Adding example README. Running pre-commit

chore(deps): Bump github/codeql-action from 2.21.0 to 2.21.1 (#1703) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> fix: Correct doc name for privatelink example (#1704) chore: Clean up of the README (#1705) chore(deps): Bump github/codeql-action from 2.21.1 to 2.21.2 (#1706) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Remove remaining modules from project, update workflows now that modules are removed (#1699) fix: Change EKS addons to use EKS Blueprint addons module (#1718) chore(deps): Bump github/codeql-action from 2.21.2 to 2.21.3 (#1720) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Adding `README`. Running `pre-commit` Adding example Adding `README`. Running `pre-commit`
aws-ia · Aug 9, 2023 · be8559e · be8559e
1 parent 1204c9d
commit be8559e
Show file tree

Hide file tree

Showing 34 changed files with 776 additions and 726 deletions.
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -60,9 +60,6 @@ jobs:
  - uses: dorny/paths-filter@v2
  id: changes
  with:
- # We only need to check Terraform files for the current directory
- # because the `preCommitMaxVersion` job will run the full,
- # exhaustive checks (always)
  filters: |
  src:
  - '${{ matrix.directory }}/*.tf'
@@ -87,71 +84,10 @@ jobs:
  directory: ${{ matrix.directory }}
 
  - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
- uses: clowdhaus/terraform-composite-actions/[email protected]
- # Run only validate pre-commit check on min version supported
- if: ${{ matrix.directory != '.' && steps.changes.outputs.src== 'true' }}
- with:
- terraform-version: ${{ steps.minMax.outputs.minVersion }}
- tflint-version: ${{ env.TFLINT_VERSION }}
- args: 'terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*'
-
- - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
- uses: clowdhaus/terraform-composite-actions/[email protected]
- # Run only validate pre-commit check on min version supported
- if: ${{ matrix.directory == '.' && steps.changes.outputs.src== 'true' }}
- with:
- terraform-version: ${{ steps.minMax.outputs.minVersion }}
- tflint-version: ${{ env.TFLINT_VERSION }}
- args: 'terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)'
-
- preCommitMaxVersion:
- name: Max TF pre-commit
- runs-on: ubuntu-latest
- needs: collectInputs
- steps:
- - name: Harden Runner
- uses: step-security/harden-runner@v2
- with:
- egress-policy: audit
-
- - name: Remove default Terraform
- run: rm -rf $(which terraform)
-
- - name: Checkout
- uses: actions/checkout@v3
-
- - uses: dorny/paths-filter@v2
- id: changes
- with:
- filters: |
- src:
- - '**/*.tf'
-
- - name: Config Terraform plugin cache
- if: steps.changes.outputs.src== 'true'
- run: mkdir --parents ${{ env.TERRAFORM_DOCS_VERSION }}
-
- - name: Cache Terraform
- uses: actions/cache@v3
- if: steps.changes.outputs.src== 'true'
- with:
- path: ${{ env.TF_PLUGIN_CACHE_DIR }}
- key: ${{ runner.os }}-terraform-${{ hashFiles('**/.terraform.lock.hcl') }}
- restore-keys: ${{ runner.os }}-terraform-
-
- - name: Install tfsec
- if: steps.changes.outputs.src== 'true'
- run: curl -sSLo ./tfsec https://github.com/aquasecurity/tfsec/releases/download/${{ env.TFSEC_VERSION }}/tfsec-$(uname)-amd64 && chmod +x tfsec && sudo mv tfsec /usr/bin/
-
- - name: Terraform min/max versions
- id: minMax
- uses: clowdhaus/[email protected]
- if: steps.changes.outputs.src== 'true'
-
- - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
  uses: clowdhaus/terraform-composite-actions/[email protected]
  if: steps.changes.outputs.src== 'true'
  with:
  terraform-version: ${{ steps.minMax.outputs.maxVersion }}
  terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }}
  tflint-version: ${{ env.TFLINT_VERSION }}
+ args: '--files ${{ matrix.directory }}/*'
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -71,6 +71,6 @@ jobs:
 
