fd/hard code launch template (#15)

* chore: update tf version to what we use in cloud * chore: hardcoded launch template for faster reprovision * chore: move odr iam role out of eks module entries * chore: update permissions
nuonco · Nov 22, 2024 · d895917 · d895917
1 parent 387dfc8
commit d895917
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 23 deletions.
diff --git a/artifacts/cloudformation-template.yaml b/artifacts/cloudformation-template.yaml
@@ -55,7 +55,6 @@ Resources:
               - ec2:AttachInternetGateway
               - ec2:AuthorizeSecurityGroupEgress
               - ec2:AuthorizeSecurityGroupIngress
-              - ec2:AuthorizeSecurityGroupIngress
               - ec2:CreateInternetGateway
               - ec2:CreateLaunchTemplate
               - ec2:CreateLaunchTemplateVersion
@@ -151,6 +150,7 @@ Resources:
               - kms:UntagResource
               - logs:CreateLogGroup
               - logs:DescribeLogGroups
+              - logs:ListTagsForResource
               - logs:ListTagsLogGroup
               - logs:PutRetentionPolicy
               - logs:TagLogGroup
@@ -254,7 +254,9 @@ Resources:
               - kms:ScheduleKeyDeletion
               - logs:DeleteLogGroup
               - logs:DescribeLogGroups
+              - logs:ListTagsForResource
               - logs:ListTagsLogGroup
+              - logs:UntagResource
               - route53:ChangeTagsForResource
               - route53:DeleteHostedZone
               - route53:GetDNSSEC

diff --git a/eks.tf b/eks.tf
@@ -65,27 +65,7 @@ module "eks" {
           }
         }
       }
-    },
-    # TODO(fd): we should have this passed in as an input in case this ever changes
-    "odr-${local.cluster_name}" = {
-      principal_arn     = module.odr_iam_role.iam_role_arn
-      kubernetes_groups = [] # superceded by AmazonEKSClusterAdminPolicy
-      policy_associations = {
-        cluster_admin = {
-          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
-          access_scope = {
-            type = "cluster"
-          }
-        }
-        eks_admin = {
-          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy"
-          access_scope = {
-            type = "cluster"
-          }
-        }
-      }
     }
-
   }
 
   node_security_group_additional_rules = {}
@@ -96,6 +76,12 @@ module "eks" {
       max_size       = local.max_size
       desired_size   = local.desired_size
 
+      # NOTE(fd): automate the update of this on a regular interval
+      launch_template = {
+        name    = "default-2024112202580872790000001a"
+        version = 2
+      }
+
       iam_role_additional_policies = {
         additional = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
       }

diff --git a/odr.tf b/odr.tf
@@ -30,5 +30,8 @@ module "odr_iam_role" {
     custom = aws_iam_policy.odr.arn
   }
 
-  depends_on = [aws_iam_policy.odr]
+  depends_on = [
+    aws_iam_policy.odr,
+    module.eks,
+  ]
 }
diff --git a/terraform.tfstate b/terraform.tfstate
diff --git a/versions.tf b/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.5.4"
+  required_version = ">= 1.7.5"
 
   required_providers {
     aws = {