From 772421d96ee533a9a3d5c769e590231aa49fd2bf Mon Sep 17 00:00:00 2001 
From: Joachim Hill-Grannec Date: Thu, 11 Jan 2024 14:17:20 -0600 Subject: [PATCH] fix: refactor all foundation to use valuesObject instead of parameters or values, also removed TF modules which are no longer needed and started the example terraform --- gitops/base-install/cert-manager/install.yaml | 81 ++++--- gitops/base-install/ebs-csi/install.yaml | 93 ++++---- gitops/base-install/external-dns/install.yaml | 9 +- .../base-install/image-updater/install.yaml | 6 +- .../ingress-controller/resources.yaml | 45 ++-- gitops/base-install/reloader/install.yaml | 2 +- .../replacements/kustomization.yaml | 22 +- gitops/components/adot/kustomization.yaml | 8 +- gitops/components/adot/resources.yaml | 16 +- .../components/autoscaling/kustomization.yaml | 66 ------ gitops/components/autoscaling/resources.yaml | 92 -------- gitops/components/cilium/resources.yaml | 13 +- .../components/fluent-bit/kustomization.yaml | 3 +- gitops/components/fluent-bit/resources.yaml | 6 +- gitops/components/goldilocks/resources.yaml | 2 +- .../components/karpenter/kustomization.yaml | 8 +- gitops/components/karpenter/resources.yaml | 24 +- gitops/components/loki/kustomization.yaml | 14 +- gitops/components/loki/resources.yaml | 29 +-- terraform/cluster_roles/README.md | 44 ---- terraform/cluster_roles/main.tf | 149 ------------- .../cluster_roles/policies/autoscaler.json | 34 --- .../policies/aws-lb-controller-gov.json | 209 ------------------ .../policies/aws-lb-controller.json | 209 ------------------ .../policies/ebs-csi-driver-gov.json | 142 ------------ .../policies/ebs-csi-driver.json | 142 ------------ .../cluster_roles/policies/fluent-bit.json | 14 -- terraform/cluster_roles/variables.tf | 30 --- terraform/example/main.tf | 131 +++++++++++ terraform/example/variables.tf | 8 + 30 files changed, 300 insertions(+), 1351 deletions(-) delete mode 100644 gitops/components/autoscaling/kustomization.yaml delete mode 100644 gitops/components/autoscaling/resources.yaml delete mode 100644 
terraform/cluster_roles/README.md delete mode 100644 terraform/cluster_roles/main.tf delete mode 100644 terraform/cluster_roles/policies/autoscaler.json delete mode 100644 terraform/cluster_roles/policies/aws-lb-controller-gov.json delete mode 100644 terraform/cluster_roles/policies/aws-lb-controller.json delete mode 100644 terraform/cluster_roles/policies/ebs-csi-driver-gov.json delete mode 100644 terraform/cluster_roles/policies/ebs-csi-driver.json delete mode 100644 terraform/cluster_roles/policies/fluent-bit.json delete mode 100644 terraform/cluster_roles/variables.tf create mode 100644 terraform/example/main.tf create mode 100644 terraform/example/variables.tf diff --git a/gitops/base-install/cert-manager/install.yaml b/gitops/base-install/cert-manager/install.yaml index 269d8e2..76fd047 100644 --- a/gitops/base-install/cert-manager/install.yaml +++ b/gitops/base-install/cert-manager/install.yaml 
@@ -19,42 +19,42 @@ spec:
 targetRevision: 1.13.2
 helm:
 releaseName: cert-manager
- parameters:
- - name: serviceAccount.annotations.eks\.amazonaws\.com/role-arn
- value: CERT_MANAGER_ROLE_ARN
- - name: serviceAccount.annotations.eks\.amazonaws\.com/sts-regional-endpoints
- value: "true"
- forceString: true
- - name: installCRDs
- value: "true"
- - name: serviceAccount.create
- value: "true"
- - name: extraEnv[0].name
- value: "AWS_REGION"
- - name: extraEnv[0].value
- value: "us-east-1"
- - name: serviceAccount.name
- value: "cert-manager"
- - name: securityContext.fsGroup
- value: "1001"
- - name: resources.limits.memory
- value: "105M"
- - name: resources.requests.cpu
- value: "15m"
- - name: resources.requests.memory
- value: "105M"
- - name: webhook.resources.limits.memory
- value: "105M"
- - name: webhook.resources.requests.cpu
- value: "15m"
- - name: webhook.resources.requests.memory
- value: "105M"
- - name: cainjector.resources.limits.memory
- value: "105M"
- - name: cainjector.resources.requests.cpu
- value: "15m"
- - name: cainjector.resources.requests.memory
- value: "105M"
+ valuesObject:
+ installCRDs: true
+ serviceAccount:
+ create: true
+ name: cert-manager
+ annotations:
+ eks.amazonaws.com/role-arn: CERT_MANAGER_ROLE_ARN
+ eks.amazonaws.com/sts-regional-endpoint: "true"
+ extraEnv:
+ - name: AWS_REGION
+ value: "us-east-1"
+ securityContext:
+ fsGroup: "1001"
+ resources:
+ requests:
+ cpu: "15m"
+ memory: "105M"
+ limits:
+ cpu: "15m"
+ memory: "105M"
+ webhook:
+ resources:
+ requests:
+ cpu: "15m"
+ memory: "105M"
+ limits:
+ cpu: "15m"
+ memory: "105M"
+ cainjector:
+ resources:
+ requests:
+ cpu: "15m"
+ memory: "105M"
+ limits:
+ cpu: "15m"
+ memory: "105M"
 destination:
 namespace: cert-manager
 name: in-cluster
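Review bot: The regional-STS annotation key in the new `serviceAccount.annotations` block is misspelled — `eks.amazonaws.com/sts-regional-endpoint: "true"` drops the trailing `s` that the removed parameter (`…/sts-regional-endpoints`) and every other application in this commit use, so the pod identity webhook will not recognise it and cert-manager silently falls back to the global STS endpoint; it should read `eks.amazonaws.com/sts-regional-endpoints: "true"`. `fsGroup: "1001"` is now a quoted string, whereas the old `--set`-style parameter was coerced to an integer by Helm; if the chart emits `securityContext` via `toYaml` the API server will reject a string fsGroup, so write `fsGroup: 1001`. The rewrite also adds `limits.cpu: "15m"` to all three components where the removed parameters only ever set `limits.memory`; a 15m CPU limit will throttle the controller and webhook under load and is not mentioned in the commit message, so either drop those lines or call the change out explicitly.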
@@ -75,12 +75,9 @@ spec: path: gitops/base-install/cert-manager/create-issuer helm: releaseName: create-issuer - parameters: - - name: acmeIssuerEmail - value: ACME_ISSUER_EMAIL - - name: awsRegion - value: AWS_REGION - + valuesObject: + acmeIssuerEmail: ACME_ISSUER_EMAIL + awsRegion: AWS_REGION targetRevision: main destination: namespace: cert-manager diff --git a/gitops/base-install/ebs-csi/install.yaml b/gitops/base-install/ebs-csi/install.yaml index 549ef91..69ed1a7 100644 --- a/gitops/base-install/ebs-csi/install.yaml +++ b/gitops/base-install/ebs-csi/install.yaml 
@@ -17,57 +17,48 @@ spec: targetRevision: 2.26.0 helm: releaseName: aws-ebs-csi-driver - parameters: - - name: controller.serviceAccount.annotations.eks\.amazonaws\.com/role-arn - value: EBS_CSI_ROLE_ARN - - name: controller.serviceAccount.create - value: "true" - - name: controller.serviceAccount.name - value: "ebs-csi-driver" - - name: controller.serviceAccount.annotations.eks\.amazonaws\.com/sts-regional-endpoints - value: "true" - forceString: true - - name: controller.resources.limits.memory - value: "128Mi" - - name: controller.resources.requests.cpu - value: "100m" - - name: controller.resources.requests.memory - value: "128Mi" - - name: node.serviceAccount.create - value: "false" - - name: node.serviceAccount.name - value: "ebs-csi-driver" - - name: node.resources.limits.memory - value: "128Mi" - - name: node.resources.requests.cpu - value: "100m" - - name: node.resources.requests.memory - value: "128Mi" - - name: storageClasses.0.name - value: gp3 - - name: >- - storageClasses.0.annotations.storageclass\.kubernetes\.io/is-default-class - value: 'true' - forceString: true - - name: storageClasses.0.parameters.type - value: gp3 -# TODO: Encrypting volumes by default seems desirable, but may have unintended consequences -# - name: storageClasses.0.parameters.encrypted -# value: "true" - - name: storageClasses.1.name - value: gp2 - - name: storageClasses.1.parameters.type - value: gp2 -# TODO: Encrypting volumes by default seems desirable, but may have unintended consequences -# - name: storageClasses.1.parameters.encrypted -# value: "true" - - name: volumeSnapshotClasses.0.annotations.snapshot\.storage\.kubernetes\.io/is-default-class - value: "true" - forceString: true - - name: volumeSnapshotClasses.0.name - value: ebs-snapshot - - name: volumeSnapshotClasses.0.deletionPolicy - value: Delete + valuesObject: + controller: + serviceAccount: + create: "true" + name: ebs-csi-driver + annotations: + eks.amazonaws.com/role-arn: EBS_CSI_ROLE_ARN + 
eks.amazonaws.com/sts-regional-endpoints: "true" + resources: + requests: + cpu: "100m" + memory: "128Mi" + limits: + cpu: "100m" + memory: "128Mi" + node: + serviceAccount: + create: "false" + name: "ebs-csi-driver" + resources: + requests: + cpu: "100m" + memory: "128Mi" + limits: + cpu: "100m" + memory: "128Mi" + storageClasses: + - name: gp3 + parameters: + type: gp3 +# encrypted: "true" #TODO: Encrypting volumes by default seems desirable, check side effects + annotations: + storageclass.kubernetes.io/is-default-class: "true" + - name: gp2 + parameters: + type: gp2 +# encrypted: "true" #TODO: Encrypting volumes by default seems desirable, check side effects + volumeSnapshotClasses: + - name: ebs-snapshot + annotations: + snapshot.storage.kubernetes.io/is-default-class + deletionPolicy: Delete destination: namespace: kube-system name: in-cluster diff --git a/gitops/base-install/external-dns/install.yaml b/gitops/base-install/external-dns/install.yaml index bab02a7..d6ed25a 100644 --- a/gitops/base-install/external-dns/install.yaml +++ b/gitops/base-install/external-dns/install.yaml @@ -19,16 +19,13 @@ spec: targetRevision: 6.28.4 helm: releaseName: external-dns - parameters: - - name: serviceAccount.annotations.eks\.amazonaws\.com/role-arn - value: EXTERNAL_DNS_ROLE_ARN - - name: txtOwnerId - value: CLUSTER_NAME - values: | + valuesObject: + txtOwnerId: CLUSTER_NAME serviceAccount: create: true name: external-dns-controller annotations: + eks.amazonaws.com/role-arn: EXTERNAL_DNS_ROLE_ARN eks.amazonaws.com/sts-regional-endpoints: "true" provider: aws policy: sync diff --git a/gitops/base-install/image-updater/install.yaml b/gitops/base-install/image-updater/install.yaml index d309e1c..830c6a9 100644 --- a/gitops/base-install/image-updater/install.yaml +++ b/gitops/base-install/image-updater/install.yaml 
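Review bot: The `volumeSnapshotClasses` entry is malformed — `snapshot.storage.kubernetes.io/is-default-class` sits under `annotations:` as a bare scalar with no value, so `annotations` becomes a string instead of a map and the snapshot class loses its default marker (and the chart will most likely fail to render); it should be `snapshot.storage.kubernetes.io/is-default-class: "true"`. Booleans are also quoted throughout this block: `node.serviceAccount.create: "false"` used to arrive as a `--set`-style parameter and was parsed as a real `false`, but inside `valuesObject` it is a non-empty string, which a plain `{{ if .Values.node.serviceAccount.create }}` in the chart treats as true — the node ServiceAccount would then be rendered with the same name as the controller's and collide with it. Use unquoted `true`/`false` for `create` on both accounts. The `encrypted` TODO is carried over unchanged; note that `"true"` is the correct form there because StorageClass parameters are strings, and until it is enabled the default gp3 class provisions unencrypted volumes unless account-level EBS default encryption is already on.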
@@ -18,10 +18,7 @@ spec: chart: argocd-image-updater targetRevision: 0.9.1 helm: - parameters: - - name: serviceAccount.annotations.eks\.amazonaws\.com/role-arn - value: IMAGE_UPDATER_ROLE_ARN - values: | + valuesObject: # guide: https://github.com/argoproj-labs/argocd-image-updater/issues/112#issuecomment-1058465942 config: registries: @@ -53,3 +50,4 @@ spec: name: argocd-image-updater annotations: eks.amazonaws.com/sts-regional-endpoints: "true" + eks.amazonaws.com/role-arn: IMAGE_UPDATER_ROLE_ARN diff --git a/gitops/base-install/ingress-controller/resources.yaml b/gitops/base-install/ingress-controller/resources.yaml index c6f07a3..27299d8 100644 --- a/gitops/base-install/ingress-controller/resources.yaml +++ b/gitops/base-install/ingress-controller/resources.yaml 
@@ -18,37 +18,30 @@ spec: targetRevision: 1.6.2 helm: releaseName: aws-load-balancer-controller - parameters: - - name: serviceAccount.annotations.eks\.amazonaws\.com/role-arn - value: ALB_ROLE_ARN - - name: serviceAccount.annotations.eks\.amazonaws\.com/sts-regional-endpoints - value: "true" - forceString: true - - name: serviceAccount.create - value: "true" - - name: serviceAccount.name - value: "aws-load-balancer-controller" - - name: clusterName - value: CLUSTER_NAME - - name: resources.limits.memory - value: "128Mi" - - name: resources.requests.cpu - value: "100m" - - name: resources.requests.memory - value: "128Mi" - - name: 'tolerations[0].key' - value: CriticalAddonsOnly - - name: 'tolerations[0].operator' - value: Exists -# NOTE: Currently disabled however may need to bring back to limit aws lb controller. -# - name: watchNamespace -# value: "ingress-nginx" + valuesObject: + serviceAccount: + create: "true" + name: "aws-load-balancer-controller" + annotations: + eks.amazonaws.com/role-arn: ALB_ROLE_ARN + eks.amazonaws.com/sts-regional-endpoints: "true" + clusterName: CLUSTER_NAME + resources: + requests: + cpu: "100m" + memory: "128Mi" + limits: + cpu: "100m" + memory: "128Mi" + tolerations: + - key: CriticalAddonsOnly + operator: Exists +# watchNamespace: ingress-nginx # NOTE: Currently disabled however may need to bring back to limit aws lb controller. ignoreDifferences: - kind: Secret name: aws-load-balancer-tls jqPathExpressions: - .data - destination: namespace: alb name: in-cluster diff --git a/gitops/base-install/reloader/install.yaml b/gitops/base-install/reloader/install.yaml index 149bdc2..f2629e0 100644 --- a/gitops/base-install/reloader/install.yaml +++ b/gitops/base-install/reloader/install.yaml @@ -24,7 +24,7 @@ spec: targetRevision: v1.0.51 helm: releaseName: reloader - values: | + valuesObject: reloader: deployment: resources: 
diff --git a/gitops/base-install/replacements/kustomization.yaml b/gitops/base-install/replacements/kustomization.yaml index c9ffe7b..fce7640 100644 --- a/gitops/base-install/replacements/kustomization.yaml +++ b/gitops/base-install/replacements/kustomization.yaml @@ -38,7 +38,7 @@ replacements: kind: Application name: create-issuer fieldPaths: - - spec.source.helm.parameters.[name=acmeIssuerEmail].value + - spec.source.helm.valuesObject.acmeIssuerEmail - source: version: v1 @@ -52,7 +52,7 @@ replacements: kind: Application name: create-issuer fieldPaths: - - spec.source.helm.parameters.[name=awsRegion].value + - spec.source.helm.valuesObject.awsRegion - source: version: v1 @@ -66,14 +66,14 @@ replacements: kind: Application name: alb-controller fieldPaths: - - spec.source.helm.parameters.[name=clusterName].value + - spec.source.helm.valuesObject.clusterName - select: group: argoproj.io version: v1alpha1 kind: Application name: external-dns fieldPaths: - - spec.source.helm.parameters.[name=txtOwnerId].value + - spec.source.helm.valuesObject.txtOwnerId - source: version: v1 @@ -87,8 +87,7 @@ replacements: kind: Application name: alb-controller fieldPaths: - - spec.source.helm.parameters.0.value # TODO: is there a way to use the [name=serviceAccount.annotations.eks\.amazonaws\.com/role-arn] escapes don't work - + - spec.source.helm.valuesObject.serviceAccount.annotations.[eks.amazonaws.com/role-arn] - source: version: v1 @@ -102,7 +101,7 @@ replacements: kind: Application name: ebs-csi fieldPaths: - - spec.sources.[chart=aws-ebs-csi-driver].helm.parameters.0.value # TODO: is there a way to use the [name=controller.serviceAccount.annotations.eks\.amazonaws\.com/role-arn] escapes don't work + - spec.sources.[chart=aws-ebs-csi-driver].helm.valuesObject.controller.serviceAccount.annotations.[eks.amazonaws.com/role-arn] - source: version: v1 
@@ -116,8 +115,7 @@ replacements: kind: Application name: external-dns fieldPaths: - - spec.source.helm.parameters.0.value # TODO: is there a way to use the [name=serviceAccount.annotations.eks\.amazonaws\.com/role-arn] escapes don't work - + - spec.source.helm.valuesObject.serviceAccount.annotations.[eks.amazonaws.com/role-arn] - source: version: v1 @@ -131,8 +129,7 @@ replacements: kind: Application name: cert-manager fieldPaths: - - spec.source.helm.parameters.0.value # TODO: is there a way to use the [name=serviceAccount.annotations.eks\.amazonaws\.com/role-arn] escapes don't work - + - spec.source.helm.valuesObject.serviceAccount.annotations.[eks.amazonaws.com/role-arn] - source: version: v1 @@ -146,5 +143,4 @@ replacements: kind: Application name: argocd-image-updater fieldPaths: - - spec.source.helm.parameters.0.value # TODO: is there a way to use the [name=serviceAccount.annotations.eks\.amazonaws\.com/role-arn] escapes don't work - + - spec.source.helm.valuesObject.serviceAccount.annotations.[eks.amazonaws.com/role-arn] diff --git a/gitops/components/adot/kustomization.yaml b/gitops/components/adot/kustomization.yaml index bf6ad1a..4210d70 100644 --- a/gitops/components/adot/kustomization.yaml +++ b/gitops/components/adot/kustomization.yaml @@ -33,7 +33,7 @@ replacements: kind: Application name: adot-collector fieldPaths: - - spec.source.helm.parameters.0.value # TODO: is there a way to use the [name=serviceAccount.annotations.eks\.amazonaws\.com/role-arn] escapes don't work + - spec.source.helm.valuesObject.adotCollector.daemonSet.serviceAccount.annotations.[eks.amazonaws.com/role-arn] - source: version: v1 @@ -47,7 +47,7 @@ replacements: kind: Application name: adot-collector fieldPaths: - - spec.source.helm.parameters.[name=clusterName].value + - spec.source.helm.valuesObject.clusterName - source: version: v1 kind: ConfigMap 
@@ -60,7 +60,7 @@ replacements: kind: Application name: adot-collector fieldPaths: - - spec.source.helm.parameters.[name=awsRegion].value + - spec.source.helm.valuesObject.awsRegion - source: version: v1 kind: ConfigMap @@ -73,4 +73,4 @@ replacements: kind: Application name: adot-collector fieldPaths: - - spec.source.helm.parameters.[name=ampexporters.endpoint].value + - spec.source.helm.valuesObject.adotCollector.daemonSet.ampexporters.endpoint diff --git a/gitops/components/adot/resources.yaml b/gitops/components/adot/resources.yaml index 45bfb22..d119f41 100644 --- a/gitops/components/adot/resources.yaml +++ b/gitops/components/adot/resources.yaml @@ -24,16 +24,9 @@ spec: targetRevision: 0.21.0 helm: releaseName: adot-collector - parameters: - - name: adotCollector.daemonSet.serviceAccount.annotations.eks\.amazonaws\.com/role-arn - value: ADOT_ROLE_ARN - - name: clusterName - value: CLUSTER_NAME - - name: awsRegion - value: AWS_REGION - - name: adotCollector.daemonSet.ampexporters.endpoint - value: AMP_RW_ENDPOINT - values: | + valuesObject: + clusterName: CLUSTER_NAME + awsRegion: AWS_REGION adotCollector: daemonSet: createNamespace: false @@ -43,12 +36,15 @@ spec: name: "adot-collector" annotations: eks.amazonaws.com/sts-regional-endpoints: "true" + eks.amazonaws.com/role-arn: ADOT_ROLE_ARN resources: limits: memory: 200Mi requests: cpu: 200m memory: 200Mi + ampexporters: + endpoint: AMP_RW_ENDPOINT ampreceivers: scrapeInterval: 60s scrapeTimeout: 10s diff --git a/gitops/components/autoscaling/kustomization.yaml b/gitops/components/autoscaling/kustomization.yaml deleted file mode 100644 index 9d08da2..0000000 --- a/gitops/components/autoscaling/kustomization.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1alpha1 -kind: Component - -resources: - - ./resources.yaml - -patches: - - target: - group: argoproj.io - version: v1alpha1 - kind: AppProject - name: admins - patch: |- - - op: add - path: /spec/sourceRepos/- - value: https://kubernetes-sigs.github.io/metrics-server - - op: add - path: /spec/sourceRepos/- - value: https://kubernetes.github.io/autoscaler - - op: add - path: /spec/destinations/- - value: - namespace: kube-system - server: https://kubernetes.default.svc - -replacements: - - source: - version: v1 - kind: ConfigMap - name: kustomize-environment - fieldPath: data.AUTOSCALER_ROLE_ARN - targets: - - select: - group: argoproj.io - version: v1alpha1 - kind: Application - name: cluster-autoscaler - fieldPaths: - - spec.source.helm.parameters.0.value # TODO: is there a way to use the [name=serviceAccount.annotations.eks\.amazonaws\.com/role-arn] escapes don't work - - - source: - version: v1 - kind: ConfigMap - name: kustomize-environment - fieldPath: data.CLUSTER_NAME - targets: - - select: - group: argoproj.io - version: v1alpha1 - kind: Application - name: cluster-autoscaler - fieldPaths: - - spec.source.helm.parameters.[name=autoDiscovery.clusterName].value - - source: - version: v1 - kind: ConfigMap - name: kustomize-environment - fieldPath: data.AWS_REGION - targets: - - select: - group: argoproj.io - version: v1alpha1 - kind: Application - name: cluster-autoscaler - fieldPaths: - - spec.source.helm.parameters.[name=awsRegion].value diff --git a/gitops/components/autoscaling/resources.yaml b/gitops/components/autoscaling/resources.yaml deleted file mode 100644 index 884ce88..0000000 --- a/gitops/components/autoscaling/resources.yaml +++ /dev/null 
@@ -1,92 +0,0 @@ ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: metrics-server - namespace: argocd - finalizers: - - resources-finalizer.argocd.argoproj.io -spec: - project: admins - source: - chart: metrics-server - repoURL: https://kubernetes-sigs.github.io/metrics-server - targetRevision: 3.9.0 - helm: - releaseName: metrics-server - values: | - image: - tag: v0.6.3 - defaultArgs: - - --cert-dir=/tmp - - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname - - --kubelet-use-node-status-port - - --metric-resolution=35s - resources: - limits: - memory: 105M - requests: - cpu: 15m - memory: 105M - destination: - namespace: kube-system - name: in-cluster - syncPolicy: - automated: {} ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: cluster-autoscaler - namespace: argocd - finalizers: - - resources-finalizer.argocd.argoproj.io -spec: - project: admins - source: - chart: cluster-autoscaler - repoURL: https://kubernetes.github.io/autoscaler - targetRevision: 9.29.4 - helm: - releaseName: cluster-autoscaler - parameters: - - name: rbac.serviceAccount.annotations.eks\.amazonaws\.com/role-arn - value: AUTOSCALER_ROLE_ARN - - name: rbac.serviceAccount.annotations.eks\.amazonaws\.com/sts-regional-endpoints - value: "true" - forceString: true - - name: autoDiscovery.clusterName - value: CLUSTER_NAME - - name: autoDiscovery.cloudProvider - value: "aws" - - name: awsRegion - value: AWS_REGION - - name: rbac.serviceAccount.create - value: "true" - - name: rbac.serviceAccount.name - value: "cluster-autoscaler" - - name: extraArgs.expander - value: "priority" - - name: resources.limits.memory - value: "105M" - - name: resources.requests.memory - value: "105M" - - name: resources.requests.cpu - value: "15m" - destination: - namespace: kube-system - name: in-cluster - syncPolicy: - automated: {} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: cluster-autoscaler-priority-expander - namespace: kube-system 
-data: - priorities: |- - 20: - - main.* - 10: - - fallback.* diff --git a/gitops/components/cilium/resources.yaml b/gitops/components/cilium/resources.yaml index e81bed8..be7f68a 100644 --- a/gitops/components/cilium/resources.yaml +++ b/gitops/components/cilium/resources.yaml @@ -21,13 +21,7 @@ spec: targetRevision: 1.14.4 helm: releaseName: cilium -# parameters: -# - name: serviceAccounts.cilium.annotations -# value: AMP_RW_ENDPOINT -# TODO: how to express a map with multiple dot-separated keys as a value here? -# eks.amazonaws.com/role-arn: CILIUM_ROLE_ARN -# eks.amazonaws.com/sts-regional-endpoints: "true" - values: | + valuesObject: cni: exclusive: "false" # tunnelProtocol: "" @@ -38,8 +32,3 @@ spec: kubernetes.io/os: linux pelo.tech/multi-home-networking: "true" pelo.tech/uki-labs: "lab3" -# serviceAccounts: -# cilium: -# annotations: -# eks.amazonaws.com/role-arn: CILIUM_ROLE_ARN -# eks.amazonaws.com/sts-regional-endpoints: "true" diff --git a/gitops/components/fluent-bit/kustomization.yaml b/gitops/components/fluent-bit/kustomization.yaml index 7eecefd..5712c1b 100644 --- a/gitops/components/fluent-bit/kustomization.yaml +++ b/gitops/components/fluent-bit/kustomization.yaml @@ -33,5 +33,4 @@ replacements: kind: Application name: fluent-bit fieldPaths: - - spec.source.helm.parameters.0.value # TODO: is there a way to use the [name=serviceAccount.annotations.eks\.amazonaws\.com/role-arn] escapes don't work - + - spec.source.helm.valuesObject.serviceAccount.annotations.[eks.amazonaws.com/role-arn] diff --git a/gitops/components/fluent-bit/resources.yaml b/gitops/components/fluent-bit/resources.yaml index 25a459a..0734533 100644 --- a/gitops/components/fluent-bit/resources.yaml +++ b/gitops/components/fluent-bit/resources.yaml 
@@ -24,15 +24,13 @@ spec: targetRevision: 0.39.1 helm: releaseName: fluent-bit - parameters: - - name: serviceAccount.annotations.eks\.amazonaws\.com/role-arn - value: FLUENT_BIT_ROLE_ARN - values: | + valuesObject: serviceAccount: create: true name: fluent-bit annotations: eks.amazonaws.com/sts-regional-endpoints: "true" + eks.amazonaws.com/role-arn: FLUENT_BIT_ROLE_ARN priorityClassName: system-node-critical config: outputs: | diff --git a/gitops/components/goldilocks/resources.yaml b/gitops/components/goldilocks/resources.yaml index 04e3ea9..6d4a320 100644 --- a/gitops/components/goldilocks/resources.yaml +++ b/gitops/components/goldilocks/resources.yaml @@ -24,7 +24,7 @@ spec: targetRevision: 6.8.0 helm: releaseName: goldilocks - values: | + valuesObject: controller: flags: on-by-default: true diff --git a/gitops/components/karpenter/kustomization.yaml b/gitops/components/karpenter/kustomization.yaml index 894ec46..032d7f3 100644 --- a/gitops/components/karpenter/kustomization.yaml +++ b/gitops/components/karpenter/kustomization.yaml @@ -38,8 +38,7 @@ replacements: kind: Application name: karpenter fieldPaths: - - spec.source.helm.parameters.0.value # TODO: is there a way to use the [name=serviceAccount.annotations.eks\.amazonaws\.com/role-arn] escapes don't work - + - spec.source.helm.valuesObject.serviceAccount.annotations.[eks.amazonaws.com/role-arn] - source: version: v1 kind: ConfigMap @@ -52,7 +51,7 @@ replacements: kind: Application name: karpenter fieldPaths: - - spec.source.helm.parameters.[name=settings.clusterName].value + - spec.source.helm.valuesObject.settings.clusterName - source: version: v1 kind: ConfigMap @@ -65,5 +64,4 @@ replacements: kind: Application name: karpenter fieldPaths: - - spec.source.helm.parameters.[name=settings.interruptionQueue].value - + - spec.source.helm.valuesObject.settings.interruptionQueue diff --git a/gitops/components/karpenter/resources.yaml b/gitops/components/karpenter/resources.yaml index f4c6117..5ff97f1 100644 
--- a/gitops/components/karpenter/resources.yaml +++ b/gitops/components/karpenter/resources.yaml @@ -24,17 +24,13 @@ spec: targetRevision: v0.32.1 helm: releaseName: karpenter - parameters: - - name: serviceAccount.annotations.eks\.amazonaws\.com/role-arn - value: KARPENTER_ROLE_ARN - - name: serviceAccount.annotations.eks\.amazonaws\.com/sts-regional-endpoints - value: "true" - forceString: true - - name: serviceAccount.create - value: "true" - - name: serviceAccount.name - value: "karpenter" - - name: settings.clusterName - value: CLUSTER_NAME - - name: settings.interruptionQueue - value: CLUSTER_NAME + valuesObject: + serviceAccount: + create: "true" + name: "karpenter" + annotations: + eks.amazonaws.com/role-arn: KARPENTER_ROLE_ARN + eks.amazonaws.com/sts-regional-endpoints: "true" + settings: + clusterName: CLUSTER_NAME + interruptionQueue: CLUSTER_NAME diff --git a/gitops/components/loki/kustomization.yaml b/gitops/components/loki/kustomization.yaml index 6a7ae29..f89afa3 100644 --- a/gitops/components/loki/kustomization.yaml +++ b/gitops/components/loki/kustomization.yaml @@ -33,7 +33,7 @@ replacements: kind: Application name: loki fieldPaths: - - spec.source.helm.parameters.0.value # TODO: is there a way to use the [name=serviceAccount.annotations.eks\.amazonaws\.com/role-arn] escapes don't work + - spec.source.helm.valuesObject.serviceAccount.annotations.[eks.amazonaws.com/role-arn] - source: version: v1 @@ -47,7 +47,7 @@ replacements: kind: Application name: loki fieldPaths: - - spec.source.helm.parameters.[name=storage.s3.region].value + - spec.source.helm.valuesObject.storage.s3.region - source: version: v1 kind: ConfigMap 
@@ -60,9 +60,9 @@ replacements: kind: Application name: loki fieldPaths: - - spec.source.helm.parameters.[name=storage.bucketNames.chunks].value - - spec.source.helm.parameters.[name=storage.bucketNames.ruler].value - - spec.source.helm.parameters.[name=storage.bucketNames.admin].value + - spec.source.helm.valuesObject.storage.bucketNames.chunks + - spec.source.helm.valuesObject.storage.bucketNames.ruler + - spec.source.helm.valuesObject.storage.bucketNames.admin - source: version: v1 kind: ConfigMap @@ -75,5 +75,5 @@ replacements: kind: Application name: loki fieldPaths: - - spec.source.helm.parameters.1.value - - spec.source.helm.parameters.2.value + - spec.source.helm.valuesObject.gateway.ingress.hosts[host=LOKI_GATEWAY_HOST].host + - spec.source.helm.valuesObject.gateway.ingress.tls[secretName=loki-tls].hosts[0] diff --git a/gitops/components/loki/resources.yaml b/gitops/components/loki/resources.yaml index abadc0b..0a99875 100644 --- a/gitops/components/loki/resources.yaml +++ b/gitops/components/loki/resources.yaml @@ -24,27 +24,13 @@ spec: targetRevision: 5.36.3 helm: releaseName: loki - parameters: - - name: serviceAccount.annotations.eks\.amazonaws\.com/role-arn - value: LOKI_ROLE_ARN - - name: 'gateway.ingress.hosts[0].host' - value: LOKI_GATEWAY_HOST - - name: 'gateway.ingress.tls[0].hosts[0]' - value: LOKI_GATEWAY_HOST - - name: loki.storage.s3.region - value: AWS_REGION - - name: loki.storage.bucketNames.chunks - value: LOKI_S3_BUCKET - - name: loki.storage.bucketNames.ruler - value: LOKI_S3_BUCKET - - name: loki.storage.bucketNames.admin - value: LOKI_S3_BUCKET - values: | + valuesObject: serviceAccount: create: true name: loki annotations: eks.amazonaws.com/sts-regional-endpoints: "true" + eks.amazonaws.com/role-arn: LOKI_ROLE_ARN singleBinary: replicas: 2 persistence: 
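Review bot: The new fieldPaths do not match where the values actually live in `loki/resources.yaml` in this same commit — the replacement targets `spec.source.helm.valuesObject.storage.bucketNames.{chunks,ruler,admin}` (and the preceding hunk targets `…valuesObject.storage.s3.region`), but resources.yaml nests them one level deeper under `valuesObject.loki.storage.…`. As far as I recall kustomize fails the build with "unable to find field … in replacement target" when the path is absent and `options.create` is unset, and with `create` it would instead write a top-level `storage` key the chart ignores, leaving the literal `LOKI_S3_BUCKET`/`AWS_REGION` placeholders in the Loki config. Prefix the paths with `loki.`: `spec.source.helm.valuesObject.loki.storage.bucketNames.chunks` (likewise for `ruler`, `admin`) and `spec.source.helm.valuesObject.loki.storage.s3.region`.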
@@ -65,6 +51,13 @@ spec: backend: replicas: 0 loki: + storage: + s3: + region: AWS_REGION + bucketNames: + chunks: LOKI_S3_BUCKET + ruler: LOKI_S3_BUCKET + admin: LOKI_S3_BUCKET extraMemberlistConfig: bind_addr: - ${MY_POD_IP} @@ -90,13 +83,13 @@ spec: nginx.ingress.kubernetes.io/auth-type: basic nginx.ingress.kubernetes.io/auth-secret: loki-basic-auth hosts: - - host: loki.example.com + - host: LOKI_GATEWAY_HOST paths: - path: / pathType: Prefix tls: - hosts: - - loki.example.com + - LOKI_GATEWAY_HOST secretName: loki-tls ingress: enabled: false diff --git a/terraform/cluster_roles/README.md b/terraform/cluster_roles/README.md deleted file mode 100644 index aceb1ff..0000000 --- a/terraform/cluster_roles/README.md +++ /dev/null 
@@ -1,44 +0,0 @@ - -## Requirements - -No requirements. - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | n/a | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [aws_iam_role.alb_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role.autoscaler_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role.ebs_csi_driver_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role.fluent_bit_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role.image_updater_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy.alb_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | -| [aws_iam_role_policy.autoscaler_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | -| [aws_iam_role_policy.ebs_csi_driver_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | -| [aws_iam_role_policy.fluent_bit_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [create\_autoscaler\_role](#input\_create\_autoscaler\_role) | n/a | `bool` | `false` | no | -| [create\_fluent\_bit\_role](#input\_create\_fluent\_bit\_role) | n/a | `bool` | `false` | no | -| [create\_roles](#input\_create\_roles) | n/a | `bool` | `true` | no | -| [eks\_oidc\_issuer\_url](#input\_eks\_oidc\_issuer\_url) | URL of the cluster's OIDC provider. 
| `string` | n/a | yes | -| [eks\_oidc\_provider\_arn](#input\_eks\_oidc\_provider\_arn) | ARN of the cluster's OIDC provider. | `string` | n/a | yes | -| [use\_us\_gov\_cloud\_arns](#input\_use\_us\_gov\_cloud\_arns) | Whether to generate policies using arn:aws-us-gov:* prefixed ARNs instead of arn:aws:* | `bool` | `false` | no | - -## Outputs - -No outputs. - diff --git a/terraform/cluster_roles/main.tf b/terraform/cluster_roles/main.tf deleted file mode 100644 index 5972c70..0000000 --- a/terraform/cluster_roles/main.tf +++ /dev/null 
@@ -1,149 +0,0 @@
-terraform {
- required_version = "=1.4.3"
- required_providers {
- aws = {
- version = "~> 4.63.0"
- source = "hashicorp/aws"
- }
- }
-}
-
-resource "aws_iam_role" "alb_role" {
- count = var.create_roles ? 1 : 0
- name = "alb-role"
- assume_role_policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Effect = "Allow"
- Principal = {
- Federated = var.eks_oidc_provider_arn
- }
- Action = "sts:AssumeRoleWithWebIdentity"
- Condition : {
- StringEquals : {
- "${var.eks_oidc_issuer_url}:aud" : "sts.amazonaws.com"
- "${var.eks_oidc_issuer_url}:sub" : "system:serviceaccount:alb:aws-load-balancer-controller"
- }
- }
- }
- ]
- })
-}
-
-resource "aws_iam_role_policy" "alb_policy" {
- count = var.create_roles ? 1 : 0
- role = aws_iam_role.alb_role[0].id
- policy = var.use_us_gov_cloud_arns ? file("${path.module}/policies/aws-lb-controller-gov.json") : file("${path.module}/policies/aws-lb-controller.json")
-
-}
-
-resource "aws_iam_role" "image_updater_role" {
- count = var.create_roles ? 1 : 0
- name = "image-updater-role"
- assume_role_policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Effect = "Allow"
- Principal = {
- Federated = var.eks_oidc_provider_arn
- }
- Action = "sts:AssumeRoleWithWebIdentity"
- Condition : {
- StringEquals : {
- "${var.eks_oidc_issuer_url}:aud" : "sts.amazonaws.com"
- "${var.eks_oidc_issuer_url}:sub" : "system:serviceaccount:argocd:argocd-image-updater"
- }
- }
- }
- ]
- })
-}
-
-resource "aws_iam_role" "ebs_csi_driver_role" {
- count = var.create_roles ? 
1 : 0
- name = "ebs-csi-driver"
- assume_role_policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Effect = "Allow"
- Principal = {
- Federated = var.eks_oidc_provider_arn
- }
- Action = "sts:AssumeRoleWithWebIdentity"
- Condition : {
- StringEquals : {
- "${var.eks_oidc_issuer_url}:aud" : "sts.amazonaws.com"
- "${var.eks_oidc_issuer_url}:sub" : "system:serviceaccount:kube-system:ebs-csi-driver"
- }
- }
- }
- ]
- })
-}
-
-resource "aws_iam_role_policy" "ebs_csi_driver_policy" {
- count = var.create_roles ? 1 : 0
- role = aws_iam_role.ebs_csi_driver_role[0].id
- policy = var.use_us_gov_cloud_arns ? file("${path.module}/policies/ebs-csi-driver-gov.json") : file("${path.module}/policies/ebs-csi-driver.json")
-}
-
-resource "aws_iam_role" "autoscaler_role" {
- count = var.create_roles && var.create_autoscaler_role ? 1 : 0
- name = "autoscaler-role"
- assume_role_policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Effect = "Allow"
- Principal = {
- Federated = var.eks_oidc_provider_arn
- }
- Action = "sts:AssumeRoleWithWebIdentity"
- Condition : {
- StringEquals : {
- "${var.eks_oidc_issuer_url}:aud" : "sts.amazonaws.com"
- "${var.eks_oidc_issuer_url}:sub" : "system:serviceaccount:kube-system:cluster-autoscaler"
- }
- }
- }
- ]
- })
-}
-
-resource "aws_iam_role_policy" "autoscaler_policy" {
- count = var.create_roles && var.create_autoscaler_role ? 1 : 0
- role = aws_iam_role.autoscaler_role[0].id
- policy = file("${path.module}/policies/autoscaler.json")
-}
-
-resource "aws_iam_role" "fluent_bit_role" {
- count = var.create_roles && var.create_fluent_bit_role ? 
1 : 0
- name = "fluent-bit-role"
- assume_role_policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Effect = "Allow"
- Principal = {
- Federated = var.eks_oidc_provider_arn
- }
- Action = "sts:AssumeRoleWithWebIdentity"
- Condition : {
- StringEquals : {
- "${var.eks_oidc_issuer_url}:aud" : "sts.amazonaws.com"
- "${var.eks_oidc_issuer_url}:sub" : "system:serviceaccount:fluent-bit:fluent-bit"
- }
- }
- }
- ]
- })
-}
-
-resource "aws_iam_role_policy" "fluent_bit_policy" {
- count = var.create_roles && var.create_fluent_bit_role ? 1 : 0
- role = aws_iam_role.fluent_bit_role[0].id
- policy = file("${path.module}/policies/fluent-bit.json")
-}
diff --git a/terraform/cluster_roles/policies/autoscaler.json b/terraform/cluster_roles/policies/autoscaler.json
deleted file mode 100644
index 7751085..0000000
--- a/terraform/cluster_roles/policies/autoscaler.json
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "autoscaling:DescribeAutoScalingGroups",
- "autoscaling:DescribeAutoScalingInstances",
- "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:DescribeScalingActivities",
- "autoscaling:DescribeTags",
- "ec2:DescribeInstanceTypes",
- "ec2:DescribeLaunchTemplateVersions"
- ],
- "Resource": ["*"]
- },
- {
- "Effect": "Allow",
- "Action": [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "ec2:DescribeImages",
- "ec2:GetInstanceTypesFromInstanceRequirements",
- "eks:DescribeNodegroup"
- ],
- "Resource": ["*"],
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/k8s.io/cluster-autoscaler/core-cluster": "owned"
- }
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/terraform/cluster_roles/policies/aws-lb-controller-gov.json b/terraform/cluster_roles/policies/aws-lb-controller-gov.json
deleted file mode 100644
index ce35f92..0000000
--- a/terraform/cluster_roles/policies/aws-lb-controller-gov.json
+++ /dev/null
@@ -1,209 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "iam:CreateServiceLinkedRole",
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeAddresses",
- "ec2:DescribeAvailabilityZones",
- "ec2:DescribeInternetGateways",
- "ec2:DescribeVpcs",
- "ec2:DescribeSubnets",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeInstances",
- "ec2:DescribeNetworkInterfaces",
- "ec2:DescribeTags",
- "ec2:GetCoipPoolUsage",
- "ec2:DescribeCoipPools",
- "elasticloadbalancing:DescribeLoadBalancers",
- "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DescribeListeners",
- "elasticloadbalancing:DescribeListenerCertificates",
- "elasticloadbalancing:DescribeSSLPolicies",
- "elasticloadbalancing:DescribeRules",
- "elasticloadbalancing:DescribeTargetGroups",
- "elasticloadbalancing:DescribeTargetGroupAttributes",
- "elasticloadbalancing:DescribeTargetHealth",
- "elasticloadbalancing:DescribeTags"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "cognito-idp:DescribeUserPoolClient",
- "acm:ListCertificates",
- "acm:DescribeCertificate",
- "iam:ListServerCertificates",
- "iam:GetServerCertificate",
- "waf-regional:GetWebACL",
- "waf-regional:GetWebACLForResource",
- "waf-regional:AssociateWebACL",
- "waf-regional:DisassociateWebACL",
- "wafv2:GetWebACL",
- "wafv2:GetWebACLForResource",
- "wafv2:AssociateWebACL",
- "wafv2:DisassociateWebACL",
- "shield:GetSubscriptionState",
- "shield:DescribeProtection",
- "shield:CreateProtection",
- "shield:DeleteProtection"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateSecurityGroup"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateTags"
- ],
- "Resource": "arn:aws-us-gov:ec2:*:*:security-group/*",
- "Condition": {
- "StringEquals": {
- "ec2:CreateAction": 
"CreateSecurityGroup"
- },
- "Null": {
- "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateTags",
- "ec2:DeleteTags"
- ],
- "Resource": "arn:aws-us-gov:ec2:*:*:security-group/*",
- "Condition": {
- "Null": {
- "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
- "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:RevokeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup"
- ],
- "Resource": "*",
- "Condition": {
- "Null": {
- "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateTargetGroup"
- ],
- "Resource": "*",
- "Condition": {
- "Null": {
- "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:CreateRule",
- "elasticloadbalancing:DeleteRule"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:RemoveTags"
- ],
- "Resource": [
- "arn:aws-us-gov:elasticloadbalancing:*:*:targetgroup/*/*",
- "arn:aws-us-gov:elasticloadbalancing:*:*:loadbalancer/net/*/*",
- "arn:aws-us-gov:elasticloadbalancing:*:*:loadbalancer/app/*/*"
- ],
- "Condition": {
- "Null": {
- "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
- "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:RemoveTags"
- ],
- "Resource": [
- "arn:aws-us-gov:elasticloadbalancing:*:*:listener/net/*/*/*",
- "arn:aws-us-gov:elasticloadbalancing:*:*:listener/app/*/*/*",
- "arn:aws-us-gov:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
- 
"arn:aws-us-gov:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
- ]
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:SetIpAddressType",
- "elasticloadbalancing:SetSecurityGroups",
- "elasticloadbalancing:SetSubnets",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:ModifyTargetGroup",
- "elasticloadbalancing:ModifyTargetGroupAttributes",
- "elasticloadbalancing:DeleteTargetGroup"
- ],
- "Resource": "*",
- "Condition": {
- "Null": {
- "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:RegisterTargets",
- "elasticloadbalancing:DeregisterTargets"
- ],
- "Resource": "arn:aws-us-gov:elasticloadbalancing:*:*:targetgroup/*/*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:SetWebAcl",
- "elasticloadbalancing:ModifyListener",
- "elasticloadbalancing:AddListenerCertificates",
- "elasticloadbalancing:RemoveListenerCertificates",
- "elasticloadbalancing:ModifyRule"
- ],
- "Resource": "*"
- }
- ]
-}
diff --git a/terraform/cluster_roles/policies/aws-lb-controller.json b/terraform/cluster_roles/policies/aws-lb-controller.json
deleted file mode 100644
index 75d683b..0000000
--- a/terraform/cluster_roles/policies/aws-lb-controller.json
+++ /dev/null
@@ -1,209 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "iam:CreateServiceLinkedRole",
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeAddresses",
- "ec2:DescribeAvailabilityZones",
- "ec2:DescribeInternetGateways",
- "ec2:DescribeVpcs",
- "ec2:DescribeSubnets",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeInstances",
- "ec2:DescribeNetworkInterfaces",
- "ec2:DescribeTags",
- "ec2:GetCoipPoolUsage",
- "ec2:DescribeCoipPools",
- "elasticloadbalancing:DescribeLoadBalancers",
- "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DescribeListeners",
- "elasticloadbalancing:DescribeListenerCertificates",
- "elasticloadbalancing:DescribeSSLPolicies",
- "elasticloadbalancing:DescribeRules",
- "elasticloadbalancing:DescribeTargetGroups",
- "elasticloadbalancing:DescribeTargetGroupAttributes",
- "elasticloadbalancing:DescribeTargetHealth",
- "elasticloadbalancing:DescribeTags"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "cognito-idp:DescribeUserPoolClient",
- "acm:ListCertificates",
- "acm:DescribeCertificate",
- "iam:ListServerCertificates",
- "iam:GetServerCertificate",
- "waf-regional:GetWebACL",
- "waf-regional:GetWebACLForResource",
- "waf-regional:AssociateWebACL",
- "waf-regional:DisassociateWebACL",
- "wafv2:GetWebACL",
- "wafv2:GetWebACLForResource",
- "wafv2:AssociateWebACL",
- "wafv2:DisassociateWebACL",
- "shield:GetSubscriptionState",
- "shield:DescribeProtection",
- "shield:CreateProtection",
- "shield:DeleteProtection"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateSecurityGroup"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateTags"
- ],
- "Resource": "arn:aws:ec2:*:*:security-group/*",
- "Condition": {
- "StringEquals": {
- "ec2:CreateAction": 
"CreateSecurityGroup"
- },
- "Null": {
- "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateTags",
- "ec2:DeleteTags"
- ],
- "Resource": "arn:aws:ec2:*:*:security-group/*",
- "Condition": {
- "Null": {
- "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
- "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:RevokeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup"
- ],
- "Resource": "*",
- "Condition": {
- "Null": {
- "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateTargetGroup"
- ],
- "Resource": "*",
- "Condition": {
- "Null": {
- "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:CreateRule",
- "elasticloadbalancing:DeleteRule"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:RemoveTags"
- ],
- "Resource": [
- "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
- "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
- "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
- ],
- "Condition": {
- "Null": {
- "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
- "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:RemoveTags"
- ],
- "Resource": [
- "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
- "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
- "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
- "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
- ]
- },
- { 
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:SetIpAddressType",
- "elasticloadbalancing:SetSecurityGroups",
- "elasticloadbalancing:SetSubnets",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:ModifyTargetGroup",
- "elasticloadbalancing:ModifyTargetGroupAttributes",
- "elasticloadbalancing:DeleteTargetGroup"
- ],
- "Resource": "*",
- "Condition": {
- "Null": {
- "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:RegisterTargets",
- "elasticloadbalancing:DeregisterTargets"
- ],
- "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:SetWebAcl",
- "elasticloadbalancing:ModifyListener",
- "elasticloadbalancing:AddListenerCertificates",
- "elasticloadbalancing:RemoveListenerCertificates",
- "elasticloadbalancing:ModifyRule"
- ],
- "Resource": "*"
- }
- ]
-}
diff --git a/terraform/cluster_roles/policies/ebs-csi-driver-gov.json b/terraform/cluster_roles/policies/ebs-csi-driver-gov.json
deleted file mode 100644
index 0debeb0..0000000
--- a/terraform/cluster_roles/policies/ebs-csi-driver-gov.json
+++ /dev/null
@@ -1,142 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateSnapshot",
- "ec2:AttachVolume",
- "ec2:DetachVolume",
- "ec2:ModifyVolume",
- "ec2:DescribeAvailabilityZones",
- "ec2:DescribeInstances",
- "ec2:DescribeSnapshots",
- "ec2:DescribeTags",
- "ec2:DescribeVolumes",
- "ec2:DescribeVolumesModifications"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateTags"
- ],
- "Resource": [
- "arn:aws-us-gov:ec2:*:*:volume/*",
- "arn:aws-us-gov:ec2:*:*:snapshot/*"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:CreateAction": [
- "CreateVolume",
- "CreateSnapshot"
- ]
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DeleteTags"
- ],
- "Resource": [
- "arn:aws-us-gov:ec2:*:*:volume/*",
- "arn:aws-us-gov:ec2:*:*:snapshot/*"
- ]
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateVolume"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "aws-us-gov:RequestTag/ebs.csi.aws-us-gov.com/cluster": "true"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateVolume"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "aws-us-gov:RequestTag/CSIVolumeName": "*"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DeleteVolume"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "ec2:ResourceTag/ebs.csi.aws-us-gov.com/cluster": "true"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DeleteVolume"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "ec2:ResourceTag/CSIVolumeName": "*"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DeleteVolume"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "ec2:ResourceTag/kubernetes.io/created-for/pvc/name": "*"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DeleteSnapshot"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "ec2:ResourceTag/CSIVolumeSnapshotName": "*"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- 
"ec2:DeleteSnapshot"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "ec2:ResourceTag/ebs.csi.aws-us-gov.com/cluster": "true"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "kms:Decrypt",
- "kms:GenerateDataKeyWithoutPlaintext",
- "kms:CreateGrant"
- ],
- "Resource": "*"
- }
- ]
-}
diff --git a/terraform/cluster_roles/policies/ebs-csi-driver.json b/terraform/cluster_roles/policies/ebs-csi-driver.json
deleted file mode 100644
index 62f3467..0000000
--- a/terraform/cluster_roles/policies/ebs-csi-driver.json
+++ /dev/null
@@ -1,142 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateSnapshot",
- "ec2:AttachVolume",
- "ec2:DetachVolume",
- "ec2:ModifyVolume",
- "ec2:DescribeAvailabilityZones",
- "ec2:DescribeInstances",
- "ec2:DescribeSnapshots",
- "ec2:DescribeTags",
- "ec2:DescribeVolumes",
- "ec2:DescribeVolumesModifications"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateTags"
- ],
- "Resource": [
- "arn:aws:ec2:*:*:volume/*",
- "arn:aws:ec2:*:*:snapshot/*"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:CreateAction": [
- "CreateVolume",
- "CreateSnapshot"
- ]
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DeleteTags"
- ],
- "Resource": [
- "arn:aws:ec2:*:*:volume/*",
- "arn:aws:ec2:*:*:snapshot/*"
- ]
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateVolume"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "aws:RequestTag/ebs.csi.aws.com/cluster": "true"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateVolume"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "aws:RequestTag/CSIVolumeName": "*"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DeleteVolume"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DeleteVolume"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "ec2:ResourceTag/CSIVolumeName": "*"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DeleteVolume"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "ec2:ResourceTag/kubernetes.io/created-for/pvc/name": "*"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DeleteSnapshot"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "ec2:ResourceTag/CSIVolumeSnapshotName": "*"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DeleteSnapshot"
- ],
- "Resource": "*",
- "Condition": {
- 
"StringLike": {
- "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "kms:Decrypt",
- "kms:GenerateDataKeyWithoutPlaintext",
- "kms:CreateGrant"
- ],
- "Resource": "*"
- }
- ]
-}
diff --git a/terraform/cluster_roles/policies/fluent-bit.json b/terraform/cluster_roles/policies/fluent-bit.json
deleted file mode 100644
index 13f0193..0000000
--- a/terraform/cluster_roles/policies/fluent-bit.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "logs:CreateLogStream",
- "logs:CreateLogGroup",
- "logs:PutLogEvents"
- ],
- "Resource": "*"
- }
- ]
-}
diff --git a/terraform/cluster_roles/variables.tf b/terraform/cluster_roles/variables.tf
deleted file mode 100644
index 13b3de1..0000000
--- a/terraform/cluster_roles/variables.tf
+++ /dev/null
@@ -1,30 +0,0 @@
-variable "create_roles" {
- type = bool
- default = true
-}
-
-variable "eks_oidc_provider_arn" {
- type = string
- description = "ARN of the cluster's OIDC provider."
-}
-
-variable "eks_oidc_issuer_url" {
- type = string
- description = "URL of the cluster's OIDC provider."
-}
-
-variable "create_autoscaler_role" {
- type = bool
- default = false
-}
-
-variable "create_fluent_bit_role" {
- type = bool
- default = false
-}
-
-variable "use_us_gov_cloud_arns" {
- type = bool
- default = false
- description = "Whether to generate policies using arn:aws-us-gov:* prefixed ARNs instead of arn:aws:*"
-}
diff --git a/terraform/example/main.tf b/terraform/example/main.tf
new file mode 100644
index 0000000..c334651
--- /dev/null
+++ b/terraform/example/main.tf
@@ -0,0 +1,131 @@
+terraform {
+ required_version = "= 1.5.7"
+# backend "s3" {
+# bucket = "something"
+# key = "somekey"
+# region = "us-west-2"
+# }
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.65.0"
+ }
+ }
+}
+locals {
+ core_cluster_name = "test"
+ create_cluster = true
+ tags = {}
+}
+provider "aws" {
+ region = "us-west-2"
+}
+data "aws_caller_identity" "current" {}
+resource "aws_ebs_encryption_by_default" "us_west_2" {
+ enabled = true
+}
+module "vpc_core" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "4.0.1"
+ name = "${var.environment}-core"
+ enable_dns_hostnames = "true"
+ enable_dns_support = "true"
+ enable_nat_gateway = "true"
+ one_nat_gateway_per_az = "true"
+ cidr = "172.15.0.0/16"
+ azs = [
+ "us-west-2a",
+ "us-west-2b",
+ "us-west-2c",
+ ]
+ private_subnets = [
+ "172.15.0.0/24",
+ "172.15.1.0/24",
+ "172.15.2.0/24",
+ ]
+ public_subnets = [
+ "172.15.100.0/24",
+ "172.15.101.0/24",
+ "172.15.102.0/24",
+ ]
+ create_database_subnet_group = true
+ create_database_subnet_route_table = true
+ create_database_internet_gateway_route = true
+
+ public_subnet_tags = {
+ "kubernetes.io/role/elb" = 1
+ }
+
+ private_subnet_tags = {
+ "kubernetes.io/role/internal-elb" = 1
+ "karpenter.sh/discovery" = local.core_cluster_name
+ }
+
+ tags = {
+ Owner = var.owner
+ Environment = var.environment
+ }
+}
+
+
+module "eks" {
+ source = "terraform-aws-modules/eks/aws"
+ version = "19.21.0"
+ cluster_name = local.core_cluster_name
+ cluster_version = "1.28"
+ create = local.create_cluster
+ # TODO: resume usage of node security group; see: https://linear.app/pelotech/issue/PEL-97
+ create_node_security_group = false
+ cluster_endpoint_private_access = true
+ cluster_endpoint_public_access = true
+ cluster_enabled_log_types = []
+
+ subnet_ids = module.vpc_core.private_subnets
+ vpc_id = module.vpc_core.vpc_id
+ create_kms_key = true
+ enable_irsa = true
+ # cluster_encryption_config = [{
+ # resources = ["secrets"]
+ 
# }]
+ kms_key_administrators = [
+ "arn:aws:iam::xxxxxx:role/gh-main",
+ ]
+ eks_managed_node_groups = {
+ initial = {
+ iam_role_use_name_prefix = false
+ instance_types = ["t3a.medium"]
+ min_size = 1
+ max_size = 3
+ desired_size = 2
+ capacity_type = "ON_DEMAND"
+ taints = [
+ {
+ key = "CriticalAddonsOnly"
+ value = "true"
+ effect = "NO_SCHEDULE"
+ }
+ ]
+ }
+ }
+ tags = merge(local.tags, {
+ # NOTE - if creating multiple security groups with this module, only tag the
+ # security group that Karpenter should utilize with the following tag
+ # (i.e. - at most, only one security group should have this tag in your account)
+ "karpenter.sh/discovery" = local.core_cluster_name
+ })
+}
+module "karpenter" {
+ count = local.create_cluster ? 1 : 0
+ source = "terraform-aws-modules/eks/aws//modules/karpenter"
+ version = "19.21.0"
+
+ cluster_name = module.eks.cluster_name
+ queue_name = local.core_cluster_name
+ irsa_oidc_provider_arn = module.eks.oidc_provider_arn
+ irsa_namespace_service_accounts = ["karpenter:karpenter"]
+ irsa_name = "${local.core_cluster_name}-karpenter-role"
+ irsa_use_name_prefix = false
+
+ create_iam_role = false
+ iam_role_arn = module.eks.eks_managed_node_groups["initial"].iam_role_arn
+}
diff --git a/terraform/example/variables.tf b/terraform/example/variables.tf
new file mode 100644
index 0000000..7f5321e
--- /dev/null
+++ b/terraform/example/variables.tf
@@ -0,0 +1,8 @@
+variable "owner" {
+ default = "pelotech"
+ type = string
+}
+variable "environment" {
+ default = "production"
+ type = string
+}
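Review bot: `cluster_enabled_log_types = []` in the `module "eks"` block turns off every control-plane log type, so a cluster whose API endpoint is also reachable from the internet (`cluster_endpoint_public_access = true` with no `cluster_endpoint_public_access_cidrs`, which the module defaults to 0.0.0.0/0) leaves no audit or authenticator trail to investigate from. Since this is an example meant to be copied, I would set `cluster_enabled_log_types = ["api", "audit", "authenticator"]` and either add `cluster_endpoint_public_access_cidrs = ["<operator-cidr>/32"]` or keep the endpoint private-only. The `kms_key_administrators` entry `arn:aws:iam::xxxxxx:role/gh-main` is a placeholder account id; a comment saying so would stop it being applied as-is. The string booleans in `module "vpc_core"` (`enable_dns_hostnames = "true"` and the three that follow) work but read better as bare `true`.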