  # Upload the results to GitHub's code scanning dashboard.
  - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8 # v2.21.0
+ uses: github/codeql-action/upload-sarif@5b6282e01c62d02e720b81eb8a51204f527c3624 # v2.21.3
  with:
  sarif_file: results.sarif
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -32,9 +32,4 @@ repos:
  - '--args=--only=terraform_standard_module_structure'
  - '--args=--only=terraform_workspace_remote'
  - id: terraform_validate
- exclude: docs
- # - id: terraform_tfsec
- # files: ^examples/ # only scan `examples/*` which are the implementation
- # args:
- # - --args=--config-file=__GIT_WORKING_DIR__/tfsec.yaml
- # - --args=--concise-output
+ exclude: (docs|modules)
diff --git a/docs/blueprints/aws-eks-privatelink.md b/docs/blueprints/aws-eks-privatelink.md
diff --git a/docs/blueprints/privatelink-access.md b/docs/blueprints/privatelink-access.md
@@ -0,0 +1,7 @@
+---
+title: PrivateLink Access
+---
+
+{%
+ include-markdown "../../examples/privatelink-access/README.md"
+%}
diff --git a/examples/fully-private-cluster/README.md b/examples/fully-private-cluster/README.md
@@ -29,15 +29,12 @@ Ensure that you have the following tools installed locally:
 
 Since this is a Fully Private Amazon EKS Cluster, make sure that you'll have access to the Amazon VPC where the cluster will be deployed, otherwise you won't be able to access it.
 
-For this example, we'll be using an Amazon Cloud9 environment to run Terraform and manage the Amazon EKS Cluster. The Cloud9 environment is already running in the Default VPC, we'll setup a VPC peering between the Default and the Cluster VPC in order to have access to the Kubernetes API and manage our EKS Cluster.
-
+See the [`privatelink-access`](https://github.com/aws-ia/terraform-aws-eks-blueprints/tree/main/examples/privatelink-access) pattern for using AWS PrivateLink to access the private cluster from another VPC.
 
 To provision this example:
 
 ```sh
 terraform init
-terraform apply -target module.vpc -target module.vpc_endpoints -target module.vpc_endpoints_sg
-terraform apply -target module.eks
 terraform apply
 ```
 

diff --git a/examples/fully-private-cluster/main.tf b/examples/fully-private-cluster/main.tf
@@ -116,43 +116,3 @@ module "vpc_endpoints" {
 
  tags = local.tags
 }
-
-resource "aws_vpc_peering_connection" "this" {
- peer_vpc_id = module.vpc.vpc_id
- vpc_id = module.vpc.default_vpc_id
- auto_accept = true
-
- accepter {
- allow_remote_vpc_dns_resolution = true
- }
-
- requester {
- allow_remote_vpc_dns_resolution = true
- }
-}
-
-resource "aws_route" "default_to_eks" {
- route_table_id = module.vpc.default_vpc_default_route_table_id
- destination_cidr_block = module.vpc.vpc_cidr_block
- vpc_peering_connection_id = aws_vpc_peering_connection.this.id
- depends_on = [module.vpc]
-}
-
-resource "aws_route" "eks_to_default" {
- for_each = { for rt in module.vpc.private_route_table_ids : rt => rt }
-
- route_table_id = each.value
- destination_cidr_block = module.vpc.default_vpc_cidr_block
- vpc_peering_connection_id = aws_vpc_peering_connection.this.id
- depends_on = [module.vpc]
-}
-
-resource "aws_vpc_security_group_ingress_rule" "this" {
- for_each = { for sg in concat([module.eks.cluster_security_group_id, module.eks.cluster_primary_security_group_id]) : sg => sg }
- security_group_id = each.value
-
- cidr_ipv4 = module.vpc.default_vpc_cidr_block
- from_port = 443
- to_port = 443
- ip_protocol = "tcp"
-}
diff --git a/examples/istio/main.tf b/examples/istio/main.tf
@@ -59,13 +59,6 @@ module "eks" {
  cluster_version = "1.27"
  cluster_endpoint_public_access = true
 
- # EKS Addons
- cluster_addons = {
- coredns = {}
- kube-proxy = {}
- vpc-cni = {}
- }
-
  vpc_id = module.vpc.vpc_id
  subnet_ids = module.vpc.private_subnets
 
@@ -120,6 +113,13 @@ module "eks_blueprints_addons" {
  enable_aws_load_balancer_controller = true
 
  tags = local.tags
+
+ eks_addons = {
+ coredns = {}
+ vpc-cni = {}
+ kube-proxy = {}
+ }
+
 }
 
 ################################################################################

diff --git a/examples/privatelink-access/README.md b/examples/privatelink-access/README.md
@@ -2,7 +2,8 @@
 
 This example demonstrates how to access a private EKS cluster using AWS PrivateLink.
 
-Refer to the [documentation](https://docs.aws.amazon.com/vpc/latest/privatelink/concepts.html) for further details on `AWS PrivateLink`.
+Refer to the [documentation](https://docs.aws.amazon.com/vpc/latest/privatelink/concepts.html)
+for further details on `AWS PrivateLink`.
 
