant", - "kms:CreateKey", - "kms:DescribeKey", - "kms:GetKeyPolicy", - "kms:GetKeyRotationStatus", - "kms:ListAliases", - "kms:ListResourceTags", - "kms:PutKeyPolicy", - "kms:TagResource", - "logs:CreateLogGroup", - "logs:TagLogGroup", - "logs:DescribeLogGroups", - "logs:ListTagsLogGroup", - "logs:PutRetentionPolicy", - "logs:TagResource", - "route53:ChangeTagsForResource", - "route53:CreateHostedZone", - "route53:GetChange", - "route53:GetHostedZone", - "route53:ListResourceRecordSets", - "route53:ListTagsForResource", - "route53:ChangeResourceRecordSets", - "s3:GetObject", - "s3:ListBucket", - "s3:PutObject" - ], - "Resource": "*" - } - ] + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ec2:AllocateAddress", + "ec2:AssociateRouteTable", + "ec2:AttachInternetGateway", + "ec2:AuthorizeSecurityGroupEgress", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:DescribeSecurityGroupReferences", + "ec2:DescribeSecurityGroupRules", + "ec2:DescribeSecurityGroups", + "ec2:CreateInternetGateway", + "ec2:CreateNatGateway", + "ec2:CreateNetworkAclEntry", + "ec2:CreateRoute", + "ec2:CreateRouteTable", + "ec2:CreateSecurityGroup", + "ec2:CreateSubnet", + "ec2:CreateTags", + "ec2:CreateVpc", + "ec2:CreateLaunchTemplateVersion", + "ec2:CreateLaunchTemplate", + "ec2:DescribeAddresses", + "ec2:DescribeAvailabilityZones", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeLaunchTemplates", + "ec2:DescribeNatGateways", + "ec2:DescribeNetworkAcls", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeTags", + "ec2:DescribeVpcAttribute", + 
"ec2:DescribeVpcClassicLink", + "ec2:DescribeVpcClassicLinkDnsSupport", + "ec2:DescribeVpcs", + "ec2:ModifySubnetAttribute", + "ec2:ModifyVpcAttribute", + "ec2:ModifyLaunchTemplate", + "ec2:RevokeSecurityGroupEgress", + "ec2:RunInstances", + "ecr:CreateRepository", + "ecr:DescribeRepositories", + "ecr:ListTagsForResource", + "ecr:TagResource", + "eks:CreateAddon", + "eks:CreateCluster", + "eks:CreateNodegroup", + "eks:DescribeAddon", + "eks:DescribeAddonConfiguration", + "eks:DescribeAddonVersions", + "eks:DescribeCluster", + "eks:DescribeNodegroup", + "eks:DescribeUpdate", + "eks:ListAddons", + "eks:ListTagsForResource", + "eks:TagResource", + "eks:UpdateAddon", + "eks:UpdateNodegroupVersion", + "iam:AttachRolePolicy", + "iam:CreateOpenIDConnectProvider", + "iam:UpdateAssumeRolePolicy", + "iam:TagOpenIDConnectProvider", + "iam:CreatePolicy", + "iam:CreatePolicyVersion", + "iam:CreateRole", + "iam:CreateServiceLinkedRole", + "iam:GetOpenIDConnectProvider", + "iam:GetPolicy", + "iam:GetPolicyVersion", + "iam:GetRole", + "iam:GetRolePolicy", + "iam:ListAttachedRolePolicies", + "iam:ListRolePolicies", + "iam:PassRole", + "iam:PutRolePolicy", + "iam:TagPolicy", + "iam:TagRole", + "kms:CreateAlias", + "kms:CreateGrant", + "kms:CreateKey", + "kms:DescribeKey", + "kms:GetKeyPolicy", + "kms:GetKeyRotationStatus", + "kms:ListAliases", + "kms:ListResourceTags", + "kms:PutKeyPolicy", + "kms:TagResource", + "logs:CreateLogGroup", + "logs:TagLogGroup", + "logs:DescribeLogGroups", + "logs:ListTagsLogGroup", + "logs:PutRetentionPolicy", + "logs:TagResource", + "route53:ChangeTagsForResource", + "route53:CreateHostedZone", + "route53:GetChange", + "route53:GetHostedZone", + "route53:ListResourceRecordSets", + "route53:ListTagsForResource", + "route53:ChangeResourceRecordSets", + "s3:GetObject", + "s3:ListBucket", + "s3:PutObject" + ], + "Resource": "*" + } + ] } diff --git a/cert-manager.tf b/cert-manager.tf index 1f72706..c2c960d 100644 --- a/cert-manager.tf +++ b/cert-manager.tf 
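Review bot: artifacts/provision.json no longer matches the provisioning statement in artifacts/cloudformation-template.yaml: the new side here gains only `eks:UpdateAddon`, while the CloudFormation template in the same commit adds `eks:CreateAccessEntry`, `eks:AssociateAccessPolicy`, `eks:DescribeAccessEntry`, `eks:ListAccessEntries`, `eks:ListAssociatedAccessPolicies`, `eks:UpdateAccessEntry` and the various `Untag*` actions. eks.tf now creates access entries, so a runner provisioned from this JSON would presumably fail on first apply with an access-denied from the access-entry calls. Either regenerate this file from the template or add the same actions, and consider a CI check that diffs the two action lists so they cannot drift again.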
@@ -51,6 +51,7 @@ resource "helm_release" "cert_manager" { depends_on = [ module.cert_manager_irsa, - helm_release.external_dns + helm_release.external_dns, + module.eks, ] } diff --git a/ebs-csi.tf b/ebs-csi.tf index 739782b..3195e82 100644 --- a/ebs-csi.tf +++ b/ebs-csi.tf @@ -27,7 +27,7 @@ resource "helm_release" "ebs_csi" { name = local.ebs_csi.name repository = "https://kubernetes-sigs.github.io/aws-ebs-csi-driver" chart = "aws-ebs-csi-driver" - version = "2.13.0" + version = "2.16.0" values = [ yamlencode({ diff --git a/eks.tf b/eks.tf index 7511315..d8082f9 100644 --- a/eks.tf +++ b/eks.tf @@ -6,40 +6,19 @@ locals { min_size = var.min_size max_size = var.max_size desired_size = var.desired_size +} - # allow installing the runner in the cluster - aws_auth_role_install_access = { - rolearn = var.runner_install_role, - username = "install:{{SessionName}}" - groups = [ - "system:masters", - ] - } - - # only add admin access role if variable was set - aws_auth_roles = [local.aws_auth_role_install_access] +provider "aws" { + region = local.install_region } resource "aws_kms_key" "eks" { description = "Key for ${local.cluster_name} EKS cluster" } -# TODO: Looks like we're not using this? -# resource "aws_kms_alias" "eks" { -# name = "alias/nuon/eks-${var.nuon_id}" -# target_key_id = aws_kms_key.eks.id -# } - module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 19.17.2" - - # This module does something funny with state and `default_tags` - # so it shows as a change on every apply. By using a provider w/o - # `default_tags`, we can avoid this? - providers = { - aws = aws.no_tags - } + version = "~> 20.24.3" cluster_name = local.cluster_name cluster_version = local.cluster_version 
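Review bot: The new `provider "aws" { region = local.install_region }` block places a provider configuration inside what the removed comments describe as a module called from another project (versions.tf previously declared `configuration_aliases` for exactly that reason). Terraform treats provider blocks in child modules as legacy: a module containing one cannot be called with `count`, `for_each` or `depends_on`, and once the caller removes the module call the provider configuration vanishes with it, leaving the module's resources undestroyable. If this file is still consumed as a child module, keep the configuration in the root and pass it in (`providers = { aws = aws }`). `local.install_region` is also not defined in the visible `locals` block — confirm it exists elsewhere in the file.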
@@ -56,21 +35,63 @@ module "eks" { } cluster_addons = { + coredns = {} + eks-pod-identity-agent = {} + kube-proxy = {} vpc-cni = { most_recent = true preserve = true } } - node_security_group_additional_rules = {} - - manage_aws_auth_configmap = true + authentication_mode = "API_AND_CONFIG_MAP" + enable_cluster_creator_admin_permissions = false + + access_entries = { + "install:{{SessionName}}" = { + principal_arn = var.runner_install_role + kubernetes_groups = [] # superceded by AmazonEKSClusterAdminPolicy + policy_associations = { + cluster_admin = { + policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" + access_scope = { + type = "cluster" + } + } + eks_admin = { + policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy" + access_scope = { + type = "cluster" + } + } + } + }, + # TODO(fd): we should have this passed in as an input in case this ever changes + "odr-${local.cluster_name}" = { + principal_arn = module.odr_iam_role.iam_role_arn + kubernetes_groups = [] # superceded by AmazonEKSClusterAdminPolicy + policy_associations = { + cluster_admin = { + policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" + access_scope = { + type = "cluster" + } + } + eks_admin = { + policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy" + access_scope = { + type = "cluster" + } + } + } + } - aws_auth_roles = local.aws_auth_roles + } + node_security_group_additional_rules = {} eks_managed_node_groups = { default = { - instance_types = [var.default_instance_type] + instance_types = local.instance_types min_size = local.min_size max_size = local.max_size desired_size = local.desired_size diff --git a/error-destroy.sh b/error-destroy.sh index 24a20ca..54aefe5 100755 --- a/error-destroy.sh +++ b/error-destroy.sh 
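Review bot: Both access entries associate `AmazonEKSClusterAdminPolicy` and `AmazonEKSAdminPolicy` at cluster scope; cluster-admin already covers everything the admin policy grants, so the two `eks_admin` associations add nothing and should be dropped to keep the grant legible. The `odr-${local.cluster_name}` entry gives the on-demand runner role full cluster-admin; if that runner only acts inside its own namespace (example.tfvars sets `waypoint_odr_namespace`), a namespace-scoped `access_scope` for that entry would be the least-privilege option — confirm what the runner actually needs. With `API_AND_CONFIG_MAP` any `system:masters` mapping left in the `aws-auth` ConfigMap of an already-provisioned cluster stays effective now that `manage_aws_auth_configmap` is gone, so upgraded clusters should have that mapping removed explicitly. The comment `# superceded by AmazonEKSClusterAdminPolicy` should read `superseded`. The `module "eks"` block continues past the end of this hunk.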
@@ -3,11 +3,36 @@ set -u set -o pipefail + echo "executing error-destroy script" +echo +echo ' region: '$AWS_REGION +echo ' profile: '$AWS_PROFILE +echo ' install id: '$NUON_INSTALL_ID +echo + echo "ensuring AWS is setup" aws sts get-caller-identity > /dev/null +echo "looking for NAT Gateways" +NAT_GATEWAYS=$(aws ec2 describe-nat-gateways --filter Name=tag:Name,Values=$NUON_INSTALL_ID*) +echo $NAT_GATEWAYS | jq -r '.NatGateways[].NatGatewayId' | while read -r nat_gateway_id; do + echo "deleting NAT Gateway "$nat_gateway_id + aws ec2 delete-nat-gateway --nat-gateway-id $nat_gateway_id +done + +echo "looking for Load Balancers" +NLBS=$(aws elbv2 describe-load-balancers | jq '.LoadBalancers') +echo $NLBS | jq -r '.[].LoadBalancerArn' | while read -r lb_arn; do + echo $lb_arn + tag_values=$(aws elbv2 describe-tags --resource-arn $lb_arn | jq -r '.TagDescriptions[].Tags.[].Value') + if [[ $tag_values == *"$NUON_INSTALL_ID"* ]]; then + echo "deleting load balancer "$lb_arn + aws elbv2 delete-load-balancer --load-balancer-arn $lb_arn + fi +done + echo "looking for ENIs which were orphaned by vpc-cni plugin" ENIS=$(aws ec2 \ describe-network-interfaces \ diff --git a/example.tfvars b/example.tfvars index 8b8db11..071edd1 100644 --- a/example.tfvars +++ b/example.tfvars 
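Review bot: The load-balancer loop deletes every ELBv2 in the region whose tag values contain `$NUON_INSTALL_ID` as a substring, and `set -u` does not reject an empty value, so an empty `NUON_INSTALL_ID` turns `[[ $tag_values == *"$NUON_INSTALL_ID"* ]]` into a match for every load balancer the credentials can see; the NAT gateway filter `Values=$NUON_INSTALL_ID*` degrades the same way to `Values=*`, and its unquoted `*` is additionally a shell glob against the working directory. Fail fast when the id is empty and quote the expansions, as below; matching one specific tag key with exact equality rather than a substring over all values would shrink the blast radius further, though which tag the controller-created load balancers carry needs confirming. The `.Tags.[]` form in the jq filter appears to need jq 1.7 or newer — verify against the jq shipped on the runner.
```shell
if [[ -z "${NUON_INSTALL_ID:-}" ]]; then
  echo "NUON_INSTALL_ID is empty; refusing to run error-destroy" >&2
  exit 1
fi

echo "looking for NAT Gateways"
NAT_GATEWAYS=$(aws ec2 describe-nat-gateways --filter "Name=tag:Name,Values=${NUON_INSTALL_ID}*")
echo "$NAT_GATEWAYS" | jq -r '.NatGateways[].NatGatewayId' | while read -r nat_gateway_id; do
  echo "deleting NAT Gateway $nat_gateway_id"
  aws ec2 delete-nat-gateway --nat-gateway-id "$nat_gateway_id"
done

# … unchanged: load balancer loop, with the same quoting applied to "$lb_arn" …
```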
@@ -1,14 +1,17 @@ -nuon_id = "28g232g0an6vh29t6mu7kv3a96" +# noqa +internal_root_domain = "internal.inl4kswfghtbjvygxnuynkxohz.nuon.run" +public_root_domain = "api.inl4kswfghtbjvygxnuynkxohz.nuon.run" +nuon_id = "inl4kswfghtbjvygxnuynkxohz" region = "us-east-2" # assume_role_arn = "arn:aws:iam::949309607565:role/nuon-demo-install-access" -assume_role_arn = "" # This needs to be set for use from our services but should not be when running locally. -install_role_arn = "arn:aws:iam::618886478608:role/install-k8s-admin-stage" +# assume_role_arn = "arn:aws:iam::949309607565:role/nuon-aws-eks-install-access-003" # This needs to be set for use from our services but should not be when running locally. +runner_install_role = "arn:aws:iam::949309607565:role/nuon-aws-eks-install-access-003" + tags = { - nuon_id = "28g232g0an6vh29t6mu7kv3a96" - nuon_install_id = "28g232g0an6vh29t6mu7kv3a96" - nuon_app_id = "1mqyl4egjsebw2dwap2s66r69x" + nuon_id = "org2p22dpzwvwrrwna8laa6o8k" + nuon_install_id = "inl4kswfghtbjvygxnuynkxohz" + nuon_app_id = "appnjs4w7n1ozkhllblcjb8crs" nuon_sandbox_name = "aws-eks" - nuon_sandbox_version = "0.10.4" } -waypoint_odr_namespace = "02w56dgii30zc23fb4kvqz77yi" -waypoint_odr_service_account_name = "waypoint-odr-02w56dgii30zc23fb4kvqz77yi" +waypoint_odr_namespace = "inl4kswfghtbjvygxnuynkxohz" +waypoint_odr_service_account_name = "runner-inl4kswfghtbjvygxnuynkxohz" diff --git a/odr.tf b/odr.tf index 90d2dfe..bc1de3b 100644 --- a/odr.tf +++ b/odr.tf @@ -14,7 +14,6 @@ resource "aws_iam_policy" "odr" { module "odr_iam_role" { # NOTE: the iam role requires the cluster be created, but you can not reference the cluster module in the for_each # loop that the eks module uses to iterate over cluster_service_accounts - depends_on = [module.eks, aws_iam_policy.odr] source = "terraform-aws-modules/iam/aws//modules/iam-eks-role" version = ">= 5.1.0" 
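Review bot: The `# NOTE:` comment kept above the removed `depends_on` still says the role requires the cluster to be created, which is now the opposite of the actual ordering — eks.tf consumes `module.odr_iam_role.iam_role_arn` in its `access_entries`, so this role must exist before the cluster does. Replace it with something like `# NOTE: this role is created before the cluster; eks.tf grants it cluster access via an access entry, so it must not depend on module.eks (that would be a cycle).` If the module's `cluster_service_accounts` input (outside this hunk) still names the cluster, the iam-eks-role module's own lookup of that cluster would run before it exists on a fresh install — confirm the first-apply path has been exercised.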
@@ -30,4 +29,6 @@ module "odr_iam_role" { role_policy_arns = { custom = aws_iam_policy.odr.arn } + + depends_on = [aws_iam_policy.odr] } diff --git a/variables.tf b/variables.tf index fca3f3d..ca286a7 100644 --- a/variables.tf +++ b/variables.tf @@ -23,7 +23,7 @@ variable "cluster_name" { variable "cluster_version" { type = string description = "The Kubernetes version to use for the EKS cluster." - default = "1.28" + default = "1.31" } variable "min_size" { diff --git a/versions.tf b/versions.tf index 0ccca43..7cdbf12 100644 --- a/versions.tf +++ b/versions.tf @@ -1,18 +1,14 @@ terraform { - required_version = ">= 1.3.7" + required_version = ">= 1.5.4" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0" - # This is required in order for the calling TF project to pass in both the default and the no_tags aws providers. - # Everything works fine in the calling project, but this causes `terraform validate` to fail when run against this module itself. - # Apparently, this is a bug in Terraform: https://github.com/hashicorp/terraform/issues/28490 - configuration_aliases = [aws.no_tags] + version = ">= 5.68.0" } helm = { source = "hashicorp/helm" - version = ">= 2.4" + version = ">= 2.16.1" } kubectl = { source = "gavinbunney/kubectl" @@ -20,7 +16,7 @@ terraform { } kubernetes = { source = "hashicorp/kubernetes" - version = ">= 2.13.1" + version = ">= 2.33.0" } } }
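Review bot: The `depends_on = [aws_iam_policy.odr]` added at the end of the module call is redundant — `role_policy_arns = { custom = aws_iam_policy.odr.arn }` two lines above already makes the module depend on the policy. Beyond redundancy, `depends_on` on a module call forces every data source inside that module to be read at apply time, which for a module that looks up cluster or account data typically surfaces as permanent "known after apply" diffs; removing the line avoids both. Since eks.tf now references this module's role ARN from `access_entries`, a dependency on `module.eks` must not be reintroduced here either.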