From 82c730fdb003dee0babc4e8ae34aa30bddeb647d Mon Sep 17 00:00:00 2001 From: Jon Morehouse Date: Wed, 19 Jun 2024 18:24:14 -0600 Subject: [PATCH] feat: consolidate to use `runner_install_role` (#11) --- .terraform.lock.hcl | 136 ++++++++++++++++++++++---------------------- dns.tf | 14 ++--- eks.tf | 24 +------- variables.tf | 21 ++----- vpc.tf | 4 +- 5 files changed, 85 insertions(+), 114 deletions(-) diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl index f7539cc..f5efd50 100644 --- a/.terraform.lock.hcl +++ b/.terraform.lock.hcl 
@@ -23,105 +23,105 @@ provider "registry.terraform.io/gavinbunney/kubectl" { } provider "registry.terraform.io/hashicorp/aws" { - version = "5.44.0" + version = "5.54.1" constraints = ">= 3.72.0, >= 4.0.0, >= 4.57.0, >= 5.30.0, >= 5.37.0" hashes = [ - "h1:K3sX+P4wofRNcVsnYW4PIhxHijd3w/ZD5AO7yWFPT6A=", - "zh:1224a42bb04574785549b89815d98bda11f6e9992352fc6c36c5622f3aea91c0", - "zh:2a8d1095a2f1ab097f516d9e7e0d289337849eebb3fcc34f075070c65063f4fa", - "zh:46cce11150eb4934196d9bff693b72d0494c85917ceb3c2914d5ff4a785af861", - "zh:4a7c15d585ee747d17f4b3904851cd95cfbb920fa197aed3df78e8d7ef9609b6", - "zh:508f1a85a0b0f93bf26341207d809bd55b60c8fdeede40097d91f30111fc6f5d", - "zh:52f968ffc21240213110378d0ffb298cbd23e9157a6d01dfac5a4360492d69c2", - "zh:5e9846b48ef03eb59541049e81b15cae8bc7696a3779ae4a5412fdce60bb24e0", - "zh:850398aecaf7dc0231fc320fdd6dffe41836e07a54c8c7b40eb28e7525d3c0a9", - "zh:8f87eeb05bdd1b873b6cfb3898dfad6402ac180dfa3c8f9754df8f85dcf92ca6", + "h1:+aq386lQCaPX7wR6EPf3PPZvCiI6dRwnjb1wR6lNa8E=", + "zh:37c09b9a0a0a2f7854fe52c6adb15f71593810b458a8283ed71d68036af7ba3a", + "zh:42fe11d87723d4e43b9c6224ae6bacdcb53faee8abc58f0fc625a161d1f71cb1", + "zh:57c6dfc46f28c9c2737559bd84acbc05aeae90431e731bb72a0024028a2d2412", + "zh:5ba9665a4ca0e182effd75575b19a4d47383ec02662024b9fe26f78286c36619", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:c726b87cd6ed111536f875dccedecff21abc802a4087264515ffab113cac36dc", - "zh:d57ea706d2f98b93c7b05b0c6bc3420de8e8cf2d0b6703085dc15ed239b2cc49", - "zh:d5d1a21246e68c2a7a04c5619eb0ad5a81644f644c432cb690537b816a156de2", - "zh:e869904cac41114b7e4ee66bcd2ce4585ed15ca842040a60cb47119f69472c91", - "zh:f1a09f2f3ea72cbe795b865cf31ad9b1866a536a8050cf0bb93d3fa51069582e", + "zh:b55980be0237644123a02a30b56d4cc03863ef29036c47d6e8ab5429ab45adf5", + "zh:b81e7664f10855a3a6fc234a18b4c4f1456273126a40c41516f2061696fb9870", + "zh:bd09736ffafd92af104c3c34b5add138ae8db4402eb687863ce472ca7e5ff2e2", + 
"zh:cc2eb1c62fba2a11d1f239e650cc2ae94bcab01c907384dcf2e213a6ee1bd5b2", + "zh:e5dc40205d9cf6f353c0ca532ae29afc6c83928bc9bcca47d74b640d3bb5a38c", + "zh:ebf1acdcd13f10db1b9c85050ddaadc70ab269c47c5a240753362446442d8371", + "zh:f2fc28a4ad94af5e6144a7309286505e3eb7a94d9dc106722b506c372ff7f591", + "zh:f49445e8435944df122aa89853260a2716ba8b73d6a6a70cae1661554926d5a2", + "zh:fc3b5046e60ae7cab20715be23de8436eb12736136fd6d0f0cc1549ebda6cc73", + "zh:fdb98a53500e245a3b5bec077b994da6959dba8fc4eb7534528658d820e06bd5", ] } provider "registry.terraform.io/hashicorp/cloudinit" { - version = "2.3.3" + version = "2.3.4" constraints = ">= 2.0.0" hashes = [ - "h1:GmJ8PxLjjPr+lh02Bw3u7RYqA3UtpE2hQ1T43Vt7PTQ=", - "zh:0bd6ee14ca5cf0f0c83d3bb965346b1225ccd06a6247e80774aaaf54c729daa7", - "zh:3055ad0dcc98de1d4e45b72c5889ae91b62f4ae4e54dbc56c4821be0fdfbed91", - "zh:32764cfcff0d7379ca8b7dde376ac5551854d454c5881945f1952b785a312fa2", - "zh:55c2a4dc3ebdeaa1dec3a36db96dab253c7fa10b9fe1209862e1ee77a01e0aa1", - "zh:5c71f260ba5674d656d12f67cde3bb494498e6b6b6e66945ef85688f185dcf63", + "h1:S3j8poSaLbaftlKq2STBkQEkZH253ZLaHhBHBifdpBQ=", + "zh:09f1f1e1d232da96fbf9513b0fb5263bc2fe9bee85697aa15d40bb93835efbeb", + "zh:381e74b90d7a038c3a8dcdcc2ce8c72d6b86da9f208a27f4b98cabe1a1032773", + "zh:398eb321949e28c4c5f7c52e9b1f922a10d0b2b073b7db04cb69318d24ffc5a9", + "zh:4a425679614a8f0fe440845828794e609b35af17db59134c4f9e56d61e979813", + "zh:4d955d8608ece4984c9f1dacda2a59fdb4ea6b0243872f049b388181aab8c80a", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:9617280a853ec7caedb8beb7864e4b29faf9c850a453283980c28fccef2c493d", - "zh:ac8bda21950f8dddade3e9bc15f7bcfdee743738483be5724169943cafa611f5", - "zh:ba9ab567bbe63dee9197a763b3104ea9217ba27449ed54d3afa6657f412e3496", - "zh:effd1a7e34bae3879c02f03ed3afa979433a518e11de1f8afd35a8710231ac14", - "zh:f021538c86d0ac250d75e59efde6d869bbfff711eb744c8bddce79d2475bf46d", - "zh:f1e3984597948a2103391a26600e177b19f16a5a4c66acee27a4343fb141571f", + 
"zh:a48fbee1d58d55a1f4c92c2f38c83a37c8b2f2701ed1a3c926cefb0801fa446a", + "zh:b748fe6631b16a1dafd35a09377c3bffa89552af584cf95f47568b6cd31fc241", + "zh:d4b931f7a54603fa4692a2ec6e498b95464babd2be072bed5c7c2e140a280d99", + "zh:f1c9337fcfe3a7be39d179eb7986c22a979cfb2c587c05f1b3b83064f41785c5", + "zh:f58fc57edd1ee3250a28943cd84de3e4b744cdb52df0356a53403fc240240636", + "zh:f5f50de0923ff530b03e1bca0ac697534d61bb3e5fc7f60e13becb62229097a9", ] } provider "registry.terraform.io/hashicorp/helm" { - version = "2.13.0" + version = "2.14.0" constraints = ">= 2.4.0" hashes = [ - "h1:jGANeRsj81e6I6LYTV7s+7bOfeb6wtVssAOnbu+ZUWg=", - "zh:016e42bea1c9145b0856bfcf1e5faf657e40e9a94e4d80bee9e0b8742eb9f5fd", - "zh:0a325cfcb62d4c611a9a7854d2ca26ee8cbd27a1cae40f607c0966e36a858358", - "zh:2e22929aa1cc59c02e1cb8af8cee25063a706cdfc15d3aff242c8bf76cd12ea3", - "zh:35d989aa6f43d6401077c190c3262c6df434290c5bec978079ae69eb33f3929e", - "zh:4cc42ee66af3fa965424c19904e5ac52326d4a31df066d565d591d0e46e64c2d", - "zh:69a429be3f7183f53ec1928a44ed7ad0606a0247a7ce34e2c5a8e9d8906dbcbd", - "zh:88155234e7a4d45cc91ebcb2d633fdfc2daad4e85e5b1990c864dab0432afa0e", - "zh:b13055e38617be147e82eec8b20c579e9c202da9ead8c976a54ed08bde6b06f7", - "zh:bc6f8f1f84afcc66c5b248ffa34580d8f7e7552628eb6ad044765513159db8e4", - "zh:d91899fe77e7223d91d2cfed2cacde1afe8b528771402ec4d494b81457421bb1", - "zh:ef5ca86c48a786a0cc481f4cfb1c9f2e3b8eccb640c106c6a1f253f97f5e9c55", + "h1:8Vt9264v3UE6mHLRG8yiteVl5h8ZSTkJXf1xdVLa7GA=", + "zh:087a475fda3649e4b6b9aeb5f21704972f5d85c10d0bf334289b0a1b8c1a5575", + "zh:1877991d976491d4e2a653a89491bd3b92123a00f442f15aa62caea8902677c7", + "zh:233d9e550b900be8bbf62871322964239bb4827b3500b77d7e2652a8bae6a106", + "zh:6ed09d405ade276dfc6ec591d113ca328ea3fe423405d4bc1116f7a06dfd86ec", + "zh:9039de4cbee5ae006d9cbf27f40f0a285feb02c3b00901535a1112853de55b5f", + "zh:aea6311b0f29edddefa21b8c7953314459caeace77d72d60588d1277f1723c54", + "zh:bd6a4fea3461c2751527f1c4e4c2c160e72f5b5a3b5cfbfe051adf61badd5ead", + 
"zh:c5f12a2ea4c3b62d9dd2d8f62c9918ef77b1f9dd4d6ccf1758a2a24139ab5319", + "zh:cd84d7258f263c3bd24138e7633b022451fdc1935a11e34932b63f71bbe6059f", + "zh:e637d01ee4dc2e5702d62c158399ab0d0ba3269e71f5db38db922ff05505ae2a", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fbf9c9936ae547b75a81170b7bd20f72bc5538e015efcf7d12f822358d758f57", ] } provider "registry.terraform.io/hashicorp/kubernetes" { - version = "2.27.0" + version = "2.31.0" constraints = ">= 2.10.0, >= 2.13.1" hashes = [ - "h1:GzU0FzYAT/+IgAhnSBcFH3bT+4I5N6oSga6iZgNJAus=", - "zh:3bdba30ae67c55dc7e9a317ac0da3b208ea7926fe9c2f0ae6587ee88dcc58d1f", - "zh:3f35138a831c00b188d2ffee27111dd0cf59afad2dd5653ed9e67d59646de12c", - "zh:64066d18f6ae9a316c2bc840ef3e641d7ab94e1ea3a41d12523e77345ad442ef", - "zh:653063d44b44881af3a480f7f8eaa94fa300e0229df2072d30f606bddcc9f025", - "zh:87f306e37efb61d13efa6da53a1e45e97e5996ebc0568b1caf8c3c5e54c05809", - "zh:8c428b9708f9634391e52300218771eab3fe942bb1295d8c0ad50ca4b33db3d9", - "zh:a44e87119a0337ded15479851786a13f412b413d9a463ba550d1210249206b0f", - "zh:aa2c4d110b0de6ef997c0d45f3f23f8a98f5530753095d6eff439a6d91a8ea31", - "zh:eb15ed8781ac6a0dec2f7d03cf090e23cfa05e3225806c6231ff2c574662fd63", - "zh:eb81c563f93bd3303f9620d11cd49f21f3f89ac3475c6d3e821b239feb9c217d", - "zh:f1a344a7f16131123577e4ec994d04a34ea458ec16c1ccac53fe7946bd817b18", + "h1:ZlKkkHJrjF4AiMueI2yA+abBc1c37cfwjyxURdLKhEw=", + "zh:0d16b861edb2c021b3e9d759b8911ce4cf6d531320e5dc9457e2ea64d8c54ecd", + "zh:1bad69ed535a5f32dec70561eb481c432273b81045d788eb8b37f2e4a322cc40", + "zh:43c58e3912fcd5bb346b5cb89f31061508a9be3ca7dd4cd8169c066203bcdfb3", + "zh:4778123da9206918a92dfa73cc711475d2b9a8275ff25c13a30513c523ac9660", + "zh:8bfa67d2db03b3bfae62beebe6fb961aee8d91b7a766efdfe4d337b33dfd23dd", + "zh:9020bb5729db59a520ade5e24984b737e65f8b81751fbbd343926f6d44d22176", + "zh:90431dbfc5b92498bfbce38f0b989978c84421a6c33245b97788a46b563fbd6e", + 
"zh:b71a061dda1244f6a52500e703a9524b851e7b11bbf238c17bbd282f27d51cb2", + "zh:d6232a7651b834b89591b94bf4446050119dcde740247e6083a4d55a2cefd28a", + "zh:d89fba43e699e28e2b5e92fff2f75fc03dbc8de0df9dacefe1a8836f8f430753", + "zh:ef85c0b744f5ba1b10dadc3c11e331ba4225c45bb733e024d7218c24b02b0512", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } provider "registry.terraform.io/hashicorp/time" { - version = "0.11.1" + version = "0.11.2" constraints = ">= 0.9.0" hashes = [ - "h1:pQGSL9mdgw4qsLndFYsEF93mbsIxyxNoAyIbBqhS3Xo=", - "zh:19a393db736ec4fd024d098d55aefaef07056c37a448ece3b55b3f5f4c2c7e4a", - "zh:227fa1e221de2907f37be78d40c06ca6a6f7b243a1ec33ade014dfaf6d92cd9c", - "zh:29970fecbf4a3ca23bacbb05d6b90cdd33dd379f90059fe39e08289951502d9f", - "zh:65024596f22f10e7dcb5e0e4a75277f275b529daa0bc0daf34ca7901c678ab88", - "zh:694d080cb5e3bf5ef08c7409208d061c135a4f5f4cdc93ea8607860995264b2e", + "h1:qg3O4PmHnlPcvuZ2LvzOYEAPGOKtccgD5kPdQPZw094=", + "zh:02588b5b8ba5d31e86d93edc93b306bcbf47c789f576769245968cc157a9e8c5", + "zh:088a30c23796133678d1d6614da5cf5544430570408a17062288b58c0bd67ac8", + "zh:0df5faa072d67616154d38021934d8a8a316533429a3f582df3b4b48c836cf89", + "zh:12edeeaef96c47f694bd1ba7ead6ccdb96028b25df352eea4bc5e40de7a59177", + "zh:1e859504a656a6e988f07b908e6ffe946b28bfb56889417c0a07ea9605a3b7b0", + "zh:64a6ae0320d4956c4fdb05629cfcebd03bcbd2206e2d733f2f18e4a97f4d5c7c", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:b29d15d13e1b3412e6a4e1627d378dbd102659132f7488f64017dd6b6d5216d3", - "zh:bb79f4cae9f8c17c73998edc54aa16c2130a03227f7f4e71fc6ac87e230575ec", - "zh:ceccf80e95929d97f62dcf1bb3c7c7553d5757b2d9e7d222518722fc934f7ad5", - "zh:f40e638336527490e294d9c938ae55919069e6987e85a80506784ba90348792a", - "zh:f99ef33b1629a3b2278201142a3011a8489e66d92da832a5b99e442204de18fb", - "zh:fded14754ea46fdecc62a52cd970126420d4cd190e598cb61190b4724a727edb", + "zh:924d137959193bf7aee6ebf241fbb9aec46d6eef828c5cf8d3c588770acae7b2", + 
"zh:b3cc76281a4faa9c2293a2460fc6962f6539e900994053f85185304887dddab8", + "zh:cbb40c791d4a1cdba56cffa43a9c0ed8e69930d49aa6bd931546b18c36e3b720", + "zh:d227d43594f8cb3d24f1fdd71382f14502cbe2a6deaddbc74242656bb5b38daf", + "zh:d4840641c46176bb9d70ba3aff09de749282136c779996b546c81e5ff701bbf6", ] } diff --git a/dns.tf b/dns.tf index 12e8931..24161d8 100644 --- a/dns.tf +++ b/dns.tf @@ -15,13 +15,13 @@ resource "aws_route53_zone" "public" { resource "aws_route53_record" "caa" { zone_id = aws_route53_zone.public.zone_id - name = var.public_root_domain - type = "CAA" - ttl = 300 + name = var.public_root_domain + type = "CAA" + ttl = 300 records = [ - "0 issue \"letsencrypt.org\"", - "0 issue \"amazon.com\"", - "0 issue \"amazonaws.com\"", - "0 issue \"amazontrust.com\"", + "0 issue \"letsencrypt.org\"", + "0 issue \"amazon.com\"", + "0 issue \"amazonaws.com\"", + "0 issue \"amazontrust.com\"", ] } diff --git a/eks.tf b/eks.tf index 17760e5..7511315 100644 --- a/eks.tf +++ b/eks.tf 
@@ -9,33 +9,15 @@ locals { # allow installing the runner in the cluster aws_auth_role_install_access = { - rolearn = var.external_access_role_arns[0], + rolearn = var.runner_install_role, username = "install:{{SessionName}}" groups = [ "system:masters", ] } - # Allow for updates via terraform - aws_auth_role_terraform_access = { - rolearn = var.assume_role_arn - username = "terraform:{{SessionName}}" - groups = [ - "system:masters", - ] - } - # give vendor admin access to cluster - aws_auth_role_admin_access = { - rolearn = var.admin_access_role_arn - username = "terraform:{{SessionName}}" - groups = [ - "system:masters", - ] - } + # only add admin access role if variable was set - aws_auth_roles = (var.admin_access_role_arn == "" ? - [local.aws_auth_role_install_access, local.aws_auth_role_terraform_access] : - [local.aws_auth_role_install_access, local.aws_auth_role_terraform_access, local.aws_auth_role_admin_access] - ) + aws_auth_roles = [local.aws_auth_role_install_access] } resource "aws_kms_key" "eks" { diff --git a/variables.tf b/variables.tf index 88883b6..fca3f3d 100644 --- a/variables.tf +++ b/variables.tf @@ -50,12 +50,6 @@ variable "default_instance_type" { description = "The EC2 instance type to use for the EKS cluster's default node group." } -variable "admin_access_role_arn" { - description = "Optional role to provide admin access to the cluster." - type = string - default = "" -} - variable "additional_tags" { type = map(any) description = "Extra tags to append to the default tags that will be added to install resources." 
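Review bot: The comment `# only add admin access role if variable was set` that remains on the new side is now stale: the conditional it described was removed and `aws_auth_roles = [local.aws_auth_role_install_access]` is unconditional, so a reader is told about a toggle that no longer exists. Replace it with something like `# runner_install_role is always mapped to system:masters (cluster-admin) via aws-auth; no other IAM roles are granted access here`. Dropping `aws_auth_role_terraform_access` also means the identity Terraform itself runs as is no longer mapped; that is fine if it is the cluster-creating identity (which EKS grants access implicitly) or the same role as `runner_install_role`, but otherwise later applies that manage the aws-auth ConfigMap could lose access, which is worth confirming and documenting next to the local. The enclosing `locals` block begins before this hunk.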
@@ -74,16 +68,6 @@ variable "region" { description = "The region to launch the cluster in" } -variable "assume_role_arn" { - type = string - description = "The role arn to assume during provisioning of this sandbox." -} - -variable "external_access_role_arns" { - type = list(string) - description = "Roles for external access to the cluster." -} - variable "waypoint_odr_namespace" { type = string description = "Namespace in which the ODR IAM Role's service account presides." @@ -115,3 +99,8 @@ variable "enable_nginx_ingress_controller" { default = "true" description = "Toggle the nginx-ingress controller in the EKS cluster." } + +variable "runner_install_role" { + type = string + description = "The role that is used to install the runner, and should be granted access." +} diff --git a/vpc.tf b/vpc.tf index 057356b..c51fb83 100644 --- a/vpc.tf +++ b/vpc.tf @@ -40,12 +40,12 @@ module "vpc" { public_subnet_tags = { "kubernetes.io/cluster/${var.nuon_id}" = "shared" "kubernetes.io/role/elb" = 1 - "visibility" = "public" + "visibility" = "public" } private_subnet_tags = { "kubernetes.io/cluster/${var.nuon_id}" = "shared" "kubernetes.io/role/internal-elb" = 1 - "visibility" = "private" + "visibility" = "private" } }
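Review bot: The new `runner_install_role` variable is consumed as an aws-auth `rolearn` and mapped to `system:masters` (per eks.tf in this patch), yet it has no `validation` block, so a malformed value is only noticed when access silently fails, and a wrong-but-valid ARN grants cluster-admin to an unintended role. An ARN-shape check fails fast at plan time, and the description should state that the value is an IAM role ARN, e.g. `description = "ARN of the IAM role used to install the runner; it is mapped to system:masters in the cluster's aws-auth ConfigMap."`. The regex below accepts the aws, aws-cn and aws-us-gov partitions; narrow it if only one partition is expected.
```hcl
variable "runner_install_role" {
  type        = string
  description = "ARN of the IAM role used to install the runner; it is mapped to system:masters in the cluster's aws-auth ConfigMap."

  validation {
    condition     = can(regex("^arn:aws[a-zA-Z-]*:iam::[0-9]{12}:role/", var.runner_install_role))
    error_message = "runner_install_role must be an IAM role ARN (arn:<partition>:iam::<account>:role/<name>)."
  }
}
```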