 ## Prerequisites:
 
@@ -14,7 +15,9 @@ Ensure that you have the following tools installed locally:
 
 ## Deploy
 
-To provision this example, first deploy the Lambda function that responds to `CreateNetworkInterface` API calls. This needs to exist before the cluster is created so that it can respond to the ENIs created by the EKS control plane:
+To provision this example, first deploy the Lambda function that responds to
+`CreateNetworkInterface` API calls. This needs to exist before the cluster is
+created so that it can respond to the ENIs created by the EKS control plane:
 
 ```sh
 terraform init
@@ -35,62 +38,98 @@ Enter `yes` at command prompt to apply
 
 ### Network Connectivity
 
-1. An output `ssm_test` has been provided to aid in quickly testing the connectivity from the client EC2 instance to the private EKS cluster via AWS Privatelink. Copy the output value and paste it into your terminal to execute and check the connectivity. If configured correctly, the value returned should be `ok`.
+An output `ssm_test` has been provided to aid in quickly testing the
+connectivity from the client EC2 instance to the private EKS cluster via AWS
+PrivateLink. Copy the output value and paste it into your terminal to execute
+and check the connectivity. If configured correctly, the value returned should
+be `ok`.
 
 ```sh
-COMMAND_ID=$(aws ssm send-command --region us-west-2 --document-name "AWS-RunShellScript" \
---parameters 'commands=["curl -ks https://0218D48323E3E7D404D98659F1D097DD.gr7.us-west-2.eks.amazonaws.com/readyz"]' \
---targets "Key=instanceids,Values=i-0280cf604085f4a44" --query 'Command.CommandId' --output text)
-
-aws ssm get-command-invocation --region us-west-2 --command-id $COMMAND_ID --instance-id i-0280cf604085f4a44 --query 'StandardOutputContent' --output text
+COMMAND="curl -ks https://9A85B21811733524E3ABCDFEA8714642.gr7.us-west-2.eks.amazonaws.com/readyz"
+
+COMMAND_ID=$(aws ssm send-command --region us-west-2 \
+--document-name "AWS-RunShellScript" \
+--parameters "commands=[$COMMAND]" \
+--targets "Key=instanceids,Values=i-0a45eff73ba408575" \
+--query 'Command.CommandId' \
+--output text)
+
+aws ssm get-command-invocation --region us-west-2 \
+--command-id $COMMAND_ID \
+--instance-id i-0a45eff73ba408575 \
+--query 'StandardOutputContent' \
+--output text
 ```
 
 ### Cluster Access
 
-To test access to the cluster, you will need to execute Kubernetes API calls from within the private network to access the cluster. An EC2 instance has been deployed to simulate this scenario, where the EC2 is deployed into a "client" VPC. However, since the EKS cluster was created with your local IAM identity, the `aws-auth` ConfigMap will only have your local identity that is permitted to access the cluster. Since cluster's API endpoint is private, we cannot use Terraform to reach it to additional entries to the ConfigMap; we can only access the cluster from within the private network of the cluster's VPC or from the client VPC using AWS PrivateLink access.
+To test access to the cluster, you will need to execute Kubernetes API calls
+from within the private network to access the cluster. An EC2 instance has been
+deployed into a "client" VPC to simulate this scenario. However, since the EKS
+cluster was created with your local IAM identity, the `aws-auth` ConfigMap will
+only have your local identity that is permitted to access the cluster. Since
+cluster's API endpoint is private, we cannot use Terraform to reach it to
+add additional entries to the ConfigMap; we can only access the cluster from
+within the private network of the cluster's VPC or from the client VPC using AWS
+PrivateLink access.
 
-:warning: The "client" EC2 instance provided and copying of AWS credentials to that instance are merely for demonstration purposes only. Please consider alternate methods of network access such as AWS Client VPN to provide more secure access.
+> :warning: The "client" EC2 instance provided and copying of AWS credentials to
+ that instance are merely for demonstration purposes only. Please consider
+ alternate methods of network access such as AWS Client VPN to provide more
+ secure access.
 
-Perform the following steps to access the cluster with `kubectl` from the provided "client" EC2 instance.
+Perform the following steps to access the cluster with `kubectl` from the
+provided "client" EC2 instance.
 
-1. Execute the command below on your local machine to get temporary credentials that will be used on the "client" EC2 instance:
+1. Execute the command below on your local machine to get temporary credentials
+that will be used on the "client" EC2 instance:
 
-```sh
-aws sts get-session-token --duration-seconds 3600 --output yaml
-```
+ ```sh
+ aws sts get-session-token --duration-seconds 3600 --output yaml
+ ```
 
-2. Start a new SSM session on the "client" EC2 instance using the provided `ssm_start_session` output value. Your terminal will now be connected to the "client" EC2 instance.
+2. Start a new SSM session on the "client" EC2 instance using the provided
+`ssm_start_session` output value. Copy the output value and paste it into your
+terminal to execute. Your terminal will now be connected to the "client" EC2
+instance.
 
-```sh
-ssm_start_session = "aws ssm start-session --region us-west-2 --target i-0280cf604085f4a44"
-```
+ ```sh
+ aws ssm start-session --region us-west-2 --target i-0280cf604085f4a44
+ ```
 
-3. Once logged in, export the following environment variables from the output of step 1. Note - the session credentials are only valid for 1 hour; you can adjust the session duration in the command provided in step 1:
+3. Once logged in, export the following environment variables from the output
+of step #1:
 
-```sh
-export AWS_ACCESS_KEY_ID=XXXX
-export AWS_SECRET_ACCESS_KEY=YYYY
-export AWS_SESSION_TOKEN=ZZZZ
-```
+ > :exclamation: The session credentials are only valid for 1 hour; you can
+ adjust the session duration in the command provided in step #1
 
-4. Update the local `~/.kube/config` file to enable access to the cluster:
+ ```sh
+ export AWS_ACCESS_KEY_ID=XXXX
+ export AWS_SECRET_ACCESS_KEY=YYYY
+ export AWS_SESSION_TOKEN=ZZZZ
+ ```
 
-```sh
-aws eks update-kubeconfig --region us-west-2 --name privatelink-access
-```
+4. Run the following command to update the local `~/.kube/config` file to enable
+access to the cluster:
 
-5. Test access by listing the pods running on the clsuter:
+ ```sh
+ aws eks update-kubeconfig --region us-west-2 --name privatelink-access
+ ```
+
+5. Test access by listing the pods running on the cluster:
+
+ ```sh
+ kubectl get pods -A
+ ```
+
+ The test succeeded if you see an output like the one shown below:
+
+ NAMESPACE NAME READY STATUS RESTARTS AGE
+ kube-system aws-node-4f8g8 1/1 Running 0 1m
+ kube-system coredns-6ff9c46cd8-59sqp 1/1 Running 0 1m
+ kube-system coredns-6ff9c46cd8-svnpb 1/1 Running 0 2m
+ kube-system kube-proxy-mm2zc 1/1 Running 0 1m
 
-```sh
-sh-4.2$ kubectl get pods -A
-
-# Output
-NAMESPACE NAME READY STATUS RESTARTS AGE
-kube-system aws-node-4f8g8 1/1 Running 0 1m
-kube-system coredns-6ff9c46cd8-59sqp 1/1 Running 0 1m
-kube-system coredns-6ff9c46cd8-svnpb 1/1 Running 0 2m
-kube-system kube-proxy-mm2zc 1/1 Running 0 1m
-```
 
 ## Destroy
 

diff --git a/examples/privatelink-access/outputs.tf b/examples/privatelink-access/outputs.tf
@@ -4,12 +4,21 @@ output "ssm_start_session" {
 }
 
 output "ssm_test" {
- description = "SSM start session command to connect to remote host created"
+ description = "SSM commands to test connectivity from client EC2 instance to the private EKS cluster"
  value = <<-EOT
- COMMAND_ID=$(aws ssm send-command --region ${local.region} --document-name "AWS-RunShellScript" \
- --parameters 'commands=["curl -ks ${module.eks.cluster_endpoint}/readyz"]' \
- --targets "Key=instanceids,Values=${module.client_ec2_instance.id}" --query 'Command.CommandId' --output text)
+ COMMAND="curl -ks ${module.eks.cluster_endpoint}/readyz"
+
+ COMMAND_ID=$(aws ssm send-command --region ${local.region} \
+ --document-name "AWS-RunShellScript" \
+ --parameters "commands=[$COMMAND]" \
+ --targets "Key=instanceids,Values=${module.client_ec2_instance.id}" \
+ --query 'Command.CommandId' \
+ --output text)
 
- aws ssm get-command-invocation --region ${local.region} --command-id $COMMAND_ID --instance-id ${module.client_ec2_instance.id} --query 'StandardOutputContent' --output text
+ aws ssm get-command-invocation --region ${local.region} \
+ --command-id $COMMAND_ID \
+ --instance-id ${module.client_ec2_instance.id} \
+ --query 'StandardOutputContent' \
+ --output text
  EOT
 }
diff --git a/examples/privatelink-access/variables.tf b/examples/privatelink-access/variables.tf
@@ -1 +0,0 @@
-